From 17250d1413b4e2b66105c5b7e291c2cec69da4ea Mon Sep 17 00:00:00 2001 From: John Peterson Date: Tue, 11 Feb 2020 10:33:42 -0800 Subject: [PATCH 01/28] Openshift4 operator for Artifactory HA v7.0.2 --- Openshift4/.gitignore | 1 + .../artifactory-ha-operator/build/Dockerfile | 4 + ...lm.k8s.io_openshiftartifactoryhas_crd.yaml | 22 + ...io_v1alpha1_openshiftartifactoryha_cr.yaml | 997 ++++++++++++ .../deploy/imagestream.yaml | 6 + .../deploy/namespace.yaml | 17 + ...operator.v1.0.0.clusterserviceversion.yaml | 745 +++++++++ .../artifactory-ha-operator.package.yaml | 5 + .../deploy/operator.yaml | 31 + .../deploy/operatorgroup.yaml | 8 + .../deploy/project.yaml | 89 ++ .../artifactory-ha-operator/deploy/role.yaml | 100 ++ .../deploy/role_binding.yaml | 11 + .../deploy/securitycontextconstraints.yaml | 15 + .../deploy/service_account.yaml | 4 + .../openshift-artifactory-ha/CHANGELOG.md | 557 +++++++ .../openshift-artifactory-ha/Chart.yaml | 24 + .../openshift-artifactory-ha/LICENSE | 201 +++ .../openshift-artifactory-ha/README.md | 1266 ++++++++++++++++ .../ReverseProxyConfiguration.md | 140 ++ .../openshift-artifactory-ha/UPGRADE_NOTES.md | 33 + .../charts/postgresql/.helmignore | 2 + .../charts/postgresql/Chart.yaml | 23 + .../charts/postgresql/README.md | 487 ++++++ .../charts/postgresql/files/README.md | 1 + .../charts/postgresql/files/conf.d/README.md | 4 + .../docker-entrypoint-initdb.d/README.md | 3 + .../charts/postgresql/templates/NOTES.txt | 50 + .../charts/postgresql/templates/_helpers.tpl | 374 +++++ .../postgresql/templates/configmap.yaml | 26 + .../templates/extended-config-configmap.yaml | 21 + .../templates/initialization-configmap.yaml | 24 + .../postgresql/templates/metrics-svc.yaml | 26 + .../postgresql/templates/networkpolicy.yaml | 34 + .../charts/postgresql/templates/secrets.yaml | 17 + .../postgresql/templates/serviceaccount.yaml | 11 + .../postgresql/templates/servicemonitor.yaml | 33 + .../templates/statefulset-slaves.yaml | 247 +++ .../postgresql/templates/statefulset.yaml | 355 +++++ .../postgresql/templates/svc-headless.yaml | 19 + .../charts/postgresql/templates/svc-read.yaml | 31 + .../charts/postgresql/templates/svc.yaml | 38 + .../charts/postgresql/values-production.yaml | 392 +++++ .../charts/postgresql/values.schema.json | 103 ++ .../charts/postgresql/values.yaml | 392 +++++ .../openshift-artifactory-ha/helminstall.sh | 23 + .../pv-examples/pv0001-large.yaml | 15 + .../pv-examples/pv0002-large.yaml | 15 + .../pv-examples/pv0003-large.yaml | 15 + .../pv-examples/pv0004-large.yaml | 15 + .../pv-examples/pv0005-large.yaml | 15 + .../requirements.lock | 6 + .../requirements.yaml | 5 + .../openshift-artifactory-ha/scc.yaml | 18 + .../templates/NOTES.txt | 113 ++ .../templates/_helpers.tpl | 103 ++ .../templates/access-bootstrap-creds.yaml | 15 + .../artifactory-binarystore-secret.yaml | 14 + .../templates/artifactory-configmaps.yaml | 13 + .../templates/artifactory-installer-info.yaml | 25 + .../templates/artifactory-license-secret.yaml | 14 + .../templates/artifactory-networkpolicy.yaml | 34 + .../templates/artifactory-nfs-pvc.yaml | 101 ++ .../templates/artifactory-node-pdb.yaml | 19 + .../artifactory-node-statefulset.yaml | 510 +++++++ .../artifactory-primary-statefulset.yaml | 587 ++++++++ .../templates/artifactory-priority-class.yaml | 9 + .../templates/artifactory-role.yaml | 14 + .../templates/artifactory-rolebinding.yaml | 19 + .../templates/artifactory-secrets.yaml | 17 + .../templates/artifactory-service.yaml | 88 ++ .../templates/artifactory-serviceaccount.yaml | 16 + .../templates/artifactory-storage-pvc.yaml | 27 + .../templates/artifactory-system-yaml.yaml | 14 + .../templates/catalina-logger-configmap.yaml | 53 + .../templates/filebeat-configmap.yaml | 15 + .../templates/ingress.yaml | 56 + .../templates/nginx-artifactory-conf.yaml | 14 + .../templates/nginx-certificate-secret.yaml | 14 + .../templates/nginx-conf.yaml | 14 + .../templates/nginx-deployment.yaml | 185 +++ .../templates/nginx-pvc.yaml | 26 + .../templates/nginx-service.yaml | 69 + .../values-large.yaml | 24 + .../values-medium.yaml | 24 + .../values-small.yaml | 24 + .../openshift-artifactory-ha/values.yaml | 1330 +++++++++++++++++ .../artifactory-ha-operator/watches.yaml | 5 + Openshift4/artifactoryha-helm/CHANGELOG.md | 557 +++++++ Openshift4/artifactoryha-helm/Chart.yaml | 24 + Openshift4/artifactoryha-helm/LICENSE | 201 +++ Openshift4/artifactoryha-helm/README.md | 1266 ++++++++++++++++ .../ReverseProxyConfiguration.md | 140 ++ .../artifactoryha-helm/UPGRADE_NOTES.md | 33 + .../charts/postgresql/.helmignore | 2 + .../charts/postgresql/Chart.yaml | 23 + .../charts/postgresql/README.md | 487 ++++++ .../charts/postgresql/files/README.md | 1 + .../charts/postgresql/files/conf.d/README.md | 4 + .../docker-entrypoint-initdb.d/README.md | 3 + .../charts/postgresql/templates/NOTES.txt | 50 + .../charts/postgresql/templates/_helpers.tpl | 374 +++++ .../postgresql/templates/configmap.yaml | 26 + .../templates/extended-config-configmap.yaml | 21 + .../templates/initialization-configmap.yaml | 24 + .../postgresql/templates/metrics-svc.yaml | 26 + .../postgresql/templates/networkpolicy.yaml | 34 + .../charts/postgresql/templates/secrets.yaml | 17 + .../postgresql/templates/serviceaccount.yaml | 11 + .../postgresql/templates/servicemonitor.yaml | 33 + .../templates/statefulset-slaves.yaml | 247 +++ .../postgresql/templates/statefulset.yaml | 355 +++++ .../postgresql/templates/svc-headless.yaml | 19 + .../charts/postgresql/templates/svc-read.yaml | 31 + .../charts/postgresql/templates/svc.yaml | 38 + .../charts/postgresql/values-production.yaml | 392 +++++ .../charts/postgresql/values.schema.json | 103 ++ .../charts/postgresql/values.yaml | 392 +++++ Openshift4/artifactoryha-helm/helminstall.sh | 23 + .../pv-examples/pv0001-large.yaml | 15 + .../pv-examples/pv0002-large.yaml | 15 + .../pv-examples/pv0003-large.yaml | 15 + .../pv-examples/pv0004-large.yaml | 15 + .../pv-examples/pv0005-large.yaml | 15 + .../artifactoryha-helm/requirements.lock | 6 + .../artifactoryha-helm/requirements.yaml | 5 + Openshift4/artifactoryha-helm/scc.yaml | 18 + .../artifactoryha-helm/templates/NOTES.txt | 113 ++ .../artifactoryha-helm/templates/_helpers.tpl | 103 ++ .../templates/access-bootstrap-creds.yaml | 15 + .../artifactory-binarystore-secret.yaml | 14 + .../templates/artifactory-configmaps.yaml | 13 + .../templates/artifactory-installer-info.yaml | 25 + .../templates/artifactory-license-secret.yaml | 14 + .../templates/artifactory-networkpolicy.yaml | 34 + .../templates/artifactory-nfs-pvc.yaml | 101 ++ .../templates/artifactory-node-pdb.yaml | 19 + .../artifactory-node-statefulset.yaml | 510 +++++++ .../artifactory-primary-statefulset.yaml | 593 ++++++++ .../templates/artifactory-priority-class.yaml | 9 + .../templates/artifactory-role.yaml | 14 + .../templates/artifactory-rolebinding.yaml | 19 + .../templates/artifactory-secrets.yaml | 17 + .../templates/artifactory-service.yaml | 88 ++ .../templates/artifactory-serviceaccount.yaml | 16 + .../templates/artifactory-storage-pvc.yaml | 27 + .../templates/artifactory-system-yaml.yaml | 14 + .../templates/catalina-logger-configmap.yaml | 53 + .../templates/filebeat-configmap.yaml | 15 + .../artifactoryha-helm/templates/ingress.yaml | 56 + .../templates/nginx-artifactory-conf.yaml | 14 + .../templates/nginx-certificate-secret.yaml | 14 + .../templates/nginx-conf.yaml | 14 + .../templates/nginx-deployment.yaml | 185 +++ .../templates/nginx-pvc.yaml | 26 + .../templates/nginx-service.yaml | 69 + .../artifactoryha-helm/values-large.yaml | 24 + .../artifactoryha-helm/values-medium.yaml | 24 + .../artifactoryha-helm/values-small.yaml | 24 + Openshift4/artifactoryha-helm/values.yaml | 1330 +++++++++++++++++ 160 files changed, 19388 insertions(+) create mode 100644 Openshift4/.gitignore create mode 100644 Openshift4/artifactory-ha-operator/build/Dockerfile create mode 100644 Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/imagestream.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/namespace.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/artifactory-ha-operator.package.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/operator.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/operatorgroup.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/project.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/role.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/role_binding.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/securitycontextconstraints.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/service_account.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/LICENSE create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/ReverseProxyConfiguration.md create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/UPGRADE_NOTES.md create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/.helmignore create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/Chart.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/README.md create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/README.md create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/conf.d/README.md create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/docker-entrypoint-initdb.d/README.md create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/NOTES.txt create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/_helpers.tpl create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/configmap.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/extended-config-configmap.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/initialization-configmap.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/metrics-svc.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/networkpolicy.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/secrets.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/serviceaccount.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/servicemonitor.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset-slaves.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-headless.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-read.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values-production.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.schema.json create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0001-large.yaml create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0002-large.yaml create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0003-large.yaml create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0004-large.yaml create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0005-large.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/scc.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/NOTES.txt create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/_helpers.tpl create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/access-bootstrap-creds.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-binarystore-secret.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-configmaps.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-installer-info.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-license-secret.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-networkpolicy.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-nfs-pvc.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-pdb.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-statefulset.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-primary-statefulset.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-priority-class.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-role.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-rolebinding.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-secrets.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-service.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-serviceaccount.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-storage-pvc.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-system-yaml.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/catalina-logger-configmap.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/filebeat-configmap.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/ingress.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-artifactory-conf.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-certificate-secret.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-conf.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-deployment.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-pvc.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-service.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-large.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-medium.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-small.yaml create mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml create mode 100644 Openshift4/artifactory-ha-operator/watches.yaml create mode 100755 Openshift4/artifactoryha-helm/CHANGELOG.md create mode 100755 Openshift4/artifactoryha-helm/Chart.yaml create mode 100755 Openshift4/artifactoryha-helm/LICENSE create mode 100755 Openshift4/artifactoryha-helm/README.md create mode 100755 Openshift4/artifactoryha-helm/ReverseProxyConfiguration.md create mode 100755 Openshift4/artifactoryha-helm/UPGRADE_NOTES.md create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/.helmignore create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/Chart.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/README.md create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/files/README.md create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/files/conf.d/README.md create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/files/docker-entrypoint-initdb.d/README.md create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/NOTES.txt create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/_helpers.tpl create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/configmap.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/extended-config-configmap.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/initialization-configmap.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/metrics-svc.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/networkpolicy.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/secrets.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/serviceaccount.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/servicemonitor.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset-slaves.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-headless.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-read.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/svc.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/values-production.yaml create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/values.schema.json create mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/values.yaml create mode 100755 Openshift4/artifactoryha-helm/helminstall.sh create mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0001-large.yaml create mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0002-large.yaml create mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0003-large.yaml create mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0004-large.yaml create mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0005-large.yaml create mode 100755 Openshift4/artifactoryha-helm/requirements.lock create mode 100755 Openshift4/artifactoryha-helm/requirements.yaml create mode 100644 Openshift4/artifactoryha-helm/scc.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/NOTES.txt create mode 100755 Openshift4/artifactoryha-helm/templates/_helpers.tpl create mode 100755 Openshift4/artifactoryha-helm/templates/access-bootstrap-creds.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-binarystore-secret.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-configmaps.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-installer-info.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-license-secret.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-networkpolicy.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-nfs-pvc.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-node-pdb.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-node-statefulset.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-primary-statefulset.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-priority-class.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-role.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-rolebinding.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-secrets.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-service.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-serviceaccount.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-storage-pvc.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-system-yaml.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/catalina-logger-configmap.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/filebeat-configmap.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/ingress.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/nginx-artifactory-conf.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/nginx-certificate-secret.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/nginx-conf.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/nginx-deployment.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/nginx-pvc.yaml create mode 100755 Openshift4/artifactoryha-helm/templates/nginx-service.yaml create mode 100755 Openshift4/artifactoryha-helm/values-large.yaml create mode 100755 Openshift4/artifactoryha-helm/values-medium.yaml create mode 100755 Openshift4/artifactoryha-helm/values-small.yaml create mode 100755 Openshift4/artifactoryha-helm/values.yaml diff --git a/Openshift4/.gitignore b/Openshift4/.gitignore new file mode 100644 index 0000000..bcacc76 --- /dev/null +++ b/Openshift4/.gitignore @@ -0,0 +1 @@ +artifactory.cluster.license diff --git a/Openshift4/artifactory-ha-operator/build/Dockerfile b/Openshift4/artifactory-ha-operator/build/Dockerfile new file mode 100644 index 0000000..6fcc547 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/build/Dockerfile @@ -0,0 +1,4 @@ +FROM quay.io/operator-framework/helm-operator:v0.14.1 + +COPY watches.yaml ${HOME}/watches.yaml +COPY helm-charts/ ${HOME}/helm-charts/ diff --git a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml new file mode 100644 index 0000000..a125712 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml @@ -0,0 +1,22 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: openshiftartifactoryhas.charts.helm.k8s.io +spec: + group: charts.helm.k8s.io + names: + kind: OpenshiftArtifactoryHa + listKind: OpenshiftArtifactoryHaList + plural: openshiftartifactoryhas + singular: openshiftartifactoryha + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: true diff --git a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml new file mode 100644 index 0000000..da682db --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml @@ -0,0 +1,997 @@ +apiVersion: charts.helm.k8s.io/v1alpha1 +kind: OpenshiftArtifactoryHa +metadata: + name: artifactoryha +spec: + # Default values copied from /helm-charts/openshift-artifactory-ha/values.yaml + + access: + database: + maxOpenConnections: 80 + artifactory: + accessAdmin: + dataKey: null + ip: 127.0.0.1 + password: null + secret: null + annotations: {} + binarystore: + enabled: true + catalinaLoggers: [] + configMapName: null + configMaps: "" + copyOnEveryStartup: null + customInitContainers: "" + customInitContainersBegin: | + - name: "custom-setup" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + command: + - 'sh' + - '-c' + - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}' + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: volume + customPersistentPodVolumeClaim: {} + customPersistentVolumeClaim: {} + customSidecarContainers: "" + customVolumeMounts: "" + customVolumes: "" + database: + maxOpenConnections: 80 + deleteDBPropertiesOnStartup: true + externalArtifactoryPort: 8081 + externalPort: 8082 + haDataDir: + enabled: false + path: null + image: + pullPolicy: IfNotPresent + repository: earlyaccess.jfrog.io/artifactory-pro + internalArtifactoryPort: 8081 + internalPort: 8082 + javaOpts: {} + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + license: + dataKey: artifactory.cluster.license + licenseKey: null + secret: artifactory-license + livenessProbe: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 180 + path: /router/api/v1/system/health + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 10 + loggers: [] + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + name: artifactory-ha + node: + affinity: {} + javaOpts: + corePoolSize: 16 + jmx: + accessFile: null + authenticate: false + enabled: false + host: null + passwordFile: null + port: 9010 + ssl: false + labels: {} + minAvailable: 1 + name: artifactory-ha-member + nodeSelector: {} + persistence: + existingClaim: false + podAntiAffinity: + topologyKey: kubernetes.io/hostname + type: "" + replicaCount: 1 + resources: {} + tolerations: [] + waitForPrimaryStartup: + enabled: true + time: 60 + persistence: + accessMode: ReadWriteOnce + awsS3: + bucketName: artifactory-ha-aws + credential: null + endpoint: null + httpsOnly: true + identity: null + path: artifactory-ha/filestore + properties: {} + refreshCredentials: true + region: null + roleName: null + s3AwsVersion: AWS4-HMAC-SHA256 + testConnection: false + awsS3V3: + bucketName: artifactory-aws + cloudFrontDomainName: null + cloudFrontKeyPairId: null + cloudFrontPrivateKey: null + credential: null + endpoint: null + identity: null + kmsCryptoMode: null + kmsKeyRegion: null + kmsServerSideEncryptionKeyId: null + path: artifactory/filestore + region: null + signatureExpirySeconds: 300 + testConnection: false + useInstanceCredentials: true + usePresigning: false + azureBlob: + accountKey: null + accountName: null + containerName: null + endpoint: null + testConnection: false + binarystoreXml: | + {{- if eq .Values.artifactory.persistence.type "file-system" }} + + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + + + + + + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} + + {{- end }} + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + // Specify the read and write strategy and redundancy for the sharding binary provider + + roundRobin + percentageFreeSpace + 2 + + + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} + //For each sub-provider (mount), specify the filestore location + + filestore{{ $sharedClaimNumber }} + + {{- end }} + + {{- else }} + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + 2 + 2 + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + + shard-fs-1 + local + + + + + 30 + tester-remote1 + 10000 + remote + + + + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "google-storage" }} + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + 2 + + + + + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + local + + + + 30 + 10000 + remote + + + + {{ .Values.artifactory.persistence.mountPath }}/data/filestore + /tmp + + + + google-cloud-storage + {{ .Values.artifactory.persistence.googleStorage.endpoint }} + {{ .Values.artifactory.persistence.googleStorage.httpsOnly }} + {{ .Values.artifactory.persistence.googleStorage.bucketName }} + {{ .Values.artifactory.persistence.googleStorage.identity }} + {{ .Values.artifactory.persistence.googleStorage.credential }} + {{ .Values.artifactory.persistence.googleStorage.path }} + {{ .Values.artifactory.persistence.googleStorage.bucketExists }} + + + {{- end }} + {{- if eq .Values.artifactory.persistence.type "aws-s3-v3" }} + + + + + + + + + + + + + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + + + + + remote + + + + local + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + {{- with .Values.artifactory.persistence.awsS3V3 }} + + {{ .testConnection }} + {{- if .identity }} + {{ .identity }} + {{- end }} + {{- if .credential }} + {{ .credential }} + {{- end }} + {{ .region }} + {{ .bucketName }} + {{ .path }} + {{ .endpoint }} + {{- with .kmsServerSideEncryptionKeyId }} + {{ . }} + {{- end }} + {{- with .kmsKeyRegion }} + {{ . }} + {{- end }} + {{- with .kmsCryptoMode }} + {{ . }} + {{- end }} + true + {{ .usePresigning }} + {{ .signatureExpirySeconds }} + {{- with .cloudFrontDomainName }} + {{ . }} + {{- end }} + {{- with .cloudFrontKeyPairId }} + {{ .cloudFrontKeyPairId }} + {{- end }} + {{- with .cloudFrontPrivateKey }} + {{ . }} + {{- end }} + + {{- end }} + + {{- end }} + + {{- if eq .Values.artifactory.persistence.type "aws-s3" }} + + + + + + + + + + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + local + + + + 30 + 10000 + remote + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + + + + + {{ .Values.artifactory.persistence.awsS3.endpoint }} + {{- if .Values.artifactory.persistence.awsS3.roleName }} + {{ .Values.artifactory.persistence.awsS3.roleName }} + true + {{- else }} + {{ .Values.artifactory.persistence.awsS3.refreshCredentials }} + {{- end }} + {{ .Values.artifactory.persistence.awsS3.s3AwsVersion }} + {{ .Values.artifactory.persistence.awsS3.testConnection }} + {{ .Values.artifactory.persistence.awsS3.httpsOnly }} + {{ .Values.artifactory.persistence.awsS3.region }} + {{ .Values.artifactory.persistence.awsS3.bucketName }} + {{- if .Values.artifactory.persistence.awsS3.identity }} + {{ .Values.artifactory.persistence.awsS3.identity }} + {{- end }} + {{- if .Values.artifactory.persistence.awsS3.credential }} + {{ .Values.artifactory.persistence.awsS3.credential }} + {{- end }} + {{ .Values.artifactory.persistence.awsS3.path }} + {{- range $key, $value := .Values.artifactory.persistence.awsS3.properties }} + + {{- end }} + + + {{- end }} + {{- if eq .Values.artifactory.persistence.type "azure-blob" }} + + + + + + + + + + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + + crossNetworkStrategy + crossNetworkStrategy + 2 + 1 + + + + + remote + + + + local + + + + + {{ .Values.artifactory.persistence.azureBlob.accountName }} + {{ .Values.artifactory.persistence.azureBlob.accountKey }} + {{ .Values.artifactory.persistence.azureBlob.endpoint }} + {{ .Values.artifactory.persistence.azureBlob.containerName }} + {{ .Values.artifactory.persistence.azureBlob.testConnection }} + + + {{- end }} + cacheProviderDir: cache + customBinarystoreXmlSecret: null + enabled: true + eventual: + numberOfThreads: 10 + fileSystem: + existingSharedClaim: + backupDir: /var/opt/jfrog/artifactory-backup + dataDir: '{{ .Values.artifactory.persistence.mountPath }}/artifactory-data' + enabled: false + numberOfExistingClaims: 1 + googleStorage: + bucketExists: false + bucketName: artifactory-ha-gcp + credential: null + endpoint: storage.googleapis.com + httpsOnly: false + identity: null + path: artifactory-ha/filestore + local: false + maxCacheSize: 50000000000 + mountPath: /var/opt/jfrog/artifactory + nfs: + backupDir: /var/opt/jfrog/artifactory-backup + capacity: 200Gi + dataDir: /var/opt/jfrog/artifactory-ha + haBackupMount: /backup + haDataMount: /data + ip: null + mountOptions: [] + redundancy: 3 + size: 200Gi + type: file-system + primary: + affinity: {} + javaOpts: + corePoolSize: 16 + jmx: + accessFile: null + authenticate: false + enabled: false + host: null + passwordFile: null + port: 9010 + ssl: false + labels: {} + name: artifactory-ha-primary + nodeSelector: {} + persistence: + existingClaim: false + podAntiAffinity: + topologyKey: kubernetes.io/hostname + type: "" + resources: {} + tolerations: [] + priorityClass: + create: false + value: 1000000000 + readinessProbe: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 60 + path: /router/api/v1/system/health + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 10 + service: + annotations: {} + loadBalancerSourceRanges: [] + name: artifactory + pool: members + type: ClusterIP + systemYaml: | + shared: + extraJavaOpts: > + {{- with .Values.artifactory.primary.javaOpts }} + -Dartifactory.async.corePoolSize={{ .corePoolSize }} + {{- if .xms }} + -Xms{{ .xms }} + {{- end }} + {{- if .xmx }} + -Xmx{{ .xmx }} + {{- end }} + {{- if .jmx.enabled }} + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} + {{- if .jmx.host }} + -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} + {{- else }} + -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} + {{- end }} + {{- if .jmx.authenticate }} + -Dcom.sun.management.jmxremote.authenticate=true + -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} + -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} + {{- else }} + -Dcom.sun.management.jmxremote.authenticate=false + {{- end }} + {{- end }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + database: + {{- if .Values.postgresql.enabled }} + type: postgresql + url: 'jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}' + host: '' + driver: org.postgresql.Driver + username: '{{ .Values.postgresql.postgresqlUsername }}' + password: '{{ .Values.postgresql.postgresqlPassword }}' + {{ else }} + type: '{{ .Values.database.type }}' + url: '{{ .Values.database.url }}' + driver: '{{ .Values.database.driver }}' + username: '{{ .Values.database.user }}' + password: '{{ .Values.database.password }}' + {{- end }} + security: + joinKey: '{{ .Values.artifactory.joinKey }}' + masterKey: '{{ .Values.artifactory.masterKey }}' + artifactory: + {{- if .Values.artifactory.haDataDir.enabled }} + node: + haDataDir: {{ .Values.artifactory.haDataDir.path }} + {{- end }} + database: + maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} + access: + database: + maxOpenConnections: '{{ .Values.access.database.maxOpenConnections }}' + {{- if .Values.access.database.enabled }} + type: '{{ .Values.access.database.type }}' + url: '{{ .Values.access.database.url }}' + driver: '{{ .Values.access.database.driver }}' + username: '{{ .Values.access.database.user }}' + password: '{{ .Values.access.database.password }}' + {{- end }} + terminationGracePeriodSeconds: 30 + uid: 1030 + userPluginSecrets: null + database: + driver: null + password: null + secrets: {} + type: null + url: null + user: null + filebeat: + enabled: false + filebeatYml: | + logging.level: info + path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat + name: artifactory-filebeat + queue.spool: ~ + filebeat.inputs: + - type: log + enabled: true + close_eof: ${CLOSE:false} + paths: + - {{ .Values.artifactory.persistence.mountPath }}/log/*.log + fields: + service: "jfrt" + log_type: "artifactory" + output: + logstash: + hosts: ["{{ .Values.filebeat.logstashUrl }}"] + image: + repository: docker.elastic.co/beats/filebeat + version: 7.5.1 + livenessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + curl --fail 127.0.0.1:5066 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + logstashUrl: logstash:5044 + name: artifactory-filebeat + readinessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + filebeat test output + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + resources: {} + terminationGracePeriod: 10 + imagePullSecrets: null + ingress: + additionalRules: [] + annotations: {} + artifactoryPath: /artifactory/ + defaultBackend: + enabled: true + enabled: false + hosts: [] + labels: {} + routerPath: / + tls: [] + initContainerImage: alpine:3.10 + initContainers: + resources: {} + installer: + platform: null + type: null + logger: + image: + repository: busybox + tag: "1.30" + networkpolicy: + - egress: + - {} + ingress: + - {} + name: artifactory + podSelector: + matchLabels: + app: artifactory-ha + nginx: + affinity: {} + artifactoryConf: | + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; + ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + ## server configuration + server { + {{- if .Values.nginx.internalPortHttps }} + listen {{ .Values.nginx.internalPortHttps }} ssl; + {{- else -}} + {{- if .Values.nginx.https.enabled }} + listen {{ .Values.nginx.https.internalPort }} ssl; + {{- end }} + {{- end }} + {{- if .Values.nginx.internalPortHttp }} + listen {{ .Values.nginx.internalPortHttp }}; + {{- else -}} + {{- if .Values.nginx.http.enabled }} + listen {{ .Values.nginx.http.internalPort }}; + {{- end }} + {{- end }} + server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} + {{- range .Values.ingress.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ (splitn "." 2 .)._1 }} {{ . }} + {{- end -}} + {{- end -}}; + + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + ## Application specific logs + ## access_log /var/log/nginx/artifactory-access.log timing; + ## error_log /var/log/nginx/artifactory-error.log; + rewrite ^/artifactory/?$ / redirect; + if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; + } + chunked_transfer_encoding on; + client_max_body_size 0; + + location / { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/; + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location /artifactory/ { + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; + } + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; + } + } + } + customArtifactoryConfigMap: null + customConfigMap: null + enabled: true + gid: 107 + http: + enabled: true + externalPort: 80 + internalPort: 80 + https: + enabled: true + externalPort: 443 + internalPort: 443 + image: + pullPolicy: IfNotPresent + repository: earlyaccess.jfrog.io/nginx-artifactory-pro + labels: {} + livenessProbe: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 60 + path: /router/api/v1/system/health + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 10 + loggers: [] + mainConf: | + # Main Nginx configuration file + worker_processes 4; + error_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 32k; + proxy_buffers 40 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + log_format timing 'ip = $remote_addr ' + 'user = \"$remote_user\" ' + 'local_time = \"$time_local\" ' + 'host = $host ' + 'request = \"$request\" ' + 'status = $status ' + 'bytes = $body_bytes_sent ' + 'upstream = \"$upstream_addr\" ' + 'upstream_time = $upstream_response_time ' + 'request_time = $request_time ' + 'referer = \"$http_referer\" ' + 'UA = \"$http_user_agent\"'; + access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; + sendfile on; + #tcp_nopush on; + keepalive_timeout 65; + #gzip on; + include /etc/nginx/conf.d/*.conf; + } + name: nginx + nodeSelector: {} + persistence: + accessMode: ReadWriteOnce + enabled: false + mountPath: /var/opt/jfrog/nginx + size: 5Gi + readinessProbe: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 10 + path: /router/api/v1/system/health + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 10 + replicaCount: 1 + resources: {} + service: + externalTrafficPolicy: Cluster + labels: {} + loadBalancerIP: null + loadBalancerSourceRanges: [] + type: LoadBalancer + tolerations: [] + uid: 104 + postgresql: + enabled: true + extraEnv: [] + global: + postgresql: {} + image: + debug: false + pullPolicy: IfNotPresent + registry: docker.bintray.io + repository: bitnami/postgresql + tag: 9.6.15-debian-9-r91 + livenessProbe: + enabled: true + failureThreshold: 6 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + master: + affinity: {} + annotations: {} + extraVolumeMounts: [] + extraVolumes: [] + labels: {} + nodeSelector: {} + podAnnotations: {} + podLabels: {} + tolerations: [] + metrics: + enabled: false + image: + pullPolicy: IfNotPresent + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.6.0-debian-9-r0 + livenessProbe: + enabled: true + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + enabled: true + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + enabled: false + runAsUser: 1001 + service: + annotations: + prometheus.io/port: "9187" + prometheus.io/scrape: "true" + loadBalancerIP: null + type: ClusterIP + serviceMonitor: + additionalLabels: {} + enabled: false + networkPolicy: + allowExternal: true + enabled: false + nodeSelector: {} + persistence: + accessModes: + - ReadWriteOnce + annotations: {} + enabled: true + mountPath: /bitnami/postgresql + size: 50Gi + subPath: "" + postgresqlConfiguration: + listenAddresses: '''*''' + maxConnections: "1500" + postgresqlDataDir: /bitnami/postgresql/data + postgresqlDatabase: artifactory + postgresqlPassword: "" + postgresqlUsername: artifactory + readinessProbe: + enabled: true + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + replication: + applicationName: my_application + enabled: false + numSynchronousReplicas: 0 + password: repl_password + slaveReplicas: 1 + synchronousCommit: "off" + user: repl_user + resources: + requests: + cpu: 250m + memory: 256Mi + securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + service: + annotations: {} + port: 5432 + type: ClusterIP + serviceAccount: + enabled: false + slave: + affinity: {} + annotations: {} + extraVolumeMounts: [] + extraVolumes: [] + labels: {} + nodeSelector: {} + podAnnotations: {} + podLabels: {} + tolerations: [] + updateStrategy: + type: RollingUpdate + volumePermissions: + enabled: true + image: + pullPolicy: Always + registry: docker.io + repository: bitnami/minideb + tag: stretch + securityContext: + runAsUser: 0 + rbac: + create: true + role: + rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - watch + - list + serviceAccount: + annotations: {} + create: true + name: null + waitForDatabase: true + diff --git a/Openshift4/artifactory-ha-operator/deploy/imagestream.yaml b/Openshift4/artifactory-ha-operator/deploy/imagestream.yaml new file mode 100644 index 0000000..12d9a2f --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/imagestream.yaml @@ -0,0 +1,6 @@ +apiVersion: image.openshift.io/v1 +kind: ImageStream +metadata: + name: artifactory-ha + namespace: jfrog-artifactory + diff --git a/Openshift4/artifactory-ha-operator/deploy/namespace.yaml b/Openshift4/artifactory-ha-operator/deploy/namespace.yaml new file mode 100644 index 0000000..1be0be1 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/namespace.yaml @@ -0,0 +1,17 @@ +kind: Namespace +apiVersion: v1 +metadata: + name: jfrog-artifactory + selfLink: /api/v1/namespaces/jfrog-artifactory + uid: 402ec7e9-3ca2-11ea-bd94-0ef0e3c74fbe + resourceVersion: '523038' + creationTimestamp: '2020-01-21T23:03:34Z' + annotations: + openshift.io/sa.scc.mcs: 's0:c23,c2' + openshift.io/sa.scc.supplemental-groups: 1000510000/10000 + openshift.io/sa.scc.uid-range: 1000510000/10000 +spec: + finalizers: + - kubernetes +status: + phase: Active diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml new file mode 100644 index 0000000..0a3b20c --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -0,0 +1,745 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "charts.helm.k8s.io/v1alpha1", + "kind": "OpenshiftArtifactoryHa", + "metadata": { + "name": "artifactoryha" + }, + "spec": { + "access": { + "database": { + "maxOpenConnections": 80 + } + }, + "artifactory": { + "accessAdmin": { + "dataKey": null, + "ip": "127.0.0.1", + "password": null, + "secret": null + }, + "annotations": {}, + "binarystore": { + "enabled": true + }, + "catalinaLoggers": [], + "configMapName": null, + "configMaps": "", + "copyOnEveryStartup": null, + "customInitContainers": "", + "customInitContainersBegin": "- name: \"custom-setup\"\n image: \"{{ .Values.initContainerImage }}\"\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", + "customPersistentPodVolumeClaim": {}, + "customPersistentVolumeClaim": {}, + "customSidecarContainers": "", + "customVolumeMounts": "", + "customVolumes": "", + "database": { + "maxOpenConnections": 80 + }, + "deleteDBPropertiesOnStartup": true, + "externalArtifactoryPort": 8081, + "externalPort": 8082, + "haDataDir": { + "enabled": false, + "path": null + }, + "image": { + "pullPolicy": "IfNotPresent", + "repository": "earlyaccess.jfrog.io/artifactory-pro" + }, + "internalArtifactoryPort": 8081, + "internalPort": 8082, + "javaOpts": {}, + "joinKey": "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE", + "license": { + "dataKey": "artifactory.cluster.license", + "licenseKey": null, + "secret": "artifactory-license" + }, + "livenessProbe": { + "enabled": true, + "failureThreshold": 10, + "initialDelaySeconds": 180, + "path": "/router/api/v1/system/health", + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 10 + }, + "loggers": [], + "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "name": "artifactory-ha", + "node": { + "affinity": {}, + "javaOpts": { + "corePoolSize": 16, + "jmx": { + "accessFile": null, + "authenticate": false, + "enabled": false, + "host": null, + "passwordFile": null, + "port": 9010, + "ssl": false + } + }, + "labels": {}, + "minAvailable": 1, + "name": "artifactory-ha-member", + "nodeSelector": {}, + "persistence": { + "existingClaim": false + }, + "podAntiAffinity": { + "topologyKey": "kubernetes.io/hostname", + "type": "" + }, + "replicaCount": 1, + "resources": {}, + "tolerations": [], + "waitForPrimaryStartup": { + "enabled": true, + "time": 60 + } + }, + "persistence": { + "accessMode": "ReadWriteOnce", + "awsS3": { + "bucketName": "artifactory-ha-aws", + "credential": null, + "endpoint": null, + "httpsOnly": true, + "identity": null, + "path": "artifactory-ha/filestore", + "properties": {}, + "refreshCredentials": true, + "region": null, + "roleName": null, + "s3AwsVersion": "AWS4-HMAC-SHA256", + "testConnection": false + }, + "awsS3V3": { + "bucketName": "artifactory-aws", + "cloudFrontDomainName": null, + "cloudFrontKeyPairId": null, + "cloudFrontPrivateKey": null, + "credential": null, + "endpoint": null, + "identity": null, + "kmsCryptoMode": null, + "kmsKeyRegion": null, + "kmsServerSideEncryptionKeyId": null, + "path": "artifactory/filestore", + "region": null, + "signatureExpirySeconds": 300, + "testConnection": false, + "useInstanceCredentials": true, + "usePresigning": false + }, + "azureBlob": { + "accountKey": null, + "accountName": null, + "containerName": null, + "endpoint": null, + "testConnection": false + }, + "binarystoreXml": "{{- if eq .Values.artifactory.persistence.type \"file-system\" }}\n\u003c!-- File system replication --\u003e\n{{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }}\n\u003c!-- File Storage - Dynamic for Artifactory files, pre-created for DATA and BACKUP --\u003e\n\u003cconfig version=\"4\"\u003e\n \u003cchain\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e \u003c!-- This is a cached filestore --\u003e\n \u003cprovider id=\"sharding\" type=\"sharding\"\u003e \u003c!-- This is a sharding provider --\u003e\n {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}}\n \u003csub-provider id=\"shard{{ $sharedClaimNumber }}\" type=\"state-aware\"/\u003e\n {{- end }}\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n // Specify the read and write strategy and redundancy for the sharding binary provider\n \u003cprovider id=\"sharding\" type=\"sharding\"\u003e\n \u003creadBehavior\u003eroundRobin\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003epercentageFreeSpace\u003c/writeBehavior\u003e\n \u003credundancy\u003e2\u003c/redundancy\u003e\n \u003c/provider\u003e\n\n {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}}\n //For each sub-provider (mount), specify the filestore location\n \u003cprovider id=\"shard{{ $sharedClaimNumber }}\" type=\"state-aware\"\u003e\n \u003cfileStoreDir\u003efilestore{{ $sharedClaimNumber }}\u003c/fileStoreDir\u003e\n \u003c/provider\u003e\n {{- end }}\n\u003c/config\u003e\n{{- else }}\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e{{ .Values.artifactory.persistence.redundancy }}\u003c/redundancy\u003e\n \u003clenientLimit\u003e2\u003c/lenientLimit\u003e\n \u003cminSpareUploaderExecutor\u003e2\u003c/minSpareUploaderExecutor\u003e\n \u003csub-provider id=\"state-aware\" type=\"state-aware\"/\u003e\n \u003cdynamic-provider id=\"remote\" type=\"remote\"/\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n \u003c!-- Shards add local file-system provider configuration --\u003e\n \u003cprovider id=\"state-aware\" type=\"state-aware\"\u003e\n \u003cfileStoreDir\u003eshard-fs-1\u003c/fileStoreDir\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003c!-- Shards dynamic remote provider configuration --\u003e\n \u003cprovider id=\"remote\" type=\"remote\"\u003e\n \u003ccheckPeriod\u003e30\u003c/checkPeriod\u003e\n \u003cserviceId\u003etester-remote1\u003c/serviceId\u003e\n \u003ctimeout\u003e10000\u003c/timeout\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003cproperty name=\"header.remote.block\" value=\"true\"/\u003e\n \u003c/provider\u003e\n\u003c/config\u003e\n{{- end }}\n{{- end }}\n{{- if eq .Values.artifactory.persistence.type \"google-storage\" }}\n\u003c!-- Google storage --\u003e\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e{{ .Values.artifactory.persistence.redundancy }}\u003c/redundancy\u003e\n \u003cminSpareUploaderExecutor\u003e2\u003c/minSpareUploaderExecutor\u003e\n \u003csub-provider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003cprovider id=\"retry\" type=\"retry\"\u003e\n \u003cprovider id=\"google-storage\" type=\"google-storage\"/\u003e\n \u003c/provider\u003e\n \u003c/sub-provider\u003e\n \u003cdynamic-provider id=\"remote\" type=\"remote\"/\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003c!-- Set max cache-fs size --\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"remote\" type=\"remote\"\u003e\n \u003ccheckPeriod\u003e30\u003c/checkPeriod\u003e\n \u003ctimeout\u003e10000\u003c/timeout\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"file-system\" type=\"file-system\"\u003e\n \u003cfileStoreDir\u003e{{ .Values.artifactory.persistence.mountPath }}/data/filestore\u003c/fileStoreDir\u003e\n \u003ctempDir\u003e/tmp\u003c/tempDir\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"google-storage\" type=\"google-storage\"\u003e\n \u003cproviderId\u003egoogle-cloud-storage\u003c/providerId\u003e\n \u003cendpoint\u003e{{ .Values.artifactory.persistence.googleStorage.endpoint }}\u003c/endpoint\u003e\n \u003chttpsOnly\u003e{{ .Values.artifactory.persistence.googleStorage.httpsOnly }}\u003c/httpsOnly\u003e\n \u003cbucketName\u003e{{ .Values.artifactory.persistence.googleStorage.bucketName }}\u003c/bucketName\u003e\n \u003cidentity\u003e{{ .Values.artifactory.persistence.googleStorage.identity }}\u003c/identity\u003e\n \u003ccredential\u003e{{ .Values.artifactory.persistence.googleStorage.credential }}\u003c/credential\u003e\n \u003cpath\u003e{{ .Values.artifactory.persistence.googleStorage.path }}\u003c/path\u003e\n \u003cbucketExists\u003e{{ .Values.artifactory.persistence.googleStorage.bucketExists }}\u003c/bucketExists\u003e\n \u003c/provider\u003e\n\u003c/config\u003e\n{{- end }}\n{{- if eq .Values.artifactory.persistence.type \"aws-s3-v3\" }}\n\u003c!-- AWS S3 V3 --\u003e\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e \u003c!--template=\"cluster-s3-storage-v3\"--\u003e\n \u003cprovider id=\"cache-fs-eventual-s3\" type=\"cache-fs\"\u003e\n \u003cprovider id=\"sharding-cluster-eventual-s3\" type=\"sharding-cluster\"\u003e\n \u003csub-provider id=\"eventual-cluster-s3\" type=\"eventual-cluster\"\u003e\n \u003cprovider id=\"retry-s3\" type=\"retry\"\u003e\n \u003cprovider id=\"s3-storage-v3\" type=\"s3-storage-v3\"/\u003e\n \u003c/provider\u003e\n \u003c/sub-provider\u003e\n \u003cdynamic-provider id=\"remote-s3\" type=\"remote\"/\u003e\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003cprovider id=\"sharding-cluster-eventual-s3\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e{{ .Values.artifactory.persistence.redundancy }}\u003c/redundancy\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"remote-s3\" type=\"remote\"\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"eventual-cluster-s3\" type=\"eventual-cluster\"\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003c!-- Set max cache-fs size --\u003e\n \u003cprovider id=\"cache-fs-eventual-s3\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n {{- with .Values.artifactory.persistence.awsS3V3 }}\n \u003cprovider id=\"s3-storage-v3\" type=\"s3-storage-v3\"\u003e\n \u003ctestConnection\u003e{{ .testConnection }}\u003c/testConnection\u003e\n {{- if .identity }}\n \u003cidentity\u003e{{ .identity }}\u003c/identity\u003e\n {{- end }}\n {{- if .credential }}\n \u003ccredential\u003e{{ .credential }}\u003c/credential\u003e\n {{- end }}\n \u003cregion\u003e{{ .region }}\u003c/region\u003e\n \u003cbucketName\u003e{{ .bucketName }}\u003c/bucketName\u003e\n \u003cpath\u003e{{ .path }}\u003c/path\u003e\n \u003cendpoint\u003e{{ .endpoint }}\u003c/endpoint\u003e\n {{- with .kmsServerSideEncryptionKeyId }}\n \u003ckmsServerSideEncryptionKeyId\u003e{{ . }}\u003c/kmsServerSideEncryptionKeyId\u003e\n {{- end }}\n {{- with .kmsKeyRegion }}\n \u003ckmsKeyRegion\u003e{{ . }}\u003c/kmsKeyRegion\u003e\n {{- end }}\n {{- with .kmsCryptoMode }}\n \u003ckmsCryptoMode\u003e{{ . }}\u003c/kmsCryptoMode\u003e\n {{- end }}\n \u003cuseInstanceCredentials\u003etrue\u003c/useInstanceCredentials\u003e\n \u003cusePresigning\u003e{{ .usePresigning }}\u003c/usePresigning\u003e\n \u003csignatureExpirySeconds\u003e{{ .signatureExpirySeconds }}\u003c/signatureExpirySeconds\u003e\n {{- with .cloudFrontDomainName }}\n \u003ccloudFrontDomainName\u003e{{ . }}\u003c/cloudFrontDomainName\u003e\n {{- end }}\n {{- with .cloudFrontKeyPairId }}\n \u003ccloudFrontKeyPairId\u003e{{ .cloudFrontKeyPairId }}\u003c/cloudFrontKeyPairId\u003e\n {{- end }}\n {{- with .cloudFrontPrivateKey }}\n \u003ccloudFrontPrivateKey\u003e{{ . }}\u003c/cloudFrontPrivateKey\u003e\n {{- end }}\n \u003c/provider\u003e\n {{- end }}\n\u003c/config\u003e\n{{- end }}\n\n{{- if eq .Values.artifactory.persistence.type \"aws-s3\" }}\n\u003c!-- AWS S3 --\u003e\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e \u003c!--template=\"cluster-s3\"--\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003csub-provider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003cprovider id=\"retry-s3\" type=\"retry\"\u003e\n \u003cprovider id=\"s3\" type=\"s3\"/\u003e\n \u003c/provider\u003e\n \u003c/sub-provider\u003e\n \u003cdynamic-provider id=\"remote\" type=\"remote\"/\u003e\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003c!-- Set max cache-fs size --\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"remote\" type=\"remote\"\u003e\n \u003ccheckPeriod\u003e30\u003c/checkPeriod\u003e\n \u003ctimeout\u003e10000\u003c/timeout\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e{{ .Values.artifactory.persistence.redundancy }}\u003c/redundancy\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"s3\" type=\"s3\"\u003e\n \u003cendpoint\u003e{{ .Values.artifactory.persistence.awsS3.endpoint }}\u003c/endpoint\u003e\n {{- if .Values.artifactory.persistence.awsS3.roleName }}\n \u003croleName\u003e{{ .Values.artifactory.persistence.awsS3.roleName }}\u003c/roleName\u003e\n \u003crefreshCredentials\u003etrue\u003c/refreshCredentials\u003e\n {{- else }}\n \u003crefreshCredentials\u003e{{ .Values.artifactory.persistence.awsS3.refreshCredentials }}\u003c/refreshCredentials\u003e\n {{- end }}\n \u003cs3AwsVersion\u003e{{ .Values.artifactory.persistence.awsS3.s3AwsVersion }}\u003c/s3AwsVersion\u003e\n \u003ctestConnection\u003e{{ .Values.artifactory.persistence.awsS3.testConnection }}\u003c/testConnection\u003e\n \u003chttpsOnly\u003e{{ .Values.artifactory.persistence.awsS3.httpsOnly }}\u003c/httpsOnly\u003e\n \u003cregion\u003e{{ .Values.artifactory.persistence.awsS3.region }}\u003c/region\u003e\n \u003cbucketName\u003e{{ .Values.artifactory.persistence.awsS3.bucketName }}\u003c/bucketName\u003e\n {{- if .Values.artifactory.persistence.awsS3.identity }}\n \u003cidentity\u003e{{ .Values.artifactory.persistence.awsS3.identity }}\u003c/identity\u003e\n {{- end }}\n {{- if .Values.artifactory.persistence.awsS3.credential }}\n \u003ccredential\u003e{{ .Values.artifactory.persistence.awsS3.credential }}\u003c/credential\u003e\n {{- end }}\n \u003cpath\u003e{{ .Values.artifactory.persistence.awsS3.path }}\u003c/path\u003e\n {{- range $key, $value := .Values.artifactory.persistence.awsS3.properties }}\n \u003cproperty name=\"{{ $key }}\" value=\"{{ $value }}\"/\u003e\n {{- end }}\n \u003c/provider\u003e\n\u003c/config\u003e\n{{- end }}\n{{- if eq .Values.artifactory.persistence.type \"azure-blob\" }}\n\u003c!-- Azure Blob Storage --\u003e\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e \u003c!--template=\"cluster-azure-blob-storage\"--\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003csub-provider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003cprovider id=\"retry-azure-blob-storage\" type=\"retry\"\u003e\n \u003cprovider id=\"azure-blob-storage\" type=\"azure-blob-storage\"/\u003e\n \u003c/provider\u003e\n \u003c/sub-provider\u003e\n \u003cdynamic-provider id=\"remote\" type=\"remote\"/\u003e\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003c!-- Set max cache-fs size --\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n \u003c!-- cluster eventual Azure Blob Storage Service default chain --\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e2\u003c/redundancy\u003e\n \u003clenientLimit\u003e1\u003c/lenientLimit\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"remote\" type=\"remote\"\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003c!--cluster eventual template--\u003e\n \u003cprovider id=\"azure-blob-storage\" type=\"azure-blob-storage\"\u003e\n \u003caccountName\u003e{{ .Values.artifactory.persistence.azureBlob.accountName }}\u003c/accountName\u003e\n \u003caccountKey\u003e{{ .Values.artifactory.persistence.azureBlob.accountKey }}\u003c/accountKey\u003e\n \u003cendpoint\u003e{{ .Values.artifactory.persistence.azureBlob.endpoint }}\u003c/endpoint\u003e\n \u003ccontainerName\u003e{{ .Values.artifactory.persistence.azureBlob.containerName }}\u003c/containerName\u003e\n \u003ctestConnection\u003e{{ .Values.artifactory.persistence.azureBlob.testConnection }}\u003c/testConnection\u003e\n \u003c/provider\u003e\n\u003c/config\u003e\n{{- end }}\n", + "cacheProviderDir": "cache", + "customBinarystoreXmlSecret": null, + "enabled": true, + "eventual": { + "numberOfThreads": 10 + }, + "fileSystem": { + "existingSharedClaim": { + "backupDir": "/var/opt/jfrog/artifactory-backup", + "dataDir": "{{ .Values.artifactory.persistence.mountPath }}/artifactory-data", + "enabled": false, + "numberOfExistingClaims": 1 + } + }, + "googleStorage": { + "bucketExists": false, + "bucketName": "artifactory-ha-gcp", + "credential": null, + "endpoint": "storage.googleapis.com", + "httpsOnly": false, + "identity": null, + "path": "artifactory-ha/filestore" + }, + "local": false, + "maxCacheSize": 50000000000, + "mountPath": "/var/opt/jfrog/artifactory", + "nfs": { + "backupDir": "/var/opt/jfrog/artifactory-backup", + "capacity": "200Gi", + "dataDir": "/var/opt/jfrog/artifactory-ha", + "haBackupMount": "/backup", + "haDataMount": "/data", + "ip": null, + "mountOptions": [] + }, + "redundancy": 3, + "size": "200Gi", + "type": "file-system" + }, + "primary": { + "affinity": {}, + "javaOpts": { + "corePoolSize": 16, + "jmx": { + "accessFile": null, + "authenticate": false, + "enabled": false, + "host": null, + "passwordFile": null, + "port": 9010, + "ssl": false + } + }, + "labels": {}, + "name": "artifactory-ha-primary", + "nodeSelector": {}, + "persistence": { + "existingClaim": false + }, + "podAntiAffinity": { + "topologyKey": "kubernetes.io/hostname", + "type": "" + }, + "resources": {}, + "tolerations": [] + }, + "priorityClass": { + "create": false, + "value": 1000000000 + }, + "readinessProbe": { + "enabled": true, + "failureThreshold": 10, + "initialDelaySeconds": 60, + "path": "/router/api/v1/system/health", + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 10 + }, + "service": { + "annotations": {}, + "loadBalancerSourceRanges": [], + "name": "artifactory", + "pool": "members", + "type": "ClusterIP" + }, + "systemYaml": "shared:\n extraJavaOpts: \u003e\n {{- with .Values.artifactory.primary.javaOpts }}\n -Dartifactory.async.corePoolSize={{ .corePoolSize }}\n {{- if .xms }}\n -Xms{{ .xms }}\n {{- end }}\n {{- if .xmx }}\n -Xmx{{ .xmx }}\n {{- end }}\n {{- if .jmx.enabled }}\n -Dcom.sun.management.jmxremote\n -Dcom.sun.management.jmxremote.port={{ .jmx.port }}\n -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }}\n -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }}\n {{- if .jmx.host }}\n -Djava.rmi.server.hostname={{ tpl .jmx.host $ }}\n {{- else }}\n -Djava.rmi.server.hostname={{ template \"artifactory-ha.fullname\" $ }}\n {{- end }}\n {{- if .jmx.authenticate }}\n -Dcom.sun.management.jmxremote.authenticate=true\n -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }}\n -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }}\n {{- else }}\n -Dcom.sun.management.jmxremote.authenticate=false\n {{- end }}\n {{- end }}\n {{- if .other }}\n {{ .other }}\n {{- end }}\n {{- end }}\n database:\n {{- if .Values.postgresql.enabled }}\n type: postgresql\n url: 'jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}'\n host: ''\n driver: org.postgresql.Driver\n username: '{{ .Values.postgresql.postgresqlUsername }}'\n password: '{{ .Values.postgresql.postgresqlPassword }}'\n {{ else }}\n type: '{{ .Values.database.type }}'\n url: '{{ .Values.database.url }}'\n driver: '{{ .Values.database.driver }}'\n username: '{{ .Values.database.user }}'\n password: '{{ .Values.database.password }}'\n {{- end }}\n security:\n joinKey: '{{ .Values.artifactory.joinKey }}'\n masterKey: '{{ .Values.artifactory.masterKey }}'\nartifactory:\n{{- if .Values.artifactory.haDataDir.enabled }}\n node:\n haDataDir: {{ .Values.artifactory.haDataDir.path }}\n{{- end }}\n database:\n maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }}\naccess:\n database:\n maxOpenConnections: '{{ .Values.access.database.maxOpenConnections }}'\n {{- if .Values.access.database.enabled }}\n type: '{{ .Values.access.database.type }}'\n url: '{{ .Values.access.database.url }}'\n driver: '{{ .Values.access.database.driver }}'\n username: '{{ .Values.access.database.user }}'\n password: '{{ .Values.access.database.password }}'\n {{- end }}\n", + "terminationGracePeriodSeconds": 30, + "uid": 1030, + "userPluginSecrets": null + }, + "database": { + "driver": null, + "password": null, + "secrets": {}, + "type": null, + "url": null, + "user": null + }, + "filebeat": { + "enabled": false, + "filebeatYml": "logging.level: info\npath.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat\nname: artifactory-filebeat\nqueue.spool: ~\nfilebeat.inputs:\n- type: log\n enabled: true\n close_eof: ${CLOSE:false}\n paths:\n - {{ .Values.artifactory.persistence.mountPath }}/log/*.log\n fields:\n service: \"jfrt\"\n log_type: \"artifactory\"\noutput:\n logstash:\n hosts: [\"{{ .Values.filebeat.logstashUrl }}\"]\n", + "image": { + "repository": "docker.elastic.co/beats/filebeat", + "version": "7.5.1" + }, + "livenessProbe": { + "exec": { + "command": [ + "sh", + "-c", + "#!/usr/bin/env bash -e\ncurl --fail 127.0.0.1:5066\n" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "timeoutSeconds": 5 + }, + "logstashUrl": "logstash:5044", + "name": "artifactory-filebeat", + "readinessProbe": { + "exec": { + "command": [ + "sh", + "-c", + "#!/usr/bin/env bash -e\nfilebeat test output\n" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "timeoutSeconds": 5 + }, + "resources": {}, + "terminationGracePeriod": 10 + }, + "imagePullSecrets": null, + "ingress": { + "additionalRules": [], + "annotations": {}, + "artifactoryPath": "/artifactory/", + "defaultBackend": { + "enabled": true + }, + "enabled": false, + "hosts": [], + "labels": {}, + "routerPath": "/", + "tls": [] + }, + "initContainerImage": "alpine:3.10", + "initContainers": { + "resources": {} + }, + "installer": { + "platform": null, + "type": null + }, + "logger": { + "image": { + "repository": "busybox", + "tag": "1.30" + } + }, + "networkpolicy": [ + { + "egress": [ + {} + ], + "ingress": [ + {} + ], + "name": "artifactory", + "podSelector": { + "matchLabels": { + "app": "artifactory-ha" + } + } + } + ], + "nginx": { + "affinity": {}, + "artifactoryConf": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\nssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt;\nssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key;\nssl_session_cache shared:SSL:1m;\nssl_prefer_server_ciphers on;\n## server configuration\nserver {\n {{- if .Values.nginx.internalPortHttps }}\n listen {{ .Values.nginx.internalPortHttps }} ssl;\n {{- else -}}\n {{- if .Values.nginx.https.enabled }}\n listen {{ .Values.nginx.https.internalPort }} ssl;\n {{- end }}\n {{- end }}\n {{- if .Values.nginx.internalPortHttp }}\n listen {{ .Values.nginx.internalPortHttp }};\n {{- else -}}\n {{- if .Values.nginx.http.enabled }}\n listen {{ .Values.nginx.http.internalPort }};\n {{- end }}\n {{- end }}\n server_name ~(?\u003crepo\u003e.+)\\.{{ include \"artifactory-ha.fullname\" . }} {{ include \"artifactory-ha.fullname\" . }}\n {{- range .Values.ingress.hosts -}}\n {{- if contains \".\" . -}}\n {{ \"\" | indent 0 }} ~(?\u003crepo\u003e.+)\\.{{ (splitn \".\" 2 .)._1 }} {{ . }}\n {{- end -}}\n {{- end -}};\n\n if ($http_x_forwarded_proto = '') {\n set $http_x_forwarded_proto $scheme;\n }\n ## Application specific logs\n ## access_log /var/log/nginx/artifactory-access.log timing;\n ## error_log /var/log/nginx/artifactory-error.log;\n rewrite ^/artifactory/?$ / redirect;\n if ( $repo != \"\" ) {\n rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break;\n }\n chunked_transfer_encoding on;\n client_max_body_size 0;\n\n location / {\n proxy_read_timeout 900;\n proxy_pass_header Server;\n proxy_cookie_path ~*^/.* /;\n proxy_pass http://{{ include \"artifactory-ha.fullname\" . }}:{{ .Values.artifactory.externalPort }}/;\n proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;\n proxy_set_header X-Forwarded-Port $server_port;\n proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;\n proxy_set_header Host $http_host;\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n\n location /artifactory/ {\n if ( $request_uri ~ ^/artifactory/(.*)$ ) {\n proxy_pass http://{{ include \"artifactory-ha.fullname\" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1;\n }\n proxy_pass http://{{ include \"artifactory-ha.fullname\" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/;\n }\n }\n}\n", + "customArtifactoryConfigMap": null, + "customConfigMap": null, + "enabled": true, + "gid": 107, + "http": { + "enabled": true, + "externalPort": 80, + "internalPort": 80 + }, + "https": { + "enabled": true, + "externalPort": 443, + "internalPort": 443 + }, + "image": { + "pullPolicy": "IfNotPresent", + "repository": "earlyaccess.jfrog.io/nginx-artifactory-pro" + }, + "labels": {}, + "livenessProbe": { + "enabled": true, + "failureThreshold": 10, + "initialDelaySeconds": 60, + "path": "/router/api/v1/system/health", + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 10 + }, + "loggers": [], + "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \\\"$remote_user\\\" '\n 'local_time = \\\"$time_local\\\" '\n 'host = $host '\n 'request = \\\"$request\\\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \\\"$upstream_addr\\\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \\\"$http_referer\\\" '\n 'UA = \\\"$http_user_agent\\\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include /etc/nginx/conf.d/*.conf;\n}\n", + "name": "nginx", + "nodeSelector": {}, + "persistence": { + "accessMode": "ReadWriteOnce", + "enabled": false, + "mountPath": "/var/opt/jfrog/nginx", + "size": "5Gi" + }, + "readinessProbe": { + "enabled": true, + "failureThreshold": 10, + "initialDelaySeconds": 10, + "path": "/router/api/v1/system/health", + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 10 + }, + "replicaCount": 1, + "resources": {}, + "service": { + "externalTrafficPolicy": "Cluster", + "labels": {}, + "loadBalancerIP": null, + "loadBalancerSourceRanges": [], + "type": "LoadBalancer" + }, + "tolerations": [], + "uid": 104 + }, + "postgresql": { + "enabled": true, + "extraEnv": [], + "global": { + "postgresql": {} + }, + "image": { + "debug": false, + "pullPolicy": "IfNotPresent", + "registry": "docker.bintray.io", + "repository": "bitnami/postgresql", + "tag": "9.6.15-debian-9-r91" + }, + "livenessProbe": { + "enabled": true, + "failureThreshold": 6, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "master": { + "affinity": {}, + "annotations": {}, + "extraVolumeMounts": [], + "extraVolumes": [], + "labels": {}, + "nodeSelector": {}, + "podAnnotations": {}, + "podLabels": {}, + "tolerations": [] + }, + "metrics": { + "enabled": false, + "image": { + "pullPolicy": "IfNotPresent", + "registry": "docker.io", + "repository": "bitnami/postgres-exporter", + "tag": "0.6.0-debian-9-r0" + }, + "livenessProbe": { + "enabled": true, + "failureThreshold": 6, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "readinessProbe": { + "enabled": true, + "failureThreshold": 6, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "securityContext": { + "enabled": false, + "runAsUser": 1001 + }, + "service": { + "annotations": { + "prometheus.io/port": "9187", + "prometheus.io/scrape": "true" + }, + "loadBalancerIP": null, + "type": "ClusterIP" + }, + "serviceMonitor": { + "additionalLabels": {}, + "enabled": false + } + }, + "networkPolicy": { + "allowExternal": true, + "enabled": false + }, + "nodeSelector": {}, + "persistence": { + "accessModes": [ + "ReadWriteOnce" + ], + "annotations": {}, + "enabled": true, + "mountPath": "/bitnami/postgresql", + "size": "50Gi", + "subPath": "" + }, + "postgresqlConfiguration": { + "listenAddresses": "'*'", + "maxConnections": "1500" + }, + "postgresqlDataDir": "/bitnami/postgresql/data", + "postgresqlDatabase": "artifactory", + "postgresqlPassword": "", + "postgresqlUsername": "artifactory", + "readinessProbe": { + "enabled": true, + "failureThreshold": 6, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "replication": { + "applicationName": "my_application", + "enabled": false, + "numSynchronousReplicas": 0, + "password": "repl_password", + "slaveReplicas": 1, + "synchronousCommit": "off", + "user": "repl_user" + }, + "resources": { + "requests": { + "cpu": "250m", + "memory": "256Mi" + } + }, + "securityContext": { + "enabled": true, + "fsGroup": 1001, + "runAsUser": 1001 + }, + "service": { + "annotations": {}, + "port": 5432, + "type": "ClusterIP" + }, + "serviceAccount": { + "enabled": false + }, + "slave": { + "affinity": {}, + "annotations": {}, + "extraVolumeMounts": [], + "extraVolumes": [], + "labels": {}, + "nodeSelector": {}, + "podAnnotations": {}, + "podLabels": {}, + "tolerations": [] + }, + "updateStrategy": { + "type": "RollingUpdate" + }, + "volumePermissions": { + "enabled": true, + "image": { + "pullPolicy": "Always", + "registry": "docker.io", + "repository": "bitnami/minideb", + "tag": "stretch" + }, + "securityContext": { + "runAsUser": 0 + } + } + }, + "rbac": { + "create": true, + "role": { + "rules": [ + { + "apiGroups": [ + "" + ], + "resources": [ + "services", + "endpoints", + "pods" + ], + "verbs": [ + "get", + "watch", + "list" + ] + } + ] + } + }, + "serviceAccount": { + "annotations": {}, + "create": true, + "name": null + }, + "waitForDatabase": true + } + } + ] + capabilities: Basic Install + name: artifactory-ha-operator.v1.0.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: {} + description: Openshift 4 Operator to deploy JFrog Artifactory-HA + displayName: JFrog Artifactory-HA Operator + provider: + name: JFrog + links: + - name: JFrog + url: http://www.jfrog.com + icon: + - base64data: iVBORw0KGgoAAAANSUhEUgAAAMkAAADCCAYAAADjAebGAAAKN2lDQ1BzUkdCIElFQzYxOTY2LTIuMQAAeJydlndUU9kWh8+9N71QkhCKlNBraFICSA29SJEuKjEJEErAkAAiNkRUcERRkaYIMijggKNDkbEiioUBUbHrBBlE1HFwFBuWSWStGd+8ee/Nm98f935rn73P3Wfvfda6AJD8gwXCTFgJgAyhWBTh58WIjYtnYAcBDPAAA2wA4HCzs0IW+EYCmQJ82IxsmRP4F726DiD5+yrTP4zBAP+flLlZIjEAUJiM5/L42VwZF8k4PVecJbdPyZi2NE3OMErOIlmCMlaTc/IsW3z2mWUPOfMyhDwZy3PO4mXw5Nwn4405Er6MkWAZF+cI+LkyviZjg3RJhkDGb+SxGXxONgAoktwu5nNTZGwtY5IoMoIt43kA4EjJX/DSL1jMzxPLD8XOzFouEiSniBkmXFOGjZMTi+HPz03ni8XMMA43jSPiMdiZGVkc4XIAZs/8WRR5bRmyIjvYODk4MG0tbb4o1H9d/JuS93aWXoR/7hlEH/jD9ld+mQ0AsKZltdn6h21pFQBd6wFQu/2HzWAvAIqyvnUOfXEeunxeUsTiLGcrq9zcXEsBn2spL+jv+p8Of0NffM9Svt3v5WF485M4knQxQ143bmZ6pkTEyM7icPkM5p+H+B8H/nUeFhH8JL6IL5RFRMumTCBMlrVbyBOIBZlChkD4n5r4D8P+pNm5lona+BHQllgCpSEaQH4eACgqESAJe2Qr0O99C8ZHA/nNi9GZmJ37z4L+fVe4TP7IFiR/jmNHRDK4ElHO7Jr8WgI0IABFQAPqQBvoAxPABLbAEbgAD+ADAkEoiARxYDHgghSQAUQgFxSAtaAYlIKtYCeoBnWgETSDNnAYdIFj4DQ4By6By2AE3AFSMA6egCnwCsxAEISFyBAVUod0IEPIHLKFWJAb5AMFQxFQHJQIJUNCSAIVQOugUqgcqobqoWboW+godBq6AA1Dt6BRaBL6FXoHIzAJpsFasBFsBbNgTzgIjoQXwcnwMjgfLoK3wJVwA3wQ7oRPw5fgEVgKP4GnEYAQETqiizARFsJGQpF4JAkRIauQEqQCaUDakB6kH7mKSJGnyFsUBkVFMVBMlAvKHxWF4qKWoVahNqOqUQdQnag+1FXUKGoK9RFNRmuizdHO6AB0LDoZnYsuRlegm9Ad6LPoEfQ4+hUGg6FjjDGOGH9MHCYVswKzGbMb0445hRnGjGGmsVisOtYc64oNxXKwYmwxtgp7EHsSewU7jn2DI+J0cLY4X1w8TogrxFXgWnAncFdwE7gZvBLeEO+MD8Xz8MvxZfhGfA9+CD+OnyEoE4wJroRIQiphLaGS0EY4S7hLeEEkEvWITsRwooC4hlhJPEQ8TxwlviVRSGYkNimBJCFtIe0nnSLdIr0gk8lGZA9yPFlM3kJuJp8h3ye/UaAqWCoEKPAUVivUKHQqXFF4pohXNFT0VFysmK9YoXhEcUjxqRJeyUiJrcRRWqVUo3RU6YbStDJV2UY5VDlDebNyi/IF5UcULMWI4kPhUYoo+yhnKGNUhKpPZVO51HXURupZ6jgNQzOmBdBSaaW0b2iDtCkVioqdSrRKnkqNynEVKR2hG9ED6On0Mvph+nX6O1UtVU9Vvuom1TbVK6qv1eaoeajx1UrU2tVG1N6pM9R91NPUt6l3qd/TQGmYaYRr5Grs0Tir8XQObY7LHO6ckjmH59zWhDXNNCM0V2ju0xzQnNbS1vLTytKq0jqj9VSbru2hnaq9Q/uE9qQOVcdNR6CzQ+ekzmOGCsOTkc6oZPQxpnQ1df11Jbr1uoO6M3rGelF6hXrtevf0Cfos/ST9Hfq9+lMGOgYhBgUGrQa3DfGGLMMUw12G/YavjYyNYow2GHUZPTJWMw4wzjduNb5rQjZxN1lm0mByzRRjyjJNM91tetkMNrM3SzGrMRsyh80dzAXmu82HLdAWThZCiwaLG0wS05OZw2xljlrSLYMtCy27LJ9ZGVjFW22z6rf6aG1vnW7daH3HhmITaFNo02Pzq62ZLde2xvbaXPJc37mr53bPfW5nbse322N3055qH2K/wb7X/oODo4PIoc1h0tHAMdGx1vEGi8YKY21mnXdCO3k5rXY65vTW2cFZ7HzY+RcXpkuaS4vLo3nG8/jzGueNueq5clzrXaVuDLdEt71uUnddd457g/sDD30PnkeTx4SnqWeq50HPZ17WXiKvDq/XbGf2SvYpb8Tbz7vEe9CH4hPlU+1z31fPN9m31XfKz95vhd8pf7R/kP82/xsBWgHcgOaAqUDHwJWBfUGkoAVB1UEPgs2CRcE9IXBIYMj2kLvzDecL53eFgtCA0O2h98KMw5aFfR+OCQ8Lrwl/GGETURDRv4C6YMmClgWvIr0iyyLvRJlESaJ6oxWjE6Kbo1/HeMeUx0hjrWJXxl6K04gTxHXHY+Oj45vipxf6LNy5cDzBPqE44foi40V5iy4s1licvvj4EsUlnCVHEtGJMYktie85oZwGzvTSgKW1S6e4bO4u7hOeB28Hb5Lvyi/nTyS5JpUnPUp2Td6ePJninlKR8lTAFlQLnqf6p9alvk4LTduf9ik9Jr09A5eRmHFUSBGmCfsytTPzMoezzLOKs6TLnJftXDYlChI1ZUPZi7K7xTTZz9SAxESyXjKa45ZTk/MmNzr3SJ5ynjBvYLnZ8k3LJ/J9879egVrBXdFboFuwtmB0pefK+lXQqqWrelfrry5aPb7Gb82BtYS1aWt/KLQuLC98uS5mXU+RVtGaorH1futbixWKRcU3NrhsqNuI2ijYOLhp7qaqTR9LeCUXS61LK0rfb+ZuvviVzVeVX33akrRlsMyhbM9WzFbh1uvb3LcdKFcuzy8f2x6yvXMHY0fJjpc7l+y8UGFXUbeLsEuyS1oZXNldZVC1tep9dUr1SI1XTXutZu2m2te7ebuv7PHY01anVVda926vYO/Ner/6zgajhop9mH05+x42Rjf2f836urlJo6m06cN+4X7pgYgDfc2Ozc0tmi1lrXCrpHXyYMLBy994f9Pdxmyrb6e3lx4ChySHHn+b+O31w0GHe4+wjrR9Z/hdbQe1o6QT6lzeOdWV0iXtjusePhp4tLfHpafje8vv9x/TPVZzXOV42QnCiaITn07mn5w+lXXq6enk02O9S3rvnIk9c60vvG/wbNDZ8+d8z53p9+w/ed71/LELzheOXmRd7LrkcKlzwH6g4wf7HzoGHQY7hxyHui87Xe4Znjd84or7ldNXva+euxZw7dLI/JHh61HXb95IuCG9ybv56Fb6ree3c27P3FlzF3235J7SvYr7mvcbfjT9sV3qID0+6j068GDBgztj3LEnP2X/9H686CH5YcWEzkTzI9tHxyZ9Jy8/Xvh4/EnWk5mnxT8r/1z7zOTZd794/DIwFTs1/lz0/NOvm1+ov9j/0u5l73TY9P1XGa9mXpe8UX9z4C3rbf+7mHcTM7nvse8rP5h+6PkY9PHup4xPn34D94Tz+49wZioAAAAJcEhZcwAACxIAAAsSAdLdfvwAACAASURBVHic7V0HfBzF1Z83u3un5iLJGGzAdoyDgWDAgIxtSdd0xZiaxEASWiDARw9gei8hQCghhN5CJ4BDMHGMdbqiU7ExpgZCb4ZgTLFsg2Wr3O18792d7JN0ZfeaTvb9f7/T3u3N7oz25j/z3swrshCCEfg1nJvqG44F4HWMCQlPrwQmWgKt3oB6laqyIorYRiHTnzBBTI6ngLGjIqeBAUSOZpNjpdXrvDLg8DyuqqoYuqYWUcTQIEwSU73jtC0EGYSJjMOjZq/jQL6AH6POU0N5bF8RGaDe49pHkthM/G27u4W6eKmt6ZuhbtNwhIwdXzJX2y+hWSMFfmWqtv8Xj3/IQ7uKyBA4+58uS3BX32cj8A6LxzWz2d740VC2azhCrhtl3QcJsqOWwiiEzZ+1ZNYdy+Ys+yHXDUsEi98+Gxi/HlszDT/2oO60Aph6p9/W1DRUbSpIcDhnwJkq4OIsPJ49FM0pFNQ8UKNUTKk6hgl2NHZo7PusmwnxzKqelZd8MOeD7njXyAByhY46RpcYR/4Sj3/LSot1YrbPsb0RpCX4dkTfOdSdDsUecbDJ63S1NLg9Q9GuAsXYOOd2zXsrCgjYR+oqplQ+xOg5xApOAOeOM0wche9+F+86uWNd72tjqpW1+L5SS0VCCAsbIpIYGduXxRAkBpxzQJGRFUmyBV/ia1S/MwAdQ9OUoYfF7/qFxOEZFtXDBwIATqh1225od/o+Hvid/PY83wazx3UEl9jf8fOYVJXhzeKNUHlBD4j/GBgLsjj/KA4M+wxBkwoWgrHX8Jns2e+cUP89VO0ZSuy70DZ61EiFZpC4BIkCFFk6AI+DSUJ/AvZGr7nRvBdXjH9DFriSVym+zKC9GaHd6vnK6nNdhoy4kQ1caRCsqJDGAAmxAIAfv/kzY6+0tIaeYbahbNXQYNRI+Qg8jE5VTgj4Pt75zcwKuAJfo8xyoNlrPxP73014qjTefdQQPJp2a7MAv63xT1av8yVUTC/Ej7/Gl4Sv7pAQFw9luwoNAVvTIqvfebpgMA9//f91bgzOV6/yBYe6XUMD2FdDoVWre1c2x/ui3/QT3Sz8a73f7paF9CiO1QfEfi8EuwFnnfa025ol+Bvcb+PhWLPPcQMwOIKB+lJLg+eVoW5XocFvdd+Dh3uGuh0FgGRiVh/OT7i6Fe9kq9XzAb/GVmcyKSehTHMkztUGlbEHA7bGRzJpabaBo+W7eLhmqNtRRKFDvJtsHxBnhvuarY1PJ/o+IcOiU/O90VcRRQxbbOgMPl5RrvyekfVIf3QIIe5oaQ1ez6yJr9cyDRVRxLDGioN939csqtmjvLxqDgh1Jyagi4F47/uO1cvfnvd2T6rFjIxJYvU5rAz4efiW9JdynLw+wEb8vadjw1/b57VvyvT+abRnlgB+C74tYaq4trnBvTDfbSgUYMcoKy+tPETt7nK3zG1ZO9TtGUqsOHjFRjw8n861GZHE4nedA8BvY/0EPpiOn6YbqiuOq3XbDo+3OZMrWNyWnUExvgR9m2gcnrd4nUciUf6RrzYUEirKKp9iAIdJpSXN+DGJQFFEMqRNkmiH/BNLrBH9zCArfvMS876BOYHv0q1HD0Ax0LJw7C4zBw4PmBvNS2mJOx9tKBRYmiw/Adl4WOQTWCwe10+Lxo3pIW2SgCLTDreSvBDbiRuMZC5yXrr16AMcFudkJZKZxK+j89OGwgBwQ33sZ8HVvfGw1ZIExWz8f/kswVinYGpTwNb0YbbunTZJenrV9wyKRPsqyW3sAU6Y/Kjt0k+P93WlW5cWYB0lEycoO8dvAvwaH+KDfluTP5dtKCgA2z/2IwcYN1RNySXqmmx7KrJ8Dwt71EY6IzCuWn3O+wKtwbOzsYGaNklI17D6nY9gk05IUXT0xJ3kI/H4WLp1aUF5+XcqY+MTkRbwId6DRNon12QtGACri/2ID2b7oWpKrmD2Og9SZOU5Ntg6hOPIeJq5XtmA7y/MtJ6MFPeeNZ1nGKrKx2KDDkpakMP5fAF/MpdejbSUZ/W7yClszwRFpk7cWbkSj5fmqg2FAtQDt+PGkr1jz4FGn6HhAvK6lCWIR5AtAHZmzaKaq6MrW2kjI5LQEi+/xna42STfgC2azxKLXtPMlfb/w+PdWu9t8bsOZUJEXIoBnmy2Ni5OdY0Q6i0A/JGEBYBdYG5qWBhweJdrbcdwBFeMh9Ch/1kxZUgakwNQTAazyX4//qCJCRJBqaKMIKv1zzOpL+N9kqjMdwF26mUQ8TMZGbcghz9Y3JZ/NTubU1oRW/zOi3HkuyEajYLwa7PP8QtUxl5Idl2zrelRi8+1K16WaLaQuSw9Nr1p+r5vON7oTNWOYQsOxww+CT/Nf0NyA7PJQdbNNRqKdvR+8eNXmdaXtR13HOmfx478DgdOexLxRJ5KkI1PT1swzRbe5UyAaQtsFWOqlasHnAa8742c84WpIrY02xovQ7GL9mZuZ3EJC7uOlseSqc2xKf6lYYmIIqtY4ny1vbnRPG64L4XXLqgtNVRVXJs6JANB3LLi5BW9mdaZVbMUWnbDUXrmKGm7hwHgyEEFgNWOqR53J747JdE9FCXcpnhLy1NNbgeJDCmXMf3Wxr+hXL6IG42otAHVNZAsx+DM147E3urs0pAgpHfF7ULcoNCK17/y26LswlBdfiYedkpVTgjxfEtr8OZsbKFm3XaLxBgc8X9l8trfQJHpejZINoaTUSRaiSP+9fGuf/0w3zqLz/kEkuy4gd+pIDQr/tENzAv2XWi7ftQI5TzsNrTKYdzcCsbuMHmd77c0uJu13rPQYfY6XZzDEYlL8BlsGJOkrqlurCKXp1p4oXiLNyNBLsuW/0xODByjItGNOFr/Bzvjk2yAVxjqDNfhd+txJL8z3vW9HZ2nGqrKO7EgyZ5l+PqOCXYLduhP9baFSIeHK1EUfAFFtpfYlgAJisThHyiemNscvnf03rfQQDvsXDamcogjr9Mr8tGeXAAJcitL5mEo2PKgys5ptTe+nE0PzJxaAdOKFHbOAzjAv0gXiPmKVPI7rH5nt9/qfmDgdVHDyNP5NbazZ83qHrlszrK1mUaPRFHwdavPcThqNy1sy/9dpcjyEovHZR3OJhv4jPfgkpH811PshcB+FHFmOAapw//xcBzk4ixIhPERU8XlAYfnuVxEGc25qTzpKabFpplSacmz+CPZY75CnsB9OKNIiXSD6HTZwbIUidhva1qGxMTZKzYmFewIEgvgjOIcbjNK/Yv1I6SKsrOx85AIUqbhEm5g7GA8PpTjpmUV0Vny4ThfdQomru78eO1fwgp6jiJW58WfhMy0cVY40Fwv30E7oTFf0Yxyt8XvHN1sdd+Yj7Zs6AxeX1GuUHyl2NBE41DhbcWZ5sh8BLnDZyEfcADbQZFge8alEahHGCLfhIKqynsAxMZQKLRRVVmXJCk9QnQGQyEDQhoJwElp3RUl73p5RNlcfK8nbhqZbNCq3rAhSWS100ArpgNCXgkPsuKkNqtnZa7tm/PmdBWdFU7HmeNDJAbJln0KPdCeiNXnHB/o8Jyb61jD5IBj9btITzp1wFejURR7yepz/fH7jlV/SLZMrQcUEMzcZKcl8XoBrBb/2z3NJmU3/GwYXFpiUvipYFeWY9c7ylEeH1AUNK2BDgYwE4oue+EM/5/0bpA/0GBiMikUK2t6zOkeJtRLAq3e2/OV7SDvnokoWt2ORPkCf+InWKxJAcBZ5mrHJBQhjm49tPXHnDZCFQ8zDgNJQpCwE10xpnr8L3BWuQBnlZfSuX2tu7bKIJXPQVK4zF6HA0+FjQvT7NbZBu05Xc4odkEBg2JUm+rtj+IzmxtzejUOofMC9qZ2PYq5xes8Cv/pM1hYehBPBdZ4btMzGA+J+y5tPGInbMCf60XWPyDeIXJF2Ssmd8O8Fqf3v7mqHxW8V7Hzrsa3OyQo8jNs22KccV5DLfDBTZt6X1g+17c60f1IJKislPfnnFnwR3UalAraDZYLhBTxMM/scZkD9sZApjey+FyX4aS2d6Ch6ahsKc2RIO6OR/Dtb7acFe+K3p45AQ0WG7FAHfRkJMj9W87APuZqO1kfJNyrG4gh83EnJbreb6+TmdTIYh30ge0mKfIr+M9dHGjx3KVlSiVbntmzZ49pc7R9q6Vu+jGRAMvw7c9TFN0PO/p+ZaXK3diej4SA9/EckaULO0YZ6gU4Q8AuY6oVeuiSlroLBMAl9rBpsWn/dN16wyN9leM2fA7hANxmT8Nf8dCaacNoR91cZafIJbG+QS+HNnXN1dvWqPvEHwd/AyfXe1wPh5eKNWBIA0FQ6KJav73WwCQSa6bFfFWG/8gd5nrH0Ra//bxmq2dponvU+e0TsdyTSK59rV5nrb/B/YaWuoVg7+EPnIokfaCVOLIJ6x9wOl29oDAwWSoteXHfhbZDontJmmHxuHbHkf4+fLvZsUswTiuXGZEESVtpqK5YGHtfvPOyru4f5yybqz+TwYQJnILSxQ3diyqfEw+FTxIChS7FH8o0aqRMeyn9fCAoOB4wqR11GB/qEfd3MrZkRYN7PX1F5uBgNP6fwqSLsVx5pDzcjH/tgyqJD02zztYNqBs1QlmGA9EZOBD5UpXG0XemxMVpIAGJQf36Do4XWqIkJgQRTyotJYLEGGKKN9b/EJz7+mHppfro7la/KDFKcWNHo76o+fcfcpIQaCSrWVTjKi+v+ifJ9AO/x3M2VLRtFfi/oZhEBnqcG0to55wPKNhAbpwoyqUc0YCR/MxTFdv6geItDkReq8/1Pj4QIsq72OG/xffdQqhlHGBnLLQXnjfJEpuQZPlh70RfpILVbz8EJIkWcmJt7D7DBhw4cJajCDBlZaMPxV9ufEjA620OTyCRLrRsju9/Fp/jVABOLhpbVhMFe39NR+8TWttXECQhkGPM1CVTDx1vmPgMRfhIUIx+ofHJ7iOAX42HhpQVAmynu5FbM8JkYbtt+UiPSNcgsvMBi207JFvgGIjwEm+9cg2ARHGcYytbJ0LsoKX2/pYB5GhVUV5Fs80E+iwB2avZV6DIfUR4vyQOmm1ND9U12doVST5FAExFgrzTxdQ/UTYFre0sGJIQKBYrPrh5JpPyRJIcjklBsw7OJgemWr5FJXyv4a1SFB5KSpQ5eHhES9lZS2w7mU3KU6yf/hFGkAn1yGZ703uxJ8nMXzaU0G86YEUSalDk9tW6a2vane1x86+0OXy04JJ2MJKCIgmBNh2RKMfgA6Qp9Fdp3QT4zXwBdydaC5/eNL18tDy2GIcqy+AgKCLNI6nKWbzOX5YYFTJFGqRUC8HOaR5g9RBdEqYN4ERL9pMNcgXNRhn7s8dDwZGEECXKsUgU+pgOUX5mrrafjse/xvtytDRmoFlKEVkB2C1+19xErtazG22TjAblZuAwL/714vZmm/uugWfxtyTbtOSDGrBfsG2JJIQ+opjqZQMA/EL/HeA6nKIXDPTEoyVjBaRiJPocASXYp80+x+9a7d5/kEJNZjm1bsd+EmcnI0HIR6gk3nURJynP/IFUsPjtJmDSVRqqLs+89fFRsCQhEFGmLZj26zFV455PGZFlMEZxQ8lf2ADzC5lJtPuaMutREWljJAf+nNnr+M7qd63GI0VpqUp6hWDtvR2dxwzcOK5ZZBtTUabQHpiWjdpFGbQ5KQqaJAQyNJz8qG3exJ2VJfiwzDovPwJHtXkBW9OCvhNCqPcA8EHLzEVkHdtFX0lBaeo6hThoxYDg6lE9hGK1pXTVxbu0rf8heEG6DU2FgicJgQLK1Xidh1UA84cDcusAjmp31TXVtfSZrFDEFavPuTDJMvPWAlri/CdTBWUkfk8IWCe4OiJiai/2wN65O1kko3i0B0sgAuUB/u7uHw5fMWfwZqGp2k7u3QcmuZaWml/G/+/pQJtnQS4tgocFSQi00z7b5zjQyKANZxQ9MaTIL/oRlI0P6tt06gH1DAOTaHe/OgdN7cEOuEoA+wE74EbasQTayBJkih9encl1h9xErs7rf+y9LYG5yev4erHvw9QlU41j5UnTJYnNBCHqkDi0x5QHcVQ8sKp75VnxUrBZfI6jkcwXDb6EfYzP894QhF5otXo+2Xw+9a5YRhg2JCGQ26nF45oLEiNbrpTptGNACVPJG/HP9IFMYSx+1ynYeTNNyUCsexWY8KlCLBe0A9zm+V+yUS1iTqPszphEo/l0AOyYDPBzNizpRXNIZb/TEwsg2klfjr5upw2+ujp5JufsYGDhiDc/ybxd/bAORd4zm21NT8b70up11gDnA126V+GDvqy1temxfPmQxGJYkYRAvuj1HtchshQ2oUgVwS8GcAPqJwHydQ/fx9r4PBLlIeyZv9PbBiTGf5AYD27cFHxu0A5zilEtGsWFXi1958IKaqnsxDmHxAt66Z3haPa6ItDquSXTThR1jmujF86+l9Q3WmdwWT6JRczWtbgIJ8Pfe1jo/HabJ27AOEoPARKQAr75dxWC3b+mo3d+eId8iNJrDzuSEMjE2eJ1ngAcyKRa6whs5ABPT1tg26/PJGF98Nvfj5bHUiwqTXZHSA43Y6Hrm62eltSltYO8JfFAu89P1TxQo5ROrmyQOK3KhZe+RyW/WrwbCoaOa3F4X8t2J4qKpxQSdrlpselCqcR4AkqPp+kUd6mNb2Bvn58sqn+t2zbFoCikP/VFsyHHu+ObbY3/TLP5WcOwJAmhucH9jMXn3A0ArtZ+Few6plr5G46QR1IHoBhhdX77YQqTyLckSWoC8YYagnOz4aSUCtGIg0voVbOo5syK0sp5OMPQSE46VOyAsBpH2Vu+7ll5Z6LUytlE1JfjNn4Nv72+vuFQHHB+T8mBUlz2jirU61tbvc8mm+EsfvsMJAjZZPXtqK8O9QbntDi9b2Wp+Rlh2JKE0GL3XGv2OmgW0OoXQpiH+gmZMNxAH8gwzuRucEiK3MwG6zkbsSNe2tLhuTPXvvfxEI2GTsugj6GIOR5FTMpLWRFSxWebPl27PBshPPUi2tkpJvMLZHCICv8xEBEyaXaRcED5jJE1sRDPB+ze5vBslGCGI/3HbJLPAiaRY1TfgsY3SCwzEiRrSXgyxbAmCf0A9S/WHy+PKJ2Ko9oe2q+EP1h9jjf7jCDJVRjlYRNI4eiGu0QLvSpC7DeFEo8LRcxVjJZ0+5DjFR0twDa9iYc3ExZIMHfQLrypyX6o2aTQQLV7zFedoWDwIBQdC4YghGFNEgIFjcAOPg87+Aqm3TSBM+BP4nUH9JEAj+/VeJ37lQOE3T2/7vn8vHyIMdsSwnHCRpQdj7M/xfOdOqiAKk4J61YFhmFPEgJ1cIvPcUbS3CSDUYnE+vdMn2PWy7amNXQi6vV4Rk4auQ3D7HPsCoyfIY8o+y1LlJqDsSf8De6n8tgszdgqSEII5ybxu6woHx+v47KflgL/59QlUx3FWSP7QJ1lf4mLSzjww1lyN9B1Gzp7z81Xu/RiqyEJYX3w2zNGy2MpcvruKQtvQf04w8SHUU4+JhdxZLdFULginKUvlSVyxU69Qi+YuCm6DF6QGDYkodhWVVWSBUelyp7eDf+O54VGS7o4tR+DZWj3OHn67BgAwG/MHgdtcOXEHyEfCK9+cXaqAHYYROR9yuTlU4PBW/KV/s7kddolDldyaZC3YTKs7+7+UXOawKFAQZMkvBNdLv8cu/GhY6qVGajYXRPoaLov2XIs7ahb/M5rgcF1uioDSmnn/LbZ6r4l44bnEWR7Nc448RJZAiJ4acy4TblY5nFZ/qXV73qoq/uH+cviGBJmirC1bqX9l4LDfCTIDL3XC8GeyUW7somCIwntOJftMvownA2OryhXKJ+Ggk/y3109wf0o+oWWe7S0BG80mxTyP5mpp24k1p+wQ62hTFnptD3fQLGmdrxxEtk5JRMviTcnlRhH2nCkP76lwd2WjbopoY4sl51ornL8H9YwKV3DM6HmNnV5NlAwJKFIG6Wl8pkVU6pod7kvz8ZGnD3OCTg89+jRF8j+CMWu45FotIavw74r3KEesHidG2lHX8d1eQWJntVVyvUo1tBSqtaQJpNxpA/gIHA/KslXpKMDUDifivKqg3D0P0aRyynogyEzs0zxVavTszRXKROyhSEnicVt2ZkpxsvKShValYo1I/8ACXKEv8H9djoPkfKiWH2uP+CPGDftXBJIwOFx7EwGnFEe119zbmH1Oo9E0ZOC8E1I43Ii1Kk4Qx9t9TsfVYOhJ1qX+lckMhmhWb1icuWeDEQ9A25HgtAWZlnWoswI9uJwWCwZMpLsu9A2etRI+SpQjJSvxDjg6yUoQx+Vqay64ZOOm3FmokAS01IW7g9S+h+z+pxHdfcGz1zq8n2eSTuyASTHNMbhL/jKRpSXEThpnon6yplmk2O9xe+i4ORfAvmiYJ/AXluF7yfgs6OwroacxcMHNa2o/fnGkJAER+ljR40Mj4aD0peRaXRLa+8Z6lXLMk4KSbZN9R7XKbLE2lk64RoBDjIaFCsq9DevD35381DkfqcIIwZFvgJnNwqikIvfaxRSYHbsiTyFIwsGf+xuzk9VmSGvJKHVqvIy+b6E0U8oa6q96aJsTsFkVo+ixd00cqZ5izJU6K8aLW93ktnnunrjJx2P5sOwMBp+5yJ8ncjiJvwZ3sAf+PWc56HJEvJGElSk90VZ+HkWm2YhBvjQbm22NV6YCyUu+OOmS+WKssNxiNQQVCARYEcO7AEUQS5H0t20LvjdY7mYWUxepwXrOQvJQT74wymdgy4AEwkzBcQDJUbatMmo6o2Anw3khSQo8zo5cCJIXANEJMiTLQ1NF+RqlSNsBOl3nYFixMIs3A5JDnePlsfeYPG5HmUQwrb7VmQy+9U12XaTZflXOGP9SuIw2PBvK4RQtaU96ANtHuPzvg91s7cCbcH7s5WjXQtyThKz1+niHKhzDlTOIxBs+Rdf9p6kt5PRJpYeH49ma+OLSJRn0o0xHAejIglspLPNXsdKVPIX4//SJtSeZS1LW1YmWjGihEOzZlkmy7K0PzBOtmY2RVZ0evoNfwS5qoskhE1dvVeVlSofmE3KKSZ3w/H5csrKKUnwH9lbUuTnWCKCMLa2u7f3VxQySOs9w74IHsfZdSOtzfhR10MKBjvPVuRyWsbUE0RCCyaGswoDOw24kZlNjh4UyT7HGacDRwH634KCAeo2bDv8bmc2dCF8CgWrEkWBTwaKJ4DP9Q58rpeHs6H5XNcHWnv/mOtZJWckiW48kQ96wpi7OHecp2d5ddaSWSNx1KYoG+NwFPmL3jZR7C2Lz3EOANecmyJN0LJpNCsWxPwtIor2dC/sYeq9BiZRbGDayLzGZFIaDlhsO0pPyge9yBlJKsorL2FJzCVQtmpptTc9qlUPodWeEuNIiqTxM7xYS2zYuKBQNla/i/ZODk73HkVkBvztdSntsaBwUPj7UcQbCuBBg48JRbDlKLXMzVUy2pyQJGKYqCTNBxEKMc1LvSavc7LRoFCkjfAus8rU1zNpX1d372klRoUsVVNEIikiFxBCTZl6Lvn17HXUB/ePOTUBxa8AKvUOrTkz9SAnJCkvV45hSWM0ieZWu1uT4kaGdKhH0EPdbIYBIDLKd0iGkmaf6xwObFgYMm5l+LLV7k3L1KgPkd9/kABbzTg01rpts9udvo8zaeBA5IQkwMRByaVw0OQ/QLZD5VOqSPHvt7eiqjzjzbWArfERi89pBQjvZBeRJ+As8FzGm8UCjAm613YGRV44vWn6jGzuYeVIJ4H9kny5oWfNBk1h8it2qSK9xjTwPAdBpMnY5Lu3o/NUQ3XFz/BtsvYWkT2oIQjdn+lNBBMTIeEgDHuMlre7Ed+cpeVepOumWjzKOknClqNTqpIFXG5rHxBmPx7IOhgU48XxvsMHVIuHuLFk9YDaYW40H8KVkqXkE5Hp/YpIiWdbrZ4PMrkBbQGYPY7ZyUvBaajI36tFkceZ51azz/E4ZRtIVCZXq1sJZS0hhCZdBBQDKf7xfUEAfjFtwbRzKHdJes3bAsqEhXKsw6AoFJ0xaWbfIjLC+q7u3oxziJg9DXUazIskLkvkqZkyKAgAexcYf97qc5zvtzXdFq9M1klCxn/RXOtxw4biVJlyJIkmcDk6SZHtq6t2OBaPD6XZzH4gRQ+JYo7Goo1rW1ZERiAl5DitnqXJIBg/X8ueE+qa82oW1ZwWjYKZ+H5CvI9lUTjht1r9zkq/1X3FwDK5mklotogbelTLylTtaAf5fyTNkgTAr521ZNZz2fKPJqIcsNg2s6xUfh7vPisb9ywijF5VqCeiOPNi6qLJYfa4GrjEDtVYvKy8fBS5bydfbgYRk1MTLscZZe3AGSUnJBFC/Qd24vgkEZBSH5FATNWwRz2+xDiSMrUem0YT44J2bacumWodb5x4C9ZPQeqKG+WZ4dNgiB3dam/Sbac1EGQFbFAqdEkOoPLdWCqSMNbfJAr4zRav85PmBvdmY9ickOTrni8WYEe7iczLB34nQKT0ORcAIzT2zmOQ+W8kkiXTQTRI3Vlmr3MRB7i3qNCnBRRxxG0bOtfekErc0YLIYlAlxRzQJwoDVKQqIkJSKfR3SODA4cF6j2tFNP5ybkhCHc3ic1yGot4jg1sFSVIcRMCBrddcGTLf6nWu8ze4H9bVyBQINLgbaxfU7mGoqriAwg3hqZQPvAjK0xhObnRTtmypwntlu1Q+QTni9V5LKflSFuLquDhOq2Nkid2Lx7BolzPbrRa79zGzx37EwNTSSJzdUl6sivfDmQa1gWPZByw+V2WzrfHWNJqaENGl6mvNS8z3cKPxPGz96SxxLNttGR8IJIe6qeuhaB6TrICiwoyZEjaSTcvOTqV+lAIoLSTy3zkEpRQrJR7KGUloVxXlyOMMSvmyLRaxjOidUikOrPW8a652fMPi+MAnAP6v7BaLz7lH58a1Z2Vjiu/XnkgKt0vqX6z/o1xeeizWRmT5WTbrxdCg7wAAIABJREFUGIZAUUQ8iwroswG79+VsRz2h1HDV1QqlFt8rzVt0btq09hUN5RLGZhPAaZ8udyQhkDfZ7Eaby2gI70FEbK+A1VII/mT+zeRMZfU7cQSBc/TUh7PUiRXlVTNQnjw2mjsjq4i2mUxq7iZ3ZGTmsVjrL/HzztmuqwARQha8xgTzhFT2r/b2plc2O5Zl2aPU7HP9lkvsDpbEzUIDnk81WFI/lEeUJQzJirKMnTa1c+6ZSFv+WFEdKMbF+HFPfJVIFSUUCOLRZNd1dQdvLTEq8cINpcKeKE+SQ86NPR0bbtCyu58OoglKX+ecn1fvaZiOhDlIoNwMkZFpawjc0C3IqY28LZnaGgxubOkXf1m3hpAalibLT0Ay/JUPENHTgBrqDd6UqhBKBbQCm6x/caYYD8qLj3uzs/nLGq+zrgJ1B/x4BI74tLyalCS08YQd/Y/kWJNGlQpedwUq3cfiiH9Jq937TK6CoEXv+3r0dd30punlI/h2NZyzmcDgAOxk+2BbaFWmkJeT1+E/8S428D9hYrDQ6193f/lWvtJRhEf0irILQDaez/RF3IwPIe7S5FvC4bRURfCZHJC3aCnRBDlHWr3OU7Bxt1JwiGZrozvZNd93rLpxTPW4OWlv7gGbhFr90yav4wKs75qWhqZ/5TpiYNT6tDn6CmOmz1GNv/weKuNTeWQPiHzaJ7HIkmZlLtsTBZnvrMbe84UQ7Aus/3N8CJ9xpn6ysSv0Xi69+pIhrJhXy6ehyEOrh0k3j3Xgv993BC9NVcjit9uASRpiRYspeQ9O529w34/i10tMMfyOL+DeZMEcyDar1m8/wsAk8mRLJ6xnGDga7IuHhWav4y2cWW7p6Fj9bDbsvrQimkmrNfrqh9oFtaVihHF7hcP2IMvVQqhVAHw0/jgVqDmWYuPLcTZSAMIiXMzvJYjsNNJ34ZtuEIDyt7oBr1mngugQeBRc/U7t3fTdsjnL1hZSONHZPsf2BoDTxlQrFAtNb876ZPhOhNjP+1KQJwIF4zCbHCnFsQhg1JBEcCTxCw9XU2PZvORlyV2z3m93ykwiz8SUeywpsDcH/viY6vE3WXyuB4MQejidgATZRFRn+jz6yg0KJCC1CUVuicMpRuBHMv26Zip0qEKdE7A3pUwEa6p3kJi1f6pyUfQMacDsZLm9Y0Hm1eEHDNCII2s2wu+Mx5H5SoVJFGjOh53o8WDnpn8Ol4iCwwl1fvtERUhkrHosEiT1HllaEF/1BoNz2hy+d1KVxAF3qgySxlkk7I//zZBHldeKlgb3p7Xu2gMMSsXf8aMjS7fl4Z1czuwoF99r8TlfwsfyvNrVvTibm2LbGmiPAyRxuGAwDweiGpbYQypjUFAJ0dM9r80V+DpV2YgOpJCnq9YszVTBO8OGJARagkQ95kBzleMifOxXMx0p3zSgNBKjGH4hlZYGrT4Xhb1ZrDLV09rqfVPrrLctgsJHlZZWmjiAA9kwFyS2G8slMyIIoVZ2U+cnHVdric0cdb+g3XtdGQZUIXK7mZgLRBX9P9Z7XItlSdyPP0ZNDqqR8Rc249HMcZpBJW+N1e9qxVErEAqxtq7POt7KR9DsQoVpsakSjCUzUKOsw4+WivIq+g2yrWMkwztMqKc025qWMVvqwmFvRq/jQabfvGXNpk/XeocdSfpAO+o4OswyVTtOxhGL9lLG5rA6WoE5HOs5XJYYq5hS1YWkeRNHsleQOG+IYPCNtT98+14+V8zyhRqvc1Q5V/dmTNqXCTEd54cZONOSvdNQ7PusE0xcv2bN13dofdbhGcRrvwff/lZ3bYLdT4PhsCUJITqr3DtryaynSgwjz8efjcxYMjFl0AoKUzoTlf+Z4Z6iyGxM9fheq9/5Efadd5E8H4IQnwiufhwKSR+3O5u+LqQl2IGYtmCaoapqh0kAfAoIdYpgfBf838jebo8KDjuTh0+4YNZSXOnGJnym93Ru7L1BTxq7yY/aSswTHJST8Yg06lyv9nT9md4Ma5L0IeqdeGXNItsd5eXyOTja0RJfVZ6boVCkDjzuEe5L5BHKJEYzD071GyOxgckoEGhTbzWtmgghVjOVf43KzppQqHddryyvfa3N82M29B8yMZd2GT1SCoYqFYVXgYBqclMQnI2HsOEo7IDt2IF8fpDgtAcV8aoAXkimAT8gOR4MqezWPt8OraC9mAkTwqk+UgSNSAChXhk1bN06SNKH6Chz+fSm6TeM5tsdj+rEGdGOO9Qo6yNQ5GNEqSXXauqa5M0gS0pYqEf9R6AoR7v2P+J0H94sxMK0YdgDEV9xFfAXFNSb8TK6A55TQIRj45JJB71GokgYCcqt8L4qw6/+BCggOvTHJ/gv3r1BwENRSw1dQH11ppFzWsVKLx+NYN5Aq/fOPn1nqyJJH6KmIXejwnaP2dNgwQ51UjS71nCI5k49tyL8gv4ntxz7rxxBbIHhC9IxXkRyPIwdtDGd2ZT0D1OV42KcvSlWdHorn4J93hvq/E1s/VslSfoQ1QNop95PiUxHjFDmcRBHYY+i5JxbbRapYQTsiGIpDmLPiO6uZ/rEGy0rVgNBm4TmajuFrc0kiMd3QmVzKftA7MmtmiSxiKYRo2XABym+sCSVH8qBUco1MvoeDjPM1gKcMUQLEmNhd3fvC5mGGZq6ZKpxvGHSRTJIFO0zk99xdW+w19Hm8L038ItthiSxiI4UYcKQaftIaYyVA7hQsbWj2JIj04ltGIJ9LIB5hVCXqBu6vNky/zH7HIcjQW7O2FRJsPdFqBtnkObP4n29TZIkFlH9ZVH0xWr99h1lAVZgvB71aloZIWVbf3rrbRco4oqPRNhZC1pDEPK32bJrRGr1OVCk4jdw4OYs3O6Frp4fjk8Wv22bJ8lAkNUxHp6IvsK7y7y0tAZ/+Bk409QgcfZhEXfd4a8qZwerkBVv4vNZgY/klc7O3lf07GXogcVvnwFMuoIBz0YCpk6migsDDs89qfawiiRJgaihozv6CoOIw4wle3MOe+K4uTuAwNkGKKuX1sAVwxFrkAjvCQHv4vDwHvard6C3+63NynaOQO4U9fUNcwH4uUiQNFT6uHipu6f39HA0eQ1raEWSpIEocZpZjPchgXI6yvLIXTlXpwDAJGAwUUScxXaCSDBuMm8p1BmI/Ndpw44U6c+R/F8Kpq5kID5SN/V8lG+r6HDOzdLK35pN9t/3i7aTGT4QqrgoNjqjFhRJkkVE5dpXo69BoJWYathxnMHAxzImjUG5fSzOQmMgkpZuNMrwlfi+XESyhFUAHUV4xaYEqUV7jbRszWNeaswrNGDzcSMwsVGEPRbFBuxo64A8FhlbDyrrEBy+D4XYt5Lo/uaLVfxrPRmQc4moSHVCRXkV5bVMlsJDDz5F0eqmDZ+u/Vs6hqlFkuQR0cAKn7NceiEOQ9BiiUHAUahrnIgEyWY8s1eRHH8OtAWfDaexbkjvJkWSFDEkiBLjlwyAYhjMxtkvWyuIFGr1uWAI7m+1N0YCdadJjj4USVJEXkA+HRSfDHW1uSj6HWigSCXZIwaJikvw9eyGzo6F2Y7gWSRJETmDudE8jikGMwfuMnsdc/DUDlm8Pe29NKGO9VLox41NuYxPUCRJEVmD2efYlQuoE8BqgYGJG0qyEbSDEIwEzxPLVQFLhRAtFPMgS/dOibyThAK1QU9Ic5Q+Awt1J1qLr/fbd5EYmxgKSe/r9TcoIn2Q6FTXZP+JRGF5OJsuGOwLjO2HM0b1YHN8XehGfWIl3o/ysH8EqniXgXh7w8Z1b2VbhNKDvJOkhPGHwci1pvRCyJSKOm5QY0lIJwKwS8mxyepzfY6/zstCsJdDKlv+1Ve9bxbKsubWhp89aykXAkaGQPwgqew9JMo39NzZFhP/8rCfixB9OkcQdREK3LAJQFBn39C3FK2C+FZV+eqent7/rTi4+ZtC9ODcesStSEaqSUiaXxFpJk5Qei1+19v4Y71O8W3x2b8pOje9VYytlTmiERKzHrW/UILoDcTWQ5LBUKLhTUkUYBIlBRpRplr9rs9xRKMgZu8Ipr6HI9uHQ7GjXMTwwdZMknig6X8yzjaT8Xho3wqkVFrKkDzfMsE+Ekx8grPSZygKfIry8GchAV9907vyq3xFWC+i8LCtkSQZxiI5xgKD2vCnMH8gHCdkvHES+Z1/R+E08RwFcPgWiUY+KZ/6re57hrLRReQeRZJoA0lsY/EQju0Fm0PrkHk4K5JkK0eRJBlAMMjbWn0RQ4ciSTKBYJ8MdROKyD2KJMkIanEm2QZQJEkGAPJTKGKrx7ZGkjd7g73HZutmq1axj7N1ryIKF9sUSchbT0s2pCKKiMU2RZIiikgHRZIUsU2BghFGY61pRpEkRWwzoKB2o6Wxz1o8LmezvXFQONNEKJIkh4gE6ZbswPiOzbbGvyQrS342pQJcgrO9UHnaDgC4oFhXqlixZm3w36lyk8cD+X0csNiyo6LIu0kcxolwVBZRAirbKECsJ9u0zk71w1wFk9MKSvhZVSVNwH95JyHUkRx4Kf7fIRXERgDxbXe3+sXyuc1fpWtGT7laKqZUns+AU0Y0BSR2Hz4bs9b7FUmSRVDo/9rRjhpJEnMYA8eokcoMFnnGal2TrbHN4Xt/4DWRjLDydaXAT6OwQbFpFMIHDmxMtfJDvcfV0GpvjBuqaGAbTNUOF157hNnrcLJIvK8t96O/fEvyhopyiVn9zg8pJ4cA9e8tDb7WXPt0mJeYt+OK8RDBwYmtqMH/7yd9zQOIuqBwMj+NtLHEKFEipPUWv+stYKJFDUFzcN2Gpe3z2jclqydMjsmVR1TsUnUFfoyN8Vxf73H8jkXiQadEkSQZAjvveM6ZE39Tl7naQamzq+P45nFZUk7A40WxJ80+x77YQZ7Ft7ukqKa0C8RHyQpEO8TJ2IYL8eNEff8F7IpN3hWYdJrZ43jf7HPd1NrR9Hg03V7WYPHbTVjH+dxYciCLJCDSg1FY3sTILVhilxuqK7qQ3OTo1aYK8RoXsDIUCvVIMh/JBPxUANRWTKmirAFxo2ri73VTXVPdiwPTLMRDkSQZwOp3/VOWwukbUv7eAOznLIYkFq/zMJzyn2KRQHTJIVhLsoxPJGujOPFIViIdAtsNx/K/IdnOQRKfGLA1vZ7pLSl3iMz4nUgQe8bt24ISbKwFjxYOEZ9hiUe7szYX4ipZLr8Nj8ekKlgkSSYQ4rMYk+BU+Cnl8Vtqa/oGyfVr4EAJL7U9fxD/jneadA6Tx3EpiihXa76XduyNusFSq9d5tr/BfX+6N0ER6VSZSZSgs+BywOAPdzS277Fma6M7WbkiSTKAECyAFDlXa3kjY3uZvU4D10MQqicEiwaeC+seHvv9WP+JWu+TBowol9yHYs3OgQbPlXp0lUjudPttqPuck8P2ZQwQ7K7aBbV7JdNviiTJACEBK/Q8QMG4HfUXygys57IPmu2Ng/QRczXlJodcEiQGcDnqKkSQK7VegTPcjXgoaIKEAWyKUlV2HL67L1GRIkkyAIUxQtFpDYtEi08JHPUvYDoj7ohocqFY4Mh+Cd7mZD33yRjArkDR639aRC/Ut45CcfLCfDQrc4gHWlpDDyXL01gkSeagUV4TSVgaIalQwulHEpPXWSdxuFbvfbICDnegMv9qMmU+vLxrLLkrn81KE9/g61y/1f00syYvuK2RpKTWbUs7quBGWPv1QJMGHOlXYs+fmXnT4mJdW1uwrS/gczSJJmWYTed368LWvoE8/R4bXYV03Y/pV6aNqMw/he3YO1FgDG40Xsq0DxoDsQaf53/xef6ARwNElrJpxS6deHe0GjiC9U/l14n/+8sC2IL1wW8f12qesk2RhEIMGRQl6X5DMhhYNQXV+1e/k4J9lcO0PEvCKQOiQILMTyOJJiqk4rqu7h/vis0LWP9i/QhpRNnvsOm0Cz1Sx/2mjjNMOh+P1w/8osbrHFXB4RSd7aNnGFBVdlVre1PrwPzts5bYdjIalNNQVJ3Pwmsfmu/56sovew/ecUelShLdRhESG1rntn6fzkbpNkWSnADEdxkmrwpHRBdMtAshVnOAUvyBp1NKAiHUzaIWZdEqMY68QOe9NwgWcjVbPUsHfhEN0nc7ik9unB18TEcqO+ywF8/0Oe592da0JvZ8OYh5+G3qfZ9YCPHnQKvn/DA54uyiRFNYX1bvCe9JNeL7Km2NZA0TdpaOarY1Prr5XJrB74okyRAUqjPNBAI0oj3ULdTLae9k4JfTm6ZfIHfLm0e9EuOI/2P6Mz+dHo8gsUD94l3Uc45BPadJx30rShicySKz0GYAcJfO9vkDds98LaM7meRY/K4TcDjSnMoN23MVX8CfyNRyoEiSTMEhnbCpm4Qqjm1ucP8jUYFYeTmy5+A4VWcdrwYamp7QMnq2NLg9Vp+zkVEue40AgFOxA/5hQAfUp5sJmj+0iz/N1sYXrT7XcpwlDtB4yU9M1Q7S6JJuFqZCkSQZAn/hTp3CVjd2q0MCdrdX6wX1bgflk5+sqxZVPKCnAwrBHkAxSs9MsIO5qoEWTsMzEPlpjJbH7qTj+u8Cdm+bbhEIBA4soJUkyCdBdmJFkgwlsB/2hOMMawT22jsD9kbNBCFwKSzr62pXdzCoq2OsV79bMpqP7WG0PqERgvHDWZQk5XL1GKavke+ko0QLBm/p22iC6XrrGIgiSTJHMHWRGAimyysuAnDovGBlOEe5DpB4h6LMGzpEGRS5hKXvvSSgXA9FhBBpBSgHFa/TMShhm/TMbnFRJEmG4JyWLKWc3Z+MIo3A99B1kRBpBbugFBXY/TSTBHvg7qbFpspoRH5dgwXoWc6NASpARp1PW99qWxwUSVLgUATss9lDSiuAaXZNHYAPdZYHMJQSgdtZT89aZtSxNwkwSWddYXAQu+gUPZM6ZmlBkSQFDg6wdxqXfZFWZUL8j2m2/I+Cs93xb3vr8tY1ZpODslhpHbl3P2CxbYflc32r9VUITl3FBfta3/0HY1sjySeoKt6Y7sVC8Ley2RhNADFFr9KuChE3x2TK6xj7Rq/gyKPuwbSYa/G73sGWztB6aWmJchYeL9NaF5kUGRTll7oaCOxtXeXjYJsiCcrc3wRsjZr8mgsHoF/xVHlaJJEi9k66IPrt1As/tlcrSWjSOt/scfm0rPbVumurFKXiGaZTlxGq8OgpHw/bFEmGKcbpvUBl6aygMdYTCv5o4Iqua7CjV26uNxh6TpLli5KVHwADl9hii8/5R7Wr6454KfnId798cuUvDHIFSQCTdDWOsbWdm9a+pPOaQSiSpNAhwtlsdYFztSedqiRJ1n2dEGLzyN7i8L5m9bnasb21Om5hAICrpdLSS61+1+t4v3eReD8IwUbicULFlCqamfQYYMY0jt2bjdTWRZIUOkCU6tVJKGpIOlUJAfr2fNjgpVw1FJzPZbmd6V8Xp03MmUiYsGmL3vWDOPh6gxA3ZXwXViTJMADk7TeS1G6JSTq3LwD67ZoHHN7lKD5dR7NDFpumF2pIFScmizCjB0WSFD669F4gSZJm05JY9DJu1H2hEIOcr1rsnmvNHns1EuisdNqRKZC181sa3Euydb8iSQodgm3SrZOkuZstMdB9nQAYROKoTdbZVq/zfcbhZpaFXW+NCGGLzm22uv+azZsWSVLoALJx0qmTCP2dPVyVzHVfByyxDZa/wX23yetcJHEgv5Oj8aVv6UwfvhQs9Ntmq8eX7RsXSVLwgK90XwFCr3NW9Do+Ru81qOwn3TFHsYd2/0+Y7XNcbAQ4Dmu5BD9XJrtGJ9bjbHvH9x29f0onqLgWFElS8BD/0zuTgA5X3P5VqeMY6HOzBGCrUpWx+O2zDYyfgaUPZuku5/YHrcItQ5nuqe7uH56K9d3PBYokKXCoAv6rxzKcAABj06uN76D7EqEOipTfByTHDBDSbQBSrU6eEwleEELQUraM/89GrGidYLAShcn/dKr8tWytXGlBkSQFDi7EW3o3DVAESs+HAthPdF4huno2/DfeFxa/83Jg0tV4T337JUIs7A0FL46XpmKoUCRJgWNV78r/jDdO0mNdS4P21HTqAsH21DnifxhP1KEIk8DgOp3V031O8tvcz+m8LucokqTAQUHgrD5nq54gDdjR9+HXcD4whlUyhAPfGSftp6txQgxaSarz2ycqTLomXvGkt2LsiFTR3YcKRZIMA6As/hIO8HqCNIwy19nJD+UNrReMM04yM50RHYUIx8HqB1lIxyBJ9S71bmxZ06TL7z+fGAYkgZymJhsO2NTV+0xZqXIL05OugYeTC2kmCeI3OpvVsWbt14MsbFF92l/nfQhl5mq7B/WYRhBiI4vYkPV7qSB6APhGEWKdIdG7prubrc5XrsfCJ4lIN+7e1gPy3rP4XW6cTeZqvQZ1glNqFtX8SYsVrMVt2RkU41F62oQj19Nvz3t7kCElnq9KzzYRLHidhUH8NFV9+RNBovcKU+RwpjFa4XoPa21TQ7Cktb3Jr0fE1Iq8kwSYkPSs+wtgWc3bN1wBQr2FAddMEsS4ivLKOznnv0sWuod0F7PJcTfTJ2oF8Za3JfhOt61ZBhjFwgHxYCaX2Pn4f3xp9TluWdXzxX2JAnqng/zPJAC6lgSRVNv8TELw25r8Vr9zGT6RWdqvghNMHrtx34W2M14/zLdu4LfTFkwzmCIEOVhnc55oaXB/GrdGJj7U7YeePeyMA8lfxhsnnWpqajiW/FuycdOhELd0rpsXZ5I+oOR5DjAJiaI9+jAA/GbUSGUOimuP40cfqOJrVcBILokZY6rHU5rmVJl/B2Jdt1AvTthGlXmAszN13jPb2F2S5TYUx47zWxszXlLOO0lw3pd0yqy6HYG2VjRbPa9Yfc77sOefpvNS0hN+z+gVzo9OSE9zEEI9P16A7z50frp2ccUuVZ/j7SelVUH2QOLj02afQwRsTQsyudFQzCT6lhnT9NfeWtHT0TnfUF1Rh2+n5btu/C2ebLY1PZSszIqTV/TWe1y/liVGARjK89S0RJA48MesXucH/gZ32lFThkJxH61zFMuJZedwBWWJrffbfy4zqQ0/6re1ShtixZo1QU2R7VvtjS+b3A21KPLcpdPfPRcoFRwe5NfwWemufA3BTAL6zLghrdQGWzVarZ5PcLQ+MDpap5t6TQ/+q3Z3H/T2vIDmAavF6aUYZXWzG22TDAblYBwWaTefgldTpq68zjAUC8xUZ/85vk2Y6iIZ8kqSaJ4NbZmK+pCFCHxbI3C0ftPicc1CJXlxGiniNANFrBZ106bD44X70YJo4O47Y89R1i7ZWD5OiizhVqBUVMFUUQq0qMNBwvcKjv4GEGoZDpLbYTffkUXESwqpmpZrMnA4gw0Hkhyw2EL/rE6dRF2Zo+YMe1B+9xqvc/8KgNvx42+zfHsUTcSfOj9eeyXpGdm8cdQoUrcPSDglnjLiYCTSeSwyM+mBaabPUT0whZ0W5JUkBoO0j95ruIC4pthFRBD1qzjB7HE9waVwCNd0zEL6AWcPXyjELmq1u19Nlb45n4iS6ym+gD9jrrY/QPtAOi6nODC0x7QoZckByCtJgHG9eTY2BNZ63k14PyFW4k3btNcPaaUkSAY1KNZLstDcBuyC6QWzTgEKFYri7AyT12YFJp2Epw5i+rwAyQ7qBcFCD9BSs976UUfaR5JYnZayoIp2f4Nbj11ZP1AKutoFtWcYqsudUVFMEzgLp7AoXJJMftRWMnGCoss+CNGWLCkkPuj78XB/Zi3LDNFd3fqhbEMfouYnZL7u49fYZHO9VCOA74dTA0V+3wlHiQoQzIjHH4UQPwCwL1Co+iikhl5rW+p/IxO7J1liZKaiad4JZeF50Sqfxed6Ev+HC7Vegw9HM6FikTeSTJwg0waYLt9r/Kf+naPmbPWI5n9fFn2lht45PgYk65cCN2stv4llHumdgAR5U98VoiKdevJCEloGNBoUvY443aK765mcNKiIrMJAeQlBu6nMa23BTtaQeb1CFSroSg2XnttFzkkS9Xh7Gt+O0HMdigNPBuYE0kohUER+wUFsr2eDeEa9REu/uleZBgIAdK1wARNp7bnllCRkhm2qtz/M9Ob3JnPrUM8fctGmIrIP7Ky6IjSWCCAFf2EmdU5bYKsYU60cp+caIeB/6dSVM5JE/BTs9+Ij1OvxRm6hf2p2NH+Wi3YVkQuAPtMhDhfyBXxRskWZVBhTLd/BdOq4KkWeSQM5IUnNopoyc739MXx4+lJ3RfDamo5V12e9UUXkDqr4WE/aaCw521Rlv3/agmmnxfNuTIbIKikRRNceCaFr7drgyzqvCSPrJKn326dWlFeiDpJWkvnvRLD7CL0ProihxYZP175ZMaWKZhPNq0coop04pnrcTKvfdeP3a3r/mSpEKSUhLSuVfz5xgjKf6feBIfHk3+mGQc06SSQmkadbOgT5UQ0GDwkUxaxhBzJbwc7+T3x7rL4rgTb3HkPdosfid72PM8wHKGqTjVgXADMIIch2ayc8P6WsVNmZpesEwyiIOLs93WuzTpIeof7GCJzW5vVEA1wfUsXBLQ7v8my3p4j8INQbvFVS5GNYeh3ZgBfthce9YoNVQhbSXRGQeC+2NLh1WEX0R9ZJQl5rZp/jYA58KYtYeSaHYJ+rTD2spaHpP9luSxH5A5nGW3yuB7BfnzLUbRmAjl4InZ7JDXKiuAdsTe+aPa5fcolRXKZkgcr+tWFj74n5ip9URG6xpqN3PopO5GT1s6FuSxS9KKEc1d7g0Z2+IhY5WwImgzuzz3U6B/ZAnK87VEFWpk0PJQt3U8TwAinGFrflQFCMAaZP3M4FelShHo0SSmHncQ/YGh+0+J1TgEFfbu8elK/u7untvK7d2d5RDDu39aHZ2fxlrd9eb2ASbRbq9fnIFr4VLPTrgC07Wa9ybpbS0uK51GyyjxUCvuvu6f3rsjm+tHY9ixg+aLd6vpq6ZGrtOOPEa3CAPJdBy7cAAAAAtklEQVSl6U2YBkgqeULt7pqfTZOmnJMkan59Yq7rKaKwEI2geHG93/6AJKTzUKH/LctdglHynHwBxasbUR9+Pds3L/xYwEUMa1DQCjycYVpsuhxKSg9DHZUCeZNZfaZ5E38QgjWDEI3dIP6RLBZYpiiSpIi8IBpI4hF6UUCQek/D7sDYdGB8FwFsMp7fDgSrZkCRVISBcgGj8NSDn7tQhurAsqsEE1+ByshT9e1AW/DtqM9MzvH/uFCgxBI9EGYAAAAASUVORK5CYII= + mediatype: image/png + maintainers: + - name: JFrog, Ltd + email: support@jfrog.com + install: + spec: + deployments: + - name: artifactory-ha-operator + spec: + replicas: 1 + selector: + matchLabels: + name: artifactory-ha-operator + strategy: {} + template: + metadata: + labels: + name: artifactory-ha-operator + spec: + containers: + - env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.annotations['olm.targetNamespaces'] + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: artifactory-ha-operator + image: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-ha + imagePullPolicy: IfNotPresent + name: artifactory-ha-operator + resources: {} + serviceAccountName: artifactory-ha-operator + permissions: + - rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - '*' + - apiGroups: + - "" + resources: + - events + verbs: + - create + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - '*' + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' + - apiGroups: + - "" + resources: + - configmaps + - secrets + - serviceaccounts + - services + verbs: + - '*' + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - '*' + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - '*' + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - artifactory-ha-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - apiGroups: + - charts.helm.k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + serviceAccountName: artifactory-ha-operator + strategy: deployment + installModes: + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + maturity: alpha + provider: {} + replaces: artifactory-ha-operator.v0.0.0 + version: 1.0.0 diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/artifactory-ha-operator.package.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/artifactory-ha-operator.package.yaml new file mode 100644 index 0000000..6cf02ab --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/artifactory-ha-operator.package.yaml @@ -0,0 +1,5 @@ +channels: +- currentCSV: artifactory-ha-operator.v1.0.0 + name: alpha +defaultChannel: alpha +packageName: artifactory-ha-operator diff --git a/Openshift4/artifactory-ha-operator/deploy/operator.yaml b/Openshift4/artifactory-ha-operator/deploy/operator.yaml new file mode 100644 index 0000000..c0d5a69 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/operator.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: artifactory-ha-operator +spec: + replicas: 1 + selector: + matchLabels: + name: artifactory-ha-operator + template: + metadata: + labels: + name: artifactory-ha-operator + spec: + serviceAccountName: artifactory-ha-operator + containers: + - name: artifactory-ha-operator + image: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-ha + #image: ubuntu + imagePullPolicy: IfNotPresent + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "artifactory-ha-operator" diff --git a/Openshift4/artifactory-ha-operator/deploy/operatorgroup.yaml b/Openshift4/artifactory-ha-operator/deploy/operatorgroup.yaml new file mode 100644 index 0000000..8356f6c --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/operatorgroup.yaml @@ -0,0 +1,8 @@ +apiVersion: operators.coreos.com/v1alpha2 +kind: OperatorGroup +metadata: + name: jfrog-group + namespace: jfrog-artifactory +spec: + targetNamespaces: + - jfrog-artifactory diff --git a/Openshift4/artifactory-ha-operator/deploy/project.yaml b/Openshift4/artifactory-ha-operator/deploy/project.yaml new file mode 100644 index 0000000..49904a2 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/project.yaml @@ -0,0 +1,89 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + creationTimestamp: null + name: project-request +objects: +- apiVersion: project.openshift.io/v1 + kind: Project + metadata: + annotations: + openshift.io/description: JFrog Artifactory + openshift.io/display-name: jfrog-artifactory + openshift.io/requester: johnp@jfrog.com + creationTimestamp: null + name: jfrog-artifactory + spec: {} + status: {} +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: + openshift.io/description: Allows all pods in this namespace to pull images from + this namespace. It is auto-managed by a controller; remove subjects to disable. + creationTimestamp: null + name: system:image-pullers + namespace: jfrog-artifactory + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:image-puller + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:jfrog-artifactory +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: + openshift.io/description: Allows builds in this namespace to push images to + this namespace. It is auto-managed by a controller; remove subjects to disable. + creationTimestamp: null + name: system:image-builders + namespace: jfrog-artifactory + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:image-builder + subjects: + - kind: ServiceAccount + name: builder + namespace: jfrog-artifactory +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: + openshift.io/description: Allows deploymentconfigs in this namespace to rollout + pods in this namespace. It is auto-managed by a controller; remove subjects + to disable. + creationTimestamp: null + name: system:deployers + namespace: jfrog-artifactory + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:deployer + subjects: + - kind: ServiceAccount + name: deployer + namespace: jfrog-artifactory +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + creationTimestamp: null + name: admin + namespace: jfrog-artifactory + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: kubeadmin +parameters: +- name: PROJECT_NAME +- name: PROJECT_DISPLAYNAME +- name: PROJECT_DESCRIPTION +- name: PROJECT_ADMIN_USER +- name: PROJECT_REQUESTING_USER diff --git a/Openshift4/artifactory-ha-operator/deploy/role.yaml b/Openshift4/artifactory-ha-operator/deploy/role.yaml new file mode 100644 index 0000000..f881935 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/role.yaml @@ -0,0 +1,100 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: artifactory-ha-operator +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - '*' +- apiGroups: + - "" + resources: + - events + verbs: + - create +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - '*' +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - "" + resources: + - configmaps + - secrets + - serviceaccounts + - services + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - apps + resourceNames: + - artifactory-ha-operator + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get +- apiGroups: + - charts.helm.k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/Openshift4/artifactory-ha-operator/deploy/role_binding.yaml b/Openshift4/artifactory-ha-operator/deploy/role_binding.yaml new file mode 100644 index 0000000..5e1093e --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/role_binding.yaml @@ -0,0 +1,11 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: artifactory-ha-operator +subjects: +- kind: ServiceAccount + name: artifactory-ha-operator +roleRef: + kind: Role + name: artifactory-ha-operator + apiGroup: rbac.authorization.k8s.io diff --git a/Openshift4/artifactory-ha-operator/deploy/securitycontextconstraints.yaml b/Openshift4/artifactory-ha-operator/deploy/securitycontextconstraints.yaml new file mode 100644 index 0000000..6bcf847 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/securitycontextconstraints.yaml @@ -0,0 +1,15 @@ +kind: SecurityContextConstraints +apiVersion: v1 +metadata: + name: scc-admin +allowPrivilegedContainer: true +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: +- kubeadmin diff --git a/Openshift4/artifactory-ha-operator/deploy/service_account.yaml b/Openshift4/artifactory-ha-operator/deploy/service_account.yaml new file mode 100644 index 0000000..37ccebe --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/service_account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: artifactory-ha-operator diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md new file mode 100755 index 0000000..075bfa2 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md @@ -0,0 +1,557 @@ +# JFrog Artifactory-ha Chart Changelog +All changes to this chart will be documented in this file. + +## [1.3.7] - Jan 07, 2020 +* Add support for customizable `mountOptions` of NFS PVs + +## [1.3.6] - Dec 30, 2019 +* Fix for nginx probes failing when launched with http disabled + +## [1.3.5] - Dec 24, 2019 +* Better support for custom `artifactory.internalPort` + +## [1.3.4] - Dec 23, 2019 +* Mark empty map values with `{}` + +## [1.3.3] - Dec 16, 2019 +* Another fix for toggling nginx service ports + +## [1.3.2] - Dec 12, 2019 +* Fix for toggling nginx service ports + +## [1.3.1] - Dec 10, 2019 +* Add support for toggling nginx service ports + +## [1.3.0] - Dec 1, 2019 +* Updated Artifactory version to 6.16.0 + +## [1.2.4] - Nov 28, 2019 +* Add support for using existing PriorityClass + +## [1.2.3] - Nov 27, 2019 +* Add support for PriorityClass + +## [1.2.2] - Nov 20, 2019 +* Update Artifactory logo + +## [1.2.1] - Nov 18, 2019 +* Add the option to provide service account annotations (in order to support stuff like https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html) + +## [1.2.0] - Nov 18, 2019 +* Updated Artifactory version to 6.15.0 + +## [1.1.12] - Nov 17, 2019 +* Fix `README.md` format (broken table) + +## [1.1.11] - Nov 17, 2019 +* Update comment on Artifactory master key + +## [1.1.10] - Nov 17, 2019 +* Fix creation of double slash in nginx artifactory configuration + +## [1.1.9] - Nov 14, 2019 +* Set explicit `postgresql.postgresqlPassword=""` to avoid helm v3 error + +## [1.1.8] - Nov 12, 2019 +* Updated Artifactory version to 6.14.1 + +## [1.1.7] - Nov 11, 2019 +* Additional documentation for masterKey + +## [1.1.6] - Nov 10, 2019 +* Update PostgreSQL chart version to 7.0.1 +* Use formal PostgreSQL configuration format + +## [1.1.5] - Nov 8, 2019 +* Add support `artifactory.service.loadBalancerSourceRanges` for whitelisting when setting `artifactory.service.type=LoadBalancer` + +## [1.1.4] - Nov 6, 2019 +* Add support for any type of environment variable by using `extraEnvironmentVariables` as-is + +## [1.1.3] - Nov 6, 2019 +* Add nodeselector support for Postgresql + +## [1.1.2] - Nov 5, 2019 +* Add support for the aws-s3-v3 filestore, which adds support for pod IAM roles + +## [1.1.1] - Nov 4, 2019 +* When using `copyOnEveryStartup`, make sure that the target base directories are created before copying the files + +## [1.1.0] - Nov 3, 2019 +* Updated Artifactory version to 6.14.0 + +## [1.0.1] - Nov 3, 2019 +* Make sure the artifactory pod exits when one of the pre-start stages fail + +## [1.0.0] - Oct 27, 2019 +**IMPORTANT - BREAKING CHANGES!**
+**DOWNTIME MIGHT BE REQUIRED FOR AN UPGRADE!** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), must use the upgrade instructions in [UPGRADE_NOTES.md](UPGRADE_NOTES.md)! +* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is **not backward compatible** with the old version (`0.9.5`)! +* Note the following **PostgreSQL** Helm chart changes + * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used + * **PostgreSQL** is deployed as a StatefulSet + * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations + +## [0.17.3] - Oct 24, 2019 +* Change the preStartCommand to support templating + +## [0.17.2] - Oct 21, 2019 +* Add support for setting `artifactory.primary.labels` +* Add support for setting `artifactory.node.labels` +* Add support for setting `nginx.labels` + +## [0.17.1] - Oct 10, 2019 +* Updated Artifactory version to 6.13.1 + +## [0.17.0] - Oct 7, 2019 +* Updated Artifactory version to 6.13.0 + +## [0.16.7] - Sep 24, 2019 +* Option to skip wait-for-db init container with '--set waitForDatabase=false' + +## [0.16.6] - Sep 24, 2019 +* Add support for setting `nginx.service.labels` + +## [0.16.5] - Sep 23, 2019 +* Add support for setting `artifactory.customInitContainersBegin` + +## [0.16.4] - Sep 20, 2019 +* Add support for setting `initContainers.resources` + +## [0.16.3] - Sep 11, 2019 +* Updated Artifactory version to 6.12.2 + +## [0.16.2] - Sep 9, 2019 +* Updated Artifactory version to 6.12.1 + +## [0.16.1] - Aug 22, 2019 +* Fix the nginx server_name directive used with ingress.hosts + +## [0.16.0] - Aug 21, 2019 +* Updated Artifactory version to 6.12.0 + +## [0.15.15] - Aug 18, 2019 +* Fix existingSharedClaim permissions issue and example + +## [0.15.14] - Aug 14, 2019 +* Updated Artifactory version to 6.11.6 + +## [0.15.13] - Aug 11, 2019 +* Fix Ingress routing and add an example + +## [0.15.12] - Aug 6, 2019 +* Do not mount `access/etc/bootstrap.creds` unless user specifies a custom password or secret (Access already generates a random password if not provided one) +* If custom `bootstrap.creds` is provided (using keys or custom secret), prepare it with an init container so the temp file does not persist + +## [0.15.11] - Aug 5, 2019 +* Improve binarystore config + 1. Convert to a secret + 2. Move config to values.yaml + 3. Support an external secret + +## [0.15.10] - Aug 5, 2019 +* Don't create the nginx configmaps when nginx.enabled is false + +## [0.15.9] - Aug 1, 2019 +* Fix masterkey/masterKeySecretName not specified warning render logic in NOTES.txt + +## [0.15.8] - Jul 28, 2019 +* Simplify nginx setup and shorten initial wait for probes + +## [0.15.7] - Jul 25, 2019 +* Updated README about how to apply Artifactory licenses + +## [0.15.6] - Jul 22, 2019 +* Change Ingress API to be compatible with recent kubernetes versions + +## [0.15.5] - Jul 22, 2019 +* Updated Artifactory version to 6.11.3 + +## [0.15.4] - Jul 11, 2019 +* Add `artifactory.customVolumeMounts` support to member node statefulset template + +## [0.15.3] - Jul 11, 2019 +* Add ingress.hosts to the Nginx server_name directive when ingress is enabled to help with Docker repository sub domain configuration + +## [0.15.2] - Jul 3, 2019 +* Add the option for changing nginx config using values.yaml and remove outdated reverse proxy documentation + +## [0.15.1] - Jul 1, 2019 +* Updated Artifactory version to 6.11.1 + +## [0.15.0] - Jun 27, 2019 +* Updated Artifactory version to 6.11.0 and Restart Primary node when bootstrap.creds file has been modified in artifactory-ha + +## [0.14.4] - Jun 24, 2019 +* Add the option to provide an IP for the access-admin endpoints + +## [0.14.3] - Jun 24, 2019 +* Update chart maintainers + +## [0.14.2] - Jun 24, 2019 +* Change Nginx to point to the artifactory externalPort + +## [0.14.1] - Jun 23, 2019 +* Add values files for small, medium and large installations + +## [0.14.0] - Jun 20, 2019 +* Use ConfigMaps for nginx configuration and remove nginx postStart command + +## [0.13.10] - Jun 19, 2019 +* Updated Artifactory version to 6.10.4 + +## [0.13.9] - Jun 18, 2019 +* Add the option to provide additional ingress rules + +## [0.13.8] - Jun 14, 2019 +* Updated readme with improved external database setup example + +## [0.13.7] - Jun 6, 2019 +* Updated Artifactory version to 6.10.3 +* Updated installer-info template + +## [0.13.6] - Jun 6, 2019 +* Updated Google Cloud Storage API URL and https settings + +## [0.13.5] - Jun 5, 2019 +* Delete the db.properties file on Artifactory startup + +## [0.13.4] - Jun 3, 2019 +* Updated Artifactory version to 6.10.2 + +## [0.13.3] - May 21, 2019 +* Updated Artifactory version to 6.10.1 + +## [0.13.2] - May 19, 2019 +* Fix missing logger image tag + +## [0.13.1] - May 15, 2019 +* Support `artifactory.persistence.cacheProviderDir` for on-premise cluster + +## [0.13.0] - May 7, 2019 +* Updated Artifactory version to 6.10.0 + +## [0.12.23] - May 5, 2019 +* Add support for setting `artifactory.async.corePoolSize` + +## [0.12.22] - May 2, 2019 +* Remove unused property `artifactory.releasebundle.feature.enabled` + +## [0.12.21] - Apr 30, 2019 +* Add support for JMX monitoring + +## [0.12.20] - Apr29, 2019 +* Added support for headless services + +## [0.12.19] - Apr 28, 2019 +* Added support for `cacheProviderDir` + +## [0.12.18] - Apr 18, 2019 +* Changing API StatefulSet version to `v1` and permission fix for custom `artifactory.conf` for Nginx + +## [0.12.17] - Apr 16, 2019 +* Updated documentation for Reverse Proxy Configuration + +## [0.12.16] - Apr 12, 2019 +* Added support for `customVolumeMounts` + +## [0.12.15] - Aprl 12, 2019 +* Added support for `bucketExists` flag for googleStorage + +## [0.12.14] - Apr 11, 2019 +* Replace `curl` examples with `wget` due to the new base image + +## [0.12.13] - Aprl 07, 2019 +* Add support for providing the Artifactory license as a parameter + +## [0.12.12] - Apr 10, 2019 +* Updated Artifactory version to 6.9.1 + +## [0.12.11] - Aprl 04, 2019 +* Add support for templated extraEnvironmentVariables + +## [0.12.10] - Aprl 07, 2019 +* Change network policy API group + +## [0.12.9] - Aprl 04, 2019 +* Apply the existing PVC for members (in addition to primary) + +## [0.12.8] - Aprl 03, 2019 +* Bugfix for userPluginSecrets + +## [0.12.7] - Apr 4, 2019 +* Add information about upgrading Artifactory with auto-generated postgres password + +## [0.12.6] - Aprl 03, 2019 +* Added installer info + +## [0.12.5] - Aprl 03, 2019 +* Allow secret names for user plugins to contain template language + +## [0.12.4] - Apr 02, 2019 +* Fix issue #253 (use existing PVC for data and backup storage) + +## [0.12.3] - Apr 02, 2019 +* Allow NetworkPolicy configurations (defaults to allow all) + +## [0.12.2] - Aprl 01, 2019 +* Add support for user plugin secret + +## [0.12.1] - Mar 26, 2019 +* Add the option to copy a list of files to ARTIFACTORY_HOME on startup + +## [0.12.0] - Mar 26, 2019 +* Updated Artifactory version to 6.9.0 + +## [0.11.18] - Mar 25, 2019 +* Add CI tests for persistence, ingress support and nginx + +## [0.11.17] - Mar 22, 2019 +* Add the option to change the default access-admin password + +## [0.11.16] - Mar 22, 2019 +* Added support for `.Probe.path` to customise the paths used for health probes + +## [0.11.15] - Mar 21, 2019 +* Added support for `artifactory.customSidecarContainers` to create custom sidecar containers +* Added support for `artifactory.customVolumes` to create custom volumes + +## [0.11.14] - Mar 21, 2019 +* Make ingress path configurable + +## [0.11.13] - Mar 19, 2019 +* Move the copy of bootstrap config from postStart to preStart for Primary + +## [0.11.12] - Mar 19, 2019 +* Fix existingClaim example + +## [0.11.11] - Mar 18, 2019 +* Disable the option to use nginx PVC with more than one replica + +## [0.11.10] - Mar 15, 2019 +* Wait for nginx configuration file before using it + +## [0.11.9] - Mar 15, 2019 +* Revert securityContext changes since they were causing issues + +## [0.11.8] - Mar 15, 2019 +* Fix issue #247 (init container failing to run) + +## [0.11.7] - Mar 14, 2019 +* Updated Artifactory version to 6.8.7 + +## [0.11.6] - Mar 13, 2019 +* Move securityContext to container level + +## [0.11.5] - Mar 11, 2019 +* Add the option to use existing volume claims for Artifactory storage + +## [0.11.4] - Mar 11, 2019 +* Updated Artifactory version to 6.8.6 + +## [0.11.3] - Mar 5, 2019 +* Updated Artifactory version to 6.8.4 + +## [0.11.2] - Mar 4, 2019 +* Add support for catalina logs sidecars + +## [0.11.1] - Feb 27, 2019 +* Updated Artifactory version to 6.8.3 + +## [0.11.0] - Feb 25, 2019 +* Add nginx support for tail sidecars + +## [0.10.3] - Feb 21, 2019 +* Add s3AwsVersion option to awsS3 configuration for use with IAM roles + +## [0.10.2] - Feb 19, 2019 +* Updated Artifactory version to 6.8.2 + +## [0.10.1] - Feb 17, 2019 +* Updated Artifactory version to 6.8.1 +* Add example of `SERVER_XML_EXTRA_CONNECTOR` usage + +## [0.10.0] - Feb 15, 2019 +* Updated Artifactory version to 6.8.0 + +## [0.9.7] - Feb 13, 2019 +* Updated Artifactory version to 6.7.3 + +## [0.9.6] - Feb 7, 2019 +* Add support for tail sidecars to view logs from k8s api + +## [0.9.5] - Feb 6, 2019 +* Fix support for customizing statefulset `terminationGracePeriodSeconds` + +## [0.9.4] - Feb 5, 2019 +* Add support for customizing statefulset `terminationGracePeriodSeconds` + +## [0.9.3] - Feb 5, 2019 +* Remove the inactive server remove plugin + +## [0.9.2] - Feb 3, 2019 +* Updated Artifactory version to 6.7.2 + +## [0.9.1] - Jan 27, 2019 +* Fix support for Azure Blob Storage Binary provider + +## [0.9.0] - Jan 23, 2019 +* Updated Artifactory version to 6.7.0 + +## [0.8.10] - Jan 22, 2019 +* Added support for `artifactory.customInitContainers` to create custom init containers + +## [0.8.9] - Jan 18, 2019 +* Added support of values ingress.labels + +## [0.8.8] - Jan 16, 2019 +* Mount replicator.yaml (config) directly to /replicator_extra_conf + +## [0.8.7] - Jan 15, 2018 +* Add support for Azure Blob Storage Binary provider + +## [0.8.6] - Jan 13, 2019 +* Fix documentation about nginx group id + +## [0.8.5] - Jan 13, 2019 +* Updated Artifactory version to 6.6.5 + +## [0.8.4] - Jan 8, 2019 +* Make artifactory.replicator.publicUrl required when the replicator is enabled + +## [0.8.3] - Jan 1, 2019 +* Updated Artifactory version to 6.6.3 +* Add support for `artifactory.extraEnvironmentVariables` to pass more environment variables to Artifactory + +## [0.8.2] - Dec 28, 2018 +* Fix location `replicator.yaml` is copied to + +## [0.8.1] - Dec 27, 2018 +* Updated Artifactory version to 6.6.1 + +## [0.8.0] - Dec 20, 2018 +* Updated Artifactory version to 6.6.0 + +## [0.7.17] - Dec 17, 2018 +* Updated Artifactory version to 6.5.13 + +## [0.7.16] - Dec 12, 2018 +* Fix documentation about Artifactory license setup using secret + +## [0.7.15] - Dec 9, 2018 +* AWS S3 add `roleName` for using IAM role + +## [0.7.14] - Dec 6, 2018 +* AWS S3 `identity` and `credential` are now added only if have a value to allow using IAM role + +## [0.7.13] - Dec 5, 2018 +* Remove Distribution certificates creation. + +## [0.7.12] - Dec 2, 2018 +* Remove Java option "-Dartifactory.locking.provider.type=db". This is already the default setting. + +## [0.7.11] - Nov 30, 2018 +* Updated Artifactory version to 6.5.9 + +## [0.7.10] - Nov 29, 2018 +* Fixed the volumeMount for the replicator.yaml + +## [0.7.9] - Nov 29, 2018 +* Optionally include primary node into poddisruptionbudget + +## [0.7.8] - Nov 29, 2018 +* Updated postgresql version to 9.6.11 + +## [0.7.7] - Nov 27, 2018 +* Updated Artifactory version to 6.5.8 + +## [0.7.6] - Nov 18, 2018 +* Added support for configMap to use custom Reverse Proxy Configuration with Nginx + +## [0.7.5] - Nov 14, 2018 +* Updated Artifactory version to 6.5.3 + +## [0.7.4] - Nov 13, 2018 +* Allow pod anti-affinity settings to include primary node + +## [0.7.3] - Nov 12, 2018 +* Support artifactory.preStartCommand for running command before entrypoint starts + +## [0.7.2] - Nov 7, 2018 +* Support database.url parameter (DB_URL) + +## [0.7.1] - Oct 29, 2018 +* Change probes port to 8040 (so they will not be blocked when all tomcat threads on 8081 are exhausted) + +## [0.7.0] - Oct 28, 2018 +* Update postgresql chart to version 0.9.5 to be able and use `postgresConfig` options + +## [0.6.9] - Oct 23, 2018 +* Fix providing external secret for database credentials + +## [0.6.8] - Oct 22, 2018 +* Allow user to configure externalTrafficPolicy for Loadbalancer + +## [0.6.7] - Oct 22, 2018 +* Updated ingress annotation support (with examples) to support docker registry v2 + +## [0.6.6] - Oct 21, 2018 +* Updated Artifactory version to 6.5.2 + +## [0.6.5] - Oct 19, 2018 +* Allow providing pre-existing secret containing master key +* Allow arbitrary annotations on primary and member node pods +* Enforce size limits when using local storage with `emptyDir` +* Allow `soft` or `hard` specification of member node anti-affinity +* Allow providing pre-existing secrets containing external database credentials +* Fix `s3` binary store provider to properly use the `cache-fs` provider +* Allow arbitrary properties when using the `s3` binary store provider + +## [0.6.4] - Oct 18, 2018 +* Updated Artifactory version to 6.5.1 + +## [0.6.3] - Oct 17, 2018 +* Add Apache 2.0 license + +## [0.6.2] - Oct 14, 2018 +* Make S3 endpoint configurable (was hardcoded with `s3.amazonaws.com`) + +## [0.6.1] - Oct 11, 2018 +* Allows ingress default `backend` to be enabled or disabled (defaults to enabled) + +## [0.6.0] - Oct 11, 2018 +* Updated Artifactory version to 6.5.0 + +## [0.5.3] - Oct 9, 2018 +* Quote ingress hosts to support wildcard names + +## [0.5.2] - Oct 2, 2018 +* Add `helm repo add jfrog https://charts.jfrog.io` to README + +## [0.5.1] - Oct 2, 2018 +* Set Artifactory to 6.4.1 + +## [0.5.0] - Sep 27, 2018 +* Set Artifactory to 6.4.0 + +## [0.4.7] - Sep 26, 2018 +* Add ci/test-values.yaml + +## [0.4.6] - Sep 25, 2018 +* Add PodDisruptionBudget for member nodes, defaulting to minAvailable of 1 + +## [0.4.4] - Sep 2, 2018 +* Updated Artifactory version to 6.3.2 + +## [0.4.0] - Aug 22, 2018 +* Added support to run as non root +* Updated Artifactory version to 6.2.0 + +## [0.3.0] - Aug 22, 2018 +* Enabled RBAC Support +* Added support for PostStartCommand (To download Database JDBC connector) +* Increased postgresql max_connections +* Added support for `nginx.conf` ConfigMap +* Updated Artifactory version to 6.1.0 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml new file mode 100755 index 0000000..0e1989f --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +appVersion: 7.0.2 +description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. +home: https://www.jfrog.com/artifactory/ +icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-ha/logo/artifactory-logo.png +keywords: +- artifactory +- jfrog +- devops +maintainers: +- email: amithk@jfrog.com + name: amithins +- email: daniele@jfrog.com + name: danielezer +- email: eldada@jfrog.com + name: eldada +- email: rimasm@jfrog.com + name: rimusz +name: openshift-artifactory-ha +sources: +- https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view +- https://github.com/jfrog/charts +version: 2.0.4 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/LICENSE b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/LICENSE new file mode 100755 index 0000000..8dada3e --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md new file mode 100755 index 0000000..76bd6af --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md @@ -0,0 +1,1266 @@ +# JFrog Artifactory High Availability Helm Chart + +## Prerequisites Details + +* Kubernetes 1.8+ +* Artifactory HA license + +## Chart Details +This chart will do the following: + +* Deploy Artifactory highly available cluster. 1 primary node and 2 member nodes. +* Deploy a PostgreSQL database +* Deploy an Nginx server + +## Artifactory HA architecture +The Artifactory HA cluster in this chart is made up of +- A single primary node +- Two member nodes, which can be resized at will + +Load balancing is done to the member nodes only. +This leaves the primary node free to handle jobs and tasks and not be interrupted by inbound traffic. +> This can be controlled by the parameter `artifactory.service.pool`. + +## Installing the Chart + +### Add JFrog Helm repository +Before installing JFrog helm charts, you need to add the [JFrog helm repository](https://charts.jfrog.io/) to your helm client +```bash +helm repo add jfrog https://charts.jfrog.io +``` + +### Install Chart +To install the chart with the release name `artifactory-ha`: +```bash +helm install --name artifactory-ha --set postgresql.postgresqlPassword= jfrog/artifactory-ha +``` + +### System Configuration +Artifactory uses a common system configuration file - `system.yaml`. See [official documentation](https://www.jfrog.com/confluence/display/JFROG/System+YAML+Configuration+File) on its usage. +In order to override the default `system.yaml` configuration, do the following: +```bash +artifactory: + systemYaml: | + +``` + +### Accessing Artifactory +**NOTE:** It might take a few minutes for Artifactory's public IP to become available, and the nodes to complete initial setup. +Follow the instructions outputted by the install command to get the Artifactory IP and URL to access it. + +### Updating Artifactory +Once you have a new chart version, you can update your deployment with +```bash +helm upgrade artifactory-ha jfrog/artifactory-ha +``` + +If artifactory was installed without providing a value to postgresql.postgresqlPassword (a password was autogenerated), follow these instructions: +1. Get the current password by running: +```bash +POSTGRES_PASSWORD=$(kubectl get secret -n -postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +``` +2. Upgrade the release by passing the previously auto-generated secret: +```bash +helm upgrade jfrog/artifactory-ha --set postgresql.postgresqlPassword=${POSTGRES_PASSWORD} +``` + +This will apply any configuration changes on your existing deployment. + +### Artifactory memory and CPU resources +The Artifactory HA Helm chart comes with support for configured resource requests and limits to all pods. By default, these settings are commented out. +It is **highly** recommended to set these so you have full control of the allocated resources and limits. + +See more information on [setting resources for your Artifactory based on planned usage](https://www.jfrog.com/confluence/display/RTF/System+Requirements#SystemRequirements-RecommendedHardware). + +```bash +# Example of setting resource requests and limits to all pods (including passing java memory settings to Artifactory) +helm install --name artifactory-ha \ + --set artifactory.primary.resources.requests.cpu="500m" \ + --set artifactory.primary.resources.limits.cpu="2" \ + --set artifactory.primary.resources.requests.memory="1Gi" \ + --set artifactory.primary.resources.limits.memory="4Gi" \ + --set artifactory.primary.javaOpts.xms="1g" \ + --set artifactory.primary.javaOpts.xmx="4g" \ + --set artifactory.node.resources.requests.cpu="500m" \ + --set artifactory.node.resources.limits.cpu="2" \ + --set artifactory.node.resources.requests.memory="1Gi" \ + --set artifactory.node.resources.limits.memory="4Gi" \ + --set artifactory.node.javaOpts.xms="1g" \ + --set artifactory.node.javaOpts.xmx="4g" \ + --set initContainers.resources.requests.cpu="10m" \ + --set initContainers.resources.limits.cpu="250m" \ + --set initContainers.resources.requests.memory="64Mi" \ + --set initContainers.resources.limits.memory="128Mi" \ + --set postgresql.resources.requests.cpu="200m" \ + --set postgresql.resources.limits.cpu="1" \ + --set postgresql.resources.requests.memory="500Mi" \ + --set postgresql.resources.limits.memory="1Gi" \ + --set nginx.resources.requests.cpu="100m" \ + --set nginx.resources.limits.cpu="250m" \ + --set nginx.resources.requests.memory="250Mi" \ + --set nginx.resources.limits.memory="500Mi" \ + jfrog/artifactory-ha +``` +> Artifactory java memory parameters can (and should) also be set to match the allocated resources with `artifactory.[primary|node].javaOpts.xms` and `artifactory.[primary|node].javaOpts.xmx`. + +Get more details on configuring Artifactory in the [official documentation](https://www.jfrog.com/confluence/). + +Although it is possible to set resources limits and requests this way, it is recommended to use the pre-built values files +for small, medium and large installation and change them according to your needs (if necessary), as described [here](#Deploying-Artifactory-for-small/medium/large-installations) + +### Deploying Artifactory for small/medium/large installations +In the chart directory, we have added three values files, one for each installation type - small/medium/large. These values files are recommendations for setting resources requests and limits for your installation. The values are derived from the following [documentation](https://www.jfrog.com/confluence/display/EP/Installing+on+Kubernetes#InstallingonKubernetes-Systemrequirements). You can find them in the corresponding chart directory - values-small.yaml, values-medium.yaml and values-large.yaml + +### Artifactory storage +Artifactory HA support a wide range of storage back ends. You can see more details on [Artifactory HA storage options](https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup#HAInstallationandSetup-SettingUpYourStorageConfiguration) + +In this chart, you set the type of storage you want with `artifactory.persistence.type` and pass the required configuration settings. +The default storage in this chart is the `file-system` replication, where the data is replicated to all nodes. + +> **IMPORTANT:** All storage configurations (except NFS) come with a default `artifactory.persistence.redundancy` parameter. +This is used to set how many replicas of a binary should be stored in the cluster's nodes. +Once this value is set on initial deployment, you can not update it using helm. +It is recommended to set this to a number greater than half of your cluster's size, and never scale your cluster down to a size smaller than this number. + +#### Existing volume claim + +###### Primary node +In order to use an existing volume claim for the Artifactory primary storage, you need to: +- Create a persistent volume claim by the name `volume--artifactory-ha-primary-0` e.g `volume-myrelease-artifactory-ha-primary-0` +- Pass a parameter to `helm install` and `helm upgrade` +```bash +... +--set artifactory.primary.persistence.existingClaim=true +``` + +###### Member nodes +In order to use an existing volume claim for the Artifactory member nodes storage, you need to: +- Create persistent volume claims according to the number of replicas defined at `artifactory.node.replicaCount` by the names `volume--artifactory-ha-member-`, e.g `volume-myrelease-artifactory-ha-member-0` and `volume-myrelease-artifactory-ha-primary-1`. +- Pass a parameter to `helm install` and `helm upgrade` +```bash +... +--set artifactory.node.persistence.existingClaim=true +``` + +#### Existing shared volume claim + +In order to use an existing claim (for data and backup) that is to be shared across all nodes, you need to: + +- Create PVCs with ReadWriteMany that match the naming conventions: +``` + {{ template "artifactory-ha.fullname" . }}-data-pvc- + {{ template "artifactory-ha.fullname" . }}-backup-pvc- +``` +An example that shows 2 existing claims to be used: +``` + myexample-artifactory-ha-data-pvc-0 + myexample-artifactory-ha-backup-pvc-0 + myexample-artifactory-ha-data-pvc-1 + myexample-artifactory-ha-backup-pvc-1 +``` +- Set the artifactory.persistence.fileSystem.existingSharedClaim.enabled in values.yaml to true: +``` +-- set artifactory.persistence.fileSystem.existingSharedClaim.enabled=true +-- set artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims=2 +``` + +#### NFS +To use an NFS server as your cluster's storage, you need to +- Setup an NFS server. Get its IP as `NFS_IP` +- Create a `data` and `backup` directories on the NFS exported directory with write permissions to all +- Pass NFS parameters to `helm install` and `helm upgrade` +```bash +... +--set artifactory.persistence.type=nfs \ +--set artifactory.persistence.nfs.ip=${NFS_IP} \ +... +``` + +#### Google Storage +To use a Google Storage bucket as the cluster's filestore. See [Google Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-GoogleStorageBinaryProvider) +- Pass Google Storage parameters to `helm install` and `helm upgrade` +```bash +... +--set artifactory.persistence.type=google-storage \ +--set artifactory.persistence.googleStorage.identity=${GCP_ID} \ +--set artifactory.persistence.googleStorage.credential=${GCP_KEY} \ +... +``` + +#### AWS S3 +**NOTE** Keep in mind that when using the `aws-s3` persistence type, you will not be able to provide an IAM on the pod level. +In order to grant permissions to Artifactory using an IAM role, you will have to attach the IAM role to the machine(s) on which Artifactory is running. +This is due to the fact that the `aws-s3` template uses the `JetS3t` library to interact with AWS. If you want to grant an IAM role at the pod level, see the `AWS S3 Vs` section. + +To use an AWS S3 bucket as the cluster's filestore. See [S3 Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-S3BinaryProvider) +- Pass AWS S3 parameters to `helm install` and `helm upgrade` +```bash +... +# With explicit credentials: +--set artifactory.persistence.type=aws-s3 \ +--set artifactory.persistence.awsS3.endpoint=${AWS_S3_ENDPOINT} \ +--set artifactory.persistence.awsS3.region=${AWS_REGION} \ +--set artifactory.persistence.awsS3.identity=${AWS_ACCESS_KEY_ID} \ +--set artifactory.persistence.awsS3.credential=${AWS_SECRET_ACCESS_KEY} \ +... + +... +# With using existing IAM role +--set artifactory.persistence.type=aws-s3 \ +--set artifactory.persistence.awsS3.endpoint=${AWS_S3_ENDPOINT} \ +--set artifactory.persistence.awsS3.region=${AWS_REGION} \ +--set artifactory.persistence.awsS3.roleName=${AWS_ROLE_NAME} \ +... +``` +**NOTE:** Make sure S3 `endpoint` and `region` match. See [AWS documentation on endpoint](https://docs.aws.amazon.com/general/latest/gr/rande.html) + +#### AWS S3 V3 +To use an AWS S3 bucket as the cluster's filestore and access it with the official AWS SDK, See [S3 Official SDK Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate). +This filestore template uses the official AWS SDK, unlike the `aws-s3` implementation that uses the `JetS3t` library. +Use this template if you want to attach an IAM role to the Artifactory pod directly (as opposed to attaching it to the machine/s that Artifactory will run on). + +**NOTE** This will have to be combined with a k8s mechanism for attaching IAM roles to pods, like [kube2iam](https://github.com/helm/charts/tree/master/stable/kube2iam) or anything similar. + +- Pass AWS S3 V3 parameters and the annotation pointing to the IAM role (when using an IAM role. this is kube2iam specific and may vary depending on the implementation) to `helm install` and `helm upgrade` + +```bash +# With explicit credentials: +--set artifactory.persistence.type=aws-s3-v3 \ +--set artifactory.persistence.awsS3V3.region=${AWS_REGION} \ +--set artifactory.persistence.awsS3V3.bucketName=${AWS_S3_BUCKET_NAME} \ +--set artifactory.persistence.awsS3V3.identity=${AWS_ACCESS_KEY_ID} \ +--set artifactory.persistence.awsS3V3.credential=${AWS_SECRET_ACCESS_KEY} \ +... +``` + +```bash +# With using existing IAM role +--set artifactory.persistence.type=aws-s3-v3 \ +--set artifactory.persistence.awsS3V3.region=${AWS_REGION} \ +--set artifactory.persistence.awsS3V3.bucketName=${AWS_S3_BUCKET_NAME} \ +--set artifactory.annotations.'iam\.amazonaws\.com/role'=${AWS_IAM_ROLE_ARN} +... +``` + +#### Microsoft Azure Blob Storage +To use Azure Blob Storage as the cluster's filestore. See [Azure Blob Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AzureBlobStorageClusterBinaryProvider) +- Pass Azure Blob Storage parameters to `helm install` and `helm upgrade` +```bash +... +--set artifactory.persistence.type=azure-blob \ +--set artifactory.persistence.azureBlob.accountName=${AZURE_ACCOUNT_NAME} \ +--set artifactory.persistence.azureBlob.accountKey=${AZURE_ACCOUNT_KEY} \ +--set artifactory.persistence.azureBlob.endpoint=${AZURE_ENDPOINT} \ +--set artifactory.persistence.azureBlob.containerName=${AZURE_CONTAINER_NAME} \ +... +``` + +#### Custom binarystore.xml +You have an option to provide a custom [binarystore.xml](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore).
+There are two options for this + +1. Editing directly in [values.yaml](values.yaml) +```yaml +artifactory: + persistence: + binarystoreXml: | + + + + + +``` + +2. Create your own [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) and pass it to your `helm install` command +```yaml +# Prepare your custom Secret file (custom-binarystore.yaml) +kind: Secret +apiVersion: v1 +metadata: + name: custom-binarystore + labels: + app: artifactory + chart: artifactory +stringData: + binarystore.xml: |- + + + + +``` + +```bash +# Create a secret from the file +kubectl apply -n artifactory -f ./custom-binarystore.yaml + +# Pass it to your helm install command: +helm install --name artifactory-ha --set artifactory.persistence.customBinarystoreXmlSecret=custom-binarystore jfrog/artifactory-ha +``` + +### Create a unique Master Key +Artifactory HA cluster requires a unique master key. By default the chart has one set in values.yaml (`artifactory.masterKey`). + +**This key is for demo purpose and should not be used in a production environment!** + +You should generate a unique one and pass it to the template at install/upgrade time. +```bash +# Create a key +export MASTER_KEY=$(openssl rand -hex 32) +echo ${MASTER_KEY} + +# Pass the created master key to helm +helm install --name artifactory-ha --set artifactory.masterKey=${MASTER_KEY} jfrog/artifactory-ha +``` + +Alternatively, you can create a secret containing the master key manually and pass it to the template at install/upgrade time. +```bash +# Create a key +export MASTER_KEY=$(openssl rand -hex 32) +echo ${MASTER_KEY} + +# Create a secret containing the key. The key in the secret must be named master-key +kubectl create secret generic my-secret --from-literal=master-key=${MASTER_KEY} + +# Pass the created secret to helm +helm install --name artifactory-ha --set artifactory.masterKeySecretName=my-secret jfrog/artifactory-ha +``` +**NOTE:** In either case, make sure to pass the same master key on all future calls to `helm install` and `helm upgrade`! In the first case, this means always passing `--set artifactory.masterKey=${MASTER_KEY}`. In the second, this means always passing `--set artifactory.masterKeySecretName=my-secret` and ensuring the contents of the secret remain unchanged. + +### Create a unique Join Key +Artifactory requires a unique join key. By default the chart has one set in values.yaml (`artifactory.joinKey`). + +**This key is for demo purpose and should not be used in a production environment!** + +You should generate a unique key and pass it to the template at install/upgrade time. +```bash +# Create a key +export JOIN_KEY=$(openssl rand -hex 16) +echo ${JOIN_KEY} + +# Pass the created master key to helm +helm install --name artifactory --set artifactory.joinKey=${JOIN_KEY} jfrog/artifactory +``` + +**NOTE:** In either case, make sure to pass the same join key on all future calls to `helm install` and `helm upgrade`! This means always passing `--set artifactory.joinKey=${JOIN_KEY}`. + +### Install Artifactory HA license +For activating Artifactory HA, you must install an appropriate license. There are three ways to manage the license. **Artifactory UI**, **REST API**, or a **Kubernetes Secret**. + +The easier and recommended way is the **Artifactory UI**. Using the **Kubernetes Secret** or **REST API** is for advanced users and is better suited for automation. + +**IMPORTANT:** You should use only one of the following methods. Switching between them while a cluster is running might disable your Artifactory HA cluster! + +##### Artifactory UI +Once primary cluster is running, open Artifactory UI and insert the license(s) in the UI. See [HA installation and setup](https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup) for more details. **Note that you should enter all licenses at once, with each license is separated by a newline.** If you add the licenses one at a time, you may get redirected to a node without a license and the UI won't load for that node. + +##### REST API +You can add licenses via REST API (https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API#ArtifactoryRESTAPI-InstallHAClusterLicenses). Note that the REST API expects "\n" for the newlines in the licenses. + +##### Kubernetes Secret +You can deploy the Artifactory license(s) as a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/). +Prepare a text file with the license(s) written in it. If writing multiple licenses (must be in the same file), it's important to put **two new lines between each license block**! +```bash +# Create the Kubernetes secret (assuming the local license file is 'art.lic') +kubectl create secret generic artifactory-cluster-license --from-file=./art.lic + +# Pass the license to helm +helm install --name artifactory-ha --set artifactory.license.secret=artifactory-cluster-license,artifactory.license.dataKey=art.lic jfrog/artifactory-ha +``` +**NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). +Updating the license should be done via Artifactory UI or REST API. + +##### Create the secret as part of the helm release +values.yaml +```yaml +artifactory: + license: + licenseKey: |- + + + + + + + +``` + +```bash +helm install --name artifactory-ha -f values.yaml jfrog/artifactory-ha +``` +**NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). +Updating the license should be done via Artifactory UI or REST API. +If you want to keep managing the artifactory license using the same method, you can use the copyOnEveryStartup example shown in the values.yaml file + + +### copyOnEveryStartup feature +Files stored in the `/artifactory-extra-conf` directory are only copied to the `ARTIFACTORY_HOME/etc` directory upon the first startup. +In some cases, you want your configuration files to be copied to the `ARTIFACTORY_HOME/etc` directory on every startup. +Two examples for that would be: + +1. the binarstore.xml file. If you use the default behaviour, your binarystore.xml configuration will only be copied on the first startup, +which means that changes you make over time to the `binaryStoreXml` configuration will not be applied. In order to make sure your changes are applied on every startup, do the following: +Create a values file with the following values: +```yaml +artifactory: + copyOnEveryStartup: + - source: /artifactory_extra_conf/binarystore.xml + target: etc/ +``` + +Install the helm chart with the values file you created: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f values.yaml +``` + +2. Any custom configuration file you have to configure artifactory, such as `logabck.xml`: +Create a config map with your `logback.xml` configuration. + +Create a values file with the following values: +```yaml +artifactory: + ## Create a volume pointing to the config map with your configuration file + customVolumes: | + - name: logback-xml-configmap + configMap: + name: logback-xml-configmap + customVolumeMounts: | + - name: logback-xml-configmap + mountPath: /tmp/artifactory-logback/ + copyOnEveryStartup: + - source: /tmp/artifactory-logback/* + target: etc/ +``` + +Install the helm chart with the values file you created: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f values.yaml +``` + +### Configure NetworkPolicy + +NetworkPolicy specifies what ingress and egress is allowed in this namespace. It is encouraged to be more specific whenever possible to increase security of the system. + +In the `networkpolicy` section of values.yaml you can specify a list of NetworkPolicy objects. + +For podSelector, ingress and egress, if nothing is provided then a default `- {}` is applied which is to allow everything. + +A full (but very wide open) example that results in 2 NetworkPolicy objects being created: +```yaml +networkpolicy: + # Allows all ingress and egress to/from artifactory primary and member pods. + - name: artifactory + podSelector: + matchLabels: + app: artifactory-ha + egress: + - {} + ingress: + - {} + # Allows connectivity from artifactory-ha pods to postgresql pods, but no traffic leaving postgresql pod. + - name: postgresql + podSelector: + matchLabels: + app: postgresql + ingress: + - from: + - podSelector: + matchLabels: + app: artifactory-ha +``` + +### Artifactory JMX Configuration +** You can see some information about the exposed MBeans here - https://www.jfrog.com/confluence/display/RTF/Artifactory+JMX+MBeans + +Enable JMX in your deployment: +```bash +helm install --name artifactory \ + --set artifactory.primary.javaOpts.jmx.enabled=true \ + --set artifactory.node.javaOpts.jmx.enabled=true \ + jfrog/artifactory-ha +``` +This will enable access to Artifactory with JMX on the default port (9010). +** You have the option to change the port by setting ```artifactory.primary.javaOpts.jmx.port``` and ```artifactory.node.javaOpts.jmx.port``` +to your choice of port + +In order to connect to Artifactory using JMX with jconsole (or any similar tool) installed on your computer, follow the following steps: +1. Enable JMX as described above and Change the Artifactory service to be of type LoadBalancer: +```bash +helm install --name artifactory \ + --set artifactory.primary.javaOpts.jmx.enabled=true \ + --set artifactory.node.javaOpts.jmx.enabled=true \ + --set artifactory.service.type=LoadBalancer \ + jfrog/artifactory-ha +``` +2. The default setting for java.rmi.server.hostname is the service name (this is also configurable with +```artifactory.primary.javaOpts.jmx.host``` and ```artifactory.node.javaOpts.jmx.host```), So in order to connect to Artifactory +with jconsole you should map the Artifactory kuberentes service IP to the service name using your hosts file as such: +``` + artifactory-ha--primary + +``` +3. Launch jconsole with the service address and port: +```bash +jconsole artifactory-ha--primary: +jconsole : +``` + +### Access creds. bootstraping +**IMPORTANT:** Bootsrapping access creds. will allow access for the user access-admin from certain IP's. + +* User guide to [bootstrap Artifactory Access credentials](https://www.jfrog.com/confluence/display/ACC/Configuring+Access) + +1. Create `access-creds-values.yaml` and provide the IP (By default 127.0.0.1) and password: +```yaml +artifactory: + accessAdmin: + ip: "" #Example: "*" + password: "" +``` + +2. Apply the `access-creds-values.yaml` file: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f access-creds-values.yaml +``` + +### Bootstrapping Artifactory +**IMPORTANT:** Bootstrapping Artifactory needs license. Pass license as shown in above section. + +* User guide to [bootstrap Artifactory Global Configuration](https://www.jfrog.com/confluence/display/RTF/Configuration+Files#ConfigurationFiles-BootstrappingtheGlobalConfiguration) +* User guide to [bootstrap Artifactory Security Configuration](https://www.jfrog.com/confluence/display/RTF/Configuration+Files#ConfigurationFiles-BootstrappingtheSecurityConfiguration) + +1. Create `bootstrap-config.yaml` with artifactory.config.import.xml and security.import.xml as shown below: +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: my-release-bootstrap-config +data: + artifactory.config.import.xml: | + + security.import.xml: | + +``` + +2. Create configMap in Kubernetes: +```bash +kubectl apply -f bootstrap-config.yaml +``` +3. Pass the configMap to helm +```bash +helm install --name artifactory-ha --set artifactory.license.secret=artifactory-cluster-license,artifactory.license.dataKey=art.lic,artifactory.configMapName=my-release-bootstrap-config jfrog/artifactory-ha +``` + +### Use custom nginx.conf with Nginx + +Steps to create configMap with nginx.conf +* Create `nginx.conf` file. +```bash +kubectl create configmap nginx-config --from-file=nginx.conf +``` +* Pass configMap to helm install +```bash +helm install --name artifactory-ha --set nginx.customConfigMap=nginx-config jfrog/artifactory-ha +``` + +### Scaling your Artifactory cluster +A key feature in Artifactory HA is the ability to set an initial cluster size with `--set artifactory.node.replicaCount=${CLUSTER_SIZE}` and if needed, resize it. + +##### Before scaling +**IMPORTANT:** When scaling, you need to explicitly pass the database password if it's an auto generated one (this is the default with the enclosed PostgreSQL helm chart). + +Get the current database password +```bash +export DB_PASSWORD=$(kubectl get $(kubectl get secret -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) +``` +Use `--set postgresql.postgresqlPassword=${DB_PASSWORD}` with every scale action to prevent a miss configured cluster! + +##### Scale up +Let's assume you have a cluster with **2** member nodes, and you want to scale up to **3** member nodes (a total of 4 nodes). +```bash +# Scale to 4 nodes (1 primary and 3 member nodes) +helm upgrade --install artifactory-ha --set artifactory.node.replicaCount=3 --set postgresql.postgresqlPassword=${DB_PASSWORD} jfrog/artifactory-ha +``` + +##### Scale down +Let's assume you have a cluster with **3** member nodes, and you want to scale down to **2** member node. + +```bash +# Scale down to 2 member nodes +helm upgrade --install artifactory-ha --set artifactory.node.replicaCount=2 --set postgresql.postgresqlPassword=${DB_PASSWORD} jfrog/artifactory-ha +``` +- **NOTE:** Since Artifactory is running as a Kubernetes Stateful Set, the removal of the node will **not** remove the persistent volume. You need to explicitly remove it +```bash +# List PVCs +kubectl get pvc + +# Remove the PVC with highest ordinal! +# In this example, the highest node ordinal was 2, so need to remove its storage. +kubectl delete pvc volume-artifactory-node-2 +``` + +### Use an external Database + +#### PostgreSQL +There are cases where you will want to use external PostgreSQL with a different database name e.g. `my-artifactory-db`, then you need set a custom PostgreSQL connection URL, where `my-artifactory-db` is the database name. + +This can be done with the following parameters +```bash +... +--set postgresql.enabled=false \ +--set database.type=postgresql \ +--set database.driver=org.postgresql.Driver \ +--set database.url='jdbc:postgresql://${DB_HOST}:${DB_PORT}/my-artifactory-db' \ +--set database.user=${DB_USER} \ +--set database.password=${DB_PASSWORD} \ +... +``` +**NOTE:** You must set `postgresql.enabled=false` in order for the chart to use the `database.*` parameters. Without it, they will be ignored! + +#### Other DB type +There are cases where you will want to use a different database and not the enclosed **PostgreSQL**. +See more details on [configuring the database](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Database) +> The official Artifactory Docker images include the PostgreSQL database driver. +> For other database types, you will have to add the relevant database driver to Artifactory's tomcat/lib + +This can be done with the following parameters +```bash +# Make sure your Artifactory Docker image has the MySQL database driver in it +... +--set postgresql.enabled=false \ +--set artifactory.preStartCommand="wget -O /opt/jfrog/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" \ +--set database.type=mysql \ +--set database.driver=com.mysql.jdbc.Driver \ +--set database.url=${DB_URL} \ +--set database.user=${DB_USER} \ +--set database.password=${DB_PASSWORD} \ +... +``` +**NOTE:** You must set `postgresql.enabled=false` in order for the chart to use the `database.*` parameters. Without it, they will be ignored! + +#### Using pre-existing Kubernetes Secret +If you store your database credentials in a pre-existing Kubernetes `Secret`, you can specify them via `database.secrets` instead of `database.user` and `database.password`: +```bash +# Create a secret containing the database credentials +kubectl create secret generic my-secret --from-literal=user=${DB_USER} --from-literal=password=${DB_PASSWORD} +... +--set postgresql.enabled=false \ +--set database.secrets.user.name=my-secret \ +--set database.secrets.user.key=user \ +--set database.secrets.password.name=my-secret \ +--set database.secrets.password.key=password \ +... +``` + +### Deleting Artifactory +To delete the Artifactory HA cluster +```bash +helm delete --purge artifactory-ha +``` +This will completely delete your Artifactory HA cluster. +**NOTE:** Since Artifactory is running as Kubernetes Stateful Sets, the removal of the helm release will **not** remove the persistent volumes. You need to explicitly remove them +```bash +kubectl delete pvc -l release=artifactory-ha +``` +See more details in the official [Kubernetes Stateful Set removal page](https://kubernetes.io/docs/tasks/run-application/delete-stateful-set/) + +### Custom Docker registry for your images +If you need to pull your Docker images from a private registry (for example, when you have a custom image with a MySQL database driver), you need to create a +[Kubernetes Docker registry secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) and pass it to helm +```bash +# Create a Docker registry secret called 'regsecret' +kubectl create secret docker-registry regsecret --docker-server=${DOCKER_REGISTRY} --docker-username=${DOCKER_USER} --docker-password=${DOCKER_PASS} --docker-email=${DOCKER_EMAIL} +``` +Once created, you pass it to `helm` +```bash +helm install --name artifactory-ha --set imagePullSecrets=regsecret jfrog/artifactory-ha +``` + +### Logger sidecars +This chart provides the option to add sidecars to tail various logs from Artifactory. See the available values in [values.yaml](values.yaml) + +Get list of containers in the pod +```bash +kubectl get pods -n -o jsonpath='{.spec.containers[*].name}' | tr ' ' '\n' +``` + +View specific log +```bash +kubectl logs -n -c +``` + + +### Custom init containers +There are cases where a special, unsupported init processes is needed like checking something on the file system or testing something before spinning up the main container. + +For this, there is a section for writing custom init containers before and after the predefined init containers in the [values.yaml](values.yaml) . By default it's commented out +```yaml +artifactory: + ## Add custom init containers executed before predefined init containers + customInitContainersBegin: | + ## Init containers template goes here ## + ## Add custom init containers executed after predefined init containers + customInitContainers: | + ## Init containers template goes here ## +``` + +### Custom sidecar containers +There are cases where an extra sidecar container is needed. For example monitoring agents or log collection. + +For this, there is a section for writing a custom sidecar container in the [values.yaml](values.yaml). By default it's commented out +```yaml +artifactory: + ## Add custom sidecar containers + customSidecarContainers: | + ## Sidecar containers template goes here ## +``` + +You can configure the sidecar to run as a custom user if needed by setting the following in the container template +```yaml + # Example of running container as root (id 0) + securityContext: + runAsUser: 0 + fsGroup: 0 +``` + +### Custom volumes +If you need to use a custom volume in a custom init or sidecar container, you can use this option. + +For this, there is a section for defining custom volumes in the [values.yaml](values.yaml). By default it's commented out +```yaml +artifactory: + ## Add custom volumes + customVolumes: | + ## Custom volume comes here ## +``` + +### Add Artifactory User Plugin during installation +If you need to add [Artifactory User Plugin](https://github.com/jfrog/artifactory-user-plugins), you can use this option. + +Create a secret with [Artifactory User Plugin](https://github.com/jfrog/artifactory-user-plugins) by following command: +```bash +# Secret with single user plugin +kubectl create secret generic archive-old-artifacts --from-file=archiveOldArtifacts.groovy --namespace=artifactory-ha + +# Secret with single user plugin with configuration file +kubectl create secret generic webhook --from-file=webhook.groovy --from-file=webhook.config.json.sample --namespace=artifactory-ha +``` + +Add plugin secret names to `plugins.yaml` as following: +```yaml +artifactory: + userPluginSecrets: + - archive-old-artifacts + - webhook +``` + +You can now pass the created `plugins.yaml` file to helm install command to deploy Artifactory with user plugins as follows: +```bash +helm install --name artifactory-ha -f plugins.yaml jfrog/artifactory-ha +``` + +Alternatively, you may be in a situation in which you would like to create a secret in a Helm chart that depends on this chart. In this scenario, the name of the secret is likely dynamically generated via template functions, so passing a statically named secret isn't possible. In this case, the chart supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function - simply pass the raw string containing the templating language used to name your secret as a value instead by adding the following to your chart's `values.yaml` file: +```yaml +artifactory-ha: # Name of the artifactory-ha dependency + artifactory: + userPluginSecrets: + - '{{ template "my-chart.fullname" . }}' +``` +NOTE: By defining userPluginSecrets, this overrides any pre-defined plugins from the container image that are stored in /tmp/plugins. At this time [artifactory-pro:6.9.0](https://bintray.com/jfrog/artifactory-pro) is distributed with `internalUser.groovy` plugin. If you need this plugin in addition to your user plugins, you should include these additional plugins as part of your userPluginSecrets. + +### Provide custom configMaps to Artifactory +If you want to mount a custom file to Artifactory, either an init shell script or a custom configuration file (such as `logback.xml`), you can use this option. + +Create a `configmaps.yaml` file with the following content: +```yaml +artifactory: + configMaps: | + logback.xml: | + + + + + %date [%-5level] \(%-20c{3}:%L\) %message%n + + + + + + + + + + + + + + + my-custom-post-start-hook.sh: | + echo "This is my custom post start hook" + + customVolumeMounts: | + - name: artifactory-configmaps + mountPath: /tmp/my-config-map + + postStartCommand: | + chmod +x /tmp/my-config-map/my-custom-post-start-hook.sh; + /tmp/my-config-map/my-custom-post-start-hook.sh; + + copyOnEveryStartup: + - source: /tmp/my-config-map/logback.xml + target: etc/ + +``` + +and use it with you helm install/upgrade: +```bash +helm install --name artifactory-ha -f configmaps.yaml jfrog/artifactory-ha +``` + +This will, in turn: +* create a configMap with the files you specified above +* create a volume pointing to the configMap with the name `artifactory-configmaps` +* Mount said configMap onto `/tmp/my-config-map` using a `customVolumeMounts` +* Set the shell script we mounted as the `postStartCommand` +* Copy the `logback.xml` file to its proper location in the `$ARTIFACTORY_HOME/etc` directory. + + +### Artifactory filebeat +If you want to collect logs from your Artifactory installation and send them to a central log collection solution like ELK, you can use this option. + +Create a `filebeat.yaml` values file with the following content: +```yaml +filebeat: + enabled: true + logstashUrl: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" +``` + +You can optionally customize the `filebeat.yaml` to send output to a different location like so: +```yaml +filebeat: + enabled: true + filebeatYml: | + +``` + +and use it with you helm install/upgrade: +```bash +helm install --name artifactory -f filebeat.yaml jfrog/artifactory +``` + +This will start sending your Artifactory logs to the log aggregator of your choice, based on your configuration in the `filebeatYml` + +## Configuration +The following table lists the configurable parameters of the artifactory chart and their default values. + +| Parameter | Description | Default | +|------------------------------|-----------------------------------|-------------------------------------------------------| +| `imagePullSecrets` | Docker registry pull secret | | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template | +| `serviceAccount.annotations` | Artifactory service account annotations | `` | +| `rbac.create` | Specifies whether RBAC resources should be created | `true` | +| `rbac.role.rules` | Rules to create | `[]` | +| `logger.image.repository` | repository for logger image | `busybox` | +| `logger.image.tag` | tag for logger image | `1.30` | +| `artifactory.name` | Artifactory name | `artifactory` | +| `artifactory.image.pullPolicy` | Container pull policy | `IfNotPresent` | +| `artifactory.image.repository` | Container image | `docker.bintray.io/jfrog/artifactory-pro` | +| `artifactory.image.version` | Container image tag | `.Chart.AppVersion` | +| `artifactory.priorityClass.create` | Create a PriorityClass object | `false` | +| `artifactory.priorityClass.value` | Priority Class value | `1000000000` | +| `artifactory.priorityClass.name` | Priority Class name | `{{ template "artifactory-ha.fullname" . }}` | +| `artifactory.priorityClass.existingPriorityClass` | Use existing priority class | `` | +| `artifactory.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` | +| `artifactory.catalinaLoggers` | Artifactory Tomcat loggers (see values.yaml for possible values) | `[]` | +| `artifactory.customInitContainersBegin`| Custom init containers to run before existing init containers | | +| `artifactory.customInitContainers`| Custom init containers to run after existing init containers | | +| `artifactory.customSidecarContainers`| Custom sidecar containers | | +| `artifactory.customVolumes` | Custom volumes | | +| `artifactory.customVolumeMounts` | Custom Artifactory volumeMounts | | +| `artifactory.customPersistentPodVolumeClaim` | Custom PVC spec to create and attach a unique PVC for each pod on startup with the volumeClaimTemplates feature in StatefulSet | | +| `artifactory.customPersistentVolumeClaim` | Custom PVC spec to be mounted to the all artifactory containers using a volume | | +| `artifactory.userPluginSecrets` | Array of secret names for Artifactory user plugins | | +| `artifactory.masterKey` | Artifactory master key. A 128-Bit key size (hexadecimal encoded) string (32 hex characters). Can be generated with `openssl rand -hex 16`. NOTE: This key can be generated only once and cannot be updated once created |`FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF`| +| `artifactory.masterKeySecretName` | Artifactory Master Key secret name | | +| `artifactory.joinKey` | Join Key to connect other services to Artifactory. Can be generated with `openssl rand -hex 16` | `EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE` | +| `artifactory.accessAdmin.ip` | Artifactory access-admin ip to be set upon startup, can use (*) for 0.0.0.0| 127.0.0.1 | +| `artifactory.accessAdmin.password` | Artifactory access-admin password to be set upon startup| | +| `artifactory.accessAdmin.secret` | Artifactory access-admin secret name | | +| `artifactory.accessAdmin.dataKey` | Artifactory access-admin secret data key | | +| `artifactory.preStartCommand` | Command to run before entrypoint starts | | +| `artifactory.postStartCommand` | Command to run after container starts | | +| `artifactory.license.licenseKey` | Artifactory license key. Providing the license key as a parameter will cause a secret containing the license key to be created as part of the release. Use either this setting or the license.secret and license.dataKey. If you use both, the latter will be used. | | +| `artifactory.configMaps` | configMaps to be created as volume by the name `artifactory-configmaps`. In order to use these configMaps, you will need to add `customVolumeMounts` to point to the created volume and mount it onto a container | | +| `artifactory.license.secret` | Artifactory license secret name | | +| `artifactory.license.dataKey`| Artifactory license secret data key | | +| `artifactory.service.name` | Artifactory service name to be set in Nginx configuration | `artifactory` | +| `artifactory.service.type` | Artifactory service type | `ClusterIP` | +| `artifactory.service.clusterIP`| Specific cluster IP or `None` for headless services | `nil` | +| `artifactory.service.loadBalancerSourceRanges`| Artifactory service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | +| `artifactory.service.annotations` | Artifactory service annotations | `{}` | +| `artifactory.service.pool` | Artifactory instances to be in the load balancing pool. `members` or `all` | `members` | +| `artifactory.externalPort` | Artifactory service external port | `8082` | +| `artifactory.internalPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8082` | +| `artifactory.internalArtifactoryPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8081` | +| `artifactory.externalArtifactoryPort` | Artifactory service external port | `8081` | +| `artifactory.extraEnvironmentVariables` | Extra environment variables to pass to Artifactory. Supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function. See [documentation](https://www.jfrog.com/confluence/display/RTF/Installing+with+Docker#InstallingwithDocker-SupportedEnvironmentVariables) | | +| `artifactory.livenessProbe.enabled` | Enable liveness probe | `true` | +| `artifactory.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` | +| `artifactory.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | +| `artifactory.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `artifactory.livenessProbe.timeoutSeconds` | When the probe times out | 10 | +| `artifactory.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `artifactory.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `artifactory.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `artifactory.readinessProbe.path` | readiness probe HTTP Get path | `/router/api/v1/system/health` | +| `artifactory.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 | +| `artifactory.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `artifactory.readinessProbe.timeoutSeconds` | When the probe times out | 10 | +| `artifactory.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `artifactory.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `artifactory.copyOnEveryStartup` | List of files to copy on startup from source (which is absolute) to target (which is relative to ARTIFACTORY_HOME | | +| `artifactory.deleteDBPropertiesOnStartup` | Whether to delete the ARTIFACTORY_HOME/etc/db.properties file on startup. Disabling this will remove the ability for the db.properties to be updated with any DB-related environment variables change (e.g. DB_HOST, DB_URL) | `true` | +| `artifactory.database.maxOpenConnections` | Maximum amount of open connections from Artifactory to the DB | `80` | +| `artifactory.haDataDir.enabled` | Enable haDataDir for eventual storage in the HA cluster | `false` | +| `artifactory.haDataDir.path` | Path to the directory intended for use with NFS eventual configuration for HA | | +| `artifactory.persistence.mountPath` | Artifactory persistence volume mount path | `"/var/opt/jfrog/artifactory"` | +| `artifactory.persistence.enabled` | Artifactory persistence volume enabled | `true` | +| `artifactory.persistence.accessMode` | Artifactory persistence volume access mode | `ReadWriteOnce` | +| `artifactory.persistence.size` | Artifactory persistence or local volume size | `200Gi` | +| `artifactory.persistence.binarystore.enabled` | whether you want to mount the binarystore.xml file from a secret created by the chart. If `false` you will need need to get the binarystore.xml file into the file-system from either an `initContainer` or using a `preStartCommand` | `true` | +| `artifactory.persistence.binarystoreXml` | Artifactory binarystore.xml template | See `values.yaml` | +| `artifactory.persistence.customBinarystoreXmlSecret` | A custom Secret for binarystore.xml | `` | +| `artifactory.persistence.maxCacheSize` | Artifactory cache-fs provider maxCacheSize in bytes | `50000000000` | +| `artifactory.persistence.cacheProviderDir` | the root folder of binaries for the filestore cache. If the value specified starts with a forward slash ("/") it is considered the fully qualified path to the filestore folder. Otherwise, it is considered relative to the *baseDataDir*. | `cache` | +| `artifactory.persistence.type` | Artifactory HA storage type | `file-system` | +| `artifactory.persistence.redundancy` | Artifactory HA storage redundancy | `3` | +| `artifactory.persistence.nfs.ip` | NFS server IP | | +| `artifactory.persistence.nfs.haDataMount` | NFS data directory | `/data` | +| `artifactory.persistence.nfs.haBackupMount` | NFS backup directory | `/backup` | +| `artifactory.persistence.nfs.dataDir` | HA data directory | `/var/opt/jfrog/artifactory-ha` | +| `artifactory.persistence.nfs.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` | +| `artifactory.persistence.nfs.capacity` | NFS PVC size | `200Gi` | +| `artifactory.persistence.nfs.mountOptions` | NFS mount options | `[]` | +| `artifactory.persistence.eventual.numberOfThreads` | Eventual number of threads | `10` | +| `artifactory.persistence.googleStorage.endpoint` | Google Storage API endpoint| `storage.googleapis.com` | +| `artifactory.persistence.googleStorage.httpsOnly` | Google Storage API has to be consumed https only| `false` | +| `artifactory.persistence.googleStorage.bucketName` | Google Storage bucket name | `artifactory-ha` | +| `artifactory.persistence.googleStorage.identity` | Google Storage service account id | | +| `artifactory.persistence.googleStorage.credential` | Google Storage service account key | | +| `artifactory.persistence.googleStorage.path` | Google Storage path in bucket | `artifactory-ha/filestore` | +| `artifactory.persistence.googleStorage.bucketExists`| Google Storage bucket exists therefore does not need to be created.| `false` | +| `artifactory.persistence.awsS3.bucketName` | AWS S3 bucket name | `artifactory-ha` | +| `artifactory.persistence.awsS3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | +| `artifactory.persistence.awsS3.region` | AWS S3 bucket region | | +| `artifactory.persistence.awsS3.roleName` | AWS S3 IAM role name | | +| `artifactory.persistence.awsS3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | +| `artifactory.persistence.awsS3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | +| `artifactory.persistence.awsS3.properties` | AWS S3 additional properties | | +| `artifactory.persistence.awsS3.path` | AWS S3 path in bucket | `artifactory-ha/filestore` | +| `artifactory.persistence.awsS3.refreshCredentials` | AWS S3 renew credentials on expiration | `true` (When roleName is used, this parameter will be set to true) | +| `artifactory.persistence.awsS3.httpsOnly` | AWS S3 https access to the bucket only | `true` | +| `artifactory.persistence.awsS3.testConnection` | AWS S3 test connection on start up | `false` | +| `artifactory.persistence.awsS3.s3AwsVersion` | AWS S3 signature version | `AWS4-HMAC-SHA256` | +| `artifactory.persistence.awsS3V3.testConnection` | AWS S3 test connection on start up | `false` | +| `artifactory.persistence.awsS3V3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | +| `artifactory.persistence.awsS3V3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | +| `artifactory.persistence.awsS3V3.region` | AWS S3 bucket region | | +| `artifactory.persistence.awsS3V3.bucketName` | AWS S3 bucket name | `artifactory-aws` | +| `artifactory.persistence.awsS3V3.path` | AWS S3 path in bucket | `artifactory/filestore` | +| `artifactory.persistence.awsS3V3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | +| `artifactory.persistence.awsS3V3.kmsServerSideEncryptionKeyId` | AWS S3 encryption key ID or alias | | +| `artifactory.persistence.awsS3V3.kmsKeyRegion` | AWS S3 KMS Key region | | +| `artifactory.persistence.awsS3V3.kmsCryptoMode` | AWS S3 KMS encryption mode | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate | +| `artifactory.persistence.awsS3V3.useInstanceCredentials` | AWS S3 Use default authentication mechanism | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-authentication | +| `artifactory.persistence.awsS3V3.usePresigning` | AWS S3 Use URL signing | `false` | +| `artifactory.persistence.awsS3V3.signatureExpirySeconds` | AWS S3 Validity period in seconds for signed URLs | `300` | +| `artifactory.persistence.awsS3V3.cloudFrontDomainName` | AWS CloudFront domain name | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| +| `artifactory.persistence.awsS3V3.cloudFrontKeyPairId` | AWS CloudFront key pair ID | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| +| `artifactory.persistence.awsS3V3.cloudFrontPrivateKey` | AWS CloudFront private key | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| +| `artifactory.persistence.azureBlob.accountName` | Azure Blob Storage account name | `` | +| `artifactory.persistence.azureBlob.accountKey` | Azure Blob Storage account key | `` | +| `artifactory.persistence.azureBlob.endpoint` | Azure Blob Storage endpoint | `` | +| `artifactory.persistence.azureBlob.containerName` | Azure Blob Storage container name | `` | +| `artifactory.persistence.azureBlob.testConnection` | Azure Blob Storage test connection | `false` | +| `artifactory.persistence.fileSystem.existingSharedClaim` | Enable using an existing shared pvc | `false` | +| `artifactory.persistence.fileStorage.dataDir` | HA data directory | `/var/opt/jfrog/artifactory/artifactory-data` | +| `artifactory.persistence.fileStorage.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` | +| `artifactory.javaOpts.other` | Artifactory additional java options (for all nodes) | | +| `artifactory.primary.labels` | Artifactory primary node labels | `{}` | +| `artifactory.primary.resources.requests.memory` | Artifactory primary node initial memory request | | +| `artifactory.primary.resources.requests.cpu` | Artifactory primary node initial cpu request | | +| `artifactory.primary.resources.limits.memory` | Artifactory primary node memory limit | | +| `artifactory.primary.resources.limits.cpu` | Artifactory primary node cpu limit | | +| `artifactory.primary.javaOpts.xms` | Artifactory primary node java Xms size | | +| `artifactory.primary.javaOpts.xmx` | Artifactory primary node java Xms size | | +| `artifactory.primary.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the primary node - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` | +| `artifactory.primary.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` | +| `artifactory.primary.javaOpts.jmx.port` | JMX Port number | `9010` | +| `artifactory.primary.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.primary.name" $ }}` | +| `artifactory.primary.javaOpts.jmx.ssl` | Enable SSL | `false` | +| `artifactory.primary.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` | +| `artifactory.primary.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | | +| `artifactory.primary.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | | +| `artifactory.primary.javaOpts.other` | Artifactory primary node additional java options | | +| `artifactory.primary.persistence.existingClaim` | Whether to use an existing pvc for the primary node | `false` | +| `artifactory.node.labels` | Artifactory member node labels | `{}` | +| `artifactory.node.replicaCount` | Artifactory member node replica count | `2` | +| `artifactory.node.minAvailable` | Artifactory member node min available count | `1` | +| `artifactory.node.resources.requests.memory` | Artifactory member node initial memory request | | +| `artifactory.node.resources.requests.cpu` | Artifactory member node initial cpu request | | +| `artifactory.node.resources.limits.memory` | Artifactory member node memory limit | | +| `artifactory.node.resources.limits.cpu` | Artifactory member node cpu limit | | +| `artifactory.node.javaOpts.xms` | Artifactory member node java Xms size | | +| `artifactory.node.javaOpts.xmx` | Artifactory member node java Xms size | | +| `artifactory.node.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the member nodes - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` | +| `artifactory.node.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` | +| `artifactory.node.javaOpts.jmx.port` | JMX Port number | `9010` | +| `artifactory.node.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.fullname" $ }}` | +| `artifactory.node.javaOpts.jmx.ssl` | Enable SSL | `false` | +| `artifactory.node.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` | +| `artifactory.node.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | | +| `artifactory.node.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | | +| `artifactory.node.javaOpts.other` | Artifactory member node additional java options | | +| `artifactory.node.persistence.existingClaim` | Whether to use existing PVCs for the member nodes | `false` | +| `artifactory.node.waitForPrimaryStartup.enabled` | Whether to wait for the primary node to start before starting up the member nodes | `false` | +| `artifactory.node.waitForPrimaryStartup.time` | The amount of time to wait for the primary node to start before starting up the member nodes | `60` | +| `artifactory.systemYaml` | Artifactory system configuration (`system.yaml`) as described here - https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML | `see values.yaml` | +| `access.database.maxOpenConnections` | Maximum amount of open connections from Access to the DB | `80` | +| `initContainers.resources.requests.memory` | Init containers initial memory request | | +| `initContainers.resources.requests.cpu` | Init containers initial cpu request | | +| `initContainers.resources.limits.memory` | Init containers memory limit | | +| `initContainers.resources.limits.cpu` | Init containers cpu limit | | +| `ingress.enabled` | If true, Artifactory Ingress will be created | `false` | +| `ingress.annotations` | Artifactory Ingress annotations | `{}` | +| `ingress.labels` | Artifactory Ingress labels | `{}` | +| `ingress.hosts` | Artifactory Ingress hostnames | `[]` | +| `ingress.routerPath` | Router Ingress path | `/` | +| `ingress.artifactoryPath` | Artifactory Ingress path | `/artifactory` | +| `ingress.tls` | Artifactory Ingress TLS configuration (YAML) | `[]` | +| `ingress.defaultBackend.enabled` | If true, the default `backend` will be added using serviceName and servicePort | `true` | +| `ingress.annotations` | Ingress annotations, which are written out if annotations section exists in values. Everything inside of the annotations section will appear verbatim inside the resulting manifest. See `Ingress annotations` section below for examples of how to leverage the annotations, specifically for how to enable docker authentication. | | +| `ingress.additionalRules` | Ingress additional rules to be added to the Artifactory ingress. | `[]` | +| `nginx.enabled` | Deploy nginx server | `true` | +| `nginx.name` | Nginx name | `nginx` | +| `nginx.replicaCount` | Nginx replica count | `1` | +| `nginx.uid` | Nginx User Id | `104` | +| `nginx.gid` | Nginx Group Id | `107` | +| `nginx.image.repository` | Container image | `docker.bintray.io/jfrog/nginx-artifactory-pro` | +| `nginx.image.version` | Container version | `.Chart.AppVersion` | +| `nginx.image.pullPolicy` | Container pull policy | `IfNotPresent` | +| `nginx.labels` | Nginx deployment labels | `{}` | +| `nginx.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` | +| `nginx.mainConf` | Content of the Artifactory nginx main nginx.conf config file | `see values.yaml` | +| `nginx.artifactoryConf` | Content of Artifactory nginx artifactory.conf config file | `see values.yaml` | +| `nginx.service.type` | Nginx service type | `LoadBalancer` | +| `nginx.service.clusterIP` | Specific cluster IP or `None` for headless services | `nil` | +| `nginx.service.loadBalancerSourceRanges`| Nginx service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | +| `nginx.service.labels` | Nginx service labels | `{}` | +| `nginx.service.annotations` | Nginx service annotations | `{}` | +| `nginx.service.externalTrafficPolicy`| Nginx service desires to route external traffic to node-local or cluster-wide endpoints. | `Cluster` | +| `nginx.loadBalancerIP`| Provide Static IP to configure with Nginx | | +| `nginx.http.enabled` | Nginx http service enabled/disabled | true | +| `nginx.http.externalPort` | Nginx service external port | `80` | +| `nginx.http.internalPort` | Nginx service internal port | `80` | +| `nginx.https.enabled` | Nginx http service enabled/disabled | true | +| `nginx.https.externalPort` | Nginx service external port | `443` | +| `nginx.https.internalPort` | Nginx service internal port | `443` | +| `nginx.externalPortHttp` | DEPRECATED: Nginx service external port | `80` | +| `nginx.internalPortHttp` | DEPRECATED: Nginx service internal port | `80` | +| `nginx.externalPortHttps` | DEPRECATED: Nginx service external port | `443` | +| `nginx.internalPortHttps` | DEPRECATED: Nginx service internal port | `443` | +| `nginx.livenessProbe.enabled` | would you like a liveness Probe to be enabled | `true` | +| `nginx.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` | +| `nginx.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 100 | +| `nginx.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `nginx.livenessProbe.timeoutSeconds` | When the probe times out | 10 | +| `nginx.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `nginx.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `nginx.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `nginx.readinessProbe.path` | Readiness probe HTTP Get path | `/router/api/v1/system/health` | +| `nginx.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 | +| `nginx.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `nginx.readinessProbe.timeoutSeconds` | When the probe times out | 10 | +| `nginx.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `nginx.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `nginx.tlsSecretName` | SSL secret that will be used by the Nginx pod | | +| `nginx.customConfigMap` | Nginx CustomeConfigMap name for `nginx.conf` | ` ` | +| `nginx.customArtifactoryConfigMap`| Nginx CustomeConfigMap name for `artifactory-ha.conf` | ` ` | +| `nginx.resources.requests.memory` | Nginx initial memory request | `250Mi` | +| `nginx.resources.requests.cpu` | Nginx initial cpu request | `100m` | +| `nginx.resources.limits.memory` | Nginx memory limit | `250Mi` | +| `nginx.resources.limits.cpu` | Nginx cpu limit | `500m` | +| `nginx.persistence.mountPath` | Nginx persistence volume mount path | `"/var/opt/jfrog/nginx"` | +| `nginx.persistence.enabled` | Nginx persistence volume enabled. This is only available when the nginx.replicaCount is set to 1 | `false` | +| `nginx.persistence.accessMode` | Nginx persistence volume access mode | `ReadWriteOnce` | +| `nginx.persistence.size` | Nginx persistence volume size | `5Gi` | +| `waitForDatabase` | Wait for database (using wait-for-db init container) | `true` | +| `postgresql.enabled` | Use enclosed PostgreSQL as database | `true` | +| `postgresql.imageTag` | PostgreSQL version | `9.6.11` | +| `postgresql.postgresqlDatabase` | PostgreSQL database name | `artifactory` | +| `postgresql.postgresqlUsername` | PostgreSQL database user | `artifactory` | +| `postgresql.postgresqlPassword` | PostgreSQL database password | | +| `postgresql.persistence.enabled` | PostgreSQL use persistent storage | `true` | +| `postgresql.persistence.size` | PostgreSQL persistent storage size | `50Gi` | +| `postgresql.service.port` | PostgreSQL database port | `5432` | +| `postgresql.resources.requests.memory` | PostgreSQL initial memory request | | +| `postgresql.resources.requests.cpu` | PostgreSQL initial cpu request | | +| `postgresql.resources.limits.memory` | PostgreSQL memory limit | | +| `postgresql.resources.limits.cpu` | PostgreSQL cpu limit | | +| `database.type` | External database type (`postgresql`, `mysql`, `oracle` or `mssql`) | | +| `database.driver` | External database driver e.g. `org.postgresql.Driver` | | +| `database.url` | External database connection URL | | +| `database.user` | External database username | | +| `database.password` | External database password | | +| `database.secrets.user.name` | External database username `Secret` name | | +| `database.secrets.user.key` | External database username `Secret` key | | +| `database.secrets.password.name` | External database password `Secret` name | | +| `database.secrets.password.key` | External database password `Secret` key | | +| `database.secrets.url.name ` | External database url `Secret` name | | +| `database.secrets.url.key` | External database url `Secret` key | | +| `networkpolicy.name` | Becomes part of the NetworkPolicy object name | `artifactory` | +| `networkpolicy.podselector` | Contains the YAML that specifies how to match pods. Usually using matchLabels. | | +| `networkpolicy.ingress` | YAML snippet containing to & from rules applied to incoming traffic | `- {}` (open to all inbound traffic) | +| `networkpolicy.egress` | YAML snippet containing to & from rules applied to outgoing traffic | `- {}` (open to all outbound traffic) | +| `filebeat.enabled` | Enable a filebeat container to send your logs to a log management solution like ELK | `false` | +| `filebeat.name` | filebeat container name | `artifactory-filebeat` | +| `filebeat.image.repository` | filebeat Docker image repository | `docker.elastic.co/beats/filebeat` | +| `filebeat.image.version` | filebeat Docker image version | `7.5.1` | +| `filebeat.logstashUrl` | The URL to the central Logstash service, if you have one | `logstash:5044` | +| `filebeat.livenessProbe.exec.command` | liveness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) | +| `filebeat.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `filebeat.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | +| `filebeat.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `filebeat.readinessProbe.exec.command` | readiness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) | +| `filebeat.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `filebeat.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 180 | +| `filebeat.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `filebeat.resources.requests.memory` | Filebeat initial memory request | | +| `filebeat.resources.requests.cpu` | Filebeat initial cpu request | | +| `filebeat.resources.limits.memory` | Filebeat memory limit | | +| `filebeat.resources.limits.cpu` | Filebeat cpu limit | | +| `filebeat.filebeatYml` | Filebeat yaml configuration file | see [values.yaml](stable/artifactory-ha/values.yaml) | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +### Ingress and TLS +To get Helm to create an ingress object with a hostname, add these two lines to your Helm command: +```bash +helm install --name artifactory-ha \ + --set ingress.enabled=true \ + --set ingress.hosts[0]="artifactory.company.com" \ + --set artifactory.service.type=NodePort \ + --set nginx.enabled=false \ + jfrog/artifactory-ha +``` + +If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [cert-manager](https://github.com/jetstack/cert-manager)), please refer to the documentation for that mechanism. + +To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: + +```bash +kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key +``` + +Include the secret's name, along with the desired hostnames, in the Artifactory Ingress TLS section of your custom `values.yaml` file: + +```yaml + ingress: + ## If true, Artifactory Ingress will be created + ## + enabled: true + + ## Artifactory Ingress hostnames + ## Must be provided if Ingress is enabled + ## + hosts: + - artifactory.domain.com + annotations: + kubernetes.io/tls-acme: "true" + ## Artifactory Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: + - secretName: artifactory-tls + hosts: + - artifactory.domain.com +``` + +### Ingress annotations + +This example specifically enables Artifactory to work as a Docker Registry using the Repository Path method. See [Artifactory as Docker Registry](https://www.jfrog.com/confluence/display/RTF/Getting+Started+with+Artifactory+as+a+Docker+Registry) documentation for more information about this setup. + +```yaml +ingress: + enabled: true + defaultBackend: + enabled: false + hosts: + - myhost.example.com + annotations: + ingress.kubernetes.io/force-ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + ingress.kubernetes.io/proxy-read-timeout: "600" + ingress.kubernetes.io/proxy-send-timeout: "600" + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/configuration-snippet: | + rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token; + rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3; + nginx.ingress.kubernetes.io/proxy-body-size: "0" + tls: + - hosts: + - "myhost.example.com" +``` + +### Ingress additional rules + +You have the option to add additional ingress rules to the Artifactory ingress. An example for this use case can be routing the /xray path to Xray. +In order to do that, simply add the following to a `artifactory-ha-values.yaml` file: +```yaml +ingress: + enabled: true + + defaultBackend: + enabled: false + + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/configuration-snippet: | + rewrite "(?i)/xray(/|$)(.*)" /$2 break; + + additionalRules: | + - host: + http: + paths: + - path: / + backend: + serviceName: + servicePort: + - path: /xray + backend: + serviceName: + servicePort: + - path: /artifactory + backend: + serviceName: {{ template "artifactory.nginx.fullname" . }} + servicePort: {{ .Values.nginx.externalPortHttp }} +``` + +and running: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f artifactory-ha-values.yaml +``` + + + +## Useful links +- https://www.jfrog.com/confluence/display/EP/Getting+Started +- https://www.jfrog.com/confluence/display/RTF/Installing+Artifactory +- https://www.jfrog.com/confluence/ diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/ReverseProxyConfiguration.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/ReverseProxyConfiguration.md new file mode 100755 index 0000000..8515932 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/ReverseProxyConfiguration.md @@ -0,0 +1,140 @@ +# JFrog Artifactory Reverse Proxy Settings using Nginx + +#### Reverse Proxy +* To use Artifactory as docker registry it's mandatory to use Reverse Proxy. +* Artifactory provides a Reverse Proxy Configuration Generator screen in which you can fill in a set of fields to generate +the required configuration snippet which you can then download and install directly in the corresponding directory of your reverse proxy server. +* To learn about configuring NGINX or Apache for reverse proxy refer to documentation provided on [JFrog wiki](https://www.jfrog.com/confluence/display/RTF/Configuring+a+Reverse+Proxy) +* By default Artifactory helm chart uses Nginx for reverse proxy and load balancing. + +**Note**: Nginx image distributed with Artifactory helm chart is custom image managed and maintained by JFrog. + +#### Features of Artifactory Nginx +* Provides default configuration with self signed SSL certificate generated on each helm install/upgrade. +* Persist configuration and SSL certificate in `/var/opt/jfrog/nginx` directory + +#### Changing the default Artifactory nginx conf +Use a values.yaml file for changing the value of nginx.mainConf or nginx.artifactoryConf +These configuration will be mounted to the nginx container using a configmap. +For example: +1. Create a values file `nginx-values.yaml` with the following values: +```yaml +nginx: + artifactoryConf: | + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; + ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + ## server configuration + server { + listen {{ .Values.nginx.internalPortHttps }} ssl; + listen {{ .Values.nginx.internalPortHttp }} ; + ## Change to you DNS name you use to access Artifactory + server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }}; + + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + ## Application specific logs + ## access_log /var/log/nginx/artifactory-access.log timing; + ## error_log /var/log/nginx/artifactory-error.log; + rewrite ^/$ /artifactory/webapp/ redirect; + rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect; + if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; + } + rewrite ^/(v1|v2)/([^/]+)(.*)$ /artifactory/api/docker/$2/$1/$3; + rewrite ^/(v1|v2)/ /artifactory/api/docker/$1/; + chunked_transfer_encoding on; + client_max_body_size 0; + location /artifactory/ { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/$1; + } + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/; + proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + } +``` + +2. Install/upgrade artifactory: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f nginx-values.yaml +``` + + +#### Steps to use static configuration for reverse proxy in nginx. +1. Get Artifactory service name using this command `kubectl get svc -n $NAMESPACE` + +2. Create `artifactory.conf` file with nginx configuration. More [nginx configuration examples](https://github.com/jfrog/artifactory-docker-examples/tree/master/files/nginx/conf.d) + + Following is example `artifactory.conf` + + **Note**: + * Create file with name `artifactory.conf` as it's fixed in configMap key. + * Replace `artifactory-artifactory` with service name taken from step 1. + + ```bash + ## add ssl entries when https has been set in config + ssl_certificate /var/opt/jfrog/nginx/ssl/tls.crt; + ssl_certificate_key /var/opt/jfrog/nginx/ssl/tls.key; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + ## server configuration + server { + listen 443 ssl; + listen 80; + ## Change to you DNS name you use to access Artifactory + server_name ~(?.+)\.artifactory-artifactory artifactory-artifactory; + + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + ## Application specific logs + ## access_log /var/log/nginx/artifactory-access.log timing; + ## error_log /var/log/nginx/artifactory-error.log; + rewrite ^/$ /artifactory/webapp/ redirect; + rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect; + if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; + } + rewrite ^/(v1|v2)/([^/]+)(.*)$ /artifactory/api/docker/$2/$1/$3; + rewrite ^/(v1|v2)/ /artifactory/api/docker/$1/; + chunked_transfer_encoding on; + client_max_body_size 0; + location /artifactory/ { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://artifactory-artifactory:8081/artifactory/$1 break; + } + proxy_pass http://artifactory-artifactory:8081/artifactory/; + proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + } + ``` + +3. Create configMap of `artifactory.conf` created with step above. + ```bash + kubectl create configmap art-nginx-conf --from-file=artifactory.conf + ``` +4. Deploy Artifactory using helm chart. + You can achieve this by providing the name of configMap created above to `nginx.customArtifactoryConfigMap` in [values.yaml](values.yaml) + + Following is command to set values at runtime: + ```bash + helm install --name artifactory-ha nginx.customArtifactoryConfigMap=art-nginx-conf jfrog/artifactory-ha + ``` \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/UPGRADE_NOTES.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/UPGRADE_NOTES.md new file mode 100755 index 0000000..640474f --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/UPGRADE_NOTES.md @@ -0,0 +1,33 @@ +# JFrog Artifactory Chart Upgrade Notes +This file describes special upgrade notes needed at specific versions + +## Upgrade from 0.X to 1.X +**DOWNTIME IS REQUIRED FOR AN UPGRADE!** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you!** +* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is not backward compatible with the old version (`0.9.5`)! +* Note the following **PostgreSQL** Helm chart changes + * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used + * **PostgreSQL** is deployed as a StatefulSet + * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations +* Upgrade + * Due to breaking changes in the **PostgreSQL** Helm chart, a migration of the database is needed from the old to the new database + * The recommended migration process is the [full system export and import](https://www.jfrog.com/confluence/display/RTF/Importing+and+Exporting) + * **NOTE:** To save time, export only metadata and configuration (check `Exclude Content` in the `System Import & Export`) since the Artifactory filestore is persisted + * Upgrade steps: + 1. Block user access to Artifactory (do not shutdown) + a. Scale down the cluster to primary node only (`node.replicaCount=0`) so the exported db and configuration will be kept on one known node (the primary) + b. If your Artifactory HA K8s service is set to member nodes only (`service.pool=members`) you will need to access the primary node directly (use `kubectl port-forward`) + 2. Perform `Export System` from the `Admin` -> `Import & Export` -> `System` -> `Export System` + a. Check `Exclude Content` to save export size (as Artifactory filestore will persist across upgrade) + b. Choose to save the export on the persisted Artifactory volume (`/var/opt/jfrog/artifactory/`) + c. Click `Export` (this can take some time) + 3. Run the `helm upgrade` with the new version. Old PostgreSQL will be removed and new one deployed + a. You must pass explicit "ready for upgrade flag" with `--set databaseUpgradeReady=yes`. Failing to provide this will block the upgrade! + 4. Once ready, open Artifactory UI (you might need to re-enter a valid license). Skip all onboarding wizard steps + a. **NOTE:** Don't worry you can't see the old config and files. It will all restore with the system import in the next step + 5. Perform `Import System` from the `Admin` -> `Import & Export` -> `System` -> `Import System` + a. Browse to where the export was saved Artifactory volume (`/var/opt/jfrog/artifactory/`) + b. Click `Import` (this can take some time) + 6. Restore access to Artifactory + a. Scale the cluster member nodes back to the original size + * Artifactory should now be ready to get back to normal operation diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/.helmignore b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/.helmignore new file mode 100755 index 0000000..a1c17ae --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/.helmignore @@ -0,0 +1,2 @@ +.git +OWNERS \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/Chart.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/Chart.yaml new file mode 100755 index 0000000..4687eb3 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/Chart.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +appVersion: 11.5.0 +description: Chart for PostgreSQL, an object-relational database management system + (ORDBMS) with an emphasis on extensibility and on standards-compliance. +engine: gotpl +home: https://www.postgresql.org/ +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- email: containers@bitnami.com + name: Bitnami +- email: cedric@desaintmartin.fr + name: desaintmartin +name: postgresql +sources: +- https://github.com/bitnami/bitnami-docker-postgresql +version: 7.0.1 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/README.md new file mode 100755 index 0000000..e6621b4 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/README.md @@ -0,0 +1,487 @@ +# PostgreSQL + +[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. + +## TL;DR; + +```console +$ helm install stable/postgresql +``` + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 2.11+ or Helm 3.0-beta3+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart +To install the chart with the release name `my-release`: + +```console +$ helm install --name my-release stable/postgresql +``` + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +The following tables lists the configurable parameters of the PostgreSQL chart and their default values. + +| Parameter | Description | Default | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | +| `global.imageRegistry` | Global Docker Image registry | `nil` | +| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` | +| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` | +| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` | +| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` | +| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` | +| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | +| `image.registry` | PostgreSQL Image registry | `docker.io` | +| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` | +| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `image.debug` | Specify if debug values should be set | `false` | +| `nameOverride` | String to partially override postgresql.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override postgresql.fullname template with a string | `nil` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `stretch` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0` | +| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` | +| `replication.enabled` | Enable replication | `false` | +| `replication.user` | Replication user | `repl_user` | +| `replication.password` | Replication user password | `repl_password` | +| `replication.slaveReplicas` | Number of slaves replicas | `1` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `existingSecret` | Name of existing secret to use for PostgreSQL passwords | `nil` | +| `postgresqlUsername` | PostgreSQL admin user | `postgres` | +| `postgresqlPassword` | PostgreSQL admin password | _random 10 character alphanumeric string_ | +| `postgresqlDatabase` | PostgreSQL database | `nil` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) | +| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` | +| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` | +| `postgresqlConfiguration` | Runtime Config Parameters | `nil` | +| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` | +| `pgHbaConfiguration` | Content of pg\_hba.conf | `nil (do not create pg_hba.conf)` | +| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` | +| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` | +| `initdbScripts` | Dictionary of initdb scripts | `nil` | +| `initdbUsername` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` | +| `initdbPassword` | Password for the user specified in `initdbUsername` | `nil` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` | +| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | PostgreSQL port | `5432` | +| `service.nodePort` | Kubernetes Service nodePort | `nil` | +| `service.annotations` | Annotations for PostgreSQL service, the value is evaluated as a template. | {} | +| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | +| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | [] | +| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | +| `persistence.enabled` | Enable persistence using PVC | `true` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` | +| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` | +| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `persistence.annotations` | Annotations for the PVC | `{}` | +| `master.nodeSelector` | Node labels for pod assignment (postgresql master) | `{}` | +| `master.affinity` | Affinity labels for pod assignment (postgresql master) | `{}` | +| `master.tolerations` | Toleration labels for pod assignment (postgresql master) | `[]` | +| `master.anotations` | Map of annotations to add to the statefulset (postgresql master) | `{}` | +| `master.labels` | Map of labels to add to the statefulset (postgresql master) | `{}` | +| `master.podAnnotations` | Map of annotations to add to the pods (postgresql master) | `{}` | +| `master.podLabels` | Map of labels to add to the pods (postgresql master) | `{}` | +| `master.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql master) | `[]` | +| `master.extraVolumes` | Additional volumes to add to the pods (postgresql master) | `[]` | +| `slave.nodeSelector` | Node labels for pod assignment (postgresql slave) | `{}` | +| `slave.affinity` | Affinity labels for pod assignment (postgresql slave) | `{}` | +| `slave.tolerations` | Toleration labels for pod assignment (postgresql slave) | `[]` | +| `slave.anotations` | Map of annotations to add to the statefulsets (postgresql slave) | `{}` | +| `slave.labels` | Map of labels to add to the statefulsets (postgresql slave) | `{}` | +| `slave.podAnnotations` | Map of annotations to add to the pods (postgresql slave) | `{}` | +| `slave.podLabels` | Map of labels to add to the pods (postgresql slave) | `{}` | +| `slave.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql slave) | `[]` | +| `slave.extraVolumes` | Additional volumes to add to the pods (postgresql slave) | `[]` | +| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` | +| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the container | `1001` | +| `securityContext.runAsUser` | User ID for the container | `1001` | +| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | +| `serviceAcccount.name` | Name of existing service account | `nil` | +| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` | +| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 | +| `readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | +| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | +| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` | +| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | +| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` | +| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` | +| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` | +| `metrics.image.registry` | PostgreSQL Image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Image name | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | +| `metrics.image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | +| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | +| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 | +| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `{}` | +| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install --name my-release \ + --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ + stable/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +$ helm install --name my-release -f values.yaml stable/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Production configuration and horizontal scaling + +This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. + +- Enable replication: +```diff +- replication.enabled: false ++ replication.enabled: true +``` + +- Number of slaves replicas: +```diff +- replication.slaveReplicas: 1 ++ replication.slaveReplicas: 2 +``` + +- Set synchronous commit mode: +```diff +- replication.synchronousCommit: "off" ++ replication.synchronousCommit: "on" +``` + +- Number of replicas that will have synchronous replication: +```diff +- replication.numSynchronousReplicas: 0 ++ replication.numSynchronousReplicas: 1 +``` + +- Start a prometheus exporter: +```diff +- metrics.enabled: false ++ metrics.enabled: true +``` + +To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above. + +### Change PostgreSQL version + +To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=12.0.0-debian-9-r0` + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the whole configuration file. + +Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. + +Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. + +### Allow settings to be loaded from files other than the default `postgresql.conf` + +If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. +Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. + +Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. + +In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +``` + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +``` +postgresql.postgresqlPassword=testtest +subchart1.postgresql.postgresqlPassword=testtest +subchart2.postgresql.postgresqlPassword=testtest +postgresql.postgresqlDatabase=db1 +subchart1.postgresql.postgresqlDatabase=db1 +subchart2.postgresql.postgresqlDatabase=db1 +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +``` +global.postgresql.postgresqlPassword=testtest +global.postgresql.postgresqlDatabase=db1 +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```console +$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. + +### Deploy chart using Docker Official PostgreSQL Image + +From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. +Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. + +``` +helm install --name postgres \ + --set image.repository=postgres \ + --set image.tag=10.6 \ + --set postgresqlDataDir=/data/pgdata \ + --set persistence.mountPath=/data/ \ + stable/postgresql +``` + +## Upgrade + +It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: + +```bash +$ helm upgrade my-release bitnami/influxdb \ + --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ + --set replication.password=[REPLICATION_PASSWORD] +``` + +> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. + +## 7.0.0 + +Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. + +In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. + +This major version bump signifies this change. + +## 5.0.0 + +In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). + +For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: + +```bash +Welcome to the Bitnami postgresql container +Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql +Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues +Send us your feedback at containers@bitnami.com + +INFO ==> ** Starting PostgreSQL setup ** +NFO ==> Validating settings in POSTGRESQL_* env vars.. +INFO ==> Initializing PostgreSQL database... +INFO ==> postgresql.conf file not detected. Generating it... +INFO ==> pg_hba.conf file not detected. Generating it... +INFO ==> Deploying PostgreSQL with persisted data... +INFO ==> Configuring replication parameters +INFO ==> Loading custom scripts... +INFO ==> Enabling remote connections +INFO ==> Stopping PostgreSQL... +INFO ==> ** PostgreSQL setup finished! ** + +INFO ==> ** Starting PostgreSQL ** + [1] FATAL: database files are incompatible with server + [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. +``` +In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. + +### 4.0.0 + +This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. + +IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error + +``` +The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development +``` + +### 3.0.0 + +This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. +It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. + +#### Breaking changes + +- `affinty` has been renamed to `master.affinity` and `slave.affinity`. +- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. +- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. + +### 2.0.0 + +In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: + + - Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running + + ```console +$ kubectl get svc + ``` + +- Install (not upgrade) the new version + +```console +$ helm repo update +$ helm install --name my-release stable/postgresql +``` + +- Connect to the new pod (you can obtain the name by running `kubectl get pods`): + +```console +$ kubectl exec -it NAME bash +``` + +- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: + +```console +$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql +``` + +After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). +This operation could take some time depending on the database size. + +- Once you have the backup file, you can restore it with a command like the one below: + +```console +$ psql -U postgres DATABASE_NAME < /tmp/backup.sql +``` + +In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). + +If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. + +```console +$ psql -U postgres +postgres=# drop database DATABASE_NAME; +postgres=# create database DATABASE_NAME; +postgres=# create user USER_NAME; +postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; +postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; +postgres=# alter database DATABASE_NAME owner to USER_NAME; +``` diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/README.md new file mode 100755 index 0000000..1813a2f --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/README.md @@ -0,0 +1 @@ +Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/conf.d/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/conf.d/README.md new file mode 100755 index 0000000..184c187 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/conf.d/README.md @@ -0,0 +1,4 @@ +If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. +These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/docker-entrypoint-initdb.d/README.md new file mode 100755 index 0000000..cba3809 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/docker-entrypoint-initdb.d/README.md @@ -0,0 +1,3 @@ +You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. + +More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/NOTES.txt b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/NOTES.txt new file mode 100755 index 0000000..798fa10 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,50 @@ +** Please be patient while the chart is being deployed ** + +PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster: + + {{ template "postgresql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection +{{- if .Values.replication.enabled }} + {{ template "postgresql.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection +{{- end }} +To get the password for "{{ template "postgresql.username" . }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) + +To connect to your database run the following command: + + kubectl run {{ template "postgresql.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} + --labels="{{ template "postgresql.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "postgresql.fullname" . }} -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} -p {{ template "postgresql.port" . }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label {{ template "postgresql.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. +{{- end }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "postgresql.fullname" . }}) + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "postgresql.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "postgresql.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} & + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} -p {{ template "postgresql.port" . }} + +{{- end }} + +{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} + +WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ + +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/_helpers.tpl b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/_helpers.tpl new file mode 100755 index 0000000..b379f29 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,374 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "postgresql.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.master.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} +{{- if .Values.replication.enabled -}} +{{- printf "%s-%s" $fullname "master" | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "postgresql.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"extensions/v1beta1" +{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"networking.k8s.io/v1" +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "postgresql.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL password +*/}} +{{- define "postgresql.password" -}} +{{- if .Values.global.postgresql.postgresqlPassword }} + {{- .Values.global.postgresql.postgresqlPassword -}} +{{- else if .Values.postgresqlPassword -}} + {{- .Values.postgresqlPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication password +*/}} +{{- define "postgresql.replication.password" -}} +{{- if .Values.global.postgresql.replicationPassword }} + {{- .Values.global.postgresql.replicationPassword -}} +{{- else if .Values.replication.password -}} + {{- .Values.replication.password -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL username +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.postgresqlUsername }} + {{- .Values.global.postgresql.postgresqlUsername -}} +{{- else -}} + {{- .Values.postgresqlUsername -}} +{{- end -}} +{{- end -}} + + +{{/* +Return PostgreSQL replication username +*/}} +{{- define "postgresql.replication.username" -}} +{{- if .Values.global.postgresql.replicationUser }} + {{- .Values.global.postgresql.replicationUser -}} +{{- else -}} + {{- .Values.replication.user -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL port +*/}} +{{- define "postgresql.port" -}} +{{- if .Values.global.postgresql.servicePort }} + {{- .Values.global.postgresql.servicePort -}} +{{- else -}} + {{- .Values.service.port -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL created database +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.postgresqlDatabase }} + {{- .Values.global.postgresql.postgresqlDatabase -}} +{{- else if .Values.postgresqlDatabase -}} + {{- .Values.postgresqlDatabase -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper image name to change the volume permissions +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{- $registryName := .Values.volumePermissions.image.registry -}} +{{- $repositoryName := .Values.volumePermissions.image.repository -}} +{{- $tag := .Values.volumePermissions.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{- $registryName := default "docker.io" .Values.metrics.image.registry -}} +{{- $repositoryName := .Values.metrics.image.repository -}} +{{- $tag := default "latest" .Values.metrics.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.existingSecret }} + {{- printf "%s" .Values.global.postgresql.existingSecret -}} +{{- else if .Values.existingSecret -}} + {{- printf "%s" .Values.existingSecret -}} +{{- else -}} + {{- printf "%s" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if .Values.global.postgresql.existingSecret }} +{{- else if .Values.existingSecret -}} +{{- else -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the configuration ConfigMap name. +*/}} +{{- define "postgresql.configurationCM" -}} +{{- if .Values.configurationConfigMap -}} +{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} +{{- else -}} +{{- printf "%s-configuration" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the extended configuration ConfigMap name. +*/}} +{{- define "postgresql.extendedConfigurationCM" -}} +{{- if .Values.extendedConfConfigMap -}} +{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} +{{- else -}} +{{- printf "%s-extended-configuration" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts Secret name. +*/}} +{{- define "postgresql.initdbScriptsSecret" -}} +{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +- | +{{- if (include "postgresql.database" .) }} + pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- else }} + pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Return the proper Storage Class +*/}} +{{- define "postgresql.storageClass" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +*/}} +{{- if .Values.global -}} + {{- if .Values.global.storageClass -}} + {{- if (eq "-" .Values.global.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.global.storageClass -}} + {{- end -}} + {{- else -}} + {{- if .Values.persistence.storageClass -}} + {{- if (eq "-" .Values.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- if .Values.persistence.storageClass -}} + {{- if (eq "-" .Values.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Renders a value that contains template. +Usage: +{{ include "postgresql.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "postgresql.tplValue" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "postgresql.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1beta2" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/configmap.yaml new file mode 100755 index 0000000..d2178c0 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/configmap.yaml @@ -0,0 +1,26 @@ +{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-configuration + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +data: +{{- if (.Files.Glob "files/postgresql.conf") }} +{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} +{{- else if .Values.postgresqlConfiguration }} + postgresql.conf: | +{{- range $key, $value := default dict .Values.postgresqlConfiguration }} + {{ $key | snakecase }}={{ $value }} +{{- end }} +{{- end }} +{{- if (.Files.Glob "files/pg_hba.conf") }} +{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} +{{- else if .Values.pgHbaConfiguration }} + pg_hba.conf: | +{{ .Values.pgHbaConfiguration | indent 4 }} +{{- end }} +{{ end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/extended-config-configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/extended-config-configmap.yaml new file mode 100755 index 0000000..8a41195 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/extended-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-extended-configuration + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +data: +{{- with .Files.Glob "files/conf.d/*.conf" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{ with .Values.postgresqlExtendedConf }} + override.conf: | +{{- range $key, $value := . }} + {{ $key | snakecase }}={{ $value }} +{{- end }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/initialization-configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/initialization-configmap.yaml new file mode 100755 index 0000000..8eb5e05 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/initialization-configmap.yaml @@ -0,0 +1,24 @@ +{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-init-scripts + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{- with .Values.initdbScripts }} +{{ toYaml . | indent 2 }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/metrics-svc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/metrics-svc.yaml new file mode 100755 index 0000000..f370041 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/metrics-svc.yaml @@ -0,0 +1,26 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }}-metrics + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + annotations: +{{ toYaml .Values.metrics.service.annotations | indent 4 }} +spec: + type: {{ .Values.metrics.service.type }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + ports: + - name: metrics + port: 9187 + targetPort: metrics + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name }} + role: master +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/networkpolicy.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/networkpolicy.yaml new file mode 100755 index 0000000..8fb23f2 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/networkpolicy.yaml @@ -0,0 +1,34 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +spec: + podSelector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + ingress: + # Allow inbound connections + - ports: + - port: {{ template "postgresql.port" . }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "postgresql.fullname" . }}-client: "true" + - podSelector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: slave + {{- end }} + # Allow prometheus scrapes + - ports: + - port: 9187 +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/secrets.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/secrets.yaml new file mode 100755 index 0000000..e0bc3b2 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +type: Opaque +data: + postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} + {{- if .Values.replication.enabled }} + postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} + {{- end }} +{{- end -}} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/serviceaccount.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/serviceaccount.yaml new file mode 100755 index 0000000..27e5b51 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "postgresql.fullname" . }} +{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/servicemonitor.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/servicemonitor.yaml new file mode 100755 index 0000000..9211d51 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/servicemonitor.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} + {{- end }} +spec: + endpoints: + - port: metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset-slaves.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset-slaves.yaml new file mode 100755 index 0000000..74a81d0 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset-slaves.yaml @@ -0,0 +1,247 @@ +{{- if .Values.replication.enabled }} +apiVersion: {{ template "postgresql.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: "{{ template "postgresql.fullname" . }}-slave" + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.slave.labels }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.slave.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "postgresql.fullname" . }}-headless + replicas: {{ .Values.replication.slaveReplicas }} + selector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: slave + template: + metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + role: slave +{{- with .Values.slave.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.slave.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.slave.nodeSelector }} + nodeSelector: +{{ toYaml .Values.slave.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.slave.affinity }} + affinity: +{{ toYaml .Values.slave.affinity | indent 8 }} + {{- end }} + {{- if .Values.slave.tolerations }} + tolerations: +{{ toYaml .Values.slave.tolerations | indent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name}} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + initContainers: + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -c + - | + mkdir -p {{ .Values.persistence.mountPath }}/data + chmod 700 {{ .Values.persistence.mountPath }}/data + find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ + xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + securityContext: + runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }} + volumeMounts: + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + containers: + - name: {{ template "postgresql.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ template "postgresql.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.port" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + ports: + - name: postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{ end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.slave.extraVolumeMounts }} + {{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }} + {{- end }} + volumes: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: data + emptyDir: {} + {{- end }} + {{- if .Values.slave.extraVolumes }} + {{- toYaml .Values.slave.extraVolumes | nindent 8 }} + {{- end }} + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} +{{- if .Values.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "postgresql.storageClass" . }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset.yaml new file mode 100755 index 0000000..64c297f --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset.yaml @@ -0,0 +1,355 @@ +apiVersion: {{ template "postgresql.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ template "postgresql.master.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.master.labels }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.master.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "postgresql.fullname" . }}-headless + replicas: 1 + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: master + template: + metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + role: master +{{- with .Values.master.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.master.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.master.nodeSelector }} + nodeSelector: +{{ toYaml .Values.master.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.master.affinity }} + affinity: +{{ toYaml .Values.master.affinity | indent 8 }} + {{- end }} + {{- if .Values.master.tolerations }} + tolerations: +{{ toYaml .Values.master.tolerations | indent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + initContainers: + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -c + - | + mkdir -p {{ .Values.persistence.mountPath }}/data + chmod 700 {{ .Values.persistence.mountPath }}/data + find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ + xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + securityContext: + runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }} + volumeMounts: + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + containers: + - name: {{ template "postgresql.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + {{- if .Values.postgresqlInitdbArgs }} + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.postgresqlInitdbArgs | quote }} + {{- end }} + {{- if .Values.postgresqlInitdbWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.postgresqlInitdbWalDir | quote }} + {{- end }} + {{- if .Values.initdbUser }} + - name: POSTGRESQL_INITSCRIPTS_USERNAME + value: {{ .Values.initdbUser }} + {{- end }} + {{- if .Values.initdbPassword }} + - name: POSTGRESQL_INITSCRIPTS_PASSWORD + value: .Values.initdbPassword + {{- end }} + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + {{- if .Values.replication.enabled }} + - name: POSTGRES_REPLICATION_MODE + value: "master" + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + {{- if not (eq .Values.replication.synchronousCommit "off")}} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + - name: POSTGRES_USER + value: {{ include "postgresql.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + {{- if (include "postgresql.database" .) }} + - name: POSTGRES_DB + value: {{ (include "postgresql.database" .) | quote }} + {{- end }} + {{- if .Values.extraEnv }} + {{- include "postgresql.tplValue" (dict "value" .Values.extraEnv "context" $) | nindent 12 }} + {{- end }} + ports: + - name: postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.master.extraVolumeMounts }} + {{- toYaml .Values.master.extraVolumeMounts | nindent 12 }} + {{- end }} +{{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.metrics.securityContext.runAsUser }} + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }} + {{- if .Values.usePasswordFile }} + - name: DATA_SOURCE_PASS_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: DATA_SOURCE_USER + value: {{ template "postgresql.username" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: / + port: metrics + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: / + port: metrics + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + ports: + - name: metrics + containerPort: 9187 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} +{{- end }} + volumes: + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "postgresql.initdbScriptsCM" . }} + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ template "postgresql.initdbScriptsSecret" . }} + {{- end }} + {{- if .Values.master.extraVolumes }} + {{- toYaml .Values.master.extraVolumes | nindent 8 }} + {{- end }} +{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} + - name: data + persistentVolumeClaim: +{{- with .Values.persistence.existingClaim }} + claimName: {{ tpl . $ }} +{{- end }} +{{- else if not .Values.persistence.enabled }} + - name: data + emptyDir: {} +{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "postgresql.storageClass" . }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-headless.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-headless.yaml new file mode 100755 index 0000000..0bc60be --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-headless.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }}-headless + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: postgresql + port: {{ template "postgresql.port" . }} + targetPort: postgresql + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-read.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-read.yaml new file mode 100755 index 0000000..17bda04 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-read.yaml @@ -0,0 +1,31 @@ +{{- if .Values.replication.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }}-read + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + ports: + - name: postgresql + port: {{ template "postgresql.port" . }} + targetPort: postgresql + {{- if .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: slave +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc.yaml new file mode 100755 index 0000000..3b880b7 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.service.annotations }} + annotations: +{{ tpl (toYaml .) $ | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{ with .Values.service.loadBalancerSourceRanges }} +{{ toYaml . | indent 4 }} +{{- end }} + {{- end }} + {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + ports: + - name: postgresql + port: {{ template "postgresql.port" . }} + targetPort: postgresql + {{- if .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: master diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values-production.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values-production.yaml new file mode 100755 index 0000000..353848a --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values-production.yaml @@ -0,0 +1,392 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.5.0-debian-9-r84 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + debug: false + +## String to partially override postgresql.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override postgresql.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: true + image: + registry: docker.io + repository: bitnami/minideb + tag: stretch + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. + # name: + +replication: + enabled: true + user: repl_user + password: repl_password + slaveReplicas: 2 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + synchronousCommit: "on" + ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > slaveReplicas + numSynchronousReplicas: 1 + ## Replication Cluster application name. Useful for defining multiple replication policies + applicationName: my_application + +## PostgreSQL admin user +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." + +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## PostgreSQL service configuration +service: + ## PosgresSQL service type + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + +## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Master parameters +## +master: + ## Node, affinity and tolerations labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + ## Additional PostgreSQL Master Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Master Volumes + ## + extraVolumes: [] + +## +## PostgreSQL Slave parameters +## +slave: + ## Node, affinity and tolerations labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + ## Additional PostgreSQL Slave Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Slave Volumes + ## + extraVolumes: [] + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Configure metrics exporter +## +metrics: + enabled: true + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.6.0-debian-9-r0 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +# Define custom environment variables to pass to the image here +extraEnv: [] diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.schema.json b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.schema.json new file mode 100755 index 0000000..ac2de6e --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.schema.json @@ -0,0 +1,103 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "postgresqlUsername": { + "type": "string", + "title": "Admin user", + "form": true + }, + "postgresqlPassword": { + "type": "string", + "title": "Password", + "form": true + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "slaveReplicas": { + "type": "integer", + "title": "Slave Replicas", + "form": true, + "hidden": { + "condition": false, + "value": "replication.enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.yaml new file mode 100755 index 0000000..e13d0a7 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.yaml @@ -0,0 +1,392 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.5.0-debian-9-r84 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + debug: false + +## String to partially override postgresql.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override postgresql.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: true + image: + registry: docker.io + repository: bitnami/minideb + tag: stretch + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. + # name: + +replication: + enabled: false + user: repl_user + password: repl_password + slaveReplicas: 1 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + synchronousCommit: "off" + ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > slaveReplicas + numSynchronousReplicas: 0 + ## Replication Cluster application name. Useful for defining multiple replication policies + applicationName: my_application + +## PostgreSQL admin user +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." + +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## PostgreSQL service configuration +service: + ## PosgresSQL service type + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + +## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Master parameters +## +master: + ## Node, affinity and tolerations labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + ## Additional PostgreSQL Master Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Master Volumes + ## + extraVolumes: [] + +## +## PostgreSQL Slave parameters +## +slave: + ## Node, affinity and tolerations labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + ## Additional PostgreSQL Slave Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Slave Volumes + ## + extraVolumes: [] + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Configure metrics exporter +## +metrics: + enabled: false + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.6.0-debian-9-r0 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +# Define custom environment variables to pass to the image here +extraEnv: [] diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh new file mode 100755 index 0000000..6f0132d --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +if [ -z "$1" ]; then echo "Skipping creation of persistent volume examples. Ensure there is available PVs 200Gi per node for HA."; else oc create -f pv-examples/; fi + +oc new-project jfrog-artifactory +oc create serviceaccount svcaccount -n jfrog-artifactory +oc adm policy add-scc-to-user privileged system:serviceaccount:jfrog-artifactory:svcaccount +oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:svcaccount +oc adm policy add-scc-to-group anyuid system:authenticated + +# enables hostPath plugin for openshift system wide +oc create -f scc.yaml -n jfrog-artifactory +oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' +oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:svcaccount + +# create the license secret +oc create secret generic artifactory-license --from-file=./artifactory.cluster.license + +# install via helm +helm install . --generate-name \ + --set artifactory.node.replicaCount=1 \ + --set nginx.service.type=NodePort \ + --set artifactory.license.secret=artifactory-license,artifactory.license.dataKey=artifactory.cluster.license diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0001-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0001-large.yaml new file mode 100644 index 0000000..8a36385 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0001-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0001-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0001-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0002-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0002-large.yaml new file mode 100644 index 0000000..b96fa47 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0002-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0002-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0002-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0003-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0003-large.yaml new file mode 100644 index 0000000..476ad41 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0003-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0003-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0003-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0004-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0004-large.yaml new file mode 100644 index 0000000..ae2fbda --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0004-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0004-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0004-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0005-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0005-large.yaml new file mode 100644 index 0000000..9488514 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0005-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0005-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0005-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock new file mode 100755 index 0000000..7037cff --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: postgresql + repository: https://kubernetes-charts.storage.googleapis.com/ + version: 7.0.1 +digest: sha256:dcdafe9ab91ccf0e5883e2b5dd9ba13e82190b5e16e6dee6d39fd16a04123ce8 +generated: 2019-11-10T13:12:29.836238+02:00 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml new file mode 100755 index 0000000..756a19c --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml @@ -0,0 +1,5 @@ +dependencies: + - name: postgresql + version: 7.0.1 + repository: https://kubernetes-charts.storage.googleapis.com/ + condition: postgresql.enabled diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/scc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/scc.yaml new file mode 100644 index 0000000..13eef79 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/scc.yaml @@ -0,0 +1,18 @@ +kind: SecurityContextConstraints +apiVersion: v1 +metadata: + name: hostpath +allowPrivilegedContainer: false +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: +- artifactory +groups: +- artifactory +- jfrog-artifactory diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/NOTES.txt b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/NOTES.txt new file mode 100755 index 0000000..d08fa88 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/NOTES.txt @@ -0,0 +1,113 @@ +Congratulations. You have just deployed JFrog Artifactory HA! + +{{- if and (not .Values.artifactory.masterKeySecretName) (eq .Values.artifactory.masterKey "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF") }} + + +***************************************** WARNING ****************************************** +* Your Artifactory master key is still set to the provided example: * +* artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF * +* * +* You should change this to your own generated key: * +* $ export MASTER_KEY=$(openssl rand -hex 32) * +* $ echo ${MASTER_KEY} * +* * +* Pass the created master key to helm with '--set artifactory.masterKey=${MASTER_KEY}' * +* * +* Alternatively, you can use a pre-existing secret with a key called master-key with * +* '--set artifactory.masterKeySecretName=${SECRET_NAME}' * +******************************************************************************************** +{{- end }} + +{{ if eq .Values.artifactory.joinKey "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" }} + + +***************************************** WARNING ****************************************** +* Your Artifactory join key is still set to the provided example: * +* artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE * +* * +* You should change this to your own generated key: * +* $ export JOIN_KEY=$(openssl rand -hex 16) * +* $ echo ${JOIN_KEY} * +* * +* Pass the created master key to helm with '--set artifactory.joinKey=${JOIN_KEY}' * +* * +******************************************************************************************** +{{- end }} + +{{- if .Values.postgresql.enabled }} + +DATABASE: +To extract the database password, run the following +export DB_PASSWORD=$(kubectl get --namespace {{ .Release.Namespace }} $(kubectl get secret --namespace {{ .Release.Namespace }} -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) +echo ${DB_PASSWORD} +{{- end }} + +SETUP: +1. Get the Artifactory IP and URL + + {{- if contains "NodePort" .Values.nginx.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "artifactory-ha.nginx.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT/ + + {{- else if contains "LoadBalancer" .Values.nginx.service.type }} + NOTE: It may take a few minutes for the LoadBalancer public IP to be available! + + You can watch the status of the service by running 'kubectl get svc -w {{ template "artifactory-ha.nginx.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.nginx.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP/ + + {{- else if contains "ClusterIP" .Values.nginx.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "component={{ .Values.nginx.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080:80 + echo http://127.0.0.1:8080 + + {{- end }} + +2. Open Artifactory in your browser + Default credential for Artifactory: + user: admin + password: password + + {{- if .Values.artifactory.license.secret }} + +3. Manage Artifactory license through the {{ .Values.artifactory.license.secret }} secret ONLY! + Since the artifactory license(s) is managed with a secret ({{ .Values.artifactory.license.secret }}), any change through the Artifactory UI might not be saved! + + {{- else }} + +3. Add HA licenses to activate Artifactory HA through the Artifactory UI + NOTE: Each Artifactory node requires a valid license. See https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup for more details. + + {{- end }} + +{{ if or .Values.artifactory.primary.javaOpts.jmx.enabled .Values.artifactory.node.javaOpts.jmx.enabled }} +JMX configuration: +{{- if not (contains "LoadBalancer" .Values.artifactory.service.type) }} +If you want to access JMX from you computer with jconsole, you should set ".Values.artifactory.service.type=LoadBalancer" !!! +{{ end }} + +1. Get the Artifactory service IP: +{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} +export PRIMARY_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.primary.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +{{- end }} +{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} +export MEMBER_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +{{- end }} + +2. Map the service name to the service IP in /etc/hosts: +{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} +sudo sh -c "echo \"${PRIMARY_SERVICE_IP} {{ template "artifactory-ha.primary.name" . }}\" >> /etc/hosts" +{{- end }} +{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} +sudo sh -c "echo \"${MEMBER_SERVICE_IP} {{ template "artifactory-ha.fullname" . }}\" >> /etc/hosts" +{{- end }} + +3. Launch jconsole: +{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} +jconsole {{ template "artifactory-ha.primary.name" . }}:{{ .Values.artifactory.primary.javaOpts.jmx.port }} +{{- end }} +{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} +jconsole {{ template "artifactory-ha.fullname" . }}:{{ .Values.artifactory.node.javaOpts.jmx.port }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/_helpers.tpl b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/_helpers.tpl new file mode 100755 index 0000000..32171c2 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/_helpers.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "artifactory-ha.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +The primary node name +*/}} +{{- define "artifactory-ha.primary.name" -}} +{{- if .Values.nameOverride -}} +{{- printf "%s-primary" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := .Release.Name | trunc 29 -}} +{{- printf "%s-%s-primary" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +The member node name +*/}} +{{- define "artifactory-ha.node.name" -}} +{{- if .Values.nameOverride -}} +{{- printf "%s-member" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := .Release.Name | trunc 29 -}} +{{- printf "%s-%s-member" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name nginx service. +*/}} +{{- define "artifactory-ha.nginx.name" -}} +{{- default .Values.nginx.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "artifactory-ha.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "artifactory-ha.nginx.fullname" -}} +{{- if .Values.nginx.fullnameOverride -}} +{{- .Values.nginx.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nginx.name -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "artifactory-ha.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} +{{ default (include "artifactory-ha.fullname" .) .Values.serviceAccount.name }} +{{- else -}} +{{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "artifactory-ha.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate SSL certificates +*/}} +{{- define "artifactory-ha.gen-certs" -}} +{{- $altNames := list ( printf "%s.%s" (include "artifactory-ha.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory-ha.name" .) .Release.Namespace ) -}} +{{- $ca := genCA "artifactory-ca" 365 -}} +{{- $cert := genSignedCert ( include "artifactory-ha.name" . ) nil $altNames 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/access-bootstrap-creds.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/access-bootstrap-creds.yaml new file mode 100755 index 0000000..f4e34a2 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/access-bootstrap-creds.yaml @@ -0,0 +1,15 @@ +{{- if not (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) }} +{{- if .Values.artifactory.accessAdmin.password }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-bootstrap-creds + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + bootstrap.creds: {{ (printf "access-admin@%s=%s" .Values.artifactory.accessAdmin.ip .Values.artifactory.accessAdmin.password) | b64enc }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-binarystore-secret.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-binarystore-secret.yaml new file mode 100755 index 0000000..2e7cac7 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-binarystore-secret.yaml @@ -0,0 +1,14 @@ +{{- if not .Values.artifactory.persistence.customBinarystoreXmlSecret }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-binarystore + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +stringData: + binarystore.xml: |- +{{ tpl .Values.artifactory.persistence.binarystoreXml . | indent 4 }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-configmaps.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-configmaps.yaml new file mode 100755 index 0000000..1385bc5 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-configmaps.yaml @@ -0,0 +1,13 @@ +{{ if .Values.artifactory.configMaps }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-configmaps + labels: + app: {{ template "artifactory-ha.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: +{{ tpl .Values.artifactory.configMaps . | indent 2 }} +{{ end -}} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-installer-info.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-installer-info.yaml new file mode 100755 index 0000000..0c9a4f4 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-installer-info.yaml @@ -0,0 +1,25 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-installer-info + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + installer-info.json: | + { + "productId": "Helm_artifactory-ha/{{ .Chart.Version }}", + "features": [ + { + "featureId": "ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}" + }, + { + "featureId": "{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default "derby" .Values.database.type }}{{ end }}/0.0.0" + }, + { + "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}" + } + ] + } diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-license-secret.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-license-secret.yaml new file mode 100755 index 0000000..3f629c6 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-license-secret.yaml @@ -0,0 +1,14 @@ +{{- with .Values.artifactory.license.licenseKey }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.fullname" $ }}-license + labels: + app: {{ template "artifactory-ha.name" $ }} + chart: {{ template "artifactory-ha.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} +type: Opaque +data: + artifactory.lic: {{ . | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-networkpolicy.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-networkpolicy.yaml new file mode 100755 index 0000000..371dc9a --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-networkpolicy.yaml @@ -0,0 +1,34 @@ +{{- range .Values.networkpolicy }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "artifactory-ha.fullname" $ }}-{{ .name }}-networkpolicy + labels: + app: {{ template "artifactory-ha.name" $ }} + chart: {{ template "artifactory-ha.chart" $ }} + release: {{ $.Release.Name }} + heritage: {{ $.Release.Service }} +spec: +{{- if .podSelector }} + podSelector: +{{ .podSelector | toYaml | trimSuffix "\n" | indent 4 -}} +{{ else }} + podSelector: {} +{{- end }} + policyTypes: + {{- if .ingress }} + - Ingress + {{- end }} + {{- if .egress }} + - Egress + {{- end }} +{{- if .ingress }} + ingress: +{{ .ingress | toYaml | trimSuffix "\n" | indent 2 -}} +{{- end }} +{{- if .egress }} + egress: +{{ .egress | toYaml | trimSuffix "\n" | indent 2 -}} +{{- end }} +--- +{{- end -}} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-nfs-pvc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-nfs-pvc.yaml new file mode 100755 index 0000000..6ed7d82 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-nfs-pvc.yaml @@ -0,0 +1,101 @@ +{{- if eq .Values.artifactory.persistence.type "nfs" }} +### Artifactory HA data +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ template "artifactory-ha.fullname" . }}-data-pv + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + id: {{ template "artifactory-ha.name" . }}-data-pv + type: nfs-volume +spec: + {{- if .Values.artifactory.persistence.nfs.mountOptions }} + mountOptions: +{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} + {{- end }} + capacity: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + server: {{ .Values.artifactory.persistence.nfs.ip }} + path: "{{ .Values.artifactory.persistence.nfs.haDataMount }}" + readOnly: false +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-data-pvc + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + type: nfs-volume +spec: + accessModes: + - ReadWriteOnce + storageClassName: "" + resources: + requests: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + selector: + matchLabels: + id: {{ template "artifactory-ha.name" . }}-data-pv + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} +--- +### Artifactory HA backup +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ template "artifactory-ha.fullname" . }}-backup-pv + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + id: {{ template "artifactory-ha.name" . }}-backup-pv + type: nfs-volume +spec: + {{- if .Values.artifactory.persistence.nfs.mountOptions }} + mountOptions: +{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} + {{- end }} + capacity: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + server: {{ .Values.artifactory.persistence.nfs.ip }} + path: "{{ .Values.artifactory.persistence.nfs.haBackupMount }}" + readOnly: false +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-backup-pvc + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + type: nfs-volume +spec: + accessModes: + - ReadWriteOnce + storageClassName: "" + resources: + requests: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + selector: + matchLabels: + id: {{ template "artifactory-ha.name" . }}-backup-pv + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-pdb.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-pdb.yaml new file mode 100755 index 0000000..871bb21 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-pdb.yaml @@ -0,0 +1,19 @@ +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "artifactory-ha.fullname" . }}-node + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + {{- if eq .Values.artifactory.service.pool "members" }} + role: {{ template "artifactory-ha.node.name" . }} + {{- end }} + release: {{ .Release.Name }} + minAvailable: {{ .Values.artifactory.node.minAvailable }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-statefulset.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-statefulset.yaml new file mode 100755 index 0000000..67e1ab3 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-statefulset.yaml @@ -0,0 +1,510 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "artifactory-ha.node.name" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + force-update: "{{ randAlpha 63 | lower }}" +{{- if .Values.artifactory.node.labels }} +{{ toYaml .Values.artifactory.node.labels | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "artifactory-ha.node.name" . }} + replicas: {{ .Values.artifactory.node.replicaCount }} + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + role: {{ template "artifactory-ha.node.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + role: {{ template "artifactory-ha.node.name" . }} + heritage: {{ .Release.Service }} + component: {{ .Values.artifactory.name }} + release: {{ .Release.Name }} + annotations: + checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} + {{- range $key, $value := .Values.artifactory.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.artifactory.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.artifactory.priorityClass.create }} + priorityClassName: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + securityContext: + runAsUser: {{ .Values.artifactory.uid }} + fsGroup: {{ .Values.artifactory.uid }} + initContainers: + {{- if .Values.artifactory.customInitContainersBegin }} +{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }} + {{- end }} + {{- if .Values.artifactory.persistence.enabled }} + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + - name: "create-artifactory-data-dir" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + {{- end }} + {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} + - name: "delete-db-properties" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + - name: "remove-lost-found" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + - name: 'copy-system-yaml' + image: '{{ .Values.initContainerImage }}' + command: + - '/bin/sh' + - '-c' + - > + {{- if .Values.artifactory.node.waitForPrimaryStartup.enabled }} + echo "Sleeping to allow time for primary node to come up"; + sleep {{ .Values.artifactory.node.waitForPrimaryStartup.seconds }}; + {{- end }} + echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; + cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists"; + rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + - name: systemyaml + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: "prepare-custom-persistent-volume" + image: "{{ .Values.initContainerImage }}" + command: + - 'sh' + - '-c' + - > + chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + securityContext: + runAsUser: 0 + volumeMounts: + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.waitForDatabase }} + {{- if or .Values.postgresql.enabled }} + - name: "wait-for-db" + image: "{{ .Values.initContainerImage }}" + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do + sleep 2; + done; + {{- end }} + {{- end }} + {{- if .Values.artifactory.customInitContainers }} +{{ tpl .Values.artifactory.customInitContainers . | indent 6 }} + {{- end }} + containers: + - name: {{ .Values.artifactory.name }} + image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + command: + - '/bin/sh' + - '-c' + - > + {{- if .Values.artifactory.userPluginSecrets }} + echo "Copying plugins"; + cp -Lrf /tmp/plugin/*/* /tmp/plugins; + {{- end }} + {{- if .Values.artifactory.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.artifactory.preStartCommand . }}; + {{- end }} + /entrypoint-artifactory.sh + lifecycle: + postStart: + exec: + command: + - '/bin/sh' + - '-c' + - > + echo; + {{- if .Values.artifactory.postStartCommand }} + {{ .Values.artifactory.postStartCommand }} + {{- end }} + env: + {{- if .Values.database.secrets.user }} + - name: JF_SHARED_DATABSE_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.user.name }} + key: {{ .Values.database.secrets.user.key }} + {{- end }} + {{- if .Values.database.secrets.password }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.password.name }} + key: {{ .Values.database.secrets.password.key }} + {{- end }} + {{- if .Values.database.secrets.url }} + - name: JF_SHARED_DATABSE_URL + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.url.name }} + key: {{ .Values.database.secrets.url.key }} + {{- end }} + - name: JF_SHARED_NODE_PRIMARY + value: "false" + - name: JF_SHARED_NODE_HAENABLED + value: "true" + - name: JF_SHARED_DATABSE_USERNAME + value: "artifactory" + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgresql + key: postgresql-password + ports: + - containerPort: {{ .Values.artifactory.internalPort }} + - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} + {{- if .Values.artifactory.node.javaOpts.jmx.enabled }} + - containerPort: {{ .Values.artifactory.node.javaOpts.jmx.port }} + {{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + - name: tmp-plugins + mountPath: "/tmp/plugins/" + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + mountPath: "/tmp/plugin/{{ tpl . $ }}" + {{- end }} + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + {{- if .Values.artifactory.binarystore.enabled }} + - name: binarystore-xml + mountPath: "/artifactory_extra_conf/binarystore.xml" + subPath: binarystore.xml + {{- end }} + {{- end }} + - name: installer-info + mountPath: "/artifactory_extra_conf/info/installer-info.json" + subPath: installer-info.json + {{- if .Values.artifactory.customVolumeMounts }} +{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.artifactory.node.resources | indent 10 }} + {{- if .Values.artifactory.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.artifactory.readinessProbe.path }} + port: {{ .Values.artifactory.internalPort }} + initialDelaySeconds: {{ .Values.artifactory.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.artifactory.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.artifactory.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.artifactory.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.artifactory.readinessProbe.successThreshold }} + {{- end }} + {{- if .Values.artifactory.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.artifactory.livenessProbe.path }} + port: {{ .Values.artifactory.internalPort }} + initialDelaySeconds: {{ .Values.artifactory.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.artifactory.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.artifactory.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }} + {{- end }} + {{- $image := .Values.logger.image.repository }} + {{- $tag := .Values.logger.image.tag }} + {{- $mountPath := .Values.artifactory.persistence.mountPath }} + {{- range .Values.artifactory.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - tail + args: + - '-F' + - '{{ $mountPath }}/logs/{{ . }}' + volumeMounts: + - name: volume + mountPath: {{ $mountPath }} + {{- end }} + {{ if .Values.artifactory.catalinaLoggers }} + {{- range .Values.artifactory.catalinaLoggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - 'sh' + - '-c' + - 'sh /scripts/tail-log.sh {{ $mountPath }}/logs/catalina {{ . }}' + volumeMounts: + - name: volume + mountPath: {{ $mountPath }} + - name: catalina-logger + mountPath: /scripts/tail-log.sh + subPath: tail-log.sh + {{- end }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: {{ .Values.filebeat.name }} + image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" + imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} + args: + - "-e" + - "-E" + - "http.enabled=true" + securityContext: + runAsUser: 0 + volumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + livenessProbe: +{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} + readinessProbe: +{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} + resources: +{{ toYaml .Values.filebeat.resources | indent 10 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} + {{- end }} + {{- if .Values.artifactory.customSidecarContainers }} +{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }} + {{- end }} + {{- with .Values.artifactory.node.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.artifactory.node.affinity }} + {{- with .Values.artifactory.node.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if eq .Values.artifactory.node.podAntiAffinity.type "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.artifactory.node.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + {{- if eq .Values.artifactory.service.pool "members" }} + role: {{ template "artifactory-ha.node.name" . }} + {{- end }} + {{- else if eq .Values.artifactory.node.podAntiAffinity.type "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.artifactory.node.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + {{- if eq .Values.artifactory.service.pool "members" }} + role: {{ template "artifactory-ha.node.name" . }} + {{- end }} + {{- end }} + {{- with .Values.artifactory.node.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- if .Values.artifactory.binarystore.enabled }} + - name: binarystore-xml + secret: + {{- if .Values.artifactory.persistence.customBinarystoreXmlSecret }} + secretName: {{ .Values.artifactory.persistence.customBinarystoreXmlSecret }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-binarystore + {{- end }} + {{- end }} + - name: installer-info + configMap: + name: {{ template "artifactory-ha.fullname" . }}-installer-info + {{- if .Values.artifactory.userPluginSecrets }} + - name: tmp-plugins + emptyDir: {} + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + secret: + secretName: {{ tpl . $ }} + {{- end }} + {{- end }} + {{- if .Values.artifactory.catalinaLoggers }} + - name: catalina-logger + configMap: + name: {{ template "artifactory-ha.fullname" . }}-catalina-logger + {{- end }} + {{- if .Values.artifactory.configMaps }} + - name: artifactory-configmaps + configMap: + name: {{ template "artifactory-ha.fullname" . }}-configmaps + {{- end }} + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" $ }}-data-pvc-{{ $sharedClaimNumber }} + {{- end }} + - name: artifactory-ha-backup + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" $ }}-backup-pvc + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" . }}-data-pvc + - name: artifactory-ha-backup + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc + {{- end }} + - name: systemyaml + secret: + secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + persistentVolumeClaim: + claimName: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: filebeat-config + configMap: + name: {{ template "artifactory-ha.fullname" . }}-filebeat-config + {{- end }} + {{- if .Values.artifactory.customVolumes }} +{{ tpl .Values.artifactory.customVolumes . | indent 6 }} + {{- end }} + {{- if not .Values.artifactory.persistence.enabled }} + - name: volume + emptyDir: + sizeLimit: {{ .Values.artifactory.persistence.size }} + {{- end }} + volumeClaimTemplates: + {{- if .Values.artifactory.persistence.enabled }} + - metadata: + name: volume + {{- if not .Values.artifactory.node.persistence.existingClaim }} + spec: + {{- if .Values.artifactory.persistence.storageClassName }} + {{- if (eq "-" .Values.artifactory.persistence.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.persistence.storageClassName }}" + {{- end }} + {{- end }} + accessModes: [ "{{ .Values.artifactory.persistence.accessMode }}" ] + resources: + requests: + storage: {{ .Values.artifactory.persistence.size }} + {{- end }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - metadata: + name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + spec: + {{- if .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }} + {{- if (eq "-" .Values.artifactory.customPersistentPodVolumeClaim.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }}" + {{- end }} + {{- end }} + accessModes: + {{- range .Values.artifactory.customPersistentPodVolumeClaim.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.artifactory.customPersistentPodVolumeClaim.size }} + {{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-primary-statefulset.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-primary-statefulset.yaml new file mode 100755 index 0000000..8b53315 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-primary-statefulset.yaml @@ -0,0 +1,587 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "artifactory-ha.primary.name" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + force-update: "{{ randAlpha 63 | lower }}" +{{- if .Values.artifactory.primary.labels }} +{{ toYaml .Values.artifactory.primary.labels | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "artifactory-ha.primary.name" . }} + replicas: 1 + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + role: {{ template "artifactory-ha.primary.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + role: {{ template "artifactory-ha.primary.name" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} + {{- if not (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) }} + checksum/access-creds: {{ include (print $.Template.BasePath "/access-bootstrap-creds.yaml") . | sha256sum }} + {{- end }} + {{- range $key, $value := .Values.artifactory.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.artifactory.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.artifactory.priorityClass.create }} + priorityClassName: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + securityContext: + runAsUser: {{ .Values.artifactory.uid }} + fsGroup: {{ .Values.artifactory.uid }} + initContainers: + {{- if .Values.artifactory.customInitContainersBegin }} +{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }} + {{- end }} + {{- if .Values.artifactory.persistence.enabled }} + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + - name: "create-artifactory-data-dir" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + {{- end }} + {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} + - name: "delete-db-properties" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + - name: "remove-lost-found" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; + rm -rfv {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}/lost+found; + rm -rfv {{ .Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}/lost+found; + volumeMounts: + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + {{- if or (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) .Values.artifactory.accessAdmin.password }} + - name: "access-bootstrap-creds" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + echo "Preparing custom Access bootstrap.creds"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/access/etc; + cp -Lrf /tmp/access/bootstrap.creds {{ .Values.artifactory.persistence.mountPath }}/access/etc/bootstrap.creds; + chmod 600 {{ .Values.artifactory.persistence.mountPath }}/access/etc/bootstrap.creds; + volumeMounts: + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + - name: access-bootstrap-creds + mountPath: "/tmp/access/bootstrap.creds" + {{- if and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey }} + subPath: {{ .Values.artifactory.accessAdmin.dataKey }} + {{- else }} + subPath: bootstrap.creds + {{- end }} + {{- end }} + {{- end }} + - name: 'copy-system-yaml' + image: '{{ .Values.initContainerImage }}' + command: + - '/bin/sh' + - '-c' + - > + echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; + cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists"; + rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + - name: systemyaml + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: "prepare-custom-persistent-volume" + image: "{{ .Values.initContainerImage }}" + command: + - 'sh' + - '-c' + - > + chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + securityContext: + runAsUser: 0 + volumeMounts: + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.waitForDatabase }} + {{- if or .Values.postgresql.enabled }} + - name: "wait-for-db" + image: "{{ .Values.initContainerImage }}" + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do + sleep 2; + done; + {{- end }} + {{- end }} + {{- if .Values.artifactory.customInitContainers }} +{{ tpl .Values.artifactory.customInitContainers . | indent 6 }} + {{- end }} + containers: + - name: {{ .Values.artifactory.name }} + image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + command: + - '/bin/sh' + - '-c' + - > + set -e; + {{- if .Values.artifactory.configMapName }} + echo "Copying bootstrap configs"; + cp -Lrf /bootstrap/* /artifactory_extra_conf/; + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + echo "Copying plugins"; + cp -Lrf /tmp/plugin/*/* /tmp/plugins; + {{- end }} + {{- range .Values.artifactory.copyOnEveryStartup }} + {{- $targetPath := printf "%s/%s" $.Values.artifactory.persistence.mountPath .target }} + {{- $baseDirectory := regexFind ".*/" $targetPath }} + mkdir -p {{ $baseDirectory }}; + cp -Lrf {{ .source }} {{ $.Values.artifactory.persistence.mountPath }}/{{ .target }}; + {{- end }} + {{- if .Values.artifactory.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.artifactory.preStartCommand . }}; + {{- end }} + /entrypoint-artifactory.sh + lifecycle: + postStart: + exec: + command: + - '/bin/sh' + - '-c' + - > + echo; + {{- if .Values.artifactory.postStartCommand }} + {{ .Values.artifactory.postStartCommand }} + {{- end }} + env: + {{- if .Values.database.secrets.user }} + - name: JF_SHARED_DATABSE_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.user.name }} + key: {{ .Values.database.secrets.user.key }} + {{- end }} + {{- if .Values.database.secrets.password }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.password.name }} + key: {{ .Values.database.secrets.password.key }} + {{- end }} + {{- if .Values.database.secrets.url }} + - name: JF_SHARED_DATABSE_URL + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.url.name }} + key: {{ .Values.database.secrets.url.key }} + {{- end }} + - name: JF_SHARED_NODE_PRIMARY + value: "true" + - name: JF_SHARED_NODE_HAENABLED + value: "true" + - name: JF_SHARED_DATABSE_USERNAME + value: "artifactory" + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgresql + key: postgresql-password + ports: + - containerPort: {{ .Values.artifactory.internalPort }} + - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} + {{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} + - containerPort: {{ .Values.artifactory.primary.javaOpts.jmx.port }} + {{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + - name: tmp-plugins + mountPath: "/tmp/plugins/" + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + mountPath: "/tmp/plugin/{{ tpl . $ }}" + {{- end }} + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + {{- if .Values.artifactory.binarystore.enabled }} + - name: binarystore-xml + mountPath: "/artifactory_extra_conf/binarystore.xml" + subPath: binarystore.xml + {{- end }} + {{- end }} + {{- if .Values.artifactory.configMapName }} + - name: bootstrap-config + mountPath: "/bootstrap/" + {{- end }} + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + - name: artifactory-license + mountPath: "/artifactory_extra_conf/artifactory.cluster.license" + {{- if .Values.artifactory.license.secret }} + subPath: {{ .Values.artifactory.license.dataKey }} + {{- else if .Values.artifactory.license.licenseKey }} + subPath: artifactory.lic + {{- end }} + {{- end }} + - name: installer-info + mountPath: "/artifactory_extra_conf/info/installer-info.json" + subPath: installer-info.json + {{- if .Values.artifactory.customVolumeMounts }} +{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.artifactory.primary.resources | indent 10 }} + {{- if .Values.artifactory.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.artifactory.readinessProbe.path }} + port: {{ .Values.artifactory.internalPort }} + initialDelaySeconds: {{ .Values.artifactory.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.artifactory.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.artifactory.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.artifactory.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.artifactory.readinessProbe.successThreshold }} + {{- end }} + {{- if .Values.artifactory.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.artifactory.livenessProbe.path }} + port: {{ .Values.artifactory.internalPort }} + initialDelaySeconds: {{ .Values.artifactory.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.artifactory.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.artifactory.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }} + {{- end }} + {{- $image := .Values.logger.image.repository }} + {{- $tag := .Values.logger.image.tag }} + {{- $mountPath := .Values.artifactory.persistence.mountPath }} + {{- range .Values.artifactory.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - tail + args: + - '-F' + - '{{ $mountPath }}/logs/{{ . }}' + volumeMounts: + - name: volume + mountPath: {{ $mountPath }} + {{- end }} + {{ if .Values.artifactory.catalinaLoggers }} + {{- range .Values.artifactory.catalinaLoggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - 'sh' + - '-c' + - 'sh /scripts/tail-log.sh {{ $mountPath }}/logs/catalina {{ . }}' + volumeMounts: + - name: volume + mountPath: {{ $mountPath }} + - name: catalina-logger + mountPath: /scripts/tail-log.sh + subPath: tail-log.sh + {{- end }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: {{ .Values.filebeat.name }} + image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" + imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} + args: + - "-e" + - "-E" + - "http.enabled=true" + securityContext: + runAsUser: 0 + volumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + livenessProbe: +{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} + readinessProbe: +{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} + resources: +{{ toYaml .Values.filebeat.resources | indent 10 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} + {{- end }} + {{- if .Values.artifactory.customSidecarContainers }} +{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }} + {{- end }} + {{- with .Values.artifactory.primary.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.artifactory.primary.affinity }} + {{- with .Values.artifactory.primary.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if eq .Values.artifactory.primary.podAntiAffinity.type "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.artifactory.primary.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + {{- else if eq .Values.artifactory.primary.podAntiAffinity.type "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.artifactory.primary.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + {{- end }} + {{- with .Values.artifactory.primary.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- if .Values.artifactory.binarystore.enabled }} + - name: binarystore-xml + secret: + {{- if .Values.artifactory.persistence.customBinarystoreXmlSecret }} + secretName: {{ .Values.artifactory.persistence.customBinarystoreXmlSecret }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-binarystore + {{- end }} + {{- end }} + - name: installer-info + configMap: + name: {{ template "artifactory-ha.fullname" . }}-installer-info + {{- if .Values.artifactory.userPluginSecrets }} + - name: tmp-plugins + emptyDir: {} + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + secret: + secretName: {{ tpl . $ }} + {{- end }} + {{- end }} + {{- if .Values.artifactory.configMapName }} + - name: bootstrap-config + configMap: + name: {{ .Values.artifactory.configMapName }} + {{- end}} + {{- if .Values.artifactory.catalinaLoggers }} + - name: catalina-logger + configMap: + name: {{ template "artifactory-ha.fullname" . }}-catalina-logger + {{- end }} + {{- if .Values.artifactory.configMaps }} + - name: artifactory-configmaps + configMap: + name: {{ template "artifactory-ha.fullname" . }}-configmaps + {{- end }} + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + - name: artifactory-license + secret: + {{- if .Values.artifactory.license.secret }} + secretName: {{ .Values.artifactory.license.secret }} + {{- else if .Values.artifactory.license.licenseKey }} + secretName: {{ template "artifactory-ha.fullname" . }}-license + {{- end }} + {{- end }} + {{- if or (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) .Values.artifactory.accessAdmin.password }} + - name: access-bootstrap-creds + secret: + {{- if and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey }} + secretName: {{ .Values.artifactory.accessAdmin.secret }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-bootstrap-creds + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" $ }}-data-pvc-{{ $sharedClaimNumber }} + {{- end }} + - name: artifactory-ha-backup + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" $ }}-backup-pvc + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" . }}-data-pvc + - name: artifactory-ha-backup + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc + {{- end }} + - name: systemyaml + secret: + secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + persistentVolumeClaim: + claimName: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: filebeat-config + configMap: + name: {{ template "artifactory-ha.fullname" . }}-filebeat-config + {{- end }} + {{- if .Values.artifactory.customVolumes }} +{{ tpl .Values.artifactory.customVolumes . | indent 6 }} + {{- end }} + {{- if not .Values.artifactory.persistence.enabled }} + - name: volume + emptyDir: + sizeLimit: {{ .Values.artifactory.persistence.size }} + {{- end }} + volumeClaimTemplates: + {{- if .Values.artifactory.persistence.enabled }} + - metadata: + name: volume + {{- if not .Values.artifactory.primary.persistence.existingClaim }} + spec: + {{- if .Values.artifactory.persistence.storageClassName }} + {{- if (eq "-" .Values.artifactory.persistence.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.persistence.storageClassName }}" + {{- end }} + {{- end }} + accessModes: [ "{{ .Values.artifactory.persistence.accessMode }}" ] + resources: + requests: + storage: {{ .Values.artifactory.persistence.size }} + {{- end }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - metadata: + name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + spec: + {{- if .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }} + {{- if (eq "-" .Values.artifactory.customPersistentPodVolumeClaim.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }}" + {{- end }} + {{- end }} + accessModes: + {{- range .Values.artifactory.customPersistentPodVolumeClaim.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.artifactory.customPersistentPodVolumeClaim.size }} + {{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-priority-class.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-priority-class.yaml new file mode 100755 index 0000000..417ec5c --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-priority-class.yaml @@ -0,0 +1,9 @@ +{{- if .Values.artifactory.priorityClass.create }} +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} +value: {{ .Values.artifactory.priorityClass.value }} +globalDefault: false +description: "Artifactory priority class" +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-role.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-role.yaml new file mode 100755 index 0000000..c86bffd --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-role.yaml @@ -0,0 +1,14 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "artifactory-ha.fullname" . }} +rules: +{{ toYaml .Values.rbac.role.rules }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-rolebinding.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-rolebinding.yaml new file mode 100755 index 0000000..4412870 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-rolebinding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "artifactory-ha.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "artifactory-ha.serviceAccountName" . }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: {{ template "artifactory-ha.fullname" . }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-secrets.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-secrets.yaml new file mode 100755 index 0000000..2665d32 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +data: +{{- if not .Values.artifactory.masterKeySecretName }} + master-key: {{ .Values.artifactory.masterKey | b64enc | quote }} +{{- end }} +{{- if .Values.database.password }} + db-password: {{ .Values.database.password | b64enc | quote }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-service.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-service.yaml new file mode 100755 index 0000000..38d3355 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-service.yaml @@ -0,0 +1,88 @@ +# Service for all Artifactory cluster nodes. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "artifactory-ha.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.artifactory.service.annotations }} + annotations: +{{ toYaml .Values.artifactory.service.annotations | indent 4 }} +{{- end }} +spec: + type: {{ .Values.artifactory.service.type }} + {{- if and (eq .Values.artifactory.service.type "ClusterIP") .Values.artifactory.service.clusterIP }} + clusterIP: {{ .Values.artifactory.service.clusterIP }} + {{- end }} + {{- if .Values.artifactory.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.artifactory.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} + ports: + - port: {{ .Values.artifactory.externalPort }} + targetPort: {{ .Values.artifactory.internalPort }} + protocol: TCP + name: {{ .Release.Name }}-router + - port: {{ .Values.artifactory.externalArtifactoryPort }} + targetPort: {{ .Values.artifactory.internalArtifactoryPort }} + protocol: TCP + name: {{ .Release.Name }}-artifactory + {{- with .Values.artifactory.node.javaOpts.jmx }} + {{- if .enabled }} + - port: {{ .port }} + targetPort: {{ .port }} + protocol: TCP + name: jmx + {{- end }} + {{- end }} + selector: +{{- if eq .Values.artifactory.service.pool "members" }} + role: {{ template "artifactory-ha.node.name" . }} +{{- end }} + app: {{ template "artifactory-ha.name" . }} + component: "{{ .Values.artifactory.name }}" + release: {{ .Release.Name }} +--- +# Internal service for Artifactory primary node only! +# Used by member nodes to check readiness of primary node before starting up +apiVersion: v1 +kind: Service +metadata: + name: {{ template "artifactory-ha.primary.name" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.artifactory.service.type }} + {{- if and (eq .Values.artifactory.service.type "ClusterIP") .Values.artifactory.service.clusterIP }} + clusterIP: {{ .Values.artifactory.service.clusterIP }} + {{- end }} + ports: + - port: {{ .Values.artifactory.externalPort }} + targetPort: {{ .Values.artifactory.internalPort }} + protocol: TCP + name: {{ .Release.Name }}-router + - port: {{ .Values.artifactory.externalArtifactoryPort }} + targetPort: {{ .Values.artifactory.internalArtifactoryPort }} + protocol: TCP + name: {{ .Release.Name }}-artifactory + {{- with .Values.artifactory.primary.javaOpts.jmx }} + {{- if .enabled }} + - port: {{ .port }} + targetPort: {{ .port }} + protocol: TCP + name: jmx + {{- end }} + {{- end }} + selector: + role: {{ template "artifactory-ha.primary.name" . }} + app: {{ template "artifactory-ha.name" . }} + component: "{{ .Values.artifactory.name }}" + release: {{ .Release.Name }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-serviceaccount.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-serviceaccount.yaml new file mode 100755 index 0000000..6ea0b10 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: +{{- if .Values.serviceAccount.annotations }} + annotations: +{{ tpl (toYaml .) $ | indent 4 }} +{{- end}} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "artifactory-ha.serviceAccountName" . }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-storage-pvc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-storage-pvc.yaml new file mode 100755 index 0000000..e0bfa6b --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-storage-pvc.yaml @@ -0,0 +1,27 @@ +{{ if .Values.artifactory.customPersistentVolumeClaim }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + labels: + app: {{ template "artifactory-ha.name" . }} + version: "{{ .Values.artifactory.version }}" + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + accessModes: + {{- range .Values.artifactory.customPersistentVolumeClaim.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.artifactory.customPersistentVolumeClaim.storageClassName }} + {{- if (eq "-" .Values.artifactory.customPersistentVolumeClaim.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.customPersistentVolumeClaim.storageClassName }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ .Values.artifactory.customPersistentVolumeClaim.size | quote }} +{{ end -}} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-system-yaml.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-system-yaml.yaml new file mode 100755 index 0000000..cf8ffba --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-system-yaml.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.primary.name" . }}-system-yaml + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +stringData: + system.yaml: | +{{ tpl .Values.artifactory.systemYaml . | indent 4 }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/catalina-logger-configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/catalina-logger-configmap.yaml new file mode 100755 index 0000000..807fe72 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/catalina-logger-configmap.yaml @@ -0,0 +1,53 @@ +{{- if .Values.artifactory.catalinaLoggers }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-catalina-logger + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + tail-log.sh: | + #!/bin/sh + + LOG_DIR=$1 + LOG_NAME=$2 + PID= + + # Wait for log dir to appear + while [ ! -d ${LOG_DIR} ]; do + sleep 1 + done + sleep 5 + + cd ${LOG_DIR} + + LOG_PREFIX=$(echo ${LOG_NAME} | awk -F\. '{print $1}') + + # Find the log to tail + LOG_FILE=$(ls -1t ./${LOG_PREFIX}.*.log | head -1) + + # echo "Tailing ${LOG_FILE}" + tail -F ${LOG_FILE} & + PID=$! + + # Loop forever to see if a new log was created + while true; do + # Find the latest log + NEW_LOG_FILE=$(ls -1t ./${LOG_PREFIX}.*.log | head -1) + + # If a new log file is found, kill old tail and switch to tailing it + if [ "${LOG_FILE}" != "${NEW_LOG_FILE}" ]; then + kill -9 ${PID} + wait $! 2>/dev/null + LOG_FILE=${NEW_LOG_FILE} + + # echo "Tailing ${LOG_FILE}" + tail -F ${LOG_FILE} & + PID=$! + fi + sleep 2 + done +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/filebeat-configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/filebeat-configmap.yaml new file mode 100755 index 0000000..d2db2a0 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/filebeat-configmap.yaml @@ -0,0 +1,15 @@ +{{- if .Values.filebeat.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.name" . }}-filebeat-config + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} +data: + filebeat.yml: | +{{ tpl .Values.filebeat.filebeatYml . | indent 4 }} +{{- end -}} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/ingress.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/ingress.yaml new file mode 100755 index 0000000..e8e2fd2 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/ingress.yaml @@ -0,0 +1,56 @@ +{{- if .Values.ingress.enabled -}} +{{- $serviceName := include "artifactory-ha.fullname" . -}} +{{- $servicePort := .Values.artifactory.externalPort -}} +{{- $artifactoryServicePort := .Values.artifactory.externalArtifactoryPort -}} +{{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "artifactory-ha.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.ingress.labels }} +{{ .Values.ingress.labels | toYaml | trimSuffix "\n"| indent 4 -}} +{{- end}} +{{- if .Values.ingress.annotations }} + annotations: + force-update: "{{ randAlpha 63 | lower }}" +{{ .Values.ingress.annotations | toYaml | trimSuffix "\n" | indent 4 -}} +{{- end }} +spec: + {{- if .Values.ingress.defaultBackend.enabled }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + rules: +{{- if .Values.ingress.hosts }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingress.routerPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + - path: {{ $.Values.ingress.artifactoryPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $artifactoryServicePort }} + {{- end -}} +{{- end -}} + {{- with .Values.ingress.additionalRules }} +{{ tpl . $ | indent 2 }} + {{- end }} + + {{- if .Values.ingress.tls }} + tls: +{{ toYaml .Values.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-artifactory-conf.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-artifactory-conf.yaml new file mode 100755 index 0000000..eb1f0e6 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-artifactory-conf.yaml @@ -0,0 +1,14 @@ +{{- if and (not .Values.nginx.customArtifactoryConfigMap) .Values.nginx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + artifactory.conf: | +{{ tpl .Values.nginx.artifactoryConf . | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-certificate-secret.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-certificate-secret.yaml new file mode 100755 index 0000000..2c1430a --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-certificate-secret.yaml @@ -0,0 +1,14 @@ +{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ template "artifactory-ha.fullname" . }}-nginx-certificate + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: +{{ ( include "artifactory-ha.gen-certs" . ) | indent 2 }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-conf.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-conf.yaml new file mode 100755 index 0000000..5f424d5 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-conf.yaml @@ -0,0 +1,14 @@ +{{- if and (not .Values.nginx.customConfigMap) .Values.nginx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-nginx-conf + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + nginx.conf: | +{{ tpl .Values.nginx.mainConf . | indent 4 }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-deployment.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-deployment.yaml new file mode 100755 index 0000000..4bc3f79 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-deployment.yaml @@ -0,0 +1,185 @@ +{{- if .Values.nginx.enabled -}} +{{- $serviceName := include "artifactory-ha.fullname" . -}} +{{- $servicePort := .Values.artifactory.externalPort -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "artifactory-ha.nginx.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.nginx.replicaCount }} + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} + template: + metadata: + annotations: + checksum/nginx-conf: {{ include (print $.Template.BasePath "/nginx-conf.yaml") . | sha256sum }} + checksum/nginx-artifactory-conf: {{ include (print $.Template.BasePath "/nginx-artifactory-conf.yaml") . | sha256sum }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.nginx.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + initContainers: + - name: "setup" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + command: + - '/bin/sh' + - '-c' + - > + rm -rfv {{ .Values.nginx.persistence.mountPath }}/lost+found; + mkdir -p {{ .Values.nginx.persistence.mountPath }}/logs; + volumeMounts: + - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} + name: nginx-volume + securityContext: + runAsUser: {{ .Values.nginx.uid }} + fsGroup: {{ .Values.nginx.gid }} + containers: + - name: {{ .Values.nginx.name }} + image: '{{ .Values.nginx.image.repository }}:{{ default .Chart.AppVersion .Values.nginx.image.version }}' + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + command: + - 'nginx' + - '-g' + - 'daemon off;' + ports: + # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.1 and + # will be cleaned up in a later version + {{- if .Values.nginx.http }} + {{- if .Values.nginx.http.enabled }} + - containerPort: {{ .Values.nginx.http.internalPort }} + {{- end }} + {{- else }} # DEPRECATED + - containerPort: {{ .Values.nginx.internalPortHttp }} + {{- end }} + {{- if .Values.nginx.https }} + {{- if .Values.nginx.https.enabled }} + - containerPort: {{ .Values.nginx.https.internalPort }} + {{- end }} + {{- else }} # DEPRECATED + - containerPort: {{ .Values.nginx.internalPortHttps }} + {{- end }} + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: nginx-artifactory-conf + mountPath: "{{ .Values.nginx.persistence.mountPath }}/conf.d/" + - name: nginx-volume + mountPath: {{ .Values.nginx.persistence.mountPath | quote }} + - name: ssl-certificates + mountPath: "{{ .Values.nginx.persistence.mountPath }}/ssl" + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} + {{- if .Values.nginx.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.nginx.readinessProbe.path }} + {{- if .Values.nginx.http.enabled }} + port: {{ .Values.nginx.http.internalPort }} + scheme: HTTP + {{- else }} + port: {{ .Values.nginx.https.internalPort }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: {{ .Values.nginx.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.nginx.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.nginx.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.nginx.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.nginx.readinessProbe.successThreshold }} + {{- end }} + {{- if .Values.nginx.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.nginx.livenessProbe.path }} + {{- if .Values.nginx.http.enabled }} + port: {{ .Values.nginx.http.internalPort }} + scheme: HTTP + {{- else }} + port: {{ .Values.nginx.https.internalPort }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: {{ .Values.nginx.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.nginx.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.nginx.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.nginx.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.nginx.livenessProbe.successThreshold }} + {{- end }} + {{- $image := .Values.logger.image.repository }} + {{- $tag := .Values.logger.image.tag }} + {{- $mountPath := .Values.nginx.persistence.mountPath }} + {{- range .Values.nginx.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - tail + args: + - '-F' + - '{{ $mountPath }}/logs/{{ . }}' + volumeMounts: + - name: nginx-volume + mountPath: {{ $mountPath }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: nginx-conf + configMap: + {{- if .Values.nginx.customConfigMap }} + name: {{ .Values.nginx.customConfigMap }} + {{- else }} + name: {{ template "artifactory-ha.fullname" . }}-nginx-conf + {{- end }} + - name: nginx-artifactory-conf + configMap: + {{- if .Values.nginx.customArtifactoryConfigMap }} + name: {{ .Values.nginx.customArtifactoryConfigMap }} + {{- else }} + name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf + {{- end }} + + - name: nginx-volume + {{- if .Values.nginx.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.nginx.persistence.existingClaim | default (include "artifactory-ha.nginx.fullname" .) }} + {{- else }} + emptyDir: {} + {{- end }} + - name: ssl-certificates + secret: + {{- if .Values.nginx.tlsSecretName }} + secretName: {{ .Values.nginx.tlsSecretName }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-nginx-certificate + {{- end }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-pvc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-pvc.yaml new file mode 100755 index 0000000..68a89ce --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-pvc.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.nginx.persistence.enabled (.Values.nginx.enabled) (eq (int .Values.nginx.replicaCount) 1) }} +{{- if (not .Values.nginx.persistence.existingClaim) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.nginx.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + accessModes: + - {{ .Values.nginx.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.nginx.persistence.size | quote }} +{{- if .Values.nginx.persistence.storageClass }} +{{- if (eq "-" .Values.nginx.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.nginx.persistence.storageClass }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-service.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-service.yaml new file mode 100755 index 0000000..7a212e0 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-service.yaml @@ -0,0 +1,69 @@ +{{- if .Values.nginx.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "artifactory-ha.nginx.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} + {{- if .Values.nginx.service.labels }} +{{ toYaml .Values.nginx.service.labels | indent 4 }} + {{- end }} +{{- if .Values.nginx.service.annotations }} + annotations: +{{ toYaml .Values.nginx.service.annotations | indent 4 }} +{{- end }} +spec: + type: {{ .Values.nginx.service.type }} + {{- if and (eq .Values.nginx.service.type "ClusterIP") .Values.nginx.service.clusterIP }} + clusterIP: {{ .Values.nginx.service.clusterIP }} + {{- end }} +{{- if eq .Values.nginx.service.type "LoadBalancer" }} + {{ if .Values.nginx.service.loadBalancerIP -}} + loadBalancerIP: {{ .Values.nginx.service.loadBalancerIP }} + {{ end -}} + {{- if .Values.nginx.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.nginx.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if .Values.nginx.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.nginx.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} + ports: + # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.0 and + # will be cleaned up in a later verion + {{- if .Values.nginx.http }} + {{- if .Values.nginx.http.enabled }} + - port: {{ .Values.nginx.http.externalPort }} + targetPort: {{ .Values.nginx.http.internalPort }} + protocol: TCP + name: http + {{- end }} + {{- else }} # DEPRECATED + - port: {{ .Values.nginx.externalPortHttp }} + targetPort: {{ .Values.nginx.internalPortHttp }} + protocol: TCP + name: http + {{- end }} + {{- if .Values.nginx.https }} + {{- if .Values.nginx.https.enabled }} + - port: {{ .Values.nginx.https.externalPort }} + targetPort: {{ .Values.nginx.https.internalPort }} + protocol: TCP + name: https + {{- end }} + {{- else }} # DEPRECATED + - port: {{ .Values.nginx.externalPortHttps }} + targetPort: {{ .Values.nginx.internalPortHttps }} + protocol: TCP + name: https + {{- end }} + selector: + app: {{ template "artifactory-ha.name" . }} + component: {{ .Values.nginx.name }} + release: {{ .Release.Name }} +{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-large.yaml new file mode 100755 index 0000000..ec05d2a --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-large.yaml @@ -0,0 +1,24 @@ +artifactory: + primary: + resources: + requests: + memory: "6Gi" + cpu: "4" + limits: + memory: "10Gi" + cpu: "8" + javaOpts: + xms: "6g" + xmx: "8g" + node: + replicaCount: 3 + resources: + requests: + memory: "6Gi" + cpu: "4" + limits: + memory: "10Gi" + cpu: "8" + javaOpts: + xms: "6g" + xmx: "8g" diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-medium.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-medium.yaml new file mode 100755 index 0000000..33879c0 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-medium.yaml @@ -0,0 +1,24 @@ +artifactory: + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "8Gi" + cpu: "6" + javaOpts: + xms: "4g" + xmx: "6g" + node: + replicaCount: 2 + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "8Gi" + cpu: "6" + javaOpts: + xms: "4g" + xmx: "6g" diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-small.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-small.yaml new file mode 100755 index 0000000..4babf97 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-small.yaml @@ -0,0 +1,24 @@ +artifactory: + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + node: + replicaCount: 1 + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml new file mode 100755 index 0000000..64af84e --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml @@ -0,0 +1,1330 @@ +# Default values for artifactory-ha. +# This is a YAML-formatted file. +# Beware when changing values here. You should know what you are doing! +# Access the values with {{ .Values.key.subkey }} + +# Common +initContainerImage: "alpine:3.10" + +installer: + type: + platform: + +# For supporting pulling from private registries +imagePullSecrets: + +## Role Based Access Control +## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ +rbac: + create: true + role: + ## Rules to create. It follows the role specification + rules: + - apiGroups: + - '' + resources: + - services + - endpoints + - pods + verbs: + - get + - watch + - list + +## Service Account +## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ +## +serviceAccount: + create: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + annotations: {} + +ingress: + enabled: false + defaultBackend: + enabled: true + # Used to create an Ingress record. + hosts: [] + routerPath: / + artifactoryPath: /artifactory/ + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + # traffic-type: external + # traffic-type: internal + tls: [] + # Secrets must be manually created in the namespace. + # - secretName: chart-example-tls + # hosts: + # - artifactory.domain.example + + # Additional ingress rules + additionalRules: [] + + +networkpolicy: + # Allows all ingress and egress + - name: artifactory + podSelector: + matchLabels: + app: artifactory-ha + egress: + - {} + ingress: + - {} + # Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) + # - name: postgresql + # podSelector: + # matchLabels: + # app: postgresql + # ingress: + # - from: + # - podSelector: + # matchLabels: + # app: artifactory-ha + + +## Database configurations +## Use the wait-for-db init container. Set to false to skip +waitForDatabase: true + +## Configuration values for the postgresql dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## +postgresql: + enabled: true + image: + registry: docker.bintray.io + repository: bitnami/postgresql + tag: 9.6.15-debian-9-r91 + postgresqlUsername: artifactory + postgresqlPassword: "" + postgresqlDatabase: artifactory + postgresqlConfiguration: + listenAddresses: "'*'" + maxConnections: "1500" + persistence: + enabled: true + size: 50Gi + service: + port: 5432 + resources: {} + # requests: + # memory: "512Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "500m" + nodeSelector: {} + +## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), +## you MUST specify custom database details here or Artifactory will NOT start +database: + type: + driver: + ## If you set the url, leave host and port empty + url: + ## If you would like this chart to create the secret containing the db + ## password, use these values + user: + password: + ## If you have existing Kubernetes secrets containing db credentials, use + ## these values + secrets: {} + # user: + # name: "rds-artifactory" + # key: "db-user" + # password: + # name: "{{ .Release.Name}}}}-postgresql" + # key: "postgresql-password" + # url: + # name: "rds-artifactory" + # key: "db-url" + +logger: + image: + repository: 'busybox' + tag: '1.30' + +# Artifactory +artifactory: + name: artifactory-ha + image: + # repository: "docker.bintray.io/jfrog/artifactory-pro" + repository: "earlyaccess.jfrog.io/artifactory-pro" + # Note that by default we use appVersion to get image tag + # version: + pullPolicy: IfNotPresent + + # Create a priority class for the Artifactory pods or use an existing one + # NOTE - Maximum allowed value of a user defined priority is 1000000000 + priorityClass: + create: false + value: 1000000000 + ## Override default name + # name: + ## Use an existing priority class + # existingPriorityClass: + + # Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties + deleteDBPropertiesOnStartup: true + database: + maxOpenConnections: 80 + + # This directory is intended for use with NFS eventual configuration for HA + haDataDir: + enabled: false + path: + + # Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup + copyOnEveryStartup: + # # Absolute path + # - source: /artifactory_extra_conf/binarystore.xml + # # Relative to ARTIFACTORY_HOME/ + # target: etc/ + # # Absolute path + # - source: /artifactory_extra_conf/artifactory.lic + # # Relative to ARTIFACTORY_HOME/ + # target: etc/ + + # Sidecar containers for tailing Artifactory logs + loggers: [] + # - request.log + # - event.log + # - binarystore.log + # - request_trace.log + # - access.log + # - artifactory.log + # - build_info_migration.log + + # Sidecar containers for tailing Tomcat (catalina) logs + catalinaLoggers: [] + # - catalina.log + # - host-manager.log + # - localhost.log + # - manager.log + + ## Add custom init containers execution before predefined init containers + customInitContainersBegin: | + - name: "custom-setup" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + command: + - 'sh' + - '-c' + - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}' + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: volume + ## Add custom init containers + + ## Add custom init containers execution after predefined init containers + customInitContainers: | + # - name: "custom-setup" + # image: "{{ .Values.initContainerImage }}" + # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume + + ## Add custom sidecar containers + # - The provided example uses a custom volume (customVolumes) + # - The provided example shows running container as root (id 0) + customSidecarContainers: | + # - name: "sidecar-list-etc" + # image: "{{ .Values.initContainerImage }}" + # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + # securityContext: + # runAsUser: 0 + # fsGroup: 0 + # command: + # - 'sh' + # - '-c' + # - 'sh /scripts/script.sh' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume + # - mountPath: "/scripts/script.sh" + # name: custom-script + # subPath: script.sh + # resources: + # requests: + # memory: "32Mi" + # cpu: "50m" + # limits: + # memory: "128Mi" + # cpu: "100m" + + ## Add custom volumes + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script + + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: "/scripts/script.sh" + # subPath: script.sh + # - name: posthook-start + # mountPath: "/scripts/posthoook-start.sh" + # subPath: posthoook-start.sh + # - name: prehook-start + # mountPath: "/scripts/prehook-start.sh" + # subPath: prehook-start.sh + + # Add custom persistent volume mounts - Available for the pod + customPersistentPodVolumeClaim: {} + # name: + # mountPath: + # accessModes: + # - "-" + # size: + # storageClassName: + + # Add custom persistent volume mounts - Available to the entire namespace + customPersistentVolumeClaim: {} + # name: + # mountPath: + # accessModes: + # - "-" + # size: + # storageClassName: + + ## Artifactory HA requires a unique master key. Each Artifactory node must have the same master key! + ## You can generate one with the command: 'openssl rand -hex 16' + ## Pass it to helm with '--set artifactory.masterKey=${MASTER_KEY}' + ## Alternatively, you can use a pre-existing secret with a key called master-key by specifying masterKeySecretName + ## IMPORTANT: You should NOT use the example masterKey for a production deployment! + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + # masterKeySecretName: + + ## Join Key to connect to other services to Artifactory + ## IMPORTANT: You should NOT use the example joinKey for a production deployment! + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + + binarystore: + enabled: true + + accessAdmin: + ip: "127.0.0.1" + password: + secret: + dataKey: + + ## Artifactory license. + license: + ## licenseKey is the license key in plain text. Use either this or the license.secret setting + licenseKey: + ## If artifactory.license.secret is passed, it will be mounted as + ## ARTIFACTORY_HOME/etc/artifactory.lic and loaded at run time. + secret: + ## The dataKey should be the name of the secret data key created. + dataKey: + + ## Create configMap with artifactory.config.import.xml and security.import.xml and pass name of configMap in following parameter + configMapName: + + # Add any list of configmaps to Artifactory + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" + + ## List of secrets for Artifactory user plugins. + ## One Secret per plugin's files. + userPluginSecrets: + # - archive-old-artifacts + # - build-cleanup + # - webhook + # - '{{ template "my-chart.fullname" . }}' + + ## Extra pre-start command to install JDBC driver for MySql/MariaDb/Oracle + # preStartCommand: "wget -O /opt/jfrog/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + ## Extra post-start command to run extra commands after container starts + # postStartCommand: + + ## Extra environment variables that can be used to tune Artifactory to your needs. + ## Uncomment and set value as needed + #extraEnvironmentVariables: | + # - name: JF_SHARED_DATABSE_USERNAME + # value: "artifactory" + # - name: JF_SHARED_DATABASE_PASSWORD + # valueFrom: + # secretKeyRef: + # name: {{ .Release.Name }}-postgresql + # key: postgresql-password + # - name: POSTGRES_DB + # value: "artifactory" + + # TODO: Fix javaOpts for member nodes (currently uses primary settings for all nodes) + systemYaml: | + shared: + extraJavaOpts: > + {{- with .Values.artifactory.primary.javaOpts }} + -Dartifactory.async.corePoolSize={{ .corePoolSize }} + {{- if .xms }} + -Xms{{ .xms }} + {{- end }} + {{- if .xmx }} + -Xmx{{ .xmx }} + {{- end }} + {{- if .jmx.enabled }} + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} + {{- if .jmx.host }} + -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} + {{- else }} + -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} + {{- end }} + {{- if .jmx.authenticate }} + -Dcom.sun.management.jmxremote.authenticate=true + -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} + -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} + {{- else }} + -Dcom.sun.management.jmxremote.authenticate=false + {{- end }} + {{- end }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + database: + {{- if .Values.postgresql.enabled }} + type: postgresql + url: 'jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}' + host: '' + driver: org.postgresql.Driver + username: '{{ .Values.postgresql.postgresqlUsername }}' + password: '{{ .Values.postgresql.postgresqlPassword }}' + {{ else }} + type: '{{ .Values.database.type }}' + url: '{{ .Values.database.url }}' + driver: '{{ .Values.database.driver }}' + username: '{{ .Values.database.user }}' + password: '{{ .Values.database.password }}' + {{- end }} + security: + joinKey: '{{ .Values.artifactory.joinKey }}' + masterKey: '{{ .Values.artifactory.masterKey }}' + artifactory: + {{- if .Values.artifactory.haDataDir.enabled }} + node: + haDataDir: {{ .Values.artifactory.haDataDir.path }} + {{- end }} + database: + maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} + access: + database: + maxOpenConnections: '{{ .Values.access.database.maxOpenConnections }}' + {{- if .Values.access.database.enabled }} + type: '{{ .Values.access.database.type }}' + url: '{{ .Values.access.database.url }}' + driver: '{{ .Values.access.database.driver }}' + username: '{{ .Values.access.database.user }}' + password: '{{ .Values.access.database.password }}' + {{- end }} + + ## IMPORTANT: If overriding artifactory.internalPort: + ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024! + externalPort: 8082 + internalPort: 8082 + externalArtifactoryPort: 8081 + internalArtifactoryPort: 8081 + uid: 1030 + terminationGracePeriodSeconds: 30 + ## The following settings are to configure the frequency of the liveness and readiness probes + livenessProbe: + enabled: true + path: /router/api/v1/system/health + initialDelaySeconds: 180 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + + readinessProbe: + enabled: true + path: /router/api/v1/system/health + initialDelaySeconds: 60 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + + persistence: + enabled: true + local: false + redundancy: 3 + mountPath: "/var/opt/jfrog/artifactory" + accessMode: ReadWriteOnce + size: 200Gi + + ## Use a custom Secret to be mounted as your binarystore.xml + ## NOTE: This will ignore all settings below that make up binarystore.xml + customBinarystoreXmlSecret: + + maxCacheSize: 50000000000 + cacheProviderDir: cache + eventual: + numberOfThreads: 10 + ## artifactory data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClassName: "-" + + ## Set the persistence storage type. This will apply the matching binarystore.xml to Artifactory config + ## Supported types are: + ## file-system (default) + ## nfs + ## google-storage + ## aws-s3 + ## azure-blob + type: file-system + + ## Use binarystoreXml to provide a custom binarystore.xml + ## This can be a template or hardcoded. + binarystoreXml: | + {{- if eq .Values.artifactory.persistence.type "file-system" }} + + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + + + + + + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} + + {{- end }} + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + // Specify the read and write strategy and redundancy for the sharding binary provider + + roundRobin + percentageFreeSpace + 2 + + + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} + //For each sub-provider (mount), specify the filestore location + + filestore{{ $sharedClaimNumber }} + + {{- end }} + + {{- else }} + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + 2 + 2 + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + + shard-fs-1 + local + + + + + 30 + tester-remote1 + 10000 + remote + + + + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "google-storage" }} + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + 2 + + + + + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + local + + + + 30 + 10000 + remote + + + + {{ .Values.artifactory.persistence.mountPath }}/data/filestore + /tmp + + + + google-cloud-storage + {{ .Values.artifactory.persistence.googleStorage.endpoint }} + {{ .Values.artifactory.persistence.googleStorage.httpsOnly }} + {{ .Values.artifactory.persistence.googleStorage.bucketName }} + {{ .Values.artifactory.persistence.googleStorage.identity }} + {{ .Values.artifactory.persistence.googleStorage.credential }} + {{ .Values.artifactory.persistence.googleStorage.path }} + {{ .Values.artifactory.persistence.googleStorage.bucketExists }} + + + {{- end }} + {{- if eq .Values.artifactory.persistence.type "aws-s3-v3" }} + + + + + + + + + + + + + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + + + + + remote + + + + local + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + {{- with .Values.artifactory.persistence.awsS3V3 }} + + {{ .testConnection }} + {{- if .identity }} + {{ .identity }} + {{- end }} + {{- if .credential }} + {{ .credential }} + {{- end }} + {{ .region }} + {{ .bucketName }} + {{ .path }} + {{ .endpoint }} + {{- with .kmsServerSideEncryptionKeyId }} + {{ . }} + {{- end }} + {{- with .kmsKeyRegion }} + {{ . }} + {{- end }} + {{- with .kmsCryptoMode }} + {{ . }} + {{- end }} + true + {{ .usePresigning }} + {{ .signatureExpirySeconds }} + {{- with .cloudFrontDomainName }} + {{ . }} + {{- end }} + {{- with .cloudFrontKeyPairId }} + {{ .cloudFrontKeyPairId }} + {{- end }} + {{- with .cloudFrontPrivateKey }} + {{ . }} + {{- end }} + + {{- end }} + + {{- end }} + + {{- if eq .Values.artifactory.persistence.type "aws-s3" }} + + + + + + + + + + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + local + + + + 30 + 10000 + remote + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + + + + + {{ .Values.artifactory.persistence.awsS3.endpoint }} + {{- if .Values.artifactory.persistence.awsS3.roleName }} + {{ .Values.artifactory.persistence.awsS3.roleName }} + true + {{- else }} + {{ .Values.artifactory.persistence.awsS3.refreshCredentials }} + {{- end }} + {{ .Values.artifactory.persistence.awsS3.s3AwsVersion }} + {{ .Values.artifactory.persistence.awsS3.testConnection }} + {{ .Values.artifactory.persistence.awsS3.httpsOnly }} + {{ .Values.artifactory.persistence.awsS3.region }} + {{ .Values.artifactory.persistence.awsS3.bucketName }} + {{- if .Values.artifactory.persistence.awsS3.identity }} + {{ .Values.artifactory.persistence.awsS3.identity }} + {{- end }} + {{- if .Values.artifactory.persistence.awsS3.credential }} + {{ .Values.artifactory.persistence.awsS3.credential }} + {{- end }} + {{ .Values.artifactory.persistence.awsS3.path }} + {{- range $key, $value := .Values.artifactory.persistence.awsS3.properties }} + + {{- end }} + + + {{- end }} + {{- if eq .Values.artifactory.persistence.type "azure-blob" }} + + + + + + + + + + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + + crossNetworkStrategy + crossNetworkStrategy + 2 + 1 + + + + + remote + + + + local + + + + + {{ .Values.artifactory.persistence.azureBlob.accountName }} + {{ .Values.artifactory.persistence.azureBlob.accountKey }} + {{ .Values.artifactory.persistence.azureBlob.endpoint }} + {{ .Values.artifactory.persistence.azureBlob.containerName }} + {{ .Values.artifactory.persistence.azureBlob.testConnection }} + + + {{- end }} + + ## For artifactory.persistence.type file-system + fileSystem: + ## You may also use existing shared claims for the data and backup storage. This allows storage (NAS for example) to be used for Data and Backup dirs which are safe to share across multiple artifactory nodes. + ## You may specify numberOfExistingClaims to indicate how many of these existing shared claims to mount. (Default = 1) + ## Create PVCs with ReadWriteMany that match the naming convetions: + ## {{ template "artifactory-ha.fullname" . }}-data-pvc- + ## {{ template "artifactory-ha.fullname" . }}-backup-pvc- + ## Example (using numberOfExistingClaims: 2) + ## myexample-artifactory-ha-data-pvc-0 + ## myexample-artifactory-ha-backup-pvc-0 + ## myexample-artifactory-ha-data-pvc-1 + ## myexample-artifactory-ha-backup-pvc-1 + ## Note: While you need two PVC fronting two PVs, multiple PVs can be attached to the same storage in many cases allowing you to share an underlying drive. + + ## Need to have the following set + existingSharedClaim: + enabled: false + numberOfExistingClaims: 1 + ## Should be a child directory of {{ .Values.artifactory.persistence.mountPath }} + dataDir: "{{ .Values.artifactory.persistence.mountPath }}/artifactory-data" + backupDir: "/var/opt/jfrog/artifactory-backup" + + + ## For artifactory.persistence.type nfs + ## If using NFS as the shared storage, you must have a running NFS server that is accessible by your Kubernetes + ## cluster nodes. + ## Need to have the following set + nfs: + # Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' + ip: + haDataMount: "/data" + haBackupMount: "/backup" + dataDir: "/var/opt/jfrog/artifactory-ha" + backupDir: "/var/opt/jfrog/artifactory-backup" + capacity: 200Gi + mountOptions: [] + ## For artifactory.persistence.type google-storage + googleStorage: + endpoint: storage.googleapis.com + httpsOnly: false + # Set a unique bucket name + bucketName: "artifactory-ha-gcp" + identity: + credential: + path: "artifactory-ha/filestore" + bucketExists: false + + ## For artifactory.persistence.type aws-s3-v3 + awsS3V3: + testConnection: false + identity: + credential: + region: + bucketName: artifactory-aws + path: artifactory/filestore + endpoint: + kmsServerSideEncryptionKeyId: + kmsKeyRegion: + kmsCryptoMode: + useInstanceCredentials: true + usePresigning: false + signatureExpirySeconds: 300 + cloudFrontDomainName: + cloudFrontKeyPairId: + cloudFrontPrivateKey: + + ## For artifactory.persistence.type aws-s3 + ## IMPORTANT: Make sure S3 `endpoint` and `region` match! See https://docs.aws.amazon.com/general/latest/gr/rande.html + awsS3: + # Set a unique bucket name + bucketName: "artifactory-ha-aws" + endpoint: + region: + roleName: + identity: + credential: + path: "artifactory-ha/filestore" + refreshCredentials: true + httpsOnly: true + testConnection: false + s3AwsVersion: "AWS4-HMAC-SHA256" + + ## Additional properties to set on the s3 provider + properties: {} + # httpclient.max-connections: 100 + ## For artifactory.persistence.type azure-blob + azureBlob: + accountName: + accountKey: + endpoint: + containerName: + testConnection: false + service: + name: artifactory + type: ClusterIP + ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + annotations: {} + ## Which nodes in the cluster should be in the external load balancer pool (have external traffic routed to them) + ## Supported pool values + ## members + ## all + pool: members + + ## The following Java options are passed to the java process running Artifactory. + ## This will be passed to all cluster members. Primary and member nodes. + javaOpts: {} + # other: "" + annotations: {} + + ## Type specific configurations. + ## There is a difference between the primary and the member nodes. + ## Customising their resources and java parameters is done here. + primary: + name: artifactory-ha-primary + labels: {} + persistence: + ## Set existingClaim to true or false + ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-primary-0` + existingClaim: false + ## Resources for the primary node + resources: {} + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" + ## The following Java options are passed to the java process running Artifactory primary node. + ## You should set them according to the resources set above + javaOpts: + # xms: "1g" + # xmx: "2g" + corePoolSize: 16 + jmx: + enabled: false + port: 9010 + host: + ssl: false + # When authenticate is true, accessFile and passwordFile are required + authenticate: false + accessFile: + passwordFile: + # other: "" + nodeSelector: {} + + tolerations: [] + + affinity: {} + ## Only used if "affinity" is empty + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "" + topologyKey: "kubernetes.io/hostname" + + node: + name: artifactory-ha-member + labels: {} + persistence: + ## Set existingClaim to true or false + ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-member-0` + existingClaim: false + replicaCount: 2 + minAvailable: 1 + ## Resources for the member nodes + resources: {} + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" + ## The following Java options are passed to the java process running Artifactory member nodes. + ## You should set them according to the resources set above + javaOpts: + # xms: "1g" + # xmx: "2g" + corePoolSize: 16 + jmx: + enabled: false + port: 9010 + host: + ssl: false + # When authenticate is true, accessFile and passwordFile are required + authenticate: false + accessFile: + passwordFile: + # other: "" + # xms: "1g" + # xmx: "2g" + # other: "" + nodeSelector: {} + waitForPrimaryStartup: + enabled: true + time: 60 + + tolerations: [] + + ## Complete specification of the "affinity" of the member nodes; if this is non-empty, + ## "podAntiAffinity" values are not used. + affinity: {} + + ## Only used if "affinity" is empty + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "" + topologyKey: "kubernetes.io/hostname" + +access: + database: + maxOpenConnections: 80 + +# Init containers +initContainers: + resources: {} +# requests: +# memory: "64Mi" +# cpu: "10m" +# limits: +# memory: "128Mi" +# cpu: "250m" + + +# Nginx +nginx: + enabled: true + name: nginx + labels: {} + replicaCount: 1 + uid: 104 + gid: 107 + image: + # repository: "docker.bintray.io/jfrog/nginx-artifactory-pro" + repository: "earlyaccess.jfrog.io/nginx-artifactory-pro" + # Note that by default we use appVersion to get image tag + # version: + pullPolicy: IfNotPresent + + + # Sidecar containers for tailing Nginx logs + loggers: [] + # - access.log + # - error.log + + mainConf: | + # Main Nginx configuration file + worker_processes 4; + error_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 32k; + proxy_buffers 40 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + log_format timing 'ip = $remote_addr ' + 'user = \"$remote_user\" ' + 'local_time = \"$time_local\" ' + 'host = $host ' + 'request = \"$request\" ' + 'status = $status ' + 'bytes = $body_bytes_sent ' + 'upstream = \"$upstream_addr\" ' + 'upstream_time = $upstream_response_time ' + 'request_time = $request_time ' + 'referer = \"$http_referer\" ' + 'UA = \"$http_user_agent\"'; + access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; + sendfile on; + #tcp_nopush on; + keepalive_timeout 65; + #gzip on; + include /etc/nginx/conf.d/*.conf; + } + + artifactoryConf: | + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; + ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + ## server configuration + server { + {{- if .Values.nginx.internalPortHttps }} + listen {{ .Values.nginx.internalPortHttps }} ssl; + {{- else -}} + {{- if .Values.nginx.https.enabled }} + listen {{ .Values.nginx.https.internalPort }} ssl; + {{- end }} + {{- end }} + {{- if .Values.nginx.internalPortHttp }} + listen {{ .Values.nginx.internalPortHttp }}; + {{- else -}} + {{- if .Values.nginx.http.enabled }} + listen {{ .Values.nginx.http.internalPort }}; + {{- end }} + {{- end }} + server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} + {{- range .Values.ingress.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ (splitn "." 2 .)._1 }} {{ . }} + {{- end -}} + {{- end -}}; + + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + ## Application specific logs + ## access_log /var/log/nginx/artifactory-access.log timing; + ## error_log /var/log/nginx/artifactory-error.log; + rewrite ^/artifactory/?$ / redirect; + if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; + } + chunked_transfer_encoding on; + client_max_body_size 0; + + location / { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/; + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location /artifactory/ { + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; + } + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; + } + } + } + + service: + ## For minikube, set this to NodePort, elsewhere use LoadBalancer + #type: NodePort + type: LoadBalancer + #type: ClusterIP + ## For supporting whitelist on the Nginx LoadBalancer service + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + ## Provide static ip address + loadBalancerIP: + ## There are two available options: “Cluster” (default) and “Local”. + externalTrafficPolicy: Cluster + labels: {} + # label-key: label-value + http: + enabled: true + externalPort: 80 + internalPort: 80 + https: + enabled: true + externalPort: 443 + internalPort: 443 + # DEPRECATED: The following will be replaced by L1065-L1076 in a future release + # externalPortHttp: 80 + # internalPortHttp: 80 + # externalPortHttps: 443 + # internalPortHttps: 443 + + ## The following settings are to configure the frequency of the liveness and readiness probes + livenessProbe: + enabled: true + path: /router/api/v1/system/health + initialDelaySeconds: 60 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + + readinessProbe: + enabled: true + path: /router/api/v1/system/health + initialDelaySeconds: 10 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + ## The SSL secret that will be used by the Nginx pod + # tlsSecretName: chart-example-tls + ## Custom ConfigMap for nginx.conf + customConfigMap: + ## Custom ConfigMap for artifactory.conf + customArtifactoryConfigMap: + persistence: + mountPath: "/var/opt/jfrog/nginx" + enabled: false + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + + accessMode: ReadWriteOnce + size: 5Gi + ## nginx data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClassName: "-" + resources: {} + # requests: + # memory: "250Mi" + # cpu: "100m" + # limits: + # memory: "250Mi" + # cpu: "500m" + + nodeSelector: {} + + tolerations: [] + + affinity: {} + +# Filebeat Sidecar container +## The provided filebeat configuration is for Artifactory logs. It assumes you have a logstash installed and configured properly. +filebeat: + enabled: false + name: artifactory-filebeat + image: + repository: "docker.elastic.co/beats/filebeat" + version: 7.5.1 + logstashUrl: "logstash:5044" + + terminationGracePeriod: 10 + + livenessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + curl --fail 127.0.0.1:5066 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + + readinessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + filebeat test output + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + + resources: {} +# requests: +# memory: "100Mi" +# cpu: "100m" +# limits: +# memory: "100Mi" +# cpu: "100m" + + filebeatYml: | + logging.level: info + path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat + name: artifactory-filebeat + queue.spool: ~ + filebeat.inputs: + - type: log + enabled: true + close_eof: ${CLOSE:false} + paths: + - {{ .Values.artifactory.persistence.mountPath }}/log/*.log + fields: + service: "jfrt" + log_type: "artifactory" + output: + logstash: + hosts: ["{{ .Values.filebeat.logstashUrl }}"] diff --git a/Openshift4/artifactory-ha-operator/watches.yaml b/Openshift4/artifactory-ha-operator/watches.yaml new file mode 100644 index 0000000..42941f3 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/watches.yaml @@ -0,0 +1,5 @@ +--- +- version: v1alpha1 + group: charts.helm.k8s.io + kind: OpenshiftArtifactoryHa + chart: helm-charts/openshift-artifactory-ha diff --git a/Openshift4/artifactoryha-helm/CHANGELOG.md b/Openshift4/artifactoryha-helm/CHANGELOG.md new file mode 100755 index 0000000..075bfa2 --- /dev/null +++ b/Openshift4/artifactoryha-helm/CHANGELOG.md @@ -0,0 +1,557 @@ +# JFrog Artifactory-ha Chart Changelog +All changes to this chart will be documented in this file. + +## [1.3.7] - Jan 07, 2020 +* Add support for customizable `mountOptions` of NFS PVs + +## [1.3.6] - Dec 30, 2019 +* Fix for nginx probes failing when launched with http disabled + +## [1.3.5] - Dec 24, 2019 +* Better support for custom `artifactory.internalPort` + +## [1.3.4] - Dec 23, 2019 +* Mark empty map values with `{}` + +## [1.3.3] - Dec 16, 2019 +* Another fix for toggling nginx service ports + +## [1.3.2] - Dec 12, 2019 +* Fix for toggling nginx service ports + +## [1.3.1] - Dec 10, 2019 +* Add support for toggling nginx service ports + +## [1.3.0] - Dec 1, 2019 +* Updated Artifactory version to 6.16.0 + +## [1.2.4] - Nov 28, 2019 +* Add support for using existing PriorityClass + +## [1.2.3] - Nov 27, 2019 +* Add support for PriorityClass + +## [1.2.2] - Nov 20, 2019 +* Update Artifactory logo + +## [1.2.1] - Nov 18, 2019 +* Add the option to provide service account annotations (in order to support stuff like https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html) + +## [1.2.0] - Nov 18, 2019 +* Updated Artifactory version to 6.15.0 + +## [1.1.12] - Nov 17, 2019 +* Fix `README.md` format (broken table) + +## [1.1.11] - Nov 17, 2019 +* Update comment on Artifactory master key + +## [1.1.10] - Nov 17, 2019 +* Fix creation of double slash in nginx artifactory configuration + +## [1.1.9] - Nov 14, 2019 +* Set explicit `postgresql.postgresqlPassword=""` to avoid helm v3 error + +## [1.1.8] - Nov 12, 2019 +* Updated Artifactory version to 6.14.1 + +## [1.1.7] - Nov 11, 2019 +* Additional documentation for masterKey + +## [1.1.6] - Nov 10, 2019 +* Update PostgreSQL chart version to 7.0.1 +* Use formal PostgreSQL configuration format + +## [1.1.5] - Nov 8, 2019 +* Add support `artifactory.service.loadBalancerSourceRanges` for whitelisting when setting `artifactory.service.type=LoadBalancer` + +## [1.1.4] - Nov 6, 2019 +* Add support for any type of environment variable by using `extraEnvironmentVariables` as-is + +## [1.1.3] - Nov 6, 2019 +* Add nodeselector support for Postgresql + +## [1.1.2] - Nov 5, 2019 +* Add support for the aws-s3-v3 filestore, which adds support for pod IAM roles + +## [1.1.1] - Nov 4, 2019 +* When using `copyOnEveryStartup`, make sure that the target base directories are created before copying the files + +## [1.1.0] - Nov 3, 2019 +* Updated Artifactory version to 6.14.0 + +## [1.0.1] - Nov 3, 2019 +* Make sure the artifactory pod exits when one of the pre-start stages fail + +## [1.0.0] - Oct 27, 2019 +**IMPORTANT - BREAKING CHANGES!**
+**DOWNTIME MIGHT BE REQUIRED FOR AN UPGRADE!** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), must use the upgrade instructions in [UPGRADE_NOTES.md](UPGRADE_NOTES.md)! +* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is **not backward compatible** with the old version (`0.9.5`)! +* Note the following **PostgreSQL** Helm chart changes + * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used + * **PostgreSQL** is deployed as a StatefulSet + * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations + +## [0.17.3] - Oct 24, 2019 +* Change the preStartCommand to support templating + +## [0.17.2] - Oct 21, 2019 +* Add support for setting `artifactory.primary.labels` +* Add support for setting `artifactory.node.labels` +* Add support for setting `nginx.labels` + +## [0.17.1] - Oct 10, 2019 +* Updated Artifactory version to 6.13.1 + +## [0.17.0] - Oct 7, 2019 +* Updated Artifactory version to 6.13.0 + +## [0.16.7] - Sep 24, 2019 +* Option to skip wait-for-db init container with '--set waitForDatabase=false' + +## [0.16.6] - Sep 24, 2019 +* Add support for setting `nginx.service.labels` + +## [0.16.5] - Sep 23, 2019 +* Add support for setting `artifactory.customInitContainersBegin` + +## [0.16.4] - Sep 20, 2019 +* Add support for setting `initContainers.resources` + +## [0.16.3] - Sep 11, 2019 +* Updated Artifactory version to 6.12.2 + +## [0.16.2] - Sep 9, 2019 +* Updated Artifactory version to 6.12.1 + +## [0.16.1] - Aug 22, 2019 +* Fix the nginx server_name directive used with ingress.hosts + +## [0.16.0] - Aug 21, 2019 +* Updated Artifactory version to 6.12.0 + +## [0.15.15] - Aug 18, 2019 +* Fix existingSharedClaim permissions issue and example + +## [0.15.14] - Aug 14, 2019 +* Updated Artifactory version to 6.11.6 + +## [0.15.13] - Aug 11, 2019 +* Fix Ingress routing and add an example + +## [0.15.12] - Aug 6, 2019 +* Do not mount `access/etc/bootstrap.creds` unless user specifies a custom password or secret (Access already generates a random password if not provided one) +* If custom `bootstrap.creds` is provided (using keys or custom secret), prepare it with an init container so the temp file does not persist + +## [0.15.11] - Aug 5, 2019 +* Improve binarystore config + 1. Convert to a secret + 2. Move config to values.yaml + 3. Support an external secret + +## [0.15.10] - Aug 5, 2019 +* Don't create the nginx configmaps when nginx.enabled is false + +## [0.15.9] - Aug 1, 2019 +* Fix masterkey/masterKeySecretName not specified warning render logic in NOTES.txt + +## [0.15.8] - Jul 28, 2019 +* Simplify nginx setup and shorten initial wait for probes + +## [0.15.7] - Jul 25, 2019 +* Updated README about how to apply Artifactory licenses + +## [0.15.6] - Jul 22, 2019 +* Change Ingress API to be compatible with recent kubernetes versions + +## [0.15.5] - Jul 22, 2019 +* Updated Artifactory version to 6.11.3 + +## [0.15.4] - Jul 11, 2019 +* Add `artifactory.customVolumeMounts` support to member node statefulset template + +## [0.15.3] - Jul 11, 2019 +* Add ingress.hosts to the Nginx server_name directive when ingress is enabled to help with Docker repository sub domain configuration + +## [0.15.2] - Jul 3, 2019 +* Add the option for changing nginx config using values.yaml and remove outdated reverse proxy documentation + +## [0.15.1] - Jul 1, 2019 +* Updated Artifactory version to 6.11.1 + +## [0.15.0] - Jun 27, 2019 +* Updated Artifactory version to 6.11.0 and Restart Primary node when bootstrap.creds file has been modified in artifactory-ha + +## [0.14.4] - Jun 24, 2019 +* Add the option to provide an IP for the access-admin endpoints + +## [0.14.3] - Jun 24, 2019 +* Update chart maintainers + +## [0.14.2] - Jun 24, 2019 +* Change Nginx to point to the artifactory externalPort + +## [0.14.1] - Jun 23, 2019 +* Add values files for small, medium and large installations + +## [0.14.0] - Jun 20, 2019 +* Use ConfigMaps for nginx configuration and remove nginx postStart command + +## [0.13.10] - Jun 19, 2019 +* Updated Artifactory version to 6.10.4 + +## [0.13.9] - Jun 18, 2019 +* Add the option to provide additional ingress rules + +## [0.13.8] - Jun 14, 2019 +* Updated readme with improved external database setup example + +## [0.13.7] - Jun 6, 2019 +* Updated Artifactory version to 6.10.3 +* Updated installer-info template + +## [0.13.6] - Jun 6, 2019 +* Updated Google Cloud Storage API URL and https settings + +## [0.13.5] - Jun 5, 2019 +* Delete the db.properties file on Artifactory startup + +## [0.13.4] - Jun 3, 2019 +* Updated Artifactory version to 6.10.2 + +## [0.13.3] - May 21, 2019 +* Updated Artifactory version to 6.10.1 + +## [0.13.2] - May 19, 2019 +* Fix missing logger image tag + +## [0.13.1] - May 15, 2019 +* Support `artifactory.persistence.cacheProviderDir` for on-premise cluster + +## [0.13.0] - May 7, 2019 +* Updated Artifactory version to 6.10.0 + +## [0.12.23] - May 5, 2019 +* Add support for setting `artifactory.async.corePoolSize` + +## [0.12.22] - May 2, 2019 +* Remove unused property `artifactory.releasebundle.feature.enabled` + +## [0.12.21] - Apr 30, 2019 +* Add support for JMX monitoring + +## [0.12.20] - Apr29, 2019 +* Added support for headless services + +## [0.12.19] - Apr 28, 2019 +* Added support for `cacheProviderDir` + +## [0.12.18] - Apr 18, 2019 +* Changing API StatefulSet version to `v1` and permission fix for custom `artifactory.conf` for Nginx + +## [0.12.17] - Apr 16, 2019 +* Updated documentation for Reverse Proxy Configuration + +## [0.12.16] - Apr 12, 2019 +* Added support for `customVolumeMounts` + +## [0.12.15] - Aprl 12, 2019 +* Added support for `bucketExists` flag for googleStorage + +## [0.12.14] - Apr 11, 2019 +* Replace `curl` examples with `wget` due to the new base image + +## [0.12.13] - Aprl 07, 2019 +* Add support for providing the Artifactory license as a parameter + +## [0.12.12] - Apr 10, 2019 +* Updated Artifactory version to 6.9.1 + +## [0.12.11] - Aprl 04, 2019 +* Add support for templated extraEnvironmentVariables + +## [0.12.10] - Aprl 07, 2019 +* Change network policy API group + +## [0.12.9] - Aprl 04, 2019 +* Apply the existing PVC for members (in addition to primary) + +## [0.12.8] - Aprl 03, 2019 +* Bugfix for userPluginSecrets + +## [0.12.7] - Apr 4, 2019 +* Add information about upgrading Artifactory with auto-generated postgres password + +## [0.12.6] - Aprl 03, 2019 +* Added installer info + +## [0.12.5] - Aprl 03, 2019 +* Allow secret names for user plugins to contain template language + +## [0.12.4] - Apr 02, 2019 +* Fix issue #253 (use existing PVC for data and backup storage) + +## [0.12.3] - Apr 02, 2019 +* Allow NetworkPolicy configurations (defaults to allow all) + +## [0.12.2] - Aprl 01, 2019 +* Add support for user plugin secret + +## [0.12.1] - Mar 26, 2019 +* Add the option to copy a list of files to ARTIFACTORY_HOME on startup + +## [0.12.0] - Mar 26, 2019 +* Updated Artifactory version to 6.9.0 + +## [0.11.18] - Mar 25, 2019 +* Add CI tests for persistence, ingress support and nginx + +## [0.11.17] - Mar 22, 2019 +* Add the option to change the default access-admin password + +## [0.11.16] - Mar 22, 2019 +* Added support for `.Probe.path` to customise the paths used for health probes + +## [0.11.15] - Mar 21, 2019 +* Added support for `artifactory.customSidecarContainers` to create custom sidecar containers +* Added support for `artifactory.customVolumes` to create custom volumes + +## [0.11.14] - Mar 21, 2019 +* Make ingress path configurable + +## [0.11.13] - Mar 19, 2019 +* Move the copy of bootstrap config from postStart to preStart for Primary + +## [0.11.12] - Mar 19, 2019 +* Fix existingClaim example + +## [0.11.11] - Mar 18, 2019 +* Disable the option to use nginx PVC with more than one replica + +## [0.11.10] - Mar 15, 2019 +* Wait for nginx configuration file before using it + +## [0.11.9] - Mar 15, 2019 +* Revert securityContext changes since they were causing issues + +## [0.11.8] - Mar 15, 2019 +* Fix issue #247 (init container failing to run) + +## [0.11.7] - Mar 14, 2019 +* Updated Artifactory version to 6.8.7 + +## [0.11.6] - Mar 13, 2019 +* Move securityContext to container level + +## [0.11.5] - Mar 11, 2019 +* Add the option to use existing volume claims for Artifactory storage + +## [0.11.4] - Mar 11, 2019 +* Updated Artifactory version to 6.8.6 + +## [0.11.3] - Mar 5, 2019 +* Updated Artifactory version to 6.8.4 + +## [0.11.2] - Mar 4, 2019 +* Add support for catalina logs sidecars + +## [0.11.1] - Feb 27, 2019 +* Updated Artifactory version to 6.8.3 + +## [0.11.0] - Feb 25, 2019 +* Add nginx support for tail sidecars + +## [0.10.3] - Feb 21, 2019 +* Add s3AwsVersion option to awsS3 configuration for use with IAM roles + +## [0.10.2] - Feb 19, 2019 +* Updated Artifactory version to 6.8.2 + +## [0.10.1] - Feb 17, 2019 +* Updated Artifactory version to 6.8.1 +* Add example of `SERVER_XML_EXTRA_CONNECTOR` usage + +## [0.10.0] - Feb 15, 2019 +* Updated Artifactory version to 6.8.0 + +## [0.9.7] - Feb 13, 2019 +* Updated Artifactory version to 6.7.3 + +## [0.9.6] - Feb 7, 2019 +* Add support for tail sidecars to view logs from k8s api + +## [0.9.5] - Feb 6, 2019 +* Fix support for customizing statefulset `terminationGracePeriodSeconds` + +## [0.9.4] - Feb 5, 2019 +* Add support for customizing statefulset `terminationGracePeriodSeconds` + +## [0.9.3] - Feb 5, 2019 +* Remove the inactive server remove plugin + +## [0.9.2] - Feb 3, 2019 +* Updated Artifactory version to 6.7.2 + +## [0.9.1] - Jan 27, 2019 +* Fix support for Azure Blob Storage Binary provider + +## [0.9.0] - Jan 23, 2019 +* Updated Artifactory version to 6.7.0 + +## [0.8.10] - Jan 22, 2019 +* Added support for `artifactory.customInitContainers` to create custom init containers + +## [0.8.9] - Jan 18, 2019 +* Added support of values ingress.labels + +## [0.8.8] - Jan 16, 2019 +* Mount replicator.yaml (config) directly to /replicator_extra_conf + +## [0.8.7] - Jan 15, 2018 +* Add support for Azure Blob Storage Binary provider + +## [0.8.6] - Jan 13, 2019 +* Fix documentation about nginx group id + +## [0.8.5] - Jan 13, 2019 +* Updated Artifactory version to 6.6.5 + +## [0.8.4] - Jan 8, 2019 +* Make artifactory.replicator.publicUrl required when the replicator is enabled + +## [0.8.3] - Jan 1, 2019 +* Updated Artifactory version to 6.6.3 +* Add support for `artifactory.extraEnvironmentVariables` to pass more environment variables to Artifactory + +## [0.8.2] - Dec 28, 2018 +* Fix location `replicator.yaml` is copied to + +## [0.8.1] - Dec 27, 2018 +* Updated Artifactory version to 6.6.1 + +## [0.8.0] - Dec 20, 2018 +* Updated Artifactory version to 6.6.0 + +## [0.7.17] - Dec 17, 2018 +* Updated Artifactory version to 6.5.13 + +## [0.7.16] - Dec 12, 2018 +* Fix documentation about Artifactory license setup using secret + +## [0.7.15] - Dec 9, 2018 +* AWS S3 add `roleName` for using IAM role + +## [0.7.14] - Dec 6, 2018 +* AWS S3 `identity` and `credential` are now added only if have a value to allow using IAM role + +## [0.7.13] - Dec 5, 2018 +* Remove Distribution certificates creation. + +## [0.7.12] - Dec 2, 2018 +* Remove Java option "-Dartifactory.locking.provider.type=db". This is already the default setting. + +## [0.7.11] - Nov 30, 2018 +* Updated Artifactory version to 6.5.9 + +## [0.7.10] - Nov 29, 2018 +* Fixed the volumeMount for the replicator.yaml + +## [0.7.9] - Nov 29, 2018 +* Optionally include primary node into poddisruptionbudget + +## [0.7.8] - Nov 29, 2018 +* Updated postgresql version to 9.6.11 + +## [0.7.7] - Nov 27, 2018 +* Updated Artifactory version to 6.5.8 + +## [0.7.6] - Nov 18, 2018 +* Added support for configMap to use custom Reverse Proxy Configuration with Nginx + +## [0.7.5] - Nov 14, 2018 +* Updated Artifactory version to 6.5.3 + +## [0.7.4] - Nov 13, 2018 +* Allow pod anti-affinity settings to include primary node + +## [0.7.3] - Nov 12, 2018 +* Support artifactory.preStartCommand for running command before entrypoint starts + +## [0.7.2] - Nov 7, 2018 +* Support database.url parameter (DB_URL) + +## [0.7.1] - Oct 29, 2018 +* Change probes port to 8040 (so they will not be blocked when all tomcat threads on 8081 are exhausted) + +## [0.7.0] - Oct 28, 2018 +* Update postgresql chart to version 0.9.5 to be able and use `postgresConfig` options + +## [0.6.9] - Oct 23, 2018 +* Fix providing external secret for database credentials + +## [0.6.8] - Oct 22, 2018 +* Allow user to configure externalTrafficPolicy for Loadbalancer + +## [0.6.7] - Oct 22, 2018 +* Updated ingress annotation support (with examples) to support docker registry v2 + +## [0.6.6] - Oct 21, 2018 +* Updated Artifactory version to 6.5.2 + +## [0.6.5] - Oct 19, 2018 +* Allow providing pre-existing secret containing master key +* Allow arbitrary annotations on primary and member node pods +* Enforce size limits when using local storage with `emptyDir` +* Allow `soft` or `hard` specification of member node anti-affinity +* Allow providing pre-existing secrets containing external database credentials +* Fix `s3` binary store provider to properly use the `cache-fs` provider +* Allow arbitrary properties when using the `s3` binary store provider + +## [0.6.4] - Oct 18, 2018 +* Updated Artifactory version to 6.5.1 + +## [0.6.3] - Oct 17, 2018 +* Add Apache 2.0 license + +## [0.6.2] - Oct 14, 2018 +* Make S3 endpoint configurable (was hardcoded with `s3.amazonaws.com`) + +## [0.6.1] - Oct 11, 2018 +* Allows ingress default `backend` to be enabled or disabled (defaults to enabled) + +## [0.6.0] - Oct 11, 2018 +* Updated Artifactory version to 6.5.0 + +## [0.5.3] - Oct 9, 2018 +* Quote ingress hosts to support wildcard names + +## [0.5.2] - Oct 2, 2018 +* Add `helm repo add jfrog https://charts.jfrog.io` to README + +## [0.5.1] - Oct 2, 2018 +* Set Artifactory to 6.4.1 + +## [0.5.0] - Sep 27, 2018 +* Set Artifactory to 6.4.0 + +## [0.4.7] - Sep 26, 2018 +* Add ci/test-values.yaml + +## [0.4.6] - Sep 25, 2018 +* Add PodDisruptionBudget for member nodes, defaulting to minAvailable of 1 + +## [0.4.4] - Sep 2, 2018 +* Updated Artifactory version to 6.3.2 + +## [0.4.0] - Aug 22, 2018 +* Added support to run as non root +* Updated Artifactory version to 6.2.0 + +## [0.3.0] - Aug 22, 2018 +* Enabled RBAC Support +* Added support for PostStartCommand (To download Database JDBC connector) +* Increased postgresql max_connections +* Added support for `nginx.conf` ConfigMap +* Updated Artifactory version to 6.1.0 diff --git a/Openshift4/artifactoryha-helm/Chart.yaml b/Openshift4/artifactoryha-helm/Chart.yaml new file mode 100755 index 0000000..0e1989f --- /dev/null +++ b/Openshift4/artifactoryha-helm/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +appVersion: 7.0.2 +description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. +home: https://www.jfrog.com/artifactory/ +icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-ha/logo/artifactory-logo.png +keywords: +- artifactory +- jfrog +- devops +maintainers: +- email: amithk@jfrog.com + name: amithins +- email: daniele@jfrog.com + name: danielezer +- email: eldada@jfrog.com + name: eldada +- email: rimasm@jfrog.com + name: rimusz +name: openshift-artifactory-ha +sources: +- https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view +- https://github.com/jfrog/charts +version: 2.0.4 diff --git a/Openshift4/artifactoryha-helm/LICENSE b/Openshift4/artifactoryha-helm/LICENSE new file mode 100755 index 0000000..8dada3e --- /dev/null +++ b/Openshift4/artifactoryha-helm/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Openshift4/artifactoryha-helm/README.md b/Openshift4/artifactoryha-helm/README.md new file mode 100755 index 0000000..76bd6af --- /dev/null +++ b/Openshift4/artifactoryha-helm/README.md @@ -0,0 +1,1266 @@ +# JFrog Artifactory High Availability Helm Chart + +## Prerequisites Details + +* Kubernetes 1.8+ +* Artifactory HA license + +## Chart Details +This chart will do the following: + +* Deploy Artifactory highly available cluster. 1 primary node and 2 member nodes. +* Deploy a PostgreSQL database +* Deploy an Nginx server + +## Artifactory HA architecture +The Artifactory HA cluster in this chart is made up of +- A single primary node +- Two member nodes, which can be resized at will + +Load balancing is done to the member nodes only. +This leaves the primary node free to handle jobs and tasks and not be interrupted by inbound traffic. +> This can be controlled by the parameter `artifactory.service.pool`. + +## Installing the Chart + +### Add JFrog Helm repository +Before installing JFrog helm charts, you need to add the [JFrog helm repository](https://charts.jfrog.io/) to your helm client +```bash +helm repo add jfrog https://charts.jfrog.io +``` + +### Install Chart +To install the chart with the release name `artifactory-ha`: +```bash +helm install --name artifactory-ha --set postgresql.postgresqlPassword= jfrog/artifactory-ha +``` + +### System Configuration +Artifactory uses a common system configuration file - `system.yaml`. See [official documentation](https://www.jfrog.com/confluence/display/JFROG/System+YAML+Configuration+File) on its usage. +In order to override the default `system.yaml` configuration, do the following: +```bash +artifactory: + systemYaml: | + +``` + +### Accessing Artifactory +**NOTE:** It might take a few minutes for Artifactory's public IP to become available, and the nodes to complete initial setup. +Follow the instructions outputted by the install command to get the Artifactory IP and URL to access it. + +### Updating Artifactory +Once you have a new chart version, you can update your deployment with +```bash +helm upgrade artifactory-ha jfrog/artifactory-ha +``` + +If artifactory was installed without providing a value to postgresql.postgresqlPassword (a password was autogenerated), follow these instructions: +1. Get the current password by running: +```bash +POSTGRES_PASSWORD=$(kubectl get secret -n -postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +``` +2. Upgrade the release by passing the previously auto-generated secret: +```bash +helm upgrade jfrog/artifactory-ha --set postgresql.postgresqlPassword=${POSTGRES_PASSWORD} +``` + +This will apply any configuration changes on your existing deployment. + +### Artifactory memory and CPU resources +The Artifactory HA Helm chart comes with support for configured resource requests and limits to all pods. By default, these settings are commented out. +It is **highly** recommended to set these so you have full control of the allocated resources and limits. + +See more information on [setting resources for your Artifactory based on planned usage](https://www.jfrog.com/confluence/display/RTF/System+Requirements#SystemRequirements-RecommendedHardware). + +```bash +# Example of setting resource requests and limits to all pods (including passing java memory settings to Artifactory) +helm install --name artifactory-ha \ + --set artifactory.primary.resources.requests.cpu="500m" \ + --set artifactory.primary.resources.limits.cpu="2" \ + --set artifactory.primary.resources.requests.memory="1Gi" \ + --set artifactory.primary.resources.limits.memory="4Gi" \ + --set artifactory.primary.javaOpts.xms="1g" \ + --set artifactory.primary.javaOpts.xmx="4g" \ + --set artifactory.node.resources.requests.cpu="500m" \ + --set artifactory.node.resources.limits.cpu="2" \ + --set artifactory.node.resources.requests.memory="1Gi" \ + --set artifactory.node.resources.limits.memory="4Gi" \ + --set artifactory.node.javaOpts.xms="1g" \ + --set artifactory.node.javaOpts.xmx="4g" \ + --set initContainers.resources.requests.cpu="10m" \ + --set initContainers.resources.limits.cpu="250m" \ + --set initContainers.resources.requests.memory="64Mi" \ + --set initContainers.resources.limits.memory="128Mi" \ + --set postgresql.resources.requests.cpu="200m" \ + --set postgresql.resources.limits.cpu="1" \ + --set postgresql.resources.requests.memory="500Mi" \ + --set postgresql.resources.limits.memory="1Gi" \ + --set nginx.resources.requests.cpu="100m" \ + --set nginx.resources.limits.cpu="250m" \ + --set nginx.resources.requests.memory="250Mi" \ + --set nginx.resources.limits.memory="500Mi" \ + jfrog/artifactory-ha +``` +> Artifactory java memory parameters can (and should) also be set to match the allocated resources with `artifactory.[primary|node].javaOpts.xms` and `artifactory.[primary|node].javaOpts.xmx`. + +Get more details on configuring Artifactory in the [official documentation](https://www.jfrog.com/confluence/). + +Although it is possible to set resources limits and requests this way, it is recommended to use the pre-built values files +for small, medium and large installation and change them according to your needs (if necessary), as described [here](#Deploying-Artifactory-for-small/medium/large-installations) + +### Deploying Artifactory for small/medium/large installations +In the chart directory, we have added three values files, one for each installation type - small/medium/large. These values files are recommendations for setting resources requests and limits for your installation. The values are derived from the following [documentation](https://www.jfrog.com/confluence/display/EP/Installing+on+Kubernetes#InstallingonKubernetes-Systemrequirements). You can find them in the corresponding chart directory - values-small.yaml, values-medium.yaml and values-large.yaml + +### Artifactory storage +Artifactory HA support a wide range of storage back ends. You can see more details on [Artifactory HA storage options](https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup#HAInstallationandSetup-SettingUpYourStorageConfiguration) + +In this chart, you set the type of storage you want with `artifactory.persistence.type` and pass the required configuration settings. +The default storage in this chart is the `file-system` replication, where the data is replicated to all nodes. + +> **IMPORTANT:** All storage configurations (except NFS) come with a default `artifactory.persistence.redundancy` parameter. +This is used to set how many replicas of a binary should be stored in the cluster's nodes. +Once this value is set on initial deployment, you can not update it using helm. +It is recommended to set this to a number greater than half of your cluster's size, and never scale your cluster down to a size smaller than this number. + +#### Existing volume claim + +###### Primary node +In order to use an existing volume claim for the Artifactory primary storage, you need to: +- Create a persistent volume claim by the name `volume--artifactory-ha-primary-0` e.g `volume-myrelease-artifactory-ha-primary-0` +- Pass a parameter to `helm install` and `helm upgrade` +```bash +... +--set artifactory.primary.persistence.existingClaim=true +``` + +###### Member nodes +In order to use an existing volume claim for the Artifactory member nodes storage, you need to: +- Create persistent volume claims according to the number of replicas defined at `artifactory.node.replicaCount` by the names `volume--artifactory-ha-member-`, e.g `volume-myrelease-artifactory-ha-member-0` and `volume-myrelease-artifactory-ha-primary-1`. +- Pass a parameter to `helm install` and `helm upgrade` +```bash +... +--set artifactory.node.persistence.existingClaim=true +``` + +#### Existing shared volume claim + +In order to use an existing claim (for data and backup) that is to be shared across all nodes, you need to: + +- Create PVCs with ReadWriteMany that match the naming conventions: +``` + {{ template "artifactory-ha.fullname" . }}-data-pvc- + {{ template "artifactory-ha.fullname" . }}-backup-pvc- +``` +An example that shows 2 existing claims to be used: +``` + myexample-artifactory-ha-data-pvc-0 + myexample-artifactory-ha-backup-pvc-0 + myexample-artifactory-ha-data-pvc-1 + myexample-artifactory-ha-backup-pvc-1 +``` +- Set the artifactory.persistence.fileSystem.existingSharedClaim.enabled in values.yaml to true: +``` +-- set artifactory.persistence.fileSystem.existingSharedClaim.enabled=true +-- set artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims=2 +``` + +#### NFS +To use an NFS server as your cluster's storage, you need to +- Setup an NFS server. Get its IP as `NFS_IP` +- Create a `data` and `backup` directories on the NFS exported directory with write permissions to all +- Pass NFS parameters to `helm install` and `helm upgrade` +```bash +... +--set artifactory.persistence.type=nfs \ +--set artifactory.persistence.nfs.ip=${NFS_IP} \ +... +``` + +#### Google Storage +To use a Google Storage bucket as the cluster's filestore. See [Google Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-GoogleStorageBinaryProvider) +- Pass Google Storage parameters to `helm install` and `helm upgrade` +```bash +... +--set artifactory.persistence.type=google-storage \ +--set artifactory.persistence.googleStorage.identity=${GCP_ID} \ +--set artifactory.persistence.googleStorage.credential=${GCP_KEY} \ +... +``` + +#### AWS S3 +**NOTE** Keep in mind that when using the `aws-s3` persistence type, you will not be able to provide an IAM on the pod level. +In order to grant permissions to Artifactory using an IAM role, you will have to attach the IAM role to the machine(s) on which Artifactory is running. +This is due to the fact that the `aws-s3` template uses the `JetS3t` library to interact with AWS. If you want to grant an IAM role at the pod level, see the `AWS S3 Vs` section. + +To use an AWS S3 bucket as the cluster's filestore. See [S3 Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-S3BinaryProvider) +- Pass AWS S3 parameters to `helm install` and `helm upgrade` +```bash +... +# With explicit credentials: +--set artifactory.persistence.type=aws-s3 \ +--set artifactory.persistence.awsS3.endpoint=${AWS_S3_ENDPOINT} \ +--set artifactory.persistence.awsS3.region=${AWS_REGION} \ +--set artifactory.persistence.awsS3.identity=${AWS_ACCESS_KEY_ID} \ +--set artifactory.persistence.awsS3.credential=${AWS_SECRET_ACCESS_KEY} \ +... + +... +# With using existing IAM role +--set artifactory.persistence.type=aws-s3 \ +--set artifactory.persistence.awsS3.endpoint=${AWS_S3_ENDPOINT} \ +--set artifactory.persistence.awsS3.region=${AWS_REGION} \ +--set artifactory.persistence.awsS3.roleName=${AWS_ROLE_NAME} \ +... +``` +**NOTE:** Make sure S3 `endpoint` and `region` match. See [AWS documentation on endpoint](https://docs.aws.amazon.com/general/latest/gr/rande.html) + +#### AWS S3 V3 +To use an AWS S3 bucket as the cluster's filestore and access it with the official AWS SDK, See [S3 Official SDK Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate). +This filestore template uses the official AWS SDK, unlike the `aws-s3` implementation that uses the `JetS3t` library. +Use this template if you want to attach an IAM role to the Artifactory pod directly (as opposed to attaching it to the machine/s that Artifactory will run on). + +**NOTE** This will have to be combined with a k8s mechanism for attaching IAM roles to pods, like [kube2iam](https://github.com/helm/charts/tree/master/stable/kube2iam) or anything similar. + +- Pass AWS S3 V3 parameters and the annotation pointing to the IAM role (when using an IAM role. this is kube2iam specific and may vary depending on the implementation) to `helm install` and `helm upgrade` + +```bash +# With explicit credentials: +--set artifactory.persistence.type=aws-s3-v3 \ +--set artifactory.persistence.awsS3V3.region=${AWS_REGION} \ +--set artifactory.persistence.awsS3V3.bucketName=${AWS_S3_BUCKET_NAME} \ +--set artifactory.persistence.awsS3V3.identity=${AWS_ACCESS_KEY_ID} \ +--set artifactory.persistence.awsS3V3.credential=${AWS_SECRET_ACCESS_KEY} \ +... +``` + +```bash +# With using existing IAM role +--set artifactory.persistence.type=aws-s3-v3 \ +--set artifactory.persistence.awsS3V3.region=${AWS_REGION} \ +--set artifactory.persistence.awsS3V3.bucketName=${AWS_S3_BUCKET_NAME} \ +--set artifactory.annotations.'iam\.amazonaws\.com/role'=${AWS_IAM_ROLE_ARN} +... +``` + +#### Microsoft Azure Blob Storage +To use Azure Blob Storage as the cluster's filestore. See [Azure Blob Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AzureBlobStorageClusterBinaryProvider) +- Pass Azure Blob Storage parameters to `helm install` and `helm upgrade` +```bash +... +--set artifactory.persistence.type=azure-blob \ +--set artifactory.persistence.azureBlob.accountName=${AZURE_ACCOUNT_NAME} \ +--set artifactory.persistence.azureBlob.accountKey=${AZURE_ACCOUNT_KEY} \ +--set artifactory.persistence.azureBlob.endpoint=${AZURE_ENDPOINT} \ +--set artifactory.persistence.azureBlob.containerName=${AZURE_CONTAINER_NAME} \ +... +``` + +#### Custom binarystore.xml +You have an option to provide a custom [binarystore.xml](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore).
+There are two options for this + +1. Editing directly in [values.yaml](values.yaml) +```yaml +artifactory: + persistence: + binarystoreXml: | + + + + + +``` + +2. Create your own [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) and pass it to your `helm install` command +```yaml +# Prepare your custom Secret file (custom-binarystore.yaml) +kind: Secret +apiVersion: v1 +metadata: + name: custom-binarystore + labels: + app: artifactory + chart: artifactory +stringData: + binarystore.xml: |- + + + + +``` + +```bash +# Create a secret from the file +kubectl apply -n artifactory -f ./custom-binarystore.yaml + +# Pass it to your helm install command: +helm install --name artifactory-ha --set artifactory.persistence.customBinarystoreXmlSecret=custom-binarystore jfrog/artifactory-ha +``` + +### Create a unique Master Key +Artifactory HA cluster requires a unique master key. By default the chart has one set in values.yaml (`artifactory.masterKey`). + +**This key is for demo purpose and should not be used in a production environment!** + +You should generate a unique one and pass it to the template at install/upgrade time. +```bash +# Create a key +export MASTER_KEY=$(openssl rand -hex 32) +echo ${MASTER_KEY} + +# Pass the created master key to helm +helm install --name artifactory-ha --set artifactory.masterKey=${MASTER_KEY} jfrog/artifactory-ha +``` + +Alternatively, you can create a secret containing the master key manually and pass it to the template at install/upgrade time. +```bash +# Create a key +export MASTER_KEY=$(openssl rand -hex 32) +echo ${MASTER_KEY} + +# Create a secret containing the key. The key in the secret must be named master-key +kubectl create secret generic my-secret --from-literal=master-key=${MASTER_KEY} + +# Pass the created secret to helm +helm install --name artifactory-ha --set artifactory.masterKeySecretName=my-secret jfrog/artifactory-ha +``` +**NOTE:** In either case, make sure to pass the same master key on all future calls to `helm install` and `helm upgrade`! In the first case, this means always passing `--set artifactory.masterKey=${MASTER_KEY}`. In the second, this means always passing `--set artifactory.masterKeySecretName=my-secret` and ensuring the contents of the secret remain unchanged. + +### Create a unique Join Key +Artifactory requires a unique join key. By default the chart has one set in values.yaml (`artifactory.joinKey`). + +**This key is for demo purpose and should not be used in a production environment!** + +You should generate a unique key and pass it to the template at install/upgrade time. +```bash +# Create a key +export JOIN_KEY=$(openssl rand -hex 16) +echo ${JOIN_KEY} + +# Pass the created master key to helm +helm install --name artifactory --set artifactory.joinKey=${JOIN_KEY} jfrog/artifactory +``` + +**NOTE:** In either case, make sure to pass the same join key on all future calls to `helm install` and `helm upgrade`! This means always passing `--set artifactory.joinKey=${JOIN_KEY}`. + +### Install Artifactory HA license +For activating Artifactory HA, you must install an appropriate license. There are three ways to manage the license. **Artifactory UI**, **REST API**, or a **Kubernetes Secret**. + +The easier and recommended way is the **Artifactory UI**. Using the **Kubernetes Secret** or **REST API** is for advanced users and is better suited for automation. + +**IMPORTANT:** You should use only one of the following methods. Switching between them while a cluster is running might disable your Artifactory HA cluster! + +##### Artifactory UI +Once primary cluster is running, open Artifactory UI and insert the license(s) in the UI. See [HA installation and setup](https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup) for more details. **Note that you should enter all licenses at once, with each license is separated by a newline.** If you add the licenses one at a time, you may get redirected to a node without a license and the UI won't load for that node. + +##### REST API +You can add licenses via REST API (https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API#ArtifactoryRESTAPI-InstallHAClusterLicenses). Note that the REST API expects "\n" for the newlines in the licenses. + +##### Kubernetes Secret +You can deploy the Artifactory license(s) as a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/). +Prepare a text file with the license(s) written in it. If writing multiple licenses (must be in the same file), it's important to put **two new lines between each license block**! +```bash +# Create the Kubernetes secret (assuming the local license file is 'art.lic') +kubectl create secret generic artifactory-cluster-license --from-file=./art.lic + +# Pass the license to helm +helm install --name artifactory-ha --set artifactory.license.secret=artifactory-cluster-license,artifactory.license.dataKey=art.lic jfrog/artifactory-ha +``` +**NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). +Updating the license should be done via Artifactory UI or REST API. + +##### Create the secret as part of the helm release +values.yaml +```yaml +artifactory: + license: + licenseKey: |- + + + + + + + +``` + +```bash +helm install --name artifactory-ha -f values.yaml jfrog/artifactory-ha +``` +**NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). +Updating the license should be done via Artifactory UI or REST API. +If you want to keep managing the artifactory license using the same method, you can use the copyOnEveryStartup example shown in the values.yaml file + + +### copyOnEveryStartup feature +Files stored in the `/artifactory-extra-conf` directory are only copied to the `ARTIFACTORY_HOME/etc` directory upon the first startup. +In some cases, you want your configuration files to be copied to the `ARTIFACTORY_HOME/etc` directory on every startup. +Two examples for that would be: + +1. the binarstore.xml file. If you use the default behaviour, your binarystore.xml configuration will only be copied on the first startup, +which means that changes you make over time to the `binaryStoreXml` configuration will not be applied. In order to make sure your changes are applied on every startup, do the following: +Create a values file with the following values: +```yaml +artifactory: + copyOnEveryStartup: + - source: /artifactory_extra_conf/binarystore.xml + target: etc/ +``` + +Install the helm chart with the values file you created: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f values.yaml +``` + +2. Any custom configuration file you have to configure artifactory, such as `logabck.xml`: +Create a config map with your `logback.xml` configuration. + +Create a values file with the following values: +```yaml +artifactory: + ## Create a volume pointing to the config map with your configuration file + customVolumes: | + - name: logback-xml-configmap + configMap: + name: logback-xml-configmap + customVolumeMounts: | + - name: logback-xml-configmap + mountPath: /tmp/artifactory-logback/ + copyOnEveryStartup: + - source: /tmp/artifactory-logback/* + target: etc/ +``` + +Install the helm chart with the values file you created: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f values.yaml +``` + +### Configure NetworkPolicy + +NetworkPolicy specifies what ingress and egress is allowed in this namespace. It is encouraged to be more specific whenever possible to increase security of the system. + +In the `networkpolicy` section of values.yaml you can specify a list of NetworkPolicy objects. + +For podSelector, ingress and egress, if nothing is provided then a default `- {}` is applied which is to allow everything. + +A full (but very wide open) example that results in 2 NetworkPolicy objects being created: +```yaml +networkpolicy: + # Allows all ingress and egress to/from artifactory primary and member pods. + - name: artifactory + podSelector: + matchLabels: + app: artifactory-ha + egress: + - {} + ingress: + - {} + # Allows connectivity from artifactory-ha pods to postgresql pods, but no traffic leaving postgresql pod. + - name: postgresql + podSelector: + matchLabels: + app: postgresql + ingress: + - from: + - podSelector: + matchLabels: + app: artifactory-ha +``` + +### Artifactory JMX Configuration +** You can see some information about the exposed MBeans here - https://www.jfrog.com/confluence/display/RTF/Artifactory+JMX+MBeans + +Enable JMX in your deployment: +```bash +helm install --name artifactory \ + --set artifactory.primary.javaOpts.jmx.enabled=true \ + --set artifactory.node.javaOpts.jmx.enabled=true \ + jfrog/artifactory-ha +``` +This will enable access to Artifactory with JMX on the default port (9010). +** You have the option to change the port by setting ```artifactory.primary.javaOpts.jmx.port``` and ```artifactory.node.javaOpts.jmx.port``` +to your choice of port + +In order to connect to Artifactory using JMX with jconsole (or any similar tool) installed on your computer, follow the following steps: +1. Enable JMX as described above and Change the Artifactory service to be of type LoadBalancer: +```bash +helm install --name artifactory \ + --set artifactory.primary.javaOpts.jmx.enabled=true \ + --set artifactory.node.javaOpts.jmx.enabled=true \ + --set artifactory.service.type=LoadBalancer \ + jfrog/artifactory-ha +``` +2. The default setting for java.rmi.server.hostname is the service name (this is also configurable with +```artifactory.primary.javaOpts.jmx.host``` and ```artifactory.node.javaOpts.jmx.host```), So in order to connect to Artifactory +with jconsole you should map the Artifactory kuberentes service IP to the service name using your hosts file as such: +``` + artifactory-ha--primary + +``` +3. Launch jconsole with the service address and port: +```bash +jconsole artifactory-ha--primary: +jconsole : +``` + +### Access creds. bootstraping +**IMPORTANT:** Bootsrapping access creds. will allow access for the user access-admin from certain IP's. + +* User guide to [bootstrap Artifactory Access credentials](https://www.jfrog.com/confluence/display/ACC/Configuring+Access) + +1. Create `access-creds-values.yaml` and provide the IP (By default 127.0.0.1) and password: +```yaml +artifactory: + accessAdmin: + ip: "" #Example: "*" + password: "" +``` + +2. Apply the `access-creds-values.yaml` file: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f access-creds-values.yaml +``` + +### Bootstrapping Artifactory +**IMPORTANT:** Bootstrapping Artifactory needs license. Pass license as shown in above section. + +* User guide to [bootstrap Artifactory Global Configuration](https://www.jfrog.com/confluence/display/RTF/Configuration+Files#ConfigurationFiles-BootstrappingtheGlobalConfiguration) +* User guide to [bootstrap Artifactory Security Configuration](https://www.jfrog.com/confluence/display/RTF/Configuration+Files#ConfigurationFiles-BootstrappingtheSecurityConfiguration) + +1. Create `bootstrap-config.yaml` with artifactory.config.import.xml and security.import.xml as shown below: +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: my-release-bootstrap-config +data: + artifactory.config.import.xml: | + + security.import.xml: | + +``` + +2. Create configMap in Kubernetes: +```bash +kubectl apply -f bootstrap-config.yaml +``` +3. Pass the configMap to helm +```bash +helm install --name artifactory-ha --set artifactory.license.secret=artifactory-cluster-license,artifactory.license.dataKey=art.lic,artifactory.configMapName=my-release-bootstrap-config jfrog/artifactory-ha +``` + +### Use custom nginx.conf with Nginx + +Steps to create configMap with nginx.conf +* Create `nginx.conf` file. +```bash +kubectl create configmap nginx-config --from-file=nginx.conf +``` +* Pass configMap to helm install +```bash +helm install --name artifactory-ha --set nginx.customConfigMap=nginx-config jfrog/artifactory-ha +``` + +### Scaling your Artifactory cluster +A key feature in Artifactory HA is the ability to set an initial cluster size with `--set artifactory.node.replicaCount=${CLUSTER_SIZE}` and if needed, resize it. + +##### Before scaling +**IMPORTANT:** When scaling, you need to explicitly pass the database password if it's an auto generated one (this is the default with the enclosed PostgreSQL helm chart). + +Get the current database password +```bash +export DB_PASSWORD=$(kubectl get $(kubectl get secret -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) +``` +Use `--set postgresql.postgresqlPassword=${DB_PASSWORD}` with every scale action to prevent a miss configured cluster! + +##### Scale up +Let's assume you have a cluster with **2** member nodes, and you want to scale up to **3** member nodes (a total of 4 nodes). +```bash +# Scale to 4 nodes (1 primary and 3 member nodes) +helm upgrade --install artifactory-ha --set artifactory.node.replicaCount=3 --set postgresql.postgresqlPassword=${DB_PASSWORD} jfrog/artifactory-ha +``` + +##### Scale down +Let's assume you have a cluster with **3** member nodes, and you want to scale down to **2** member node. + +```bash +# Scale down to 2 member nodes +helm upgrade --install artifactory-ha --set artifactory.node.replicaCount=2 --set postgresql.postgresqlPassword=${DB_PASSWORD} jfrog/artifactory-ha +``` +- **NOTE:** Since Artifactory is running as a Kubernetes Stateful Set, the removal of the node will **not** remove the persistent volume. You need to explicitly remove it +```bash +# List PVCs +kubectl get pvc + +# Remove the PVC with highest ordinal! +# In this example, the highest node ordinal was 2, so need to remove its storage. +kubectl delete pvc volume-artifactory-node-2 +``` + +### Use an external Database + +#### PostgreSQL +There are cases where you will want to use external PostgreSQL with a different database name e.g. `my-artifactory-db`, then you need set a custom PostgreSQL connection URL, where `my-artifactory-db` is the database name. + +This can be done with the following parameters +```bash +... +--set postgresql.enabled=false \ +--set database.type=postgresql \ +--set database.driver=org.postgresql.Driver \ +--set database.url='jdbc:postgresql://${DB_HOST}:${DB_PORT}/my-artifactory-db' \ +--set database.user=${DB_USER} \ +--set database.password=${DB_PASSWORD} \ +... +``` +**NOTE:** You must set `postgresql.enabled=false` in order for the chart to use the `database.*` parameters. Without it, they will be ignored! + +#### Other DB type +There are cases where you will want to use a different database and not the enclosed **PostgreSQL**. +See more details on [configuring the database](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Database) +> The official Artifactory Docker images include the PostgreSQL database driver. +> For other database types, you will have to add the relevant database driver to Artifactory's tomcat/lib + +This can be done with the following parameters +```bash +# Make sure your Artifactory Docker image has the MySQL database driver in it +... +--set postgresql.enabled=false \ +--set artifactory.preStartCommand="wget -O /opt/jfrog/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" \ +--set database.type=mysql \ +--set database.driver=com.mysql.jdbc.Driver \ +--set database.url=${DB_URL} \ +--set database.user=${DB_USER} \ +--set database.password=${DB_PASSWORD} \ +... +``` +**NOTE:** You must set `postgresql.enabled=false` in order for the chart to use the `database.*` parameters. Without it, they will be ignored! + +#### Using pre-existing Kubernetes Secret +If you store your database credentials in a pre-existing Kubernetes `Secret`, you can specify them via `database.secrets` instead of `database.user` and `database.password`: +```bash +# Create a secret containing the database credentials +kubectl create secret generic my-secret --from-literal=user=${DB_USER} --from-literal=password=${DB_PASSWORD} +... +--set postgresql.enabled=false \ +--set database.secrets.user.name=my-secret \ +--set database.secrets.user.key=user \ +--set database.secrets.password.name=my-secret \ +--set database.secrets.password.key=password \ +... +``` + +### Deleting Artifactory +To delete the Artifactory HA cluster +```bash +helm delete --purge artifactory-ha +``` +This will completely delete your Artifactory HA cluster. +**NOTE:** Since Artifactory is running as Kubernetes Stateful Sets, the removal of the helm release will **not** remove the persistent volumes. You need to explicitly remove them +```bash +kubectl delete pvc -l release=artifactory-ha +``` +See more details in the official [Kubernetes Stateful Set removal page](https://kubernetes.io/docs/tasks/run-application/delete-stateful-set/) + +### Custom Docker registry for your images +If you need to pull your Docker images from a private registry (for example, when you have a custom image with a MySQL database driver), you need to create a +[Kubernetes Docker registry secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) and pass it to helm +```bash +# Create a Docker registry secret called 'regsecret' +kubectl create secret docker-registry regsecret --docker-server=${DOCKER_REGISTRY} --docker-username=${DOCKER_USER} --docker-password=${DOCKER_PASS} --docker-email=${DOCKER_EMAIL} +``` +Once created, you pass it to `helm` +```bash +helm install --name artifactory-ha --set imagePullSecrets=regsecret jfrog/artifactory-ha +``` + +### Logger sidecars +This chart provides the option to add sidecars to tail various logs from Artifactory. See the available values in [values.yaml](values.yaml) + +Get list of containers in the pod +```bash +kubectl get pods -n -o jsonpath='{.spec.containers[*].name}' | tr ' ' '\n' +``` + +View specific log +```bash +kubectl logs -n -c +``` + + +### Custom init containers +There are cases where a special, unsupported init processes is needed like checking something on the file system or testing something before spinning up the main container. + +For this, there is a section for writing custom init containers before and after the predefined init containers in the [values.yaml](values.yaml) . By default it's commented out +```yaml +artifactory: + ## Add custom init containers executed before predefined init containers + customInitContainersBegin: | + ## Init containers template goes here ## + ## Add custom init containers executed after predefined init containers + customInitContainers: | + ## Init containers template goes here ## +``` + +### Custom sidecar containers +There are cases where an extra sidecar container is needed. For example monitoring agents or log collection. + +For this, there is a section for writing a custom sidecar container in the [values.yaml](values.yaml). By default it's commented out +```yaml +artifactory: + ## Add custom sidecar containers + customSidecarContainers: | + ## Sidecar containers template goes here ## +``` + +You can configure the sidecar to run as a custom user if needed by setting the following in the container template +```yaml + # Example of running container as root (id 0) + securityContext: + runAsUser: 0 + fsGroup: 0 +``` + +### Custom volumes +If you need to use a custom volume in a custom init or sidecar container, you can use this option. + +For this, there is a section for defining custom volumes in the [values.yaml](values.yaml). By default it's commented out +```yaml +artifactory: + ## Add custom volumes + customVolumes: | + ## Custom volume comes here ## +``` + +### Add Artifactory User Plugin during installation +If you need to add [Artifactory User Plugin](https://github.com/jfrog/artifactory-user-plugins), you can use this option. + +Create a secret with [Artifactory User Plugin](https://github.com/jfrog/artifactory-user-plugins) by following command: +```bash +# Secret with single user plugin +kubectl create secret generic archive-old-artifacts --from-file=archiveOldArtifacts.groovy --namespace=artifactory-ha + +# Secret with single user plugin with configuration file +kubectl create secret generic webhook --from-file=webhook.groovy --from-file=webhook.config.json.sample --namespace=artifactory-ha +``` + +Add plugin secret names to `plugins.yaml` as following: +```yaml +artifactory: + userPluginSecrets: + - archive-old-artifacts + - webhook +``` + +You can now pass the created `plugins.yaml` file to helm install command to deploy Artifactory with user plugins as follows: +```bash +helm install --name artifactory-ha -f plugins.yaml jfrog/artifactory-ha +``` + +Alternatively, you may be in a situation in which you would like to create a secret in a Helm chart that depends on this chart. In this scenario, the name of the secret is likely dynamically generated via template functions, so passing a statically named secret isn't possible. In this case, the chart supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function - simply pass the raw string containing the templating language used to name your secret as a value instead by adding the following to your chart's `values.yaml` file: +```yaml +artifactory-ha: # Name of the artifactory-ha dependency + artifactory: + userPluginSecrets: + - '{{ template "my-chart.fullname" . }}' +``` +NOTE: By defining userPluginSecrets, this overrides any pre-defined plugins from the container image that are stored in /tmp/plugins. At this time [artifactory-pro:6.9.0](https://bintray.com/jfrog/artifactory-pro) is distributed with `internalUser.groovy` plugin. If you need this plugin in addition to your user plugins, you should include these additional plugins as part of your userPluginSecrets. + +### Provide custom configMaps to Artifactory +If you want to mount a custom file to Artifactory, either an init shell script or a custom configuration file (such as `logback.xml`), you can use this option. + +Create a `configmaps.yaml` file with the following content: +```yaml +artifactory: + configMaps: | + logback.xml: | + + + + + %date [%-5level] \(%-20c{3}:%L\) %message%n + + + + + + + + + + + + + + + my-custom-post-start-hook.sh: | + echo "This is my custom post start hook" + + customVolumeMounts: | + - name: artifactory-configmaps + mountPath: /tmp/my-config-map + + postStartCommand: | + chmod +x /tmp/my-config-map/my-custom-post-start-hook.sh; + /tmp/my-config-map/my-custom-post-start-hook.sh; + + copyOnEveryStartup: + - source: /tmp/my-config-map/logback.xml + target: etc/ + +``` + +and use it with you helm install/upgrade: +```bash +helm install --name artifactory-ha -f configmaps.yaml jfrog/artifactory-ha +``` + +This will, in turn: +* create a configMap with the files you specified above +* create a volume pointing to the configMap with the name `artifactory-configmaps` +* Mount said configMap onto `/tmp/my-config-map` using a `customVolumeMounts` +* Set the shell script we mounted as the `postStartCommand` +* Copy the `logback.xml` file to its proper location in the `$ARTIFACTORY_HOME/etc` directory. + + +### Artifactory filebeat +If you want to collect logs from your Artifactory installation and send them to a central log collection solution like ELK, you can use this option. + +Create a `filebeat.yaml` values file with the following content: +```yaml +filebeat: + enabled: true + logstashUrl: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" +``` + +You can optionally customize the `filebeat.yaml` to send output to a different location like so: +```yaml +filebeat: + enabled: true + filebeatYml: | + +``` + +and use it with you helm install/upgrade: +```bash +helm install --name artifactory -f filebeat.yaml jfrog/artifactory +``` + +This will start sending your Artifactory logs to the log aggregator of your choice, based on your configuration in the `filebeatYml` + +## Configuration +The following table lists the configurable parameters of the artifactory chart and their default values. + +| Parameter | Description | Default | +|------------------------------|-----------------------------------|-------------------------------------------------------| +| `imagePullSecrets` | Docker registry pull secret | | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template | +| `serviceAccount.annotations` | Artifactory service account annotations | `` | +| `rbac.create` | Specifies whether RBAC resources should be created | `true` | +| `rbac.role.rules` | Rules to create | `[]` | +| `logger.image.repository` | repository for logger image | `busybox` | +| `logger.image.tag` | tag for logger image | `1.30` | +| `artifactory.name` | Artifactory name | `artifactory` | +| `artifactory.image.pullPolicy` | Container pull policy | `IfNotPresent` | +| `artifactory.image.repository` | Container image | `docker.bintray.io/jfrog/artifactory-pro` | +| `artifactory.image.version` | Container image tag | `.Chart.AppVersion` | +| `artifactory.priorityClass.create` | Create a PriorityClass object | `false` | +| `artifactory.priorityClass.value` | Priority Class value | `1000000000` | +| `artifactory.priorityClass.name` | Priority Class name | `{{ template "artifactory-ha.fullname" . }}` | +| `artifactory.priorityClass.existingPriorityClass` | Use existing priority class | `` | +| `artifactory.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` | +| `artifactory.catalinaLoggers` | Artifactory Tomcat loggers (see values.yaml for possible values) | `[]` | +| `artifactory.customInitContainersBegin`| Custom init containers to run before existing init containers | | +| `artifactory.customInitContainers`| Custom init containers to run after existing init containers | | +| `artifactory.customSidecarContainers`| Custom sidecar containers | | +| `artifactory.customVolumes` | Custom volumes | | +| `artifactory.customVolumeMounts` | Custom Artifactory volumeMounts | | +| `artifactory.customPersistentPodVolumeClaim` | Custom PVC spec to create and attach a unique PVC for each pod on startup with the volumeClaimTemplates feature in StatefulSet | | +| `artifactory.customPersistentVolumeClaim` | Custom PVC spec to be mounted to the all artifactory containers using a volume | | +| `artifactory.userPluginSecrets` | Array of secret names for Artifactory user plugins | | +| `artifactory.masterKey` | Artifactory master key. A 128-Bit key size (hexadecimal encoded) string (32 hex characters). Can be generated with `openssl rand -hex 16`. NOTE: This key can be generated only once and cannot be updated once created |`FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF`| +| `artifactory.masterKeySecretName` | Artifactory Master Key secret name | | +| `artifactory.joinKey` | Join Key to connect other services to Artifactory. Can be generated with `openssl rand -hex 16` | `EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE` | +| `artifactory.accessAdmin.ip` | Artifactory access-admin ip to be set upon startup, can use (*) for 0.0.0.0| 127.0.0.1 | +| `artifactory.accessAdmin.password` | Artifactory access-admin password to be set upon startup| | +| `artifactory.accessAdmin.secret` | Artifactory access-admin secret name | | +| `artifactory.accessAdmin.dataKey` | Artifactory access-admin secret data key | | +| `artifactory.preStartCommand` | Command to run before entrypoint starts | | +| `artifactory.postStartCommand` | Command to run after container starts | | +| `artifactory.license.licenseKey` | Artifactory license key. Providing the license key as a parameter will cause a secret containing the license key to be created as part of the release. Use either this setting or the license.secret and license.dataKey. If you use both, the latter will be used. | | +| `artifactory.configMaps` | configMaps to be created as volume by the name `artifactory-configmaps`. In order to use these configMaps, you will need to add `customVolumeMounts` to point to the created volume and mount it onto a container | | +| `artifactory.license.secret` | Artifactory license secret name | | +| `artifactory.license.dataKey`| Artifactory license secret data key | | +| `artifactory.service.name` | Artifactory service name to be set in Nginx configuration | `artifactory` | +| `artifactory.service.type` | Artifactory service type | `ClusterIP` | +| `artifactory.service.clusterIP`| Specific cluster IP or `None` for headless services | `nil` | +| `artifactory.service.loadBalancerSourceRanges`| Artifactory service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | +| `artifactory.service.annotations` | Artifactory service annotations | `{}` | +| `artifactory.service.pool` | Artifactory instances to be in the load balancing pool. `members` or `all` | `members` | +| `artifactory.externalPort` | Artifactory service external port | `8082` | +| `artifactory.internalPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8082` | +| `artifactory.internalArtifactoryPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8081` | +| `artifactory.externalArtifactoryPort` | Artifactory service external port | `8081` | +| `artifactory.extraEnvironmentVariables` | Extra environment variables to pass to Artifactory. Supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function. See [documentation](https://www.jfrog.com/confluence/display/RTF/Installing+with+Docker#InstallingwithDocker-SupportedEnvironmentVariables) | | +| `artifactory.livenessProbe.enabled` | Enable liveness probe | `true` | +| `artifactory.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` | +| `artifactory.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | +| `artifactory.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `artifactory.livenessProbe.timeoutSeconds` | When the probe times out | 10 | +| `artifactory.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `artifactory.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `artifactory.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `artifactory.readinessProbe.path` | readiness probe HTTP Get path | `/router/api/v1/system/health` | +| `artifactory.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 | +| `artifactory.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `artifactory.readinessProbe.timeoutSeconds` | When the probe times out | 10 | +| `artifactory.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `artifactory.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `artifactory.copyOnEveryStartup` | List of files to copy on startup from source (which is absolute) to target (which is relative to ARTIFACTORY_HOME | | +| `artifactory.deleteDBPropertiesOnStartup` | Whether to delete the ARTIFACTORY_HOME/etc/db.properties file on startup. Disabling this will remove the ability for the db.properties to be updated with any DB-related environment variables change (e.g. DB_HOST, DB_URL) | `true` | +| `artifactory.database.maxOpenConnections` | Maximum amount of open connections from Artifactory to the DB | `80` | +| `artifactory.haDataDir.enabled` | Enable haDataDir for eventual storage in the HA cluster | `false` | +| `artifactory.haDataDir.path` | Path to the directory intended for use with NFS eventual configuration for HA | | +| `artifactory.persistence.mountPath` | Artifactory persistence volume mount path | `"/var/opt/jfrog/artifactory"` | +| `artifactory.persistence.enabled` | Artifactory persistence volume enabled | `true` | +| `artifactory.persistence.accessMode` | Artifactory persistence volume access mode | `ReadWriteOnce` | +| `artifactory.persistence.size` | Artifactory persistence or local volume size | `200Gi` | +| `artifactory.persistence.binarystore.enabled` | whether you want to mount the binarystore.xml file from a secret created by the chart. If `false` you will need need to get the binarystore.xml file into the file-system from either an `initContainer` or using a `preStartCommand` | `true` | +| `artifactory.persistence.binarystoreXml` | Artifactory binarystore.xml template | See `values.yaml` | +| `artifactory.persistence.customBinarystoreXmlSecret` | A custom Secret for binarystore.xml | `` | +| `artifactory.persistence.maxCacheSize` | Artifactory cache-fs provider maxCacheSize in bytes | `50000000000` | +| `artifactory.persistence.cacheProviderDir` | the root folder of binaries for the filestore cache. If the value specified starts with a forward slash ("/") it is considered the fully qualified path to the filestore folder. Otherwise, it is considered relative to the *baseDataDir*. | `cache` | +| `artifactory.persistence.type` | Artifactory HA storage type | `file-system` | +| `artifactory.persistence.redundancy` | Artifactory HA storage redundancy | `3` | +| `artifactory.persistence.nfs.ip` | NFS server IP | | +| `artifactory.persistence.nfs.haDataMount` | NFS data directory | `/data` | +| `artifactory.persistence.nfs.haBackupMount` | NFS backup directory | `/backup` | +| `artifactory.persistence.nfs.dataDir` | HA data directory | `/var/opt/jfrog/artifactory-ha` | +| `artifactory.persistence.nfs.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` | +| `artifactory.persistence.nfs.capacity` | NFS PVC size | `200Gi` | +| `artifactory.persistence.nfs.mountOptions` | NFS mount options | `[]` | +| `artifactory.persistence.eventual.numberOfThreads` | Eventual number of threads | `10` | +| `artifactory.persistence.googleStorage.endpoint` | Google Storage API endpoint| `storage.googleapis.com` | +| `artifactory.persistence.googleStorage.httpsOnly` | Google Storage API has to be consumed https only| `false` | +| `artifactory.persistence.googleStorage.bucketName` | Google Storage bucket name | `artifactory-ha` | +| `artifactory.persistence.googleStorage.identity` | Google Storage service account id | | +| `artifactory.persistence.googleStorage.credential` | Google Storage service account key | | +| `artifactory.persistence.googleStorage.path` | Google Storage path in bucket | `artifactory-ha/filestore` | +| `artifactory.persistence.googleStorage.bucketExists`| Google Storage bucket exists therefore does not need to be created.| `false` | +| `artifactory.persistence.awsS3.bucketName` | AWS S3 bucket name | `artifactory-ha` | +| `artifactory.persistence.awsS3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | +| `artifactory.persistence.awsS3.region` | AWS S3 bucket region | | +| `artifactory.persistence.awsS3.roleName` | AWS S3 IAM role name | | +| `artifactory.persistence.awsS3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | +| `artifactory.persistence.awsS3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | +| `artifactory.persistence.awsS3.properties` | AWS S3 additional properties | | +| `artifactory.persistence.awsS3.path` | AWS S3 path in bucket | `artifactory-ha/filestore` | +| `artifactory.persistence.awsS3.refreshCredentials` | AWS S3 renew credentials on expiration | `true` (When roleName is used, this parameter will be set to true) | +| `artifactory.persistence.awsS3.httpsOnly` | AWS S3 https access to the bucket only | `true` | +| `artifactory.persistence.awsS3.testConnection` | AWS S3 test connection on start up | `false` | +| `artifactory.persistence.awsS3.s3AwsVersion` | AWS S3 signature version | `AWS4-HMAC-SHA256` | +| `artifactory.persistence.awsS3V3.testConnection` | AWS S3 test connection on start up | `false` | +| `artifactory.persistence.awsS3V3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | +| `artifactory.persistence.awsS3V3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | +| `artifactory.persistence.awsS3V3.region` | AWS S3 bucket region | | +| `artifactory.persistence.awsS3V3.bucketName` | AWS S3 bucket name | `artifactory-aws` | +| `artifactory.persistence.awsS3V3.path` | AWS S3 path in bucket | `artifactory/filestore` | +| `artifactory.persistence.awsS3V3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | +| `artifactory.persistence.awsS3V3.kmsServerSideEncryptionKeyId` | AWS S3 encryption key ID or alias | | +| `artifactory.persistence.awsS3V3.kmsKeyRegion` | AWS S3 KMS Key region | | +| `artifactory.persistence.awsS3V3.kmsCryptoMode` | AWS S3 KMS encryption mode | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate | +| `artifactory.persistence.awsS3V3.useInstanceCredentials` | AWS S3 Use default authentication mechanism | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-authentication | +| `artifactory.persistence.awsS3V3.usePresigning` | AWS S3 Use URL signing | `false` | +| `artifactory.persistence.awsS3V3.signatureExpirySeconds` | AWS S3 Validity period in seconds for signed URLs | `300` | +| `artifactory.persistence.awsS3V3.cloudFrontDomainName` | AWS CloudFront domain name | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| +| `artifactory.persistence.awsS3V3.cloudFrontKeyPairId` | AWS CloudFront key pair ID | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| +| `artifactory.persistence.awsS3V3.cloudFrontPrivateKey` | AWS CloudFront private key | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| +| `artifactory.persistence.azureBlob.accountName` | Azure Blob Storage account name | `` | +| `artifactory.persistence.azureBlob.accountKey` | Azure Blob Storage account key | `` | +| `artifactory.persistence.azureBlob.endpoint` | Azure Blob Storage endpoint | `` | +| `artifactory.persistence.azureBlob.containerName` | Azure Blob Storage container name | `` | +| `artifactory.persistence.azureBlob.testConnection` | Azure Blob Storage test connection | `false` | +| `artifactory.persistence.fileSystem.existingSharedClaim` | Enable using an existing shared pvc | `false` | +| `artifactory.persistence.fileStorage.dataDir` | HA data directory | `/var/opt/jfrog/artifactory/artifactory-data` | +| `artifactory.persistence.fileStorage.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` | +| `artifactory.javaOpts.other` | Artifactory additional java options (for all nodes) | | +| `artifactory.primary.labels` | Artifactory primary node labels | `{}` | +| `artifactory.primary.resources.requests.memory` | Artifactory primary node initial memory request | | +| `artifactory.primary.resources.requests.cpu` | Artifactory primary node initial cpu request | | +| `artifactory.primary.resources.limits.memory` | Artifactory primary node memory limit | | +| `artifactory.primary.resources.limits.cpu` | Artifactory primary node cpu limit | | +| `artifactory.primary.javaOpts.xms` | Artifactory primary node java Xms size | | +| `artifactory.primary.javaOpts.xmx` | Artifactory primary node java Xms size | | +| `artifactory.primary.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the primary node - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` | +| `artifactory.primary.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` | +| `artifactory.primary.javaOpts.jmx.port` | JMX Port number | `9010` | +| `artifactory.primary.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.primary.name" $ }}` | +| `artifactory.primary.javaOpts.jmx.ssl` | Enable SSL | `false` | +| `artifactory.primary.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` | +| `artifactory.primary.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | | +| `artifactory.primary.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | | +| `artifactory.primary.javaOpts.other` | Artifactory primary node additional java options | | +| `artifactory.primary.persistence.existingClaim` | Whether to use an existing pvc for the primary node | `false` | +| `artifactory.node.labels` | Artifactory member node labels | `{}` | +| `artifactory.node.replicaCount` | Artifactory member node replica count | `2` | +| `artifactory.node.minAvailable` | Artifactory member node min available count | `1` | +| `artifactory.node.resources.requests.memory` | Artifactory member node initial memory request | | +| `artifactory.node.resources.requests.cpu` | Artifactory member node initial cpu request | | +| `artifactory.node.resources.limits.memory` | Artifactory member node memory limit | | +| `artifactory.node.resources.limits.cpu` | Artifactory member node cpu limit | | +| `artifactory.node.javaOpts.xms` | Artifactory member node java Xms size | | +| `artifactory.node.javaOpts.xmx` | Artifactory member node java Xms size | | +| `artifactory.node.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the member nodes - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` | +| `artifactory.node.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` | +| `artifactory.node.javaOpts.jmx.port` | JMX Port number | `9010` | +| `artifactory.node.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.fullname" $ }}` | +| `artifactory.node.javaOpts.jmx.ssl` | Enable SSL | `false` | +| `artifactory.node.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` | +| `artifactory.node.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | | +| `artifactory.node.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | | +| `artifactory.node.javaOpts.other` | Artifactory member node additional java options | | +| `artifactory.node.persistence.existingClaim` | Whether to use existing PVCs for the member nodes | `false` | +| `artifactory.node.waitForPrimaryStartup.enabled` | Whether to wait for the primary node to start before starting up the member nodes | `false` | +| `artifactory.node.waitForPrimaryStartup.time` | The amount of time to wait for the primary node to start before starting up the member nodes | `60` | +| `artifactory.systemYaml` | Artifactory system configuration (`system.yaml`) as described here - https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML | `see values.yaml` | +| `access.database.maxOpenConnections` | Maximum amount of open connections from Access to the DB | `80` | +| `initContainers.resources.requests.memory` | Init containers initial memory request | | +| `initContainers.resources.requests.cpu` | Init containers initial cpu request | | +| `initContainers.resources.limits.memory` | Init containers memory limit | | +| `initContainers.resources.limits.cpu` | Init containers cpu limit | | +| `ingress.enabled` | If true, Artifactory Ingress will be created | `false` | +| `ingress.annotations` | Artifactory Ingress annotations | `{}` | +| `ingress.labels` | Artifactory Ingress labels | `{}` | +| `ingress.hosts` | Artifactory Ingress hostnames | `[]` | +| `ingress.routerPath` | Router Ingress path | `/` | +| `ingress.artifactoryPath` | Artifactory Ingress path | `/artifactory` | +| `ingress.tls` | Artifactory Ingress TLS configuration (YAML) | `[]` | +| `ingress.defaultBackend.enabled` | If true, the default `backend` will be added using serviceName and servicePort | `true` | +| `ingress.annotations` | Ingress annotations, which are written out if annotations section exists in values. Everything inside of the annotations section will appear verbatim inside the resulting manifest. See `Ingress annotations` section below for examples of how to leverage the annotations, specifically for how to enable docker authentication. | | +| `ingress.additionalRules` | Ingress additional rules to be added to the Artifactory ingress. | `[]` | +| `nginx.enabled` | Deploy nginx server | `true` | +| `nginx.name` | Nginx name | `nginx` | +| `nginx.replicaCount` | Nginx replica count | `1` | +| `nginx.uid` | Nginx User Id | `104` | +| `nginx.gid` | Nginx Group Id | `107` | +| `nginx.image.repository` | Container image | `docker.bintray.io/jfrog/nginx-artifactory-pro` | +| `nginx.image.version` | Container version | `.Chart.AppVersion` | +| `nginx.image.pullPolicy` | Container pull policy | `IfNotPresent` | +| `nginx.labels` | Nginx deployment labels | `{}` | +| `nginx.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` | +| `nginx.mainConf` | Content of the Artifactory nginx main nginx.conf config file | `see values.yaml` | +| `nginx.artifactoryConf` | Content of Artifactory nginx artifactory.conf config file | `see values.yaml` | +| `nginx.service.type` | Nginx service type | `LoadBalancer` | +| `nginx.service.clusterIP` | Specific cluster IP or `None` for headless services | `nil` | +| `nginx.service.loadBalancerSourceRanges`| Nginx service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | +| `nginx.service.labels` | Nginx service labels | `{}` | +| `nginx.service.annotations` | Nginx service annotations | `{}` | +| `nginx.service.externalTrafficPolicy`| Nginx service desires to route external traffic to node-local or cluster-wide endpoints. | `Cluster` | +| `nginx.loadBalancerIP`| Provide Static IP to configure with Nginx | | +| `nginx.http.enabled` | Nginx http service enabled/disabled | true | +| `nginx.http.externalPort` | Nginx service external port | `80` | +| `nginx.http.internalPort` | Nginx service internal port | `80` | +| `nginx.https.enabled` | Nginx http service enabled/disabled | true | +| `nginx.https.externalPort` | Nginx service external port | `443` | +| `nginx.https.internalPort` | Nginx service internal port | `443` | +| `nginx.externalPortHttp` | DEPRECATED: Nginx service external port | `80` | +| `nginx.internalPortHttp` | DEPRECATED: Nginx service internal port | `80` | +| `nginx.externalPortHttps` | DEPRECATED: Nginx service external port | `443` | +| `nginx.internalPortHttps` | DEPRECATED: Nginx service internal port | `443` | +| `nginx.livenessProbe.enabled` | would you like a liveness Probe to be enabled | `true` | +| `nginx.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` | +| `nginx.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 100 | +| `nginx.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `nginx.livenessProbe.timeoutSeconds` | When the probe times out | 10 | +| `nginx.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `nginx.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `nginx.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `nginx.readinessProbe.path` | Readiness probe HTTP Get path | `/router/api/v1/system/health` | +| `nginx.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 | +| `nginx.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `nginx.readinessProbe.timeoutSeconds` | When the probe times out | 10 | +| `nginx.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | +| `nginx.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `nginx.tlsSecretName` | SSL secret that will be used by the Nginx pod | | +| `nginx.customConfigMap` | Nginx CustomeConfigMap name for `nginx.conf` | ` ` | +| `nginx.customArtifactoryConfigMap`| Nginx CustomeConfigMap name for `artifactory-ha.conf` | ` ` | +| `nginx.resources.requests.memory` | Nginx initial memory request | `250Mi` | +| `nginx.resources.requests.cpu` | Nginx initial cpu request | `100m` | +| `nginx.resources.limits.memory` | Nginx memory limit | `250Mi` | +| `nginx.resources.limits.cpu` | Nginx cpu limit | `500m` | +| `nginx.persistence.mountPath` | Nginx persistence volume mount path | `"/var/opt/jfrog/nginx"` | +| `nginx.persistence.enabled` | Nginx persistence volume enabled. This is only available when the nginx.replicaCount is set to 1 | `false` | +| `nginx.persistence.accessMode` | Nginx persistence volume access mode | `ReadWriteOnce` | +| `nginx.persistence.size` | Nginx persistence volume size | `5Gi` | +| `waitForDatabase` | Wait for database (using wait-for-db init container) | `true` | +| `postgresql.enabled` | Use enclosed PostgreSQL as database | `true` | +| `postgresql.imageTag` | PostgreSQL version | `9.6.11` | +| `postgresql.postgresqlDatabase` | PostgreSQL database name | `artifactory` | +| `postgresql.postgresqlUsername` | PostgreSQL database user | `artifactory` | +| `postgresql.postgresqlPassword` | PostgreSQL database password | | +| `postgresql.persistence.enabled` | PostgreSQL use persistent storage | `true` | +| `postgresql.persistence.size` | PostgreSQL persistent storage size | `50Gi` | +| `postgresql.service.port` | PostgreSQL database port | `5432` | +| `postgresql.resources.requests.memory` | PostgreSQL initial memory request | | +| `postgresql.resources.requests.cpu` | PostgreSQL initial cpu request | | +| `postgresql.resources.limits.memory` | PostgreSQL memory limit | | +| `postgresql.resources.limits.cpu` | PostgreSQL cpu limit | | +| `database.type` | External database type (`postgresql`, `mysql`, `oracle` or `mssql`) | | +| `database.driver` | External database driver e.g. `org.postgresql.Driver` | | +| `database.url` | External database connection URL | | +| `database.user` | External database username | | +| `database.password` | External database password | | +| `database.secrets.user.name` | External database username `Secret` name | | +| `database.secrets.user.key` | External database username `Secret` key | | +| `database.secrets.password.name` | External database password `Secret` name | | +| `database.secrets.password.key` | External database password `Secret` key | | +| `database.secrets.url.name ` | External database url `Secret` name | | +| `database.secrets.url.key` | External database url `Secret` key | | +| `networkpolicy.name` | Becomes part of the NetworkPolicy object name | `artifactory` | +| `networkpolicy.podselector` | Contains the YAML that specifies how to match pods. Usually using matchLabels. | | +| `networkpolicy.ingress` | YAML snippet containing to & from rules applied to incoming traffic | `- {}` (open to all inbound traffic) | +| `networkpolicy.egress` | YAML snippet containing to & from rules applied to outgoing traffic | `- {}` (open to all outbound traffic) | +| `filebeat.enabled` | Enable a filebeat container to send your logs to a log management solution like ELK | `false` | +| `filebeat.name` | filebeat container name | `artifactory-filebeat` | +| `filebeat.image.repository` | filebeat Docker image repository | `docker.elastic.co/beats/filebeat` | +| `filebeat.image.version` | filebeat Docker image version | `7.5.1` | +| `filebeat.logstashUrl` | The URL to the central Logstash service, if you have one | `logstash:5044` | +| `filebeat.livenessProbe.exec.command` | liveness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) | +| `filebeat.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `filebeat.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | +| `filebeat.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `filebeat.readinessProbe.exec.command` | readiness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) | +| `filebeat.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | +| `filebeat.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 180 | +| `filebeat.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `filebeat.resources.requests.memory` | Filebeat initial memory request | | +| `filebeat.resources.requests.cpu` | Filebeat initial cpu request | | +| `filebeat.resources.limits.memory` | Filebeat memory limit | | +| `filebeat.resources.limits.cpu` | Filebeat cpu limit | | +| `filebeat.filebeatYml` | Filebeat yaml configuration file | see [values.yaml](stable/artifactory-ha/values.yaml) | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +### Ingress and TLS +To get Helm to create an ingress object with a hostname, add these two lines to your Helm command: +```bash +helm install --name artifactory-ha \ + --set ingress.enabled=true \ + --set ingress.hosts[0]="artifactory.company.com" \ + --set artifactory.service.type=NodePort \ + --set nginx.enabled=false \ + jfrog/artifactory-ha +``` + +If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [cert-manager](https://github.com/jetstack/cert-manager)), please refer to the documentation for that mechanism. + +To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: + +```bash +kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key +``` + +Include the secret's name, along with the desired hostnames, in the Artifactory Ingress TLS section of your custom `values.yaml` file: + +```yaml + ingress: + ## If true, Artifactory Ingress will be created + ## + enabled: true + + ## Artifactory Ingress hostnames + ## Must be provided if Ingress is enabled + ## + hosts: + - artifactory.domain.com + annotations: + kubernetes.io/tls-acme: "true" + ## Artifactory Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: + - secretName: artifactory-tls + hosts: + - artifactory.domain.com +``` + +### Ingress annotations + +This example specifically enables Artifactory to work as a Docker Registry using the Repository Path method. See [Artifactory as Docker Registry](https://www.jfrog.com/confluence/display/RTF/Getting+Started+with+Artifactory+as+a+Docker+Registry) documentation for more information about this setup. + +```yaml +ingress: + enabled: true + defaultBackend: + enabled: false + hosts: + - myhost.example.com + annotations: + ingress.kubernetes.io/force-ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + ingress.kubernetes.io/proxy-read-timeout: "600" + ingress.kubernetes.io/proxy-send-timeout: "600" + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/configuration-snippet: | + rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token; + rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3; + nginx.ingress.kubernetes.io/proxy-body-size: "0" + tls: + - hosts: + - "myhost.example.com" +``` + +### Ingress additional rules + +You have the option to add additional ingress rules to the Artifactory ingress. An example for this use case can be routing the /xray path to Xray. +In order to do that, simply add the following to a `artifactory-ha-values.yaml` file: +```yaml +ingress: + enabled: true + + defaultBackend: + enabled: false + + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/configuration-snippet: | + rewrite "(?i)/xray(/|$)(.*)" /$2 break; + + additionalRules: | + - host: + http: + paths: + - path: / + backend: + serviceName: + servicePort: + - path: /xray + backend: + serviceName: + servicePort: + - path: /artifactory + backend: + serviceName: {{ template "artifactory.nginx.fullname" . }} + servicePort: {{ .Values.nginx.externalPortHttp }} +``` + +and running: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f artifactory-ha-values.yaml +``` + + + +## Useful links +- https://www.jfrog.com/confluence/display/EP/Getting+Started +- https://www.jfrog.com/confluence/display/RTF/Installing+Artifactory +- https://www.jfrog.com/confluence/ diff --git a/Openshift4/artifactoryha-helm/ReverseProxyConfiguration.md b/Openshift4/artifactoryha-helm/ReverseProxyConfiguration.md new file mode 100755 index 0000000..8515932 --- /dev/null +++ b/Openshift4/artifactoryha-helm/ReverseProxyConfiguration.md @@ -0,0 +1,140 @@ +# JFrog Artifactory Reverse Proxy Settings using Nginx + +#### Reverse Proxy +* To use Artifactory as docker registry it's mandatory to use Reverse Proxy. +* Artifactory provides a Reverse Proxy Configuration Generator screen in which you can fill in a set of fields to generate +the required configuration snippet which you can then download and install directly in the corresponding directory of your reverse proxy server. +* To learn about configuring NGINX or Apache for reverse proxy refer to documentation provided on [JFrog wiki](https://www.jfrog.com/confluence/display/RTF/Configuring+a+Reverse+Proxy) +* By default Artifactory helm chart uses Nginx for reverse proxy and load balancing. + +**Note**: Nginx image distributed with Artifactory helm chart is custom image managed and maintained by JFrog. + +#### Features of Artifactory Nginx +* Provides default configuration with self signed SSL certificate generated on each helm install/upgrade. +* Persist configuration and SSL certificate in `/var/opt/jfrog/nginx` directory + +#### Changing the default Artifactory nginx conf +Use a values.yaml file for changing the value of nginx.mainConf or nginx.artifactoryConf +These configuration will be mounted to the nginx container using a configmap. +For example: +1. Create a values file `nginx-values.yaml` with the following values: +```yaml +nginx: + artifactoryConf: | + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; + ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + ## server configuration + server { + listen {{ .Values.nginx.internalPortHttps }} ssl; + listen {{ .Values.nginx.internalPortHttp }} ; + ## Change to you DNS name you use to access Artifactory + server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }}; + + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + ## Application specific logs + ## access_log /var/log/nginx/artifactory-access.log timing; + ## error_log /var/log/nginx/artifactory-error.log; + rewrite ^/$ /artifactory/webapp/ redirect; + rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect; + if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; + } + rewrite ^/(v1|v2)/([^/]+)(.*)$ /artifactory/api/docker/$2/$1/$3; + rewrite ^/(v1|v2)/ /artifactory/api/docker/$1/; + chunked_transfer_encoding on; + client_max_body_size 0; + location /artifactory/ { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/$1; + } + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/; + proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + } +``` + +2. Install/upgrade artifactory: +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f nginx-values.yaml +``` + + +#### Steps to use static configuration for reverse proxy in nginx. +1. Get Artifactory service name using this command `kubectl get svc -n $NAMESPACE` + +2. Create `artifactory.conf` file with nginx configuration. More [nginx configuration examples](https://github.com/jfrog/artifactory-docker-examples/tree/master/files/nginx/conf.d) + + Following is example `artifactory.conf` + + **Note**: + * Create file with name `artifactory.conf` as it's fixed in configMap key. + * Replace `artifactory-artifactory` with service name taken from step 1. + + ```bash + ## add ssl entries when https has been set in config + ssl_certificate /var/opt/jfrog/nginx/ssl/tls.crt; + ssl_certificate_key /var/opt/jfrog/nginx/ssl/tls.key; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + ## server configuration + server { + listen 443 ssl; + listen 80; + ## Change to you DNS name you use to access Artifactory + server_name ~(?.+)\.artifactory-artifactory artifactory-artifactory; + + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + ## Application specific logs + ## access_log /var/log/nginx/artifactory-access.log timing; + ## error_log /var/log/nginx/artifactory-error.log; + rewrite ^/$ /artifactory/webapp/ redirect; + rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect; + if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; + } + rewrite ^/(v1|v2)/([^/]+)(.*)$ /artifactory/api/docker/$2/$1/$3; + rewrite ^/(v1|v2)/ /artifactory/api/docker/$1/; + chunked_transfer_encoding on; + client_max_body_size 0; + location /artifactory/ { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://artifactory-artifactory:8081/artifactory/$1 break; + } + proxy_pass http://artifactory-artifactory:8081/artifactory/; + proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + } + ``` + +3. Create configMap of `artifactory.conf` created with step above. + ```bash + kubectl create configmap art-nginx-conf --from-file=artifactory.conf + ``` +4. Deploy Artifactory using helm chart. + You can achieve this by providing the name of configMap created above to `nginx.customArtifactoryConfigMap` in [values.yaml](values.yaml) + + Following is command to set values at runtime: + ```bash + helm install --name artifactory-ha nginx.customArtifactoryConfigMap=art-nginx-conf jfrog/artifactory-ha + ``` \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/UPGRADE_NOTES.md b/Openshift4/artifactoryha-helm/UPGRADE_NOTES.md new file mode 100755 index 0000000..640474f --- /dev/null +++ b/Openshift4/artifactoryha-helm/UPGRADE_NOTES.md @@ -0,0 +1,33 @@ +# JFrog Artifactory Chart Upgrade Notes +This file describes special upgrade notes needed at specific versions + +## Upgrade from 0.X to 1.X +**DOWNTIME IS REQUIRED FOR AN UPGRADE!** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you!** +* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is not backward compatible with the old version (`0.9.5`)! +* Note the following **PostgreSQL** Helm chart changes + * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used + * **PostgreSQL** is deployed as a StatefulSet + * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations +* Upgrade + * Due to breaking changes in the **PostgreSQL** Helm chart, a migration of the database is needed from the old to the new database + * The recommended migration process is the [full system export and import](https://www.jfrog.com/confluence/display/RTF/Importing+and+Exporting) + * **NOTE:** To save time, export only metadata and configuration (check `Exclude Content` in the `System Import & Export`) since the Artifactory filestore is persisted + * Upgrade steps: + 1. Block user access to Artifactory (do not shutdown) + a. Scale down the cluster to primary node only (`node.replicaCount=0`) so the exported db and configuration will be kept on one known node (the primary) + b. If your Artifactory HA K8s service is set to member nodes only (`service.pool=members`) you will need to access the primary node directly (use `kubectl port-forward`) + 2. Perform `Export System` from the `Admin` -> `Import & Export` -> `System` -> `Export System` + a. Check `Exclude Content` to save export size (as Artifactory filestore will persist across upgrade) + b. Choose to save the export on the persisted Artifactory volume (`/var/opt/jfrog/artifactory/`) + c. Click `Export` (this can take some time) + 3. Run the `helm upgrade` with the new version. Old PostgreSQL will be removed and new one deployed + a. You must pass explicit "ready for upgrade flag" with `--set databaseUpgradeReady=yes`. Failing to provide this will block the upgrade! + 4. Once ready, open Artifactory UI (you might need to re-enter a valid license). Skip all onboarding wizard steps + a. **NOTE:** Don't worry you can't see the old config and files. It will all restore with the system import in the next step + 5. Perform `Import System` from the `Admin` -> `Import & Export` -> `System` -> `Import System` + a. Browse to where the export was saved Artifactory volume (`/var/opt/jfrog/artifactory/`) + b. Click `Import` (this can take some time) + 6. Restore access to Artifactory + a. Scale the cluster member nodes back to the original size + * Artifactory should now be ready to get back to normal operation diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/.helmignore b/Openshift4/artifactoryha-helm/charts/postgresql/.helmignore new file mode 100755 index 0000000..a1c17ae --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/.helmignore @@ -0,0 +1,2 @@ +.git +OWNERS \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/Chart.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/Chart.yaml new file mode 100755 index 0000000..4687eb3 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/Chart.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +appVersion: 11.5.0 +description: Chart for PostgreSQL, an object-relational database management system + (ORDBMS) with an emphasis on extensibility and on standards-compliance. +engine: gotpl +home: https://www.postgresql.org/ +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- email: containers@bitnami.com + name: Bitnami +- email: cedric@desaintmartin.fr + name: desaintmartin +name: postgresql +sources: +- https://github.com/bitnami/bitnami-docker-postgresql +version: 7.0.1 diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/README.md b/Openshift4/artifactoryha-helm/charts/postgresql/README.md new file mode 100755 index 0000000..e6621b4 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/README.md @@ -0,0 +1,487 @@ +# PostgreSQL + +[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. + +## TL;DR; + +```console +$ helm install stable/postgresql +``` + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 2.11+ or Helm 3.0-beta3+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart +To install the chart with the release name `my-release`: + +```console +$ helm install --name my-release stable/postgresql +``` + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +The following tables lists the configurable parameters of the PostgreSQL chart and their default values. + +| Parameter | Description | Default | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | +| `global.imageRegistry` | Global Docker Image registry | `nil` | +| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` | +| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` | +| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` | +| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` | +| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` | +| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | +| `image.registry` | PostgreSQL Image registry | `docker.io` | +| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` | +| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `image.debug` | Specify if debug values should be set | `false` | +| `nameOverride` | String to partially override postgresql.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override postgresql.fullname template with a string | `nil` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `stretch` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0` | +| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` | +| `replication.enabled` | Enable replication | `false` | +| `replication.user` | Replication user | `repl_user` | +| `replication.password` | Replication user password | `repl_password` | +| `replication.slaveReplicas` | Number of slaves replicas | `1` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `existingSecret` | Name of existing secret to use for PostgreSQL passwords | `nil` | +| `postgresqlUsername` | PostgreSQL admin user | `postgres` | +| `postgresqlPassword` | PostgreSQL admin password | _random 10 character alphanumeric string_ | +| `postgresqlDatabase` | PostgreSQL database | `nil` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) | +| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` | +| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` | +| `postgresqlConfiguration` | Runtime Config Parameters | `nil` | +| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` | +| `pgHbaConfiguration` | Content of pg\_hba.conf | `nil (do not create pg_hba.conf)` | +| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` | +| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` | +| `initdbScripts` | Dictionary of initdb scripts | `nil` | +| `initdbUsername` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` | +| `initdbPassword` | Password for the user specified in `initdbUsername` | `nil` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` | +| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | PostgreSQL port | `5432` | +| `service.nodePort` | Kubernetes Service nodePort | `nil` | +| `service.annotations` | Annotations for PostgreSQL service, the value is evaluated as a template. | {} | +| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | +| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | [] | +| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | +| `persistence.enabled` | Enable persistence using PVC | `true` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` | +| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` | +| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `persistence.annotations` | Annotations for the PVC | `{}` | +| `master.nodeSelector` | Node labels for pod assignment (postgresql master) | `{}` | +| `master.affinity` | Affinity labels for pod assignment (postgresql master) | `{}` | +| `master.tolerations` | Toleration labels for pod assignment (postgresql master) | `[]` | +| `master.anotations` | Map of annotations to add to the statefulset (postgresql master) | `{}` | +| `master.labels` | Map of labels to add to the statefulset (postgresql master) | `{}` | +| `master.podAnnotations` | Map of annotations to add to the pods (postgresql master) | `{}` | +| `master.podLabels` | Map of labels to add to the pods (postgresql master) | `{}` | +| `master.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql master) | `[]` | +| `master.extraVolumes` | Additional volumes to add to the pods (postgresql master) | `[]` | +| `slave.nodeSelector` | Node labels for pod assignment (postgresql slave) | `{}` | +| `slave.affinity` | Affinity labels for pod assignment (postgresql slave) | `{}` | +| `slave.tolerations` | Toleration labels for pod assignment (postgresql slave) | `[]` | +| `slave.anotations` | Map of annotations to add to the statefulsets (postgresql slave) | `{}` | +| `slave.labels` | Map of labels to add to the statefulsets (postgresql slave) | `{}` | +| `slave.podAnnotations` | Map of annotations to add to the pods (postgresql slave) | `{}` | +| `slave.podLabels` | Map of labels to add to the pods (postgresql slave) | `{}` | +| `slave.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql slave) | `[]` | +| `slave.extraVolumes` | Additional volumes to add to the pods (postgresql slave) | `[]` | +| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` | +| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the container | `1001` | +| `securityContext.runAsUser` | User ID for the container | `1001` | +| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | +| `serviceAcccount.name` | Name of existing service account | `nil` | +| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` | +| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 | +| `readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | +| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | +| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` | +| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | +| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` | +| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` | +| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` | +| `metrics.image.registry` | PostgreSQL Image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Image name | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | +| `metrics.image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | +| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | +| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 | +| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `{}` | +| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install --name my-release \ + --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ + stable/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +$ helm install --name my-release -f values.yaml stable/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Production configuration and horizontal scaling + +This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. + +- Enable replication: +```diff +- replication.enabled: false ++ replication.enabled: true +``` + +- Number of slaves replicas: +```diff +- replication.slaveReplicas: 1 ++ replication.slaveReplicas: 2 +``` + +- Set synchronous commit mode: +```diff +- replication.synchronousCommit: "off" ++ replication.synchronousCommit: "on" +``` + +- Number of replicas that will have synchronous replication: +```diff +- replication.numSynchronousReplicas: 0 ++ replication.numSynchronousReplicas: 1 +``` + +- Start a prometheus exporter: +```diff +- metrics.enabled: false ++ metrics.enabled: true +``` + +To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above. + +### Change PostgreSQL version + +To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=12.0.0-debian-9-r0` + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the whole configuration file. + +Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. + +Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. + +### Allow settings to be loaded from files other than the default `postgresql.conf` + +If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. +Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. + +Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. + +In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +``` + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +``` +postgresql.postgresqlPassword=testtest +subchart1.postgresql.postgresqlPassword=testtest +subchart2.postgresql.postgresqlPassword=testtest +postgresql.postgresqlDatabase=db1 +subchart1.postgresql.postgresqlDatabase=db1 +subchart2.postgresql.postgresqlDatabase=db1 +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +``` +global.postgresql.postgresqlPassword=testtest +global.postgresql.postgresqlDatabase=db1 +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```console +$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. + +### Deploy chart using Docker Official PostgreSQL Image + +From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. +Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. + +``` +helm install --name postgres \ + --set image.repository=postgres \ + --set image.tag=10.6 \ + --set postgresqlDataDir=/data/pgdata \ + --set persistence.mountPath=/data/ \ + stable/postgresql +``` + +## Upgrade + +It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: + +```bash +$ helm upgrade my-release bitnami/influxdb \ + --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ + --set replication.password=[REPLICATION_PASSWORD] +``` + +> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. + +## 7.0.0 + +Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. + +In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. + +This major version bump signifies this change. + +## 5.0.0 + +In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). + +For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: + +```bash +Welcome to the Bitnami postgresql container +Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql +Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues +Send us your feedback at containers@bitnami.com + +INFO ==> ** Starting PostgreSQL setup ** +NFO ==> Validating settings in POSTGRESQL_* env vars.. +INFO ==> Initializing PostgreSQL database... +INFO ==> postgresql.conf file not detected. Generating it... +INFO ==> pg_hba.conf file not detected. Generating it... +INFO ==> Deploying PostgreSQL with persisted data... +INFO ==> Configuring replication parameters +INFO ==> Loading custom scripts... +INFO ==> Enabling remote connections +INFO ==> Stopping PostgreSQL... +INFO ==> ** PostgreSQL setup finished! ** + +INFO ==> ** Starting PostgreSQL ** + [1] FATAL: database files are incompatible with server + [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. +``` +In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. + +### 4.0.0 + +This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. + +IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error + +``` +The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development +``` + +### 3.0.0 + +This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. +It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. + +#### Breaking changes + +- `affinty` has been renamed to `master.affinity` and `slave.affinity`. +- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. +- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. + +### 2.0.0 + +In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: + + - Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running + + ```console +$ kubectl get svc + ``` + +- Install (not upgrade) the new version + +```console +$ helm repo update +$ helm install --name my-release stable/postgresql +``` + +- Connect to the new pod (you can obtain the name by running `kubectl get pods`): + +```console +$ kubectl exec -it NAME bash +``` + +- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: + +```console +$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql +``` + +After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). +This operation could take some time depending on the database size. + +- Once you have the backup file, you can restore it with a command like the one below: + +```console +$ psql -U postgres DATABASE_NAME < /tmp/backup.sql +``` + +In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). + +If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. + +```console +$ psql -U postgres +postgres=# drop database DATABASE_NAME; +postgres=# create database DATABASE_NAME; +postgres=# create user USER_NAME; +postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; +postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; +postgres=# alter database DATABASE_NAME owner to USER_NAME; +``` diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/files/README.md b/Openshift4/artifactoryha-helm/charts/postgresql/files/README.md new file mode 100755 index 0000000..1813a2f --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/files/README.md @@ -0,0 +1 @@ +Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/files/conf.d/README.md b/Openshift4/artifactoryha-helm/charts/postgresql/files/conf.d/README.md new file mode 100755 index 0000000..184c187 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/files/conf.d/README.md @@ -0,0 +1,4 @@ +If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. +These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/Openshift4/artifactoryha-helm/charts/postgresql/files/docker-entrypoint-initdb.d/README.md new file mode 100755 index 0000000..cba3809 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/files/docker-entrypoint-initdb.d/README.md @@ -0,0 +1,3 @@ +You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. + +More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/NOTES.txt b/Openshift4/artifactoryha-helm/charts/postgresql/templates/NOTES.txt new file mode 100755 index 0000000..798fa10 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,50 @@ +** Please be patient while the chart is being deployed ** + +PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster: + + {{ template "postgresql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection +{{- if .Values.replication.enabled }} + {{ template "postgresql.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection +{{- end }} +To get the password for "{{ template "postgresql.username" . }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) + +To connect to your database run the following command: + + kubectl run {{ template "postgresql.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} + --labels="{{ template "postgresql.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "postgresql.fullname" . }} -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} -p {{ template "postgresql.port" . }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label {{ template "postgresql.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. +{{- end }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "postgresql.fullname" . }}) + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "postgresql.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "postgresql.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} & + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} -p {{ template "postgresql.port" . }} + +{{- end }} + +{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} + +WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ + +{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/_helpers.tpl b/Openshift4/artifactoryha-helm/charts/postgresql/templates/_helpers.tpl new file mode 100755 index 0000000..b379f29 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,374 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "postgresql.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.master.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} +{{- if .Values.replication.enabled -}} +{{- printf "%s-%s" $fullname "master" | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "postgresql.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"extensions/v1beta1" +{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"networking.k8s.io/v1" +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "postgresql.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL password +*/}} +{{- define "postgresql.password" -}} +{{- if .Values.global.postgresql.postgresqlPassword }} + {{- .Values.global.postgresql.postgresqlPassword -}} +{{- else if .Values.postgresqlPassword -}} + {{- .Values.postgresqlPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication password +*/}} +{{- define "postgresql.replication.password" -}} +{{- if .Values.global.postgresql.replicationPassword }} + {{- .Values.global.postgresql.replicationPassword -}} +{{- else if .Values.replication.password -}} + {{- .Values.replication.password -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL username +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.postgresqlUsername }} + {{- .Values.global.postgresql.postgresqlUsername -}} +{{- else -}} + {{- .Values.postgresqlUsername -}} +{{- end -}} +{{- end -}} + + +{{/* +Return PostgreSQL replication username +*/}} +{{- define "postgresql.replication.username" -}} +{{- if .Values.global.postgresql.replicationUser }} + {{- .Values.global.postgresql.replicationUser -}} +{{- else -}} + {{- .Values.replication.user -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL port +*/}} +{{- define "postgresql.port" -}} +{{- if .Values.global.postgresql.servicePort }} + {{- .Values.global.postgresql.servicePort -}} +{{- else -}} + {{- .Values.service.port -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL created database +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.postgresqlDatabase }} + {{- .Values.global.postgresql.postgresqlDatabase -}} +{{- else if .Values.postgresqlDatabase -}} + {{- .Values.postgresqlDatabase -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper image name to change the volume permissions +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{- $registryName := .Values.volumePermissions.image.registry -}} +{{- $repositoryName := .Values.volumePermissions.image.repository -}} +{{- $tag := .Values.volumePermissions.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{- $registryName := default "docker.io" .Values.metrics.image.registry -}} +{{- $repositoryName := .Values.metrics.image.repository -}} +{{- $tag := default "latest" .Values.metrics.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.existingSecret }} + {{- printf "%s" .Values.global.postgresql.existingSecret -}} +{{- else if .Values.existingSecret -}} + {{- printf "%s" .Values.existingSecret -}} +{{- else -}} + {{- printf "%s" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if .Values.global.postgresql.existingSecret }} +{{- else if .Values.existingSecret -}} +{{- else -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the configuration ConfigMap name. +*/}} +{{- define "postgresql.configurationCM" -}} +{{- if .Values.configurationConfigMap -}} +{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} +{{- else -}} +{{- printf "%s-configuration" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the extended configuration ConfigMap name. +*/}} +{{- define "postgresql.extendedConfigurationCM" -}} +{{- if .Values.extendedConfConfigMap -}} +{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} +{{- else -}} +{{- printf "%s-extended-configuration" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts Secret name. +*/}} +{{- define "postgresql.initdbScriptsSecret" -}} +{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +- | +{{- if (include "postgresql.database" .) }} + pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- else }} + pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Return the proper Storage Class +*/}} +{{- define "postgresql.storageClass" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +*/}} +{{- if .Values.global -}} + {{- if .Values.global.storageClass -}} + {{- if (eq "-" .Values.global.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.global.storageClass -}} + {{- end -}} + {{- else -}} + {{- if .Values.persistence.storageClass -}} + {{- if (eq "-" .Values.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- if .Values.persistence.storageClass -}} + {{- if (eq "-" .Values.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Renders a value that contains template. +Usage: +{{ include "postgresql.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "postgresql.tplValue" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "postgresql.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1beta2" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/configmap.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/configmap.yaml new file mode 100755 index 0000000..d2178c0 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/configmap.yaml @@ -0,0 +1,26 @@ +{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-configuration + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +data: +{{- if (.Files.Glob "files/postgresql.conf") }} +{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} +{{- else if .Values.postgresqlConfiguration }} + postgresql.conf: | +{{- range $key, $value := default dict .Values.postgresqlConfiguration }} + {{ $key | snakecase }}={{ $value }} +{{- end }} +{{- end }} +{{- if (.Files.Glob "files/pg_hba.conf") }} +{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} +{{- else if .Values.pgHbaConfiguration }} + pg_hba.conf: | +{{ .Values.pgHbaConfiguration | indent 4 }} +{{- end }} +{{ end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/extended-config-configmap.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/extended-config-configmap.yaml new file mode 100755 index 0000000..8a41195 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/extended-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-extended-configuration + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +data: +{{- with .Files.Glob "files/conf.d/*.conf" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{ with .Values.postgresqlExtendedConf }} + override.conf: | +{{- range $key, $value := . }} + {{ $key | snakecase }}={{ $value }} +{{- end }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/initialization-configmap.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/initialization-configmap.yaml new file mode 100755 index 0000000..8eb5e05 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/initialization-configmap.yaml @@ -0,0 +1,24 @@ +{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-init-scripts + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{- with .Values.initdbScripts }} +{{ toYaml . | indent 2 }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/metrics-svc.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/metrics-svc.yaml new file mode 100755 index 0000000..f370041 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/metrics-svc.yaml @@ -0,0 +1,26 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }}-metrics + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + annotations: +{{ toYaml .Values.metrics.service.annotations | indent 4 }} +spec: + type: {{ .Values.metrics.service.type }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + ports: + - name: metrics + port: 9187 + targetPort: metrics + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name }} + role: master +{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/networkpolicy.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/networkpolicy.yaml new file mode 100755 index 0000000..8fb23f2 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/networkpolicy.yaml @@ -0,0 +1,34 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +spec: + podSelector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + ingress: + # Allow inbound connections + - ports: + - port: {{ template "postgresql.port" . }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "postgresql.fullname" . }}-client: "true" + - podSelector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: slave + {{- end }} + # Allow prometheus scrapes + - ports: + - port: 9187 +{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/secrets.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/secrets.yaml new file mode 100755 index 0000000..e0bc3b2 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +type: Opaque +data: + postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} + {{- if .Values.replication.enabled }} + postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} + {{- end }} +{{- end -}} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/serviceaccount.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/serviceaccount.yaml new file mode 100755 index 0000000..27e5b51 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "postgresql.fullname" . }} +{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/servicemonitor.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/servicemonitor.yaml new file mode 100755 index 0000000..9211d51 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/servicemonitor.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} + {{- end }} +spec: + endpoints: + - port: metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset-slaves.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset-slaves.yaml new file mode 100755 index 0000000..74a81d0 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset-slaves.yaml @@ -0,0 +1,247 @@ +{{- if .Values.replication.enabled }} +apiVersion: {{ template "postgresql.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: "{{ template "postgresql.fullname" . }}-slave" + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.slave.labels }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.slave.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "postgresql.fullname" . }}-headless + replicas: {{ .Values.replication.slaveReplicas }} + selector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: slave + template: + metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + role: slave +{{- with .Values.slave.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.slave.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.slave.nodeSelector }} + nodeSelector: +{{ toYaml .Values.slave.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.slave.affinity }} + affinity: +{{ toYaml .Values.slave.affinity | indent 8 }} + {{- end }} + {{- if .Values.slave.tolerations }} + tolerations: +{{ toYaml .Values.slave.tolerations | indent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name}} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + initContainers: + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -c + - | + mkdir -p {{ .Values.persistence.mountPath }}/data + chmod 700 {{ .Values.persistence.mountPath }}/data + find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ + xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + securityContext: + runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }} + volumeMounts: + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + containers: + - name: {{ template "postgresql.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ template "postgresql.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.port" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + ports: + - name: postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{ end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.slave.extraVolumeMounts }} + {{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }} + {{- end }} + volumes: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: data + emptyDir: {} + {{- end }} + {{- if .Values.slave.extraVolumes }} + {{- toYaml .Values.slave.extraVolumes | nindent 8 }} + {{- end }} + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} +{{- if .Values.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "postgresql.storageClass" . }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset.yaml new file mode 100755 index 0000000..64c297f --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset.yaml @@ -0,0 +1,355 @@ +apiVersion: {{ template "postgresql.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ template "postgresql.master.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.master.labels }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.master.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "postgresql.fullname" . }}-headless + replicas: 1 + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: master + template: + metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + role: master +{{- with .Values.master.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.master.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.master.nodeSelector }} + nodeSelector: +{{ toYaml .Values.master.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.master.affinity }} + affinity: +{{ toYaml .Values.master.affinity | indent 8 }} + {{- end }} + {{- if .Values.master.tolerations }} + tolerations: +{{ toYaml .Values.master.tolerations | indent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + initContainers: + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -c + - | + mkdir -p {{ .Values.persistence.mountPath }}/data + chmod 700 {{ .Values.persistence.mountPath }}/data + find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ + xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + securityContext: + runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }} + volumeMounts: + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + containers: + - name: {{ template "postgresql.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + {{- if .Values.postgresqlInitdbArgs }} + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.postgresqlInitdbArgs | quote }} + {{- end }} + {{- if .Values.postgresqlInitdbWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.postgresqlInitdbWalDir | quote }} + {{- end }} + {{- if .Values.initdbUser }} + - name: POSTGRESQL_INITSCRIPTS_USERNAME + value: {{ .Values.initdbUser }} + {{- end }} + {{- if .Values.initdbPassword }} + - name: POSTGRESQL_INITSCRIPTS_PASSWORD + value: .Values.initdbPassword + {{- end }} + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + {{- if .Values.replication.enabled }} + - name: POSTGRES_REPLICATION_MODE + value: "master" + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + {{- if not (eq .Values.replication.synchronousCommit "off")}} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + - name: POSTGRES_USER + value: {{ include "postgresql.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + {{- if (include "postgresql.database" .) }} + - name: POSTGRES_DB + value: {{ (include "postgresql.database" .) | quote }} + {{- end }} + {{- if .Values.extraEnv }} + {{- include "postgresql.tplValue" (dict "value" .Values.extraEnv "context" $) | nindent 12 }} + {{- end }} + ports: + - name: postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.master.extraVolumeMounts }} + {{- toYaml .Values.master.extraVolumeMounts | nindent 12 }} + {{- end }} +{{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.metrics.securityContext.runAsUser }} + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }} + {{- if .Values.usePasswordFile }} + - name: DATA_SOURCE_PASS_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: DATA_SOURCE_USER + value: {{ template "postgresql.username" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: / + port: metrics + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: / + port: metrics + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + ports: + - name: metrics + containerPort: 9187 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} +{{- end }} + volumes: + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "postgresql.initdbScriptsCM" . }} + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ template "postgresql.initdbScriptsSecret" . }} + {{- end }} + {{- if .Values.master.extraVolumes }} + {{- toYaml .Values.master.extraVolumes | nindent 8 }} + {{- end }} +{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} + - name: data + persistentVolumeClaim: +{{- with .Values.persistence.existingClaim }} + claimName: {{ tpl . $ }} +{{- end }} +{{- else if not .Values.persistence.enabled }} + - name: data + emptyDir: {} +{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "postgresql.storageClass" . }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-headless.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-headless.yaml new file mode 100755 index 0000000..0bc60be --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-headless.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }}-headless + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: postgresql + port: {{ template "postgresql.port" . }} + targetPort: postgresql + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-read.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-read.yaml new file mode 100755 index 0000000..17bda04 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-read.yaml @@ -0,0 +1,31 @@ +{{- if .Values.replication.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }}-read + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + ports: + - name: postgresql + port: {{ template "postgresql.port" . }} + targetPort: postgresql + {{- if .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: slave +{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc.yaml new file mode 100755 index 0000000..3b880b7 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.service.annotations }} + annotations: +{{ tpl (toYaml .) $ | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{ with .Values.service.loadBalancerSourceRanges }} +{{ toYaml . | indent 4 }} +{{- end }} + {{- end }} + {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + ports: + - name: postgresql + port: {{ template "postgresql.port" . }} + targetPort: postgresql + {{- if .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: master diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/values-production.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/values-production.yaml new file mode 100755 index 0000000..353848a --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/values-production.yaml @@ -0,0 +1,392 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.5.0-debian-9-r84 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + debug: false + +## String to partially override postgresql.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override postgresql.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: true + image: + registry: docker.io + repository: bitnami/minideb + tag: stretch + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. + # name: + +replication: + enabled: true + user: repl_user + password: repl_password + slaveReplicas: 2 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + synchronousCommit: "on" + ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > slaveReplicas + numSynchronousReplicas: 1 + ## Replication Cluster application name. Useful for defining multiple replication policies + applicationName: my_application + +## PostgreSQL admin user +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." + +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## PostgreSQL service configuration +service: + ## PosgresSQL service type + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + +## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Master parameters +## +master: + ## Node, affinity and tolerations labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + ## Additional PostgreSQL Master Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Master Volumes + ## + extraVolumes: [] + +## +## PostgreSQL Slave parameters +## +slave: + ## Node, affinity and tolerations labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + ## Additional PostgreSQL Slave Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Slave Volumes + ## + extraVolumes: [] + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Configure metrics exporter +## +metrics: + enabled: true + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.6.0-debian-9-r0 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +# Define custom environment variables to pass to the image here +extraEnv: [] diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/values.schema.json b/Openshift4/artifactoryha-helm/charts/postgresql/values.schema.json new file mode 100755 index 0000000..ac2de6e --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/values.schema.json @@ -0,0 +1,103 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "postgresqlUsername": { + "type": "string", + "title": "Admin user", + "form": true + }, + "postgresqlPassword": { + "type": "string", + "title": "Password", + "form": true + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "slaveReplicas": { + "type": "integer", + "title": "Slave Replicas", + "form": true, + "hidden": { + "condition": false, + "value": "replication.enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/values.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/values.yaml new file mode 100755 index 0000000..e13d0a7 --- /dev/null +++ b/Openshift4/artifactoryha-helm/charts/postgresql/values.yaml @@ -0,0 +1,392 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.5.0-debian-9-r84 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + debug: false + +## String to partially override postgresql.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override postgresql.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: true + image: + registry: docker.io + repository: bitnami/minideb + tag: stretch + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. + # name: + +replication: + enabled: false + user: repl_user + password: repl_password + slaveReplicas: 1 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + synchronousCommit: "off" + ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > slaveReplicas + numSynchronousReplicas: 0 + ## Replication Cluster application name. Useful for defining multiple replication policies + applicationName: my_application + +## PostgreSQL admin user +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." + +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## PostgreSQL service configuration +service: + ## PosgresSQL service type + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + +## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Master parameters +## +master: + ## Node, affinity and tolerations labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + ## Additional PostgreSQL Master Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Master Volumes + ## + extraVolumes: [] + +## +## PostgreSQL Slave parameters +## +slave: + ## Node, affinity and tolerations labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + ## Additional PostgreSQL Slave Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Slave Volumes + ## + extraVolumes: [] + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Configure metrics exporter +## +metrics: + enabled: false + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.6.0-debian-9-r0 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +# Define custom environment variables to pass to the image here +extraEnv: [] diff --git a/Openshift4/artifactoryha-helm/helminstall.sh b/Openshift4/artifactoryha-helm/helminstall.sh new file mode 100755 index 0000000..6f0132d --- /dev/null +++ b/Openshift4/artifactoryha-helm/helminstall.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +if [ -z "$1" ]; then echo "Skipping creation of persistent volume examples. Ensure there is available PVs 200Gi per node for HA."; else oc create -f pv-examples/; fi + +oc new-project jfrog-artifactory +oc create serviceaccount svcaccount -n jfrog-artifactory +oc adm policy add-scc-to-user privileged system:serviceaccount:jfrog-artifactory:svcaccount +oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:svcaccount +oc adm policy add-scc-to-group anyuid system:authenticated + +# enables hostPath plugin for openshift system wide +oc create -f scc.yaml -n jfrog-artifactory +oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' +oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:svcaccount + +# create the license secret +oc create secret generic artifactory-license --from-file=./artifactory.cluster.license + +# install via helm +helm install . --generate-name \ + --set artifactory.node.replicaCount=1 \ + --set nginx.service.type=NodePort \ + --set artifactory.license.secret=artifactory-license,artifactory.license.dataKey=artifactory.cluster.license diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0001-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0001-large.yaml new file mode 100644 index 0000000..8a36385 --- /dev/null +++ b/Openshift4/artifactoryha-helm/pv-examples/pv0001-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0001-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0001-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0002-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0002-large.yaml new file mode 100644 index 0000000..b96fa47 --- /dev/null +++ b/Openshift4/artifactoryha-helm/pv-examples/pv0002-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0002-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0002-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0003-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0003-large.yaml new file mode 100644 index 0000000..476ad41 --- /dev/null +++ b/Openshift4/artifactoryha-helm/pv-examples/pv0003-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0003-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0003-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0004-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0004-large.yaml new file mode 100644 index 0000000..ae2fbda --- /dev/null +++ b/Openshift4/artifactoryha-helm/pv-examples/pv0004-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0004-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0004-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0005-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0005-large.yaml new file mode 100644 index 0000000..9488514 --- /dev/null +++ b/Openshift4/artifactoryha-helm/pv-examples/pv0005-large.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv0005-large +spec: + capacity: + storage: 200Gi + hostPath: + path: /mnt/pv-data/pv0005-large + accessModes: + - ReadWriteOnce + - ReadWriteMany + - ReadOnlyMany + persistentVolumeReclaimPolicy: Recycle + volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/requirements.lock b/Openshift4/artifactoryha-helm/requirements.lock new file mode 100755 index 0000000..7037cff --- /dev/null +++ b/Openshift4/artifactoryha-helm/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: postgresql + repository: https://kubernetes-charts.storage.googleapis.com/ + version: 7.0.1 +digest: sha256:dcdafe9ab91ccf0e5883e2b5dd9ba13e82190b5e16e6dee6d39fd16a04123ce8 +generated: 2019-11-10T13:12:29.836238+02:00 diff --git a/Openshift4/artifactoryha-helm/requirements.yaml b/Openshift4/artifactoryha-helm/requirements.yaml new file mode 100755 index 0000000..756a19c --- /dev/null +++ b/Openshift4/artifactoryha-helm/requirements.yaml @@ -0,0 +1,5 @@ +dependencies: + - name: postgresql + version: 7.0.1 + repository: https://kubernetes-charts.storage.googleapis.com/ + condition: postgresql.enabled diff --git a/Openshift4/artifactoryha-helm/scc.yaml b/Openshift4/artifactoryha-helm/scc.yaml new file mode 100644 index 0000000..13eef79 --- /dev/null +++ b/Openshift4/artifactoryha-helm/scc.yaml @@ -0,0 +1,18 @@ +kind: SecurityContextConstraints +apiVersion: v1 +metadata: + name: hostpath +allowPrivilegedContainer: false +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: +- artifactory +groups: +- artifactory +- jfrog-artifactory diff --git a/Openshift4/artifactoryha-helm/templates/NOTES.txt b/Openshift4/artifactoryha-helm/templates/NOTES.txt new file mode 100755 index 0000000..d08fa88 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/NOTES.txt @@ -0,0 +1,113 @@ +Congratulations. You have just deployed JFrog Artifactory HA! + +{{- if and (not .Values.artifactory.masterKeySecretName) (eq .Values.artifactory.masterKey "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF") }} + + +***************************************** WARNING ****************************************** +* Your Artifactory master key is still set to the provided example: * +* artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF * +* * +* You should change this to your own generated key: * +* $ export MASTER_KEY=$(openssl rand -hex 32) * +* $ echo ${MASTER_KEY} * +* * +* Pass the created master key to helm with '--set artifactory.masterKey=${MASTER_KEY}' * +* * +* Alternatively, you can use a pre-existing secret with a key called master-key with * +* '--set artifactory.masterKeySecretName=${SECRET_NAME}' * +******************************************************************************************** +{{- end }} + +{{ if eq .Values.artifactory.joinKey "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" }} + + +***************************************** WARNING ****************************************** +* Your Artifactory join key is still set to the provided example: * +* artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE * +* * +* You should change this to your own generated key: * +* $ export JOIN_KEY=$(openssl rand -hex 16) * +* $ echo ${JOIN_KEY} * +* * +* Pass the created master key to helm with '--set artifactory.joinKey=${JOIN_KEY}' * +* * +******************************************************************************************** +{{- end }} + +{{- if .Values.postgresql.enabled }} + +DATABASE: +To extract the database password, run the following +export DB_PASSWORD=$(kubectl get --namespace {{ .Release.Namespace }} $(kubectl get secret --namespace {{ .Release.Namespace }} -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) +echo ${DB_PASSWORD} +{{- end }} + +SETUP: +1. Get the Artifactory IP and URL + + {{- if contains "NodePort" .Values.nginx.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "artifactory-ha.nginx.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT/ + + {{- else if contains "LoadBalancer" .Values.nginx.service.type }} + NOTE: It may take a few minutes for the LoadBalancer public IP to be available! + + You can watch the status of the service by running 'kubectl get svc -w {{ template "artifactory-ha.nginx.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.nginx.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP/ + + {{- else if contains "ClusterIP" .Values.nginx.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "component={{ .Values.nginx.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080:80 + echo http://127.0.0.1:8080 + + {{- end }} + +2. Open Artifactory in your browser + Default credential for Artifactory: + user: admin + password: password + + {{- if .Values.artifactory.license.secret }} + +3. Manage Artifactory license through the {{ .Values.artifactory.license.secret }} secret ONLY! + Since the artifactory license(s) is managed with a secret ({{ .Values.artifactory.license.secret }}), any change through the Artifactory UI might not be saved! + + {{- else }} + +3. Add HA licenses to activate Artifactory HA through the Artifactory UI + NOTE: Each Artifactory node requires a valid license. See https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup for more details. + + {{- end }} + +{{ if or .Values.artifactory.primary.javaOpts.jmx.enabled .Values.artifactory.node.javaOpts.jmx.enabled }} +JMX configuration: +{{- if not (contains "LoadBalancer" .Values.artifactory.service.type) }} +If you want to access JMX from you computer with jconsole, you should set ".Values.artifactory.service.type=LoadBalancer" !!! +{{ end }} + +1. Get the Artifactory service IP: +{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} +export PRIMARY_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.primary.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +{{- end }} +{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} +export MEMBER_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +{{- end }} + +2. Map the service name to the service IP in /etc/hosts: +{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} +sudo sh -c "echo \"${PRIMARY_SERVICE_IP} {{ template "artifactory-ha.primary.name" . }}\" >> /etc/hosts" +{{- end }} +{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} +sudo sh -c "echo \"${MEMBER_SERVICE_IP} {{ template "artifactory-ha.fullname" . }}\" >> /etc/hosts" +{{- end }} + +3. Launch jconsole: +{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} +jconsole {{ template "artifactory-ha.primary.name" . }}:{{ .Values.artifactory.primary.javaOpts.jmx.port }} +{{- end }} +{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} +jconsole {{ template "artifactory-ha.fullname" . }}:{{ .Values.artifactory.node.javaOpts.jmx.port }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/_helpers.tpl b/Openshift4/artifactoryha-helm/templates/_helpers.tpl new file mode 100755 index 0000000..32171c2 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/_helpers.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "artifactory-ha.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +The primary node name +*/}} +{{- define "artifactory-ha.primary.name" -}} +{{- if .Values.nameOverride -}} +{{- printf "%s-primary" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := .Release.Name | trunc 29 -}} +{{- printf "%s-%s-primary" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +The member node name +*/}} +{{- define "artifactory-ha.node.name" -}} +{{- if .Values.nameOverride -}} +{{- printf "%s-member" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := .Release.Name | trunc 29 -}} +{{- printf "%s-%s-member" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name nginx service. +*/}} +{{- define "artifactory-ha.nginx.name" -}} +{{- default .Values.nginx.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "artifactory-ha.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "artifactory-ha.nginx.fullname" -}} +{{- if .Values.nginx.fullnameOverride -}} +{{- .Values.nginx.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nginx.name -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "artifactory-ha.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} +{{ default (include "artifactory-ha.fullname" .) .Values.serviceAccount.name }} +{{- else -}} +{{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "artifactory-ha.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate SSL certificates +*/}} +{{- define "artifactory-ha.gen-certs" -}} +{{- $altNames := list ( printf "%s.%s" (include "artifactory-ha.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory-ha.name" .) .Release.Namespace ) -}} +{{- $ca := genCA "artifactory-ca" 365 -}} +{{- $cert := genSignedCert ( include "artifactory-ha.name" . ) nil $altNames 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} diff --git a/Openshift4/artifactoryha-helm/templates/access-bootstrap-creds.yaml b/Openshift4/artifactoryha-helm/templates/access-bootstrap-creds.yaml new file mode 100755 index 0000000..f4e34a2 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/access-bootstrap-creds.yaml @@ -0,0 +1,15 @@ +{{- if not (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) }} +{{- if .Values.artifactory.accessAdmin.password }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-bootstrap-creds + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + bootstrap.creds: {{ (printf "access-admin@%s=%s" .Values.artifactory.accessAdmin.ip .Values.artifactory.accessAdmin.password) | b64enc }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-binarystore-secret.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-binarystore-secret.yaml new file mode 100755 index 0000000..2e7cac7 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-binarystore-secret.yaml @@ -0,0 +1,14 @@ +{{- if not .Values.artifactory.persistence.customBinarystoreXmlSecret }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-binarystore + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +stringData: + binarystore.xml: |- +{{ tpl .Values.artifactory.persistence.binarystoreXml . | indent 4 }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-configmaps.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-configmaps.yaml new file mode 100755 index 0000000..1385bc5 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-configmaps.yaml @@ -0,0 +1,13 @@ +{{ if .Values.artifactory.configMaps }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-configmaps + labels: + app: {{ template "artifactory-ha.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: +{{ tpl .Values.artifactory.configMaps . | indent 2 }} +{{ end -}} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-installer-info.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-installer-info.yaml new file mode 100755 index 0000000..0c9a4f4 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-installer-info.yaml @@ -0,0 +1,25 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-installer-info + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + installer-info.json: | + { + "productId": "Helm_artifactory-ha/{{ .Chart.Version }}", + "features": [ + { + "featureId": "ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}" + }, + { + "featureId": "{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default "derby" .Values.database.type }}{{ end }}/0.0.0" + }, + { + "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}" + } + ] + } diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-license-secret.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-license-secret.yaml new file mode 100755 index 0000000..3f629c6 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-license-secret.yaml @@ -0,0 +1,14 @@ +{{- with .Values.artifactory.license.licenseKey }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.fullname" $ }}-license + labels: + app: {{ template "artifactory-ha.name" $ }} + chart: {{ template "artifactory-ha.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} +type: Opaque +data: + artifactory.lic: {{ . | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-networkpolicy.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-networkpolicy.yaml new file mode 100755 index 0000000..371dc9a --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-networkpolicy.yaml @@ -0,0 +1,34 @@ +{{- range .Values.networkpolicy }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "artifactory-ha.fullname" $ }}-{{ .name }}-networkpolicy + labels: + app: {{ template "artifactory-ha.name" $ }} + chart: {{ template "artifactory-ha.chart" $ }} + release: {{ $.Release.Name }} + heritage: {{ $.Release.Service }} +spec: +{{- if .podSelector }} + podSelector: +{{ .podSelector | toYaml | trimSuffix "\n" | indent 4 -}} +{{ else }} + podSelector: {} +{{- end }} + policyTypes: + {{- if .ingress }} + - Ingress + {{- end }} + {{- if .egress }} + - Egress + {{- end }} +{{- if .ingress }} + ingress: +{{ .ingress | toYaml | trimSuffix "\n" | indent 2 -}} +{{- end }} +{{- if .egress }} + egress: +{{ .egress | toYaml | trimSuffix "\n" | indent 2 -}} +{{- end }} +--- +{{- end -}} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-nfs-pvc.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-nfs-pvc.yaml new file mode 100755 index 0000000..6ed7d82 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-nfs-pvc.yaml @@ -0,0 +1,101 @@ +{{- if eq .Values.artifactory.persistence.type "nfs" }} +### Artifactory HA data +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ template "artifactory-ha.fullname" . }}-data-pv + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + id: {{ template "artifactory-ha.name" . }}-data-pv + type: nfs-volume +spec: + {{- if .Values.artifactory.persistence.nfs.mountOptions }} + mountOptions: +{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} + {{- end }} + capacity: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + server: {{ .Values.artifactory.persistence.nfs.ip }} + path: "{{ .Values.artifactory.persistence.nfs.haDataMount }}" + readOnly: false +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-data-pvc + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + type: nfs-volume +spec: + accessModes: + - ReadWriteOnce + storageClassName: "" + resources: + requests: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + selector: + matchLabels: + id: {{ template "artifactory-ha.name" . }}-data-pv + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} +--- +### Artifactory HA backup +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ template "artifactory-ha.fullname" . }}-backup-pv + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + id: {{ template "artifactory-ha.name" . }}-backup-pv + type: nfs-volume +spec: + {{- if .Values.artifactory.persistence.nfs.mountOptions }} + mountOptions: +{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} + {{- end }} + capacity: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + server: {{ .Values.artifactory.persistence.nfs.ip }} + path: "{{ .Values.artifactory.persistence.nfs.haBackupMount }}" + readOnly: false +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-backup-pvc + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + type: nfs-volume +spec: + accessModes: + - ReadWriteOnce + storageClassName: "" + resources: + requests: + storage: {{ .Values.artifactory.persistence.nfs.capacity }} + selector: + matchLabels: + id: {{ template "artifactory-ha.name" . }}-backup-pv + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-node-pdb.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-node-pdb.yaml new file mode 100755 index 0000000..871bb21 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-node-pdb.yaml @@ -0,0 +1,19 @@ +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "artifactory-ha.fullname" . }}-node + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + {{- if eq .Values.artifactory.service.pool "members" }} + role: {{ template "artifactory-ha.node.name" . }} + {{- end }} + release: {{ .Release.Name }} + minAvailable: {{ .Values.artifactory.node.minAvailable }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-node-statefulset.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-node-statefulset.yaml new file mode 100755 index 0000000..67e1ab3 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-node-statefulset.yaml @@ -0,0 +1,510 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "artifactory-ha.node.name" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + force-update: "{{ randAlpha 63 | lower }}" +{{- if .Values.artifactory.node.labels }} +{{ toYaml .Values.artifactory.node.labels | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "artifactory-ha.node.name" . }} + replicas: {{ .Values.artifactory.node.replicaCount }} + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + role: {{ template "artifactory-ha.node.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + role: {{ template "artifactory-ha.node.name" . }} + heritage: {{ .Release.Service }} + component: {{ .Values.artifactory.name }} + release: {{ .Release.Name }} + annotations: + checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} + {{- range $key, $value := .Values.artifactory.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.artifactory.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.artifactory.priorityClass.create }} + priorityClassName: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + securityContext: + runAsUser: {{ .Values.artifactory.uid }} + fsGroup: {{ .Values.artifactory.uid }} + initContainers: + {{- if .Values.artifactory.customInitContainersBegin }} +{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }} + {{- end }} + {{- if .Values.artifactory.persistence.enabled }} + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + - name: "create-artifactory-data-dir" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + {{- end }} + {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} + - name: "delete-db-properties" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + - name: "remove-lost-found" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + - name: 'copy-system-yaml' + image: '{{ .Values.initContainerImage }}' + command: + - '/bin/sh' + - '-c' + - > + {{- if .Values.artifactory.node.waitForPrimaryStartup.enabled }} + echo "Sleeping to allow time for primary node to come up"; + sleep {{ .Values.artifactory.node.waitForPrimaryStartup.seconds }}; + {{- end }} + echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; + cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists"; + rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + - name: systemyaml + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: "prepare-custom-persistent-volume" + image: "{{ .Values.initContainerImage }}" + command: + - 'sh' + - '-c' + - > + chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + securityContext: + runAsUser: 0 + volumeMounts: + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.waitForDatabase }} + {{- if or .Values.postgresql.enabled }} + - name: "wait-for-db" + image: "{{ .Values.initContainerImage }}" + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do + sleep 2; + done; + {{- end }} + {{- end }} + {{- if .Values.artifactory.customInitContainers }} +{{ tpl .Values.artifactory.customInitContainers . | indent 6 }} + {{- end }} + containers: + - name: {{ .Values.artifactory.name }} + image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + command: + - '/bin/sh' + - '-c' + - > + {{- if .Values.artifactory.userPluginSecrets }} + echo "Copying plugins"; + cp -Lrf /tmp/plugin/*/* /tmp/plugins; + {{- end }} + {{- if .Values.artifactory.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.artifactory.preStartCommand . }}; + {{- end }} + /entrypoint-artifactory.sh + lifecycle: + postStart: + exec: + command: + - '/bin/sh' + - '-c' + - > + echo; + {{- if .Values.artifactory.postStartCommand }} + {{ .Values.artifactory.postStartCommand }} + {{- end }} + env: + {{- if .Values.database.secrets.user }} + - name: JF_SHARED_DATABSE_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.user.name }} + key: {{ .Values.database.secrets.user.key }} + {{- end }} + {{- if .Values.database.secrets.password }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.password.name }} + key: {{ .Values.database.secrets.password.key }} + {{- end }} + {{- if .Values.database.secrets.url }} + - name: JF_SHARED_DATABSE_URL + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.url.name }} + key: {{ .Values.database.secrets.url.key }} + {{- end }} + - name: JF_SHARED_NODE_PRIMARY + value: "false" + - name: JF_SHARED_NODE_HAENABLED + value: "true" + - name: JF_SHARED_DATABSE_USERNAME + value: "artifactory" + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgresql + key: postgresql-password + ports: + - containerPort: {{ .Values.artifactory.internalPort }} + - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} + {{- if .Values.artifactory.node.javaOpts.jmx.enabled }} + - containerPort: {{ .Values.artifactory.node.javaOpts.jmx.port }} + {{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + - name: tmp-plugins + mountPath: "/tmp/plugins/" + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + mountPath: "/tmp/plugin/{{ tpl . $ }}" + {{- end }} + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + {{- if .Values.artifactory.binarystore.enabled }} + - name: binarystore-xml + mountPath: "/artifactory_extra_conf/binarystore.xml" + subPath: binarystore.xml + {{- end }} + {{- end }} + - name: installer-info + mountPath: "/artifactory_extra_conf/info/installer-info.json" + subPath: installer-info.json + {{- if .Values.artifactory.customVolumeMounts }} +{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.artifactory.node.resources | indent 10 }} + {{- if .Values.artifactory.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.artifactory.readinessProbe.path }} + port: {{ .Values.artifactory.internalPort }} + initialDelaySeconds: {{ .Values.artifactory.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.artifactory.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.artifactory.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.artifactory.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.artifactory.readinessProbe.successThreshold }} + {{- end }} + {{- if .Values.artifactory.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.artifactory.livenessProbe.path }} + port: {{ .Values.artifactory.internalPort }} + initialDelaySeconds: {{ .Values.artifactory.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.artifactory.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.artifactory.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }} + {{- end }} + {{- $image := .Values.logger.image.repository }} + {{- $tag := .Values.logger.image.tag }} + {{- $mountPath := .Values.artifactory.persistence.mountPath }} + {{- range .Values.artifactory.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - tail + args: + - '-F' + - '{{ $mountPath }}/logs/{{ . }}' + volumeMounts: + - name: volume + mountPath: {{ $mountPath }} + {{- end }} + {{ if .Values.artifactory.catalinaLoggers }} + {{- range .Values.artifactory.catalinaLoggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - 'sh' + - '-c' + - 'sh /scripts/tail-log.sh {{ $mountPath }}/logs/catalina {{ . }}' + volumeMounts: + - name: volume + mountPath: {{ $mountPath }} + - name: catalina-logger + mountPath: /scripts/tail-log.sh + subPath: tail-log.sh + {{- end }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: {{ .Values.filebeat.name }} + image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" + imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} + args: + - "-e" + - "-E" + - "http.enabled=true" + securityContext: + runAsUser: 0 + volumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + livenessProbe: +{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} + readinessProbe: +{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} + resources: +{{ toYaml .Values.filebeat.resources | indent 10 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} + {{- end }} + {{- if .Values.artifactory.customSidecarContainers }} +{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }} + {{- end }} + {{- with .Values.artifactory.node.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.artifactory.node.affinity }} + {{- with .Values.artifactory.node.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if eq .Values.artifactory.node.podAntiAffinity.type "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.artifactory.node.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + {{- if eq .Values.artifactory.service.pool "members" }} + role: {{ template "artifactory-ha.node.name" . }} + {{- end }} + {{- else if eq .Values.artifactory.node.podAntiAffinity.type "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.artifactory.node.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + {{- if eq .Values.artifactory.service.pool "members" }} + role: {{ template "artifactory-ha.node.name" . }} + {{- end }} + {{- end }} + {{- with .Values.artifactory.node.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- if .Values.artifactory.binarystore.enabled }} + - name: binarystore-xml + secret: + {{- if .Values.artifactory.persistence.customBinarystoreXmlSecret }} + secretName: {{ .Values.artifactory.persistence.customBinarystoreXmlSecret }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-binarystore + {{- end }} + {{- end }} + - name: installer-info + configMap: + name: {{ template "artifactory-ha.fullname" . }}-installer-info + {{- if .Values.artifactory.userPluginSecrets }} + - name: tmp-plugins + emptyDir: {} + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + secret: + secretName: {{ tpl . $ }} + {{- end }} + {{- end }} + {{- if .Values.artifactory.catalinaLoggers }} + - name: catalina-logger + configMap: + name: {{ template "artifactory-ha.fullname" . }}-catalina-logger + {{- end }} + {{- if .Values.artifactory.configMaps }} + - name: artifactory-configmaps + configMap: + name: {{ template "artifactory-ha.fullname" . }}-configmaps + {{- end }} + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" $ }}-data-pvc-{{ $sharedClaimNumber }} + {{- end }} + - name: artifactory-ha-backup + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" $ }}-backup-pvc + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" . }}-data-pvc + - name: artifactory-ha-backup + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc + {{- end }} + - name: systemyaml + secret: + secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + persistentVolumeClaim: + claimName: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: filebeat-config + configMap: + name: {{ template "artifactory-ha.fullname" . }}-filebeat-config + {{- end }} + {{- if .Values.artifactory.customVolumes }} +{{ tpl .Values.artifactory.customVolumes . | indent 6 }} + {{- end }} + {{- if not .Values.artifactory.persistence.enabled }} + - name: volume + emptyDir: + sizeLimit: {{ .Values.artifactory.persistence.size }} + {{- end }} + volumeClaimTemplates: + {{- if .Values.artifactory.persistence.enabled }} + - metadata: + name: volume + {{- if not .Values.artifactory.node.persistence.existingClaim }} + spec: + {{- if .Values.artifactory.persistence.storageClassName }} + {{- if (eq "-" .Values.artifactory.persistence.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.persistence.storageClassName }}" + {{- end }} + {{- end }} + accessModes: [ "{{ .Values.artifactory.persistence.accessMode }}" ] + resources: + requests: + storage: {{ .Values.artifactory.persistence.size }} + {{- end }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - metadata: + name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + spec: + {{- if .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }} + {{- if (eq "-" .Values.artifactory.customPersistentPodVolumeClaim.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }}" + {{- end }} + {{- end }} + accessModes: + {{- range .Values.artifactory.customPersistentPodVolumeClaim.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.artifactory.customPersistentPodVolumeClaim.size }} + {{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-primary-statefulset.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-primary-statefulset.yaml new file mode 100755 index 0000000..0e03476 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-primary-statefulset.yaml @@ -0,0 +1,593 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "artifactory-ha.primary.name" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + force-update: "{{ randAlpha 63 | lower }}" +{{- if .Release.IsUpgrade }} + unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Artifactory 6.x currently not supported!\nIf this is an upgrade over an existing Artifactory 7.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }} +{{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE FAILED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/CHANGELOG.md) and prepare PostgreSQL DB migration before upgrading.\nOnce ready, explicitly pass 'databaseUpgradeReady=yes' to upgrade and complete migration after server starts!\n" .Values.databaseUpgradeReady | quote }} +{{- end }} +{{- if .Values.artifactory.primary.labels }} +{{ toYaml .Values.artifactory.primary.labels | indent 4 }} +{{- end }} +spec: + serviceName: {{ template "artifactory-ha.primary.name" . }} + replicas: 1 + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + role: {{ template "artifactory-ha.primary.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + role: {{ template "artifactory-ha.primary.name" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} + {{- if not (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) }} + checksum/access-creds: {{ include (print $.Template.BasePath "/access-bootstrap-creds.yaml") . | sha256sum }} + {{- end }} + {{- range $key, $value := .Values.artifactory.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.artifactory.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.artifactory.priorityClass.create }} + priorityClassName: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + securityContext: + runAsUser: {{ .Values.artifactory.uid }} + fsGroup: {{ .Values.artifactory.uid }} + initContainers: + {{- if .Values.artifactory.customInitContainersBegin }} +{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }} + {{- end }} + {{- if .Values.artifactory.persistence.enabled }} + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + - name: "create-artifactory-data-dir" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + {{- end }} + {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} + - name: "delete-db-properties" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' + volumeMounts: + - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + name: volume + {{- end }} + - name: "remove-lost-found" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; + rm -rfv {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}/lost+found; + rm -rfv {{ .Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}/lost+found; + volumeMounts: + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + {{- if or (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) .Values.artifactory.accessAdmin.password }} + - name: "access-bootstrap-creds" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + echo "Preparing custom Access bootstrap.creds"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/access/etc; + cp -Lrf /tmp/access/bootstrap.creds {{ .Values.artifactory.persistence.mountPath }}/access/etc/bootstrap.creds; + chmod 600 {{ .Values.artifactory.persistence.mountPath }}/access/etc/bootstrap.creds; + volumeMounts: + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + - name: access-bootstrap-creds + mountPath: "/tmp/access/bootstrap.creds" + {{- if and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey }} + subPath: {{ .Values.artifactory.accessAdmin.dataKey }} + {{- else }} + subPath: bootstrap.creds + {{- end }} + {{- end }} + {{- end }} + - name: 'copy-system-yaml' + image: '{{ .Values.initContainerImage }}' + command: + - '/bin/sh' + - '-c' + - > + echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; + mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; + cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists"; + rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + - name: systemyaml + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: "prepare-custom-persistent-volume" + image: "{{ .Values.initContainerImage }}" + command: + - 'sh' + - '-c' + - > + chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + securityContext: + runAsUser: 0 + volumeMounts: + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.waitForDatabase }} + {{- if or .Values.postgresql.enabled }} + - name: "wait-for-db" + image: "{{ .Values.initContainerImage }}" + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'sh' + - '-c' + - > + until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do + sleep 2; + done; + {{- end }} + {{- end }} + {{- if .Values.artifactory.customInitContainers }} +{{ tpl .Values.artifactory.customInitContainers . | indent 6 }} + {{- end }} + containers: + - name: {{ .Values.artifactory.name }} + image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + command: + - '/bin/sh' + - '-c' + - > + set -e; + {{- if .Values.artifactory.configMapName }} + echo "Copying bootstrap configs"; + cp -Lrf /bootstrap/* /artifactory_extra_conf/; + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + echo "Copying plugins"; + cp -Lrf /tmp/plugin/*/* /tmp/plugins; + {{- end }} + {{- range .Values.artifactory.copyOnEveryStartup }} + {{- $targetPath := printf "%s/%s" $.Values.artifactory.persistence.mountPath .target }} + {{- $baseDirectory := regexFind ".*/" $targetPath }} + mkdir -p {{ $baseDirectory }}; + cp -Lrf {{ .source }} {{ $.Values.artifactory.persistence.mountPath }}/{{ .target }}; + {{- end }} + {{- if .Values.artifactory.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.artifactory.preStartCommand . }}; + {{- end }} + /entrypoint-artifactory.sh + lifecycle: + postStart: + exec: + command: + - '/bin/sh' + - '-c' + - > + echo; + {{- if .Values.artifactory.postStartCommand }} + {{ .Values.artifactory.postStartCommand }} + {{- end }} + env: + {{- if .Values.database.secrets.user }} + - name: JF_SHARED_DATABSE_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.user.name }} + key: {{ .Values.database.secrets.user.key }} + {{- end }} + {{- if .Values.database.secrets.password }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.password.name }} + key: {{ .Values.database.secrets.password.key }} + {{- end }} + {{- if .Values.database.secrets.url }} + - name: JF_SHARED_DATABSE_URL + valueFrom: + secretKeyRef: + name: {{ .Values.database.secrets.url.name }} + key: {{ .Values.database.secrets.url.key }} + {{- end }} + - name: JF_SHARED_NODE_PRIMARY + value: "true" + - name: JF_SHARED_NODE_HAENABLED + value: "true" + - name: JF_SHARED_DATABSE_USERNAME + value: "artifactory" + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgresql + key: postgresql-password + ports: + - containerPort: {{ .Values.artifactory.internalPort }} + - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} + {{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} + - containerPort: {{ .Values.artifactory.primary.javaOpts.jmx.port }} + {{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.userPluginSecrets }} + - name: tmp-plugins + mountPath: "/tmp/plugins/" + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + mountPath: "/tmp/plugin/{{ tpl . $ }}" + {{- end }} + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + {{- if .Values.artifactory.binarystore.enabled }} + - name: binarystore-xml + mountPath: "/artifactory_extra_conf/binarystore.xml" + subPath: binarystore.xml + {{- end }} + {{- end }} + {{- if .Values.artifactory.configMapName }} + - name: bootstrap-config + mountPath: "/bootstrap/" + {{- end }} + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + - name: artifactory-license + mountPath: "/artifactory_extra_conf/artifactory.cluster.license" + {{- if .Values.artifactory.license.secret }} + subPath: {{ .Values.artifactory.license.dataKey }} + {{- else if .Values.artifactory.license.licenseKey }} + subPath: artifactory.lic + {{- end }} + {{- end }} + - name: installer-info + mountPath: "/artifactory_extra_conf/info/installer-info.json" + subPath: installer-info.json + {{- if .Values.artifactory.customVolumeMounts }} +{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.artifactory.primary.resources | indent 10 }} + {{- if .Values.artifactory.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.artifactory.readinessProbe.path }} + port: {{ .Values.artifactory.internalPort }} + initialDelaySeconds: {{ .Values.artifactory.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.artifactory.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.artifactory.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.artifactory.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.artifactory.readinessProbe.successThreshold }} + {{- end }} + {{- if .Values.artifactory.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.artifactory.livenessProbe.path }} + port: {{ .Values.artifactory.internalPort }} + initialDelaySeconds: {{ .Values.artifactory.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.artifactory.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.artifactory.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }} + {{- end }} + {{- $image := .Values.logger.image.repository }} + {{- $tag := .Values.logger.image.tag }} + {{- $mountPath := .Values.artifactory.persistence.mountPath }} + {{- range .Values.artifactory.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - tail + args: + - '-F' + - '{{ $mountPath }}/logs/{{ . }}' + volumeMounts: + - name: volume + mountPath: {{ $mountPath }} + {{- end }} + {{ if .Values.artifactory.catalinaLoggers }} + {{- range .Values.artifactory.catalinaLoggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - 'sh' + - '-c' + - 'sh /scripts/tail-log.sh {{ $mountPath }}/logs/catalina {{ . }}' + volumeMounts: + - name: volume + mountPath: {{ $mountPath }} + - name: catalina-logger + mountPath: /scripts/tail-log.sh + subPath: tail-log.sh + {{- end }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: {{ .Values.filebeat.name }} + image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" + imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} + args: + - "-e" + - "-E" + - "http.enabled=true" + securityContext: + runAsUser: 0 + volumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + livenessProbe: +{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} + readinessProbe: +{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} + resources: +{{ toYaml .Values.filebeat.resources | indent 10 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} + {{- end }} + {{- if .Values.artifactory.customSidecarContainers }} +{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }} + {{- end }} + {{- with .Values.artifactory.primary.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.artifactory.primary.affinity }} + {{- with .Values.artifactory.primary.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if eq .Values.artifactory.primary.podAntiAffinity.type "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.artifactory.primary.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + {{- else if eq .Values.artifactory.primary.podAntiAffinity.type "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.artifactory.primary.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + {{- end }} + {{- with .Values.artifactory.primary.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- if .Values.artifactory.binarystore.enabled }} + - name: binarystore-xml + secret: + {{- if .Values.artifactory.persistence.customBinarystoreXmlSecret }} + secretName: {{ .Values.artifactory.persistence.customBinarystoreXmlSecret }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-binarystore + {{- end }} + {{- end }} + - name: installer-info + configMap: + name: {{ template "artifactory-ha.fullname" . }}-installer-info + {{- if .Values.artifactory.userPluginSecrets }} + - name: tmp-plugins + emptyDir: {} + {{- range .Values.artifactory.userPluginSecrets }} + - name: {{ tpl . $ }} + secret: + secretName: {{ tpl . $ }} + {{- end }} + {{- end }} + {{- if .Values.artifactory.configMapName }} + - name: bootstrap-config + configMap: + name: {{ .Values.artifactory.configMapName }} + {{- end}} + {{- if .Values.artifactory.catalinaLoggers }} + - name: catalina-logger + configMap: + name: {{ template "artifactory-ha.fullname" . }}-catalina-logger + {{- end }} + {{- if .Values.artifactory.configMaps }} + - name: artifactory-configmaps + configMap: + name: {{ template "artifactory-ha.fullname" . }}-configmaps + {{- end }} + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + - name: artifactory-license + secret: + {{- if .Values.artifactory.license.secret }} + secretName: {{ .Values.artifactory.license.secret }} + {{- else if .Values.artifactory.license.licenseKey }} + secretName: {{ template "artifactory-ha.fullname" . }}-license + {{- end }} + {{- end }} + {{- if or (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) .Values.artifactory.accessAdmin.password }} + - name: access-bootstrap-creds + secret: + {{- if and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey }} + secretName: {{ .Values.artifactory.accessAdmin.secret }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-bootstrap-creds + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" $ }}-data-pvc-{{ $sharedClaimNumber }} + {{- end }} + - name: artifactory-ha-backup + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" $ }}-backup-pvc + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" . }}-data-pvc + - name: artifactory-ha-backup + persistentVolumeClaim: + claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc + {{- end }} + - name: systemyaml + secret: + secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + persistentVolumeClaim: + claimName: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: filebeat-config + configMap: + name: {{ template "artifactory-ha.fullname" . }}-filebeat-config + {{- end }} + {{- if .Values.artifactory.customVolumes }} +{{ tpl .Values.artifactory.customVolumes . | indent 6 }} + {{- end }} + {{- if not .Values.artifactory.persistence.enabled }} + - name: volume + emptyDir: + sizeLimit: {{ .Values.artifactory.persistence.size }} + {{- end }} + volumeClaimTemplates: + {{- if .Values.artifactory.persistence.enabled }} + - metadata: + name: volume + {{- if not .Values.artifactory.primary.persistence.existingClaim }} + spec: + {{- if .Values.artifactory.persistence.storageClassName }} + {{- if (eq "-" .Values.artifactory.persistence.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.persistence.storageClassName }}" + {{- end }} + {{- end }} + accessModes: [ "{{ .Values.artifactory.persistence.accessMode }}" ] + resources: + requests: + storage: {{ .Values.artifactory.persistence.size }} + {{- end }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - metadata: + name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + spec: + {{- if .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }} + {{- if (eq "-" .Values.artifactory.customPersistentPodVolumeClaim.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }}" + {{- end }} + {{- end }} + accessModes: + {{- range .Values.artifactory.customPersistentPodVolumeClaim.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.artifactory.customPersistentPodVolumeClaim.size }} + {{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-priority-class.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-priority-class.yaml new file mode 100755 index 0000000..417ec5c --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-priority-class.yaml @@ -0,0 +1,9 @@ +{{- if .Values.artifactory.priorityClass.create }} +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} +value: {{ .Values.artifactory.priorityClass.value }} +globalDefault: false +description: "Artifactory priority class" +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-role.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-role.yaml new file mode 100755 index 0000000..c86bffd --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-role.yaml @@ -0,0 +1,14 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "artifactory-ha.fullname" . }} +rules: +{{ toYaml .Values.rbac.role.rules }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-rolebinding.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-rolebinding.yaml new file mode 100755 index 0000000..4412870 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-rolebinding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "artifactory-ha.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "artifactory-ha.serviceAccountName" . }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: {{ template "artifactory-ha.fullname" . }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-secrets.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-secrets.yaml new file mode 100755 index 0000000..2665d32 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +data: +{{- if not .Values.artifactory.masterKeySecretName }} + master-key: {{ .Values.artifactory.masterKey | b64enc | quote }} +{{- end }} +{{- if .Values.database.password }} + db-password: {{ .Values.database.password | b64enc | quote }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-service.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-service.yaml new file mode 100755 index 0000000..38d3355 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-service.yaml @@ -0,0 +1,88 @@ +# Service for all Artifactory cluster nodes. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "artifactory-ha.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.artifactory.service.annotations }} + annotations: +{{ toYaml .Values.artifactory.service.annotations | indent 4 }} +{{- end }} +spec: + type: {{ .Values.artifactory.service.type }} + {{- if and (eq .Values.artifactory.service.type "ClusterIP") .Values.artifactory.service.clusterIP }} + clusterIP: {{ .Values.artifactory.service.clusterIP }} + {{- end }} + {{- if .Values.artifactory.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.artifactory.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} + ports: + - port: {{ .Values.artifactory.externalPort }} + targetPort: {{ .Values.artifactory.internalPort }} + protocol: TCP + name: {{ .Release.Name }}-router + - port: {{ .Values.artifactory.externalArtifactoryPort }} + targetPort: {{ .Values.artifactory.internalArtifactoryPort }} + protocol: TCP + name: {{ .Release.Name }}-artifactory + {{- with .Values.artifactory.node.javaOpts.jmx }} + {{- if .enabled }} + - port: {{ .port }} + targetPort: {{ .port }} + protocol: TCP + name: jmx + {{- end }} + {{- end }} + selector: +{{- if eq .Values.artifactory.service.pool "members" }} + role: {{ template "artifactory-ha.node.name" . }} +{{- end }} + app: {{ template "artifactory-ha.name" . }} + component: "{{ .Values.artifactory.name }}" + release: {{ .Release.Name }} +--- +# Internal service for Artifactory primary node only! +# Used by member nodes to check readiness of primary node before starting up +apiVersion: v1 +kind: Service +metadata: + name: {{ template "artifactory-ha.primary.name" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.artifactory.service.type }} + {{- if and (eq .Values.artifactory.service.type "ClusterIP") .Values.artifactory.service.clusterIP }} + clusterIP: {{ .Values.artifactory.service.clusterIP }} + {{- end }} + ports: + - port: {{ .Values.artifactory.externalPort }} + targetPort: {{ .Values.artifactory.internalPort }} + protocol: TCP + name: {{ .Release.Name }}-router + - port: {{ .Values.artifactory.externalArtifactoryPort }} + targetPort: {{ .Values.artifactory.internalArtifactoryPort }} + protocol: TCP + name: {{ .Release.Name }}-artifactory + {{- with .Values.artifactory.primary.javaOpts.jmx }} + {{- if .enabled }} + - port: {{ .port }} + targetPort: {{ .port }} + protocol: TCP + name: jmx + {{- end }} + {{- end }} + selector: + role: {{ template "artifactory-ha.primary.name" . }} + app: {{ template "artifactory-ha.name" . }} + component: "{{ .Values.artifactory.name }}" + release: {{ .Release.Name }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-serviceaccount.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-serviceaccount.yaml new file mode 100755 index 0000000..6ea0b10 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: +{{- if .Values.serviceAccount.annotations }} + annotations: +{{ tpl (toYaml .) $ | indent 4 }} +{{- end}} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "artifactory-ha.serviceAccountName" . }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-storage-pvc.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-storage-pvc.yaml new file mode 100755 index 0000000..e0bfa6b --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-storage-pvc.yaml @@ -0,0 +1,27 @@ +{{ if .Values.artifactory.customPersistentVolumeClaim }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + labels: + app: {{ template "artifactory-ha.name" . }} + version: "{{ .Values.artifactory.version }}" + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + accessModes: + {{- range .Values.artifactory.customPersistentVolumeClaim.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.artifactory.customPersistentVolumeClaim.storageClassName }} + {{- if (eq "-" .Values.artifactory.customPersistentVolumeClaim.storageClassName) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.artifactory.customPersistentVolumeClaim.storageClassName }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ .Values.artifactory.customPersistentVolumeClaim.size | quote }} +{{ end -}} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-system-yaml.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-system-yaml.yaml new file mode 100755 index 0000000..cf8ffba --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/artifactory-system-yaml.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "artifactory-ha.primary.name" . }}-system-yaml + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.artifactory.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +stringData: + system.yaml: | +{{ tpl .Values.artifactory.systemYaml . | indent 4 }} diff --git a/Openshift4/artifactoryha-helm/templates/catalina-logger-configmap.yaml b/Openshift4/artifactoryha-helm/templates/catalina-logger-configmap.yaml new file mode 100755 index 0000000..807fe72 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/catalina-logger-configmap.yaml @@ -0,0 +1,53 @@ +{{- if .Values.artifactory.catalinaLoggers }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-catalina-logger + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + tail-log.sh: | + #!/bin/sh + + LOG_DIR=$1 + LOG_NAME=$2 + PID= + + # Wait for log dir to appear + while [ ! -d ${LOG_DIR} ]; do + sleep 1 + done + sleep 5 + + cd ${LOG_DIR} + + LOG_PREFIX=$(echo ${LOG_NAME} | awk -F\. '{print $1}') + + # Find the log to tail + LOG_FILE=$(ls -1t ./${LOG_PREFIX}.*.log | head -1) + + # echo "Tailing ${LOG_FILE}" + tail -F ${LOG_FILE} & + PID=$! + + # Loop forever to see if a new log was created + while true; do + # Find the latest log + NEW_LOG_FILE=$(ls -1t ./${LOG_PREFIX}.*.log | head -1) + + # If a new log file is found, kill old tail and switch to tailing it + if [ "${LOG_FILE}" != "${NEW_LOG_FILE}" ]; then + kill -9 ${PID} + wait $! 2>/dev/null + LOG_FILE=${NEW_LOG_FILE} + + # echo "Tailing ${LOG_FILE}" + tail -F ${LOG_FILE} & + PID=$! + fi + sleep 2 + done +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/filebeat-configmap.yaml b/Openshift4/artifactoryha-helm/templates/filebeat-configmap.yaml new file mode 100755 index 0000000..d2db2a0 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/filebeat-configmap.yaml @@ -0,0 +1,15 @@ +{{- if .Values.filebeat.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.name" . }}-filebeat-config + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} +data: + filebeat.yml: | +{{ tpl .Values.filebeat.filebeatYml . | indent 4 }} +{{- end -}} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/ingress.yaml b/Openshift4/artifactoryha-helm/templates/ingress.yaml new file mode 100755 index 0000000..e8e2fd2 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/ingress.yaml @@ -0,0 +1,56 @@ +{{- if .Values.ingress.enabled -}} +{{- $serviceName := include "artifactory-ha.fullname" . -}} +{{- $servicePort := .Values.artifactory.externalPort -}} +{{- $artifactoryServicePort := .Values.artifactory.externalArtifactoryPort -}} +{{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "artifactory-ha.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.ingress.labels }} +{{ .Values.ingress.labels | toYaml | trimSuffix "\n"| indent 4 -}} +{{- end}} +{{- if .Values.ingress.annotations }} + annotations: + force-update: "{{ randAlpha 63 | lower }}" +{{ .Values.ingress.annotations | toYaml | trimSuffix "\n" | indent 4 -}} +{{- end }} +spec: + {{- if .Values.ingress.defaultBackend.enabled }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + rules: +{{- if .Values.ingress.hosts }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host | quote }} + http: + paths: + - path: {{ $.Values.ingress.routerPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + - path: {{ $.Values.ingress.artifactoryPath }} + backend: + serviceName: {{ $serviceName }} + servicePort: {{ $artifactoryServicePort }} + {{- end -}} +{{- end -}} + {{- with .Values.ingress.additionalRules }} +{{ tpl . $ | indent 2 }} + {{- end }} + + {{- if .Values.ingress.tls }} + tls: +{{ toYaml .Values.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-artifactory-conf.yaml b/Openshift4/artifactoryha-helm/templates/nginx-artifactory-conf.yaml new file mode 100755 index 0000000..eb1f0e6 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/nginx-artifactory-conf.yaml @@ -0,0 +1,14 @@ +{{- if and (not .Values.nginx.customArtifactoryConfigMap) .Values.nginx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + artifactory.conf: | +{{ tpl .Values.nginx.artifactoryConf . | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/nginx-certificate-secret.yaml b/Openshift4/artifactoryha-helm/templates/nginx-certificate-secret.yaml new file mode 100755 index 0000000..2c1430a --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/nginx-certificate-secret.yaml @@ -0,0 +1,14 @@ +{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ template "artifactory-ha.fullname" . }}-nginx-certificate + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: +{{ ( include "artifactory-ha.gen-certs" . ) | indent 2 }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-conf.yaml b/Openshift4/artifactoryha-helm/templates/nginx-conf.yaml new file mode 100755 index 0000000..5f424d5 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/nginx-conf.yaml @@ -0,0 +1,14 @@ +{{- if and (not .Values.nginx.customConfigMap) .Values.nginx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "artifactory-ha.fullname" . }}-nginx-conf + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + nginx.conf: | +{{ tpl .Values.nginx.mainConf . | indent 4 }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-deployment.yaml b/Openshift4/artifactoryha-helm/templates/nginx-deployment.yaml new file mode 100755 index 0000000..4bc3f79 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/nginx-deployment.yaml @@ -0,0 +1,185 @@ +{{- if .Values.nginx.enabled -}} +{{- $serviceName := include "artifactory-ha.fullname" . -}} +{{- $servicePort := .Values.artifactory.externalPort -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "artifactory-ha.nginx.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.nginx.replicaCount }} + selector: + matchLabels: + app: {{ template "artifactory-ha.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} + template: + metadata: + annotations: + checksum/nginx-conf: {{ include (print $.Template.BasePath "/nginx-conf.yaml") . | sha256sum }} + checksum/nginx-artifactory-conf: {{ include (print $.Template.BasePath "/nginx-artifactory-conf.yaml") . | sha256sum }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + component: {{ .Values.nginx.name }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + initContainers: + - name: "setup" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + command: + - '/bin/sh' + - '-c' + - > + rm -rfv {{ .Values.nginx.persistence.mountPath }}/lost+found; + mkdir -p {{ .Values.nginx.persistence.mountPath }}/logs; + volumeMounts: + - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} + name: nginx-volume + securityContext: + runAsUser: {{ .Values.nginx.uid }} + fsGroup: {{ .Values.nginx.gid }} + containers: + - name: {{ .Values.nginx.name }} + image: '{{ .Values.nginx.image.repository }}:{{ default .Chart.AppVersion .Values.nginx.image.version }}' + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + command: + - 'nginx' + - '-g' + - 'daemon off;' + ports: + # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.1 and + # will be cleaned up in a later version + {{- if .Values.nginx.http }} + {{- if .Values.nginx.http.enabled }} + - containerPort: {{ .Values.nginx.http.internalPort }} + {{- end }} + {{- else }} # DEPRECATED + - containerPort: {{ .Values.nginx.internalPortHttp }} + {{- end }} + {{- if .Values.nginx.https }} + {{- if .Values.nginx.https.enabled }} + - containerPort: {{ .Values.nginx.https.internalPort }} + {{- end }} + {{- else }} # DEPRECATED + - containerPort: {{ .Values.nginx.internalPortHttps }} + {{- end }} + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: nginx-artifactory-conf + mountPath: "{{ .Values.nginx.persistence.mountPath }}/conf.d/" + - name: nginx-volume + mountPath: {{ .Values.nginx.persistence.mountPath | quote }} + - name: ssl-certificates + mountPath: "{{ .Values.nginx.persistence.mountPath }}/ssl" + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} + {{- if .Values.nginx.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.nginx.readinessProbe.path }} + {{- if .Values.nginx.http.enabled }} + port: {{ .Values.nginx.http.internalPort }} + scheme: HTTP + {{- else }} + port: {{ .Values.nginx.https.internalPort }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: {{ .Values.nginx.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.nginx.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.nginx.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.nginx.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.nginx.readinessProbe.successThreshold }} + {{- end }} + {{- if .Values.nginx.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.nginx.livenessProbe.path }} + {{- if .Values.nginx.http.enabled }} + port: {{ .Values.nginx.http.internalPort }} + scheme: HTTP + {{- else }} + port: {{ .Values.nginx.https.internalPort }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: {{ .Values.nginx.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.nginx.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.nginx.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.nginx.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.nginx.livenessProbe.successThreshold }} + {{- end }} + {{- $image := .Values.logger.image.repository }} + {{- $tag := .Values.logger.image.tag }} + {{- $mountPath := .Values.nginx.persistence.mountPath }} + {{- range .Values.nginx.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: '{{ $image }}:{{ $tag }}' + command: + - tail + args: + - '-F' + - '{{ $mountPath }}/logs/{{ . }}' + volumeMounts: + - name: nginx-volume + mountPath: {{ $mountPath }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: nginx-conf + configMap: + {{- if .Values.nginx.customConfigMap }} + name: {{ .Values.nginx.customConfigMap }} + {{- else }} + name: {{ template "artifactory-ha.fullname" . }}-nginx-conf + {{- end }} + - name: nginx-artifactory-conf + configMap: + {{- if .Values.nginx.customArtifactoryConfigMap }} + name: {{ .Values.nginx.customArtifactoryConfigMap }} + {{- else }} + name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf + {{- end }} + + - name: nginx-volume + {{- if .Values.nginx.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.nginx.persistence.existingClaim | default (include "artifactory-ha.nginx.fullname" .) }} + {{- else }} + emptyDir: {} + {{- end }} + - name: ssl-certificates + secret: + {{- if .Values.nginx.tlsSecretName }} + secretName: {{ .Values.nginx.tlsSecretName }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-nginx-certificate + {{- end }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-pvc.yaml b/Openshift4/artifactoryha-helm/templates/nginx-pvc.yaml new file mode 100755 index 0000000..68a89ce --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/nginx-pvc.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.nginx.persistence.enabled (.Values.nginx.enabled) (eq (int .Values.nginx.replicaCount) 1) }} +{{- if (not .Values.nginx.persistence.existingClaim) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.nginx.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + accessModes: + - {{ .Values.nginx.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.nginx.persistence.size | quote }} +{{- if .Values.nginx.persistence.storageClass }} +{{- if (eq "-" .Values.nginx.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.nginx.persistence.storageClass }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-service.yaml b/Openshift4/artifactoryha-helm/templates/nginx-service.yaml new file mode 100755 index 0000000..7a212e0 --- /dev/null +++ b/Openshift4/artifactoryha-helm/templates/nginx-service.yaml @@ -0,0 +1,69 @@ +{{- if .Values.nginx.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "artifactory-ha.nginx.fullname" . }} + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.nginx.name }} + {{- if .Values.nginx.service.labels }} +{{ toYaml .Values.nginx.service.labels | indent 4 }} + {{- end }} +{{- if .Values.nginx.service.annotations }} + annotations: +{{ toYaml .Values.nginx.service.annotations | indent 4 }} +{{- end }} +spec: + type: {{ .Values.nginx.service.type }} + {{- if and (eq .Values.nginx.service.type "ClusterIP") .Values.nginx.service.clusterIP }} + clusterIP: {{ .Values.nginx.service.clusterIP }} + {{- end }} +{{- if eq .Values.nginx.service.type "LoadBalancer" }} + {{ if .Values.nginx.service.loadBalancerIP -}} + loadBalancerIP: {{ .Values.nginx.service.loadBalancerIP }} + {{ end -}} + {{- if .Values.nginx.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.nginx.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if .Values.nginx.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.nginx.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} + ports: + # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.0 and + # will be cleaned up in a later verion + {{- if .Values.nginx.http }} + {{- if .Values.nginx.http.enabled }} + - port: {{ .Values.nginx.http.externalPort }} + targetPort: {{ .Values.nginx.http.internalPort }} + protocol: TCP + name: http + {{- end }} + {{- else }} # DEPRECATED + - port: {{ .Values.nginx.externalPortHttp }} + targetPort: {{ .Values.nginx.internalPortHttp }} + protocol: TCP + name: http + {{- end }} + {{- if .Values.nginx.https }} + {{- if .Values.nginx.https.enabled }} + - port: {{ .Values.nginx.https.externalPort }} + targetPort: {{ .Values.nginx.https.internalPort }} + protocol: TCP + name: https + {{- end }} + {{- else }} # DEPRECATED + - port: {{ .Values.nginx.externalPortHttps }} + targetPort: {{ .Values.nginx.internalPortHttps }} + protocol: TCP + name: https + {{- end }} + selector: + app: {{ template "artifactory-ha.name" . }} + component: {{ .Values.nginx.name }} + release: {{ .Release.Name }} +{{- end }} diff --git a/Openshift4/artifactoryha-helm/values-large.yaml b/Openshift4/artifactoryha-helm/values-large.yaml new file mode 100755 index 0000000..ec05d2a --- /dev/null +++ b/Openshift4/artifactoryha-helm/values-large.yaml @@ -0,0 +1,24 @@ +artifactory: + primary: + resources: + requests: + memory: "6Gi" + cpu: "4" + limits: + memory: "10Gi" + cpu: "8" + javaOpts: + xms: "6g" + xmx: "8g" + node: + replicaCount: 3 + resources: + requests: + memory: "6Gi" + cpu: "4" + limits: + memory: "10Gi" + cpu: "8" + javaOpts: + xms: "6g" + xmx: "8g" diff --git a/Openshift4/artifactoryha-helm/values-medium.yaml b/Openshift4/artifactoryha-helm/values-medium.yaml new file mode 100755 index 0000000..33879c0 --- /dev/null +++ b/Openshift4/artifactoryha-helm/values-medium.yaml @@ -0,0 +1,24 @@ +artifactory: + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "8Gi" + cpu: "6" + javaOpts: + xms: "4g" + xmx: "6g" + node: + replicaCount: 2 + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "8Gi" + cpu: "6" + javaOpts: + xms: "4g" + xmx: "6g" diff --git a/Openshift4/artifactoryha-helm/values-small.yaml b/Openshift4/artifactoryha-helm/values-small.yaml new file mode 100755 index 0000000..4babf97 --- /dev/null +++ b/Openshift4/artifactoryha-helm/values-small.yaml @@ -0,0 +1,24 @@ +artifactory: + primary: + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + node: + replicaCount: 1 + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" diff --git a/Openshift4/artifactoryha-helm/values.yaml b/Openshift4/artifactoryha-helm/values.yaml new file mode 100755 index 0000000..ce07ccb --- /dev/null +++ b/Openshift4/artifactoryha-helm/values.yaml @@ -0,0 +1,1330 @@ +# Default values for artifactory-ha. +# This is a YAML-formatted file. +# Beware when changing values here. You should know what you are doing! +# Access the values with {{ .Values.key.subkey }} + +# Common +initContainerImage: "alpine:3.10" + +installer: + type: + platform: + +# For supporting pulling from private registries +imagePullSecrets: + +## Role Based Access Control +## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ +rbac: + create: true + role: + ## Rules to create. It follows the role specification + rules: + - apiGroups: + - '' + resources: + - services + - endpoints + - pods + verbs: + - get + - watch + - list + +## Service Account +## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ +## +serviceAccount: + create: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + annotations: {} + +ingress: + enabled: false + defaultBackend: + enabled: true + # Used to create an Ingress record. + hosts: [] + routerPath: / + artifactoryPath: /artifactory/ + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + # traffic-type: external + # traffic-type: internal + tls: [] + # Secrets must be manually created in the namespace. + # - secretName: chart-example-tls + # hosts: + # - artifactory.domain.example + + # Additional ingress rules + additionalRules: [] + + +networkpolicy: + # Allows all ingress and egress + - name: artifactory + podSelector: + matchLabels: + app: artifactory-ha + egress: + - {} + ingress: + - {} + # Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) + # - name: postgresql + # podSelector: + # matchLabels: + # app: postgresql + # ingress: + # - from: + # - podSelector: + # matchLabels: + # app: artifactory-ha + + +## Database configurations +## Use the wait-for-db init container. Set to false to skip +waitForDatabase: true + +## Configuration values for the postgresql dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## +postgresql: + enabled: true + image: + registry: docker.bintray.io + repository: bitnami/postgresql + tag: 9.6.15-debian-9-r91 + postgresqlUsername: artifactory + postgresqlPassword: "" + postgresqlDatabase: artifactory + postgresqlConfiguration: + listenAddresses: "'*'" + maxConnections: "1500" + persistence: + enabled: true + size: 50Gi + service: + port: 5432 + resources: {} + # requests: + # memory: "512Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "500m" + nodeSelector: {} + +## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), +## you MUST specify custom database details here or Artifactory will NOT start +database: + type: + driver: + ## If you set the url, leave host and port empty + url: + ## If you would like this chart to create the secret containing the db + ## password, use these values + user: + password: + ## If you have existing Kubernetes secrets containing db credentials, use + ## these values + secrets: {} + # user: + # name: "rds-artifactory" + # key: "db-user" + # password: + # name: "{{ .Release.Name}}}}-postgresql" + # key: "postgresql-password" + # url: + # name: "rds-artifactory" + # key: "db-url" + +logger: + image: + repository: 'busybox' + tag: '1.30' + +# Artifactory +artifactory: + name: artifactory-ha + image: + # repository: "docker.bintray.io/jfrog/artifactory-pro" + repository: "peters95/artifactory-pro" + # Note that by default we use appVersion to get image tag + # version: + pullPolicy: IfNotPresent + + # Create a priority class for the Artifactory pods or use an existing one + # NOTE - Maximum allowed value of a user defined priority is 1000000000 + priorityClass: + create: false + value: 1000000000 + ## Override default name + # name: + ## Use an existing priority class + # existingPriorityClass: + + # Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties + deleteDBPropertiesOnStartup: true + database: + maxOpenConnections: 80 + + # This directory is intended for use with NFS eventual configuration for HA + haDataDir: + enabled: false + path: + + # Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup + copyOnEveryStartup: + # # Absolute path + # - source: /artifactory_extra_conf/binarystore.xml + # # Relative to ARTIFACTORY_HOME/ + # target: etc/ + # # Absolute path + # - source: /artifactory_extra_conf/artifactory.lic + # # Relative to ARTIFACTORY_HOME/ + # target: etc/ + + # Sidecar containers for tailing Artifactory logs + loggers: [] + # - request.log + # - event.log + # - binarystore.log + # - request_trace.log + # - access.log + # - artifactory.log + # - build_info_migration.log + + # Sidecar containers for tailing Tomcat (catalina) logs + catalinaLoggers: [] + # - catalina.log + # - host-manager.log + # - localhost.log + # - manager.log + + ## Add custom init containers execution before predefined init containers + customInitContainersBegin: | + - name: "custom-setup" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + command: + - 'sh' + - '-c' + - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}' + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: volume + ## Add custom init containers + + ## Add custom init containers execution after predefined init containers + customInitContainers: | + # - name: "custom-setup" + # image: "{{ .Values.initContainerImage }}" + # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume + + ## Add custom sidecar containers + # - The provided example uses a custom volume (customVolumes) + # - The provided example shows running container as root (id 0) + customSidecarContainers: | + # - name: "sidecar-list-etc" + # image: "{{ .Values.initContainerImage }}" + # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + # securityContext: + # runAsUser: 0 + # fsGroup: 0 + # command: + # - 'sh' + # - '-c' + # - 'sh /scripts/script.sh' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume + # - mountPath: "/scripts/script.sh" + # name: custom-script + # subPath: script.sh + # resources: + # requests: + # memory: "32Mi" + # cpu: "50m" + # limits: + # memory: "128Mi" + # cpu: "100m" + + ## Add custom volumes + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script + + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: "/scripts/script.sh" + # subPath: script.sh + # - name: posthook-start + # mountPath: "/scripts/posthoook-start.sh" + # subPath: posthoook-start.sh + # - name: prehook-start + # mountPath: "/scripts/prehook-start.sh" + # subPath: prehook-start.sh + + # Add custom persistent volume mounts - Available for the pod + customPersistentPodVolumeClaim: {} + # name: + # mountPath: + # accessModes: + # - "-" + # size: + # storageClassName: + + # Add custom persistent volume mounts - Available to the entire namespace + customPersistentVolumeClaim: {} + # name: + # mountPath: + # accessModes: + # - "-" + # size: + # storageClassName: + + ## Artifactory HA requires a unique master key. Each Artifactory node must have the same master key! + ## You can generate one with the command: 'openssl rand -hex 16' + ## Pass it to helm with '--set artifactory.masterKey=${MASTER_KEY}' + ## Alternatively, you can use a pre-existing secret with a key called master-key by specifying masterKeySecretName + ## IMPORTANT: You should NOT use the example masterKey for a production deployment! + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + # masterKeySecretName: + + ## Join Key to connect to other services to Artifactory + ## IMPORTANT: You should NOT use the example joinKey for a production deployment! + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + + binarystore: + enabled: true + + accessAdmin: + ip: "127.0.0.1" + password: + secret: + dataKey: + + ## Artifactory license. + license: + ## licenseKey is the license key in plain text. Use either this or the license.secret setting + licenseKey: + ## If artifactory.license.secret is passed, it will be mounted as + ## ARTIFACTORY_HOME/etc/artifactory.lic and loaded at run time. + secret: + ## The dataKey should be the name of the secret data key created. + dataKey: + + ## Create configMap with artifactory.config.import.xml and security.import.xml and pass name of configMap in following parameter + configMapName: + + # Add any list of configmaps to Artifactory + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" + + ## List of secrets for Artifactory user plugins. + ## One Secret per plugin's files. + userPluginSecrets: + # - archive-old-artifacts + # - build-cleanup + # - webhook + # - '{{ template "my-chart.fullname" . }}' + + ## Extra pre-start command to install JDBC driver for MySql/MariaDb/Oracle + # preStartCommand: "wget -O /opt/jfrog/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + ## Extra post-start command to run extra commands after container starts + # postStartCommand: + + ## Extra environment variables that can be used to tune Artifactory to your needs. + ## Uncomment and set value as needed + #extraEnvironmentVariables: | + # - name: JF_SHARED_DATABSE_USERNAME + # value: "artifactory" + # - name: JF_SHARED_DATABASE_PASSWORD + # valueFrom: + # secretKeyRef: + # name: {{ .Release.Name }}-postgresql + # key: postgresql-password + # - name: POSTGRES_DB + # value: "artifactory" + + # TODO: Fix javaOpts for member nodes (currently uses primary settings for all nodes) + systemYaml: | + shared: + extraJavaOpts: > + {{- with .Values.artifactory.primary.javaOpts }} + -Dartifactory.async.corePoolSize={{ .corePoolSize }} + {{- if .xms }} + -Xms{{ .xms }} + {{- end }} + {{- if .xmx }} + -Xmx{{ .xmx }} + {{- end }} + {{- if .jmx.enabled }} + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} + {{- if .jmx.host }} + -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} + {{- else }} + -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} + {{- end }} + {{- if .jmx.authenticate }} + -Dcom.sun.management.jmxremote.authenticate=true + -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} + -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} + {{- else }} + -Dcom.sun.management.jmxremote.authenticate=false + {{- end }} + {{- end }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + database: + {{- if .Values.postgresql.enabled }} + type: postgresql + url: 'jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}' + host: '' + driver: org.postgresql.Driver + username: '{{ .Values.postgresql.postgresqlUsername }}' + password: '{{ .Values.postgresql.postgresqlPassword }}' + {{ else }} + type: '{{ .Values.database.type }}' + url: '{{ .Values.database.url }}' + driver: '{{ .Values.database.driver }}' + username: '{{ .Values.database.user }}' + password: '{{ .Values.database.password }}' + {{- end }} + security: + joinKey: '{{ .Values.artifactory.joinKey }}' + masterKey: '{{ .Values.artifactory.masterKey }}' + artifactory: + {{- if .Values.artifactory.haDataDir.enabled }} + node: + haDataDir: {{ .Values.artifactory.haDataDir.path }} + {{- end }} + database: + maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} + access: + database: + maxOpenConnections: '{{ .Values.access.database.maxOpenConnections }}' + {{- if .Values.access.database.enabled }} + type: '{{ .Values.access.database.type }}' + url: '{{ .Values.access.database.url }}' + driver: '{{ .Values.access.database.driver }}' + username: '{{ .Values.access.database.user }}' + password: '{{ .Values.access.database.password }}' + {{- end }} + + ## IMPORTANT: If overriding artifactory.internalPort: + ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024! + externalPort: 8082 + internalPort: 8082 + externalArtifactoryPort: 8081 + internalArtifactoryPort: 8081 + uid: 1030 + terminationGracePeriodSeconds: 30 + ## The following settings are to configure the frequency of the liveness and readiness probes + livenessProbe: + enabled: true + path: /router/api/v1/system/health + initialDelaySeconds: 180 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + + readinessProbe: + enabled: true + path: /router/api/v1/system/health + initialDelaySeconds: 60 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + + persistence: + enabled: true + local: false + redundancy: 3 + mountPath: "/var/opt/jfrog/artifactory" + accessMode: ReadWriteOnce + size: 200Gi + + ## Use a custom Secret to be mounted as your binarystore.xml + ## NOTE: This will ignore all settings below that make up binarystore.xml + customBinarystoreXmlSecret: + + maxCacheSize: 50000000000 + cacheProviderDir: cache + eventual: + numberOfThreads: 10 + ## artifactory data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClassName: "-" + + ## Set the persistence storage type. This will apply the matching binarystore.xml to Artifactory config + ## Supported types are: + ## file-system (default) + ## nfs + ## google-storage + ## aws-s3 + ## azure-blob + type: file-system + + ## Use binarystoreXml to provide a custom binarystore.xml + ## This can be a template or hardcoded. + binarystoreXml: | + {{- if eq .Values.artifactory.persistence.type "file-system" }} + + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + + + + + + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} + + {{- end }} + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + // Specify the read and write strategy and redundancy for the sharding binary provider + + roundRobin + percentageFreeSpace + 2 + + + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} + //For each sub-provider (mount), specify the filestore location + + filestore{{ $sharedClaimNumber }} + + {{- end }} + + {{- else }} + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + 2 + 2 + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + + shard-fs-1 + local + + + + + 30 + tester-remote1 + 10000 + remote + + + + {{- end }} + {{- end }} + {{- if eq .Values.artifactory.persistence.type "google-storage" }} + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + 2 + + + + + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + local + + + + 30 + 10000 + remote + + + + {{ .Values.artifactory.persistence.mountPath }}/data/filestore + /tmp + + + + google-cloud-storage + {{ .Values.artifactory.persistence.googleStorage.endpoint }} + {{ .Values.artifactory.persistence.googleStorage.httpsOnly }} + {{ .Values.artifactory.persistence.googleStorage.bucketName }} + {{ .Values.artifactory.persistence.googleStorage.identity }} + {{ .Values.artifactory.persistence.googleStorage.credential }} + {{ .Values.artifactory.persistence.googleStorage.path }} + {{ .Values.artifactory.persistence.googleStorage.bucketExists }} + + + {{- end }} + {{- if eq .Values.artifactory.persistence.type "aws-s3-v3" }} + + + + + + + + + + + + + + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + + + + + remote + + + + local + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + {{- with .Values.artifactory.persistence.awsS3V3 }} + + {{ .testConnection }} + {{- if .identity }} + {{ .identity }} + {{- end }} + {{- if .credential }} + {{ .credential }} + {{- end }} + {{ .region }} + {{ .bucketName }} + {{ .path }} + {{ .endpoint }} + {{- with .kmsServerSideEncryptionKeyId }} + {{ . }} + {{- end }} + {{- with .kmsKeyRegion }} + {{ . }} + {{- end }} + {{- with .kmsCryptoMode }} + {{ . }} + {{- end }} + true + {{ .usePresigning }} + {{ .signatureExpirySeconds }} + {{- with .cloudFrontDomainName }} + {{ . }} + {{- end }} + {{- with .cloudFrontKeyPairId }} + {{ .cloudFrontKeyPairId }} + {{- end }} + {{- with .cloudFrontPrivateKey }} + {{ . }} + {{- end }} + + {{- end }} + + {{- end }} + + {{- if eq .Values.artifactory.persistence.type "aws-s3" }} + + + + + + + + + + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + local + + + + 30 + 10000 + remote + + + + crossNetworkStrategy + crossNetworkStrategy + {{ .Values.artifactory.persistence.redundancy }} + + + + + {{ .Values.artifactory.persistence.awsS3.endpoint }} + {{- if .Values.artifactory.persistence.awsS3.roleName }} + {{ .Values.artifactory.persistence.awsS3.roleName }} + true + {{- else }} + {{ .Values.artifactory.persistence.awsS3.refreshCredentials }} + {{- end }} + {{ .Values.artifactory.persistence.awsS3.s3AwsVersion }} + {{ .Values.artifactory.persistence.awsS3.testConnection }} + {{ .Values.artifactory.persistence.awsS3.httpsOnly }} + {{ .Values.artifactory.persistence.awsS3.region }} + {{ .Values.artifactory.persistence.awsS3.bucketName }} + {{- if .Values.artifactory.persistence.awsS3.identity }} + {{ .Values.artifactory.persistence.awsS3.identity }} + {{- end }} + {{- if .Values.artifactory.persistence.awsS3.credential }} + {{ .Values.artifactory.persistence.awsS3.credential }} + {{- end }} + {{ .Values.artifactory.persistence.awsS3.path }} + {{- range $key, $value := .Values.artifactory.persistence.awsS3.properties }} + + {{- end }} + + + {{- end }} + {{- if eq .Values.artifactory.persistence.type "azure-blob" }} + + + + + + + + + + + + + + + + + + {{ .Values.artifactory.persistence.maxCacheSize }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + + + + crossNetworkStrategy + crossNetworkStrategy + 2 + 1 + + + + + remote + + + + local + + + + + {{ .Values.artifactory.persistence.azureBlob.accountName }} + {{ .Values.artifactory.persistence.azureBlob.accountKey }} + {{ .Values.artifactory.persistence.azureBlob.endpoint }} + {{ .Values.artifactory.persistence.azureBlob.containerName }} + {{ .Values.artifactory.persistence.azureBlob.testConnection }} + + + {{- end }} + + ## For artifactory.persistence.type file-system + fileSystem: + ## You may also use existing shared claims for the data and backup storage. This allows storage (NAS for example) to be used for Data and Backup dirs which are safe to share across multiple artifactory nodes. + ## You may specify numberOfExistingClaims to indicate how many of these existing shared claims to mount. (Default = 1) + ## Create PVCs with ReadWriteMany that match the naming convetions: + ## {{ template "artifactory-ha.fullname" . }}-data-pvc- + ## {{ template "artifactory-ha.fullname" . }}-backup-pvc- + ## Example (using numberOfExistingClaims: 2) + ## myexample-artifactory-ha-data-pvc-0 + ## myexample-artifactory-ha-backup-pvc-0 + ## myexample-artifactory-ha-data-pvc-1 + ## myexample-artifactory-ha-backup-pvc-1 + ## Note: While you need two PVC fronting two PVs, multiple PVs can be attached to the same storage in many cases allowing you to share an underlying drive. + + ## Need to have the following set + existingSharedClaim: + enabled: false + numberOfExistingClaims: 1 + ## Should be a child directory of {{ .Values.artifactory.persistence.mountPath }} + dataDir: "{{ .Values.artifactory.persistence.mountPath }}/artifactory-data" + backupDir: "/var/opt/jfrog/artifactory-backup" + + + ## For artifactory.persistence.type nfs + ## If using NFS as the shared storage, you must have a running NFS server that is accessible by your Kubernetes + ## cluster nodes. + ## Need to have the following set + nfs: + # Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' + ip: + haDataMount: "/data" + haBackupMount: "/backup" + dataDir: "/var/opt/jfrog/artifactory-ha" + backupDir: "/var/opt/jfrog/artifactory-backup" + capacity: 200Gi + mountOptions: [] + ## For artifactory.persistence.type google-storage + googleStorage: + endpoint: storage.googleapis.com + httpsOnly: false + # Set a unique bucket name + bucketName: "artifactory-ha-gcp" + identity: + credential: + path: "artifactory-ha/filestore" + bucketExists: false + + ## For artifactory.persistence.type aws-s3-v3 + awsS3V3: + testConnection: false + identity: + credential: + region: + bucketName: artifactory-aws + path: artifactory/filestore + endpoint: + kmsServerSideEncryptionKeyId: + kmsKeyRegion: + kmsCryptoMode: + useInstanceCredentials: true + usePresigning: false + signatureExpirySeconds: 300 + cloudFrontDomainName: + cloudFrontKeyPairId: + cloudFrontPrivateKey: + + ## For artifactory.persistence.type aws-s3 + ## IMPORTANT: Make sure S3 `endpoint` and `region` match! See https://docs.aws.amazon.com/general/latest/gr/rande.html + awsS3: + # Set a unique bucket name + bucketName: "artifactory-ha-aws" + endpoint: + region: + roleName: + identity: + credential: + path: "artifactory-ha/filestore" + refreshCredentials: true + httpsOnly: true + testConnection: false + s3AwsVersion: "AWS4-HMAC-SHA256" + + ## Additional properties to set on the s3 provider + properties: {} + # httpclient.max-connections: 100 + ## For artifactory.persistence.type azure-blob + azureBlob: + accountName: + accountKey: + endpoint: + containerName: + testConnection: false + service: + name: artifactory + type: ClusterIP + ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + annotations: {} + ## Which nodes in the cluster should be in the external load balancer pool (have external traffic routed to them) + ## Supported pool values + ## members + ## all + pool: members + + ## The following Java options are passed to the java process running Artifactory. + ## This will be passed to all cluster members. Primary and member nodes. + javaOpts: {} + # other: "" + annotations: {} + + ## Type specific configurations. + ## There is a difference between the primary and the member nodes. + ## Customising their resources and java parameters is done here. + primary: + name: artifactory-ha-primary + labels: {} + persistence: + ## Set existingClaim to true or false + ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-primary-0` + existingClaim: false + ## Resources for the primary node + resources: {} + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" + ## The following Java options are passed to the java process running Artifactory primary node. + ## You should set them according to the resources set above + javaOpts: + # xms: "1g" + # xmx: "2g" + corePoolSize: 16 + jmx: + enabled: false + port: 9010 + host: + ssl: false + # When authenticate is true, accessFile and passwordFile are required + authenticate: false + accessFile: + passwordFile: + # other: "" + nodeSelector: {} + + tolerations: [] + + affinity: {} + ## Only used if "affinity" is empty + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "" + topologyKey: "kubernetes.io/hostname" + + node: + name: artifactory-ha-member + labels: {} + persistence: + ## Set existingClaim to true or false + ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-member-0` + existingClaim: false + replicaCount: 2 + minAvailable: 1 + ## Resources for the member nodes + resources: {} + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" + ## The following Java options are passed to the java process running Artifactory member nodes. + ## You should set them according to the resources set above + javaOpts: + # xms: "1g" + # xmx: "2g" + corePoolSize: 16 + jmx: + enabled: false + port: 9010 + host: + ssl: false + # When authenticate is true, accessFile and passwordFile are required + authenticate: false + accessFile: + passwordFile: + # other: "" + # xms: "1g" + # xmx: "2g" + # other: "" + nodeSelector: {} + waitForPrimaryStartup: + enabled: true + time: 60 + + tolerations: [] + + ## Complete specification of the "affinity" of the member nodes; if this is non-empty, + ## "podAntiAffinity" values are not used. + affinity: {} + + ## Only used if "affinity" is empty + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "" + topologyKey: "kubernetes.io/hostname" + +access: + database: + maxOpenConnections: 80 + +# Init containers +initContainers: + resources: {} +# requests: +# memory: "64Mi" +# cpu: "10m" +# limits: +# memory: "128Mi" +# cpu: "250m" + + +# Nginx +nginx: + enabled: true + name: nginx + labels: {} + replicaCount: 1 + uid: 104 + gid: 107 + image: + # repository: "docker.bintray.io/jfrog/nginx-artifactory-pro" + repository: "peters95/nginx-artifactory-pro" + # Note that by default we use appVersion to get image tag + # version: + pullPolicy: IfNotPresent + + + # Sidecar containers for tailing Nginx logs + loggers: [] + # - access.log + # - error.log + + mainConf: | + # Main Nginx configuration file + worker_processes 4; + error_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 32k; + proxy_buffers 40 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + log_format timing 'ip = $remote_addr ' + 'user = \"$remote_user\" ' + 'local_time = \"$time_local\" ' + 'host = $host ' + 'request = \"$request\" ' + 'status = $status ' + 'bytes = $body_bytes_sent ' + 'upstream = \"$upstream_addr\" ' + 'upstream_time = $upstream_response_time ' + 'request_time = $request_time ' + 'referer = \"$http_referer\" ' + 'UA = \"$http_user_agent\"'; + access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; + sendfile on; + #tcp_nopush on; + keepalive_timeout 65; + #gzip on; + include /etc/nginx/conf.d/*.conf; + } + + artifactoryConf: | + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; + ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + ## server configuration + server { + {{- if .Values.nginx.internalPortHttps }} + listen {{ .Values.nginx.internalPortHttps }} ssl; + {{- else -}} + {{- if .Values.nginx.https.enabled }} + listen {{ .Values.nginx.https.internalPort }} ssl; + {{- end }} + {{- end }} + {{- if .Values.nginx.internalPortHttp }} + listen {{ .Values.nginx.internalPortHttp }}; + {{- else -}} + {{- if .Values.nginx.http.enabled }} + listen {{ .Values.nginx.http.internalPort }}; + {{- end }} + {{- end }} + server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} + {{- range .Values.ingress.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ (splitn "." 2 .)._1 }} {{ . }} + {{- end -}} + {{- end -}}; + + if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; + } + ## Application specific logs + ## access_log /var/log/nginx/artifactory-access.log timing; + ## error_log /var/log/nginx/artifactory-error.log; + rewrite ^/artifactory/?$ / redirect; + if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; + } + chunked_transfer_encoding on; + client_max_body_size 0; + + location / { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/; + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location /artifactory/ { + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; + } + proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; + } + } + } + + service: + ## For minikube, set this to NodePort, elsewhere use LoadBalancer + #type: NodePort + type: LoadBalancer + #type: ClusterIP + ## For supporting whitelist on the Nginx LoadBalancer service + ## Set this to a list of IP CIDR ranges + ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] + ## or pass from helm command line + ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' + loadBalancerSourceRanges: [] + ## Provide static ip address + loadBalancerIP: + ## There are two available options: “Cluster” (default) and “Local”. + externalTrafficPolicy: Cluster + labels: {} + # label-key: label-value + http: + enabled: true + externalPort: 80 + internalPort: 80 + https: + enabled: true + externalPort: 443 + internalPort: 443 + # DEPRECATED: The following will be replaced by L1065-L1076 in a future release + # externalPortHttp: 80 + # internalPortHttp: 80 + # externalPortHttps: 443 + # internalPortHttps: 443 + + ## The following settings are to configure the frequency of the liveness and readiness probes + livenessProbe: + enabled: true + path: /router/api/v1/system/health + initialDelaySeconds: 60 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + + readinessProbe: + enabled: true + path: /router/api/v1/system/health + initialDelaySeconds: 10 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + ## The SSL secret that will be used by the Nginx pod + # tlsSecretName: chart-example-tls + ## Custom ConfigMap for nginx.conf + customConfigMap: + ## Custom ConfigMap for artifactory.conf + customArtifactoryConfigMap: + persistence: + mountPath: "/var/opt/jfrog/nginx" + enabled: false + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + + accessMode: ReadWriteOnce + size: 5Gi + ## nginx data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClassName: "-" + resources: {} + # requests: + # memory: "250Mi" + # cpu: "100m" + # limits: + # memory: "250Mi" + # cpu: "500m" + + nodeSelector: {} + + tolerations: [] + + affinity: {} + +# Filebeat Sidecar container +## The provided filebeat configuration is for Artifactory logs. It assumes you have a logstash installed and configured properly. +filebeat: + enabled: false + name: artifactory-filebeat + image: + repository: "docker.elastic.co/beats/filebeat" + version: 7.5.1 + logstashUrl: "logstash:5044" + + terminationGracePeriod: 10 + + livenessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + curl --fail 127.0.0.1:5066 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + + readinessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + filebeat test output + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + + resources: {} +# requests: +# memory: "100Mi" +# cpu: "100m" +# limits: +# memory: "100Mi" +# cpu: "100m" + + filebeatYml: | + logging.level: info + path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat + name: artifactory-filebeat + queue.spool: ~ + filebeat.inputs: + - type: log + enabled: true + close_eof: ${CLOSE:false} + paths: + - {{ .Values.artifactory.persistence.mountPath }}/log/*.log + fields: + service: "jfrt" + log_type: "artifactory" + output: + logstash: + hosts: ["{{ .Values.filebeat.logstashUrl }}"] From 47efd4f31d641e98aad5a341b235b7adc4e2db62 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Wed, 12 Feb 2020 10:46:23 -0800 Subject: [PATCH 02/28] Deleting duplicated helm chart for openshift artifactory ha.. --- Openshift4/artifactoryha-helm/CHANGELOG.md | 557 ------- Openshift4/artifactoryha-helm/Chart.yaml | 24 - Openshift4/artifactoryha-helm/LICENSE | 201 --- Openshift4/artifactoryha-helm/README.md | 1266 ---------------- .../ReverseProxyConfiguration.md | 140 -- .../artifactoryha-helm/UPGRADE_NOTES.md | 33 - .../charts/postgresql/.helmignore | 2 - .../charts/postgresql/Chart.yaml | 23 - .../charts/postgresql/README.md | 487 ------ .../charts/postgresql/files/README.md | 1 - .../charts/postgresql/files/conf.d/README.md | 4 - .../docker-entrypoint-initdb.d/README.md | 3 - .../charts/postgresql/templates/NOTES.txt | 50 - .../charts/postgresql/templates/_helpers.tpl | 374 ----- .../postgresql/templates/configmap.yaml | 26 - .../templates/extended-config-configmap.yaml | 21 - .../templates/initialization-configmap.yaml | 24 - .../postgresql/templates/metrics-svc.yaml | 26 - .../postgresql/templates/networkpolicy.yaml | 34 - .../charts/postgresql/templates/secrets.yaml | 17 - .../postgresql/templates/serviceaccount.yaml | 11 - .../postgresql/templates/servicemonitor.yaml | 33 - .../templates/statefulset-slaves.yaml | 247 --- .../postgresql/templates/statefulset.yaml | 355 ----- .../postgresql/templates/svc-headless.yaml | 19 - .../charts/postgresql/templates/svc-read.yaml | 31 - .../charts/postgresql/templates/svc.yaml | 38 - .../charts/postgresql/values-production.yaml | 392 ----- .../charts/postgresql/values.schema.json | 103 -- .../charts/postgresql/values.yaml | 392 ----- Openshift4/artifactoryha-helm/helminstall.sh | 23 - .../pv-examples/pv0001-large.yaml | 15 - .../pv-examples/pv0002-large.yaml | 15 - .../pv-examples/pv0003-large.yaml | 15 - .../pv-examples/pv0004-large.yaml | 15 - .../pv-examples/pv0005-large.yaml | 15 - .../artifactoryha-helm/requirements.lock | 6 - .../artifactoryha-helm/requirements.yaml | 5 - Openshift4/artifactoryha-helm/scc.yaml | 18 - .../artifactoryha-helm/templates/NOTES.txt | 113 -- .../artifactoryha-helm/templates/_helpers.tpl | 103 -- .../templates/access-bootstrap-creds.yaml | 15 - .../artifactory-binarystore-secret.yaml | 14 - .../templates/artifactory-configmaps.yaml | 13 - .../templates/artifactory-installer-info.yaml | 25 - .../templates/artifactory-license-secret.yaml | 14 - .../templates/artifactory-networkpolicy.yaml | 34 - .../templates/artifactory-nfs-pvc.yaml | 101 -- .../templates/artifactory-node-pdb.yaml | 19 - .../artifactory-node-statefulset.yaml | 510 ------- .../artifactory-primary-statefulset.yaml | 593 -------- .../templates/artifactory-priority-class.yaml | 9 - .../templates/artifactory-role.yaml | 14 - .../templates/artifactory-rolebinding.yaml | 19 - .../templates/artifactory-secrets.yaml | 17 - .../templates/artifactory-service.yaml | 88 -- .../templates/artifactory-serviceaccount.yaml | 16 - .../templates/artifactory-storage-pvc.yaml | 27 - .../templates/artifactory-system-yaml.yaml | 14 - .../templates/catalina-logger-configmap.yaml | 53 - .../templates/filebeat-configmap.yaml | 15 - .../artifactoryha-helm/templates/ingress.yaml | 56 - .../templates/nginx-artifactory-conf.yaml | 14 - .../templates/nginx-certificate-secret.yaml | 14 - .../templates/nginx-conf.yaml | 14 - .../templates/nginx-deployment.yaml | 185 --- .../templates/nginx-pvc.yaml | 26 - .../templates/nginx-service.yaml | 69 - .../artifactoryha-helm/values-large.yaml | 24 - .../artifactoryha-helm/values-medium.yaml | 24 - .../artifactoryha-helm/values-small.yaml | 24 - Openshift4/artifactoryha-helm/values.yaml | 1330 ----------------- 72 files changed, 8667 deletions(-) delete mode 100755 Openshift4/artifactoryha-helm/CHANGELOG.md delete mode 100755 Openshift4/artifactoryha-helm/Chart.yaml delete mode 100755 Openshift4/artifactoryha-helm/LICENSE delete mode 100755 Openshift4/artifactoryha-helm/README.md delete mode 100755 Openshift4/artifactoryha-helm/ReverseProxyConfiguration.md delete mode 100755 Openshift4/artifactoryha-helm/UPGRADE_NOTES.md delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/.helmignore delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/Chart.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/README.md delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/files/README.md delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/files/conf.d/README.md delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/files/docker-entrypoint-initdb.d/README.md delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/NOTES.txt delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/_helpers.tpl delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/configmap.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/extended-config-configmap.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/initialization-configmap.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/metrics-svc.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/networkpolicy.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/secrets.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/serviceaccount.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/servicemonitor.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset-slaves.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-headless.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-read.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/templates/svc.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/values-production.yaml delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/values.schema.json delete mode 100755 Openshift4/artifactoryha-helm/charts/postgresql/values.yaml delete mode 100755 Openshift4/artifactoryha-helm/helminstall.sh delete mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0001-large.yaml delete mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0002-large.yaml delete mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0003-large.yaml delete mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0004-large.yaml delete mode 100644 Openshift4/artifactoryha-helm/pv-examples/pv0005-large.yaml delete mode 100755 Openshift4/artifactoryha-helm/requirements.lock delete mode 100755 Openshift4/artifactoryha-helm/requirements.yaml delete mode 100644 Openshift4/artifactoryha-helm/scc.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/NOTES.txt delete mode 100755 Openshift4/artifactoryha-helm/templates/_helpers.tpl delete mode 100755 Openshift4/artifactoryha-helm/templates/access-bootstrap-creds.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-binarystore-secret.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-configmaps.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-installer-info.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-license-secret.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-networkpolicy.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-nfs-pvc.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-node-pdb.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-node-statefulset.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-primary-statefulset.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-priority-class.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-role.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-rolebinding.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-secrets.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-service.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-serviceaccount.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-storage-pvc.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/artifactory-system-yaml.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/catalina-logger-configmap.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/filebeat-configmap.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/ingress.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/nginx-artifactory-conf.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/nginx-certificate-secret.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/nginx-conf.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/nginx-deployment.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/nginx-pvc.yaml delete mode 100755 Openshift4/artifactoryha-helm/templates/nginx-service.yaml delete mode 100755 Openshift4/artifactoryha-helm/values-large.yaml delete mode 100755 Openshift4/artifactoryha-helm/values-medium.yaml delete mode 100755 Openshift4/artifactoryha-helm/values-small.yaml delete mode 100755 Openshift4/artifactoryha-helm/values.yaml diff --git a/Openshift4/artifactoryha-helm/CHANGELOG.md b/Openshift4/artifactoryha-helm/CHANGELOG.md deleted file mode 100755 index 075bfa2..0000000 --- a/Openshift4/artifactoryha-helm/CHANGELOG.md +++ /dev/null @@ -1,557 +0,0 @@ -# JFrog Artifactory-ha Chart Changelog -All changes to this chart will be documented in this file. - -## [1.3.7] - Jan 07, 2020 -* Add support for customizable `mountOptions` of NFS PVs - -## [1.3.6] - Dec 30, 2019 -* Fix for nginx probes failing when launched with http disabled - -## [1.3.5] - Dec 24, 2019 -* Better support for custom `artifactory.internalPort` - -## [1.3.4] - Dec 23, 2019 -* Mark empty map values with `{}` - -## [1.3.3] - Dec 16, 2019 -* Another fix for toggling nginx service ports - -## [1.3.2] - Dec 12, 2019 -* Fix for toggling nginx service ports - -## [1.3.1] - Dec 10, 2019 -* Add support for toggling nginx service ports - -## [1.3.0] - Dec 1, 2019 -* Updated Artifactory version to 6.16.0 - -## [1.2.4] - Nov 28, 2019 -* Add support for using existing PriorityClass - -## [1.2.3] - Nov 27, 2019 -* Add support for PriorityClass - -## [1.2.2] - Nov 20, 2019 -* Update Artifactory logo - -## [1.2.1] - Nov 18, 2019 -* Add the option to provide service account annotations (in order to support stuff like https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html) - -## [1.2.0] - Nov 18, 2019 -* Updated Artifactory version to 6.15.0 - -## [1.1.12] - Nov 17, 2019 -* Fix `README.md` format (broken table) - -## [1.1.11] - Nov 17, 2019 -* Update comment on Artifactory master key - -## [1.1.10] - Nov 17, 2019 -* Fix creation of double slash in nginx artifactory configuration - -## [1.1.9] - Nov 14, 2019 -* Set explicit `postgresql.postgresqlPassword=""` to avoid helm v3 error - -## [1.1.8] - Nov 12, 2019 -* Updated Artifactory version to 6.14.1 - -## [1.1.7] - Nov 11, 2019 -* Additional documentation for masterKey - -## [1.1.6] - Nov 10, 2019 -* Update PostgreSQL chart version to 7.0.1 -* Use formal PostgreSQL configuration format - -## [1.1.5] - Nov 8, 2019 -* Add support `artifactory.service.loadBalancerSourceRanges` for whitelisting when setting `artifactory.service.type=LoadBalancer` - -## [1.1.4] - Nov 6, 2019 -* Add support for any type of environment variable by using `extraEnvironmentVariables` as-is - -## [1.1.3] - Nov 6, 2019 -* Add nodeselector support for Postgresql - -## [1.1.2] - Nov 5, 2019 -* Add support for the aws-s3-v3 filestore, which adds support for pod IAM roles - -## [1.1.1] - Nov 4, 2019 -* When using `copyOnEveryStartup`, make sure that the target base directories are created before copying the files - -## [1.1.0] - Nov 3, 2019 -* Updated Artifactory version to 6.14.0 - -## [1.0.1] - Nov 3, 2019 -* Make sure the artifactory pod exits when one of the pre-start stages fail - -## [1.0.0] - Oct 27, 2019 -**IMPORTANT - BREAKING CHANGES!**
-**DOWNTIME MIGHT BE REQUIRED FOR AN UPGRADE!** -* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! -* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), must use the upgrade instructions in [UPGRADE_NOTES.md](UPGRADE_NOTES.md)! -* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is **not backward compatible** with the old version (`0.9.5`)! -* Note the following **PostgreSQL** Helm chart changes - * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used - * **PostgreSQL** is deployed as a StatefulSet - * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations - -## [0.17.3] - Oct 24, 2019 -* Change the preStartCommand to support templating - -## [0.17.2] - Oct 21, 2019 -* Add support for setting `artifactory.primary.labels` -* Add support for setting `artifactory.node.labels` -* Add support for setting `nginx.labels` - -## [0.17.1] - Oct 10, 2019 -* Updated Artifactory version to 6.13.1 - -## [0.17.0] - Oct 7, 2019 -* Updated Artifactory version to 6.13.0 - -## [0.16.7] - Sep 24, 2019 -* Option to skip wait-for-db init container with '--set waitForDatabase=false' - -## [0.16.6] - Sep 24, 2019 -* Add support for setting `nginx.service.labels` - -## [0.16.5] - Sep 23, 2019 -* Add support for setting `artifactory.customInitContainersBegin` - -## [0.16.4] - Sep 20, 2019 -* Add support for setting `initContainers.resources` - -## [0.16.3] - Sep 11, 2019 -* Updated Artifactory version to 6.12.2 - -## [0.16.2] - Sep 9, 2019 -* Updated Artifactory version to 6.12.1 - -## [0.16.1] - Aug 22, 2019 -* Fix the nginx server_name directive used with ingress.hosts - -## [0.16.0] - Aug 21, 2019 -* Updated Artifactory version to 6.12.0 - -## [0.15.15] - Aug 18, 2019 -* Fix existingSharedClaim permissions issue and example - -## [0.15.14] - Aug 14, 2019 -* Updated Artifactory version to 6.11.6 - -## [0.15.13] - Aug 11, 2019 -* Fix Ingress routing and add an example - -## [0.15.12] - Aug 6, 2019 -* Do not mount `access/etc/bootstrap.creds` unless user specifies a custom password or secret (Access already generates a random password if not provided one) -* If custom `bootstrap.creds` is provided (using keys or custom secret), prepare it with an init container so the temp file does not persist - -## [0.15.11] - Aug 5, 2019 -* Improve binarystore config - 1. Convert to a secret - 2. Move config to values.yaml - 3. Support an external secret - -## [0.15.10] - Aug 5, 2019 -* Don't create the nginx configmaps when nginx.enabled is false - -## [0.15.9] - Aug 1, 2019 -* Fix masterkey/masterKeySecretName not specified warning render logic in NOTES.txt - -## [0.15.8] - Jul 28, 2019 -* Simplify nginx setup and shorten initial wait for probes - -## [0.15.7] - Jul 25, 2019 -* Updated README about how to apply Artifactory licenses - -## [0.15.6] - Jul 22, 2019 -* Change Ingress API to be compatible with recent kubernetes versions - -## [0.15.5] - Jul 22, 2019 -* Updated Artifactory version to 6.11.3 - -## [0.15.4] - Jul 11, 2019 -* Add `artifactory.customVolumeMounts` support to member node statefulset template - -## [0.15.3] - Jul 11, 2019 -* Add ingress.hosts to the Nginx server_name directive when ingress is enabled to help with Docker repository sub domain configuration - -## [0.15.2] - Jul 3, 2019 -* Add the option for changing nginx config using values.yaml and remove outdated reverse proxy documentation - -## [0.15.1] - Jul 1, 2019 -* Updated Artifactory version to 6.11.1 - -## [0.15.0] - Jun 27, 2019 -* Updated Artifactory version to 6.11.0 and Restart Primary node when bootstrap.creds file has been modified in artifactory-ha - -## [0.14.4] - Jun 24, 2019 -* Add the option to provide an IP for the access-admin endpoints - -## [0.14.3] - Jun 24, 2019 -* Update chart maintainers - -## [0.14.2] - Jun 24, 2019 -* Change Nginx to point to the artifactory externalPort - -## [0.14.1] - Jun 23, 2019 -* Add values files for small, medium and large installations - -## [0.14.0] - Jun 20, 2019 -* Use ConfigMaps for nginx configuration and remove nginx postStart command - -## [0.13.10] - Jun 19, 2019 -* Updated Artifactory version to 6.10.4 - -## [0.13.9] - Jun 18, 2019 -* Add the option to provide additional ingress rules - -## [0.13.8] - Jun 14, 2019 -* Updated readme with improved external database setup example - -## [0.13.7] - Jun 6, 2019 -* Updated Artifactory version to 6.10.3 -* Updated installer-info template - -## [0.13.6] - Jun 6, 2019 -* Updated Google Cloud Storage API URL and https settings - -## [0.13.5] - Jun 5, 2019 -* Delete the db.properties file on Artifactory startup - -## [0.13.4] - Jun 3, 2019 -* Updated Artifactory version to 6.10.2 - -## [0.13.3] - May 21, 2019 -* Updated Artifactory version to 6.10.1 - -## [0.13.2] - May 19, 2019 -* Fix missing logger image tag - -## [0.13.1] - May 15, 2019 -* Support `artifactory.persistence.cacheProviderDir` for on-premise cluster - -## [0.13.0] - May 7, 2019 -* Updated Artifactory version to 6.10.0 - -## [0.12.23] - May 5, 2019 -* Add support for setting `artifactory.async.corePoolSize` - -## [0.12.22] - May 2, 2019 -* Remove unused property `artifactory.releasebundle.feature.enabled` - -## [0.12.21] - Apr 30, 2019 -* Add support for JMX monitoring - -## [0.12.20] - Apr29, 2019 -* Added support for headless services - -## [0.12.19] - Apr 28, 2019 -* Added support for `cacheProviderDir` - -## [0.12.18] - Apr 18, 2019 -* Changing API StatefulSet version to `v1` and permission fix for custom `artifactory.conf` for Nginx - -## [0.12.17] - Apr 16, 2019 -* Updated documentation for Reverse Proxy Configuration - -## [0.12.16] - Apr 12, 2019 -* Added support for `customVolumeMounts` - -## [0.12.15] - Aprl 12, 2019 -* Added support for `bucketExists` flag for googleStorage - -## [0.12.14] - Apr 11, 2019 -* Replace `curl` examples with `wget` due to the new base image - -## [0.12.13] - Aprl 07, 2019 -* Add support for providing the Artifactory license as a parameter - -## [0.12.12] - Apr 10, 2019 -* Updated Artifactory version to 6.9.1 - -## [0.12.11] - Aprl 04, 2019 -* Add support for templated extraEnvironmentVariables - -## [0.12.10] - Aprl 07, 2019 -* Change network policy API group - -## [0.12.9] - Aprl 04, 2019 -* Apply the existing PVC for members (in addition to primary) - -## [0.12.8] - Aprl 03, 2019 -* Bugfix for userPluginSecrets - -## [0.12.7] - Apr 4, 2019 -* Add information about upgrading Artifactory with auto-generated postgres password - -## [0.12.6] - Aprl 03, 2019 -* Added installer info - -## [0.12.5] - Aprl 03, 2019 -* Allow secret names for user plugins to contain template language - -## [0.12.4] - Apr 02, 2019 -* Fix issue #253 (use existing PVC for data and backup storage) - -## [0.12.3] - Apr 02, 2019 -* Allow NetworkPolicy configurations (defaults to allow all) - -## [0.12.2] - Aprl 01, 2019 -* Add support for user plugin secret - -## [0.12.1] - Mar 26, 2019 -* Add the option to copy a list of files to ARTIFACTORY_HOME on startup - -## [0.12.0] - Mar 26, 2019 -* Updated Artifactory version to 6.9.0 - -## [0.11.18] - Mar 25, 2019 -* Add CI tests for persistence, ingress support and nginx - -## [0.11.17] - Mar 22, 2019 -* Add the option to change the default access-admin password - -## [0.11.16] - Mar 22, 2019 -* Added support for `.Probe.path` to customise the paths used for health probes - -## [0.11.15] - Mar 21, 2019 -* Added support for `artifactory.customSidecarContainers` to create custom sidecar containers -* Added support for `artifactory.customVolumes` to create custom volumes - -## [0.11.14] - Mar 21, 2019 -* Make ingress path configurable - -## [0.11.13] - Mar 19, 2019 -* Move the copy of bootstrap config from postStart to preStart for Primary - -## [0.11.12] - Mar 19, 2019 -* Fix existingClaim example - -## [0.11.11] - Mar 18, 2019 -* Disable the option to use nginx PVC with more than one replica - -## [0.11.10] - Mar 15, 2019 -* Wait for nginx configuration file before using it - -## [0.11.9] - Mar 15, 2019 -* Revert securityContext changes since they were causing issues - -## [0.11.8] - Mar 15, 2019 -* Fix issue #247 (init container failing to run) - -## [0.11.7] - Mar 14, 2019 -* Updated Artifactory version to 6.8.7 - -## [0.11.6] - Mar 13, 2019 -* Move securityContext to container level - -## [0.11.5] - Mar 11, 2019 -* Add the option to use existing volume claims for Artifactory storage - -## [0.11.4] - Mar 11, 2019 -* Updated Artifactory version to 6.8.6 - -## [0.11.3] - Mar 5, 2019 -* Updated Artifactory version to 6.8.4 - -## [0.11.2] - Mar 4, 2019 -* Add support for catalina logs sidecars - -## [0.11.1] - Feb 27, 2019 -* Updated Artifactory version to 6.8.3 - -## [0.11.0] - Feb 25, 2019 -* Add nginx support for tail sidecars - -## [0.10.3] - Feb 21, 2019 -* Add s3AwsVersion option to awsS3 configuration for use with IAM roles - -## [0.10.2] - Feb 19, 2019 -* Updated Artifactory version to 6.8.2 - -## [0.10.1] - Feb 17, 2019 -* Updated Artifactory version to 6.8.1 -* Add example of `SERVER_XML_EXTRA_CONNECTOR` usage - -## [0.10.0] - Feb 15, 2019 -* Updated Artifactory version to 6.8.0 - -## [0.9.7] - Feb 13, 2019 -* Updated Artifactory version to 6.7.3 - -## [0.9.6] - Feb 7, 2019 -* Add support for tail sidecars to view logs from k8s api - -## [0.9.5] - Feb 6, 2019 -* Fix support for customizing statefulset `terminationGracePeriodSeconds` - -## [0.9.4] - Feb 5, 2019 -* Add support for customizing statefulset `terminationGracePeriodSeconds` - -## [0.9.3] - Feb 5, 2019 -* Remove the inactive server remove plugin - -## [0.9.2] - Feb 3, 2019 -* Updated Artifactory version to 6.7.2 - -## [0.9.1] - Jan 27, 2019 -* Fix support for Azure Blob Storage Binary provider - -## [0.9.0] - Jan 23, 2019 -* Updated Artifactory version to 6.7.0 - -## [0.8.10] - Jan 22, 2019 -* Added support for `artifactory.customInitContainers` to create custom init containers - -## [0.8.9] - Jan 18, 2019 -* Added support of values ingress.labels - -## [0.8.8] - Jan 16, 2019 -* Mount replicator.yaml (config) directly to /replicator_extra_conf - -## [0.8.7] - Jan 15, 2018 -* Add support for Azure Blob Storage Binary provider - -## [0.8.6] - Jan 13, 2019 -* Fix documentation about nginx group id - -## [0.8.5] - Jan 13, 2019 -* Updated Artifactory version to 6.6.5 - -## [0.8.4] - Jan 8, 2019 -* Make artifactory.replicator.publicUrl required when the replicator is enabled - -## [0.8.3] - Jan 1, 2019 -* Updated Artifactory version to 6.6.3 -* Add support for `artifactory.extraEnvironmentVariables` to pass more environment variables to Artifactory - -## [0.8.2] - Dec 28, 2018 -* Fix location `replicator.yaml` is copied to - -## [0.8.1] - Dec 27, 2018 -* Updated Artifactory version to 6.6.1 - -## [0.8.0] - Dec 20, 2018 -* Updated Artifactory version to 6.6.0 - -## [0.7.17] - Dec 17, 2018 -* Updated Artifactory version to 6.5.13 - -## [0.7.16] - Dec 12, 2018 -* Fix documentation about Artifactory license setup using secret - -## [0.7.15] - Dec 9, 2018 -* AWS S3 add `roleName` for using IAM role - -## [0.7.14] - Dec 6, 2018 -* AWS S3 `identity` and `credential` are now added only if have a value to allow using IAM role - -## [0.7.13] - Dec 5, 2018 -* Remove Distribution certificates creation. - -## [0.7.12] - Dec 2, 2018 -* Remove Java option "-Dartifactory.locking.provider.type=db". This is already the default setting. - -## [0.7.11] - Nov 30, 2018 -* Updated Artifactory version to 6.5.9 - -## [0.7.10] - Nov 29, 2018 -* Fixed the volumeMount for the replicator.yaml - -## [0.7.9] - Nov 29, 2018 -* Optionally include primary node into poddisruptionbudget - -## [0.7.8] - Nov 29, 2018 -* Updated postgresql version to 9.6.11 - -## [0.7.7] - Nov 27, 2018 -* Updated Artifactory version to 6.5.8 - -## [0.7.6] - Nov 18, 2018 -* Added support for configMap to use custom Reverse Proxy Configuration with Nginx - -## [0.7.5] - Nov 14, 2018 -* Updated Artifactory version to 6.5.3 - -## [0.7.4] - Nov 13, 2018 -* Allow pod anti-affinity settings to include primary node - -## [0.7.3] - Nov 12, 2018 -* Support artifactory.preStartCommand for running command before entrypoint starts - -## [0.7.2] - Nov 7, 2018 -* Support database.url parameter (DB_URL) - -## [0.7.1] - Oct 29, 2018 -* Change probes port to 8040 (so they will not be blocked when all tomcat threads on 8081 are exhausted) - -## [0.7.0] - Oct 28, 2018 -* Update postgresql chart to version 0.9.5 to be able and use `postgresConfig` options - -## [0.6.9] - Oct 23, 2018 -* Fix providing external secret for database credentials - -## [0.6.8] - Oct 22, 2018 -* Allow user to configure externalTrafficPolicy for Loadbalancer - -## [0.6.7] - Oct 22, 2018 -* Updated ingress annotation support (with examples) to support docker registry v2 - -## [0.6.6] - Oct 21, 2018 -* Updated Artifactory version to 6.5.2 - -## [0.6.5] - Oct 19, 2018 -* Allow providing pre-existing secret containing master key -* Allow arbitrary annotations on primary and member node pods -* Enforce size limits when using local storage with `emptyDir` -* Allow `soft` or `hard` specification of member node anti-affinity -* Allow providing pre-existing secrets containing external database credentials -* Fix `s3` binary store provider to properly use the `cache-fs` provider -* Allow arbitrary properties when using the `s3` binary store provider - -## [0.6.4] - Oct 18, 2018 -* Updated Artifactory version to 6.5.1 - -## [0.6.3] - Oct 17, 2018 -* Add Apache 2.0 license - -## [0.6.2] - Oct 14, 2018 -* Make S3 endpoint configurable (was hardcoded with `s3.amazonaws.com`) - -## [0.6.1] - Oct 11, 2018 -* Allows ingress default `backend` to be enabled or disabled (defaults to enabled) - -## [0.6.0] - Oct 11, 2018 -* Updated Artifactory version to 6.5.0 - -## [0.5.3] - Oct 9, 2018 -* Quote ingress hosts to support wildcard names - -## [0.5.2] - Oct 2, 2018 -* Add `helm repo add jfrog https://charts.jfrog.io` to README - -## [0.5.1] - Oct 2, 2018 -* Set Artifactory to 6.4.1 - -## [0.5.0] - Sep 27, 2018 -* Set Artifactory to 6.4.0 - -## [0.4.7] - Sep 26, 2018 -* Add ci/test-values.yaml - -## [0.4.6] - Sep 25, 2018 -* Add PodDisruptionBudget for member nodes, defaulting to minAvailable of 1 - -## [0.4.4] - Sep 2, 2018 -* Updated Artifactory version to 6.3.2 - -## [0.4.0] - Aug 22, 2018 -* Added support to run as non root -* Updated Artifactory version to 6.2.0 - -## [0.3.0] - Aug 22, 2018 -* Enabled RBAC Support -* Added support for PostStartCommand (To download Database JDBC connector) -* Increased postgresql max_connections -* Added support for `nginx.conf` ConfigMap -* Updated Artifactory version to 6.1.0 diff --git a/Openshift4/artifactoryha-helm/Chart.yaml b/Openshift4/artifactoryha-helm/Chart.yaml deleted file mode 100755 index 0e1989f..0000000 --- a/Openshift4/artifactoryha-helm/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -appVersion: 7.0.2 -description: Universal Repository Manager supporting all major packaging formats, - build tools and CI servers. -home: https://www.jfrog.com/artifactory/ -icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-ha/logo/artifactory-logo.png -keywords: -- artifactory -- jfrog -- devops -maintainers: -- email: amithk@jfrog.com - name: amithins -- email: daniele@jfrog.com - name: danielezer -- email: eldada@jfrog.com - name: eldada -- email: rimasm@jfrog.com - name: rimusz -name: openshift-artifactory-ha -sources: -- https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view -- https://github.com/jfrog/charts -version: 2.0.4 diff --git a/Openshift4/artifactoryha-helm/LICENSE b/Openshift4/artifactoryha-helm/LICENSE deleted file mode 100755 index 8dada3e..0000000 --- a/Openshift4/artifactoryha-helm/LICENSE +++ /dev/null @@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/Openshift4/artifactoryha-helm/README.md b/Openshift4/artifactoryha-helm/README.md deleted file mode 100755 index 76bd6af..0000000 --- a/Openshift4/artifactoryha-helm/README.md +++ /dev/null @@ -1,1266 +0,0 @@ -# JFrog Artifactory High Availability Helm Chart - -## Prerequisites Details - -* Kubernetes 1.8+ -* Artifactory HA license - -## Chart Details -This chart will do the following: - -* Deploy Artifactory highly available cluster. 1 primary node and 2 member nodes. -* Deploy a PostgreSQL database -* Deploy an Nginx server - -## Artifactory HA architecture -The Artifactory HA cluster in this chart is made up of -- A single primary node -- Two member nodes, which can be resized at will - -Load balancing is done to the member nodes only. -This leaves the primary node free to handle jobs and tasks and not be interrupted by inbound traffic. -> This can be controlled by the parameter `artifactory.service.pool`. - -## Installing the Chart - -### Add JFrog Helm repository -Before installing JFrog helm charts, you need to add the [JFrog helm repository](https://charts.jfrog.io/) to your helm client -```bash -helm repo add jfrog https://charts.jfrog.io -``` - -### Install Chart -To install the chart with the release name `artifactory-ha`: -```bash -helm install --name artifactory-ha --set postgresql.postgresqlPassword= jfrog/artifactory-ha -``` - -### System Configuration -Artifactory uses a common system configuration file - `system.yaml`. See [official documentation](https://www.jfrog.com/confluence/display/JFROG/System+YAML+Configuration+File) on its usage. -In order to override the default `system.yaml` configuration, do the following: -```bash -artifactory: - systemYaml: | - -``` - -### Accessing Artifactory -**NOTE:** It might take a few minutes for Artifactory's public IP to become available, and the nodes to complete initial setup. -Follow the instructions outputted by the install command to get the Artifactory IP and URL to access it. - -### Updating Artifactory -Once you have a new chart version, you can update your deployment with -```bash -helm upgrade artifactory-ha jfrog/artifactory-ha -``` - -If artifactory was installed without providing a value to postgresql.postgresqlPassword (a password was autogenerated), follow these instructions: -1. Get the current password by running: -```bash -POSTGRES_PASSWORD=$(kubectl get secret -n -postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) -``` -2. Upgrade the release by passing the previously auto-generated secret: -```bash -helm upgrade jfrog/artifactory-ha --set postgresql.postgresqlPassword=${POSTGRES_PASSWORD} -``` - -This will apply any configuration changes on your existing deployment. - -### Artifactory memory and CPU resources -The Artifactory HA Helm chart comes with support for configured resource requests and limits to all pods. By default, these settings are commented out. -It is **highly** recommended to set these so you have full control of the allocated resources and limits. - -See more information on [setting resources for your Artifactory based on planned usage](https://www.jfrog.com/confluence/display/RTF/System+Requirements#SystemRequirements-RecommendedHardware). - -```bash -# Example of setting resource requests and limits to all pods (including passing java memory settings to Artifactory) -helm install --name artifactory-ha \ - --set artifactory.primary.resources.requests.cpu="500m" \ - --set artifactory.primary.resources.limits.cpu="2" \ - --set artifactory.primary.resources.requests.memory="1Gi" \ - --set artifactory.primary.resources.limits.memory="4Gi" \ - --set artifactory.primary.javaOpts.xms="1g" \ - --set artifactory.primary.javaOpts.xmx="4g" \ - --set artifactory.node.resources.requests.cpu="500m" \ - --set artifactory.node.resources.limits.cpu="2" \ - --set artifactory.node.resources.requests.memory="1Gi" \ - --set artifactory.node.resources.limits.memory="4Gi" \ - --set artifactory.node.javaOpts.xms="1g" \ - --set artifactory.node.javaOpts.xmx="4g" \ - --set initContainers.resources.requests.cpu="10m" \ - --set initContainers.resources.limits.cpu="250m" \ - --set initContainers.resources.requests.memory="64Mi" \ - --set initContainers.resources.limits.memory="128Mi" \ - --set postgresql.resources.requests.cpu="200m" \ - --set postgresql.resources.limits.cpu="1" \ - --set postgresql.resources.requests.memory="500Mi" \ - --set postgresql.resources.limits.memory="1Gi" \ - --set nginx.resources.requests.cpu="100m" \ - --set nginx.resources.limits.cpu="250m" \ - --set nginx.resources.requests.memory="250Mi" \ - --set nginx.resources.limits.memory="500Mi" \ - jfrog/artifactory-ha -``` -> Artifactory java memory parameters can (and should) also be set to match the allocated resources with `artifactory.[primary|node].javaOpts.xms` and `artifactory.[primary|node].javaOpts.xmx`. - -Get more details on configuring Artifactory in the [official documentation](https://www.jfrog.com/confluence/). - -Although it is possible to set resources limits and requests this way, it is recommended to use the pre-built values files -for small, medium and large installation and change them according to your needs (if necessary), as described [here](#Deploying-Artifactory-for-small/medium/large-installations) - -### Deploying Artifactory for small/medium/large installations -In the chart directory, we have added three values files, one for each installation type - small/medium/large. These values files are recommendations for setting resources requests and limits for your installation. The values are derived from the following [documentation](https://www.jfrog.com/confluence/display/EP/Installing+on+Kubernetes#InstallingonKubernetes-Systemrequirements). You can find them in the corresponding chart directory - values-small.yaml, values-medium.yaml and values-large.yaml - -### Artifactory storage -Artifactory HA support a wide range of storage back ends. You can see more details on [Artifactory HA storage options](https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup#HAInstallationandSetup-SettingUpYourStorageConfiguration) - -In this chart, you set the type of storage you want with `artifactory.persistence.type` and pass the required configuration settings. -The default storage in this chart is the `file-system` replication, where the data is replicated to all nodes. - -> **IMPORTANT:** All storage configurations (except NFS) come with a default `artifactory.persistence.redundancy` parameter. -This is used to set how many replicas of a binary should be stored in the cluster's nodes. -Once this value is set on initial deployment, you can not update it using helm. -It is recommended to set this to a number greater than half of your cluster's size, and never scale your cluster down to a size smaller than this number. - -#### Existing volume claim - -###### Primary node -In order to use an existing volume claim for the Artifactory primary storage, you need to: -- Create a persistent volume claim by the name `volume--artifactory-ha-primary-0` e.g `volume-myrelease-artifactory-ha-primary-0` -- Pass a parameter to `helm install` and `helm upgrade` -```bash -... ---set artifactory.primary.persistence.existingClaim=true -``` - -###### Member nodes -In order to use an existing volume claim for the Artifactory member nodes storage, you need to: -- Create persistent volume claims according to the number of replicas defined at `artifactory.node.replicaCount` by the names `volume--artifactory-ha-member-`, e.g `volume-myrelease-artifactory-ha-member-0` and `volume-myrelease-artifactory-ha-primary-1`. -- Pass a parameter to `helm install` and `helm upgrade` -```bash -... ---set artifactory.node.persistence.existingClaim=true -``` - -#### Existing shared volume claim - -In order to use an existing claim (for data and backup) that is to be shared across all nodes, you need to: - -- Create PVCs with ReadWriteMany that match the naming conventions: -``` - {{ template "artifactory-ha.fullname" . }}-data-pvc- - {{ template "artifactory-ha.fullname" . }}-backup-pvc- -``` -An example that shows 2 existing claims to be used: -``` - myexample-artifactory-ha-data-pvc-0 - myexample-artifactory-ha-backup-pvc-0 - myexample-artifactory-ha-data-pvc-1 - myexample-artifactory-ha-backup-pvc-1 -``` -- Set the artifactory.persistence.fileSystem.existingSharedClaim.enabled in values.yaml to true: -``` --- set artifactory.persistence.fileSystem.existingSharedClaim.enabled=true --- set artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims=2 -``` - -#### NFS -To use an NFS server as your cluster's storage, you need to -- Setup an NFS server. Get its IP as `NFS_IP` -- Create a `data` and `backup` directories on the NFS exported directory with write permissions to all -- Pass NFS parameters to `helm install` and `helm upgrade` -```bash -... ---set artifactory.persistence.type=nfs \ ---set artifactory.persistence.nfs.ip=${NFS_IP} \ -... -``` - -#### Google Storage -To use a Google Storage bucket as the cluster's filestore. See [Google Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-GoogleStorageBinaryProvider) -- Pass Google Storage parameters to `helm install` and `helm upgrade` -```bash -... ---set artifactory.persistence.type=google-storage \ ---set artifactory.persistence.googleStorage.identity=${GCP_ID} \ ---set artifactory.persistence.googleStorage.credential=${GCP_KEY} \ -... -``` - -#### AWS S3 -**NOTE** Keep in mind that when using the `aws-s3` persistence type, you will not be able to provide an IAM on the pod level. -In order to grant permissions to Artifactory using an IAM role, you will have to attach the IAM role to the machine(s) on which Artifactory is running. -This is due to the fact that the `aws-s3` template uses the `JetS3t` library to interact with AWS. If you want to grant an IAM role at the pod level, see the `AWS S3 Vs` section. - -To use an AWS S3 bucket as the cluster's filestore. See [S3 Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-S3BinaryProvider) -- Pass AWS S3 parameters to `helm install` and `helm upgrade` -```bash -... -# With explicit credentials: ---set artifactory.persistence.type=aws-s3 \ ---set artifactory.persistence.awsS3.endpoint=${AWS_S3_ENDPOINT} \ ---set artifactory.persistence.awsS3.region=${AWS_REGION} \ ---set artifactory.persistence.awsS3.identity=${AWS_ACCESS_KEY_ID} \ ---set artifactory.persistence.awsS3.credential=${AWS_SECRET_ACCESS_KEY} \ -... - -... -# With using existing IAM role ---set artifactory.persistence.type=aws-s3 \ ---set artifactory.persistence.awsS3.endpoint=${AWS_S3_ENDPOINT} \ ---set artifactory.persistence.awsS3.region=${AWS_REGION} \ ---set artifactory.persistence.awsS3.roleName=${AWS_ROLE_NAME} \ -... -``` -**NOTE:** Make sure S3 `endpoint` and `region` match. See [AWS documentation on endpoint](https://docs.aws.amazon.com/general/latest/gr/rande.html) - -#### AWS S3 V3 -To use an AWS S3 bucket as the cluster's filestore and access it with the official AWS SDK, See [S3 Official SDK Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate). -This filestore template uses the official AWS SDK, unlike the `aws-s3` implementation that uses the `JetS3t` library. -Use this template if you want to attach an IAM role to the Artifactory pod directly (as opposed to attaching it to the machine/s that Artifactory will run on). - -**NOTE** This will have to be combined with a k8s mechanism for attaching IAM roles to pods, like [kube2iam](https://github.com/helm/charts/tree/master/stable/kube2iam) or anything similar. - -- Pass AWS S3 V3 parameters and the annotation pointing to the IAM role (when using an IAM role. this is kube2iam specific and may vary depending on the implementation) to `helm install` and `helm upgrade` - -```bash -# With explicit credentials: ---set artifactory.persistence.type=aws-s3-v3 \ ---set artifactory.persistence.awsS3V3.region=${AWS_REGION} \ ---set artifactory.persistence.awsS3V3.bucketName=${AWS_S3_BUCKET_NAME} \ ---set artifactory.persistence.awsS3V3.identity=${AWS_ACCESS_KEY_ID} \ ---set artifactory.persistence.awsS3V3.credential=${AWS_SECRET_ACCESS_KEY} \ -... -``` - -```bash -# With using existing IAM role ---set artifactory.persistence.type=aws-s3-v3 \ ---set artifactory.persistence.awsS3V3.region=${AWS_REGION} \ ---set artifactory.persistence.awsS3V3.bucketName=${AWS_S3_BUCKET_NAME} \ ---set artifactory.annotations.'iam\.amazonaws\.com/role'=${AWS_IAM_ROLE_ARN} -... -``` - -#### Microsoft Azure Blob Storage -To use Azure Blob Storage as the cluster's filestore. See [Azure Blob Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AzureBlobStorageClusterBinaryProvider) -- Pass Azure Blob Storage parameters to `helm install` and `helm upgrade` -```bash -... ---set artifactory.persistence.type=azure-blob \ ---set artifactory.persistence.azureBlob.accountName=${AZURE_ACCOUNT_NAME} \ ---set artifactory.persistence.azureBlob.accountKey=${AZURE_ACCOUNT_KEY} \ ---set artifactory.persistence.azureBlob.endpoint=${AZURE_ENDPOINT} \ ---set artifactory.persistence.azureBlob.containerName=${AZURE_CONTAINER_NAME} \ -... -``` - -#### Custom binarystore.xml -You have an option to provide a custom [binarystore.xml](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore).
-There are two options for this - -1. Editing directly in [values.yaml](values.yaml) -```yaml -artifactory: - persistence: - binarystoreXml: | - - - - - -``` - -2. Create your own [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) and pass it to your `helm install` command -```yaml -# Prepare your custom Secret file (custom-binarystore.yaml) -kind: Secret -apiVersion: v1 -metadata: - name: custom-binarystore - labels: - app: artifactory - chart: artifactory -stringData: - binarystore.xml: |- - - - - -``` - -```bash -# Create a secret from the file -kubectl apply -n artifactory -f ./custom-binarystore.yaml - -# Pass it to your helm install command: -helm install --name artifactory-ha --set artifactory.persistence.customBinarystoreXmlSecret=custom-binarystore jfrog/artifactory-ha -``` - -### Create a unique Master Key -Artifactory HA cluster requires a unique master key. By default the chart has one set in values.yaml (`artifactory.masterKey`). - -**This key is for demo purpose and should not be used in a production environment!** - -You should generate a unique one and pass it to the template at install/upgrade time. -```bash -# Create a key -export MASTER_KEY=$(openssl rand -hex 32) -echo ${MASTER_KEY} - -# Pass the created master key to helm -helm install --name artifactory-ha --set artifactory.masterKey=${MASTER_KEY} jfrog/artifactory-ha -``` - -Alternatively, you can create a secret containing the master key manually and pass it to the template at install/upgrade time. -```bash -# Create a key -export MASTER_KEY=$(openssl rand -hex 32) -echo ${MASTER_KEY} - -# Create a secret containing the key. The key in the secret must be named master-key -kubectl create secret generic my-secret --from-literal=master-key=${MASTER_KEY} - -# Pass the created secret to helm -helm install --name artifactory-ha --set artifactory.masterKeySecretName=my-secret jfrog/artifactory-ha -``` -**NOTE:** In either case, make sure to pass the same master key on all future calls to `helm install` and `helm upgrade`! In the first case, this means always passing `--set artifactory.masterKey=${MASTER_KEY}`. In the second, this means always passing `--set artifactory.masterKeySecretName=my-secret` and ensuring the contents of the secret remain unchanged. - -### Create a unique Join Key -Artifactory requires a unique join key. By default the chart has one set in values.yaml (`artifactory.joinKey`). - -**This key is for demo purpose and should not be used in a production environment!** - -You should generate a unique key and pass it to the template at install/upgrade time. -```bash -# Create a key -export JOIN_KEY=$(openssl rand -hex 16) -echo ${JOIN_KEY} - -# Pass the created master key to helm -helm install --name artifactory --set artifactory.joinKey=${JOIN_KEY} jfrog/artifactory -``` - -**NOTE:** In either case, make sure to pass the same join key on all future calls to `helm install` and `helm upgrade`! This means always passing `--set artifactory.joinKey=${JOIN_KEY}`. - -### Install Artifactory HA license -For activating Artifactory HA, you must install an appropriate license. There are three ways to manage the license. **Artifactory UI**, **REST API**, or a **Kubernetes Secret**. - -The easier and recommended way is the **Artifactory UI**. Using the **Kubernetes Secret** or **REST API** is for advanced users and is better suited for automation. - -**IMPORTANT:** You should use only one of the following methods. Switching between them while a cluster is running might disable your Artifactory HA cluster! - -##### Artifactory UI -Once primary cluster is running, open Artifactory UI and insert the license(s) in the UI. See [HA installation and setup](https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup) for more details. **Note that you should enter all licenses at once, with each license is separated by a newline.** If you add the licenses one at a time, you may get redirected to a node without a license and the UI won't load for that node. - -##### REST API -You can add licenses via REST API (https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API#ArtifactoryRESTAPI-InstallHAClusterLicenses). Note that the REST API expects "\n" for the newlines in the licenses. - -##### Kubernetes Secret -You can deploy the Artifactory license(s) as a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/). -Prepare a text file with the license(s) written in it. If writing multiple licenses (must be in the same file), it's important to put **two new lines between each license block**! -```bash -# Create the Kubernetes secret (assuming the local license file is 'art.lic') -kubectl create secret generic artifactory-cluster-license --from-file=./art.lic - -# Pass the license to helm -helm install --name artifactory-ha --set artifactory.license.secret=artifactory-cluster-license,artifactory.license.dataKey=art.lic jfrog/artifactory-ha -``` -**NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). -Updating the license should be done via Artifactory UI or REST API. - -##### Create the secret as part of the helm release -values.yaml -```yaml -artifactory: - license: - licenseKey: |- - - - - - - - -``` - -```bash -helm install --name artifactory-ha -f values.yaml jfrog/artifactory-ha -``` -**NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). -Updating the license should be done via Artifactory UI or REST API. -If you want to keep managing the artifactory license using the same method, you can use the copyOnEveryStartup example shown in the values.yaml file - - -### copyOnEveryStartup feature -Files stored in the `/artifactory-extra-conf` directory are only copied to the `ARTIFACTORY_HOME/etc` directory upon the first startup. -In some cases, you want your configuration files to be copied to the `ARTIFACTORY_HOME/etc` directory on every startup. -Two examples for that would be: - -1. the binarstore.xml file. If you use the default behaviour, your binarystore.xml configuration will only be copied on the first startup, -which means that changes you make over time to the `binaryStoreXml` configuration will not be applied. In order to make sure your changes are applied on every startup, do the following: -Create a values file with the following values: -```yaml -artifactory: - copyOnEveryStartup: - - source: /artifactory_extra_conf/binarystore.xml - target: etc/ -``` - -Install the helm chart with the values file you created: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f values.yaml -``` - -2. Any custom configuration file you have to configure artifactory, such as `logabck.xml`: -Create a config map with your `logback.xml` configuration. - -Create a values file with the following values: -```yaml -artifactory: - ## Create a volume pointing to the config map with your configuration file - customVolumes: | - - name: logback-xml-configmap - configMap: - name: logback-xml-configmap - customVolumeMounts: | - - name: logback-xml-configmap - mountPath: /tmp/artifactory-logback/ - copyOnEveryStartup: - - source: /tmp/artifactory-logback/* - target: etc/ -``` - -Install the helm chart with the values file you created: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f values.yaml -``` - -### Configure NetworkPolicy - -NetworkPolicy specifies what ingress and egress is allowed in this namespace. It is encouraged to be more specific whenever possible to increase security of the system. - -In the `networkpolicy` section of values.yaml you can specify a list of NetworkPolicy objects. - -For podSelector, ingress and egress, if nothing is provided then a default `- {}` is applied which is to allow everything. - -A full (but very wide open) example that results in 2 NetworkPolicy objects being created: -```yaml -networkpolicy: - # Allows all ingress and egress to/from artifactory primary and member pods. - - name: artifactory - podSelector: - matchLabels: - app: artifactory-ha - egress: - - {} - ingress: - - {} - # Allows connectivity from artifactory-ha pods to postgresql pods, but no traffic leaving postgresql pod. - - name: postgresql - podSelector: - matchLabels: - app: postgresql - ingress: - - from: - - podSelector: - matchLabels: - app: artifactory-ha -``` - -### Artifactory JMX Configuration -** You can see some information about the exposed MBeans here - https://www.jfrog.com/confluence/display/RTF/Artifactory+JMX+MBeans - -Enable JMX in your deployment: -```bash -helm install --name artifactory \ - --set artifactory.primary.javaOpts.jmx.enabled=true \ - --set artifactory.node.javaOpts.jmx.enabled=true \ - jfrog/artifactory-ha -``` -This will enable access to Artifactory with JMX on the default port (9010). -** You have the option to change the port by setting ```artifactory.primary.javaOpts.jmx.port``` and ```artifactory.node.javaOpts.jmx.port``` -to your choice of port - -In order to connect to Artifactory using JMX with jconsole (or any similar tool) installed on your computer, follow the following steps: -1. Enable JMX as described above and Change the Artifactory service to be of type LoadBalancer: -```bash -helm install --name artifactory \ - --set artifactory.primary.javaOpts.jmx.enabled=true \ - --set artifactory.node.javaOpts.jmx.enabled=true \ - --set artifactory.service.type=LoadBalancer \ - jfrog/artifactory-ha -``` -2. The default setting for java.rmi.server.hostname is the service name (this is also configurable with -```artifactory.primary.javaOpts.jmx.host``` and ```artifactory.node.javaOpts.jmx.host```), So in order to connect to Artifactory -with jconsole you should map the Artifactory kuberentes service IP to the service name using your hosts file as such: -``` - artifactory-ha--primary - -``` -3. Launch jconsole with the service address and port: -```bash -jconsole artifactory-ha--primary: -jconsole : -``` - -### Access creds. bootstraping -**IMPORTANT:** Bootsrapping access creds. will allow access for the user access-admin from certain IP's. - -* User guide to [bootstrap Artifactory Access credentials](https://www.jfrog.com/confluence/display/ACC/Configuring+Access) - -1. Create `access-creds-values.yaml` and provide the IP (By default 127.0.0.1) and password: -```yaml -artifactory: - accessAdmin: - ip: "" #Example: "*" - password: "" -``` - -2. Apply the `access-creds-values.yaml` file: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f access-creds-values.yaml -``` - -### Bootstrapping Artifactory -**IMPORTANT:** Bootstrapping Artifactory needs license. Pass license as shown in above section. - -* User guide to [bootstrap Artifactory Global Configuration](https://www.jfrog.com/confluence/display/RTF/Configuration+Files#ConfigurationFiles-BootstrappingtheGlobalConfiguration) -* User guide to [bootstrap Artifactory Security Configuration](https://www.jfrog.com/confluence/display/RTF/Configuration+Files#ConfigurationFiles-BootstrappingtheSecurityConfiguration) - -1. Create `bootstrap-config.yaml` with artifactory.config.import.xml and security.import.xml as shown below: -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: my-release-bootstrap-config -data: - artifactory.config.import.xml: | - - security.import.xml: | - -``` - -2. Create configMap in Kubernetes: -```bash -kubectl apply -f bootstrap-config.yaml -``` -3. Pass the configMap to helm -```bash -helm install --name artifactory-ha --set artifactory.license.secret=artifactory-cluster-license,artifactory.license.dataKey=art.lic,artifactory.configMapName=my-release-bootstrap-config jfrog/artifactory-ha -``` - -### Use custom nginx.conf with Nginx - -Steps to create configMap with nginx.conf -* Create `nginx.conf` file. -```bash -kubectl create configmap nginx-config --from-file=nginx.conf -``` -* Pass configMap to helm install -```bash -helm install --name artifactory-ha --set nginx.customConfigMap=nginx-config jfrog/artifactory-ha -``` - -### Scaling your Artifactory cluster -A key feature in Artifactory HA is the ability to set an initial cluster size with `--set artifactory.node.replicaCount=${CLUSTER_SIZE}` and if needed, resize it. - -##### Before scaling -**IMPORTANT:** When scaling, you need to explicitly pass the database password if it's an auto generated one (this is the default with the enclosed PostgreSQL helm chart). - -Get the current database password -```bash -export DB_PASSWORD=$(kubectl get $(kubectl get secret -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) -``` -Use `--set postgresql.postgresqlPassword=${DB_PASSWORD}` with every scale action to prevent a miss configured cluster! - -##### Scale up -Let's assume you have a cluster with **2** member nodes, and you want to scale up to **3** member nodes (a total of 4 nodes). -```bash -# Scale to 4 nodes (1 primary and 3 member nodes) -helm upgrade --install artifactory-ha --set artifactory.node.replicaCount=3 --set postgresql.postgresqlPassword=${DB_PASSWORD} jfrog/artifactory-ha -``` - -##### Scale down -Let's assume you have a cluster with **3** member nodes, and you want to scale down to **2** member node. - -```bash -# Scale down to 2 member nodes -helm upgrade --install artifactory-ha --set artifactory.node.replicaCount=2 --set postgresql.postgresqlPassword=${DB_PASSWORD} jfrog/artifactory-ha -``` -- **NOTE:** Since Artifactory is running as a Kubernetes Stateful Set, the removal of the node will **not** remove the persistent volume. You need to explicitly remove it -```bash -# List PVCs -kubectl get pvc - -# Remove the PVC with highest ordinal! -# In this example, the highest node ordinal was 2, so need to remove its storage. -kubectl delete pvc volume-artifactory-node-2 -``` - -### Use an external Database - -#### PostgreSQL -There are cases where you will want to use external PostgreSQL with a different database name e.g. `my-artifactory-db`, then you need set a custom PostgreSQL connection URL, where `my-artifactory-db` is the database name. - -This can be done with the following parameters -```bash -... ---set postgresql.enabled=false \ ---set database.type=postgresql \ ---set database.driver=org.postgresql.Driver \ ---set database.url='jdbc:postgresql://${DB_HOST}:${DB_PORT}/my-artifactory-db' \ ---set database.user=${DB_USER} \ ---set database.password=${DB_PASSWORD} \ -... -``` -**NOTE:** You must set `postgresql.enabled=false` in order for the chart to use the `database.*` parameters. Without it, they will be ignored! - -#### Other DB type -There are cases where you will want to use a different database and not the enclosed **PostgreSQL**. -See more details on [configuring the database](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Database) -> The official Artifactory Docker images include the PostgreSQL database driver. -> For other database types, you will have to add the relevant database driver to Artifactory's tomcat/lib - -This can be done with the following parameters -```bash -# Make sure your Artifactory Docker image has the MySQL database driver in it -... ---set postgresql.enabled=false \ ---set artifactory.preStartCommand="wget -O /opt/jfrog/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" \ ---set database.type=mysql \ ---set database.driver=com.mysql.jdbc.Driver \ ---set database.url=${DB_URL} \ ---set database.user=${DB_USER} \ ---set database.password=${DB_PASSWORD} \ -... -``` -**NOTE:** You must set `postgresql.enabled=false` in order for the chart to use the `database.*` parameters. Without it, they will be ignored! - -#### Using pre-existing Kubernetes Secret -If you store your database credentials in a pre-existing Kubernetes `Secret`, you can specify them via `database.secrets` instead of `database.user` and `database.password`: -```bash -# Create a secret containing the database credentials -kubectl create secret generic my-secret --from-literal=user=${DB_USER} --from-literal=password=${DB_PASSWORD} -... ---set postgresql.enabled=false \ ---set database.secrets.user.name=my-secret \ ---set database.secrets.user.key=user \ ---set database.secrets.password.name=my-secret \ ---set database.secrets.password.key=password \ -... -``` - -### Deleting Artifactory -To delete the Artifactory HA cluster -```bash -helm delete --purge artifactory-ha -``` -This will completely delete your Artifactory HA cluster. -**NOTE:** Since Artifactory is running as Kubernetes Stateful Sets, the removal of the helm release will **not** remove the persistent volumes. You need to explicitly remove them -```bash -kubectl delete pvc -l release=artifactory-ha -``` -See more details in the official [Kubernetes Stateful Set removal page](https://kubernetes.io/docs/tasks/run-application/delete-stateful-set/) - -### Custom Docker registry for your images -If you need to pull your Docker images from a private registry (for example, when you have a custom image with a MySQL database driver), you need to create a -[Kubernetes Docker registry secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) and pass it to helm -```bash -# Create a Docker registry secret called 'regsecret' -kubectl create secret docker-registry regsecret --docker-server=${DOCKER_REGISTRY} --docker-username=${DOCKER_USER} --docker-password=${DOCKER_PASS} --docker-email=${DOCKER_EMAIL} -``` -Once created, you pass it to `helm` -```bash -helm install --name artifactory-ha --set imagePullSecrets=regsecret jfrog/artifactory-ha -``` - -### Logger sidecars -This chart provides the option to add sidecars to tail various logs from Artifactory. See the available values in [values.yaml](values.yaml) - -Get list of containers in the pod -```bash -kubectl get pods -n -o jsonpath='{.spec.containers[*].name}' | tr ' ' '\n' -``` - -View specific log -```bash -kubectl logs -n -c -``` - - -### Custom init containers -There are cases where a special, unsupported init processes is needed like checking something on the file system or testing something before spinning up the main container. - -For this, there is a section for writing custom init containers before and after the predefined init containers in the [values.yaml](values.yaml) . By default it's commented out -```yaml -artifactory: - ## Add custom init containers executed before predefined init containers - customInitContainersBegin: | - ## Init containers template goes here ## - ## Add custom init containers executed after predefined init containers - customInitContainers: | - ## Init containers template goes here ## -``` - -### Custom sidecar containers -There are cases where an extra sidecar container is needed. For example monitoring agents or log collection. - -For this, there is a section for writing a custom sidecar container in the [values.yaml](values.yaml). By default it's commented out -```yaml -artifactory: - ## Add custom sidecar containers - customSidecarContainers: | - ## Sidecar containers template goes here ## -``` - -You can configure the sidecar to run as a custom user if needed by setting the following in the container template -```yaml - # Example of running container as root (id 0) - securityContext: - runAsUser: 0 - fsGroup: 0 -``` - -### Custom volumes -If you need to use a custom volume in a custom init or sidecar container, you can use this option. - -For this, there is a section for defining custom volumes in the [values.yaml](values.yaml). By default it's commented out -```yaml -artifactory: - ## Add custom volumes - customVolumes: | - ## Custom volume comes here ## -``` - -### Add Artifactory User Plugin during installation -If you need to add [Artifactory User Plugin](https://github.com/jfrog/artifactory-user-plugins), you can use this option. - -Create a secret with [Artifactory User Plugin](https://github.com/jfrog/artifactory-user-plugins) by following command: -```bash -# Secret with single user plugin -kubectl create secret generic archive-old-artifacts --from-file=archiveOldArtifacts.groovy --namespace=artifactory-ha - -# Secret with single user plugin with configuration file -kubectl create secret generic webhook --from-file=webhook.groovy --from-file=webhook.config.json.sample --namespace=artifactory-ha -``` - -Add plugin secret names to `plugins.yaml` as following: -```yaml -artifactory: - userPluginSecrets: - - archive-old-artifacts - - webhook -``` - -You can now pass the created `plugins.yaml` file to helm install command to deploy Artifactory with user plugins as follows: -```bash -helm install --name artifactory-ha -f plugins.yaml jfrog/artifactory-ha -``` - -Alternatively, you may be in a situation in which you would like to create a secret in a Helm chart that depends on this chart. In this scenario, the name of the secret is likely dynamically generated via template functions, so passing a statically named secret isn't possible. In this case, the chart supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function - simply pass the raw string containing the templating language used to name your secret as a value instead by adding the following to your chart's `values.yaml` file: -```yaml -artifactory-ha: # Name of the artifactory-ha dependency - artifactory: - userPluginSecrets: - - '{{ template "my-chart.fullname" . }}' -``` -NOTE: By defining userPluginSecrets, this overrides any pre-defined plugins from the container image that are stored in /tmp/plugins. At this time [artifactory-pro:6.9.0](https://bintray.com/jfrog/artifactory-pro) is distributed with `internalUser.groovy` plugin. If you need this plugin in addition to your user plugins, you should include these additional plugins as part of your userPluginSecrets. - -### Provide custom configMaps to Artifactory -If you want to mount a custom file to Artifactory, either an init shell script or a custom configuration file (such as `logback.xml`), you can use this option. - -Create a `configmaps.yaml` file with the following content: -```yaml -artifactory: - configMaps: | - logback.xml: | - - - - - %date [%-5level] \(%-20c{3}:%L\) %message%n - - - - - - - - - - - - - - - my-custom-post-start-hook.sh: | - echo "This is my custom post start hook" - - customVolumeMounts: | - - name: artifactory-configmaps - mountPath: /tmp/my-config-map - - postStartCommand: | - chmod +x /tmp/my-config-map/my-custom-post-start-hook.sh; - /tmp/my-config-map/my-custom-post-start-hook.sh; - - copyOnEveryStartup: - - source: /tmp/my-config-map/logback.xml - target: etc/ - -``` - -and use it with you helm install/upgrade: -```bash -helm install --name artifactory-ha -f configmaps.yaml jfrog/artifactory-ha -``` - -This will, in turn: -* create a configMap with the files you specified above -* create a volume pointing to the configMap with the name `artifactory-configmaps` -* Mount said configMap onto `/tmp/my-config-map` using a `customVolumeMounts` -* Set the shell script we mounted as the `postStartCommand` -* Copy the `logback.xml` file to its proper location in the `$ARTIFACTORY_HOME/etc` directory. - - -### Artifactory filebeat -If you want to collect logs from your Artifactory installation and send them to a central log collection solution like ELK, you can use this option. - -Create a `filebeat.yaml` values file with the following content: -```yaml -filebeat: - enabled: true - logstashUrl: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "100Mi" - cpu: "100m" -``` - -You can optionally customize the `filebeat.yaml` to send output to a different location like so: -```yaml -filebeat: - enabled: true - filebeatYml: | - -``` - -and use it with you helm install/upgrade: -```bash -helm install --name artifactory -f filebeat.yaml jfrog/artifactory -``` - -This will start sending your Artifactory logs to the log aggregator of your choice, based on your configuration in the `filebeatYml` - -## Configuration -The following table lists the configurable parameters of the artifactory chart and their default values. - -| Parameter | Description | Default | -|------------------------------|-----------------------------------|-------------------------------------------------------| -| `imagePullSecrets` | Docker registry pull secret | | -| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template | -| `serviceAccount.annotations` | Artifactory service account annotations | `` | -| `rbac.create` | Specifies whether RBAC resources should be created | `true` | -| `rbac.role.rules` | Rules to create | `[]` | -| `logger.image.repository` | repository for logger image | `busybox` | -| `logger.image.tag` | tag for logger image | `1.30` | -| `artifactory.name` | Artifactory name | `artifactory` | -| `artifactory.image.pullPolicy` | Container pull policy | `IfNotPresent` | -| `artifactory.image.repository` | Container image | `docker.bintray.io/jfrog/artifactory-pro` | -| `artifactory.image.version` | Container image tag | `.Chart.AppVersion` | -| `artifactory.priorityClass.create` | Create a PriorityClass object | `false` | -| `artifactory.priorityClass.value` | Priority Class value | `1000000000` | -| `artifactory.priorityClass.name` | Priority Class name | `{{ template "artifactory-ha.fullname" . }}` | -| `artifactory.priorityClass.existingPriorityClass` | Use existing priority class | `` | -| `artifactory.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` | -| `artifactory.catalinaLoggers` | Artifactory Tomcat loggers (see values.yaml for possible values) | `[]` | -| `artifactory.customInitContainersBegin`| Custom init containers to run before existing init containers | | -| `artifactory.customInitContainers`| Custom init containers to run after existing init containers | | -| `artifactory.customSidecarContainers`| Custom sidecar containers | | -| `artifactory.customVolumes` | Custom volumes | | -| `artifactory.customVolumeMounts` | Custom Artifactory volumeMounts | | -| `artifactory.customPersistentPodVolumeClaim` | Custom PVC spec to create and attach a unique PVC for each pod on startup with the volumeClaimTemplates feature in StatefulSet | | -| `artifactory.customPersistentVolumeClaim` | Custom PVC spec to be mounted to the all artifactory containers using a volume | | -| `artifactory.userPluginSecrets` | Array of secret names for Artifactory user plugins | | -| `artifactory.masterKey` | Artifactory master key. A 128-Bit key size (hexadecimal encoded) string (32 hex characters). Can be generated with `openssl rand -hex 16`. NOTE: This key can be generated only once and cannot be updated once created |`FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF`| -| `artifactory.masterKeySecretName` | Artifactory Master Key secret name | | -| `artifactory.joinKey` | Join Key to connect other services to Artifactory. Can be generated with `openssl rand -hex 16` | `EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE` | -| `artifactory.accessAdmin.ip` | Artifactory access-admin ip to be set upon startup, can use (*) for 0.0.0.0| 127.0.0.1 | -| `artifactory.accessAdmin.password` | Artifactory access-admin password to be set upon startup| | -| `artifactory.accessAdmin.secret` | Artifactory access-admin secret name | | -| `artifactory.accessAdmin.dataKey` | Artifactory access-admin secret data key | | -| `artifactory.preStartCommand` | Command to run before entrypoint starts | | -| `artifactory.postStartCommand` | Command to run after container starts | | -| `artifactory.license.licenseKey` | Artifactory license key. Providing the license key as a parameter will cause a secret containing the license key to be created as part of the release. Use either this setting or the license.secret and license.dataKey. If you use both, the latter will be used. | | -| `artifactory.configMaps` | configMaps to be created as volume by the name `artifactory-configmaps`. In order to use these configMaps, you will need to add `customVolumeMounts` to point to the created volume and mount it onto a container | | -| `artifactory.license.secret` | Artifactory license secret name | | -| `artifactory.license.dataKey`| Artifactory license secret data key | | -| `artifactory.service.name` | Artifactory service name to be set in Nginx configuration | `artifactory` | -| `artifactory.service.type` | Artifactory service type | `ClusterIP` | -| `artifactory.service.clusterIP`| Specific cluster IP or `None` for headless services | `nil` | -| `artifactory.service.loadBalancerSourceRanges`| Artifactory service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | -| `artifactory.service.annotations` | Artifactory service annotations | `{}` | -| `artifactory.service.pool` | Artifactory instances to be in the load balancing pool. `members` or `all` | `members` | -| `artifactory.externalPort` | Artifactory service external port | `8082` | -| `artifactory.internalPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8082` | -| `artifactory.internalArtifactoryPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8081` | -| `artifactory.externalArtifactoryPort` | Artifactory service external port | `8081` | -| `artifactory.extraEnvironmentVariables` | Extra environment variables to pass to Artifactory. Supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function. See [documentation](https://www.jfrog.com/confluence/display/RTF/Installing+with+Docker#InstallingwithDocker-SupportedEnvironmentVariables) | | -| `artifactory.livenessProbe.enabled` | Enable liveness probe | `true` | -| `artifactory.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` | -| `artifactory.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | -| `artifactory.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `artifactory.livenessProbe.timeoutSeconds` | When the probe times out | 10 | -| `artifactory.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | -| `artifactory.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `artifactory.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `artifactory.readinessProbe.path` | readiness probe HTTP Get path | `/router/api/v1/system/health` | -| `artifactory.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 | -| `artifactory.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `artifactory.readinessProbe.timeoutSeconds` | When the probe times out | 10 | -| `artifactory.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | -| `artifactory.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `artifactory.copyOnEveryStartup` | List of files to copy on startup from source (which is absolute) to target (which is relative to ARTIFACTORY_HOME | | -| `artifactory.deleteDBPropertiesOnStartup` | Whether to delete the ARTIFACTORY_HOME/etc/db.properties file on startup. Disabling this will remove the ability for the db.properties to be updated with any DB-related environment variables change (e.g. DB_HOST, DB_URL) | `true` | -| `artifactory.database.maxOpenConnections` | Maximum amount of open connections from Artifactory to the DB | `80` | -| `artifactory.haDataDir.enabled` | Enable haDataDir for eventual storage in the HA cluster | `false` | -| `artifactory.haDataDir.path` | Path to the directory intended for use with NFS eventual configuration for HA | | -| `artifactory.persistence.mountPath` | Artifactory persistence volume mount path | `"/var/opt/jfrog/artifactory"` | -| `artifactory.persistence.enabled` | Artifactory persistence volume enabled | `true` | -| `artifactory.persistence.accessMode` | Artifactory persistence volume access mode | `ReadWriteOnce` | -| `artifactory.persistence.size` | Artifactory persistence or local volume size | `200Gi` | -| `artifactory.persistence.binarystore.enabled` | whether you want to mount the binarystore.xml file from a secret created by the chart. If `false` you will need need to get the binarystore.xml file into the file-system from either an `initContainer` or using a `preStartCommand` | `true` | -| `artifactory.persistence.binarystoreXml` | Artifactory binarystore.xml template | See `values.yaml` | -| `artifactory.persistence.customBinarystoreXmlSecret` | A custom Secret for binarystore.xml | `` | -| `artifactory.persistence.maxCacheSize` | Artifactory cache-fs provider maxCacheSize in bytes | `50000000000` | -| `artifactory.persistence.cacheProviderDir` | the root folder of binaries for the filestore cache. If the value specified starts with a forward slash ("/") it is considered the fully qualified path to the filestore folder. Otherwise, it is considered relative to the *baseDataDir*. | `cache` | -| `artifactory.persistence.type` | Artifactory HA storage type | `file-system` | -| `artifactory.persistence.redundancy` | Artifactory HA storage redundancy | `3` | -| `artifactory.persistence.nfs.ip` | NFS server IP | | -| `artifactory.persistence.nfs.haDataMount` | NFS data directory | `/data` | -| `artifactory.persistence.nfs.haBackupMount` | NFS backup directory | `/backup` | -| `artifactory.persistence.nfs.dataDir` | HA data directory | `/var/opt/jfrog/artifactory-ha` | -| `artifactory.persistence.nfs.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` | -| `artifactory.persistence.nfs.capacity` | NFS PVC size | `200Gi` | -| `artifactory.persistence.nfs.mountOptions` | NFS mount options | `[]` | -| `artifactory.persistence.eventual.numberOfThreads` | Eventual number of threads | `10` | -| `artifactory.persistence.googleStorage.endpoint` | Google Storage API endpoint| `storage.googleapis.com` | -| `artifactory.persistence.googleStorage.httpsOnly` | Google Storage API has to be consumed https only| `false` | -| `artifactory.persistence.googleStorage.bucketName` | Google Storage bucket name | `artifactory-ha` | -| `artifactory.persistence.googleStorage.identity` | Google Storage service account id | | -| `artifactory.persistence.googleStorage.credential` | Google Storage service account key | | -| `artifactory.persistence.googleStorage.path` | Google Storage path in bucket | `artifactory-ha/filestore` | -| `artifactory.persistence.googleStorage.bucketExists`| Google Storage bucket exists therefore does not need to be created.| `false` | -| `artifactory.persistence.awsS3.bucketName` | AWS S3 bucket name | `artifactory-ha` | -| `artifactory.persistence.awsS3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | -| `artifactory.persistence.awsS3.region` | AWS S3 bucket region | | -| `artifactory.persistence.awsS3.roleName` | AWS S3 IAM role name | | -| `artifactory.persistence.awsS3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | -| `artifactory.persistence.awsS3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | -| `artifactory.persistence.awsS3.properties` | AWS S3 additional properties | | -| `artifactory.persistence.awsS3.path` | AWS S3 path in bucket | `artifactory-ha/filestore` | -| `artifactory.persistence.awsS3.refreshCredentials` | AWS S3 renew credentials on expiration | `true` (When roleName is used, this parameter will be set to true) | -| `artifactory.persistence.awsS3.httpsOnly` | AWS S3 https access to the bucket only | `true` | -| `artifactory.persistence.awsS3.testConnection` | AWS S3 test connection on start up | `false` | -| `artifactory.persistence.awsS3.s3AwsVersion` | AWS S3 signature version | `AWS4-HMAC-SHA256` | -| `artifactory.persistence.awsS3V3.testConnection` | AWS S3 test connection on start up | `false` | -| `artifactory.persistence.awsS3V3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | -| `artifactory.persistence.awsS3V3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | -| `artifactory.persistence.awsS3V3.region` | AWS S3 bucket region | | -| `artifactory.persistence.awsS3V3.bucketName` | AWS S3 bucket name | `artifactory-aws` | -| `artifactory.persistence.awsS3V3.path` | AWS S3 path in bucket | `artifactory/filestore` | -| `artifactory.persistence.awsS3V3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | -| `artifactory.persistence.awsS3V3.kmsServerSideEncryptionKeyId` | AWS S3 encryption key ID or alias | | -| `artifactory.persistence.awsS3V3.kmsKeyRegion` | AWS S3 KMS Key region | | -| `artifactory.persistence.awsS3V3.kmsCryptoMode` | AWS S3 KMS encryption mode | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate | -| `artifactory.persistence.awsS3V3.useInstanceCredentials` | AWS S3 Use default authentication mechanism | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-authentication | -| `artifactory.persistence.awsS3V3.usePresigning` | AWS S3 Use URL signing | `false` | -| `artifactory.persistence.awsS3V3.signatureExpirySeconds` | AWS S3 Validity period in seconds for signed URLs | `300` | -| `artifactory.persistence.awsS3V3.cloudFrontDomainName` | AWS CloudFront domain name | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| -| `artifactory.persistence.awsS3V3.cloudFrontKeyPairId` | AWS CloudFront key pair ID | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| -| `artifactory.persistence.awsS3V3.cloudFrontPrivateKey` | AWS CloudFront private key | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| -| `artifactory.persistence.azureBlob.accountName` | Azure Blob Storage account name | `` | -| `artifactory.persistence.azureBlob.accountKey` | Azure Blob Storage account key | `` | -| `artifactory.persistence.azureBlob.endpoint` | Azure Blob Storage endpoint | `` | -| `artifactory.persistence.azureBlob.containerName` | Azure Blob Storage container name | `` | -| `artifactory.persistence.azureBlob.testConnection` | Azure Blob Storage test connection | `false` | -| `artifactory.persistence.fileSystem.existingSharedClaim` | Enable using an existing shared pvc | `false` | -| `artifactory.persistence.fileStorage.dataDir` | HA data directory | `/var/opt/jfrog/artifactory/artifactory-data` | -| `artifactory.persistence.fileStorage.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` | -| `artifactory.javaOpts.other` | Artifactory additional java options (for all nodes) | | -| `artifactory.primary.labels` | Artifactory primary node labels | `{}` | -| `artifactory.primary.resources.requests.memory` | Artifactory primary node initial memory request | | -| `artifactory.primary.resources.requests.cpu` | Artifactory primary node initial cpu request | | -| `artifactory.primary.resources.limits.memory` | Artifactory primary node memory limit | | -| `artifactory.primary.resources.limits.cpu` | Artifactory primary node cpu limit | | -| `artifactory.primary.javaOpts.xms` | Artifactory primary node java Xms size | | -| `artifactory.primary.javaOpts.xmx` | Artifactory primary node java Xms size | | -| `artifactory.primary.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the primary node - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` | -| `artifactory.primary.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` | -| `artifactory.primary.javaOpts.jmx.port` | JMX Port number | `9010` | -| `artifactory.primary.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.primary.name" $ }}` | -| `artifactory.primary.javaOpts.jmx.ssl` | Enable SSL | `false` | -| `artifactory.primary.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` | -| `artifactory.primary.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | | -| `artifactory.primary.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | | -| `artifactory.primary.javaOpts.other` | Artifactory primary node additional java options | | -| `artifactory.primary.persistence.existingClaim` | Whether to use an existing pvc for the primary node | `false` | -| `artifactory.node.labels` | Artifactory member node labels | `{}` | -| `artifactory.node.replicaCount` | Artifactory member node replica count | `2` | -| `artifactory.node.minAvailable` | Artifactory member node min available count | `1` | -| `artifactory.node.resources.requests.memory` | Artifactory member node initial memory request | | -| `artifactory.node.resources.requests.cpu` | Artifactory member node initial cpu request | | -| `artifactory.node.resources.limits.memory` | Artifactory member node memory limit | | -| `artifactory.node.resources.limits.cpu` | Artifactory member node cpu limit | | -| `artifactory.node.javaOpts.xms` | Artifactory member node java Xms size | | -| `artifactory.node.javaOpts.xmx` | Artifactory member node java Xms size | | -| `artifactory.node.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the member nodes - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` | -| `artifactory.node.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` | -| `artifactory.node.javaOpts.jmx.port` | JMX Port number | `9010` | -| `artifactory.node.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.fullname" $ }}` | -| `artifactory.node.javaOpts.jmx.ssl` | Enable SSL | `false` | -| `artifactory.node.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` | -| `artifactory.node.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | | -| `artifactory.node.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | | -| `artifactory.node.javaOpts.other` | Artifactory member node additional java options | | -| `artifactory.node.persistence.existingClaim` | Whether to use existing PVCs for the member nodes | `false` | -| `artifactory.node.waitForPrimaryStartup.enabled` | Whether to wait for the primary node to start before starting up the member nodes | `false` | -| `artifactory.node.waitForPrimaryStartup.time` | The amount of time to wait for the primary node to start before starting up the member nodes | `60` | -| `artifactory.systemYaml` | Artifactory system configuration (`system.yaml`) as described here - https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML | `see values.yaml` | -| `access.database.maxOpenConnections` | Maximum amount of open connections from Access to the DB | `80` | -| `initContainers.resources.requests.memory` | Init containers initial memory request | | -| `initContainers.resources.requests.cpu` | Init containers initial cpu request | | -| `initContainers.resources.limits.memory` | Init containers memory limit | | -| `initContainers.resources.limits.cpu` | Init containers cpu limit | | -| `ingress.enabled` | If true, Artifactory Ingress will be created | `false` | -| `ingress.annotations` | Artifactory Ingress annotations | `{}` | -| `ingress.labels` | Artifactory Ingress labels | `{}` | -| `ingress.hosts` | Artifactory Ingress hostnames | `[]` | -| `ingress.routerPath` | Router Ingress path | `/` | -| `ingress.artifactoryPath` | Artifactory Ingress path | `/artifactory` | -| `ingress.tls` | Artifactory Ingress TLS configuration (YAML) | `[]` | -| `ingress.defaultBackend.enabled` | If true, the default `backend` will be added using serviceName and servicePort | `true` | -| `ingress.annotations` | Ingress annotations, which are written out if annotations section exists in values. Everything inside of the annotations section will appear verbatim inside the resulting manifest. See `Ingress annotations` section below for examples of how to leverage the annotations, specifically for how to enable docker authentication. | | -| `ingress.additionalRules` | Ingress additional rules to be added to the Artifactory ingress. | `[]` | -| `nginx.enabled` | Deploy nginx server | `true` | -| `nginx.name` | Nginx name | `nginx` | -| `nginx.replicaCount` | Nginx replica count | `1` | -| `nginx.uid` | Nginx User Id | `104` | -| `nginx.gid` | Nginx Group Id | `107` | -| `nginx.image.repository` | Container image | `docker.bintray.io/jfrog/nginx-artifactory-pro` | -| `nginx.image.version` | Container version | `.Chart.AppVersion` | -| `nginx.image.pullPolicy` | Container pull policy | `IfNotPresent` | -| `nginx.labels` | Nginx deployment labels | `{}` | -| `nginx.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` | -| `nginx.mainConf` | Content of the Artifactory nginx main nginx.conf config file | `see values.yaml` | -| `nginx.artifactoryConf` | Content of Artifactory nginx artifactory.conf config file | `see values.yaml` | -| `nginx.service.type` | Nginx service type | `LoadBalancer` | -| `nginx.service.clusterIP` | Specific cluster IP or `None` for headless services | `nil` | -| `nginx.service.loadBalancerSourceRanges`| Nginx service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | -| `nginx.service.labels` | Nginx service labels | `{}` | -| `nginx.service.annotations` | Nginx service annotations | `{}` | -| `nginx.service.externalTrafficPolicy`| Nginx service desires to route external traffic to node-local or cluster-wide endpoints. | `Cluster` | -| `nginx.loadBalancerIP`| Provide Static IP to configure with Nginx | | -| `nginx.http.enabled` | Nginx http service enabled/disabled | true | -| `nginx.http.externalPort` | Nginx service external port | `80` | -| `nginx.http.internalPort` | Nginx service internal port | `80` | -| `nginx.https.enabled` | Nginx http service enabled/disabled | true | -| `nginx.https.externalPort` | Nginx service external port | `443` | -| `nginx.https.internalPort` | Nginx service internal port | `443` | -| `nginx.externalPortHttp` | DEPRECATED: Nginx service external port | `80` | -| `nginx.internalPortHttp` | DEPRECATED: Nginx service internal port | `80` | -| `nginx.externalPortHttps` | DEPRECATED: Nginx service external port | `443` | -| `nginx.internalPortHttps` | DEPRECATED: Nginx service internal port | `443` | -| `nginx.livenessProbe.enabled` | would you like a liveness Probe to be enabled | `true` | -| `nginx.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` | -| `nginx.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 100 | -| `nginx.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `nginx.livenessProbe.timeoutSeconds` | When the probe times out | 10 | -| `nginx.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | -| `nginx.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `nginx.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `nginx.readinessProbe.path` | Readiness probe HTTP Get path | `/router/api/v1/system/health` | -| `nginx.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 | -| `nginx.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `nginx.readinessProbe.timeoutSeconds` | When the probe times out | 10 | -| `nginx.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | -| `nginx.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `nginx.tlsSecretName` | SSL secret that will be used by the Nginx pod | | -| `nginx.customConfigMap` | Nginx CustomeConfigMap name for `nginx.conf` | ` ` | -| `nginx.customArtifactoryConfigMap`| Nginx CustomeConfigMap name for `artifactory-ha.conf` | ` ` | -| `nginx.resources.requests.memory` | Nginx initial memory request | `250Mi` | -| `nginx.resources.requests.cpu` | Nginx initial cpu request | `100m` | -| `nginx.resources.limits.memory` | Nginx memory limit | `250Mi` | -| `nginx.resources.limits.cpu` | Nginx cpu limit | `500m` | -| `nginx.persistence.mountPath` | Nginx persistence volume mount path | `"/var/opt/jfrog/nginx"` | -| `nginx.persistence.enabled` | Nginx persistence volume enabled. This is only available when the nginx.replicaCount is set to 1 | `false` | -| `nginx.persistence.accessMode` | Nginx persistence volume access mode | `ReadWriteOnce` | -| `nginx.persistence.size` | Nginx persistence volume size | `5Gi` | -| `waitForDatabase` | Wait for database (using wait-for-db init container) | `true` | -| `postgresql.enabled` | Use enclosed PostgreSQL as database | `true` | -| `postgresql.imageTag` | PostgreSQL version | `9.6.11` | -| `postgresql.postgresqlDatabase` | PostgreSQL database name | `artifactory` | -| `postgresql.postgresqlUsername` | PostgreSQL database user | `artifactory` | -| `postgresql.postgresqlPassword` | PostgreSQL database password | | -| `postgresql.persistence.enabled` | PostgreSQL use persistent storage | `true` | -| `postgresql.persistence.size` | PostgreSQL persistent storage size | `50Gi` | -| `postgresql.service.port` | PostgreSQL database port | `5432` | -| `postgresql.resources.requests.memory` | PostgreSQL initial memory request | | -| `postgresql.resources.requests.cpu` | PostgreSQL initial cpu request | | -| `postgresql.resources.limits.memory` | PostgreSQL memory limit | | -| `postgresql.resources.limits.cpu` | PostgreSQL cpu limit | | -| `database.type` | External database type (`postgresql`, `mysql`, `oracle` or `mssql`) | | -| `database.driver` | External database driver e.g. `org.postgresql.Driver` | | -| `database.url` | External database connection URL | | -| `database.user` | External database username | | -| `database.password` | External database password | | -| `database.secrets.user.name` | External database username `Secret` name | | -| `database.secrets.user.key` | External database username `Secret` key | | -| `database.secrets.password.name` | External database password `Secret` name | | -| `database.secrets.password.key` | External database password `Secret` key | | -| `database.secrets.url.name ` | External database url `Secret` name | | -| `database.secrets.url.key` | External database url `Secret` key | | -| `networkpolicy.name` | Becomes part of the NetworkPolicy object name | `artifactory` | -| `networkpolicy.podselector` | Contains the YAML that specifies how to match pods. Usually using matchLabels. | | -| `networkpolicy.ingress` | YAML snippet containing to & from rules applied to incoming traffic | `- {}` (open to all inbound traffic) | -| `networkpolicy.egress` | YAML snippet containing to & from rules applied to outgoing traffic | `- {}` (open to all outbound traffic) | -| `filebeat.enabled` | Enable a filebeat container to send your logs to a log management solution like ELK | `false` | -| `filebeat.name` | filebeat container name | `artifactory-filebeat` | -| `filebeat.image.repository` | filebeat Docker image repository | `docker.elastic.co/beats/filebeat` | -| `filebeat.image.version` | filebeat Docker image version | `7.5.1` | -| `filebeat.logstashUrl` | The URL to the central Logstash service, if you have one | `logstash:5044` | -| `filebeat.livenessProbe.exec.command` | liveness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) | -| `filebeat.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `filebeat.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | -| `filebeat.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `filebeat.readinessProbe.exec.command` | readiness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) | -| `filebeat.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `filebeat.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 180 | -| `filebeat.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `filebeat.resources.requests.memory` | Filebeat initial memory request | | -| `filebeat.resources.requests.cpu` | Filebeat initial cpu request | | -| `filebeat.resources.limits.memory` | Filebeat memory limit | | -| `filebeat.resources.limits.cpu` | Filebeat cpu limit | | -| `filebeat.filebeatYml` | Filebeat yaml configuration file | see [values.yaml](stable/artifactory-ha/values.yaml) | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. - -### Ingress and TLS -To get Helm to create an ingress object with a hostname, add these two lines to your Helm command: -```bash -helm install --name artifactory-ha \ - --set ingress.enabled=true \ - --set ingress.hosts[0]="artifactory.company.com" \ - --set artifactory.service.type=NodePort \ - --set nginx.enabled=false \ - jfrog/artifactory-ha -``` - -If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [cert-manager](https://github.com/jetstack/cert-manager)), please refer to the documentation for that mechanism. - -To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: - -```bash -kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key -``` - -Include the secret's name, along with the desired hostnames, in the Artifactory Ingress TLS section of your custom `values.yaml` file: - -```yaml - ingress: - ## If true, Artifactory Ingress will be created - ## - enabled: true - - ## Artifactory Ingress hostnames - ## Must be provided if Ingress is enabled - ## - hosts: - - artifactory.domain.com - annotations: - kubernetes.io/tls-acme: "true" - ## Artifactory Ingress TLS configuration - ## Secrets must be manually created in the namespace - ## - tls: - - secretName: artifactory-tls - hosts: - - artifactory.domain.com -``` - -### Ingress annotations - -This example specifically enables Artifactory to work as a Docker Registry using the Repository Path method. See [Artifactory as Docker Registry](https://www.jfrog.com/confluence/display/RTF/Getting+Started+with+Artifactory+as+a+Docker+Registry) documentation for more information about this setup. - -```yaml -ingress: - enabled: true - defaultBackend: - enabled: false - hosts: - - myhost.example.com - annotations: - ingress.kubernetes.io/force-ssl-redirect: "true" - ingress.kubernetes.io/proxy-body-size: "0" - ingress.kubernetes.io/proxy-read-timeout: "600" - ingress.kubernetes.io/proxy-send-timeout: "600" - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/configuration-snippet: | - rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token; - rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3; - nginx.ingress.kubernetes.io/proxy-body-size: "0" - tls: - - hosts: - - "myhost.example.com" -``` - -### Ingress additional rules - -You have the option to add additional ingress rules to the Artifactory ingress. An example for this use case can be routing the /xray path to Xray. -In order to do that, simply add the following to a `artifactory-ha-values.yaml` file: -```yaml -ingress: - enabled: true - - defaultBackend: - enabled: false - - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/configuration-snippet: | - rewrite "(?i)/xray(/|$)(.*)" /$2 break; - - additionalRules: | - - host: - http: - paths: - - path: / - backend: - serviceName: - servicePort: - - path: /xray - backend: - serviceName: - servicePort: - - path: /artifactory - backend: - serviceName: {{ template "artifactory.nginx.fullname" . }} - servicePort: {{ .Values.nginx.externalPortHttp }} -``` - -and running: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f artifactory-ha-values.yaml -``` - - - -## Useful links -- https://www.jfrog.com/confluence/display/EP/Getting+Started -- https://www.jfrog.com/confluence/display/RTF/Installing+Artifactory -- https://www.jfrog.com/confluence/ diff --git a/Openshift4/artifactoryha-helm/ReverseProxyConfiguration.md b/Openshift4/artifactoryha-helm/ReverseProxyConfiguration.md deleted file mode 100755 index 8515932..0000000 --- a/Openshift4/artifactoryha-helm/ReverseProxyConfiguration.md +++ /dev/null @@ -1,140 +0,0 @@ -# JFrog Artifactory Reverse Proxy Settings using Nginx - -#### Reverse Proxy -* To use Artifactory as docker registry it's mandatory to use Reverse Proxy. -* Artifactory provides a Reverse Proxy Configuration Generator screen in which you can fill in a set of fields to generate -the required configuration snippet which you can then download and install directly in the corresponding directory of your reverse proxy server. -* To learn about configuring NGINX or Apache for reverse proxy refer to documentation provided on [JFrog wiki](https://www.jfrog.com/confluence/display/RTF/Configuring+a+Reverse+Proxy) -* By default Artifactory helm chart uses Nginx for reverse proxy and load balancing. - -**Note**: Nginx image distributed with Artifactory helm chart is custom image managed and maintained by JFrog. - -#### Features of Artifactory Nginx -* Provides default configuration with self signed SSL certificate generated on each helm install/upgrade. -* Persist configuration and SSL certificate in `/var/opt/jfrog/nginx` directory - -#### Changing the default Artifactory nginx conf -Use a values.yaml file for changing the value of nginx.mainConf or nginx.artifactoryConf -These configuration will be mounted to the nginx container using a configmap. -For example: -1. Create a values file `nginx-values.yaml` with the following values: -```yaml -nginx: - artifactoryConf: | - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; - ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; - ssl_session_cache shared:SSL:1m; - ssl_prefer_server_ciphers on; - ## server configuration - server { - listen {{ .Values.nginx.internalPortHttps }} ssl; - listen {{ .Values.nginx.internalPortHttp }} ; - ## Change to you DNS name you use to access Artifactory - server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }}; - - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - ## access_log /var/log/nginx/artifactory-access.log timing; - ## error_log /var/log/nginx/artifactory-error.log; - rewrite ^/$ /artifactory/webapp/ redirect; - rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect; - if ( $repo != "" ) { - rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; - } - rewrite ^/(v1|v2)/([^/]+)(.*)$ /artifactory/api/docker/$2/$1/$3; - rewrite ^/(v1|v2)/ /artifactory/api/docker/$1/; - chunked_transfer_encoding on; - client_max_body_size 0; - location /artifactory/ { - proxy_read_timeout 900; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - if ( $request_uri ~ ^/artifactory/(.*)$ ) { - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/$1; - } - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/; - proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - } -``` - -2. Install/upgrade artifactory: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f nginx-values.yaml -``` - - -#### Steps to use static configuration for reverse proxy in nginx. -1. Get Artifactory service name using this command `kubectl get svc -n $NAMESPACE` - -2. Create `artifactory.conf` file with nginx configuration. More [nginx configuration examples](https://github.com/jfrog/artifactory-docker-examples/tree/master/files/nginx/conf.d) - - Following is example `artifactory.conf` - - **Note**: - * Create file with name `artifactory.conf` as it's fixed in configMap key. - * Replace `artifactory-artifactory` with service name taken from step 1. - - ```bash - ## add ssl entries when https has been set in config - ssl_certificate /var/opt/jfrog/nginx/ssl/tls.crt; - ssl_certificate_key /var/opt/jfrog/nginx/ssl/tls.key; - ssl_session_cache shared:SSL:1m; - ssl_prefer_server_ciphers on; - ## server configuration - server { - listen 443 ssl; - listen 80; - ## Change to you DNS name you use to access Artifactory - server_name ~(?.+)\.artifactory-artifactory artifactory-artifactory; - - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - ## access_log /var/log/nginx/artifactory-access.log timing; - ## error_log /var/log/nginx/artifactory-error.log; - rewrite ^/$ /artifactory/webapp/ redirect; - rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect; - if ( $repo != "" ) { - rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; - } - rewrite ^/(v1|v2)/([^/]+)(.*)$ /artifactory/api/docker/$2/$1/$3; - rewrite ^/(v1|v2)/ /artifactory/api/docker/$1/; - chunked_transfer_encoding on; - client_max_body_size 0; - location /artifactory/ { - proxy_read_timeout 900; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - if ( $request_uri ~ ^/artifactory/(.*)$ ) { - proxy_pass http://artifactory-artifactory:8081/artifactory/$1 break; - } - proxy_pass http://artifactory-artifactory:8081/artifactory/; - proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - } - ``` - -3. Create configMap of `artifactory.conf` created with step above. - ```bash - kubectl create configmap art-nginx-conf --from-file=artifactory.conf - ``` -4. Deploy Artifactory using helm chart. - You can achieve this by providing the name of configMap created above to `nginx.customArtifactoryConfigMap` in [values.yaml](values.yaml) - - Following is command to set values at runtime: - ```bash - helm install --name artifactory-ha nginx.customArtifactoryConfigMap=art-nginx-conf jfrog/artifactory-ha - ``` \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/UPGRADE_NOTES.md b/Openshift4/artifactoryha-helm/UPGRADE_NOTES.md deleted file mode 100755 index 640474f..0000000 --- a/Openshift4/artifactoryha-helm/UPGRADE_NOTES.md +++ /dev/null @@ -1,33 +0,0 @@ -# JFrog Artifactory Chart Upgrade Notes -This file describes special upgrade notes needed at specific versions - -## Upgrade from 0.X to 1.X -**DOWNTIME IS REQUIRED FOR AN UPGRADE!** -* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you!** -* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is not backward compatible with the old version (`0.9.5`)! -* Note the following **PostgreSQL** Helm chart changes - * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used - * **PostgreSQL** is deployed as a StatefulSet - * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations -* Upgrade - * Due to breaking changes in the **PostgreSQL** Helm chart, a migration of the database is needed from the old to the new database - * The recommended migration process is the [full system export and import](https://www.jfrog.com/confluence/display/RTF/Importing+and+Exporting) - * **NOTE:** To save time, export only metadata and configuration (check `Exclude Content` in the `System Import & Export`) since the Artifactory filestore is persisted - * Upgrade steps: - 1. Block user access to Artifactory (do not shutdown) - a. Scale down the cluster to primary node only (`node.replicaCount=0`) so the exported db and configuration will be kept on one known node (the primary) - b. If your Artifactory HA K8s service is set to member nodes only (`service.pool=members`) you will need to access the primary node directly (use `kubectl port-forward`) - 2. Perform `Export System` from the `Admin` -> `Import & Export` -> `System` -> `Export System` - a. Check `Exclude Content` to save export size (as Artifactory filestore will persist across upgrade) - b. Choose to save the export on the persisted Artifactory volume (`/var/opt/jfrog/artifactory/`) - c. Click `Export` (this can take some time) - 3. Run the `helm upgrade` with the new version. Old PostgreSQL will be removed and new one deployed - a. You must pass explicit "ready for upgrade flag" with `--set databaseUpgradeReady=yes`. Failing to provide this will block the upgrade! - 4. Once ready, open Artifactory UI (you might need to re-enter a valid license). Skip all onboarding wizard steps - a. **NOTE:** Don't worry you can't see the old config and files. It will all restore with the system import in the next step - 5. Perform `Import System` from the `Admin` -> `Import & Export` -> `System` -> `Import System` - a. Browse to where the export was saved Artifactory volume (`/var/opt/jfrog/artifactory/`) - b. Click `Import` (this can take some time) - 6. Restore access to Artifactory - a. Scale the cluster member nodes back to the original size - * Artifactory should now be ready to get back to normal operation diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/.helmignore b/Openshift4/artifactoryha-helm/charts/postgresql/.helmignore deleted file mode 100755 index a1c17ae..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/.helmignore +++ /dev/null @@ -1,2 +0,0 @@ -.git -OWNERS \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/Chart.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/Chart.yaml deleted file mode 100755 index 4687eb3..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/Chart.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -appVersion: 11.5.0 -description: Chart for PostgreSQL, an object-relational database management system - (ORDBMS) with an emphasis on extensibility and on standards-compliance. -engine: gotpl -home: https://www.postgresql.org/ -icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png -keywords: -- postgresql -- postgres -- database -- sql -- replication -- cluster -maintainers: -- email: containers@bitnami.com - name: Bitnami -- email: cedric@desaintmartin.fr - name: desaintmartin -name: postgresql -sources: -- https://github.com/bitnami/bitnami-docker-postgresql -version: 7.0.1 diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/README.md b/Openshift4/artifactoryha-helm/charts/postgresql/README.md deleted file mode 100755 index e6621b4..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/README.md +++ /dev/null @@ -1,487 +0,0 @@ -# PostgreSQL - -[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. - -## TL;DR; - -```console -$ helm install stable/postgresql -``` - -## Introduction - -This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). - -## Prerequisites - -- Kubernetes 1.12+ -- Helm 2.11+ or Helm 3.0-beta3+ -- PV provisioner support in the underlying infrastructure - -## Installing the Chart -To install the chart with the release name `my-release`: - -```console -$ helm install --name my-release stable/postgresql -``` - -The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -$ helm delete my-release -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Parameters - -The following tables lists the configurable parameters of the PostgreSQL chart and their default values. - -| Parameter | Description | Default | -| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | -| `global.imageRegistry` | Global Docker Image registry | `nil` | -| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` | -| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` | -| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` | -| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` | -| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` | -| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | -| `image.registry` | PostgreSQL Image registry | `docker.io` | -| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` | -| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | -| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | -| `image.debug` | Specify if debug values should be set | `false` | -| `nameOverride` | String to partially override postgresql.fullname template with a string (will prepend the release name) | `nil` | -| `fullnameOverride` | String to fully override postgresql.fullname template with a string | `nil` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag | `stretch` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | -| `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0` | -| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` | -| `replication.enabled` | Enable replication | `false` | -| `replication.user` | Replication user | `repl_user` | -| `replication.password` | Replication user password | `repl_password` | -| `replication.slaveReplicas` | Number of slaves replicas | `1` | -| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | -| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`. | `0` | -| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | -| `existingSecret` | Name of existing secret to use for PostgreSQL passwords | `nil` | -| `postgresqlUsername` | PostgreSQL admin user | `postgres` | -| `postgresqlPassword` | PostgreSQL admin password | _random 10 character alphanumeric string_ | -| `postgresqlDatabase` | PostgreSQL database | `nil` | -| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) | -| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` | -| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` | -| `postgresqlConfiguration` | Runtime Config Parameters | `nil` | -| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` | -| `pgHbaConfiguration` | Content of pg\_hba.conf | `nil (do not create pg_hba.conf)` | -| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` | -| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` | -| `initdbScripts` | Dictionary of initdb scripts | `nil` | -| `initdbUsername` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` | -| `initdbPassword` | Password for the user specified in `initdbUsername` | `nil` | -| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` | -| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.port` | PostgreSQL port | `5432` | -| `service.nodePort` | Kubernetes Service nodePort | `nil` | -| `service.annotations` | Annotations for PostgreSQL service, the value is evaluated as a template. | {} | -| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | -| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | [] | -| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | -| `persistence.enabled` | Enable persistence using PVC | `true` | -| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` | -| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` | -| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` | -| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` | -| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | -| `persistence.annotations` | Annotations for the PVC | `{}` | -| `master.nodeSelector` | Node labels for pod assignment (postgresql master) | `{}` | -| `master.affinity` | Affinity labels for pod assignment (postgresql master) | `{}` | -| `master.tolerations` | Toleration labels for pod assignment (postgresql master) | `[]` | -| `master.anotations` | Map of annotations to add to the statefulset (postgresql master) | `{}` | -| `master.labels` | Map of labels to add to the statefulset (postgresql master) | `{}` | -| `master.podAnnotations` | Map of annotations to add to the pods (postgresql master) | `{}` | -| `master.podLabels` | Map of labels to add to the pods (postgresql master) | `{}` | -| `master.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql master) | `[]` | -| `master.extraVolumes` | Additional volumes to add to the pods (postgresql master) | `[]` | -| `slave.nodeSelector` | Node labels for pod assignment (postgresql slave) | `{}` | -| `slave.affinity` | Affinity labels for pod assignment (postgresql slave) | `{}` | -| `slave.tolerations` | Toleration labels for pod assignment (postgresql slave) | `[]` | -| `slave.anotations` | Map of annotations to add to the statefulsets (postgresql slave) | `{}` | -| `slave.labels` | Map of labels to add to the statefulsets (postgresql slave) | `{}` | -| `slave.podAnnotations` | Map of annotations to add to the pods (postgresql slave) | `{}` | -| `slave.podLabels` | Map of labels to add to the pods (postgresql slave) | `{}` | -| `slave.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql slave) | `[]` | -| `slave.extraVolumes` | Additional volumes to add to the pods (postgresql slave) | `[]` | -| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` | -| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | -| `securityContext.enabled` | Enable security context | `true` | -| `securityContext.fsGroup` | Group ID for the container | `1001` | -| `securityContext.runAsUser` | User ID for the container | `1001` | -| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | -| `serviceAcccount.name` | Name of existing service account | `nil` | -| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` | -| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | -| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | -| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | -| `livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `livenessProbe.timeoutSeconds` | When the probe times out | 5 | -| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 | -| `readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `readinessProbe.timeoutSeconds` | When the probe times out | 5 | -| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `metrics.enabled` | Start a prometheus exporter | `false` | -| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | -| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | -| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` | -| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | -| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | -| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` | -| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` | -| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` | -| `metrics.image.registry` | PostgreSQL Image registry | `docker.io` | -| `metrics.image.repository` | PostgreSQL Image name | `bitnami/postgres-exporter` | -| `metrics.image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | -| `metrics.image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | -| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | -| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | -| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | -| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 | -| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 | -| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 | -| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `{}` | -| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -$ helm install --name my-release \ - --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ - stable/postgresql -``` - -The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```console -$ helm install --name my-release -f values.yaml stable/postgresql -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details - -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Production configuration and horizontal scaling - -This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. - -- Enable replication: -```diff -- replication.enabled: false -+ replication.enabled: true -``` - -- Number of slaves replicas: -```diff -- replication.slaveReplicas: 1 -+ replication.slaveReplicas: 2 -``` - -- Set synchronous commit mode: -```diff -- replication.synchronousCommit: "off" -+ replication.synchronousCommit: "on" -``` - -- Number of replicas that will have synchronous replication: -```diff -- replication.numSynchronousReplicas: 0 -+ replication.numSynchronousReplicas: 1 -``` - -- Start a prometheus exporter: -```diff -- metrics.enabled: false -+ metrics.enabled: true -``` - -To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above. - -### Change PostgreSQL version - -To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=12.0.0-debian-9-r0` - -### postgresql.conf / pg_hba.conf files as configMap - -This helm chart also supports to customize the whole configuration file. - -Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. - -Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. - -In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. - -### Allow settings to be loaded from files other than the default `postgresql.conf` - -If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. -Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. - -Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. - -### Initialize a fresh instance - -The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. - -Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. - -In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. - -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. - -### Metrics - -The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). - -The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. - -### Use of global variables - -In more complex scenarios, we may have the following tree of dependencies - -``` - +--------------+ - | | - +------------+ Chart 1 +-----------+ - | | | | - | --------+------+ | - | | | - | | | - | | | - | | | - v v v -+-------+------+ +--------+------+ +--------+------+ -| | | | | | -| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | -| | | | | | -+--------------+ +---------------+ +---------------+ -``` - -The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: - -``` -postgresql.postgresqlPassword=testtest -subchart1.postgresql.postgresqlPassword=testtest -subchart2.postgresql.postgresqlPassword=testtest -postgresql.postgresqlDatabase=db1 -subchart1.postgresql.postgresqlDatabase=db1 -subchart2.postgresql.postgresqlDatabase=db1 -``` - -If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: - -``` -global.postgresql.postgresqlPassword=testtest -global.postgresql.postgresqlDatabase=db1 -``` - -This way, the credentials will be available in all of the subcharts. - -## Persistence - -The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. - -If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. - -## NetworkPolicy - -To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. - -For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: - -```console -$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" -``` - -With NetworkPolicy enabled, traffic will be limited to just port 5432. - -For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. -This label will be displayed in the output of a successful install. - -## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image - -- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. -- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. - -### Deploy chart using Docker Official PostgreSQL Image - -From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. -Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. - -``` -helm install --name postgres \ - --set image.repository=postgres \ - --set image.tag=10.6 \ - --set postgresqlDataDir=/data/pgdata \ - --set persistence.mountPath=/data/ \ - stable/postgresql -``` - -## Upgrade - -It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: - -```bash -$ helm upgrade my-release bitnami/influxdb \ - --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ - --set replication.password=[REPLICATION_PASSWORD] -``` - -> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. - -## 7.0.0 - -Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. - -In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. - -This major version bump signifies this change. - -## 5.0.0 - -In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). - -For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: - -```bash -Welcome to the Bitnami postgresql container -Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql -Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues -Send us your feedback at containers@bitnami.com - -INFO ==> ** Starting PostgreSQL setup ** -NFO ==> Validating settings in POSTGRESQL_* env vars.. -INFO ==> Initializing PostgreSQL database... -INFO ==> postgresql.conf file not detected. Generating it... -INFO ==> pg_hba.conf file not detected. Generating it... -INFO ==> Deploying PostgreSQL with persisted data... -INFO ==> Configuring replication parameters -INFO ==> Loading custom scripts... -INFO ==> Enabling remote connections -INFO ==> Stopping PostgreSQL... -INFO ==> ** PostgreSQL setup finished! ** - -INFO ==> ** Starting PostgreSQL ** - [1] FATAL: database files are incompatible with server - [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. -``` -In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. - -### 4.0.0 - -This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. - -IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error - -``` -The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development -``` - -### 3.0.0 - -This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. -It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. - -#### Breaking changes - -- `affinty` has been renamed to `master.affinity` and `slave.affinity`. -- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. -- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. - -### 2.0.0 - -In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: - - - Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running - - ```console -$ kubectl get svc - ``` - -- Install (not upgrade) the new version - -```console -$ helm repo update -$ helm install --name my-release stable/postgresql -``` - -- Connect to the new pod (you can obtain the name by running `kubectl get pods`): - -```console -$ kubectl exec -it NAME bash -``` - -- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: - -```console -$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql -``` - -After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). -This operation could take some time depending on the database size. - -- Once you have the backup file, you can restore it with a command like the one below: - -```console -$ psql -U postgres DATABASE_NAME < /tmp/backup.sql -``` - -In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). - -If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. - -```console -$ psql -U postgres -postgres=# drop database DATABASE_NAME; -postgres=# create database DATABASE_NAME; -postgres=# create user USER_NAME; -postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; -postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; -postgres=# alter database DATABASE_NAME owner to USER_NAME; -``` diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/files/README.md b/Openshift4/artifactoryha-helm/charts/postgresql/files/README.md deleted file mode 100755 index 1813a2f..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/files/README.md +++ /dev/null @@ -1 +0,0 @@ -Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/files/conf.d/README.md b/Openshift4/artifactoryha-helm/charts/postgresql/files/conf.d/README.md deleted file mode 100755 index 184c187..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/files/conf.d/README.md +++ /dev/null @@ -1,4 +0,0 @@ -If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. -These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. - -More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/Openshift4/artifactoryha-helm/charts/postgresql/files/docker-entrypoint-initdb.d/README.md deleted file mode 100755 index cba3809..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/files/docker-entrypoint-initdb.d/README.md +++ /dev/null @@ -1,3 +0,0 @@ -You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. - -More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/NOTES.txt b/Openshift4/artifactoryha-helm/charts/postgresql/templates/NOTES.txt deleted file mode 100755 index 798fa10..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/NOTES.txt +++ /dev/null @@ -1,50 +0,0 @@ -** Please be patient while the chart is being deployed ** - -PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster: - - {{ template "postgresql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection -{{- if .Values.replication.enabled }} - {{ template "postgresql.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection -{{- end }} -To get the password for "{{ template "postgresql.username" . }}" run: - - export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) - -To connect to your database run the following command: - - kubectl run {{ template "postgresql.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} - --labels="{{ template "postgresql.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "postgresql.fullname" . }} -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} -p {{ template "postgresql.port" . }} - -{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} -Note: Since NetworkPolicy is enabled, only pods with label {{ template "postgresql.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. -{{- end }} - -To connect to your database from outside the cluster execute the following commands: - -{{- if contains "NodePort" .Values.service.type }} - - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "postgresql.fullname" . }}) - {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} - -{{- else if contains "LoadBalancer" .Values.service.type }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "postgresql.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} - -{{- else if contains "ClusterIP" .Values.service.type }} - - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "postgresql.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} & - {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} -p {{ template "postgresql.port" . }} - -{{- end }} - -{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} - -WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ - -{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/_helpers.tpl b/Openshift4/artifactoryha-helm/charts/postgresql/templates/_helpers.tpl deleted file mode 100755 index b379f29..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/_helpers.tpl +++ /dev/null @@ -1,374 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "postgresql.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "postgresql.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "postgresql.master.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} -{{- if .Values.replication.enabled -}} -{{- printf "%s-%s" $fullname "master" | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "postgresql.networkPolicy.apiVersion" -}} -{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} -"extensions/v1beta1" -{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} -"networking.k8s.io/v1" -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "postgresql.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Return the proper PostgreSQL image name -*/}} -{{- define "postgresql.image" -}} -{{- $registryName := .Values.image.registry -}} -{{- $repositoryName := .Values.image.repository -}} -{{- $tag := .Values.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL password -*/}} -{{- define "postgresql.password" -}} -{{- if .Values.global.postgresql.postgresqlPassword }} - {{- .Values.global.postgresql.postgresqlPassword -}} -{{- else if .Values.postgresqlPassword -}} - {{- .Values.postgresqlPassword -}} -{{- else -}} - {{- randAlphaNum 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL replication password -*/}} -{{- define "postgresql.replication.password" -}} -{{- if .Values.global.postgresql.replicationPassword }} - {{- .Values.global.postgresql.replicationPassword -}} -{{- else if .Values.replication.password -}} - {{- .Values.replication.password -}} -{{- else -}} - {{- randAlphaNum 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL username -*/}} -{{- define "postgresql.username" -}} -{{- if .Values.global.postgresql.postgresqlUsername }} - {{- .Values.global.postgresql.postgresqlUsername -}} -{{- else -}} - {{- .Values.postgresqlUsername -}} -{{- end -}} -{{- end -}} - - -{{/* -Return PostgreSQL replication username -*/}} -{{- define "postgresql.replication.username" -}} -{{- if .Values.global.postgresql.replicationUser }} - {{- .Values.global.postgresql.replicationUser -}} -{{- else -}} - {{- .Values.replication.user -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL port -*/}} -{{- define "postgresql.port" -}} -{{- if .Values.global.postgresql.servicePort }} - {{- .Values.global.postgresql.servicePort -}} -{{- else -}} - {{- .Values.service.port -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL created database -*/}} -{{- define "postgresql.database" -}} -{{- if .Values.global.postgresql.postgresqlDatabase }} - {{- .Values.global.postgresql.postgresqlDatabase -}} -{{- else if .Values.postgresqlDatabase -}} - {{- .Values.postgresqlDatabase -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper image name to change the volume permissions -*/}} -{{- define "postgresql.volumePermissions.image" -}} -{{- $registryName := .Values.volumePermissions.image.registry -}} -{{- $repositoryName := .Values.volumePermissions.image.repository -}} -{{- $tag := .Values.volumePermissions.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper PostgreSQL metrics image name -*/}} -{{- define "postgresql.metrics.image" -}} -{{- $registryName := default "docker.io" .Values.metrics.image.registry -}} -{{- $repositoryName := .Values.metrics.image.repository -}} -{{- $tag := default "latest" .Values.metrics.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Get the password secret. -*/}} -{{- define "postgresql.secretName" -}} -{{- if .Values.global.postgresql.existingSecret }} - {{- printf "%s" .Values.global.postgresql.existingSecret -}} -{{- else if .Values.existingSecret -}} - {{- printf "%s" .Values.existingSecret -}} -{{- else -}} - {{- printf "%s" (include "postgresql.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a secret object should be created -*/}} -{{- define "postgresql.createSecret" -}} -{{- if .Values.global.postgresql.existingSecret }} -{{- else if .Values.existingSecret -}} -{{- else -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Get the configuration ConfigMap name. -*/}} -{{- define "postgresql.configurationCM" -}} -{{- if .Values.configurationConfigMap -}} -{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} -{{- else -}} -{{- printf "%s-configuration" (include "postgresql.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the extended configuration ConfigMap name. -*/}} -{{- define "postgresql.extendedConfigurationCM" -}} -{{- if .Values.extendedConfConfigMap -}} -{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} -{{- else -}} -{{- printf "%s-extended-configuration" (include "postgresql.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the initialization scripts ConfigMap name. -*/}} -{{- define "postgresql.initdbScriptsCM" -}} -{{- if .Values.initdbScriptsConfigMap -}} -{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} -{{- else -}} -{{- printf "%s-init-scripts" (include "postgresql.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the initialization scripts Secret name. -*/}} -{{- define "postgresql.initdbScriptsSecret" -}} -{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -*/}} -{{- define "postgresql.imagePullSecrets" -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -Also, we can not use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.metrics.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.volumePermissions.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.metrics.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.volumePermissions.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- end -}} - -{{/* -Get the readiness probe command -*/}} -{{- define "postgresql.readinessProbeCommand" -}} -- | -{{- if (include "postgresql.database" .) }} - pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} -{{- else }} - pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} -{{- end }} -{{- if contains "bitnami/" .Values.image.repository }} - [ -f /opt/bitnami/postgresql/tmp/.initialized ] -{{- end -}} -{{- end -}} - -{{/* -Return the proper Storage Class -*/}} -{{- define "postgresql.storageClass" -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -*/}} -{{- if .Values.global -}} - {{- if .Values.global.storageClass -}} - {{- if (eq "-" .Values.global.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.global.storageClass -}} - {{- end -}} - {{- else -}} - {{- if .Values.persistence.storageClass -}} - {{- if (eq "-" .Values.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- else -}} - {{- if .Values.persistence.storageClass -}} - {{- if (eq "-" .Values.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Renders a value that contains template. -Usage: -{{ include "postgresql.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }} -*/}} -{{- define "postgresql.tplValue" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} -{{- end -}} - -{{/* -Return the appropriate apiVersion for statefulset. -*/}} -{{- define "postgresql.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "apps/v1beta2" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/configmap.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/configmap.yaml deleted file mode 100755 index d2178c0..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/configmap.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "postgresql.fullname" . }}-configuration - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -data: -{{- if (.Files.Glob "files/postgresql.conf") }} -{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} -{{- else if .Values.postgresqlConfiguration }} - postgresql.conf: | -{{- range $key, $value := default dict .Values.postgresqlConfiguration }} - {{ $key | snakecase }}={{ $value }} -{{- end }} -{{- end }} -{{- if (.Files.Glob "files/pg_hba.conf") }} -{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} -{{- else if .Values.pgHbaConfiguration }} - pg_hba.conf: | -{{ .Values.pgHbaConfiguration | indent 4 }} -{{- end }} -{{ end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/extended-config-configmap.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/extended-config-configmap.yaml deleted file mode 100755 index 8a41195..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/extended-config-configmap.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "postgresql.fullname" . }}-extended-configuration - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -data: -{{- with .Files.Glob "files/conf.d/*.conf" }} -{{ .AsConfig | indent 2 }} -{{- end }} -{{ with .Values.postgresqlExtendedConf }} - override.conf: | -{{- range $key, $value := . }} - {{ $key | snakecase }}={{ $value }} -{{- end }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/initialization-configmap.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/initialization-configmap.yaml deleted file mode 100755 index 8eb5e05..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/initialization-configmap.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "postgresql.fullname" . }}-init-scripts - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} -binaryData: -{{- range $path, $bytes := . }} - {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} -{{- end }} -{{- end }} -data: -{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} -{{ .AsConfig | indent 2 }} -{{- end }} -{{- with .Values.initdbScripts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/metrics-svc.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/metrics-svc.yaml deleted file mode 100755 index f370041..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/metrics-svc.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "postgresql.fullname" . }}-metrics - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - annotations: -{{ toYaml .Values.metrics.service.annotations | indent 4 }} -spec: - type: {{ .Values.metrics.service.type }} - {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} - {{- end }} - ports: - - name: metrics - port: 9187 - targetPort: metrics - selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name }} - role: master -{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/networkpolicy.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/networkpolicy.yaml deleted file mode 100755 index 8fb23f2..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/networkpolicy.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -kind: NetworkPolicy -apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} -metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -spec: - podSelector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - ingress: - # Allow inbound connections - - ports: - - port: {{ template "postgresql.port" . }} - {{- if not .Values.networkPolicy.allowExternal }} - from: - - podSelector: - matchLabels: - {{ template "postgresql.fullname" . }}-client: "true" - - podSelector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: slave - {{- end }} - # Allow prometheus scrapes - - ports: - - port: 9187 -{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/secrets.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/secrets.yaml deleted file mode 100755 index e0bc3b2..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if (include "postgresql.createSecret" .) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -type: Opaque -data: - postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} - {{- if .Values.replication.enabled }} - postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} - {{- end }} -{{- end -}} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/serviceaccount.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/serviceaccount.yaml deleted file mode 100755 index 27e5b51..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/serviceaccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - name: {{ template "postgresql.fullname" . }} -{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/servicemonitor.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/servicemonitor.yaml deleted file mode 100755 index 9211d51..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/servicemonitor.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "postgresql.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- end }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - {{- if .Values.metrics.serviceMonitor.additionalLabels }} -{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} - {{- end }} -spec: - endpoints: - - port: metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset-slaves.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset-slaves.yaml deleted file mode 100755 index 74a81d0..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset-slaves.yaml +++ /dev/null @@ -1,247 +0,0 @@ -{{- if .Values.replication.enabled }} -apiVersion: {{ template "postgresql.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: "{{ template "postgresql.fullname" . }}-slave" - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.slave.labels }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.slave.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: - serviceName: {{ template "postgresql.fullname" . }}-headless - replicas: {{ .Values.replication.slaveReplicas }} - selector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: slave - template: - metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - role: slave -{{- with .Values.slave.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} -{{- with .Values.slave.podAnnotations }} - annotations: -{{ toYaml . | indent 8 }} -{{- end }} - spec: - {{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" - {{- end }} -{{- include "postgresql.imagePullSecrets" . | indent 6 }} - {{- if .Values.slave.nodeSelector }} - nodeSelector: -{{ toYaml .Values.slave.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.slave.affinity }} - affinity: -{{ toYaml .Values.slave.affinity | indent 8 }} - {{- end }} - {{- if .Values.slave.tolerations }} - tolerations: -{{ toYaml .Values.slave.tolerations | indent 8 }} - {{- end }} - {{- if .Values.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - {{- end }} - {{- if .Values.serviceAccount.enabled }} - serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name}} - {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - initContainers: - - name: init-chmod-data - image: {{ template "postgresql.volumePermissions.image" . }} - imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}" - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -c - - | - mkdir -p {{ .Values.persistence.mountPath }}/data - chmod 700 {{ .Values.persistence.mountPath }}/data - find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ - xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} - securityContext: - runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }} - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - containers: - - name: {{ template "postgresql.fullname" . }} - image: {{ template "postgresql.image" . }} - imagePullPolicy: "{{ .Values.image.pullPolicy }}" - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" .Values.image.debug | quote }} - - name: POSTGRESQL_VOLUME_DIR - value: "{{ .Values.persistence.mountPath }}" - - name: POSTGRESQL_PORT_NUMBER - value: "{{ template "postgresql.port" . }}" - {{- if .Values.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - - name: POSTGRES_REPLICATION_MODE - value: "slave" - - name: POSTGRES_REPLICATION_USER - value: {{ include "postgresql.replication.username" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-replication-password - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - - name: POSTGRES_MASTER_HOST - value: {{ template "postgresql.fullname" . }} - - name: POSTGRES_MASTER_PORT_NUMBER - value: {{ include "postgresql.port" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-password" - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-password - {{- end }} - ports: - - name: postgresql - containerPort: {{ template "postgresql.port" . }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- else }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- end }} - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - {{- end }} - volumeMounts: - {{- if .Values.usePasswordFile }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.persistence.enabled }} - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{ end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - mountPath: /bitnami/postgresql/conf/conf.d/ - {{- end }} - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} - - name: postgresql-config - mountPath: /bitnami/postgresql/conf - {{- end }} - {{- if .Values.slave.extraVolumeMounts }} - {{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }} - {{- end }} - volumes: - {{- if .Values.usePasswordFile }} - - name: postgresql-password - secret: - secretName: {{ template "postgresql.secretName" . }} - {{- end }} - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} - - name: postgresql-config - configMap: - name: {{ template "postgresql.configurationCM" . }} - {{- end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - configMap: - name: {{ template "postgresql.extendedConfigurationCM" . }} - {{- end }} - {{- if not .Values.persistence.enabled }} - - name: data - emptyDir: {} - {{- end }} - {{- if .Values.slave.extraVolumes }} - {{- toYaml .Values.slave.extraVolumes | nindent 8 }} - {{- end }} - updateStrategy: - type: {{ .Values.updateStrategy.type }} - {{- if (eq "Recreate" .Values.updateStrategy.type) }} - rollingUpdate: null - {{- end }} -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: data - {{- with .Values.persistence.annotations }} - annotations: - {{- range $key, $value := . }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} - spec: - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{ include "postgresql.storageClass" . }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset.yaml deleted file mode 100755 index 64c297f..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/statefulset.yaml +++ /dev/null @@ -1,355 +0,0 @@ -apiVersion: {{ template "postgresql.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ template "postgresql.master.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.master.labels }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.master.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: - serviceName: {{ template "postgresql.fullname" . }}-headless - replicas: 1 - updateStrategy: - type: {{ .Values.updateStrategy.type }} - {{- if (eq "Recreate" .Values.updateStrategy.type) }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: master - template: - metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - role: master -{{- with .Values.master.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} -{{- with .Values.master.podAnnotations }} - annotations: -{{ toYaml . | indent 8 }} -{{- end }} - spec: - {{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" - {{- end }} -{{- include "postgresql.imagePullSecrets" . | indent 6 }} - {{- if .Values.master.nodeSelector }} - nodeSelector: -{{ toYaml .Values.master.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.master.affinity }} - affinity: -{{ toYaml .Values.master.affinity | indent 8 }} - {{- end }} - {{- if .Values.master.tolerations }} - tolerations: -{{ toYaml .Values.master.tolerations | indent 8 }} - {{- end }} - {{- if .Values.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - {{- end }} - {{- if .Values.serviceAccount.enabled }} - serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }} - {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - initContainers: - - name: init-chmod-data - image: {{ template "postgresql.volumePermissions.image" . }} - imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}" - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -c - - | - mkdir -p {{ .Values.persistence.mountPath }}/data - chmod 700 {{ .Values.persistence.mountPath }}/data - find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ - xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} - securityContext: - runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }} - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - containers: - - name: {{ template "postgresql.fullname" . }} - image: {{ template "postgresql.image" . }} - imagePullPolicy: "{{ .Values.image.pullPolicy }}" - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" .Values.image.debug | quote }} - - name: POSTGRESQL_PORT_NUMBER - value: "{{ template "postgresql.port" . }}" - - name: POSTGRESQL_VOLUME_DIR - value: "{{ .Values.persistence.mountPath }}" - {{- if .Values.postgresqlInitdbArgs }} - - name: POSTGRES_INITDB_ARGS - value: {{ .Values.postgresqlInitdbArgs | quote }} - {{- end }} - {{- if .Values.postgresqlInitdbWalDir }} - - name: POSTGRES_INITDB_WALDIR - value: {{ .Values.postgresqlInitdbWalDir | quote }} - {{- end }} - {{- if .Values.initdbUser }} - - name: POSTGRESQL_INITSCRIPTS_USERNAME - value: {{ .Values.initdbUser }} - {{- end }} - {{- if .Values.initdbPassword }} - - name: POSTGRESQL_INITSCRIPTS_PASSWORD - value: .Values.initdbPassword - {{- end }} - {{- if .Values.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - {{- if .Values.replication.enabled }} - - name: POSTGRES_REPLICATION_MODE - value: "master" - - name: POSTGRES_REPLICATION_USER - value: {{ include "postgresql.replication.username" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-replication-password - {{- end }} - {{- if not (eq .Values.replication.synchronousCommit "off")}} - - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE - value: {{ .Values.replication.synchronousCommit | quote }} - - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS - value: {{ .Values.replication.numSynchronousReplicas | quote }} - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - {{- end }} - - name: POSTGRES_USER - value: {{ include "postgresql.username" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-password" - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-password - {{- end }} - {{- if (include "postgresql.database" .) }} - - name: POSTGRES_DB - value: {{ (include "postgresql.database" .) | quote }} - {{- end }} - {{- if .Values.extraEnv }} - {{- include "postgresql.tplValue" (dict "value" .Values.extraEnv "context" $) | nindent 12 }} - {{- end }} - ports: - - name: postgresql - containerPort: {{ template "postgresql.port" . }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- else }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- end }} - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - {{- end }} - volumeMounts: - {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - mountPath: /docker-entrypoint-initdb.d/ - {{- end }} - {{- if .Values.initdbScriptsSecret }} - - name: custom-init-scripts-secret - mountPath: /docker-entrypoint-initdb.d/secret - {{- end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - mountPath: /bitnami/postgresql/conf/conf.d/ - {{- end }} - {{- if .Values.usePasswordFile }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.persistence.enabled }} - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} - - name: postgresql-config - mountPath: /bitnami/postgresql/conf - {{- end }} - {{- if .Values.master.extraVolumeMounts }} - {{- toYaml .Values.master.extraVolumeMounts | nindent 12 }} - {{- end }} -{{- if .Values.metrics.enabled }} - - name: metrics - image: {{ template "postgresql.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.metrics.securityContext.runAsUser }} - {{- end }} - env: - {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} - - name: DATA_SOURCE_URI - value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }} - {{- if .Values.usePasswordFile }} - - name: DATA_SOURCE_PASS_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-password" - {{- else }} - - name: DATA_SOURCE_PASS - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-password - {{- end }} - - name: DATA_SOURCE_USER - value: {{ template "postgresql.username" . }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: / - port: metrics - initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: / - port: metrics - initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} - {{- end }} - volumeMounts: - {{- if .Values.usePasswordFile }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - ports: - - name: metrics - containerPort: 9187 - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} -{{- end }} - volumes: - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} - - name: postgresql-config - configMap: - name: {{ template "postgresql.configurationCM" . }} - {{- end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - configMap: - name: {{ template "postgresql.extendedConfigurationCM" . }} - {{- end }} - {{- if .Values.usePasswordFile }} - - name: postgresql-password - secret: - secretName: {{ template "postgresql.secretName" . }} - {{- end }} - {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - configMap: - name: {{ template "postgresql.initdbScriptsCM" . }} - {{- end }} - {{- if .Values.initdbScriptsSecret }} - - name: custom-init-scripts-secret - secret: - secretName: {{ template "postgresql.initdbScriptsSecret" . }} - {{- end }} - {{- if .Values.master.extraVolumes }} - {{- toYaml .Values.master.extraVolumes | nindent 8 }} - {{- end }} -{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} - - name: data - persistentVolumeClaim: -{{- with .Values.persistence.existingClaim }} - claimName: {{ tpl . $ }} -{{- end }} -{{- else if not .Values.persistence.enabled }} - - name: data - emptyDir: {} -{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: data - {{- with .Values.persistence.annotations }} - annotations: - {{- range $key, $value := . }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} - spec: - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{ include "postgresql.storageClass" . }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-headless.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-headless.yaml deleted file mode 100755 index 0bc60be..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-headless.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "postgresql.fullname" . }}-headless - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -spec: - type: ClusterIP - clusterIP: None - ports: - - name: postgresql - port: {{ template "postgresql.port" . }} - targetPort: postgresql - selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-read.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-read.yaml deleted file mode 100755 index 17bda04..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc-read.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- if .Values.replication.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "postgresql.fullname" . }}-read - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.service.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} - {{- end }} - ports: - - name: postgresql - port: {{ template "postgresql.port" . }} - targetPort: postgresql - {{- if .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: slave -{{- end }} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc.yaml deleted file mode 100755 index 3b880b7..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/templates/svc.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.service.annotations }} - annotations: -{{ tpl (toYaml .) $ | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{ with .Values.service.loadBalancerSourceRanges }} -{{ toYaml . | indent 4 }} -{{- end }} - {{- end }} - {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} - clusterIP: {{ .Values.service.clusterIP }} - {{- end }} - ports: - - name: postgresql - port: {{ template "postgresql.port" . }} - targetPort: postgresql - {{- if .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: master diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/values-production.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/values-production.yaml deleted file mode 100755 index 353848a..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/values-production.yaml +++ /dev/null @@ -1,392 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## -global: - postgresql: {} -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass - -## Bitnami PostgreSQL image version -## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ -## -image: - registry: docker.io - repository: bitnami/postgresql - tag: 11.5.0-debian-9-r84 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Set to true if you would like to see extra information on logs - ## It turns BASH and NAMI debugging in minideb - ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging - debug: false - -## String to partially override postgresql.fullname template (will maintain the release name) -## -# nameOverride: - -## String to fully override postgresql.fullname template -## -# fullnameOverride: - -## -## Init containers parameters: -## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup -## -volumePermissions: - enabled: true - image: - registry: docker.io - repository: bitnami/minideb - tag: stretch - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Init container Security Context - securityContext: - runAsUser: 0 - -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -# schedulerName: - -## Pod Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - -## Pod Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -serviceAccount: - enabled: false - ## Name of an already existing service account. Setting this value disables the automatic service account creation. - # name: - -replication: - enabled: true - user: repl_user - password: repl_password - slaveReplicas: 2 - ## Set synchronous commit mode: on, off, remote_apply, remote_write and local - ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL - synchronousCommit: "on" - ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication - ## NOTE: It cannot be > slaveReplicas - numSynchronousReplicas: 1 - ## Replication Cluster application name. Useful for defining multiple replication policies - applicationName: my_application - -## PostgreSQL admin user -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -postgresqlUsername: postgres - -## PostgreSQL password -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -## -# postgresqlPassword: - -## PostgreSQL password using existing secret -## existingSecret: secret - -## Mount PostgreSQL secret as a file instead of passing environment variable -# usePasswordFile: false - -## Create a database -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run -## -# postgresqlDatabase: - -## PostgreSQL data dir -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -postgresqlDataDir: /bitnami/postgresql/data - -## Specify extra initdb args -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbArgs: - -## Specify a custom location for the PostgreSQL transaction log -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbWalDir: - -## PostgreSQL configuration -## Specify runtime configuration parameters as a dict, using camelCase, e.g. -## {"sharedBuffers": "500MB"} -## Alternatively, you can put your postgresql.conf under the files/ directory -## ref: https://www.postgresql.org/docs/current/static/runtime-config.html -## -# postgresqlConfiguration: - -## PostgreSQL extended configuration -## As above, but _appended_ to the main configuration -## Alternatively, you can put your *.conf under the files/conf.d/ directory -## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf -## -# postgresqlExtendedConf: - -## PostgreSQL client authentication configuration -## Specify content for pg_hba.conf -## Default: do not create pg_hba.conf -## Alternatively, you can put your pg_hba.conf under the files/ directory -# pgHbaConfiguration: |- -# local all all trust -# host all all localhost trust -# host mydatabase mysuser 192.168.0.0/24 md5 - -## ConfigMap with PostgreSQL configuration -## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration -# configurationConfigMap: - -## ConfigMap with PostgreSQL extended configuration -# extendedConfConfigMap: - -## initdb scripts -## Specify dictionary of scripts to be run at first boot -## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory -## -# initdbScripts: -# my_init_script.sh: | -# #!/bin/sh -# echo "Do something." - -## Specify the PostgreSQL username and password to execute the initdb scripts -# initdbUser: -# initdbPassword: - -## ConfigMap with scripts to be run at first boot -## NOTE: This will override initdbScripts -# initdbScriptsConfigMap: - -## Secret with scripts to be run at first boot (in case it contains sensitive information) -## NOTE: This can work along initdbScripts or initdbScriptsConfigMap -# initdbScriptsSecret: - -## Optional duration in seconds the pod needs to terminate gracefully. -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods -## -# terminationGracePeriodSeconds: 30 - -## PostgreSQL service configuration -service: - ## PosgresSQL service type - type: ClusterIP - # clusterIP: None - port: 5432 - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - annotations: {} - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - - ## Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - # loadBalancerSourceRanges: - # - 10.10.10.0/24 - -## PostgreSQL data Persistent Volume Storage Class -## If defined, storageClassName: -## If set to "-", storageClassName: "", which disables dynamic provisioning -## If undefined (the default) or set to null, no storageClassName spec is -## set, choosing the default provisioner. (gp2 on AWS, standard on -## GKE, AWS & OpenStack) -## -persistence: - enabled: true - ## A manually managed Persistent Volume and Claim - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart - ## - # existingClaim: - - ## The path the volume will be mounted at, useful when using different - ## PostgreSQL images. - ## - mountPath: /bitnami/postgresql - - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - ## - subPath: "" - - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - annotations: {} - -## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -updateStrategy: - type: RollingUpdate - -## -## PostgreSQL Master parameters -## -master: - ## Node, affinity and tolerations labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - nodeSelector: {} - affinity: {} - tolerations: [] - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - ## Additional PostgreSQL Master Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Master Volumes - ## - extraVolumes: [] - -## -## PostgreSQL Slave parameters -## -slave: - ## Node, affinity and tolerations labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - nodeSelector: {} - affinity: {} - tolerations: [] - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - ## Additional PostgreSQL Slave Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Slave Volumes - ## - extraVolumes: [] - -## Configure resource requests and limits -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ -## -resources: - requests: - memory: 256Mi - cpu: 250m - -networkPolicy: - ## Enable creation of NetworkPolicy resources. - ## - enabled: false - - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the port PostgreSQL is listening - ## on. When true, PostgreSQL will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - -## Configure extra options for liveness and readiness probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) -livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -## Configure metrics exporter -## -metrics: - enabled: true - # resources: {} - service: - type: ClusterIP - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9187" - loadBalancerIP: - serviceMonitor: - enabled: false - additionalLabels: {} - # namespace: monitoring - # interval: 30s - # scrapeTimeout: 10s - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.6.0-debian-9-r0 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## - securityContext: - enabled: false - runAsUser: 1001 - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## Configure extra options for liveness and readiness probes - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -# Define custom environment variables to pass to the image here -extraEnv: [] diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/values.schema.json b/Openshift4/artifactoryha-helm/charts/postgresql/values.schema.json deleted file mode 100755 index ac2de6e..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/values.schema.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "properties": { - "postgresqlUsername": { - "type": "string", - "title": "Admin user", - "form": true - }, - "postgresqlPassword": { - "type": "string", - "title": "Password", - "form": true - }, - "persistence": { - "type": "object", - "properties": { - "size": { - "type": "string", - "title": "Persistent Volume Size", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderUnit": "Gi" - } - } - }, - "resources": { - "type": "object", - "title": "Required Resources", - "description": "Configure resource requests", - "form": true, - "properties": { - "requests": { - "type": "object", - "properties": { - "memory": { - "type": "string", - "form": true, - "render": "slider", - "title": "Memory Request", - "sliderMin": 10, - "sliderMax": 2048, - "sliderUnit": "Mi" - }, - "cpu": { - "type": "string", - "form": true, - "render": "slider", - "title": "CPU Request", - "sliderMin": 10, - "sliderMax": 2000, - "sliderUnit": "m" - } - } - } - } - }, - "replication": { - "type": "object", - "form": true, - "title": "Replication Details", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable Replication", - "form": true - }, - "slaveReplicas": { - "type": "integer", - "title": "Slave Replicas", - "form": true, - "hidden": { - "condition": false, - "value": "replication.enabled" - } - } - } - }, - "volumePermissions": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable Init Containers", - "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" - } - } - }, - "metrics": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "title": "Configure metrics exporter", - "form": true - } - } - } - } -} diff --git a/Openshift4/artifactoryha-helm/charts/postgresql/values.yaml b/Openshift4/artifactoryha-helm/charts/postgresql/values.yaml deleted file mode 100755 index e13d0a7..0000000 --- a/Openshift4/artifactoryha-helm/charts/postgresql/values.yaml +++ /dev/null @@ -1,392 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## -global: - postgresql: {} -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass - -## Bitnami PostgreSQL image version -## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ -## -image: - registry: docker.io - repository: bitnami/postgresql - tag: 11.5.0-debian-9-r84 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Set to true if you would like to see extra information on logs - ## It turns BASH and NAMI debugging in minideb - ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging - debug: false - -## String to partially override postgresql.fullname template (will maintain the release name) -## -# nameOverride: - -## String to fully override postgresql.fullname template -## -# fullnameOverride: - -## -## Init containers parameters: -## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup -## -volumePermissions: - enabled: true - image: - registry: docker.io - repository: bitnami/minideb - tag: stretch - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Init container Security Context - securityContext: - runAsUser: 0 - -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -# schedulerName: - -## Pod Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - -## Pod Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -serviceAccount: - enabled: false - ## Name of an already existing service account. Setting this value disables the automatic service account creation. - # name: - -replication: - enabled: false - user: repl_user - password: repl_password - slaveReplicas: 1 - ## Set synchronous commit mode: on, off, remote_apply, remote_write and local - ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL - synchronousCommit: "off" - ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication - ## NOTE: It cannot be > slaveReplicas - numSynchronousReplicas: 0 - ## Replication Cluster application name. Useful for defining multiple replication policies - applicationName: my_application - -## PostgreSQL admin user -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -postgresqlUsername: postgres - -## PostgreSQL password -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -## -# postgresqlPassword: - -## PostgreSQL password using existing secret -## existingSecret: secret - -## Mount PostgreSQL secret as a file instead of passing environment variable -# usePasswordFile: false - -## Create a database -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run -## -# postgresqlDatabase: - -## PostgreSQL data dir -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -postgresqlDataDir: /bitnami/postgresql/data - -## Specify extra initdb args -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbArgs: - -## Specify a custom location for the PostgreSQL transaction log -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbWalDir: - -## PostgreSQL configuration -## Specify runtime configuration parameters as a dict, using camelCase, e.g. -## {"sharedBuffers": "500MB"} -## Alternatively, you can put your postgresql.conf under the files/ directory -## ref: https://www.postgresql.org/docs/current/static/runtime-config.html -## -# postgresqlConfiguration: - -## PostgreSQL extended configuration -## As above, but _appended_ to the main configuration -## Alternatively, you can put your *.conf under the files/conf.d/ directory -## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf -## -# postgresqlExtendedConf: - -## PostgreSQL client authentication configuration -## Specify content for pg_hba.conf -## Default: do not create pg_hba.conf -## Alternatively, you can put your pg_hba.conf under the files/ directory -# pgHbaConfiguration: |- -# local all all trust -# host all all localhost trust -# host mydatabase mysuser 192.168.0.0/24 md5 - -## ConfigMap with PostgreSQL configuration -## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration -# configurationConfigMap: - -## ConfigMap with PostgreSQL extended configuration -# extendedConfConfigMap: - -## initdb scripts -## Specify dictionary of scripts to be run at first boot -## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory -## -# initdbScripts: -# my_init_script.sh: | -# #!/bin/sh -# echo "Do something." - -## ConfigMap with scripts to be run at first boot -## NOTE: This will override initdbScripts -# initdbScriptsConfigMap: - -## Secret with scripts to be run at first boot (in case it contains sensitive information) -## NOTE: This can work along initdbScripts or initdbScriptsConfigMap -# initdbScriptsSecret: - -## Specify the PostgreSQL username and password to execute the initdb scripts -# initdbUser: -# initdbPassword: - -## Optional duration in seconds the pod needs to terminate gracefully. -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods -## -# terminationGracePeriodSeconds: 30 - -## PostgreSQL service configuration -service: - ## PosgresSQL service type - type: ClusterIP - # clusterIP: None - port: 5432 - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - annotations: {} - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - - ## Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - # loadBalancerSourceRanges: - # - 10.10.10.0/24 - -## PostgreSQL data Persistent Volume Storage Class -## If defined, storageClassName: -## If set to "-", storageClassName: "", which disables dynamic provisioning -## If undefined (the default) or set to null, no storageClassName spec is -## set, choosing the default provisioner. (gp2 on AWS, standard on -## GKE, AWS & OpenStack) -## -persistence: - enabled: true - ## A manually managed Persistent Volume and Claim - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart - ## - # existingClaim: - - ## The path the volume will be mounted at, useful when using different - ## PostgreSQL images. - ## - mountPath: /bitnami/postgresql - - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - ## - subPath: "" - - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - annotations: {} - -## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -updateStrategy: - type: RollingUpdate - -## -## PostgreSQL Master parameters -## -master: - ## Node, affinity and tolerations labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - nodeSelector: {} - affinity: {} - tolerations: [] - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - ## Additional PostgreSQL Master Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Master Volumes - ## - extraVolumes: [] - -## -## PostgreSQL Slave parameters -## -slave: - ## Node, affinity and tolerations labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - nodeSelector: {} - affinity: {} - tolerations: [] - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - ## Additional PostgreSQL Slave Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Slave Volumes - ## - extraVolumes: [] - -## Configure resource requests and limits -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ -## -resources: - requests: - memory: 256Mi - cpu: 250m - -networkPolicy: - ## Enable creation of NetworkPolicy resources. - ## - enabled: false - - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the port PostgreSQL is listening - ## on. When true, PostgreSQL will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - -## Configure extra options for liveness and readiness probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) -livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -## Configure metrics exporter -## -metrics: - enabled: false - # resources: {} - service: - type: ClusterIP - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9187" - loadBalancerIP: - serviceMonitor: - enabled: false - additionalLabels: {} - # namespace: monitoring - # interval: 30s - # scrapeTimeout: 10s - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.6.0-debian-9-r0 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## - securityContext: - enabled: false - runAsUser: 1001 - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## Configure extra options for liveness and readiness probes - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -# Define custom environment variables to pass to the image here -extraEnv: [] diff --git a/Openshift4/artifactoryha-helm/helminstall.sh b/Openshift4/artifactoryha-helm/helminstall.sh deleted file mode 100755 index 6f0132d..0000000 --- a/Openshift4/artifactoryha-helm/helminstall.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bash - -if [ -z "$1" ]; then echo "Skipping creation of persistent volume examples. Ensure there is available PVs 200Gi per node for HA."; else oc create -f pv-examples/; fi - -oc new-project jfrog-artifactory -oc create serviceaccount svcaccount -n jfrog-artifactory -oc adm policy add-scc-to-user privileged system:serviceaccount:jfrog-artifactory:svcaccount -oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:svcaccount -oc adm policy add-scc-to-group anyuid system:authenticated - -# enables hostPath plugin for openshift system wide -oc create -f scc.yaml -n jfrog-artifactory -oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' -oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:svcaccount - -# create the license secret -oc create secret generic artifactory-license --from-file=./artifactory.cluster.license - -# install via helm -helm install . --generate-name \ - --set artifactory.node.replicaCount=1 \ - --set nginx.service.type=NodePort \ - --set artifactory.license.secret=artifactory-license,artifactory.license.dataKey=artifactory.cluster.license diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0001-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0001-large.yaml deleted file mode 100644 index 8a36385..0000000 --- a/Openshift4/artifactoryha-helm/pv-examples/pv0001-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0001-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0001-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0002-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0002-large.yaml deleted file mode 100644 index b96fa47..0000000 --- a/Openshift4/artifactoryha-helm/pv-examples/pv0002-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0002-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0002-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0003-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0003-large.yaml deleted file mode 100644 index 476ad41..0000000 --- a/Openshift4/artifactoryha-helm/pv-examples/pv0003-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0003-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0003-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0004-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0004-large.yaml deleted file mode 100644 index ae2fbda..0000000 --- a/Openshift4/artifactoryha-helm/pv-examples/pv0004-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0004-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0004-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/pv-examples/pv0005-large.yaml b/Openshift4/artifactoryha-helm/pv-examples/pv0005-large.yaml deleted file mode 100644 index 9488514..0000000 --- a/Openshift4/artifactoryha-helm/pv-examples/pv0005-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0005-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0005-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactoryha-helm/requirements.lock b/Openshift4/artifactoryha-helm/requirements.lock deleted file mode 100755 index 7037cff..0000000 --- a/Openshift4/artifactoryha-helm/requirements.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: postgresql - repository: https://kubernetes-charts.storage.googleapis.com/ - version: 7.0.1 -digest: sha256:dcdafe9ab91ccf0e5883e2b5dd9ba13e82190b5e16e6dee6d39fd16a04123ce8 -generated: 2019-11-10T13:12:29.836238+02:00 diff --git a/Openshift4/artifactoryha-helm/requirements.yaml b/Openshift4/artifactoryha-helm/requirements.yaml deleted file mode 100755 index 756a19c..0000000 --- a/Openshift4/artifactoryha-helm/requirements.yaml +++ /dev/null @@ -1,5 +0,0 @@ -dependencies: - - name: postgresql - version: 7.0.1 - repository: https://kubernetes-charts.storage.googleapis.com/ - condition: postgresql.enabled diff --git a/Openshift4/artifactoryha-helm/scc.yaml b/Openshift4/artifactoryha-helm/scc.yaml deleted file mode 100644 index 13eef79..0000000 --- a/Openshift4/artifactoryha-helm/scc.yaml +++ /dev/null @@ -1,18 +0,0 @@ -kind: SecurityContextConstraints -apiVersion: v1 -metadata: - name: hostpath -allowPrivilegedContainer: false -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -fsGroup: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: -- artifactory -groups: -- artifactory -- jfrog-artifactory diff --git a/Openshift4/artifactoryha-helm/templates/NOTES.txt b/Openshift4/artifactoryha-helm/templates/NOTES.txt deleted file mode 100755 index d08fa88..0000000 --- a/Openshift4/artifactoryha-helm/templates/NOTES.txt +++ /dev/null @@ -1,113 +0,0 @@ -Congratulations. You have just deployed JFrog Artifactory HA! - -{{- if and (not .Values.artifactory.masterKeySecretName) (eq .Values.artifactory.masterKey "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF") }} - - -***************************************** WARNING ****************************************** -* Your Artifactory master key is still set to the provided example: * -* artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF * -* * -* You should change this to your own generated key: * -* $ export MASTER_KEY=$(openssl rand -hex 32) * -* $ echo ${MASTER_KEY} * -* * -* Pass the created master key to helm with '--set artifactory.masterKey=${MASTER_KEY}' * -* * -* Alternatively, you can use a pre-existing secret with a key called master-key with * -* '--set artifactory.masterKeySecretName=${SECRET_NAME}' * -******************************************************************************************** -{{- end }} - -{{ if eq .Values.artifactory.joinKey "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" }} - - -***************************************** WARNING ****************************************** -* Your Artifactory join key is still set to the provided example: * -* artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE * -* * -* You should change this to your own generated key: * -* $ export JOIN_KEY=$(openssl rand -hex 16) * -* $ echo ${JOIN_KEY} * -* * -* Pass the created master key to helm with '--set artifactory.joinKey=${JOIN_KEY}' * -* * -******************************************************************************************** -{{- end }} - -{{- if .Values.postgresql.enabled }} - -DATABASE: -To extract the database password, run the following -export DB_PASSWORD=$(kubectl get --namespace {{ .Release.Namespace }} $(kubectl get secret --namespace {{ .Release.Namespace }} -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) -echo ${DB_PASSWORD} -{{- end }} - -SETUP: -1. Get the Artifactory IP and URL - - {{- if contains "NodePort" .Values.nginx.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "artifactory-ha.nginx.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT/ - - {{- else if contains "LoadBalancer" .Values.nginx.service.type }} - NOTE: It may take a few minutes for the LoadBalancer public IP to be available! - - You can watch the status of the service by running 'kubectl get svc -w {{ template "artifactory-ha.nginx.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.nginx.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP/ - - {{- else if contains "ClusterIP" .Values.nginx.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "component={{ .Values.nginx.name }}" -o jsonpath="{.items[0].metadata.name}") - kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080:80 - echo http://127.0.0.1:8080 - - {{- end }} - -2. Open Artifactory in your browser - Default credential for Artifactory: - user: admin - password: password - - {{- if .Values.artifactory.license.secret }} - -3. Manage Artifactory license through the {{ .Values.artifactory.license.secret }} secret ONLY! - Since the artifactory license(s) is managed with a secret ({{ .Values.artifactory.license.secret }}), any change through the Artifactory UI might not be saved! - - {{- else }} - -3. Add HA licenses to activate Artifactory HA through the Artifactory UI - NOTE: Each Artifactory node requires a valid license. See https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup for more details. - - {{- end }} - -{{ if or .Values.artifactory.primary.javaOpts.jmx.enabled .Values.artifactory.node.javaOpts.jmx.enabled }} -JMX configuration: -{{- if not (contains "LoadBalancer" .Values.artifactory.service.type) }} -If you want to access JMX from you computer with jconsole, you should set ".Values.artifactory.service.type=LoadBalancer" !!! -{{ end }} - -1. Get the Artifactory service IP: -{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} -export PRIMARY_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.primary.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') -{{- end }} -{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} -export MEMBER_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') -{{- end }} - -2. Map the service name to the service IP in /etc/hosts: -{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} -sudo sh -c "echo \"${PRIMARY_SERVICE_IP} {{ template "artifactory-ha.primary.name" . }}\" >> /etc/hosts" -{{- end }} -{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} -sudo sh -c "echo \"${MEMBER_SERVICE_IP} {{ template "artifactory-ha.fullname" . }}\" >> /etc/hosts" -{{- end }} - -3. Launch jconsole: -{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} -jconsole {{ template "artifactory-ha.primary.name" . }}:{{ .Values.artifactory.primary.javaOpts.jmx.port }} -{{- end }} -{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} -jconsole {{ template "artifactory-ha.fullname" . }}:{{ .Values.artifactory.node.javaOpts.jmx.port }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/_helpers.tpl b/Openshift4/artifactoryha-helm/templates/_helpers.tpl deleted file mode 100755 index 32171c2..0000000 --- a/Openshift4/artifactoryha-helm/templates/_helpers.tpl +++ /dev/null @@ -1,103 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "artifactory-ha.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -The primary node name -*/}} -{{- define "artifactory-ha.primary.name" -}} -{{- if .Values.nameOverride -}} -{{- printf "%s-primary" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := .Release.Name | trunc 29 -}} -{{- printf "%s-%s-primary" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -The member node name -*/}} -{{- define "artifactory-ha.node.name" -}} -{{- if .Values.nameOverride -}} -{{- printf "%s-member" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := .Release.Name | trunc 29 -}} -{{- printf "%s-%s-member" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Expand the name nginx service. -*/}} -{{- define "artifactory-ha.nginx.name" -}} -{{- default .Values.nginx.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "artifactory-ha.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "artifactory-ha.nginx.fullname" -}} -{{- if .Values.nginx.fullnameOverride -}} -{{- .Values.nginx.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nginx.name -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "artifactory-ha.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} -{{ default (include "artifactory-ha.fullname" .) .Values.serviceAccount.name }} -{{- else -}} -{{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "artifactory-ha.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Generate SSL certificates -*/}} -{{- define "artifactory-ha.gen-certs" -}} -{{- $altNames := list ( printf "%s.%s" (include "artifactory-ha.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory-ha.name" .) .Release.Namespace ) -}} -{{- $ca := genCA "artifactory-ca" 365 -}} -{{- $cert := genSignedCert ( include "artifactory-ha.name" . ) nil $altNames 365 $ca -}} -tls.crt: {{ $cert.Cert | b64enc }} -tls.key: {{ $cert.Key | b64enc }} -{{- end -}} diff --git a/Openshift4/artifactoryha-helm/templates/access-bootstrap-creds.yaml b/Openshift4/artifactoryha-helm/templates/access-bootstrap-creds.yaml deleted file mode 100755 index f4e34a2..0000000 --- a/Openshift4/artifactoryha-helm/templates/access-bootstrap-creds.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if not (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) }} -{{- if .Values.artifactory.accessAdmin.password }} -kind: Secret -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-bootstrap-creds - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - bootstrap.creds: {{ (printf "access-admin@%s=%s" .Values.artifactory.accessAdmin.ip .Values.artifactory.accessAdmin.password) | b64enc }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-binarystore-secret.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-binarystore-secret.yaml deleted file mode 100755 index 2e7cac7..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-binarystore-secret.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if not .Values.artifactory.persistence.customBinarystoreXmlSecret }} -kind: Secret -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-binarystore - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -stringData: - binarystore.xml: |- -{{ tpl .Values.artifactory.persistence.binarystoreXml . | indent 4 }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-configmaps.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-configmaps.yaml deleted file mode 100755 index 1385bc5..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-configmaps.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{ if .Values.artifactory.configMaps }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.fullname" . }}-configmaps - labels: - app: {{ template "artifactory-ha.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: -{{ tpl .Values.artifactory.configMaps . | indent 2 }} -{{ end -}} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-installer-info.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-installer-info.yaml deleted file mode 100755 index 0c9a4f4..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-installer-info.yaml +++ /dev/null @@ -1,25 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-installer-info - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - installer-info.json: | - { - "productId": "Helm_artifactory-ha/{{ .Chart.Version }}", - "features": [ - { - "featureId": "ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}" - }, - { - "featureId": "{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default "derby" .Values.database.type }}{{ end }}/0.0.0" - }, - { - "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}" - } - ] - } diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-license-secret.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-license-secret.yaml deleted file mode 100755 index 3f629c6..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-license-secret.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- with .Values.artifactory.license.licenseKey }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "artifactory-ha.fullname" $ }}-license - labels: - app: {{ template "artifactory-ha.name" $ }} - chart: {{ template "artifactory-ha.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} -type: Opaque -data: - artifactory.lic: {{ . | b64enc | quote }} -{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-networkpolicy.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-networkpolicy.yaml deleted file mode 100755 index 371dc9a..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-networkpolicy.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- range .Values.networkpolicy }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "artifactory-ha.fullname" $ }}-{{ .name }}-networkpolicy - labels: - app: {{ template "artifactory-ha.name" $ }} - chart: {{ template "artifactory-ha.chart" $ }} - release: {{ $.Release.Name }} - heritage: {{ $.Release.Service }} -spec: -{{- if .podSelector }} - podSelector: -{{ .podSelector | toYaml | trimSuffix "\n" | indent 4 -}} -{{ else }} - podSelector: {} -{{- end }} - policyTypes: - {{- if .ingress }} - - Ingress - {{- end }} - {{- if .egress }} - - Egress - {{- end }} -{{- if .ingress }} - ingress: -{{ .ingress | toYaml | trimSuffix "\n" | indent 2 -}} -{{- end }} -{{- if .egress }} - egress: -{{ .egress | toYaml | trimSuffix "\n" | indent 2 -}} -{{- end }} ---- -{{- end -}} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-nfs-pvc.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-nfs-pvc.yaml deleted file mode 100755 index 6ed7d82..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-nfs-pvc.yaml +++ /dev/null @@ -1,101 +0,0 @@ -{{- if eq .Values.artifactory.persistence.type "nfs" }} -### Artifactory HA data -apiVersion: v1 -kind: PersistentVolume -metadata: - name: {{ template "artifactory-ha.fullname" . }}-data-pv - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - id: {{ template "artifactory-ha.name" . }}-data-pv - type: nfs-volume -spec: - {{- if .Values.artifactory.persistence.nfs.mountOptions }} - mountOptions: -{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} - {{- end }} - capacity: - storage: {{ .Values.artifactory.persistence.nfs.capacity }} - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - nfs: - server: {{ .Values.artifactory.persistence.nfs.ip }} - path: "{{ .Values.artifactory.persistence.nfs.haDataMount }}" - readOnly: false ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-data-pvc - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - type: nfs-volume -spec: - accessModes: - - ReadWriteOnce - storageClassName: "" - resources: - requests: - storage: {{ .Values.artifactory.persistence.nfs.capacity }} - selector: - matchLabels: - id: {{ template "artifactory-ha.name" . }}-data-pv - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} ---- -### Artifactory HA backup -apiVersion: v1 -kind: PersistentVolume -metadata: - name: {{ template "artifactory-ha.fullname" . }}-backup-pv - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - id: {{ template "artifactory-ha.name" . }}-backup-pv - type: nfs-volume -spec: - {{- if .Values.artifactory.persistence.nfs.mountOptions }} - mountOptions: -{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} - {{- end }} - capacity: - storage: {{ .Values.artifactory.persistence.nfs.capacity }} - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - nfs: - server: {{ .Values.artifactory.persistence.nfs.ip }} - path: "{{ .Values.artifactory.persistence.nfs.haBackupMount }}" - readOnly: false ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-backup-pvc - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - type: nfs-volume -spec: - accessModes: - - ReadWriteOnce - storageClassName: "" - resources: - requests: - storage: {{ .Values.artifactory.persistence.nfs.capacity }} - selector: - matchLabels: - id: {{ template "artifactory-ha.name" . }}-backup-pv - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-node-pdb.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-node-pdb.yaml deleted file mode 100755 index 871bb21..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-node-pdb.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: {{ template "artifactory-ha.fullname" . }}-node - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - {{- if eq .Values.artifactory.service.pool "members" }} - role: {{ template "artifactory-ha.node.name" . }} - {{- end }} - release: {{ .Release.Name }} - minAvailable: {{ .Values.artifactory.node.minAvailable }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-node-statefulset.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-node-statefulset.yaml deleted file mode 100755 index 67e1ab3..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-node-statefulset.yaml +++ /dev/null @@ -1,510 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "artifactory-ha.node.name" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - force-update: "{{ randAlpha 63 | lower }}" -{{- if .Values.artifactory.node.labels }} -{{ toYaml .Values.artifactory.node.labels | indent 4 }} -{{- end }} -spec: - serviceName: {{ template "artifactory-ha.node.name" . }} - replicas: {{ .Values.artifactory.node.replicaCount }} - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - role: {{ template "artifactory-ha.node.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - role: {{ template "artifactory-ha.node.name" . }} - heritage: {{ .Release.Service }} - component: {{ .Values.artifactory.name }} - release: {{ .Release.Name }} - annotations: - checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} - checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} - {{- range $key, $value := .Values.artifactory.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - {{- if .Values.artifactory.priorityClass.existingPriorityClass }} - priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} - {{- else -}} - {{- if .Values.artifactory.priorityClass.create }} - priorityClassName: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} - {{- end }} - {{- end }} - serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} - terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - {{- end }} - securityContext: - runAsUser: {{ .Values.artifactory.uid }} - fsGroup: {{ .Values.artifactory.uid }} - initContainers: - {{- if .Values.artifactory.customInitContainersBegin }} -{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }} - {{- end }} - {{- if .Values.artifactory.persistence.enabled }} - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - - name: "create-artifactory-data-dir" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - {{- end }} - {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} - - name: "delete-db-properties" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - - name: "remove-lost-found" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - - name: 'copy-system-yaml' - image: '{{ .Values.initContainerImage }}' - command: - - '/bin/sh' - - '-c' - - > - {{- if .Values.artifactory.node.waitForPrimaryStartup.enabled }} - echo "Sleeping to allow time for primary node to come up"; - sleep {{ .Values.artifactory.node.waitForPrimaryStartup.seconds }}; - {{- end }} - echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; - cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; - echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists"; - rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; - volumeMounts: - - name: volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - - name: systemyaml - mountPath: "/tmp/etc/system.yaml" - subPath: system.yaml - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - name: "prepare-custom-persistent-volume" - image: "{{ .Values.initContainerImage }}" - command: - - 'sh' - - '-c' - - > - chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - securityContext: - runAsUser: 0 - volumeMounts: - - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.waitForDatabase }} - {{- if or .Values.postgresql.enabled }} - - name: "wait-for-db" - image: "{{ .Values.initContainerImage }}" - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do - sleep 2; - done; - {{- end }} - {{- end }} - {{- if .Values.artifactory.customInitContainers }} -{{ tpl .Values.artifactory.customInitContainers . | indent 6 }} - {{- end }} - containers: - - name: {{ .Values.artifactory.name }} - image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - command: - - '/bin/sh' - - '-c' - - > - {{- if .Values.artifactory.userPluginSecrets }} - echo "Copying plugins"; - cp -Lrf /tmp/plugin/*/* /tmp/plugins; - {{- end }} - {{- if .Values.artifactory.preStartCommand }} - echo "Running custom preStartCommand command"; - {{ tpl .Values.artifactory.preStartCommand . }}; - {{- end }} - /entrypoint-artifactory.sh - lifecycle: - postStart: - exec: - command: - - '/bin/sh' - - '-c' - - > - echo; - {{- if .Values.artifactory.postStartCommand }} - {{ .Values.artifactory.postStartCommand }} - {{- end }} - env: - {{- if .Values.database.secrets.user }} - - name: JF_SHARED_DATABSE_USERNAME - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.user.name }} - key: {{ .Values.database.secrets.user.key }} - {{- end }} - {{- if .Values.database.secrets.password }} - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.password.name }} - key: {{ .Values.database.secrets.password.key }} - {{- end }} - {{- if .Values.database.secrets.url }} - - name: JF_SHARED_DATABSE_URL - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.url.name }} - key: {{ .Values.database.secrets.url.key }} - {{- end }} - - name: JF_SHARED_NODE_PRIMARY - value: "false" - - name: JF_SHARED_NODE_HAENABLED - value: "true" - - name: JF_SHARED_DATABSE_USERNAME - value: "artifactory" - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-postgresql - key: postgresql-password - ports: - - containerPort: {{ .Values.artifactory.internalPort }} - - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} - {{- if .Values.artifactory.node.javaOpts.jmx.enabled }} - - containerPort: {{ .Values.artifactory.node.javaOpts.jmx.port }} - {{- end }} - volumeMounts: - {{- if .Values.artifactory.customPersistentVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.artifactory.userPluginSecrets }} - - name: tmp-plugins - mountPath: "/tmp/plugins/" - {{- range .Values.artifactory.userPluginSecrets }} - - name: {{ tpl . $ }} - mountPath: "/tmp/plugin/{{ tpl . $ }}" - {{- end }} - {{- end }} - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" - {{- end }} - - name: artifactory-ha-backup - mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "nfs" }} - - name: artifactory-ha-data - mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" - - name: artifactory-ha-backup - mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" - {{- else }} - {{- if .Values.artifactory.binarystore.enabled }} - - name: binarystore-xml - mountPath: "/artifactory_extra_conf/binarystore.xml" - subPath: binarystore.xml - {{- end }} - {{- end }} - - name: installer-info - mountPath: "/artifactory_extra_conf/info/installer-info.json" - subPath: installer-info.json - {{- if .Values.artifactory.customVolumeMounts }} -{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} - {{- end }} - resources: -{{ toYaml .Values.artifactory.node.resources | indent 10 }} - {{- if .Values.artifactory.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: {{ .Values.artifactory.readinessProbe.path }} - port: {{ .Values.artifactory.internalPort }} - initialDelaySeconds: {{ .Values.artifactory.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.artifactory.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.artifactory.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.artifactory.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.artifactory.readinessProbe.successThreshold }} - {{- end }} - {{- if .Values.artifactory.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: {{ .Values.artifactory.livenessProbe.path }} - port: {{ .Values.artifactory.internalPort }} - initialDelaySeconds: {{ .Values.artifactory.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.artifactory.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.artifactory.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }} - {{- end }} - {{- $image := .Values.logger.image.repository }} - {{- $tag := .Values.logger.image.tag }} - {{- $mountPath := .Values.artifactory.persistence.mountPath }} - {{- range .Values.artifactory.loggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - tail - args: - - '-F' - - '{{ $mountPath }}/logs/{{ . }}' - volumeMounts: - - name: volume - mountPath: {{ $mountPath }} - {{- end }} - {{ if .Values.artifactory.catalinaLoggers }} - {{- range .Values.artifactory.catalinaLoggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - 'sh' - - '-c' - - 'sh /scripts/tail-log.sh {{ $mountPath }}/logs/catalina {{ . }}' - volumeMounts: - - name: volume - mountPath: {{ $mountPath }} - - name: catalina-logger - mountPath: /scripts/tail-log.sh - subPath: tail-log.sh - {{- end }} - {{- end }} - {{- if .Values.filebeat.enabled }} - - name: {{ .Values.filebeat.name }} - image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" - imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - args: - - "-e" - - "-E" - - "http.enabled=true" - securityContext: - runAsUser: 0 - volumeMounts: - - name: filebeat-config - mountPath: /usr/share/filebeat/filebeat.yml - readOnly: true - subPath: filebeat.yml - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - livenessProbe: -{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} - readinessProbe: -{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} - resources: -{{ toYaml .Values.filebeat.resources | indent 10 }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} - {{- end }} - {{- if .Values.artifactory.customSidecarContainers }} -{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }} - {{- end }} - {{- with .Values.artifactory.node.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if .Values.artifactory.node.affinity }} - {{- with .Values.artifactory.node.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- else if eq .Values.artifactory.node.podAntiAffinity.type "soft" }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - topologyKey: {{ .Values.artifactory.node.podAntiAffinity.topologyKey }} - labelSelector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - {{- if eq .Values.artifactory.service.pool "members" }} - role: {{ template "artifactory-ha.node.name" . }} - {{- end }} - {{- else if eq .Values.artifactory.node.podAntiAffinity.type "hard" }} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: {{ .Values.artifactory.node.podAntiAffinity.topologyKey }} - labelSelector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - {{- if eq .Values.artifactory.service.pool "members" }} - role: {{ template "artifactory-ha.node.name" . }} - {{- end }} - {{- end }} - {{- with .Values.artifactory.node.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - {{- if .Values.artifactory.binarystore.enabled }} - - name: binarystore-xml - secret: - {{- if .Values.artifactory.persistence.customBinarystoreXmlSecret }} - secretName: {{ .Values.artifactory.persistence.customBinarystoreXmlSecret }} - {{- else }} - secretName: {{ template "artifactory-ha.fullname" . }}-binarystore - {{- end }} - {{- end }} - - name: installer-info - configMap: - name: {{ template "artifactory-ha.fullname" . }}-installer-info - {{- if .Values.artifactory.userPluginSecrets }} - - name: tmp-plugins - emptyDir: {} - {{- range .Values.artifactory.userPluginSecrets }} - - name: {{ tpl . $ }} - secret: - secretName: {{ tpl . $ }} - {{- end }} - {{- end }} - {{- if .Values.artifactory.catalinaLoggers }} - - name: catalina-logger - configMap: - name: {{ template "artifactory-ha.fullname" . }}-catalina-logger - {{- end }} - {{- if .Values.artifactory.configMaps }} - - name: artifactory-configmaps - configMap: - name: {{ template "artifactory-ha.fullname" . }}-configmaps - {{- end }} - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" $ }}-data-pvc-{{ $sharedClaimNumber }} - {{- end }} - - name: artifactory-ha-backup - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" $ }}-backup-pvc - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "nfs" }} - - name: artifactory-ha-data - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" . }}-data-pvc - - name: artifactory-ha-backup - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc - {{- end }} - - name: systemyaml - secret: - secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml - {{- if .Values.artifactory.customPersistentVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - persistentVolumeClaim: - claimName: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - {{- end }} - {{- if .Values.filebeat.enabled }} - - name: filebeat-config - configMap: - name: {{ template "artifactory-ha.fullname" . }}-filebeat-config - {{- end }} - {{- if .Values.artifactory.customVolumes }} -{{ tpl .Values.artifactory.customVolumes . | indent 6 }} - {{- end }} - {{- if not .Values.artifactory.persistence.enabled }} - - name: volume - emptyDir: - sizeLimit: {{ .Values.artifactory.persistence.size }} - {{- end }} - volumeClaimTemplates: - {{- if .Values.artifactory.persistence.enabled }} - - metadata: - name: volume - {{- if not .Values.artifactory.node.persistence.existingClaim }} - spec: - {{- if .Values.artifactory.persistence.storageClassName }} - {{- if (eq "-" .Values.artifactory.persistence.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.persistence.storageClassName }}" - {{- end }} - {{- end }} - accessModes: [ "{{ .Values.artifactory.persistence.accessMode }}" ] - resources: - requests: - storage: {{ .Values.artifactory.persistence.size }} - {{- end }} - {{- end }} - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - metadata: - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - spec: - {{- if .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }} - {{- if (eq "-" .Values.artifactory.customPersistentPodVolumeClaim.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }}" - {{- end }} - {{- end }} - accessModes: - {{- range .Values.artifactory.customPersistentPodVolumeClaim.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.artifactory.customPersistentPodVolumeClaim.size }} - {{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-primary-statefulset.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-primary-statefulset.yaml deleted file mode 100755 index 0e03476..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-primary-statefulset.yaml +++ /dev/null @@ -1,593 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "artifactory-ha.primary.name" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - force-update: "{{ randAlpha 63 | lower }}" -{{- if .Release.IsUpgrade }} - unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Artifactory 6.x currently not supported!\nIf this is an upgrade over an existing Artifactory 7.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }} -{{- end }} -{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} - databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE FAILED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/CHANGELOG.md) and prepare PostgreSQL DB migration before upgrading.\nOnce ready, explicitly pass 'databaseUpgradeReady=yes' to upgrade and complete migration after server starts!\n" .Values.databaseUpgradeReady | quote }} -{{- end }} -{{- if .Values.artifactory.primary.labels }} -{{ toYaml .Values.artifactory.primary.labels | indent 4 }} -{{- end }} -spec: - serviceName: {{ template "artifactory-ha.primary.name" . }} - replicas: 1 - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - role: {{ template "artifactory-ha.primary.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - role: {{ template "artifactory-ha.primary.name" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} - checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} - {{- if not (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) }} - checksum/access-creds: {{ include (print $.Template.BasePath "/access-bootstrap-creds.yaml") . | sha256sum }} - {{- end }} - {{- range $key, $value := .Values.artifactory.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - {{- if .Values.artifactory.priorityClass.existingPriorityClass }} - priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} - {{- else -}} - {{- if .Values.artifactory.priorityClass.create }} - priorityClassName: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} - {{- end }} - {{- end }} - serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} - terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - {{- end }} - securityContext: - runAsUser: {{ .Values.artifactory.uid }} - fsGroup: {{ .Values.artifactory.uid }} - initContainers: - {{- if .Values.artifactory.customInitContainersBegin }} -{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }} - {{- end }} - {{- if .Values.artifactory.persistence.enabled }} - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - - name: "create-artifactory-data-dir" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - {{- end }} - {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} - - name: "delete-db-properties" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - - name: "remove-lost-found" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; - rm -rfv {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}/lost+found; - rm -rfv {{ .Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}/lost+found; - volumeMounts: - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" - {{- end }} - - name: artifactory-ha-backup - mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" - {{- end }} - {{- end }} - {{- if or (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) .Values.artifactory.accessAdmin.password }} - - name: "access-bootstrap-creds" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - echo "Preparing custom Access bootstrap.creds"; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/access/etc; - cp -Lrf /tmp/access/bootstrap.creds {{ .Values.artifactory.persistence.mountPath }}/access/etc/bootstrap.creds; - chmod 600 {{ .Values.artifactory.persistence.mountPath }}/access/etc/bootstrap.creds; - volumeMounts: - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - - name: access-bootstrap-creds - mountPath: "/tmp/access/bootstrap.creds" - {{- if and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey }} - subPath: {{ .Values.artifactory.accessAdmin.dataKey }} - {{- else }} - subPath: bootstrap.creds - {{- end }} - {{- end }} - {{- end }} - - name: 'copy-system-yaml' - image: '{{ .Values.initContainerImage }}' - command: - - '/bin/sh' - - '-c' - - > - echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; - cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; - echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists"; - rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; - volumeMounts: - - name: volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - - name: systemyaml - mountPath: "/tmp/etc/system.yaml" - subPath: system.yaml - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - name: "prepare-custom-persistent-volume" - image: "{{ .Values.initContainerImage }}" - command: - - 'sh' - - '-c' - - > - chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - securityContext: - runAsUser: 0 - volumeMounts: - - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.waitForDatabase }} - {{- if or .Values.postgresql.enabled }} - - name: "wait-for-db" - image: "{{ .Values.initContainerImage }}" - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do - sleep 2; - done; - {{- end }} - {{- end }} - {{- if .Values.artifactory.customInitContainers }} -{{ tpl .Values.artifactory.customInitContainers . | indent 6 }} - {{- end }} - containers: - - name: {{ .Values.artifactory.name }} - image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - command: - - '/bin/sh' - - '-c' - - > - set -e; - {{- if .Values.artifactory.configMapName }} - echo "Copying bootstrap configs"; - cp -Lrf /bootstrap/* /artifactory_extra_conf/; - {{- end }} - {{- if .Values.artifactory.userPluginSecrets }} - echo "Copying plugins"; - cp -Lrf /tmp/plugin/*/* /tmp/plugins; - {{- end }} - {{- range .Values.artifactory.copyOnEveryStartup }} - {{- $targetPath := printf "%s/%s" $.Values.artifactory.persistence.mountPath .target }} - {{- $baseDirectory := regexFind ".*/" $targetPath }} - mkdir -p {{ $baseDirectory }}; - cp -Lrf {{ .source }} {{ $.Values.artifactory.persistence.mountPath }}/{{ .target }}; - {{- end }} - {{- if .Values.artifactory.preStartCommand }} - echo "Running custom preStartCommand command"; - {{ tpl .Values.artifactory.preStartCommand . }}; - {{- end }} - /entrypoint-artifactory.sh - lifecycle: - postStart: - exec: - command: - - '/bin/sh' - - '-c' - - > - echo; - {{- if .Values.artifactory.postStartCommand }} - {{ .Values.artifactory.postStartCommand }} - {{- end }} - env: - {{- if .Values.database.secrets.user }} - - name: JF_SHARED_DATABSE_USERNAME - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.user.name }} - key: {{ .Values.database.secrets.user.key }} - {{- end }} - {{- if .Values.database.secrets.password }} - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.password.name }} - key: {{ .Values.database.secrets.password.key }} - {{- end }} - {{- if .Values.database.secrets.url }} - - name: JF_SHARED_DATABSE_URL - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.url.name }} - key: {{ .Values.database.secrets.url.key }} - {{- end }} - - name: JF_SHARED_NODE_PRIMARY - value: "true" - - name: JF_SHARED_NODE_HAENABLED - value: "true" - - name: JF_SHARED_DATABSE_USERNAME - value: "artifactory" - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-postgresql - key: postgresql-password - ports: - - containerPort: {{ .Values.artifactory.internalPort }} - - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} - {{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} - - containerPort: {{ .Values.artifactory.primary.javaOpts.jmx.port }} - {{- end }} - volumeMounts: - {{- if .Values.artifactory.customPersistentVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.artifactory.userPluginSecrets }} - - name: tmp-plugins - mountPath: "/tmp/plugins/" - {{- range .Values.artifactory.userPluginSecrets }} - - name: {{ tpl . $ }} - mountPath: "/tmp/plugin/{{ tpl . $ }}" - {{- end }} - {{- end }} - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" - {{- end }} - - name: artifactory-ha-backup - mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "nfs" }} - - name: artifactory-ha-data - mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" - - name: artifactory-ha-backup - mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" - {{- else }} - {{- if .Values.artifactory.binarystore.enabled }} - - name: binarystore-xml - mountPath: "/artifactory_extra_conf/binarystore.xml" - subPath: binarystore.xml - {{- end }} - {{- end }} - {{- if .Values.artifactory.configMapName }} - - name: bootstrap-config - mountPath: "/bootstrap/" - {{- end }} - {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} - - name: artifactory-license - mountPath: "/artifactory_extra_conf/artifactory.cluster.license" - {{- if .Values.artifactory.license.secret }} - subPath: {{ .Values.artifactory.license.dataKey }} - {{- else if .Values.artifactory.license.licenseKey }} - subPath: artifactory.lic - {{- end }} - {{- end }} - - name: installer-info - mountPath: "/artifactory_extra_conf/info/installer-info.json" - subPath: installer-info.json - {{- if .Values.artifactory.customVolumeMounts }} -{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} - {{- end }} - resources: -{{ toYaml .Values.artifactory.primary.resources | indent 10 }} - {{- if .Values.artifactory.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: {{ .Values.artifactory.readinessProbe.path }} - port: {{ .Values.artifactory.internalPort }} - initialDelaySeconds: {{ .Values.artifactory.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.artifactory.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.artifactory.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.artifactory.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.artifactory.readinessProbe.successThreshold }} - {{- end }} - {{- if .Values.artifactory.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: {{ .Values.artifactory.livenessProbe.path }} - port: {{ .Values.artifactory.internalPort }} - initialDelaySeconds: {{ .Values.artifactory.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.artifactory.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.artifactory.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }} - {{- end }} - {{- $image := .Values.logger.image.repository }} - {{- $tag := .Values.logger.image.tag }} - {{- $mountPath := .Values.artifactory.persistence.mountPath }} - {{- range .Values.artifactory.loggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - tail - args: - - '-F' - - '{{ $mountPath }}/logs/{{ . }}' - volumeMounts: - - name: volume - mountPath: {{ $mountPath }} - {{- end }} - {{ if .Values.artifactory.catalinaLoggers }} - {{- range .Values.artifactory.catalinaLoggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - 'sh' - - '-c' - - 'sh /scripts/tail-log.sh {{ $mountPath }}/logs/catalina {{ . }}' - volumeMounts: - - name: volume - mountPath: {{ $mountPath }} - - name: catalina-logger - mountPath: /scripts/tail-log.sh - subPath: tail-log.sh - {{- end }} - {{- end }} - {{- if .Values.filebeat.enabled }} - - name: {{ .Values.filebeat.name }} - image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" - imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - args: - - "-e" - - "-E" - - "http.enabled=true" - securityContext: - runAsUser: 0 - volumeMounts: - - name: filebeat-config - mountPath: /usr/share/filebeat/filebeat.yml - readOnly: true - subPath: filebeat.yml - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - livenessProbe: -{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} - readinessProbe: -{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} - resources: -{{ toYaml .Values.filebeat.resources | indent 10 }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} - {{- end }} - {{- if .Values.artifactory.customSidecarContainers }} -{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }} - {{- end }} - {{- with .Values.artifactory.primary.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if .Values.artifactory.primary.affinity }} - {{- with .Values.artifactory.primary.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- else if eq .Values.artifactory.primary.podAntiAffinity.type "soft" }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - topologyKey: {{ .Values.artifactory.primary.podAntiAffinity.topologyKey }} - labelSelector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - {{- else if eq .Values.artifactory.primary.podAntiAffinity.type "hard" }} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: {{ .Values.artifactory.primary.podAntiAffinity.topologyKey }} - labelSelector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - {{- end }} - {{- with .Values.artifactory.primary.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - {{- if .Values.artifactory.binarystore.enabled }} - - name: binarystore-xml - secret: - {{- if .Values.artifactory.persistence.customBinarystoreXmlSecret }} - secretName: {{ .Values.artifactory.persistence.customBinarystoreXmlSecret }} - {{- else }} - secretName: {{ template "artifactory-ha.fullname" . }}-binarystore - {{- end }} - {{- end }} - - name: installer-info - configMap: - name: {{ template "artifactory-ha.fullname" . }}-installer-info - {{- if .Values.artifactory.userPluginSecrets }} - - name: tmp-plugins - emptyDir: {} - {{- range .Values.artifactory.userPluginSecrets }} - - name: {{ tpl . $ }} - secret: - secretName: {{ tpl . $ }} - {{- end }} - {{- end }} - {{- if .Values.artifactory.configMapName }} - - name: bootstrap-config - configMap: - name: {{ .Values.artifactory.configMapName }} - {{- end}} - {{- if .Values.artifactory.catalinaLoggers }} - - name: catalina-logger - configMap: - name: {{ template "artifactory-ha.fullname" . }}-catalina-logger - {{- end }} - {{- if .Values.artifactory.configMaps }} - - name: artifactory-configmaps - configMap: - name: {{ template "artifactory-ha.fullname" . }}-configmaps - {{- end }} - {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} - - name: artifactory-license - secret: - {{- if .Values.artifactory.license.secret }} - secretName: {{ .Values.artifactory.license.secret }} - {{- else if .Values.artifactory.license.licenseKey }} - secretName: {{ template "artifactory-ha.fullname" . }}-license - {{- end }} - {{- end }} - {{- if or (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) .Values.artifactory.accessAdmin.password }} - - name: access-bootstrap-creds - secret: - {{- if and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey }} - secretName: {{ .Values.artifactory.accessAdmin.secret }} - {{- else }} - secretName: {{ template "artifactory-ha.fullname" . }}-bootstrap-creds - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" $ }}-data-pvc-{{ $sharedClaimNumber }} - {{- end }} - - name: artifactory-ha-backup - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" $ }}-backup-pvc - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "nfs" }} - - name: artifactory-ha-data - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" . }}-data-pvc - - name: artifactory-ha-backup - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc - {{- end }} - - name: systemyaml - secret: - secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml - {{- if .Values.artifactory.customPersistentVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - persistentVolumeClaim: - claimName: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - {{- end }} - {{- if .Values.filebeat.enabled }} - - name: filebeat-config - configMap: - name: {{ template "artifactory-ha.fullname" . }}-filebeat-config - {{- end }} - {{- if .Values.artifactory.customVolumes }} -{{ tpl .Values.artifactory.customVolumes . | indent 6 }} - {{- end }} - {{- if not .Values.artifactory.persistence.enabled }} - - name: volume - emptyDir: - sizeLimit: {{ .Values.artifactory.persistence.size }} - {{- end }} - volumeClaimTemplates: - {{- if .Values.artifactory.persistence.enabled }} - - metadata: - name: volume - {{- if not .Values.artifactory.primary.persistence.existingClaim }} - spec: - {{- if .Values.artifactory.persistence.storageClassName }} - {{- if (eq "-" .Values.artifactory.persistence.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.persistence.storageClassName }}" - {{- end }} - {{- end }} - accessModes: [ "{{ .Values.artifactory.persistence.accessMode }}" ] - resources: - requests: - storage: {{ .Values.artifactory.persistence.size }} - {{- end }} - {{- end }} - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - metadata: - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - spec: - {{- if .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }} - {{- if (eq "-" .Values.artifactory.customPersistentPodVolumeClaim.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }}" - {{- end }} - {{- end }} - accessModes: - {{- range .Values.artifactory.customPersistentPodVolumeClaim.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.artifactory.customPersistentPodVolumeClaim.size }} - {{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-priority-class.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-priority-class.yaml deleted file mode 100755 index 417ec5c..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-priority-class.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if .Values.artifactory.priorityClass.create }} -apiVersion: scheduling.k8s.io/v1 -kind: PriorityClass -metadata: - name: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} -value: {{ .Values.artifactory.priorityClass.value }} -globalDefault: false -description: "Artifactory priority class" -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-role.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-role.yaml deleted file mode 100755 index c86bffd..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-role.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "artifactory-ha.fullname" . }} -rules: -{{ toYaml .Values.rbac.role.rules }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-rolebinding.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-rolebinding.yaml deleted file mode 100755 index 4412870..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-rolebinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "artifactory-ha.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "artifactory-ha.serviceAccountName" . }} -roleRef: - kind: Role - apiGroup: rbac.authorization.k8s.io - name: {{ template "artifactory-ha.fullname" . }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-secrets.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-secrets.yaml deleted file mode 100755 index 2665d32..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "artifactory-ha.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -type: Opaque -data: -{{- if not .Values.artifactory.masterKeySecretName }} - master-key: {{ .Values.artifactory.masterKey | b64enc | quote }} -{{- end }} -{{- if .Values.database.password }} - db-password: {{ .Values.database.password | b64enc | quote }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-service.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-service.yaml deleted file mode 100755 index 38d3355..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-service.yaml +++ /dev/null @@ -1,88 +0,0 @@ -# Service for all Artifactory cluster nodes. -apiVersion: v1 -kind: Service -metadata: - name: {{ template "artifactory-ha.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -{{- if .Values.artifactory.service.annotations }} - annotations: -{{ toYaml .Values.artifactory.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.artifactory.service.type }} - {{- if and (eq .Values.artifactory.service.type "ClusterIP") .Values.artifactory.service.clusterIP }} - clusterIP: {{ .Values.artifactory.service.clusterIP }} - {{- end }} - {{- if .Values.artifactory.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.artifactory.service.loadBalancerSourceRanges | indent 4 }} - {{- end }} - ports: - - port: {{ .Values.artifactory.externalPort }} - targetPort: {{ .Values.artifactory.internalPort }} - protocol: TCP - name: {{ .Release.Name }}-router - - port: {{ .Values.artifactory.externalArtifactoryPort }} - targetPort: {{ .Values.artifactory.internalArtifactoryPort }} - protocol: TCP - name: {{ .Release.Name }}-artifactory - {{- with .Values.artifactory.node.javaOpts.jmx }} - {{- if .enabled }} - - port: {{ .port }} - targetPort: {{ .port }} - protocol: TCP - name: jmx - {{- end }} - {{- end }} - selector: -{{- if eq .Values.artifactory.service.pool "members" }} - role: {{ template "artifactory-ha.node.name" . }} -{{- end }} - app: {{ template "artifactory-ha.name" . }} - component: "{{ .Values.artifactory.name }}" - release: {{ .Release.Name }} ---- -# Internal service for Artifactory primary node only! -# Used by member nodes to check readiness of primary node before starting up -apiVersion: v1 -kind: Service -metadata: - name: {{ template "artifactory-ha.primary.name" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - type: {{ .Values.artifactory.service.type }} - {{- if and (eq .Values.artifactory.service.type "ClusterIP") .Values.artifactory.service.clusterIP }} - clusterIP: {{ .Values.artifactory.service.clusterIP }} - {{- end }} - ports: - - port: {{ .Values.artifactory.externalPort }} - targetPort: {{ .Values.artifactory.internalPort }} - protocol: TCP - name: {{ .Release.Name }}-router - - port: {{ .Values.artifactory.externalArtifactoryPort }} - targetPort: {{ .Values.artifactory.internalArtifactoryPort }} - protocol: TCP - name: {{ .Release.Name }}-artifactory - {{- with .Values.artifactory.primary.javaOpts.jmx }} - {{- if .enabled }} - - port: {{ .port }} - targetPort: {{ .port }} - protocol: TCP - name: jmx - {{- end }} - {{- end }} - selector: - role: {{ template "artifactory-ha.primary.name" . }} - app: {{ template "artifactory-ha.name" . }} - component: "{{ .Values.artifactory.name }}" - release: {{ .Release.Name }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-serviceaccount.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-serviceaccount.yaml deleted file mode 100755 index 6ea0b10..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: -{{- if .Values.serviceAccount.annotations }} - annotations: -{{ tpl (toYaml .) $ | indent 4 }} -{{- end}} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "artifactory-ha.serviceAccountName" . }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-storage-pvc.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-storage-pvc.yaml deleted file mode 100755 index e0bfa6b..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-storage-pvc.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{ if .Values.artifactory.customPersistentVolumeClaim }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - labels: - app: {{ template "artifactory-ha.name" . }} - version: "{{ .Values.artifactory.version }}" - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - accessModes: - {{- range .Values.artifactory.customPersistentVolumeClaim.accessModes }} - - {{ . | quote }} - {{- end }} - {{- if .Values.artifactory.customPersistentVolumeClaim.storageClassName }} - {{- if (eq "-" .Values.artifactory.customPersistentVolumeClaim.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.customPersistentVolumeClaim.storageClassName }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ .Values.artifactory.customPersistentVolumeClaim.size | quote }} -{{ end -}} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/artifactory-system-yaml.yaml b/Openshift4/artifactoryha-helm/templates/artifactory-system-yaml.yaml deleted file mode 100755 index cf8ffba..0000000 --- a/Openshift4/artifactoryha-helm/templates/artifactory-system-yaml.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "artifactory-ha.primary.name" . }}-system-yaml - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -type: Opaque -stringData: - system.yaml: | -{{ tpl .Values.artifactory.systemYaml . | indent 4 }} diff --git a/Openshift4/artifactoryha-helm/templates/catalina-logger-configmap.yaml b/Openshift4/artifactoryha-helm/templates/catalina-logger-configmap.yaml deleted file mode 100755 index 807fe72..0000000 --- a/Openshift4/artifactoryha-helm/templates/catalina-logger-configmap.yaml +++ /dev/null @@ -1,53 +0,0 @@ -{{- if .Values.artifactory.catalinaLoggers }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.fullname" . }}-catalina-logger - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - tail-log.sh: | - #!/bin/sh - - LOG_DIR=$1 - LOG_NAME=$2 - PID= - - # Wait for log dir to appear - while [ ! -d ${LOG_DIR} ]; do - sleep 1 - done - sleep 5 - - cd ${LOG_DIR} - - LOG_PREFIX=$(echo ${LOG_NAME} | awk -F\. '{print $1}') - - # Find the log to tail - LOG_FILE=$(ls -1t ./${LOG_PREFIX}.*.log | head -1) - - # echo "Tailing ${LOG_FILE}" - tail -F ${LOG_FILE} & - PID=$! - - # Loop forever to see if a new log was created - while true; do - # Find the latest log - NEW_LOG_FILE=$(ls -1t ./${LOG_PREFIX}.*.log | head -1) - - # If a new log file is found, kill old tail and switch to tailing it - if [ "${LOG_FILE}" != "${NEW_LOG_FILE}" ]; then - kill -9 ${PID} - wait $! 2>/dev/null - LOG_FILE=${NEW_LOG_FILE} - - # echo "Tailing ${LOG_FILE}" - tail -F ${LOG_FILE} & - PID=$! - fi - sleep 2 - done -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/filebeat-configmap.yaml b/Openshift4/artifactoryha-helm/templates/filebeat-configmap.yaml deleted file mode 100755 index d2db2a0..0000000 --- a/Openshift4/artifactoryha-helm/templates/filebeat-configmap.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.filebeat.enabled }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.name" . }}-filebeat-config - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service | quote }} - release: {{ .Release.Name | quote }} -data: - filebeat.yml: | -{{ tpl .Values.filebeat.filebeatYml . | indent 4 }} -{{- end -}} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/ingress.yaml b/Openshift4/artifactoryha-helm/templates/ingress.yaml deleted file mode 100755 index e8e2fd2..0000000 --- a/Openshift4/artifactoryha-helm/templates/ingress.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $serviceName := include "artifactory-ha.fullname" . -}} -{{- $servicePort := .Values.artifactory.externalPort -}} -{{- $artifactoryServicePort := .Values.artifactory.externalArtifactoryPort -}} -{{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: networking.k8s.io/v1beta1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ template "artifactory-ha.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.ingress.labels }} -{{ .Values.ingress.labels | toYaml | trimSuffix "\n"| indent 4 -}} -{{- end}} -{{- if .Values.ingress.annotations }} - annotations: - force-update: "{{ randAlpha 63 | lower }}" -{{ .Values.ingress.annotations | toYaml | trimSuffix "\n" | indent 4 -}} -{{- end }} -spec: - {{- if .Values.ingress.defaultBackend.enabled }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - rules: -{{- if .Values.ingress.hosts }} - {{- range $host := .Values.ingress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: {{ $.Values.ingress.routerPath }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - - path: {{ $.Values.ingress.artifactoryPath }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $artifactoryServicePort }} - {{- end -}} -{{- end -}} - {{- with .Values.ingress.additionalRules }} -{{ tpl . $ | indent 2 }} - {{- end }} - - {{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-artifactory-conf.yaml b/Openshift4/artifactoryha-helm/templates/nginx-artifactory-conf.yaml deleted file mode 100755 index eb1f0e6..0000000 --- a/Openshift4/artifactoryha-helm/templates/nginx-artifactory-conf.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if and (not .Values.nginx.customArtifactoryConfigMap) .Values.nginx.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - artifactory.conf: | -{{ tpl .Values.nginx.artifactoryConf . | indent 4 }} -{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactoryha-helm/templates/nginx-certificate-secret.yaml b/Openshift4/artifactoryha-helm/templates/nginx-certificate-secret.yaml deleted file mode 100755 index 2c1430a..0000000 --- a/Openshift4/artifactoryha-helm/templates/nginx-certificate-secret.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled }} -apiVersion: v1 -kind: Secret -type: kubernetes.io/tls -metadata: - name: {{ template "artifactory-ha.fullname" . }}-nginx-certificate - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: -{{ ( include "artifactory-ha.gen-certs" . ) | indent 2 }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-conf.yaml b/Openshift4/artifactoryha-helm/templates/nginx-conf.yaml deleted file mode 100755 index 5f424d5..0000000 --- a/Openshift4/artifactoryha-helm/templates/nginx-conf.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if and (not .Values.nginx.customConfigMap) .Values.nginx.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.fullname" . }}-nginx-conf - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - nginx.conf: | -{{ tpl .Values.nginx.mainConf . | indent 4 }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-deployment.yaml b/Openshift4/artifactoryha-helm/templates/nginx-deployment.yaml deleted file mode 100755 index 4bc3f79..0000000 --- a/Openshift4/artifactoryha-helm/templates/nginx-deployment.yaml +++ /dev/null @@ -1,185 +0,0 @@ -{{- if .Values.nginx.enabled -}} -{{- $serviceName := include "artifactory-ha.fullname" . -}} -{{- $servicePort := .Values.artifactory.externalPort -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "artifactory-ha.nginx.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: {{ .Values.nginx.name }} -{{- if .Values.nginx.labels }} -{{ toYaml .Values.nginx.labels | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.nginx.replicaCount }} - selector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - component: {{ .Values.nginx.name }} - template: - metadata: - annotations: - checksum/nginx-conf: {{ include (print $.Template.BasePath "/nginx-conf.yaml") . | sha256sum }} - checksum/nginx-artifactory-conf: {{ include (print $.Template.BasePath "/nginx-artifactory-conf.yaml") . | sha256sum }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.nginx.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - spec: - serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - {{- end }} - initContainers: - - name: "setup" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} - command: - - '/bin/sh' - - '-c' - - > - rm -rfv {{ .Values.nginx.persistence.mountPath }}/lost+found; - mkdir -p {{ .Values.nginx.persistence.mountPath }}/logs; - volumeMounts: - - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} - name: nginx-volume - securityContext: - runAsUser: {{ .Values.nginx.uid }} - fsGroup: {{ .Values.nginx.gid }} - containers: - - name: {{ .Values.nginx.name }} - image: '{{ .Values.nginx.image.repository }}:{{ default .Chart.AppVersion .Values.nginx.image.version }}' - imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} - command: - - 'nginx' - - '-g' - - 'daemon off;' - ports: - # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.1 and - # will be cleaned up in a later version - {{- if .Values.nginx.http }} - {{- if .Values.nginx.http.enabled }} - - containerPort: {{ .Values.nginx.http.internalPort }} - {{- end }} - {{- else }} # DEPRECATED - - containerPort: {{ .Values.nginx.internalPortHttp }} - {{- end }} - {{- if .Values.nginx.https }} - {{- if .Values.nginx.https.enabled }} - - containerPort: {{ .Values.nginx.https.internalPort }} - {{- end }} - {{- else }} # DEPRECATED - - containerPort: {{ .Values.nginx.internalPortHttps }} - {{- end }} - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - - name: nginx-artifactory-conf - mountPath: "{{ .Values.nginx.persistence.mountPath }}/conf.d/" - - name: nginx-volume - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} - - name: ssl-certificates - mountPath: "{{ .Values.nginx.persistence.mountPath }}/ssl" - resources: -{{ toYaml .Values.nginx.resources | indent 10 }} - {{- if .Values.nginx.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: {{ .Values.nginx.readinessProbe.path }} - {{- if .Values.nginx.http.enabled }} - port: {{ .Values.nginx.http.internalPort }} - scheme: HTTP - {{- else }} - port: {{ .Values.nginx.https.internalPort }} - scheme: HTTPS - {{- end }} - initialDelaySeconds: {{ .Values.nginx.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.nginx.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.nginx.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.nginx.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.nginx.readinessProbe.successThreshold }} - {{- end }} - {{- if .Values.nginx.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: {{ .Values.nginx.livenessProbe.path }} - {{- if .Values.nginx.http.enabled }} - port: {{ .Values.nginx.http.internalPort }} - scheme: HTTP - {{- else }} - port: {{ .Values.nginx.https.internalPort }} - scheme: HTTPS - {{- end }} - initialDelaySeconds: {{ .Values.nginx.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.nginx.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.nginx.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.nginx.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.nginx.livenessProbe.successThreshold }} - {{- end }} - {{- $image := .Values.logger.image.repository }} - {{- $tag := .Values.logger.image.tag }} - {{- $mountPath := .Values.nginx.persistence.mountPath }} - {{- range .Values.nginx.loggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - tail - args: - - '-F' - - '{{ $mountPath }}/logs/{{ . }}' - volumeMounts: - - name: nginx-volume - mountPath: {{ $mountPath }} - {{- end }} - {{- with .Values.nginx.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - - name: nginx-conf - configMap: - {{- if .Values.nginx.customConfigMap }} - name: {{ .Values.nginx.customConfigMap }} - {{- else }} - name: {{ template "artifactory-ha.fullname" . }}-nginx-conf - {{- end }} - - name: nginx-artifactory-conf - configMap: - {{- if .Values.nginx.customArtifactoryConfigMap }} - name: {{ .Values.nginx.customArtifactoryConfigMap }} - {{- else }} - name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf - {{- end }} - - - name: nginx-volume - {{- if .Values.nginx.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.nginx.persistence.existingClaim | default (include "artifactory-ha.nginx.fullname" .) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: ssl-certificates - secret: - {{- if .Values.nginx.tlsSecretName }} - secretName: {{ .Values.nginx.tlsSecretName }} - {{- else }} - secretName: {{ template "artifactory-ha.fullname" . }}-nginx-certificate - {{- end }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-pvc.yaml b/Openshift4/artifactoryha-helm/templates/nginx-pvc.yaml deleted file mode 100755 index 68a89ce..0000000 --- a/Openshift4/artifactoryha-helm/templates/nginx-pvc.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if and .Values.nginx.persistence.enabled (.Values.nginx.enabled) (eq (int .Values.nginx.replicaCount) 1) }} -{{- if (not .Values.nginx.persistence.existingClaim) }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.nginx.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - accessModes: - - {{ .Values.nginx.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.nginx.persistence.size | quote }} -{{- if .Values.nginx.persistence.storageClass }} -{{- if (eq "-" .Values.nginx.persistence.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.nginx.persistence.storageClass }}" -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/templates/nginx-service.yaml b/Openshift4/artifactoryha-helm/templates/nginx-service.yaml deleted file mode 100755 index 7a212e0..0000000 --- a/Openshift4/artifactoryha-helm/templates/nginx-service.yaml +++ /dev/null @@ -1,69 +0,0 @@ -{{- if .Values.nginx.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "artifactory-ha.nginx.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: {{ .Values.nginx.name }} - {{- if .Values.nginx.service.labels }} -{{ toYaml .Values.nginx.service.labels | indent 4 }} - {{- end }} -{{- if .Values.nginx.service.annotations }} - annotations: -{{ toYaml .Values.nginx.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.nginx.service.type }} - {{- if and (eq .Values.nginx.service.type "ClusterIP") .Values.nginx.service.clusterIP }} - clusterIP: {{ .Values.nginx.service.clusterIP }} - {{- end }} -{{- if eq .Values.nginx.service.type "LoadBalancer" }} - {{ if .Values.nginx.service.loadBalancerIP -}} - loadBalancerIP: {{ .Values.nginx.service.loadBalancerIP }} - {{ end -}} - {{- if .Values.nginx.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.nginx.service.externalTrafficPolicy }} - {{- end }} -{{- end }} -{{- if .Values.nginx.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.nginx.service.loadBalancerSourceRanges | indent 4 }} -{{- end }} - ports: - # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.0 and - # will be cleaned up in a later verion - {{- if .Values.nginx.http }} - {{- if .Values.nginx.http.enabled }} - - port: {{ .Values.nginx.http.externalPort }} - targetPort: {{ .Values.nginx.http.internalPort }} - protocol: TCP - name: http - {{- end }} - {{- else }} # DEPRECATED - - port: {{ .Values.nginx.externalPortHttp }} - targetPort: {{ .Values.nginx.internalPortHttp }} - protocol: TCP - name: http - {{- end }} - {{- if .Values.nginx.https }} - {{- if .Values.nginx.https.enabled }} - - port: {{ .Values.nginx.https.externalPort }} - targetPort: {{ .Values.nginx.https.internalPort }} - protocol: TCP - name: https - {{- end }} - {{- else }} # DEPRECATED - - port: {{ .Values.nginx.externalPortHttps }} - targetPort: {{ .Values.nginx.internalPortHttps }} - protocol: TCP - name: https - {{- end }} - selector: - app: {{ template "artifactory-ha.name" . }} - component: {{ .Values.nginx.name }} - release: {{ .Release.Name }} -{{- end }} diff --git a/Openshift4/artifactoryha-helm/values-large.yaml b/Openshift4/artifactoryha-helm/values-large.yaml deleted file mode 100755 index ec05d2a..0000000 --- a/Openshift4/artifactoryha-helm/values-large.yaml +++ /dev/null @@ -1,24 +0,0 @@ -artifactory: - primary: - resources: - requests: - memory: "6Gi" - cpu: "4" - limits: - memory: "10Gi" - cpu: "8" - javaOpts: - xms: "6g" - xmx: "8g" - node: - replicaCount: 3 - resources: - requests: - memory: "6Gi" - cpu: "4" - limits: - memory: "10Gi" - cpu: "8" - javaOpts: - xms: "6g" - xmx: "8g" diff --git a/Openshift4/artifactoryha-helm/values-medium.yaml b/Openshift4/artifactoryha-helm/values-medium.yaml deleted file mode 100755 index 33879c0..0000000 --- a/Openshift4/artifactoryha-helm/values-medium.yaml +++ /dev/null @@ -1,24 +0,0 @@ -artifactory: - primary: - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "8Gi" - cpu: "6" - javaOpts: - xms: "4g" - xmx: "6g" - node: - replicaCount: 2 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "8Gi" - cpu: "6" - javaOpts: - xms: "4g" - xmx: "6g" diff --git a/Openshift4/artifactoryha-helm/values-small.yaml b/Openshift4/artifactoryha-helm/values-small.yaml deleted file mode 100755 index 4babf97..0000000 --- a/Openshift4/artifactoryha-helm/values-small.yaml +++ /dev/null @@ -1,24 +0,0 @@ -artifactory: - primary: - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "6Gi" - cpu: "4" - javaOpts: - xms: "4g" - xmx: "4g" - node: - replicaCount: 1 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "6Gi" - cpu: "4" - javaOpts: - xms: "4g" - xmx: "4g" diff --git a/Openshift4/artifactoryha-helm/values.yaml b/Openshift4/artifactoryha-helm/values.yaml deleted file mode 100755 index ce07ccb..0000000 --- a/Openshift4/artifactoryha-helm/values.yaml +++ /dev/null @@ -1,1330 +0,0 @@ -# Default values for artifactory-ha. -# This is a YAML-formatted file. -# Beware when changing values here. You should know what you are doing! -# Access the values with {{ .Values.key.subkey }} - -# Common -initContainerImage: "alpine:3.10" - -installer: - type: - platform: - -# For supporting pulling from private registries -imagePullSecrets: - -## Role Based Access Control -## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ -rbac: - create: true - role: - ## Rules to create. It follows the role specification - rules: - - apiGroups: - - '' - resources: - - services - - endpoints - - pods - verbs: - - get - - watch - - list - -## Service Account -## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ -## -serviceAccount: - create: true - ## The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the fullname template - name: - annotations: {} - -ingress: - enabled: false - defaultBackend: - enabled: true - # Used to create an Ingress record. - hosts: [] - routerPath: / - artifactoryPath: /artifactory/ - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - # traffic-type: external - # traffic-type: internal - tls: [] - # Secrets must be manually created in the namespace. - # - secretName: chart-example-tls - # hosts: - # - artifactory.domain.example - - # Additional ingress rules - additionalRules: [] - - -networkpolicy: - # Allows all ingress and egress - - name: artifactory - podSelector: - matchLabels: - app: artifactory-ha - egress: - - {} - ingress: - - {} - # Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) - # - name: postgresql - # podSelector: - # matchLabels: - # app: postgresql - # ingress: - # - from: - # - podSelector: - # matchLabels: - # app: artifactory-ha - - -## Database configurations -## Use the wait-for-db init container. Set to false to skip -waitForDatabase: true - -## Configuration values for the postgresql dependency -## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md -## -postgresql: - enabled: true - image: - registry: docker.bintray.io - repository: bitnami/postgresql - tag: 9.6.15-debian-9-r91 - postgresqlUsername: artifactory - postgresqlPassword: "" - postgresqlDatabase: artifactory - postgresqlConfiguration: - listenAddresses: "'*'" - maxConnections: "1500" - persistence: - enabled: true - size: 50Gi - service: - port: 5432 - resources: {} - # requests: - # memory: "512Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "500m" - nodeSelector: {} - -## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), -## you MUST specify custom database details here or Artifactory will NOT start -database: - type: - driver: - ## If you set the url, leave host and port empty - url: - ## If you would like this chart to create the secret containing the db - ## password, use these values - user: - password: - ## If you have existing Kubernetes secrets containing db credentials, use - ## these values - secrets: {} - # user: - # name: "rds-artifactory" - # key: "db-user" - # password: - # name: "{{ .Release.Name}}}}-postgresql" - # key: "postgresql-password" - # url: - # name: "rds-artifactory" - # key: "db-url" - -logger: - image: - repository: 'busybox' - tag: '1.30' - -# Artifactory -artifactory: - name: artifactory-ha - image: - # repository: "docker.bintray.io/jfrog/artifactory-pro" - repository: "peters95/artifactory-pro" - # Note that by default we use appVersion to get image tag - # version: - pullPolicy: IfNotPresent - - # Create a priority class for the Artifactory pods or use an existing one - # NOTE - Maximum allowed value of a user defined priority is 1000000000 - priorityClass: - create: false - value: 1000000000 - ## Override default name - # name: - ## Use an existing priority class - # existingPriorityClass: - - # Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties - deleteDBPropertiesOnStartup: true - database: - maxOpenConnections: 80 - - # This directory is intended for use with NFS eventual configuration for HA - haDataDir: - enabled: false - path: - - # Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup - copyOnEveryStartup: - # # Absolute path - # - source: /artifactory_extra_conf/binarystore.xml - # # Relative to ARTIFACTORY_HOME/ - # target: etc/ - # # Absolute path - # - source: /artifactory_extra_conf/artifactory.lic - # # Relative to ARTIFACTORY_HOME/ - # target: etc/ - - # Sidecar containers for tailing Artifactory logs - loggers: [] - # - request.log - # - event.log - # - binarystore.log - # - request_trace.log - # - access.log - # - artifactory.log - # - build_info_migration.log - - # Sidecar containers for tailing Tomcat (catalina) logs - catalinaLoggers: [] - # - catalina.log - # - host-manager.log - # - localhost.log - # - manager.log - - ## Add custom init containers execution before predefined init containers - customInitContainersBegin: | - - name: "custom-setup" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - command: - - 'sh' - - '-c' - - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}' - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - name: volume - ## Add custom init containers - - ## Add custom init containers execution after predefined init containers - customInitContainers: | - # - name: "custom-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - # command: - # - 'sh' - # - '-c' - # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: volume - - ## Add custom sidecar containers - # - The provided example uses a custom volume (customVolumes) - # - The provided example shows running container as root (id 0) - customSidecarContainers: | - # - name: "sidecar-list-etc" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - # securityContext: - # runAsUser: 0 - # fsGroup: 0 - # command: - # - 'sh' - # - '-c' - # - 'sh /scripts/script.sh' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: volume - # - mountPath: "/scripts/script.sh" - # name: custom-script - # subPath: script.sh - # resources: - # requests: - # memory: "32Mi" - # cpu: "50m" - # limits: - # memory: "128Mi" - # cpu: "100m" - - ## Add custom volumes - customVolumes: | - # - name: custom-script - # configMap: - # name: custom-script - - ## Add custom volumesMounts - customVolumeMounts: | - # - name: custom-script - # mountPath: "/scripts/script.sh" - # subPath: script.sh - # - name: posthook-start - # mountPath: "/scripts/posthoook-start.sh" - # subPath: posthoook-start.sh - # - name: prehook-start - # mountPath: "/scripts/prehook-start.sh" - # subPath: prehook-start.sh - - # Add custom persistent volume mounts - Available for the pod - customPersistentPodVolumeClaim: {} - # name: - # mountPath: - # accessModes: - # - "-" - # size: - # storageClassName: - - # Add custom persistent volume mounts - Available to the entire namespace - customPersistentVolumeClaim: {} - # name: - # mountPath: - # accessModes: - # - "-" - # size: - # storageClassName: - - ## Artifactory HA requires a unique master key. Each Artifactory node must have the same master key! - ## You can generate one with the command: 'openssl rand -hex 16' - ## Pass it to helm with '--set artifactory.masterKey=${MASTER_KEY}' - ## Alternatively, you can use a pre-existing secret with a key called master-key by specifying masterKeySecretName - ## IMPORTANT: You should NOT use the example masterKey for a production deployment! - masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF - # masterKeySecretName: - - ## Join Key to connect to other services to Artifactory - ## IMPORTANT: You should NOT use the example joinKey for a production deployment! - joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE - - binarystore: - enabled: true - - accessAdmin: - ip: "127.0.0.1" - password: - secret: - dataKey: - - ## Artifactory license. - license: - ## licenseKey is the license key in plain text. Use either this or the license.secret setting - licenseKey: - ## If artifactory.license.secret is passed, it will be mounted as - ## ARTIFACTORY_HOME/etc/artifactory.lic and loaded at run time. - secret: - ## The dataKey should be the name of the secret data key created. - dataKey: - - ## Create configMap with artifactory.config.import.xml and security.import.xml and pass name of configMap in following parameter - configMapName: - - # Add any list of configmaps to Artifactory - configMaps: | - # posthook-start.sh: |- - # echo "This is a post start script" - # posthook-end.sh: |- - # echo "This is a post end script" - - ## List of secrets for Artifactory user plugins. - ## One Secret per plugin's files. - userPluginSecrets: - # - archive-old-artifacts - # - build-cleanup - # - webhook - # - '{{ template "my-chart.fullname" . }}' - - ## Extra pre-start command to install JDBC driver for MySql/MariaDb/Oracle - # preStartCommand: "wget -O /opt/jfrog/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" - ## Extra post-start command to run extra commands after container starts - # postStartCommand: - - ## Extra environment variables that can be used to tune Artifactory to your needs. - ## Uncomment and set value as needed - #extraEnvironmentVariables: | - # - name: JF_SHARED_DATABSE_USERNAME - # value: "artifactory" - # - name: JF_SHARED_DATABASE_PASSWORD - # valueFrom: - # secretKeyRef: - # name: {{ .Release.Name }}-postgresql - # key: postgresql-password - # - name: POSTGRES_DB - # value: "artifactory" - - # TODO: Fix javaOpts for member nodes (currently uses primary settings for all nodes) - systemYaml: | - shared: - extraJavaOpts: > - {{- with .Values.artifactory.primary.javaOpts }} - -Dartifactory.async.corePoolSize={{ .corePoolSize }} - {{- if .xms }} - -Xms{{ .xms }} - {{- end }} - {{- if .xmx }} - -Xmx{{ .xmx }} - {{- end }} - {{- if .jmx.enabled }} - -Dcom.sun.management.jmxremote - -Dcom.sun.management.jmxremote.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} - {{- if .jmx.host }} - -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} - {{- else }} - -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} - {{- end }} - {{- if .jmx.authenticate }} - -Dcom.sun.management.jmxremote.authenticate=true - -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} - -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} - {{- else }} - -Dcom.sun.management.jmxremote.authenticate=false - {{- end }} - {{- end }} - {{- if .other }} - {{ .other }} - {{- end }} - {{- end }} - database: - {{- if .Values.postgresql.enabled }} - type: postgresql - url: 'jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}' - host: '' - driver: org.postgresql.Driver - username: '{{ .Values.postgresql.postgresqlUsername }}' - password: '{{ .Values.postgresql.postgresqlPassword }}' - {{ else }} - type: '{{ .Values.database.type }}' - url: '{{ .Values.database.url }}' - driver: '{{ .Values.database.driver }}' - username: '{{ .Values.database.user }}' - password: '{{ .Values.database.password }}' - {{- end }} - security: - joinKey: '{{ .Values.artifactory.joinKey }}' - masterKey: '{{ .Values.artifactory.masterKey }}' - artifactory: - {{- if .Values.artifactory.haDataDir.enabled }} - node: - haDataDir: {{ .Values.artifactory.haDataDir.path }} - {{- end }} - database: - maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} - access: - database: - maxOpenConnections: '{{ .Values.access.database.maxOpenConnections }}' - {{- if .Values.access.database.enabled }} - type: '{{ .Values.access.database.type }}' - url: '{{ .Values.access.database.url }}' - driver: '{{ .Values.access.database.driver }}' - username: '{{ .Values.access.database.user }}' - password: '{{ .Values.access.database.password }}' - {{- end }} - - ## IMPORTANT: If overriding artifactory.internalPort: - ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024! - externalPort: 8082 - internalPort: 8082 - externalArtifactoryPort: 8081 - internalArtifactoryPort: 8081 - uid: 1030 - terminationGracePeriodSeconds: 30 - ## The following settings are to configure the frequency of the liveness and readiness probes - livenessProbe: - enabled: true - path: /router/api/v1/system/health - initialDelaySeconds: 180 - failureThreshold: 10 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - - readinessProbe: - enabled: true - path: /router/api/v1/system/health - initialDelaySeconds: 60 - failureThreshold: 10 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - - persistence: - enabled: true - local: false - redundancy: 3 - mountPath: "/var/opt/jfrog/artifactory" - accessMode: ReadWriteOnce - size: 200Gi - - ## Use a custom Secret to be mounted as your binarystore.xml - ## NOTE: This will ignore all settings below that make up binarystore.xml - customBinarystoreXmlSecret: - - maxCacheSize: 50000000000 - cacheProviderDir: cache - eventual: - numberOfThreads: 10 - ## artifactory data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClassName: "-" - - ## Set the persistence storage type. This will apply the matching binarystore.xml to Artifactory config - ## Supported types are: - ## file-system (default) - ## nfs - ## google-storage - ## aws-s3 - ## azure-blob - type: file-system - - ## Use binarystoreXml to provide a custom binarystore.xml - ## This can be a template or hardcoded. - binarystoreXml: | - {{- if eq .Values.artifactory.persistence.type "file-system" }} - - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - - - - - - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} - - {{- end }} - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - // Specify the read and write strategy and redundancy for the sharding binary provider - - roundRobin - percentageFreeSpace - 2 - - - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} - //For each sub-provider (mount), specify the filestore location - - filestore{{ $sharedClaimNumber }} - - {{- end }} - - {{- else }} - - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - 2 - 2 - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - - shard-fs-1 - local - - - - - 30 - tester-remote1 - 10000 - remote - - - - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "google-storage" }} - - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - 2 - - - - - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - local - - - - 30 - 10000 - remote - - - - {{ .Values.artifactory.persistence.mountPath }}/data/filestore - /tmp - - - - google-cloud-storage - {{ .Values.artifactory.persistence.googleStorage.endpoint }} - {{ .Values.artifactory.persistence.googleStorage.httpsOnly }} - {{ .Values.artifactory.persistence.googleStorage.bucketName }} - {{ .Values.artifactory.persistence.googleStorage.identity }} - {{ .Values.artifactory.persistence.googleStorage.credential }} - {{ .Values.artifactory.persistence.googleStorage.path }} - {{ .Values.artifactory.persistence.googleStorage.bucketExists }} - - - {{- end }} - {{- if eq .Values.artifactory.persistence.type "aws-s3-v3" }} - - - - - - - - - - - - - - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - - - - - remote - - - - local - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - {{- with .Values.artifactory.persistence.awsS3V3 }} - - {{ .testConnection }} - {{- if .identity }} - {{ .identity }} - {{- end }} - {{- if .credential }} - {{ .credential }} - {{- end }} - {{ .region }} - {{ .bucketName }} - {{ .path }} - {{ .endpoint }} - {{- with .kmsServerSideEncryptionKeyId }} - {{ . }} - {{- end }} - {{- with .kmsKeyRegion }} - {{ . }} - {{- end }} - {{- with .kmsCryptoMode }} - {{ . }} - {{- end }} - true - {{ .usePresigning }} - {{ .signatureExpirySeconds }} - {{- with .cloudFrontDomainName }} - {{ . }} - {{- end }} - {{- with .cloudFrontKeyPairId }} - {{ .cloudFrontKeyPairId }} - {{- end }} - {{- with .cloudFrontPrivateKey }} - {{ . }} - {{- end }} - - {{- end }} - - {{- end }} - - {{- if eq .Values.artifactory.persistence.type "aws-s3" }} - - - - - - - - - - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - local - - - - 30 - 10000 - remote - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - - - - - {{ .Values.artifactory.persistence.awsS3.endpoint }} - {{- if .Values.artifactory.persistence.awsS3.roleName }} - {{ .Values.artifactory.persistence.awsS3.roleName }} - true - {{- else }} - {{ .Values.artifactory.persistence.awsS3.refreshCredentials }} - {{- end }} - {{ .Values.artifactory.persistence.awsS3.s3AwsVersion }} - {{ .Values.artifactory.persistence.awsS3.testConnection }} - {{ .Values.artifactory.persistence.awsS3.httpsOnly }} - {{ .Values.artifactory.persistence.awsS3.region }} - {{ .Values.artifactory.persistence.awsS3.bucketName }} - {{- if .Values.artifactory.persistence.awsS3.identity }} - {{ .Values.artifactory.persistence.awsS3.identity }} - {{- end }} - {{- if .Values.artifactory.persistence.awsS3.credential }} - {{ .Values.artifactory.persistence.awsS3.credential }} - {{- end }} - {{ .Values.artifactory.persistence.awsS3.path }} - {{- range $key, $value := .Values.artifactory.persistence.awsS3.properties }} - - {{- end }} - - - {{- end }} - {{- if eq .Values.artifactory.persistence.type "azure-blob" }} - - - - - - - - - - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - - crossNetworkStrategy - crossNetworkStrategy - 2 - 1 - - - - - remote - - - - local - - - - - {{ .Values.artifactory.persistence.azureBlob.accountName }} - {{ .Values.artifactory.persistence.azureBlob.accountKey }} - {{ .Values.artifactory.persistence.azureBlob.endpoint }} - {{ .Values.artifactory.persistence.azureBlob.containerName }} - {{ .Values.artifactory.persistence.azureBlob.testConnection }} - - - {{- end }} - - ## For artifactory.persistence.type file-system - fileSystem: - ## You may also use existing shared claims for the data and backup storage. This allows storage (NAS for example) to be used for Data and Backup dirs which are safe to share across multiple artifactory nodes. - ## You may specify numberOfExistingClaims to indicate how many of these existing shared claims to mount. (Default = 1) - ## Create PVCs with ReadWriteMany that match the naming convetions: - ## {{ template "artifactory-ha.fullname" . }}-data-pvc- - ## {{ template "artifactory-ha.fullname" . }}-backup-pvc- - ## Example (using numberOfExistingClaims: 2) - ## myexample-artifactory-ha-data-pvc-0 - ## myexample-artifactory-ha-backup-pvc-0 - ## myexample-artifactory-ha-data-pvc-1 - ## myexample-artifactory-ha-backup-pvc-1 - ## Note: While you need two PVC fronting two PVs, multiple PVs can be attached to the same storage in many cases allowing you to share an underlying drive. - - ## Need to have the following set - existingSharedClaim: - enabled: false - numberOfExistingClaims: 1 - ## Should be a child directory of {{ .Values.artifactory.persistence.mountPath }} - dataDir: "{{ .Values.artifactory.persistence.mountPath }}/artifactory-data" - backupDir: "/var/opt/jfrog/artifactory-backup" - - - ## For artifactory.persistence.type nfs - ## If using NFS as the shared storage, you must have a running NFS server that is accessible by your Kubernetes - ## cluster nodes. - ## Need to have the following set - nfs: - # Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' - ip: - haDataMount: "/data" - haBackupMount: "/backup" - dataDir: "/var/opt/jfrog/artifactory-ha" - backupDir: "/var/opt/jfrog/artifactory-backup" - capacity: 200Gi - mountOptions: [] - ## For artifactory.persistence.type google-storage - googleStorage: - endpoint: storage.googleapis.com - httpsOnly: false - # Set a unique bucket name - bucketName: "artifactory-ha-gcp" - identity: - credential: - path: "artifactory-ha/filestore" - bucketExists: false - - ## For artifactory.persistence.type aws-s3-v3 - awsS3V3: - testConnection: false - identity: - credential: - region: - bucketName: artifactory-aws - path: artifactory/filestore - endpoint: - kmsServerSideEncryptionKeyId: - kmsKeyRegion: - kmsCryptoMode: - useInstanceCredentials: true - usePresigning: false - signatureExpirySeconds: 300 - cloudFrontDomainName: - cloudFrontKeyPairId: - cloudFrontPrivateKey: - - ## For artifactory.persistence.type aws-s3 - ## IMPORTANT: Make sure S3 `endpoint` and `region` match! See https://docs.aws.amazon.com/general/latest/gr/rande.html - awsS3: - # Set a unique bucket name - bucketName: "artifactory-ha-aws" - endpoint: - region: - roleName: - identity: - credential: - path: "artifactory-ha/filestore" - refreshCredentials: true - httpsOnly: true - testConnection: false - s3AwsVersion: "AWS4-HMAC-SHA256" - - ## Additional properties to set on the s3 provider - properties: {} - # httpclient.max-connections: 100 - ## For artifactory.persistence.type azure-blob - azureBlob: - accountName: - accountKey: - endpoint: - containerName: - testConnection: false - service: - name: artifactory - type: ClusterIP - ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) - ## Set this to a list of IP CIDR ranges - ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] - ## or pass from helm command line - ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' - loadBalancerSourceRanges: [] - annotations: {} - ## Which nodes in the cluster should be in the external load balancer pool (have external traffic routed to them) - ## Supported pool values - ## members - ## all - pool: members - - ## The following Java options are passed to the java process running Artifactory. - ## This will be passed to all cluster members. Primary and member nodes. - javaOpts: {} - # other: "" - annotations: {} - - ## Type specific configurations. - ## There is a difference between the primary and the member nodes. - ## Customising their resources and java parameters is done here. - primary: - name: artifactory-ha-primary - labels: {} - persistence: - ## Set existingClaim to true or false - ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-primary-0` - existingClaim: false - ## Resources for the primary node - resources: {} - # requests: - # memory: "1Gi" - # cpu: "500m" - # limits: - # memory: "2Gi" - # cpu: "1" - ## The following Java options are passed to the java process running Artifactory primary node. - ## You should set them according to the resources set above - javaOpts: - # xms: "1g" - # xmx: "2g" - corePoolSize: 16 - jmx: - enabled: false - port: 9010 - host: - ssl: false - # When authenticate is true, accessFile and passwordFile are required - authenticate: false - accessFile: - passwordFile: - # other: "" - nodeSelector: {} - - tolerations: [] - - affinity: {} - ## Only used if "affinity" is empty - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "" - topologyKey: "kubernetes.io/hostname" - - node: - name: artifactory-ha-member - labels: {} - persistence: - ## Set existingClaim to true or false - ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-member-0` - existingClaim: false - replicaCount: 2 - minAvailable: 1 - ## Resources for the member nodes - resources: {} - # requests: - # memory: "1Gi" - # cpu: "500m" - # limits: - # memory: "2Gi" - # cpu: "1" - ## The following Java options are passed to the java process running Artifactory member nodes. - ## You should set them according to the resources set above - javaOpts: - # xms: "1g" - # xmx: "2g" - corePoolSize: 16 - jmx: - enabled: false - port: 9010 - host: - ssl: false - # When authenticate is true, accessFile and passwordFile are required - authenticate: false - accessFile: - passwordFile: - # other: "" - # xms: "1g" - # xmx: "2g" - # other: "" - nodeSelector: {} - waitForPrimaryStartup: - enabled: true - time: 60 - - tolerations: [] - - ## Complete specification of the "affinity" of the member nodes; if this is non-empty, - ## "podAntiAffinity" values are not used. - affinity: {} - - ## Only used if "affinity" is empty - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "" - topologyKey: "kubernetes.io/hostname" - -access: - database: - maxOpenConnections: 80 - -# Init containers -initContainers: - resources: {} -# requests: -# memory: "64Mi" -# cpu: "10m" -# limits: -# memory: "128Mi" -# cpu: "250m" - - -# Nginx -nginx: - enabled: true - name: nginx - labels: {} - replicaCount: 1 - uid: 104 - gid: 107 - image: - # repository: "docker.bintray.io/jfrog/nginx-artifactory-pro" - repository: "peters95/nginx-artifactory-pro" - # Note that by default we use appVersion to get image tag - # version: - pullPolicy: IfNotPresent - - - # Sidecar containers for tailing Nginx logs - loggers: [] - # - access.log - # - error.log - - mainConf: | - # Main Nginx configuration file - worker_processes 4; - error_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - variables_hash_max_size 1024; - variables_hash_bucket_size 64; - server_names_hash_max_size 4096; - server_names_hash_bucket_size 128; - types_hash_max_size 2048; - types_hash_bucket_size 64; - proxy_read_timeout 2400s; - client_header_timeout 2400s; - client_body_timeout 2400s; - proxy_connect_timeout 75s; - proxy_send_timeout 2400s; - proxy_buffer_size 32k; - proxy_buffers 40 32k; - proxy_busy_buffers_size 64k; - proxy_temp_file_write_size 250m; - proxy_http_version 1.1; - client_body_buffer_size 128k; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - log_format timing 'ip = $remote_addr ' - 'user = \"$remote_user\" ' - 'local_time = \"$time_local\" ' - 'host = $host ' - 'request = \"$request\" ' - 'status = $status ' - 'bytes = $body_bytes_sent ' - 'upstream = \"$upstream_addr\" ' - 'upstream_time = $upstream_response_time ' - 'request_time = $request_time ' - 'referer = \"$http_referer\" ' - 'UA = \"$http_user_agent\"'; - access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; - sendfile on; - #tcp_nopush on; - keepalive_timeout 65; - #gzip on; - include /etc/nginx/conf.d/*.conf; - } - - artifactoryConf: | - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; - ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; - ssl_session_cache shared:SSL:1m; - ssl_prefer_server_ciphers on; - ## server configuration - server { - {{- if .Values.nginx.internalPortHttps }} - listen {{ .Values.nginx.internalPortHttps }} ssl; - {{- else -}} - {{- if .Values.nginx.https.enabled }} - listen {{ .Values.nginx.https.internalPort }} ssl; - {{- end }} - {{- end }} - {{- if .Values.nginx.internalPortHttp }} - listen {{ .Values.nginx.internalPortHttp }}; - {{- else -}} - {{- if .Values.nginx.http.enabled }} - listen {{ .Values.nginx.http.internalPort }}; - {{- end }} - {{- end }} - server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} - {{- range .Values.ingress.hosts -}} - {{- if contains "." . -}} - {{ "" | indent 0 }} ~(?.+)\.{{ (splitn "." 2 .)._1 }} {{ . }} - {{- end -}} - {{- end -}}; - - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - ## access_log /var/log/nginx/artifactory-access.log timing; - ## error_log /var/log/nginx/artifactory-error.log; - rewrite ^/artifactory/?$ / redirect; - if ( $repo != "" ) { - rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; - } - chunked_transfer_encoding on; - client_max_body_size 0; - - location / { - proxy_read_timeout 900; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/; - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location /artifactory/ { - if ( $request_uri ~ ^/artifactory/(.*)$ ) { - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; - } - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; - } - } - } - - service: - ## For minikube, set this to NodePort, elsewhere use LoadBalancer - #type: NodePort - type: LoadBalancer - #type: ClusterIP - ## For supporting whitelist on the Nginx LoadBalancer service - ## Set this to a list of IP CIDR ranges - ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] - ## or pass from helm command line - ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' - loadBalancerSourceRanges: [] - ## Provide static ip address - loadBalancerIP: - ## There are two available options: “Cluster” (default) and “Local”. - externalTrafficPolicy: Cluster - labels: {} - # label-key: label-value - http: - enabled: true - externalPort: 80 - internalPort: 80 - https: - enabled: true - externalPort: 443 - internalPort: 443 - # DEPRECATED: The following will be replaced by L1065-L1076 in a future release - # externalPortHttp: 80 - # internalPortHttp: 80 - # externalPortHttps: 443 - # internalPortHttps: 443 - - ## The following settings are to configure the frequency of the liveness and readiness probes - livenessProbe: - enabled: true - path: /router/api/v1/system/health - initialDelaySeconds: 60 - failureThreshold: 10 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - - readinessProbe: - enabled: true - path: /router/api/v1/system/health - initialDelaySeconds: 10 - failureThreshold: 10 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - ## The SSL secret that will be used by the Nginx pod - # tlsSecretName: chart-example-tls - ## Custom ConfigMap for nginx.conf - customConfigMap: - ## Custom ConfigMap for artifactory.conf - customArtifactoryConfigMap: - persistence: - mountPath: "/var/opt/jfrog/nginx" - enabled: false - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - accessMode: ReadWriteOnce - size: 5Gi - ## nginx data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClassName: "-" - resources: {} - # requests: - # memory: "250Mi" - # cpu: "100m" - # limits: - # memory: "250Mi" - # cpu: "500m" - - nodeSelector: {} - - tolerations: [] - - affinity: {} - -# Filebeat Sidecar container -## The provided filebeat configuration is for Artifactory logs. It assumes you have a logstash installed and configured properly. -filebeat: - enabled: false - name: artifactory-filebeat - image: - repository: "docker.elastic.co/beats/filebeat" - version: 7.5.1 - logstashUrl: "logstash:5044" - - terminationGracePeriod: 10 - - livenessProbe: - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - curl --fail 127.0.0.1:5066 - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - - readinessProbe: - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - filebeat test output - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - - resources: {} -# requests: -# memory: "100Mi" -# cpu: "100m" -# limits: -# memory: "100Mi" -# cpu: "100m" - - filebeatYml: | - logging.level: info - path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat - name: artifactory-filebeat - queue.spool: ~ - filebeat.inputs: - - type: log - enabled: true - close_eof: ${CLOSE:false} - paths: - - {{ .Values.artifactory.persistence.mountPath }}/log/*.log - fields: - service: "jfrt" - log_type: "artifactory" - output: - logstash: - hosts: ["{{ .Values.filebeat.logstashUrl }}"] From 4be8a96fb6b0d8df1ce42b6364e7ede2cff9af9d Mon Sep 17 00:00:00 2001 From: John Peterson Date: Thu, 13 Feb 2020 11:51:35 -0800 Subject: [PATCH 03/28] updates for new redhat ubi image and also temp fix for INST-550 bug --- Openshift4/artifactory-ha-operator/README.md | 26 +++++++++++++++++++ ...io_v1alpha1_openshiftartifactoryha_cr.yaml | 4 +-- .../deploy/hostpathscc.yaml | 18 +++++++++++++ .../deploy/imagestream-nginx.yaml | 6 +++++ ...estream.yaml => imagestream-operator.yaml} | 0 .../deploy/imagestream-pro.yaml | 6 +++++ .../deploy/namespace.yaml | 13 ---------- ...operator.v1.0.0.clusterserviceversion.yaml | 4 +-- .../deploy/operator.yaml | 1 - .../openshift-artifactory-ha/Chart.yaml | 2 +- .../openshift-artifactory-ha/values.yaml | 24 ++++++++--------- Openshift4/artifactory-ha-operator/setup.sh | 25 ++++++++++++++++++ Openshift4/artifactory-ha-operator/unload.sh | 10 +++++++ 13 files changed, 108 insertions(+), 31 deletions(-) create mode 100644 Openshift4/artifactory-ha-operator/README.md create mode 100644 Openshift4/artifactory-ha-operator/deploy/hostpathscc.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/imagestream-nginx.yaml rename Openshift4/artifactory-ha-operator/deploy/{imagestream.yaml => imagestream-operator.yaml} (100%) create mode 100644 Openshift4/artifactory-ha-operator/deploy/imagestream-pro.yaml create mode 100755 Openshift4/artifactory-ha-operator/setup.sh create mode 100755 Openshift4/artifactory-ha-operator/unload.sh diff --git a/Openshift4/artifactory-ha-operator/README.md b/Openshift4/artifactory-ha-operator/README.md new file mode 100644 index 0000000..5bebad5 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/README.md @@ -0,0 +1,26 @@ +# Openshift 4 Artifactory Operator +## Cluster Setup +###### Security Context Constraints - Anyuid + Hostpath +###### Persistent Volumes +###### +## Installation types +###### OLM Catalog +To install via the OLM catalog download the operator from the Operator hub and install it via the Openshift console GUI + +To test OLM catalog installs you will need to deploy the lastest ClusterServiceVersion found at: + deploy/olm-catalog/artifactory-ha-operator/X.X.X/artifactory-ha-operator.vX.X.X.clusterserviceversion.yaml + +This will install the operator into whatever cluster your kubectl or oc program is currently logged into. + +Please refer to Local Testing section below for full instructions. + +###### Operator YAML +To install the operator via the Operator YAML first follow the steps in + + +###### Operator-sdk local + + + +## Local Testing + diff --git a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml index da682db..ae1ad6a 100644 --- a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml @@ -50,7 +50,7 @@ spec: path: null image: pullPolicy: IfNotPresent - repository: earlyaccess.jfrog.io/artifactory-pro + repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro internalArtifactoryPort: 8081 internalPort: 8082 javaOpts: {} @@ -759,7 +759,7 @@ spec: internalPort: 443 image: pullPolicy: IfNotPresent - repository: earlyaccess.jfrog.io/nginx-artifactory-pro + repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro labels: {} livenessProbe: enabled: true diff --git a/Openshift4/artifactory-ha-operator/deploy/hostpathscc.yaml b/Openshift4/artifactory-ha-operator/deploy/hostpathscc.yaml new file mode 100644 index 0000000..13eef79 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/hostpathscc.yaml @@ -0,0 +1,18 @@ +kind: SecurityContextConstraints +apiVersion: v1 +metadata: + name: hostpath +allowPrivilegedContainer: false +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: +- artifactory +groups: +- artifactory +- jfrog-artifactory diff --git a/Openshift4/artifactory-ha-operator/deploy/imagestream-nginx.yaml b/Openshift4/artifactory-ha-operator/deploy/imagestream-nginx.yaml new file mode 100644 index 0000000..a0ef6b3 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/imagestream-nginx.yaml @@ -0,0 +1,6 @@ +apiVersion: image.openshift.io/v1 +kind: ImageStream +metadata: + name: nginx-artifactory-pro + namespace: jfrog-artifactory + diff --git a/Openshift4/artifactory-ha-operator/deploy/imagestream.yaml b/Openshift4/artifactory-ha-operator/deploy/imagestream-operator.yaml similarity index 100% rename from Openshift4/artifactory-ha-operator/deploy/imagestream.yaml rename to Openshift4/artifactory-ha-operator/deploy/imagestream-operator.yaml diff --git a/Openshift4/artifactory-ha-operator/deploy/imagestream-pro.yaml b/Openshift4/artifactory-ha-operator/deploy/imagestream-pro.yaml new file mode 100644 index 0000000..4c4ba85 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/imagestream-pro.yaml @@ -0,0 +1,6 @@ +apiVersion: image.openshift.io/v1 +kind: ImageStream +metadata: + name: artifactory-pro + namespace: jfrog-artifactory + diff --git a/Openshift4/artifactory-ha-operator/deploy/namespace.yaml b/Openshift4/artifactory-ha-operator/deploy/namespace.yaml index 1be0be1..b94caf4 100644 --- a/Openshift4/artifactory-ha-operator/deploy/namespace.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/namespace.yaml @@ -2,16 +2,3 @@ kind: Namespace apiVersion: v1 metadata: name: jfrog-artifactory - selfLink: /api/v1/namespaces/jfrog-artifactory - uid: 402ec7e9-3ca2-11ea-bd94-0ef0e3c74fbe - resourceVersion: '523038' - creationTimestamp: '2020-01-21T23:03:34Z' - annotations: - openshift.io/sa.scc.mcs: 's0:c23,c2' - openshift.io/sa.scc.supplemental-groups: 1000510000/10000 - openshift.io/sa.scc.uid-range: 1000510000/10000 -spec: - finalizers: - - kubernetes -status: - phase: Active diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 0a3b20c..de12846 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -50,7 +50,7 @@ metadata: }, "image": { "pullPolicy": "IfNotPresent", - "repository": "earlyaccess.jfrog.io/artifactory-pro" + "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro" }, "internalArtifactoryPort": 8081, "internalPort": 8082, @@ -348,7 +348,7 @@ metadata: }, "image": { "pullPolicy": "IfNotPresent", - "repository": "earlyaccess.jfrog.io/nginx-artifactory-pro" + "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro" }, "labels": {}, "livenessProbe": { diff --git a/Openshift4/artifactory-ha-operator/deploy/operator.yaml b/Openshift4/artifactory-ha-operator/deploy/operator.yaml index c0d5a69..e32db4a 100644 --- a/Openshift4/artifactory-ha-operator/deploy/operator.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/operator.yaml @@ -16,7 +16,6 @@ spec: containers: - name: artifactory-ha-operator image: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-ha - #image: ubuntu imagePullPolicy: IfNotPresent env: - name: WATCH_NAMESPACE diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml index 0e1989f..af5ff44 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 7.0.2 +appVersion: 7.0.7 description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers. home: https://www.jfrog.com/artifactory/ diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml index 64af84e..242803c 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml @@ -154,7 +154,7 @@ artifactory: name: artifactory-ha image: # repository: "docker.bintray.io/jfrog/artifactory-pro" - repository: "earlyaccess.jfrog.io/artifactory-pro" + repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro # Note that by default we use appVersion to get image tag # version: pullPolicy: IfNotPresent @@ -356,16 +356,16 @@ artifactory: ## Extra environment variables that can be used to tune Artifactory to your needs. ## Uncomment and set value as needed - #extraEnvironmentVariables: | - # - name: JF_SHARED_DATABSE_USERNAME - # value: "artifactory" - # - name: JF_SHARED_DATABASE_PASSWORD - # valueFrom: - # secretKeyRef: - # name: {{ .Release.Name }}-postgresql - # key: postgresql-password - # - name: POSTGRES_DB - # value: "artifactory" + extraEnvironmentVariables: | + - name: JF_SHARED_DATABSE_USERNAME + value: "artifactory" + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgresql + key: postgresql-password + - name: POSTGRES_DB + value: "artifactory" # TODO: Fix javaOpts for member nodes (currently uses primary settings for all nodes) systemYaml: | @@ -1054,7 +1054,7 @@ nginx: gid: 107 image: # repository: "docker.bintray.io/jfrog/nginx-artifactory-pro" - repository: "earlyaccess.jfrog.io/nginx-artifactory-pro" + repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro # Note that by default we use appVersion to get image tag # version: pullPolicy: IfNotPresent diff --git a/Openshift4/artifactory-ha-operator/setup.sh b/Openshift4/artifactory-ha-operator/setup.sh new file mode 100755 index 0000000..3bef5e9 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/setup.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash +oc project default +oc apply -f helm-charts/openshift-artifactory-ha/pv-examples +oc apply -f deploy/project.yaml +oc apply -f deploy/namespace.yaml +oc project jfrog-artifactory +oc apply -f deploy/imagestream-nginx.yaml +oc apply -f deploy/imagestream-pro.yaml +oc apply -f deploy/imagestream-operator.yaml +oc patch image.config.openshift.io/cluster --type=merge --patch='{"spec":{"registrySources":{"insecureRegistries":["default-route-openshift-image-registry.apps-crc.testing"]}}}' +oc apply -f deploy/role.yaml +oc apply -f deploy/role_binding.yaml +oc apply -f deploy/service_account.yaml +oc apply -f deploy/securitycontextconstraints.yaml +oc adm policy add-scc-to-user scc-admin system:serviceaccount:jfrog-artifactory:artifactory-ha-operator +oc adm policy add-scc-to-user scc-admin system:serviceaccount:jfrog-artifactory:default +oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:artifactory-ha-operator +oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:default +oc adm policy add-scc-to-group anyuid system:authenticated +oc apply -f deploy/hostpathscc.yaml +oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' +oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:artifactory-ha-operator +oc apply -f deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml +oc apply -f deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml +oc create secret generic artifactory-license --from-file=../artifactory.cluster.license diff --git a/Openshift4/artifactory-ha-operator/unload.sh b/Openshift4/artifactory-ha-operator/unload.sh new file mode 100755 index 0000000..343f2a4 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/unload.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +oc project jfrog-artifactory +oc delete deployments --all +oc delete statefulsets --all +oc delete configmaps --all +oc delete deploymentconfigs --all +oc delete pods --all +oc delete svc --all +oc delete networkpolicies --all +oc delete pvc --all From 91a785a188d7565722fbf15722a3cf81bdc5f9d5 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Thu, 13 Feb 2020 13:54:25 -0800 Subject: [PATCH 04/28] updating readme contents with cluster setup and local test steps --- Openshift4/artifactory-ha-operator/README.md | 79 ++++++++++++++++++-- 1 file changed, 74 insertions(+), 5 deletions(-) diff --git a/Openshift4/artifactory-ha-operator/README.md b/Openshift4/artifactory-ha-operator/README.md index 5bebad5..a2751f1 100644 --- a/Openshift4/artifactory-ha-operator/README.md +++ b/Openshift4/artifactory-ha-operator/README.md @@ -1,8 +1,53 @@ # Openshift 4 Artifactory Operator ## Cluster Setup -###### Security Context Constraints - Anyuid + Hostpath +###### Security Context Constraints - Anyuid + +Openshift only allows statefulsets / pods to run in specific user and group id ranges. +Artifactory currently uses users outside of this allowed range. +For this reason the service account for the operator in the jfrog-artifactory namespace must be granted anyuid privileges. + +Ex: oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:artifactory-ha-operator + +Where anyuid is the Security context constraint being applied to the service account artifactory-ha-operator in namespace jfrog-artifactory. + +If you run setup.sh these will be created on the cluster your kubectl or oc program is connected to. + +###### Security Context Constraints - Hostpath + +Openshift does not have the hostpath plugin enabled by default. + +A security context constraint has been created for hostpath in deploy/hostpathscc.yaml + +You can apply the security context constraint and hostpath plugin patch via these commands: + +oc apply -f deploy/hostpathscc.yaml +oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' +oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:artifactory-ha-operator + +Or if you run setup.sh these will already be done. + ###### Persistent Volumes -###### + +Artifactory HA nodes by default request persistent volume claims 200 Gbs in size. + +If your cluster does not already have existing persistent volumes that are 200Gi you will need to create new persistent volumes that are large enough to bound the claims to. + +Example persistent volumes can be found at: + +helm-charts/openshift-artifactory-ha/pv-examples + +If you create the five folders on each node: + + /mnt/pv-data/pv0001-large + /mnt/pv-data/pv0002-large + /mnt/pv-data/pv0003-large + /mnt/pv-data/pv0004-large + /mnt/pv-data/pv0005-large + +You can then apply the example persistent volumes to your cluster with: + +oc apply -f helm-charts/openshift-artifactory-ha/pv-examples + ## Installation types ###### OLM Catalog To install via the OLM catalog download the operator from the Operator hub and install it via the Openshift console GUI @@ -15,12 +60,36 @@ This will install the operator into whatever cluster your kubectl or oc program Please refer to Local Testing section below for full instructions. ###### Operator YAML -To install the operator via the Operator YAML first follow the steps in +To install the operator via the Operator YAML follow the Local Testing tests. +Instead of running operator-sdk up local for the last step run: -###### Operator-sdk local +oc apply -f deploy/operator.yaml - +This will deploy the operator into the cluster. ## Local Testing +Please refer to cluster setup. Ensure all steps have been completed prior to local testing against code ready containers. + +Follow these steps: + +Install code ready containers if you do not already have it installed. + +Run your cluster with 2 cpus and 8192 MBs of memory at a minimum to support HA: + +crc start -c 2 -m 8192 + +Recommended settings: + +crc start -c 4 -m 16384 + +Create file: JFrog-Cloud-Installers/Openshift4/artifactory.cluster.license + Paste your license keys into this file for HA configuration of multiple nodes. + Note: License keys must be separated by two new lines. + +Run: setup.sh + +###### Operator-sdk local + +Run: operator-sdk up local \ No newline at end of file From 43118a099c05f714de52a48490a6630d1c7d1969 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Thu, 13 Feb 2020 14:05:23 -0800 Subject: [PATCH 05/28] README for artifactory-ha-operator formatting updates --- Openshift4/README.md | 7 +++ Openshift4/artifactory-ha-operator/README.md | 59 +++++++++++++++----- 2 files changed, 53 insertions(+), 13 deletions(-) create mode 100644 Openshift4/README.md diff --git a/Openshift4/README.md b/Openshift4/README.md new file mode 100644 index 0000000..fbd9ee7 --- /dev/null +++ b/Openshift4/README.md @@ -0,0 +1,7 @@ +# Openshift 4 Operators + +## Artifactory HA + +To install Artifactory HA as an Openshift 4 operator please use the console's OperatorHub to install the official operator. + +To install the operator locally please refer to the instructions that can be found in the README under artifactory-ha-operator. diff --git a/Openshift4/artifactory-ha-operator/README.md b/Openshift4/artifactory-ha-operator/README.md index a2751f1..8e442dd 100644 --- a/Openshift4/artifactory-ha-operator/README.md +++ b/Openshift4/artifactory-ha-operator/README.md @@ -1,4 +1,4 @@ -# Openshift 4 Artifactory Operator +# Artifactory HA Operator ## Cluster Setup ###### Security Context Constraints - Anyuid @@ -6,7 +6,9 @@ Openshift only allows statefulsets / pods to run in specific user and group id r Artifactory currently uses users outside of this allowed range. For this reason the service account for the operator in the jfrog-artifactory namespace must be granted anyuid privileges. -Ex: oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:artifactory-ha-operator +``` +oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:artifactory-ha-operator +``` Where anyuid is the Security context constraint being applied to the service account artifactory-ha-operator in namespace jfrog-artifactory. @@ -20,9 +22,11 @@ A security context constraint has been created for hostpath in deploy/hostpathsc You can apply the security context constraint and hostpath plugin patch via these commands: +``` oc apply -f deploy/hostpathscc.yaml oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:artifactory-ha-operator +``` Or if you run setup.sh these will already be done. @@ -34,26 +38,35 @@ If your cluster does not already have existing persistent volumes that are 200Gi Example persistent volumes can be found at: +``` helm-charts/openshift-artifactory-ha/pv-examples +``` If you create the five folders on each node: - /mnt/pv-data/pv0001-large - /mnt/pv-data/pv0002-large - /mnt/pv-data/pv0003-large - /mnt/pv-data/pv0004-large - /mnt/pv-data/pv0005-large +``` +mkdir -p /mnt/pv-data/pv0001-large +mkdir -p /mnt/pv-data/pv0002-large +mkdir -p /mnt/pv-data/pv0003-large +mkdir -p /mnt/pv-data/pv0004-large +mkdir -p /mnt/pv-data/pv0005-large +``` You can then apply the example persistent volumes to your cluster with: +``` oc apply -f helm-charts/openshift-artifactory-ha/pv-examples +``` ## Installation types ###### OLM Catalog To install via the OLM catalog download the operator from the Operator hub and install it via the Openshift console GUI To test OLM catalog installs you will need to deploy the lastest ClusterServiceVersion found at: - deploy/olm-catalog/artifactory-ha-operator/X.X.X/artifactory-ha-operator.vX.X.X.clusterserviceversion.yaml + +``` +deploy/olm-catalog/artifactory-ha-operator/X.X.X/artifactory-ha-operator.vX.X.X.clusterserviceversion.yaml +``` This will install the operator into whatever cluster your kubectl or oc program is currently logged into. @@ -64,7 +77,9 @@ To install the operator via the Operator YAML follow the Local Testing tests. Instead of running operator-sdk up local for the last step run: +``` oc apply -f deploy/operator.yaml +``` This will deploy the operator into the cluster. @@ -78,18 +93,36 @@ Install code ready containers if you do not already have it installed. Run your cluster with 2 cpus and 8192 MBs of memory at a minimum to support HA: +``` crc start -c 2 -m 8192 +``` Recommended settings: +``` crc start -c 4 -m 16384 +``` -Create file: JFrog-Cloud-Installers/Openshift4/artifactory.cluster.license - Paste your license keys into this file for HA configuration of multiple nodes. - Note: License keys must be separated by two new lines. +Create file: -Run: setup.sh +``` +JFrog-Cloud-Installers/Openshift4/artifactory.cluster.license +``` + +Paste your license keys into this file for HA configuration of multiple nodes. + +* License keys must be separated by two new lines. * + +Run: + +``` +JFrog-Cloud-Installers/Openshift4/artifactory-ha-operator/setup.sh +``` ###### Operator-sdk local -Run: operator-sdk up local \ No newline at end of file +Run: + +``` +operator-sdk up local +``` \ No newline at end of file From e9ee970196d7f472c5a817a3e9961b2c89f7c1b2 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Thu, 13 Feb 2020 14:09:32 -0800 Subject: [PATCH 06/28] updates to README to fix typo and add change dir for operator sdk up local to work as expected --- Openshift4/artifactory-ha-operator/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Openshift4/artifactory-ha-operator/README.md b/Openshift4/artifactory-ha-operator/README.md index 8e442dd..eadfde7 100644 --- a/Openshift4/artifactory-ha-operator/README.md +++ b/Openshift4/artifactory-ha-operator/README.md @@ -111,7 +111,7 @@ JFrog-Cloud-Installers/Openshift4/artifactory.cluster.license Paste your license keys into this file for HA configuration of multiple nodes. -* License keys must be separated by two new lines. * +* License keys must be separated by two new lines. Run: @@ -124,5 +124,6 @@ JFrog-Cloud-Installers/Openshift4/artifactory-ha-operator/setup.sh Run: ``` +cd JFrog-Cloud-Installers/Openshift4/artifactory-ha-operator operator-sdk up local ``` \ No newline at end of file From af2336cb3786d27fa1fbc3d00bf5bc1dc5773838 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Thu, 13 Feb 2020 14:52:09 -0800 Subject: [PATCH 07/28] updates to readme and contributing files --- Openshift4/README.md | 35 ++++++++++- .../artifactory-ha-operator/CONTRIBUTING.md | 62 +++++++++++++++++++ Openshift4/artifactory-ha-operator/README.md | 35 ++++++++++- 3 files changed, 129 insertions(+), 3 deletions(-) create mode 100644 Openshift4/artifactory-ha-operator/CONTRIBUTING.md diff --git a/Openshift4/README.md b/Openshift4/README.md index fbd9ee7..b68063b 100644 --- a/Openshift4/README.md +++ b/Openshift4/README.md @@ -1,7 +1,38 @@ -# Openshift 4 Operators +# Artifactory HA Operator +This code base is intended to deploy Artifactory HA as an operator to an Openshift4 cluster. You can run the operator either through the operator-sdk, operator.yaml, or the Operatorhub. -## Artifactory HA +Openshift OperatorHub has the latest official supported Cluster Service Version (CSV) for the OLM catalog. + +## Getting Started + +These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system. + +## Prerequisites + +###### Openshift 4 Cluster + +Available on AWS, GCP, or Azure. Follow the Cloud installer guide available here: + +[Openshift 4 Installers](https://cloud.redhat.com/openshift/install) + +Or run it locally using CodeReadyContainers. + +[Code Ready Container Installer](https://cloud.redhat.com/openshift/install/crc/installer-provisioned) + +###### Openshift 4 Command Line Tools + +[Getting Started with CLI](https://docs.openshift.com/container-platform/4.2/cli_reference/openshift_cli/getting-started-cli.html) + +## Next Steps To install Artifactory HA as an Openshift 4 operator please use the console's OperatorHub to install the official operator. To install the operator locally please refer to the instructions that can be found in the README under artifactory-ha-operator. + +## Contributing +Please read [CONTRIBUTING.md](JFrog-Cloud-Installers/Openshift4/artifactory-ha-operator/CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us. + +## Versioning +We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/jfrog/JFrog-Cloud-Installers/tags). + +## Contact diff --git a/Openshift4/artifactory-ha-operator/CONTRIBUTING.md b/Openshift4/artifactory-ha-operator/CONTRIBUTING.md new file mode 100644 index 0000000..83961a0 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/CONTRIBUTING.md @@ -0,0 +1,62 @@ +# Contributing + +When contributing to this repository, please first discuss the change you wish to make via slack, issue, email, or any other method with the owners of this repository before making a change. + +Note we have a code of conduct, please follow it in all your interactions with the project. + +## Pull Request Process + +Ensure any install or build dependencies are removed before the end of the layer when doing a build. + +Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations and container parameters. + +Increase the version numbers in any examples files and the README.md to the new version that this Pull Request would represent. The versioning scheme we use is SemVer. + +You may merge the Pull Request in once you have the sign-off of one other developer. + +## Code of Conduct +### Our Pledge + +In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. + +### Our Standards + +Examples of behavior that contributes to creating a positive environment include: + + ``` + Using welcoming and inclusive language + Being respectful of differing viewpoints and experiences + Gracefully accepting constructive criticism + Focusing on what is best for the company + Showing empathy towards other colleagues + ``` + +Examples of unacceptable behavior by participants include: + + ``` + The use of sexualized language or imagery and unwelcome sexual attention or advances + Trolling, insulting/derogatory comments, and personal or political attacks + Public or private harassment + Publishing others' private information, such as a physical or electronic address, without explicit permission + Other conduct which could reasonably be considered inappropriate in a professional setting + ``` + +### Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. + +## Scope + +This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project. Examples of representing a project include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. + +Attribution + + This Code of Conduct is adapted from the [Contributor Covenant version 1.4] (http://contributor-covenant.org/version/1/4) diff --git a/Openshift4/artifactory-ha-operator/README.md b/Openshift4/artifactory-ha-operator/README.md index eadfde7..7b25a3b 100644 --- a/Openshift4/artifactory-ha-operator/README.md +++ b/Openshift4/artifactory-ha-operator/README.md @@ -1,4 +1,28 @@ # Artifactory HA Operator +This code base is intended to deploy Artifactory HA as an operator to an Openshift4 cluster. You can run the operator either through the operator-sdk, operator.yaml, or the Operatorhub. + +Openshift OperatorHub has the latest official supported Cluster Service Version (CSV) for the OLM catalog. + +## Getting Started + +These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system. + +## Prerequisites + +###### Openshift 4 Cluster + +Available on AWS, GCP, or Azure. Follow the Cloud installer guide available here: + +[Openshift 4 Installers](https://cloud.redhat.com/openshift/install) + +Or run it locally using CodeReadyContainers. + +[Code Ready Container Installer](https://cloud.redhat.com/openshift/install/crc/installer-provisioned) + +###### Openshift 4 Command Line Tools + +[Getting Started with CLI](https://docs.openshift.com/container-platform/4.2/cli_reference/openshift_cli/getting-started-cli.html) + ## Cluster Setup ###### Security Context Constraints - Anyuid @@ -58,6 +82,7 @@ You can then apply the example persistent volumes to your cluster with: oc apply -f helm-charts/openshift-artifactory-ha/pv-examples ``` + ## Installation types ###### OLM Catalog To install via the OLM catalog download the operator from the Operator hub and install it via the Openshift console GUI @@ -126,4 +151,12 @@ Run: ``` cd JFrog-Cloud-Installers/Openshift4/artifactory-ha-operator operator-sdk up local -``` \ No newline at end of file +``` + +## Contributing +Please read [CONTRIBUTING.md](JFrog-Cloud-Installers/Openshift4/artifactory-ha-operator/CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us. + +## Versioning +We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/jfrog/JFrog-Cloud-Installers/tags). + +## Contact From 03d9a2ff09ca795a546a2dd49b11e4700c951edf Mon Sep 17 00:00:00 2001 From: John Peterson Date: Fri, 6 Mar 2020 11:20:14 -0800 Subject: [PATCH 08/28] adding tls-ingress for ssl certificates to work --- .../charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml index ae1ad6a..b6f8cec 100644 --- a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml @@ -748,6 +748,7 @@ spec: customArtifactoryConfigMap: null customConfigMap: null enabled: true + tlsSecretName: tls-ingress gid: 107 http: enabled: true From c71db854a9b17d2be99f6ff42cff5b3ab8a7a2c3 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Mon, 9 Mar 2020 15:23:31 -0700 Subject: [PATCH 09/28] updates to helm chart to subchart latest GA ha chart version 2.0.25 w/ redhat init container fix --- Openshift4/.gitignore | 2 + .../openshift-artifactory-ha/Chart.yaml | 4 +- .../openshift-artifactory-ha/README.md | 1268 +--------------- .../charts/artifactory-ha-2.0.25.tgz | Bin 0 -> 111438 bytes .../openshift-artifactory-ha/helminstall.sh | 39 +- .../openshift-artifactory-ha/hostpathscc.yaml | 18 + .../requirements.lock | 10 +- .../requirements.yaml | 7 +- .../openshift-artifactory-ha/values.yaml | 1350 +---------------- 9 files changed, 75 insertions(+), 2623 deletions(-) mode change 100755 => 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.25.tgz create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/hostpathscc.yaml mode change 100755 => 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock mode change 100755 => 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml diff --git a/Openshift4/.gitignore b/Openshift4/.gitignore index bcacc76..29f94fa 100644 --- a/Openshift4/.gitignore +++ b/Openshift4/.gitignore @@ -1 +1,3 @@ artifactory.cluster.license +jfrog.team.crt +jfrog.team.key diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml index af5ff44..0c34ad8 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 7.0.7 +appVersion: 7.2.1 description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers. home: https://www.jfrog.com/artifactory/ @@ -21,4 +21,4 @@ name: openshift-artifactory-ha sources: - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view - https://github.com/jfrog/charts -version: 2.0.4 +version: 2.0.25 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md old mode 100755 new mode 100644 index 76bd6af..5e69a31 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md @@ -1,1266 +1,2 @@ -# JFrog Artifactory High Availability Helm Chart - -## Prerequisites Details - -* Kubernetes 1.8+ -* Artifactory HA license - -## Chart Details -This chart will do the following: - -* Deploy Artifactory highly available cluster. 1 primary node and 2 member nodes. -* Deploy a PostgreSQL database -* Deploy an Nginx server - -## Artifactory HA architecture -The Artifactory HA cluster in this chart is made up of -- A single primary node -- Two member nodes, which can be resized at will - -Load balancing is done to the member nodes only. -This leaves the primary node free to handle jobs and tasks and not be interrupted by inbound traffic. -> This can be controlled by the parameter `artifactory.service.pool`. - -## Installing the Chart - -### Add JFrog Helm repository -Before installing JFrog helm charts, you need to add the [JFrog helm repository](https://charts.jfrog.io/) to your helm client -```bash -helm repo add jfrog https://charts.jfrog.io -``` - -### Install Chart -To install the chart with the release name `artifactory-ha`: -```bash -helm install --name artifactory-ha --set postgresql.postgresqlPassword= jfrog/artifactory-ha -``` - -### System Configuration -Artifactory uses a common system configuration file - `system.yaml`. See [official documentation](https://www.jfrog.com/confluence/display/JFROG/System+YAML+Configuration+File) on its usage. -In order to override the default `system.yaml` configuration, do the following: -```bash -artifactory: - systemYaml: | - -``` - -### Accessing Artifactory -**NOTE:** It might take a few minutes for Artifactory's public IP to become available, and the nodes to complete initial setup. -Follow the instructions outputted by the install command to get the Artifactory IP and URL to access it. - -### Updating Artifactory -Once you have a new chart version, you can update your deployment with -```bash -helm upgrade artifactory-ha jfrog/artifactory-ha -``` - -If artifactory was installed without providing a value to postgresql.postgresqlPassword (a password was autogenerated), follow these instructions: -1. Get the current password by running: -```bash -POSTGRES_PASSWORD=$(kubectl get secret -n -postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) -``` -2. Upgrade the release by passing the previously auto-generated secret: -```bash -helm upgrade jfrog/artifactory-ha --set postgresql.postgresqlPassword=${POSTGRES_PASSWORD} -``` - -This will apply any configuration changes on your existing deployment. - -### Artifactory memory and CPU resources -The Artifactory HA Helm chart comes with support for configured resource requests and limits to all pods. By default, these settings are commented out. -It is **highly** recommended to set these so you have full control of the allocated resources and limits. - -See more information on [setting resources for your Artifactory based on planned usage](https://www.jfrog.com/confluence/display/RTF/System+Requirements#SystemRequirements-RecommendedHardware). - -```bash -# Example of setting resource requests and limits to all pods (including passing java memory settings to Artifactory) -helm install --name artifactory-ha \ - --set artifactory.primary.resources.requests.cpu="500m" \ - --set artifactory.primary.resources.limits.cpu="2" \ - --set artifactory.primary.resources.requests.memory="1Gi" \ - --set artifactory.primary.resources.limits.memory="4Gi" \ - --set artifactory.primary.javaOpts.xms="1g" \ - --set artifactory.primary.javaOpts.xmx="4g" \ - --set artifactory.node.resources.requests.cpu="500m" \ - --set artifactory.node.resources.limits.cpu="2" \ - --set artifactory.node.resources.requests.memory="1Gi" \ - --set artifactory.node.resources.limits.memory="4Gi" \ - --set artifactory.node.javaOpts.xms="1g" \ - --set artifactory.node.javaOpts.xmx="4g" \ - --set initContainers.resources.requests.cpu="10m" \ - --set initContainers.resources.limits.cpu="250m" \ - --set initContainers.resources.requests.memory="64Mi" \ - --set initContainers.resources.limits.memory="128Mi" \ - --set postgresql.resources.requests.cpu="200m" \ - --set postgresql.resources.limits.cpu="1" \ - --set postgresql.resources.requests.memory="500Mi" \ - --set postgresql.resources.limits.memory="1Gi" \ - --set nginx.resources.requests.cpu="100m" \ - --set nginx.resources.limits.cpu="250m" \ - --set nginx.resources.requests.memory="250Mi" \ - --set nginx.resources.limits.memory="500Mi" \ - jfrog/artifactory-ha -``` -> Artifactory java memory parameters can (and should) also be set to match the allocated resources with `artifactory.[primary|node].javaOpts.xms` and `artifactory.[primary|node].javaOpts.xmx`. - -Get more details on configuring Artifactory in the [official documentation](https://www.jfrog.com/confluence/). - -Although it is possible to set resources limits and requests this way, it is recommended to use the pre-built values files -for small, medium and large installation and change them according to your needs (if necessary), as described [here](#Deploying-Artifactory-for-small/medium/large-installations) - -### Deploying Artifactory for small/medium/large installations -In the chart directory, we have added three values files, one for each installation type - small/medium/large. These values files are recommendations for setting resources requests and limits for your installation. The values are derived from the following [documentation](https://www.jfrog.com/confluence/display/EP/Installing+on+Kubernetes#InstallingonKubernetes-Systemrequirements). You can find them in the corresponding chart directory - values-small.yaml, values-medium.yaml and values-large.yaml - -### Artifactory storage -Artifactory HA support a wide range of storage back ends. You can see more details on [Artifactory HA storage options](https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup#HAInstallationandSetup-SettingUpYourStorageConfiguration) - -In this chart, you set the type of storage you want with `artifactory.persistence.type` and pass the required configuration settings. -The default storage in this chart is the `file-system` replication, where the data is replicated to all nodes. - -> **IMPORTANT:** All storage configurations (except NFS) come with a default `artifactory.persistence.redundancy` parameter. -This is used to set how many replicas of a binary should be stored in the cluster's nodes. -Once this value is set on initial deployment, you can not update it using helm. -It is recommended to set this to a number greater than half of your cluster's size, and never scale your cluster down to a size smaller than this number. - -#### Existing volume claim - -###### Primary node -In order to use an existing volume claim for the Artifactory primary storage, you need to: -- Create a persistent volume claim by the name `volume--artifactory-ha-primary-0` e.g `volume-myrelease-artifactory-ha-primary-0` -- Pass a parameter to `helm install` and `helm upgrade` -```bash -... ---set artifactory.primary.persistence.existingClaim=true -``` - -###### Member nodes -In order to use an existing volume claim for the Artifactory member nodes storage, you need to: -- Create persistent volume claims according to the number of replicas defined at `artifactory.node.replicaCount` by the names `volume--artifactory-ha-member-`, e.g `volume-myrelease-artifactory-ha-member-0` and `volume-myrelease-artifactory-ha-primary-1`. -- Pass a parameter to `helm install` and `helm upgrade` -```bash -... ---set artifactory.node.persistence.existingClaim=true -``` - -#### Existing shared volume claim - -In order to use an existing claim (for data and backup) that is to be shared across all nodes, you need to: - -- Create PVCs with ReadWriteMany that match the naming conventions: -``` - {{ template "artifactory-ha.fullname" . }}-data-pvc- - {{ template "artifactory-ha.fullname" . }}-backup-pvc- -``` -An example that shows 2 existing claims to be used: -``` - myexample-artifactory-ha-data-pvc-0 - myexample-artifactory-ha-backup-pvc-0 - myexample-artifactory-ha-data-pvc-1 - myexample-artifactory-ha-backup-pvc-1 -``` -- Set the artifactory.persistence.fileSystem.existingSharedClaim.enabled in values.yaml to true: -``` --- set artifactory.persistence.fileSystem.existingSharedClaim.enabled=true --- set artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims=2 -``` - -#### NFS -To use an NFS server as your cluster's storage, you need to -- Setup an NFS server. Get its IP as `NFS_IP` -- Create a `data` and `backup` directories on the NFS exported directory with write permissions to all -- Pass NFS parameters to `helm install` and `helm upgrade` -```bash -... ---set artifactory.persistence.type=nfs \ ---set artifactory.persistence.nfs.ip=${NFS_IP} \ -... -``` - -#### Google Storage -To use a Google Storage bucket as the cluster's filestore. See [Google Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-GoogleStorageBinaryProvider) -- Pass Google Storage parameters to `helm install` and `helm upgrade` -```bash -... ---set artifactory.persistence.type=google-storage \ ---set artifactory.persistence.googleStorage.identity=${GCP_ID} \ ---set artifactory.persistence.googleStorage.credential=${GCP_KEY} \ -... -``` - -#### AWS S3 -**NOTE** Keep in mind that when using the `aws-s3` persistence type, you will not be able to provide an IAM on the pod level. -In order to grant permissions to Artifactory using an IAM role, you will have to attach the IAM role to the machine(s) on which Artifactory is running. -This is due to the fact that the `aws-s3` template uses the `JetS3t` library to interact with AWS. If you want to grant an IAM role at the pod level, see the `AWS S3 Vs` section. - -To use an AWS S3 bucket as the cluster's filestore. See [S3 Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-S3BinaryProvider) -- Pass AWS S3 parameters to `helm install` and `helm upgrade` -```bash -... -# With explicit credentials: ---set artifactory.persistence.type=aws-s3 \ ---set artifactory.persistence.awsS3.endpoint=${AWS_S3_ENDPOINT} \ ---set artifactory.persistence.awsS3.region=${AWS_REGION} \ ---set artifactory.persistence.awsS3.identity=${AWS_ACCESS_KEY_ID} \ ---set artifactory.persistence.awsS3.credential=${AWS_SECRET_ACCESS_KEY} \ -... - -... -# With using existing IAM role ---set artifactory.persistence.type=aws-s3 \ ---set artifactory.persistence.awsS3.endpoint=${AWS_S3_ENDPOINT} \ ---set artifactory.persistence.awsS3.region=${AWS_REGION} \ ---set artifactory.persistence.awsS3.roleName=${AWS_ROLE_NAME} \ -... -``` -**NOTE:** Make sure S3 `endpoint` and `region` match. See [AWS documentation on endpoint](https://docs.aws.amazon.com/general/latest/gr/rande.html) - -#### AWS S3 V3 -To use an AWS S3 bucket as the cluster's filestore and access it with the official AWS SDK, See [S3 Official SDK Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate). -This filestore template uses the official AWS SDK, unlike the `aws-s3` implementation that uses the `JetS3t` library. -Use this template if you want to attach an IAM role to the Artifactory pod directly (as opposed to attaching it to the machine/s that Artifactory will run on). - -**NOTE** This will have to be combined with a k8s mechanism for attaching IAM roles to pods, like [kube2iam](https://github.com/helm/charts/tree/master/stable/kube2iam) or anything similar. - -- Pass AWS S3 V3 parameters and the annotation pointing to the IAM role (when using an IAM role. this is kube2iam specific and may vary depending on the implementation) to `helm install` and `helm upgrade` - -```bash -# With explicit credentials: ---set artifactory.persistence.type=aws-s3-v3 \ ---set artifactory.persistence.awsS3V3.region=${AWS_REGION} \ ---set artifactory.persistence.awsS3V3.bucketName=${AWS_S3_BUCKET_NAME} \ ---set artifactory.persistence.awsS3V3.identity=${AWS_ACCESS_KEY_ID} \ ---set artifactory.persistence.awsS3V3.credential=${AWS_SECRET_ACCESS_KEY} \ -... -``` - -```bash -# With using existing IAM role ---set artifactory.persistence.type=aws-s3-v3 \ ---set artifactory.persistence.awsS3V3.region=${AWS_REGION} \ ---set artifactory.persistence.awsS3V3.bucketName=${AWS_S3_BUCKET_NAME} \ ---set artifactory.annotations.'iam\.amazonaws\.com/role'=${AWS_IAM_ROLE_ARN} -... -``` - -#### Microsoft Azure Blob Storage -To use Azure Blob Storage as the cluster's filestore. See [Azure Blob Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AzureBlobStorageClusterBinaryProvider) -- Pass Azure Blob Storage parameters to `helm install` and `helm upgrade` -```bash -... ---set artifactory.persistence.type=azure-blob \ ---set artifactory.persistence.azureBlob.accountName=${AZURE_ACCOUNT_NAME} \ ---set artifactory.persistence.azureBlob.accountKey=${AZURE_ACCOUNT_KEY} \ ---set artifactory.persistence.azureBlob.endpoint=${AZURE_ENDPOINT} \ ---set artifactory.persistence.azureBlob.containerName=${AZURE_CONTAINER_NAME} \ -... -``` - -#### Custom binarystore.xml -You have an option to provide a custom [binarystore.xml](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore).
-There are two options for this - -1. Editing directly in [values.yaml](values.yaml) -```yaml -artifactory: - persistence: - binarystoreXml: | - - - - - -``` - -2. Create your own [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) and pass it to your `helm install` command -```yaml -# Prepare your custom Secret file (custom-binarystore.yaml) -kind: Secret -apiVersion: v1 -metadata: - name: custom-binarystore - labels: - app: artifactory - chart: artifactory -stringData: - binarystore.xml: |- - - - - -``` - -```bash -# Create a secret from the file -kubectl apply -n artifactory -f ./custom-binarystore.yaml - -# Pass it to your helm install command: -helm install --name artifactory-ha --set artifactory.persistence.customBinarystoreXmlSecret=custom-binarystore jfrog/artifactory-ha -``` - -### Create a unique Master Key -Artifactory HA cluster requires a unique master key. By default the chart has one set in values.yaml (`artifactory.masterKey`). - -**This key is for demo purpose and should not be used in a production environment!** - -You should generate a unique one and pass it to the template at install/upgrade time. -```bash -# Create a key -export MASTER_KEY=$(openssl rand -hex 32) -echo ${MASTER_KEY} - -# Pass the created master key to helm -helm install --name artifactory-ha --set artifactory.masterKey=${MASTER_KEY} jfrog/artifactory-ha -``` - -Alternatively, you can create a secret containing the master key manually and pass it to the template at install/upgrade time. -```bash -# Create a key -export MASTER_KEY=$(openssl rand -hex 32) -echo ${MASTER_KEY} - -# Create a secret containing the key. The key in the secret must be named master-key -kubectl create secret generic my-secret --from-literal=master-key=${MASTER_KEY} - -# Pass the created secret to helm -helm install --name artifactory-ha --set artifactory.masterKeySecretName=my-secret jfrog/artifactory-ha -``` -**NOTE:** In either case, make sure to pass the same master key on all future calls to `helm install` and `helm upgrade`! In the first case, this means always passing `--set artifactory.masterKey=${MASTER_KEY}`. In the second, this means always passing `--set artifactory.masterKeySecretName=my-secret` and ensuring the contents of the secret remain unchanged. - -### Create a unique Join Key -Artifactory requires a unique join key. By default the chart has one set in values.yaml (`artifactory.joinKey`). - -**This key is for demo purpose and should not be used in a production environment!** - -You should generate a unique key and pass it to the template at install/upgrade time. -```bash -# Create a key -export JOIN_KEY=$(openssl rand -hex 16) -echo ${JOIN_KEY} - -# Pass the created master key to helm -helm install --name artifactory --set artifactory.joinKey=${JOIN_KEY} jfrog/artifactory -``` - -**NOTE:** In either case, make sure to pass the same join key on all future calls to `helm install` and `helm upgrade`! This means always passing `--set artifactory.joinKey=${JOIN_KEY}`. - -### Install Artifactory HA license -For activating Artifactory HA, you must install an appropriate license. There are three ways to manage the license. **Artifactory UI**, **REST API**, or a **Kubernetes Secret**. - -The easier and recommended way is the **Artifactory UI**. Using the **Kubernetes Secret** or **REST API** is for advanced users and is better suited for automation. - -**IMPORTANT:** You should use only one of the following methods. Switching between them while a cluster is running might disable your Artifactory HA cluster! - -##### Artifactory UI -Once primary cluster is running, open Artifactory UI and insert the license(s) in the UI. See [HA installation and setup](https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup) for more details. **Note that you should enter all licenses at once, with each license is separated by a newline.** If you add the licenses one at a time, you may get redirected to a node without a license and the UI won't load for that node. - -##### REST API -You can add licenses via REST API (https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API#ArtifactoryRESTAPI-InstallHAClusterLicenses). Note that the REST API expects "\n" for the newlines in the licenses. - -##### Kubernetes Secret -You can deploy the Artifactory license(s) as a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/). -Prepare a text file with the license(s) written in it. If writing multiple licenses (must be in the same file), it's important to put **two new lines between each license block**! -```bash -# Create the Kubernetes secret (assuming the local license file is 'art.lic') -kubectl create secret generic artifactory-cluster-license --from-file=./art.lic - -# Pass the license to helm -helm install --name artifactory-ha --set artifactory.license.secret=artifactory-cluster-license,artifactory.license.dataKey=art.lic jfrog/artifactory-ha -``` -**NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). -Updating the license should be done via Artifactory UI or REST API. - -##### Create the secret as part of the helm release -values.yaml -```yaml -artifactory: - license: - licenseKey: |- - - - - - - - -``` - -```bash -helm install --name artifactory-ha -f values.yaml jfrog/artifactory-ha -``` -**NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). -Updating the license should be done via Artifactory UI or REST API. -If you want to keep managing the artifactory license using the same method, you can use the copyOnEveryStartup example shown in the values.yaml file - - -### copyOnEveryStartup feature -Files stored in the `/artifactory-extra-conf` directory are only copied to the `ARTIFACTORY_HOME/etc` directory upon the first startup. -In some cases, you want your configuration files to be copied to the `ARTIFACTORY_HOME/etc` directory on every startup. -Two examples for that would be: - -1. the binarstore.xml file. If you use the default behaviour, your binarystore.xml configuration will only be copied on the first startup, -which means that changes you make over time to the `binaryStoreXml` configuration will not be applied. In order to make sure your changes are applied on every startup, do the following: -Create a values file with the following values: -```yaml -artifactory: - copyOnEveryStartup: - - source: /artifactory_extra_conf/binarystore.xml - target: etc/ -``` - -Install the helm chart with the values file you created: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f values.yaml -``` - -2. Any custom configuration file you have to configure artifactory, such as `logabck.xml`: -Create a config map with your `logback.xml` configuration. - -Create a values file with the following values: -```yaml -artifactory: - ## Create a volume pointing to the config map with your configuration file - customVolumes: | - - name: logback-xml-configmap - configMap: - name: logback-xml-configmap - customVolumeMounts: | - - name: logback-xml-configmap - mountPath: /tmp/artifactory-logback/ - copyOnEveryStartup: - - source: /tmp/artifactory-logback/* - target: etc/ -``` - -Install the helm chart with the values file you created: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f values.yaml -``` - -### Configure NetworkPolicy - -NetworkPolicy specifies what ingress and egress is allowed in this namespace. It is encouraged to be more specific whenever possible to increase security of the system. - -In the `networkpolicy` section of values.yaml you can specify a list of NetworkPolicy objects. - -For podSelector, ingress and egress, if nothing is provided then a default `- {}` is applied which is to allow everything. - -A full (but very wide open) example that results in 2 NetworkPolicy objects being created: -```yaml -networkpolicy: - # Allows all ingress and egress to/from artifactory primary and member pods. - - name: artifactory - podSelector: - matchLabels: - app: artifactory-ha - egress: - - {} - ingress: - - {} - # Allows connectivity from artifactory-ha pods to postgresql pods, but no traffic leaving postgresql pod. - - name: postgresql - podSelector: - matchLabels: - app: postgresql - ingress: - - from: - - podSelector: - matchLabels: - app: artifactory-ha -``` - -### Artifactory JMX Configuration -** You can see some information about the exposed MBeans here - https://www.jfrog.com/confluence/display/RTF/Artifactory+JMX+MBeans - -Enable JMX in your deployment: -```bash -helm install --name artifactory \ - --set artifactory.primary.javaOpts.jmx.enabled=true \ - --set artifactory.node.javaOpts.jmx.enabled=true \ - jfrog/artifactory-ha -``` -This will enable access to Artifactory with JMX on the default port (9010). -** You have the option to change the port by setting ```artifactory.primary.javaOpts.jmx.port``` and ```artifactory.node.javaOpts.jmx.port``` -to your choice of port - -In order to connect to Artifactory using JMX with jconsole (or any similar tool) installed on your computer, follow the following steps: -1. Enable JMX as described above and Change the Artifactory service to be of type LoadBalancer: -```bash -helm install --name artifactory \ - --set artifactory.primary.javaOpts.jmx.enabled=true \ - --set artifactory.node.javaOpts.jmx.enabled=true \ - --set artifactory.service.type=LoadBalancer \ - jfrog/artifactory-ha -``` -2. The default setting for java.rmi.server.hostname is the service name (this is also configurable with -```artifactory.primary.javaOpts.jmx.host``` and ```artifactory.node.javaOpts.jmx.host```), So in order to connect to Artifactory -with jconsole you should map the Artifactory kuberentes service IP to the service name using your hosts file as such: -``` - artifactory-ha--primary - -``` -3. Launch jconsole with the service address and port: -```bash -jconsole artifactory-ha--primary: -jconsole : -``` - -### Access creds. bootstraping -**IMPORTANT:** Bootsrapping access creds. will allow access for the user access-admin from certain IP's. - -* User guide to [bootstrap Artifactory Access credentials](https://www.jfrog.com/confluence/display/ACC/Configuring+Access) - -1. Create `access-creds-values.yaml` and provide the IP (By default 127.0.0.1) and password: -```yaml -artifactory: - accessAdmin: - ip: "" #Example: "*" - password: "" -``` - -2. Apply the `access-creds-values.yaml` file: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f access-creds-values.yaml -``` - -### Bootstrapping Artifactory -**IMPORTANT:** Bootstrapping Artifactory needs license. Pass license as shown in above section. - -* User guide to [bootstrap Artifactory Global Configuration](https://www.jfrog.com/confluence/display/RTF/Configuration+Files#ConfigurationFiles-BootstrappingtheGlobalConfiguration) -* User guide to [bootstrap Artifactory Security Configuration](https://www.jfrog.com/confluence/display/RTF/Configuration+Files#ConfigurationFiles-BootstrappingtheSecurityConfiguration) - -1. Create `bootstrap-config.yaml` with artifactory.config.import.xml and security.import.xml as shown below: -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: my-release-bootstrap-config -data: - artifactory.config.import.xml: | - - security.import.xml: | - -``` - -2. Create configMap in Kubernetes: -```bash -kubectl apply -f bootstrap-config.yaml -``` -3. Pass the configMap to helm -```bash -helm install --name artifactory-ha --set artifactory.license.secret=artifactory-cluster-license,artifactory.license.dataKey=art.lic,artifactory.configMapName=my-release-bootstrap-config jfrog/artifactory-ha -``` - -### Use custom nginx.conf with Nginx - -Steps to create configMap with nginx.conf -* Create `nginx.conf` file. -```bash -kubectl create configmap nginx-config --from-file=nginx.conf -``` -* Pass configMap to helm install -```bash -helm install --name artifactory-ha --set nginx.customConfigMap=nginx-config jfrog/artifactory-ha -``` - -### Scaling your Artifactory cluster -A key feature in Artifactory HA is the ability to set an initial cluster size with `--set artifactory.node.replicaCount=${CLUSTER_SIZE}` and if needed, resize it. - -##### Before scaling -**IMPORTANT:** When scaling, you need to explicitly pass the database password if it's an auto generated one (this is the default with the enclosed PostgreSQL helm chart). - -Get the current database password -```bash -export DB_PASSWORD=$(kubectl get $(kubectl get secret -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) -``` -Use `--set postgresql.postgresqlPassword=${DB_PASSWORD}` with every scale action to prevent a miss configured cluster! - -##### Scale up -Let's assume you have a cluster with **2** member nodes, and you want to scale up to **3** member nodes (a total of 4 nodes). -```bash -# Scale to 4 nodes (1 primary and 3 member nodes) -helm upgrade --install artifactory-ha --set artifactory.node.replicaCount=3 --set postgresql.postgresqlPassword=${DB_PASSWORD} jfrog/artifactory-ha -``` - -##### Scale down -Let's assume you have a cluster with **3** member nodes, and you want to scale down to **2** member node. - -```bash -# Scale down to 2 member nodes -helm upgrade --install artifactory-ha --set artifactory.node.replicaCount=2 --set postgresql.postgresqlPassword=${DB_PASSWORD} jfrog/artifactory-ha -``` -- **NOTE:** Since Artifactory is running as a Kubernetes Stateful Set, the removal of the node will **not** remove the persistent volume. You need to explicitly remove it -```bash -# List PVCs -kubectl get pvc - -# Remove the PVC with highest ordinal! -# In this example, the highest node ordinal was 2, so need to remove its storage. -kubectl delete pvc volume-artifactory-node-2 -``` - -### Use an external Database - -#### PostgreSQL -There are cases where you will want to use external PostgreSQL with a different database name e.g. `my-artifactory-db`, then you need set a custom PostgreSQL connection URL, where `my-artifactory-db` is the database name. - -This can be done with the following parameters -```bash -... ---set postgresql.enabled=false \ ---set database.type=postgresql \ ---set database.driver=org.postgresql.Driver \ ---set database.url='jdbc:postgresql://${DB_HOST}:${DB_PORT}/my-artifactory-db' \ ---set database.user=${DB_USER} \ ---set database.password=${DB_PASSWORD} \ -... -``` -**NOTE:** You must set `postgresql.enabled=false` in order for the chart to use the `database.*` parameters. Without it, they will be ignored! - -#### Other DB type -There are cases where you will want to use a different database and not the enclosed **PostgreSQL**. -See more details on [configuring the database](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Database) -> The official Artifactory Docker images include the PostgreSQL database driver. -> For other database types, you will have to add the relevant database driver to Artifactory's tomcat/lib - -This can be done with the following parameters -```bash -# Make sure your Artifactory Docker image has the MySQL database driver in it -... ---set postgresql.enabled=false \ ---set artifactory.preStartCommand="wget -O /opt/jfrog/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" \ ---set database.type=mysql \ ---set database.driver=com.mysql.jdbc.Driver \ ---set database.url=${DB_URL} \ ---set database.user=${DB_USER} \ ---set database.password=${DB_PASSWORD} \ -... -``` -**NOTE:** You must set `postgresql.enabled=false` in order for the chart to use the `database.*` parameters. Without it, they will be ignored! - -#### Using pre-existing Kubernetes Secret -If you store your database credentials in a pre-existing Kubernetes `Secret`, you can specify them via `database.secrets` instead of `database.user` and `database.password`: -```bash -# Create a secret containing the database credentials -kubectl create secret generic my-secret --from-literal=user=${DB_USER} --from-literal=password=${DB_PASSWORD} -... ---set postgresql.enabled=false \ ---set database.secrets.user.name=my-secret \ ---set database.secrets.user.key=user \ ---set database.secrets.password.name=my-secret \ ---set database.secrets.password.key=password \ -... -``` - -### Deleting Artifactory -To delete the Artifactory HA cluster -```bash -helm delete --purge artifactory-ha -``` -This will completely delete your Artifactory HA cluster. -**NOTE:** Since Artifactory is running as Kubernetes Stateful Sets, the removal of the helm release will **not** remove the persistent volumes. You need to explicitly remove them -```bash -kubectl delete pvc -l release=artifactory-ha -``` -See more details in the official [Kubernetes Stateful Set removal page](https://kubernetes.io/docs/tasks/run-application/delete-stateful-set/) - -### Custom Docker registry for your images -If you need to pull your Docker images from a private registry (for example, when you have a custom image with a MySQL database driver), you need to create a -[Kubernetes Docker registry secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) and pass it to helm -```bash -# Create a Docker registry secret called 'regsecret' -kubectl create secret docker-registry regsecret --docker-server=${DOCKER_REGISTRY} --docker-username=${DOCKER_USER} --docker-password=${DOCKER_PASS} --docker-email=${DOCKER_EMAIL} -``` -Once created, you pass it to `helm` -```bash -helm install --name artifactory-ha --set imagePullSecrets=regsecret jfrog/artifactory-ha -``` - -### Logger sidecars -This chart provides the option to add sidecars to tail various logs from Artifactory. See the available values in [values.yaml](values.yaml) - -Get list of containers in the pod -```bash -kubectl get pods -n -o jsonpath='{.spec.containers[*].name}' | tr ' ' '\n' -``` - -View specific log -```bash -kubectl logs -n -c -``` - - -### Custom init containers -There are cases where a special, unsupported init processes is needed like checking something on the file system or testing something before spinning up the main container. - -For this, there is a section for writing custom init containers before and after the predefined init containers in the [values.yaml](values.yaml) . By default it's commented out -```yaml -artifactory: - ## Add custom init containers executed before predefined init containers - customInitContainersBegin: | - ## Init containers template goes here ## - ## Add custom init containers executed after predefined init containers - customInitContainers: | - ## Init containers template goes here ## -``` - -### Custom sidecar containers -There are cases where an extra sidecar container is needed. For example monitoring agents or log collection. - -For this, there is a section for writing a custom sidecar container in the [values.yaml](values.yaml). By default it's commented out -```yaml -artifactory: - ## Add custom sidecar containers - customSidecarContainers: | - ## Sidecar containers template goes here ## -``` - -You can configure the sidecar to run as a custom user if needed by setting the following in the container template -```yaml - # Example of running container as root (id 0) - securityContext: - runAsUser: 0 - fsGroup: 0 -``` - -### Custom volumes -If you need to use a custom volume in a custom init or sidecar container, you can use this option. - -For this, there is a section for defining custom volumes in the [values.yaml](values.yaml). By default it's commented out -```yaml -artifactory: - ## Add custom volumes - customVolumes: | - ## Custom volume comes here ## -``` - -### Add Artifactory User Plugin during installation -If you need to add [Artifactory User Plugin](https://github.com/jfrog/artifactory-user-plugins), you can use this option. - -Create a secret with [Artifactory User Plugin](https://github.com/jfrog/artifactory-user-plugins) by following command: -```bash -# Secret with single user plugin -kubectl create secret generic archive-old-artifacts --from-file=archiveOldArtifacts.groovy --namespace=artifactory-ha - -# Secret with single user plugin with configuration file -kubectl create secret generic webhook --from-file=webhook.groovy --from-file=webhook.config.json.sample --namespace=artifactory-ha -``` - -Add plugin secret names to `plugins.yaml` as following: -```yaml -artifactory: - userPluginSecrets: - - archive-old-artifacts - - webhook -``` - -You can now pass the created `plugins.yaml` file to helm install command to deploy Artifactory with user plugins as follows: -```bash -helm install --name artifactory-ha -f plugins.yaml jfrog/artifactory-ha -``` - -Alternatively, you may be in a situation in which you would like to create a secret in a Helm chart that depends on this chart. In this scenario, the name of the secret is likely dynamically generated via template functions, so passing a statically named secret isn't possible. In this case, the chart supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function - simply pass the raw string containing the templating language used to name your secret as a value instead by adding the following to your chart's `values.yaml` file: -```yaml -artifactory-ha: # Name of the artifactory-ha dependency - artifactory: - userPluginSecrets: - - '{{ template "my-chart.fullname" . }}' -``` -NOTE: By defining userPluginSecrets, this overrides any pre-defined plugins from the container image that are stored in /tmp/plugins. At this time [artifactory-pro:6.9.0](https://bintray.com/jfrog/artifactory-pro) is distributed with `internalUser.groovy` plugin. If you need this plugin in addition to your user plugins, you should include these additional plugins as part of your userPluginSecrets. - -### Provide custom configMaps to Artifactory -If you want to mount a custom file to Artifactory, either an init shell script or a custom configuration file (such as `logback.xml`), you can use this option. - -Create a `configmaps.yaml` file with the following content: -```yaml -artifactory: - configMaps: | - logback.xml: | - - - - - %date [%-5level] \(%-20c{3}:%L\) %message%n - - - - - - - - - - - - - - - my-custom-post-start-hook.sh: | - echo "This is my custom post start hook" - - customVolumeMounts: | - - name: artifactory-configmaps - mountPath: /tmp/my-config-map - - postStartCommand: | - chmod +x /tmp/my-config-map/my-custom-post-start-hook.sh; - /tmp/my-config-map/my-custom-post-start-hook.sh; - - copyOnEveryStartup: - - source: /tmp/my-config-map/logback.xml - target: etc/ - -``` - -and use it with you helm install/upgrade: -```bash -helm install --name artifactory-ha -f configmaps.yaml jfrog/artifactory-ha -``` - -This will, in turn: -* create a configMap with the files you specified above -* create a volume pointing to the configMap with the name `artifactory-configmaps` -* Mount said configMap onto `/tmp/my-config-map` using a `customVolumeMounts` -* Set the shell script we mounted as the `postStartCommand` -* Copy the `logback.xml` file to its proper location in the `$ARTIFACTORY_HOME/etc` directory. - - -### Artifactory filebeat -If you want to collect logs from your Artifactory installation and send them to a central log collection solution like ELK, you can use this option. - -Create a `filebeat.yaml` values file with the following content: -```yaml -filebeat: - enabled: true - logstashUrl: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "100Mi" - cpu: "100m" -``` - -You can optionally customize the `filebeat.yaml` to send output to a different location like so: -```yaml -filebeat: - enabled: true - filebeatYml: | - -``` - -and use it with you helm install/upgrade: -```bash -helm install --name artifactory -f filebeat.yaml jfrog/artifactory -``` - -This will start sending your Artifactory logs to the log aggregator of your choice, based on your configuration in the `filebeatYml` - -## Configuration -The following table lists the configurable parameters of the artifactory chart and their default values. - -| Parameter | Description | Default | -|------------------------------|-----------------------------------|-------------------------------------------------------| -| `imagePullSecrets` | Docker registry pull secret | | -| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template | -| `serviceAccount.annotations` | Artifactory service account annotations | `` | -| `rbac.create` | Specifies whether RBAC resources should be created | `true` | -| `rbac.role.rules` | Rules to create | `[]` | -| `logger.image.repository` | repository for logger image | `busybox` | -| `logger.image.tag` | tag for logger image | `1.30` | -| `artifactory.name` | Artifactory name | `artifactory` | -| `artifactory.image.pullPolicy` | Container pull policy | `IfNotPresent` | -| `artifactory.image.repository` | Container image | `docker.bintray.io/jfrog/artifactory-pro` | -| `artifactory.image.version` | Container image tag | `.Chart.AppVersion` | -| `artifactory.priorityClass.create` | Create a PriorityClass object | `false` | -| `artifactory.priorityClass.value` | Priority Class value | `1000000000` | -| `artifactory.priorityClass.name` | Priority Class name | `{{ template "artifactory-ha.fullname" . }}` | -| `artifactory.priorityClass.existingPriorityClass` | Use existing priority class | `` | -| `artifactory.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` | -| `artifactory.catalinaLoggers` | Artifactory Tomcat loggers (see values.yaml for possible values) | `[]` | -| `artifactory.customInitContainersBegin`| Custom init containers to run before existing init containers | | -| `artifactory.customInitContainers`| Custom init containers to run after existing init containers | | -| `artifactory.customSidecarContainers`| Custom sidecar containers | | -| `artifactory.customVolumes` | Custom volumes | | -| `artifactory.customVolumeMounts` | Custom Artifactory volumeMounts | | -| `artifactory.customPersistentPodVolumeClaim` | Custom PVC spec to create and attach a unique PVC for each pod on startup with the volumeClaimTemplates feature in StatefulSet | | -| `artifactory.customPersistentVolumeClaim` | Custom PVC spec to be mounted to the all artifactory containers using a volume | | -| `artifactory.userPluginSecrets` | Array of secret names for Artifactory user plugins | | -| `artifactory.masterKey` | Artifactory master key. A 128-Bit key size (hexadecimal encoded) string (32 hex characters). Can be generated with `openssl rand -hex 16`. NOTE: This key can be generated only once and cannot be updated once created |`FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF`| -| `artifactory.masterKeySecretName` | Artifactory Master Key secret name | | -| `artifactory.joinKey` | Join Key to connect other services to Artifactory. Can be generated with `openssl rand -hex 16` | `EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE` | -| `artifactory.accessAdmin.ip` | Artifactory access-admin ip to be set upon startup, can use (*) for 0.0.0.0| 127.0.0.1 | -| `artifactory.accessAdmin.password` | Artifactory access-admin password to be set upon startup| | -| `artifactory.accessAdmin.secret` | Artifactory access-admin secret name | | -| `artifactory.accessAdmin.dataKey` | Artifactory access-admin secret data key | | -| `artifactory.preStartCommand` | Command to run before entrypoint starts | | -| `artifactory.postStartCommand` | Command to run after container starts | | -| `artifactory.license.licenseKey` | Artifactory license key. Providing the license key as a parameter will cause a secret containing the license key to be created as part of the release. Use either this setting or the license.secret and license.dataKey. If you use both, the latter will be used. | | -| `artifactory.configMaps` | configMaps to be created as volume by the name `artifactory-configmaps`. In order to use these configMaps, you will need to add `customVolumeMounts` to point to the created volume and mount it onto a container | | -| `artifactory.license.secret` | Artifactory license secret name | | -| `artifactory.license.dataKey`| Artifactory license secret data key | | -| `artifactory.service.name` | Artifactory service name to be set in Nginx configuration | `artifactory` | -| `artifactory.service.type` | Artifactory service type | `ClusterIP` | -| `artifactory.service.clusterIP`| Specific cluster IP or `None` for headless services | `nil` | -| `artifactory.service.loadBalancerSourceRanges`| Artifactory service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | -| `artifactory.service.annotations` | Artifactory service annotations | `{}` | -| `artifactory.service.pool` | Artifactory instances to be in the load balancing pool. `members` or `all` | `members` | -| `artifactory.externalPort` | Artifactory service external port | `8082` | -| `artifactory.internalPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8082` | -| `artifactory.internalArtifactoryPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8081` | -| `artifactory.externalArtifactoryPort` | Artifactory service external port | `8081` | -| `artifactory.extraEnvironmentVariables` | Extra environment variables to pass to Artifactory. Supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function. See [documentation](https://www.jfrog.com/confluence/display/RTF/Installing+with+Docker#InstallingwithDocker-SupportedEnvironmentVariables) | | -| `artifactory.livenessProbe.enabled` | Enable liveness probe | `true` | -| `artifactory.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` | -| `artifactory.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | -| `artifactory.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `artifactory.livenessProbe.timeoutSeconds` | When the probe times out | 10 | -| `artifactory.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | -| `artifactory.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `artifactory.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `artifactory.readinessProbe.path` | readiness probe HTTP Get path | `/router/api/v1/system/health` | -| `artifactory.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 | -| `artifactory.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `artifactory.readinessProbe.timeoutSeconds` | When the probe times out | 10 | -| `artifactory.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | -| `artifactory.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `artifactory.copyOnEveryStartup` | List of files to copy on startup from source (which is absolute) to target (which is relative to ARTIFACTORY_HOME | | -| `artifactory.deleteDBPropertiesOnStartup` | Whether to delete the ARTIFACTORY_HOME/etc/db.properties file on startup. Disabling this will remove the ability for the db.properties to be updated with any DB-related environment variables change (e.g. DB_HOST, DB_URL) | `true` | -| `artifactory.database.maxOpenConnections` | Maximum amount of open connections from Artifactory to the DB | `80` | -| `artifactory.haDataDir.enabled` | Enable haDataDir for eventual storage in the HA cluster | `false` | -| `artifactory.haDataDir.path` | Path to the directory intended for use with NFS eventual configuration for HA | | -| `artifactory.persistence.mountPath` | Artifactory persistence volume mount path | `"/var/opt/jfrog/artifactory"` | -| `artifactory.persistence.enabled` | Artifactory persistence volume enabled | `true` | -| `artifactory.persistence.accessMode` | Artifactory persistence volume access mode | `ReadWriteOnce` | -| `artifactory.persistence.size` | Artifactory persistence or local volume size | `200Gi` | -| `artifactory.persistence.binarystore.enabled` | whether you want to mount the binarystore.xml file from a secret created by the chart. If `false` you will need need to get the binarystore.xml file into the file-system from either an `initContainer` or using a `preStartCommand` | `true` | -| `artifactory.persistence.binarystoreXml` | Artifactory binarystore.xml template | See `values.yaml` | -| `artifactory.persistence.customBinarystoreXmlSecret` | A custom Secret for binarystore.xml | `` | -| `artifactory.persistence.maxCacheSize` | Artifactory cache-fs provider maxCacheSize in bytes | `50000000000` | -| `artifactory.persistence.cacheProviderDir` | the root folder of binaries for the filestore cache. If the value specified starts with a forward slash ("/") it is considered the fully qualified path to the filestore folder. Otherwise, it is considered relative to the *baseDataDir*. | `cache` | -| `artifactory.persistence.type` | Artifactory HA storage type | `file-system` | -| `artifactory.persistence.redundancy` | Artifactory HA storage redundancy | `3` | -| `artifactory.persistence.nfs.ip` | NFS server IP | | -| `artifactory.persistence.nfs.haDataMount` | NFS data directory | `/data` | -| `artifactory.persistence.nfs.haBackupMount` | NFS backup directory | `/backup` | -| `artifactory.persistence.nfs.dataDir` | HA data directory | `/var/opt/jfrog/artifactory-ha` | -| `artifactory.persistence.nfs.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` | -| `artifactory.persistence.nfs.capacity` | NFS PVC size | `200Gi` | -| `artifactory.persistence.nfs.mountOptions` | NFS mount options | `[]` | -| `artifactory.persistence.eventual.numberOfThreads` | Eventual number of threads | `10` | -| `artifactory.persistence.googleStorage.endpoint` | Google Storage API endpoint| `storage.googleapis.com` | -| `artifactory.persistence.googleStorage.httpsOnly` | Google Storage API has to be consumed https only| `false` | -| `artifactory.persistence.googleStorage.bucketName` | Google Storage bucket name | `artifactory-ha` | -| `artifactory.persistence.googleStorage.identity` | Google Storage service account id | | -| `artifactory.persistence.googleStorage.credential` | Google Storage service account key | | -| `artifactory.persistence.googleStorage.path` | Google Storage path in bucket | `artifactory-ha/filestore` | -| `artifactory.persistence.googleStorage.bucketExists`| Google Storage bucket exists therefore does not need to be created.| `false` | -| `artifactory.persistence.awsS3.bucketName` | AWS S3 bucket name | `artifactory-ha` | -| `artifactory.persistence.awsS3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | -| `artifactory.persistence.awsS3.region` | AWS S3 bucket region | | -| `artifactory.persistence.awsS3.roleName` | AWS S3 IAM role name | | -| `artifactory.persistence.awsS3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | -| `artifactory.persistence.awsS3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | -| `artifactory.persistence.awsS3.properties` | AWS S3 additional properties | | -| `artifactory.persistence.awsS3.path` | AWS S3 path in bucket | `artifactory-ha/filestore` | -| `artifactory.persistence.awsS3.refreshCredentials` | AWS S3 renew credentials on expiration | `true` (When roleName is used, this parameter will be set to true) | -| `artifactory.persistence.awsS3.httpsOnly` | AWS S3 https access to the bucket only | `true` | -| `artifactory.persistence.awsS3.testConnection` | AWS S3 test connection on start up | `false` | -| `artifactory.persistence.awsS3.s3AwsVersion` | AWS S3 signature version | `AWS4-HMAC-SHA256` | -| `artifactory.persistence.awsS3V3.testConnection` | AWS S3 test connection on start up | `false` | -| `artifactory.persistence.awsS3V3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | -| `artifactory.persistence.awsS3V3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | -| `artifactory.persistence.awsS3V3.region` | AWS S3 bucket region | | -| `artifactory.persistence.awsS3V3.bucketName` | AWS S3 bucket name | `artifactory-aws` | -| `artifactory.persistence.awsS3V3.path` | AWS S3 path in bucket | `artifactory/filestore` | -| `artifactory.persistence.awsS3V3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | -| `artifactory.persistence.awsS3V3.kmsServerSideEncryptionKeyId` | AWS S3 encryption key ID or alias | | -| `artifactory.persistence.awsS3V3.kmsKeyRegion` | AWS S3 KMS Key region | | -| `artifactory.persistence.awsS3V3.kmsCryptoMode` | AWS S3 KMS encryption mode | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate | -| `artifactory.persistence.awsS3V3.useInstanceCredentials` | AWS S3 Use default authentication mechanism | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-authentication | -| `artifactory.persistence.awsS3V3.usePresigning` | AWS S3 Use URL signing | `false` | -| `artifactory.persistence.awsS3V3.signatureExpirySeconds` | AWS S3 Validity period in seconds for signed URLs | `300` | -| `artifactory.persistence.awsS3V3.cloudFrontDomainName` | AWS CloudFront domain name | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| -| `artifactory.persistence.awsS3V3.cloudFrontKeyPairId` | AWS CloudFront key pair ID | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| -| `artifactory.persistence.awsS3V3.cloudFrontPrivateKey` | AWS CloudFront private key | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| -| `artifactory.persistence.azureBlob.accountName` | Azure Blob Storage account name | `` | -| `artifactory.persistence.azureBlob.accountKey` | Azure Blob Storage account key | `` | -| `artifactory.persistence.azureBlob.endpoint` | Azure Blob Storage endpoint | `` | -| `artifactory.persistence.azureBlob.containerName` | Azure Blob Storage container name | `` | -| `artifactory.persistence.azureBlob.testConnection` | Azure Blob Storage test connection | `false` | -| `artifactory.persistence.fileSystem.existingSharedClaim` | Enable using an existing shared pvc | `false` | -| `artifactory.persistence.fileStorage.dataDir` | HA data directory | `/var/opt/jfrog/artifactory/artifactory-data` | -| `artifactory.persistence.fileStorage.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` | -| `artifactory.javaOpts.other` | Artifactory additional java options (for all nodes) | | -| `artifactory.primary.labels` | Artifactory primary node labels | `{}` | -| `artifactory.primary.resources.requests.memory` | Artifactory primary node initial memory request | | -| `artifactory.primary.resources.requests.cpu` | Artifactory primary node initial cpu request | | -| `artifactory.primary.resources.limits.memory` | Artifactory primary node memory limit | | -| `artifactory.primary.resources.limits.cpu` | Artifactory primary node cpu limit | | -| `artifactory.primary.javaOpts.xms` | Artifactory primary node java Xms size | | -| `artifactory.primary.javaOpts.xmx` | Artifactory primary node java Xms size | | -| `artifactory.primary.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the primary node - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` | -| `artifactory.primary.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` | -| `artifactory.primary.javaOpts.jmx.port` | JMX Port number | `9010` | -| `artifactory.primary.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.primary.name" $ }}` | -| `artifactory.primary.javaOpts.jmx.ssl` | Enable SSL | `false` | -| `artifactory.primary.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` | -| `artifactory.primary.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | | -| `artifactory.primary.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | | -| `artifactory.primary.javaOpts.other` | Artifactory primary node additional java options | | -| `artifactory.primary.persistence.existingClaim` | Whether to use an existing pvc for the primary node | `false` | -| `artifactory.node.labels` | Artifactory member node labels | `{}` | -| `artifactory.node.replicaCount` | Artifactory member node replica count | `2` | -| `artifactory.node.minAvailable` | Artifactory member node min available count | `1` | -| `artifactory.node.resources.requests.memory` | Artifactory member node initial memory request | | -| `artifactory.node.resources.requests.cpu` | Artifactory member node initial cpu request | | -| `artifactory.node.resources.limits.memory` | Artifactory member node memory limit | | -| `artifactory.node.resources.limits.cpu` | Artifactory member node cpu limit | | -| `artifactory.node.javaOpts.xms` | Artifactory member node java Xms size | | -| `artifactory.node.javaOpts.xmx` | Artifactory member node java Xms size | | -| `artifactory.node.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the member nodes - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` | -| `artifactory.node.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` | -| `artifactory.node.javaOpts.jmx.port` | JMX Port number | `9010` | -| `artifactory.node.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.fullname" $ }}` | -| `artifactory.node.javaOpts.jmx.ssl` | Enable SSL | `false` | -| `artifactory.node.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` | -| `artifactory.node.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | | -| `artifactory.node.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | | -| `artifactory.node.javaOpts.other` | Artifactory member node additional java options | | -| `artifactory.node.persistence.existingClaim` | Whether to use existing PVCs for the member nodes | `false` | -| `artifactory.node.waitForPrimaryStartup.enabled` | Whether to wait for the primary node to start before starting up the member nodes | `false` | -| `artifactory.node.waitForPrimaryStartup.time` | The amount of time to wait for the primary node to start before starting up the member nodes | `60` | -| `artifactory.systemYaml` | Artifactory system configuration (`system.yaml`) as described here - https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML | `see values.yaml` | -| `access.database.maxOpenConnections` | Maximum amount of open connections from Access to the DB | `80` | -| `initContainers.resources.requests.memory` | Init containers initial memory request | | -| `initContainers.resources.requests.cpu` | Init containers initial cpu request | | -| `initContainers.resources.limits.memory` | Init containers memory limit | | -| `initContainers.resources.limits.cpu` | Init containers cpu limit | | -| `ingress.enabled` | If true, Artifactory Ingress will be created | `false` | -| `ingress.annotations` | Artifactory Ingress annotations | `{}` | -| `ingress.labels` | Artifactory Ingress labels | `{}` | -| `ingress.hosts` | Artifactory Ingress hostnames | `[]` | -| `ingress.routerPath` | Router Ingress path | `/` | -| `ingress.artifactoryPath` | Artifactory Ingress path | `/artifactory` | -| `ingress.tls` | Artifactory Ingress TLS configuration (YAML) | `[]` | -| `ingress.defaultBackend.enabled` | If true, the default `backend` will be added using serviceName and servicePort | `true` | -| `ingress.annotations` | Ingress annotations, which are written out if annotations section exists in values. Everything inside of the annotations section will appear verbatim inside the resulting manifest. See `Ingress annotations` section below for examples of how to leverage the annotations, specifically for how to enable docker authentication. | | -| `ingress.additionalRules` | Ingress additional rules to be added to the Artifactory ingress. | `[]` | -| `nginx.enabled` | Deploy nginx server | `true` | -| `nginx.name` | Nginx name | `nginx` | -| `nginx.replicaCount` | Nginx replica count | `1` | -| `nginx.uid` | Nginx User Id | `104` | -| `nginx.gid` | Nginx Group Id | `107` | -| `nginx.image.repository` | Container image | `docker.bintray.io/jfrog/nginx-artifactory-pro` | -| `nginx.image.version` | Container version | `.Chart.AppVersion` | -| `nginx.image.pullPolicy` | Container pull policy | `IfNotPresent` | -| `nginx.labels` | Nginx deployment labels | `{}` | -| `nginx.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` | -| `nginx.mainConf` | Content of the Artifactory nginx main nginx.conf config file | `see values.yaml` | -| `nginx.artifactoryConf` | Content of Artifactory nginx artifactory.conf config file | `see values.yaml` | -| `nginx.service.type` | Nginx service type | `LoadBalancer` | -| `nginx.service.clusterIP` | Specific cluster IP or `None` for headless services | `nil` | -| `nginx.service.loadBalancerSourceRanges`| Nginx service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | -| `nginx.service.labels` | Nginx service labels | `{}` | -| `nginx.service.annotations` | Nginx service annotations | `{}` | -| `nginx.service.externalTrafficPolicy`| Nginx service desires to route external traffic to node-local or cluster-wide endpoints. | `Cluster` | -| `nginx.loadBalancerIP`| Provide Static IP to configure with Nginx | | -| `nginx.http.enabled` | Nginx http service enabled/disabled | true | -| `nginx.http.externalPort` | Nginx service external port | `80` | -| `nginx.http.internalPort` | Nginx service internal port | `80` | -| `nginx.https.enabled` | Nginx http service enabled/disabled | true | -| `nginx.https.externalPort` | Nginx service external port | `443` | -| `nginx.https.internalPort` | Nginx service internal port | `443` | -| `nginx.externalPortHttp` | DEPRECATED: Nginx service external port | `80` | -| `nginx.internalPortHttp` | DEPRECATED: Nginx service internal port | `80` | -| `nginx.externalPortHttps` | DEPRECATED: Nginx service external port | `443` | -| `nginx.internalPortHttps` | DEPRECATED: Nginx service internal port | `443` | -| `nginx.livenessProbe.enabled` | would you like a liveness Probe to be enabled | `true` | -| `nginx.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` | -| `nginx.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 100 | -| `nginx.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `nginx.livenessProbe.timeoutSeconds` | When the probe times out | 10 | -| `nginx.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | -| `nginx.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `nginx.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `nginx.readinessProbe.path` | Readiness probe HTTP Get path | `/router/api/v1/system/health` | -| `nginx.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 | -| `nginx.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `nginx.readinessProbe.timeoutSeconds` | When the probe times out | 10 | -| `nginx.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | -| `nginx.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `nginx.tlsSecretName` | SSL secret that will be used by the Nginx pod | | -| `nginx.customConfigMap` | Nginx CustomeConfigMap name for `nginx.conf` | ` ` | -| `nginx.customArtifactoryConfigMap`| Nginx CustomeConfigMap name for `artifactory-ha.conf` | ` ` | -| `nginx.resources.requests.memory` | Nginx initial memory request | `250Mi` | -| `nginx.resources.requests.cpu` | Nginx initial cpu request | `100m` | -| `nginx.resources.limits.memory` | Nginx memory limit | `250Mi` | -| `nginx.resources.limits.cpu` | Nginx cpu limit | `500m` | -| `nginx.persistence.mountPath` | Nginx persistence volume mount path | `"/var/opt/jfrog/nginx"` | -| `nginx.persistence.enabled` | Nginx persistence volume enabled. This is only available when the nginx.replicaCount is set to 1 | `false` | -| `nginx.persistence.accessMode` | Nginx persistence volume access mode | `ReadWriteOnce` | -| `nginx.persistence.size` | Nginx persistence volume size | `5Gi` | -| `waitForDatabase` | Wait for database (using wait-for-db init container) | `true` | -| `postgresql.enabled` | Use enclosed PostgreSQL as database | `true` | -| `postgresql.imageTag` | PostgreSQL version | `9.6.11` | -| `postgresql.postgresqlDatabase` | PostgreSQL database name | `artifactory` | -| `postgresql.postgresqlUsername` | PostgreSQL database user | `artifactory` | -| `postgresql.postgresqlPassword` | PostgreSQL database password | | -| `postgresql.persistence.enabled` | PostgreSQL use persistent storage | `true` | -| `postgresql.persistence.size` | PostgreSQL persistent storage size | `50Gi` | -| `postgresql.service.port` | PostgreSQL database port | `5432` | -| `postgresql.resources.requests.memory` | PostgreSQL initial memory request | | -| `postgresql.resources.requests.cpu` | PostgreSQL initial cpu request | | -| `postgresql.resources.limits.memory` | PostgreSQL memory limit | | -| `postgresql.resources.limits.cpu` | PostgreSQL cpu limit | | -| `database.type` | External database type (`postgresql`, `mysql`, `oracle` or `mssql`) | | -| `database.driver` | External database driver e.g. `org.postgresql.Driver` | | -| `database.url` | External database connection URL | | -| `database.user` | External database username | | -| `database.password` | External database password | | -| `database.secrets.user.name` | External database username `Secret` name | | -| `database.secrets.user.key` | External database username `Secret` key | | -| `database.secrets.password.name` | External database password `Secret` name | | -| `database.secrets.password.key` | External database password `Secret` key | | -| `database.secrets.url.name ` | External database url `Secret` name | | -| `database.secrets.url.key` | External database url `Secret` key | | -| `networkpolicy.name` | Becomes part of the NetworkPolicy object name | `artifactory` | -| `networkpolicy.podselector` | Contains the YAML that specifies how to match pods. Usually using matchLabels. | | -| `networkpolicy.ingress` | YAML snippet containing to & from rules applied to incoming traffic | `- {}` (open to all inbound traffic) | -| `networkpolicy.egress` | YAML snippet containing to & from rules applied to outgoing traffic | `- {}` (open to all outbound traffic) | -| `filebeat.enabled` | Enable a filebeat container to send your logs to a log management solution like ELK | `false` | -| `filebeat.name` | filebeat container name | `artifactory-filebeat` | -| `filebeat.image.repository` | filebeat Docker image repository | `docker.elastic.co/beats/filebeat` | -| `filebeat.image.version` | filebeat Docker image version | `7.5.1` | -| `filebeat.logstashUrl` | The URL to the central Logstash service, if you have one | `logstash:5044` | -| `filebeat.livenessProbe.exec.command` | liveness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) | -| `filebeat.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `filebeat.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | -| `filebeat.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `filebeat.readinessProbe.exec.command` | readiness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) | -| `filebeat.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `filebeat.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 180 | -| `filebeat.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `filebeat.resources.requests.memory` | Filebeat initial memory request | | -| `filebeat.resources.requests.cpu` | Filebeat initial cpu request | | -| `filebeat.resources.limits.memory` | Filebeat memory limit | | -| `filebeat.resources.limits.cpu` | Filebeat cpu limit | | -| `filebeat.filebeatYml` | Filebeat yaml configuration file | see [values.yaml](stable/artifactory-ha/values.yaml) | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. - -### Ingress and TLS -To get Helm to create an ingress object with a hostname, add these two lines to your Helm command: -```bash -helm install --name artifactory-ha \ - --set ingress.enabled=true \ - --set ingress.hosts[0]="artifactory.company.com" \ - --set artifactory.service.type=NodePort \ - --set nginx.enabled=false \ - jfrog/artifactory-ha -``` - -If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [cert-manager](https://github.com/jetstack/cert-manager)), please refer to the documentation for that mechanism. - -To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: - -```bash -kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key -``` - -Include the secret's name, along with the desired hostnames, in the Artifactory Ingress TLS section of your custom `values.yaml` file: - -```yaml - ingress: - ## If true, Artifactory Ingress will be created - ## - enabled: true - - ## Artifactory Ingress hostnames - ## Must be provided if Ingress is enabled - ## - hosts: - - artifactory.domain.com - annotations: - kubernetes.io/tls-acme: "true" - ## Artifactory Ingress TLS configuration - ## Secrets must be manually created in the namespace - ## - tls: - - secretName: artifactory-tls - hosts: - - artifactory.domain.com -``` - -### Ingress annotations - -This example specifically enables Artifactory to work as a Docker Registry using the Repository Path method. See [Artifactory as Docker Registry](https://www.jfrog.com/confluence/display/RTF/Getting+Started+with+Artifactory+as+a+Docker+Registry) documentation for more information about this setup. - -```yaml -ingress: - enabled: true - defaultBackend: - enabled: false - hosts: - - myhost.example.com - annotations: - ingress.kubernetes.io/force-ssl-redirect: "true" - ingress.kubernetes.io/proxy-body-size: "0" - ingress.kubernetes.io/proxy-read-timeout: "600" - ingress.kubernetes.io/proxy-send-timeout: "600" - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/configuration-snippet: | - rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token; - rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3; - nginx.ingress.kubernetes.io/proxy-body-size: "0" - tls: - - hosts: - - "myhost.example.com" -``` - -### Ingress additional rules - -You have the option to add additional ingress rules to the Artifactory ingress. An example for this use case can be routing the /xray path to Xray. -In order to do that, simply add the following to a `artifactory-ha-values.yaml` file: -```yaml -ingress: - enabled: true - - defaultBackend: - enabled: false - - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/configuration-snippet: | - rewrite "(?i)/xray(/|$)(.*)" /$2 break; - - additionalRules: | - - host: - http: - paths: - - path: / - backend: - serviceName: - servicePort: - - path: /xray - backend: - serviceName: - servicePort: - - path: /artifactory - backend: - serviceName: {{ template "artifactory.nginx.fullname" . }} - servicePort: {{ .Values.nginx.externalPortHttp }} -``` - -and running: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f artifactory-ha-values.yaml -``` - - - -## Useful links -- https://www.jfrog.com/confluence/display/EP/Getting+Started -- https://www.jfrog.com/confluence/display/RTF/Installing+Artifactory -- https://www.jfrog.com/confluence/ +# Openshift artifactory ha helm chart +This chart extends the base artifactory-ha chart to make it compatiable with openshift 4 clusters diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.25.tgz b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.25.tgz new file mode 100644 index 0000000000000000000000000000000000000000..a3f1ca8e4c7dc27e8fb38ab147312454df6bbdba GIT binary patch literal 111438 zcmV)oK%BoHiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ}dfT>=Fn<2lRiLzbZ1;rvu;a8<;_R!~a-!B>D>-TNYkO3P zge24y!4jZt)%8AmA@6&0dnLaI1AqiSB+E{k?%A!{CzeQHFc<)XnZaNN$AV6A@I3h2$NRKet=5-&d+@i_Y8C&scXport-bqfx7~i$e!A2CTdV!F-ERF2 zwLT&aOFs!0IR0DfgWD>0?qB4CBl?cSoU*WkuG%#mMd{Bk8#|45%_rQ8X(Zs$+mK$7 znBxEqNW?gm(*~X35Kl>rcoIb{7Brk990X{Ne_=6-uy={4^4WyNb1e9i8bafQ20jvu z1svhfM+bexNh~2ZYBM$`9W)an;+B))Bn{&(siJM&DaX^}d$se#O%RQ418c{f{U6RE$i+$dyxyUL| za}hwVxyUD1EaJ5}rlG(zBr%jFb4-H{!gDHSm;Wd2NDZM7%WlF88uF~Dk3&iVQc+gF z`HjR`X%hI@#}$Rui>zQw=a|nc3dVGv@ZV}0og6)CoF%bGpd*INV;YJWFD$}FG4m5o zG`~5D+0^Y?5YA)PyrSgVs;)+;G%U3%Gv{_1t;Wt??ay8n|9d`#C2)m1VYK z)b%{VITABsYF|?^L$|l6@lMUnOR{M2WPC{$=FhSzEvHtaAs09ZNZhF*Bo+~of1>~k*`JPtb;NS}Sd;_->|HUNqbR0VSP&GG zDdi%jgx9ES<~#|4A@O1&xP-BR1}q@x73Rb@-H~|3EP$6}lI>cT$(Y0;5rj7=Yx>ON zP3+HU*u;sLv6%jb<-XgD$JlGu+#`U)nBiN|7Jc4@}A;2reCPcXj{LE>{PW*yX&C}qq+Kg@|` zWt?TB`9ad1Xm|nUyn`gOxTz>60`6i@3MP)k-l-uJ;4uj@up-8j3H4l9%ZS_v5{Edb zctykXl?Y7FsR?8lm)zia z6cASg9Lg9X>L0MMGCDPUCPl@Du2q9lUEimYY&byF42fKrlBVe^SmDrtS}i2vn#Gq9 z3#hkHEp^pemjbwfA!j6kuQiE9Nz{XR5;1>B0wN!n)j5~z@mLXDKSBscQAtjOd6rH~ z*#-;`Le^wWpKhSHp~vQPqSg?W_#zet3mYnM449;BK2Ji)s)*VMBF2RT`fGr;=*0Tj z&@d z6FN;|wZP=7x17Kvy~b3?o!RxrNN$F*sM-x1Xh?wCz$xSxeo3R6tZ>9)16uP43G%>h z#Fh+XJJt~RBqE_tLT@2!#Wq{EMEz`48#QbkuyH{b%b+#~z3$;juQB%}tInS1c%Eiw zumP+2rMKlp2l>pqByq#&DwOH>Mq}-uF%==6(`If^5fXUXL0>nXHQIZwPsS97?$>Vo zbz4daY00--a+2~I%1WGL&ZWB8L5`Dqkx_bC)g0kfzvMz167^9_Ra})%wsP~BucH;Tt5ovoK{t9zb;nV)0INzlXMNi{--wE)3Xa} z13g#d8~*#T;@6Zbo{YB2>|r04!1fafND7}PZ-*CJAX*?V;eySPZ`PVm1g3!!U=fRv zrQM=y8U%oc)E`96)UhQ?Kc-ho)>K%__N0g)aZcjk2?_|lBCt;Yla_=>WF84QCz3eG z*SrSNIiQ!s?qar)OQ>pFG7I0(#~&*|k)D@Nq~s#sa3f^P_P9dT6v{U~lZcWV%0Vpt zHeJxVMQ%6gk0nYz2?fOghsG4FLW{a;Hn9u}FcH)eb7G&n)?!KL$t969#~-`0l75;) z{UI<+Mg7K*{y}KOfm5pmY&una$T6mj@obJ0z8JHc&5Yk{wi~;xO{siX)2n7R*2&C8 z#eH{4D^7_6YIBPXAc~pdA{*$G!TiAjjTc6WMArnSNoEn0b8Sk5YEtUlHc?*%gUn z>XVdga-=k2j1Uh6-xj)&r+}_u-k#@ig8m+ofaqoJj~h|UA`%NK_hlLo$@sd1i~dpf z;NooXe)Q(-q}L?EYvziAjv%2NzB*4Io`pln!ICK59Bf_&o6K26!rVslRZHOnW&xkZ zL=73`AZUj^@nJ~i(1Fx;dNf4jii9G;L0*D^a&Nj)=fHA%Jfv}9$I1pFlIn(P_=p-k zmqiQtx72yWLPW4P%grgSdMfoj7A?-g-W7=#ru%A5Z=mj&vmg-!+EWi*q;|o)vNIYp zCb)=k)Ev_g#|ti4Od2olD^iK0DJF0{C8C4mfEARfM`L6w8v*q`7Dh^K zqCW9(oC%nE1!D@<5}V=yo62dY7-Ob*xkid;1Z=9Gzyz^=+ceFd>Utv)OLZ)Jj=|Dm zKd=dq0ZnM&k7zhyqdA?bIS8-e{joyR?pP`SWxW_YL?(Lnv?LPk?AzQ3jv4tuOrbTKN z(D}2edSa%7F#sy7-?PSzTq$2RZfXdnQ)Zb|E$E!EL=1_?LZ5fg?z5I+m7v`l0W+_i zaYSy2mq62FGGQ@6k(8g*zEvnI=>|ahwz-qPB2yZ6(C>yhXt6~VbvY49ly;nI+o)wz zE!$4f-Ce%IxwWy|RqbU41sj}N$)qSW|YR?4Ja2b5#FCXt2przke^v7$c?ZDG)}@Ue=8MD z)XJVtIGlJ`&mJ`|`3yCcw*=RJ8&;K1&3P)}m+`9rVO9tfv0w9Ktl*@z&D-3;kfC*P z`_ApgySA;Uupy^U3tRb$?Hm;>PNgNL=#nu>y--SXxw7+0XF0);=tGl=1e@dD}AP#dCwB$;V?Z*MJ&{223f~2ZnViF5^^4(7>7P`XXFO8pKU4- z=a_Ru!FoC)!CckebX_>Wwb-s|`&+Wuuiu_@hZnuU=-b}=I}N29z@eg4rh~;3u#-x> zz+fe(tD72ov|SdO!LlpJ!$ClN-8ol2883_-TGmKg9;PRas?q+*`Pty2dwS8aJt~wz zTv5&J@+k=A(}A?7mXsuY5(R8AC!vruO$&C=(FcBDf>hvcrpPyphDf3WrW>#*$*)Yz zNSt~SfMvoOg;K|dLlFX5@^Ez!f5y{Sv-_aG)t0CKNQl+NW%u4V2 zbE*|t8o_@0Wuw(-HQJ80wq@3IW2{%-eJrr-bj7j{s7FHO7NNhU22lN5l9j4a(obML z&=5rdrXiB@S_7=5gu<+VLDpQ`fYnP<^a9 zF7XlOsqR)~RxQAVSbWOO*E3SpyC(GA)!$< z0NSda$|#!8SSYGj4LXllEE+fS01!4(a`Cw&ONvYem4@1t2+Y?w#&aS_T(g9u!nTIP z1)N@HVCFa~u5P=2CJW`|lm?%5(C@Ah35Yji$jMyNWMO66)nboR076249S}s)L<3Ni zJ=WNpQ?5zj5D-onq9B>lkZU$|7831NBKLFsa#LC9p^U6^4o_33F)cIU*qhNS;pdxn}U z66M3ErT`0JGoa(N!0yJN^s(`DHHO*@{_s-s4 zl7+VXpBbV|c%=A~xIMd>q34q9Sl$!ejyJ6#W!&o{a+9rRK^ zzP)wTE?a4=Q5|ZeBuJqlYJwVP_zy?Mh_=qMna(+D%YovU2Q)->{_RyI+c~ePfB3*?1%;r!N6!Ec~ItQ9#}Pn z*Y9BFaj=A%mE=`AtktAMvheVJXnEg@47z4B75=VPi^|uz;M6ETNgQ<0<}d!(>sbDj z&89?gKmvj}X-MH6-QBrX0gF#s4Qs8{tg&Wwsj}B2$esoxIlnvEy@J$P4zYM@gE@r9 zSw~Xm%gy_mHGY~_v$waUd7(&V12ZGgkgsw$D=JnMP2wO|(sZV>uokFukSn{Df#jDY)>voS7VE4%drOV+LbcSu zw6dBhRXzVphQ0p8m;&J*vVC5tuYjDhSZL?g!?V=-2h1#B*I;nMA!@gFo=QE+R>9&V zr1#uh`ZKwr@J!Peuz_DKFEsUuu zpjRX`7foV;o>Jpl~}_P>j%AZMXx-$K}FwO-R& z&QsQ$iD^@sV0q)LvW1krE&;&l*+s9Td{e=!OQ#`=iMF`wsXZnEyH=K$Ild$)i7KHf zEM8@AzMt#6o}F5H1p|9CGSt^8@(#kDe08qeFJjmO;fbQW_J=h)OqfU=`D`MG3|k|) zv5~tO1s37#kPoR-J~UKka_AuQCI$nzb`^S3KD0wG>_;!HI$ROlahbH+0`FzzDZPzYY?=y_Ab5g8R%#B8#1Kt;BxN1( z1bH*Y((50_^Ez#v#0`YDrqK>!A?kiNl)b>Ak7FO{`>p`#^|!qz@-_N9k{k6^2`qbOKFX}J9*aWBlbf?Zs5-Lx&`lSq7k46Hdl zQIIN;tC$ShGSoFM!%0fKDPvPvQlXemu50e{-SpRQNle^vz{a&q>aZHftU+;C70kO!jy5MAD)r-$u7ktUJ zi3!Cd3iQQj;~C>{N>H6=19S=u z_z9{L)Y(T#C}@DTK5)zpQ}5|_@Ra{fL$QrqOS&&~jVEKbOqtu;3VhMsT}m#21#$5; zj)~J;)%ToUm20?ZS}o0t$~P~XdK%T14e9bZRBXWBNnftx24|H=cXuzEIRHiI#hrMa z7K(MCl@g#@HIb~x%_bV^8-@^rfnXoj?6nky5En5PWV+Devyrt@Po;EXD^{4!@1-PP zzKV)Ok(j(9Gkir^{4!=q=nvSKhA*1A7sXnDcKS9Vu}4CIr{pLmWEf$OylCc&l$$l3 ze7PgrN`Ku?%Kwflx7j>mvAS!NTen*vu5Ld`ua|=MlrlsqXQu%;mX6~?)_jT3&_&sp zoTq8a%Rs(p=E^S_jQm*SILV8q+H+nmwZoP+rJawsDXqP|xL%NOLE_>9NuMv{o%sdh z#f0Kfp!zm~($mnj!;K)Ubz z#zMj!b+Eecfa?5Y6^y?&*gs-}1yN8kZ=WOV`^tooQ;SlPCnQ>(%X_3q(2=?86xA7d;0INRVKxdnc-ovgfz8S`I}`laWq zwjz5Oi+GW(V)*B0l>NP`q- zfx2I+tLS)++NP(uhfC!;bgyiO){^hgJu+Udi=WbT@=<2RhblrJt_1y23eaQa>IaBo z<)QxrM5hl~osYNAJX%wD5Ucwit2L~?U|}_fulaEI-ERIo^TAB8LaOB=bKQh~=O010 z3Z-&DjMIQ61g(^;))1DKoZXt1a>CF(Qr4P+)6&!87crR{!l$)aD?>s7^}acFd9sdYy*#SboLX$n{1 zlfKTipFMqWdj}F-cEWs8-C*`U*P``!%_)>{(hs@7p+^p~fUz${oRAmIB`+&roX3RI zX-LB<;FEg-$mPqF%++)nVv)q8cN5XrxMKpS>Q?}BNv$PR1+DZbW}!HQxbJ%Em)2-S zv5dx*Zyz?g8HjJm;vCbsa*|h+Qaq!wwvAX;{;_zSt0WuhTEcR~vSL;AvEJT~N0s!r z-qCjIf{q@oaV=4|KANtzwu1Gi9H)PLqj(w1kE2CpQp2CGFMTp)=`V}-Ul#8_&*J@P z_VSlT{wR$+$K*c9S`I4N{bKlHA_4cShekhK^8tF)a%dHA{?fDl(z7b5StOmF+gXB{3Pxd)h?={i zFbb>PfB$EwA4@OTK*5|he|xoe|0g&O{PbsmfA~RQX>yv~XVu($5T7hzs`K5hEnrHJ za6De0!@vR)NkDvslZ9Pa4 zdXQ`ePc~G(>y`4Def3+`$!^V=xCJ^Q_Z%+}4me~*&f+htduGUk%X8_KMu=g6Lm!Q? zcbP=SyV5dp#aAOaXe8ePbDe{ z13yLcBoH(TNG`Mj#2ajsyJhb0RbL5I0aJYyQf# z+gal}sPFl^1Dygr4W4l#;p@m1!kd}U!8(=46;ZK?GDr~jYK<6j4Rm+s%As+iE6;ra zh`LN}c9~A}P;hF1CBO_oPY2oFQW-p}soFt1+jg7tg-PF%V%WOpeY^U76-uW}kPiB8 zMgsz2+(SZqB(9kxKbpiWRN=7UC1w2-oMA*`ZFIN=Q%?bmNlkA|cEc^aLIMy53t*bTCr$g!}8 zX@(WEPG6egD9(!&BRET;J#ffXB@ai~qhevg52>dx$<87j-whJvtv5R=f~(}*eGO5J zOwvhrJyi@xls7y!Hv}>U$^3FvL1)s08p;lseb&v&>b-JgoM1v7&N8k<5!FPmXG5ln&Z$nLV<~ccfE#m%4A1Uu7;8 zorjKZ$~3bmeJA*mATG7^;V$~wQ1)k#;(k^`_p_32K0`x7(ireQ^LPVa^9G*d-&hDS z;8hx!pee->E}GN08RO6=jhWElhG1TGKE?vV*W6h$8}jqboGEoa_Hrv9_vGe?#Wk#_ zt5%YIfYU)v_q*X!_svQ7z#YEn?(98tED5CR`&0tJ0kW*lQhp%IIa9qA|xeCPKeryX`E$^8IrxAFwJ_o(y3vCARP=O%+le&74YiA4AF|&o3qF zhNmiw)`8l=`{#D&bh1&oVPDUvASz)-SW1U&a>Z;VoJ^7c(TNFWXI=q4_Kz9%U*SM< zk~j?lrXrP5u2RXEoE-ggbkIK>sPl(Z&d}m{2lAO1NJB{OHh_X1^uuPm)lmQMHFtM5 zpCEY9P9LP(CX1D@0jX3W)so4q5YUj6nuHQ2`$VJBKuQb=r!>4t;|?#wYk%`Lht`uE zPFg-$(J6&Ag!9BEn(UoH@jK8bRRDXcM#l(bSrQlh!UXVy#?V-|h9brSw52oY>k=Zy zlL_?@1dKGg!#o?eH0m2vPE+T@OBGZ<{fPs`?qtbM`m!p%=QsEYBc@~=P?1$09HY7X zB40-_lQL;4wU+ZSWwGtXHUv3xhB6w720GUv{^h{ixd0@nU((?EhT19}6r@d%%ZtyJ zW(3d2Pi^n+eyvL0lpfd0Bdfb1nTXQxsh5wNz|)?Rn5ZaYKAlWR43YlEL|hZ1Mm)0m z2QmH%eU$n<#KWT|Y9WoYl!;JHQQc(KfuLqS3ki~KH&mK>*~AhqBX=iVLesF2k|pb+ z9%X~F#PNwXslo ztD#)p%WV4Q5?_{*P`{>5_SodSR7o!j*{h3HcPgstWL+P7jpsU=Dw|f;G_GP_&S5iE z@yRskY+6G$y)nB|luFlmDg)fix$MEzv7X$>ex^_CL>L{^ex@J)GQYXktP#Q5|GL#~ zrH>%yeEN&?pr~7YHzOg+rAUxlCd@!9X@N?nrifbxEJMeJn2{*s zgh)qLACds^Xm`&*fIi`doJ4xn|Sm^D;?}mbQ zP5o>&zQY0a^&SL$b~u{|N3L6EhGXA(4jI2x$^+$8VCjywgR-W{hyj~I7Gu7W6)OI_CMUF*_5UJ9sCvByAJidH50s^52cFGo zm}Vq3mcmMYX>Wx8qxofV$N!68{x{&48>m1tcwm!k1Fgkkr2>GdC`IM9MXqa1#Sx3O zs0&OXi82MVkb*N~0_tdi&WRGHO(Ij68{>oq0@Mn^Rk{Hv^NZvFvOS$DQb2vfL#a-} zxMXLLvM7`4mdNB@6(&r_^S5>e{luQ!&*kPJblBaHg)VFzPYh_MuzxuAh7mFW`%k01 zMg5Q4qq1}&`BWlRX+*wi)oL54A5xK79(XO6Cm$f?nWxUXZdj*I&6aY%XHQS4W1gDK z=yUzVFwJ5mol`wmYX?%YOAJq?9$o`&T%uFV9dJoQzk?3b6uC9CJ420HVPDMeD{>FX z?<%bQ{vN%VPads9AO^HxVBY|~XcH?fSkcpBYIA;O%79G@|oHB796E5kXa^nrDPdsep zjnvyDrU9G_Nh~1+a7|^jlY_3T5*x_XJW%KTl@CZ9vlxEEgJV_0hMrEB4B()!{ccob z=`YNn-1fP%XR`AbGV?FV%5UZLheXpAo1^W3g|33>jg62R5qlDT1pJ1=D`&S1y4Jo=Zj@eMv#N&xdmb-M3h!ANb9jD z!ZReNb7fQI1`W*~Mqqe`ln#39Y%)&};VKfF(rJR%(G2t1XpV12;MAF6Q!1klA5^ht zX(2UKBgpk%fc3QX^|R&0Y;f(Jubx{QS`pAr>uJ^dYJ}9N#{~N$eg6yXJZ-g7Iw`yU zNCn?qS!B%oMRftyh91VW$d`MC0-S_PkWlZ($z(!e)q&le%c_?gJ#AIJ<7olY|3VQ# z=Fvzpsu8$jYC`U{=J{fBwvF^gf!d9B6$xxK+dE&S4FzmEny`3|h2owFZPt|oXH;Aa8vvVId#q39b^vYH|tzrk#JO3%`ODtl7<2~b-*(w6B3iys-a&< z_#-?ep>Ryu8;ROAj(y_GZ_Z`~)`Eg#(k6}2KFXnMSyRl&;1FtMW6UV?=HS5LcR9<>vSwBBf@D)_cdgW~E4%Y>0$762L;C)( zt}m16?(elFXQ2Ps`nMNS2YcE0$M%nnwMD@7g+&VqbxqFngoe{tav#a=c`hS|CXiNy zIC2^ilv}uZh#Uv~E|q`D(pwUzQePUV09BH~EfL1eh({-AtGqV?mqGhzb9390w>c4L zSy@!)-i*viUj9{H7@5?WS+cd(sEb%E9lYTJqXXx>;VkZ*XWkndmTt8IK&nNViZM|c zZT@K&YyMjuHBn5Izo<(wqgT^tzmqn_1vn0GE{z$|)Df*AXT9fOfo?A#LISuJ$GA2*-nU3+4}e_1+CIK26<|NOtlQf>XO z|NMXI2*k|M3*`o8jK>;)!Xtl{yrG}Cmt@h=U*R01rdN)FTgvKNOg{||i|MB|489(a zr%!h)ps1%C=&*M_=pA$~dWW6DQLFJ8i%AqAlj`DQ}>@K$!DnP9Sx@xsxd03Cw3k7$Yh%ZMs+a z`uaw&Xw*!Lxs!jh-pgKiruhBm^(4StP_N;!rmVo5rmEsC=7=4A+1P8e)loJe{WcCd z$T7b1MxZ58*py`@|4 zC+T-OQ^ALcB_c}1r|IznoMqarR)x3B{q8bLtJSiOzt8g42W&c};j|HuD-v`N4JRxW zc^Y!-=sff)HQ45?wRX=^MCjLqB&5OBEs_7I*(21TVU!q$Lsx66%HgD1QiBVEoQw#Y zbWr{F;P`CV>i|nIy0q*V&n6XeAJxAv8W|Q7N&?>kX;gIN{4$A!W7$)tBkj3mwWHpv zN!Uqkdzyn}Xo69>gMP5DrKeP~_z$|fbAGD*?O*s)xNvCVI`HP{*+p;I5I5q(+i0~~ ztuOcX;BTwdD*SCfeYX4bZ|&V@yY2R~_S2pA-&*axXFKh`q1MOf;C-Kj3mpHg^}%fw zJNGa0Ibh*5#v%#yjVJI~2I&BtOnq?XBR&G7Z%(dw)BUVg(`PMGXxIvws9f4}%mskUglb=``$6Az2dDkh*J$k;U(~*k1j`Ftstf3nETlNb zg;Y1RAT4YWju>;;l8*#lNt*o+rHlsthkZ0zjPJWQgOfXBnS}Tj>^em1=C;(-z?k&_ z;B`c9z=!UnJG|%(M&I_{@7K3jL_*F36wB%8&d3eg-PwLP=5<888AJ8k4EWt6h)@mu z5Bo^q=a{QlB$)=BPDR0#+0_p3Q9ZkI9pC&kn0Es(stI~Uf`z)~;^9y^;i4!eZWcyK z*<7F-7<%R@#YJ_%l~3Sh27Fa-GoG|xza91t2EB{XY4@b3JANYZI&6Q?)UzE-CldP{$Za_$2h+^>z^)Vo9$;0WSa%X zX@Gwmw)x+jahlm>b$j!ZVg3hxZ1!Vwq9QAb7#Gu+@LvPl0jYM_z39H`4tt&21w-UU z#Ml#Q@V_zUB)!4)1g=}=VprAlEIoWRI`0mL-<=H(_v>4i$(VQ|fQuNe3x3WK_6Vqy z19ec;I8C44-JyIHy>qNp(`D)^-xlFKH0A61!DCpPuyYe;_Z2-)^4EJ>cU`-LH5r<(tbNQ1`Bn`(a9V_J4F|M zD?o_$Y0?BfJv;1;&d&xHk0Eb?5%Y8kalAsOWrU;6R0G{%C)@h-v@4 zfTs$`@fd8WAag)e`TaKZ*)M@-`p2E4Fpz_$-4f~=k4`-$T{9gF@YKtVh<#eW#;8c8 zyMy`y!cGc&DW#tYxkhsuCc?T_n{xt)l5s#iIXTqj<@8YcGeGRUmZh%KV3FF>S)V+b zz%t`Sda-pgw`{IF^7~j8}3uLs^OmC+FCpH0o;(=|vc*CS6ru(*P`Xhmxo@9SZ2mU}5V zytysT5k^;V!`JjH7ai{U`nmx}(-0TVW8ox7Na&HKPk9vJMRRa*)O^$ZM_(OwfyL_| zIQ0K9BqC7<=5rPk_`>mdg=tskBGZF$asF8iMEKE~))qFWm4d$G+A+)7L(mp{fy=w*E1 zg9vVbJdm2p{Cq2$i}10ebIzD+5Do`yNOJE zLtx5Ue*{0qMopJGQY@SW!^_I4aEdGpK}vf(D{IFn0tQmM;%Dq z+0XCEDV&|Jt8lQexao$n`Y zs_9p(s|V^c>DDfE3rtWwADbxkcj?pw+_q)E3NK6HuDy&oHY0?wxLRyUMlx*^{fa!bM706`Iq41XB z;d=GL3F!a%obSUvch3OOXzelDu4Iw zJL^p22JQvAQj-!;KbyiVOK;?%erl^RKvh zo30lYz%N{qM_uVRq4u08W`5#{zVCF9^M(ZTQDJRWF(BuOsXif)!IwK7^n-quMe#Fl z6>!T{PD5&1)>z#}H_Kg7#gQN;N8>6(M7MSKA6Zbz}ja`fXYj4}f z=zf1&NB-L>+W&TTzI^r<|Nj&psWyO%?<((c{a0TytrP{d;`iA7qAvFf-OS@Qiu%Jh zihAWnQD0}LsF$`16>H=y!oMaY-8TxvRGUm@JNq5|nlM2=z1Ls%S!?~z=~OwPyWERu zBp#>+u3Z0nyRDtwy`uf6wfC3&_enl0jPvQJ+upE$q#jtBX8+0}qv{N4@L8Je>NALv zHO73V)7_z?0PDc*N5|dQqxbucj!*bSS>j83~F^&0*;csm&MPA^99dV^vA>~z20&fa}D=$@bV2BYD@pnrZbx_E!y8x77+ z4tuZm9rf2)TJG@d;M?9{bZ~ZZem3mwJLoeujK{dc|5x4rkHcirQ+62}oI zA*X^~K@N=3jQTzaMz{txd!N?g#7kl-(u>`zYpYNhmG#pY6E+d@VAN&O z!?Z5=OH#kG$#1&vx^K=-dRh1I6@J6!WI1?q2O9<|t(TLxE1SyIQ$sa6KO0`W9`uI$ zPA1;3u6#J?zv~Uk&H6FDBJt|F_AsUulO;o$)f)B&aIdmlm6KQ{W?WT2y=z{oZw|he z)4F%u9bWVghQ03K;7tyH9p8`>9DB2+ohZ~V_M`x0Rd@1`N`1;h%6Dufq=VzPa<0P_ z^(D}B;(xeLw@xol`v=|O#ZmuwX-7lqVJ?nnuuflX3=M~Q-y7z5$)WPKQ5j4_q_y@e zm4@1S8fd6Pa3~)&6@mnd88~l+R7k9{B!wz;XX>CtLk_nmb;2CMkV~zPoc!8Qh+1yk z_XFymuLeV-+;B*`!5uWUk4elWDx=~1;YIIc^uBu{7ZNaj5IUVgxipT6BiVK1(s0|X zgcTynQ7pNtRR45%(LFxy4Rn*4jUa1Pqx?ExV;snt!37S5_DiE78Yf&u?GD(Ks(6_| z65yi4i|*-R_xS8ok{RON1}xMB%}VJR45Zw5B*BU$471vI40FmM*VEC-w^Z=o?KIp5 zS0yrDm-2J-&B+(YO|5+=_p?ycOoV;Me6w&e;77;ZSH0tX=Ui-L#GGW4x&9@WI*XMYn${_dv5}R(07bMpks&Di-Iu zKIk3xbB)Esr`(n>FJr&P%HuabUSbI=IbZnIgNQEZ$vg~5#gR_(K3z*-d!~S4& ze0I>4W3cbo_qEZXsjWIF`A|ibZ28J2M?Q`35yIYdd#6%tF34gt+*7)bW8>I8JRDt| znZ+t68G(z@SkpO#ZxUS`sM|7v$){-$GqdaH4dLIiz7#=c9hqTO>RtD^f2i2|uvEOB zY6@0=PkO^)_jR`94YS*KE@mXNZ9|k0la&LbdVb-ijN}PoaT=ga=jSZ;&tvll3px(S zQZPS;TUM!*OLf-2%@6W^a|nCGKXlaiISB>dP|xf~uKnW#i2IT=?3^3SGJwkA+(4Rza+GDcH9-p$M>szj9rj*j0HxkAI_w>F-yUD= z7vuQnd6TJYCQY_)W#Ht3+joj1J7XreKEw}&wT?p{QNi<}4Dt=>0a)J7#UdieC!9(h zu(DCZNAiGSi7$m}9Rg%$7_+=OWoVFBOHAIFTrjKhNH|5VW*}^BTS=Fhhl3Q#+d-gn z&=lY4h7Im64x{wwz!5vDeAS&}lYb^v@-48T5w3 zmz@{qXM>BE%~BX;`}6#H8KZ2gT_2Tuv6xexN-9wYM%3AGq2YU+BfPMtiyCl+M+ER?Nm9 z>-Kc)4F+d}QT3kG4^>>GswI|_ld~%I6}C53XCn(SNh{Zw+Ls|q=nXBLqmKD2d zPB_O?0x|5y1SylQloa>{VdY!9j(1V+l!l&2&9Ip+bSrzhH$gFftCboi?2s&t>Z z+%}+8Hk~c=s`kqaVrliY4Da`$W38(ybjk~RY4x?N_Z3TgDZtV?-!KU!Q&SA2!J#b7 zPa$J`v@HOFKz+Za_WaS-icM~XM~2K&a&?ahny@7FjghEe>d{xBCp6|NYAd82i&e}i zb7a;m+GjQCs}MU;D5S@0l7v;|iu5g?+*Q!F63|lqnc1KvpZvy(VyvzPz;0lU9--T$xUe*M#J``ME_BkJUZ zoUDQoaPsKt>1|BG>HIbaEi{yb%WRAW?usK2GvRS)j%n(*dDHV<767M#20C=L$#?q$ zgk_udgkcIgtoV>fpUgSbtd23psm2VjH7kNgz}7W6_|U^h#pLL zv=tIhicXRVguw#BY^uy}E`+e;$Rh z4r^4(fH(-)HAnSZTj9IYxnEPsr?99I7`H=@RIlz7_?pZ6F1N^2hlmu8waU|%#Z_+J z0vO#-34j25ar;!a|fp(-`~2aGSU1 zuLs>jnDxr>E4W!DXKpfGle<+q)6jbK+er~vn4{niF|m$&PErYw7 z(vxc`Mea(xVbD8DXa1aWuQ3VOlyWu^F#X4v&zgcpBaa0v<|7>XBee?&lke6$2nde% zogc{$D!(g2-m4%X@MQO^=X=keeQll(h<}&_0laEI-))=c?}=pd=JBpo{8db+Gm*h+ zfBj|J2n&2wWnScYqkv7PBz{fA3G>MSU*}euS_~)P4Nz}8dDCKDKDP~u{nMkfy!pz+ z1ITJx#;C*ItGBPK%YV)t~J)dfr0TEIT)nd0c-4#b!J*^mM7SkyWabWf)r*2twRS{_BV20!U z`WDE8PW`q}t<&nXAqxz?zC@e1iWo?+B#KD9Rc~!0opizi8xu~%*(7VY1hjqUZ~5|ByrG(;?k zVGT6UcLe!N^7)uxon{0g=QRpMhcw<7G4}Fw&-l*g?rw`K_9N#+yHnrEX2f09YQ31n z1p7eM%lt9?*$}W?KCO4>(icLjXhhNWvKLB#Kxph`+CrKLcRbHCGv{ z#JO_Sw$UYCpT0FKxLzu@T{+$8oN$5XQI7l|J~{PU1@bNv4_6$B*0&Vy3Hrz9M;D)8 zG(O)w{r@tKKvZh=HR`omEvufE!*U~FYYZ@dwVSIFnRt^&Gz>}HRDG4dwiLjuhq}nV z)BOF%A6@t-8~W=R4G79IDEll!hsB6WX7Mv8zoHiU^5?2jD0gmqs~hXoX^!D#rAUaJ zA6xBK{v8hpiBQ{WASC4<7G?O1T@O`Tx#8SELxE$JnL@wMItTPYf42&ss8mfM6A<)~ z3XaZW23a-whiL1(f4H4hAD;J5N9X;+{rYDXh;L~SD0`u5&RC8(orXAgq66VcjmKmG zBsYe=%8!U~gq%wW#r+!9O(TvWdwcI^^mlu4fSMx(c+@IUMX;!fDtdSHyd;jLp2_#? zTMe_v5pQ+9ORKka2=VmcT`FjR73y=_Z_Wgu`# zVi^$k$Z0wmsMDh&tOt=j-Ql*8{n!$d@-O5t=`qSZ*OE;EN-6-Ny4|gR{EhlP=5)AodoJ>>k;es8}V5weNzisE1arRo^cuL?3%znk{8uSkP138*!r#3t7 zA8BnUAc%6=xd?Mk{3i&HSu85nZPv`gtv%3MrX!4r+^6D15(iz8c+5CKbLJ~=F8D&Z zq7Gs)3fMJ?D-m<*x9@s`S7*cCNb825?W6Q$3H^lr{`aM&M4XU&iU0=Hz17Xj!b+9{ z)my^*{rAF~VgLB}eKnK{x)o?wpWPs$U>X9PwOPLT3M`V6@snP&rdx7G-% z<^)T;8L~#dQi7JmtR8wT{7}&Re5vYKFTL5E`RLix*7^-twU613Sya= zK`x{Ge6}0ND?ZbLh@;27w9HO>-vMJ%L!QmRW#YY4$&9LYeB{*s&srP%n!V2&OL>l& zt`+@1luN)CI_zb#pIw@WHT|=?oUfdE}Q)C(*Ir@v;0z8-ltrPU^aB_ZGuSny&Edf$8H3mOTg`7 zo7XrFAJyD<-NEVoT>^FSG2l+d;t^{gH^~l&ctI zD_(sVVL1^4;-d;FmxfUy_RIE2m!KbEa_!2=2Bq$P)U(Zk&WU&(6B0fS^v*q?)v4a& zVDGMiZOIuU?EA+wB;%OiOH?-AO5(e&`(s$zr_}^W^_A6gM4>%aCyr_j7sZQ^9k75U zu`W=#steOa!n@m8^Mm>)=Vyb9?&$?uw@UriAXPOdb^B)4u2p#5mLKt1+J5!G^}_t= z#Ky(h;Th;-2&?e}y~x9Xmq3)7fP_;qL;fPfb1HX&1>#H@#yFTIWpNVvQsulvIG~qg z#Q@&Bq962Gr^Bl!s21t>>pSTqYpYtxo9epmk~0RlcMq;V*Jwt9h@*s~m?$sQ^q}jS zZ2Bl<@f-*{qkfuSR;v9{=W1A5NcIhVN7T(mPOeA{5dgsFkE81u^=8Nm5;$~J?tm(1 zD0uNOaHxSnTt zX2}il(6g5Xi>+z)m`!QaPjXetpZQ>L#31 zmzACEV)2|2U{bCAZ@|AlAlH|L6ljCS{L-f}awC+!kWYUs)ZNm3mZEL{^fl_B12``Z z8D!*_Y%9XCTwj^f_f`sVTMnMR5@D$2;B`=n^z)P=XxnPNY$DlshC+6YB1S{Oi;LGP zXNFd{U_*!roIQG3_V^^EHw`YZcS&wkdVFvzN?qlf?WcRs_S(%vt_@d$c5&#tf)H0Q z*YwQ|*p$l$T=*;zPz1||u0+A5p(|#@<#J;Gd$kx)le8p(J z0%K^p#xf3+VO>6?ni6py(@>8Ba)M#Gm>7CMKwXSA1~zydm@3Y z8jS5a8i}4;;NX+m=3&Fo_WP-v@NhV&@;oLXxrx+1VgvzwTBs&^uJQCFdL3`eLT9hk zRIcw>-CcM7*DHeLl~;pfmP1iO3Q^rISRBfc;?oC;`yR8L-Orlk-yDsM3;Ub1liqsP zWXnoaacoh72{9-FHf`#?pb@ZX)}3@qT2a#}*`>3MFlP*}#Qwv~-jA?r=UBILu~xE= z_7ReM%qE16Qh7%s8d+IK&Dm35AWyP=sX63gYGe+zaPA~XJf|TsSvCv)T~Zwd*cu%p zqOlNJ!;$T#W^>agfE6-PVeBitw>`68!O=z%s!NAcB2>5*n6m18BeVABJ+}*GAM3gO z*$U5XF!?zk+N55~;FSUGzQ^<64dlgdpy4Hr;I@Dym7!1?ge1R8EN6it(6&VLLy zVYjEDl$c+>%rPKKr$8I%5YDvC1!zeP94-W0nsCt^0uvM`95c!{~OV(2UU8wQ4! zG!0sv!t4DdAM^g3Bh;(v$(r>uFolS&sQl@`l$tSpe4DGK?^9ORQvJ?12!Awrdf`=t z+47sCUU;=%R|x@0cx4>4{wW8gQk2X@wMv0z#p>>bR}YdAvTYO#^x_5ToxU3lFS>(^ z+(jbzXC?ht4&KU|D_TU_Ws!tJ`8b;%mKNn@PJ)N>cbP-Z=Kkgi-yTKNHEZvf+Bpy_ zgvzUuHg#22qs*s@(KtVbpS!!-=h*;uKvyqHo;epw*`4Plu@n3LF`EvUP)slrS_<=4 z9Y!NZT|-0l+oQLq2dCYW-Vd#x?rce7jzb@Vg#qmDyf9&ZRKfDtJc@n|lg+uy+2j@WE|W;No5%anEe`2# zwD_TJR@_geHP!X~ zLVYP}+Ge_J%^sM8fi1l;9G|@&oLzJ;dIx8xM^M4EYw?YGI#o0Ek#bJMDZ5Oc=$_OI zBai_p&WZF*$ON5`c_cFMEbygzTFMQ(&-(kw)B>~h7FSsuBczjr^M zyPs$A&E%+|`fWCNcNSAEQ)L_FI51q($ml8MM5LZ5eYm*vZC=d`v+MI$iy@wqx4hB` zTuGhsWfhlIe%A21f4E=YqCRqyqNrgNI>mEhiiO)1qDDOjQ7-U$hJjHh>II0UVylAF zEeOy1$P~B6v}DLiY@)E+9mFjBhK-L{d~6oc_^bS#r$=~&~QeOSk}c*EwETd}oG@08vt z3Z7lVjg$IriLZP|Qq3me1nxxW%SCj8BE~rdWw0+yyskNmrIO`INm0zOGX1fT7%Sk} zuq-JkI;)Jg`%c~JPZLK`Q_N`WyAh7XqM4S?zBv{1SRd0AU{?#zB?JnP?-}j1^s@0@ zK9S0Uj;btt-rV0W^(Dt?T$d}pYm-hY%|v)rBvZv5v;p_I#*7zyLV-b`x;;B8C7WB_ zMOgOv;yxp)w_s^%sCBhszsu3$Il8M_n*%auS0o?dMQZ5T_5%fs5G?nC+-#CUwvD8- z%p-P?gchD4m?13C&TeOK56xH-mqg*1h5b;F_zDO6&fXr{*+pN#e|2wOEv;q2=}(w1 zxpMWMP(-Ci6W}VqwUt7u%L*j>rwlQ_RwrpPL=lrmVA#en%;QVr@6K ztt@TzVU4WVfi^af(Xxm&Tcq5E4No=&k1!2nF^`2RU^zDy6ghsTG6lo1Iqe;rkR{+U zz~*4P;yS|8#s)gaF`g4a;tW>3-2n#;6X__#^VAAd-^st5vFzO;iAd;k#6mQMtP33! z8hvwP1HFx;6vZpw4PeRg4m#~-q%kYoUWyOfnIF9SfoM~C_*J(`tgv_X^G99{)Xk9* zn0LAuCMuRLbTYMp>W<#a)mLucJIgyDOFXUv5WRZ>^7BXP$5M6w)v*(>syJW z@3y-Af#Yi$-eXrkwva5UNi%G&#*i?ZhJFL(f&k5N2uGdk*{Uo0n<$Apm6&qFrCvU4 zq;#D>WN@Z2OCqTs+&=BN8oT1+oa zb&bnUPqN5Fz--Z5RUwbZPZc7%j%yUhEKb8WSS~VUj+~Bt?p=m$8ZuD@t4^m?HeiPQz@$x9M8I4LT*hDpIWiMb?-I*ClnsiTcUD&>J(gHonZRF>Z~c^z9gtKZth zx?3t}Ep0;f=@T`h4xB$(Q_a+#_R-q>cq413l7l`GL2}d9QRD>@7DM@rI?oX|_{#n@H!J|GV`0||5uy7jy6@sT_<(A(G zEyja-CF_7YV;WWk{a`_|Ls^+m(FGOd1%s+)&SR-dkq|;7g`Q4Y6syDMg^pAyXqb?S z=q^a7dqOTp-i%SNA~;F;)??1?<%87VQsu{))E*(+X~3sUAUcl%NFqd3EI(DXvA(>v zo@Fd={VG|NqBW%PA3~vv?^+ulgn7HW+W@bvU` z|MYwHsNH&MJ$gMjdwag$ZhZ;QOtp5arS@Kx88Zj!r1}AwS1HQFvXws<7OMBb}QP;i!TcANmg+`^9y5Mn94DXOM zcSDa76NyOfv&DM=T_dCVX7^qZoW!InON;V|V^iit2?7pZF^4|I*aG7iG;RfAED2aL zRflIW!J2TM0l|3_vQTe6ho`&*!7hS|gWw66CCJfytZmY|cJ#m~6>3#njMCgu5zt~6 zQ~wf%RDgs>XE^>n&HRukS^Nu8m7;s*l^+mn&leeqIz8!+0AD8BV_$&ALQ~1v=aIA0 zbPdlWK0S&044y&yld&%P2zy=dB_Ts(L1)hM-6j__HGYV4DVE(d850AW{E0@ev201m zCOIO!94Oxgwt^HiyMTQD*rvyj*8zc>`Ip#ha_VL?bE>sGu32m&o4Zj$RhAGmws5RI z86Gro4BSMDbOl-jCtKgdzl0nsQsy0Tt(#>oPBf_UlmQ5>*amh@Uy>iR*ll>7CGHuq z1FS7E2Pjoqg_?fIEVK5-FHogn+T@?s^*pfl(w3w`A7z1x@hw6^8=O3PY?HNYFSQQJ z$dsWQw<@5e&N4vpHVUt6WvI?$-Q~iBT6kzH<=w(#I>^{P6ZU%bghaxt_*JAJ+KJDx zmi9sbi05_}{Caq@-~V+8{+E5T$1Tjcdkvx(hIG@!tJL-tv@<*=gK9+imV_Kl@&7oWhK~ z@O-}8LjV_MtbkkXcJuzb5 zWK#>-NKv&QAf=qDhw)QfX(oyg+PHQMQV$YZC`x$l_l?zgYrZd)hZ4A)v)-Zt>*XA- zvmb}4u%OCSdAo{iD0EO+QTS?2?6{EGkq_{>SW-m5&Xz)}dtprue{Jk3Y_0rAO$}#< z8^`-@=HhG?`n!DWRU`qxs?JNilxfE~$06I`Jc_auC%VSf1z|QOPNl0TxllH0wh;N) znD~f01=@8(al(QTp_z)rUxp4xJan2Ri*dF{paV3EiYwju)R>+u4$U2^EQ-f8AZw!y zN`H)Tf>7(+$zYldpzHmLbhlHO(3;jpoyhZ(vn)Ep zs*|C@6+*CsU)5@?iR=`y_mb=j!kjjh2AkX=n{%mAH$f9PBWY-42yOIDGtQ?Z_uc?_ z%JSO`e?oH^!!*N>2srd5*ii#-jY%8`&~z~#L+C-T1xAp>$0pGATCJAKPGdKdhY?1x zCD@(QC;z-t#r?A*iLJsRx*t>TVl@f3t(lu*y0)?9 z0feSftb|j3~CxdOskuuaDaoXTE29U*dabX_j;xA0dDmsvZ)yA2F8938^An zLRcIm(zqo98vHQd*tZpBB$KPXBHyu~3F3gYavr}y&d$)G(rIj=-$C?l2yWrdK zsW{DD@U8n4N5&+(;M+GeZf+NR`^r(LpeC^=G`>T&J=Hlx6QL?gwBPRyvHK2(h{s73 z!=%ze>3}(LEG>?s1r7kn`DKn%s=1f2E|=UJnFQh5FJ$X;*Q<=F6vsdiK2^G^L%0b9 z(cbvz_Ki?&bay5%sq#B|CF0{=sYJq-CVgq=$?{{f{Yn^_@QTGKw_gc*T2J3<= zm(f26aR!VI*bOK64QUJtjqS`eeiql@pF6-ov^c|6je&zFc$Swq*5T`Z_aurkqd9_B z5m_<1ErN#ZG@dJ;;=ySE^DSz!R6SFZMG#;wrFt&1do_wnaZ*4jKr-*)&_VHU7#H>Q z$;V++D;|iWn-8NK7f2(=mIa5Yxz+_Z>{nz-cnqF#V!UO+%z!O7Nu~YdK{g8ME{b#( zw}Mp!`T6G+WZA|yC4WowcP=c{%@0|rmQEOn2M8??YYdhFes~#OK#%PA?;3OjA@H7= z+4LJ`Vk`Go;&|+RdzQg@j5R*dWaMyo7t!?0N3mXe5o!~OOv@-%~$b|J?iel#GzNf$5jS==x6)X`6Q46r#DU(ZbfpX8JEQ~b6O zTwx}pN)Mtr^uP`c9-3f_yai68EA%H$xO(L#VcG%;U}I#Pbu^^kokLP%lH9)LljWgG zICc$92l(Uk2PI!khG~jUof{E5x_OJ@+XA3ZjGuSp zU^?7i?$U$laDS=OLXcPzxIBy|*^wV!bVF~CpLu3G+qRXK?-|m&FO7~)IhLxFC%tNV^L!3^c1uCmQo`q?`-J1d#aF7D4Ycw$R3b z#->3%ysO!k#m~KYSnSOl_Y}E>WG1Eu%sX~NjK*3j_1=l^%1C@;I1Ik$%?&!dHLwf@ zF-szZO|N}Fp_u^8#G_6h99qFhn4hgI#zShjWN}M8q>m)oK_?>ngybJoF)!E9gh*to za%R)Fa0rN^YTb+OV-Dd%!<$65SigDKVEtsBhG+5Cl^VerNYahR>1l9V+UIRw=%a}yrP zWE3~P?stWJ7<`Ld5aNvg=VG(RcbWdapU{j$b@m(}9O5{HY{#_kd;(Wv z&$)q(=Yyi_JpjkRtO2!q51TWp-7nax9REZd;Q8uYctZI*%5Ak~K^rJSzaK^9F{E-P z&D?ZG9%9O^mW~)GsenwfPUC;&ecfp!8J^EJ+q~sGT0fHnT4KhmpN+g?pxq(~$n2!7 zMR%YW2Pi*vP?yO;4b6&+ADzwI^w`bDGxfbs(GjomBu!1dE%v7_3Ho$3oPu|R>72&S zdxyP9d+#)!z1Lz_1hs)?i`n5l5aXL-T__4Wf)#+zOqv?Iioz~s@uqbph&BMW7AZ~C zk2cJZzGqt`!DE2)N~CdwG%~(U?s$fCl;a0wcI6M8v1EhFx^xP>r>#~(p!NcL% zQGc&{^twMB5j&OCyg;1TX1U)iYN8*VO<{JJ9-#%FMQOGgzlbPw^mjAD7B|Eb*ECPc zR;O-)A4$Dy2#r5Tt9S+R6^#eofah&Ctd4s8^;~>nYFDC?`*0!_r?8nx2YrC~0I0OX@6mTpBulVuOQOP5vgwNl|D!p{R z{?!ixrnX@fY!)RM-k?Yz>DD4`f~rJQ#d7^Hb_WzHlDP|4d65Un{YfUr@lYQ*^7+&-FMO_FJ)pFbrfMvP56-^ zZBc0Qh1fQv(F#OZ)2uSAoibQKby!UUFeR5);q#li+sE@4|L?~ieqy^vmiY7L)y&Tz z4mxa3l4#y^@$S%6Jh;e~iGdpgAb>6|6M@4e64%G>1KdBogUX-ybA#G_=_*wQSSm4& zMUFif&)mcvqr;XrC;e|P-DHFO^X<3qzInHc+wXq(@MP&M4Y2vFssjI(jPNN-|NM&7#P7$)3O|yf*uo$k!a0>0WU{(u%3c`{la};nFNGc3XOJVb>Sx z=66e>hxGoOXiN9wEfSvKzOni?Gn;s3a-in_cWxw(tdPC zcN)TMrln-{xD9KWr1=G!o@5n{qtN5uYk`&2u#OU%Vy&&ER$E}_jZzW4?qZ5Sa^E7Y z!U#TLvO8(xmZP&obmKEy%HN2SlD-mrDB8+CJPM+FH+PK+c<7$dvxy&iZ~q}Nz(%R- z3v3%n>uIBJ}krBV|C${qTyg~gM>UwMd%ck}Y-`C(LJrw%V z0Zr^j6-rXk99W+A^x)=WhbGIa3gWRcGu-p$v|AD{Mz zJtKPRcg48Ltxbs0S_Hr1a!}mvp7|*_52En}a3>jl*b&f7upUm7kwBga!)w)=+i-7i zcxtA+@>TK7q{dc?%Lf&S0AF11`$)Mx*E7{09iF`T?QH*WI2s(je1p@<%38(-ICd`} zzzKEPdz2^y7%FeX&lb>3A7h<^U4$vGqXe)AXfucw8MvCc8G#2p0ZkSq5-B~$ZU%62 zw|OSp(!m6ve|h#xZ_sgmv{ruW55Z3YQe^y(2nB~>^^-&JOrSS&GmdN}+{o}h z6%GGm$?!kkdHBNFzbG00#hr(LVHv)Z%k#fB>9t7b$IW`IxB^uQ(emKA?}im|*e8wa zkFq#lgxR9vC~rt(aTK{|oh{Zd;;#Ur2}=ouGuQJf{k9h)^y|Zk{F>C~Wv)o!HqZnI z-BI^Q=|eJ$6173E3G#^oK1lyzt`~Yr+V1)18@~FUMfO7v! z(4sBpF))YWr5pGj=GQSV14dT01&&EwYpwF2rh+K5A}JE2Y4N8%;>W51i$6T$$rh-g z8%B=3^cqX6DZX!wnE#It^dV0(@=n9z1CuRQmQDK7mb}`ii_srdPcIMfPfoj}IwJ?pFgO&h}3P2h{)1e$}o`#@=r`da}jbLA%< zATDisRC5oaQrGx2O0#KFE~-@Ia3)(q`#f<-lmItP{b^`S^kR}iQ9_t3@piN%(m#&Q z_Pe9**`VJa-Ce{?Idf8O8Dg?AQs9hFtCTro?pV_djF}A#L!9D7jv3Ymjc`6t+*<%A zxP~6DgO+obn8w5ir0uzxE8O2G*#`@%p*4Bd?44KdA+|M1lZi6yV?myzzpKfUiCjdY1Yo<;U-y1!xaa47cKnYo zN2quq-v>TAC?W2CdT98sbb#nkYM&tnM2e3Q6XxRQ!eOF(RPj79O^O~V62M*c1G^Z2 zuIC{RWUn7wS~ViO0X{C1cIkW2V;}l3l_JOc34H>=Xm1ETX7EVr5G~g{{gwvSstM=w zaY-I^HTAp)NzpYHf80@TWf|KeR(8W17XD6s$Zi4woX6Qs&W0>zRlwRIHKz0rJ00M# zB!!BjRE2}*=O}R4ht=UwLO2o}{-Fg92SyTS{IhW@PGtE$ebTt)gj}|sG#tR2P}oul zA{^i%2yWwlK{JG48wlANA#mP@%0S{M`B$u<-CzEqkIDxTpZR<$pTMUYBY&FyY?!Yu zC_|X#vJr*Bjac_Mh1sKgUtrQe${r`aXGoZO4`T6^>8msSZY>@sHLWc!0EgF5Qj;)o~Mfnxf-F>-b6v6b*+*cnibFW zJc3eV2mOh&1Ag~HUg)u#@hd0{l4lca9ss8yAmV`L)khrwn#XyD(yCu0-2H z8wkm%>V_VF>g;+R^b9C+ZWFP=JSCv5XcT#Jd%C{T6osV(<}_FK1c)w847f$|?8Hb* z&0zAFDqDy(-4M7*;@*I*XQ4-0AU&2PwAo?Z(1*Yw;Iatk<6?ORrH;Ts>M8-5MeM<( zAGW|LiOr1NGzBhuK8bISp*vAt7geb44)F0)&8Cshefb#OcG5t}I(&mx}{cv2Ywhv6f! zO)q%Bsf8bKQvwTT)^x{X7-vrnOPw+Z&l4SjpOR8CaN;fk1`upz5gMD>LO5P8_2+SL z1LB0#5blMDpA|L&n^Ty*Nnx@_;5gj`f}3aoCJ^F`3c+H0ar3|6bP-;BgZV22Z@~%r z%^~?*r2e7?L5%iA0*|6;A1CD%R>SqqGJg)EMb>HDihu4lw_88x(Txar#|d52+hDZ2 zczzlO?v2jDl;FB{LJ4?AVGBw-B3{ZqmyhX1nE8P&c@5Io;lHJhR%VGj#&dpV|4Lt` z0faGVh=c$exZny5(?x=_f|IxsY{=kIslLQgg~;_e5hT#WCZ9qguetOSPLQ*Q>_*+5mHuxCV?Lpeu4~KH=Ctwn%y`ig-P<+(Z^2v zhl5UI%kvZbxTvxHSZ(mSf86Uhjjb`77;oq_ZgIk>VgJowk2pRaMw7SbvW7bA09fOPkLB9iEbGjLv_2nof+pI3pjAqj?;$wC1mSN5}N@84PH`rNJrt zEQ#qy`@NU+Bl3nq@RN|d>O)c&$dcjTl--{{KckDQRzD>QiS*upW>iLJJRX!Pl7?sJ zQf4;G%Qayv#w6lk`1mS%*-cQ8xYJkyi#DX~o`RStB~r?0T3ZtPW^e&Y(e0N-ENYG> z1H>tCEU!j4z>ti`Ie7+yn5E|NLqB^>{x+&8H)#gvZ{2x78g-n;E#<*wTm7vtGVA~Z(6e2R8Q_@0xT5BM4ebJV$o#YqV#;twz)U=ILnB^3Z$9Ib1XysfOL2hxQU%E$c#O0-2`5!T1LtrOC4y{9 za87!^lB+bVb2ql6N;{7Dtpglo0Ozq|U<(@EDD}@Dx7tu|gZ=2_I1Tv56>nx}VW+F{twzo*LXuj`e z?!KSk6pe+b^pExh(pO(0oCMSDlK5{VWmp&>7aj%3`PnD7biesy{xxVnrK>> zf6(vegH_^wagsXsi{BFNmqt+8e{ERRmB~V^exFO8({xn47yTQ3oRF=Nwr%S%e;3T|J?kY1Ova_jw{U`Uy^@mL*{G z-R>feVY2&S6a5}USLAo0GR0$^4|5>jbb#X~nLlx{#L(p4N&_*wkGaKl;@;S*2Id=q zM&b&zVuv~PxpFrV-XPtSyuD=L+!S;Nqr-#l-l#u#3!(&wNkxo;e3xVQZwEMPs3VfY z=6%{DS>T+y4KFqpx3ykZOF%Za#;UBK(3%Y2Sld}qg? z(bbuYx+Zs_ixrlIF6V9-!ep4aNd}yKn89%dJ&_pNI8U+T)OYa}!CXJEtzi^YA>ZoT@VNC>W zqr>&t{|;}&5F;WH5=x2+Y-Csa7$p9s6rw>}rBrv)#TackW>*Cvp};&vB&(Z};8|2ECIJD+jdH2j*6&cAycvNBdX|YGhm}94g9)f@cWpv1Kf!7o)is z*}S_C%b|8kLj@8%DrfT?4#C@RmUdwCDCSSy0t=Xp70A>X}TK3Lbitmkh{1zZ6wC z{@v9KQRDDn*xBrC(txW3TtMcWAjx9z>@MI9j`!ewmDsR%@4z>CyUzay-fy&?pv7R} zDC7&_gZ%bK0(1e<#I|UCCf?KNam>f-D7%hT^e^+{gdy_u z!{)cmR-a>jdv3jOc$31U8+xyjXb~SI(foitcgklxk1pXbnq)_Qc+m~LJt?h(cHGM=89`eW~d|fYbis-3i(NXdO!))9ZhA3IvZ>lXCI~qmY*+U3|JU%7y zEZ;S5RV=Ns6jXGeaevw87b*r};T=rJ8IPgR4m8u|t3+4i_eNs{H_*7{zu!mXpuBaV zg~^A@Tg@*#KLO2H`Cd7XK7BIIwe|sWw|EL$WWxF)8mP?hr@k-U6ng#eFibNy2#8&# zQc(_?ws)=0cAx*)6SC9Er`fJ{mZ^-R#c>M{n?umZ*LXi z4UCO_n#qwR`5|BL`)W`)y(n3n4g)}A-O=I6D=_H&BJ-B?ATR4tHTk^z0?QE<+zdxIWe5g5<>OX%I-C|6N(aevThk^5Tk4coC2 zx>LR**W<~8NXdH4(2i-c(5e|R_1POe|Gy7g7iQzCw(cF-N)zw_!3^B0}~SZq;w zQld}2>^emcS@%OcATz^Pk6kyJj+)JuTbo7xMQUiOoDoFRy(qpJVrRVZ@f*F}(PSiZ2nE-7BD>ygVC6@eO`R4Z|!Y;e_-}Vio}p zrkNk+akr@P-rO@12zN4;jmB>^jd4|x2aR=Ng_sN=m)1h|!yFeiRBFD4{ztJwCGQb~ zCQ+jaf=j3U1pP&jS~_h+CH3kK$*29IQRf$N1)L!PGFb!xB5dpny0uE_cN{I2nv3G~ z!4b>+;x$?UMv+~R#&GOU{IQv2@kAuq!xM~Ma8;&GS%)H0#BP?sBt-g5T7?{+fq`)C zHh@b3;d%ianJ3jqQ?YLml_pXYtwfz<@>RejdgVs9bfj~*{DB|cY5<`?Ucc!h2ZRPo zrGS3#hkK+4uC9AOyRK%IlY;Exz^S;pw7PFWRd#krST+#sPK~_6!sx=?H>VkAXJt)_ z6+T=Z*M6X(uh)2>Sr4xHC5=llQlyrIR1Zv$1O?4hl#?o4T}ipfr3lly`UuiGr8o1y z4=*Tf^UMhNYx?Cn7m7d}F3w3Ma!my>shqk8O9I0e&!xz+ZI}Mp z57)ZoTG(yMcwqWWQ=+$&B}-g-p{Fhtc#A$QSyz@mLS;d|a4c-E zQ?Lv092B&%og}Q~mc(y)&&P#(fCygNDoG$B4HK&%X~5)!)HX`=9nNE1LG4n$7W|i6 z^6r!i?BjyBL0ih^VeF*@5*G$z5`Bc{lJ`@RE1CJ0-!b?fSmGw;r>O4yw8u<}h)Ste ztcZ$9R|ujL61mOi`JuLR){ftQVPNi^U&L@prt#TSnD=3Fj`yq_DWh~(0QDN}ud9M0 z34vLe!#7DV#A$QSUPsXd&@%4Wff@q+4K&Bf-gVYmB(}^>?1xCY9}92983VBMyPcoj z&zGCv6V4L9nYMRZPulHG-LnP6@JD(8rZYEzUMq||*z(D}lpmA1YC(o(N^*mV1~aS_;i~o3TzSR z^8KK2D@A`NDaWgtlWeZ1<~igqScEqhd=%Y{k;3e?+rzmXJ)Ac}J~L^?S+y4x&r=>Y zgdNegtGy#X&D1xn{Is>5w94mmH#YdF%F;n#s$kq&*rn_Mhau$9JW|3bKryY7L5npm z&_pdK42?lz0Z6BV{$6i5JUn@o$904L0XQA>PkV#WTX1lABt|0PYScc-swkjgJ%#j; zCtMtc6b{ZG(nk}}kW;1CBropWVyjB&On)`%*MhobSFl$?fYfntgkP-)P@T?>faxmv zyYGb0XuSX;n`ra*!-eVbA#;=qsQl+SlfTxr>fE@?YcXqaU=V6fM5Q z0CP7kUT46P*t1BD#@vm6)|x2tY333h%^_<0RhWSNsD_Z>9FUpWF`hx!D(b7(e8hxk*^dQ{`{qw_t8avALPiHRu;o>T&Co3gqX?P342NT#oSN0wKQD zX~^*sO?4buG{Wvii^p#sEy9erCQALekJQ-_$by$UpVzy_Ed!0_!hGLP^T1nQ$Th6I zFd4w{B1!#ANbbrg7{w7QNuoAs1FSpF9#qH)`a65iVpt)~|HfZfj_awkTd6knlt$4izDm-Elfa)R${)kU| zL=lVPn?ApLy60dhyG+qF5Iw}|mx$BVZ;%DA_>(u-y@-_Ok?SM$#tbJA4crWECOiQ- z;1>_r|CnE|D3?C+D+cjSOJ|uCywx%-v@q~TR(?=AQa`cW+mO&t;19$NM?5yq5ZP$~y>Q3JHMSi^-I=eLpeYdwx@_u5qUYA+b0e)9FmLj(Uz(0mVIb z3%L@K^`cs8qLx!n;%xDVE5}q-oHS_Wdt5~*l<+0vEwBMSMS_%lcSz$Ftxl5l?7d&N z#s}FNi|qN8rC*B$)f4OAN&3Ga5wk{D)RwDL5(Ilp!$j{{ytI%Br*Zqen$CYMqQ|Za zP2!iE?Pd|way|Wbh@s&OW|Ua<9Hw^sdd}iNMXW8xX78wVSqp59^@=oDU95rbY|+G9 zooXFnH!@b?wyBKvq80#x_%1{@c{e!*!$*6ZSDxQgrZPq%F zi5dLxGP;0>D-RYS9;FsHaAinSdAKs9hWf6;D!ScM{cVMT+QocRcs z-`UFVhfEq@;boCkDJ`A5F|O4@3(Kn}$-#FgVp|_3u4f4SrBM|7xH_w0XU#WWH}u%X zs^q$g;v2fdvTPtGfylYQm=s*wAPsQ`k_4Hh$F}zxTU-2~Ii{GI6~||FX2)wG|1F0+ zr~_4rd{Fw-4}jn#$!{m946wo&ycmX9B*R!3!*DQ4B4s!+YU~w-m&iqz$G=mXtKjxp zxz}0KZFTNxsuJWXPqbn@E&Jj8EBL7M*Ew{vp*aAQK-20M+D>6`07rpul_CmsYr9_* zOuB>N3@WhrjF(dn7zIEVpWs<&jB3TwP1o&&Aji=qEL5gedO(Hy6kc_`bW<2g!ES5u zAF(l4a^OCa#f+mU)%xZR24PyXHVe6^$&YQ-LSnX%VkoJR6uO;M>hR(2it0X}ef{NU zj-MX!K_85+!3%4iE+h7e&R9K-lnPdYz#bCo1hivVbO6TrLsqM*j@9%O1wo{xXrIWcp7MPqRZr=2=UCU{{x3aqe!V)A zU0p5vs^9!~=r{6l{>Ra3Drq#>8aC}+lF_8v%MP}CScv>02%PffZ?Kzybs|oK3f&~H zkOLg%L#oi#Ne#q9E}@Npy7tG$TX*nd zS&(CK93zmU1^`X{A=!8?z~YM3R4*zFyt7iUb|7B4U1(lIA!2St^I-$zfzvq+WNqC* zh7u;V2P##$8ec6&Pe}A(e99tf%RqNr6o&4tXFg&$A4mP275ayDOIP-8yYtA+xP zf*KT%MJ%kJ&d~DUf&B;y#mcHBIuS?)x}tNVTG%_Nnt~|LdPReKISY`*x1iECya}sG z1Ka-0ikAp+#YBLbV5l1FSp=?T{&>b>fX}1AACnD|)_}o5z%51TE3)BH6Rb2opykfT zbburNE?et4W>xHT-uliK`ta@X(c#J8S1{5!4qwf4Qzw3qP%f{wQ{`F5Y#Z}eM}Qdx zP3imNcmY6FPXI}Lu@{9Q5pRw&QO6-ODeFuY>hJJIJr-tB znjOX+oU;X)NQ?8pAHPN)o~lpoP*VwlZs@PIGLUF=3}76%V+j7r$i4gYuXyI(`R>!d zvPDC`B3kaE?dY$!WNyn{u(cP><0yrIKeCf;1U570uMOTwF-vh=QJ&yO-=Q0~A}1^@ z8Bh2!IQdNUjS=vqFnC=OGI=T#a+VPek^D(#q8dR!kDMVmbIGWHFr)Y9#8(v03Mg~N z_^dcHfv07Xhg_9BsaAUd})=nVrhXQxposx1H zk*b=V3rUHHvoW2R?&qc1HV{wgRs8bgQkt<}HxrexM-{mZ3aw={7bzo^?gE%pHvcDU zG5w|NQ)tY>%u{&G&yaKq6YewQno`F7!ct60$7bDpbD+|jRasMTJlR_?u_1a2DcqG`(UVgyC zuO8U5GS5%i@7ryQ(awJKVeZM{j`>d_g0;4@LJniQ`!1iXp{ka%Ex}kVb!%D!VQVX@ zu*-RooM#ed%13y3t*)-Z(lkAy1i3AEZ|b5&^B}H>T)jb9?!>zgf}|_llY((N#_$~5 z=%#>F6Vzp;(tCQ=Eit&YkO*?DvhEck#O(*(>YE+Ytt&+U@?T0`a?$hA_K-{8PnEY^ zf>Ec&2H1*3_C7By$zoQAyG~VY|3P$f!BPGFSH1nK-d?1) zf7RK)>g;)*KPjoZa9dSK1^vlif#SaME=Y!@+uEH<`hf>j>?Op_3ck{$NYT%)@;c_* zJs%qlA>&D=Vj&RGUlVW>bn^!Fh&Z3p<5c- z!SGAy`+G~maZpbY5s}>5yJu_^ov6}TXNmYRz90eW9-n4zlH~zg(iX2i9UFBABdLs` zcIyN~uNtg877ZD2N4-&R9}M5@?e&JkgEvPtQFBznu@IE+Bd?Q?ijn4Kn(w-{%3 z7?3CZzDBPLe4!u%@Y3{qiBV- zFElCwcAdCZg#0M{Epe^5NTKiW+RwnYN~8_Y3)4jcQ!s~_OT1KmN_098w>av*I(ylB z-TmdTKRD~|@1Gs_M%|9nI5_IQI-^W15ZzKe*`QaE`1G=;TDk_Gmnp{OiNE^}$YtH1 zINo_{7R{k!@zYdywOG$Ok4>!Ow4*p{|9g@|)3(4u?MpXlBWg+?;%<5*7>nZ8D=4SX z15WzsmdLO zX4RbOg(YjvT>PG}<@pI4!`hG>vZSe%ui0YbEgcb?5s4osr;EZv zrFNS=y!#mJ8e9iLXd0rg=|N}lD~&o&oZ4;S!69%q%x+{moi}JM7U9SOF*#wuB}`Iw z>fn_Y8vR1PGiD3)LwZKjMjhuxYrD0rQh)AVtL=U?wPPhv55xUvd;yb=gOsm>?%t?B zczgCsZ!qNgm)@x(@i(1O-ndlMtM2w>)DT{Y;rHFsQ?iM+TJ07LFHHtR6nJ76+5H8x zvAFjN1&6D+*lphahsWao4o~Y-Pd)f=$EDwb)hGW(o${?yY7`f`qWY=lj zYO+dm+N+{TJ{D$7J`ivvAE>e_f2yC|Q<&{7(kz-&?c5OVSLh{*#QSgQj|0~iYzuMG zjh-S&*L?*uw1H&NI12LTTJ(i{lrYSHn+JRBvs2dGup#=ULrGwrTJCy=*Dv(2XdE5B z{O$PY84h*^&E_?Z3I4|)!#2nC-Dbnz{Lua@1GEV&uV%z7^x%_wbpe_O zPR9Y8w{hZ!8E8CPZjvWu@l9O(b`qqqI~I}|no;$mvn=uF*tM%S5VbU>BN&@m zWF$(ms`7!F-n(o>Np^R+h?1T$9WB?PxmVOFYdl=_KKM-vmE zVcu#_N$b3stoHJfBT@YHQc%6v<=ay*#;GC0C}TcRlFHPOQKA^14J?J2@OT_dcFe!H zS{XOLfFDjGa3kLO7_2pkG9nob7x@yEtHdja9qJQae^;u&Qx>H5`%(#<@r@~lT>8$m znkeK7l_n2dL98njnV{<#OU6;S_bwYaK1tN#>OvB@dhT8WrZ2CNxiw-KLse9QRePGM z^jZh6n}BLWuFdi~RF&_=0oKI%s$!|}e-%}|NDR!Hx2Y1A((pm#!lGB-K|(Z(XpLfG zBauN`tkkR`G`7y`keve91?y2;n5@I7GG!idP12>R?V5B|F}#YT%WP&Cq)To1Akt;A zTJ9iSnti)Q>9Uc?AYE2!R*^1S=XFR|0qlbHs4ZRAVN~fdkGNjx%FQ90comzq7351b z;p_sIw|qzm(=5WfiXsuU1y2AhuhQ@G1K*nLB3!9fM5AMn~u zmr5Od>tfaxL=`p_KMq~IhP{Kt;b8>1V}i!yiw;&(#Gur>NV-Uihj7=)Bd$fhLO71H zd&GEhSd1q;?kxc#L8W7oGj$2b-y1aK8RdC@F z$#}tJd!Eb3--{MuX3QscJq{Kg+=ml)5oGj^Ld#y@cbvu#1sX>O6z`~t6yT*-$E8uN zH!!ux!vt;YTR!N39q=>o!Jj*lEa53G9rV?o{`B~<@*+ZgvIdN?9j4e4r{VJ_K)JXH zk9;+_WQIa427bNPxZUp^bl)6}&bs&w&e>^yFj}(r1NPQ~5o`J31AZZE%bcsweC3fy&yGO1z8SDzW zZS3WYZ!;^57t$k#~5q(Lqcn9D={dcLh}~|cj`YDY==Kt zhf$sO!eIZ;+DY|AidxLh_Oh&>*-qctSsH@IH~2j(S`AU9SNEn{fP@IUyF+6lwkF_#P$9Q7{N+X@hBCuAQp#jWoDHj&H`ioZ5=uQWv zK}BW3PODAb0Oqz-mYD8m_KUuE9Q&*lH>WmjJp?f$?Gy;1_3Jr(xY>gr@QLoN&`rtbnb({_xN z*-ddD+;rOQ>1N&}-}-PvWs6Z;tK`Cc%wno`Rq5Js-f!BteDl4zb54J$x5_BA`{#-E zw)s5GJ>?CrVthDxR)&lLj~EYxvwzzDej88ir|qA1NE!!jQK65iuoyKcTTIvenO$D7 zy=7Cg?23~~&C>LyVl_)srK+e)b{(rgT`JYFEV`1eWSN8KN+XD^~hLvL7<*8r-&)iFNQc1f#+R^z#IzI*7znzLZyWmzjoOJ&ke<7Ru z*PX_+(|q#~JB`KHT2)Tiia259PyyFD+MugM^Vm&TU}#2-Wl1@~EyuVWEPiY?@sreG zJDd4eYkj)Tr>_UyVNVA= z=pA)`>+Pe@_Fi`fhQVozf4u1p-l|Ou3*(L}EQ~?!*RwKK!1~e%h>{Pwd#0u7?%9{7 zySL)fboYvu#(qO#6@Eo@o&vM@n0HEY;Q9v6$2^LN;$|&>d_Q)BO~I?Gwv{V^6_h%&k3_YGg%Lv3YvTHWtkT`_ zw*H|k5~4gR94|UQEIx<)u2u;~GYH;&7#-}#XzVC{iVcuvQGze}GBx=FbjLI0>9a~2 zzRF9Q7TdSw86#txnYj4&kaSfis6`1_`#CmsAl+#rp5%qEHfFg~@tj>Hf zT95H0e{igC)Z~j+eD%z=lIb$>Lk|o_*wpXtxH zp*p2-R%N-*M|hKlR;a~H(X2wKidiY>L~7WZqWM-Gn@edTWWV50K@N>s5+-7?~cQ z!Rn}BJ*f7!Ok7PMjX{RSouHO2UZfh=R*Z${m(T-qQTxqiZl>ogT}_lfzyAB6>aQ{E z)c)$y;t&CUXiahAtM9if>U-17&hR7m0)oK^pn`|04btT!JF>wqoZNLMotR$ zAI{Oh4);d%YF*FqliAe0gdXrik_z&jg+3qjy>N6iJlpG^ob>ia{lQu9x5MFR z*lFC7dhAQBd0Fg>`9W|BGcd*lJV6%C$8JWk2SZLGa-`|TA1RQupA&@#4 zWx#ZC5~y>iAO&pRDFNG}u2`8=d1MMv0)Krf(V9Lf)4yb9=ieu`vjJ=ecu>m?^8Px9tZRI;YPO`sG_ zYs-qV4vHFZ>+TgU^S!OIW~Y9hI|}n6QA7X17fQeT(6ua*rbzO4(X)&Sk z*IQOc)?=#yZ7hF0wgvP_6fjs+j1)$-@AJ}xp|LJf9P=#E+zygbtQXX2_-!5>_<=De z#5MUU)l)D~GT2C`e4a*&WDF0qZw-fe$3ar&XicbMhQ9tuSQb?k>Nwo|YccFwgebqw zgBHT&sr1|QkBVMG+P=qz?o=S zWQBA#D}z=Ex+xA|HDYQEpr$-F4PdZ=>W?6lxfh36g((E!X3prp8TAIWxFd-c8B7$$ zFjkQ$0fZ51jTMZFotc$DvSUJGu|nTe#}O$-oSdy$mc_Zpqebo|JjD<(l$p{obburL zI=t}X95ufGR;j+k8rS!Xko%e;9OIM1IUV%Tc6@m93LGE48gxg8{S(kX0KXj{frG=N z-q5KxLtzcr!QlW$_*E;bB^G11v}z48L6@vuu`f`-cM%A!Eaza4dkI;xzf0e+lu08V8^p z>5VN4Z{Ig)x#Ad1$synBVQyQ*rRWC`zl6gUtvr~dCOMCZbwHfcg?@aj<-8M}^Jse9 zjnD22mBBukvSKK{UM-e}2l6Pu3ZrSbwWJy8MYj|{zNuK(1%;+T>KCR8cL6<~#N_tI zv?|cZYZA@m)Gq~Lb1vCjz1oFLF-viau!yaYMou+wQTh$}cIj(U!7_c5LgW1}4Q;zI znJ!V_ozkzZ#f(FErMA&7F>VT~Bjs~6Bn#o}tzyC>Db?YtR}j3B5_cO0Sn1a4##nSW znqYxqv_=it@0PN=g)D?*cIJjth?&I!tObRw%? zk%Vjf8~(M7W?l-%z!@a0V)JG1)#1tQ!LZXm7L<17DlLF_j4sd`W3|cC~tL<=xvb$>4T}~TC?re4d`(ff{CYn}pxcbT#@7nJ* zB3aAUN~so2NLtx})l^mS{-y(-=!?WEEtDg!LIl<4^669YTof*~Ww!Z63D$eRgFOOz*O3;`v+YNLSctQ))VHm=zk`__m*)FU@ zcy(a;YVOABM_xWo)f;a0m@mE^xA*Jl2Xf&Bgn+689QiN#j!B$Ul{*Ka{k`2Z(S7;g z@Tgbu!bQNU6$Kvt*OS@8!6(zc_MvtKW8gU(VQS+f+bdcF)f#28@e;oFq{OY z3E@@I#i_WT)nyue2KF_wQR_aKMwnAMLTh1~lFLzDx>mj>H43VJUutOf*f2!LcvUJ1 zolfn->(*rjIx_wmW5P=aXmI1?Yt+>PnXWbaUk(}msp<08080>_9=lewEcRsIHk3+7HTW=>Uo zaEt$g6HL!xn1L|zV9WPR`HpEG4%QTU;K&alaL=Plh?%XRFYR*@dGOFHjFC2cZZf8P z@9*$NaTgY{GNTKLqMEq~6}I-4P%7E1d7wC|yG=q5h0`bT0C8|dySO!Ut7Z_Ee0`D5 z+yr_p#DaCMF9;juw{#*+z$Y+GU<{mp`rfWF$8rLv@OqdfemKR&$Ph4N&7%ayfjfpH zc%5~ejqlWxgnxO)m-=iLMHdJoVGObb3C$~ppS?JCoh!WH}g&A1j07ukl__{mj?Vp|W_j_lD z`v8WQeiDUvYq_MZ%@!EVU;@eh20{ou^8POl{IQ<}Hz1AS*q_`0KLe;?%Tb)ISl>nS zH_|7oLKxk9B!uK1hLh+Rrl~s>JV;g4yuJSMX@A&bsvaqptv7q!J31~@2VIX&Zv*e^ z_?*9TQ!s@gM2D0|UW$6>tvvPE(}a7~@V1Me8O_`#UTPsj841C|8$sGCBa?QjRmF@x zX+oo@h&`3iUJIIZHPt1}2R==ri60;yEm+SB$h?>_YrgNNBn-Q#K-4#MySyxlFq1~Q z6cXQ*#S@^POL9YiH$$y~^{$)tvP1>gua$M#NMZKc?U9IdvN2VD<+R#Kpff~;13|r| z7mkG1jG=#*tP@6n^y0d9hKU5uqf4w=7UqsPcgGit7~65?$7Av(a1psD%y259<2VM* zc#`)(zi~9kwnh}&1J@78<~@$$8-CL{;a5gdKl#j?gQhry0VW}k0<}W;j4j9f(Z$IJcJ*G z)U|mOP4nSncag&0H5@MpN%gilu2`28M)?IMsUL*}z|0+Th-u~~8GjFH2PC%>`ZHDk zEp>YqfKZz{GJW6xeq8to^!9xrI!SFX1g0vFBzm z=cQsWrq;qr2ha`Q#Qngd7i$&P+}6bewPewhh9UihszC7gkql$Hh+QH<*oI|*U%o@OK%)j;A%vHWdAMx+6qU1vPKAXqF>5mq0 zJo7K1r!)(qX=-VguXsmlCF{l=K}{A>rjs@|R3?w7XKpD?Q^L>Oo@0v6CcGznNv!!r zv8Cco=@?c|{Mxi;;`h=@rHeR@l1yqqKf`UbGeB9I8kFOg()v0BwM=-kcn6$+jTcD( znki^TAkXpLyaLX*x3esZ&&H7lmkvO`@3z}J&wgxex3*h5yFYFJ^sG(t;(Oe_+snqS z!0*epluBv_(kzMv*u87AJO)@)!J)=$I#U5t^%Vha>Bl zNi6h1KW)6X#E~CnO=Yg%iB=$!XEJ%wrB86kbLNCm211CI$4$`Um}%t5d_>lJ;y=2* zZ6b9NESHb|=j+dX{|GDIoVo1`&f~z%WM^hGgc(x6;wbRP#3@*7jP331?H_;m0sp(b zy{-Pc^ZoZf{?E?y7teQgUhI7TZ0CQrpFMlNv;99{``%_P{49`w{Ll8C$5JQvJNZG< zmf%=fcA!d&jik_xed-n31@ucloVG50N?U%^zTA0q;fLNXI3Zu1;(m{q)`2vY(4E6w zbY?T|lI+Rm%x$4e*#)@ z(Y~K%FdV~Hb`wM3gp<@k^0Be8A!(YgyVzis4hw!XoH8)kFHx|V!yPat=w;Ss5KaW-A%H*=!d$75mNHeK&KDah}5^ zy&+7X>-EFnW*3me8|c(Ai_9LHgDPF?5To($RgSCzQOY5d0eOM7UErYQNFZ@0QbHu~ z;{v7`cdy=!ZBwq_VV|6vjb}#!)mPpY>MvLcX%Pz=Hh1bAeSqzqjP&2J!HaYKy2bwi zws;aG^5tyuoWZ_s^S`@oUfvwmzR`d6vwr=lYX3(bY{uUCiVlD>|L^nd=ZgKmv;D(Y z`~N|H#KVSo1>2W9=P+}*au<2~ewr+>67X{2O<{JoBMC9n!yiWDXdXu)3^VJ-9@>1m zD;-_zlqx+C>LIquDNyXnZx-xOo)qzo*_|CvcC9{m2p(A9acE$=YH6| zbp60R5A2689!hNa_4K;qPxbvj&D;!57C{QLn&&|A{{P~|iyzhf|Jje*J74$zhxifq ze>aZP{623;*Lzrd!`C;2Klo-}V4q`Jkm-|_Mdr8IShlu>-84U0FoGv5EC-DeON;ke z+G>v)vyXUOb(XjpoKjPt*k^+%2>fvR1~;g3?5$wTtauQWoI4B}#Z+K)^b<%(uY&eU z41AaQR%GZ^bdL(=Isk4MMwv_9O*swV_#$1*+vk4hCO62)CP4gf94tHtw&KJOGtg*_ z=xkdr-IOHsa-_3J0MJa~IH9MJ^BAtEXFt417jt<5=-?#wj>L_xGB)YoL;y+# z&BH1h7x3mOXpl(S-HwsU0?9) z?$YhKJH};O%XewLy(HBn&kN>}SBX1@r!es&kH)uJ*Q2nPh`K;_f9_7<=^_Y*Sh@s0 zP`_c~-OP1@G9U&rjTe~2QJBH&EZ;GbMc7T>qy=8vh3|>dGD-2X#A?m`(9d`zVp=LL z<3*Z9^FyiAOE~pIcBaSX1Kr-Ql^^ggjKrzv^QXlpm9?yVoj>sdNVhddvlz=jpw8sk z6c_a&&bxvA*eYr{pU@Y2Vzeo_)AD>FDipJj?0c71?GSy>o$L~SvWox({@hJ&C`%RWVyJy{5+%);^!Vb~s?OG>zayZt!U^bb@*Rk8GH+U~mLpaf zyE|!XcFX*^!V>hE2YUpQMZgV$=nCMLrn!uxIRuMXng@AzQe+SpqN9=|kHlp^S2LXF z2xqyT!VENLU zTIvE?7aW#5>jK`S?JQZO8T3Th;~1ZO?Q9<7<{}AJ8BXZ0v*dteGph?Xh|=s&B%|{r z3XohQMI5Jeljx03@nnT#Jcn;V8Et+4j{LB70ZE28ZP*o+2WF$S8T1EMMh)jZX1Mif z6>N;$L1Z4sF>#=nUnpIila^{$#pIH>mm_8MGDv=g?a#s1tIbmN%T|$wx`Z?6 z)B*=nWoX~c+;caDnyMWoylEVz*))Oa$DoQf?VYccf9oj0;Y`!YLWZ4w6#cKVp5;}c5p_M%I|ka-Iv{A4`)_9=^pn4D&T9Z zgCv^o%3B}?{&#pYfD`!}pdXb+lnkdL`niBN75b8kHoK8|d#jvk8kpEk)2k@)^cLDT zMJHk*IZwO8;jjI{{;K3GTUm~&M#b_aV0~9z2HxMa6hR7&h*vlj8o&RqxIbB z-qVe)5ayER?M@c+bC^5@4IJ=7jH<0W4jp2c{Yj60hd)g}`C<0hB;N8)Pi~iQZw**l zjcA98U1Lp`xDBL>;TkDflt3FUj(s1uOijsJr_JH6`191p96K#cL5*3colKy@>a8wL z;UwjYAbJW`q-T}kRGP{6K?SlX1h*9_hGGodwcS@KKt4N#D*$q+NrP&B7k6 zFXBRJb|zJ_I%R}`l}FsUK=#fkdxQoi@dm9@eFFmt(dp$Xo3JT2ZU=9LTdRa*0k#^7-RcCWf_?LbQwWMe;_0 zKY`<$aR5cOMRqJkM79dyH49f3ctgL00v7(|-^e#oz;G+Y$o8}HY2iw6tc|N+pq>G^ zLc*`Ewy&iZF64}Sb)z{M~u|KWyLn%OS<^DpVCKXiKyTpIH zmu^4K($>G{*XG@^8Y()l*nmlO?JZ4bcR>erw^6sMtF%VEjxkuLc7VsaqdUrCV(P6( z)flDULtKk-_N$sYY`WPzZc?kI$jeNdv>nZXy7I_2?b9-LTWW9hHx}&Y>-KMhwY^)q zH$OM{>g&EgUv~++eRh9$HTn4J`!@T&f$=@W@6rceccb*fG;@OhCQUz_MD;L4J=!vW z*1uD+u%dvfpngoaw*AEs69L*A#&Z5Ap3RCT;-k0EKCbgle{Z_YZ0{;>gGN;twZoDav z^_f^xMq*8zsm$!oj48ug3t!40*Tj}G&{|xHK4{#k5$#Rz38yx4#}GJY4se=|_(_X=V!kG%v>_LP4Kl03_j{S^ z=Sqj0OeGJ{X7fP0VnZ<1pxm^LQ5J`}(*vl6(a<#>yha_FQg%@5@c?ty8}$V@a|1tg zkJKeAUSVsu&$ZIU??*P%8EDh^vNmFhW)Mwj9JgW3+3dhWEI#YZ25pixHbXH@!lZ1P zzOK$?%IenVwqm~xGVacyo7rEe2wN*}YzZH5Ol>W(1D1AqctEwc{z`XqY=FAkI8DiG z?lgPSpGb3H^ym-|IbYP8@8XJilp)_7N8!YuTG(unCT;8vXtVbGm)4DB$mNOC5!NPN zGDCO#Nor}cWK?6M0G`~`4zR$|5@3~BSk?1QnOj;#w$vgW`W_s+NzE`L zy;p@uqw*LG^dGra8~PDHmB?%`hpSH?59m%NNJ+k_j-uKF0QSiWsIl8tiyMo?r9@sg z%=|7Lh5ED7Xp%W592iF_-K5Zv1WsU*KyQDM_~CRooAcsF(kqie^$vZ zng3MC%_#m9J1oo6LQ4a$oT*aAW^KGUa}#e>UQFP}g})*z-Um+=a#SHd-G!TK@zT0D z>F#_0S3s!0RQ|NNcrVSO048c8PT|9vJ1SF{_~NYU_AYaJlfVp-1u9;Ik;C(44)(V> zP1&fpDDY>+xj$C`YfhA;3|6_;O+K7DL=_X_egfF5gs<0Hy~05B@>MG8e&=xX)z(dq z=C5t`iC9+1Qeb}=Ml6?OHx^f;c8Locd~F&fH%05g#t3}1c!#2B2RM(jn|+^D8_ow= zDY~IJwn3K{mGjg-cVehghm_5|vYzELL$5UfhKB)nact6V?#Anu2MzF@Z_mHRf7~hh zLoJ|(n~6(|>*>|m$s1xx(JJ95*1fPeCgGkim+Iuz+%r}T`KS``vHsbrrC&cM<@E}M zg^XcH&Q^XBR8OQS=6bBKr&b99U1JDnP3qrmxVwAVZLZ+;oF``JwT?s~mZeVIi`lJc zei0i+W^f|{jNbM`EHqI|~)bsK};JyyL^(Ut$7y?5_!+eRLSe}C&! zpicLR?Mk%eTM}=Ra~#`A-6pml%W1byw zFJ9f^Pf|O?#-Dx`oqyhg(`Eh4^-!(k|Gn>s+w{BBtxQ=)bEl;20icf<^aY4Mzy9d0 zdkd+SnWZkArNX-Eq0$uYFjg5{FWxD_08JHr>WoO{kTUuRk7KT%No-IJ`W&`1$?!XD6rce>nd66M0ep>aD45 z=Je}m&U85bOrv?#xitr>!ih7#Ti55UyOR`6bWAWS`F%+{eOXXeRedGk))kx7Sq2`O zFh4Y5c7MIknydFyY~uba%s%u^*1PbhF~0q28!^vMFn;Kr{Lnl3p?7ix#%|HK_@Q_5 zLqnH`hAs~cT^<^`{52c8_{HY_D*ap@S||T)S|^hSNAW{ziHFt_53MB-;9tG9#AmHk z^<`Tv&)KQZ(r%gDM~$nywp?DuX!Ou@`R`+#THG|n3esY(=_BrwUq~w=-f085_kGCI zKKYgWpZ`F0b@J7B?UMp~&1MY*m6v{3_Q!v)ii z|G9_^W-5zJSE-!6)S9-`b~5YpXE|SW^js@nws&^TCoBID8~+e1^CcxKs0RqBVg#w79>qDNg-+xkIUBGKui`W!E5Z84iZ=&e z{&Z}PB`|JOzeS|v73j}UKCdMf@aYpYaxlxdeb?{L+q8UsZ|^yi!^F`gCaGR|=tyqA zeCSC2V8DJbU_ThJ9}L(J2JFvf!2U}%B-irAef1=-g!h+kOMd5)lz;lZk)^ z+6QOWU)`BS9{Sx^p=9BH_gYPPXnFt8^8TUa{X@(91y}aa^8TUay)IDx(DMGF<^4m; z`_jt~E$<&%-aoXwe`tCC(DHtX9>}IR{1@zcug6@f@qOJ(pR@P934r>qX@6h4;=gPM z{5x;+pSiRAEw<}V+FbrNJnNx#`+sli_Np~Kv;lu;1Af14z^i>@b3J3TcW;T2)MOW$ z>qE=(FV(XA^Y||p@m?-{wdfYHUO)(1B%u2q!?~Bl{@sSVyIZ5q_I^JCU^Vom zWLPJDXqi}}YCCRe?2oe>>CfnWR_iS=nwv}N@qgHxcofgbv#4z1?#=bu5`k_d31*cA zFH&#*buHYTwai0}Hj}wSxVNB2lA!hIH?&)=_o&N60(an`nHC%-H-o_$4* zM1EC}?y0qUHHB83r$w3yE|PCjN27PoJXxq|>GGZT7pKuBVSj$IU4F4OlsuD;8|IA} zK^(JZ;(+tx6;y18Uk-h0HurQE=Ao;Cf&bAR>K{Iz^WzIa8(KONUIT00;I|b*hhHhZ zE;GjF=H}*;-Cg+q&CSj7|8MSY?fg%BdvCkl-fQn{wf|>xYioOV?|;bV=UcY@j7357 z|Jl6rSmnk2MLx4V^Oen{X%?#zP5VR`FJ^G{R0J{KxNbMD;xyVPUOVfCdn2ZwyY;ln zzFw&NHg*gD^rg{LV`QO`lQab;e+dJ)t^ZzA2rSqTnXjpU9;U_vShCGk|gPzs$k-y*x^GrR$935__!S2@No>ps@B;SFR1o~x&GbxcrnS?J~_+i|BhJ$ z7d|JCGM!bh2DNWnd?rhC2Rlz$MLAy4+n<>7h5x~p?OE+BY&7AngnG3QJhp1&j==O)ML4g zSj>4c=iY$zSKA(Lb#vHjpf187b;AZ`^7vM()p$fs6b%sJT&yL}5tPN3OCdZ>CSNrk zk#~Ycq&Fdm5xj6o!AUq|;gwC9CcN*z-(!8AGa`kUB2EWnoZaUwJsrXL_rIzCD{jX> z<2Ccw;m&`H%W$Er+CTM8v)GMM$;1BOo8phw`s`;J{hy+v;ojqao=o}ww|3eO`u`XC zl-QZ?QmXL;mW2xKv$C?qY^d`U-P)E1t}6TAAdK9}4Y-Iwbg}b~QKhZyI{X~||0nG! z``_O7=EM2_5}z5h>}F>lsUW|qpUcdmQs=mR_Rw99{I#A|-5p-8UiODLqO=N93PE2k z{(MgGc~#)~ZIdA8rx)BJwP1m~f|{HHKcC?CxdaO&64Z;SrGWi%u>P`v`cqN*p5qIK zZQUkTe=+`Vvlc%C|KHr(-I|X7df@+GZ@re6n1mYUlImjJ4;#RKvv>M0)K`y_GruTgT$LcVN%Jw5*E{cV?u&`;bs_2m>|LHc~0Mon@RCkf$6go~zWM8r*8ghP#K ziJ-VJz@UNriianMmhCq`8vD)ycYY}=zy9ub9@J=X>$F!0 z{pM%=kDn_^~AlD#WFbI$*^JoDc9Z}06s_{FCBy3N;3x4XF205M^+`Q;K(ODcu*}ZSTsm19vnC$a~RUp>hgPI8`N`FbiE0#un z=td8}#65OSIZ}js>~#$ydlJ28Y#54f2iFPDl`|W1p$k4cwJ+tj?kTT$x<%w4I01OP zbXO0H!qk7uXfgD9x0oJsUzbO~V5D+Wp%RviQn3KGO3%)~+Wg5mr{_z|u!j43Tio)c zl&Y{IGy5otC5hAI!X~(z8r_Drx29;Qp00~TQA3ebhGo0Y)kR&GSMWz)$Y1zVEB~c~ zIQ`Iaf0iQpt;E53`rnhO`akWRovjD??@N5#uvIrX5Vl`=AsvCrsC;XsC!IUxa~g@O zsq(LEEA}kzJndKLiilzA??SDzxSXyy=lq9E{vL<4U@8mz793#i`QMzX|M6t|LI3+A zpV{ZXNQ9dbyxfsjUS#x(UX6P!Pg%i0l_`=M6=XR+;85pZmj!(MI70&+uoPA)PzCj+ zr2DX8&pZFOz4P7AT>I}{+5YpS-G1=@ev!{2_y3>c(*LVp^a`W1uJ{p+(>Zthed{N4 z&VR(Rgil877E%B9GyD9v_jaD_PSyY0dyxOX$fu-P`{()(v;Ml=gl3trCB_`<8O~LH zEziZ0E+}~Sk1j%RANc`wfo{0Mw7UEN{^(gnOQsX=i8+-7bisXAwKXe8l#O`WVY)qP z&axy9si>H(`st95(}I+fd;PqxisqEdx1^kl+QpDd%#dnsrRwjV`B$6UAhB1BM~=arV-PLIk!yYA=3r_O-J>qritZW^lT~`#nb_rsy-j5abf#R zmm#hQR*bV!w|76x-UDzVe_yyiJnq=6=I|jOji_t-Zjr|-+U~LYT`P3|eBoHX^ATy~ z{p;yr>zbo)BwQ5VKs44r9XO+_D9%YMTME!XSP*sH=AAz73xY0p6o3!z7oKFV`%7(C ze5WV=)WGA|YhTtEs<`CTg9G=$u$GSI9#chFk87wSXBihU)L8iRY2T?Yu3|q9vP?T$ zt6sOMKaW2bVFDS#dyoC^T7%LT5!{-D_xt~}znH9j{5&E@$LANvhX)VKikC z8D}I;358I{T&Gc)=PSjFVNql*HfkTL>V?;`bTX9)@4Q)+15c_rn3omgVD9*6i6Pz5 zzN=VW#fX&)7K=S~d%TE07%@`|oQ;{8MHCjDLtROPnkm$AT9-vClY{;^On8G8AxcCW zR#cOL9q~E`?>; zBamn~WOB>CySzM~n!$9#)|ms<^PBQWo#~;{(vqaC7}Mm4C3MnZAy1=fUC~2j#Y;Za zjO8(p7KZ0N?n5f#5#!@xVNm|_KCC{ClX1>2hdC2No>Un)O3=!0`0&ISGJThTSAOF* zcUlr(vze#Id*HT*#~5d1-2X^OkG2Zb4tzLfGNAfEFuKX5tzQNz-5i3 z@^vLSQ=@H(X_^N4knfz-b1e(Q-$cBrQ{HlLbtXumJng+rwJoBM%Z@Py@V z=q#`e`{k0O=pCLiHB`v=6>Wnn?~{^Gw93FT#XDxaQ+;FH%|}|ph89#jrVud$4OO9G zOJHR7>-UP9n&tX&rgKhzB_d|FTE2Bt?F!glkK*6wH_w~$ajnfpt?B zTY4qJyr81eHSBj*U+BGRDp|Bg`vP%AB}DwaGDqk5|Ffuf_YAN(@jvbM)>b+H>&ezb z{NES(%=Q1fuJ{Zr+$Ot7l>p<>Q7rN?G|7B9js{Ctj`?#q;}`W8-d}mIxgPDsU6}Xo z`yR#V!8MH&NeC6AyFdT^nBsrYXCD8*UByTLGmro8?ru-<|A+klFY~Er991vYu2x^>>S|L;BI|9zRyQu6;DyNUccSnZb!x~;K)mUwI(~ODC09AkeErgW2^_8eRJW;u>J|v6!)UrWadZp% zw=3GtxQ{O0ab}J;ysm?be4(;7c6E?h?R4Fly5V*+XImGex9ntR1@0{xvNv-h#O-#X zI$U7Z>cr>R3vsK>5VxN19a=8g@W7=Jeh+Pyd?Vi-x(>~>0M6|_TBn1Q^*T-mO-YKhh_4xhaXH`1tMCy?*#KlovYO?rAAevGh5>xF z7LcwCUlm(68sPn#4@SHUskwZQj@s#{{*dbAzi$*Yriw*cMPQMZK z{*!OOfAtr`!G`>g{!?718x~NHhF9YZ3O0(ydLVAH#(L1BSB>?c7-fz1|F7|g{7Cbd zj|Dk7Iu?x}%lU6CEE+)^F}i`z<@~qC*-xj(7o9(POPBhT&i~*OGc2u%sk zure5yl$MgT*W|R|a)g}GXoB2=${Sd62dKL(p9djX6tox%XT)ti;+`4tRr~=tQ^85s z?Q-(I$9W-&oMv4$F;}t=d0ON=feO{dkimUVcpv_)%8Y?BOQn{8WyK3JlFYOi$_1v3 zgz_C{a$9(qk_H5 z204w`g(ROYxf#ac5Nf>BC}NTAv8&}gl5tVU4JBiI(HVcUV)(gB*bFuiLOa+A+6F{> zyLQ_V3L(+8K0cvHg^8+8_hESMraX&e1=D3q?$Mt1x*q(b=j%y zR!_~vk!Dsrcl$R(E^yqJBj(ISnuWb1VSi6kvc2g6m$*ir2=ob|apRm>rwk0M+A9oL z?j%)O;M*FwbKXv*pmNRZ;RwcpB*hYjon?I)HGY~#rT5PR;< zvxu+{bd)7bb7LfC^v0-*#zJ|bp*Z|#>gK}3_a8WXU5Hjb1Eh+syueOhb;$XT4oonPo|5O)m3Z3FQw&95++k&I}jZE`TL?#EBg%iH>8+yi*|Amzo7<)p7xT=2mFR*6g3 zJ>5b7v5>Y5q^&8OEe4@&AXu!IcXBaEn+B2rG@my2ENyNfQcwA{5+5q(G8S?o+D}i; z^O!^actS0GZXt#N(vw<9HLq@&S2s)R@RpJA0kvKX%OeM!wv`VFBJ>@ znE`HjN{1DMeUKbHE>LEXeDi;k!2a`GU2)G>R=Utp>6*t88M0(VuD1!xbDrBVo|-YX zme`M-plv}sF(BG5WvYtEMteeh$YX(+{J}-!o`ErSBphJ})v}TV+Ln(BhCA-bM*dxm z6k&(l)k9Wu0*^({bHAX1aWjkymMFFXSBGE){80(4m}Km^>ul@V$r(PiSIb;zIsu=g zBr#^S8gi}F8q%96R@SZ6e7b~+RxIqe+tuSrnNM4LeGX@+&cZOqbGM$|4;i61q9wLl z*V|~Gl1f%nsW3E(gfE5ih@2d}g_iivY|SCI=i?`dcD3w~XOpw^_?qPtkWt53w~3OR z7^C)Dz)a9iPNaNDqBw_D#!~RhneLWFdaN&{LJ3mq$!JwGlQFDdd#QtD7~7^@j(g$T z*)or3NR+S-aUqb>q!zAp_AF;DA=fLlf`O7|>?knLv#@Y3uJx0*=Vup}2d9^$MP6PU zAN+7~`kJ7@tn=0S`nSFOMPq&a=oF z!1U$I8njfma#X#9yFBg$qv+Sw@;7U8qRyaV+|yPlYSeX51~mb7_k!Kv zLpMOfwf;7ic#ufw(eUbq<`MW=Xc6}kw!V&{B8Uu0WZqfrZU)bS-7d`Gloz-d>lI#K zw-Z}mC*R4N1m~tu-ymciJjv=?kM9ntP|rnQkq%?z7Zh8;zVqv<^T(Ru4U$@}*hEOo zMgYAuhgc|TViBQ|zB&ahSbv;!SOL$&Kn^~KX41c|Y5`|B?txP%5W@}lNo)uZ6gKRJ z=zGI-*YhebuUlh$&9&rI~Yk=)#w6U#V%Ym__VLV$3MB4!YM0YSA zC`*fxz=4ezWs>FZ!K{tfdwdP{9i`EGEm$1Ln+Ec73$(Pj8?<*d5J%sU)6?o@XGn7v zVd7)P@=+`V-Wo!T@s83)6Bp`^fx5HA)Y`$G3uM~>X?s&sjg&~v$3P8W`$uPnnu`l% zOGB{|;}KrNV2>ePjKYShLdFddggJ{umyA=eph;Cyn-rzorOhP9oC&lU=ByyA2LR4U z4g;35Tq>l5lANZI`&QhCc_^JYk}}d7iUZmVGc}=D*vD5)nr?6&YfZ_`p&M3Q zC?jlIW+j57c*#cSf+Z1W0;hz5*Df9n9b2hcTQqxdO7jUw$iy@gB%~dXL!MqU^m~)KQ`!Ec)L^e!cw##+CTv&mQdo8;wmChqBc47klxXZ6G-FOwGN~VN8%sen z5iapOGZg3%AnJ!#Y_efAMJGE};!o2`L~dxF%3aD?8nN6Oby2P=KDanW!{j(|jX#}u zlqGS0Vt7R{&amt3kmm(Ub=eWueFr8&2ksLCcX#SEqDg|#9v>HEi2gI0Wy!=h^~51d z1rrX?Jp**BEKBGEdT@TC{D)S?Lt4yPD5Y%MnLu*_cZA)F5f))0+YXE!4a3*{tL~>C zoq`ly*I(!P6_gk!Z(kiqT9~Zbe(BD~rTkylg zx39Pd*WhZY-EBJ{&>1jJT^r{jFd#UTTrku^&s~2v#^3mC7n!5f6MBrLWW*yp+i^<# z7!ETv?Ou{o+gZRIN>g%jZY>XRg|uiiic`YUDC2SJ-2B?Tho>@p98aPVEW{wO#fhmK-q0XlcY&TEQ-e?z<)yX0jqNT0bskg zj<7D6ZEPSMw}?;d4oxbriFTdp;x=ZSZFPUhf!fOmd7HtG1LT>3v54{8wqr9#99s1` z0G}Fw(*l$fEJliv#&`us6{ZQiD#{X(c3h29M<7~cx!cZjYR_2Siqk%yW`x`NcBmTU zHRpqbk;8zjV%)sG?`&}tyCbXn51D4 z@|>M>o^;~>u&xW%pwG$)Dllc7f*PghV&X$pfxEqN8YL{~Gg^#ulW^+|fU<9vyMEd7 z#J_+0FEZk(yoX&Y$(D-QImq&@XYR|)e|^Yk1iFUOzl8$ij#ux>w{TUB!mA6>3Vx%XyQ`{*$F;kf43e#Sg3nfLIgA{Q% z?Sev}dj{y%Ox#S%crKJ(1tpmSrZ*0+SaB?sW6{N6C;9yVc$#8nF5De6yS77{Sfs5R zj`O6eIka|@-wasMCDEAaOE_gWX!?ia?*iX8lisZN@#3YU&Bql&J=!NTn$r<0Sndw6 zWoEyG!R(pC+P1Xb2$QV0LFpSLnim9zFgL3ft|S@Nyjc}Y0m>fa+~N9L!L!OKfzl&! zWIgLY9-==G6aaKg>$@B8a}XTY9MDfKXnUo+91rw~84H%5C*wh!s=EKqyXJW8lynF5 z41#0>Y8qPG;oLf#fJ*+j;4N))h-^HawmCS%?Nv<`N#5M=Fu3#1Zsj`=cd0aUsmBPj zRFc73g$kvDq%D(wkTf5t2bu22jNJ>4xrBp<@$`*IGX1fA5 zPW==~My1sG)^oC|JT9;X3^Aoi;sV~XNU67jJJ|5TGm)TmIO^8k4Dm7K*@RG%#G)X) zuSDyDlY@)PlUE0amuDA0zyI#+?XeVl%A(GezQ4UO7C6iH{%)%~1Yr0V_~8je1LM9s zf=1KGx5C(RB9zHpuulxwty#;rjtcDr^Ax2i5^t-^VH$FotAFcUV86rkUIgEoV!glX z@}nLa}|XNqJ7w28vD`v5@B0?v0Z`E0?zZ z;WKVf;)2leYOI2(>NvV<*r`|pxPtY5LzuTYNj*maX{&onzU_#+U=G9p#%vHKj#Lb-Pn41wp^hmz5wKuC z@?1qTy3ox@bVT-_wDqn^p9Nh;Irz~66BiD^XBF^3cq+=hMT{$2#AyginUEWnGZIn- zSMphRr=M29b{X={6L~9oR%IQVSa6b$(=`W}Ip@oG1)c^^91!L}x3_)LDX-LCI4ma# zyJm?4#T>zsnQnS-%|(NU04qi!pYt_KU-DA{GNmCFSnHkx!W@%ntL+R3I}QXt&7tyM z3TZ);IHgj@6q=#Xm2Knwpxw$r13uKc8)K8Jid7U zueWdBAOGv};^6(^+3D%AyyUxNEL>W1QX|?+QHr_RpVJv=wdg$f&p2n~Wx{*LGWQak zd)juHTX-fCe`~238LE4#O|K>kVR2E&k0q#(S^PUm*fF2!A=`DP6yDdyYwfkcPzVd7 zlt7>^p>bL`xeMqWSw$YSraU_dWM^&Ir{06Q`yPrS8}KHxKpp3&6*Rf{Mm<%wSP5_2 z+j!sPf~qC5WKft%99bB<6)@&*_Fk}SA((udr@qAKTjUJ-vT-ko!*_WC<@~p3EKT*n;1pdq(t)Duivkeg>T`3cs(h=)Ai56N`aG;pfm%TES zZVZWj#YE+Gg*k&SXwrp1&XnJ%ywuL+#KeamMlnb(b8)qR8Xk z7|`Pu2sgq0fdj|VT^Y{z^qOi}YNd7L9)X01S8+NBG>^d$@u;_=f;?jz_u{JQ%BJrQ zZ$pWfptarLnFGSaGjBa}>4c#e@3faNe$~=Rvap_2fI3ro(Q=nmm3J>OI!?h`8re)a zOq8=wpH@KCYqSBJ?h>EL1KG9^OyhyY9ZLXg{SUa!lp8;RRaK}_NZHQh6x_! zXwSs|#HK7L1#iLmI;Y>{6{vgWsWH-JJR&qL;+E-yp*@69J)>faEL4*<;II@EUF5~3 z`T?*KH~Bb)03PKz)_OQgi+qC4awt+9P z4?{W@1&f?H*g*WJrQLMN7XuEQxNnf$Roo9)OeEGMQJFAxB&4olG6r*dcn)F2ZIAU^ zA4WM4Oxu3JL1LM$1M{hYxmBVlFv)s3zST9>b!7sb*=CO1 zDx4kd_gQn}tRo%LGmzYTLaw*$XnVi<;noYDE(gM{hR}XiK3xXGSY=c#1Znw= zlVzsgrFkzda(U|9EIyu^!w3n=P7oF339pmmw9oU95vWv~#3Pd{GFDFSQ0}vmZqYfW z`($*@;9bG{MVClnZAkN|Ycju0dYe14$3PZayl_`P9cAItoXYYO+g%kBNiZf-UzaKd zBx89pF*zCNwQco9*NX1bm~|o>92CL(wZqwc-!c1MKFPDiG7G_E4mg6Hl$H-NIeW4d zY-;(-zGKn@oZA3I{?4|EYVvHvWc7v$BDXQ*k&b@uifxtPNpD0D@=Q|Ytj*Qrql_1+W+Bw=LxRmqHlx8;jw@PWIKEp<5Nv8qt}X$LZC-*t|gMAL`ij zCZwa-5ot@UhmQwC@(k0EV_^(R<$3XZYGNVJCV4y<7KGoVESEw9nt7mB6wl-Tz<9c8 zV#OO+JV}s2E@e<9yD2<46JP_HkYfNnHHmSmBwCCS2Pk?LSpH0b!7?iFlN1BLS;tN1qmM1X}Ppe0|w-kvZ-X_JmZ21i&eAXdXH8VloeQt zAgl2jzRGV{-c+V>If*#Me>XuZqe?7H$M;P3=aWp%M__$d59G#J5i>zEN6X|=NQQ{QZ+HIK>dT<2UMdQdEc+*(UrjLuh;@`R20kPy%^ra`)ypsk08yuwHG(n&Mgqq3 z@9?FjpTgr<#WQM&dJ6wcy%LpwB3ZqkAUp&{_?4Bmm94^b5U}@3Bz}%Z5 zPvB4xp2ve2Ds@in`7}S)e5&sq|0XG;Phn3|v$mn$!1sWdoQ-H~&L>oVlawOy(!`Q` zIZGxaiPI}UTrW<6PNcHBrZ*kxhxKU)mqgRKBMnlgCMB`Mc;D{&p=9Oij<4MD@)MscB-hn72l zx?tv5DrJY}3cbs4-Oao$TtNlQ3vzf#?>#o8NuTh3z3{TwZBJIrnpPAnyzdQL z=6wP+dUBq|VN>oxk0wAzH@SQ-1>s|yYU7^z3ej}0EF%hG@mJxpa14f%q6XZN>IvL_dGn#PVq`5B=}m`?cvRqE8)|gL zA{=8f5R3?EUs{a(2{@j;n%D=81b?lX9z&jrEDpzfERqQs(fkVSU`9I9A{P_!AXV0E z*dst}B_&E`wQ|Y}LWz4;gO%wcT#~QNvh@j^EAqGql>Bj28q}t0<}75u$$JxT9D4`_ z``OM%xpe#nTn0`gjlRdU!vvwSUCkBMhcq8Z#feX7QcPO? zoUtZ}^PFAt5Q1{cx4HJA7u;xD%vKVZ;&hgsW4J~#k%XEhbkelnWGu(4R=_t(uyFM@ zSIjrO7=-1i5i729;4Qd8+s+1^Q^|Dy2D`J$K7=eQ(dn0X_qQ_VYL$XpM%&`tEZN{;F6bG=WlMN&y`8 zRDhnk>*Kuqf?kj=JOu<;a3$pVlT$<7$gR+KT|iFya{rAkB#O9@G;KDeh*jSOI-v4r zU~)=vU$qyOk*#wsL<7$g1MHV0EQmXiREl%E(B3k!dLX?NqMj(Qf!30_9oI1$1+Xa+{nJ# zj8}LKCu>?&2oPdPYs6Sls(fa7*M7t3RcpA?u_(wu&R0$k^^Kf`aTYVlv|Q2GXovDM zwNPqOGTa^eCtRa?%$_qQ8g8s8E%hj!sua>3otdLJm2`sIqi}}zij7N{sx+IeXy}g| zIwR+-pmEyNaH1?S*kC&A@|fUU~;N@V8(LHqvPttLCmVRlIg43M_ROoH3!xHE5%Q4^~&kl<;mgk z3V|dFNIaoJk0C{FXB_u*IV_;!q)cHJ_R9gKRZj}V4O9_3O?0dhtva~ZMZaQdz!`8M zu!QC!cy+*3W4IEpKy0)i38O-)Q?8X>y<$%*r2UG0Jx!|TXmM>Zx#xm8io@3=wxm{`9|v1XoJTFW$cfpT z6zb(B6De3Qng>|Gk%KNRrqS%|HwX`?N*f~|O&sM_N+|wxB3%+Jiu)7KHgB#C8b$Ko zxzu-DigcjpsVfXEauS+|eGx|<>3}{(A>Ejz(RgHP2DucY84K!vdOOQJ4G`><9H~4^ zV6DPRO;8)OOn-=&I=@9FimX-vVk;QyQ2;0zzMQR)Kq{)FK#YczT0JSZLV~xZy$Y9+ z3iYt7=lzP=H0`m`Rg9}u5!X6rjuOC=Lp#Mq%1``#w^E-RcpGklD-_VY{)@T zujg8ymr>1>m<7{x2nIo*=o)G7Bffvi3;B}q-oX9RvN0nO2`RMtI|FJLbqms$W3 zD)L&((WZhQh}>??4i(u8la_C5HwGOs;Yc*1X=?MUKW(QLmE5n0R?oO;txif!H5nTa zKg+1#sR;zd$YPpf09>4sh>0+ddul6;(h(2hY5S}`O?uzdZBTIqAf}!Kj55|%u%_KGb@qjw>ME4Qq~WlvqPkDVh443b zjX>!tvU1QNC!H1Y@}P6l(a8PjmiNi!$>p2lCOJJjZJnIH zx;Qy~ef;+L^s-6b9$y@OcW`=n@bcu%$>q;LLa$CPPmenoK5(F5oF80Vo*ce=b8tb< z-(8%ab&m12MQ>rk5~-_+jHd!B2SThbL#@y!7n)@`&+=G`=dj?u3XlZ)vmDp4m!h>% zi17$?70s?=0i0d%Fg9v3GIix=1#7J9Xq{GOk@lVj(VnaVqKB=?AZ3Fj9V>0KW@Cq2Do3HAU`76A<79?^ks!{{$QGv|B;6=if)rrTrW-??E&$aWIvi4oB9;@Hqt9I4;^wXvSyUaVQydg&BR&Eh6;;OGDBeiT4<_nUJ^`cmgZY@O)87P~u zN>>B^EDt=Mcfd{G;3i^ymPYu-kS9@v>73>x;6z%uHdwUBd7S6gTc#|>R0x*K?ww7n&-J!nY=9v6{yT%dwymYI9Ai$@gQHM1rt1Ot?U%-^*!u z#R@@IK7LxUN=iaQecMemF<~krYJH9-9gtP5udIwV&KcFfzgi=pt%I5>hJ2hv7;>-X zp|k_%+ID=i&~k8+7W9L0go09!69~vpjL<}I+k;R!47Ab)g&%=#guq^*pmu?nnd!?| zyHnC_z5lQ6eOg{NE-GETCDjzU0muvr&AhbRr83A5j%6zWH zc&H#O#YJF^hN6s!<7oZ72i7v`nd~$n(?XN`ypU5B|J;HIcS07D(CcIm6?4{bt&|?V z^z>rkJy0is-%A0NQ6C!*0aYlH*(IN*#DuhWXhrC5DZ+Iz-3_}A#nqq5o0YP;Xk=JOv;WQ$c zD~u)8NW@c9&DDhjLUn-XPZ+&cHY5*qeI;rSX&NPr{Kk7|8Z9VTD$+=2dqb3EKF*XI zCQf^NET6+v=AiKc4TWmfUIu_FU#PRuE1LmkoF`qZ;BbP~LA5o-(B>mZ#6z0?PNyMa zV}iy@%$kqwtN5I4dnKA6l%(o9r>Y#=FV1rop6!uU%4ytKGomwsPGXi8jc&Kwqhi=t zB0EyPgR4^ORSUi3dKD-Ps$-+%BUMux<<73p;k*0(JT#bA3#C-=VS*i=W;f9MR)6W1yzl(nxjcURUQYJ?;o0e{ zlh^Mq4y080!lE5{S-E1bX^XId(IXqSBZ6s&aFRM?rkg)bn&gJ5$}!kUe<<06+jF4_ z)hAIi35Q;n1?xx!QJa&cE4ACk=<;HMGO*Cy0TcTB*hw+>W`Mq2 zHHw7q2HcmN=D*yQl#b6gET{U0r{CBc@{#?4r}pa>(w)*cXWCY4#0hP2!pWTpAoI(&+sYK;tp&~NL$vI}ghkWE@f1u3<>W#zIq*7X-yMk^p z1eKM7#w*wx725AKlH}te8y8L(fM#%^?I$=;Ax!QuI5~&0-(9=`#*h88;vzsCKyGju z1!qzzmDh!;o|Lj1zxgg+CLy%bglI9KL8rkdxK=%OZ2E5ce7K&Up7gy2DL0TTgN3sr z<5sb?C7c>hGr2lhrM5+w1WLyRHz5{lO?5U1HWzhwV8780$ZLgRu%e}f1=XAAS~ix& zou73sUtb(|-k%?IIzOFV96kSf^=jN>VUfUAsrnzSlza=mzl?_L1^IR~QTN=7mXiYB z;^a5M(~K6w=PMrrDatv^Yw3x6S|Ptfy3O7WX|*C2@`$YgMz;d;PHlpFm-Z&G2rX}9 zIlGQAbiGvV9A~>low3MUwp||uMC*xUI6WTo&+Dr>Oq!i1JGLIAU7{K&**m*uaj3k2&wUi zNtU9foaI~|MqAwrBw2~|5iQ~nA^_xLJkkZnp{E^V5sQMxNgAZSOhPJ{zKVRA1+#Idk4v^Yv0JC*V7-lkv zjpr-v*YVw^qXF$K2}thASyqVP!$>?|X%BAu@`vXuJBz&xeUb0HFC{3;Z%W-Xmfex+ zi7dMv0OeMDQGRpwM%1+;E^R}5#xB%?@b+N$HV~#ZVQ=ScJ^toR#O&nO(-}}45vmRw zTeFC=@_iQ-?OP75r@yh>7Q4xEf=p?uy|A_CTibC2yWiiiF#&+o6^(O1QI z7km0cH)u4Z76n2_gf?<1KWMS4Y{pUMfZH3tq=;~kNPTfIBr!--h-h|pS!!!Uj+gH^Aqy0=TJAm1H)bK-3GH#CjD>9As) zJ^Jpz{eh+teBJ6GExpTr=Hpy-3Gl4xYYjXJ+9ifYGo`vAK|70pF=rKef8IlL^Oh&#v~!DiZNL zmHUkrImF&0)b_qBe4xr8j$T3hrS+{cM}k8BqUDQGEj46ovrAYoFfSP+X8rSx7CDzE z&*|wY7u|Ku07@Wo4WwOTr3iwcQLmx86z(-rdtT&YX3Sf11Kv8m?z?S(=QW?R3pINn zd~pS~18JA{?XlCf18M18E1eXcI^^TD=(>9<7Ti=^M(bOc22ENxffwE8VtcG!-&DJ| zC`q)t!Dpfgz{;WoVNWX*%!^8gb{2ggVXRg(`dl+bZLq4d0!^Wag5~)oTCv1({^Oz2 zB`z3^e#+y5y_I|zpjr(ir6XmHzQ*J?0bYg%As;{5hNdh21_b?al1MsOAp!aHsU@f0 z%C5uKx3Hd;qJkI8LBVxb!jUsNuvOJC`*X-|1lcO#Qlm@WL3$;liF&b2M`qrevz~J1 zHS;+Gt-T<$Hq5UD1*Jh7thsKbXn?Y&A;S((0}!L`>n-n2r?51zf_%&n39S~HVtY%E zfMkC+P{f)_nn26AE=D&>YL#bk%oJ&C6 z(^sAMC+A)Fj_b-DRLlamscR&3tp9?^c&|EyeUM@_iyR3a&f1MUXI@Y%3TT>5$#)$~ z!F}9bB?3f1r!%g_O*%wd+ zr9`KqXG*WBhF-d%`;zLyp|w_gQw$kI&cI-goL`C|GvBvfyG_h-a6R^#-kH)AKl3JG zTlJQf%;)Ww*M&XMotU0~{qgnT`TLWjPfG%@tsNAIAC7;XrU7jHq=GWm*U1lzWs=E^ zVx5^#ZrDI?L`!UU-A2ivY~lHIJGkf+Ig=8fLQ5!h!ZIFVXVZXqw`V!^x9ky8b5X!@ zNMJW3gZ)FEMw@b?pE4ngG#th$Tg8l342JaVVL}HQSY^lQXD=VK6^jfu%>4%uXzgBg1QBOVGlA=OO=&LPGQB^#3Qh+<=qZ{#$MSTHO`*y7(X zc=F@+Ef@o)6Y72ReM}ea8c%CNoQ+8!(RP1229_g5NSW^fk{D`4X>UGU65R$vBQpT z+EQbXU?iFZ(D%#LxW~3)IPL42iq?>xQbriD00R&ut(R1D5U(bq2FCoDdJe; zM8u;wp?T0Cr5oc%@6ymgp-vYwI984o#UOpv5pxFQx=G zB;Z4A6pM~3q`(iOr17%}%};eJVONdS{bheCy?0+kxfXoe%U?7u!6itgsB*)#*H!r! zV$o={19BW;QF9|1#3}j3u@C;b>in@*7aiFX>+KsN z(m2alL0YXB`YCil>Rg8BE7$Fn7f$fax8V@VQ!07r`HJHeUD+^DHW18<2JY8Zplx`j z!ox2eh?uu%zcOz7Am$)3OCTZ33bEn&MK>_keq+sgdQo%&*rmg&@;?mrAd3|$ildSV1FNP`L*w9kG2f4W>Z|w)4l0 zqFJ`@9uD{tWGVk^QAjE~Qou`OyH9>^{h=FNx`K_VRyWBt0U&Y08alrN^AuXCm&DTQ zlVGC;`3<>orJeR-i`72wFP`35$ChvgFTGQQd;WZSa&uB14K~JU{J&#H-eL#aAK0WE z_MyGdPEv$=$9BDS1Ld6{qM=kMQjA?Ic^FnbMo8ukd;&dKA!EZtd$~{30;-V9KSelqen>NR)4h(fy&(iBS=cyF=zgk~!z%`;?(^)=tPaqY= zXFgbwQE7>^(0JU?*)ByqVnNkGxnh$BIxEQAgU;pgg}j2Ff4#~xmI{%OTn^M4vJYf? zYpub;Atzsdv`>CAM*}DVphhmn3Jxdbb_c_d%yVzd8DxKuK%3$szGlh926}`gzTh-A zF75D$remzV`zJzhnXQ$k4@7^7|IiUK>Pe^$-a}u#-j|k~lIDd9GwN}mwKycBNlPcd zwImO1C2_%Wnmo4$~40GS|&Xm)nBgy3X~rn)LkNCj&`e+V?PNx4i<8Hye` zWWcd+e1BZXCqtSfi^<|&5fx$Ck8`L9FNXvxfa(a8+|Y?ISuEX!X}%k1$O4k8ZVR;v zjkpk&3XJe|>Wi9^rwZTL6^o2hRhvGjzG%MZaXNL)Oy4cP$;a;DW|460z4FD`F<`J2|c8741F4EA(^KXHesK(NkD)1QmLpJ44+&2R76Eoc#Az7`-pvD_3|I&a2;l zK5xgD+9|??@rd&n`C|c;<$534$k2(=)SYQ z?i6K0wT+ajfgN>&$L&gO@_29p(=;a8tV0q#0@~T+Vob26+ zGOK=fFr5$sMKSIxlz$C-?K*h`lGsjpp`!UFb`w|%WsH-=G+UAv0#8i=P)JcpY@I`0 zogOPGl9b&famoV8t58$aC6^35(6FSgC$E*JsTnzd!-^I&57S4R)`gvdh`;^LZ=R{SusZEPq{7~iiD;U zzc>)Yoh^7lLtEph(}~8os-3}gm(DmPaRCMf-4k*&PKr279NJmc_r8_}g%`34CEhjDOn6AmdBJtY zf;^^q5hQW=cx{eU;$HZQxwJGeC8tQ3&w~vG(UVM^?tHgb1oah!GkZQ`M$M|%B3e*+ z^{e?UBFHGwLh^J>21(ep+%@d?QO+uXd*Lere7F=7h7Yl*>2fiteq1q@xfNc7=lh{P z_F^fI7a#L{qX~vxMpTmELRF|ZEX+s|IdA7YyKnKB`fkG z)YM&Jhqp zsPv6I+TBfX6`%lK@p_+8D7Fb6w^CMG*P{XUp~z`V-aK6=3S8bcAVEUQMbjR>dvI}i z^6KF5^6cX0_urkpJ>FnN=)O13xNBHaMTejSpy0YHP}5=({Yz8T3x$czS!#5i5(egR zGw$UL*QgX$thrG;zYi`(2^zc=#$SXTYP8r@Hp}cmTL69Ph8S{-{ZUxMNYGgvU?lZXF>A;EA|O1 zLifE5IXr1JPMj*Cw#=!Ww!0QMv1qxdDPPuV83oqo!qv6RJl1UdzX$0=dx|PbdYUp# zUa2kzvg)}&1?eVyKzrep#75WIALZ8^(ah;3ARq2g^{_v1(73O?b?vVzv8)`ZRynz8 zJV-(T9Q_Djg!bOIluuc$ruAWzwD9c_%}oCS`S)9@2#XLh=OuTfw|txyOAR-YZ=BO& zxKB2UQRY#BdT(Pfy03eCy@J+N^}|0Id4nWosP>ckutLU9%rME<;PF(4>euyTeF^!r>P{0Ye_}rCCEbp zHRHTuqbj5r8&c`Y;81xSYRY-fxr?>GEWg&$yQL+`dFvNiRe)=O*CDgAyyEw7|5Yk^ ztqhvFat8>HZhb-8<6|`Tun!m}{`MsZPGBW&ky{&}zJL3#ZxB?Yag1#dP?cAB37VW@ ziBXF>uNaQ%`-!)iyqG2#BX2m3UP3nmmjCH#a{4vhzW`!>-L=f2Vj|^buP%)uE~(|o zX$1Kw4pi3kkc$FPpj6lcctXw7&urRX}jjXs%EGa&0rk}i2BQWFsTNm@XV1)wGinABM=KazD zr4k$JB_EQ+Nf`_w#D5hgupN*$bex9H`i%&y7ek}Shz;_*+hbtfS!j;?-|7|qHu}(# zkX~2_{ww?6!V>Ir_Fh9~8s;n#0WmsioDRw!yO;8}oMss$Idz;7z>uG z?^-k(#VN`bp=ybLa{gFKk?Z80d~Ps?Rtuc`V&>tIiZfT0d9#G0?BMXwi||HZYhY7R zs$N%36js%81Y=czO2wN)meM&{b>eHN44rD4s;+9f-*>)?UR*n zPtM<89Gt#Bez8IxsnWjtWMv&2>lvVA*v z%%(dIOcPesgR1_Y@soq^!}tP)wKn2iWK*seq^H*j@6p5;B{4bQ##%xUTr(!@wwF6U93+&F;nGUc?9BwLEAQDUpp(i$kqmJQUQG*Fcf>p#}k z?Y1@2o`3!E@Xb32-tCtZ5cUZZxT5mK^V5)}`ZvE_n9lM| zCN{WE_mZ+sSfvK6q^$R zT`9^@Tpf6GoHgDs*dA=l@AUW4^arD@uWzldms;{k!gBqmLP3=OUSHoXJx^9CDR@Dl z3B?Y6x8}yp;)DvWefm>TpG+X4zY%kb{#@&V4?7`qS;y3A{7%pS14#T=& z=hU8fT`xM`vwkPYd&J$=z2dG#Y~VsCt_VWVQHv0hjBkB7L` z!+0=cq9Ce>;8%@DMArmXCV5CCn>CT|bB+XUj$~iC{R<5dZh=LYzXgK!zy2^95PdZt}5N)6e51Rs7 z`h3W-W(*X?{XX-r31IFl7zCs{ns~U0dfg^^U(B5cr$I|j4tVVr;3;``@kW`8yj%mzdP$(e%i;Qe|B;CX=4f@k1GHQmLt1(*EzoUH2pwU z!&9ot8vU#T(Itd#9g@1%UZ*WG=vQ^h_;=0t>rP>55kTn;J}yX%Y-cJ|N!_>P4Du3= zUV?#l8G5cHTit`!6Oz`~ElsYk2eyfmTOQqQsNj;~9m@b{PO%0(Z{4ay4*x#l;T6kC zJfZ^#)eV!evJ_QxBPK|QLE{CHtcL^s%#RX_qN;?Ril;VVZY6MJD$uOpqmULGN!+{j zIeg^Q&zjN)+(koTnFRNCQn6Hw@m=Or`zCA#fd+?|5dM7SM&3fLGqS<6Vq@yY-LUK4 z7)_+Ws<;@>Tffn3+S(1;!A?8)jpoMj_FD)6@Ifz5i=0k?KH%L-2pb4t9`uzO9tE$} zvZs)b0(c^j%x5NhLS}ODrh=FJU6~E0tYkTBnQ}nW0q`mm4%7M35vu9YF&^s##cEJp zgw<_MMMXf`$#qPf#h^+hx*#<$8cETt>+OZ|wM?Pk>Eb*$Ev{-2x6OPj(?{v&8tS;! zy{wP}Xb4h2^=`_yl)03<^|Gfso&7&F8SQq;Sa|bQ1PvEdGYfn`-o&gDVDKP4{4sM z9&ouOJ|H=!^8g#sII+JTzdbm4gPndM9YMvN;WjyFfxO)A@+M$F`}sIgMQ+4%yYAVh z-#2_P0K06&LYfODHNqvXyq}^JHzTD|{Wy5-X`GO2n#X)BNWuq-xE=n4$&X+l*4@H& zbm#19Szr;>0f~mt3_HkpG{s}UTEQa$EvHWp-X3?(4-SuCkZ;e=j-UkD3(wa1_+ub1 zd0V_p{IdQlTrHm-lix{^lgILZ|4ttx%6^R5jSbOE_+V-RfPooVh5Us$iFnm9z=-d4B%To#eh@`<(_|l5IEIW^oNxUMO{n&X*CO*J8^o#h z8bYqRKY*##FyKtZ4nBIc__PprOV4WQ3E2Q@oRH!V3(zk%~$Lg=0%o=@*cIUz0<>N;G6 z(BR}boK8*d3sILwMNLXd8E2{?{M50Q5WVC>Ngn6Pco3%~Li?L*JuhQkiVVNhykA+7 zdRk_Y1lh{q4Y4+BL&_R8h{^XkxI7H@0GN`6j%2> zDvm|UVu3&gQ9plG6)B4JWYr|FdzzG-)&A)4J>lm6)tnW%cq9ZRHtV#4%1uzesp20^>XsAxouFfmRDxlV9#97BF5i zA<-nIqd0_mS2iN!I;QqY?2l7m$pV~>I=@@H>)=hSFJ*wIj|-D|WoM-;(P=}c61fFo zl67MeHus`L_Ese*p-~#sEL$qifT^s&xEFfF&!||N)*rx<_cSgfa+eL%Fx-H zNPa#o3fR;Jn#%-aTDI0l)KtrLM9C4BfT9IRz&76<@+S4k zB;-JMMvX^|{NjhU^ZmWxS+HqI$MsxHpXV&+Yf$MRmSoTabpQjepaoJ&6L}9R2HjPY z4+!zDZaEjlZ)2#Z6Kg8~Y_-doyh;j=J4`V19!*>}rVCscNFKIT?Jia4-A_7xOS5t^ zP`Ug8B(_@7PP5(vHy2rzS5r}HL=0Jy5E15aR$%$9`b_6lH;>t*CNCzJbWO;hcQI6W z=T!9QjC6F34K2?(vvF#M`wNIzZ#;Ou0;YSvXf(~>pyj{@p06C9op#RN9Iuctp+Y=g z35UV|auMh;LY}kW5R(rM)SDhWfXUL3OOP{Qs7Hb~bi&8QPb&8K7{8r@2v8GvR0HMt zAn?LZ`Ct&Ig8-ijUefUDGN&Osr-h_^9H$a60MGET7yp2c#=rcdwF_OpekK22{YPtS zGyJ&yY5yN@{=G*2F=9f{0sBY#?S_7-YPK6Vkty74sFi!0u%UOMRB{E^jn+EcANROV zBOd0Ato!-O$?2;zTlafv!&^D)lbrSKo^SYb!f{{JPDSnj3zIk#EclHT#k~3abZ~Kc zfAjg)FHH5K0pCl0kEOmdE{YaZhiHM|DTelNK&{IEpS|~QYa>Sz$M0{y3ayj70YbNJ z2ua4f+4~Y;GJGZp9448aXLb(DZrSclyVcWbL)ege?cYZwsaxt+|FAJ6vx}d*onT9< zQmIrbmFh=ZRhgTo=?!=vkx>HiKJ8YcSbM`kI^E_a!S-|2#+l=YkI!N1&)#bE@oY{# z^yHJJTc>K4e}>*mcWNH+Z;q-7A6w8r@G_{FT;JsaQWdm<7Yh|ypH|A70; z(VL%|o#P5od5YJhA1NH>syp9V@;$u|rG#5>jjn+^4jirmobR8ZoYHyDsFMSn z8Ig=Z(d*Q_lclax_xbFuZv(ECTvIsMau>*=T3WqAmI5CR#mMmpk2Ol__!Vh-_G-@kLahRF(?90@N}5XD#6n-s2T8{yW3r5?f~2f97*{&55ov$<}7I) z&ls%+qXKX-eJ&+VWojoiYWhwnWQa&%WC4CWc}J7em@pD1)zC|T>kD55ZXvz~T)4-i zUbjBAo34hXz-7s+p+0IJIA;eNaQ6TVfcsJOp)g9#%%j++@F*Ez#tbo#g8+>Yj!>KwHqbit402P*6%glRS^{K<42DmQ6bHMEke}jgG8P>dx<&3ezI`GPG z*P!)KL3$4%Gt#qHbre=2DZiJTyO1X=FXeM88*hR(7|A6-rCRDX@xx}704@W5rp^vm z>G-Zt)Q2UQsF+*PO5F@>E3-5qEVzuL#juVz9++tFyl;I-j0j(R- zVP#wtRmyPT^e7;5OI*e{!GRy*H#*ar;LjmWVhuc72fQ)U<}kVo-mOQ?&ch|Bt&^2Y zQLAC;9BOyL*>$Luad-~3J7M%PN4nuniT9*(aguI&=^2r4R>Z0i@LIUS4{r&umB0&r zVHy0QH`$6rF9j|=h&0X5^lP$>v<%n=z@=eR1FkdRrPgMxz)#aCh*RnbOb!C<&visj zKOBI8SoeYmJz1eYt98bkfu}$JHlkq1k?E_o1h^T9^VE+(%fX=n9|j~rH}yz2z<89I zgryNG7f7%3m9jZYqxU-KTzCamk}t-P=+^N0;q)`}BWi9k_1F}EXN6VuRt5;YI_f^^ z?YwYa`3a;(fixr=Gx7<0WbDszfW+ILx2e1^Hg-IjN4;# z_1>}?h!m~4>OC^h(G}(i;dCTi9HmRW44pQUt$_^BB~mj=evD``6RwB>_@1Qk(+fsC z*Q8`oIY?cHIK51_Dsv|CcpqKYzgwH7J7fSj)84=JBnP^0xb4|mWFGg!v}~!uNg@Qf z)xlKnC*oxsYy4I@d6Up(3{!eM-A;?nE$Oflcq%W}1Y9LER#rUw8;E#JNkz0DicEUB zN5(ocb}8`WI;sE;Iiu@mhK91p-tnnbAe8|hr@hk0nsJ)D>iCrJ#o;>|k|7+MGlIQ< zFqSC_5_sqb<;KKP;DMGtdH~nyGpJ`XEP0DkdhhWmIygQ&<7&rLC@WVpKOqnqxdB=q zL<$=u^qG-)dy{icDPqRsSP3$P2Qf*C&tEFds--X^N`oRBz-xOrPAe>_8i*8oXasW+ zr3Pr=qM=9w#)hzJP}}xK`_cwnB~&`4aZ=8MY1$>ovRA=_FS;*wn!h0^$J=V)s+G)R zzqNIE!ZrV`Es&`2Wk9ds48bAlb$6a_t{+7WF@f#+a1}W9R(OdkUCoBrn#;OgJYsy5 z6+8ccV;_%<*I9Ifjv&xctBDR#)6g!f>72WV48Do@0$IJ*qvHj~dzJLVvf7UyPM>gn z?}>1Gc$9t3zZG9P0~N_BtY9yE7v=u#MgfGilyFBmw5v zcN%)a!UkWc%R~-MUs=V$kKqROUUZivR}+$v*r#5Gk|M*8^a{~QLPV-i5>IG6mto?$ zMZH12Rq(1qEb-@rE|MH(HzLVwh6r!Q5M5YbG42F0wt%bW`79=EMgvd11ike`f4+c# z21dq<#J?m+wk25te~GoMZx}M)BQfz*!^t9$m%Ev$`ZK|P!0#J3s8@>^Z@Y*|BgACe zTD$~&6DPn`gpNxh7Z8gH_WXK*A>!Kjr3JhbF*5r}bYyR%=Q2J$6^PjdhJ=x}trr`) zp3P-Q9fDT5krNwvJPo;VgPyHt6XYpplN(<}Y~&EL%8jogHgbqr<;GVL8#%wwF;ctk}TX`wqj0`GIODN^agQ<7-E#w379T+j=1&h%m* z7cdkltPWqDf>VCt6Lu2nr~;!28 zsdVsaDa_HtlBl-{k(!rZ2#pjTc_ z7v(1P&Mw9br`5Kv&2rl+WuJNskk)8v7gxy(Ch2Z84c*GxJtY+opmMwlHgjYeE&!W_ zDi3|#^8_qkY4BI&Gf@>cHKia_@HUq*KateYGY5P?NG>D55-5o0fma41gUooZVm4)Z z6E2nVXf<*Ftd=SG(*YjO$N*T{q`{c~;7rm&w=vRNb0IdmP6*>D>~$+0ajU7oN0b5a z@u44cG~j)SQa(^?*3TU=Ef!UUEk zoO*CjyqHU|s!rF+mxmh>O(l2b(kR5lTZA4C#};Qk4TY?k9fjQ`{q=Pe!U@Ye8Qj3( zF7jcb1)@yA6Z!3*Fc_^JXt2QC^_ zfv*Mb2_Duiq5Jg{2jHa|h%=KEsRb_ZPr(E5+KJZyS2U>wKE@Fq`^j~x2ywE5%b9k> z+kn@c`Hf}{2l`2r)9_O?q<$}cUm`TBTJe*bvKubuBNCrX_@xy~Tk4Tgqs5QHK>&V6 zGD>54dyx)&O6fEp16enPgdRMgOD*^{{D|bQX#eyWsTMbAsEVzKA#mg~cT96~ZVA}% zHgFOKQruZ!L-m04R=$`MPo(AtFE)F)%o6ZNi}6S0fL4Sre$74Yn`5W@YX#swq-vK; zUjUwuH1xfC5xWHNEK|H~=6T@YTd+Rh#yztD95e&24GHp>kiC;C4OXAIx-~!g*6{7Ck^3|PxwU!9e8_8I@7ol__jmT5Rlb`Q;D0Egz!Eetu(=&IK74ht^x>-urVoXasnMC# zIDE?n(4s0dP!w`92w$<=Ec`m<;j+T;!#A(3eAsnA&e;I0Bm>_gN8vcWhFjxLmMvkRRsd?Pyrud#^C7bagnem1) zFV&okXE^lP{GR5V1HbfQE*LqD2|vF4aB83F`?EJlHYhnd8bL~r$Rn`wEQAJ7*wJJy%o6ayk7(GG(_lK76MZQo&^$RgkJ;jg1T=7o>%%& zje1`RoNHqPc(Y1#=L}{zCSDc@E`3krGjf=vDPYhL>h(3tUsR8YG}YxEL==IWJd0F5 zOc;+8*{e}wymD_P8eWZ_idJ|q`3JtlCsD#&2uLnxFf+6?vykxq=^F-A55z$r3gd6q zs)CHoN<3dRz>+<5_=CZZ$^?KKzYp5M=VM|j=gr}oAt#dZz1`jK8+z*7iSTJjEQ%3A zOJQM&@b%}oI?^}iJ|jAaa{9Sm(u$qM;Wi5(2O z<`*)6mt_}Pa^@D`_6$N+;LY*}H2_|dBgg>0T!x_Lz{|1#8Nipz0aOY+6_uandA6$n z4g&ITbC!Q`ULANoedRp@AJdqeQW_{PB*>zgz9nOJ9gelKk5F%9j6;wFkbWV?K|q4E zex{D9lT}7fb>@#Dy$XmoCC&&l(wWgK$D@w#B#V$Z`tdfQu`?t1^4j6LG3$sK4tvk+ z3H{7T{bT;AE@12bz5SbB_|G8Z5{VU?5t-u?6%T?Nz=EF;isU&wzV9}8zh4fG8D(}f z_z$3(ZbUd{B2piVY}U#HZ&RXGm3>hG6&V;Gmu6rrV#ZkBg)d#K!QhR3g_@15nLqNY zYVbp;nPhp0pvwH<2Ss>%gXs=!09a@~TyK;mnl0$~%o-Kcko#nwl*TBfiB;|hsiJaP zA@s_$(r}*=QVLM5 zP{S%wEmOprYGMF9CQv*5K>74F1upv`VP7zTTcXwNz~_Fruj)xJ1AOj>S|Mr;1+Kz3 z1zw?mRst_gaJkHyS16#3fag`v6@eEN&}y=msGzq4uFbm&c$o^i6z~cKv=Vrk7Pu;K zOaAox0=`}aRKt_qp8{&m=qqcVMP%+@^(^9WTfI}qty%W(65X?i+FBIP;;?tBby~oE zMU~USa$i~BG%>PTLdykQnYy`@fU8h80eDW|OqI>k4+mMGjUmpOX`2a&=Y9y(dJQEC zi$Uu*=satLro5GUN8OOGsQCmy@P=AAqU+&zXEm?UA|&V+OHiAYcV%3k8A-b_6km(j zxJ@orJt%}UBAzJ6?lgbb{C_{3oxJX7FrSDQpeMiVzkLJTk<0r&%;p7xrdgj3X|JMT*Ml_l>oSnb=+&hl?OJsn99mt$6od>y! z4(*52m@||`!@7Yu#CSorjqPzPdZb>fTH&cBR4oH|q4ZOJODdT89C!8E?dpM>_j5a3 z?Jm9|$P(aOU8}5KqA*Z;omT8>l|oSlaFJl{dYT7#7MSm4Rpl++VQx5z2#(PuiAOl`=c=1X-OCmM=mv8f`V+zukqU2U z!F-sGIwAqR5*a)`;dvAgD4IB^DIThPY zbHJp8PSxQvy*`{q>`Y&dRl&G)dF82WX5GL;-)#_;KLb$3Vkg_vxy_R{)<@ z0e>CSMN|SEfIq(-aBJ1PCMEMK>gB=6h6zkm%_{+(tD2_+w@0_20ufY&`v$PHij9$~TS=`+lgr&GhOttMR=#LDtsIu2_q z=v4xxB-d+6K@gOUunN9BouDDCVGF*c5ge|QQkl8Yu z0x~_I^MH!(&Z`1q_enmsBK>aA@afaaELR0UtI=;MK&6iA3Yy(9T>;uDFTh{{Wc5YY z0hQ2hDL^`qACn}4l+8z{XGaJ7=SPSAJK=Vng7q-h!}$4mvehQK6u0E(Sp#z|9NMh> zK_Q!Yn$N#7oB0y85K2+{N`((f@mWi`gYL@Z4y+{lx`hsGD1GG;2R4+xa&ZG2N?*CG zfwJw@7c{tsdIl9Jm6tNOL1%YX$)FscuUommPNJ_`v%red*R57yMd|C-DX^mSbt@DI zl#+m%b$7ubPUfoyS4_P^q{>_^l#z&fD^zgSfQuB&2ddJe`Oq(5h=S83Z6lsLI2DGO zg$PQxp(dB|0`Ps)EF|z~06gcD*a!=Q6KZXtjf|jNf8XoAtx0-X4?J%PEp<-G0q=FY z*1X0|fS1}qOWjn~IP+2~XsN?W4*1^EGcTz&pa54F8L*TVfKl5Gb$x4{feO&FjVmgL z`y#`t_Tq4*M0xR%5Q!?aTsZZX^uTF?yVZR5Z7elB_ z9F7CZ4~A3Ge(*nUzztF1lQv%JE~o*A$G~$u&FiEZyt21Q4fyx&Gq+d&7@Y^6{Zn5B z19&>q(zKt$hR#6cz~3`|*PmAaUofk)#5#bVY8Bh$-wE*X#eMdXJu~naE=nP+sn*y;7@m}ZF+X#bw0Bi63gX8 zSP{74J!=8J`txi#aJwI^2K@Gqv$eo;9<>_q+ds_$@YGS;tZ|_Ycce_3DYwCk+J=Vr za2pNh*YY1U#^ZnpZ>TxrUv8FTW#Zt){-xz1(}sg+ilBzqkj7I@O1Xz>m}XEHvGv8$ z231R{^#1IPwNuki4hLp^z_sD9kS9R-$SdLyY0|w0hY~S=dmO}NlL0+6SGP(!3{@qc z997nW!$&Q{SrZ(LTKl)hK@nQgqH-qiSTh|Kap0!YveRJ^2c;xf8x9#e z)Z>sN!74a}B)OvTN8#UQas9kOugI9r31sU|y=dNvUgAk#IkHxY3~j)rv_uoXh39|A*?DjLOwkX)yc4*X*hCNU1s8`)mHHg6+;0?$7)d`S=u^CVW|_xHL_pIX41&&;0)Cy6Cf zUGCwOH$<|b36K$je$|}re%oLP=gM5EtB%&B$lc%6Yg`FdcUxY+3i91PE1Qt>kC3Gd zl7CmbV-9KZTJsfHq{)NiQZJHAFiDe_$2;SaiWid~l#pDP=Xe#^?5(5#_O>457O<9A zk`(N^JjKhw>hB{d*mZe`r(o4Ten}muHE0lnkSihW2Nq3##ZBK7;g)cazD5Ldtu?Kb zBQ#dd-9yJ=1TtU01Q@?=r~mwIh;TezfC7|IG=$_Qe#jCW1Vgvgdi3a#7TD;a^EZRm zxv2d6Bjib;GNu{fPzBd1Enn7NRnfTH2zyXul@XL&Q55hE%Lf3p3`UbOv)>vHha=2p zEgc=?IG{$ER6~DnAtdIP3(tNDUY^CDA&mIf?r$&KrVsr*!Xf;(t#vX|BWTX?FW*s5 zM2Kc>jVQvGpf19%wsMzzhOO4|L`+_Jw&Nh6R}A4rLg(Oc47BxW*ojFJ`{WV_{9XkS zwSe34a0huczGK*DWtPMG6RT#z!a=<_#&Z8Y&?rV2|d?74c*FQWgYV=uD$tMdqZ z9$%yl!Zu~mX$HAkqL?ORoVZ*y3{#c^N=TmonS}}Bz9T#){Z`6F9~UDsP6E|UIS~ZR z;3fXI<8aJgMmU*u652@u=JGF)QN?A{v?b z{BTXf)3+7UWnt4Q2A3*65v8Hc($ie%h{^K5TSzf_zs2PP-@i*_CXjvLKa!LC(7UBZ zs|>hTjovO;!bg=gq&=>vtHxO#9UU0#N`W#$jWSF# zUyV%eEI&#ng&NhbcukVT52sHcFAnjZ@U8PiPyK?~6Z}NLc%oozS|rt+E0=!A^*iw; z9??Z2YRNH@EFw4CFxqx8IUXT1%|PGW6(HbS#@ab(e$D@MO6n`EGr4t}Z*$7p{-m&$qLFZG9uhaZ# ze~a<8+d2*rjXj|@cocMmZN&U}6kIEX4^1dnY^13W=bh9X%W+n_Ih*ZH+vdAJhHY>B zx4#KA+vwap-sIfYMxDnyXcQCt@y~#rnczZ=AvmUw{_^&hiyu!0=kNC49{p90&LwJg zRPe>fogDnDKI*jeYr;q;QufhOpY+jR{&u$i%f;a6?8DI+{O9=K=t75_>&4aIl3u4L zXXk&lA;pRDO(LeTLc&_g(c{Dvr?*h3>3IVrC-ko88Q z2-bG3$+oyl$Re-sP%xQ53ob6;0^x^f0!6XtM0&L;*atLBVj2W|7#b@ZFo(v3{(!c& z{^tBZ<0~9{#B;W`wje~9#B3Xy&i&~uL04GZd1XeLt*!4Cj5w3Do9qJD$nUncq`Y;} z37_$m&!mfCszFcuAP|C*GNJ%x+P^Zt=vs-NpqPw_e@SFIIo>c0+cGF7Zd(#pUtX@w z>w4v_S)|xdM}znh^w!)j(ln88&Pd|01Tw~sQ}Vk)4!Y%Z1ID4TL{xI-(9W-G0%@Ir z!Xv#n8hIrAfMn~GomFEIf1hoy3=J+01SUc-SkXzfHx3-`t!hoosivR>QUV{&r}C;% zZ4SBJ!cLH7o1^!POcntO{O}`dEs?A7=rpgwFVmaf0FK4v_z0TD(qxp@e>{Bt$e)}s z^o(4Rn2}SiS|8}@mOJ-WhSBYIyU+Lb;J@8&H}~J(UiazFfAn^r?e==ldQW$H|IzI| zf8N{u57b@jOiMlsmf-k5y0?avpWGkh^9cRFA7VN+E-I1<5O4t+2+_i%X#$i2&`KVe z4O?3Xp>vVjIA@-aY3E{PXEmrkm7UNJI3iV23OJqrapTNiR~2pU5S80!y?BsK2^SGehd@ z3a9IM1{LWUVN&ZXBF{;x>1KX7bz7V$TkmK>wzgDAyl{x{IHUQaMM6Ar(3e2;nX>MR ze!@5})^Cn|;Yb2;Za^0oAr2FmAN@d}ZZXSe3KBbn&-hfateUsUNPrk4!9-Or9t_?X zHhRU5urlz@q^lwwslth^aw@#gb0GLU@}v4;q0FSr3YhX@I?00>=D$siyq?9hNE~SE zJ+rEKd?m;FFwlY%%}fc!IoFz-i7Ro!@z$W7Q2!w&DoZ+ufwm81rd(F$RevioNy+gE#%& z{Lk8qx!k!BlI&vaM>Bp!Lx@UC;iE??!DsPJK>qMq-roa2t%!9YUk3W}g~R^ylKpr$ z)km>Ek*}rb@ZCVTl<`0KiIq?lSEg@?R%T)#@db4Fzm5O?OH3mASNF;0-`&rjkuRUG z%8OaJ9F@i`|J;&L{R!H5%;omQr;GGzBzO+JMBjb4nUWI0@mJOsJ!az>nG;2fFBwtx zBM9yjXQ9dx7SJinnh2^~1ayi((gaGz81@gDD4w@U{J9@aHOiAXrg7Z>(1`ahTAUx7 z2Iea=!co*g%EVvnptt_-4cTGyzZ;Ij$&McLB}RXGiP~+X(^Wb%|Ly$t1WcWe8(P+F!<2XJbyTnMY!QAW-bE7QknwFz!Z8I+hNg!9ap03M zxtQZm7bEIjUqCoiH{FX=GLHdGqZgd_7cs%!g?#xy==*NkUp0s@V;ADmj}RKbcFVUJ zQ~J>-7cv9H|84zm$K67mtd&|fFcMuXVjulqju!+?_2tyz%P+t<-03vlu6<1q>6S~~ z@W^GZj>zL)hV~Z=DKhl#1Diad8A-CWK!0;If#{rEk~sD~;=IC)IPc@2OzQMIoyTB- ze=LP(MB_vUTL(3>J_622A7_caAOTBotRCh^ns+Y~!|+)(M}Vs+2t5|fu;&?AOlWKh zgfGH?wBw>Gfc%>paFcVkviT_EsT8z_F7az&Bn~iuzq5zN0F&ramMBZ(*)l2Y45(;}e zOGt!zZicktO(fL^&*RD)B4HBygo*3|Kxj0>42=ln_DnJi?Yc7m*e*H^RpZL8-+~tW z^y#ie$9>Vga|O0!)ltd!56UTg9+cAu<Ve?;O47U%J9rZHv5Kb_e01?7|}4tsv6;}N|iZsAPNxdNxwIDTR{LZyUk>W;(p z0|?A}nFp6*`P4+_ko`EYgXpbZHnxIUQaK_PzHeoe2m=O5r z*QN>M>WCR|V1yQw=yc<(%r`&sq!AJ)C|-nI!1N2mY~Y<=hwIB6-L1az67JW2p?dh- zkgWgLM z0l!W%;o=TANL5pm3H=%enJW=*i9(20L|KIYScNAuaB`82;Ud^||HcL1j{CP(YYQSK zWO_M_LUN@S*rBm-Hw(Dtbq$vn9A-{iS;jLlVNmcIMHt%J@+e0d;mL%I z6As`{TU)Iyc*WMy#A$$a6#EojP+s~~cjw1%kI?Y|ogMwp z`{T2tL-fPR8QOn`P+ie@_{`mNKMiG;LiMfBVB`@V zf8;6aPXO2AXQCWt3e0t0gy(^OijuxSe*a( z_b!_$?vosst)svR?1fsjDQ$kNwWatE03R+yoHM^mfOnrV9u|yX}T6M;hGi+d8cgPD5hf>9mRY8I#~pPs;*2vK~6Pr<(Tt- zF6j_)44uFoBJ`ddeUg7|N-Nsd7C&VBTOe*2gcta8vaP^Eg3UQeFrNt^k*nr8o{{lK zG(7qwO#HHJ(NIx#DC#vMfd%?6BoG*GBIbuh|7q z(W`)tKZh&$A3Z387XhET{` zPb~Vf%O^vn_b#6t@sKyN&`LQAd?XPkEaa^C7;?A(U_&eKogp}KkqQ*mXY}Jf`soGB zDleqTO^uS@66Y*|9}QlL25hK8EQ26DHWcylWyVw2p$#r&Q)4%ut8#oDDvWnrbSh)( zhhnXfV1Z$_NrwC0+z*Gy`70Xc83VplJ@~)PLG*EgM0m*3y zk7LSGscx*o!HiO2t7Iw&C*320WQto2Kr#dCM&8#&w?YgvKw}pj1iqM-pvQ)IX}}?v zt`Vbiu|-v%T^F4#@}erHjLDo{N|z(vo-?Ns<~q^&O%}o; z!SF&p@r~dos4Y%mE|ycBCBW0RbX6BI(n=c2eSF5dyu2oC=%OF6AIK0P=?5lGet{nB zZ$1+__Maq1PhE7vr3e7u7FF7H;=eye8=23)V)K|dB!q}-e$Vwi6!>EjGP3ES!ACz5 ziHO1x#WCE>ul#@V^BRPXPKiu%9@6l;1YOZMzE+NS-z5*Q}QVh<_(F(p0?HGHoDzbGY8S<`YNVZg88qYgull9TnpkmVtKaz zOX}$5T+;>TkiQPiEhlz@K&yTyJaf^Rq@?v2C<=XD-W!6GYia5nr?Efvxk||ei9Csn z$H5s?q6q1g*hhRHBqB?K8YZOi90!~~{5}WnY>uMI5>4>X>D^nl4Q%a`+ z!I95EH*O(y0QS*yx9j#=o*ekLdrxFyQTu5-bxfN3)=s@{vDXXn#Xs;RK8dnk zpXQ81nYPovKk>%!H@`V3j5G64AMO5uX7LTIzqbG9#Pb*PbqRpl{ogI<|Ic>z9`^rz zeAc!9pBDGPPVLTlQS9`rYU4c3ZJcM7+kfYeGl_3v{k8qi<~RuM@BAYNAGgi6&eO{M-}~cC;+t51zW?RBZ+0E)fHTPLL_y8|@AZoLANHO7TuxyXSUW!d)d2_jKVJG@-HflC_O+D3cF6F$u8DhnGIq>%|`6fun`c z#>v^?tG9zqnXNcPWFE~hgTj*FN)j@ErXFiGtRQ&Pm_MS)c1+qN$a1p z6@6_EfA~~=YURJ?khCg{YWct0eb&p#|DA4k_rd;qFP}$`(CdJXa9|dcN%Pr*&*mxQ zDc=SMPmw|}a}l62I0Ig6^PRV41TrML(Jal|S>AF_#f$R(Q-KQb90z=`h+}?kWX@*O zN@V-un>3rU@ZG{wa=HitnOnN`=uu0I0t#=+>3#J1OY0Fr<`8`}zgGW#hvy_~p$*xG zZ$%BM>(ksTUvZcgLJ6KKoxt(P$j71cy%WE9+7gMoWiz7sC9-)$ojFrxgbzB``0qseJZ7zvZ_#BeDU zj5i0@ryY-uS!cmW>`WKFM>+t2bsj}AaiRsJxO2pJEtxkwN>S}29h87{5(#xCxR&nB zoT(6wV+;wK@|@tdR!d{<=H|uh6H74r$kIHx#EGcqq}oA;&qPeliDLf}C&W=}-BGiB z1oKV#mVZ&jw`w}D5|HOn=KZ_^*9)lG1(7R|Kr_Zho=qC6$je8M&~bv2MI18pYJcz} zY|MB2Z;z2jMvEz=2J%BR_e0+!BaIeS8i;J|0ASX6#D{li=!`I%IqA5Nv3RtYrn!kB zPCZsGPyGCYl}Y88rZTED30a=m4UlW|%oHChXmpU02NTI`$m?YygI=o8MtX5L0vr%vz)nPG4^pX4IuS3+<&{lq0SlV8biB(tR)i@GYYDv&XN5QT&w zHl7i00jZ3khD)2D%^%xt;e;(E2=+Le@=Kc|FK-%+=8GWlqkuRm9B~9c$^b(OYe4Rl zdc~RDdSMh{;4AVe0r(bb<@c=I<9*cYc6%*@mher6vG9N1ACI}TxIMzz_tI(F!D8r6 zOMW3i8Ca`o5RV?AcQS?(7Fsw1l21N^%+$(TTMp@}q?SUD6$$A)pNU!>P!K1r1(fTW z)&_zTTU@AHE$udMMQ;HF%)t{WD1AIx&#DGj#G361=uEX&xrXgL3 zuu(rjbLx>kqTx28lgT#t5+~#WM^SK{{v`tGMf$`s4lJ66#Zm$*_PzV8Bg0S~u|Ccf z4%}HX4<5aKf8hMQ|HgT9^x^0YM>|9A0C4N0Hl0k`0^ASEEjC<$vnQRPp)t`R^2h{o zEkeZYwh+ih2a(|$t{-p;LrDgmCb~^Uu*AvvQJ-rbV<<;{$`nC`UFvteU2;UWB zoMnTe1643eOESSZz*VW6Co~rGfU31p3g~ztsPpQ>aiEPN657wNFSPIER!gq}AaQ_` z3Y%>i^NbNuc6PLX`1Z)1dyixecPE(?kmm6g`xU3KWH? zCC|SLUgbEL7##X>AK5Oy91Ed;t73iflHw=c2;q3j?g&4fM#lhcKc2F_feTitXVaV` zD&9|{BV;ncq8?d5r}u{L&p6;z%`dB&nn;_BJSK91SJ{;}&tC);w9jq#iW2Vhs? zIv5}9b6ez2dbOBLNX*)O)ZXiM-@a;p;lJ)n_07K|{B%=^m!m}@qO`OV43ZiwLa2{3 z6Pd4AM@w(p^Z*g3F-)NB_ehxsx3l$5& zubh@%H6+=xQ$nN}%MoN1j(P;86CEjynUhdwM4W(Pk9b)s59UC*5+|AA5G1xtB&-bt z2|jY9Jd(tM1iA%Age*Q>Pn(f2QKxGud&;5`u*0J1#cYIK2~yn_`OOqU6=jZ+T&r5< z%bHg*9*U+vj$OO>E*r=)%<&>bIFaG}BTADdtFDH~uei$h7bfvF7*ZU8lQa|84&~hOyO3J0;A^ENCKQT|FJx+fJj2N^;MSb}W$K>F&VxL)ar}_$jWqOR7%=r9 zY*JK`Bk|k^!^JelV*)0`Mz)GE4aX!(Scemfi)Ge{sQ91GBQ>f|Lx)cIb({&F)P8u) z;hpMrz58gln-|9Fj%;pH`E6g^qfRN~@UC@cdO%5xL1$WUw!nBh6EmJ z;-ruEp6>3n%ohi^B&xE&;wrE7s5caQuVf`BVRBaObQD-a<9kX>*_k;ZNjPEsaH_uR zJmMod93PHwW_4E>_9gbRGyuZkwO&L}E1M_lOU$8cds>S^;(DIu(f1i5{9htl6<4y9 z`FI;Kx(&3Dc|*6g^!t1Vi5EFUL*$-GBQ}kZ3qBsX5`O6O7wst^Pg9dr~fri%csUkK<7G>B9{|50>y`c{RS{?0TZZY_c1G?}W89yEK>k_%b zLC|>=6PCpOIFacjoe7Nrb%nVycG+hz08GyyV}^LEaZs=8ivQzBy7ks|sxtT|=z}om z%a=wZo*G4MVrg#KHl8JA;XnPWzsmN~K;CxRwl3}Vw&d5;jOJZ)opCIp%9&3?Kb*?3 z_;D$WJsVnGiA~OZ5=^)Vf^8Ji0w^$xBOhh~NkX^Lct$D9*QiLLLhY1|X|%)neE;Xc zcIrulgo=aE>z|Ic`A_J-&`CtXL4wC0;U!0_gjI?AOs{=D)R?SLv1S#UQ{KW6|huw zIWXM!z&Hk3e8t_*^Z5lYePqo)cuR@gLMW|3VZGmLc(BFDsHCHzlu$7YN@$9U&nJGV zTVbR;5Z-14oqiA%jg<{gNu?AswipS#+HF81_q^YB+FXRfu768ClGda>BiQ>n_7idv z!nPNsYhS$fEfSZr=OXfOLIz2U6EeNdx!&n{euT3_!i0g7=|2^%9L;ovtnwZ>#=&rm zB%MbBDTfKHe8O5Ln*H=xKcnyn_8xv#FPGW`-hws4^fze<6NOY9_?f+p@MOaEDB;qP z&_KrXGZf$v37ELpQO^6!pTdGJdF&XvOGgX?PZa#*?mU9*1S9|kTkptfW)2QL2ZxF8 zsBhK_hpX2K11K8(oDoT|GZCeXq%-wE&QqTH3LW{U*13;<{jG)M5~$V%ts$b`8@)wD zy?vW%v7f0yMF#nxJx!;s8(_^7zkm@|A=GRz+c08;BAX8Qp2~44?6U_ZePB|>9_!&z zeXL3rO$*&>!=jr6Q7mKT?&zU(ol9tj|iRul!-F8X;U3j`!o zblDaOx%d?~%k=|w_{MSzN_!%3iT1oGC!nRZ5tsAWc<}L=OujGtjUGKhG?Z9yRdKtJ z_K6P{fzcx*V<93$qRH@DUQfg@8+l}rN4OrQ-V)4-E^8k)Z8D?m;P#1TL`kF?J4&1OqAKIMN~9g9Lg@o{iS z0(`BTB@l{CQ$>$|C)2d2U+%RKnqWUz#N>Py6E>rP*GJDlr-NnIzU{SIDaOm8vv)Vx z7z;Wl{Bp@u_PZE#C-I%#OG1l=5)w_b(bx0#*Oovtl^!2*^hOkzi7~t8|M{_ZX*o^!)uo_(QU9sDhu2x9k zeJ)mmuMJz>V@=&ioOB^l-?gs$%ZGI3WT@DM5r;BN&tcs%q&q8{>XP903R z8E49a@IsxDn6zM-j>1dO=)O+;M{WF%vLmsM$O)f(N|uFD6aV?V82{7T?LNf++{mgoLV;Bck0~ZKd{TOD@Sz2 z)4Q~+(i(}HKcC80g}!`Q0w)mZ%OfT(F*&?Q2*A%p-b=WhsAozp z_uFL{sh3TGQJbG-lCCnn=;_Je{Po$<;NoGb$wu zOHX>q3=T#AU^I+yGJDzn?0PuCnqyAt<@cqHZqNub^6V*c9FL5tM>boW2$DLo;#r(U zA;*h6pUKKAa@J~Uyj{aply^qQiRZ|1lH?jWKL3kwk&?Xp?j5-#@psKAfui_WR&%a`2VExInkIG%kRt&NU#)IhGa zTAx4P3H{&Eg!It>lDM0O6Q3!)s9^69c8yh5OFig-(IzoA7&y-xK3PI$>2j%ZPlAA_ zi-f88QI!%{_pT^xSk`YTiJW?kwAIUgJEfz_y$+Ak91~5py*oKPx;Q?~Ni>mxxY>3! z<&>Y0Is3Kyo68cMESQTuFXks9d?)|-(%vkfaC&lfof3+b)D8Bj}s^u_Qlo93aKxlonrSLko6-FffCs zbRUOGzDnZ^=J;Bq$i`?wuF%{M7YSi@f0W}>=@^v;H@j&XnV)eomI=v$p;|tlU7~{iawvHTKoWOIt4%|u169wPKbv#wAtrT$Q7y2F!=Ii za~nl606Wc2;lq`cB{2=B!L?EPC!q*mQeQ>-#2F?~lL(_IrrtutTWIDSxAnviCp5L| zd34NNJ$+CXhuxXcD<`2H@CgQABS%7UI21=~X{^uJx&JR=|GAivAR;kylW4hAFxB>- zo#(yo^PK%>XQ%s6|Ldnk&`e)wuRppIPfPv@eqz85wY3&nTXM$eZpbzi7+%GW4vIp$jMKs z`CeM2d=hvJ;h2cWb>gM>ppB7mMV8hph#ri{c(a-^*$Jp7q@5G_%nxas(guwv#+3l| z$77gQ|7G(<(eO+U5iyE!{%5!v-!6?{6#HQ^LGAx!&VRCYZZrXR88#{Z_aBjagrA&+ ziB@0M$7vQ4t@lR#Ds0wsZH)!BWW_Ut+G4ux+c1$n-l}{fnB|Nli&&TxaTLWgihW>) zG@l~e`lK-@62_crA!*uu(s2yYz{vcP#0PX9aV~2A^<~d}>U6i!UwZCyr`tyE0gf;v zPV@q|<8D-8PAm#wBDq&YE3j-;Qx+PwOGS#lHN?NwJZ>O#pI>C!Pui$`(UA4Z_=Ix_ ziHqsI_(UrwAdSE29*wnxWPG3I)n=LfOlz+c>9QWFqMi2P+I68}PU%l2C)DlSaeF<) z77-Yt#KuVd93e4>^i}67c=|k=rhNeAJM{}kY)m7v-5MC#3;HVX{9-T9t9%hs3>DQae%J_I`zkHYd>Ign>QEr;-G>p;`f07SYHY80RQt^ zxz%fhWN|28*0VL!M4L=dm%ayCess+wb+V~yp0Q`=KUp6*w5oT0abe*c4SXsItAUtI zRX?h}hjj?I8oiOowWXM-+CABQ-*OU3ni|*Ve7XpIF_-FR5Xfo(Fq-CJ)Qzb3iE-%d z2hj|_Tg*|fyAm~xJS9yis~_V_Qd#S|9GPt$%jj&w&r0dihIdA5_54~%-|UTcNzT=5 zPfKxb+OKr(6?U#lGBn}2Ml{ivYDxNNT{+TA^BZ)krA!{d)dU-jlWL(xb(N-a+R~s4 zaj%W0taqrLZdT%0Z@t7+m1|;})~0IOs?pLrLbIYSwIkAg^|IV(TE1V3BR08XNZm10 z7~w58%jYO#-J&cbVsMSNux;|*851Q#$*G%n~Jmsa|@UkbH z*KWwvI@3-a)UyRK23cxv=6jaz$P~Otq*@01VPigQ%&)gGU*~-yg~wsFy-4>;Y@}wG z$pMjdT7@+!?_Z{BSejMAsT#Gcul2!Pd#2x9LKwsy&`gzOC!IZ=Rz2-X`ZXXP z@9D_t+zZL17+8{CdAZb#5)#(qBHCrzq%3!G3>sv5j>~bt-KzfmK#Lb_e^oUMG@^Cr zVKC4gX<`*xm_|t6vRDj8+6bqlN%ySe`sdHWY3p<56QmzpG|oN7XrYuPy0@)G*#$aU zepc3wwevB@C`Wktu^LXTp5l2$^?~|di~3d(o(o@9aRD`EV?BuUK=crD&_Oq9yIT*M z%;xCI0GMcc;WJTUKzM)Jy6FK{H|X~TO*A*pdO&)YneJ}d$ni5}-P_~4BJgZM4Ts}; zcT<7#ugIC84vi9PO{;m-anpmGc<8rgR}%e5HFM%sUI(?rUVq?|v*NsSDoqdi{0mkA zzG=ws;Qvt3ZPVzNzjzkY3I4tP_jbDgD`V)U<5;fUm9tS?Q)vj%jsIDK!194BiB&d2 zkz%XSt(tnv(s0T7>f|gXag|kQSyJDc$oJ2djptQKxC+S!Zs?gHnqe*3vXbO(>pg?a zCnaY?5(R*68*M-mZPdOLf2Om*$;?fto6Ly#3bkcYjW)mMeECu-VYA_Li=SLa|c6<5w zkEhR`Kg56B$43iNr!m@afA9ms+}8mep|+@HkTX%YH|?#m`WNj@i`Ro$B_jR3P$?o8 z3~x7F!-0~kT>sGzy?$o-Y|Tl6`Gu;VmOXD8{ca?&PZLLq{9{p6K2A1)0uK zYbj#`aXB?d?#tV_FfKg)NUpchV{uSxkItZkG#Va4LHRJ~2C)!-BxB(P^pby_suPxz zK09~o`MrW}db_1)R@fTpU0w|+NLAG%1@p8pv#%R=`0)8gK1-bcxd$z$u|809{`YpC z=JS8;?LE~0zn{-%EhxN10g%xR z*rca`7_xFj1;VNtRD(m>UC+t;a6sL|X9@XlzMMA~|F!b}>GN(u{_pHP$p8EJG?4%0 z#q2s;?q@dJX1@pg|J~_7zi7vU;qs6>73_{7cY3YUJxcz_r$N;@P`OfKh2V4;`5}(4 z57To+itz|1vu*Tvbe#~U$??yhA=RSz9ew!%C_Yx;Ng{u^L8E6+NjT0UTa@Va2U-)B z`?AzQ=a?s*Sus$IBdoyi`dKl|zu2j?g#4Gz0uH+zFJ}R)mH&Hr`M>l0`ObsXlZS&0$B>C)y1&{^hcJ&x#9?#1j!Log~;i}9Zky&i^w>unWfou@B z=5lMMK8^WI>jGyLlp)keou0PY+GgdLWZ9#drG*3d-{A0j_$+h&Gg)kEN$-#P`(LkD zxc~K@KYcj=@8eVD_-@8ty5;6M(d6IqFc&wrlL-I5AT2fd41=^{Nx#hPUe88tGock6 zVN0veXi&8_^%&T*I8|X|@rnG}eEjfP?X#5p2kyt?F5IK{7M7-H7}ch;&bcDg^$3-WV_=o?tHrtqxgwOo$0@DaQ+Q*!L(}BH z=DYeI<+IHBpGBxSV03J13aUQ;cb@L-Jz7~?ItVg@3 zk^v0MU8b0pOGErwsfsB`5>hW!@Uo`*w>Fm~OJ9>z&9q!8X(kgt^b;)|srsfIblPWi zun7%FoaY4X%W~j)&sE?jB%b>r4DdR}V{%GjpLzo_rlF_fQq{~5h7AX-r3)D^Vn4Y) z5a|o@Md`UzH5z16Xu@8{bP*XymY)(CgpB~!tJ#77QXcqXna%NP?z7x9=d6K48#Uu4oSH(J)|28D8m^>)k=3M<1uX*GVNeH_#o`C*66 za^E`R+!r@F*NFK?&yQugD%(=dIlr6=fA&spZ2%j-Xy|#jyXpWFKlGaPMb4a4DN1Ij zi<~+BB>vq)PDm5vh{9(s3vt9|G-(@O2b3jGCUg;cZFGbFp2Gm4PdJ`3G@j9`5IJX6 zTRdKb`%Kov=r1D*P?c~2Zc!r}BBsciRTyalijHqN0a>0^#GbRPMN02}lNHHzW{Xi} zSNVH|bR1Vmh^16WR4+JI5EI|BP+0byTag_bGM^Pi5?- zb-&JOXCQL3?xZygB6W&M69u&5-e%oZ-;l9JO`u|0YsrdLQ%r5CK7_yqylX~x>YH*0_%%sCh{qX@ds^J+j?0asER$y4Q3Xcge1{~ zNOJ+wOn3;XU<#@10)z2hg_5G?)7VdWRyDPD^l*n3%5T&)= z8WKbgUZ^>uN{%NokCN*{KklQ?O#qf|ZI*9bCku2j@S=3Ki^#(X86+`I$n;u}wvbT7 zY^3EAF^eah5fS{?uIiZHE@K)5emH#(P5LNY1VIZ~d>|U=2ttG%1lXUSE6+pa1)TT7 zLB(Y%_>bs-3Z7BoV>prMlbs2YkKhbk|YwL(GR9oqOp_eVhpgEIP-dU-)^mRm9= zmUS_a6CS=cyO)J+vo{>$2K4)au)Ja_3sscsS^ht*K0_rJayFWiDi|~WxoW(D$D;3I>a~2A5cZhrY`j2mi6F6 z|KLNfeb(heue}lL)f9|m1=rzt7SoU}*a4l-{RFk?WYXTOqu}6|cLzV7oxD4FKe#wJ zdHeSGyn@Ti5+xL1H$1KRF>PQV*R%fg(!qy|`5?m}P1tbD(3!goQ)r6A(lX-i<-$Wa z!JUN@tnN2opv&Q_Qnp#fEq;X~7W_hv!b@v23*;mUpl2IxK-J{-rTD8bUVAL=CvEh2 zb2+~=^bo2ce|ZSi&{*UlRO2C3;~`YzAynhvC{*JPOQ>dUx7MG_G?wv#C3K!If2x0U zSNIA?Mr1daUj+sQ(gt z)%}=wsC^tF8ha#02}NQCY8}uuU7(N7p`?KRxTSFB4VKPDO^fuK0Pp|Wz?7tZc=F}rEJ)iN} z112TDFY=DGxv3Fzt(Gl)E~op0!B;hG<&pUpv1?iRrpmTyMN+?Q-<`2#mL$>Zd=w!< zkvJyu-&!*Ni%;FPNJ*SE-q`I!u6jwbk9Lc@l6}BiU774de*GK$J@e2yuh=DH-j<8j zcjYb_aV>oGZ=Wrp!c1;s(1MLztBr1%b4KPB+^CA38@W?8jza$e_N0Gz<*2Jfz3o_{q2*_ z5GzA#RgGW(gYhr3rHBILqQ}S*{>^W6>(Ak!4_!yUjZ)b9 z1m%VPA&bF776bH$NL{c@{Qu=R4FO&%0YF{-_wG(H{=fU|A^!h9K2_yk15d!Cd3J3D(1`Csnk(=2}DZcYi#On>APqM)YBfbn(a zX(^;pQ82RnDV7VMY7|iHy}|(w$Nac5LK}>6+HbUmZFz|?J6n;+jh~{E>g3H2#x_40?z6o9-`m}NkpK7c zxf99$Zz|NI0BtDAzKI_H%L{i6x5mJ$fDFKJbB4pIvH+F++6UtXQ@mo_O%7>H}h49zI{;Q@j7qj`k1V9=UUGbr_ZVzxTAe^Sqbe z|GnLZ{eLf?N9a_n_27Trv|7JrfBd#FOOlB7JDsbmE8WqV#?#Iw@)^P*qN9J1apJ@z z06iE7nIrWahj>cnT)|@3EFp8WadLL}>g`}tsBJhzWFE~h^BJNc0$&j3kNm(-u0h$N zAz}#*Jsf+?8PjbZaXFe0R4m6@PVM&Z5hA^^{V(KTe#mF7gdFllw|LaHxjtt%= z@<{he-t>pdwu-wZ|FGWBx2iWOyb0mGuTFxU_rvf z1GuL#os(on7Qh_|jW~Fq$E%-C&&(M_G4))Zb~XiXoW=wq0hpf<)@nH@BRlH3y`3j5 zM@(eL?e(4@8jHVn-L5kt3Et(upMF45OfP+YF(xr$i-@bve9jz)Md*<@xaLdbhm#ny zBwmb@MNA}r0SBrD1ah^`Y08=WOF=3i3I9{7vY^zX;r!Z>Ukv+IEbfRzeOdD|ra$Kp zMX;${U#4w)An=UnWKwJ>=c{sO8lG!>(FywX6vuc@I2Zi3@hD3F*hGxL4nu*@5(dL$ zzoKM@6UCuwRN^6T5euTi1O=E@>#t~Q>)emFw)*Ie&l1GvE@#Z-P8kAWI4H5l--o_! z75FkN)K49c1SBEwvrcnu3s}i7yJbC!M2^XvUJ{1Xa_gj}^N5BdOc=t9(Xo#cwLvq+ z5DOJR2aP`@f2U*=KqoW^=oL(quRhZ#o-WuZFvu_WlEwoW++;@lI9>8fahYqiZZf#2 z$>#-)(gb;VU zqRQ>rzM|Nh`(Zkll66goxZS$m$wZ|I@s!3%eq>{!pquH_Q?^I`!&(?t2Yd$;)t=q+ zOL~LOvL9iS+E-M6xsTSdrt6z%z8-;n%>40^9xQUFa^b^uCVq3oag5h?;@qI&ufGk^ zhDQkl4`b|kBF-8`3ju8~lFxpV6j*anAv8ncp@@2HvoKNJ1GJoQ=|p97H0JHaJCV1MUn`NR2UL%KA03Lom-+v8xBEKxXq}oKYtO(1lD9D0HBviP&&kY(L zPu|hwG$xFMg=4R-w>i;Dd8^tj#C7=Hpd6N9TU%dt|iCbSo!nJz1Mibj`=>4H~i} zCdqiV3j0=0)OxZupXi#8*Bdn453cZa<>9yNL`#zw4bcsPBu2-FpvQAr>6;V3tIrJ@ zc2^Zea-zBT>FUvL(2w|17|qoQ4G9v62X`|x@dE+|e1bhNxP+JJ634e!Cf0C{TD;q< zu4zXibClNW7U(a5>Ut--0RF6mSFkYL&qpG9QH!CycYdN#-WXPdS8htV(~p{HEr#~q z`H6y8xXQwB8|wzWTg*o!=KBvCv$SCA+U8_O6%Bj06h@V04~ka60ZEY73|`>;1kI^O zT(lnq^on>=(eI-n4Tswt#GEGN0!LABt^Iu!`w8KH2Xu^sAv}f+>11N3aM>>_P1Igs z!8k{=6-}2C9#KI@pK+0_lR+OGy`u@~qXY0)=GUAl6xijb6b`F6%U#d$Qc|_zZ0gJs$9FB=+2xmr;#1E&d@%RlI&aW>tpi9jfCR*_TVS~5olf*4Q zYq-5sJSo}W6`myS=Zw)1U17Gli56a3Z1Bq8UhedBgDzqmdUTF@U3kdHW7t4JG{fOy zPGWy7Z@U+^-sVILuc0=0w)fF{_^g$6WxcCv<5+H@$n#?~p@DbD{Ck6jmNa8Sw86N{ z5Xm_(L)Ns#oB4@m)#oZSBWj^1Fd5hnheAkkR!8oJdy>QP;$ zsIF_G4fI@ObEtv@YjRb3(XahZ0z)MS|DtjkPS7cQ8iHH1f zN!m3;bfz;G;hGLbYDwCkTVd;k+wlXt*9831OEJF z#aZSjYGxHEmAbj)1O7zKPi$46p`o5xU@d3MdRMe84?*r}f8XSz zMC@|R=c-S2T@(HFw_EgviH>K)TLdJwTXOU8l)00$=f@WerQOj6O=ij*EiYy3^Vwa; zHLaKqw!yQZ)=LH{oqjl2c^VB+MZ+Xstg2-dC#t8lwLgKJ#`Mzn2!wJf8}{(jmLqt$ zPN}r!6-^Ci<<~SQ>XlIO&@E;Hb3^#9j~A;Iuwn1~L}hidN)>Q1^86U`aa^mtDyN!G z{|@GSgNE()$|Aft(K3)5Xx?gLjshstiKWk=PEn{+-6_8JKADSWF?tZ2z zeCp2#_I{52gq(z9^4ro5RryTJb^f~Aik^vd&-XFe8#H|J+F##_)~SI-6%edrcY3l& zz{AhWdtRr#`9x)Yd#;%eWY(W5Vf2pktH>h;6OAZ8E|@;InFPeMK8w(m1@g81fb9DdQ3f z4(Pvd#&wZ$-uO)GPIJqH;CwV~!H=x+WS?Z@>QP-C#u{>aq3n?pi1M zrhZYYSM+Y?C;_i)qJ`S7B`V;)=lL>ejZ_Tgq7>}i&iMx2MjDk&v|8*IW_n+|d+V8k zKUzbDVL6QfM*jcV`}XIyZ7$LNtiJ*)-Py#cNJ&ndhwkQ^>%?yAX`J}lPO{&mod_Z! z2@OSP0n(0I_kZ8PIRFSgB+HJ{Hl1kp+r}h_$HBqDd7mw58Mc7CxX{fQhMRK?+gj|_ z7P=Y3a2t+cJ4@XH$6$7JBZlFI9D~~4inq3-n=uTVa|~NtqZxQh3*C%ixE05+72MtC zLN{O-ZptxikM3@5p_?%bpTRMF=9;&5k8a2?+=^q^67GKXN;4+sJcaZ2Lehwx_+@pQ z!UwQEu2~aQhKIG@pL`dfFmMj2qxgz*|wq3l1f$#S} zHMvl88yhQplLX?{mJcFLXkAl1p|zlT6J-Ql&~)UuX;9PccHtnhj%wi*Nbv=DOBB=EPL>gRLy zcA*=EhWrykLZVIjfgR0wR1~2jLP8O9z*<|j-OA(J6JfR>dRKRJt*cx~g-t6SbEc;P zl^0@b*Xb1*{q7x?kc*y*Bwer}X=_%Z-L1UEf_?2LgU65Be~g-!x;AE_DON(Vm@Bu= zFBCbk{XIPvDbIvlL7gz!Pd4MApf`+JCTu|RS*Z{7{q%~+ESRMF`Rx|EWpZQ}N*$8= zrnVCDTCBC@?g?_dZPV+(`dG~@wtP=h5dSRC7 z8W5h6%NdVmtGD*^e_sxDd73eKQB@sXkux9y#J(Zs4?F*d^6C!3f+mA}zP7qV zN;8|2=EYu<<@{^TZeCyLnk?sEb9VEB?rvcJUTydG8Qw3m(CzU?8<>UHnS;ORQnz3Z zwhP_J5c4$~V44@YLLvAyYXX}WxGc6kZ=g9* zru~qBmwogO-`taWHcVND6+*GHTwe7+r;E@W^0;w1;wFY_UG(U zFtNq8mvo-2g0WZo{NEynspX25sVd36%AjPgY3rXBL$ zoC5Opj2zA9In0S}{rXf$(SB<4LQfUDk2Tn3rwL4ACc(KHSub{ObB0+)51hE znog_k(i{`rKyK}fPC)?;WFWS+!eTy|FsXY&wNtD03;}>f7rUjDr0mj^QimR(n0=-S z9fi_^VY3S+m0pEOvjbU)UArz(e46qJk7#OVt-3@=5=jp8CKq{s>p}nmQ*dN2*p&8Irb` zOxo2Eo0_HV`T}oQcVyMHnrod5Nxw3$RqX~2B&(fM{IM%8FU8*0UKIO!F1%BcEa99O zgo8uUb!cyi@hAwSE88+j=oAxX#hN+L?^6fHROrLSQzTM;fdNOaLb9JIQ6FRNaTL-Y z&pU)_CN5LFs112|j#SW3jfBJqR_^suZ-J&co_fG=^HhczqHrbgxF}&)+#a)h92)zT zzB^pAqh4nf3E_Yo4lo@-rWP2f9Ae|tu#RkFkuVtN>))O>&#Vk z&sSzE_Yl$B(3RQQ3mzK8lbAJD{4Cd(vuY1Xd#~R= ze%AgYY_*P3Vx21tAQU44ybV+_d)!WzVG2VG`lu#+*4&$cV^b1#t~9?8iGlk8I8oa}-NaAJY^n^O$ct%{;YDCj1FY6fZ|4T>q^ zCD-&X$5932My=M-1OO95gv%vGvBYq}9(u1$Ob<8)QE3)4A|@eibb$yS{OzG|S?@BB(pIZdPdOj3A4+2E{w9bacUtsN{NthJ;lHI9=u(a zWS*-Gw>`p;OwdCW5~QsrG(t2tb7pBKmkYtuEWi}$VLT#AV3$Tb)q-X|w|X46CD)Vc z$~sHfTq^2NqQ#mLe-XOsfNYAm;po?3?6ifI2IZnj5hbgo40S1j8^wBe8`K^PG&ec3z&XXOp!w&3*I2F#1=D1qO04xf> zQKGNm|H+x;nu4D(1kiK6(|1%^dd9+usb!gAAApD?nS~6_L7zEq6^)R%lp<#;Wr^cl zKiJPZc$o$%y9~^%g9}ar8X$lJP3m^gTSG`@HBbg)-zW$TpC)2VlS0)Eln0teLeKsa zQ4ve2-z?N(YYHq(a#=Ay`$X<-773D}QN zhrm$#C^L)7A^A~UvJ22q=412m0BFfB9Kw{Ly3Yi{>wo%XF%`LFNmAyXVnLK>>d*G| zF%_4!DqzJG+tsX*<`VE~1ImKR6c8K1J~n3Nkvo&FnomJ33K3<9M8adi8%!w~Q z%g%fd-tdFnO+RRC<}5bxcyQeu8r!ZIzSI`b0JxVw((S7S&FG{qp<`b zUbC}AV$STR94rAbpG*eFo&pf@IJ-ENnWFMa%IcW=T5@uT>DpN-k$_z4|6WKRZ<_Tv8D^|&APww}ggb#aG zW!jTMWE0g(_}IgGHS4_G8$1qP?(IF?v67M_(kRggg}~^N1=_?Q6bUeA4lpqF@Aw=9 z1oXfto4(0}r(DfgjK`pqQU(;%sIVs{af|g8C@1@OB#6AHwk44GB%gvLKr=mugkf=8 zz3*NOXgQ6I7MzPM@c4Hwz#7`isQRdSQ1V%$i42Tz(u-M?P{{%_fdHr4LGQ9)De_>< zraaw2?9~))Ro)#J@fNmPKM3hh_F@q3k^j{Hd5FjdItLKJvs|Y7HZQNIB1|8k!s&pe zOD_zo2%5A78}80ga&Lx*AsO;u?Ta=E5?)mQMH8PFWU?Sw_P$ zw99aO`uopqo@(S&Kevba4<*p5{d0TxbK6_j&+R|{Fcz(M`VuO`!vMKUGD-E#;|Mk6 z#Y61=Rl^iecJIOcU9$-wk1QmMxU#_LHtk|5snApOmp3%6$l?W!5Q2_1nX;5g&>NK! z4Xt9YLcDyikrxiQNa(VVfJL4ya;PFpeP<|hUhvQz7=w4jG;5e$GM1A1?PK+6X-wW9 z0Qn)WH2^tHR$6>MxNF1QLakN+DuhZ0^E=ZzG zqoY?x=LgR|?4Q0kt3Q3W|MKAI6kvYx;$Z)LKP3A`lP1}m@>Cz|=BevB86TL)>cCfR zYG`(4<)(vDCk^yPp&?;TuEA=P9?O`D^}fhFbxAg{E@UO#1NB$vcVY5zGCAi8wO!>} zM5sSB1xBA+ZetXZee#hl$(W^V!ZZActE#(!D%4GSHik1SB4@@-A9YEi3_{@Hwo>|- zYk3HWfnJPAeHt8dl}SF%kyC>C&8Un^;W#Rjlmv$vSS zYMZ}ls%mDwtA4S<-K^6gZx&NYW7cXNWp@-wnZ6&WTmtiEEC^^vGPxU_a@+XH8CP=s zil!vT-oQu#&RHnwnCLf6k@Sw0+^u+u-UE`Rv6v@I?-q1ph2)gY8Azk6=4Jf*4CNTr z1w5lM_iqvBh3Jc^P>2!NQIcnouNhM{v(A2Yv7VQo<q3b9o6oGPe5^8_S)0`&p%I&bB}$PGjdS>b zJnDz$kv6P5Xdeo4}mR z>94|pi;VO6!a7?5($Qlm-LeEzy6`zjv>2 zWCXWK=l>Zywj1zO%SZb5HvXUX;1mkWgr^_Xki54$a(Q{_tEq&X_UKsTSubUmsyBH2 za_Zpd};#n*I#kB@NX~ry?D`mQo5g)|&m8Ppf@$|yN$v}_dW-<|1Q$;$pAW zStb^X@?6W^+`CubOsl{95529|W5B(8EkfQ8ejz{XpYOjMk|NB*cw|bj4;Y%Bm}>wX z6U~xGQ@vMBtaG z>4}C)QW1RXW*4cgb8_;PoaM7$87WOnpcgk@x{#z30Brnj|2|78-|DT8ttsgt9mX ztFc=+8uY_QVLy-$A6s3VeWfR;ntYQIG360_(1E+fv<$>$S`2}0%h_<|dYjFn{g ze9mG{GnQ!S_~`iL_38QktMegozM^ngth1<-_FTUf8krWN=JX>YAOz}foePw=6E)~L zQxbWd&6vF8_Lu=GOl?9qxVKS!*Ce1pfN9i;ffLevku5ckZ_-qSCe0jc{$l^-%h&Hd z93G#X|J(KbbZH9YfC{&qlmrzGfP+@R9VayX=*zO!y5)yJfeI2W*%vGk3q1=fqj$)C z?`SxF3Bb#dtKYmP>b`r&_v|2-mONmERpHyXf`(!GS2419n-A1Y%D&CZg5yat)wXlO8JBxt|x zj?NBG-yS_bge+AflnPuB=iSlkmj?w2+p%Z2&=7f?Fh)(*q@R+0AQMJ=V7ySwIOgwH zug?$9!t9gDCs&%NagBAlhw+lgJWV0QjWimeGzC!?5xmu?b!7B@cTp_`Al`9zlM9on z2YO1j5QdY#KK65k_AStCo;B;(F&82xcdek}!3Fv(7Dz_^lJr3x?X0rAu}>@_0ndou zPPo79_^-9-nTY8W*bDzs*LOKEx(?smjp8nR6oU0dq??brMp;8Ma>*?IMdcN`PO3;! zoxACj1T*3zBMIIV%Grbc^ZjT0XXeenNH3c&dRjus7oh|4KA4pR)y)%Nrzw5a8i|5ftTLOqhSnmn2Z!7A@z6}+>0PX@;NikH7ImC{t*DI_-`1}2>YaG z?0g<^nXpBLT&IDdGRks6{?fHj)2IV}u~K)I|1qoe_!aH%q% zh645Ucya(`cnv6>JJ-_=iKSQ+GbzFN|N8CBN!+|;u9zfm&JIuOEx@IUNRhCjf%VQZ z;J@?i==|0G@e$ZA9R}Yibu*P3%9_G0B){MZn=;5f(L6^DzID@C@s+qVT$J~%#X- ztga`<8=n8waj6^7gzL_~KJ4Z5zjy!9qi^T`&-nej`G6YBQ8~a=$RfTJX@Ct$)-s-n zfsRRBB$7aJX)Hu$l|nXu(hW|vYHq43{#loF+$oVOH*R$O&jIyWpg?Hl)7#ao1!MgG3!( z2yVBqU3sx1tccu7at68U&|c|9OikBLc8E_-Z6ywjG@(;=Qq&1(bvh=ZYuF;5z%wMj z|Iz9YQto0%=1cqUS9H#b7G9S_cuGj%HU5b$@vZyHc&j{5s8YJyGw*M3HCpLwZPm`5 z4v}m!BsWf`q}L2x=_O0IG*?Ijo?41HB=v4ugk*F&B!fY?S4yq)_(6-1PRG?*papPD z#16bRu^7Nm-Punr=~CSxd{ShHB3zL>3C)3E?U03!xB9_4ytT_g zeZ9pZy32^VRztKL>i`B;y^iia5NR-`Y8JSDTLj0jdEfLQI?JTdMKARI2Rq~Fn8(6fn`B|JybCmM zPI>C=FxIA{8}8_X)*-$fb66Qs_qpL{*jd#u3LUmg;v7GRksrO>=@=jSlOl*>X!E{- z+8@-ahAA_SMj&uuhb9;jG$WV)r zN)VAjHixmKk0A|U^l_2oXz+>igh`W1uC4FpkL|E_!`>v=vw+b&PcptpSm4INE4Wh( ztQU!-;Y7ssm3{WcSil6P4iJpr0IlkoHD`QC2L1k^Re~ivDQ1jj_kB$1{P`0uo*RpP zV6sK`TIPWnsx)h)>3}R6q7c-Wy3lOrfnc2kOqbx|W8AQ~GP%)Bus0fXU4r21r+A zM*G3K3=|0@Mx}L*NX#bSu>m&uu1oGve1Opqo28yL2=V&-aH#o?A}s7*W$?BLS)FAT z`Z)DmZB3HP;cyGfoHZ>*1U)Z!O6Lu*5*G(5F zZav0oxN53KN$gP#eI4n>_7PrCL;FU*ItHpx@`2XxP+MKiPOV2;6`$Mc=ecy37u<7NR!!Ne!ab1^Ww3QqQ3l962OSqOYC>a^JQ}gAq}97LN&) zQ}u=B=fmg-M%$MVGE(ARjgA#EL)x@OmB`ji(p1sNIv@XO(|t!14b|$lmMjeZV$3bE zI`!{$$$WKZtMmD`Alq$YQp-i2HCwKs27ysRCrtHQ#f|zOonJIM0Z_2cY2x>n>%B1601c1|;{IAz^H}Wq{mD#SYf8z#7YfOax;V zps_5NNHGT^lnTID7GyJ;0>w7QGOr^&qbev5y?nEEM8s?uG|y%%&Ft;E5vdVrD0unype-Cuj_hOU_AN-*Ou7o zkmgj_!)qqA>cEi3WW?B;q3$N;$;Sdsezb5cL6r8={EivAgJzz+YLi`e8FVWw? zI&&>MS(E$~waD}32mSN|b{?wPkX#w{GU@zBZ_Lx4n%M^|nhDZA5JmpeuwA-kD)&il z*tW6*cO`*w6@umg2!ZaeGBZ`#!VO@%617Sose-7o*T{}-G$y&LDJVskB_nmJ<}AKD zmHFvCheT5}5um5^CPai>F~jQA4eJQ=c2)0VuLg?3x^*ruNy=D^Vc$&7IjAkBl12;^ zh#P4tB9TUHk*S`Zy(Y`5w-EUMdL7#<7il0SS{PS|lirILdb|_Ae&CSY?^lVjm5|Ga z)I1%c9Cad;rWbzmY`M^~F_zylvenTENY#=3Ye-&+l!2K>WKu8oZI}tK7 zg1qIUUJ4pNqX|tT6T|Y#w)3Z;HdMVkV49CrP-GRe&w3r*W1#1wCtT>m~)=x{y7q#9AT2wmGV@EF0^OrQXB;!W%5!~$DSmK3waWCQr>dNm(7 zt_PlA-k|P_5|PJ&ahj4^Tw<3rNqQa0R3>?p1*V&ckT7*SbF1oVUcnj6^c13=&{7kS zK|jR*(^q<<)KyQoXzYvx4UL@+Iht5?OSfc{L_NfR`H%i(+8gzFJ7_n3(r(+}S*Jvc zmzrmc(3MPa0Wmn(m%c7h*>l(Po!ZgZXNF1hBovGh znG6ZJJ6-H*Jcl%qkc5#+jriEhi=QxqB>7Lw$&}IPBiM1gbUIB+J6FC{ z;MbG~a$Xvpwg>!^x6hr%-YV){kER5zOL>LfaAT3D@n=&37c6xR5inS3)gQ17d#uhO zTEixNDbLbX-2izHlw+7hM`6hh6N~8XhLXA4P~;XNE{Rd2eDBS}&*D_c6$WXiaxi7N zxp2Mk3ttOk=mGjPGIH`3;~%XK&r&5fGnJ2VUhOtaqhj1|2W?G4;nW|Cm>H8tKu#Hr z-$|aa*C`x(#eZW%^7sXBptu@6%VjhxIWEbWNuzQGl@?-1Ut=PNy;pTD$7Z~O=8~jH zzKcn(@Fs+3q+Qq@IIOJop7; zmeIf@32Bj1Y_PfY?R3na-p51o{+AXpTVPw)xQ2y@U-~T;BHnLeEsCn24G8kqGfX?j z4bbM{8&Ja932oL{Q#aT{9Zk6oaL&FV={F>`=&>Cf_4`_jqAnv0a~ZU}EI$z8 zIp-DHf35pMB<718Z1{#v2D7pI3%$p147}0iY!1E~yL%6hIXsCLx&E_1Z?#HEaLrLM zwK%O6RbSTSWV~)Lch^>oy~V9>zL<*`bK-*CGsJrDhLeO(x)`TWPOWPapkZ&N?7D?{ z(Po&&i@d0*ElUO;u1EqbA9@>gIz*&q7MfM;mh=2133Ru}{ER!Ms!O^w;t6(hw>nu8 zGtGxtTcXT%9FR&Wh7FHe#u7Asm^w#5j1qpqQl^wi#$rmZW8L(Pn1)R)`gWke4HDoW zy^i-WJlSd4#!v#j(X9v_yAN1Gm%dtpkVRQlG0@L4K4&7&+{3*VA=Lu{QBtDS)(r!5jgvX{f@e{`1Es-*J{0%+ z#?Q(Wd^*R?&|9N!@2+MAlECeQb6o3(56g8(Yu;ZKhtqF9U^O4GM)#;K%)0I%WktIt zm$C+Qta?UmVNSQCm@x9~2|Xb-l3S-9Yv^1vrE8{jtEk-ydPhi|{{CI&2DU?- zg9V-|{u?VjSv||jOzY}>-BqcvH}}$W$-P2fy)6Ut7$!hYab5L>B}C}2dJWjH+kfzQMFWcx#~wIjU5 zNEl65kSwF}@djQ=t_nDGJzD9zY_FPvmhz@mlIEs>S~b_lM$~e~VZngr| zOXc^#FzG@4LJbyxH`w%Ah}GxZH@DfqRe-5(EJW$JDm)eFR;lw=BG9h8WQ-Q%&jwgQ qRaWX~Ho*Myidy=Ae|*cS^zHZU_wBd+-~R>x0RR7ytckV&#t8tqjXEd* literal 0 HcmV?d00001 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh index 6f0132d..b7e77bc 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh @@ -1,23 +1,30 @@ #!/usr/bin/env bash -if [ -z "$1" ]; then echo "Skipping creation of persistent volume examples. Ensure there is available PVs 200Gi per node for HA."; else oc create -f pv-examples/; fi +if [[ -z "$1" ]] +then + echo "Skipping creation of persistent volume examples. Ensure there is available PVs 200Gi per node for HA." +else + oc create -f pv-examples/ + oc new-project jfrog-artifactory + oc create serviceaccount svcaccount -n jfrog-artifactory + oc adm policy add-scc-to-user privileged system:serviceaccount:jfrog-artifactory:svcaccount + oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:svcaccount + oc adm policy add-scc-to-group anyuid system:authenticated -oc new-project jfrog-artifactory -oc create serviceaccount svcaccount -n jfrog-artifactory -oc adm policy add-scc-to-user privileged system:serviceaccount:jfrog-artifactory:svcaccount -oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:svcaccount -oc adm policy add-scc-to-group anyuid system:authenticated + # enables hostPath plugin for openshift system wide + oc create -f hostpathscc.yaml -n jfrog-artifactory + oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' + oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:svcaccount -# enables hostPath plugin for openshift system wide -oc create -f scc.yaml -n jfrog-artifactory -oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' -oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:svcaccount + # create the license secret + oc create secret generic artifactory-license --from-file=artifactory.cluster.license -# create the license secret -oc create secret generic artifactory-license --from-file=./artifactory.cluster.license + # create the tls secret + oc create secret tls tls-ingress --cert=jfrog.team.crt --key=jfrog.team.key +fi # install via helm -helm install . --generate-name \ - --set artifactory.node.replicaCount=1 \ - --set nginx.service.type=NodePort \ - --set artifactory.license.secret=artifactory-license,artifactory.license.dataKey=artifactory.cluster.license +helm install artifactory-ha . \ + --set nginx.tlsSecretName=tls-ingress \ + --set artifactory-ha.artifactory.node.replicaCount=1 \ + --set artifactory-ha.artifactory.license.secret=artifactory-license,artifactory-ha.artifactory.license.dataKey=artifactory.cluster.license diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/hostpathscc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/hostpathscc.yaml new file mode 100644 index 0000000..13eef79 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/hostpathscc.yaml @@ -0,0 +1,18 @@ +kind: SecurityContextConstraints +apiVersion: v1 +metadata: + name: hostpath +allowPrivilegedContainer: false +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: +- artifactory +groups: +- artifactory +- jfrog-artifactory diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock old mode 100755 new mode 100644 index 7037cff..97b3164 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock @@ -1,6 +1,6 @@ dependencies: -- name: postgresql - repository: https://kubernetes-charts.storage.googleapis.com/ - version: 7.0.1 -digest: sha256:dcdafe9ab91ccf0e5883e2b5dd9ba13e82190b5e16e6dee6d39fd16a04123ce8 -generated: 2019-11-10T13:12:29.836238+02:00 +- name: artifactory-ha + repository: https://charts.jfrog.io/ + version: 2.0.25 +digest: sha256:1de97dca862a0b7e74fc937fbeff231119071a00cea8e42f92adb87c59fa554c +generated: "2020-03-09T12:41:44.126599-07:00" diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml old mode 100755 new mode 100644 index 756a19c..1b41f8c --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml @@ -1,5 +1,4 @@ dependencies: - - name: postgresql - version: 7.0.1 - repository: https://kubernetes-charts.storage.googleapis.com/ - condition: postgresql.enabled + - name: artifactory-ha + version: 2.0.25 + repository: https://charts.jfrog.io/ diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml index 242803c..1991513 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml @@ -1,1330 +1,20 @@ -# Default values for artifactory-ha. -# This is a YAML-formatted file. -# Beware when changing values here. You should know what you are doing! -# Access the values with {{ .Values.key.subkey }} - -# Common -initContainerImage: "alpine:3.10" - -installer: - type: - platform: - -# For supporting pulling from private registries -imagePullSecrets: - -## Role Based Access Control -## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ -rbac: - create: true - role: - ## Rules to create. It follows the role specification - rules: - - apiGroups: - - '' - resources: - - services - - endpoints - - pods - verbs: - - get - - watch - - list - -## Service Account -## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ -## -serviceAccount: - create: true - ## The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the fullname template - name: - annotations: {} - -ingress: - enabled: false - defaultBackend: - enabled: true - # Used to create an Ingress record. - hosts: [] - routerPath: / - artifactoryPath: /artifactory/ - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - # traffic-type: external - # traffic-type: internal - tls: [] - # Secrets must be manually created in the namespace. - # - secretName: chart-example-tls - # hosts: - # - artifactory.domain.example - - # Additional ingress rules - additionalRules: [] - - -networkpolicy: - # Allows all ingress and egress - - name: artifactory - podSelector: - matchLabels: - app: artifactory-ha - egress: - - {} - ingress: - - {} - # Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) - # - name: postgresql - # podSelector: - # matchLabels: - # app: postgresql - # ingress: - # - from: - # - podSelector: - # matchLabels: - # app: artifactory-ha - - -## Database configurations -## Use the wait-for-db init container. Set to false to skip -waitForDatabase: true - -## Configuration values for the postgresql dependency -## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md -## -postgresql: - enabled: true - image: - registry: docker.bintray.io - repository: bitnami/postgresql - tag: 9.6.15-debian-9-r91 - postgresqlUsername: artifactory - postgresqlPassword: "" - postgresqlDatabase: artifactory - postgresqlConfiguration: - listenAddresses: "'*'" - maxConnections: "1500" - persistence: - enabled: true - size: 50Gi - service: - port: 5432 - resources: {} - # requests: - # memory: "512Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "500m" - nodeSelector: {} - -## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), -## you MUST specify custom database details here or Artifactory will NOT start -database: - type: - driver: - ## If you set the url, leave host and port empty - url: - ## If you would like this chart to create the secret containing the db - ## password, use these values - user: - password: - ## If you have existing Kubernetes secrets containing db credentials, use - ## these values - secrets: {} - # user: - # name: "rds-artifactory" - # key: "db-user" - # password: - # name: "{{ .Release.Name}}}}-postgresql" - # key: "postgresql-password" - # url: - # name: "rds-artifactory" - # key: "db-url" - -logger: - image: - repository: 'busybox' - tag: '1.30' - -# Artifactory -artifactory: - name: artifactory-ha - image: - # repository: "docker.bintray.io/jfrog/artifactory-pro" - repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro - # Note that by default we use appVersion to get image tag - # version: - pullPolicy: IfNotPresent - - # Create a priority class for the Artifactory pods or use an existing one - # NOTE - Maximum allowed value of a user defined priority is 1000000000 - priorityClass: - create: false - value: 1000000000 - ## Override default name - # name: - ## Use an existing priority class - # existingPriorityClass: - - # Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties - deleteDBPropertiesOnStartup: true - database: - maxOpenConnections: 80 - - # This directory is intended for use with NFS eventual configuration for HA - haDataDir: - enabled: false - path: - - # Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup - copyOnEveryStartup: - # # Absolute path - # - source: /artifactory_extra_conf/binarystore.xml - # # Relative to ARTIFACTORY_HOME/ - # target: etc/ - # # Absolute path - # - source: /artifactory_extra_conf/artifactory.lic - # # Relative to ARTIFACTORY_HOME/ - # target: etc/ - - # Sidecar containers for tailing Artifactory logs - loggers: [] - # - request.log - # - event.log - # - binarystore.log - # - request_trace.log - # - access.log - # - artifactory.log - # - build_info_migration.log - - # Sidecar containers for tailing Tomcat (catalina) logs - catalinaLoggers: [] - # - catalina.log - # - host-manager.log - # - localhost.log - # - manager.log - - ## Add custom init containers execution before predefined init containers - customInitContainersBegin: | - - name: "custom-setup" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - command: - - 'sh' - - '-c' - - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}' - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - name: volume - ## Add custom init containers - - ## Add custom init containers execution after predefined init containers - customInitContainers: | - # - name: "custom-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - # command: - # - 'sh' - # - '-c' - # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: volume - - ## Add custom sidecar containers - # - The provided example uses a custom volume (customVolumes) - # - The provided example shows running container as root (id 0) - customSidecarContainers: | - # - name: "sidecar-list-etc" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - # securityContext: - # runAsUser: 0 - # fsGroup: 0 - # command: - # - 'sh' - # - '-c' - # - 'sh /scripts/script.sh' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: volume - # - mountPath: "/scripts/script.sh" - # name: custom-script - # subPath: script.sh - # resources: - # requests: - # memory: "32Mi" - # cpu: "50m" - # limits: - # memory: "128Mi" - # cpu: "100m" - - ## Add custom volumes - customVolumes: | - # - name: custom-script - # configMap: - # name: custom-script - - ## Add custom volumesMounts - customVolumeMounts: | - # - name: custom-script - # mountPath: "/scripts/script.sh" - # subPath: script.sh - # - name: posthook-start - # mountPath: "/scripts/posthoook-start.sh" - # subPath: posthoook-start.sh - # - name: prehook-start - # mountPath: "/scripts/prehook-start.sh" - # subPath: prehook-start.sh - - # Add custom persistent volume mounts - Available for the pod - customPersistentPodVolumeClaim: {} - # name: - # mountPath: - # accessModes: - # - "-" - # size: - # storageClassName: - - # Add custom persistent volume mounts - Available to the entire namespace - customPersistentVolumeClaim: {} - # name: - # mountPath: - # accessModes: - # - "-" - # size: - # storageClassName: - - ## Artifactory HA requires a unique master key. Each Artifactory node must have the same master key! - ## You can generate one with the command: 'openssl rand -hex 16' - ## Pass it to helm with '--set artifactory.masterKey=${MASTER_KEY}' - ## Alternatively, you can use a pre-existing secret with a key called master-key by specifying masterKeySecretName - ## IMPORTANT: You should NOT use the example masterKey for a production deployment! - masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF - # masterKeySecretName: - - ## Join Key to connect to other services to Artifactory - ## IMPORTANT: You should NOT use the example joinKey for a production deployment! - joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE - - binarystore: - enabled: true - - accessAdmin: - ip: "127.0.0.1" - password: - secret: - dataKey: - - ## Artifactory license. - license: - ## licenseKey is the license key in plain text. Use either this or the license.secret setting - licenseKey: - ## If artifactory.license.secret is passed, it will be mounted as - ## ARTIFACTORY_HOME/etc/artifactory.lic and loaded at run time. - secret: - ## The dataKey should be the name of the secret data key created. - dataKey: - - ## Create configMap with artifactory.config.import.xml and security.import.xml and pass name of configMap in following parameter - configMapName: - - # Add any list of configmaps to Artifactory - configMaps: | - # posthook-start.sh: |- - # echo "This is a post start script" - # posthook-end.sh: |- - # echo "This is a post end script" - - ## List of secrets for Artifactory user plugins. - ## One Secret per plugin's files. - userPluginSecrets: - # - archive-old-artifacts - # - build-cleanup - # - webhook - # - '{{ template "my-chart.fullname" . }}' - - ## Extra pre-start command to install JDBC driver for MySql/MariaDb/Oracle - # preStartCommand: "wget -O /opt/jfrog/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" - ## Extra post-start command to run extra commands after container starts - # postStartCommand: - - ## Extra environment variables that can be used to tune Artifactory to your needs. - ## Uncomment and set value as needed - extraEnvironmentVariables: | - - name: JF_SHARED_DATABSE_USERNAME - value: "artifactory" - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-postgresql - key: postgresql-password - - name: POSTGRES_DB - value: "artifactory" - - # TODO: Fix javaOpts for member nodes (currently uses primary settings for all nodes) - systemYaml: | - shared: - extraJavaOpts: > - {{- with .Values.artifactory.primary.javaOpts }} - -Dartifactory.async.corePoolSize={{ .corePoolSize }} - {{- if .xms }} - -Xms{{ .xms }} - {{- end }} - {{- if .xmx }} - -Xmx{{ .xmx }} - {{- end }} - {{- if .jmx.enabled }} - -Dcom.sun.management.jmxremote - -Dcom.sun.management.jmxremote.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} - {{- if .jmx.host }} - -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} - {{- else }} - -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} - {{- end }} - {{- if .jmx.authenticate }} - -Dcom.sun.management.jmxremote.authenticate=true - -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} - -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} - {{- else }} - -Dcom.sun.management.jmxremote.authenticate=false - {{- end }} - {{- end }} - {{- if .other }} - {{ .other }} - {{- end }} - {{- end }} - database: - {{- if .Values.postgresql.enabled }} - type: postgresql - url: 'jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}' - host: '' - driver: org.postgresql.Driver - username: '{{ .Values.postgresql.postgresqlUsername }}' - password: '{{ .Values.postgresql.postgresqlPassword }}' - {{ else }} - type: '{{ .Values.database.type }}' - url: '{{ .Values.database.url }}' - driver: '{{ .Values.database.driver }}' - username: '{{ .Values.database.user }}' - password: '{{ .Values.database.password }}' - {{- end }} - security: - joinKey: '{{ .Values.artifactory.joinKey }}' - masterKey: '{{ .Values.artifactory.masterKey }}' - artifactory: - {{- if .Values.artifactory.haDataDir.enabled }} - node: - haDataDir: {{ .Values.artifactory.haDataDir.path }} - {{- end }} - database: - maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} - access: - database: - maxOpenConnections: '{{ .Values.access.database.maxOpenConnections }}' - {{- if .Values.access.database.enabled }} - type: '{{ .Values.access.database.type }}' - url: '{{ .Values.access.database.url }}' - driver: '{{ .Values.access.database.driver }}' - username: '{{ .Values.access.database.user }}' - password: '{{ .Values.access.database.password }}' - {{- end }} - - ## IMPORTANT: If overriding artifactory.internalPort: - ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024! - externalPort: 8082 - internalPort: 8082 - externalArtifactoryPort: 8081 - internalArtifactoryPort: 8081 - uid: 1030 - terminationGracePeriodSeconds: 30 - ## The following settings are to configure the frequency of the liveness and readiness probes - livenessProbe: - enabled: true - path: /router/api/v1/system/health - initialDelaySeconds: 180 - failureThreshold: 10 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - - readinessProbe: - enabled: true - path: /router/api/v1/system/health - initialDelaySeconds: 60 - failureThreshold: 10 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - - persistence: - enabled: true - local: false - redundancy: 3 - mountPath: "/var/opt/jfrog/artifactory" - accessMode: ReadWriteOnce - size: 200Gi - - ## Use a custom Secret to be mounted as your binarystore.xml - ## NOTE: This will ignore all settings below that make up binarystore.xml - customBinarystoreXmlSecret: - - maxCacheSize: 50000000000 - cacheProviderDir: cache - eventual: - numberOfThreads: 10 - ## artifactory data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClassName: "-" - - ## Set the persistence storage type. This will apply the matching binarystore.xml to Artifactory config - ## Supported types are: - ## file-system (default) - ## nfs - ## google-storage - ## aws-s3 - ## azure-blob - type: file-system - - ## Use binarystoreXml to provide a custom binarystore.xml - ## This can be a template or hardcoded. - binarystoreXml: | - {{- if eq .Values.artifactory.persistence.type "file-system" }} - - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - - - - - - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} - - {{- end }} - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - // Specify the read and write strategy and redundancy for the sharding binary provider - - roundRobin - percentageFreeSpace - 2 - - - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} - //For each sub-provider (mount), specify the filestore location - - filestore{{ $sharedClaimNumber }} - - {{- end }} - - {{- else }} - - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - 2 - 2 - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - - shard-fs-1 - local - - - - - 30 - tester-remote1 - 10000 - remote - - - - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "google-storage" }} - - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - 2 - - - - - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - local - - - - 30 - 10000 - remote - - - - {{ .Values.artifactory.persistence.mountPath }}/data/filestore - /tmp - - - - google-cloud-storage - {{ .Values.artifactory.persistence.googleStorage.endpoint }} - {{ .Values.artifactory.persistence.googleStorage.httpsOnly }} - {{ .Values.artifactory.persistence.googleStorage.bucketName }} - {{ .Values.artifactory.persistence.googleStorage.identity }} - {{ .Values.artifactory.persistence.googleStorage.credential }} - {{ .Values.artifactory.persistence.googleStorage.path }} - {{ .Values.artifactory.persistence.googleStorage.bucketExists }} - - - {{- end }} - {{- if eq .Values.artifactory.persistence.type "aws-s3-v3" }} - - - - - - - - - - - - - - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - - - - - remote - - - - local - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - {{- with .Values.artifactory.persistence.awsS3V3 }} - - {{ .testConnection }} - {{- if .identity }} - {{ .identity }} - {{- end }} - {{- if .credential }} - {{ .credential }} - {{- end }} - {{ .region }} - {{ .bucketName }} - {{ .path }} - {{ .endpoint }} - {{- with .kmsServerSideEncryptionKeyId }} - {{ . }} - {{- end }} - {{- with .kmsKeyRegion }} - {{ . }} - {{- end }} - {{- with .kmsCryptoMode }} - {{ . }} - {{- end }} - true - {{ .usePresigning }} - {{ .signatureExpirySeconds }} - {{- with .cloudFrontDomainName }} - {{ . }} - {{- end }} - {{- with .cloudFrontKeyPairId }} - {{ .cloudFrontKeyPairId }} - {{- end }} - {{- with .cloudFrontPrivateKey }} - {{ . }} - {{- end }} - - {{- end }} - - {{- end }} - - {{- if eq .Values.artifactory.persistence.type "aws-s3" }} - - - - - - - - - - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - local - - - - 30 - 10000 - remote - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - - - - - {{ .Values.artifactory.persistence.awsS3.endpoint }} - {{- if .Values.artifactory.persistence.awsS3.roleName }} - {{ .Values.artifactory.persistence.awsS3.roleName }} - true - {{- else }} - {{ .Values.artifactory.persistence.awsS3.refreshCredentials }} - {{- end }} - {{ .Values.artifactory.persistence.awsS3.s3AwsVersion }} - {{ .Values.artifactory.persistence.awsS3.testConnection }} - {{ .Values.artifactory.persistence.awsS3.httpsOnly }} - {{ .Values.artifactory.persistence.awsS3.region }} - {{ .Values.artifactory.persistence.awsS3.bucketName }} - {{- if .Values.artifactory.persistence.awsS3.identity }} - {{ .Values.artifactory.persistence.awsS3.identity }} - {{- end }} - {{- if .Values.artifactory.persistence.awsS3.credential }} - {{ .Values.artifactory.persistence.awsS3.credential }} - {{- end }} - {{ .Values.artifactory.persistence.awsS3.path }} - {{- range $key, $value := .Values.artifactory.persistence.awsS3.properties }} - - {{- end }} - - - {{- end }} - {{- if eq .Values.artifactory.persistence.type "azure-blob" }} - - - - - - - - - - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - - crossNetworkStrategy - crossNetworkStrategy - 2 - 1 - - - - - remote - - - - local - - - - - {{ .Values.artifactory.persistence.azureBlob.accountName }} - {{ .Values.artifactory.persistence.azureBlob.accountKey }} - {{ .Values.artifactory.persistence.azureBlob.endpoint }} - {{ .Values.artifactory.persistence.azureBlob.containerName }} - {{ .Values.artifactory.persistence.azureBlob.testConnection }} - - - {{- end }} - - ## For artifactory.persistence.type file-system - fileSystem: - ## You may also use existing shared claims for the data and backup storage. This allows storage (NAS for example) to be used for Data and Backup dirs which are safe to share across multiple artifactory nodes. - ## You may specify numberOfExistingClaims to indicate how many of these existing shared claims to mount. (Default = 1) - ## Create PVCs with ReadWriteMany that match the naming convetions: - ## {{ template "artifactory-ha.fullname" . }}-data-pvc- - ## {{ template "artifactory-ha.fullname" . }}-backup-pvc- - ## Example (using numberOfExistingClaims: 2) - ## myexample-artifactory-ha-data-pvc-0 - ## myexample-artifactory-ha-backup-pvc-0 - ## myexample-artifactory-ha-data-pvc-1 - ## myexample-artifactory-ha-backup-pvc-1 - ## Note: While you need two PVC fronting two PVs, multiple PVs can be attached to the same storage in many cases allowing you to share an underlying drive. - - ## Need to have the following set - existingSharedClaim: - enabled: false - numberOfExistingClaims: 1 - ## Should be a child directory of {{ .Values.artifactory.persistence.mountPath }} - dataDir: "{{ .Values.artifactory.persistence.mountPath }}/artifactory-data" - backupDir: "/var/opt/jfrog/artifactory-backup" - - - ## For artifactory.persistence.type nfs - ## If using NFS as the shared storage, you must have a running NFS server that is accessible by your Kubernetes - ## cluster nodes. - ## Need to have the following set - nfs: - # Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' - ip: - haDataMount: "/data" - haBackupMount: "/backup" - dataDir: "/var/opt/jfrog/artifactory-ha" - backupDir: "/var/opt/jfrog/artifactory-backup" - capacity: 200Gi - mountOptions: [] - ## For artifactory.persistence.type google-storage - googleStorage: - endpoint: storage.googleapis.com - httpsOnly: false - # Set a unique bucket name - bucketName: "artifactory-ha-gcp" - identity: - credential: - path: "artifactory-ha/filestore" - bucketExists: false - - ## For artifactory.persistence.type aws-s3-v3 - awsS3V3: - testConnection: false - identity: - credential: - region: - bucketName: artifactory-aws - path: artifactory/filestore - endpoint: - kmsServerSideEncryptionKeyId: - kmsKeyRegion: - kmsCryptoMode: - useInstanceCredentials: true - usePresigning: false - signatureExpirySeconds: 300 - cloudFrontDomainName: - cloudFrontKeyPairId: - cloudFrontPrivateKey: - - ## For artifactory.persistence.type aws-s3 - ## IMPORTANT: Make sure S3 `endpoint` and `region` match! See https://docs.aws.amazon.com/general/latest/gr/rande.html - awsS3: - # Set a unique bucket name - bucketName: "artifactory-ha-aws" - endpoint: - region: - roleName: - identity: - credential: - path: "artifactory-ha/filestore" - refreshCredentials: true - httpsOnly: true - testConnection: false - s3AwsVersion: "AWS4-HMAC-SHA256" - - ## Additional properties to set on the s3 provider - properties: {} - # httpclient.max-connections: 100 - ## For artifactory.persistence.type azure-blob - azureBlob: - accountName: - accountKey: - endpoint: - containerName: - testConnection: false - service: - name: artifactory - type: ClusterIP - ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) - ## Set this to a list of IP CIDR ranges - ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] - ## or pass from helm command line - ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' - loadBalancerSourceRanges: [] - annotations: {} - ## Which nodes in the cluster should be in the external load balancer pool (have external traffic routed to them) - ## Supported pool values - ## members - ## all - pool: members - - ## The following Java options are passed to the java process running Artifactory. - ## This will be passed to all cluster members. Primary and member nodes. - javaOpts: {} - # other: "" - annotations: {} - - ## Type specific configurations. - ## There is a difference between the primary and the member nodes. - ## Customising their resources and java parameters is done here. - primary: - name: artifactory-ha-primary - labels: {} - persistence: - ## Set existingClaim to true or false - ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-primary-0` - existingClaim: false - ## Resources for the primary node - resources: {} - # requests: - # memory: "1Gi" - # cpu: "500m" - # limits: - # memory: "2Gi" - # cpu: "1" - ## The following Java options are passed to the java process running Artifactory primary node. - ## You should set them according to the resources set above - javaOpts: - # xms: "1g" - # xmx: "2g" - corePoolSize: 16 - jmx: - enabled: false - port: 9010 - host: - ssl: false - # When authenticate is true, accessFile and passwordFile are required - authenticate: false - accessFile: - passwordFile: - # other: "" - nodeSelector: {} - - tolerations: [] - - affinity: {} - ## Only used if "affinity" is empty - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "" - topologyKey: "kubernetes.io/hostname" - - node: - name: artifactory-ha-member - labels: {} - persistence: - ## Set existingClaim to true or false - ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-member-0` - existingClaim: false - replicaCount: 2 - minAvailable: 1 - ## Resources for the member nodes - resources: {} - # requests: - # memory: "1Gi" - # cpu: "500m" - # limits: - # memory: "2Gi" - # cpu: "1" - ## The following Java options are passed to the java process running Artifactory member nodes. - ## You should set them according to the resources set above - javaOpts: - # xms: "1g" - # xmx: "2g" - corePoolSize: 16 - jmx: - enabled: false - port: 9010 - host: - ssl: false - # When authenticate is true, accessFile and passwordFile are required - authenticate: false - accessFile: - passwordFile: - # other: "" - # xms: "1g" - # xmx: "2g" - # other: "" - nodeSelector: {} - waitForPrimaryStartup: - enabled: true - time: 60 - - tolerations: [] - - ## Complete specification of the "affinity" of the member nodes; if this is non-empty, - ## "podAntiAffinity" values are not used. - affinity: {} - - ## Only used if "affinity" is empty - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "" - topologyKey: "kubernetes.io/hostname" - -access: - database: - maxOpenConnections: 80 - -# Init containers -initContainers: - resources: {} -# requests: -# memory: "64Mi" -# cpu: "10m" -# limits: -# memory: "128Mi" -# cpu: "250m" - - -# Nginx -nginx: - enabled: true - name: nginx - labels: {} - replicaCount: 1 - uid: 104 - gid: 107 - image: - # repository: "docker.bintray.io/jfrog/nginx-artifactory-pro" - repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro - # Note that by default we use appVersion to get image tag - # version: - pullPolicy: IfNotPresent - - - # Sidecar containers for tailing Nginx logs - loggers: [] - # - access.log - # - error.log - - mainConf: | - # Main Nginx configuration file - worker_processes 4; - error_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - variables_hash_max_size 1024; - variables_hash_bucket_size 64; - server_names_hash_max_size 4096; - server_names_hash_bucket_size 128; - types_hash_max_size 2048; - types_hash_bucket_size 64; - proxy_read_timeout 2400s; - client_header_timeout 2400s; - client_body_timeout 2400s; - proxy_connect_timeout 75s; - proxy_send_timeout 2400s; - proxy_buffer_size 32k; - proxy_buffers 40 32k; - proxy_busy_buffers_size 64k; - proxy_temp_file_write_size 250m; - proxy_http_version 1.1; - client_body_buffer_size 128k; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - log_format timing 'ip = $remote_addr ' - 'user = \"$remote_user\" ' - 'local_time = \"$time_local\" ' - 'host = $host ' - 'request = \"$request\" ' - 'status = $status ' - 'bytes = $body_bytes_sent ' - 'upstream = \"$upstream_addr\" ' - 'upstream_time = $upstream_response_time ' - 'request_time = $request_time ' - 'referer = \"$http_referer\" ' - 'UA = \"$http_user_agent\"'; - access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; - sendfile on; - #tcp_nopush on; - keepalive_timeout 65; - #gzip on; - include /etc/nginx/conf.d/*.conf; - } - - artifactoryConf: | - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; - ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; - ssl_session_cache shared:SSL:1m; - ssl_prefer_server_ciphers on; - ## server configuration - server { - {{- if .Values.nginx.internalPortHttps }} - listen {{ .Values.nginx.internalPortHttps }} ssl; - {{- else -}} - {{- if .Values.nginx.https.enabled }} - listen {{ .Values.nginx.https.internalPort }} ssl; - {{- end }} - {{- end }} - {{- if .Values.nginx.internalPortHttp }} - listen {{ .Values.nginx.internalPortHttp }}; - {{- else -}} - {{- if .Values.nginx.http.enabled }} - listen {{ .Values.nginx.http.internalPort }}; - {{- end }} - {{- end }} - server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} - {{- range .Values.ingress.hosts -}} - {{- if contains "." . -}} - {{ "" | indent 0 }} ~(?.+)\.{{ (splitn "." 2 .)._1 }} {{ . }} - {{- end -}} - {{- end -}}; - - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - ## access_log /var/log/nginx/artifactory-access.log timing; - ## error_log /var/log/nginx/artifactory-error.log; - rewrite ^/artifactory/?$ / redirect; - if ( $repo != "" ) { - rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; - } - chunked_transfer_encoding on; - client_max_body_size 0; - - location / { - proxy_read_timeout 900; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/; - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location /artifactory/ { - if ( $request_uri ~ ^/artifactory/(.*)$ ) { - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; - } - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; - } - } - } - - service: - ## For minikube, set this to NodePort, elsewhere use LoadBalancer - #type: NodePort - type: LoadBalancer - #type: ClusterIP - ## For supporting whitelist on the Nginx LoadBalancer service - ## Set this to a list of IP CIDR ranges - ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] - ## or pass from helm command line - ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' - loadBalancerSourceRanges: [] - ## Provide static ip address - loadBalancerIP: - ## There are two available options: “Cluster” (default) and “Local”. - externalTrafficPolicy: Cluster - labels: {} - # label-key: label-value - http: - enabled: true - externalPort: 80 - internalPort: 80 - https: - enabled: true - externalPort: 443 - internalPort: 443 - # DEPRECATED: The following will be replaced by L1065-L1076 in a future release - # externalPortHttp: 80 - # internalPortHttp: 80 - # externalPortHttps: 443 - # internalPortHttps: 443 - - ## The following settings are to configure the frequency of the liveness and readiness probes - livenessProbe: - enabled: true - path: /router/api/v1/system/health - initialDelaySeconds: 60 - failureThreshold: 10 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - - readinessProbe: - enabled: true - path: /router/api/v1/system/health - initialDelaySeconds: 10 - failureThreshold: 10 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - ## The SSL secret that will be used by the Nginx pod - # tlsSecretName: chart-example-tls - ## Custom ConfigMap for nginx.conf - customConfigMap: - ## Custom ConfigMap for artifactory.conf - customArtifactoryConfigMap: - persistence: - mountPath: "/var/opt/jfrog/nginx" - enabled: false - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - accessMode: ReadWriteOnce - size: 5Gi - ## nginx data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClassName: "-" - resources: {} - # requests: - # memory: "250Mi" - # cpu: "100m" - # limits: - # memory: "250Mi" - # cpu: "500m" - - nodeSelector: {} - - tolerations: [] - - affinity: {} - -# Filebeat Sidecar container -## The provided filebeat configuration is for Artifactory logs. It assumes you have a logstash installed and configured properly. -filebeat: - enabled: false - name: artifactory-filebeat - image: - repository: "docker.elastic.co/beats/filebeat" - version: 7.5.1 - logstashUrl: "logstash:5044" - - terminationGracePeriod: 10 - - livenessProbe: - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - curl --fail 127.0.0.1:5066 - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - - readinessProbe: - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - filebeat test output - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - - resources: {} -# requests: -# memory: "100Mi" -# cpu: "100m" -# limits: -# memory: "100Mi" -# cpu: "100m" - - filebeatYml: | - logging.level: info - path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat - name: artifactory-filebeat - queue.spool: ~ - filebeat.inputs: - - type: log - enabled: true - close_eof: ${CLOSE:false} - paths: - - {{ .Values.artifactory.persistence.mountPath }}/log/*.log - fields: - service: "jfrt" - log_type: "artifactory" - output: - logstash: - hosts: ["{{ .Values.filebeat.logstashUrl }}"] +# Openshift artifactory ha +# Requires one custom init container +# to resolve the user id perm issue with redhat +artifactory-ha: + artifactory: + ## Add custom init containers execution before predefined init containers + customInitContainersBegin: | + - name: "redhat-custom-setup" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + command: + - 'sh' + - '-c' + - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}' + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: volume + ## Add custom init containers From e1d129d1a554acf02bd5f7761f0ebf49eab22772 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Mon, 9 Mar 2020 16:43:30 -0700 Subject: [PATCH 10/28] Removing files from base chart --- .../openshift-artifactory-ha/CHANGELOG.md | 558 +---------------- .../openshift-artifactory-ha/README.md | 2 - .../ReverseProxyConfiguration.md | 140 ----- .../openshift-artifactory-ha/UPGRADE_NOTES.md | 33 - .../charts/postgresql/.helmignore | 2 - .../charts/postgresql/Chart.yaml | 23 - .../charts/postgresql/README.md | 487 --------------- .../charts/postgresql/files/README.md | 1 - .../charts/postgresql/files/conf.d/README.md | 4 - .../docker-entrypoint-initdb.d/README.md | 3 - .../charts/postgresql/templates/NOTES.txt | 50 -- .../charts/postgresql/templates/_helpers.tpl | 374 ----------- .../postgresql/templates/configmap.yaml | 26 - .../templates/extended-config-configmap.yaml | 21 - .../templates/initialization-configmap.yaml | 24 - .../postgresql/templates/metrics-svc.yaml | 26 - .../postgresql/templates/networkpolicy.yaml | 34 - .../charts/postgresql/templates/secrets.yaml | 17 - .../postgresql/templates/serviceaccount.yaml | 11 - .../postgresql/templates/servicemonitor.yaml | 33 - .../templates/statefulset-slaves.yaml | 247 -------- .../postgresql/templates/statefulset.yaml | 355 ----------- .../postgresql/templates/svc-headless.yaml | 19 - .../charts/postgresql/templates/svc-read.yaml | 31 - .../charts/postgresql/templates/svc.yaml | 38 -- .../charts/postgresql/values-production.yaml | 392 ------------ .../charts/postgresql/values.schema.json | 103 --- .../charts/postgresql/values.yaml | 392 ------------ .../templates/NOTES.txt | 113 ---- .../templates/_helpers.tpl | 103 --- .../templates/access-bootstrap-creds.yaml | 15 - .../artifactory-binarystore-secret.yaml | 14 - .../templates/artifactory-configmaps.yaml | 13 - .../templates/artifactory-installer-info.yaml | 25 - .../templates/artifactory-license-secret.yaml | 14 - .../templates/artifactory-networkpolicy.yaml | 34 - .../templates/artifactory-nfs-pvc.yaml | 101 --- .../templates/artifactory-node-pdb.yaml | 19 - .../artifactory-node-statefulset.yaml | 510 --------------- .../artifactory-primary-statefulset.yaml | 587 ------------------ .../templates/artifactory-priority-class.yaml | 9 - .../templates/artifactory-role.yaml | 14 - .../templates/artifactory-rolebinding.yaml | 19 - .../templates/artifactory-secrets.yaml | 17 - .../templates/artifactory-service.yaml | 88 --- .../templates/artifactory-serviceaccount.yaml | 16 - .../templates/artifactory-storage-pvc.yaml | 27 - .../templates/artifactory-system-yaml.yaml | 14 - .../templates/catalina-logger-configmap.yaml | 53 -- .../templates/filebeat-configmap.yaml | 15 - .../templates/ingress.yaml | 56 -- .../templates/nginx-artifactory-conf.yaml | 14 - .../templates/nginx-certificate-secret.yaml | 14 - .../templates/nginx-conf.yaml | 14 - .../templates/nginx-deployment.yaml | 185 ------ .../templates/nginx-pvc.yaml | 26 - .../templates/nginx-service.yaml | 69 -- .../values-large.yaml | 24 - .../values-medium.yaml | 24 - .../values-small.yaml | 24 - 60 files changed, 3 insertions(+), 5713 deletions(-) delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/ReverseProxyConfiguration.md delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/UPGRADE_NOTES.md delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/.helmignore delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/Chart.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/README.md delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/README.md delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/conf.d/README.md delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/docker-entrypoint-initdb.d/README.md delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/NOTES.txt delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/_helpers.tpl delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/configmap.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/extended-config-configmap.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/initialization-configmap.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/metrics-svc.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/networkpolicy.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/secrets.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/serviceaccount.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/servicemonitor.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset-slaves.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-headless.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-read.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values-production.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.schema.json delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/NOTES.txt delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/_helpers.tpl delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/access-bootstrap-creds.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-binarystore-secret.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-configmaps.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-installer-info.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-license-secret.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-networkpolicy.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-nfs-pvc.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-pdb.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-statefulset.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-primary-statefulset.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-priority-class.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-role.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-rolebinding.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-secrets.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-service.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-serviceaccount.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-storage-pvc.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-system-yaml.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/catalina-logger-configmap.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/filebeat-configmap.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/ingress.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-artifactory-conf.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-certificate-secret.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-conf.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-deployment.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-pvc.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-service.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-large.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-medium.yaml delete mode 100755 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-small.yaml diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md index 075bfa2..1315675 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md @@ -1,557 +1,5 @@ -# JFrog Artifactory-ha Chart Changelog +# JFrog Openshift Artifactory-ha Chart Changelog All changes to this chart will be documented in this file. -## [1.3.7] - Jan 07, 2020 -* Add support for customizable `mountOptions` of NFS PVs - -## [1.3.6] - Dec 30, 2019 -* Fix for nginx probes failing when launched with http disabled - -## [1.3.5] - Dec 24, 2019 -* Better support for custom `artifactory.internalPort` - -## [1.3.4] - Dec 23, 2019 -* Mark empty map values with `{}` - -## [1.3.3] - Dec 16, 2019 -* Another fix for toggling nginx service ports - -## [1.3.2] - Dec 12, 2019 -* Fix for toggling nginx service ports - -## [1.3.1] - Dec 10, 2019 -* Add support for toggling nginx service ports - -## [1.3.0] - Dec 1, 2019 -* Updated Artifactory version to 6.16.0 - -## [1.2.4] - Nov 28, 2019 -* Add support for using existing PriorityClass - -## [1.2.3] - Nov 27, 2019 -* Add support for PriorityClass - -## [1.2.2] - Nov 20, 2019 -* Update Artifactory logo - -## [1.2.1] - Nov 18, 2019 -* Add the option to provide service account annotations (in order to support stuff like https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html) - -## [1.2.0] - Nov 18, 2019 -* Updated Artifactory version to 6.15.0 - -## [1.1.12] - Nov 17, 2019 -* Fix `README.md` format (broken table) - -## [1.1.11] - Nov 17, 2019 -* Update comment on Artifactory master key - -## [1.1.10] - Nov 17, 2019 -* Fix creation of double slash in nginx artifactory configuration - -## [1.1.9] - Nov 14, 2019 -* Set explicit `postgresql.postgresqlPassword=""` to avoid helm v3 error - -## [1.1.8] - Nov 12, 2019 -* Updated Artifactory version to 6.14.1 - -## [1.1.7] - Nov 11, 2019 -* Additional documentation for masterKey - -## [1.1.6] - Nov 10, 2019 -* Update PostgreSQL chart version to 7.0.1 -* Use formal PostgreSQL configuration format - -## [1.1.5] - Nov 8, 2019 -* Add support `artifactory.service.loadBalancerSourceRanges` for whitelisting when setting `artifactory.service.type=LoadBalancer` - -## [1.1.4] - Nov 6, 2019 -* Add support for any type of environment variable by using `extraEnvironmentVariables` as-is - -## [1.1.3] - Nov 6, 2019 -* Add nodeselector support for Postgresql - -## [1.1.2] - Nov 5, 2019 -* Add support for the aws-s3-v3 filestore, which adds support for pod IAM roles - -## [1.1.1] - Nov 4, 2019 -* When using `copyOnEveryStartup`, make sure that the target base directories are created before copying the files - -## [1.1.0] - Nov 3, 2019 -* Updated Artifactory version to 6.14.0 - -## [1.0.1] - Nov 3, 2019 -* Make sure the artifactory pod exits when one of the pre-start stages fail - -## [1.0.0] - Oct 27, 2019 -**IMPORTANT - BREAKING CHANGES!**
-**DOWNTIME MIGHT BE REQUIRED FOR AN UPGRADE!** -* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! -* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), must use the upgrade instructions in [UPGRADE_NOTES.md](UPGRADE_NOTES.md)! -* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is **not backward compatible** with the old version (`0.9.5`)! -* Note the following **PostgreSQL** Helm chart changes - * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used - * **PostgreSQL** is deployed as a StatefulSet - * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations - -## [0.17.3] - Oct 24, 2019 -* Change the preStartCommand to support templating - -## [0.17.2] - Oct 21, 2019 -* Add support for setting `artifactory.primary.labels` -* Add support for setting `artifactory.node.labels` -* Add support for setting `nginx.labels` - -## [0.17.1] - Oct 10, 2019 -* Updated Artifactory version to 6.13.1 - -## [0.17.0] - Oct 7, 2019 -* Updated Artifactory version to 6.13.0 - -## [0.16.7] - Sep 24, 2019 -* Option to skip wait-for-db init container with '--set waitForDatabase=false' - -## [0.16.6] - Sep 24, 2019 -* Add support for setting `nginx.service.labels` - -## [0.16.5] - Sep 23, 2019 -* Add support for setting `artifactory.customInitContainersBegin` - -## [0.16.4] - Sep 20, 2019 -* Add support for setting `initContainers.resources` - -## [0.16.3] - Sep 11, 2019 -* Updated Artifactory version to 6.12.2 - -## [0.16.2] - Sep 9, 2019 -* Updated Artifactory version to 6.12.1 - -## [0.16.1] - Aug 22, 2019 -* Fix the nginx server_name directive used with ingress.hosts - -## [0.16.0] - Aug 21, 2019 -* Updated Artifactory version to 6.12.0 - -## [0.15.15] - Aug 18, 2019 -* Fix existingSharedClaim permissions issue and example - -## [0.15.14] - Aug 14, 2019 -* Updated Artifactory version to 6.11.6 - -## [0.15.13] - Aug 11, 2019 -* Fix Ingress routing and add an example - -## [0.15.12] - Aug 6, 2019 -* Do not mount `access/etc/bootstrap.creds` unless user specifies a custom password or secret (Access already generates a random password if not provided one) -* If custom `bootstrap.creds` is provided (using keys or custom secret), prepare it with an init container so the temp file does not persist - -## [0.15.11] - Aug 5, 2019 -* Improve binarystore config - 1. Convert to a secret - 2. Move config to values.yaml - 3. Support an external secret - -## [0.15.10] - Aug 5, 2019 -* Don't create the nginx configmaps when nginx.enabled is false - -## [0.15.9] - Aug 1, 2019 -* Fix masterkey/masterKeySecretName not specified warning render logic in NOTES.txt - -## [0.15.8] - Jul 28, 2019 -* Simplify nginx setup and shorten initial wait for probes - -## [0.15.7] - Jul 25, 2019 -* Updated README about how to apply Artifactory licenses - -## [0.15.6] - Jul 22, 2019 -* Change Ingress API to be compatible with recent kubernetes versions - -## [0.15.5] - Jul 22, 2019 -* Updated Artifactory version to 6.11.3 - -## [0.15.4] - Jul 11, 2019 -* Add `artifactory.customVolumeMounts` support to member node statefulset template - -## [0.15.3] - Jul 11, 2019 -* Add ingress.hosts to the Nginx server_name directive when ingress is enabled to help with Docker repository sub domain configuration - -## [0.15.2] - Jul 3, 2019 -* Add the option for changing nginx config using values.yaml and remove outdated reverse proxy documentation - -## [0.15.1] - Jul 1, 2019 -* Updated Artifactory version to 6.11.1 - -## [0.15.0] - Jun 27, 2019 -* Updated Artifactory version to 6.11.0 and Restart Primary node when bootstrap.creds file has been modified in artifactory-ha - -## [0.14.4] - Jun 24, 2019 -* Add the option to provide an IP for the access-admin endpoints - -## [0.14.3] - Jun 24, 2019 -* Update chart maintainers - -## [0.14.2] - Jun 24, 2019 -* Change Nginx to point to the artifactory externalPort - -## [0.14.1] - Jun 23, 2019 -* Add values files for small, medium and large installations - -## [0.14.0] - Jun 20, 2019 -* Use ConfigMaps for nginx configuration and remove nginx postStart command - -## [0.13.10] - Jun 19, 2019 -* Updated Artifactory version to 6.10.4 - -## [0.13.9] - Jun 18, 2019 -* Add the option to provide additional ingress rules - -## [0.13.8] - Jun 14, 2019 -* Updated readme with improved external database setup example - -## [0.13.7] - Jun 6, 2019 -* Updated Artifactory version to 6.10.3 -* Updated installer-info template - -## [0.13.6] - Jun 6, 2019 -* Updated Google Cloud Storage API URL and https settings - -## [0.13.5] - Jun 5, 2019 -* Delete the db.properties file on Artifactory startup - -## [0.13.4] - Jun 3, 2019 -* Updated Artifactory version to 6.10.2 - -## [0.13.3] - May 21, 2019 -* Updated Artifactory version to 6.10.1 - -## [0.13.2] - May 19, 2019 -* Fix missing logger image tag - -## [0.13.1] - May 15, 2019 -* Support `artifactory.persistence.cacheProviderDir` for on-premise cluster - -## [0.13.0] - May 7, 2019 -* Updated Artifactory version to 6.10.0 - -## [0.12.23] - May 5, 2019 -* Add support for setting `artifactory.async.corePoolSize` - -## [0.12.22] - May 2, 2019 -* Remove unused property `artifactory.releasebundle.feature.enabled` - -## [0.12.21] - Apr 30, 2019 -* Add support for JMX monitoring - -## [0.12.20] - Apr29, 2019 -* Added support for headless services - -## [0.12.19] - Apr 28, 2019 -* Added support for `cacheProviderDir` - -## [0.12.18] - Apr 18, 2019 -* Changing API StatefulSet version to `v1` and permission fix for custom `artifactory.conf` for Nginx - -## [0.12.17] - Apr 16, 2019 -* Updated documentation for Reverse Proxy Configuration - -## [0.12.16] - Apr 12, 2019 -* Added support for `customVolumeMounts` - -## [0.12.15] - Aprl 12, 2019 -* Added support for `bucketExists` flag for googleStorage - -## [0.12.14] - Apr 11, 2019 -* Replace `curl` examples with `wget` due to the new base image - -## [0.12.13] - Aprl 07, 2019 -* Add support for providing the Artifactory license as a parameter - -## [0.12.12] - Apr 10, 2019 -* Updated Artifactory version to 6.9.1 - -## [0.12.11] - Aprl 04, 2019 -* Add support for templated extraEnvironmentVariables - -## [0.12.10] - Aprl 07, 2019 -* Change network policy API group - -## [0.12.9] - Aprl 04, 2019 -* Apply the existing PVC for members (in addition to primary) - -## [0.12.8] - Aprl 03, 2019 -* Bugfix for userPluginSecrets - -## [0.12.7] - Apr 4, 2019 -* Add information about upgrading Artifactory with auto-generated postgres password - -## [0.12.6] - Aprl 03, 2019 -* Added installer info - -## [0.12.5] - Aprl 03, 2019 -* Allow secret names for user plugins to contain template language - -## [0.12.4] - Apr 02, 2019 -* Fix issue #253 (use existing PVC for data and backup storage) - -## [0.12.3] - Apr 02, 2019 -* Allow NetworkPolicy configurations (defaults to allow all) - -## [0.12.2] - Aprl 01, 2019 -* Add support for user plugin secret - -## [0.12.1] - Mar 26, 2019 -* Add the option to copy a list of files to ARTIFACTORY_HOME on startup - -## [0.12.0] - Mar 26, 2019 -* Updated Artifactory version to 6.9.0 - -## [0.11.18] - Mar 25, 2019 -* Add CI tests for persistence, ingress support and nginx - -## [0.11.17] - Mar 22, 2019 -* Add the option to change the default access-admin password - -## [0.11.16] - Mar 22, 2019 -* Added support for `.Probe.path` to customise the paths used for health probes - -## [0.11.15] - Mar 21, 2019 -* Added support for `artifactory.customSidecarContainers` to create custom sidecar containers -* Added support for `artifactory.customVolumes` to create custom volumes - -## [0.11.14] - Mar 21, 2019 -* Make ingress path configurable - -## [0.11.13] - Mar 19, 2019 -* Move the copy of bootstrap config from postStart to preStart for Primary - -## [0.11.12] - Mar 19, 2019 -* Fix existingClaim example - -## [0.11.11] - Mar 18, 2019 -* Disable the option to use nginx PVC with more than one replica - -## [0.11.10] - Mar 15, 2019 -* Wait for nginx configuration file before using it - -## [0.11.9] - Mar 15, 2019 -* Revert securityContext changes since they were causing issues - -## [0.11.8] - Mar 15, 2019 -* Fix issue #247 (init container failing to run) - -## [0.11.7] - Mar 14, 2019 -* Updated Artifactory version to 6.8.7 - -## [0.11.6] - Mar 13, 2019 -* Move securityContext to container level - -## [0.11.5] - Mar 11, 2019 -* Add the option to use existing volume claims for Artifactory storage - -## [0.11.4] - Mar 11, 2019 -* Updated Artifactory version to 6.8.6 - -## [0.11.3] - Mar 5, 2019 -* Updated Artifactory version to 6.8.4 - -## [0.11.2] - Mar 4, 2019 -* Add support for catalina logs sidecars - -## [0.11.1] - Feb 27, 2019 -* Updated Artifactory version to 6.8.3 - -## [0.11.0] - Feb 25, 2019 -* Add nginx support for tail sidecars - -## [0.10.3] - Feb 21, 2019 -* Add s3AwsVersion option to awsS3 configuration for use with IAM roles - -## [0.10.2] - Feb 19, 2019 -* Updated Artifactory version to 6.8.2 - -## [0.10.1] - Feb 17, 2019 -* Updated Artifactory version to 6.8.1 -* Add example of `SERVER_XML_EXTRA_CONNECTOR` usage - -## [0.10.0] - Feb 15, 2019 -* Updated Artifactory version to 6.8.0 - -## [0.9.7] - Feb 13, 2019 -* Updated Artifactory version to 6.7.3 - -## [0.9.6] - Feb 7, 2019 -* Add support for tail sidecars to view logs from k8s api - -## [0.9.5] - Feb 6, 2019 -* Fix support for customizing statefulset `terminationGracePeriodSeconds` - -## [0.9.4] - Feb 5, 2019 -* Add support for customizing statefulset `terminationGracePeriodSeconds` - -## [0.9.3] - Feb 5, 2019 -* Remove the inactive server remove plugin - -## [0.9.2] - Feb 3, 2019 -* Updated Artifactory version to 6.7.2 - -## [0.9.1] - Jan 27, 2019 -* Fix support for Azure Blob Storage Binary provider - -## [0.9.0] - Jan 23, 2019 -* Updated Artifactory version to 6.7.0 - -## [0.8.10] - Jan 22, 2019 -* Added support for `artifactory.customInitContainers` to create custom init containers - -## [0.8.9] - Jan 18, 2019 -* Added support of values ingress.labels - -## [0.8.8] - Jan 16, 2019 -* Mount replicator.yaml (config) directly to /replicator_extra_conf - -## [0.8.7] - Jan 15, 2018 -* Add support for Azure Blob Storage Binary provider - -## [0.8.6] - Jan 13, 2019 -* Fix documentation about nginx group id - -## [0.8.5] - Jan 13, 2019 -* Updated Artifactory version to 6.6.5 - -## [0.8.4] - Jan 8, 2019 -* Make artifactory.replicator.publicUrl required when the replicator is enabled - -## [0.8.3] - Jan 1, 2019 -* Updated Artifactory version to 6.6.3 -* Add support for `artifactory.extraEnvironmentVariables` to pass more environment variables to Artifactory - -## [0.8.2] - Dec 28, 2018 -* Fix location `replicator.yaml` is copied to - -## [0.8.1] - Dec 27, 2018 -* Updated Artifactory version to 6.6.1 - -## [0.8.0] - Dec 20, 2018 -* Updated Artifactory version to 6.6.0 - -## [0.7.17] - Dec 17, 2018 -* Updated Artifactory version to 6.5.13 - -## [0.7.16] - Dec 12, 2018 -* Fix documentation about Artifactory license setup using secret - -## [0.7.15] - Dec 9, 2018 -* AWS S3 add `roleName` for using IAM role - -## [0.7.14] - Dec 6, 2018 -* AWS S3 `identity` and `credential` are now added only if have a value to allow using IAM role - -## [0.7.13] - Dec 5, 2018 -* Remove Distribution certificates creation. - -## [0.7.12] - Dec 2, 2018 -* Remove Java option "-Dartifactory.locking.provider.type=db". This is already the default setting. - -## [0.7.11] - Nov 30, 2018 -* Updated Artifactory version to 6.5.9 - -## [0.7.10] - Nov 29, 2018 -* Fixed the volumeMount for the replicator.yaml - -## [0.7.9] - Nov 29, 2018 -* Optionally include primary node into poddisruptionbudget - -## [0.7.8] - Nov 29, 2018 -* Updated postgresql version to 9.6.11 - -## [0.7.7] - Nov 27, 2018 -* Updated Artifactory version to 6.5.8 - -## [0.7.6] - Nov 18, 2018 -* Added support for configMap to use custom Reverse Proxy Configuration with Nginx - -## [0.7.5] - Nov 14, 2018 -* Updated Artifactory version to 6.5.3 - -## [0.7.4] - Nov 13, 2018 -* Allow pod anti-affinity settings to include primary node - -## [0.7.3] - Nov 12, 2018 -* Support artifactory.preStartCommand for running command before entrypoint starts - -## [0.7.2] - Nov 7, 2018 -* Support database.url parameter (DB_URL) - -## [0.7.1] - Oct 29, 2018 -* Change probes port to 8040 (so they will not be blocked when all tomcat threads on 8081 are exhausted) - -## [0.7.0] - Oct 28, 2018 -* Update postgresql chart to version 0.9.5 to be able and use `postgresConfig` options - -## [0.6.9] - Oct 23, 2018 -* Fix providing external secret for database credentials - -## [0.6.8] - Oct 22, 2018 -* Allow user to configure externalTrafficPolicy for Loadbalancer - -## [0.6.7] - Oct 22, 2018 -* Updated ingress annotation support (with examples) to support docker registry v2 - -## [0.6.6] - Oct 21, 2018 -* Updated Artifactory version to 6.5.2 - -## [0.6.5] - Oct 19, 2018 -* Allow providing pre-existing secret containing master key -* Allow arbitrary annotations on primary and member node pods -* Enforce size limits when using local storage with `emptyDir` -* Allow `soft` or `hard` specification of member node anti-affinity -* Allow providing pre-existing secrets containing external database credentials -* Fix `s3` binary store provider to properly use the `cache-fs` provider -* Allow arbitrary properties when using the `s3` binary store provider - -## [0.6.4] - Oct 18, 2018 -* Updated Artifactory version to 6.5.1 - -## [0.6.3] - Oct 17, 2018 -* Add Apache 2.0 license - -## [0.6.2] - Oct 14, 2018 -* Make S3 endpoint configurable (was hardcoded with `s3.amazonaws.com`) - -## [0.6.1] - Oct 11, 2018 -* Allows ingress default `backend` to be enabled or disabled (defaults to enabled) - -## [0.6.0] - Oct 11, 2018 -* Updated Artifactory version to 6.5.0 - -## [0.5.3] - Oct 9, 2018 -* Quote ingress hosts to support wildcard names - -## [0.5.2] - Oct 2, 2018 -* Add `helm repo add jfrog https://charts.jfrog.io` to README - -## [0.5.1] - Oct 2, 2018 -* Set Artifactory to 6.4.1 - -## [0.5.0] - Sep 27, 2018 -* Set Artifactory to 6.4.0 - -## [0.4.7] - Sep 26, 2018 -* Add ci/test-values.yaml - -## [0.4.6] - Sep 25, 2018 -* Add PodDisruptionBudget for member nodes, defaulting to minAvailable of 1 - -## [0.4.4] - Sep 2, 2018 -* Updated Artifactory version to 6.3.2 - -## [0.4.0] - Aug 22, 2018 -* Added support to run as non root -* Updated Artifactory version to 6.2.0 - -## [0.3.0] - Aug 22, 2018 -* Enabled RBAC Support -* Added support for PostStartCommand (To download Database JDBC connector) -* Increased postgresql max_connections -* Added support for `nginx.conf` ConfigMap -* Updated Artifactory version to 6.1.0 +## [1.0.0] - March 09, 2020 +* Updated Artifactory version to 7.2.1 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md deleted file mode 100644 index 5e69a31..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/README.md +++ /dev/null @@ -1,2 +0,0 @@ -# Openshift artifactory ha helm chart -This chart extends the base artifactory-ha chart to make it compatiable with openshift 4 clusters diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/ReverseProxyConfiguration.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/ReverseProxyConfiguration.md deleted file mode 100755 index 8515932..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/ReverseProxyConfiguration.md +++ /dev/null @@ -1,140 +0,0 @@ -# JFrog Artifactory Reverse Proxy Settings using Nginx - -#### Reverse Proxy -* To use Artifactory as docker registry it's mandatory to use Reverse Proxy. -* Artifactory provides a Reverse Proxy Configuration Generator screen in which you can fill in a set of fields to generate -the required configuration snippet which you can then download and install directly in the corresponding directory of your reverse proxy server. -* To learn about configuring NGINX or Apache for reverse proxy refer to documentation provided on [JFrog wiki](https://www.jfrog.com/confluence/display/RTF/Configuring+a+Reverse+Proxy) -* By default Artifactory helm chart uses Nginx for reverse proxy and load balancing. - -**Note**: Nginx image distributed with Artifactory helm chart is custom image managed and maintained by JFrog. - -#### Features of Artifactory Nginx -* Provides default configuration with self signed SSL certificate generated on each helm install/upgrade. -* Persist configuration and SSL certificate in `/var/opt/jfrog/nginx` directory - -#### Changing the default Artifactory nginx conf -Use a values.yaml file for changing the value of nginx.mainConf or nginx.artifactoryConf -These configuration will be mounted to the nginx container using a configmap. -For example: -1. Create a values file `nginx-values.yaml` with the following values: -```yaml -nginx: - artifactoryConf: | - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; - ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; - ssl_session_cache shared:SSL:1m; - ssl_prefer_server_ciphers on; - ## server configuration - server { - listen {{ .Values.nginx.internalPortHttps }} ssl; - listen {{ .Values.nginx.internalPortHttp }} ; - ## Change to you DNS name you use to access Artifactory - server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }}; - - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - ## access_log /var/log/nginx/artifactory-access.log timing; - ## error_log /var/log/nginx/artifactory-error.log; - rewrite ^/$ /artifactory/webapp/ redirect; - rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect; - if ( $repo != "" ) { - rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; - } - rewrite ^/(v1|v2)/([^/]+)(.*)$ /artifactory/api/docker/$2/$1/$3; - rewrite ^/(v1|v2)/ /artifactory/api/docker/$1/; - chunked_transfer_encoding on; - client_max_body_size 0; - location /artifactory/ { - proxy_read_timeout 900; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - if ( $request_uri ~ ^/artifactory/(.*)$ ) { - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/$1; - } - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/artifactory/; - proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - } -``` - -2. Install/upgrade artifactory: -```bash -helm upgrade --install artifactory-ha jfrog/artifactory-ha -f nginx-values.yaml -``` - - -#### Steps to use static configuration for reverse proxy in nginx. -1. Get Artifactory service name using this command `kubectl get svc -n $NAMESPACE` - -2. Create `artifactory.conf` file with nginx configuration. More [nginx configuration examples](https://github.com/jfrog/artifactory-docker-examples/tree/master/files/nginx/conf.d) - - Following is example `artifactory.conf` - - **Note**: - * Create file with name `artifactory.conf` as it's fixed in configMap key. - * Replace `artifactory-artifactory` with service name taken from step 1. - - ```bash - ## add ssl entries when https has been set in config - ssl_certificate /var/opt/jfrog/nginx/ssl/tls.crt; - ssl_certificate_key /var/opt/jfrog/nginx/ssl/tls.key; - ssl_session_cache shared:SSL:1m; - ssl_prefer_server_ciphers on; - ## server configuration - server { - listen 443 ssl; - listen 80; - ## Change to you DNS name you use to access Artifactory - server_name ~(?.+)\.artifactory-artifactory artifactory-artifactory; - - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - ## access_log /var/log/nginx/artifactory-access.log timing; - ## error_log /var/log/nginx/artifactory-error.log; - rewrite ^/$ /artifactory/webapp/ redirect; - rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect; - if ( $repo != "" ) { - rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; - } - rewrite ^/(v1|v2)/([^/]+)(.*)$ /artifactory/api/docker/$2/$1/$3; - rewrite ^/(v1|v2)/ /artifactory/api/docker/$1/; - chunked_transfer_encoding on; - client_max_body_size 0; - location /artifactory/ { - proxy_read_timeout 900; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - if ( $request_uri ~ ^/artifactory/(.*)$ ) { - proxy_pass http://artifactory-artifactory:8081/artifactory/$1 break; - } - proxy_pass http://artifactory-artifactory:8081/artifactory/; - proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - } - ``` - -3. Create configMap of `artifactory.conf` created with step above. - ```bash - kubectl create configmap art-nginx-conf --from-file=artifactory.conf - ``` -4. Deploy Artifactory using helm chart. - You can achieve this by providing the name of configMap created above to `nginx.customArtifactoryConfigMap` in [values.yaml](values.yaml) - - Following is command to set values at runtime: - ```bash - helm install --name artifactory-ha nginx.customArtifactoryConfigMap=art-nginx-conf jfrog/artifactory-ha - ``` \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/UPGRADE_NOTES.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/UPGRADE_NOTES.md deleted file mode 100755 index 640474f..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/UPGRADE_NOTES.md +++ /dev/null @@ -1,33 +0,0 @@ -# JFrog Artifactory Chart Upgrade Notes -This file describes special upgrade notes needed at specific versions - -## Upgrade from 0.X to 1.X -**DOWNTIME IS REQUIRED FOR AN UPGRADE!** -* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you!** -* PostgreSQL sub chart was upgraded to version `6.5.x`. This version is not backward compatible with the old version (`0.9.5`)! -* Note the following **PostgreSQL** Helm chart changes - * The chart configuration has changed! See [values.yaml](values.yaml) for the new keys used - * **PostgreSQL** is deployed as a StatefulSet - * See [PostgreSQL helm chart](https://hub.helm.sh/charts/stable/postgresql) for all available configurations -* Upgrade - * Due to breaking changes in the **PostgreSQL** Helm chart, a migration of the database is needed from the old to the new database - * The recommended migration process is the [full system export and import](https://www.jfrog.com/confluence/display/RTF/Importing+and+Exporting) - * **NOTE:** To save time, export only metadata and configuration (check `Exclude Content` in the `System Import & Export`) since the Artifactory filestore is persisted - * Upgrade steps: - 1. Block user access to Artifactory (do not shutdown) - a. Scale down the cluster to primary node only (`node.replicaCount=0`) so the exported db and configuration will be kept on one known node (the primary) - b. If your Artifactory HA K8s service is set to member nodes only (`service.pool=members`) you will need to access the primary node directly (use `kubectl port-forward`) - 2. Perform `Export System` from the `Admin` -> `Import & Export` -> `System` -> `Export System` - a. Check `Exclude Content` to save export size (as Artifactory filestore will persist across upgrade) - b. Choose to save the export on the persisted Artifactory volume (`/var/opt/jfrog/artifactory/`) - c. Click `Export` (this can take some time) - 3. Run the `helm upgrade` with the new version. Old PostgreSQL will be removed and new one deployed - a. You must pass explicit "ready for upgrade flag" with `--set databaseUpgradeReady=yes`. Failing to provide this will block the upgrade! - 4. Once ready, open Artifactory UI (you might need to re-enter a valid license). Skip all onboarding wizard steps - a. **NOTE:** Don't worry you can't see the old config and files. It will all restore with the system import in the next step - 5. Perform `Import System` from the `Admin` -> `Import & Export` -> `System` -> `Import System` - a. Browse to where the export was saved Artifactory volume (`/var/opt/jfrog/artifactory/`) - b. Click `Import` (this can take some time) - 6. Restore access to Artifactory - a. Scale the cluster member nodes back to the original size - * Artifactory should now be ready to get back to normal operation diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/.helmignore b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/.helmignore deleted file mode 100755 index a1c17ae..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/.helmignore +++ /dev/null @@ -1,2 +0,0 @@ -.git -OWNERS \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/Chart.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/Chart.yaml deleted file mode 100755 index 4687eb3..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/Chart.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -appVersion: 11.5.0 -description: Chart for PostgreSQL, an object-relational database management system - (ORDBMS) with an emphasis on extensibility and on standards-compliance. -engine: gotpl -home: https://www.postgresql.org/ -icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png -keywords: -- postgresql -- postgres -- database -- sql -- replication -- cluster -maintainers: -- email: containers@bitnami.com - name: Bitnami -- email: cedric@desaintmartin.fr - name: desaintmartin -name: postgresql -sources: -- https://github.com/bitnami/bitnami-docker-postgresql -version: 7.0.1 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/README.md deleted file mode 100755 index e6621b4..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/README.md +++ /dev/null @@ -1,487 +0,0 @@ -# PostgreSQL - -[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. - -## TL;DR; - -```console -$ helm install stable/postgresql -``` - -## Introduction - -This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). - -## Prerequisites - -- Kubernetes 1.12+ -- Helm 2.11+ or Helm 3.0-beta3+ -- PV provisioner support in the underlying infrastructure - -## Installing the Chart -To install the chart with the release name `my-release`: - -```console -$ helm install --name my-release stable/postgresql -``` - -The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -$ helm delete my-release -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Parameters - -The following tables lists the configurable parameters of the PostgreSQL chart and their default values. - -| Parameter | Description | Default | -| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | -| `global.imageRegistry` | Global Docker Image registry | `nil` | -| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` | -| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` | -| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` | -| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` | -| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` | -| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | -| `image.registry` | PostgreSQL Image registry | `docker.io` | -| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` | -| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | -| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | -| `image.debug` | Specify if debug values should be set | `false` | -| `nameOverride` | String to partially override postgresql.fullname template with a string (will prepend the release name) | `nil` | -| `fullnameOverride` | String to fully override postgresql.fullname template with a string | `nil` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag | `stretch` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | -| `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0` | -| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` | -| `replication.enabled` | Enable replication | `false` | -| `replication.user` | Replication user | `repl_user` | -| `replication.password` | Replication user password | `repl_password` | -| `replication.slaveReplicas` | Number of slaves replicas | `1` | -| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | -| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`. | `0` | -| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | -| `existingSecret` | Name of existing secret to use for PostgreSQL passwords | `nil` | -| `postgresqlUsername` | PostgreSQL admin user | `postgres` | -| `postgresqlPassword` | PostgreSQL admin password | _random 10 character alphanumeric string_ | -| `postgresqlDatabase` | PostgreSQL database | `nil` | -| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) | -| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` | -| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` | -| `postgresqlConfiguration` | Runtime Config Parameters | `nil` | -| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` | -| `pgHbaConfiguration` | Content of pg\_hba.conf | `nil (do not create pg_hba.conf)` | -| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` | -| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` | -| `initdbScripts` | Dictionary of initdb scripts | `nil` | -| `initdbUsername` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` | -| `initdbPassword` | Password for the user specified in `initdbUsername` | `nil` | -| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` | -| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.port` | PostgreSQL port | `5432` | -| `service.nodePort` | Kubernetes Service nodePort | `nil` | -| `service.annotations` | Annotations for PostgreSQL service, the value is evaluated as a template. | {} | -| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | -| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | [] | -| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | -| `persistence.enabled` | Enable persistence using PVC | `true` | -| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` | -| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` | -| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` | -| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` | -| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | -| `persistence.annotations` | Annotations for the PVC | `{}` | -| `master.nodeSelector` | Node labels for pod assignment (postgresql master) | `{}` | -| `master.affinity` | Affinity labels for pod assignment (postgresql master) | `{}` | -| `master.tolerations` | Toleration labels for pod assignment (postgresql master) | `[]` | -| `master.anotations` | Map of annotations to add to the statefulset (postgresql master) | `{}` | -| `master.labels` | Map of labels to add to the statefulset (postgresql master) | `{}` | -| `master.podAnnotations` | Map of annotations to add to the pods (postgresql master) | `{}` | -| `master.podLabels` | Map of labels to add to the pods (postgresql master) | `{}` | -| `master.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql master) | `[]` | -| `master.extraVolumes` | Additional volumes to add to the pods (postgresql master) | `[]` | -| `slave.nodeSelector` | Node labels for pod assignment (postgresql slave) | `{}` | -| `slave.affinity` | Affinity labels for pod assignment (postgresql slave) | `{}` | -| `slave.tolerations` | Toleration labels for pod assignment (postgresql slave) | `[]` | -| `slave.anotations` | Map of annotations to add to the statefulsets (postgresql slave) | `{}` | -| `slave.labels` | Map of labels to add to the statefulsets (postgresql slave) | `{}` | -| `slave.podAnnotations` | Map of annotations to add to the pods (postgresql slave) | `{}` | -| `slave.podLabels` | Map of labels to add to the pods (postgresql slave) | `{}` | -| `slave.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql slave) | `[]` | -| `slave.extraVolumes` | Additional volumes to add to the pods (postgresql slave) | `[]` | -| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` | -| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | -| `securityContext.enabled` | Enable security context | `true` | -| `securityContext.fsGroup` | Group ID for the container | `1001` | -| `securityContext.runAsUser` | User ID for the container | `1001` | -| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | -| `serviceAcccount.name` | Name of existing service account | `nil` | -| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` | -| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | -| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | -| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | -| `livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `livenessProbe.timeoutSeconds` | When the probe times out | 5 | -| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 | -| `readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `readinessProbe.timeoutSeconds` | When the probe times out | 5 | -| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `metrics.enabled` | Start a prometheus exporter | `false` | -| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | -| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | -| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` | -| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | -| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | -| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` | -| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` | -| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` | -| `metrics.image.registry` | PostgreSQL Image registry | `docker.io` | -| `metrics.image.repository` | PostgreSQL Image name | `bitnami/postgres-exporter` | -| `metrics.image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | -| `metrics.image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | -| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | -| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | -| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | -| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 | -| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 | -| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 | -| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `{}` | -| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -$ helm install --name my-release \ - --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ - stable/postgresql -``` - -The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```console -$ helm install --name my-release -f values.yaml stable/postgresql -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details - -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Production configuration and horizontal scaling - -This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. - -- Enable replication: -```diff -- replication.enabled: false -+ replication.enabled: true -``` - -- Number of slaves replicas: -```diff -- replication.slaveReplicas: 1 -+ replication.slaveReplicas: 2 -``` - -- Set synchronous commit mode: -```diff -- replication.synchronousCommit: "off" -+ replication.synchronousCommit: "on" -``` - -- Number of replicas that will have synchronous replication: -```diff -- replication.numSynchronousReplicas: 0 -+ replication.numSynchronousReplicas: 1 -``` - -- Start a prometheus exporter: -```diff -- metrics.enabled: false -+ metrics.enabled: true -``` - -To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above. - -### Change PostgreSQL version - -To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=12.0.0-debian-9-r0` - -### postgresql.conf / pg_hba.conf files as configMap - -This helm chart also supports to customize the whole configuration file. - -Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. - -Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. - -In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. - -### Allow settings to be loaded from files other than the default `postgresql.conf` - -If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. -Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. - -Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. - -### Initialize a fresh instance - -The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. - -Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. - -In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. - -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. - -### Metrics - -The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). - -The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. - -### Use of global variables - -In more complex scenarios, we may have the following tree of dependencies - -``` - +--------------+ - | | - +------------+ Chart 1 +-----------+ - | | | | - | --------+------+ | - | | | - | | | - | | | - | | | - v v v -+-------+------+ +--------+------+ +--------+------+ -| | | | | | -| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | -| | | | | | -+--------------+ +---------------+ +---------------+ -``` - -The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: - -``` -postgresql.postgresqlPassword=testtest -subchart1.postgresql.postgresqlPassword=testtest -subchart2.postgresql.postgresqlPassword=testtest -postgresql.postgresqlDatabase=db1 -subchart1.postgresql.postgresqlDatabase=db1 -subchart2.postgresql.postgresqlDatabase=db1 -``` - -If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: - -``` -global.postgresql.postgresqlPassword=testtest -global.postgresql.postgresqlDatabase=db1 -``` - -This way, the credentials will be available in all of the subcharts. - -## Persistence - -The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. - -If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. - -## NetworkPolicy - -To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. - -For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: - -```console -$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" -``` - -With NetworkPolicy enabled, traffic will be limited to just port 5432. - -For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. -This label will be displayed in the output of a successful install. - -## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image - -- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. -- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. - -### Deploy chart using Docker Official PostgreSQL Image - -From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. -Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. - -``` -helm install --name postgres \ - --set image.repository=postgres \ - --set image.tag=10.6 \ - --set postgresqlDataDir=/data/pgdata \ - --set persistence.mountPath=/data/ \ - stable/postgresql -``` - -## Upgrade - -It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: - -```bash -$ helm upgrade my-release bitnami/influxdb \ - --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ - --set replication.password=[REPLICATION_PASSWORD] -``` - -> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. - -## 7.0.0 - -Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. - -In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. - -This major version bump signifies this change. - -## 5.0.0 - -In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). - -For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: - -```bash -Welcome to the Bitnami postgresql container -Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql -Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues -Send us your feedback at containers@bitnami.com - -INFO ==> ** Starting PostgreSQL setup ** -NFO ==> Validating settings in POSTGRESQL_* env vars.. -INFO ==> Initializing PostgreSQL database... -INFO ==> postgresql.conf file not detected. Generating it... -INFO ==> pg_hba.conf file not detected. Generating it... -INFO ==> Deploying PostgreSQL with persisted data... -INFO ==> Configuring replication parameters -INFO ==> Loading custom scripts... -INFO ==> Enabling remote connections -INFO ==> Stopping PostgreSQL... -INFO ==> ** PostgreSQL setup finished! ** - -INFO ==> ** Starting PostgreSQL ** - [1] FATAL: database files are incompatible with server - [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. -``` -In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. - -### 4.0.0 - -This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. - -IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error - -``` -The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development -``` - -### 3.0.0 - -This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. -It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. - -#### Breaking changes - -- `affinty` has been renamed to `master.affinity` and `slave.affinity`. -- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. -- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. - -### 2.0.0 - -In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: - - - Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running - - ```console -$ kubectl get svc - ``` - -- Install (not upgrade) the new version - -```console -$ helm repo update -$ helm install --name my-release stable/postgresql -``` - -- Connect to the new pod (you can obtain the name by running `kubectl get pods`): - -```console -$ kubectl exec -it NAME bash -``` - -- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: - -```console -$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql -``` - -After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). -This operation could take some time depending on the database size. - -- Once you have the backup file, you can restore it with a command like the one below: - -```console -$ psql -U postgres DATABASE_NAME < /tmp/backup.sql -``` - -In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). - -If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. - -```console -$ psql -U postgres -postgres=# drop database DATABASE_NAME; -postgres=# create database DATABASE_NAME; -postgres=# create user USER_NAME; -postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; -postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; -postgres=# alter database DATABASE_NAME owner to USER_NAME; -``` diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/README.md deleted file mode 100755 index 1813a2f..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/README.md +++ /dev/null @@ -1 +0,0 @@ -Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/conf.d/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/conf.d/README.md deleted file mode 100755 index 184c187..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/conf.d/README.md +++ /dev/null @@ -1,4 +0,0 @@ -If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. -These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. - -More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/docker-entrypoint-initdb.d/README.md deleted file mode 100755 index cba3809..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/files/docker-entrypoint-initdb.d/README.md +++ /dev/null @@ -1,3 +0,0 @@ -You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. - -More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/NOTES.txt b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/NOTES.txt deleted file mode 100755 index 798fa10..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/NOTES.txt +++ /dev/null @@ -1,50 +0,0 @@ -** Please be patient while the chart is being deployed ** - -PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster: - - {{ template "postgresql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection -{{- if .Values.replication.enabled }} - {{ template "postgresql.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection -{{- end }} -To get the password for "{{ template "postgresql.username" . }}" run: - - export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) - -To connect to your database run the following command: - - kubectl run {{ template "postgresql.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} - --labels="{{ template "postgresql.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "postgresql.fullname" . }} -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} -p {{ template "postgresql.port" . }} - -{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} -Note: Since NetworkPolicy is enabled, only pods with label {{ template "postgresql.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. -{{- end }} - -To connect to your database from outside the cluster execute the following commands: - -{{- if contains "NodePort" .Values.service.type }} - - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "postgresql.fullname" . }}) - {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} - -{{- else if contains "LoadBalancer" .Values.service.type }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "postgresql.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} - -{{- else if contains "ClusterIP" .Values.service.type }} - - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "postgresql.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} & - {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }}{{- if .Values.postgresqlDatabase }} -d {{ .Values.postgresqlDatabase }}{{- end }} -p {{ template "postgresql.port" . }} - -{{- end }} - -{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} - -WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ - -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/_helpers.tpl b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/_helpers.tpl deleted file mode 100755 index b379f29..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/_helpers.tpl +++ /dev/null @@ -1,374 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "postgresql.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "postgresql.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "postgresql.master.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} -{{- if .Values.replication.enabled -}} -{{- printf "%s-%s" $fullname "master" | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "postgresql.networkPolicy.apiVersion" -}} -{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} -"extensions/v1beta1" -{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} -"networking.k8s.io/v1" -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "postgresql.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Return the proper PostgreSQL image name -*/}} -{{- define "postgresql.image" -}} -{{- $registryName := .Values.image.registry -}} -{{- $repositoryName := .Values.image.repository -}} -{{- $tag := .Values.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL password -*/}} -{{- define "postgresql.password" -}} -{{- if .Values.global.postgresql.postgresqlPassword }} - {{- .Values.global.postgresql.postgresqlPassword -}} -{{- else if .Values.postgresqlPassword -}} - {{- .Values.postgresqlPassword -}} -{{- else -}} - {{- randAlphaNum 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL replication password -*/}} -{{- define "postgresql.replication.password" -}} -{{- if .Values.global.postgresql.replicationPassword }} - {{- .Values.global.postgresql.replicationPassword -}} -{{- else if .Values.replication.password -}} - {{- .Values.replication.password -}} -{{- else -}} - {{- randAlphaNum 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL username -*/}} -{{- define "postgresql.username" -}} -{{- if .Values.global.postgresql.postgresqlUsername }} - {{- .Values.global.postgresql.postgresqlUsername -}} -{{- else -}} - {{- .Values.postgresqlUsername -}} -{{- end -}} -{{- end -}} - - -{{/* -Return PostgreSQL replication username -*/}} -{{- define "postgresql.replication.username" -}} -{{- if .Values.global.postgresql.replicationUser }} - {{- .Values.global.postgresql.replicationUser -}} -{{- else -}} - {{- .Values.replication.user -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL port -*/}} -{{- define "postgresql.port" -}} -{{- if .Values.global.postgresql.servicePort }} - {{- .Values.global.postgresql.servicePort -}} -{{- else -}} - {{- .Values.service.port -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL created database -*/}} -{{- define "postgresql.database" -}} -{{- if .Values.global.postgresql.postgresqlDatabase }} - {{- .Values.global.postgresql.postgresqlDatabase -}} -{{- else if .Values.postgresqlDatabase -}} - {{- .Values.postgresqlDatabase -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper image name to change the volume permissions -*/}} -{{- define "postgresql.volumePermissions.image" -}} -{{- $registryName := .Values.volumePermissions.image.registry -}} -{{- $repositoryName := .Values.volumePermissions.image.repository -}} -{{- $tag := .Values.volumePermissions.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper PostgreSQL metrics image name -*/}} -{{- define "postgresql.metrics.image" -}} -{{- $registryName := default "docker.io" .Values.metrics.image.registry -}} -{{- $repositoryName := .Values.metrics.image.repository -}} -{{- $tag := default "latest" .Values.metrics.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Get the password secret. -*/}} -{{- define "postgresql.secretName" -}} -{{- if .Values.global.postgresql.existingSecret }} - {{- printf "%s" .Values.global.postgresql.existingSecret -}} -{{- else if .Values.existingSecret -}} - {{- printf "%s" .Values.existingSecret -}} -{{- else -}} - {{- printf "%s" (include "postgresql.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a secret object should be created -*/}} -{{- define "postgresql.createSecret" -}} -{{- if .Values.global.postgresql.existingSecret }} -{{- else if .Values.existingSecret -}} -{{- else -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Get the configuration ConfigMap name. -*/}} -{{- define "postgresql.configurationCM" -}} -{{- if .Values.configurationConfigMap -}} -{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} -{{- else -}} -{{- printf "%s-configuration" (include "postgresql.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the extended configuration ConfigMap name. -*/}} -{{- define "postgresql.extendedConfigurationCM" -}} -{{- if .Values.extendedConfConfigMap -}} -{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} -{{- else -}} -{{- printf "%s-extended-configuration" (include "postgresql.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the initialization scripts ConfigMap name. -*/}} -{{- define "postgresql.initdbScriptsCM" -}} -{{- if .Values.initdbScriptsConfigMap -}} -{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} -{{- else -}} -{{- printf "%s-init-scripts" (include "postgresql.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the initialization scripts Secret name. -*/}} -{{- define "postgresql.initdbScriptsSecret" -}} -{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -*/}} -{{- define "postgresql.imagePullSecrets" -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -Also, we can not use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.metrics.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.volumePermissions.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.metrics.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.volumePermissions.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- end -}} - -{{/* -Get the readiness probe command -*/}} -{{- define "postgresql.readinessProbeCommand" -}} -- | -{{- if (include "postgresql.database" .) }} - pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} -{{- else }} - pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} -{{- end }} -{{- if contains "bitnami/" .Values.image.repository }} - [ -f /opt/bitnami/postgresql/tmp/.initialized ] -{{- end -}} -{{- end -}} - -{{/* -Return the proper Storage Class -*/}} -{{- define "postgresql.storageClass" -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -*/}} -{{- if .Values.global -}} - {{- if .Values.global.storageClass -}} - {{- if (eq "-" .Values.global.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.global.storageClass -}} - {{- end -}} - {{- else -}} - {{- if .Values.persistence.storageClass -}} - {{- if (eq "-" .Values.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- else -}} - {{- if .Values.persistence.storageClass -}} - {{- if (eq "-" .Values.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Renders a value that contains template. -Usage: -{{ include "postgresql.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }} -*/}} -{{- define "postgresql.tplValue" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} -{{- end -}} - -{{/* -Return the appropriate apiVersion for statefulset. -*/}} -{{- define "postgresql.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "apps/v1beta2" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/configmap.yaml deleted file mode 100755 index d2178c0..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/configmap.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "postgresql.fullname" . }}-configuration - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -data: -{{- if (.Files.Glob "files/postgresql.conf") }} -{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} -{{- else if .Values.postgresqlConfiguration }} - postgresql.conf: | -{{- range $key, $value := default dict .Values.postgresqlConfiguration }} - {{ $key | snakecase }}={{ $value }} -{{- end }} -{{- end }} -{{- if (.Files.Glob "files/pg_hba.conf") }} -{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} -{{- else if .Values.pgHbaConfiguration }} - pg_hba.conf: | -{{ .Values.pgHbaConfiguration | indent 4 }} -{{- end }} -{{ end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/extended-config-configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/extended-config-configmap.yaml deleted file mode 100755 index 8a41195..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/extended-config-configmap.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "postgresql.fullname" . }}-extended-configuration - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -data: -{{- with .Files.Glob "files/conf.d/*.conf" }} -{{ .AsConfig | indent 2 }} -{{- end }} -{{ with .Values.postgresqlExtendedConf }} - override.conf: | -{{- range $key, $value := . }} - {{ $key | snakecase }}={{ $value }} -{{- end }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/initialization-configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/initialization-configmap.yaml deleted file mode 100755 index 8eb5e05..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/initialization-configmap.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "postgresql.fullname" . }}-init-scripts - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} -binaryData: -{{- range $path, $bytes := . }} - {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} -{{- end }} -{{- end }} -data: -{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} -{{ .AsConfig | indent 2 }} -{{- end }} -{{- with .Values.initdbScripts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/metrics-svc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/metrics-svc.yaml deleted file mode 100755 index f370041..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/metrics-svc.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "postgresql.fullname" . }}-metrics - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - annotations: -{{ toYaml .Values.metrics.service.annotations | indent 4 }} -spec: - type: {{ .Values.metrics.service.type }} - {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} - {{- end }} - ports: - - name: metrics - port: 9187 - targetPort: metrics - selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name }} - role: master -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/networkpolicy.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/networkpolicy.yaml deleted file mode 100755 index 8fb23f2..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/networkpolicy.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -kind: NetworkPolicy -apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} -metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -spec: - podSelector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - ingress: - # Allow inbound connections - - ports: - - port: {{ template "postgresql.port" . }} - {{- if not .Values.networkPolicy.allowExternal }} - from: - - podSelector: - matchLabels: - {{ template "postgresql.fullname" . }}-client: "true" - - podSelector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: slave - {{- end }} - # Allow prometheus scrapes - - ports: - - port: 9187 -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/secrets.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/secrets.yaml deleted file mode 100755 index e0bc3b2..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if (include "postgresql.createSecret" .) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -type: Opaque -data: - postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} - {{- if .Values.replication.enabled }} - postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} - {{- end }} -{{- end -}} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/serviceaccount.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/serviceaccount.yaml deleted file mode 100755 index 27e5b51..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/serviceaccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - name: {{ template "postgresql.fullname" . }} -{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/servicemonitor.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/servicemonitor.yaml deleted file mode 100755 index 9211d51..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/servicemonitor.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "postgresql.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- end }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - {{- if .Values.metrics.serviceMonitor.additionalLabels }} -{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} - {{- end }} -spec: - endpoints: - - port: metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset-slaves.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset-slaves.yaml deleted file mode 100755 index 74a81d0..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset-slaves.yaml +++ /dev/null @@ -1,247 +0,0 @@ -{{- if .Values.replication.enabled }} -apiVersion: {{ template "postgresql.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: "{{ template "postgresql.fullname" . }}-slave" - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.slave.labels }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.slave.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: - serviceName: {{ template "postgresql.fullname" . }}-headless - replicas: {{ .Values.replication.slaveReplicas }} - selector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: slave - template: - metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - role: slave -{{- with .Values.slave.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} -{{- with .Values.slave.podAnnotations }} - annotations: -{{ toYaml . | indent 8 }} -{{- end }} - spec: - {{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" - {{- end }} -{{- include "postgresql.imagePullSecrets" . | indent 6 }} - {{- if .Values.slave.nodeSelector }} - nodeSelector: -{{ toYaml .Values.slave.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.slave.affinity }} - affinity: -{{ toYaml .Values.slave.affinity | indent 8 }} - {{- end }} - {{- if .Values.slave.tolerations }} - tolerations: -{{ toYaml .Values.slave.tolerations | indent 8 }} - {{- end }} - {{- if .Values.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - {{- end }} - {{- if .Values.serviceAccount.enabled }} - serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name}} - {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - initContainers: - - name: init-chmod-data - image: {{ template "postgresql.volumePermissions.image" . }} - imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}" - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -c - - | - mkdir -p {{ .Values.persistence.mountPath }}/data - chmod 700 {{ .Values.persistence.mountPath }}/data - find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ - xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} - securityContext: - runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }} - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - containers: - - name: {{ template "postgresql.fullname" . }} - image: {{ template "postgresql.image" . }} - imagePullPolicy: "{{ .Values.image.pullPolicy }}" - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" .Values.image.debug | quote }} - - name: POSTGRESQL_VOLUME_DIR - value: "{{ .Values.persistence.mountPath }}" - - name: POSTGRESQL_PORT_NUMBER - value: "{{ template "postgresql.port" . }}" - {{- if .Values.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - - name: POSTGRES_REPLICATION_MODE - value: "slave" - - name: POSTGRES_REPLICATION_USER - value: {{ include "postgresql.replication.username" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-replication-password - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - - name: POSTGRES_MASTER_HOST - value: {{ template "postgresql.fullname" . }} - - name: POSTGRES_MASTER_PORT_NUMBER - value: {{ include "postgresql.port" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-password" - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-password - {{- end }} - ports: - - name: postgresql - containerPort: {{ template "postgresql.port" . }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- else }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- end }} - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - {{- end }} - volumeMounts: - {{- if .Values.usePasswordFile }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.persistence.enabled }} - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{ end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - mountPath: /bitnami/postgresql/conf/conf.d/ - {{- end }} - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} - - name: postgresql-config - mountPath: /bitnami/postgresql/conf - {{- end }} - {{- if .Values.slave.extraVolumeMounts }} - {{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }} - {{- end }} - volumes: - {{- if .Values.usePasswordFile }} - - name: postgresql-password - secret: - secretName: {{ template "postgresql.secretName" . }} - {{- end }} - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} - - name: postgresql-config - configMap: - name: {{ template "postgresql.configurationCM" . }} - {{- end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - configMap: - name: {{ template "postgresql.extendedConfigurationCM" . }} - {{- end }} - {{- if not .Values.persistence.enabled }} - - name: data - emptyDir: {} - {{- end }} - {{- if .Values.slave.extraVolumes }} - {{- toYaml .Values.slave.extraVolumes | nindent 8 }} - {{- end }} - updateStrategy: - type: {{ .Values.updateStrategy.type }} - {{- if (eq "Recreate" .Values.updateStrategy.type) }} - rollingUpdate: null - {{- end }} -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: data - {{- with .Values.persistence.annotations }} - annotations: - {{- range $key, $value := . }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} - spec: - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{ include "postgresql.storageClass" . }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset.yaml deleted file mode 100755 index 64c297f..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/statefulset.yaml +++ /dev/null @@ -1,355 +0,0 @@ -apiVersion: {{ template "postgresql.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ template "postgresql.master.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.master.labels }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.master.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: - serviceName: {{ template "postgresql.fullname" . }}-headless - replicas: 1 - updateStrategy: - type: {{ .Values.updateStrategy.type }} - {{- if (eq "Recreate" .Values.updateStrategy.type) }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: master - template: - metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - role: master -{{- with .Values.master.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} -{{- with .Values.master.podAnnotations }} - annotations: -{{ toYaml . | indent 8 }} -{{- end }} - spec: - {{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" - {{- end }} -{{- include "postgresql.imagePullSecrets" . | indent 6 }} - {{- if .Values.master.nodeSelector }} - nodeSelector: -{{ toYaml .Values.master.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.master.affinity }} - affinity: -{{ toYaml .Values.master.affinity | indent 8 }} - {{- end }} - {{- if .Values.master.tolerations }} - tolerations: -{{ toYaml .Values.master.tolerations | indent 8 }} - {{- end }} - {{- if .Values.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - {{- end }} - {{- if .Values.serviceAccount.enabled }} - serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }} - {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - initContainers: - - name: init-chmod-data - image: {{ template "postgresql.volumePermissions.image" . }} - imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}" - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -c - - | - mkdir -p {{ .Values.persistence.mountPath }}/data - chmod 700 {{ .Values.persistence.mountPath }}/data - find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ - xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} - securityContext: - runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }} - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - containers: - - name: {{ template "postgresql.fullname" . }} - image: {{ template "postgresql.image" . }} - imagePullPolicy: "{{ .Values.image.pullPolicy }}" - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" .Values.image.debug | quote }} - - name: POSTGRESQL_PORT_NUMBER - value: "{{ template "postgresql.port" . }}" - - name: POSTGRESQL_VOLUME_DIR - value: "{{ .Values.persistence.mountPath }}" - {{- if .Values.postgresqlInitdbArgs }} - - name: POSTGRES_INITDB_ARGS - value: {{ .Values.postgresqlInitdbArgs | quote }} - {{- end }} - {{- if .Values.postgresqlInitdbWalDir }} - - name: POSTGRES_INITDB_WALDIR - value: {{ .Values.postgresqlInitdbWalDir | quote }} - {{- end }} - {{- if .Values.initdbUser }} - - name: POSTGRESQL_INITSCRIPTS_USERNAME - value: {{ .Values.initdbUser }} - {{- end }} - {{- if .Values.initdbPassword }} - - name: POSTGRESQL_INITSCRIPTS_PASSWORD - value: .Values.initdbPassword - {{- end }} - {{- if .Values.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - {{- if .Values.replication.enabled }} - - name: POSTGRES_REPLICATION_MODE - value: "master" - - name: POSTGRES_REPLICATION_USER - value: {{ include "postgresql.replication.username" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-replication-password - {{- end }} - {{- if not (eq .Values.replication.synchronousCommit "off")}} - - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE - value: {{ .Values.replication.synchronousCommit | quote }} - - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS - value: {{ .Values.replication.numSynchronousReplicas | quote }} - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - {{- end }} - - name: POSTGRES_USER - value: {{ include "postgresql.username" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-password" - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-password - {{- end }} - {{- if (include "postgresql.database" .) }} - - name: POSTGRES_DB - value: {{ (include "postgresql.database" .) | quote }} - {{- end }} - {{- if .Values.extraEnv }} - {{- include "postgresql.tplValue" (dict "value" .Values.extraEnv "context" $) | nindent 12 }} - {{- end }} - ports: - - name: postgresql - containerPort: {{ template "postgresql.port" . }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- else }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- end }} - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - {{- end }} - volumeMounts: - {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - mountPath: /docker-entrypoint-initdb.d/ - {{- end }} - {{- if .Values.initdbScriptsSecret }} - - name: custom-init-scripts-secret - mountPath: /docker-entrypoint-initdb.d/secret - {{- end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - mountPath: /bitnami/postgresql/conf/conf.d/ - {{- end }} - {{- if .Values.usePasswordFile }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.persistence.enabled }} - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} - - name: postgresql-config - mountPath: /bitnami/postgresql/conf - {{- end }} - {{- if .Values.master.extraVolumeMounts }} - {{- toYaml .Values.master.extraVolumeMounts | nindent 12 }} - {{- end }} -{{- if .Values.metrics.enabled }} - - name: metrics - image: {{ template "postgresql.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.metrics.securityContext.runAsUser }} - {{- end }} - env: - {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} - - name: DATA_SOURCE_URI - value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }} - {{- if .Values.usePasswordFile }} - - name: DATA_SOURCE_PASS_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-password" - {{- else }} - - name: DATA_SOURCE_PASS - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-password - {{- end }} - - name: DATA_SOURCE_USER - value: {{ template "postgresql.username" . }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: / - port: metrics - initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: / - port: metrics - initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} - {{- end }} - volumeMounts: - {{- if .Values.usePasswordFile }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - ports: - - name: metrics - containerPort: 9187 - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} -{{- end }} - volumes: - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} - - name: postgresql-config - configMap: - name: {{ template "postgresql.configurationCM" . }} - {{- end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - configMap: - name: {{ template "postgresql.extendedConfigurationCM" . }} - {{- end }} - {{- if .Values.usePasswordFile }} - - name: postgresql-password - secret: - secretName: {{ template "postgresql.secretName" . }} - {{- end }} - {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - configMap: - name: {{ template "postgresql.initdbScriptsCM" . }} - {{- end }} - {{- if .Values.initdbScriptsSecret }} - - name: custom-init-scripts-secret - secret: - secretName: {{ template "postgresql.initdbScriptsSecret" . }} - {{- end }} - {{- if .Values.master.extraVolumes }} - {{- toYaml .Values.master.extraVolumes | nindent 8 }} - {{- end }} -{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} - - name: data - persistentVolumeClaim: -{{- with .Values.persistence.existingClaim }} - claimName: {{ tpl . $ }} -{{- end }} -{{- else if not .Values.persistence.enabled }} - - name: data - emptyDir: {} -{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: data - {{- with .Values.persistence.annotations }} - annotations: - {{- range $key, $value := . }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} - spec: - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{ include "postgresql.storageClass" . }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-headless.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-headless.yaml deleted file mode 100755 index 0bc60be..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-headless.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "postgresql.fullname" . }}-headless - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -spec: - type: ClusterIP - clusterIP: None - ports: - - name: postgresql - port: {{ template "postgresql.port" . }} - targetPort: postgresql - selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-read.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-read.yaml deleted file mode 100755 index 17bda04..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc-read.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- if .Values.replication.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "postgresql.fullname" . }}-read - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.service.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} - {{- end }} - ports: - - name: postgresql - port: {{ template "postgresql.port" . }} - targetPort: postgresql - {{- if .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: slave -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc.yaml deleted file mode 100755 index 3b880b7..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/templates/svc.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "postgresql.fullname" . }} - labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.service.annotations }} - annotations: -{{ tpl (toYaml .) $ | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{ with .Values.service.loadBalancerSourceRanges }} -{{ toYaml . | indent 4 }} -{{- end }} - {{- end }} - {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} - clusterIP: {{ .Values.service.clusterIP }} - {{- end }} - ports: - - name: postgresql - port: {{ template "postgresql.port" . }} - targetPort: postgresql - {{- if .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} - role: master diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values-production.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values-production.yaml deleted file mode 100755 index 353848a..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values-production.yaml +++ /dev/null @@ -1,392 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## -global: - postgresql: {} -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass - -## Bitnami PostgreSQL image version -## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ -## -image: - registry: docker.io - repository: bitnami/postgresql - tag: 11.5.0-debian-9-r84 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Set to true if you would like to see extra information on logs - ## It turns BASH and NAMI debugging in minideb - ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging - debug: false - -## String to partially override postgresql.fullname template (will maintain the release name) -## -# nameOverride: - -## String to fully override postgresql.fullname template -## -# fullnameOverride: - -## -## Init containers parameters: -## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup -## -volumePermissions: - enabled: true - image: - registry: docker.io - repository: bitnami/minideb - tag: stretch - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Init container Security Context - securityContext: - runAsUser: 0 - -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -# schedulerName: - -## Pod Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - -## Pod Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -serviceAccount: - enabled: false - ## Name of an already existing service account. Setting this value disables the automatic service account creation. - # name: - -replication: - enabled: true - user: repl_user - password: repl_password - slaveReplicas: 2 - ## Set synchronous commit mode: on, off, remote_apply, remote_write and local - ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL - synchronousCommit: "on" - ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication - ## NOTE: It cannot be > slaveReplicas - numSynchronousReplicas: 1 - ## Replication Cluster application name. Useful for defining multiple replication policies - applicationName: my_application - -## PostgreSQL admin user -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -postgresqlUsername: postgres - -## PostgreSQL password -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -## -# postgresqlPassword: - -## PostgreSQL password using existing secret -## existingSecret: secret - -## Mount PostgreSQL secret as a file instead of passing environment variable -# usePasswordFile: false - -## Create a database -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run -## -# postgresqlDatabase: - -## PostgreSQL data dir -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -postgresqlDataDir: /bitnami/postgresql/data - -## Specify extra initdb args -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbArgs: - -## Specify a custom location for the PostgreSQL transaction log -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbWalDir: - -## PostgreSQL configuration -## Specify runtime configuration parameters as a dict, using camelCase, e.g. -## {"sharedBuffers": "500MB"} -## Alternatively, you can put your postgresql.conf under the files/ directory -## ref: https://www.postgresql.org/docs/current/static/runtime-config.html -## -# postgresqlConfiguration: - -## PostgreSQL extended configuration -## As above, but _appended_ to the main configuration -## Alternatively, you can put your *.conf under the files/conf.d/ directory -## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf -## -# postgresqlExtendedConf: - -## PostgreSQL client authentication configuration -## Specify content for pg_hba.conf -## Default: do not create pg_hba.conf -## Alternatively, you can put your pg_hba.conf under the files/ directory -# pgHbaConfiguration: |- -# local all all trust -# host all all localhost trust -# host mydatabase mysuser 192.168.0.0/24 md5 - -## ConfigMap with PostgreSQL configuration -## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration -# configurationConfigMap: - -## ConfigMap with PostgreSQL extended configuration -# extendedConfConfigMap: - -## initdb scripts -## Specify dictionary of scripts to be run at first boot -## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory -## -# initdbScripts: -# my_init_script.sh: | -# #!/bin/sh -# echo "Do something." - -## Specify the PostgreSQL username and password to execute the initdb scripts -# initdbUser: -# initdbPassword: - -## ConfigMap with scripts to be run at first boot -## NOTE: This will override initdbScripts -# initdbScriptsConfigMap: - -## Secret with scripts to be run at first boot (in case it contains sensitive information) -## NOTE: This can work along initdbScripts or initdbScriptsConfigMap -# initdbScriptsSecret: - -## Optional duration in seconds the pod needs to terminate gracefully. -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods -## -# terminationGracePeriodSeconds: 30 - -## PostgreSQL service configuration -service: - ## PosgresSQL service type - type: ClusterIP - # clusterIP: None - port: 5432 - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - annotations: {} - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - - ## Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - # loadBalancerSourceRanges: - # - 10.10.10.0/24 - -## PostgreSQL data Persistent Volume Storage Class -## If defined, storageClassName: -## If set to "-", storageClassName: "", which disables dynamic provisioning -## If undefined (the default) or set to null, no storageClassName spec is -## set, choosing the default provisioner. (gp2 on AWS, standard on -## GKE, AWS & OpenStack) -## -persistence: - enabled: true - ## A manually managed Persistent Volume and Claim - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart - ## - # existingClaim: - - ## The path the volume will be mounted at, useful when using different - ## PostgreSQL images. - ## - mountPath: /bitnami/postgresql - - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - ## - subPath: "" - - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - annotations: {} - -## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -updateStrategy: - type: RollingUpdate - -## -## PostgreSQL Master parameters -## -master: - ## Node, affinity and tolerations labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - nodeSelector: {} - affinity: {} - tolerations: [] - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - ## Additional PostgreSQL Master Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Master Volumes - ## - extraVolumes: [] - -## -## PostgreSQL Slave parameters -## -slave: - ## Node, affinity and tolerations labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - nodeSelector: {} - affinity: {} - tolerations: [] - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - ## Additional PostgreSQL Slave Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Slave Volumes - ## - extraVolumes: [] - -## Configure resource requests and limits -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ -## -resources: - requests: - memory: 256Mi - cpu: 250m - -networkPolicy: - ## Enable creation of NetworkPolicy resources. - ## - enabled: false - - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the port PostgreSQL is listening - ## on. When true, PostgreSQL will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - -## Configure extra options for liveness and readiness probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) -livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -## Configure metrics exporter -## -metrics: - enabled: true - # resources: {} - service: - type: ClusterIP - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9187" - loadBalancerIP: - serviceMonitor: - enabled: false - additionalLabels: {} - # namespace: monitoring - # interval: 30s - # scrapeTimeout: 10s - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.6.0-debian-9-r0 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## - securityContext: - enabled: false - runAsUser: 1001 - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## Configure extra options for liveness and readiness probes - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -# Define custom environment variables to pass to the image here -extraEnv: [] diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.schema.json b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.schema.json deleted file mode 100755 index ac2de6e..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.schema.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "properties": { - "postgresqlUsername": { - "type": "string", - "title": "Admin user", - "form": true - }, - "postgresqlPassword": { - "type": "string", - "title": "Password", - "form": true - }, - "persistence": { - "type": "object", - "properties": { - "size": { - "type": "string", - "title": "Persistent Volume Size", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderUnit": "Gi" - } - } - }, - "resources": { - "type": "object", - "title": "Required Resources", - "description": "Configure resource requests", - "form": true, - "properties": { - "requests": { - "type": "object", - "properties": { - "memory": { - "type": "string", - "form": true, - "render": "slider", - "title": "Memory Request", - "sliderMin": 10, - "sliderMax": 2048, - "sliderUnit": "Mi" - }, - "cpu": { - "type": "string", - "form": true, - "render": "slider", - "title": "CPU Request", - "sliderMin": 10, - "sliderMax": 2000, - "sliderUnit": "m" - } - } - } - } - }, - "replication": { - "type": "object", - "form": true, - "title": "Replication Details", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable Replication", - "form": true - }, - "slaveReplicas": { - "type": "integer", - "title": "Slave Replicas", - "form": true, - "hidden": { - "condition": false, - "value": "replication.enabled" - } - } - } - }, - "volumePermissions": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable Init Containers", - "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" - } - } - }, - "metrics": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "title": "Configure metrics exporter", - "form": true - } - } - } - } -} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.yaml deleted file mode 100755 index e13d0a7..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/postgresql/values.yaml +++ /dev/null @@ -1,392 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## -global: - postgresql: {} -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass - -## Bitnami PostgreSQL image version -## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ -## -image: - registry: docker.io - repository: bitnami/postgresql - tag: 11.5.0-debian-9-r84 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Set to true if you would like to see extra information on logs - ## It turns BASH and NAMI debugging in minideb - ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging - debug: false - -## String to partially override postgresql.fullname template (will maintain the release name) -## -# nameOverride: - -## String to fully override postgresql.fullname template -## -# fullnameOverride: - -## -## Init containers parameters: -## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup -## -volumePermissions: - enabled: true - image: - registry: docker.io - repository: bitnami/minideb - tag: stretch - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Init container Security Context - securityContext: - runAsUser: 0 - -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -# schedulerName: - -## Pod Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - -## Pod Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -serviceAccount: - enabled: false - ## Name of an already existing service account. Setting this value disables the automatic service account creation. - # name: - -replication: - enabled: false - user: repl_user - password: repl_password - slaveReplicas: 1 - ## Set synchronous commit mode: on, off, remote_apply, remote_write and local - ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL - synchronousCommit: "off" - ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication - ## NOTE: It cannot be > slaveReplicas - numSynchronousReplicas: 0 - ## Replication Cluster application name. Useful for defining multiple replication policies - applicationName: my_application - -## PostgreSQL admin user -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -postgresqlUsername: postgres - -## PostgreSQL password -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -## -# postgresqlPassword: - -## PostgreSQL password using existing secret -## existingSecret: secret - -## Mount PostgreSQL secret as a file instead of passing environment variable -# usePasswordFile: false - -## Create a database -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run -## -# postgresqlDatabase: - -## PostgreSQL data dir -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -postgresqlDataDir: /bitnami/postgresql/data - -## Specify extra initdb args -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbArgs: - -## Specify a custom location for the PostgreSQL transaction log -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbWalDir: - -## PostgreSQL configuration -## Specify runtime configuration parameters as a dict, using camelCase, e.g. -## {"sharedBuffers": "500MB"} -## Alternatively, you can put your postgresql.conf under the files/ directory -## ref: https://www.postgresql.org/docs/current/static/runtime-config.html -## -# postgresqlConfiguration: - -## PostgreSQL extended configuration -## As above, but _appended_ to the main configuration -## Alternatively, you can put your *.conf under the files/conf.d/ directory -## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf -## -# postgresqlExtendedConf: - -## PostgreSQL client authentication configuration -## Specify content for pg_hba.conf -## Default: do not create pg_hba.conf -## Alternatively, you can put your pg_hba.conf under the files/ directory -# pgHbaConfiguration: |- -# local all all trust -# host all all localhost trust -# host mydatabase mysuser 192.168.0.0/24 md5 - -## ConfigMap with PostgreSQL configuration -## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration -# configurationConfigMap: - -## ConfigMap with PostgreSQL extended configuration -# extendedConfConfigMap: - -## initdb scripts -## Specify dictionary of scripts to be run at first boot -## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory -## -# initdbScripts: -# my_init_script.sh: | -# #!/bin/sh -# echo "Do something." - -## ConfigMap with scripts to be run at first boot -## NOTE: This will override initdbScripts -# initdbScriptsConfigMap: - -## Secret with scripts to be run at first boot (in case it contains sensitive information) -## NOTE: This can work along initdbScripts or initdbScriptsConfigMap -# initdbScriptsSecret: - -## Specify the PostgreSQL username and password to execute the initdb scripts -# initdbUser: -# initdbPassword: - -## Optional duration in seconds the pod needs to terminate gracefully. -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods -## -# terminationGracePeriodSeconds: 30 - -## PostgreSQL service configuration -service: - ## PosgresSQL service type - type: ClusterIP - # clusterIP: None - port: 5432 - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - annotations: {} - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - - ## Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - # loadBalancerSourceRanges: - # - 10.10.10.0/24 - -## PostgreSQL data Persistent Volume Storage Class -## If defined, storageClassName: -## If set to "-", storageClassName: "", which disables dynamic provisioning -## If undefined (the default) or set to null, no storageClassName spec is -## set, choosing the default provisioner. (gp2 on AWS, standard on -## GKE, AWS & OpenStack) -## -persistence: - enabled: true - ## A manually managed Persistent Volume and Claim - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart - ## - # existingClaim: - - ## The path the volume will be mounted at, useful when using different - ## PostgreSQL images. - ## - mountPath: /bitnami/postgresql - - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - ## - subPath: "" - - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - annotations: {} - -## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -updateStrategy: - type: RollingUpdate - -## -## PostgreSQL Master parameters -## -master: - ## Node, affinity and tolerations labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - nodeSelector: {} - affinity: {} - tolerations: [] - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - ## Additional PostgreSQL Master Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Master Volumes - ## - extraVolumes: [] - -## -## PostgreSQL Slave parameters -## -slave: - ## Node, affinity and tolerations labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - nodeSelector: {} - affinity: {} - tolerations: [] - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - ## Additional PostgreSQL Slave Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Slave Volumes - ## - extraVolumes: [] - -## Configure resource requests and limits -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ -## -resources: - requests: - memory: 256Mi - cpu: 250m - -networkPolicy: - ## Enable creation of NetworkPolicy resources. - ## - enabled: false - - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the port PostgreSQL is listening - ## on. When true, PostgreSQL will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - -## Configure extra options for liveness and readiness probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) -livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -## Configure metrics exporter -## -metrics: - enabled: false - # resources: {} - service: - type: ClusterIP - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9187" - loadBalancerIP: - serviceMonitor: - enabled: false - additionalLabels: {} - # namespace: monitoring - # interval: 30s - # scrapeTimeout: 10s - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.6.0-debian-9-r0 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## - securityContext: - enabled: false - runAsUser: 1001 - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## Configure extra options for liveness and readiness probes - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -# Define custom environment variables to pass to the image here -extraEnv: [] diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/NOTES.txt b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/NOTES.txt deleted file mode 100755 index d08fa88..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/NOTES.txt +++ /dev/null @@ -1,113 +0,0 @@ -Congratulations. You have just deployed JFrog Artifactory HA! - -{{- if and (not .Values.artifactory.masterKeySecretName) (eq .Values.artifactory.masterKey "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF") }} - - -***************************************** WARNING ****************************************** -* Your Artifactory master key is still set to the provided example: * -* artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF * -* * -* You should change this to your own generated key: * -* $ export MASTER_KEY=$(openssl rand -hex 32) * -* $ echo ${MASTER_KEY} * -* * -* Pass the created master key to helm with '--set artifactory.masterKey=${MASTER_KEY}' * -* * -* Alternatively, you can use a pre-existing secret with a key called master-key with * -* '--set artifactory.masterKeySecretName=${SECRET_NAME}' * -******************************************************************************************** -{{- end }} - -{{ if eq .Values.artifactory.joinKey "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" }} - - -***************************************** WARNING ****************************************** -* Your Artifactory join key is still set to the provided example: * -* artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE * -* * -* You should change this to your own generated key: * -* $ export JOIN_KEY=$(openssl rand -hex 16) * -* $ echo ${JOIN_KEY} * -* * -* Pass the created master key to helm with '--set artifactory.joinKey=${JOIN_KEY}' * -* * -******************************************************************************************** -{{- end }} - -{{- if .Values.postgresql.enabled }} - -DATABASE: -To extract the database password, run the following -export DB_PASSWORD=$(kubectl get --namespace {{ .Release.Namespace }} $(kubectl get secret --namespace {{ .Release.Namespace }} -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) -echo ${DB_PASSWORD} -{{- end }} - -SETUP: -1. Get the Artifactory IP and URL - - {{- if contains "NodePort" .Values.nginx.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "artifactory-ha.nginx.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT/ - - {{- else if contains "LoadBalancer" .Values.nginx.service.type }} - NOTE: It may take a few minutes for the LoadBalancer public IP to be available! - - You can watch the status of the service by running 'kubectl get svc -w {{ template "artifactory-ha.nginx.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.nginx.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP/ - - {{- else if contains "ClusterIP" .Values.nginx.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "component={{ .Values.nginx.name }}" -o jsonpath="{.items[0].metadata.name}") - kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080:80 - echo http://127.0.0.1:8080 - - {{- end }} - -2. Open Artifactory in your browser - Default credential for Artifactory: - user: admin - password: password - - {{- if .Values.artifactory.license.secret }} - -3. Manage Artifactory license through the {{ .Values.artifactory.license.secret }} secret ONLY! - Since the artifactory license(s) is managed with a secret ({{ .Values.artifactory.license.secret }}), any change through the Artifactory UI might not be saved! - - {{- else }} - -3. Add HA licenses to activate Artifactory HA through the Artifactory UI - NOTE: Each Artifactory node requires a valid license. See https://www.jfrog.com/confluence/display/RTF/HA+Installation+and+Setup for more details. - - {{- end }} - -{{ if or .Values.artifactory.primary.javaOpts.jmx.enabled .Values.artifactory.node.javaOpts.jmx.enabled }} -JMX configuration: -{{- if not (contains "LoadBalancer" .Values.artifactory.service.type) }} -If you want to access JMX from you computer with jconsole, you should set ".Values.artifactory.service.type=LoadBalancer" !!! -{{ end }} - -1. Get the Artifactory service IP: -{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} -export PRIMARY_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.primary.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') -{{- end }} -{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} -export MEMBER_SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "artifactory-ha.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') -{{- end }} - -2. Map the service name to the service IP in /etc/hosts: -{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} -sudo sh -c "echo \"${PRIMARY_SERVICE_IP} {{ template "artifactory-ha.primary.name" . }}\" >> /etc/hosts" -{{- end }} -{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} -sudo sh -c "echo \"${MEMBER_SERVICE_IP} {{ template "artifactory-ha.fullname" . }}\" >> /etc/hosts" -{{- end }} - -3. Launch jconsole: -{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} -jconsole {{ template "artifactory-ha.primary.name" . }}:{{ .Values.artifactory.primary.javaOpts.jmx.port }} -{{- end }} -{{- if .Values.artifactory.node.javaOpts.jmx.enabled }} -jconsole {{ template "artifactory-ha.fullname" . }}:{{ .Values.artifactory.node.javaOpts.jmx.port }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/_helpers.tpl b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/_helpers.tpl deleted file mode 100755 index 32171c2..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/_helpers.tpl +++ /dev/null @@ -1,103 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "artifactory-ha.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -The primary node name -*/}} -{{- define "artifactory-ha.primary.name" -}} -{{- if .Values.nameOverride -}} -{{- printf "%s-primary" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := .Release.Name | trunc 29 -}} -{{- printf "%s-%s-primary" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -The member node name -*/}} -{{- define "artifactory-ha.node.name" -}} -{{- if .Values.nameOverride -}} -{{- printf "%s-member" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := .Release.Name | trunc 29 -}} -{{- printf "%s-%s-member" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Expand the name nginx service. -*/}} -{{- define "artifactory-ha.nginx.name" -}} -{{- default .Values.nginx.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "artifactory-ha.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "artifactory-ha.nginx.fullname" -}} -{{- if .Values.nginx.fullnameOverride -}} -{{- .Values.nginx.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nginx.name -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "artifactory-ha.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} -{{ default (include "artifactory-ha.fullname" .) .Values.serviceAccount.name }} -{{- else -}} -{{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "artifactory-ha.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Generate SSL certificates -*/}} -{{- define "artifactory-ha.gen-certs" -}} -{{- $altNames := list ( printf "%s.%s" (include "artifactory-ha.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory-ha.name" .) .Release.Namespace ) -}} -{{- $ca := genCA "artifactory-ca" 365 -}} -{{- $cert := genSignedCert ( include "artifactory-ha.name" . ) nil $altNames 365 $ca -}} -tls.crt: {{ $cert.Cert | b64enc }} -tls.key: {{ $cert.Key | b64enc }} -{{- end -}} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/access-bootstrap-creds.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/access-bootstrap-creds.yaml deleted file mode 100755 index f4e34a2..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/access-bootstrap-creds.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if not (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) }} -{{- if .Values.artifactory.accessAdmin.password }} -kind: Secret -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-bootstrap-creds - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - bootstrap.creds: {{ (printf "access-admin@%s=%s" .Values.artifactory.accessAdmin.ip .Values.artifactory.accessAdmin.password) | b64enc }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-binarystore-secret.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-binarystore-secret.yaml deleted file mode 100755 index 2e7cac7..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-binarystore-secret.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if not .Values.artifactory.persistence.customBinarystoreXmlSecret }} -kind: Secret -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-binarystore - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -stringData: - binarystore.xml: |- -{{ tpl .Values.artifactory.persistence.binarystoreXml . | indent 4 }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-configmaps.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-configmaps.yaml deleted file mode 100755 index 1385bc5..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-configmaps.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{ if .Values.artifactory.configMaps }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.fullname" . }}-configmaps - labels: - app: {{ template "artifactory-ha.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: -{{ tpl .Values.artifactory.configMaps . | indent 2 }} -{{ end -}} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-installer-info.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-installer-info.yaml deleted file mode 100755 index 0c9a4f4..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-installer-info.yaml +++ /dev/null @@ -1,25 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-installer-info - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - installer-info.json: | - { - "productId": "Helm_artifactory-ha/{{ .Chart.Version }}", - "features": [ - { - "featureId": "ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}" - }, - { - "featureId": "{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default "derby" .Values.database.type }}{{ end }}/0.0.0" - }, - { - "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}" - } - ] - } diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-license-secret.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-license-secret.yaml deleted file mode 100755 index 3f629c6..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-license-secret.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- with .Values.artifactory.license.licenseKey }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "artifactory-ha.fullname" $ }}-license - labels: - app: {{ template "artifactory-ha.name" $ }} - chart: {{ template "artifactory-ha.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} -type: Opaque -data: - artifactory.lic: {{ . | b64enc | quote }} -{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-networkpolicy.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-networkpolicy.yaml deleted file mode 100755 index 371dc9a..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-networkpolicy.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- range .Values.networkpolicy }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "artifactory-ha.fullname" $ }}-{{ .name }}-networkpolicy - labels: - app: {{ template "artifactory-ha.name" $ }} - chart: {{ template "artifactory-ha.chart" $ }} - release: {{ $.Release.Name }} - heritage: {{ $.Release.Service }} -spec: -{{- if .podSelector }} - podSelector: -{{ .podSelector | toYaml | trimSuffix "\n" | indent 4 -}} -{{ else }} - podSelector: {} -{{- end }} - policyTypes: - {{- if .ingress }} - - Ingress - {{- end }} - {{- if .egress }} - - Egress - {{- end }} -{{- if .ingress }} - ingress: -{{ .ingress | toYaml | trimSuffix "\n" | indent 2 -}} -{{- end }} -{{- if .egress }} - egress: -{{ .egress | toYaml | trimSuffix "\n" | indent 2 -}} -{{- end }} ---- -{{- end -}} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-nfs-pvc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-nfs-pvc.yaml deleted file mode 100755 index 6ed7d82..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-nfs-pvc.yaml +++ /dev/null @@ -1,101 +0,0 @@ -{{- if eq .Values.artifactory.persistence.type "nfs" }} -### Artifactory HA data -apiVersion: v1 -kind: PersistentVolume -metadata: - name: {{ template "artifactory-ha.fullname" . }}-data-pv - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - id: {{ template "artifactory-ha.name" . }}-data-pv - type: nfs-volume -spec: - {{- if .Values.artifactory.persistence.nfs.mountOptions }} - mountOptions: -{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} - {{- end }} - capacity: - storage: {{ .Values.artifactory.persistence.nfs.capacity }} - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - nfs: - server: {{ .Values.artifactory.persistence.nfs.ip }} - path: "{{ .Values.artifactory.persistence.nfs.haDataMount }}" - readOnly: false ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-data-pvc - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - type: nfs-volume -spec: - accessModes: - - ReadWriteOnce - storageClassName: "" - resources: - requests: - storage: {{ .Values.artifactory.persistence.nfs.capacity }} - selector: - matchLabels: - id: {{ template "artifactory-ha.name" . }}-data-pv - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} ---- -### Artifactory HA backup -apiVersion: v1 -kind: PersistentVolume -metadata: - name: {{ template "artifactory-ha.fullname" . }}-backup-pv - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - id: {{ template "artifactory-ha.name" . }}-backup-pv - type: nfs-volume -spec: - {{- if .Values.artifactory.persistence.nfs.mountOptions }} - mountOptions: -{{ toYaml .Values.artifactory.persistence.nfs.mountOptions | indent 4 }} - {{- end }} - capacity: - storage: {{ .Values.artifactory.persistence.nfs.capacity }} - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - nfs: - server: {{ .Values.artifactory.persistence.nfs.ip }} - path: "{{ .Values.artifactory.persistence.nfs.haBackupMount }}" - readOnly: false ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.fullname" . }}-backup-pvc - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - type: nfs-volume -spec: - accessModes: - - ReadWriteOnce - storageClassName: "" - resources: - requests: - storage: {{ .Values.artifactory.persistence.nfs.capacity }} - selector: - matchLabels: - id: {{ template "artifactory-ha.name" . }}-backup-pv - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-pdb.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-pdb.yaml deleted file mode 100755 index 871bb21..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-pdb.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: {{ template "artifactory-ha.fullname" . }}-node - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - {{- if eq .Values.artifactory.service.pool "members" }} - role: {{ template "artifactory-ha.node.name" . }} - {{- end }} - release: {{ .Release.Name }} - minAvailable: {{ .Values.artifactory.node.minAvailable }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-statefulset.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-statefulset.yaml deleted file mode 100755 index 67e1ab3..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-node-statefulset.yaml +++ /dev/null @@ -1,510 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "artifactory-ha.node.name" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - force-update: "{{ randAlpha 63 | lower }}" -{{- if .Values.artifactory.node.labels }} -{{ toYaml .Values.artifactory.node.labels | indent 4 }} -{{- end }} -spec: - serviceName: {{ template "artifactory-ha.node.name" . }} - replicas: {{ .Values.artifactory.node.replicaCount }} - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - role: {{ template "artifactory-ha.node.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - role: {{ template "artifactory-ha.node.name" . }} - heritage: {{ .Release.Service }} - component: {{ .Values.artifactory.name }} - release: {{ .Release.Name }} - annotations: - checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} - checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} - {{- range $key, $value := .Values.artifactory.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - {{- if .Values.artifactory.priorityClass.existingPriorityClass }} - priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} - {{- else -}} - {{- if .Values.artifactory.priorityClass.create }} - priorityClassName: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} - {{- end }} - {{- end }} - serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} - terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - {{- end }} - securityContext: - runAsUser: {{ .Values.artifactory.uid }} - fsGroup: {{ .Values.artifactory.uid }} - initContainers: - {{- if .Values.artifactory.customInitContainersBegin }} -{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }} - {{- end }} - {{- if .Values.artifactory.persistence.enabled }} - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - - name: "create-artifactory-data-dir" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - {{- end }} - {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} - - name: "delete-db-properties" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - - name: "remove-lost-found" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - - name: 'copy-system-yaml' - image: '{{ .Values.initContainerImage }}' - command: - - '/bin/sh' - - '-c' - - > - {{- if .Values.artifactory.node.waitForPrimaryStartup.enabled }} - echo "Sleeping to allow time for primary node to come up"; - sleep {{ .Values.artifactory.node.waitForPrimaryStartup.seconds }}; - {{- end }} - echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; - cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; - echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists"; - rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; - volumeMounts: - - name: volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - - name: systemyaml - mountPath: "/tmp/etc/system.yaml" - subPath: system.yaml - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - name: "prepare-custom-persistent-volume" - image: "{{ .Values.initContainerImage }}" - command: - - 'sh' - - '-c' - - > - chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - securityContext: - runAsUser: 0 - volumeMounts: - - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.waitForDatabase }} - {{- if or .Values.postgresql.enabled }} - - name: "wait-for-db" - image: "{{ .Values.initContainerImage }}" - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do - sleep 2; - done; - {{- end }} - {{- end }} - {{- if .Values.artifactory.customInitContainers }} -{{ tpl .Values.artifactory.customInitContainers . | indent 6 }} - {{- end }} - containers: - - name: {{ .Values.artifactory.name }} - image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - command: - - '/bin/sh' - - '-c' - - > - {{- if .Values.artifactory.userPluginSecrets }} - echo "Copying plugins"; - cp -Lrf /tmp/plugin/*/* /tmp/plugins; - {{- end }} - {{- if .Values.artifactory.preStartCommand }} - echo "Running custom preStartCommand command"; - {{ tpl .Values.artifactory.preStartCommand . }}; - {{- end }} - /entrypoint-artifactory.sh - lifecycle: - postStart: - exec: - command: - - '/bin/sh' - - '-c' - - > - echo; - {{- if .Values.artifactory.postStartCommand }} - {{ .Values.artifactory.postStartCommand }} - {{- end }} - env: - {{- if .Values.database.secrets.user }} - - name: JF_SHARED_DATABSE_USERNAME - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.user.name }} - key: {{ .Values.database.secrets.user.key }} - {{- end }} - {{- if .Values.database.secrets.password }} - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.password.name }} - key: {{ .Values.database.secrets.password.key }} - {{- end }} - {{- if .Values.database.secrets.url }} - - name: JF_SHARED_DATABSE_URL - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.url.name }} - key: {{ .Values.database.secrets.url.key }} - {{- end }} - - name: JF_SHARED_NODE_PRIMARY - value: "false" - - name: JF_SHARED_NODE_HAENABLED - value: "true" - - name: JF_SHARED_DATABSE_USERNAME - value: "artifactory" - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-postgresql - key: postgresql-password - ports: - - containerPort: {{ .Values.artifactory.internalPort }} - - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} - {{- if .Values.artifactory.node.javaOpts.jmx.enabled }} - - containerPort: {{ .Values.artifactory.node.javaOpts.jmx.port }} - {{- end }} - volumeMounts: - {{- if .Values.artifactory.customPersistentVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.artifactory.userPluginSecrets }} - - name: tmp-plugins - mountPath: "/tmp/plugins/" - {{- range .Values.artifactory.userPluginSecrets }} - - name: {{ tpl . $ }} - mountPath: "/tmp/plugin/{{ tpl . $ }}" - {{- end }} - {{- end }} - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" - {{- end }} - - name: artifactory-ha-backup - mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "nfs" }} - - name: artifactory-ha-data - mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" - - name: artifactory-ha-backup - mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" - {{- else }} - {{- if .Values.artifactory.binarystore.enabled }} - - name: binarystore-xml - mountPath: "/artifactory_extra_conf/binarystore.xml" - subPath: binarystore.xml - {{- end }} - {{- end }} - - name: installer-info - mountPath: "/artifactory_extra_conf/info/installer-info.json" - subPath: installer-info.json - {{- if .Values.artifactory.customVolumeMounts }} -{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} - {{- end }} - resources: -{{ toYaml .Values.artifactory.node.resources | indent 10 }} - {{- if .Values.artifactory.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: {{ .Values.artifactory.readinessProbe.path }} - port: {{ .Values.artifactory.internalPort }} - initialDelaySeconds: {{ .Values.artifactory.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.artifactory.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.artifactory.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.artifactory.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.artifactory.readinessProbe.successThreshold }} - {{- end }} - {{- if .Values.artifactory.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: {{ .Values.artifactory.livenessProbe.path }} - port: {{ .Values.artifactory.internalPort }} - initialDelaySeconds: {{ .Values.artifactory.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.artifactory.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.artifactory.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }} - {{- end }} - {{- $image := .Values.logger.image.repository }} - {{- $tag := .Values.logger.image.tag }} - {{- $mountPath := .Values.artifactory.persistence.mountPath }} - {{- range .Values.artifactory.loggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - tail - args: - - '-F' - - '{{ $mountPath }}/logs/{{ . }}' - volumeMounts: - - name: volume - mountPath: {{ $mountPath }} - {{- end }} - {{ if .Values.artifactory.catalinaLoggers }} - {{- range .Values.artifactory.catalinaLoggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - 'sh' - - '-c' - - 'sh /scripts/tail-log.sh {{ $mountPath }}/logs/catalina {{ . }}' - volumeMounts: - - name: volume - mountPath: {{ $mountPath }} - - name: catalina-logger - mountPath: /scripts/tail-log.sh - subPath: tail-log.sh - {{- end }} - {{- end }} - {{- if .Values.filebeat.enabled }} - - name: {{ .Values.filebeat.name }} - image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" - imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - args: - - "-e" - - "-E" - - "http.enabled=true" - securityContext: - runAsUser: 0 - volumeMounts: - - name: filebeat-config - mountPath: /usr/share/filebeat/filebeat.yml - readOnly: true - subPath: filebeat.yml - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - livenessProbe: -{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} - readinessProbe: -{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} - resources: -{{ toYaml .Values.filebeat.resources | indent 10 }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} - {{- end }} - {{- if .Values.artifactory.customSidecarContainers }} -{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }} - {{- end }} - {{- with .Values.artifactory.node.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if .Values.artifactory.node.affinity }} - {{- with .Values.artifactory.node.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- else if eq .Values.artifactory.node.podAntiAffinity.type "soft" }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - topologyKey: {{ .Values.artifactory.node.podAntiAffinity.topologyKey }} - labelSelector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - {{- if eq .Values.artifactory.service.pool "members" }} - role: {{ template "artifactory-ha.node.name" . }} - {{- end }} - {{- else if eq .Values.artifactory.node.podAntiAffinity.type "hard" }} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: {{ .Values.artifactory.node.podAntiAffinity.topologyKey }} - labelSelector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - {{- if eq .Values.artifactory.service.pool "members" }} - role: {{ template "artifactory-ha.node.name" . }} - {{- end }} - {{- end }} - {{- with .Values.artifactory.node.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - {{- if .Values.artifactory.binarystore.enabled }} - - name: binarystore-xml - secret: - {{- if .Values.artifactory.persistence.customBinarystoreXmlSecret }} - secretName: {{ .Values.artifactory.persistence.customBinarystoreXmlSecret }} - {{- else }} - secretName: {{ template "artifactory-ha.fullname" . }}-binarystore - {{- end }} - {{- end }} - - name: installer-info - configMap: - name: {{ template "artifactory-ha.fullname" . }}-installer-info - {{- if .Values.artifactory.userPluginSecrets }} - - name: tmp-plugins - emptyDir: {} - {{- range .Values.artifactory.userPluginSecrets }} - - name: {{ tpl . $ }} - secret: - secretName: {{ tpl . $ }} - {{- end }} - {{- end }} - {{- if .Values.artifactory.catalinaLoggers }} - - name: catalina-logger - configMap: - name: {{ template "artifactory-ha.fullname" . }}-catalina-logger - {{- end }} - {{- if .Values.artifactory.configMaps }} - - name: artifactory-configmaps - configMap: - name: {{ template "artifactory-ha.fullname" . }}-configmaps - {{- end }} - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" $ }}-data-pvc-{{ $sharedClaimNumber }} - {{- end }} - - name: artifactory-ha-backup - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" $ }}-backup-pvc - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "nfs" }} - - name: artifactory-ha-data - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" . }}-data-pvc - - name: artifactory-ha-backup - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc - {{- end }} - - name: systemyaml - secret: - secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml - {{- if .Values.artifactory.customPersistentVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - persistentVolumeClaim: - claimName: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - {{- end }} - {{- if .Values.filebeat.enabled }} - - name: filebeat-config - configMap: - name: {{ template "artifactory-ha.fullname" . }}-filebeat-config - {{- end }} - {{- if .Values.artifactory.customVolumes }} -{{ tpl .Values.artifactory.customVolumes . | indent 6 }} - {{- end }} - {{- if not .Values.artifactory.persistence.enabled }} - - name: volume - emptyDir: - sizeLimit: {{ .Values.artifactory.persistence.size }} - {{- end }} - volumeClaimTemplates: - {{- if .Values.artifactory.persistence.enabled }} - - metadata: - name: volume - {{- if not .Values.artifactory.node.persistence.existingClaim }} - spec: - {{- if .Values.artifactory.persistence.storageClassName }} - {{- if (eq "-" .Values.artifactory.persistence.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.persistence.storageClassName }}" - {{- end }} - {{- end }} - accessModes: [ "{{ .Values.artifactory.persistence.accessMode }}" ] - resources: - requests: - storage: {{ .Values.artifactory.persistence.size }} - {{- end }} - {{- end }} - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - metadata: - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - spec: - {{- if .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }} - {{- if (eq "-" .Values.artifactory.customPersistentPodVolumeClaim.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }}" - {{- end }} - {{- end }} - accessModes: - {{- range .Values.artifactory.customPersistentPodVolumeClaim.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.artifactory.customPersistentPodVolumeClaim.size }} - {{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-primary-statefulset.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-primary-statefulset.yaml deleted file mode 100755 index 8b53315..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-primary-statefulset.yaml +++ /dev/null @@ -1,587 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "artifactory-ha.primary.name" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - force-update: "{{ randAlpha 63 | lower }}" -{{- if .Values.artifactory.primary.labels }} -{{ toYaml .Values.artifactory.primary.labels | indent 4 }} -{{- end }} -spec: - serviceName: {{ template "artifactory-ha.primary.name" . }} - replicas: 1 - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - role: {{ template "artifactory-ha.primary.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - role: {{ template "artifactory-ha.primary.name" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} - checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} - {{- if not (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) }} - checksum/access-creds: {{ include (print $.Template.BasePath "/access-bootstrap-creds.yaml") . | sha256sum }} - {{- end }} - {{- range $key, $value := .Values.artifactory.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - {{- if .Values.artifactory.priorityClass.existingPriorityClass }} - priorityClassName: {{ .Values.artifactory.priorityClass.existingPriorityClass }} - {{- else -}} - {{- if .Values.artifactory.priorityClass.create }} - priorityClassName: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} - {{- end }} - {{- end }} - serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} - terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - {{- end }} - securityContext: - runAsUser: {{ .Values.artifactory.uid }} - fsGroup: {{ .Values.artifactory.uid }} - initContainers: - {{- if .Values.artifactory.customInitContainersBegin }} -{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }} - {{- end }} - {{- if .Values.artifactory.persistence.enabled }} - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - - name: "create-artifactory-data-dir" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - mkdir -p {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}; - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - {{- end }} - {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} - - name: "delete-db-properties" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - 'rm -fv {{ .Values.artifactory.persistence.mountPath }}/etc/db.properties' - volumeMounts: - - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - name: volume - {{- end }} - - name: "remove-lost-found" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; - rm -rfv {{ tpl .Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir . }}/lost+found; - rm -rfv {{ .Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}/lost+found; - volumeMounts: - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" - {{- end }} - - name: artifactory-ha-backup - mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" - {{- end }} - {{- end }} - {{- if or (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) .Values.artifactory.accessAdmin.password }} - - name: "access-bootstrap-creds" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - echo "Preparing custom Access bootstrap.creds"; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/access/etc; - cp -Lrf /tmp/access/bootstrap.creds {{ .Values.artifactory.persistence.mountPath }}/access/etc/bootstrap.creds; - chmod 600 {{ .Values.artifactory.persistence.mountPath }}/access/etc/bootstrap.creds; - volumeMounts: - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - - name: access-bootstrap-creds - mountPath: "/tmp/access/bootstrap.creds" - {{- if and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey }} - subPath: {{ .Values.artifactory.accessAdmin.dataKey }} - {{- else }} - subPath: bootstrap.creds - {{- end }} - {{- end }} - {{- end }} - - name: 'copy-system-yaml' - image: '{{ .Values.initContainerImage }}' - command: - - '/bin/sh' - - '-c' - - > - echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; - mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; - cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; - echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists"; - rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; - volumeMounts: - - name: volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - - name: systemyaml - mountPath: "/tmp/etc/system.yaml" - subPath: system.yaml - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - name: "prepare-custom-persistent-volume" - image: "{{ .Values.initContainerImage }}" - command: - - 'sh' - - '-c' - - > - chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - securityContext: - runAsUser: 0 - volumeMounts: - - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.waitForDatabase }} - {{- if or .Values.postgresql.enabled }} - - name: "wait-for-db" - image: "{{ .Values.initContainerImage }}" - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > - until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do - sleep 2; - done; - {{- end }} - {{- end }} - {{- if .Values.artifactory.customInitContainers }} -{{ tpl .Values.artifactory.customInitContainers . | indent 6 }} - {{- end }} - containers: - - name: {{ .Values.artifactory.name }} - image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - command: - - '/bin/sh' - - '-c' - - > - set -e; - {{- if .Values.artifactory.configMapName }} - echo "Copying bootstrap configs"; - cp -Lrf /bootstrap/* /artifactory_extra_conf/; - {{- end }} - {{- if .Values.artifactory.userPluginSecrets }} - echo "Copying plugins"; - cp -Lrf /tmp/plugin/*/* /tmp/plugins; - {{- end }} - {{- range .Values.artifactory.copyOnEveryStartup }} - {{- $targetPath := printf "%s/%s" $.Values.artifactory.persistence.mountPath .target }} - {{- $baseDirectory := regexFind ".*/" $targetPath }} - mkdir -p {{ $baseDirectory }}; - cp -Lrf {{ .source }} {{ $.Values.artifactory.persistence.mountPath }}/{{ .target }}; - {{- end }} - {{- if .Values.artifactory.preStartCommand }} - echo "Running custom preStartCommand command"; - {{ tpl .Values.artifactory.preStartCommand . }}; - {{- end }} - /entrypoint-artifactory.sh - lifecycle: - postStart: - exec: - command: - - '/bin/sh' - - '-c' - - > - echo; - {{- if .Values.artifactory.postStartCommand }} - {{ .Values.artifactory.postStartCommand }} - {{- end }} - env: - {{- if .Values.database.secrets.user }} - - name: JF_SHARED_DATABSE_USERNAME - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.user.name }} - key: {{ .Values.database.secrets.user.key }} - {{- end }} - {{- if .Values.database.secrets.password }} - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.password.name }} - key: {{ .Values.database.secrets.password.key }} - {{- end }} - {{- if .Values.database.secrets.url }} - - name: JF_SHARED_DATABSE_URL - valueFrom: - secretKeyRef: - name: {{ .Values.database.secrets.url.name }} - key: {{ .Values.database.secrets.url.key }} - {{- end }} - - name: JF_SHARED_NODE_PRIMARY - value: "true" - - name: JF_SHARED_NODE_HAENABLED - value: "true" - - name: JF_SHARED_DATABSE_USERNAME - value: "artifactory" - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-postgresql - key: postgresql-password - ports: - - containerPort: {{ .Values.artifactory.internalPort }} - - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} - {{- if .Values.artifactory.primary.javaOpts.jmx.enabled }} - - containerPort: {{ .Values.artifactory.primary.javaOpts.jmx.port }} - {{- end }} - volumeMounts: - {{- if .Values.artifactory.customPersistentVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} - {{- end }} - {{- if .Values.artifactory.userPluginSecrets }} - - name: tmp-plugins - mountPath: "/tmp/plugins/" - {{- range .Values.artifactory.userPluginSecrets }} - - name: {{ tpl . $ }} - mountPath: "/tmp/plugin/{{ tpl . $ }}" - {{- end }} - {{- end }} - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" - {{- end }} - - name: artifactory-ha-backup - mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "nfs" }} - - name: artifactory-ha-data - mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" - - name: artifactory-ha-backup - mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" - {{- else }} - {{- if .Values.artifactory.binarystore.enabled }} - - name: binarystore-xml - mountPath: "/artifactory_extra_conf/binarystore.xml" - subPath: binarystore.xml - {{- end }} - {{- end }} - {{- if .Values.artifactory.configMapName }} - - name: bootstrap-config - mountPath: "/bootstrap/" - {{- end }} - {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} - - name: artifactory-license - mountPath: "/artifactory_extra_conf/artifactory.cluster.license" - {{- if .Values.artifactory.license.secret }} - subPath: {{ .Values.artifactory.license.dataKey }} - {{- else if .Values.artifactory.license.licenseKey }} - subPath: artifactory.lic - {{- end }} - {{- end }} - - name: installer-info - mountPath: "/artifactory_extra_conf/info/installer-info.json" - subPath: installer-info.json - {{- if .Values.artifactory.customVolumeMounts }} -{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} - {{- end }} - resources: -{{ toYaml .Values.artifactory.primary.resources | indent 10 }} - {{- if .Values.artifactory.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: {{ .Values.artifactory.readinessProbe.path }} - port: {{ .Values.artifactory.internalPort }} - initialDelaySeconds: {{ .Values.artifactory.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.artifactory.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.artifactory.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.artifactory.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.artifactory.readinessProbe.successThreshold }} - {{- end }} - {{- if .Values.artifactory.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: {{ .Values.artifactory.livenessProbe.path }} - port: {{ .Values.artifactory.internalPort }} - initialDelaySeconds: {{ .Values.artifactory.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.artifactory.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.artifactory.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }} - {{- end }} - {{- $image := .Values.logger.image.repository }} - {{- $tag := .Values.logger.image.tag }} - {{- $mountPath := .Values.artifactory.persistence.mountPath }} - {{- range .Values.artifactory.loggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - tail - args: - - '-F' - - '{{ $mountPath }}/logs/{{ . }}' - volumeMounts: - - name: volume - mountPath: {{ $mountPath }} - {{- end }} - {{ if .Values.artifactory.catalinaLoggers }} - {{- range .Values.artifactory.catalinaLoggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - 'sh' - - '-c' - - 'sh /scripts/tail-log.sh {{ $mountPath }}/logs/catalina {{ . }}' - volumeMounts: - - name: volume - mountPath: {{ $mountPath }} - - name: catalina-logger - mountPath: /scripts/tail-log.sh - subPath: tail-log.sh - {{- end }} - {{- end }} - {{- if .Values.filebeat.enabled }} - - name: {{ .Values.filebeat.name }} - image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" - imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - args: - - "-e" - - "-E" - - "http.enabled=true" - securityContext: - runAsUser: 0 - volumeMounts: - - name: filebeat-config - mountPath: /usr/share/filebeat/filebeat.yml - readOnly: true - subPath: filebeat.yml - - name: volume - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - livenessProbe: -{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} - readinessProbe: -{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} - resources: -{{ toYaml .Values.filebeat.resources | indent 10 }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} - {{- end }} - {{- if .Values.artifactory.customSidecarContainers }} -{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }} - {{- end }} - {{- with .Values.artifactory.primary.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if .Values.artifactory.primary.affinity }} - {{- with .Values.artifactory.primary.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- else if eq .Values.artifactory.primary.podAntiAffinity.type "soft" }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - topologyKey: {{ .Values.artifactory.primary.podAntiAffinity.topologyKey }} - labelSelector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - {{- else if eq .Values.artifactory.primary.podAntiAffinity.type "hard" }} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: {{ .Values.artifactory.primary.podAntiAffinity.topologyKey }} - labelSelector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - {{- end }} - {{- with .Values.artifactory.primary.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - {{- if .Values.artifactory.binarystore.enabled }} - - name: binarystore-xml - secret: - {{- if .Values.artifactory.persistence.customBinarystoreXmlSecret }} - secretName: {{ .Values.artifactory.persistence.customBinarystoreXmlSecret }} - {{- else }} - secretName: {{ template "artifactory-ha.fullname" . }}-binarystore - {{- end }} - {{- end }} - - name: installer-info - configMap: - name: {{ template "artifactory-ha.fullname" . }}-installer-info - {{- if .Values.artifactory.userPluginSecrets }} - - name: tmp-plugins - emptyDir: {} - {{- range .Values.artifactory.userPluginSecrets }} - - name: {{ tpl . $ }} - secret: - secretName: {{ tpl . $ }} - {{- end }} - {{- end }} - {{- if .Values.artifactory.configMapName }} - - name: bootstrap-config - configMap: - name: {{ .Values.artifactory.configMapName }} - {{- end}} - {{- if .Values.artifactory.catalinaLoggers }} - - name: catalina-logger - configMap: - name: {{ template "artifactory-ha.fullname" . }}-catalina-logger - {{- end }} - {{- if .Values.artifactory.configMaps }} - - name: artifactory-configmaps - configMap: - name: {{ template "artifactory-ha.fullname" . }}-configmaps - {{- end }} - {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} - - name: artifactory-license - secret: - {{- if .Values.artifactory.license.secret }} - secretName: {{ .Values.artifactory.license.secret }} - {{- else if .Values.artifactory.license.licenseKey }} - secretName: {{ template "artifactory-ha.fullname" . }}-license - {{- end }} - {{- end }} - {{- if or (and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey) .Values.artifactory.accessAdmin.password }} - - name: access-bootstrap-creds - secret: - {{- if and .Values.artifactory.accessAdmin.secret .Values.artifactory.accessAdmin.dataKey }} - secretName: {{ .Values.artifactory.accessAdmin.secret }} - {{- else }} - secretName: {{ template "artifactory-ha.fullname" . }}-bootstrap-creds - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "file-system" }} - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} - - name: artifactory-ha-data-{{ $sharedClaimNumber }} - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" $ }}-data-pvc-{{ $sharedClaimNumber }} - {{- end }} - - name: artifactory-ha-backup - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" $ }}-backup-pvc - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "nfs" }} - - name: artifactory-ha-data - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" . }}-data-pvc - - name: artifactory-ha-backup - persistentVolumeClaim: - claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc - {{- end }} - - name: systemyaml - secret: - secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml - {{- if .Values.artifactory.customPersistentVolumeClaim }} - - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - persistentVolumeClaim: - claimName: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - {{- end }} - {{- if .Values.filebeat.enabled }} - - name: filebeat-config - configMap: - name: {{ template "artifactory-ha.fullname" . }}-filebeat-config - {{- end }} - {{- if .Values.artifactory.customVolumes }} -{{ tpl .Values.artifactory.customVolumes . | indent 6 }} - {{- end }} - {{- if not .Values.artifactory.persistence.enabled }} - - name: volume - emptyDir: - sizeLimit: {{ .Values.artifactory.persistence.size }} - {{- end }} - volumeClaimTemplates: - {{- if .Values.artifactory.persistence.enabled }} - - metadata: - name: volume - {{- if not .Values.artifactory.primary.persistence.existingClaim }} - spec: - {{- if .Values.artifactory.persistence.storageClassName }} - {{- if (eq "-" .Values.artifactory.persistence.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.persistence.storageClassName }}" - {{- end }} - {{- end }} - accessModes: [ "{{ .Values.artifactory.persistence.accessMode }}" ] - resources: - requests: - storage: {{ .Values.artifactory.persistence.size }} - {{- end }} - {{- end }} - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} - - metadata: - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} - spec: - {{- if .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }} - {{- if (eq "-" .Values.artifactory.customPersistentPodVolumeClaim.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.customPersistentPodVolumeClaim.storageClassName }}" - {{- end }} - {{- end }} - accessModes: - {{- range .Values.artifactory.customPersistentPodVolumeClaim.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.artifactory.customPersistentPodVolumeClaim.size }} - {{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-priority-class.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-priority-class.yaml deleted file mode 100755 index 417ec5c..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-priority-class.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if .Values.artifactory.priorityClass.create }} -apiVersion: scheduling.k8s.io/v1 -kind: PriorityClass -metadata: - name: {{ default (include "artifactory-ha.fullname" .) .Values.artifactory.priorityClass.name }} -value: {{ .Values.artifactory.priorityClass.value }} -globalDefault: false -description: "Artifactory priority class" -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-role.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-role.yaml deleted file mode 100755 index c86bffd..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-role.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "artifactory-ha.fullname" . }} -rules: -{{ toYaml .Values.rbac.role.rules }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-rolebinding.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-rolebinding.yaml deleted file mode 100755 index 4412870..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-rolebinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "artifactory-ha.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "artifactory-ha.serviceAccountName" . }} -roleRef: - kind: Role - apiGroup: rbac.authorization.k8s.io - name: {{ template "artifactory-ha.fullname" . }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-secrets.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-secrets.yaml deleted file mode 100755 index 2665d32..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "artifactory-ha.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -type: Opaque -data: -{{- if not .Values.artifactory.masterKeySecretName }} - master-key: {{ .Values.artifactory.masterKey | b64enc | quote }} -{{- end }} -{{- if .Values.database.password }} - db-password: {{ .Values.database.password | b64enc | quote }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-service.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-service.yaml deleted file mode 100755 index 38d3355..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-service.yaml +++ /dev/null @@ -1,88 +0,0 @@ -# Service for all Artifactory cluster nodes. -apiVersion: v1 -kind: Service -metadata: - name: {{ template "artifactory-ha.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -{{- if .Values.artifactory.service.annotations }} - annotations: -{{ toYaml .Values.artifactory.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.artifactory.service.type }} - {{- if and (eq .Values.artifactory.service.type "ClusterIP") .Values.artifactory.service.clusterIP }} - clusterIP: {{ .Values.artifactory.service.clusterIP }} - {{- end }} - {{- if .Values.artifactory.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.artifactory.service.loadBalancerSourceRanges | indent 4 }} - {{- end }} - ports: - - port: {{ .Values.artifactory.externalPort }} - targetPort: {{ .Values.artifactory.internalPort }} - protocol: TCP - name: {{ .Release.Name }}-router - - port: {{ .Values.artifactory.externalArtifactoryPort }} - targetPort: {{ .Values.artifactory.internalArtifactoryPort }} - protocol: TCP - name: {{ .Release.Name }}-artifactory - {{- with .Values.artifactory.node.javaOpts.jmx }} - {{- if .enabled }} - - port: {{ .port }} - targetPort: {{ .port }} - protocol: TCP - name: jmx - {{- end }} - {{- end }} - selector: -{{- if eq .Values.artifactory.service.pool "members" }} - role: {{ template "artifactory-ha.node.name" . }} -{{- end }} - app: {{ template "artifactory-ha.name" . }} - component: "{{ .Values.artifactory.name }}" - release: {{ .Release.Name }} ---- -# Internal service for Artifactory primary node only! -# Used by member nodes to check readiness of primary node before starting up -apiVersion: v1 -kind: Service -metadata: - name: {{ template "artifactory-ha.primary.name" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - type: {{ .Values.artifactory.service.type }} - {{- if and (eq .Values.artifactory.service.type "ClusterIP") .Values.artifactory.service.clusterIP }} - clusterIP: {{ .Values.artifactory.service.clusterIP }} - {{- end }} - ports: - - port: {{ .Values.artifactory.externalPort }} - targetPort: {{ .Values.artifactory.internalPort }} - protocol: TCP - name: {{ .Release.Name }}-router - - port: {{ .Values.artifactory.externalArtifactoryPort }} - targetPort: {{ .Values.artifactory.internalArtifactoryPort }} - protocol: TCP - name: {{ .Release.Name }}-artifactory - {{- with .Values.artifactory.primary.javaOpts.jmx }} - {{- if .enabled }} - - port: {{ .port }} - targetPort: {{ .port }} - protocol: TCP - name: jmx - {{- end }} - {{- end }} - selector: - role: {{ template "artifactory-ha.primary.name" . }} - app: {{ template "artifactory-ha.name" . }} - component: "{{ .Values.artifactory.name }}" - release: {{ .Release.Name }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-serviceaccount.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-serviceaccount.yaml deleted file mode 100755 index 6ea0b10..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: -{{- if .Values.serviceAccount.annotations }} - annotations: -{{ tpl (toYaml .) $ | indent 4 }} -{{- end}} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "artifactory-ha.serviceAccountName" . }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-storage-pvc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-storage-pvc.yaml deleted file mode 100755 index e0bfa6b..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-storage-pvc.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{ if .Values.artifactory.customPersistentVolumeClaim }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} - labels: - app: {{ template "artifactory-ha.name" . }} - version: "{{ .Values.artifactory.version }}" - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - accessModes: - {{- range .Values.artifactory.customPersistentVolumeClaim.accessModes }} - - {{ . | quote }} - {{- end }} - {{- if .Values.artifactory.customPersistentVolumeClaim.storageClassName }} - {{- if (eq "-" .Values.artifactory.customPersistentVolumeClaim.storageClassName) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.artifactory.customPersistentVolumeClaim.storageClassName }}" - {{- end }} - {{- end }} - resources: - requests: - storage: {{ .Values.artifactory.customPersistentVolumeClaim.size | quote }} -{{ end -}} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-system-yaml.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-system-yaml.yaml deleted file mode 100755 index cf8ffba..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/artifactory-system-yaml.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "artifactory-ha.primary.name" . }}-system-yaml - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.artifactory.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -type: Opaque -stringData: - system.yaml: | -{{ tpl .Values.artifactory.systemYaml . | indent 4 }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/catalina-logger-configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/catalina-logger-configmap.yaml deleted file mode 100755 index 807fe72..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/catalina-logger-configmap.yaml +++ /dev/null @@ -1,53 +0,0 @@ -{{- if .Values.artifactory.catalinaLoggers }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.fullname" . }}-catalina-logger - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - tail-log.sh: | - #!/bin/sh - - LOG_DIR=$1 - LOG_NAME=$2 - PID= - - # Wait for log dir to appear - while [ ! -d ${LOG_DIR} ]; do - sleep 1 - done - sleep 5 - - cd ${LOG_DIR} - - LOG_PREFIX=$(echo ${LOG_NAME} | awk -F\. '{print $1}') - - # Find the log to tail - LOG_FILE=$(ls -1t ./${LOG_PREFIX}.*.log | head -1) - - # echo "Tailing ${LOG_FILE}" - tail -F ${LOG_FILE} & - PID=$! - - # Loop forever to see if a new log was created - while true; do - # Find the latest log - NEW_LOG_FILE=$(ls -1t ./${LOG_PREFIX}.*.log | head -1) - - # If a new log file is found, kill old tail and switch to tailing it - if [ "${LOG_FILE}" != "${NEW_LOG_FILE}" ]; then - kill -9 ${PID} - wait $! 2>/dev/null - LOG_FILE=${NEW_LOG_FILE} - - # echo "Tailing ${LOG_FILE}" - tail -F ${LOG_FILE} & - PID=$! - fi - sleep 2 - done -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/filebeat-configmap.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/filebeat-configmap.yaml deleted file mode 100755 index d2db2a0..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/filebeat-configmap.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.filebeat.enabled }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.name" . }}-filebeat-config - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service | quote }} - release: {{ .Release.Name | quote }} -data: - filebeat.yml: | -{{ tpl .Values.filebeat.filebeatYml . | indent 4 }} -{{- end -}} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/ingress.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/ingress.yaml deleted file mode 100755 index e8e2fd2..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/ingress.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $serviceName := include "artifactory-ha.fullname" . -}} -{{- $servicePort := .Values.artifactory.externalPort -}} -{{- $artifactoryServicePort := .Values.artifactory.externalArtifactoryPort -}} -{{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }} -apiVersion: networking.k8s.io/v1beta1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ template "artifactory-ha.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.ingress.labels }} -{{ .Values.ingress.labels | toYaml | trimSuffix "\n"| indent 4 -}} -{{- end}} -{{- if .Values.ingress.annotations }} - annotations: - force-update: "{{ randAlpha 63 | lower }}" -{{ .Values.ingress.annotations | toYaml | trimSuffix "\n" | indent 4 -}} -{{- end }} -spec: - {{- if .Values.ingress.defaultBackend.enabled }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - rules: -{{- if .Values.ingress.hosts }} - {{- range $host := .Values.ingress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: {{ $.Values.ingress.routerPath }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - - path: {{ $.Values.ingress.artifactoryPath }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $artifactoryServicePort }} - {{- end -}} -{{- end -}} - {{- with .Values.ingress.additionalRules }} -{{ tpl . $ | indent 2 }} - {{- end }} - - {{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-artifactory-conf.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-artifactory-conf.yaml deleted file mode 100755 index eb1f0e6..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-artifactory-conf.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if and (not .Values.nginx.customArtifactoryConfigMap) .Values.nginx.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - artifactory.conf: | -{{ tpl .Values.nginx.artifactoryConf . | indent 4 }} -{{- end }} \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-certificate-secret.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-certificate-secret.yaml deleted file mode 100755 index 2c1430a..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-certificate-secret.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled }} -apiVersion: v1 -kind: Secret -type: kubernetes.io/tls -metadata: - name: {{ template "artifactory-ha.fullname" . }}-nginx-certificate - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: -{{ ( include "artifactory-ha.gen-certs" . ) | indent 2 }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-conf.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-conf.yaml deleted file mode 100755 index 5f424d5..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-conf.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if and (not .Values.nginx.customConfigMap) .Values.nginx.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "artifactory-ha.fullname" . }}-nginx-conf - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - nginx.conf: | -{{ tpl .Values.nginx.mainConf . | indent 4 }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-deployment.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-deployment.yaml deleted file mode 100755 index 4bc3f79..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-deployment.yaml +++ /dev/null @@ -1,185 +0,0 @@ -{{- if .Values.nginx.enabled -}} -{{- $serviceName := include "artifactory-ha.fullname" . -}} -{{- $servicePort := .Values.artifactory.externalPort -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "artifactory-ha.nginx.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: {{ .Values.nginx.name }} -{{- if .Values.nginx.labels }} -{{ toYaml .Values.nginx.labels | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.nginx.replicaCount }} - selector: - matchLabels: - app: {{ template "artifactory-ha.name" . }} - release: {{ .Release.Name }} - component: {{ .Values.nginx.name }} - template: - metadata: - annotations: - checksum/nginx-conf: {{ include (print $.Template.BasePath "/nginx-conf.yaml") . | sha256sum }} - checksum/nginx-artifactory-conf: {{ include (print $.Template.BasePath "/nginx-artifactory-conf.yaml") . | sha256sum }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - component: {{ .Values.nginx.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - spec: - serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - {{- end }} - initContainers: - - name: "setup" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} - command: - - '/bin/sh' - - '-c' - - > - rm -rfv {{ .Values.nginx.persistence.mountPath }}/lost+found; - mkdir -p {{ .Values.nginx.persistence.mountPath }}/logs; - volumeMounts: - - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} - name: nginx-volume - securityContext: - runAsUser: {{ .Values.nginx.uid }} - fsGroup: {{ .Values.nginx.gid }} - containers: - - name: {{ .Values.nginx.name }} - image: '{{ .Values.nginx.image.repository }}:{{ default .Chart.AppVersion .Values.nginx.image.version }}' - imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} - command: - - 'nginx' - - '-g' - - 'daemon off;' - ports: - # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.1 and - # will be cleaned up in a later version - {{- if .Values.nginx.http }} - {{- if .Values.nginx.http.enabled }} - - containerPort: {{ .Values.nginx.http.internalPort }} - {{- end }} - {{- else }} # DEPRECATED - - containerPort: {{ .Values.nginx.internalPortHttp }} - {{- end }} - {{- if .Values.nginx.https }} - {{- if .Values.nginx.https.enabled }} - - containerPort: {{ .Values.nginx.https.internalPort }} - {{- end }} - {{- else }} # DEPRECATED - - containerPort: {{ .Values.nginx.internalPortHttps }} - {{- end }} - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - - name: nginx-artifactory-conf - mountPath: "{{ .Values.nginx.persistence.mountPath }}/conf.d/" - - name: nginx-volume - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} - - name: ssl-certificates - mountPath: "{{ .Values.nginx.persistence.mountPath }}/ssl" - resources: -{{ toYaml .Values.nginx.resources | indent 10 }} - {{- if .Values.nginx.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: {{ .Values.nginx.readinessProbe.path }} - {{- if .Values.nginx.http.enabled }} - port: {{ .Values.nginx.http.internalPort }} - scheme: HTTP - {{- else }} - port: {{ .Values.nginx.https.internalPort }} - scheme: HTTPS - {{- end }} - initialDelaySeconds: {{ .Values.nginx.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.nginx.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.nginx.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.nginx.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.nginx.readinessProbe.successThreshold }} - {{- end }} - {{- if .Values.nginx.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: {{ .Values.nginx.livenessProbe.path }} - {{- if .Values.nginx.http.enabled }} - port: {{ .Values.nginx.http.internalPort }} - scheme: HTTP - {{- else }} - port: {{ .Values.nginx.https.internalPort }} - scheme: HTTPS - {{- end }} - initialDelaySeconds: {{ .Values.nginx.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.nginx.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.nginx.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.nginx.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.nginx.livenessProbe.successThreshold }} - {{- end }} - {{- $image := .Values.logger.image.repository }} - {{- $tag := .Values.logger.image.tag }} - {{- $mountPath := .Values.nginx.persistence.mountPath }} - {{- range .Values.nginx.loggers }} - - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' - command: - - tail - args: - - '-F' - - '{{ $mountPath }}/logs/{{ . }}' - volumeMounts: - - name: nginx-volume - mountPath: {{ $mountPath }} - {{- end }} - {{- with .Values.nginx.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.nginx.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - - name: nginx-conf - configMap: - {{- if .Values.nginx.customConfigMap }} - name: {{ .Values.nginx.customConfigMap }} - {{- else }} - name: {{ template "artifactory-ha.fullname" . }}-nginx-conf - {{- end }} - - name: nginx-artifactory-conf - configMap: - {{- if .Values.nginx.customArtifactoryConfigMap }} - name: {{ .Values.nginx.customArtifactoryConfigMap }} - {{- else }} - name: {{ template "artifactory-ha.fullname" . }}-nginx-artifactory-conf - {{- end }} - - - name: nginx-volume - {{- if .Values.nginx.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.nginx.persistence.existingClaim | default (include "artifactory-ha.nginx.fullname" .) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: ssl-certificates - secret: - {{- if .Values.nginx.tlsSecretName }} - secretName: {{ .Values.nginx.tlsSecretName }} - {{- else }} - secretName: {{ template "artifactory-ha.fullname" . }}-nginx-certificate - {{- end }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-pvc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-pvc.yaml deleted file mode 100755 index 68a89ce..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-pvc.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if and .Values.nginx.persistence.enabled (.Values.nginx.enabled) (eq (int .Values.nginx.replicaCount) 1) }} -{{- if (not .Values.nginx.persistence.existingClaim) }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "artifactory-ha.nginx.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - accessModes: - - {{ .Values.nginx.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.nginx.persistence.size | quote }} -{{- if .Values.nginx.persistence.storageClass }} -{{- if (eq "-" .Values.nginx.persistence.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.nginx.persistence.storageClass }}" -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-service.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-service.yaml deleted file mode 100755 index 7a212e0..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/templates/nginx-service.yaml +++ /dev/null @@ -1,69 +0,0 @@ -{{- if .Values.nginx.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "artifactory-ha.nginx.fullname" . }} - labels: - app: {{ template "artifactory-ha.name" . }} - chart: {{ template "artifactory-ha.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: {{ .Values.nginx.name }} - {{- if .Values.nginx.service.labels }} -{{ toYaml .Values.nginx.service.labels | indent 4 }} - {{- end }} -{{- if .Values.nginx.service.annotations }} - annotations: -{{ toYaml .Values.nginx.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.nginx.service.type }} - {{- if and (eq .Values.nginx.service.type "ClusterIP") .Values.nginx.service.clusterIP }} - clusterIP: {{ .Values.nginx.service.clusterIP }} - {{- end }} -{{- if eq .Values.nginx.service.type "LoadBalancer" }} - {{ if .Values.nginx.service.loadBalancerIP -}} - loadBalancerIP: {{ .Values.nginx.service.loadBalancerIP }} - {{ end -}} - {{- if .Values.nginx.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.nginx.service.externalTrafficPolicy }} - {{- end }} -{{- end }} -{{- if .Values.nginx.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.nginx.service.loadBalancerSourceRanges | indent 4 }} -{{- end }} - ports: - # DEPRECATION NOTE: The following is to maintain support for values pre 1.3.0 and - # will be cleaned up in a later verion - {{- if .Values.nginx.http }} - {{- if .Values.nginx.http.enabled }} - - port: {{ .Values.nginx.http.externalPort }} - targetPort: {{ .Values.nginx.http.internalPort }} - protocol: TCP - name: http - {{- end }} - {{- else }} # DEPRECATED - - port: {{ .Values.nginx.externalPortHttp }} - targetPort: {{ .Values.nginx.internalPortHttp }} - protocol: TCP - name: http - {{- end }} - {{- if .Values.nginx.https }} - {{- if .Values.nginx.https.enabled }} - - port: {{ .Values.nginx.https.externalPort }} - targetPort: {{ .Values.nginx.https.internalPort }} - protocol: TCP - name: https - {{- end }} - {{- else }} # DEPRECATED - - port: {{ .Values.nginx.externalPortHttps }} - targetPort: {{ .Values.nginx.internalPortHttps }} - protocol: TCP - name: https - {{- end }} - selector: - app: {{ template "artifactory-ha.name" . }} - component: {{ .Values.nginx.name }} - release: {{ .Release.Name }} -{{- end }} diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-large.yaml deleted file mode 100755 index ec05d2a..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-large.yaml +++ /dev/null @@ -1,24 +0,0 @@ -artifactory: - primary: - resources: - requests: - memory: "6Gi" - cpu: "4" - limits: - memory: "10Gi" - cpu: "8" - javaOpts: - xms: "6g" - xmx: "8g" - node: - replicaCount: 3 - resources: - requests: - memory: "6Gi" - cpu: "4" - limits: - memory: "10Gi" - cpu: "8" - javaOpts: - xms: "6g" - xmx: "8g" diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-medium.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-medium.yaml deleted file mode 100755 index 33879c0..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-medium.yaml +++ /dev/null @@ -1,24 +0,0 @@ -artifactory: - primary: - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "8Gi" - cpu: "6" - javaOpts: - xms: "4g" - xmx: "6g" - node: - replicaCount: 2 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "8Gi" - cpu: "6" - javaOpts: - xms: "4g" - xmx: "6g" diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-small.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-small.yaml deleted file mode 100755 index 4babf97..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values-small.yaml +++ /dev/null @@ -1,24 +0,0 @@ -artifactory: - primary: - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "6Gi" - cpu: "4" - javaOpts: - xms: "4g" - xmx: "4g" - node: - replicaCount: 1 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "6Gi" - cpu: "4" - javaOpts: - xms: "4g" - xmx: "4g" From daf344e55e6c8afce8c02fd1e2f3a97bced39660 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Thu, 19 Mar 2020 20:03:51 -0700 Subject: [PATCH 11/28] updates to ha chart v2.0.31, using redhat nginx and redhat ubi artifactory. plan to disable embedded postgresql for certification --- ...io_v1alpha1_openshiftartifactoryha_cr.yaml | 5 +- ...operator.v1.0.0.clusterserviceversion.yaml | 13 +++- .../openshift-artifactory-ha/Chart.yaml | 2 +- .../charts/artifactory-ha-2.0.25.tgz | Bin 111438 -> 0 bytes .../charts/artifactory-ha-2.0.31.tgz | Bin 0 -> 126568 bytes .../openshift-artifactory-ha/helminstall.sh | 6 +- .../pv-examples/pv0001-large.yaml | 15 ---- .../pv-examples/pv0002-large.yaml | 15 ---- .../pv-examples/pv0003-large.yaml | 15 ---- .../pv-examples/pv0004-large.yaml | 15 ---- .../pv-examples/pv0005-large.yaml | 15 ---- .../requirements.lock | 6 +- .../requirements.yaml | 2 +- .../openshift-artifactory-ha/values.yaml | 71 +++++++++++++++++- Openshift4/artifactory-ha-operator/unload.sh | 6 ++ 15 files changed, 97 insertions(+), 89 deletions(-) delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.25.tgz create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.31.tgz delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0001-large.yaml delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0002-large.yaml delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0003-large.yaml delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0004-large.yaml delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0005-large.yaml diff --git a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml index b6f8cec..bdc896e 100644 --- a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml @@ -760,7 +760,8 @@ spec: internalPort: 443 image: pullPolicy: IfNotPresent - repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro + #repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro + repository: registry.redhat.io/rhel8/nginx-116 labels: {} livenessProbe: enabled: true @@ -819,7 +820,7 @@ spec: #tcp_nopush on; keepalive_timeout 65; #gzip on; - include /etc/nginx/conf.d/*.conf; + include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf; } name: nginx nodeSelector: {} diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index de12846..2876eaf 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -583,7 +583,7 @@ metadata: ] capabilities: Basic Install name: artifactory-ha-operator.v1.0.0 - namespace: placeholder + namespace: jfrog-artifactory spec: apiservicedefinitions: {} customresourcedefinitions: {} @@ -729,6 +729,17 @@ spec: - update - watch serviceAccountName: artifactory-ha-operator + clusterPermissions: + - rules: + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - anyuid + verbs: + - use + serviceAccountName: artifactory-ha-operator strategy: deployment installModes: - supported: true diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml index 0c34ad8..f6c3215 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml @@ -21,4 +21,4 @@ name: openshift-artifactory-ha sources: - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view - https://github.com/jfrog/charts -version: 2.0.25 +version: 2.0.31 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.25.tgz b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.25.tgz deleted file mode 100644 index a3f1ca8e4c7dc27e8fb38ab147312454df6bbdba..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 111438 zcmV)oK%BoHiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ}dfT>=Fn<2lRiLzbZ1;rvu;a8<;_R!~a-!B>D>-TNYkO3P zge24y!4jZt)%8AmA@6&0dnLaI1AqiSB+E{k?%A!{CzeQHFc<)XnZaNN$AV6A@I3h2$NRKet=5-&d+@i_Y8C&scXport-bqfx7~i$e!A2CTdV!F-ERF2 zwLT&aOFs!0IR0DfgWD>0?qB4CBl?cSoU*WkuG%#mMd{Bk8#|45%_rQ8X(Zs$+mK$7 znBxEqNW?gm(*~X35Kl>rcoIb{7Brk990X{Ne_=6-uy={4^4WyNb1e9i8bafQ20jvu z1svhfM+bexNh~2ZYBM$`9W)an;+B))Bn{&(siJM&DaX^}d$se#O%RQ418c{f{U6RE$i+$dyxyUL| za}hwVxyUD1EaJ5}rlG(zBr%jFb4-H{!gDHSm;Wd2NDZM7%WlF88uF~Dk3&iVQc+gF z`HjR`X%hI@#}$Rui>zQw=a|nc3dVGv@ZV}0og6)CoF%bGpd*INV;YJWFD$}FG4m5o zG`~5D+0^Y?5YA)PyrSgVs;)+;G%U3%Gv{_1t;Wt??ay8n|9d`#C2)m1VYK z)b%{VITABsYF|?^L$|l6@lMUnOR{M2WPC{$=FhSzEvHtaAs09ZNZhF*Bo+~of1>~k*`JPtb;NS}Sd;_->|HUNqbR0VSP&GG zDdi%jgx9ES<~#|4A@O1&xP-BR1}q@x73Rb@-H~|3EP$6}lI>cT$(Y0;5rj7=Yx>ON zP3+HU*u;sLv6%jb<-XgD$JlGu+#`U)nBiN|7Jc4@}A;2reCPcXj{LE>{PW*yX&C}qq+Kg@|` zWt?TB`9ad1Xm|nUyn`gOxTz>60`6i@3MP)k-l-uJ;4uj@up-8j3H4l9%ZS_v5{Edb zctykXl?Y7FsR?8lm)zia z6cASg9Lg9X>L0MMGCDPUCPl@Du2q9lUEimYY&byF42fKrlBVe^SmDrtS}i2vn#Gq9 z3#hkHEp^pemjbwfA!j6kuQiE9Nz{XR5;1>B0wN!n)j5~z@mLXDKSBscQAtjOd6rH~ z*#-;`Le^wWpKhSHp~vQPqSg?W_#zet3mYnM449;BK2Ji)s)*VMBF2RT`fGr;=*0Tj z&@d z6FN;|wZP=7x17Kvy~b3?o!RxrNN$F*sM-x1Xh?wCz$xSxeo3R6tZ>9)16uP43G%>h z#Fh+XJJt~RBqE_tLT@2!#Wq{EMEz`48#QbkuyH{b%b+#~z3$;juQB%}tInS1c%Eiw zumP+2rMKlp2l>pqByq#&DwOH>Mq}-uF%==6(`If^5fXUXL0>nXHQIZwPsS97?$>Vo zbz4daY00--a+2~I%1WGL&ZWB8L5`Dqkx_bC)g0kfzvMz167^9_Ra})%wsP~BucH;Tt5ovoK{t9zb;nV)0INzlXMNi{--wE)3Xa} z13g#d8~*#T;@6Zbo{YB2>|r04!1fafND7}PZ-*CJAX*?V;eySPZ`PVm1g3!!U=fRv zrQM=y8U%oc)E`96)UhQ?Kc-ho)>K%__N0g)aZcjk2?_|lBCt;Yla_=>WF84QCz3eG z*SrSNIiQ!s?qar)OQ>pFG7I0(#~&*|k)D@Nq~s#sa3f^P_P9dT6v{U~lZcWV%0Vpt zHeJxVMQ%6gk0nYz2?fOghsG4FLW{a;Hn9u}FcH)eb7G&n)?!KL$t969#~-`0l75;) z{UI<+Mg7K*{y}KOfm5pmY&una$T6mj@obJ0z8JHc&5Yk{wi~;xO{siX)2n7R*2&C8 z#eH{4D^7_6YIBPXAc~pdA{*$G!TiAjjTc6WMArnSNoEn0b8Sk5YEtUlHc?*%gUn z>XVdga-=k2j1Uh6-xj)&r+}_u-k#@ig8m+ofaqoJj~h|UA`%NK_hlLo$@sd1i~dpf z;NooXe)Q(-q}L?EYvziAjv%2NzB*4Io`pln!ICK59Bf_&o6K26!rVslRZHOnW&xkZ zL=73`AZUj^@nJ~i(1Fx;dNf4jii9G;L0*D^a&Nj)=fHA%Jfv}9$I1pFlIn(P_=p-k zmqiQtx72yWLPW4P%grgSdMfoj7A?-g-W7=#ru%A5Z=mj&vmg-!+EWi*q;|o)vNIYp zCb)=k)Ev_g#|ti4Od2olD^iK0DJF0{C8C4mfEARfM`L6w8v*q`7Dh^K zqCW9(oC%nE1!D@<5}V=yo62dY7-Ob*xkid;1Z=9Gzyz^=+ceFd>Utv)OLZ)Jj=|Dm zKd=dq0ZnM&k7zhyqdA?bIS8-e{joyR?pP`SWxW_YL?(Lnv?LPk?AzQ3jv4tuOrbTKN z(D}2edSa%7F#sy7-?PSzTq$2RZfXdnQ)Zb|E$E!EL=1_?LZ5fg?z5I+m7v`l0W+_i zaYSy2mq62FGGQ@6k(8g*zEvnI=>|ahwz-qPB2yZ6(C>yhXt6~VbvY49ly;nI+o)wz zE!$4f-Ce%IxwWy|RqbU41sj}N$)qSW|YR?4Ja2b5#FCXt2przke^v7$c?ZDG)}@Ue=8MD z)XJVtIGlJ`&mJ`|`3yCcw*=RJ8&;K1&3P)}m+`9rVO9tfv0w9Ktl*@z&D-3;kfC*P z`_ApgySA;Uupy^U3tRb$?Hm;>PNgNL=#nu>y--SXxw7+0XF0);=tGl=1e@dD}AP#dCwB$;V?Z*MJ&{223f~2ZnViF5^^4(7>7P`XXFO8pKU4- z=a_Ru!FoC)!CckebX_>Wwb-s|`&+Wuuiu_@hZnuU=-b}=I}N29z@eg4rh~;3u#-x> zz+fe(tD72ov|SdO!LlpJ!$ClN-8ol2883_-TGmKg9;PRas?q+*`Pty2dwS8aJt~wz zTv5&J@+k=A(}A?7mXsuY5(R8AC!vruO$&C=(FcBDf>hvcrpPyphDf3WrW>#*$*)Yz zNSt~SfMvoOg;K|dLlFX5@^Ez!f5y{Sv-_aG)t0CKNQl+NW%u4V2 zbE*|t8o_@0Wuw(-HQJ80wq@3IW2{%-eJrr-bj7j{s7FHO7NNhU22lN5l9j4a(obML z&=5rdrXiB@S_7=5gu<+VLDpQ`fYnP<^a9 zF7XlOsqR)~RxQAVSbWOO*E3SpyC(GA)!$< z0NSda$|#!8SSYGj4LXllEE+fS01!4(a`Cw&ONvYem4@1t2+Y?w#&aS_T(g9u!nTIP z1)N@HVCFa~u5P=2CJW`|lm?%5(C@Ah35Yji$jMyNWMO66)nboR076249S}s)L<3Ni zJ=WNpQ?5zj5D-onq9B>lkZU$|7831NBKLFsa#LC9p^U6^4o_33F)cIU*qhNS;pdxn}U z66M3ErT`0JGoa(N!0yJN^s(`DHHO*@{_s-s4 zl7+VXpBbV|c%=A~xIMd>q34q9Sl$!ejyJ6#W!&o{a+9rRK^ zzP)wTE?a4=Q5|ZeBuJqlYJwVP_zy?Mh_=qMna(+D%YovU2Q)->{_RyI+c~ePfB3*?1%;r!N6!Ec~ItQ9#}Pn z*Y9BFaj=A%mE=`AtktAMvheVJXnEg@47z4B75=VPi^|uz;M6ETNgQ<0<}d!(>sbDj z&89?gKmvj}X-MH6-QBrX0gF#s4Qs8{tg&Wwsj}B2$esoxIlnvEy@J$P4zYM@gE@r9 zSw~Xm%gy_mHGY~_v$waUd7(&V12ZGgkgsw$D=JnMP2wO|(sZV>uokFukSn{Df#jDY)>voS7VE4%drOV+LbcSu zw6dBhRXzVphQ0p8m;&J*vVC5tuYjDhSZL?g!?V=-2h1#B*I;nMA!@gFo=QE+R>9&V zr1#uh`ZKwr@J!Peuz_DKFEsUuu zpjRX`7foV;o>Jpl~}_P>j%AZMXx-$K}FwO-R& z&QsQ$iD^@sV0q)LvW1krE&;&l*+s9Td{e=!OQ#`=iMF`wsXZnEyH=K$Ild$)i7KHf zEM8@AzMt#6o}F5H1p|9CGSt^8@(#kDe08qeFJjmO;fbQW_J=h)OqfU=`D`MG3|k|) zv5~tO1s37#kPoR-J~UKka_AuQCI$nzb`^S3KD0wG>_;!HI$ROlahbH+0`FzzDZPzYY?=y_Ab5g8R%#B8#1Kt;BxN1( z1bH*Y((50_^Ez#v#0`YDrqK>!A?kiNl)b>Ak7FO{`>p`#^|!qz@-_N9k{k6^2`qbOKFX}J9*aWBlbf?Zs5-Lx&`lSq7k46Hdl zQIIN;tC$ShGSoFM!%0fKDPvPvQlXemu50e{-SpRQNle^vz{a&q>aZHftU+;C70kO!jy5MAD)r-$u7ktUJ zi3!Cd3iQQj;~C>{N>H6=19S=u z_z9{L)Y(T#C}@DTK5)zpQ}5|_@Ra{fL$QrqOS&&~jVEKbOqtu;3VhMsT}m#21#$5; zj)~J;)%ToUm20?ZS}o0t$~P~XdK%T14e9bZRBXWBNnftx24|H=cXuzEIRHiI#hrMa z7K(MCl@g#@HIb~x%_bV^8-@^rfnXoj?6nky5En5PWV+Devyrt@Po;EXD^{4!@1-PP zzKV)Ok(j(9Gkir^{4!=q=nvSKhA*1A7sXnDcKS9Vu}4CIr{pLmWEf$OylCc&l$$l3 ze7PgrN`Ku?%Kwflx7j>mvAS!NTen*vu5Ld`ua|=MlrlsqXQu%;mX6~?)_jT3&_&sp zoTq8a%Rs(p=E^S_jQm*SILV8q+H+nmwZoP+rJawsDXqP|xL%NOLE_>9NuMv{o%sdh z#f0Kfp!zm~($mnj!;K)Ubz z#zMj!b+Eecfa?5Y6^y?&*gs-}1yN8kZ=WOV`^tooQ;SlPCnQ>(%X_3q(2=?86xA7d;0INRVKxdnc-ovgfz8S`I}`laWq zwjz5Oi+GW(V)*B0l>NP`q- zfx2I+tLS)++NP(uhfC!;bgyiO){^hgJu+Udi=WbT@=<2RhblrJt_1y23eaQa>IaBo z<)QxrM5hl~osYNAJX%wD5Ucwit2L~?U|}_fulaEI-ERIo^TAB8LaOB=bKQh~=O010 z3Z-&DjMIQ61g(^;))1DKoZXt1a>CF(Qr4P+)6&!87crR{!l$)aD?>s7^}acFd9sdYy*#SboLX$n{1 zlfKTipFMqWdj}F-cEWs8-C*`U*P``!%_)>{(hs@7p+^p~fUz${oRAmIB`+&roX3RI zX-LB<;FEg-$mPqF%++)nVv)q8cN5XrxMKpS>Q?}BNv$PR1+DZbW}!HQxbJ%Em)2-S zv5dx*Zyz?g8HjJm;vCbsa*|h+Qaq!wwvAX;{;_zSt0WuhTEcR~vSL;AvEJT~N0s!r z-qCjIf{q@oaV=4|KANtzwu1Gi9H)PLqj(w1kE2CpQp2CGFMTp)=`V}-Ul#8_&*J@P z_VSlT{wR$+$K*c9S`I4N{bKlHA_4cShekhK^8tF)a%dHA{?fDl(z7b5StOmF+gXB{3Pxd)h?={i zFbb>PfB$EwA4@OTK*5|he|xoe|0g&O{PbsmfA~RQX>yv~XVu($5T7hzs`K5hEnrHJ za6De0!@vR)NkDvslZ9Pa4 zdXQ`ePc~G(>y`4Def3+`$!^V=xCJ^Q_Z%+}4me~*&f+htduGUk%X8_KMu=g6Lm!Q? zcbP=SyV5dp#aAOaXe8ePbDe{ z13yLcBoH(TNG`Mj#2ajsyJhb0RbL5I0aJYyQf# z+gal}sPFl^1Dygr4W4l#;p@m1!kd}U!8(=46;ZK?GDr~jYK<6j4Rm+s%As+iE6;ra zh`LN}c9~A}P;hF1CBO_oPY2oFQW-p}soFt1+jg7tg-PF%V%WOpeY^U76-uW}kPiB8 zMgsz2+(SZqB(9kxKbpiWRN=7UC1w2-oMA*`ZFIN=Q%?bmNlkA|cEc^aLIMy53t*bTCr$g!}8 zX@(WEPG6egD9(!&BRET;J#ffXB@ai~qhevg52>dx$<87j-whJvtv5R=f~(}*eGO5J zOwvhrJyi@xls7y!Hv}>U$^3FvL1)s08p;lseb&v&>b-JgoM1v7&N8k<5!FPmXG5ln&Z$nLV<~ccfE#m%4A1Uu7;8 zorjKZ$~3bmeJA*mATG7^;V$~wQ1)k#;(k^`_p_32K0`x7(ireQ^LPVa^9G*d-&hDS z;8hx!pee->E}GN08RO6=jhWElhG1TGKE?vV*W6h$8}jqboGEoa_Hrv9_vGe?#Wk#_ zt5%YIfYU)v_q*X!_svQ7z#YEn?(98tED5CR`&0tJ0kW*lQhp%IIa9qA|xeCPKeryX`E$^8IrxAFwJ_o(y3vCARP=O%+le&74YiA4AF|&o3qF zhNmiw)`8l=`{#D&bh1&oVPDUvASz)-SW1U&a>Z;VoJ^7c(TNFWXI=q4_Kz9%U*SM< zk~j?lrXrP5u2RXEoE-ggbkIK>sPl(Z&d}m{2lAO1NJB{OHh_X1^uuPm)lmQMHFtM5 zpCEY9P9LP(CX1D@0jX3W)so4q5YUj6nuHQ2`$VJBKuQb=r!>4t;|?#wYk%`Lht`uE zPFg-$(J6&Ag!9BEn(UoH@jK8bRRDXcM#l(bSrQlh!UXVy#?V-|h9brSw52oY>k=Zy zlL_?@1dKGg!#o?eH0m2vPE+T@OBGZ<{fPs`?qtbM`m!p%=QsEYBc@~=P?1$09HY7X zB40-_lQL;4wU+ZSWwGtXHUv3xhB6w720GUv{^h{ixd0@nU((?EhT19}6r@d%%ZtyJ zW(3d2Pi^n+eyvL0lpfd0Bdfb1nTXQxsh5wNz|)?Rn5ZaYKAlWR43YlEL|hZ1Mm)0m z2QmH%eU$n<#KWT|Y9WoYl!;JHQQc(KfuLqS3ki~KH&mK>*~AhqBX=iVLesF2k|pb+ z9%X~F#PNwXslo ztD#)p%WV4Q5?_{*P`{>5_SodSR7o!j*{h3HcPgstWL+P7jpsU=Dw|f;G_GP_&S5iE z@yRskY+6G$y)nB|luFlmDg)fix$MEzv7X$>ex^_CL>L{^ex@J)GQYXktP#Q5|GL#~ zrH>%yeEN&?pr~7YHzOg+rAUxlCd@!9X@N?nrifbxEJMeJn2{*s zgh)qLACds^Xm`&*fIi`doJ4xn|Sm^D;?}mbQ zP5o>&zQY0a^&SL$b~u{|N3L6EhGXA(4jI2x$^+$8VCjywgR-W{hyj~I7Gu7W6)OI_CMUF*_5UJ9sCvByAJidH50s^52cFGo zm}Vq3mcmMYX>Wx8qxofV$N!68{x{&48>m1tcwm!k1Fgkkr2>GdC`IM9MXqa1#Sx3O zs0&OXi82MVkb*N~0_tdi&WRGHO(Ij68{>oq0@Mn^Rk{Hv^NZvFvOS$DQb2vfL#a-} zxMXLLvM7`4mdNB@6(&r_^S5>e{luQ!&*kPJblBaHg)VFzPYh_MuzxuAh7mFW`%k01 zMg5Q4qq1}&`BWlRX+*wi)oL54A5xK79(XO6Cm$f?nWxUXZdj*I&6aY%XHQS4W1gDK z=yUzVFwJ5mol`wmYX?%YOAJq?9$o`&T%uFV9dJoQzk?3b6uC9CJ420HVPDMeD{>FX z?<%bQ{vN%VPads9AO^HxVBY|~XcH?fSkcpBYIA;O%79G@|oHB796E5kXa^nrDPdsep zjnvyDrU9G_Nh~1+a7|^jlY_3T5*x_XJW%KTl@CZ9vlxEEgJV_0hMrEB4B()!{ccob z=`YNn-1fP%XR`AbGV?FV%5UZLheXpAo1^W3g|33>jg62R5qlDT1pJ1=D`&S1y4Jo=Zj@eMv#N&xdmb-M3h!ANb9jD z!ZReNb7fQI1`W*~Mqqe`ln#39Y%)&};VKfF(rJR%(G2t1XpV12;MAF6Q!1klA5^ht zX(2UKBgpk%fc3QX^|R&0Y;f(Jubx{QS`pAr>uJ^dYJ}9N#{~N$eg6yXJZ-g7Iw`yU zNCn?qS!B%oMRftyh91VW$d`MC0-S_PkWlZ($z(!e)q&le%c_?gJ#AIJ<7olY|3VQ# z=Fvzpsu8$jYC`U{=J{fBwvF^gf!d9B6$xxK+dE&S4FzmEny`3|h2owFZPt|oXH;Aa8vvVId#q39b^vYH|tzrk#JO3%`ODtl7<2~b-*(w6B3iys-a&< z_#-?ep>Ryu8;ROAj(y_GZ_Z`~)`Eg#(k6}2KFXnMSyRl&;1FtMW6UV?=HS5LcR9<>vSwBBf@D)_cdgW~E4%Y>0$762L;C)( zt}m16?(elFXQ2Ps`nMNS2YcE0$M%nnwMD@7g+&VqbxqFngoe{tav#a=c`hS|CXiNy zIC2^ilv}uZh#Uv~E|q`D(pwUzQePUV09BH~EfL1eh({-AtGqV?mqGhzb9390w>c4L zSy@!)-i*viUj9{H7@5?WS+cd(sEb%E9lYTJqXXx>;VkZ*XWkndmTt8IK&nNViZM|c zZT@K&YyMjuHBn5Izo<(wqgT^tzmqn_1vn0GE{z$|)Df*AXT9fOfo?A#LISuJ$GA2*-nU3+4}e_1+CIK26<|NOtlQf>XO z|NMXI2*k|M3*`o8jK>;)!Xtl{yrG}Cmt@h=U*R01rdN)FTgvKNOg{||i|MB|489(a zr%!h)ps1%C=&*M_=pA$~dWW6DQLFJ8i%AqAlj`DQ}>@K$!DnP9Sx@xsxd03Cw3k7$Yh%ZMs+a z`uaw&Xw*!Lxs!jh-pgKiruhBm^(4StP_N;!rmVo5rmEsC=7=4A+1P8e)loJe{WcCd z$T7b1MxZ58*py`@|4 zC+T-OQ^ALcB_c}1r|IznoMqarR)x3B{q8bLtJSiOzt8g42W&c};j|HuD-v`N4JRxW zc^Y!-=sff)HQ45?wRX=^MCjLqB&5OBEs_7I*(21TVU!q$Lsx66%HgD1QiBVEoQw#Y zbWr{F;P`CV>i|nIy0q*V&n6XeAJxAv8W|Q7N&?>kX;gIN{4$A!W7$)tBkj3mwWHpv zN!Uqkdzyn}Xo69>gMP5DrKeP~_z$|fbAGD*?O*s)xNvCVI`HP{*+p;I5I5q(+i0~~ ztuOcX;BTwdD*SCfeYX4bZ|&V@yY2R~_S2pA-&*axXFKh`q1MOf;C-Kj3mpHg^}%fw zJNGa0Ibh*5#v%#yjVJI~2I&BtOnq?XBR&G7Z%(dw)BUVg(`PMGXxIvws9f4}%mskUglb=``$6Az2dDkh*J$k;U(~*k1j`Ftstf3nETlNb zg;Y1RAT4YWju>;;l8*#lNt*o+rHlsthkZ0zjPJWQgOfXBnS}Tj>^em1=C;(-z?k&_ z;B`c9z=!UnJG|%(M&I_{@7K3jL_*F36wB%8&d3eg-PwLP=5<888AJ8k4EWt6h)@mu z5Bo^q=a{QlB$)=BPDR0#+0_p3Q9ZkI9pC&kn0Es(stI~Uf`z)~;^9y^;i4!eZWcyK z*<7F-7<%R@#YJ_%l~3Sh27Fa-GoG|xza91t2EB{XY4@b3JANYZI&6Q?)UzE-CldP{$Za_$2h+^>z^)Vo9$;0WSa%X zX@Gwmw)x+jahlm>b$j!ZVg3hxZ1!Vwq9QAb7#Gu+@LvPl0jYM_z39H`4tt&21w-UU z#Ml#Q@V_zUB)!4)1g=}=VprAlEIoWRI`0mL-<=H(_v>4i$(VQ|fQuNe3x3WK_6Vqy z19ec;I8C44-JyIHy>qNp(`D)^-xlFKH0A61!DCpPuyYe;_Z2-)^4EJ>cU`-LH5r<(tbNQ1`Bn`(a9V_J4F|M zD?o_$Y0?BfJv;1;&d&xHk0Eb?5%Y8kalAsOWrU;6R0G{%C)@h-v@4 zfTs$`@fd8WAag)e`TaKZ*)M@-`p2E4Fpz_$-4f~=k4`-$T{9gF@YKtVh<#eW#;8c8 zyMy`y!cGc&DW#tYxkhsuCc?T_n{xt)l5s#iIXTqj<@8YcGeGRUmZh%KV3FF>S)V+b zz%t`Sda-pgw`{IF^7~j8}3uLs^OmC+FCpH0o;(=|vc*CS6ru(*P`Xhmxo@9SZ2mU}5V zytysT5k^;V!`JjH7ai{U`nmx}(-0TVW8ox7Na&HKPk9vJMRRa*)O^$ZM_(OwfyL_| zIQ0K9BqC7<=5rPk_`>mdg=tskBGZF$asF8iMEKE~))qFWm4d$G+A+)7L(mp{fy=w*E1 zg9vVbJdm2p{Cq2$i}10ebIzD+5Do`yNOJE zLtx5Ue*{0qMopJGQY@SW!^_I4aEdGpK}vf(D{IFn0tQmM;%Dq z+0XCEDV&|Jt8lQexao$n`Y zs_9p(s|V^c>DDfE3rtWwADbxkcj?pw+_q)E3NK6HuDy&oHY0?wxLRyUMlx*^{fa!bM706`Iq41XB z;d=GL3F!a%obSUvch3OOXzelDu4Iw zJL^p22JQvAQj-!;KbyiVOK;?%erl^RKvh zo30lYz%N{qM_uVRq4u08W`5#{zVCF9^M(ZTQDJRWF(BuOsXif)!IwK7^n-quMe#Fl z6>!T{PD5&1)>z#}H_Kg7#gQN;N8>6(M7MSKA6Zbz}ja`fXYj4}f z=zf1&NB-L>+W&TTzI^r<|Nj&psWyO%?<((c{a0TytrP{d;`iA7qAvFf-OS@Qiu%Jh zihAWnQD0}LsF$`16>H=y!oMaY-8TxvRGUm@JNq5|nlM2=z1Ls%S!?~z=~OwPyWERu zBp#>+u3Z0nyRDtwy`uf6wfC3&_enl0jPvQJ+upE$q#jtBX8+0}qv{N4@L8Je>NALv zHO73V)7_z?0PDc*N5|dQqxbucj!*bSS>j83~F^&0*;csm&MPA^99dV^vA>~z20&fa}D=$@bV2BYD@pnrZbx_E!y8x77+ z4tuZm9rf2)TJG@d;M?9{bZ~ZZem3mwJLoeujK{dc|5x4rkHcirQ+62}oI zA*X^~K@N=3jQTzaMz{txd!N?g#7kl-(u>`zYpYNhmG#pY6E+d@VAN&O z!?Z5=OH#kG$#1&vx^K=-dRh1I6@J6!WI1?q2O9<|t(TLxE1SyIQ$sa6KO0`W9`uI$ zPA1;3u6#J?zv~Uk&H6FDBJt|F_AsUulO;o$)f)B&aIdmlm6KQ{W?WT2y=z{oZw|he z)4F%u9bWVghQ03K;7tyH9p8`>9DB2+ohZ~V_M`x0Rd@1`N`1;h%6Dufq=VzPa<0P_ z^(D}B;(xeLw@xol`v=|O#ZmuwX-7lqVJ?nnuuflX3=M~Q-y7z5$)WPKQ5j4_q_y@e zm4@1S8fd6Pa3~)&6@mnd88~l+R7k9{B!wz;XX>CtLk_nmb;2CMkV~zPoc!8Qh+1yk z_XFymuLeV-+;B*`!5uWUk4elWDx=~1;YIIc^uBu{7ZNaj5IUVgxipT6BiVK1(s0|X zgcTynQ7pNtRR45%(LFxy4Rn*4jUa1Pqx?ExV;snt!37S5_DiE78Yf&u?GD(Ks(6_| z65yi4i|*-R_xS8ok{RON1}xMB%}VJR45Zw5B*BU$471vI40FmM*VEC-w^Z=o?KIp5 zS0yrDm-2J-&B+(YO|5+=_p?ycOoV;Me6w&e;77;ZSH0tX=Ui-L#GGW4x&9@WI*XMYn${_dv5}R(07bMpks&Di-Iu zKIk3xbB)Esr`(n>FJr&P%HuabUSbI=IbZnIgNQEZ$vg~5#gR_(K3z*-d!~S4& ze0I>4W3cbo_qEZXsjWIF`A|ibZ28J2M?Q`35yIYdd#6%tF34gt+*7)bW8>I8JRDt| znZ+t68G(z@SkpO#ZxUS`sM|7v$){-$GqdaH4dLIiz7#=c9hqTO>RtD^f2i2|uvEOB zY6@0=PkO^)_jR`94YS*KE@mXNZ9|k0la&LbdVb-ijN}PoaT=ga=jSZ;&tvll3px(S zQZPS;TUM!*OLf-2%@6W^a|nCGKXlaiISB>dP|xf~uKnW#i2IT=?3^3SGJwkA+(4Rza+GDcH9-p$M>szj9rj*j0HxkAI_w>F-yUD= z7vuQnd6TJYCQY_)W#Ht3+joj1J7XreKEw}&wT?p{QNi<}4Dt=>0a)J7#UdieC!9(h zu(DCZNAiGSi7$m}9Rg%$7_+=OWoVFBOHAIFTrjKhNH|5VW*}^BTS=Fhhl3Q#+d-gn z&=lY4h7Im64x{wwz!5vDeAS&}lYb^v@-48T5w3 zmz@{qXM>BE%~BX;`}6#H8KZ2gT_2Tuv6xexN-9wYM%3AGq2YU+BfPMtiyCl+M+ER?Nm9 z>-Kc)4F+d}QT3kG4^>>GswI|_ld~%I6}C53XCn(SNh{Zw+Ls|q=nXBLqmKD2d zPB_O?0x|5y1SylQloa>{VdY!9j(1V+l!l&2&9Ip+bSrzhH$gFftCboi?2s&t>Z z+%}+8Hk~c=s`kqaVrliY4Da`$W38(ybjk~RY4x?N_Z3TgDZtV?-!KU!Q&SA2!J#b7 zPa$J`v@HOFKz+Za_WaS-icM~XM~2K&a&?ahny@7FjghEe>d{xBCp6|NYAd82i&e}i zb7a;m+GjQCs}MU;D5S@0l7v;|iu5g?+*Q!F63|lqnc1KvpZvy(VyvzPz;0lU9--T$xUe*M#J``ME_BkJUZ zoUDQoaPsKt>1|BG>HIbaEi{yb%WRAW?usK2GvRS)j%n(*dDHV<767M#20C=L$#?q$ zgk_udgkcIgtoV>fpUgSbtd23psm2VjH7kNgz}7W6_|U^h#pLL zv=tIhicXRVguw#BY^uy}E`+e;$Rh z4r^4(fH(-)HAnSZTj9IYxnEPsr?99I7`H=@RIlz7_?pZ6F1N^2hlmu8waU|%#Z_+J z0vO#-34j25ar;!a|fp(-`~2aGSU1 zuLs>jnDxr>E4W!DXKpfGle<+q)6jbK+er~vn4{niF|m$&PErYw7 z(vxc`Mea(xVbD8DXa1aWuQ3VOlyWu^F#X4v&zgcpBaa0v<|7>XBee?&lke6$2nde% zogc{$D!(g2-m4%X@MQO^=X=keeQll(h<}&_0laEI-))=c?}=pd=JBpo{8db+Gm*h+ zfBj|J2n&2wWnScYqkv7PBz{fA3G>MSU*}euS_~)P4Nz}8dDCKDKDP~u{nMkfy!pz+ z1ITJx#;C*ItGBPK%YV)t~J)dfr0TEIT)nd0c-4#b!J*^mM7SkyWabWf)r*2twRS{_BV20!U z`WDE8PW`q}t<&nXAqxz?zC@e1iWo?+B#KD9Rc~!0opizi8xu~%*(7VY1hjqUZ~5|ByrG(;?k zVGT6UcLe!N^7)uxon{0g=QRpMhcw<7G4}Fw&-l*g?rw`K_9N#+yHnrEX2f09YQ31n z1p7eM%lt9?*$}W?KCO4>(icLjXhhNWvKLB#Kxph`+CrKLcRbHCGv{ z#JO_Sw$UYCpT0FKxLzu@T{+$8oN$5XQI7l|J~{PU1@bNv4_6$B*0&Vy3Hrz9M;D)8 zG(O)w{r@tKKvZh=HR`omEvufE!*U~FYYZ@dwVSIFnRt^&Gz>}HRDG4dwiLjuhq}nV z)BOF%A6@t-8~W=R4G79IDEll!hsB6WX7Mv8zoHiU^5?2jD0gmqs~hXoX^!D#rAUaJ zA6xBK{v8hpiBQ{WASC4<7G?O1T@O`Tx#8SELxE$JnL@wMItTPYf42&ss8mfM6A<)~ z3XaZW23a-whiL1(f4H4hAD;J5N9X;+{rYDXh;L~SD0`u5&RC8(orXAgq66VcjmKmG zBsYe=%8!U~gq%wW#r+!9O(TvWdwcI^^mlu4fSMx(c+@IUMX;!fDtdSHyd;jLp2_#? zTMe_v5pQ+9ORKka2=VmcT`FjR73y=_Z_Wgu`# zVi^$k$Z0wmsMDh&tOt=j-Ql*8{n!$d@-O5t=`qSZ*OE;EN-6-Ny4|gR{EhlP=5)AodoJ>>k;es8}V5weNzisE1arRo^cuL?3%znk{8uSkP138*!r#3t7 zA8BnUAc%6=xd?Mk{3i&HSu85nZPv`gtv%3MrX!4r+^6D15(iz8c+5CKbLJ~=F8D&Z zq7Gs)3fMJ?D-m<*x9@s`S7*cCNb825?W6Q$3H^lr{`aM&M4XU&iU0=Hz17Xj!b+9{ z)my^*{rAF~VgLB}eKnK{x)o?wpWPs$U>X9PwOPLT3M`V6@snP&rdx7G-% z<^)T;8L~#dQi7JmtR8wT{7}&Re5vYKFTL5E`RLix*7^-twU613Sya= zK`x{Ge6}0ND?ZbLh@;27w9HO>-vMJ%L!QmRW#YY4$&9LYeB{*s&srP%n!V2&OL>l& zt`+@1luN)CI_zb#pIw@WHT|=?oUfdE}Q)C(*Ir@v;0z8-ltrPU^aB_ZGuSny&Edf$8H3mOTg`7 zo7XrFAJyD<-NEVoT>^FSG2l+d;t^{gH^~l&ctI zD_(sVVL1^4;-d;FmxfUy_RIE2m!KbEa_!2=2Bq$P)U(Zk&WU&(6B0fS^v*q?)v4a& zVDGMiZOIuU?EA+wB;%OiOH?-AO5(e&`(s$zr_}^W^_A6gM4>%aCyr_j7sZQ^9k75U zu`W=#steOa!n@m8^Mm>)=Vyb9?&$?uw@UriAXPOdb^B)4u2p#5mLKt1+J5!G^}_t= z#Ky(h;Th;-2&?e}y~x9Xmq3)7fP_;qL;fPfb1HX&1>#H@#yFTIWpNVvQsulvIG~qg z#Q@&Bq962Gr^Bl!s21t>>pSTqYpYtxo9epmk~0RlcMq;V*Jwt9h@*s~m?$sQ^q}jS zZ2Bl<@f-*{qkfuSR;v9{=W1A5NcIhVN7T(mPOeA{5dgsFkE81u^=8Nm5;$~J?tm(1 zD0uNOaHxSnTt zX2}il(6g5Xi>+z)m`!QaPjXetpZQ>L#31 zmzACEV)2|2U{bCAZ@|AlAlH|L6ljCS{L-f}awC+!kWYUs)ZNm3mZEL{^fl_B12``Z z8D!*_Y%9XCTwj^f_f`sVTMnMR5@D$2;B`=n^z)P=XxnPNY$DlshC+6YB1S{Oi;LGP zXNFd{U_*!roIQG3_V^^EHw`YZcS&wkdVFvzN?qlf?WcRs_S(%vt_@d$c5&#tf)H0Q z*YwQ|*p$l$T=*;zPz1||u0+A5p(|#@<#J;Gd$kx)le8p(J z0%K^p#xf3+VO>6?ni6py(@>8Ba)M#Gm>7CMKwXSA1~zydm@3Y z8jS5a8i}4;;NX+m=3&Fo_WP-v@NhV&@;oLXxrx+1VgvzwTBs&^uJQCFdL3`eLT9hk zRIcw>-CcM7*DHeLl~;pfmP1iO3Q^rISRBfc;?oC;`yR8L-Orlk-yDsM3;Ub1liqsP zWXnoaacoh72{9-FHf`#?pb@ZX)}3@qT2a#}*`>3MFlP*}#Qwv~-jA?r=UBILu~xE= z_7ReM%qE16Qh7%s8d+IK&Dm35AWyP=sX63gYGe+zaPA~XJf|TsSvCv)T~Zwd*cu%p zqOlNJ!;$T#W^>agfE6-PVeBitw>`68!O=z%s!NAcB2>5*n6m18BeVABJ+}*GAM3gO z*$U5XF!?zk+N55~;FSUGzQ^<64dlgdpy4Hr;I@Dym7!1?ge1R8EN6it(6&VLLy zVYjEDl$c+>%rPKKr$8I%5YDvC1!zeP94-W0nsCt^0uvM`95c!{~OV(2UU8wQ4! zG!0sv!t4DdAM^g3Bh;(v$(r>uFolS&sQl@`l$tSpe4DGK?^9ORQvJ?12!Awrdf`=t z+47sCUU;=%R|x@0cx4>4{wW8gQk2X@wMv0z#p>>bR}YdAvTYO#^x_5ToxU3lFS>(^ z+(jbzXC?ht4&KU|D_TU_Ws!tJ`8b;%mKNn@PJ)N>cbP-Z=Kkgi-yTKNHEZvf+Bpy_ zgvzUuHg#22qs*s@(KtVbpS!!-=h*;uKvyqHo;epw*`4Plu@n3LF`EvUP)slrS_<=4 z9Y!NZT|-0l+oQLq2dCYW-Vd#x?rce7jzb@Vg#qmDyf9&ZRKfDtJc@n|lg+uy+2j@WE|W;No5%anEe`2# zwD_TJR@_geHP!X~ zLVYP}+Ge_J%^sM8fi1l;9G|@&oLzJ;dIx8xM^M4EYw?YGI#o0Ek#bJMDZ5Oc=$_OI zBai_p&WZF*$ON5`c_cFMEbygzTFMQ(&-(kw)B>~h7FSsuBczjr^M zyPs$A&E%+|`fWCNcNSAEQ)L_FI51q($ml8MM5LZ5eYm*vZC=d`v+MI$iy@wqx4hB` zTuGhsWfhlIe%A21f4E=YqCRqyqNrgNI>mEhiiO)1qDDOjQ7-U$hJjHh>II0UVylAF zEeOy1$P~B6v}DLiY@)E+9mFjBhK-L{d~6oc_^bS#r$=~&~QeOSk}c*EwETd}oG@08vt z3Z7lVjg$IriLZP|Qq3me1nxxW%SCj8BE~rdWw0+yyskNmrIO`INm0zOGX1fT7%Sk} zuq-JkI;)Jg`%c~JPZLK`Q_N`WyAh7XqM4S?zBv{1SRd0AU{?#zB?JnP?-}j1^s@0@ zK9S0Uj;btt-rV0W^(Dt?T$d}pYm-hY%|v)rBvZv5v;p_I#*7zyLV-b`x;;B8C7WB_ zMOgOv;yxp)w_s^%sCBhszsu3$Il8M_n*%auS0o?dMQZ5T_5%fs5G?nC+-#CUwvD8- z%p-P?gchD4m?13C&TeOK56xH-mqg*1h5b;F_zDO6&fXr{*+pN#e|2wOEv;q2=}(w1 zxpMWMP(-Ci6W}VqwUt7u%L*j>rwlQ_RwrpPL=lrmVA#en%;QVr@6K ztt@TzVU4WVfi^af(Xxm&Tcq5E4No=&k1!2nF^`2RU^zDy6ghsTG6lo1Iqe;rkR{+U zz~*4P;yS|8#s)gaF`g4a;tW>3-2n#;6X__#^VAAd-^st5vFzO;iAd;k#6mQMtP33! z8hvwP1HFx;6vZpw4PeRg4m#~-q%kYoUWyOfnIF9SfoM~C_*J(`tgv_X^G99{)Xk9* zn0LAuCMuRLbTYMp>W<#a)mLucJIgyDOFXUv5WRZ>^7BXP$5M6w)v*(>syJW z@3y-Af#Yi$-eXrkwva5UNi%G&#*i?ZhJFL(f&k5N2uGdk*{Uo0n<$Apm6&qFrCvU4 zq;#D>WN@Z2OCqTs+&=BN8oT1+oa zb&bnUPqN5Fz--Z5RUwbZPZc7%j%yUhEKb8WSS~VUj+~Bt?p=m$8ZuD@t4^m?HeiPQz@$x9M8I4LT*hDpIWiMb?-I*ClnsiTcUD&>J(gHonZRF>Z~c^z9gtKZth zx?3t}Ep0;f=@T`h4xB$(Q_a+#_R-q>cq413l7l`GL2}d9QRD>@7DM@rI?oX|_{#n@H!J|GV`0||5uy7jy6@sT_<(A(G zEyja-CF_7YV;WWk{a`_|Ls^+m(FGOd1%s+)&SR-dkq|;7g`Q4Y6syDMg^pAyXqb?S z=q^a7dqOTp-i%SNA~;F;)??1?<%87VQsu{))E*(+X~3sUAUcl%NFqd3EI(DXvA(>v zo@Fd={VG|NqBW%PA3~vv?^+ulgn7HW+W@bvU` z|MYwHsNH&MJ$gMjdwag$ZhZ;QOtp5arS@Kx88Zj!r1}AwS1HQFvXws<7OMBb}QP;i!TcANmg+`^9y5Mn94DXOM zcSDa76NyOfv&DM=T_dCVX7^qZoW!InON;V|V^iit2?7pZF^4|I*aG7iG;RfAED2aL zRflIW!J2TM0l|3_vQTe6ho`&*!7hS|gWw66CCJfytZmY|cJ#m~6>3#njMCgu5zt~6 zQ~wf%RDgs>XE^>n&HRukS^Nu8m7;s*l^+mn&leeqIz8!+0AD8BV_$&ALQ~1v=aIA0 zbPdlWK0S&044y&yld&%P2zy=dB_Ts(L1)hM-6j__HGYV4DVE(d850AW{E0@ev201m zCOIO!94Oxgwt^HiyMTQD*rvyj*8zc>`Ip#ha_VL?bE>sGu32m&o4Zj$RhAGmws5RI z86Gro4BSMDbOl-jCtKgdzl0nsQsy0Tt(#>oPBf_UlmQ5>*amh@Uy>iR*ll>7CGHuq z1FS7E2Pjoqg_?fIEVK5-FHogn+T@?s^*pfl(w3w`A7z1x@hw6^8=O3PY?HNYFSQQJ z$dsWQw<@5e&N4vpHVUt6WvI?$-Q~iBT6kzH<=w(#I>^{P6ZU%bghaxt_*JAJ+KJDx zmi9sbi05_}{Caq@-~V+8{+E5T$1Tjcdkvx(hIG@!tJL-tv@<*=gK9+imV_Kl@&7oWhK~ z@O-}8LjV_MtbkkXcJuzb5 zWK#>-NKv&QAf=qDhw)QfX(oyg+PHQMQV$YZC`x$l_l?zgYrZd)hZ4A)v)-Zt>*XA- zvmb}4u%OCSdAo{iD0EO+QTS?2?6{EGkq_{>SW-m5&Xz)}dtprue{Jk3Y_0rAO$}#< z8^`-@=HhG?`n!DWRU`qxs?JNilxfE~$06I`Jc_auC%VSf1z|QOPNl0TxllH0wh;N) znD~f01=@8(al(QTp_z)rUxp4xJan2Ri*dF{paV3EiYwju)R>+u4$U2^EQ-f8AZw!y zN`H)Tf>7(+$zYldpzHmLbhlHO(3;jpoyhZ(vn)Ep zs*|C@6+*CsU)5@?iR=`y_mb=j!kjjh2AkX=n{%mAH$f9PBWY-42yOIDGtQ?Z_uc?_ z%JSO`e?oH^!!*N>2srd5*ii#-jY%8`&~z~#L+C-T1xAp>$0pGATCJAKPGdKdhY?1x zCD@(QC;z-t#r?A*iLJsRx*t>TVl@f3t(lu*y0)?9 z0feSftb|j3~CxdOskuuaDaoXTE29U*dabX_j;xA0dDmsvZ)yA2F8938^An zLRcIm(zqo98vHQd*tZpBB$KPXBHyu~3F3gYavr}y&d$)G(rIj=-$C?l2yWrdK zsW{DD@U8n4N5&+(;M+GeZf+NR`^r(LpeC^=G`>T&J=Hlx6QL?gwBPRyvHK2(h{s73 z!=%ze>3}(LEG>?s1r7kn`DKn%s=1f2E|=UJnFQh5FJ$X;*Q<=F6vsdiK2^G^L%0b9 z(cbvz_Ki?&bay5%sq#B|CF0{=sYJq-CVgq=$?{{f{Yn^_@QTGKw_gc*T2J3<= zm(f26aR!VI*bOK64QUJtjqS`eeiql@pF6-ov^c|6je&zFc$Swq*5T`Z_aurkqd9_B z5m_<1ErN#ZG@dJ;;=ySE^DSz!R6SFZMG#;wrFt&1do_wnaZ*4jKr-*)&_VHU7#H>Q z$;V++D;|iWn-8NK7f2(=mIa5Yxz+_Z>{nz-cnqF#V!UO+%z!O7Nu~YdK{g8ME{b#( zw}Mp!`T6G+WZA|yC4WowcP=c{%@0|rmQEOn2M8??YYdhFes~#OK#%PA?;3OjA@H7= z+4LJ`Vk`Go;&|+RdzQg@j5R*dWaMyo7t!?0N3mXe5o!~OOv@-%~$b|J?iel#GzNf$5jS==x6)X`6Q46r#DU(ZbfpX8JEQ~b6O zTwx}pN)Mtr^uP`c9-3f_yai68EA%H$xO(L#VcG%;U}I#Pbu^^kokLP%lH9)LljWgG zICc$92l(Uk2PI!khG~jUof{E5x_OJ@+XA3ZjGuSp zU^?7i?$U$laDS=OLXcPzxIBy|*^wV!bVF~CpLu3G+qRXK?-|m&FO7~)IhLxFC%tNV^L!3^c1uCmQo`q?`-J1d#aF7D4Ycw$R3b z#->3%ysO!k#m~KYSnSOl_Y}E>WG1Eu%sX~NjK*3j_1=l^%1C@;I1Ik$%?&!dHLwf@ zF-szZO|N}Fp_u^8#G_6h99qFhn4hgI#zShjWN}M8q>m)oK_?>ngybJoF)!E9gh*to za%R)Fa0rN^YTb+OV-Dd%!<$65SigDKVEtsBhG+5Cl^VerNYahR>1l9V+UIRw=%a}yrP zWE3~P?stWJ7<`Ld5aNvg=VG(RcbWdapU{j$b@m(}9O5{HY{#_kd;(Wv z&$)q(=Yyi_JpjkRtO2!q51TWp-7nax9REZd;Q8uYctZI*%5Ak~K^rJSzaK^9F{E-P z&D?ZG9%9O^mW~)GsenwfPUC;&ecfp!8J^EJ+q~sGT0fHnT4KhmpN+g?pxq(~$n2!7 zMR%YW2Pi*vP?yO;4b6&+ADzwI^w`bDGxfbs(GjomBu!1dE%v7_3Ho$3oPu|R>72&S zdxyP9d+#)!z1Lz_1hs)?i`n5l5aXL-T__4Wf)#+zOqv?Iioz~s@uqbph&BMW7AZ~C zk2cJZzGqt`!DE2)N~CdwG%~(U?s$fCl;a0wcI6M8v1EhFx^xP>r>#~(p!NcL% zQGc&{^twMB5j&OCyg;1TX1U)iYN8*VO<{JJ9-#%FMQOGgzlbPw^mjAD7B|Eb*ECPc zR;O-)A4$Dy2#r5Tt9S+R6^#eofah&Ctd4s8^;~>nYFDC?`*0!_r?8nx2YrC~0I0OX@6mTpBulVuOQOP5vgwNl|D!p{R z{?!ixrnX@fY!)RM-k?Yz>DD4`f~rJQ#d7^Hb_WzHlDP|4d65Un{YfUr@lYQ*^7+&-FMO_FJ)pFbrfMvP56-^ zZBc0Qh1fQv(F#OZ)2uSAoibQKby!UUFeR5);q#li+sE@4|L?~ieqy^vmiY7L)y&Tz z4mxa3l4#y^@$S%6Jh;e~iGdpgAb>6|6M@4e64%G>1KdBogUX-ybA#G_=_*wQSSm4& zMUFif&)mcvqr;XrC;e|P-DHFO^X<3qzInHc+wXq(@MP&M4Y2vFssjI(jPNN-|NM&7#P7$)3O|yf*uo$k!a0>0WU{(u%3c`{la};nFNGc3XOJVb>Sx z=66e>hxGoOXiN9wEfSvKzOni?Gn;s3a-in_cWxw(tdPC zcN)TMrln-{xD9KWr1=G!o@5n{qtN5uYk`&2u#OU%Vy&&ER$E}_jZzW4?qZ5Sa^E7Y z!U#TLvO8(xmZP&obmKEy%HN2SlD-mrDB8+CJPM+FH+PK+c<7$dvxy&iZ~q}Nz(%R- z3v3%n>uIBJ}krBV|C${qTyg~gM>UwMd%ck}Y-`C(LJrw%V z0Zr^j6-rXk99W+A^x)=WhbGIa3gWRcGu-p$v|AD{Mz zJtKPRcg48Ltxbs0S_Hr1a!}mvp7|*_52En}a3>jl*b&f7upUm7kwBga!)w)=+i-7i zcxtA+@>TK7q{dc?%Lf&S0AF11`$)Mx*E7{09iF`T?QH*WI2s(je1p@<%38(-ICd`} zzzKEPdz2^y7%FeX&lb>3A7h<^U4$vGqXe)AXfucw8MvCc8G#2p0ZkSq5-B~$ZU%62 zw|OSp(!m6ve|h#xZ_sgmv{ruW55Z3YQe^y(2nB~>^^-&JOrSS&GmdN}+{o}h z6%GGm$?!kkdHBNFzbG00#hr(LVHv)Z%k#fB>9t7b$IW`IxB^uQ(emKA?}im|*e8wa zkFq#lgxR9vC~rt(aTK{|oh{Zd;;#Ur2}=ouGuQJf{k9h)^y|Zk{F>C~Wv)o!HqZnI z-BI^Q=|eJ$6173E3G#^oK1lyzt`~Yr+V1)18@~FUMfO7v! z(4sBpF))YWr5pGj=GQSV14dT01&&EwYpwF2rh+K5A}JE2Y4N8%;>W51i$6T$$rh-g z8%B=3^cqX6DZX!wnE#It^dV0(@=n9z1CuRQmQDK7mb}`ii_srdPcIMfPfoj}IwJ?pFgO&h}3P2h{)1e$}o`#@=r`da}jbLA%< zATDisRC5oaQrGx2O0#KFE~-@Ia3)(q`#f<-lmItP{b^`S^kR}iQ9_t3@piN%(m#&Q z_Pe9**`VJa-Ce{?Idf8O8Dg?AQs9hFtCTro?pV_djF}A#L!9D7jv3Ymjc`6t+*<%A zxP~6DgO+obn8w5ir0uzxE8O2G*#`@%p*4Bd?44KdA+|M1lZi6yV?myzzpKfUiCjdY1Yo<;U-y1!xaa47cKnYo zN2quq-v>TAC?W2CdT98sbb#nkYM&tnM2e3Q6XxRQ!eOF(RPj79O^O~V62M*c1G^Z2 zuIC{RWUn7wS~ViO0X{C1cIkW2V;}l3l_JOc34H>=Xm1ETX7EVr5G~g{{gwvSstM=w zaY-I^HTAp)NzpYHf80@TWf|KeR(8W17XD6s$Zi4woX6Qs&W0>zRlwRIHKz0rJ00M# zB!!BjRE2}*=O}R4ht=UwLO2o}{-Fg92SyTS{IhW@PGtE$ebTt)gj}|sG#tR2P}oul zA{^i%2yWwlK{JG48wlANA#mP@%0S{M`B$u<-CzEqkIDxTpZR<$pTMUYBY&FyY?!Yu zC_|X#vJr*Bjac_Mh1sKgUtrQe${r`aXGoZO4`T6^>8msSZY>@sHLWc!0EgF5Qj;)o~Mfnxf-F>-b6v6b*+*cnibFW zJc3eV2mOh&1Ag~HUg)u#@hd0{l4lca9ss8yAmV`L)khrwn#XyD(yCu0-2H z8wkm%>V_VF>g;+R^b9C+ZWFP=JSCv5XcT#Jd%C{T6osV(<}_FK1c)w847f$|?8Hb* z&0zAFDqDy(-4M7*;@*I*XQ4-0AU&2PwAo?Z(1*Yw;Iatk<6?ORrH;Ts>M8-5MeM<( zAGW|LiOr1NGzBhuK8bISp*vAt7geb44)F0)&8Cshefb#OcG5t}I(&mx}{cv2Ywhv6f! zO)q%Bsf8bKQvwTT)^x{X7-vrnOPw+Z&l4SjpOR8CaN;fk1`upz5gMD>LO5P8_2+SL z1LB0#5blMDpA|L&n^Ty*Nnx@_;5gj`f}3aoCJ^F`3c+H0ar3|6bP-;BgZV22Z@~%r z%^~?*r2e7?L5%iA0*|6;A1CD%R>SqqGJg)EMb>HDihu4lw_88x(Txar#|d52+hDZ2 zczzlO?v2jDl;FB{LJ4?AVGBw-B3{ZqmyhX1nE8P&c@5Io;lHJhR%VGj#&dpV|4Lt` z0faGVh=c$exZny5(?x=_f|IxsY{=kIslLQgg~;_e5hT#WCZ9qguetOSPLQ*Q>_*+5mHuxCV?Lpeu4~KH=Ctwn%y`ig-P<+(Z^2v zhl5UI%kvZbxTvxHSZ(mSf86Uhjjb`77;oq_ZgIk>VgJowk2pRaMw7SbvW7bA09fOPkLB9iEbGjLv_2nof+pI3pjAqj?;$wC1mSN5}N@84PH`rNJrt zEQ#qy`@NU+Bl3nq@RN|d>O)c&$dcjTl--{{KckDQRzD>QiS*upW>iLJJRX!Pl7?sJ zQf4;G%Qayv#w6lk`1mS%*-cQ8xYJkyi#DX~o`RStB~r?0T3ZtPW^e&Y(e0N-ENYG> z1H>tCEU!j4z>ti`Ie7+yn5E|NLqB^>{x+&8H)#gvZ{2x78g-n;E#<*wTm7vtGVA~Z(6e2R8Q_@0xT5BM4ebJV$o#YqV#;twz)U=ILnB^3Z$9Ib1XysfOL2hxQU%E$c#O0-2`5!T1LtrOC4y{9 za87!^lB+bVb2ql6N;{7Dtpglo0Ozq|U<(@EDD}@Dx7tu|gZ=2_I1Tv56>nx}VW+F{twzo*LXuj`e z?!KSk6pe+b^pExh(pO(0oCMSDlK5{VWmp&>7aj%3`PnD7biesy{xxVnrK>> zf6(vegH_^wagsXsi{BFNmqt+8e{ERRmB~V^exFO8({xn47yTQ3oRF=Nwr%S%e;3T|J?kY1Ova_jw{U`Uy^@mL*{G z-R>feVY2&S6a5}USLAo0GR0$^4|5>jbb#X~nLlx{#L(p4N&_*wkGaKl;@;S*2Id=q zM&b&zVuv~PxpFrV-XPtSyuD=L+!S;Nqr-#l-l#u#3!(&wNkxo;e3xVQZwEMPs3VfY z=6%{DS>T+y4KFqpx3ykZOF%Za#;UBK(3%Y2Sld}qg? z(bbuYx+Zs_ixrlIF6V9-!ep4aNd}yKn89%dJ&_pNI8U+T)OYa}!CXJEtzi^YA>ZoT@VNC>W zqr>&t{|;}&5F;WH5=x2+Y-Csa7$p9s6rw>}rBrv)#TackW>*Cvp};&vB&(Z};8|2ECIJD+jdH2j*6&cAycvNBdX|YGhm}94g9)f@cWpv1Kf!7o)is z*}S_C%b|8kLj@8%DrfT?4#C@RmUdwCDCSSy0t=Xp70A>X}TK3Lbitmkh{1zZ6wC z{@v9KQRDDn*xBrC(txW3TtMcWAjx9z>@MI9j`!ewmDsR%@4z>CyUzay-fy&?pv7R} zDC7&_gZ%bK0(1e<#I|UCCf?KNam>f-D7%hT^e^+{gdy_u z!{)cmR-a>jdv3jOc$31U8+xyjXb~SI(foitcgklxk1pXbnq)_Qc+m~LJt?h(cHGM=89`eW~d|fYbis-3i(NXdO!))9ZhA3IvZ>lXCI~qmY*+U3|JU%7y zEZ;S5RV=Ns6jXGeaevw87b*r};T=rJ8IPgR4m8u|t3+4i_eNs{H_*7{zu!mXpuBaV zg~^A@Tg@*#KLO2H`Cd7XK7BIIwe|sWw|EL$WWxF)8mP?hr@k-U6ng#eFibNy2#8&# zQc(_?ws)=0cAx*)6SC9Er`fJ{mZ^-R#c>M{n?umZ*LXi z4UCO_n#qwR`5|BL`)W`)y(n3n4g)}A-O=I6D=_H&BJ-B?ATR4tHTk^z0?QE<+zdxIWe5g5<>OX%I-C|6N(aevThk^5Tk4coC2 zx>LR**W<~8NXdH4(2i-c(5e|R_1POe|Gy7g7iQzCw(cF-N)zw_!3^B0}~SZq;w zQld}2>^emcS@%OcATz^Pk6kyJj+)JuTbo7xMQUiOoDoFRy(qpJVrRVZ@f*F}(PSiZ2nE-7BD>ygVC6@eO`R4Z|!Y;e_-}Vio}p zrkNk+akr@P-rO@12zN4;jmB>^jd4|x2aR=Ng_sN=m)1h|!yFeiRBFD4{ztJwCGQb~ zCQ+jaf=j3U1pP&jS~_h+CH3kK$*29IQRf$N1)L!PGFb!xB5dpny0uE_cN{I2nv3G~ z!4b>+;x$?UMv+~R#&GOU{IQv2@kAuq!xM~Ma8;&GS%)H0#BP?sBt-g5T7?{+fq`)C zHh@b3;d%ianJ3jqQ?YLml_pXYtwfz<@>RejdgVs9bfj~*{DB|cY5<`?Ucc!h2ZRPo zrGS3#hkK+4uC9AOyRK%IlY;Exz^S;pw7PFWRd#krST+#sPK~_6!sx=?H>VkAXJt)_ z6+T=Z*M6X(uh)2>Sr4xHC5=llQlyrIR1Zv$1O?4hl#?o4T}ipfr3lly`UuiGr8o1y z4=*Tf^UMhNYx?Cn7m7d}F3w3Ma!my>shqk8O9I0e&!xz+ZI}Mp z57)ZoTG(yMcwqWWQ=+$&B}-g-p{Fhtc#A$QSyz@mLS;d|a4c-E zQ?Lv092B&%og}Q~mc(y)&&P#(fCygNDoG$B4HK&%X~5)!)HX`=9nNE1LG4n$7W|i6 z^6r!i?BjyBL0ih^VeF*@5*G$z5`Bc{lJ`@RE1CJ0-!b?fSmGw;r>O4yw8u<}h)Ste ztcZ$9R|ujL61mOi`JuLR){ftQVPNi^U&L@prt#TSnD=3Fj`yq_DWh~(0QDN}ud9M0 z34vLe!#7DV#A$QSUPsXd&@%4Wff@q+4K&Bf-gVYmB(}^>?1xCY9}92983VBMyPcoj z&zGCv6V4L9nYMRZPulHG-LnP6@JD(8rZYEzUMq||*z(D}lpmA1YC(o(N^*mV1~aS_;i~o3TzSR z^8KK2D@A`NDaWgtlWeZ1<~igqScEqhd=%Y{k;3e?+rzmXJ)Ac}J~L^?S+y4x&r=>Y zgdNegtGy#X&D1xn{Is>5w94mmH#YdF%F;n#s$kq&*rn_Mhau$9JW|3bKryY7L5npm z&_pdK42?lz0Z6BV{$6i5JUn@o$904L0XQA>PkV#WTX1lABt|0PYScc-swkjgJ%#j; zCtMtc6b{ZG(nk}}kW;1CBropWVyjB&On)`%*MhobSFl$?fYfntgkP-)P@T?>faxmv zyYGb0XuSX;n`ra*!-eVbA#;=qsQl+SlfTxr>fE@?YcXqaU=V6fM5Q z0CP7kUT46P*t1BD#@vm6)|x2tY333h%^_<0RhWSNsD_Z>9FUpWF`hx!D(b7(e8hxk*^dQ{`{qw_t8avALPiHRu;o>T&Co3gqX?P342NT#oSN0wKQD zX~^*sO?4buG{Wvii^p#sEy9erCQALekJQ-_$by$UpVzy_Ed!0_!hGLP^T1nQ$Th6I zFd4w{B1!#ANbbrg7{w7QNuoAs1FSpF9#qH)`a65iVpt)~|HfZfj_awkTd6knlt$4izDm-Elfa)R${)kU| zL=lVPn?ApLy60dhyG+qF5Iw}|mx$BVZ;%DA_>(u-y@-_Ok?SM$#tbJA4crWECOiQ- z;1>_r|CnE|D3?C+D+cjSOJ|uCywx%-v@q~TR(?=AQa`cW+mO&t;19$NM?5yq5ZP$~y>Q3JHMSi^-I=eLpeYdwx@_u5qUYA+b0e)9FmLj(Uz(0mVIb z3%L@K^`cs8qLx!n;%xDVE5}q-oHS_Wdt5~*l<+0vEwBMSMS_%lcSz$Ftxl5l?7d&N z#s}FNi|qN8rC*B$)f4OAN&3Ga5wk{D)RwDL5(Ilp!$j{{ytI%Br*Zqen$CYMqQ|Za zP2!iE?Pd|way|Wbh@s&OW|Ua<9Hw^sdd}iNMXW8xX78wVSqp59^@=oDU95rbY|+G9 zooXFnH!@b?wyBKvq80#x_%1{@c{e!*!$*6ZSDxQgrZPq%F zi5dLxGP;0>D-RYS9;FsHaAinSdAKs9hWf6;D!ScM{cVMT+QocRcs z-`UFVhfEq@;boCkDJ`A5F|O4@3(Kn}$-#FgVp|_3u4f4SrBM|7xH_w0XU#WWH}u%X zs^q$g;v2fdvTPtGfylYQm=s*wAPsQ`k_4Hh$F}zxTU-2~Ii{GI6~||FX2)wG|1F0+ zr~_4rd{Fw-4}jn#$!{m946wo&ycmX9B*R!3!*DQ4B4s!+YU~w-m&iqz$G=mXtKjxp zxz}0KZFTNxsuJWXPqbn@E&Jj8EBL7M*Ew{vp*aAQK-20M+D>6`07rpul_CmsYr9_* zOuB>N3@WhrjF(dn7zIEVpWs<&jB3TwP1o&&Aji=qEL5gedO(Hy6kc_`bW<2g!ES5u zAF(l4a^OCa#f+mU)%xZR24PyXHVe6^$&YQ-LSnX%VkoJR6uO;M>hR(2it0X}ef{NU zj-MX!K_85+!3%4iE+h7e&R9K-lnPdYz#bCo1hivVbO6TrLsqM*j@9%O1wo{xXrIWcp7MPqRZr=2=UCU{{x3aqe!V)A zU0p5vs^9!~=r{6l{>Ra3Drq#>8aC}+lF_8v%MP}CScv>02%PffZ?Kzybs|oK3f&~H zkOLg%L#oi#Ne#q9E}@Npy7tG$TX*nd zS&(CK93zmU1^`X{A=!8?z~YM3R4*zFyt7iUb|7B4U1(lIA!2St^I-$zfzvq+WNqC* zh7u;V2P##$8ec6&Pe}A(e99tf%RqNr6o&4tXFg&$A4mP275ayDOIP-8yYtA+xP zf*KT%MJ%kJ&d~DUf&B;y#mcHBIuS?)x}tNVTG%_Nnt~|LdPReKISY`*x1iECya}sG z1Ka-0ikAp+#YBLbV5l1FSp=?T{&>b>fX}1AACnD|)_}o5z%51TE3)BH6Rb2opykfT zbburNE?et4W>xHT-uliK`ta@X(c#J8S1{5!4qwf4Qzw3qP%f{wQ{`F5Y#Z}eM}Qdx zP3imNcmY6FPXI}Lu@{9Q5pRw&QO6-ODeFuY>hJJIJr-tB znjOX+oU;X)NQ?8pAHPN)o~lpoP*VwlZs@PIGLUF=3}76%V+j7r$i4gYuXyI(`R>!d zvPDC`B3kaE?dY$!WNyn{u(cP><0yrIKeCf;1U570uMOTwF-vh=QJ&yO-=Q0~A}1^@ z8Bh2!IQdNUjS=vqFnC=OGI=T#a+VPek^D(#q8dR!kDMVmbIGWHFr)Y9#8(v03Mg~N z_^dcHfv07Xhg_9BsaAUd})=nVrhXQxposx1H zk*b=V3rUHHvoW2R?&qc1HV{wgRs8bgQkt<}HxrexM-{mZ3aw={7bzo^?gE%pHvcDU zG5w|NQ)tY>%u{&G&yaKq6YewQno`F7!ct60$7bDpbD+|jRasMTJlR_?u_1a2DcqG`(UVgyC zuO8U5GS5%i@7ryQ(awJKVeZM{j`>d_g0;4@LJniQ`!1iXp{ka%Ex}kVb!%D!VQVX@ zu*-RooM#ed%13y3t*)-Z(lkAy1i3AEZ|b5&^B}H>T)jb9?!>zgf}|_llY((N#_$~5 z=%#>F6Vzp;(tCQ=Eit&YkO*?DvhEck#O(*(>YE+Ytt&+U@?T0`a?$hA_K-{8PnEY^ zf>Ec&2H1*3_C7By$zoQAyG~VY|3P$f!BPGFSH1nK-d?1) zf7RK)>g;)*KPjoZa9dSK1^vlif#SaME=Y!@+uEH<`hf>j>?Op_3ck{$NYT%)@;c_* zJs%qlA>&D=Vj&RGUlVW>bn^!Fh&Z3p<5c- z!SGAy`+G~maZpbY5s}>5yJu_^ov6}TXNmYRz90eW9-n4zlH~zg(iX2i9UFBABdLs` zcIyN~uNtg877ZD2N4-&R9}M5@?e&JkgEvPtQFBznu@IE+Bd?Q?ijn4Kn(w-{%3 z7?3CZzDBPLe4!u%@Y3{qiBV- zFElCwcAdCZg#0M{Epe^5NTKiW+RwnYN~8_Y3)4jcQ!s~_OT1KmN_098w>av*I(ylB z-TmdTKRD~|@1Gs_M%|9nI5_IQI-^W15ZzKe*`QaE`1G=;TDk_Gmnp{OiNE^}$YtH1 zINo_{7R{k!@zYdywOG$Ok4>!Ow4*p{|9g@|)3(4u?MpXlBWg+?;%<5*7>nZ8D=4SX z15WzsmdLO zX4RbOg(YjvT>PG}<@pI4!`hG>vZSe%ui0YbEgcb?5s4osr;EZv zrFNS=y!#mJ8e9iLXd0rg=|N}lD~&o&oZ4;S!69%q%x+{moi}JM7U9SOF*#wuB}`Iw z>fn_Y8vR1PGiD3)LwZKjMjhuxYrD0rQh)AVtL=U?wPPhv55xUvd;yb=gOsm>?%t?B zczgCsZ!qNgm)@x(@i(1O-ndlMtM2w>)DT{Y;rHFsQ?iM+TJ07LFHHtR6nJ76+5H8x zvAFjN1&6D+*lphahsWao4o~Y-Pd)f=$EDwb)hGW(o${?yY7`f`qWY=lj zYO+dm+N+{TJ{D$7J`ivvAE>e_f2yC|Q<&{7(kz-&?c5OVSLh{*#QSgQj|0~iYzuMG zjh-S&*L?*uw1H&NI12LTTJ(i{lrYSHn+JRBvs2dGup#=ULrGwrTJCy=*Dv(2XdE5B z{O$PY84h*^&E_?Z3I4|)!#2nC-Dbnz{Lua@1GEV&uV%z7^x%_wbpe_O zPR9Y8w{hZ!8E8CPZjvWu@l9O(b`qqqI~I}|no;$mvn=uF*tM%S5VbU>BN&@m zWF$(ms`7!F-n(o>Np^R+h?1T$9WB?PxmVOFYdl=_KKM-vmE zVcu#_N$b3stoHJfBT@YHQc%6v<=ay*#;GC0C}TcRlFHPOQKA^14J?J2@OT_dcFe!H zS{XOLfFDjGa3kLO7_2pkG9nob7x@yEtHdja9qJQae^;u&Qx>H5`%(#<@r@~lT>8$m znkeK7l_n2dL98njnV{<#OU6;S_bwYaK1tN#>OvB@dhT8WrZ2CNxiw-KLse9QRePGM z^jZh6n}BLWuFdi~RF&_=0oKI%s$!|}e-%}|NDR!Hx2Y1A((pm#!lGB-K|(Z(XpLfG zBauN`tkkR`G`7y`keve91?y2;n5@I7GG!idP12>R?V5B|F}#YT%WP&Cq)To1Akt;A zTJ9iSnti)Q>9Uc?AYE2!R*^1S=XFR|0qlbHs4ZRAVN~fdkGNjx%FQ90comzq7351b z;p_sIw|qzm(=5WfiXsuU1y2AhuhQ@G1K*nLB3!9fM5AMn~u zmr5Od>tfaxL=`p_KMq~IhP{Kt;b8>1V}i!yiw;&(#Gur>NV-Uihj7=)Bd$fhLO71H zd&GEhSd1q;?kxc#L8W7oGj$2b-y1aK8RdC@F z$#}tJd!Eb3--{MuX3QscJq{Kg+=ml)5oGj^Ld#y@cbvu#1sX>O6z`~t6yT*-$E8uN zH!!ux!vt;YTR!N39q=>o!Jj*lEa53G9rV?o{`B~<@*+ZgvIdN?9j4e4r{VJ_K)JXH zk9;+_WQIa427bNPxZUp^bl)6}&bs&w&e>^yFj}(r1NPQ~5o`J31AZZE%bcsweC3fy&yGO1z8SDzW zZS3WYZ!;^57t$k#~5q(Lqcn9D={dcLh}~|cj`YDY==Kt zhf$sO!eIZ;+DY|AidxLh_Oh&>*-qctSsH@IH~2j(S`AU9SNEn{fP@IUyF+6lwkF_#P$9Q7{N+X@hBCuAQp#jWoDHj&H`ioZ5=uQWv zK}BW3PODAb0Oqz-mYD8m_KUuE9Q&*lH>WmjJp?f$?Gy;1_3Jr(xY>gr@QLoN&`rtbnb({_xN z*-ddD+;rOQ>1N&}-}-PvWs6Z;tK`Cc%wno`Rq5Js-f!BteDl4zb54J$x5_BA`{#-E zw)s5GJ>?CrVthDxR)&lLj~EYxvwzzDej88ir|qA1NE!!jQK65iuoyKcTTIvenO$D7 zy=7Cg?23~~&C>LyVl_)srK+e)b{(rgT`JYFEV`1eWSN8KN+XD^~hLvL7<*8r-&)iFNQc1f#+R^z#IzI*7znzLZyWmzjoOJ&ke<7Ru z*PX_+(|q#~JB`KHT2)Tiia259PyyFD+MugM^Vm&TU}#2-Wl1@~EyuVWEPiY?@sreG zJDd4eYkj)Tr>_UyVNVA= z=pA)`>+Pe@_Fi`fhQVozf4u1p-l|Ou3*(L}EQ~?!*RwKK!1~e%h>{Pwd#0u7?%9{7 zySL)fboYvu#(qO#6@Eo@o&vM@n0HEY;Q9v6$2^LN;$|&>d_Q)BO~I?Gwv{V^6_h%&k3_YGg%Lv3YvTHWtkT`_ zw*H|k5~4gR94|UQEIx<)u2u;~GYH;&7#-}#XzVC{iVcuvQGze}GBx=FbjLI0>9a~2 zzRF9Q7TdSw86#txnYj4&kaSfis6`1_`#CmsAl+#rp5%qEHfFg~@tj>Hf zT95H0e{igC)Z~j+eD%z=lIb$>Lk|o_*wpXtxH zp*p2-R%N-*M|hKlR;a~H(X2wKidiY>L~7WZqWM-Gn@edTWWV50K@N>s5+-7?~cQ z!Rn}BJ*f7!Ok7PMjX{RSouHO2UZfh=R*Z${m(T-qQTxqiZl>ogT}_lfzyAB6>aQ{E z)c)$y;t&CUXiahAtM9if>U-17&hR7m0)oK^pn`|04btT!JF>wqoZNLMotR$ zAI{Oh4);d%YF*FqliAe0gdXrik_z&jg+3qjy>N6iJlpG^ob>ia{lQu9x5MFR z*lFC7dhAQBd0Fg>`9W|BGcd*lJV6%C$8JWk2SZLGa-`|TA1RQupA&@#4 zWx#ZC5~y>iAO&pRDFNG}u2`8=d1MMv0)Krf(V9Lf)4yb9=ieu`vjJ=ecu>m?^8Px9tZRI;YPO`sG_ zYs-qV4vHFZ>+TgU^S!OIW~Y9hI|}n6QA7X17fQeT(6ua*rbzO4(X)&Sk z*IQOc)?=#yZ7hF0wgvP_6fjs+j1)$-@AJ}xp|LJf9P=#E+zygbtQXX2_-!5>_<=De z#5MUU)l)D~GT2C`e4a*&WDF0qZw-fe$3ar&XicbMhQ9tuSQb?k>Nwo|YccFwgebqw zgBHT&sr1|QkBVMG+P=qz?o=S zWQBA#D}z=Ex+xA|HDYQEpr$-F4PdZ=>W?6lxfh36g((E!X3prp8TAIWxFd-c8B7$$ zFjkQ$0fZ51jTMZFotc$DvSUJGu|nTe#}O$-oSdy$mc_Zpqebo|JjD<(l$p{obburL zI=t}X95ufGR;j+k8rS!Xko%e;9OIM1IUV%Tc6@m93LGE48gxg8{S(kX0KXj{frG=N z-q5KxLtzcr!QlW$_*E;bB^G11v}z48L6@vuu`f`-cM%A!Eaza4dkI;xzf0e+lu08V8^p z>5VN4Z{Ig)x#Ad1$synBVQyQ*rRWC`zl6gUtvr~dCOMCZbwHfcg?@aj<-8M}^Jse9 zjnD22mBBukvSKK{UM-e}2l6Pu3ZrSbwWJy8MYj|{zNuK(1%;+T>KCR8cL6<~#N_tI zv?|cZYZA@m)Gq~Lb1vCjz1oFLF-viau!yaYMou+wQTh$}cIj(U!7_c5LgW1}4Q;zI znJ!V_ozkzZ#f(FErMA&7F>VT~Bjs~6Bn#o}tzyC>Db?YtR}j3B5_cO0Sn1a4##nSW znqYxqv_=it@0PN=g)D?*cIJjth?&I!tObRw%? zk%Vjf8~(M7W?l-%z!@a0V)JG1)#1tQ!LZXm7L<17DlLF_j4sd`W3|cC~tL<=xvb$>4T}~TC?re4d`(ff{CYn}pxcbT#@7nJ* zB3aAUN~so2NLtx})l^mS{-y(-=!?WEEtDg!LIl<4^669YTof*~Ww!Z63D$eRgFOOz*O3;`v+YNLSctQ))VHm=zk`__m*)FU@ zcy(a;YVOABM_xWo)f;a0m@mE^xA*Jl2Xf&Bgn+689QiN#j!B$Ul{*Ka{k`2Z(S7;g z@Tgbu!bQNU6$Kvt*OS@8!6(zc_MvtKW8gU(VQS+f+bdcF)f#28@e;oFq{OY z3E@@I#i_WT)nyue2KF_wQR_aKMwnAMLTh1~lFLzDx>mj>H43VJUutOf*f2!LcvUJ1 zolfn->(*rjIx_wmW5P=aXmI1?Yt+>PnXWbaUk(}msp<08080>_9=lewEcRsIHk3+7HTW=>Uo zaEt$g6HL!xn1L|zV9WPR`HpEG4%QTU;K&alaL=Plh?%XRFYR*@dGOFHjFC2cZZf8P z@9*$NaTgY{GNTKLqMEq~6}I-4P%7E1d7wC|yG=q5h0`bT0C8|dySO!Ut7Z_Ee0`D5 z+yr_p#DaCMF9;juw{#*+z$Y+GU<{mp`rfWF$8rLv@OqdfemKR&$Ph4N&7%ayfjfpH zc%5~ejqlWxgnxO)m-=iLMHdJoVGObb3C$~ppS?JCoh!WH}g&A1j07ukl__{mj?Vp|W_j_lD z`v8WQeiDUvYq_MZ%@!EVU;@eh20{ou^8POl{IQ<}Hz1AS*q_`0KLe;?%Tb)ISl>nS zH_|7oLKxk9B!uK1hLh+Rrl~s>JV;g4yuJSMX@A&bsvaqptv7q!J31~@2VIX&Zv*e^ z_?*9TQ!s@gM2D0|UW$6>tvvPE(}a7~@V1Me8O_`#UTPsj841C|8$sGCBa?QjRmF@x zX+oo@h&`3iUJIIZHPt1}2R==ri60;yEm+SB$h?>_YrgNNBn-Q#K-4#MySyxlFq1~Q z6cXQ*#S@^POL9YiH$$y~^{$)tvP1>gua$M#NMZKc?U9IdvN2VD<+R#Kpff~;13|r| z7mkG1jG=#*tP@6n^y0d9hKU5uqf4w=7UqsPcgGit7~65?$7Av(a1psD%y259<2VM* zc#`)(zi~9kwnh}&1J@78<~@$$8-CL{;a5gdKl#j?gQhry0VW}k0<}W;j4j9f(Z$IJcJ*G z)U|mOP4nSncag&0H5@MpN%gilu2`28M)?IMsUL*}z|0+Th-u~~8GjFH2PC%>`ZHDk zEp>YqfKZz{GJW6xeq8to^!9xrI!SFX1g0vFBzm z=cQsWrq;qr2ha`Q#Qngd7i$&P+}6bewPewhh9UihszC7gkql$Hh+QH<*oI|*U%o@OK%)j;A%vHWdAMx+6qU1vPKAXqF>5mq0 zJo7K1r!)(qX=-VguXsmlCF{l=K}{A>rjs@|R3?w7XKpD?Q^L>Oo@0v6CcGznNv!!r zv8Cco=@?c|{Mxi;;`h=@rHeR@l1yqqKf`UbGeB9I8kFOg()v0BwM=-kcn6$+jTcD( znki^TAkXpLyaLX*x3esZ&&H7lmkvO`@3z}J&wgxex3*h5yFYFJ^sG(t;(Oe_+snqS z!0*epluBv_(kzMv*u87AJO)@)!J)=$I#U5t^%Vha>Bl zNi6h1KW)6X#E~CnO=Yg%iB=$!XEJ%wrB86kbLNCm211CI$4$`Um}%t5d_>lJ;y=2* zZ6b9NESHb|=j+dX{|GDIoVo1`&f~z%WM^hGgc(x6;wbRP#3@*7jP331?H_;m0sp(b zy{-Pc^ZoZf{?E?y7teQgUhI7TZ0CQrpFMlNv;99{``%_P{49`w{Ll8C$5JQvJNZG< zmf%=fcA!d&jik_xed-n31@ucloVG50N?U%^zTA0q;fLNXI3Zu1;(m{q)`2vY(4E6w zbY?T|lI+Rm%x$4e*#)@ z(Y~K%FdV~Hb`wM3gp<@k^0Be8A!(YgyVzis4hw!XoH8)kFHx|V!yPat=w;Ss5KaW-A%H*=!d$75mNHeK&KDah}5^ zy&+7X>-EFnW*3me8|c(Ai_9LHgDPF?5To($RgSCzQOY5d0eOM7UErYQNFZ@0QbHu~ z;{v7`cdy=!ZBwq_VV|6vjb}#!)mPpY>MvLcX%Pz=Hh1bAeSqzqjP&2J!HaYKy2bwi zws;aG^5tyuoWZ_s^S`@oUfvwmzR`d6vwr=lYX3(bY{uUCiVlD>|L^nd=ZgKmv;D(Y z`~N|H#KVSo1>2W9=P+}*au<2~ewr+>67X{2O<{JoBMC9n!yiWDXdXu)3^VJ-9@>1m zD;-_zlqx+C>LIquDNyXnZx-xOo)qzo*_|CvcC9{m2p(A9acE$=YH6| zbp60R5A2689!hNa_4K;qPxbvj&D;!57C{QLn&&|A{{P~|iyzhf|Jje*J74$zhxifq ze>aZP{623;*Lzrd!`C;2Klo-}V4q`Jkm-|_Mdr8IShlu>-84U0FoGv5EC-DeON;ke z+G>v)vyXUOb(XjpoKjPt*k^+%2>fvR1~;g3?5$wTtauQWoI4B}#Z+K)^b<%(uY&eU z41AaQR%GZ^bdL(=Isk4MMwv_9O*swV_#$1*+vk4hCO62)CP4gf94tHtw&KJOGtg*_ z=xkdr-IOHsa-_3J0MJa~IH9MJ^BAtEXFt417jt<5=-?#wj>L_xGB)YoL;y+# z&BH1h7x3mOXpl(S-HwsU0?9) z?$YhKJH};O%XewLy(HBn&kN>}SBX1@r!es&kH)uJ*Q2nPh`K;_f9_7<=^_Y*Sh@s0 zP`_c~-OP1@G9U&rjTe~2QJBH&EZ;GbMc7T>qy=8vh3|>dGD-2X#A?m`(9d`zVp=LL z<3*Z9^FyiAOE~pIcBaSX1Kr-Ql^^ggjKrzv^QXlpm9?yVoj>sdNVhddvlz=jpw8sk z6c_a&&bxvA*eYr{pU@Y2Vzeo_)AD>FDipJj?0c71?GSy>o$L~SvWox({@hJ&C`%RWVyJy{5+%);^!Vb~s?OG>zayZt!U^bb@*Rk8GH+U~mLpaf zyE|!XcFX*^!V>hE2YUpQMZgV$=nCMLrn!uxIRuMXng@AzQe+SpqN9=|kHlp^S2LXF z2xqyT!VENLU zTIvE?7aW#5>jK`S?JQZO8T3Th;~1ZO?Q9<7<{}AJ8BXZ0v*dteGph?Xh|=s&B%|{r z3XohQMI5Jeljx03@nnT#Jcn;V8Et+4j{LB70ZE28ZP*o+2WF$S8T1EMMh)jZX1Mif z6>N;$L1Z4sF>#=nUnpIila^{$#pIH>mm_8MGDv=g?a#s1tIbmN%T|$wx`Z?6 z)B*=nWoX~c+;caDnyMWoylEVz*))Oa$DoQf?VYccf9oj0;Y`!YLWZ4w6#cKVp5;}c5p_M%I|ka-Iv{A4`)_9=^pn4D&T9Z zgCv^o%3B}?{&#pYfD`!}pdXb+lnkdL`niBN75b8kHoK8|d#jvk8kpEk)2k@)^cLDT zMJHk*IZwO8;jjI{{;K3GTUm~&M#b_aV0~9z2HxMa6hR7&h*vlj8o&RqxIbB z-qVe)5ayER?M@c+bC^5@4IJ=7jH<0W4jp2c{Yj60hd)g}`C<0hB;N8)Pi~iQZw**l zjcA98U1Lp`xDBL>;TkDflt3FUj(s1uOijsJr_JH6`191p96K#cL5*3colKy@>a8wL z;UwjYAbJW`q-T}kRGP{6K?SlX1h*9_hGGodwcS@KKt4N#D*$q+NrP&B7k6 zFXBRJb|zJ_I%R}`l}FsUK=#fkdxQoi@dm9@eFFmt(dp$Xo3JT2ZU=9LTdRa*0k#^7-RcCWf_?LbQwWMe;_0 zKY`<$aR5cOMRqJkM79dyH49f3ctgL00v7(|-^e#oz;G+Y$o8}HY2iw6tc|N+pq>G^ zLc*`Ewy&iZF64}Sb)z{M~u|KWyLn%OS<^DpVCKXiKyTpIH zmu^4K($>G{*XG@^8Y()l*nmlO?JZ4bcR>erw^6sMtF%VEjxkuLc7VsaqdUrCV(P6( z)flDULtKk-_N$sYY`WPzZc?kI$jeNdv>nZXy7I_2?b9-LTWW9hHx}&Y>-KMhwY^)q zH$OM{>g&EgUv~++eRh9$HTn4J`!@T&f$=@W@6rceccb*fG;@OhCQUz_MD;L4J=!vW z*1uD+u%dvfpngoaw*AEs69L*A#&Z5Ap3RCT;-k0EKCbgle{Z_YZ0{;>gGN;twZoDav z^_f^xMq*8zsm$!oj48ug3t!40*Tj}G&{|xHK4{#k5$#Rz38yx4#}GJY4se=|_(_X=V!kG%v>_LP4Kl03_j{S^ z=Sqj0OeGJ{X7fP0VnZ<1pxm^LQ5J`}(*vl6(a<#>yha_FQg%@5@c?ty8}$V@a|1tg zkJKeAUSVsu&$ZIU??*P%8EDh^vNmFhW)Mwj9JgW3+3dhWEI#YZ25pixHbXH@!lZ1P zzOK$?%IenVwqm~xGVacyo7rEe2wN*}YzZH5Ol>W(1D1AqctEwc{z`XqY=FAkI8DiG z?lgPSpGb3H^ym-|IbYP8@8XJilp)_7N8!YuTG(unCT;8vXtVbGm)4DB$mNOC5!NPN zGDCO#Nor}cWK?6M0G`~`4zR$|5@3~BSk?1QnOj;#w$vgW`W_s+NzE`L zy;p@uqw*LG^dGra8~PDHmB?%`hpSH?59m%NNJ+k_j-uKF0QSiWsIl8tiyMo?r9@sg z%=|7Lh5ED7Xp%W592iF_-K5Zv1WsU*KyQDM_~CRooAcsF(kqie^$vZ zng3MC%_#m9J1oo6LQ4a$oT*aAW^KGUa}#e>UQFP}g})*z-Um+=a#SHd-G!TK@zT0D z>F#_0S3s!0RQ|NNcrVSO048c8PT|9vJ1SF{_~NYU_AYaJlfVp-1u9;Ik;C(44)(V> zP1&fpDDY>+xj$C`YfhA;3|6_;O+K7DL=_X_egfF5gs<0Hy~05B@>MG8e&=xX)z(dq z=C5t`iC9+1Qeb}=Ml6?OHx^f;c8Locd~F&fH%05g#t3}1c!#2B2RM(jn|+^D8_ow= zDY~IJwn3K{mGjg-cVehghm_5|vYzELL$5UfhKB)nact6V?#Anu2MzF@Z_mHRf7~hh zLoJ|(n~6(|>*>|m$s1xx(JJ95*1fPeCgGkim+Iuz+%r}T`KS``vHsbrrC&cM<@E}M zg^XcH&Q^XBR8OQS=6bBKr&b99U1JDnP3qrmxVwAVZLZ+;oF``JwT?s~mZeVIi`lJc zei0i+W^f|{jNbM`EHqI|~)bsK};JyyL^(Ut$7y?5_!+eRLSe}C&! zpicLR?Mk%eTM}=Ra~#`A-6pml%W1byw zFJ9f^Pf|O?#-Dx`oqyhg(`Eh4^-!(k|Gn>s+w{BBtxQ=)bEl;20icf<^aY4Mzy9d0 zdkd+SnWZkArNX-Eq0$uYFjg5{FWxD_08JHr>WoO{kTUuRk7KT%No-IJ`W&`1$?!XD6rce>nd66M0ep>aD45 z=Je}m&U85bOrv?#xitr>!ih7#Ti55UyOR`6bWAWS`F%+{eOXXeRedGk))kx7Sq2`O zFh4Y5c7MIknydFyY~uba%s%u^*1PbhF~0q28!^vMFn;Kr{Lnl3p?7ix#%|HK_@Q_5 zLqnH`hAs~cT^<^`{52c8_{HY_D*ap@S||T)S|^hSNAW{ziHFt_53MB-;9tG9#AmHk z^<`Tv&)KQZ(r%gDM~$nywp?DuX!Ou@`R`+#THG|n3esY(=_BrwUq~w=-f085_kGCI zKKYgWpZ`F0b@J7B?UMp~&1MY*m6v{3_Q!v)ii z|G9_^W-5zJSE-!6)S9-`b~5YpXE|SW^js@nws&^TCoBID8~+e1^CcxKs0RqBVg#w79>qDNg-+xkIUBGKui`W!E5Z84iZ=&e z{&Z}PB`|JOzeS|v73j}UKCdMf@aYpYaxlxdeb?{L+q8UsZ|^yi!^F`gCaGR|=tyqA zeCSC2V8DJbU_ThJ9}L(J2JFvf!2U}%B-irAef1=-g!h+kOMd5)lz;lZk)^ z+6QOWU)`BS9{Sx^p=9BH_gYPPXnFt8^8TUa{X@(91y}aa^8TUay)IDx(DMGF<^4m; z`_jt~E$<&%-aoXwe`tCC(DHtX9>}IR{1@zcug6@f@qOJ(pR@P934r>qX@6h4;=gPM z{5x;+pSiRAEw<}V+FbrNJnNx#`+sli_Np~Kv;lu;1Af14z^i>@b3J3TcW;T2)MOW$ z>qE=(FV(XA^Y||p@m?-{wdfYHUO)(1B%u2q!?~Bl{@sSVyIZ5q_I^JCU^Vom zWLPJDXqi}}YCCRe?2oe>>CfnWR_iS=nwv}N@qgHxcofgbv#4z1?#=bu5`k_d31*cA zFH&#*buHYTwai0}Hj}wSxVNB2lA!hIH?&)=_o&N60(an`nHC%-H-o_$4* zM1EC}?y0qUHHB83r$w3yE|PCjN27PoJXxq|>GGZT7pKuBVSj$IU4F4OlsuD;8|IA} zK^(JZ;(+tx6;y18Uk-h0HurQE=Ao;Cf&bAR>K{Iz^WzIa8(KONUIT00;I|b*hhHhZ zE;GjF=H}*;-Cg+q&CSj7|8MSY?fg%BdvCkl-fQn{wf|>xYioOV?|;bV=UcY@j7357 z|Jl6rSmnk2MLx4V^Oen{X%?#zP5VR`FJ^G{R0J{KxNbMD;xyVPUOVfCdn2ZwyY;ln zzFw&NHg*gD^rg{LV`QO`lQab;e+dJ)t^ZzA2rSqTnXjpU9;U_vShCGk|gPzs$k-y*x^GrR$935__!S2@No>ps@B;SFR1o~x&GbxcrnS?J~_+i|BhJ$ z7d|JCGM!bh2DNWnd?rhC2Rlz$MLAy4+n<>7h5x~p?OE+BY&7AngnG3QJhp1&j==O)ML4g zSj>4c=iY$zSKA(Lb#vHjpf187b;AZ`^7vM()p$fs6b%sJT&yL}5tPN3OCdZ>CSNrk zk#~Ycq&Fdm5xj6o!AUq|;gwC9CcN*z-(!8AGa`kUB2EWnoZaUwJsrXL_rIzCD{jX> z<2Ccw;m&`H%W$Er+CTM8v)GMM$;1BOo8phw`s`;J{hy+v;ojqao=o}ww|3eO`u`XC zl-QZ?QmXL;mW2xKv$C?qY^d`U-P)E1t}6TAAdK9}4Y-Iwbg}b~QKhZyI{X~||0nG! z``_O7=EM2_5}z5h>}F>lsUW|qpUcdmQs=mR_Rw99{I#A|-5p-8UiODLqO=N93PE2k z{(MgGc~#)~ZIdA8rx)BJwP1m~f|{HHKcC?CxdaO&64Z;SrGWi%u>P`v`cqN*p5qIK zZQUkTe=+`Vvlc%C|KHr(-I|X7df@+GZ@re6n1mYUlImjJ4;#RKvv>M0)K`y_GruTgT$LcVN%Jw5*E{cV?u&`;bs_2m>|LHc~0Mon@RCkf$6go~zWM8r*8ghP#K ziJ-VJz@UNriianMmhCq`8vD)ycYY}=zy9ub9@J=X>$F!0 z{pM%=kDn_^~AlD#WFbI$*^JoDc9Z}06s_{FCBy3N;3x4XF205M^+`Q;K(ODcu*}ZSTsm19vnC$a~RUp>hgPI8`N`FbiE0#un z=td8}#65OSIZ}js>~#$ydlJ28Y#54f2iFPDl`|W1p$k4cwJ+tj?kTT$x<%w4I01OP zbXO0H!qk7uXfgD9x0oJsUzbO~V5D+Wp%RviQn3KGO3%)~+Wg5mr{_z|u!j43Tio)c zl&Y{IGy5otC5hAI!X~(z8r_Drx29;Qp00~TQA3ebhGo0Y)kR&GSMWz)$Y1zVEB~c~ zIQ`Iaf0iQpt;E53`rnhO`akWRovjD??@N5#uvIrX5Vl`=AsvCrsC;XsC!IUxa~g@O zsq(LEEA}kzJndKLiilzA??SDzxSXyy=lq9E{vL<4U@8mz793#i`QMzX|M6t|LI3+A zpV{ZXNQ9dbyxfsjUS#x(UX6P!Pg%i0l_`=M6=XR+;85pZmj!(MI70&+uoPA)PzCj+ zr2DX8&pZFOz4P7AT>I}{+5YpS-G1=@ev!{2_y3>c(*LVp^a`W1uJ{p+(>Zthed{N4 z&VR(Rgil877E%B9GyD9v_jaD_PSyY0dyxOX$fu-P`{()(v;Ml=gl3trCB_`<8O~LH zEziZ0E+}~Sk1j%RANc`wfo{0Mw7UEN{^(gnOQsX=i8+-7bisXAwKXe8l#O`WVY)qP z&axy9si>H(`st95(}I+fd;PqxisqEdx1^kl+QpDd%#dnsrRwjV`B$6UAhB1BM~=arV-PLIk!yYA=3r_O-J>qritZW^lT~`#nb_rsy-j5abf#R zmm#hQR*bV!w|76x-UDzVe_yyiJnq=6=I|jOji_t-Zjr|-+U~LYT`P3|eBoHX^ATy~ z{p;yr>zbo)BwQ5VKs44r9XO+_D9%YMTME!XSP*sH=AAz73xY0p6o3!z7oKFV`%7(C ze5WV=)WGA|YhTtEs<`CTg9G=$u$GSI9#chFk87wSXBihU)L8iRY2T?Yu3|q9vP?T$ zt6sOMKaW2bVFDS#dyoC^T7%LT5!{-D_xt~}znH9j{5&E@$LANvhX)VKikC z8D}I;358I{T&Gc)=PSjFVNql*HfkTL>V?;`bTX9)@4Q)+15c_rn3omgVD9*6i6Pz5 zzN=VW#fX&)7K=S~d%TE07%@`|oQ;{8MHCjDLtROPnkm$AT9-vClY{;^On8G8AxcCW zR#cOL9q~E`?>; zBamn~WOB>CySzM~n!$9#)|ms<^PBQWo#~;{(vqaC7}Mm4C3MnZAy1=fUC~2j#Y;Za zjO8(p7KZ0N?n5f#5#!@xVNm|_KCC{ClX1>2hdC2No>Un)O3=!0`0&ISGJThTSAOF* zcUlr(vze#Id*HT*#~5d1-2X^OkG2Zb4tzLfGNAfEFuKX5tzQNz-5i3 z@^vLSQ=@H(X_^N4knfz-b1e(Q-$cBrQ{HlLbtXumJng+rwJoBM%Z@Py@V z=q#`e`{k0O=pCLiHB`v=6>Wnn?~{^Gw93FT#XDxaQ+;FH%|}|ph89#jrVud$4OO9G zOJHR7>-UP9n&tX&rgKhzB_d|FTE2Bt?F!glkK*6wH_w~$ajnfpt?B zTY4qJyr81eHSBj*U+BGRDp|Bg`vP%AB}DwaGDqk5|Ffuf_YAN(@jvbM)>b+H>&ezb z{NES(%=Q1fuJ{Zr+$Ot7l>p<>Q7rN?G|7B9js{Ctj`?#q;}`W8-d}mIxgPDsU6}Xo z`yR#V!8MH&NeC6AyFdT^nBsrYXCD8*UByTLGmro8?ru-<|A+klFY~Er991vYu2x^>>S|L;BI|9zRyQu6;DyNUccSnZb!x~;K)mUwI(~ODC09AkeErgW2^_8eRJW;u>J|v6!)UrWadZp% zw=3GtxQ{O0ab}J;ysm?be4(;7c6E?h?R4Fly5V*+XImGex9ntR1@0{xvNv-h#O-#X zI$U7Z>cr>R3vsK>5VxN19a=8g@W7=Jeh+Pyd?Vi-x(>~>0M6|_TBn1Q^*T-mO-YKhh_4xhaXH`1tMCy?*#KlovYO?rAAevGh5>xF z7LcwCUlm(68sPn#4@SHUskwZQj@s#{{*dbAzi$*Yriw*cMPQMZK z{*!OOfAtr`!G`>g{!?718x~NHhF9YZ3O0(ydLVAH#(L1BSB>?c7-fz1|F7|g{7Cbd zj|Dk7Iu?x}%lU6CEE+)^F}i`z<@~qC*-xj(7o9(POPBhT&i~*OGc2u%sk zure5yl$MgT*W|R|a)g}GXoB2=${Sd62dKL(p9djX6tox%XT)ti;+`4tRr~=tQ^85s z?Q-(I$9W-&oMv4$F;}t=d0ON=feO{dkimUVcpv_)%8Y?BOQn{8WyK3JlFYOi$_1v3 zgz_C{a$9(qk_H5 z204w`g(ROYxf#ac5Nf>BC}NTAv8&}gl5tVU4JBiI(HVcUV)(gB*bFuiLOa+A+6F{> zyLQ_V3L(+8K0cvHg^8+8_hESMraX&e1=D3q?$Mt1x*q(b=j%y zR!_~vk!Dsrcl$R(E^yqJBj(ISnuWb1VSi6kvc2g6m$*ir2=ob|apRm>rwk0M+A9oL z?j%)O;M*FwbKXv*pmNRZ;RwcpB*hYjon?I)HGY~#rT5PR;< zvxu+{bd)7bb7LfC^v0-*#zJ|bp*Z|#>gK}3_a8WXU5Hjb1Eh+syueOhb;$XT4oonPo|5O)m3Z3FQw&95++k&I}jZE`TL?#EBg%iH>8+yi*|Amzo7<)p7xT=2mFR*6g3 zJ>5b7v5>Y5q^&8OEe4@&AXu!IcXBaEn+B2rG@my2ENyNfQcwA{5+5q(G8S?o+D}i; z^O!^actS0GZXt#N(vw<9HLq@&S2s)R@RpJA0kvKX%OeM!wv`VFBJ>@ znE`HjN{1DMeUKbHE>LEXeDi;k!2a`GU2)G>R=Utp>6*t88M0(VuD1!xbDrBVo|-YX zme`M-plv}sF(BG5WvYtEMteeh$YX(+{J}-!o`ErSBphJ})v}TV+Ln(BhCA-bM*dxm z6k&(l)k9Wu0*^({bHAX1aWjkymMFFXSBGE){80(4m}Km^>ul@V$r(PiSIb;zIsu=g zBr#^S8gi}F8q%96R@SZ6e7b~+RxIqe+tuSrnNM4LeGX@+&cZOqbGM$|4;i61q9wLl z*V|~Gl1f%nsW3E(gfE5ih@2d}g_iivY|SCI=i?`dcD3w~XOpw^_?qPtkWt53w~3OR z7^C)Dz)a9iPNaNDqBw_D#!~RhneLWFdaN&{LJ3mq$!JwGlQFDdd#QtD7~7^@j(g$T z*)or3NR+S-aUqb>q!zAp_AF;DA=fLlf`O7|>?knLv#@Y3uJx0*=Vup}2d9^$MP6PU zAN+7~`kJ7@tn=0S`nSFOMPq&a=oF z!1U$I8njfma#X#9yFBg$qv+Sw@;7U8qRyaV+|yPlYSeX51~mb7_k!Kv zLpMOfwf;7ic#ufw(eUbq<`MW=Xc6}kw!V&{B8Uu0WZqfrZU)bS-7d`Gloz-d>lI#K zw-Z}mC*R4N1m~tu-ymciJjv=?kM9ntP|rnQkq%?z7Zh8;zVqv<^T(Ru4U$@}*hEOo zMgYAuhgc|TViBQ|zB&ahSbv;!SOL$&Kn^~KX41c|Y5`|B?txP%5W@}lNo)uZ6gKRJ z=zGI-*YhebuUlh$&9&rI~Yk=)#w6U#V%Ym__VLV$3MB4!YM0YSA zC`*fxz=4ezWs>FZ!K{tfdwdP{9i`EGEm$1Ln+Ec73$(Pj8?<*d5J%sU)6?o@XGn7v zVd7)P@=+`V-Wo!T@s83)6Bp`^fx5HA)Y`$G3uM~>X?s&sjg&~v$3P8W`$uPnnu`l% zOGB{|;}KrNV2>ePjKYShLdFddggJ{umyA=eph;Cyn-rzorOhP9oC&lU=ByyA2LR4U z4g;35Tq>l5lANZI`&QhCc_^JYk}}d7iUZmVGc}=D*vD5)nr?6&YfZ_`p&M3Q zC?jlIW+j57c*#cSf+Z1W0;hz5*Df9n9b2hcTQqxdO7jUw$iy@gB%~dXL!MqU^m~)KQ`!Ec)L^e!cw##+CTv&mQdo8;wmChqBc47klxXZ6G-FOwGN~VN8%sen z5iapOGZg3%AnJ!#Y_efAMJGE};!o2`L~dxF%3aD?8nN6Oby2P=KDanW!{j(|jX#}u zlqGS0Vt7R{&amt3kmm(Ub=eWueFr8&2ksLCcX#SEqDg|#9v>HEi2gI0Wy!=h^~51d z1rrX?Jp**BEKBGEdT@TC{D)S?Lt4yPD5Y%MnLu*_cZA)F5f))0+YXE!4a3*{tL~>C zoq`ly*I(!P6_gk!Z(kiqT9~Zbe(BD~rTkylg zx39Pd*WhZY-EBJ{&>1jJT^r{jFd#UTTrku^&s~2v#^3mC7n!5f6MBrLWW*yp+i^<# z7!ETv?Ou{o+gZRIN>g%jZY>XRg|uiiic`YUDC2SJ-2B?Tho>@p98aPVEW{wO#fhmK-q0XlcY&TEQ-e?z<)yX0jqNT0bskg zj<7D6ZEPSMw}?;d4oxbriFTdp;x=ZSZFPUhf!fOmd7HtG1LT>3v54{8wqr9#99s1` z0G}Fw(*l$fEJliv#&`us6{ZQiD#{X(c3h29M<7~cx!cZjYR_2Siqk%yW`x`NcBmTU zHRpqbk;8zjV%)sG?`&}tyCbXn51D4 z@|>M>o^;~>u&xW%pwG$)Dllc7f*PghV&X$pfxEqN8YL{~Gg^#ulW^+|fU<9vyMEd7 z#J_+0FEZk(yoX&Y$(D-QImq&@XYR|)e|^Yk1iFUOzl8$ij#ux>w{TUB!mA6>3Vx%XyQ`{*$F;kf43e#Sg3nfLIgA{Q% z?Sev}dj{y%Ox#S%crKJ(1tpmSrZ*0+SaB?sW6{N6C;9yVc$#8nF5De6yS77{Sfs5R zj`O6eIka|@-wasMCDEAaOE_gWX!?ia?*iX8lisZN@#3YU&Bql&J=!NTn$r<0Sndw6 zWoEyG!R(pC+P1Xb2$QV0LFpSLnim9zFgL3ft|S@Nyjc}Y0m>fa+~N9L!L!OKfzl&! zWIgLY9-==G6aaKg>$@B8a}XTY9MDfKXnUo+91rw~84H%5C*wh!s=EKqyXJW8lynF5 z41#0>Y8qPG;oLf#fJ*+j;4N))h-^HawmCS%?Nv<`N#5M=Fu3#1Zsj`=cd0aUsmBPj zRFc73g$kvDq%D(wkTf5t2bu22jNJ>4xrBp<@$`*IGX1fA5 zPW==~My1sG)^oC|JT9;X3^Aoi;sV~XNU67jJJ|5TGm)TmIO^8k4Dm7K*@RG%#G)X) zuSDyDlY@)PlUE0amuDA0zyI#+?XeVl%A(GezQ4UO7C6iH{%)%~1Yr0V_~8je1LM9s zf=1KGx5C(RB9zHpuulxwty#;rjtcDr^Ax2i5^t-^VH$FotAFcUV86rkUIgEoV!glX z@}nLa}|XNqJ7w28vD`v5@B0?v0Z`E0?zZ z;WKVf;)2leYOI2(>NvV<*r`|pxPtY5LzuTYNj*maX{&onzU_#+U=G9p#%vHKj#Lb-Pn41wp^hmz5wKuC z@?1qTy3ox@bVT-_wDqn^p9Nh;Irz~66BiD^XBF^3cq+=hMT{$2#AyginUEWnGZIn- zSMphRr=M29b{X={6L~9oR%IQVSa6b$(=`W}Ip@oG1)c^^91!L}x3_)LDX-LCI4ma# zyJm?4#T>zsnQnS-%|(NU04qi!pYt_KU-DA{GNmCFSnHkx!W@%ntL+R3I}QXt&7tyM z3TZ);IHgj@6q=#Xm2Knwpxw$r13uKc8)K8Jid7U zueWdBAOGv};^6(^+3D%AyyUxNEL>W1QX|?+QHr_RpVJv=wdg$f&p2n~Wx{*LGWQak zd)juHTX-fCe`~238LE4#O|K>kVR2E&k0q#(S^PUm*fF2!A=`DP6yDdyYwfkcPzVd7 zlt7>^p>bL`xeMqWSw$YSraU_dWM^&Ir{06Q`yPrS8}KHxKpp3&6*Rf{Mm<%wSP5_2 z+j!sPf~qC5WKft%99bB<6)@&*_Fk}SA((udr@qAKTjUJ-vT-ko!*_WC<@~p3EKT*n;1pdq(t)Duivkeg>T`3cs(h=)Ai56N`aG;pfm%TES zZVZWj#YE+Gg*k&SXwrp1&XnJ%ywuL+#KeamMlnb(b8)qR8Xk z7|`Pu2sgq0fdj|VT^Y{z^qOi}YNd7L9)X01S8+NBG>^d$@u;_=f;?jz_u{JQ%BJrQ zZ$pWfptarLnFGSaGjBa}>4c#e@3faNe$~=Rvap_2fI3ro(Q=nmm3J>OI!?h`8re)a zOq8=wpH@KCYqSBJ?h>EL1KG9^OyhyY9ZLXg{SUa!lp8;RRaK}_NZHQh6x_! zXwSs|#HK7L1#iLmI;Y>{6{vgWsWH-JJR&qL;+E-yp*@69J)>faEL4*<;II@EUF5~3 z`T?*KH~Bb)03PKz)_OQgi+qC4awt+9P z4?{W@1&f?H*g*WJrQLMN7XuEQxNnf$Roo9)OeEGMQJFAxB&4olG6r*dcn)F2ZIAU^ zA4WM4Oxu3JL1LM$1M{hYxmBVlFv)s3zST9>b!7sb*=CO1 zDx4kd_gQn}tRo%LGmzYTLaw*$XnVi<;noYDE(gM{hR}XiK3xXGSY=c#1Znw= zlVzsgrFkzda(U|9EIyu^!w3n=P7oF339pmmw9oU95vWv~#3Pd{GFDFSQ0}vmZqYfW z`($*@;9bG{MVClnZAkN|Ycju0dYe14$3PZayl_`P9cAItoXYYO+g%kBNiZf-UzaKd zBx89pF*zCNwQco9*NX1bm~|o>92CL(wZqwc-!c1MKFPDiG7G_E4mg6Hl$H-NIeW4d zY-;(-zGKn@oZA3I{?4|EYVvHvWc7v$BDXQ*k&b@uifxtPNpD0D@=Q|Ytj*Qrql_1+W+Bw=LxRmqHlx8;jw@PWIKEp<5Nv8qt}X$LZC-*t|gMAL`ij zCZwa-5ot@UhmQwC@(k0EV_^(R<$3XZYGNVJCV4y<7KGoVESEw9nt7mB6wl-Tz<9c8 zV#OO+JV}s2E@e<9yD2<46JP_HkYfNnHHmSmBwCCS2Pk?LSpH0b!7?iFlN1BLS;tN1qmM1X}Ppe0|w-kvZ-X_JmZ21i&eAXdXH8VloeQt zAgl2jzRGV{-c+V>If*#Me>XuZqe?7H$M;P3=aWp%M__$d59G#J5i>zEN6X|=NQQ{QZ+HIK>dT<2UMdQdEc+*(UrjLuh;@`R20kPy%^ra`)ypsk08yuwHG(n&Mgqq3 z@9?FjpTgr<#WQM&dJ6wcy%LpwB3ZqkAUp&{_?4Bmm94^b5U}@3Bz}%Z5 zPvB4xp2ve2Ds@in`7}S)e5&sq|0XG;Phn3|v$mn$!1sWdoQ-H~&L>oVlawOy(!`Q` zIZGxaiPI}UTrW<6PNcHBrZ*kxhxKU)mqgRKBMnlgCMB`Mc;D{&p=9Oij<4MD@)MscB-hn72l zx?tv5DrJY}3cbs4-Oao$TtNlQ3vzf#?>#o8NuTh3z3{TwZBJIrnpPAnyzdQL z=6wP+dUBq|VN>oxk0wAzH@SQ-1>s|yYU7^z3ej}0EF%hG@mJxpa14f%q6XZN>IvL_dGn#PVq`5B=}m`?cvRqE8)|gL zA{=8f5R3?EUs{a(2{@j;n%D=81b?lX9z&jrEDpzfERqQs(fkVSU`9I9A{P_!AXV0E z*dst}B_&E`wQ|Y}LWz4;gO%wcT#~QNvh@j^EAqGql>Bj28q}t0<}75u$$JxT9D4`_ z``OM%xpe#nTn0`gjlRdU!vvwSUCkBMhcq8Z#feX7QcPO? zoUtZ}^PFAt5Q1{cx4HJA7u;xD%vKVZ;&hgsW4J~#k%XEhbkelnWGu(4R=_t(uyFM@ zSIjrO7=-1i5i729;4Qd8+s+1^Q^|Dy2D`J$K7=eQ(dn0X_qQ_VYL$XpM%&`tEZN{;F6bG=WlMN&y`8 zRDhnk>*Kuqf?kj=JOu<;a3$pVlT$<7$gR+KT|iFya{rAkB#O9@G;KDeh*jSOI-v4r zU~)=vU$qyOk*#wsL<7$g1MHV0EQmXiREl%E(B3k!dLX?NqMj(Qf!30_9oI1$1+Xa+{nJ# zj8}LKCu>?&2oPdPYs6Sls(fa7*M7t3RcpA?u_(wu&R0$k^^Kf`aTYVlv|Q2GXovDM zwNPqOGTa^eCtRa?%$_qQ8g8s8E%hj!sua>3otdLJm2`sIqi}}zij7N{sx+IeXy}g| zIwR+-pmEyNaH1?S*kC&A@|fUU~;N@V8(LHqvPttLCmVRlIg43M_ROoH3!xHE5%Q4^~&kl<;mgk z3V|dFNIaoJk0C{FXB_u*IV_;!q)cHJ_R9gKRZj}V4O9_3O?0dhtva~ZMZaQdz!`8M zu!QC!cy+*3W4IEpKy0)i38O-)Q?8X>y<$%*r2UG0Jx!|TXmM>Zx#xm8io@3=wxm{`9|v1XoJTFW$cfpT z6zb(B6De3Qng>|Gk%KNRrqS%|HwX`?N*f~|O&sM_N+|wxB3%+Jiu)7KHgB#C8b$Ko zxzu-DigcjpsVfXEauS+|eGx|<>3}{(A>Ejz(RgHP2DucY84K!vdOOQJ4G`><9H~4^ zV6DPRO;8)OOn-=&I=@9FimX-vVk;QyQ2;0zzMQR)Kq{)FK#YczT0JSZLV~xZy$Y9+ z3iYt7=lzP=H0`m`Rg9}u5!X6rjuOC=Lp#Mq%1``#w^E-RcpGklD-_VY{)@T zujg8ymr>1>m<7{x2nIo*=o)G7Bffvi3;B}q-oX9RvN0nO2`RMtI|FJLbqms$W3 zD)L&((WZhQh}>??4i(u8la_C5HwGOs;Yc*1X=?MUKW(QLmE5n0R?oO;txif!H5nTa zKg+1#sR;zd$YPpf09>4sh>0+ddul6;(h(2hY5S}`O?uzdZBTIqAf}!Kj55|%u%_KGb@qjw>ME4Qq~WlvqPkDVh443b zjX>!tvU1QNC!H1Y@}P6l(a8PjmiNi!$>p2lCOJJjZJnIH zx;Qy~ef;+L^s-6b9$y@OcW`=n@bcu%$>q;LLa$CPPmenoK5(F5oF80Vo*ce=b8tb< z-(8%ab&m12MQ>rk5~-_+jHd!B2SThbL#@y!7n)@`&+=G`=dj?u3XlZ)vmDp4m!h>% zi17$?70s?=0i0d%Fg9v3GIix=1#7J9Xq{GOk@lVj(VnaVqKB=?AZ3Fj9V>0KW@Cq2Do3HAU`76A<79?^ks!{{$QGv|B;6=if)rrTrW-??E&$aWIvi4oB9;@Hqt9I4;^wXvSyUaVQydg&BR&Eh6;;OGDBeiT4<_nUJ^`cmgZY@O)87P~u zN>>B^EDt=Mcfd{G;3i^ymPYu-kS9@v>73>x;6z%uHdwUBd7S6gTc#|>R0x*K?ww7n&-J!nY=9v6{yT%dwymYI9Ai$@gQHM1rt1Ot?U%-^*!u z#R@@IK7LxUN=iaQecMemF<~krYJH9-9gtP5udIwV&KcFfzgi=pt%I5>hJ2hv7;>-X zp|k_%+ID=i&~k8+7W9L0go09!69~vpjL<}I+k;R!47Ab)g&%=#guq^*pmu?nnd!?| zyHnC_z5lQ6eOg{NE-GETCDjzU0muvr&AhbRr83A5j%6zWH zc&H#O#YJF^hN6s!<7oZ72i7v`nd~$n(?XN`ypU5B|J;HIcS07D(CcIm6?4{bt&|?V z^z>rkJy0is-%A0NQ6C!*0aYlH*(IN*#DuhWXhrC5DZ+Iz-3_}A#nqq5o0YP;Xk=JOv;WQ$c zD~u)8NW@c9&DDhjLUn-XPZ+&cHY5*qeI;rSX&NPr{Kk7|8Z9VTD$+=2dqb3EKF*XI zCQf^NET6+v=AiKc4TWmfUIu_FU#PRuE1LmkoF`qZ;BbP~LA5o-(B>mZ#6z0?PNyMa zV}iy@%$kqwtN5I4dnKA6l%(o9r>Y#=FV1rop6!uU%4ytKGomwsPGXi8jc&Kwqhi=t zB0EyPgR4^ORSUi3dKD-Ps$-+%BUMux<<73p;k*0(JT#bA3#C-=VS*i=W;f9MR)6W1yzl(nxjcURUQYJ?;o0e{ zlh^Mq4y080!lE5{S-E1bX^XId(IXqSBZ6s&aFRM?rkg)bn&gJ5$}!kUe<<06+jF4_ z)hAIi35Q;n1?xx!QJa&cE4ACk=<;HMGO*Cy0TcTB*hw+>W`Mq2 zHHw7q2HcmN=D*yQl#b6gET{U0r{CBc@{#?4r}pa>(w)*cXWCY4#0hP2!pWTpAoI(&+sYK;tp&~NL$vI}ghkWE@f1u3<>W#zIq*7X-yMk^p z1eKM7#w*wx725AKlH}te8y8L(fM#%^?I$=;Ax!QuI5~&0-(9=`#*h88;vzsCKyGju z1!qzzmDh!;o|Lj1zxgg+CLy%bglI9KL8rkdxK=%OZ2E5ce7K&Up7gy2DL0TTgN3sr z<5sb?C7c>hGr2lhrM5+w1WLyRHz5{lO?5U1HWzhwV8780$ZLgRu%e}f1=XAAS~ix& zou73sUtb(|-k%?IIzOFV96kSf^=jN>VUfUAsrnzSlza=mzl?_L1^IR~QTN=7mXiYB z;^a5M(~K6w=PMrrDatv^Yw3x6S|Ptfy3O7WX|*C2@`$YgMz;d;PHlpFm-Z&G2rX}9 zIlGQAbiGvV9A~>low3MUwp||uMC*xUI6WTo&+Dr>Oq!i1JGLIAU7{K&**m*uaj3k2&wUi zNtU9foaI~|MqAwrBw2~|5iQ~nA^_xLJkkZnp{E^V5sQMxNgAZSOhPJ{zKVRA1+#Idk4v^Yv0JC*V7-lkv zjpr-v*YVw^qXF$K2}thASyqVP!$>?|X%BAu@`vXuJBz&xeUb0HFC{3;Z%W-Xmfex+ zi7dMv0OeMDQGRpwM%1+;E^R}5#xB%?@b+N$HV~#ZVQ=ScJ^toR#O&nO(-}}45vmRw zTeFC=@_iQ-?OP75r@yh>7Q4xEf=p?uy|A_CTibC2yWiiiF#&+o6^(O1QI z7km0cH)u4Z76n2_gf?<1KWMS4Y{pUMfZH3tq=;~kNPTfIBr!--h-h|pS!!!Uj+gH^Aqy0=TJAm1H)bK-3GH#CjD>9As) zJ^Jpz{eh+teBJ6GExpTr=Hpy-3Gl4xYYjXJ+9ifYGo`vAK|70pF=rKef8IlL^Oh&#v~!DiZNL zmHUkrImF&0)b_qBe4xr8j$T3hrS+{cM}k8BqUDQGEj46ovrAYoFfSP+X8rSx7CDzE z&*|wY7u|Ku07@Wo4WwOTr3iwcQLmx86z(-rdtT&YX3Sf11Kv8m?z?S(=QW?R3pINn zd~pS~18JA{?XlCf18M18E1eXcI^^TD=(>9<7Ti=^M(bOc22ENxffwE8VtcG!-&DJ| zC`q)t!Dpfgz{;WoVNWX*%!^8gb{2ggVXRg(`dl+bZLq4d0!^Wag5~)oTCv1({^Oz2 zB`z3^e#+y5y_I|zpjr(ir6XmHzQ*J?0bYg%As;{5hNdh21_b?al1MsOAp!aHsU@f0 z%C5uKx3Hd;qJkI8LBVxb!jUsNuvOJC`*X-|1lcO#Qlm@WL3$;liF&b2M`qrevz~J1 zHS;+Gt-T<$Hq5UD1*Jh7thsKbXn?Y&A;S((0}!L`>n-n2r?51zf_%&n39S~HVtY%E zfMkC+P{f)_nn26AE=D&>YL#bk%oJ&C6 z(^sAMC+A)Fj_b-DRLlamscR&3tp9?^c&|EyeUM@_iyR3a&f1MUXI@Y%3TT>5$#)$~ z!F}9bB?3f1r!%g_O*%wd+ zr9`KqXG*WBhF-d%`;zLyp|w_gQw$kI&cI-goL`C|GvBvfyG_h-a6R^#-kH)AKl3JG zTlJQf%;)Ww*M&XMotU0~{qgnT`TLWjPfG%@tsNAIAC7;XrU7jHq=GWm*U1lzWs=E^ zVx5^#ZrDI?L`!UU-A2ivY~lHIJGkf+Ig=8fLQ5!h!ZIFVXVZXqw`V!^x9ky8b5X!@ zNMJW3gZ)FEMw@b?pE4ngG#th$Tg8l342JaVVL}HQSY^lQXD=VK6^jfu%>4%uXzgBg1QBOVGlA=OO=&LPGQB^#3Qh+<=qZ{#$MSTHO`*y7(X zc=F@+Ef@o)6Y72ReM}ea8c%CNoQ+8!(RP1229_g5NSW^fk{D`4X>UGU65R$vBQpT z+EQbXU?iFZ(D%#LxW~3)IPL42iq?>xQbriD00R&ut(R1D5U(bq2FCoDdJe; zM8u;wp?T0Cr5oc%@6ymgp-vYwI984o#UOpv5pxFQx=G zB;Z4A6pM~3q`(iOr17%}%};eJVONdS{bheCy?0+kxfXoe%U?7u!6itgsB*)#*H!r! zV$o={19BW;QF9|1#3}j3u@C;b>in@*7aiFX>+KsN z(m2alL0YXB`YCil>Rg8BE7$Fn7f$fax8V@VQ!07r`HJHeUD+^DHW18<2JY8Zplx`j z!ox2eh?uu%zcOz7Am$)3OCTZ33bEn&MK>_keq+sgdQo%&*rmg&@;?mrAd3|$ildSV1FNP`L*w9kG2f4W>Z|w)4l0 zqFJ`@9uD{tWGVk^QAjE~Qou`OyH9>^{h=FNx`K_VRyWBt0U&Y08alrN^AuXCm&DTQ zlVGC;`3<>orJeR-i`72wFP`35$ChvgFTGQQd;WZSa&uB14K~JU{J&#H-eL#aAK0WE z_MyGdPEv$=$9BDS1Ld6{qM=kMQjA?Ic^FnbMo8ukd;&dKA!EZtd$~{30;-V9KSelqen>NR)4h(fy&(iBS=cyF=zgk~!z%`;?(^)=tPaqY= zXFgbwQE7>^(0JU?*)ByqVnNkGxnh$BIxEQAgU;pgg}j2Ff4#~xmI{%OTn^M4vJYf? zYpub;Atzsdv`>CAM*}DVphhmn3Jxdbb_c_d%yVzd8DxKuK%3$szGlh926}`gzTh-A zF75D$remzV`zJzhnXQ$k4@7^7|IiUK>Pe^$-a}u#-j|k~lIDd9GwN}mwKycBNlPcd zwImO1C2_%Wnmo4$~40GS|&Xm)nBgy3X~rn)LkNCj&`e+V?PNx4i<8Hye` zWWcd+e1BZXCqtSfi^<|&5fx$Ck8`L9FNXvxfa(a8+|Y?ISuEX!X}%k1$O4k8ZVR;v zjkpk&3XJe|>Wi9^rwZTL6^o2hRhvGjzG%MZaXNL)Oy4cP$;a;DW|460z4FD`F<`J2|c8741F4EA(^KXHesK(NkD)1QmLpJ44+&2R76Eoc#Az7`-pvD_3|I&a2;l zK5xgD+9|??@rd&n`C|c;<$534$k2(=)SYQ z?i6K0wT+ajfgN>&$L&gO@_29p(=;a8tV0q#0@~T+Vob26+ zGOK=fFr5$sMKSIxlz$C-?K*h`lGsjpp`!UFb`w|%WsH-=G+UAv0#8i=P)JcpY@I`0 zogOPGl9b&famoV8t58$aC6^35(6FSgC$E*JsTnzd!-^I&57S4R)`gvdh`;^LZ=R{SusZEPq{7~iiD;U zzc>)Yoh^7lLtEph(}~8os-3}gm(DmPaRCMf-4k*&PKr279NJmc_r8_}g%`34CEhjDOn6AmdBJtY zf;^^q5hQW=cx{eU;$HZQxwJGeC8tQ3&w~vG(UVM^?tHgb1oah!GkZQ`M$M|%B3e*+ z^{e?UBFHGwLh^J>21(ep+%@d?QO+uXd*Lere7F=7h7Yl*>2fiteq1q@xfNc7=lh{P z_F^fI7a#L{qX~vxMpTmELRF|ZEX+s|IdA7YyKnKB`fkG z)YM&Jhqp zsPv6I+TBfX6`%lK@p_+8D7Fb6w^CMG*P{XUp~z`V-aK6=3S8bcAVEUQMbjR>dvI}i z^6KF5^6cX0_urkpJ>FnN=)O13xNBHaMTejSpy0YHP}5=({Yz8T3x$czS!#5i5(egR zGw$UL*QgX$thrG;zYi`(2^zc=#$SXTYP8r@Hp}cmTL69Ph8S{-{ZUxMNYGgvU?lZXF>A;EA|O1 zLifE5IXr1JPMj*Cw#=!Ww!0QMv1qxdDPPuV83oqo!qv6RJl1UdzX$0=dx|PbdYUp# zUa2kzvg)}&1?eVyKzrep#75WIALZ8^(ah;3ARq2g^{_v1(73O?b?vVzv8)`ZRynz8 zJV-(T9Q_Djg!bOIluuc$ruAWzwD9c_%}oCS`S)9@2#XLh=OuTfw|txyOAR-YZ=BO& zxKB2UQRY#BdT(Pfy03eCy@J+N^}|0Id4nWosP>ckutLU9%rME<;PF(4>euyTeF^!r>P{0Ye_}rCCEbp zHRHTuqbj5r8&c`Y;81xSYRY-fxr?>GEWg&$yQL+`dFvNiRe)=O*CDgAyyEw7|5Yk^ ztqhvFat8>HZhb-8<6|`Tun!m}{`MsZPGBW&ky{&}zJL3#ZxB?Yag1#dP?cAB37VW@ ziBXF>uNaQ%`-!)iyqG2#BX2m3UP3nmmjCH#a{4vhzW`!>-L=f2Vj|^buP%)uE~(|o zX$1Kw4pi3kkc$FPpj6lcctXw7&urRX}jjXs%EGa&0rk}i2BQWFsTNm@XV1)wGinABM=KazD zr4k$JB_EQ+Nf`_w#D5hgupN*$bex9H`i%&y7ek}Shz;_*+hbtfS!j;?-|7|qHu}(# zkX~2_{ww?6!V>Ir_Fh9~8s;n#0WmsioDRw!yO;8}oMss$Idz;7z>uG z?^-k(#VN`bp=ybLa{gFKk?Z80d~Ps?Rtuc`V&>tIiZfT0d9#G0?BMXwi||HZYhY7R zs$N%36js%81Y=czO2wN)meM&{b>eHN44rD4s;+9f-*>)?UR*n zPtM<89Gt#Bez8IxsnWjtWMv&2>lvVA*v z%%(dIOcPesgR1_Y@soq^!}tP)wKn2iWK*seq^H*j@6p5;B{4bQ##%xUTr(!@wwF6U93+&F;nGUc?9BwLEAQDUpp(i$kqmJQUQG*Fcf>p#}k z?Y1@2o`3!E@Xb32-tCtZ5cUZZxT5mK^V5)}`ZvE_n9lM| zCN{WE_mZ+sSfvK6q^$R zT`9^@Tpf6GoHgDs*dA=l@AUW4^arD@uWzldms;{k!gBqmLP3=OUSHoXJx^9CDR@Dl z3B?Y6x8}yp;)DvWefm>TpG+X4zY%kb{#@&V4?7`qS;y3A{7%pS14#T=& z=hU8fT`xM`vwkPYd&J$=z2dG#Y~VsCt_VWVQHv0hjBkB7L` z!+0=cq9Ce>;8%@DMArmXCV5CCn>CT|bB+XUj$~iC{R<5dZh=LYzXgK!zy2^95PdZt}5N)6e51Rs7 z`h3W-W(*X?{XX-r31IFl7zCs{ns~U0dfg^^U(B5cr$I|j4tVVr;3;``@kW`8yj%mzdP$(e%i;Qe|B;CX=4f@k1GHQmLt1(*EzoUH2pwU z!&9ot8vU#T(Itd#9g@1%UZ*WG=vQ^h_;=0t>rP>55kTn;J}yX%Y-cJ|N!_>P4Du3= zUV?#l8G5cHTit`!6Oz`~ElsYk2eyfmTOQqQsNj;~9m@b{PO%0(Z{4ay4*x#l;T6kC zJfZ^#)eV!evJ_QxBPK|QLE{CHtcL^s%#RX_qN;?Ril;VVZY6MJD$uOpqmULGN!+{j zIeg^Q&zjN)+(koTnFRNCQn6Hw@m=Or`zCA#fd+?|5dM7SM&3fLGqS<6Vq@yY-LUK4 z7)_+Ws<;@>Tffn3+S(1;!A?8)jpoMj_FD)6@Ifz5i=0k?KH%L-2pb4t9`uzO9tE$} zvZs)b0(c^j%x5NhLS}ODrh=FJU6~E0tYkTBnQ}nW0q`mm4%7M35vu9YF&^s##cEJp zgw<_MMMXf`$#qPf#h^+hx*#<$8cETt>+OZ|wM?Pk>Eb*$Ev{-2x6OPj(?{v&8tS;! zy{wP}Xb4h2^=`_yl)03<^|Gfso&7&F8SQq;Sa|bQ1PvEdGYfn`-o&gDVDKP4{4sM z9&ouOJ|H=!^8g#sII+JTzdbm4gPndM9YMvN;WjyFfxO)A@+M$F`}sIgMQ+4%yYAVh z-#2_P0K06&LYfODHNqvXyq}^JHzTD|{Wy5-X`GO2n#X)BNWuq-xE=n4$&X+l*4@H& zbm#19Szr;>0f~mt3_HkpG{s}UTEQa$EvHWp-X3?(4-SuCkZ;e=j-UkD3(wa1_+ub1 zd0V_p{IdQlTrHm-lix{^lgILZ|4ttx%6^R5jSbOE_+V-RfPooVh5Us$iFnm9z=-d4B%To#eh@`<(_|l5IEIW^oNxUMO{n&X*CO*J8^o#h z8bYqRKY*##FyKtZ4nBIc__PprOV4WQ3E2Q@oRH!V3(zk%~$Lg=0%o=@*cIUz0<>N;G6 z(BR}boK8*d3sILwMNLXd8E2{?{M50Q5WVC>Ngn6Pco3%~Li?L*JuhQkiVVNhykA+7 zdRk_Y1lh{q4Y4+BL&_R8h{^XkxI7H@0GN`6j%2> zDvm|UVu3&gQ9plG6)B4JWYr|FdzzG-)&A)4J>lm6)tnW%cq9ZRHtV#4%1uzesp20^>XsAxouFfmRDxlV9#97BF5i zA<-nIqd0_mS2iN!I;QqY?2l7m$pV~>I=@@H>)=hSFJ*wIj|-D|WoM-;(P=}c61fFo zl67MeHus`L_Ese*p-~#sEL$qifT^s&xEFfF&!||N)*rx<_cSgfa+eL%Fx-H zNPa#o3fR;Jn#%-aTDI0l)KtrLM9C4BfT9IRz&76<@+S4k zB;-JMMvX^|{NjhU^ZmWxS+HqI$MsxHpXV&+Yf$MRmSoTabpQjepaoJ&6L}9R2HjPY z4+!zDZaEjlZ)2#Z6Kg8~Y_-doyh;j=J4`V19!*>}rVCscNFKIT?Jia4-A_7xOS5t^ zP`Ug8B(_@7PP5(vHy2rzS5r}HL=0Jy5E15aR$%$9`b_6lH;>t*CNCzJbWO;hcQI6W z=T!9QjC6F34K2?(vvF#M`wNIzZ#;Ou0;YSvXf(~>pyj{@p06C9op#RN9Iuctp+Y=g z35UV|auMh;LY}kW5R(rM)SDhWfXUL3OOP{Qs7Hb~bi&8QPb&8K7{8r@2v8GvR0HMt zAn?LZ`Ct&Ig8-ijUefUDGN&Osr-h_^9H$a60MGET7yp2c#=rcdwF_OpekK22{YPtS zGyJ&yY5yN@{=G*2F=9f{0sBY#?S_7-YPK6Vkty74sFi!0u%UOMRB{E^jn+EcANROV zBOd0Ato!-O$?2;zTlafv!&^D)lbrSKo^SYb!f{{JPDSnj3zIk#EclHT#k~3abZ~Kc zfAjg)FHH5K0pCl0kEOmdE{YaZhiHM|DTelNK&{IEpS|~QYa>Sz$M0{y3ayj70YbNJ z2ua4f+4~Y;GJGZp9448aXLb(DZrSclyVcWbL)ege?cYZwsaxt+|FAJ6vx}d*onT9< zQmIrbmFh=ZRhgTo=?!=vkx>HiKJ8YcSbM`kI^E_a!S-|2#+l=YkI!N1&)#bE@oY{# z^yHJJTc>K4e}>*mcWNH+Z;q-7A6w8r@G_{FT;JsaQWdm<7Yh|ypH|A70; z(VL%|o#P5od5YJhA1NH>syp9V@;$u|rG#5>jjn+^4jirmobR8ZoYHyDsFMSn z8Ig=Z(d*Q_lclax_xbFuZv(ECTvIsMau>*=T3WqAmI5CR#mMmpk2Ol__!Vh-_G-@kLahRF(?90@N}5XD#6n-s2T8{yW3r5?f~2f97*{&55ov$<}7I) z&ls%+qXKX-eJ&+VWojoiYWhwnWQa&%WC4CWc}J7em@pD1)zC|T>kD55ZXvz~T)4-i zUbjBAo34hXz-7s+p+0IJIA;eNaQ6TVfcsJOp)g9#%%j++@F*Ez#tbo#g8+>Yj!>KwHqbit402P*6%glRS^{K<42DmQ6bHMEke}jgG8P>dx<&3ezI`GPG z*P!)KL3$4%Gt#qHbre=2DZiJTyO1X=FXeM88*hR(7|A6-rCRDX@xx}704@W5rp^vm z>G-Zt)Q2UQsF+*PO5F@>E3-5qEVzuL#juVz9++tFyl;I-j0j(R- zVP#wtRmyPT^e7;5OI*e{!GRy*H#*ar;LjmWVhuc72fQ)U<}kVo-mOQ?&ch|Bt&^2Y zQLAC;9BOyL*>$Luad-~3J7M%PN4nuniT9*(aguI&=^2r4R>Z0i@LIUS4{r&umB0&r zVHy0QH`$6rF9j|=h&0X5^lP$>v<%n=z@=eR1FkdRrPgMxz)#aCh*RnbOb!C<&visj zKOBI8SoeYmJz1eYt98bkfu}$JHlkq1k?E_o1h^T9^VE+(%fX=n9|j~rH}yz2z<89I zgryNG7f7%3m9jZYqxU-KTzCamk}t-P=+^N0;q)`}BWi9k_1F}EXN6VuRt5;YI_f^^ z?YwYa`3a;(fixr=Gx7<0WbDszfW+ILx2e1^Hg-IjN4;# z_1>}?h!m~4>OC^h(G}(i;dCTi9HmRW44pQUt$_^BB~mj=evD``6RwB>_@1Qk(+fsC z*Q8`oIY?cHIK51_Dsv|CcpqKYzgwH7J7fSj)84=JBnP^0xb4|mWFGg!v}~!uNg@Qf z)xlKnC*oxsYy4I@d6Up(3{!eM-A;?nE$Oflcq%W}1Y9LER#rUw8;E#JNkz0DicEUB zN5(ocb}8`WI;sE;Iiu@mhK91p-tnnbAe8|hr@hk0nsJ)D>iCrJ#o;>|k|7+MGlIQ< zFqSC_5_sqb<;KKP;DMGtdH~nyGpJ`XEP0DkdhhWmIygQ&<7&rLC@WVpKOqnqxdB=q zL<$=u^qG-)dy{icDPqRsSP3$P2Qf*C&tEFds--X^N`oRBz-xOrPAe>_8i*8oXasW+ zr3Pr=qM=9w#)hzJP}}xK`_cwnB~&`4aZ=8MY1$>ovRA=_FS;*wn!h0^$J=V)s+G)R zzqNIE!ZrV`Es&`2Wk9ds48bAlb$6a_t{+7WF@f#+a1}W9R(OdkUCoBrn#;OgJYsy5 z6+8ccV;_%<*I9Ifjv&xctBDR#)6g!f>72WV48Do@0$IJ*qvHj~dzJLVvf7UyPM>gn z?}>1Gc$9t3zZG9P0~N_BtY9yE7v=u#MgfGilyFBmw5v zcN%)a!UkWc%R~-MUs=V$kKqROUUZivR}+$v*r#5Gk|M*8^a{~QLPV-i5>IG6mto?$ zMZH12Rq(1qEb-@rE|MH(HzLVwh6r!Q5M5YbG42F0wt%bW`79=EMgvd11ike`f4+c# z21dq<#J?m+wk25te~GoMZx}M)BQfz*!^t9$m%Ev$`ZK|P!0#J3s8@>^Z@Y*|BgACe zTD$~&6DPn`gpNxh7Z8gH_WXK*A>!Kjr3JhbF*5r}bYyR%=Q2J$6^PjdhJ=x}trr`) zp3P-Q9fDT5krNwvJPo;VgPyHt6XYpplN(<}Y~&EL%8jogHgbqr<;GVL8#%wwF;ctk}TX`wqj0`GIODN^agQ<7-E#w379T+j=1&h%m* z7cdkltPWqDf>VCt6Lu2nr~;!28 zsdVsaDa_HtlBl-{k(!rZ2#pjTc_ z7v(1P&Mw9br`5Kv&2rl+WuJNskk)8v7gxy(Ch2Z84c*GxJtY+opmMwlHgjYeE&!W_ zDi3|#^8_qkY4BI&Gf@>cHKia_@HUq*KateYGY5P?NG>D55-5o0fma41gUooZVm4)Z z6E2nVXf<*Ftd=SG(*YjO$N*T{q`{c~;7rm&w=vRNb0IdmP6*>D>~$+0ajU7oN0b5a z@u44cG~j)SQa(^?*3TU=Ef!UUEk zoO*CjyqHU|s!rF+mxmh>O(l2b(kR5lTZA4C#};Qk4TY?k9fjQ`{q=Pe!U@Ye8Qj3( zF7jcb1)@yA6Z!3*Fc_^JXt2QC^_ zfv*Mb2_Duiq5Jg{2jHa|h%=KEsRb_ZPr(E5+KJZyS2U>wKE@Fq`^j~x2ywE5%b9k> z+kn@c`Hf}{2l`2r)9_O?q<$}cUm`TBTJe*bvKubuBNCrX_@xy~Tk4Tgqs5QHK>&V6 zGD>54dyx)&O6fEp16enPgdRMgOD*^{{D|bQX#eyWsTMbAsEVzKA#mg~cT96~ZVA}% zHgFOKQruZ!L-m04R=$`MPo(AtFE)F)%o6ZNi}6S0fL4Sre$74Yn`5W@YX#swq-vK; zUjUwuH1xfC5xWHNEK|H~=6T@YTd+Rh#yztD95e&24GHp>kiC;C4OXAIx-~!g*6{7Ck^3|PxwU!9e8_8I@7ol__jmT5Rlb`Q;D0Egz!Eetu(=&IK74ht^x>-urVoXasnMC# zIDE?n(4s0dP!w`92w$<=Ec`m<;j+T;!#A(3eAsnA&e;I0Bm>_gN8vcWhFjxLmMvkRRsd?Pyrud#^C7bagnem1) zFV&okXE^lP{GR5V1HbfQE*LqD2|vF4aB83F`?EJlHYhnd8bL~r$Rn`wEQAJ7*wJJy%o6ayk7(GG(_lK76MZQo&^$RgkJ;jg1T=7o>%%& zje1`RoNHqPc(Y1#=L}{zCSDc@E`3krGjf=vDPYhL>h(3tUsR8YG}YxEL==IWJd0F5 zOc;+8*{e}wymD_P8eWZ_idJ|q`3JtlCsD#&2uLnxFf+6?vykxq=^F-A55z$r3gd6q zs)CHoN<3dRz>+<5_=CZZ$^?KKzYp5M=VM|j=gr}oAt#dZz1`jK8+z*7iSTJjEQ%3A zOJQM&@b%}oI?^}iJ|jAaa{9Sm(u$qM;Wi5(2O z<`*)6mt_}Pa^@D`_6$N+;LY*}H2_|dBgg>0T!x_Lz{|1#8Nipz0aOY+6_uandA6$n z4g&ITbC!Q`ULANoedRp@AJdqeQW_{PB*>zgz9nOJ9gelKk5F%9j6;wFkbWV?K|q4E zex{D9lT}7fb>@#Dy$XmoCC&&l(wWgK$D@w#B#V$Z`tdfQu`?t1^4j6LG3$sK4tvk+ z3H{7T{bT;AE@12bz5SbB_|G8Z5{VU?5t-u?6%T?Nz=EF;isU&wzV9}8zh4fG8D(}f z_z$3(ZbUd{B2piVY}U#HZ&RXGm3>hG6&V;Gmu6rrV#ZkBg)d#K!QhR3g_@15nLqNY zYVbp;nPhp0pvwH<2Ss>%gXs=!09a@~TyK;mnl0$~%o-Kcko#nwl*TBfiB;|hsiJaP zA@s_$(r}*=QVLM5 zP{S%wEmOprYGMF9CQv*5K>74F1upv`VP7zTTcXwNz~_Fruj)xJ1AOj>S|Mr;1+Kz3 z1zw?mRst_gaJkHyS16#3fag`v6@eEN&}y=msGzq4uFbm&c$o^i6z~cKv=Vrk7Pu;K zOaAox0=`}aRKt_qp8{&m=qqcVMP%+@^(^9WTfI}qty%W(65X?i+FBIP;;?tBby~oE zMU~USa$i~BG%>PTLdykQnYy`@fU8h80eDW|OqI>k4+mMGjUmpOX`2a&=Y9y(dJQEC zi$Uu*=satLro5GUN8OOGsQCmy@P=AAqU+&zXEm?UA|&V+OHiAYcV%3k8A-b_6km(j zxJ@orJt%}UBAzJ6?lgbb{C_{3oxJX7FrSDQpeMiVzkLJTk<0r&%;p7xrdgj3X|JMT*Ml_l>oSnb=+&hl?OJsn99mt$6od>y! z4(*52m@||`!@7Yu#CSorjqPzPdZb>fTH&cBR4oH|q4ZOJODdT89C!8E?dpM>_j5a3 z?Jm9|$P(aOU8}5KqA*Z;omT8>l|oSlaFJl{dYT7#7MSm4Rpl++VQx5z2#(PuiAOl`=c=1X-OCmM=mv8f`V+zukqU2U z!F-sGIwAqR5*a)`;dvAgD4IB^DIThPY zbHJp8PSxQvy*`{q>`Y&dRl&G)dF82WX5GL;-)#_;KLb$3Vkg_vxy_R{)<@ z0e>CSMN|SEfIq(-aBJ1PCMEMK>gB=6h6zkm%_{+(tD2_+w@0_20ufY&`v$PHij9$~TS=`+lgr&GhOttMR=#LDtsIu2_q z=v4xxB-d+6K@gOUunN9BouDDCVGF*c5ge|QQkl8Yu z0x~_I^MH!(&Z`1q_enmsBK>aA@afaaELR0UtI=;MK&6iA3Yy(9T>;uDFTh{{Wc5YY z0hQ2hDL^`qACn}4l+8z{XGaJ7=SPSAJK=Vng7q-h!}$4mvehQK6u0E(Sp#z|9NMh> zK_Q!Yn$N#7oB0y85K2+{N`((f@mWi`gYL@Z4y+{lx`hsGD1GG;2R4+xa&ZG2N?*CG zfwJw@7c{tsdIl9Jm6tNOL1%YX$)FscuUommPNJ_`v%red*R57yMd|C-DX^mSbt@DI zl#+m%b$7ubPUfoyS4_P^q{>_^l#z&fD^zgSfQuB&2ddJe`Oq(5h=S83Z6lsLI2DGO zg$PQxp(dB|0`Ps)EF|z~06gcD*a!=Q6KZXtjf|jNf8XoAtx0-X4?J%PEp<-G0q=FY z*1X0|fS1}qOWjn~IP+2~XsN?W4*1^EGcTz&pa54F8L*TVfKl5Gb$x4{feO&FjVmgL z`y#`t_Tq4*M0xR%5Q!?aTsZZX^uTF?yVZR5Z7elB_ z9F7CZ4~A3Ge(*nUzztF1lQv%JE~o*A$G~$u&FiEZyt21Q4fyx&Gq+d&7@Y^6{Zn5B z19&>q(zKt$hR#6cz~3`|*PmAaUofk)#5#bVY8Bh$-wE*X#eMdXJu~naE=nP+sn*y;7@m}ZF+X#bw0Bi63gX8 zSP{74J!=8J`txi#aJwI^2K@Gqv$eo;9<>_q+ds_$@YGS;tZ|_Ycce_3DYwCk+J=Vr za2pNh*YY1U#^ZnpZ>TxrUv8FTW#Zt){-xz1(}sg+ilBzqkj7I@O1Xz>m}XEHvGv8$ z231R{^#1IPwNuki4hLp^z_sD9kS9R-$SdLyY0|w0hY~S=dmO}NlL0+6SGP(!3{@qc z997nW!$&Q{SrZ(LTKl)hK@nQgqH-qiSTh|Kap0!YveRJ^2c;xf8x9#e z)Z>sN!74a}B)OvTN8#UQas9kOugI9r31sU|y=dNvUgAk#IkHxY3~j)rv_uoXh39|A*?DjLOwkX)yc4*X*hCNU1s8`)mHHg6+;0?$7)d`S=u^CVW|_xHL_pIX41&&;0)Cy6Cf zUGCwOH$<|b36K$je$|}re%oLP=gM5EtB%&B$lc%6Yg`FdcUxY+3i91PE1Qt>kC3Gd zl7CmbV-9KZTJsfHq{)NiQZJHAFiDe_$2;SaiWid~l#pDP=Xe#^?5(5#_O>457O<9A zk`(N^JjKhw>hB{d*mZe`r(o4Ten}muHE0lnkSihW2Nq3##ZBK7;g)cazD5Ldtu?Kb zBQ#dd-9yJ=1TtU01Q@?=r~mwIh;TezfC7|IG=$_Qe#jCW1Vgvgdi3a#7TD;a^EZRm zxv2d6Bjib;GNu{fPzBd1Enn7NRnfTH2zyXul@XL&Q55hE%Lf3p3`UbOv)>vHha=2p zEgc=?IG{$ER6~DnAtdIP3(tNDUY^CDA&mIf?r$&KrVsr*!Xf;(t#vX|BWTX?FW*s5 zM2Kc>jVQvGpf19%wsMzzhOO4|L`+_Jw&Nh6R}A4rLg(Oc47BxW*ojFJ`{WV_{9XkS zwSe34a0huczGK*DWtPMG6RT#z!a=<_#&Z8Y&?rV2|d?74c*FQWgYV=uD$tMdqZ z9$%yl!Zu~mX$HAkqL?ORoVZ*y3{#c^N=TmonS}}Bz9T#){Z`6F9~UDsP6E|UIS~ZR z;3fXI<8aJgMmU*u652@u=JGF)QN?A{v?b z{BTXf)3+7UWnt4Q2A3*65v8Hc($ie%h{^K5TSzf_zs2PP-@i*_CXjvLKa!LC(7UBZ zs|>hTjovO;!bg=gq&=>vtHxO#9UU0#N`W#$jWSF# zUyV%eEI&#ng&NhbcukVT52sHcFAnjZ@U8PiPyK?~6Z}NLc%oozS|rt+E0=!A^*iw; z9??Z2YRNH@EFw4CFxqx8IUXT1%|PGW6(HbS#@ab(e$D@MO6n`EGr4t}Z*$7p{-m&$qLFZG9uhaZ# ze~a<8+d2*rjXj|@cocMmZN&U}6kIEX4^1dnY^13W=bh9X%W+n_Ih*ZH+vdAJhHY>B zx4#KA+vwap-sIfYMxDnyXcQCt@y~#rnczZ=AvmUw{_^&hiyu!0=kNC49{p90&LwJg zRPe>fogDnDKI*jeYr;q;QufhOpY+jR{&u$i%f;a6?8DI+{O9=K=t75_>&4aIl3u4L zXXk&lA;pRDO(LeTLc&_g(c{Dvr?*h3>3IVrC-ko88Q z2-bG3$+oyl$Re-sP%xQ53ob6;0^x^f0!6XtM0&L;*atLBVj2W|7#b@ZFo(v3{(!c& z{^tBZ<0~9{#B;W`wje~9#B3Xy&i&~uL04GZd1XeLt*!4Cj5w3Do9qJD$nUncq`Y;} z37_$m&!mfCszFcuAP|C*GNJ%x+P^Zt=vs-NpqPw_e@SFIIo>c0+cGF7Zd(#pUtX@w z>w4v_S)|xdM}znh^w!)j(ln88&Pd|01Tw~sQ}Vk)4!Y%Z1ID4TL{xI-(9W-G0%@Ir z!Xv#n8hIrAfMn~GomFEIf1hoy3=J+01SUc-SkXzfHx3-`t!hoosivR>QUV{&r}C;% zZ4SBJ!cLH7o1^!POcntO{O}`dEs?A7=rpgwFVmaf0FK4v_z0TD(qxp@e>{Bt$e)}s z^o(4Rn2}SiS|8}@mOJ-WhSBYIyU+Lb;J@8&H}~J(UiazFfAn^r?e==ldQW$H|IzI| zf8N{u57b@jOiMlsmf-k5y0?avpWGkh^9cRFA7VN+E-I1<5O4t+2+_i%X#$i2&`KVe z4O?3Xp>vVjIA@-aY3E{PXEmrkm7UNJI3iV23OJqrapTNiR~2pU5S80!y?BsK2^SGehd@ z3a9IM1{LWUVN&ZXBF{;x>1KX7bz7V$TkmK>wzgDAyl{x{IHUQaMM6Ar(3e2;nX>MR ze!@5})^Cn|;Yb2;Za^0oAr2FmAN@d}ZZXSe3KBbn&-hfateUsUNPrk4!9-Or9t_?X zHhRU5urlz@q^lwwslth^aw@#gb0GLU@}v4;q0FSr3YhX@I?00>=D$siyq?9hNE~SE zJ+rEKd?m;FFwlY%%}fc!IoFz-i7Ro!@z$W7Q2!w&DoZ+ufwm81rd(F$RevioNy+gE#%& z{Lk8qx!k!BlI&vaM>Bp!Lx@UC;iE??!DsPJK>qMq-roa2t%!9YUk3W}g~R^ylKpr$ z)km>Ek*}rb@ZCVTl<`0KiIq?lSEg@?R%T)#@db4Fzm5O?OH3mASNF;0-`&rjkuRUG z%8OaJ9F@i`|J;&L{R!H5%;omQr;GGzBzO+JMBjb4nUWI0@mJOsJ!az>nG;2fFBwtx zBM9yjXQ9dx7SJinnh2^~1ayi((gaGz81@gDD4w@U{J9@aHOiAXrg7Z>(1`ahTAUx7 z2Iea=!co*g%EVvnptt_-4cTGyzZ;Ij$&McLB}RXGiP~+X(^Wb%|Ly$t1WcWe8(P+F!<2XJbyTnMY!QAW-bE7QknwFz!Z8I+hNg!9ap03M zxtQZm7bEIjUqCoiH{FX=GLHdGqZgd_7cs%!g?#xy==*NkUp0s@V;ADmj}RKbcFVUJ zQ~J>-7cv9H|84zm$K67mtd&|fFcMuXVjulqju!+?_2tyz%P+t<-03vlu6<1q>6S~~ z@W^GZj>zL)hV~Z=DKhl#1Diad8A-CWK!0;If#{rEk~sD~;=IC)IPc@2OzQMIoyTB- ze=LP(MB_vUTL(3>J_622A7_caAOTBotRCh^ns+Y~!|+)(M}Vs+2t5|fu;&?AOlWKh zgfGH?wBw>Gfc%>paFcVkviT_EsT8z_F7az&Bn~iuzq5zN0F&ramMBZ(*)l2Y45(;}e zOGt!zZicktO(fL^&*RD)B4HBygo*3|Kxj0>42=ln_DnJi?Yc7m*e*H^RpZL8-+~tW z^y#ie$9>Vga|O0!)ltd!56UTg9+cAu<Ve?;O47U%J9rZHv5Kb_e01?7|}4tsv6;}N|iZsAPNxdNxwIDTR{LZyUk>W;(p z0|?A}nFp6*`P4+_ko`EYgXpbZHnxIUQaK_PzHeoe2m=O5r z*QN>M>WCR|V1yQw=yc<(%r`&sq!AJ)C|-nI!1N2mY~Y<=hwIB6-L1az67JW2p?dh- zkgWgLM z0l!W%;o=TANL5pm3H=%enJW=*i9(20L|KIYScNAuaB`82;Ud^||HcL1j{CP(YYQSK zWO_M_LUN@S*rBm-Hw(Dtbq$vn9A-{iS;jLlVNmcIMHt%J@+e0d;mL%I z6As`{TU)Iyc*WMy#A$$a6#EojP+s~~cjw1%kI?Y|ogMwp z`{T2tL-fPR8QOn`P+ie@_{`mNKMiG;LiMfBVB`@V zf8;6aPXO2AXQCWt3e0t0gy(^OijuxSe*a( z_b!_$?vosst)svR?1fsjDQ$kNwWatE03R+yoHM^mfOnrV9u|yX}T6M;hGi+d8cgPD5hf>9mRY8I#~pPs;*2vK~6Pr<(Tt- zF6j_)44uFoBJ`ddeUg7|N-Nsd7C&VBTOe*2gcta8vaP^Eg3UQeFrNt^k*nr8o{{lK zG(7qwO#HHJ(NIx#DC#vMfd%?6BoG*GBIbuh|7q z(W`)tKZh&$A3Z387XhET{` zPb~Vf%O^vn_b#6t@sKyN&`LQAd?XPkEaa^C7;?A(U_&eKogp}KkqQ*mXY}Jf`soGB zDleqTO^uS@66Y*|9}QlL25hK8EQ26DHWcylWyVw2p$#r&Q)4%ut8#oDDvWnrbSh)( zhhnXfV1Z$_NrwC0+z*Gy`70Xc83VplJ@~)PLG*EgM0m*3y zk7LSGscx*o!HiO2t7Iw&C*320WQto2Kr#dCM&8#&w?YgvKw}pj1iqM-pvQ)IX}}?v zt`Vbiu|-v%T^F4#@}erHjLDo{N|z(vo-?Ns<~q^&O%}o; z!SF&p@r~dos4Y%mE|ycBCBW0RbX6BI(n=c2eSF5dyu2oC=%OF6AIK0P=?5lGet{nB zZ$1+__Maq1PhE7vr3e7u7FF7H;=eye8=23)V)K|dB!q}-e$Vwi6!>EjGP3ES!ACz5 ziHO1x#WCE>ul#@V^BRPXPKiu%9@6l;1YOZMzE+NS-z5*Q}QVh<_(F(p0?HGHoDzbGY8S<`YNVZg88qYgull9TnpkmVtKaz zOX}$5T+;>TkiQPiEhlz@K&yTyJaf^Rq@?v2C<=XD-W!6GYia5nr?Efvxk||ei9Csn z$H5s?q6q1g*hhRHBqB?K8YZOi90!~~{5}WnY>uMI5>4>X>D^nl4Q%a`+ z!I95EH*O(y0QS*yx9j#=o*ekLdrxFyQTu5-bxfN3)=s@{vDXXn#Xs;RK8dnk zpXQ81nYPovKk>%!H@`V3j5G64AMO5uX7LTIzqbG9#Pb*PbqRpl{ogI<|Ic>z9`^rz zeAc!9pBDGPPVLTlQS9`rYU4c3ZJcM7+kfYeGl_3v{k8qi<~RuM@BAYNAGgi6&eO{M-}~cC;+t51zW?RBZ+0E)fHTPLL_y8|@AZoLANHO7TuxyXSUW!d)d2_jKVJG@-HflC_O+D3cF6F$u8DhnGIq>%|`6fun`c z#>v^?tG9zqnXNcPWFE~hgTj*FN)j@ErXFiGtRQ&Pm_MS)c1+qN$a1p z6@6_EfA~~=YURJ?khCg{YWct0eb&p#|DA4k_rd;qFP}$`(CdJXa9|dcN%Pr*&*mxQ zDc=SMPmw|}a}l62I0Ig6^PRV41TrML(Jal|S>AF_#f$R(Q-KQb90z=`h+}?kWX@*O zN@V-un>3rU@ZG{wa=HitnOnN`=uu0I0t#=+>3#J1OY0Fr<`8`}zgGW#hvy_~p$*xG zZ$%BM>(ksTUvZcgLJ6KKoxt(P$j71cy%WE9+7gMoWiz7sC9-)$ojFrxgbzB``0qseJZ7zvZ_#BeDU zj5i0@ryY-uS!cmW>`WKFM>+t2bsj}AaiRsJxO2pJEtxkwN>S}29h87{5(#xCxR&nB zoT(6wV+;wK@|@tdR!d{<=H|uh6H74r$kIHx#EGcqq}oA;&qPeliDLf}C&W=}-BGiB z1oKV#mVZ&jw`w}D5|HOn=KZ_^*9)lG1(7R|Kr_Zho=qC6$je8M&~bv2MI18pYJcz} zY|MB2Z;z2jMvEz=2J%BR_e0+!BaIeS8i;J|0ASX6#D{li=!`I%IqA5Nv3RtYrn!kB zPCZsGPyGCYl}Y88rZTED30a=m4UlW|%oHChXmpU02NTI`$m?YygI=o8MtX5L0vr%vz)nPG4^pX4IuS3+<&{lq0SlV8biB(tR)i@GYYDv&XN5QT&w zHl7i00jZ3khD)2D%^%xt;e;(E2=+Le@=Kc|FK-%+=8GWlqkuRm9B~9c$^b(OYe4Rl zdc~RDdSMh{;4AVe0r(bb<@c=I<9*cYc6%*@mher6vG9N1ACI}TxIMzz_tI(F!D8r6 zOMW3i8Ca`o5RV?AcQS?(7Fsw1l21N^%+$(TTMp@}q?SUD6$$A)pNU!>P!K1r1(fTW z)&_zTTU@AHE$udMMQ;HF%)t{WD1AIx&#DGj#G361=uEX&xrXgL3 zuu(rjbLx>kqTx28lgT#t5+~#WM^SK{{v`tGMf$`s4lJ66#Zm$*_PzV8Bg0S~u|Ccf z4%}HX4<5aKf8hMQ|HgT9^x^0YM>|9A0C4N0Hl0k`0^ASEEjC<$vnQRPp)t`R^2h{o zEkeZYwh+ih2a(|$t{-p;LrDgmCb~^Uu*AvvQJ-rbV<<;{$`nC`UFvteU2;UWB zoMnTe1643eOESSZz*VW6Co~rGfU31p3g~ztsPpQ>aiEPN657wNFSPIER!gq}AaQ_` z3Y%>i^NbNuc6PLX`1Z)1dyixecPE(?kmm6g`xU3KWH? zCC|SLUgbEL7##X>AK5Oy91Ed;t73iflHw=c2;q3j?g&4fM#lhcKc2F_feTitXVaV` zD&9|{BV;ncq8?d5r}u{L&p6;z%`dB&nn;_BJSK91SJ{;}&tC);w9jq#iW2Vhs? zIv5}9b6ez2dbOBLNX*)O)ZXiM-@a;p;lJ)n_07K|{B%=^m!m}@qO`OV43ZiwLa2{3 z6Pd4AM@w(p^Z*g3F-)NB_ehxsx3l$5& zubh@%H6+=xQ$nN}%MoN1j(P;86CEjynUhdwM4W(Pk9b)s59UC*5+|AA5G1xtB&-bt z2|jY9Jd(tM1iA%Age*Q>Pn(f2QKxGud&;5`u*0J1#cYIK2~yn_`OOqU6=jZ+T&r5< z%bHg*9*U+vj$OO>E*r=)%<&>bIFaG}BTADdtFDH~uei$h7bfvF7*ZU8lQa|84&~hOyO3J0;A^ENCKQT|FJx+fJj2N^;MSb}W$K>F&VxL)ar}_$jWqOR7%=r9 zY*JK`Bk|k^!^JelV*)0`Mz)GE4aX!(Scemfi)Ge{sQ91GBQ>f|Lx)cIb({&F)P8u) z;hpMrz58gln-|9Fj%;pH`E6g^qfRN~@UC@cdO%5xL1$WUw!nBh6EmJ z;-ruEp6>3n%ohi^B&xE&;wrE7s5caQuVf`BVRBaObQD-a<9kX>*_k;ZNjPEsaH_uR zJmMod93PHwW_4E>_9gbRGyuZkwO&L}E1M_lOU$8cds>S^;(DIu(f1i5{9htl6<4y9 z`FI;Kx(&3Dc|*6g^!t1Vi5EFUL*$-GBQ}kZ3qBsX5`O6O7wst^Pg9dr~fri%csUkK<7G>B9{|50>y`c{RS{?0TZZY_c1G?}W89yEK>k_%b zLC|>=6PCpOIFacjoe7Nrb%nVycG+hz08GyyV}^LEaZs=8ivQzBy7ks|sxtT|=z}om z%a=wZo*G4MVrg#KHl8JA;XnPWzsmN~K;CxRwl3}Vw&d5;jOJZ)opCIp%9&3?Kb*?3 z_;D$WJsVnGiA~OZ5=^)Vf^8Ji0w^$xBOhh~NkX^Lct$D9*QiLLLhY1|X|%)neE;Xc zcIrulgo=aE>z|Ic`A_J-&`CtXL4wC0;U!0_gjI?AOs{=D)R?SLv1S#UQ{KW6|huw zIWXM!z&Hk3e8t_*^Z5lYePqo)cuR@gLMW|3VZGmLc(BFDsHCHzlu$7YN@$9U&nJGV zTVbR;5Z-14oqiA%jg<{gNu?AswipS#+HF81_q^YB+FXRfu768ClGda>BiQ>n_7idv z!nPNsYhS$fEfSZr=OXfOLIz2U6EeNdx!&n{euT3_!i0g7=|2^%9L;ovtnwZ>#=&rm zB%MbBDTfKHe8O5Ln*H=xKcnyn_8xv#FPGW`-hws4^fze<6NOY9_?f+p@MOaEDB;qP z&_KrXGZf$v37ELpQO^6!pTdGJdF&XvOGgX?PZa#*?mU9*1S9|kTkptfW)2QL2ZxF8 zsBhK_hpX2K11K8(oDoT|GZCeXq%-wE&QqTH3LW{U*13;<{jG)M5~$V%ts$b`8@)wD zy?vW%v7f0yMF#nxJx!;s8(_^7zkm@|A=GRz+c08;BAX8Qp2~44?6U_ZePB|>9_!&z zeXL3rO$*&>!=jr6Q7mKT?&zU(ol9tj|iRul!-F8X;U3j`!o zblDaOx%d?~%k=|w_{MSzN_!%3iT1oGC!nRZ5tsAWc<}L=OujGtjUGKhG?Z9yRdKtJ z_K6P{fzcx*V<93$qRH@DUQfg@8+l}rN4OrQ-V)4-E^8k)Z8D?m;P#1TL`kF?J4&1OqAKIMN~9g9Lg@o{iS z0(`BTB@l{CQ$>$|C)2d2U+%RKnqWUz#N>Py6E>rP*GJDlr-NnIzU{SIDaOm8vv)Vx z7z;Wl{Bp@u_PZE#C-I%#OG1l=5)w_b(bx0#*Oovtl^!2*^hOkzi7~t8|M{_ZX*o^!)uo_(QU9sDhu2x9k zeJ)mmuMJz>V@=&ioOB^l-?gs$%ZGI3WT@DM5r;BN&tcs%q&q8{>XP903R z8E49a@IsxDn6zM-j>1dO=)O+;M{WF%vLmsM$O)f(N|uFD6aV?V82{7T?LNf++{mgoLV;Bck0~ZKd{TOD@Sz2 z)4Q~+(i(}HKcC80g}!`Q0w)mZ%OfT(F*&?Q2*A%p-b=WhsAozp z_uFL{sh3TGQJbG-lCCnn=;_Je{Po$<;NoGb$wu zOHX>q3=T#AU^I+yGJDzn?0PuCnqyAt<@cqHZqNub^6V*c9FL5tM>boW2$DLo;#r(U zA;*h6pUKKAa@J~Uyj{aply^qQiRZ|1lH?jWKL3kwk&?Xp?j5-#@psKAfui_WR&%a`2VExInkIG%kRt&NU#)IhGa zTAx4P3H{&Eg!It>lDM0O6Q3!)s9^69c8yh5OFig-(IzoA7&y-xK3PI$>2j%ZPlAA_ zi-f88QI!%{_pT^xSk`YTiJW?kwAIUgJEfz_y$+Ak91~5py*oKPx;Q?~Ni>mxxY>3! z<&>Y0Is3Kyo68cMESQTuFXks9d?)|-(%vkfaC&lfof3+b)D8Bj}s^u_Qlo93aKxlonrSLko6-FffCs zbRUOGzDnZ^=J;Bq$i`?wuF%{M7YSi@f0W}>=@^v;H@j&XnV)eomI=v$p;|tlU7~{iawvHTKoWOIt4%|u169wPKbv#wAtrT$Q7y2F!=Ii za~nl606Wc2;lq`cB{2=B!L?EPC!q*mQeQ>-#2F?~lL(_IrrtutTWIDSxAnviCp5L| zd34NNJ$+CXhuxXcD<`2H@CgQABS%7UI21=~X{^uJx&JR=|GAivAR;kylW4hAFxB>- zo#(yo^PK%>XQ%s6|Ldnk&`e)wuRppIPfPv@eqz85wY3&nTXM$eZpbzi7+%GW4vIp$jMKs z`CeM2d=hvJ;h2cWb>gM>ppB7mMV8hph#ri{c(a-^*$Jp7q@5G_%nxas(guwv#+3l| z$77gQ|7G(<(eO+U5iyE!{%5!v-!6?{6#HQ^LGAx!&VRCYZZrXR88#{Z_aBjagrA&+ ziB@0M$7vQ4t@lR#Ds0wsZH)!BWW_Ut+G4ux+c1$n-l}{fnB|Nli&&TxaTLWgihW>) zG@l~e`lK-@62_crA!*uu(s2yYz{vcP#0PX9aV~2A^<~d}>U6i!UwZCyr`tyE0gf;v zPV@q|<8D-8PAm#wBDq&YE3j-;Qx+PwOGS#lHN?NwJZ>O#pI>C!Pui$`(UA4Z_=Ix_ ziHqsI_(UrwAdSE29*wnxWPG3I)n=LfOlz+c>9QWFqMi2P+I68}PU%l2C)DlSaeF<) z77-Yt#KuVd93e4>^i}67c=|k=rhNeAJM{}kY)m7v-5MC#3;HVX{9-T9t9%hs3>DQae%J_I`zkHYd>Ign>QEr;-G>p;`f07SYHY80RQt^ zxz%fhWN|28*0VL!M4L=dm%ayCess+wb+V~yp0Q`=KUp6*w5oT0abe*c4SXsItAUtI zRX?h}hjj?I8oiOowWXM-+CABQ-*OU3ni|*Ve7XpIF_-FR5Xfo(Fq-CJ)Qzb3iE-%d z2hj|_Tg*|fyAm~xJS9yis~_V_Qd#S|9GPt$%jj&w&r0dihIdA5_54~%-|UTcNzT=5 zPfKxb+OKr(6?U#lGBn}2Ml{ivYDxNNT{+TA^BZ)krA!{d)dU-jlWL(xb(N-a+R~s4 zaj%W0taqrLZdT%0Z@t7+m1|;})~0IOs?pLrLbIYSwIkAg^|IV(TE1V3BR08XNZm10 z7~w58%jYO#-J&cbVsMSNux;|*851Q#$*G%n~Jmsa|@UkbH z*KWwvI@3-a)UyRK23cxv=6jaz$P~Otq*@01VPigQ%&)gGU*~-yg~wsFy-4>;Y@}wG z$pMjdT7@+!?_Z{BSejMAsT#Gcul2!Pd#2x9LKwsy&`gzOC!IZ=Rz2-X`ZXXP z@9D_t+zZL17+8{CdAZb#5)#(qBHCrzq%3!G3>sv5j>~bt-KzfmK#Lb_e^oUMG@^Cr zVKC4gX<`*xm_|t6vRDj8+6bqlN%ySe`sdHWY3p<56QmzpG|oN7XrYuPy0@)G*#$aU zepc3wwevB@C`Wktu^LXTp5l2$^?~|di~3d(o(o@9aRD`EV?BuUK=crD&_Oq9yIT*M z%;xCI0GMcc;WJTUKzM)Jy6FK{H|X~TO*A*pdO&)YneJ}d$ni5}-P_~4BJgZM4Ts}; zcT<7#ugIC84vi9PO{;m-anpmGc<8rgR}%e5HFM%sUI(?rUVq?|v*NsSDoqdi{0mkA zzG=ws;Qvt3ZPVzNzjzkY3I4tP_jbDgD`V)U<5;fUm9tS?Q)vj%jsIDK!194BiB&d2 zkz%XSt(tnv(s0T7>f|gXag|kQSyJDc$oJ2djptQKxC+S!Zs?gHnqe*3vXbO(>pg?a zCnaY?5(R*68*M-mZPdOLf2Om*$;?fto6Ly#3bkcYjW)mMeECu-VYA_Li=SLa|c6<5w zkEhR`Kg56B$43iNr!m@afA9ms+}8mep|+@HkTX%YH|?#m`WNj@i`Ro$B_jR3P$?o8 z3~x7F!-0~kT>sGzy?$o-Y|Tl6`Gu;VmOXD8{ca?&PZLLq{9{p6K2A1)0uK zYbj#`aXB?d?#tV_FfKg)NUpchV{uSxkItZkG#Va4LHRJ~2C)!-BxB(P^pby_suPxz zK09~o`MrW}db_1)R@fTpU0w|+NLAG%1@p8pv#%R=`0)8gK1-bcxd$z$u|809{`YpC z=JS8;?LE~0zn{-%EhxN10g%xR z*rca`7_xFj1;VNtRD(m>UC+t;a6sL|X9@XlzMMA~|F!b}>GN(u{_pHP$p8EJG?4%0 z#q2s;?q@dJX1@pg|J~_7zi7vU;qs6>73_{7cY3YUJxcz_r$N;@P`OfKh2V4;`5}(4 z57To+itz|1vu*Tvbe#~U$??yhA=RSz9ew!%C_Yx;Ng{u^L8E6+NjT0UTa@Va2U-)B z`?AzQ=a?s*Sus$IBdoyi`dKl|zu2j?g#4Gz0uH+zFJ}R)mH&Hr`M>l0`ObsXlZS&0$B>C)y1&{^hcJ&x#9?#1j!Log~;i}9Zky&i^w>unWfou@B z=5lMMK8^WI>jGyLlp)keou0PY+GgdLWZ9#drG*3d-{A0j_$+h&Gg)kEN$-#P`(LkD zxc~K@KYcj=@8eVD_-@8ty5;6M(d6IqFc&wrlL-I5AT2fd41=^{Nx#hPUe88tGock6 zVN0veXi&8_^%&T*I8|X|@rnG}eEjfP?X#5p2kyt?F5IK{7M7-H7}ch;&bcDg^$3-WV_=o?tHrtqxgwOo$0@DaQ+Q*!L(}BH z=DYeI<+IHBpGBxSV03J13aUQ;cb@L-Jz7~?ItVg@3 zk^v0MU8b0pOGErwsfsB`5>hW!@Uo`*w>Fm~OJ9>z&9q!8X(kgt^b;)|srsfIblPWi zun7%FoaY4X%W~j)&sE?jB%b>r4DdR}V{%GjpLzo_rlF_fQq{~5h7AX-r3)D^Vn4Y) z5a|o@Md`UzH5z16Xu@8{bP*XymY)(CgpB~!tJ#77QXcqXna%NP?z7x9=d6K48#Uu4oSH(J)|28D8m^>)k=3M<1uX*GVNeH_#o`C*66 za^E`R+!r@F*NFK?&yQugD%(=dIlr6=fA&spZ2%j-Xy|#jyXpWFKlGaPMb4a4DN1Ij zi<~+BB>vq)PDm5vh{9(s3vt9|G-(@O2b3jGCUg;cZFGbFp2Gm4PdJ`3G@j9`5IJX6 zTRdKb`%Kov=r1D*P?c~2Zc!r}BBsciRTyalijHqN0a>0^#GbRPMN02}lNHHzW{Xi} zSNVH|bR1Vmh^16WR4+JI5EI|BP+0byTag_bGM^Pi5?- zb-&JOXCQL3?xZygB6W&M69u&5-e%oZ-;l9JO`u|0YsrdLQ%r5CK7_yqylX~x>YH*0_%%sCh{qX@ds^J+j?0asER$y4Q3Xcge1{~ zNOJ+wOn3;XU<#@10)z2hg_5G?)7VdWRyDPD^l*n3%5T&)= z8WKbgUZ^>uN{%NokCN*{KklQ?O#qf|ZI*9bCku2j@S=3Ki^#(X86+`I$n;u}wvbT7 zY^3EAF^eah5fS{?uIiZHE@K)5emH#(P5LNY1VIZ~d>|U=2ttG%1lXUSE6+pa1)TT7 zLB(Y%_>bs-3Z7BoV>prMlbs2YkKhbk|YwL(GR9oqOp_eVhpgEIP-dU-)^mRm9= zmUS_a6CS=cyO)J+vo{>$2K4)au)Ja_3sscsS^ht*K0_rJayFWiDi|~WxoW(D$D;3I>a~2A5cZhrY`j2mi6F6 z|KLNfeb(heue}lL)f9|m1=rzt7SoU}*a4l-{RFk?WYXTOqu}6|cLzV7oxD4FKe#wJ zdHeSGyn@Ti5+xL1H$1KRF>PQV*R%fg(!qy|`5?m}P1tbD(3!goQ)r6A(lX-i<-$Wa z!JUN@tnN2opv&Q_Qnp#fEq;X~7W_hv!b@v23*;mUpl2IxK-J{-rTD8bUVAL=CvEh2 zb2+~=^bo2ce|ZSi&{*UlRO2C3;~`YzAynhvC{*JPOQ>dUx7MG_G?wv#C3K!If2x0U zSNIA?Mr1daUj+sQ(gt z)%}=wsC^tF8ha#02}NQCY8}uuU7(N7p`?KRxTSFB4VKPDO^fuK0Pp|Wz?7tZc=F}rEJ)iN} z112TDFY=DGxv3Fzt(Gl)E~op0!B;hG<&pUpv1?iRrpmTyMN+?Q-<`2#mL$>Zd=w!< zkvJyu-&!*Ni%;FPNJ*SE-q`I!u6jwbk9Lc@l6}BiU774de*GK$J@e2yuh=DH-j<8j zcjYb_aV>oGZ=Wrp!c1;s(1MLztBr1%b4KPB+^CA38@W?8jza$e_N0Gz<*2Jfz3o_{q2*_ z5GzA#RgGW(gYhr3rHBILqQ}S*{>^W6>(Ak!4_!yUjZ)b9 z1m%VPA&bF776bH$NL{c@{Qu=R4FO&%0YF{-_wG(H{=fU|A^!h9K2_yk15d!Cd3J3D(1`Csnk(=2}DZcYi#On>APqM)YBfbn(a zX(^;pQ82RnDV7VMY7|iHy}|(w$Nac5LK}>6+HbUmZFz|?J6n;+jh~{E>g3H2#x_40?z6o9-`m}NkpK7c zxf99$Zz|NI0BtDAzKI_H%L{i6x5mJ$fDFKJbB4pIvH+F++6UtXQ@mo_O%7>H}h49zI{;Q@j7qj`k1V9=UUGbr_ZVzxTAe^Sqbe z|GnLZ{eLf?N9a_n_27Trv|7JrfBd#FOOlB7JDsbmE8WqV#?#Iw@)^P*qN9J1apJ@z z06iE7nIrWahj>cnT)|@3EFp8WadLL}>g`}tsBJhzWFE~h^BJNc0$&j3kNm(-u0h$N zAz}#*Jsf+?8PjbZaXFe0R4m6@PVM&Z5hA^^{V(KTe#mF7gdFllw|LaHxjtt%= z@<{he-t>pdwu-wZ|FGWBx2iWOyb0mGuTFxU_rvf z1GuL#os(on7Qh_|jW~Fq$E%-C&&(M_G4))Zb~XiXoW=wq0hpf<)@nH@BRlH3y`3j5 zM@(eL?e(4@8jHVn-L5kt3Et(upMF45OfP+YF(xr$i-@bve9jz)Md*<@xaLdbhm#ny zBwmb@MNA}r0SBrD1ah^`Y08=WOF=3i3I9{7vY^zX;r!Z>Ukv+IEbfRzeOdD|ra$Kp zMX;${U#4w)An=UnWKwJ>=c{sO8lG!>(FywX6vuc@I2Zi3@hD3F*hGxL4nu*@5(dL$ zzoKM@6UCuwRN^6T5euTi1O=E@>#t~Q>)emFw)*Ie&l1GvE@#Z-P8kAWI4H5l--o_! z75FkN)K49c1SBEwvrcnu3s}i7yJbC!M2^XvUJ{1Xa_gj}^N5BdOc=t9(Xo#cwLvq+ z5DOJR2aP`@f2U*=KqoW^=oL(quRhZ#o-WuZFvu_WlEwoW++;@lI9>8fahYqiZZf#2 z$>#-)(gb;VU zqRQ>rzM|Nh`(Zkll66goxZS$m$wZ|I@s!3%eq>{!pquH_Q?^I`!&(?t2Yd$;)t=q+ zOL~LOvL9iS+E-M6xsTSdrt6z%z8-;n%>40^9xQUFa^b^uCVq3oag5h?;@qI&ufGk^ zhDQkl4`b|kBF-8`3ju8~lFxpV6j*anAv8ncp@@2HvoKNJ1GJoQ=|p97H0JHaJCV1MUn`NR2UL%KA03Lom-+v8xBEKxXq}oKYtO(1lD9D0HBviP&&kY(L zPu|hwG$xFMg=4R-w>i;Dd8^tj#C7=Hpd6N9TU%dt|iCbSo!nJz1Mibj`=>4H~i} zCdqiV3j0=0)OxZupXi#8*Bdn453cZa<>9yNL`#zw4bcsPBu2-FpvQAr>6;V3tIrJ@ zc2^Zea-zBT>FUvL(2w|17|qoQ4G9v62X`|x@dE+|e1bhNxP+JJ634e!Cf0C{TD;q< zu4zXibClNW7U(a5>Ut--0RF6mSFkYL&qpG9QH!CycYdN#-WXPdS8htV(~p{HEr#~q z`H6y8xXQwB8|wzWTg*o!=KBvCv$SCA+U8_O6%Bj06h@V04~ka60ZEY73|`>;1kI^O zT(lnq^on>=(eI-n4Tswt#GEGN0!LABt^Iu!`w8KH2Xu^sAv}f+>11N3aM>>_P1Igs z!8k{=6-}2C9#KI@pK+0_lR+OGy`u@~qXY0)=GUAl6xijb6b`F6%U#d$Qc|_zZ0gJs$9FB=+2xmr;#1E&d@%RlI&aW>tpi9jfCR*_TVS~5olf*4Q zYq-5sJSo}W6`myS=Zw)1U17Gli56a3Z1Bq8UhedBgDzqmdUTF@U3kdHW7t4JG{fOy zPGWy7Z@U+^-sVILuc0=0w)fF{_^g$6WxcCv<5+H@$n#?~p@DbD{Ck6jmNa8Sw86N{ z5Xm_(L)Ns#oB4@m)#oZSBWj^1Fd5hnheAkkR!8oJdy>QP;$ zsIF_G4fI@ObEtv@YjRb3(XahZ0z)MS|DtjkPS7cQ8iHH1f zN!m3;bfz;G;hGLbYDwCkTVd;k+wlXt*9831OEJF z#aZSjYGxHEmAbj)1O7zKPi$46p`o5xU@d3MdRMe84?*r}f8XSz zMC@|R=c-S2T@(HFw_EgviH>K)TLdJwTXOU8l)00$=f@WerQOj6O=ij*EiYy3^Vwa; zHLaKqw!yQZ)=LH{oqjl2c^VB+MZ+Xstg2-dC#t8lwLgKJ#`Mzn2!wJf8}{(jmLqt$ zPN}r!6-^Ci<<~SQ>XlIO&@E;Hb3^#9j~A;Iuwn1~L}hidN)>Q1^86U`aa^mtDyN!G z{|@GSgNE()$|Aft(K3)5Xx?gLjshstiKWk=PEn{+-6_8JKADSWF?tZ2z zeCp2#_I{52gq(z9^4ro5RryTJb^f~Aik^vd&-XFe8#H|J+F##_)~SI-6%edrcY3l& zz{AhWdtRr#`9x)Yd#;%eWY(W5Vf2pktH>h;6OAZ8E|@;InFPeMK8w(m1@g81fb9DdQ3f z4(Pvd#&wZ$-uO)GPIJqH;CwV~!H=x+WS?Z@>QP-C#u{>aq3n?pi1M zrhZYYSM+Y?C;_i)qJ`S7B`V;)=lL>ejZ_Tgq7>}i&iMx2MjDk&v|8*IW_n+|d+V8k zKUzbDVL6QfM*jcV`}XIyZ7$LNtiJ*)-Py#cNJ&ndhwkQ^>%?yAX`J}lPO{&mod_Z! z2@OSP0n(0I_kZ8PIRFSgB+HJ{Hl1kp+r}h_$HBqDd7mw58Mc7CxX{fQhMRK?+gj|_ z7P=Y3a2t+cJ4@XH$6$7JBZlFI9D~~4inq3-n=uTVa|~NtqZxQh3*C%ixE05+72MtC zLN{O-ZptxikM3@5p_?%bpTRMF=9;&5k8a2?+=^q^67GKXN;4+sJcaZ2Lehwx_+@pQ z!UwQEu2~aQhKIG@pL`dfFmMj2qxgz*|wq3l1f$#S} zHMvl88yhQplLX?{mJcFLXkAl1p|zlT6J-Ql&~)UuX;9PccHtnhj%wi*Nbv=DOBB=EPL>gRLy zcA*=EhWrykLZVIjfgR0wR1~2jLP8O9z*<|j-OA(J6JfR>dRKRJt*cx~g-t6SbEc;P zl^0@b*Xb1*{q7x?kc*y*Bwer}X=_%Z-L1UEf_?2LgU65Be~g-!x;AE_DON(Vm@Bu= zFBCbk{XIPvDbIvlL7gz!Pd4MApf`+JCTu|RS*Z{7{q%~+ESRMF`Rx|EWpZQ}N*$8= zrnVCDTCBC@?g?_dZPV+(`dG~@wtP=h5dSRC7 z8W5h6%NdVmtGD*^e_sxDd73eKQB@sXkux9y#J(Zs4?F*d^6C!3f+mA}zP7qV zN;8|2=EYu<<@{^TZeCyLnk?sEb9VEB?rvcJUTydG8Qw3m(CzU?8<>UHnS;ORQnz3Z zwhP_J5c4$~V44@YLLvAyYXX}WxGc6kZ=g9* zru~qBmwogO-`taWHcVND6+*GHTwe7+r;E@W^0;w1;wFY_UG(U zFtNq8mvo-2g0WZo{NEynspX25sVd36%AjPgY3rXBL$ zoC5Opj2zA9In0S}{rXf$(SB<4LQfUDk2Tn3rwL4ACc(KHSub{ObB0+)51hE znog_k(i{`rKyK}fPC)?;WFWS+!eTy|FsXY&wNtD03;}>f7rUjDr0mj^QimR(n0=-S z9fi_^VY3S+m0pEOvjbU)UArz(e46qJk7#OVt-3@=5=jp8CKq{s>p}nmQ*dN2*p&8Irb` zOxo2Eo0_HV`T}oQcVyMHnrod5Nxw3$RqX~2B&(fM{IM%8FU8*0UKIO!F1%BcEa99O zgo8uUb!cyi@hAwSE88+j=oAxX#hN+L?^6fHROrLSQzTM;fdNOaLb9JIQ6FRNaTL-Y z&pU)_CN5LFs112|j#SW3jfBJqR_^suZ-J&co_fG=^HhczqHrbgxF}&)+#a)h92)zT zzB^pAqh4nf3E_Yo4lo@-rWP2f9Ae|tu#RkFkuVtN>))O>&#Vk z&sSzE_Yl$B(3RQQ3mzK8lbAJD{4Cd(vuY1Xd#~R= ze%AgYY_*P3Vx21tAQU44ybV+_d)!WzVG2VG`lu#+*4&$cV^b1#t~9?8iGlk8I8oa}-NaAJY^n^O$ct%{;YDCj1FY6fZ|4T>q^ zCD-&X$5932My=M-1OO95gv%vGvBYq}9(u1$Ob<8)QE3)4A|@eibb$yS{OzG|S?@BB(pIZdPdOj3A4+2E{w9bacUtsN{NthJ;lHI9=u(a zWS*-Gw>`p;OwdCW5~QsrG(t2tb7pBKmkYtuEWi}$VLT#AV3$Tb)q-X|w|X46CD)Vc z$~sHfTq^2NqQ#mLe-XOsfNYAm;po?3?6ifI2IZnj5hbgo40S1j8^wBe8`K^PG&ec3z&XXOp!w&3*I2F#1=D1qO04xf> zQKGNm|H+x;nu4D(1kiK6(|1%^dd9+usb!gAAApD?nS~6_L7zEq6^)R%lp<#;Wr^cl zKiJPZc$o$%y9~^%g9}ar8X$lJP3m^gTSG`@HBbg)-zW$TpC)2VlS0)Eln0teLeKsa zQ4ve2-z?N(YYHq(a#=Ay`$X<-773D}QN zhrm$#C^L)7A^A~UvJ22q=412m0BFfB9Kw{Ly3Yi{>wo%XF%`LFNmAyXVnLK>>d*G| zF%_4!DqzJG+tsX*<`VE~1ImKR6c8K1J~n3Nkvo&FnomJ33K3<9M8adi8%!w~Q z%g%fd-tdFnO+RRC<}5bxcyQeu8r!ZIzSI`b0JxVw((S7S&FG{qp<`b zUbC}AV$STR94rAbpG*eFo&pf@IJ-ENnWFMa%IcW=T5@uT>DpN-k$_z4|6WKRZ<_Tv8D^|&APww}ggb#aG zW!jTMWE0g(_}IgGHS4_G8$1qP?(IF?v67M_(kRggg}~^N1=_?Q6bUeA4lpqF@Aw=9 z1oXfto4(0}r(DfgjK`pqQU(;%sIVs{af|g8C@1@OB#6AHwk44GB%gvLKr=mugkf=8 zz3*NOXgQ6I7MzPM@c4Hwz#7`isQRdSQ1V%$i42Tz(u-M?P{{%_fdHr4LGQ9)De_>< zraaw2?9~))Ro)#J@fNmPKM3hh_F@q3k^j{Hd5FjdItLKJvs|Y7HZQNIB1|8k!s&pe zOD_zo2%5A78}80ga&Lx*AsO;u?Ta=E5?)mQMH8PFWU?Sw_P$ zw99aO`uopqo@(S&Kevba4<*p5{d0TxbK6_j&+R|{Fcz(M`VuO`!vMKUGD-E#;|Mk6 z#Y61=Rl^iecJIOcU9$-wk1QmMxU#_LHtk|5snApOmp3%6$l?W!5Q2_1nX;5g&>NK! z4Xt9YLcDyikrxiQNa(VVfJL4ya;PFpeP<|hUhvQz7=w4jG;5e$GM1A1?PK+6X-wW9 z0Qn)WH2^tHR$6>MxNF1QLakN+DuhZ0^E=ZzG zqoY?x=LgR|?4Q0kt3Q3W|MKAI6kvYx;$Z)LKP3A`lP1}m@>Cz|=BevB86TL)>cCfR zYG`(4<)(vDCk^yPp&?;TuEA=P9?O`D^}fhFbxAg{E@UO#1NB$vcVY5zGCAi8wO!>} zM5sSB1xBA+ZetXZee#hl$(W^V!ZZActE#(!D%4GSHik1SB4@@-A9YEi3_{@Hwo>|- zYk3HWfnJPAeHt8dl}SF%kyC>C&8Un^;W#Rjlmv$vSS zYMZ}ls%mDwtA4S<-K^6gZx&NYW7cXNWp@-wnZ6&WTmtiEEC^^vGPxU_a@+XH8CP=s zil!vT-oQu#&RHnwnCLf6k@Sw0+^u+u-UE`Rv6v@I?-q1ph2)gY8Azk6=4Jf*4CNTr z1w5lM_iqvBh3Jc^P>2!NQIcnouNhM{v(A2Yv7VQo<q3b9o6oGPe5^8_S)0`&p%I&bB}$PGjdS>b zJnDz$kv6P5Xdeo4}mR z>94|pi;VO6!a7?5($Qlm-LeEzy6`zjv>2 zWCXWK=l>Zywj1zO%SZb5HvXUX;1mkWgr^_Xki54$a(Q{_tEq&X_UKsTSubUmsyBH2 za_Zpd};#n*I#kB@NX~ry?D`mQo5g)|&m8Ppf@$|yN$v}_dW-<|1Q$;$pAW zStb^X@?6W^+`CubOsl{95529|W5B(8EkfQ8ejz{XpYOjMk|NB*cw|bj4;Y%Bm}>wX z6U~xGQ@vMBtaG z>4}C)QW1RXW*4cgb8_;PoaM7$87WOnpcgk@x{#z30Brnj|2|78-|DT8ttsgt9mX ztFc=+8uY_QVLy-$A6s3VeWfR;ntYQIG360_(1E+fv<$>$S`2}0%h_<|dYjFn{g ze9mG{GnQ!S_~`iL_38QktMegozM^ngth1<-_FTUf8krWN=JX>YAOz}foePw=6E)~L zQxbWd&6vF8_Lu=GOl?9qxVKS!*Ce1pfN9i;ffLevku5ckZ_-qSCe0jc{$l^-%h&Hd z93G#X|J(KbbZH9YfC{&qlmrzGfP+@R9VayX=*zO!y5)yJfeI2W*%vGk3q1=fqj$)C z?`SxF3Bb#dtKYmP>b`r&_v|2-mONmERpHyXf`(!GS2419n-A1Y%D&CZg5yat)wXlO8JBxt|x zj?NBG-yS_bge+AflnPuB=iSlkmj?w2+p%Z2&=7f?Fh)(*q@R+0AQMJ=V7ySwIOgwH zug?$9!t9gDCs&%NagBAlhw+lgJWV0QjWimeGzC!?5xmu?b!7B@cTp_`Al`9zlM9on z2YO1j5QdY#KK65k_AStCo;B;(F&82xcdek}!3Fv(7Dz_^lJr3x?X0rAu}>@_0ndou zPPo79_^-9-nTY8W*bDzs*LOKEx(?smjp8nR6oU0dq??brMp;8Ma>*?IMdcN`PO3;! zoxACj1T*3zBMIIV%Grbc^ZjT0XXeenNH3c&dRjus7oh|4KA4pR)y)%Nrzw5a8i|5ftTLOqhSnmn2Z!7A@z6}+>0PX@;NikH7ImC{t*DI_-`1}2>YaG z?0g<^nXpBLT&IDdGRks6{?fHj)2IV}u~K)I|1qoe_!aH%q% zh645Ucya(`cnv6>JJ-_=iKSQ+GbzFN|N8CBN!+|;u9zfm&JIuOEx@IUNRhCjf%VQZ z;J@?i==|0G@e$ZA9R}Yibu*P3%9_G0B){MZn=;5f(L6^DzID@C@s+qVT$J~%#X- ztga`<8=n8waj6^7gzL_~KJ4Z5zjy!9qi^T`&-nej`G6YBQ8~a=$RfTJX@Ct$)-s-n zfsRRBB$7aJX)Hu$l|nXu(hW|vYHq43{#loF+$oVOH*R$O&jIyWpg?Hl)7#ao1!MgG3!( z2yVBqU3sx1tccu7at68U&|c|9OikBLc8E_-Z6ywjG@(;=Qq&1(bvh=ZYuF;5z%wMj z|Iz9YQto0%=1cqUS9H#b7G9S_cuGj%HU5b$@vZyHc&j{5s8YJyGw*M3HCpLwZPm`5 z4v}m!BsWf`q}L2x=_O0IG*?Ijo?41HB=v4ugk*F&B!fY?S4yq)_(6-1PRG?*papPD z#16bRu^7Nm-Punr=~CSxd{ShHB3zL>3C)3E?U03!xB9_4ytT_g zeZ9pZy32^VRztKL>i`B;y^iia5NR-`Y8JSDTLj0jdEfLQI?JTdMKARI2Rq~Fn8(6fn`B|JybCmM zPI>C=FxIA{8}8_X)*-$fb66Qs_qpL{*jd#u3LUmg;v7GRksrO>=@=jSlOl*>X!E{- z+8@-ahAA_SMj&uuhb9;jG$WV)r zN)VAjHixmKk0A|U^l_2oXz+>igh`W1uC4FpkL|E_!`>v=vw+b&PcptpSm4INE4Wh( ztQU!-;Y7ssm3{WcSil6P4iJpr0IlkoHD`QC2L1k^Re~ivDQ1jj_kB$1{P`0uo*RpP zV6sK`TIPWnsx)h)>3}R6q7c-Wy3lOrfnc2kOqbx|W8AQ~GP%)Bus0fXU4r21r+A zM*G3K3=|0@Mx}L*NX#bSu>m&uu1oGve1Opqo28yL2=V&-aH#o?A}s7*W$?BLS)FAT z`Z)DmZB3HP;cyGfoHZ>*1U)Z!O6Lu*5*G(5F zZav0oxN53KN$gP#eI4n>_7PrCL;FU*ItHpx@`2XxP+MKiPOV2;6`$Mc=ecy37u<7NR!!Ne!ab1^Ww3QqQ3l962OSqOYC>a^JQ}gAq}97LN&) zQ}u=B=fmg-M%$MVGE(ARjgA#EL)x@OmB`ji(p1sNIv@XO(|t!14b|$lmMjeZV$3bE zI`!{$$$WKZtMmD`Alq$YQp-i2HCwKs27ysRCrtHQ#f|zOonJIM0Z_2cY2x>n>%B1601c1|;{IAz^H}Wq{mD#SYf8z#7YfOax;V zps_5NNHGT^lnTID7GyJ;0>w7QGOr^&qbev5y?nEEM8s?uG|y%%&Ft;E5vdVrD0unype-Cuj_hOU_AN-*Ou7o zkmgj_!)qqA>cEi3WW?B;q3$N;$;Sdsezb5cL6r8={EivAgJzz+YLi`e8FVWw? zI&&>MS(E$~waD}32mSN|b{?wPkX#w{GU@zBZ_Lx4n%M^|nhDZA5JmpeuwA-kD)&il z*tW6*cO`*w6@umg2!ZaeGBZ`#!VO@%617Sose-7o*T{}-G$y&LDJVskB_nmJ<}AKD zmHFvCheT5}5um5^CPai>F~jQA4eJQ=c2)0VuLg?3x^*ruNy=D^Vc$&7IjAkBl12;^ zh#P4tB9TUHk*S`Zy(Y`5w-EUMdL7#<7il0SS{PS|lirILdb|_Ae&CSY?^lVjm5|Ga z)I1%c9Cad;rWbzmY`M^~F_zylvenTENY#=3Ye-&+l!2K>WKu8oZI}tK7 zg1qIUUJ4pNqX|tT6T|Y#w)3Z;HdMVkV49CrP-GRe&w3r*W1#1wCtT>m~)=x{y7q#9AT2wmGV@EF0^OrQXB;!W%5!~$DSmK3waWCQr>dNm(7 zt_PlA-k|P_5|PJ&ahj4^Tw<3rNqQa0R3>?p1*V&ckT7*SbF1oVUcnj6^c13=&{7kS zK|jR*(^q<<)KyQoXzYvx4UL@+Iht5?OSfc{L_NfR`H%i(+8gzFJ7_n3(r(+}S*Jvc zmzrmc(3MPa0Wmn(m%c7h*>l(Po!ZgZXNF1hBovGh znG6ZJJ6-H*Jcl%qkc5#+jriEhi=QxqB>7Lw$&}IPBiM1gbUIB+J6FC{ z;MbG~a$Xvpwg>!^x6hr%-YV){kER5zOL>LfaAT3D@n=&37c6xR5inS3)gQ17d#uhO zTEixNDbLbX-2izHlw+7hM`6hh6N~8XhLXA4P~;XNE{Rd2eDBS}&*D_c6$WXiaxi7N zxp2Mk3ttOk=mGjPGIH`3;~%XK&r&5fGnJ2VUhOtaqhj1|2W?G4;nW|Cm>H8tKu#Hr z-$|aa*C`x(#eZW%^7sXBptu@6%VjhxIWEbWNuzQGl@?-1Ut=PNy;pTD$7Z~O=8~jH zzKcn(@Fs+3q+Qq@IIOJop7; zmeIf@32Bj1Y_PfY?R3na-p51o{+AXpTVPw)xQ2y@U-~T;BHnLeEsCn24G8kqGfX?j z4bbM{8&Ja932oL{Q#aT{9Zk6oaL&FV={F>`=&>Cf_4`_jqAnv0a~ZU}EI$z8 zIp-DHf35pMB<718Z1{#v2D7pI3%$p147}0iY!1E~yL%6hIXsCLx&E_1Z?#HEaLrLM zwK%O6RbSTSWV~)Lch^>oy~V9>zL<*`bK-*CGsJrDhLeO(x)`TWPOWPapkZ&N?7D?{ z(Po&&i@d0*ElUO;u1EqbA9@>gIz*&q7MfM;mh=2133Ru}{ER!Ms!O^w;t6(hw>nu8 zGtGxtTcXT%9FR&Wh7FHe#u7Asm^w#5j1qpqQl^wi#$rmZW8L(Pn1)R)`gWke4HDoW zy^i-WJlSd4#!v#j(X9v_yAN1Gm%dtpkVRQlG0@L4K4&7&+{3*VA=Lu{QBtDS)(r!5jgvX{f@e{`1Es-*J{0%+ z#?Q(Wd^*R?&|9N!@2+MAlECeQb6o3(56g8(Yu;ZKhtqF9U^O4GM)#;K%)0I%WktIt zm$C+Qta?UmVNSQCm@x9~2|Xb-l3S-9Yv^1vrE8{jtEk-ydPhi|{{CI&2DU?- zg9V-|{u?VjSv||jOzY}>-BqcvH}}$W$-P2fy)6Ut7$!hYab5L>B}C}2dJWjH+kfzQMFWcx#~wIjU5 zNEl65kSwF}@djQ=t_nDGJzD9zY_FPvmhz@mlIEs>S~b_lM$~e~VZngr| zOXc^#FzG@4LJbyxH`w%Ah}GxZH@DfqRe-5(EJW$JDm)eFR;lw=BG9h8WQ-Q%&jwgQ qRaWX~Ho*Myidy=Ae|*cS^zHZU_wBd+-~R>x0RR7ytckV&#t8tqjXEd* diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.31.tgz b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.31.tgz new file mode 100644 index 0000000000000000000000000000000000000000..20a856925d260c934289148ce640e18465e9736e GIT binary patch literal 126568 zcmV)FK)=5qiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ}dfT>=Fn<2lRiLzbZ1;rvu;a8<;_NE6oT&BJN>1AR+O7(b zkc65dSOT=Iy546mA@I3h2$NRKet=5-&d+@i_Y8C&scfQ>FTYLA}?$fsXxBa(P`)RxV<=;^2 zBjT|1lW>9KzqLNNtzzf?Nj^BD??}uk3p?nlUBgk7{`|7B(`eUx!o8SA0v^2$=@p4N z4$y!^j8i#n&G%H0U5ar($;b?`cPB2!&X76JF4eXGMJ+QWB7gvii+$ zB+g2cz{ftWD6C#&1!Fw-DvEitePruwL^8eju&;H{7pW?HD4#@;3fk0~LC7UiR@J4L|UCby)lp~DZ zcTbL8#mfcp(S!y>7I;OjaZJ$ljD*OW;SgB9200@!X`uHkL43xNz(uLsUSUB{Os15Jm=a#2vYGQF2!_OqiQp2(1{$z{pjVg^-*iXf6|(?dl1a8}T_$4^ zheQzGpseXLk2kSDr(qK(V#Z?n8F4i$V!N|uCTeHv=ST&yZ` zS3Rz6Y}E8C4YGo$8*<7M*!&Qi0O^LgI+Df-Ck<7$KS3cAh!X+wi~=Utiv;%sVFieC zG$kR4v0OL_mlI0@o+Lp4?**C5$w@+<6JlF(N~P79fip|^5grZWWL5cL&I6cdldzU-pD8OS9WMD;%Cll(q zu$B?I5hM&u&2fwCcUh9 zs)Z;V3zyvBc@z*=1RTm3BI+NourfL|d?rQ3hOSkEQeEGtl599Y)C`GSn3AUHD_G&s zfm$sj;+n;m5euldP%U-UT9*R2fgxukfv+`*MM;K(c@i;yNCF}snAJI#>+x6-Tt7kx zM^Q-tgn5=uOW6ht4?@;tO`mR{x1q=8bE4J|miQtT1`8W1a15BFY(7sy$*PFj2qMOX z1o~@$w&=wA+0ZlHth#MIQmVUIIXxbQ{%%zDc*E{<34+zR4d|ZSB<$g?Y+^+-%g75{ z@DK|;#+)FJg%dhWVzt2JtGArMB)!H|$er2s$4G95vZ&e(8)!&?+Q2E~7k){jnyhfd zVgp+92nq7QZp4-hWINUn_#`5sPeN}YYsEHOwq*EhRU0*I9I$ag7t5eF2fgm$Nv|>Y zC9BS!=XjoGXRraQ`K7nzMF;uJyCiYLC?S;T_eNvwpfMF8p3`P-P!SS%+Cg78o;BKg zu204khwj&I{B>JO32DiE?iiA@MY`b=rHa7BndpC0WfQ)!P6QVzah6nFCdwz4p!tb{ z!TzT<+tafPYXd!35nB!J_!ZI0f)vEtU`;rYBsS93NR7W5_4joyVhb!=gB3J zGshphvXXw9L;WEzOhx_1kp4kv#DP<*1#CK1eaJDUjPY!a6TTR;o6U^hY_=P_txc(X zSktR!HP*?@Ma6x01D!G$dMwa*VFW;QO<;sGW1gHQQz8^rve~9Kr7Xv^#6-0z#>OFv z6>Hr<#xkQAND>6+N+v=5$te@(G2tW>O3FFVa;Ma%SWLwNff$%>FWsUTz+%;#Fq?oZ zRI=>p*+mbz=mg);c`{eR1o71rlX5$TIVI^rL*i#GQjXd!^O2KYzc>Ja6gpuP0wY`_ z1+|l}2=n^vio`MXNlJe?TADCMkcWbA3*E?5K-VyD&+|Aze-BAO^iuc7jVNXji3OE= zGYyDje%--E|EPO#aW;5AdUJNtYZBo#b45WO5j0BG{Yd<`h>wl{z1b7H47aio^@keYLJPPP4R$D<+M}GF;l)=BS|y@Hq}pHf>^(8nr2UR zy^)BeN|rsxU~RD<*aXOcCN%IzG@P)}oKDpogxB!?SfOcmEER&XUJM>07d?Ag5{q{B z?v;vmzADw)lVZ_2{Ml4JG1I{q0hQ(NS>r~olrI}MHH6YBqj;2{bHWlaBpwTW-a)(1 zT8c4(K5sC`3mROHf~q77Znt2WE;K>MC$H1^eq+FMVoxKnfvW}`QL&i zUe4TWw`Qp|jX6s~agN0d-Q6{f@x|_a3ipZy$()>k4KRmH3SxQxmbK{Edb=XMYQ}8! z%g6p9lLJo#i61^U{+bs5>!w9%(0Pf0YfgGGliYw^Q7J*`9!M#QBW&s_m}pD=douYRX#Q6sf1s~uL6WwAyCAA&6BZ$ zlh!tGb4Njj*2T>_xA*Sa)}g}on?5aU+$%P3RIo9XmYAYT#w7JZDb3}|&MOV&1VRw?QNbS)wTl?u~oTnAfnXiWCAi#8|V)zm=A8!hB*G z{~cH34|Y}kRj?RO2`KPzRP?wG2nP6*P|(;qimK?$C+;|>c@Yelcy3qvOf~bKCCI~JdU}djsErD;j$zzrlSL%tJU}rH zedNx_4QfBzR3OeV=ZJ#6bVh=?s=evDaAa$-UDfutWU*hrJ?RcFdV|roz4vz-N;iOG zM5#Ilizi?im3V=9N={cdHSK6iEHr~9Rv!5IDy!!5Afn}#FmVH1y5-LXs{WUdr z>fe&ARE?5;0_%Z>C<-tQk(AdOU>hYAW(5qg=Gq3lUQb-j1AQ=Nz^5(tC#YcavMW;# zT_pY!$q9h!W6g1ik1$Vlw<;rQ0WKWa1Pn_d8w)99f+e6)BAxam(G)aOa7WHP8U)Xqa-ti~~( z6G7sdB^(vDH5@MByfOnb$5C;0+x0V9C@-fp_^g9|ca2Cuyct7I=7c5-D?_dpdz=Cg z68h_aAd)5;fTHZN#@?K3O$x_;aGnqa$&`j%v#GO?Xh#ycpX-;K$|etGWSw((n!1T; znF+_kP_cb5*wzLQ_Gw54w}11>>Sj47r#Iyw?x8HpFClGt^NdC1K=9k)t*VuV~CdaCfceP^2O zXbXXo)Q7#nyWU{*{mJpjW_WVL)N4i`csXCSzG^$`)II5bKe~7`=yeZ=1rR&RFQFR3 z!9j00Tv2&%MO~})-uD-S?&#p`^r-*30O7v2A5%50bJ~;budH_XYIJ^fb_{*&9$fU_ z^$Nw?Mf%t^`iIBm^7-N???=Pl!Jv0B>YctDz3b-CIm$UEDbDsSSq#X;R51rgI!G z%x&_i^(}-!I1t&_9brigRHV_ zlTJ|MW}b)m{hZ56xyQ1s+|DX0-xMm}sLD5MRQ_dtlRDPr`sA^BgC}7_o%={OBg@8Q z&IDPrSVM{+(0kbmoVKjpL?fQl530|3kXDr{V`b05GbaaA4luN>?khnFxlkl55d~JY zdV#tDCl3IXZs`SA{A^<{!e2IeI1w`v3gtq%K7H(J`>E5|Iu+F!tQ3Ay0;^|7G~t>tK|Sl#NDHmjF)vF_5fy{f_c=WDUXI@7jT zXYJWrYK#}Er3R*z)l8}C`Cl^Z^(V#@2se-I^Fn>; zyS4LF>QS}|7AGMG-HL@SoRh-s9=PCw##CvG5)Ll{`b_CzS@Yk_} zbo#z+Ra*8wp?(LoTf40qLW0C|8iIq$>ll0FoWzv*nR`mBmfEB;+fFKo2WWg-Wj+{W!`KLqFvS%s?AT4P4)K z$NsQxJo^N_SmP=H_;cA#mND^@(8r;-=%8KY0BWD$UE#Re$m3XS^+fIoXh5+4T}%Zz z3qAYZ!A`67n$~iDvF1!no6-c!8)ua*r0in}08Y;?dL8A73T9n84OvXI#a&PBF$vhU zvb@akB|%A42~A<~Dtq(&T;J~O)Y3~A*qf1|zCe+82lnKvbLD;!!yX7v6y>$|tJz_~ zMC!xd`Fn=zJN_%MFfY3n3zAhb1&b`T3u_q(C&1rB{2`$*q#1xT;I?LCpN z(ch8WsD}c3m)rWa_P(y@z3ZeCb*OJ|Sc}TkfbF_r%|RSR!2(LdeJ_c7VZIgY;+pHG zZ7B~#;sa!0&FP7PREb>0WYCtOu6Y?wQsPY+o63?3#dLCAbC>U?zkW+%;*JA0u4Ph( z)j)2Qj&th*wm&u3v-P`Vi2`A?$rEP^E{o9&$G*pWbJUS<^XaCb}Bf7FAH^9>t^-3=uj`E z;zA3Onby}6AliyU?@y0GuQ>K=Ui_T0kxg_=L+F2=s|)Ol&y!d`eYOhfw#Jk{eD zBkJ!vz^mK|cVHS=zh9#A2Rf4-s6bg25C8_x!fbhiTn;`Br>4R5_ZkhFvM7aE-J%)K z7>84W>O32uQ((YPP@SO8K1xDC1GM#lV{VvwPrrkw{C66PZRA?geW7bS8M|f5+}>8; zi|+1HatSPmi?4A^oaU;&=k%&v!%fp_X=YTudC}CG8 z2z%s3Ghd|Ktm)*-9obg;>wZ%HZ(O;}<`Ik4&7$18-2!oS`$>AC6tt(5Axb$r4Y{#& z93QggON53l%Esh8OQY|FBmUooS&+o3q!q#S1+9uPJVq<16sL;ER53Cvj#`A*oz$R>ZO;1ACQoe zP#n`a6>_!aelM#ur{OTdF?kz-PfXl{D-0}_0G7U6e=oGA{6luW7g|lpLsJI;29W-> z9EQF+xqt)Gedjk867Hyj)qMw4=O?RR{I$XU5gROsf|7ar9AV#ACXAd~l#(oe)if_6 zzIezqTg_~NrMMIBwwH5Ns3j-ROThO<6TUyJw?^|;bM7(StepSl(VY?RQW+0l?zZHt z%zhWk>hqz#|56a}ZdE|rFPhn#VjXSUdI{I5Uo_3nN@^)^Wpbg4^*JMw$29aQ-#B32 zWx84+icoX)K3BP=t#cf>wqlxB%8R<`Yj~Sl6;`Ns58p{YXgmBETj9sq2LH${@T2Wy zL<8d{11ur>VDg*DFhW;J*AJd-4Nz zUEsPzpgF!lW|IZ`^-A{o*Y;eb$fGCzqxQ-_c(3~y`_@{h=j@jXfBVsDY2=|dWqmAg zGu0RGkzfRwNAh`7%%c}g^XsAgTZ;uP-Ou{|OI_3pSmK)sS<4k7hY3u%4s{f8ZKZ9P zny?;HFh%&_w|o``Ywb$;2GXj~LI$YV#5nOT)%}`>w~^I_Ml4XpRwx8-5|8MIsR=El zU`p#P4G;D37P7jEIc1low5?UQK_n5b?*3fU0ecfd=>CV(CMqP<068 zUhNhI(C&9bG~7k+b{{NzLVa_xv+roGE?d#7Q?^#N(N}MuZn``0-H%}TsRFmY73f}B z&VstOI9Em*q&N%I{Zd^;$8*#+J9xGQrKolzv{U0DYeaPy3ynW`;n!$^kJ>1C|i9QnFe@SXy#+Yg)<)L-$BoYYI+FPm5o~WNHYbzG`kV zEfJzDsID)2rc&E#K`bZBuOXgiv+Hushj8O!NPW@^y?6o1ZN4RoepRnm6^F*5(Uqmv z9nlm&xSXXaT!ByeI@f;o^ug^NNOai=^GS7s+523J*5fs&P{K(+#1K_qZP$68dtu3*yv^;z9oxuOykN)UQtT%jLO*HLit0&97xKzsCe7Aeebv}Ugk+5qiG1vyPh7P?}D-Tq( zA9~iJ8d>*@#nN-v9H$2=!)rlZOJjb}f?C%s@lasZwu{P%_#k{AV%&H*z-1PYSQuBr7(0oZ2Pf%S&@agQY3pmUAP=RB9ySTlDM!h1M^DPyOpluX(wjhUs-VmV=uyj|RlNC2&-zQxs-$L-bb4-Q z>0~Mxg-IJ~?ux=FtaktX*HAx}Ua*0JIdA^9uLE3}4{bx)che?HmfDAEoGJYEe6!NfjSnYMuBzf& zIba__2};{~kRtRT*$kd+s0`ODE`YNQ_j9sHS4oz&7<)jcy zMYCw2Et7J6AGNo$#&uBN^LGb2>3JGF<3z&Okt>8ZGogcZDvv9oViRSMAnw%~G2|NP z?#`7%<3?AW`vMSkncVC$o#>(9)BsC>8GxP+vc08pc2-lhgLbyXzMU!yC8#LOl-<}=~NB#3OIv0&h zYbvlCWI2&zVGq*`D`uU(G{aGx7b`|^mO^{rkgG}_j<83?!h|1EPhpasMLND4q{CZp zc2opc$+`O)q8OQ^lkR$|7>+1!cx-M6WDJt|<*I_tqzN^Y9Wcu=b#kJN44e z8ylU$Dzko>Cn}Ov0Yr8wz{$0ze3q>o1nbc(^*V+c+LOy5ke77wWVj!FWqa*ZP{r;M zzUH~^+9Ar*t`-MQ|6b+fW0grAaja*VtBiSA?d@Vk<$@xa7fYTT)y^m#wA(U!WR>qo zr}Qp$-zdMzTq-&b9p98`W>NZ1@FhW9YU#sW^s}Mt&mhJ9tcLDqCEa|6hJ>Us;C<%t z2EOJEJjcJW5MscqG%!I^iX&V!r*SjJp-&n!p~DTqyy|?61%$7;vt%~p=bJfG>U`|w zRzB{@%@K=hSWj22B>MoTgPiVn!>8_>lkR~#eAC_8d*)aYNZ0qN1b_o%S)HZ)LIh%= z+5~rt@kz3xIth^)1whpcC<#Slj&Dqae#Lg%SvKYS=U6^qRjNE0!dgmf;Zd3@q&%8A zmF_-4(m!i=z#{MzJ-*-AK>Bmtrm6U@%M z0($HpGwi>@f#f7{8U##5Dx+Mbk})|s`se7Ne>hO*52>7?#q$p2Gck~cklbwm1v}`6 z&33Dy{@-iv?rc6m@SvSONViQED`5i?r$VYFlUX64At^NpB~12-Mx%k07!potc$3B* zUWV8H=4}qGCpnz7e6pfb3TX)EiA^-wJA>kPpiim*_Ee3I5y-M6F8YND;0cYPv2G1T zj0I>*=g!w9M2sgB>LCaiX>^BqHg0LuH>jK@%ZHaLsDAnr2a4UvlAZKrReaBH@D)Z( z$vB`Qt2{VHbNNNSj$$Td(o||K=VQuZ+l_4qa^wtUG!hMTu0#CGfwyx3NKn6|!SxNb zRXQk0n;@4LpDoS*osXZ|-rfCLmAolEu9ZhtcSAA}rQuUAA2)%gJtZ+wQO0~anUEMF z{f&vZCPa;RWc3eX{1y5r^?8VgM@`g18fPgJp_-z)$*KcE&3qOTB-?JNr1Y|hC0s`C zPP&AqVId_;)R@BHW7|ox6Ta5zVjS1eyNlP%BjHEML7x?!l9t9 zY1PP7AQ(AjyakI`z@`fbT<=__HjoBoO_LD=Hiaz4d?hPX{C7=GXff;mhZv#i^%{Io zheSP4mYN-SHm6~lkpz%MsYfoAZ)CfNpBi^WO>08>$l z%4>^U*O-bU7Hd%#m_ia|3T7b%XT}87(E^k;rky##iEte-BAmy2-&bw|{r%uh5 za=&L!PpD&_n#|~P{lqZMVkMnZJy&Z7QnE`7Po*AS18rQQQ_LN3NkhMb4$~C5HM2WI zjap$}%vXC1S_F-{@t4f2_HY2}!tOdlga4{}>*6f@01G*AUBN`l~=1=L$~P=9jD z#Cc4(q=m|lH>5uCu$4PfZflAaTrM_ze$^ zRSg?@I%P6|gTfZPQIV;?FpF|q=+2(W&|k>Tza%rimDeAVO;b7fCnl8p20Fns)IHCK zEu7FmF|}(JUy^vF_g}&hdiq=``m+C{fK8Eo1gXqLOOFmEd7I6Ybm$t#p#m3C-)t{U zF^`%W5cQuc{M~}&vxRN-7H36=DWQ`H1vYRzt1tCv*f%N$aquPkRoa+Ih2|QS0ofX?TDT)mQ5K! z9-ikGh?x*kTEQT#$DRn!ketqyU6mU&G`AUn@fp%O=f&#h#^w)KHBe-+uwt)7IC|mKU?ZwRgUHZf$BsKs&9cRqv}2QllOd z?2q&vFtqcu)k^84Z2Kb>fOBP$G4mJI1ymb)7}FwO?iC7f5-vePy&or&35it)c6TnT zUUKxbRrQXi1x)`7MFg2gBgv>n;F75cx!0QKi^9#(siuH|4?pZ$njHJc5GH*Cw2?20l*$l~G*1QK z<`?wNZX$i5dytik36EIFiF#ASIW3?2ZIyzNQjObVXSe;fYrW5g@W*Vdlw9$seKZqE zkRIoZ6@|WB7-pMbp?R|*yl51%DB-ihn@d6>9MCJ0E@$*?FReEHjYf89!?i7bEd_{% z-~6H>zZiC3%cVB7g%8dHDOCvOv4EqC)KQ`7D0oNB6EhN-cInxsw zPGiY^B)jLitQ?v^S`p&NX-H6R;rbzR9P~S)p)Xl_OX5`OO9K_4N;0@5!nhgn=mc$* z_eS6{Xdi8EZd>v;Cju=ii|X8)kvYlBzseIMlR7hNw$>VT5sRgRM_gc(*qle4#l7>) zdt<}WtyTa?wJ1|DCMv7Vf7->G|5is$6cgn$Y7H`{a0bF$#qiCt)|g=HWb~vwA0p{ zhV(KSlPCIIM|oDAGM`BBPhh*g2CtEX6J)z&0Tg9XEtVP1}J|ZNRE8X5H==jb9~rA|MTDfNBjEy&wu~l zEF~u#;QY^j|DR*2w*Jq5|6g?sV&>?Das@NSV+}yzkv~t~&`;b;vgqiqaF$WiD@VaC zW%ezmpoWLV6x139Uk}LBr@IwU)YA=g*gGHe4!Re;!%pG2)%cCYBnq%cd^BF5<96%W zo_pMGefbR05MeY)L;^>JaDWXE?bfB3tTEm|Mfo{>QLMo;^h!#HdS&~ZJ;=fApFWZH zr^rD4$LG;*|IxijM|wCsMqDSTo?(&BYB;|fFD#B7F(0O!2)IfgtsKm~8IFZ(Zl;NV z+rEO@et&`^I3rS=QBI+n$xEFU=&Yz`?}xeC-MmdC1ypiZS&{A=kaF^am~)})qB#x| z90Uvb1y6}zk-S>YcknwgwFb&NfZMn<%Cn@9;`;pEfpU%+6J(O)rmc_3gvA6Yx0rOK z#w^i}JR1cM80|*2M)vYOeR*hOLygg2DZ2ms6y0S7Yntom3l=K5G8D}pn^Io#Qwi9VH&9<7%y}{=kUrns zOO)>f<})LV5tW=a-K%_kg(FxrYNo~9>AzX;Wlua)eEE61qYvCkfVrSv!(&ZZfj3Q6 z#aqk~JNmM**J!JwY(V;L9CVOles%U*PoDzu1&QZ01bV!Vu}4%eL*VL5Hqsm7Ww$>p zUq1P95uaHjW|mf~WgUN? z<*pCdbV|c%BOq5K=pY(SSSs=~M_lNwuT~mjpQ(5jN?d`t8B-*|66EmSA*g*)g6?D&#(@e_u2*EGCo$z6H{# z=*anH5(~$&r%XrMd&_D^y;qa4liKz)2g%R`qjCrRU|&s7sbujVba&_cRQub%#HVom z&_sFQ&C|1s-moEV#D}-hYPDKl?(M~VDGsp?xa_WO?AMp{Ge{&MXo9<_| znm%=r;=@+RMCBr%V=hSiEm>rG&^Fpy5*{!ujGUtn{5ad-EmZqr-4FV%J2>s1zD8@; z_@efOBv@YbQe8loWFZAJE~Mh2MQULSbHo_NmV6}eO496qC}lM8KkTE)Vm#r!8Jyu6 z8zn@$VAmm1_qe6b24<}X0Iwr*1KxBe-Qh)VF#5Lle!srOA`)^Qpjb{vcSdf|?#}kZ zF|Q-y%^0fRX29-grU!Mq!Qc}>tO z5-ilE7Y~QZyB9?KsW7Sou6zP7GvKRwoAIRm`t7iHFz8*3PP->P z-SK-d{{ufY+vjnGBkC`VhB|x3>d>pEpwqkO-O5S^$+`e zI>!0US^sn?+iX93Aloc3P6Pbou+9JFjML06tJ|BO4D&zmW3wNd6BSue#JHHog#Q}Y zu1K}R?nU=ici8LHE*K&=BF3IbLjjI4C+U5zCvf>P7s;xoXX)Xq(Rp_`{O)XUxL@D8 zOvc0$0o?F#UGR90utz|-9H=9s#%cQW?hfUv=$&J&nl4ipD}P7Rm_#V+Gq-+9^8oTj4^qcatXY>Dgg#bbdCtcno<9l;9EZ8WJl1q4iTE)VSO^ zMp@@8!w4!&^N0M~MNIqW1w2)Fj>lk21(^e)$^*EePk{+M(?9MUg@GJ2?VwQCcy#J1 z>6+HAY1$-5t~y5QI|TODX+K$TgbNFcH=z+nhT;61eU z+-Ps!nnAXY_l+;19B&%kZI*{RLwnT_r!jukUv=kahahAYs1Y%L-MJhf$7Az|g(MXF zB~Q;#1*&zH&iOeJ7#Nos`XW?qudN^N@j*{SsI-j$cAfE_K1Kuc2)Z1G*Uszmi%U0LG8|D^& z2mO=o;Qi>2-GvM?AGikkhsyFz9d;Jl1-NH_Af}@;R0(+T> zu$;~dxj(=qAa!Q*A+v-hK0|zlTn{<0Y5nNbZ_9HAblHbZfFB+7@}-5Q^D#!Z65Y~R z--~U2;8tQPx%@FsLNDV3A4G5i${KL)|qLU%pqzuw)q9RqVo=H=Mx$b*tO@9 zEZ&TC&=*aZlg%$`y_?8HI|Qbz^+)h%Y}9l)S39?rwKP~AZdM3n`Njd%2CuSIhrx4V z?wO$9k%*JfL(g{ME1eIM$%Nh@$IXD53t9@zi$c&o73%js^z!`1E%S>UR_1*a(@;#1 z^Eo$R2AvP+hPm-4f7F4*o&EftoWj}px(Wvy4F$la??XsgO;#%^(0Wt_hWBWas^g2p2`7lNIkA!+C?Y67AMlk^7?wp@Vtu zl8q__H{tGIHBi`DIw$N2tG=6Xa=)AFYRLJAgPf7`h%NKAKCFkkLss+;elOZn61uVi z&p_9405gHh6$e*6x2*0oWOtShbvDdpGtYJrPJ>^0kA{_E>tTuKl!OP}JO~dvX!qHk zRg%O)mmSh+Nc;o&U~B1ZV54krqmTv`StL-|tOTrMuYh+oG|&K`zoYT9rzG@{E&@Ij zX_0TqB3Hs5&_7#Q`vX2p^?zj)cE^kfE@B+HUQB%6Sm61C%>no5|LykfPG0}tX+Ld0 z`%C}-6d(IgL9*K_vz3|(U4KqPbC7gjF&_*3Em>^eV|cTxn4>vaMa30WzIinq(KKDn zRl8=+E<5Q3q=#fD%unYmLaDm@7e%X~6(ZEYzOuT8-g?q1GZIsQrwZ$od75O!x{wwl zJ0+XEEMWScb_Md+m$Rb|MkzF*?)c3`7G!E z){8L>alC-ERIXwG584Or;s32KcMA7Ec6N7mcK_o4pW0e zh(C^HXAS-{vTH748cq)l)6P26xPcpjuGFMN6x>VxagOk)k;O54`T?AGt@W=Q5#~7h zL*&2Kv-WOL{@dHx`D^`uijQ(>shWG9i4Xz791AO2t@bpC#D}f$YD_e_W1(DUG*@$!% zn*jQ+3K;hK6zzXIyRG(L{QpyYq}l*3zN@^)^+Upbl)ftQ*APt?d*5-Yr+Ki z^j?42XRY-=r&HyG?s6}tk$9jQxN`mP?Y5t`itB&3wfC3*-zWL}k$PQe+Wa$%fT}a3 z!Dne6tIr_*)fn@cPG*OW0<1%_A02mJkKXS)I`$C!Jl%J~?B{UwUOuU-l1TkMwTqu! zjJoIN$NhuutK;6jGdk^#)NAkWqev(x>0JA3!tpnHDa8;phrgZ}x& z=;Hl(Z!|bRIqbdKchp~JX}QC*gKv9-(ZSit`Ps0y@2KDUr`7(jcRK7}^xySH-}c^* z-gS@PN*qU=gq#X`1=%e|GwS;!9F1(mH_#BWR3H`I6J3&pqS^5M5MT}8bO*h|(Kknf zv)6A2$NP@TYN77-yp02=s`RjT@OIF@ct85)tbh7#?|oW}6EBIWNH1!yuB}2}RMt;p zM%YBigHe}557WBf|49AHCco*v>%KWV>1Ex+SNIK^ljY#eooX1Uv|dhru52n-PYu=R z{A_sfde9s0JDIq?y7J+m|E@PEH|xjrio~ny+QXPuOqL8~R%_TBz&*)wRZe1+c5zkx z^zL}6zB$NRPV3%rcX-i181}k@gEu++b>u=$aO};NcA`+f*pmW~Ro%%$D)lK3Dc`Y` zkPeRD%DE0#&X+*bY5n1T+&aBH?H_c97f1c$r5z2ahq*YS!8(1lF*F?JeQ%iKC5Os) zM&&0Bk=DYqBpGV!X`rDFsiAz%R7eplX5fq!QX#R*(hsVjoT8; zCXc%CNc3fNun?dNiBA^u8UvghEmTA6($jRmV!{r(uU_>pPX1%mJpgtLOeiF6%26xKTJ|;1jsEmg1hZnt*(fjU+Tu8w9L5Oq;<g}p+iCa=u1aLQF6HOuo0Bh)n_Bx$?q{K>nF#xi`DWo{z>ki*uX@M(&bit?hW~M_ z3gxG;F4VJUzABf_HeF-@vupmV)l_$I(Ld@QT$~Nwn^N6kRL5_QP7ch=6AHPor2Hyk zrbqd(KfD<9U%kEPpPib5hm?z$juR=Is#4z%x@jBV$9PfI;e)f&i*El^?tx~{tm?8= zjI8LkRV>bReb77X=NgNNPq{rSx<2Hw!HCas5ST!yCg3$z{Dy=)i6uW0h;jr0cqt2s zWPx!^JQ2Vpd+<;7VnRYK3TJ6;_FIiTdn%skTA}zDaa(pl-hiCZDE3$;_^!H-vx7`ced)b!3KBsdwGu z{-I*;!&32jswr6gJ?RaH-PhTYH_UF|xtNj6Rt-@iLD6GLk2V#c9Aboq4m^ zKab5LEa*5OOTqjYZds*LF4bB8c0S1a%^~a!|IqQ^=Oh$-Lp`$}x%Q6}EMj`Iog30J zZ4O!P(z_u{p+DBpl|f{Kr@xJgvU6@Q%K$2ea|3A>%2AfT)&wC?9O3+Abl7{90hD^f z=&*OxeS3VdUyRV7=S`-rnKaqHm4TBBZr>@6?2MVP`4A5j);bP-LCdfCW2Vi+S z7mJ7>pKvO5z{*AqAISrTCB77@Wz^5kBxZSa%FrOMmY9q%x!_dgk#LG!%|O`Nw$dpx z4+klfw}U`uzu8YqcoMo(KOdYOzCBQ}1|6irl;l43(&o2aDkDD?Z8^XAW3Q8uq0?-> z=$}j8GUyG5FFP;J&juGSo23BB_UHNYGDg`}yFM!SVlk&Wf2G>9|Bdrt&U~`3^BAm$ zS$U8D*u?TJiQ#cLW)jB3ska2Fn;0+r@q^JJ9A|Oe=>+|N+~1H>FC*ZfpPtKQk)NFq zb-)c#iDA4Q96Ly5w35QKa$M5UIE{u293+jxV}p%}NaC!e39a4RU=jz7EWgwb6+QUL z(Z_fQ1gqD*@BitRZsQAkr8d6!L~FJ2MR94a+w{j>jEygHYj0g7K5(@)zR-(njrMZO zDV?kTSuq=btlQJEHyE4^M%8;#KU8s!s+L$zPR^>-SJ>WEosBfS9Oa14BNhuS3~3Qe z<)nf;RaPvjIpG{n3B;ru6QoSKl5e~n97{--A-gV#`~~}6Y31e&Uir>smF}|({z=`+ zOmM|+<*jeIZdsM?GgqqG{oyDxu~&gn2L~16jU^=IHPiLdlZzgvE35*Qlc(-S zd71cL(S#+#-w(Ge(^n|%IkEnJm`lX`oDpQ1tZxP}5Bjio(d{1(^TKK+dG8TiE6m!J zU~-J6s?vSta@&AX*>twdtJ*I!h^5s4VnCh0*D}1{hmN(bs?aGf?4{M$vffuL@udJu z>wLqcicC#0kl=>0Fh7Ni@zJ)J+Ve+SD>k_m?ig}L$<;k3Xu^`vH%6j@sYhRJp3s=9 zD6EiBELJh3%#m5MXrI-juR`oZp^zT0NfK6-E7G@oa#umyN#uzFOAeT1+9Hc7Ag`S z+`2+9(NGfgGvH_4$F?+X^cKXb;f^t@6n_fzk&R+iK57_;!>;8W&_v@c- z+s~fd8Br%Mx%O47YiE{(8_ogjuf~U+!|V5{^>GBw*nbmY7s+(Kr!?A)lQdOQ=L;WDN=N;n0IK zbV*1gS0@z+5;#LrRd(G#2Wo?xV>#187{)mfGo}(DG8GI(s{`qD&&{Kgx5pR#^W)y= z{Pk#f@TLc>Mg@Q25KXqI8h{mqdowb}2y^5U?!|Ph4jLb5BG>09G@SlJpLqQvcj5*A zjHX1KK%dSa@7Y=W4#yOa0|JhoTXwqmB;-V(-qBG{Eg#*mz)^BZacX_+sXUeiys#a~-Ti&?c|3m7B zn*vQ}Mgks`K&2uH1b%$Vm`v5KT^Ap zFqv$uSZyxVj z#b3pAIujYJ_Savgjj+I1Rpv#WHwxHvO5)cZBS{BvHv zRfNBjFdg|Cz&glT0vR@tRiG8A9|t@&zZGX#ekA^oVW{82e3OW~d#jOu@QArz=Em%U zhU`(uJz&%x1;1+GHqZf%sK5b*Sn{cc84w}mP%U*&a_W{< zR~3O~4rVysuWx}o=+tiu)jF+C8?w6K>r1qGtB8RFOQMLxTlLm9(n%yNurc98oK3QZ zOF-LqPF@go>M1VueDx9|RoS5-8#fL(LmV&QXclsi>nQDGf&wxTu88S;PJ9rYl(QU% zTmP9fPea6#7}h`oeMgYbB%hB7)@ef^5?-S~bV$&B5o0e;_l)m+?(Vj@Vn1?Dv^({k zY)0Hwt=5ZKOt8NMoP;ySG+YHhyLVqKqUA{KWjOH}34%(THlSmue`tt>qbQ&r>~n&l z%&R?zzO2(fT!DYNp@2<`JB6AHP6>p~uIw^-XmW!psW?^8ZecIGtGBb&dmnf;>wGMT z4rhR_S$xTnPbU)+lTZW;NPOf=QU7{I#7t_CAg;eYecOCBJOnV5k0gu{Pojv$g82I? ztup|2U2`?DN}MZKZ5v(U_32x)g6pMX+m+Le&IuQI9_7dn;*(RqRUq#&@o>d~XnjlJ zo}hnxesuBqMdS0`)Bi8y2t*}KU!z{D)w1eoIV?82XM8lB8P1RTV zYfAyldZ>%+JI&vJ{LzJfvZ248(SV>VH?q$%bXbh2WEMYj@+)egFMqBog>vV%x4N-T zo#q%`R*Hnk`LWe*<=^pukO;M{20~K)VNr(9*!57gl^f0tG!!^inI`o6taCsg^mnW9 ziAuc`G66vxso>~5W{@SLe~7lu`-j_E_2GH{badW7+^>ITf%ujNfwC8>=8WZt(`kr< zCpxg5)Obu*KXPN(tNe%#2dFtxfJdzoRRoKwsG@gA z&r9N1>Y04Mz7=ugl8H%t=3aYp_)P0MRgkJo1ahpp|Jcvzc3>J%(J-+vPKa_p3kBNR zL0q51QI7O^2o;a71Vbek z*4wr;SOx-@B$fejkDR8HfjT`Z!g>(d(;aRb*^ezTDgQzalOChob1m5vprisIs@r|b zeo1l_0D*+Jja;JViU8u;yda=1AV7%X?P60 zlMoFjG^B!{fU&57-g2V0D8Z0V#>q4lA1>Gt4VLPa_1kuC8E3Brj;92!!0cD7u0ijx zKait&c51WJ{*l&(0)i-)or^H%#D9YDn8l)E-Db@^+}Z=JWjex`$bBkKByrFciN}l+ zG-tl@=7KMjE9xK?qkvtLxDqj^e*3OBcy%`HjkIp~**;27me5b=?|)xfO2i4drwCwB z-CNzfEUaWXP`xF*-+wQ>8TOBl-&aGapj&}tf0_p^rSq2d`4gt;RGp9q|cBG zl6f|OcWaHHYEH1kn;~oTD_0pTonU9`5ZLQycRr{Dtjdsc_ zRHGk5sUVh_8RRC)&u6=Vyy7!0h&X!OOUvxE_Z=`MHRRb0TqfQ-mCUGW$45^6-`CpM z*X(`PSjuzEbgk(Bp-xWpDES1hb)YZxckq@7+*= zK6WDjT>@?w+q}kc_^9T->kdxu?-Hnsj{$#rcG0^Z{1{6G4)oYuBZ7*6*e7z5VdZ|n z;r5TM-Q6GB^ZG56zk{FV)FfA{+@$g+drYJEB^gHs9duvGwGd6l9}U-)n5~11+ztxX z=#NA+r(DG#Tk-0{2+N5W5Fb@YxipLtv0t`Fx&-|QlWSK_HYj!Xqn>RRbWX(Un2_*s zpm**8txokG2YYuFY)j4Rb7}a65id$njh3ZIX@d*bWbnPx>f482C1q!soOWRcCEtew)}|C z()Ozdt{3J{CpIq54$nXzLs*R;=tUk5yab}u1SFh_8S)n)o>RFKED&ePFvh_wDT|ZP zmn!Ea!U4S`D+ci175$*kIvrj;LA6M~U*Aa|SzFag-c;9hmz*)cy?b!|xkfV*L>wg? z#YB0brUzZuWYb3>i|0Vt8THeAu~O}qI#SkApV1Z# zxggj_YywYTqL)@*wx3jEPr123q3tUf$*fk!iAc#{Qfj3a5mbN7kQK?GW`#)se}#ht zEc4G~%RqqCHcM`Zhn~GGSZqzR$85?g3^zp`ZzDYx&gQ!HGWD#vooMyEWJoT7lFAv4 z_v>3eRX5?Bx~%MM7mMeN0F!F{{59l&{U$RNYMWLpuA<@(B;zPD0{+j8*il?X#E2d{%tq@Sl0LEBdAWfRH9GZeCG z6fqhKUR=CZIWx4n1sg(4;Ox=MvcV@Iy=icPy-RYV(%pkwQR*t+Y(L$5w%2YZa&5R0 zw2MRE6@<8gxu$P!z@}V2;KFB#fFf8vbR`Nd4P7xKF2{4?3OX+#3+9lQ=;f9m1i3gH z(d{zFJD3sgQjR`GQ+h?f!#quq21iFGv=&l9LUFvZ5H-(Hf%orC`VcLM@^4EOa; z1@@ZUi~23JtGb_uRz5JfB#W{h8Mpzg`g}ue=%@vmA;NQi$qy!QxPk6rVm&-1nH}?0(iP|K@09 zT-e{7o%GhTCRTgll*%I-(a6doYR;be0(p|{OU)q{QzLVzg>xrC;yDe8$(mX4 z?~>{$z}Dy(5sih&8jfr?HJh700j!XT3S(dCz3rL(3XV3CP+dBl5~0Giz?4cCi;+dOh8x4CG@17hhHlc08%CKDBH)BH_WXK}$rvPmNYCg1E&zJUV zH9tws`sH`B7u6g`jZLA3>_HOZD@+49{Xg2cd^i(Jzm)iHz9r>51u?kX7zH#W&x@W> z`q*dlbN*wv3A;TFrNsR5WsU(^ItAK5hj6BCEyDn1%m?~GQK396T5k%d9b#7oSL z6+>U)-!L$=q-oIV6khKy`Iz_L9HCxSPu8rTfhk0EMdeQirqqn-0NXxuQj+T^30wl#jFNVQEob<|KG1f0sGrZ0>Ka@a<7F zU9)B|__@2QeVz?q2XytKHX09>CToU<~Z~*SQxc;Y#0cR_6t};5YqkwRa~irkCVcGsF+s5bdGNTrh^>YIoX`MoK0R~?=p#W zyLr4H-Qtk`Moz{Ka(4ELO>+7hIWw!lZtbKrRA%|Cx%+t*-%O4gs^4aVcV{uxGF7%wjswFrjf|dBPDJX7(ua#n-{#fKFuOi~ zwHV?#dCM!Ez?IY~UsiEhk|S~K^t(NYs`4TClnY2 zs@t=pQnI<#U4&(yFYYsJy%U1n2K3=o*fYn3pK4M)*2ijy!@r_XQ$ zNZq26i&z$i^LJS^yM`LY^oj;#YVFzDXENUtB^HLPda-S3=7`*&JjE=1`MKF)ZOS^^ z=y#L?DAsm!+se{bAJ)i<9cW_%87+%gvqj2n*zjai@CegD7V}uB0+w@QL6PHUDpN2F zo73L030VRz18feqE3P9fZET=(9OF3=B+g*f+Z}MwFp-WzJWs7a^_~2?8Oz=sl8A&p zM=V5B$hy!$q0u)tHqhHhN>RM>-2j#>@1WCeMjErS?WOpzo%zALABZ-UhhKH8#0q<7 zKY!%aK;0Y}fqAEkVWMK`LMKxjsP5>!Tz%#Cy|cUnvc%&$0MWZAAU}Vkek@h@Z!Ki+ zG2AMpvc8o_`fjV+A2`0I;XQWsV++Zmnl!`aY77apY3MglE(p*Zhj7%no~^o~zloB# zQ;8`zT!4ljM=4y-i zK|}cIiNXQ>P}jKp^dyT+1k4t_RTc7h{8S;L>$pa7%;GeBgXJPq=E&*T=iX)5rXdqm zuO- zlh?6@v-+(~th=Rx*3u?qpFUAD>cIJvHPuY*X&p+`sM2^!3Pv^w(6*~B@5FNR zdL>5bkB>8QOUxZr+~5J!S*LZ|<`UtAlim&Sl9EKX;{Mc%>z{@F9X#q|f-lb*4GXsc zP$76)R&M#7&|*BOSF#ScGp1ox&<_?QJCv3A6kSkJUNER?<~)|V6bT_TQt0WVMX@@3 zUg$`bf`$pHi0*=Px+mmv(VsiL~)~}Lv?Bl5DA4On5B@@@f^zJp)?liv0mAV8l(f4{ErFB;;-S;=K za&D`n0vDDuVrpqpj!)XhJ%19y3HWHmd5@e_)NW|t#uXCI@>O23hE&k6v#47Nz!N0c z+`~foktrvSDJgoBgs%AnUj*f_y7=~!CXM=mV?pb z7HK*)wZqKAoo}jrZeTjxL@XBQpnK6h?w@u?XKyd|)#jv2-j!~bK-Y$_@gK7(|KRRD z*w@l#La0!sp-mk$oUY@oii$x7iXMMD;DE6S2WoH7p?EA1B?^}uCO6Oq>OodP%KycfM}Rj!)8;Uh2ASi%8c7kt^;mxh+b}P z0_cND$_Gk@?Zf--fq7e&mD~w(nhh19n}k>Q<#e(!MXREgIk}AGYDS`B2h$+PZ->3X z{?}iB4Np&B_fNl9kJ_!L)}z;hv$yB_?bes@%v5W)T59iAnK5&qPR>qWpXDE=!N7A* z<;XyK*z?}tq(6j|>Cc`jxaa-Dig!=#aXMhpB0J~yShP_7vj0DO-`dv3kt}>Z=T~$F zC4kqGz)qYTvf8sU2%B9%tRyG#vAyh|X-Tt;W+pQuE(h!V?eEjq>FZpCz)sfeJ~2q$ z)z#Hi-Bs1qRq8!z8ZDBs;r%ALwiMsUkaAeYSWHplf7Q-|XHif|HnZWoc0!acs(*C_%vCE9TIr7+YW* zgT|dej3og}rt0u4CRh{BGaxu`LKf=H=kS!5AlO4taS%KKvjjPs+uA0rYe$caQlVDG z#VE}k6#*@FG4-!tNCilEbcW;K)65TvlEuFeRVlh>Ui$&T_F|EdsMFK_2=Ha1Jq`qD zEHsszeI7Y0P1o>D;?vWp&)^xPKN;(ykFeJTUlKAz7Ifx3-)nL~Q{#symtxsXlQA){ z$)9Kh8_Sl2Y?33w%YpK3U@J&LvkS=Q+crIhybcK5%)i23lQTD)nNzLham`{I+1!m1 zsD%A8tW|_4wet{|t(m#08~(u;IRo_o;e zo+O%->{kfFn`3{DwlhP#*W3?J+?#$3LlU~!xZB-pK7Y2ev!f~$dCN04W~XuYY_GYy z^XxmdaSAi`!t?oF6CF%y3v`(K;q)Y(9!3cpTZ1FD636{sza_$Vb(mr}o2pE#oK84> zb!xt3A#r9hLADmS2WWMqxK5$r6VK);DI?rH9K){K)9G+kPPhtK}^UaDh1K?*Sa{e z(@kd)_QZ&JlT9sTBSqDMfRu8o9>z~`rI{!~Xye*3NIghsp(x?G-`7^>t@*xG9!lVH z&U%Xqte11R&VC%G!h$MSr{=r?gDx^R9??E%`}E}wi$ zLUSXvn=q1lAn&Yo5}$(e5oFWz(Dei2FQinnfD<^_^tuuMCxdA=fUfro(%sHrLTg$Z zbt2DC&a>zot4@XrR|vrlepRcnCbCn+-b=DC2y@z08f0sGhFZZih1MnC zwPtRL>DtDY2N2ep#B5PjV3AU-~t#zCLbWoco^beTna#r&-c*e1rgMsCr1) ze#BTZC!~sS31M-NNaKzSXz;^)ZQoXukxZ`kihRd{CWr&p%6a?-IXg#(N~f`feh1Ct zF>p99?168>r{XmCz&Gww92t}Bfp6Z>xVb&>%_~Qpf||sh(D)wN_EhH(O@yi}(LujA z#O^yBA|5AE43kO=r32=~v9vge7B~PP=a)H7spek6x?J*LWDxAMWz6ep87mIp_dFN+);Mh-b-mN^`ZanjY zoQHhunZZ#UB={_i-Ekfx|9p=u%JnQ_k!pwnxX?Dks0I2li4EZ0zT2Y#u66nqN8J|$ z-D@%T8>|biTt@#O#2GL;U^krLH>5ErG`2I>_*qNGXu8VB$f7) zN7*Q(yC~9G+zM6^9Bx-?^|*H$P;hS~_7Q9w4+ptT9*y_~BJ_2|cpk zziZGDgur`dX47w&iLKmUiQ}>N?O6urG1mA*laa&WT}0C}AH{m@NdS4d4)reY_CX~J zf2g4a_vNo5p4*-};Kx~Sjt<(d$kPl~+Jzj8_|bs;CSAP9XK}yOQ%67LF~H_rd_6Y_ ze3DPrPx0GEaE+OeDm{qi&;z?PcxZwx@)kIauF;=3;p(-UglP*XfQ^xD*3poDcL7O_ zNpky|PnL%&;n+1ax-!%dmk{&mO|KhVlj@gq$g`~BkzAJX3&(r0=ff-n97h<1QP@Pg zBVNU)QWy?~&F2gJiGoB*>b1)%m+J>9*h(V=oyOI<_!SC{o8nJOCqZPzz2usd@k zR9LFu^4;Sz7=gvj%wT6rF7^W#Yb#6uM=;keo zZwr7vF@D~WgX!pCxknGCql2YR3qfK@;PNnI zjqmbrWvrwv&a8FhJD|f!ke|-%4{;f)9MJ>~;DR)oAnh)^G|;RvooLL%v2rdL6F}ly zTLit+*g_iz8k+|7@UCWC7C-mqVX?P!+*9Nhl9`wuFz?t6F&b;B)O#nsD|B;lFR@D19G7qDo8gZ}B}2y_n)z;XZ8tE1CbN>bKb z}N?=$@aKcN|i>g+i{IK*)X z*{*5d`3SDZpc!mCxNz%^c}tgx#lNygBnu=g<`-6lF6SB56kLg7lw5Y6q0zxQ$8d^i zly`WHrL!#+LM)`1LJ2#`WYU@_Hh^gq&@3G+CF6=jf>& z@`oVeQvJB+(&@Z!+&Qd#j}RM;+u=!*2CTjI^pH8Xm=E5Rc4?6Wo7dZ~>BdK={q45W46|W(_qVb>`@Vw22)lrY1Tq1xY0(XEDu({(`+jpu3 zMNvD97Px*DZ7V!t1MldYBE?iP5#_D$GCWU3jx!wQLml|Uxq;)u=NRV+t~$){f5Cc?odBf>!; z5m=5&g$(FpGa<~BAT~@jTA;R{iW;ZQ#SuK6-oB>#+0z%Ga^byQ8X1ceFEgPx7P#ChIpIW^T4f5xY&u!wCSx9e%o}_*<4O zoaPD7(}b%7GjMcd7iTvrNKPTn!i<3*!c2HCkN$iiV*_+_$^u!@h~Vf<&NP=0Yr?Y! zqr$*U;A1~r+?Z#n%n-3V4#I5uazX%VZ9BWqerWBqc3QiFLr}m#0moACiXSf>l{`{P z`23Bm(o5&-U;H3oY8zI;W>J#i4T=PkZY^T=a(dz?X$HI~Th**L?RAE_r3i0(%s5vnNxlFUUMpWr+${=CZughn##>a}}WZk9>UeqF=$E9F{G+`OWL* zHz&<+hJsY)Z?Wh+atCRPjN5A5F_6N{Z(#~Pg7@T=s_bmMlVM6`9k~xUB*~icp+4X_ zLJu)XnqL5L5Fd;W`_+PkxE5h_1(Qh-T`RQ+zuS5C{Kw}z?OAl)%%bKvn#XPeo7r{L zB(_l6^uwkXWz7`EE)FVcUcn^wqp(S`j-&4{+;oOOeZTYK`wjXp;idGPJSmX)XzZpC zIE|Ox;p_9CdxPOo|I`7#%mB|@yR9eN+BSdI9gTW})6VAmf4+aW)BNxEAO7^dv8grt z=_l!Cc2{sg@_<9cXMIHRl=Y zj@i%XU~{OhH21@Ex(GZLckYM&d@-*g4gBve;_KaSzG*!XnDHh0@R{(Tg00i&615D? z{@ZWSI?}(N(Z9R&<^D^ja7sFDkdW+dJZX^|z-Rb3;doX~eSea(7a8^2Z>3LO%EU10 zD8ihY@Hd9EMWM+TV#kn1D-dB#v&yh`%U}i7VKoiFlw4kg&u{8(AJ1R>_YdFy$aaq` z@#oF!nV&%%bl99E(Y)#6-Jz*?aFHz&12+gj09{-r0*6Z^u8-XZxPN*Nl|S+42DSUj zRjLfIRAL;99D6XHxrsYQhb?bT`rlo-$p-o7n{VEI{caDp-}~_4$_r#99KrGC4=)gN^p`@Rv?e197x!$v!8+PuzN;(q|i;M-NvfCh8{>@93Xr% zc!RGigi?O^ixIrZ&gcG=WTHBsMUnB6J%LkrWA-tTuQ@Q&z2bzV6;qS<%Xb&TrCDC= zw)En{t}oQh@0LOj>HV9VxWIVYZrllzUgAIbB$sVRc>2xbXY%()ob0ol^sK#oN2Dk` z*7&CFV|6b2!Zv8xHsod7ke6-a!P({!#s`vmKOkK^@U9^Y{DFmQ3Zs8O&`7jHVVIPS z3F8EtNIDbJFIHs2><`0zo9#_UUVdk@?Z4k_Y`zcQzenGpxh|be{K;l9D{yMB$cm4T zjER$6kMavLH{sMLv716dZQRcFtjt5XL*tr>xpv&=%pJRF`=4!r@MJC8C8Wm`T$KkN zXh?mf{pg(TG=$kqOUdeS8`d&O^9wXR$toO2p~t`10xPLu9VIlyT3bu4w!qFCr6PLW z#T0?$zC~Jv5q!jCchbfkM`wxX#%H#azY!-TeI@u%w3U5)6h!xK?iv;F&^@E)6F>Cc z{zGDbjZ)Va*gDDs&jV6phE>=D2P_*Z;!HeU&EfANBmTfoY~}5FgZeep_1FNGP3;}N zufb1xDDDynk=g-h;3zNxaaL}%l7SWmh_M$yXD(|oS$_^ zuRD3`0$FAP%?n~a)>7IdcW!@^<92GTpbY=(f?C)(Dv}VjS~^(D>&6b{s1QWx+AP(u z%)9;m$ytBcGoq({SB#t7+JqRbMeqwQ2gU8~nV*7-AR1o+caq_U9RbY*>)}Kh3FMhD zyjHEb4fh8}XJ*PPUlq?xYHX#rd{B`H@Wsu6kCfXBJyZSh(dnCC&kv49(=K-Y(+FM%ST8k5~B4 zH?@?t6F+3N2cT4X;Iuz_eRTSY#cKA4Xfh}CLd>Tb8c4B(`-HVd>F73wdPt0_U)_<0 zOGi4C3h$8Lgy|wink4i z_``FaY=IiOVdU6Lud%e6;``Q!`TzJpAM!LK?=&nvFxg^d*`zOxX@Jtq%{qqlaT<5Z z9F`^eJchId#H={qyrF4sq$w=7L4nC^022lGMOXx|yI+cROH zzNlPFW-aq+geyo$#}SDEYSUf32~PW`d5V{ZJ)X#U!3+P;SL97Py_8ZwKAJ$ivx&W{ zeAJUk@BT=rRy?AUw{>cPfK&)H1K>$5;Xt6R$Pg%y5{^{{s zoZpEw!Fe_ln9i713Zew(ix|6$6zBiKp;kES1Tt11SYQ25+7P~M0-yaR&>Ym=2TFU? z-wIfnD?jl7acR?|ntKqHy2fWwnoW~(QKce>GuaZ_=ZQn21h{GHPeWs(7n2l<62fGO zx1%MI{&9SM&>eNp2mSu&{vu||nUiwM5R;9O0%v?$rOX*~$C_qf%xqv7;tVHp%&R+K2R_T;Tv2(%KVX>Gipe407)m5eSRc| zhzxR1{on)5xunOGtw%0Sr+#?z`3MCm|Mj@?fJty~VNft%MGjODbwxl!p^)))g!zX# z!wcouDzm#j4Z`UH>^&LsLo<0VaMR2m4{;pQ=fmv1DwExKLE)nD2Y_H8>6~@{KK5LrN67Ow>}HP+ybaQ>92=o@slW=MxPIh<1(ZNFCUr7F%j;~6E8l}2`_PA}6gl2c=o1J=dqe0kgGW+_Xu0O; zw=}R;O*o&AOY*3zspmaNimtKvVvK!vA@OSD%b`uETJkD-&He@lY0@eUf%DO4P#DjYmNM}fmWtPY0~!ja(c4=r#wFp@aqpN%_lBFp#blg1q<~Z3IhJ>jPAQoSkzB<$I)#7nd(~7gX zHHjoHiYt!;s&RV$7KH8ooYzVr;;PM2 z7e)-tm1tXN10gw8-O%Gton6m^o&iP9Z6Y?9rv$VWjUrEOPuEwPqOg>}oaV}&0MVt1 z0k=q=ofv7U8BDgRvV~aF4S|~^?k(7Q7J8%w(qmadn_booeFz)^E{kwJE|zCd>IfX9 zt`d-0#2!rgVGEp**v!~XQ{b}allb-+x?`5Ykmmy71%}utw0!v<&lB7W;2ee-aBdyo z+=90t1T+Jo+QO8!7UM-5m}-8aue)d#ovp?*^-;|vT7;gEqY@b#kia?$k3tXLAkyLj zn;g!&zkXOcKM6Hx=rb#&U#9~a5_0A@R|EqsKnSRnx>@#2+`bC$Od+Wmv6+JLEb>`_ zCzTO!7(No)^pXdhTKEAsC9rU2O?NzoarV@()G34TJkcTeDJdlbC+;F(0Krxkp|P1Q zgyZ#6e;x<7AWldP;a-UNSz#lvIfdDq6ejxwj?+ybxQ!NI0wK<*5G=-*xBmmq7UAXB zn7=~s7M!Br9FosP>Mv>##Ash6@Hm?GaZ+AkHC*pJ^XD*HWSz#H_~%}8r}e!a-H3p9 zoX|DB4Mw|*=cjSt-s&7o39f4=lz`_HwxF~l;-&0!`IugWnIGtq*C34@{#)v3WtPZe zJm)9&uk>XaKp2CDNC>cj3$DO0T_iXwIEgF4h72B+>PswDh+Ll&K>|%|@+l+&dydG_ z><68n=jIW7W-wIEV4)oSq)A!QY468PJ~PmqD@X0wz{vm3{x zFiAc;`q=5bYkqq8Toh|&EtrrHGkbZKB1q_ zU_cWt4bIqSNlZUF=)I&Lkv9~ApM>O9ACkI2mJI)|Qx6vRX+ky1v}+LG8eg9}iK zZoe#IQFAmIAWnf}c{RELhGaa>$uk(lEH#fG`q^vpw^2p8O*1%u>&^qxsN*#5C=V{% z>X)r_rX3M8Kk?4oB)i3R1j&0^0Ys}+z}GOCqs}cfrsY}v$D-N;HH?Z~oYqz1D4WX=f za{zJdO6sL$i4U(JlKr2Fg{|-3XbioOjGXa9OX1o|aJC%-ThQo6p{H#Q3Wdd~uxyj2InlcY zT5c1kfuL%ipfz&k!Ma+6if$ak5ND3Oauc~=Z$lZoh;H(H+dQWuka<*JXF*Lc6KM*w z{Y9EZ^8+_?5BvnDXe>mfe|#X2zWNH`BpB}i{aS`nX#sN&D^-He2K^IcFj6qMH~|vt zWxbWsMAO3jgML3BtP=N&lhnCi{FZRPG=j?hYs0FpOcrAG`&{yzrmG65fsjQ)T9C43 z3NtEuRs*DL3&)psh9IvmctG30y&l9Q9 zPjD)=ECHME_7-srlf4g{==UJHCcg`nDYkV!%z=E}0gjtw{=~%+Lz8M%H2eGgLG5!_L6~fQ_vlZjt;x~qyFG6h!P+s6)_6(eU9C~ z9pb2=jz|uh_i3MGLFcHl)b9A!ZSIGZO=*^Ne8D+)Z{$xgC_+St-6pKHIhsi5X)=7Y zK}|-GhJ(o-lE-?n`(wv>(c1m7wWBs%ghQ61Lx!6E(Ajc+XgzD~0Q6s0Iz?NhEptA3 z83AJRXqaPHaufarcF0z{7FfH*MZ@_ahIyEWM7BWAF^Iw09lt)hEJ{d#2DtTjm4?qOY^3W>@9;6;VIBFa$TWdTQzN( z`p#Igx5lmXKhc70#Eq*JHwWXC?&rZBZ43&NnSbX0Anuv&(81mep5e}}hX@EO?`B$O26$jGktF-T-o zDMW)EL#ghhi!nMU%uXyqLV(OO7ZYde*gLomj-$$6~lE z<3iz3QAQMehSV=28%(Syk5{bh0m4qhVz*5{3TxVzbpy64<~f3b!ZoGu5S8R zEJan%WWrSN1gN~2ME?1esKW8@u4jlEM~B1CW@nRz;w9h`GPe~;BZOyn32$*E5bvu* z4ZeE^zRufq{vUY1(RzXwg9R#)FN6>BdqD}%B}5b3qLsUNPopn7AFreAI#$uY%8wI< zz_;HLw`V6y77+b)kwEvdd=ny_@V%%_$h;_o;LmxOlkQMrDGvz`2WkCM9=v#hjg>ao zOU&bFn!CO6SLBQ1Xezm+LGcco$01m~(Ro~j^(yL33X^W=y-K1*e3(S@L-r6ZpYc4p zg2QN%9sA*BH}v+Ugd>u3IEZjDY#ai1KI)(EzwYh-oyZza^C5gz=tIUsNVX~3O!7y1 z?8zzd*dW501oXK7>iqENxOaZqJ?V7>hbBUkw-srx0LWdP43zE<529(iaVHIB;;*us z0_zf%YQ1J8#URT9`~?0bP7f*mfb|kO=;5-C0R5~tI5`>;rLYtfyn$oz?O(uOwlWAo z)3tTjmTz$An>9C^f$JGeAdUCK0Wd6^A6e6{D8fS?(}n{%Bu){1*eq^NUSODw+rkhf zYx{MzMPo;!h&y{CLy*U(B%bBF#+{0#HOhvH4m9pB2mGqdAS}Ft={V!jHQIq@+I*F` zoBT#`tl$P3cl`H;d)!FXTAA3UHLise?)6O!LakL13;mLal8aeyx z4;dffyigzcE69_=Gx?)_{zt)qtb4{xbd6T$R=BW;q!to;Uv)lIE zO*5FZF5zwAFucjPhXE178gTE>hU`JgI;%ZbovSm zdjEKHH0T|GgQG!jf7Blw^@b0n)!7V<>S{MuQ7BalB$(vJUwIUqP3^&;2UrBgGye*D z4>!tnlw3X>^b2=9s4?mP9_zyoM-vu6iC}B&eKbX-qf~_MMW;pXVn7c9XQ-HJ4llRi( zrIj1^a1(K7PzU!j*4jBNQV^oR=j24(EVy zspky+ax@`dSae0(0}$bHh{YC_CnfsS%dS)O#|(am2V`dW>aQA1rlV%F<<@4Ae~}uR zDrW@IbU%u3hu9f!d=^P>cXXNt(e#8rlF_J&sFHuJ7SAraWYF&O@`1z@X~mZa%%nl0Z}XS~ZJ+2h+?C^N0X%K#;#|)OdgH83}|t84HTzSG>lEyU2sa z3c^B629S%cA^TyD%UvqffJ6T`v34o%5rZaCqX~jbr~L%|MUYxLZA2yY>JG`L{i0Fl z7jXrgAptU31OXy!>`(l$nPl-qB-!H= zj9qY5rcPOhB2vU|mcb-M`b=7d9G`%Ja8*Bmi$vi{5*(Q))kssZZxNLyQhc>Uon-Pw zz$AL*Mz?gNbGZEJC*5l4^B05$OR|A}?}z)O2d=yPFuSg1mXlKb;=rl6y0q?dLA`!< zNLV%y>`slm!jk#I-8ZKhXJ=(iiWNRwIN5%np|96?pji*D`4x>zF;b+Kgj5eqkOT$I zRFsn{TwO`I$fXF=y7~yxI;FSszz;7eZS$NN_-p#*Iv0vS94;}wDz)Cyc8z5xCcvpn2$Y9I$y8Cw`cL z#_n>{fYlI=qtIK$MYArvo=JFZfDwss6jzF{o14uBFpYw%k_%iL$9d#^s*Rd#GzvWWa@GNk^as0(mte73*xr7kAM(PMwk%?E($Mm%Utn>z7e zdZDK-6?lt2D_K{TSVUz(zHlsTuT!uK@a!bCv7IEW<(9;6dC%>_JwOC6ZIvVtk%oy? zkThU<Vc&`VMEfuAp`)Ukm=rEqQm!1$MjOZP1poc^G>sfy9Num_#4pRR;W&WYK26 z<#!DJ2bR){`6;S9KkYG-BBD|f9xI|^Iv#@PghX!hd48zvoVDZk9~hW>?-wy#l4*Q4 z73Kq&T;M$`N6IMO6+pd4`|GNpNUCU70P{@}3~@r`^Vd;y3A9{HcA$npe*?|2vUiiU z7KttA7yBWS?#Dv*0LB39{BGx`_w(f@_=xKVY^LqK){}O7Q}=8EG5nDpfa%Olpw|i` z54L=AFXhK%u3C_xnUdUKqQOn?WRM@oBl&k2E|x`O@MHlQRg^7jVn$gq=@^Cr1d1LJ zUz!m&7D}wh+lYv|B|hC|iUL~%x_mz<+)B~kNizDX<|LcznRyQR3l`zc1s_FsW27*9 z?e=iiPY-7lk*C#~}N+>H%Bs<#FAhe+bS7{j=U+ z^cEZ*9gC4jxK6oG@@)!eSWh86^c&O zwf437VD6%$j{MiS`sfGkDMgDfF~Ho7i`N;j@&+tYqcL}5J&}YWpJp!M(Hx?-Uxf+S zk7@`B&H&sJXQV%ehcP?6q}nFU4woh zC8f7csX%_N-BdnU%jF1PE)e2dorWAQ(NxEgMI-EPw0QjH(IU)i11<73*1*14(B}vpKZGd&p*@Ft%Vt;4v zSqv+r`QP{pi`=r{Ye3SHwKoC!pIWUYV{F%v7Ew|@JU=12M?UeNfKB_50P;T&?w$k~ zD6ewzrWLQ3K!ryv0#IE9!5{Hyk0@eMeB0-DPY)anWtSp{StAy`VF$+6@T&u zyBCo%fO36=-k9OkvVohS&4j0>2mImz`ycb`73I=Le#Ic(Y3VGpg11_xg%$?>m6acq zj?_;q_co+@6!-&i!!eJ|GlVy6ke!E<5!XEPaXBh-gQZ$U#}e@h=8Kn?&E;>s~q6(Dt%`s*nM6IXv3SL?R9#t0WWh*zJ!l0sy)>;&=&j*4euW1F=OWMT$CyoxR%;>yECh)1c#4O|)0R35GjsiD5Bu!?T? zRDWAxpms6e6kZQC?hr1A_#$E1%6GQ%`yrFYS9n=uRZ2_eZj5WS(8BVnNpkSri`dqO ziR&3ce`yrOKCatq*je+9*9|?ku`0Q)qWG5Xuq+#hNg#4AFeU}pHb_I9Os- z#?}@;XpSjnX2tPYo!RkP$bZWr59&ZwA|I4K^#dR{N%GqXDg&%!3NMo)mQOL3Ofejc zl1Ld&j2e4I;U#j>^Ps@Hd{|Y|p{B;i9Y-kPu zCD63`g|<@|9KccFTcwBs-P#@&1(WVzID-l-KI7%oBSrzx#V2?c8lzenebaS2A;?K| z1q+p_l^#&xK806ZFWnS|Qn1@v{6}oel^nQV$zsM)l&ZjU2ZJyzT2hBx)a1vuY9TRO zNHLVuNDAFfDs}j9cSUud&w>8(GsjPl_@EC)*WiUUPnQvUMQ5y@MoI-ML0}JwbpqNk zEINSdz{}t~*52d^0L-l`;bnSKeIndtR?sLBA|=`+ZXzq4g(0g|RmW<2ih>~0QnXKG zRZsc8lB%clxp%DVN&n}bIlo?=$*!)JebI0JGxQtzIRE2lHI+0PYz>?CF3D(8?PUks zJuF0i5d=~Q8LFqFF~x)w3`jCz*AwiILJh;3OMej_BTm_d*(F0}Nioc>Dk@Pbp<;ytUa z`BdIfQ3HUc{*Y`u7hrKkYN{6%2HsgISUV7} z+%7b)p%5{*qWQ1^^1$hw2C}wpAVUe0+5?rUT#c_5qbDT#Fg|4wwPm0?E($~U)-xY5 zoR6da&IV>-YQf0wQG9J4BRI&Xb%3w`+ZocTg&nz$Diem4J2YE3>o`OVaU)ftdFcy8t*3(7bG^nAHB{-iZl zW^bH?N}`TKW>VIfEY#oOt$HlXqBJ{-J2+0j~8y^Fo4e`Sk?enqt0L)+0`@5tPidthrnn#WNJ0e@sC+X!rC z&R-k6lVXN6o)u8$jPXfvW&&RYVa&dtoFmk2=CkJx9;gKjerS>e%aVr; z$@D5Y*a)hJwpzM*G!)R!F6Hw}aZ|0CgpFq0s+)O@W(2e6GP{Jo<9usqcI!;FHiemB zNeFqpawb536GN8wx~dSUrsq?$W-4Uq!89$&ni$MZA+hzxZWbkHNi^{TmeRLi z6$>XN7U0HoHLRUL-VX)txO*k#G9pzqI~S4?5ocpMG2PEgvuz-r(yRF8$)z-7ziuWf zVUH?u8x&g0Xf9GlD%}MzscimF)?)fg*{9H$g_)=Dn4ci&6eip!$Tg*m`s;{@Epa(rSfrYCk}pC;u_hJZ(_NOv(>C zH}vxIW5Q`CcySQR{~g{EuCJp}uckAvsyOqct94c9Lam1Io#HV3PgkGUqn}mQ&E7GH zW|d5HJLV<$ZOT~A*j7ENnlhyh=l~~&t?5;2>q;t?+Ueff)|<0~?x+XI%H--6_~mHy z8vMQY7IaS!0LG~51&oT~eP6H02VbqZKKezDVUNr~l%EKn#kp3J7m$<{#W!q*G`&GI z9r{6V3!D>}%_0vp?hfCa?w@u~dhd2V=>8c3Ee{AXh$nAiEb)LpE{KdXWX^z-3F7`M z_$Gx~=p6qNm+G~Zj_^pZo4x#ihhIIgXJwwBwBNVe7Ned0=)*ja!yWUVLRAHC%B00|_%#@Gt@LFA6g{5hFL@xdfw5jSa9B6{)`J0`+SwboEqn@5CX*PH;i88D zR81=F(i@a$T=E%b*hg|2nsS5EAT5<0D+Ok)QiG1Ls<8qcrjt_uy-K)OIb4at;+uj1 zy5XC+&xwSBS16B347^*9LKbWBN>a@2;U%>BYO+>)zV`{&BB+3f`QdtpOm> zT_NB~!)kSfznYs1$1XdKE%Yz=(>HIwnSbMb^ZJ_;VTTa6QDa$r`cD%V%@Tc3gg{60 zI7%`%%z*O*|A2nr;YwTxorynPkjbaOO&}f(dW)DU>A7%=I|_lLqA2LmH=7OX8yDxhC7rnhmZ~vmRf6>|VJbzMBcj30GkP7;fzXHX51TfP|d16Zv7mudPu)0VRH7znCZ zmxfDG@?@`w!5`cVVD}gnirv>5s0_Z`D6mQ>ZBq4(#XYP5_KZUR#AX3he_o;VS+Dl5 z1XPgyW!|A|fKWwfDf-C^}K4v(6InV|+mZ z)IC1U+$75bwxlgyeL6Pk4n|TLL+#cHhF&#Tc`O<-;EsEv-T@fC+28LChlg*DkKbyL z{m{>RH}L;YxoJ*e){PN)_$TMFyGUX0296hGEZ#)e{6jx`4TBgaslA`jNH|`w?6Wx@ zg_Gzli{mf?F}Kg*O<{JHMBZYY*GKwTk1;HS`qT2@Ylq(;v$8S(?-PK|}>pV8Gj?<3fto`pv5>49z z3$?G@q>ZR4eTcj1kzg!}Td$y;LJv6U$2&Ts<;Mme`J?jm!59=E;Hj!MkBXfBb{dq| z!MByqUL!9RI;L#Cs}=llwl;#Nte91ErWcm1HFNQM!j|VJYz%8da>$aVR=#G7jkk0} zY)bsZ_;_HIl`Sk}zOGlDHJ&aC50%<&_VDhvV9($>5JJ-seN7KKi(hHfdE(S=3l9!~ zvtf24+v&VPbFm0V7Kq6S3$9?2vQr1Iw9x2h@|`hTpdZpRnl|bHL*T3{m9f`l`jPk~%qF!~kC!>b&S`5GM zo}H0RwAE_2V0dLR7^1)vyU6Y@n2p7~S134K#l>#(_CG!r|9f;+pL+5+q##j>&|2rF z6=r!XbTJ&W=1>Mvy}`&;XC}K&<4%)Rn$untP4clYWAcH3EBQc`Rryo>?4H7Gf01U< zoNDKWaKAz?Q6%1fOMe`?zF=F3i*EE3NxJSUn4t|Mi^frqKi8r!>(p}BGrWGLhehM~=;f~`$Io!EGiWw%a2)?;yFG--6-@9y{us77rtdZz z{^p1FUm2iHV0kqoW}yck-Rn!xJajq^*u0AqKg>Ym*>aPlv2S`{)7jjXkDDf>OP`}_ zqqQ3Zz|Dx61JhDkck`wXP3^Hh=6z`Xq!O`nLT&(L{KX)Eu7?x>oWwVA@!Ls|#_m{1 zW@tv$kIu8ipJUgq-aypSn2um!lURdy;o}Xd-jm?oH`@mJdvC8D&NPMf6T#=nbHoM&a2kaZ^~4>O-~LL(^Wx z^WICK0({_wFye1mj|2wp4fGHe`!hGGDg^_z+e5F1is!x8Lk0K{>rv-Wu}x4oR*X%w zgN3ZWrLArK|FM9{?FtMa^m`-@$VXfk3*-<#6CTi~s561mrkD$~#`;^Wd^WHYV#4EbFxfHx;%a5w`~rSBiNLLR>tnFiB+7_nG+g9MRIU=QAaP_e0#8|x+V4vxaK<;L7;@=5(`urSD^!|1a0RihP-KFxXDk^<;Xb%*;P@m_i>nJs z;Oe=11DL+NM&{OtVGLDK30CcCs?uv6ylw)j5xF+Y>rhp`7YA4q=c|gP#{X4R^&&Aa zYu=_xSW3f3kqe7neGduIETT1viH$@CX|YnXiqP0PuS0eUU>B@MZDFzwqso+d#5GBm zse=&)r7MPSl;q6B}}sj?=NBk&DJktI+g4~W}s*dDbste zQOu0Mi&kY-K{E_wku-J8^@v)kysXp&t#^|p?mli)SHw)$F9!L7`3Mi~NibgI+(V)S z)YmCXB3NB|RC-mB8Kut(lYYc&H(e@q^sS3oTM$*)RQxz}@f!9X5{HKok~xElw1hd%>6*iqO9!C zm_N9(x9TUV5illZUA#vDoafFGy6r~JC1$UiknlLwjO3u z8sl@XiA!*_nVVf>@9oYpHg^L7lqlyc%C%2)Fukx3_B@F2PNB$rZ?){{i@xSlr9!S%xT>D z{CS#4Qe~dS%6pkQT)Lgw*1m=cT1j22rrQX@q9^Ly5W`Bb?($SHfoJX&I;o`H9_{G- zA)TLs?%&SDon3G%9ZkCbjz5#l{mV{c+G)OijGe~fYpp6LY(<gliJWE93I0`)@M8g9isVxPmDK3IgX}XFa zR4+7JW;~0c6oQ#Qok20)SiC_@#bg34-KT6J(9!|TX$Fw0Zl3RwrmiUH4}UA{Z#EZ}boH$X^SMB?@A({U80z6X)eS3j8rG|2~4@lf2kgVFg(_t(+uL9cr-)W5@yV51+n zXq!P=NAL7t(CZHSr)RGR-C<7$J?I^Gf9)Nh&-Pz;2Zq6Ei+{Z74c@9v3=89qD=dsb z?$@(2R>1nw2#Asoy8EW3>F(Q?rn|r5(scKWmd1WVVHJKwbe;mU_?sk55kiBQ-b)5Q zho$}^g`es6_&bn6(}fyw7KzFi#Km#4i0NF!Y~cC^&c{58h~j1~fBZ0ZgH6G!sJDK`Z6{719ZnT<>|9Z8otU)niku)0%BE>j@^TpMt^YsY1Ch$`JK* zqwI?{^+(g=J_i;1cd5yVC+SN!gGIB!6_QZ`I_BR($o$wUX&F@k0*`M%dKv?&oUe zSENJe4YF?Nb;pIT9v;qEp~>R8jO`T2-;V0-ox%)PnIB{6jV7oyzrz7vE=cSbB-RLE zk=~81EoFKBw7ad?J<9T_+ksi%EZjPH%{NUM@;tiQj8jR8A~yvtR{b!K3u#AfD$oWv zag$4W1DKMK55y_1;i|S41F6=h9xGmQ0BIztyKi7V(MEl!2z9F>;a9u2{sU`s>mbkP zr%|yVQv|UYTjOH|MNXs;{er#WneBp%*@~h;RBQ!VJ#{q&t^(rI%#L^krQ$&pib68) z*sx9M(ub7}oNH~u64?~DQ^~xo zqPq!s67|*+UmqgNBiE}G_b@U&K7rLy!Fo{bZJD^5KpKM#jXOatTf9g$uB{jg(J!F~ z=A!nS&D>1STe_Mke|r7*QPp2#*s1;1rNtov{?MA@#8=;MSJd~WnVsQB?j;0+5y;C* z06)wk#_d=?K~~)tR=yW2*N&k6W3w_?vla^UE7t0^(2k`xJ~<5rBVo(;VCMQkTJ1Q% z&Ja*|U65Z7)#7IJDY@q5uCb(lT!SK4yiC3@!SVaY(!S(;2%n1vCW_*h^JtB#mAu>! zdM5qB{gkU6LZu2CJ!~{3P1uyEruO6R7s*(oruIcL)+HHWjSkG!B~4cMjQ3)iVkanl zk}}8@J~stA#t*9ZY3K8rndh+?WL=E$IVq30jOt;OjDqyhmBSUceJ?UNMAI}lTUQ}M z0oFs5x&cx|qk=cx+egR4f{mOM>_3{Lz1c+v+G&5(+XF|_Fv1V9M#n>OXIPMzge+g< zQ!tM_e{zczSaOR)ayw=bfT4R4Km?!#`iVdFLmcjn=+(NJ<0rGJdj&nzMU@ zaH-R^EAEm<5=3@Kr}G{EO>Qil>d^WR+*^^ zPf1xi7@d#$C;Q#e`Rmc>Y$)u5r`?ywy#oX@OBN7=uAiB-6ug|)9F1hoU=A!UCgBVa z=o~{a!Qjn2ppRSn?2E^ZEmRp)h_N;2`jB2GnDco^O^S}NQ-NMU$vBiB#&{Lb`TP{g z3}tb2ZbL@ba0>i9b)Qi`TQz2dOQ~rd+^VDpa_vOP)-7m7LCT*>4MuYG3C=$)>=eAq zgLN`WzA0gGh4#gk-&2~p?=)85K4@M`b-EVa}v<~jutr#BStUs_N16v^<|U8H?doHJ*2dS zY4XcT9QuJVC&Uf;D%DdkP%_v^r+l79i)0KBwQmiFdB;Ig=4ef* zVurr{QCJpL73w(L{A)4nTZAaT&Vv@wR$B6&XI7l5LCWLyC3seSsv1-^`K|=pq{vkR zD^#|SEYDgL6jGJRWHehEHNcr@S!9KDHY(VzENsRL2o1MVy?i zS(e4Q$D>8=B|OCtF_f9oF?4_<{5rh!;~X`<|5mBK#2VN4jF9`9AspkA!Z{oC(RO@v z`U;#Jy&7~!NBvXKKLo#?9D~E7Kj@CS=Lbgv z5Fum3pKvUIpW-z6nSTZGg&GH-9O;cM3h%%-Xu0ATOvxeN>S1nM#HHv55Wj@O7Ogy( zq$WAr#5y3(=|Vp~)^gs7&UrLF?#5^Lh00(bOj$7$U#}KR!vlE~V1>~%+*;C%^rBk| zAm3E1>w-elAoUAVg}Z~~Aq-9i>ZGCOm_Da6cT21*9@Lz$1P zJft!ZZ8Csy;E!EP?7)3_N8pR+%F3^Oy&iC_bh-PRd*$|He2w^fkvR#29Dmg;58<`_ zORO&2zs9F@2UiYN5h4!F4my$5uSmi*{tf?HMl&ykW8e%DRGW?>zg-|MThLPyU}e&$g%O;$o`}+E1OoI!_z^_HtK{Q z`djzs?s@-gbksi`*3h8@4S<#5pdgu(-Jk`)FiVUofOI@-hkxcKQ<%|j?Z>`NW+qRlLB}0m=b~gCogVg8hd{Nm_hrTN38Ji3jwm|u zHF;VSev2@L84!Rg&K)2Lim0o}T-4ZtS8njLoA@|5+ff@h@=9&XTvGvyTuPSu1}d-s z+8;!rx6nG**xBWh)X79DgOaXHT5X|DS}}<@V;D4Cd2>56Z>y4zpJQ$YzZv!hQZwU{s6Fz6Mn=De48Uq08q{>{R1}C}dEx@Zr7xYz z6Pdl9$P*C_#mAk*aMT@)&X4>1-Q)8?@9g+!zdPzzSQ&Fawm!PspyI4<_3~&|rv!}& zv)w>PfhV*u9fl#iE@=@3p6$Xqgx80bujX#7e&prjRK4L=kNM);aeKdxejpcKKnSQh zz>)uw@0i3%Rk?Ez+CSJ$6Wx~&kB)m4FI)tyT2bKPe?6Hk9DFhzXdh}6Y$tS-~&GqA6bjam=EG{T(95n2n=lw6ML z(zWt6sZmh%`%*)*ZNm^9<5j67bUL*QuUnTD=*Se+zJw&wNyU*BjTJi#DqXl1E)#;F z^DVgcgMhgNF5DEq2Te0K2wvFMw=!6uXaoz-PU$Ia7AzK#`fB?lPDoR zFMIJ23e&|9Louu z!kb~1_~8^6BSXN9HIEV)2ksb-;7!(XHojF)68_~mU+VK&6kQ^WgfYk#Bs8xWhJp=$ zGBhBGGnk}~-4I+r;4ZRg?q>ej4T4+X!3-vIKZG7tbs}<>j2B6Qwuo7jW}!QWAWBf@ z6lP$70~}GK;p^_8cW{2%Kj@tw9RL_!`AHPwt>uckHd|mcg9#-28werv$os!I@W*}@ z+=4WQV}EiB{0yLmEk|*-Vtp6Q-$N1 zsd}VXw%+V@@A#xp9dtc9y$!st<8%JnO~Dj~5FJt;c`52$wDQzrPZRD{!`m)?W;An~ zc&UX9Wh4X-Zv<(pj7-|8Ruwb)qzR3pBKA~5do5_v)l`=>ANVYZCVqf;v|v3iA@gF! ztoebTk}&L|0#RSn?eeN9!b}?JN=STD7EgeFuE-4m-VC({*1K-n%Muk}zgE^|BZb*( zw?`t<$;MRqmD6e`fzA*W4g~dYj^h|K<4N8F{l?KC+Zs`94_!YXoA)@1Z~0BJi>t}GcRc!fK_;C-3$;*jp*9b&3 zNmqfWWddsLtOq=Z2__`;@eqC#QrG5jG|h*P-9-v}H*mZlB-PvIxME#W80BY}q<$0@ z05f;UA*Pv|Wc)p(9gy5k=+9LBx76)f077l*$n=2&_}juypm*R48JEoTk=hE_+|C0( zykslo!vZ*ZTLGUazO4jAX(+hiqbpbmg3?fcK-T|^8(vs83IG|~Yw+lCRtkr<)A|cH z9;GmZwi+C^6O;nsdkJs3h&?xhIWHB1F|`&}I)HBYChi9wy;!TT=C&>-s3nW0G!!{d zaMKs@pU^DtZFZsA!I;|%CuZnX*dxSN+7?NR!1@12(3rb^4(Th9KTv%QgE_(hD<^y4 z<5xiVau0WjlgL|)vpq3h5q}Z!CD{Y*D>rFJan}C#B#EY?^7fTMKKCdtb2nzcZh+G$ zgJ2Id{&sji==Vo?v;e+?zJSaDN~~m@(imI3{Gh-W)-;fw1{g@81lZKoz$47B+>Jpxixz>00Qe!hoPsy*JPzQV2}H+$IbR-f{87caL+xPlVa_4kLS_wMHs;@Y zZssaqqmTIa*HLn*e4ou@;q*rfIG*`e&{LWP(KNNR%U8T3wUTw?j-V!sDAP%s8!D5> z(=)e}rYYfPZqG4AXA|BNJ}1`vtk_cVrgRLeCw^^OGx2+ArP4(lM@c3%pr7G3+8LlM zO%2NNOKE+bfm$X!XO#Rng_)}|S^AZ@qYm*iq*gkkyD8ZCx_#k??F%<0#7xJDA7?3X z8JqXawj0N&lk*knfkEOVvs>Fl%_X;`DXq`C0Z!Z-F!JXxT9A^x_~l2+FZ;p&d;VgF zv^{Ze2DEcy3*N*DxVr-_>^e^6Btrc5H6wtB6zFmZ+F*BQn-2Yp>*E`FaPSi6#zLwq zb)N?i#^5;_cM)cO0Nw%TU*km*fMyDs5y*3VH?M*7&D|`^;`4Fj!KDMx?|bd`?z10S zJFT78?%t0(KR#=dyf|$)_S;vxZQ^ro&!8J*vwsnb@!8If13r)_3L%05-*h5e{cwuW z70m~ZceB|fXtP$kJB*l;`3)L$1#k_IMov`lLAYX(i@0G7az8H~u$6y%<7Z&kYeFs*lY=(I!lm9PZQ$j9WeSDZJ-0eT=^AjY38g5b8*YWX2J3jGZ1M`7mr zJjD;`KFlJL}$g$i4xtvK+wt)*wD}vx;H@&v|24Q(vE3i znJYv@!%&l(j9SX8mSsXeZM?tFYD>J3Bi&KYaf^{�*NBwvAyYGJZ zuifV_o`1KC{=55MJI|gy-+lgHVCTVRE&MDHzy84)API3-`5;eKB+T?FYbp*x3r=p<*{C0Uux zncG5}dx%4$8eq9>qC+1Cvn-b~?|lV8;9kIhYQk;*HCRuS0+(hV-zyP`_ zLBG)&kiS}|1UcMd1`|JXr)m?L4izaR;Hxx-j54VFtbf&E*pHMBAhe6WlHF;4t*qmx!99+nCrC z3^6~PCNND&n3uf9EGZCHw!2ot^KM{eS0&?{~lK|BvxQWeEOeG_zu~@243I z$FP;%#t=B+Bz2H{Y;0^uir?!lHlwA(f*%cM3{3WO6fEX&<N?fUfsT;%BfQj**EF zE6g^4>I(5t~- zUGK-XDcA3?r_RmBvtxnkD{l++7p#P|hy@LsJ9U{p!uC!^`p?+l#kqdj;{O0!JP957 zd^UN`U|+WR-`zGZZw_nU=mqip)JDjcpHKEv&Hj%(*o?i46&(O&{@-WMo-6kM?#_#6 zU+n+K_z@2q;uUOP?Owpl<;q>;9r$Uoz)HZ&g*S!S{f;EWOpkvUjiY%Sg)q#l8+&N; z>8^Biu~Vw_K&Zc~7rSgyf@CX>q5wE^IKO}iaoNx_Aqq;?3qPeYj>@&Y3Mcp654%^c zAGjBR{V>Hti7mgJMvweceg980H-nQ!kix9yIZ(X+zj*Q83w8g0_QTE>|L>#xi2J`A z$7z0_H>B%5ti9pu8^|AgvoEmEF)hgSNy{ShTWl;_+rsXfpDY-`(-oG3#*U@M`!a2{ zPmS5Hc(iqvxEY*MQ=iypgD436aQX%}c$i~v)q|_#oMO-@rUIj*pFl!-6|`4k;QP$C zB16}glS<|~0B#sYnM>VGISt_WGF{Bu7k=m_x5&sQK>TnVEIbId;=~U#&}fb5Y+Eng zl%)A`q_ao>&`jYtp{J3v4O-wMNN4V|?_Z>gxx4^$a1xP6qRCeooAhrY040OwVHJ%_ zc>5GINPO*H$4F&?WFp>ocepoLE=gGs?m z<6^GmyR_b3l4_Fu1@p+O#2v#knD~)Lqh77+QP@jFT_C$Zcc<`d5d=dlT>>Ad-!SoR z<~l(c5CfUU3rylD%-~Iy?-y)o&_A}!2o9P;AQ^0u^$dIH^~;U zfz?Rsrgza4($;)#Jf?A(#%K5goS)^Y-hwPi0stw!)8=FH(%QM{KK$f{p55NLcKz%y zO3o60?k2aCr3!X2)V?{1l4eYLe0FSAXY10#`su82S~{GP2jZK|+g7XPh_%P=PuiN@ zGJmeH1bzI$p2lPmaDyPa2DqhZF5_qp!6KICL0+R28N`L?s3gfFaoNxH3}-*Wxv!@% z1I=a{`yNa{a|oIv@SHs=D$)|^L%9%0{pH(TmOXLvp8&ib zjn3MetmxexwSk^3H)$4M@u?E~@ghp=GfvQqas_+7gxQ0=t`d8DQ7F}{QvrFDzrNPE zOOoU@Z(16BCf=LlD3&a~O;x-%%fx%LP&DzwyPER3AH}y~E;Gc-D;x(Bg+-;ME}(V6 zVHve9;ceQ^l0}+9PlP>=@ySPCLuKQ(NP<;{6Z-2cIUqUC>cS18H2V|D^E`YJZ;agBfTi?GUKWtq>lJ`v;c17iZ*=TJB{gIVX!+DPxZhcw>8zXlR zna6QV94KZTN*5QTrJ8HG)VR!JfzBdN2nRAK9&rL=H-Sykv6)9h(GZ#YC?YHBrhk!+ ziSaDD4ncEZWjA7r+m0^st*vh{xg_r8NLjrMlAmGcQ?T`FvsC@ERivRV;S4&pz`;}* zI&d@h!cC#3YDWog8b@h1OeF4oGwb(CQ83_Kiz=Kq1_HF#$7ayRqYh=dmA znBTx-%?o_{E!m|#MylxYCpCROeF|;Ym)6LUWwsL6fcPW(rmTe)YC^iTlE64heH=(k zWS%)@Tl+IN$y(hwrdN;!K(1&DQL9>q(NwTAU>o8r@vr;^DiD3kD)R7atZzd{<4+9Rdmd0dj^AfGtYk!MAL0-+vUi?@M=#o zaD;7}Z9*+_cb2vmDNIbN(BBTvY1;UM?x_2+JM7`yiKpF@onIC7#|w`=;o0D{Ipo0cL-p%L*42v-a;G@U>zwY)< zyDyJ>nqcnH4DC1?2Pc@fINlPsmzUUJ#e-Afu5gPfaND4fD``I}kv@FzLIWb#(&%AS zWV+_(wb5$Lzh1{M>VaM`q}p^%!}F84cxc|NmeZlit03|8cD`EA{paB=MWxMgZeUOH_K_r;$lFXq^3AqQ&wLG8o<6;^L`aSA6XUj)(WUy+_w zhEr)K-|ZC0q7bN7q!^0vY&UklqX7B*B8sv!OWatDrjsj22)mrp#(d_{FWXmOH}&en4jOS+JP;p%&!_B(ISl zPC<+trkZo;IH3s&NrU#2_7m~%wB#PQFx(U3>-Bv?0~2zCMHnLF2%7@62c@2Jmu!#9 zQo73_R~F>0CIBsyRe28Nl@_@JCw2Dx@hTI;ib)~bMcEg5qrjiQ@$EQ(BHJR<6(b@W zg7Ah#8wU$=69AtZKb(8Jgxx;5 zi@Tb9d~tW1-QB?WoZ)xr_O828`eB;6K>(AcA5Nlr7@{6+89?jbsaP#hK-JK$oX+If z{8>w`>Cc3KlY_)Zl)+DUbDuSW`w~O`NIB?B0wi z!&?hq${^RomNL*b)gdiOm+MWD=3V zg;f#lP4E$CCUVCRIOh&7l92jtHS4Znd|3Dhnq|#571`wP`YA6 zFx5ERw2e^~hq>4LrH0YaH6FZ19hp*gP%HMIIqQx3f}6R4AG*itk`=G8wcDp!>Eh=f zo9PU+X-HWcF-0?orZjZhu;y%b;4v1Tb!LM$$r_uXm?mLTHcekw=Q3q=>vLPN-v$|X z7tqb@?}UV{l{dD84>+c_me>JHyF5Ig+Eaa{yE!&M-EEwvk8u zYlh<_wX|6>sxeXkPi|@lSYT-huu3ef>gl4)Emw~*8u}g_yGhM3BfVFJNTc!?4D=tl z)EfE`Kb6RAFo&y89}nnGCP+!Xt&XDF0|55P3aGK$R*M^p#HB=DH_ZGl9fkU{(rA)7 zCL9*1G_srigDwy zu|_bNs~4nM6h}ccz5P412WXk6n|IW&PI0=&p_IE){4wOQ6n|Dp4w?T{NUbRT6gw=- zvOr4%ubgO7#%682ICB$kRbEWsZwr4#R(uGaD&(j_e!34g)#9afank+ysQ6`a`Cghu z0Zi09n!<-QcT}b@@x@uy?Oo>dCV?3u3sk%aBZue99PF=insHHaQQ*&tQ+KWa)|}@^ z8LV=tntV8Qh$<$;!^EstiCC|-dWEs)<*QWG{oWDitF4&nMb@)? zX6Ush!0<5OE{;vw&E0t2?5_d7_qF$zz>Rx_ZK#Foa5Hg>=ZWn~wB=ha+vFU_c2c*A?ZVYx;bWN(Hsz;YBuadKrs{ z-nxxS$*&8IXJ3&ck>3=gQtMJu(Y}-{*}~M4=K^`*Hw`VXBhcFinJ?7rWDdMr(dd$} zKR?+nzt|c|o=L|I^Tv!wfY~!~!1+#Z6(HajX`PzQ9i4@F=&In}e|F2ZJN@_o%de~In@^FJ2zwD=9u=16V(c&Oh(L z>AHaCdZRn{fJb{%u*N5Qe|HCP-zOc z7^@7bH1=@BBeJ)-`B_Hzb1oW>qf{P<+7V}L!89A2(L?#>$G^P@1NO{FWxD_08JHr>Wo zO{kTUhadOPFOFaBA6%TC|MLEa)8mu(KOX(^iM*(P^~TgTbNY2OXF42zrqR6e-kJkd z;l!EWjSKwN-ARfjIwq)={IR5+zAPxKvcM8>>yl0CECcsVnD3h~yT9IL(bl`ER&ns|P2jBj6UBj$Mq`TO3<__^<$eBV3yzIXC{cNhPO`|d9H-CgdxyZkk~yZDvo z{wmE~?pr7SZCWRjd#CSxpNacE6Zd^45a3_E&%|dfTlHmIEzjAh&(dz0+(p5w`Z( zbvZ~s=cC#I3tltQN@X0$RUM#>8Za9!n11|^MT9O>o@Ba4!l&{Eyi9AF(oDG_sO;fPgAS zkSgh6oI_6ML=KX(0sHVOP9w4stZ%G%bMOUD$H-U$XrL`wAm!y~X<8VtsG1{%jWOzhpad zEnnPKNAgN|fBB~5x2|jX)psRda!>yDZOL!0N#3$C`8+N0%e5x2#maqq@_V<@z1ygI ze)n#pd$-X{LRiX(Y8GYF)@F40TXC$XGmG5bd$0cL-Yat7?Y;^n3wOKMYRY}X`}>CX z_YLpw8{RLtvipYj_YLoLmGk?C_xBC&?;GBiUcPU5f8X%_zTy3S!~6S&_e*p@HkIAK zV9$F!=2C6%>t6bto$pNm)PGI$``Q)%W&7XXdYixIzVbKNuCKJU{7rb)edG53!p80Q zO~99P%>Q>b0k3vy&2?$b-n}J8Qj=Y1uJ;Ygzf{BW&*OMp#O=5g%b)2yoX^^4y?$%= z;mw%+v=?@nRL8HZ!10`NuC-hJx$CqpKpGW8ea0KUw%+aCN3Pt*UfnA4>NEA}*PZJZ z3H_=S^k&BceWsaD^|}B2;Z}StdxR+5lS``{V33`ZGF?)tdQ@=H`-m z{2%rv9>p^fBr03Ddvm?AM4%fuf<0uxi`1KcT?2P#E%Q*L?OW~;?k%VhW&1KNJk?t@ zaGwR}^LJ~Xvy7SXm$l8=$*&8IXJ3&ck>3=gJ8G<6O`#R%X^~cbizJHF(dg|{Miy!n zx_saL#c6a&*q@(lmtSlRCC{YehIwN~^u_F%IN3;db zIKqO&i~%d2(ISXDHQ;_2@^M-$1XFmgoH$H| zCrlM_aTv42eXN@Q*KX!b7V{SseeOSt@_${Z=Y}HSJpRAEwO8i%~={QpaQTn=ye zIEDmO>uihHZj=b%t;Ah;8Pl>~r`_ zt6Uzd8vY-ox3|O6(6w1Pe0R<~b&tu~Sxz+^RCCn*0&8ceAul#R4WXt8oKv)|x?-4l ze9mxx_Nn^od=}*Y*hua3@c+Hty=nfxdvE{yBA*9Z@Fabn6PhH%HFBwv8IV09f=10{ z0q_6CZi_FiBh0Eyr%o45Q(m}1@XinbqTO)ML4goy&PL=iY$zSKA(LbaU8ipw8Ewx(@7_ zJigUxH6D;-MFT`Q7i-CL1eMk0QV36z$v2G$WXXLor^Psh^z{cr03irevPyk`D7-1%>D87`EV`BmREi`^KNJnT=t zDgJD&&wiHC|0y~e?mYhI@$ObR{%5DXd$0e0iBE~0`7WgzPheT7&^{|GTTJnm65RQ! zZf)KCvNHR(mq%{p37l&aUF`g0d}AxS3O|Sc|8aZD{hS|If|4{F}>ZUi5${@;DtFD&!#^;OIOff6U5A#3##jj&?qu&RBc?OVvbd zX^!PNz?}2HwX?Zh*8etl?&Ckd$Y;57HkI7sKxh8m$^~3ezUD6%K&031l$@34UB36= z8`W#H0e`+Zef|FM`26|9w)yj9|LxK9hg40@2SxELefJeOa%v;4GD z*=ihyYCRQe)4|0mX!JM8?yCcBVtz@={WJ*VA}Qj12w#-=5DP1)NioS?>_(Qi+mQS|Iuo-?)KuJS?}X+ zF8$y@{?qj7wcq??>^lqG`KA2u`n%tGP@};u^<5$Ko1gVReyI@oHIurLX1~~{_WZ}` zAZIs7_OAHMIse-`TW$aRxA%6p?&Ckd$ftDv^{(sV-%?cgPH{Cbn`cwH& z;XjH}4zlcHoO?CH_7L=ExYp*@mY%Dk)sQo;L)l7ee*8lRb^bw$JRWt%{eJv`to$oo zahP(;a^?Eb=6W}0y-+_5QaumXVNf$6Md>eTc*)Yp58deDm$=8yDMyNMkG-yjV^5;@ zj15Ea?ch4$xpHPhE_CT(rwXI|);;AFPq&Et11A8Fm+tCeQJ6|(87+oh`w!EG>|uEX z3`Q#Vr72;_C>0A}tMu#)tj(XCb9%nS3~RWrx5X`AN~sDfGP94OSdutR&c}X({J{0^ zZ%xrqJzW=xqJ|==49j+(tBblWui($VkiYP!R{l!|ar&X<{wziG8;OJS^uNbb^?%ws zJNNNFU*zM4t-8s9u>Hyl=?GLtD(!w(@0!Rm49Vhv1f7TX}>~OL=01Z7iyKo z<#fe4=Raif_c){lQ(53Q-~e;a|K?QvkH5q{$Kr~R~Vgj#gAy5&biy~T0fa{{v(zpd@^D;i2Apm+2_B#xAS;+ zs{Y^Jz5M@0J|)fCKi7Yn_1EPlG|Pl7G3Hp$aIW%ec`lZ8LBYF!b`gTRNDinAbi);< z)#V59N6#u+GM#u&%&8=xOTV+KtywvwY{b(J(;YT*mL+jWMa68@PX~OQ7E@^+e%@C_ zf5YXw8qP)SV#p;H^x0ZfK{bIc-XFZAf`Q#{r7WDS ztig>ThIDIpPmD*dX|FU+S#@4^%u0h${rE|#1LaLRPu}2QExvR3S?C}xL@{prg6XWB z8)os4>C*G2Dfd+SzVa`6HWe*P>VQnuL66h8u&s*A5LW~%##yOhxF2Tk0XS9-?H6k? zjypE1zj##-d=+gsqY?fK$NHU*NGtDOO%GewUwb3rqWBh~vHsz}8C^zkPFmSgfCj>X zsB2j6ch6r0bh)-Yd~m<;Bzt{GY8$INZPlj+9>-oIt-esjC8r)7xDST4bTs#vD#ChH zLmg91?zM+k#eVE(nRd2Ty>3%~9(^vt1Tuv89{Jz32Bj||xHSpy_y1vkFkJx0QW(Ue7GoRK&s6ha+yoknGzuM{taMUlDKsC}raD_hIb$y6e|^JY~J zJgMSfURIEUxue4+hIB{!zG8J1BUUb0EcVpR@gn|Y#7r%4HfClPQCM^ibtMsMrclRe zT^6ZK4*KIT;SE-VC=qQ~z213LjC=TC#jpMt6~2s$@m3bUP(Uh+HdboJE47~@cXPFv zPHrM`t+L|Qs}UkuailMkQ&*?4m`AMA(%zhV+)RC)vz+%TdUp}xKjCt8dEQ?8t?Gz% z;?Eo>oATl>$t8)p6qaR=K%(K0$u0Z-;^J&-2GgxWXAV@)Z^|QeriV&POOmo;Op`;F z&`F1dJdLV#MGut~FZob2md89=7@qgI52=VpjE{?jLHW=7u=+Gk#yPtf=1dHEQf1&M zK`X!E!xLl3^j!j8`Hh?0X-Ry=W}Y7Jftwy4f0X;PbMv#~WAfHVr?fG*I5|F~TOJ%A z*safv4{oVrgVCp;^*R<%%yX;KUEJ3SI;ed~{^mbz?@s5P*;lOdx?fyCExWFny(%A& zvn-(@BP;J$AhqB5Cctm16*z?tRMZ~gN*>Kp=}iWi{Lp;hNo|i>uRK*>!kkjGH(<){ zFpCI*a|EV`6}YUCR327h_I$R)QqeHa3$Ig}GLKkC8A$EB?zf)EWQTfEWAmvQhxYrD zT{uLlzquRu1y5M+hRy=puwO1Yir(QVQ$vM(U(vv}@;)i~M5_!eQ@mrwJJmPF?R=y) zY-mBnV+s*7&`=c`wgg6Izka8vsadWcXFBKfS0Z9&)88Ancdmf#b<6!@e)GI3AJ^J! z)S6Djx$37!fmpPR0%L19mXObLzB#x<7lvS<(RL-8NaB% z@b1cc&Gl$6?!vrt-}fj^_pfN2NJ6L>-TnFR#}xmIKJ)nh%_=_npLzU$cXxY=|KI2T zf0<83?ZPcu-Y#dbX#NpFb$&ShToQ+oY6RH z=0M9f7OQ`I`Icfnthwz{Dju(Fl;S_PP>YnAuS}zI&ZOQr-Mv;cj2V0FJbrwpQsww)>%X=j+!;*-OlaL*2Gwn< zpt=RZ=`fmZP8{8W{_TpkGw!2{cbu8y4X^9qB44Pija?mNRy$pHrf#_1%-Pn(=q)?h zS%G_thV0GU2ywHWs16sHwL0-R_CnlfGsKPOdyAG!Hau`?gx^7%CEv(*i>^a6Er4@- zkJjlRCHX%XvSbtwQl7KBlQHMz|L$&;?LRx)?Z@}>|CjhYAZN6Y1P+%P?mW33vXu13 zaT3Y5aM*d@DR|Br56A%@jd)6aI_Qun z&P5{_#Ki{u7pLC{djH8c;J^Bd;b24lNB=3V(hUo!N5ji;1_c{MV?7YpSz|ru(aXkq zP>iz1`v2E>Kz^cm%*TQpA0CNDkmdY$78Z>lju_p*=W_mgR*&Gx&ERvEfJRnb0&}ck(Kz`i{HiPZaY&#{HN@ zh#o<*aW9EOeL*|#KGyF(@m4@n!ZWOsh6T2zUg5QTEx5#Y&S*42-btlAB6%fLA(zjC z${-3_j2)zHZR-*DJoE#fE;#ABJzw7UI4?wz)2yo|=IS{iPm7!imyk@bR%j z*ysY?Igo+uUa=n8dQu6x;1YkKoO2fxxK}wJbzwyIp~&e`dKKq9mBcNt0V!;{Slu+> zEn4BKBER!EC6{c12!LWZ=C$_Iir3x&eMMfkV4anwXtzxq7+V^~rae&SY{cc|oAZK& zaMSh^Iw0MM7PLnNQv`i3$)`)MhjBQBiuW{%SY$g6YpIuHToiIc$yl8PJN{7Y7)w+O@DAYgm??I|>d?256a)6Di6Q$dtD) z?-|`ka?EK#w%`*T-Xc2;ZhDT$h znm82&O%j*$%Bk&EPtC=VW>!3RyIDhKbljIC=FCN!g}ozT|3Fi+z3Bm$xJI4`^a+82 zq?lUZ+ZwoY-j1c%cE#-B2*!ftU0_}IJB^{P1RsZT_jw+v<`HV$ zz}qCwLn;{Zz7f4-FeyD@B;7>vnVe;;h^3TlC%9!MxaAz?ew?z1WIU4GPX*bK9z@v) zPn+FsMGnNZQsLt=E8-RtnSpjtp8`ull zk1ZeA#*+siyz87rgngi+EMb}(BQc|IN?kM-%3}@1;YU+97aqRSY$!(YS3Fd z2J}lNHJ^$ZlWtvq?XHEmV<2uDh;M0riJ_fjL^Exngn4y8esW&k)-U58z{~q7FNQ29 zeYN6(4+gMGT)OUX589xGv}GV|P2p@Y2yFwwV!gbRi$U5nkPM*tw7F+#a|@Ar!mpJ0 zP&t>ekQ32S3*;=1Ib_o()Y9h`Vi+Jju7yXvzRv$PIx83`Y7`%+uK)b?lY^Ha$J zW67Tt0_n8iO;)RTo+!rsK1t$BhGx5G8ygW1ML@4bKu7dHJPkrV+F+Mr0~_RQNbWiq z#}V7W%fNJ&ZmB_AIZs$HEJn$iUB+g`GUo5$uHD17l9T|(V~-@e=STa8Z;yge1OnfP z7G$-T^GlYJLLS#O2S&RBhS~#tFZ0x!(TECpnlIVJ0kc^%6=*pWL(V^m_*n8Mkx((T zY}nxd{-t7}KQ+KDPwB9Nun&@h#|6qPl5hSy3G6@5)D`!9Wu*)KrLK4!ks(V)MRU%Ja_Ba z{g4rQEm~r`b+wJgI;mtel?p?nNcd7HkI3=pS&h$KJ0w6zW!Y=f6-W9KRo^UhzrKpOANFug~`nkG@%7mjZboEl06Xz0Yj@L8(qm_?XZHEgxkCM~mxZ)n#$Y zH}t$u6T!M`O}Sbrr7Kg``g+7k$_qmKeHIpSfc5onN)t(q>MNydm;(s=dQ){Gj>ASO z=TPKhn8Ii*3YflpS%a49R*tHdkR1P4g_rjyrx!<^U=;nfTK;BDPShDxjCwyN6D{Ii!q(SOR0NSBiOf5z-Ob=>u-k<> zobUn{V}0c7>vm%6>*RZRli=JG>KlZtgI`^J>+#(o73#U@8`5En{EA{L*mr(gb^cg0 zyg^dSC7TF|*$AMQ<`4@-O)Mf*(pRUT1?!KK4lCe!7|6lr&`kQbRW0BQ$31Y71!A~? z2EGjeg2IN~aGVoO5<*Rgyth8Z0XC%)v~7--Wk_gt)d$nnm0j^mxe()Y;DFmQ;M%pE zwDN}0-Fq?AsLJM7`I_YNi@c*UUe$wkzHL3C?4dl; zVVS!Nr$#~+mvIKR*jAtCt*8fC_SVRNC*)D9C0GHEz2f(02^oT9 zfoMA*favze17&G35;(9CqfD~=J(#uedXKNbzN0jHuOW>CdDB2%Zh@8-cZ2q>2IA;D za(Y_5>4Is;v~s`534H zZ2#!YP;+siY-uP~Vm!oa80;~mi!td?W68K7f-q;1=#p^?7Bs0!YLlXryR@0am@|Pk z!<-dlbsxYP$zi}!mP>_{P?FO$a^H&kFb|~@M^Z*wLvcWxVWuV&3;XygN(FEaS?37MGIiiETS za=_CohF%Y>VYgz0MVQF817k zyB6RU{4nwDEAGKHxLRs=+YShH28>hJ#<>U#2$d!047JcR*WZoNNIu&|<|y@q9%CsP z@d(d$oDx5x#Y|1Rm*muT7BGj>lpLQ~%L7~?EgFsDl(00)c$_*nzjiPAz_oD@G#ni- zY@AZ?+E&GD>c}E3${ESAG=;kQyc^Ewz-$|sJ~=7VKiD8pb{o+oX_66(;_(RZpU`~3 zs$72n*zT<(tP5t_JP5}v;uE_=lgewNU8lO#j~QoM-5+wG_A)}=X0YP`d1_!RV*Iwv z>C6#_#)S^RCkEiO03`*Bkz%AVUcpg?X#%f`vP7gESL4(Xh!$Dyw)33YGnTjFw9ls* z;kLdVss?$@`5{V; z6-X*3X&8h&XJ?!zo%lbj>w-1tvvPt8Oc|%3Mk%_O_)t}pRBxO{2@Cp+7USHcAA19! z?3?ATU$#8)AKw0xjCd;VVb@BsrDAsWvwZ8R`!e%iA2J$&uA%gA;XuIf9XY=56)b`1 zPHn3T|V7oM!{--#zR}>Etaep=?U%>cM6Zq6sEbtv=`=F zNfBotMI21Kpb+Su0lGC4H`6kn3uRY9N#=m*jl)Y;97*L^bTQaTem?-7rkI%vcgM`G z?a(Hctm}s3Jn3oQ*)L%*d+M;ZEv+}gBG`3}Tg zD$QK#F~TgBWUyADLa88y&19n_G#!k6k~YU>(>Io(wduju?lxH+i;69hQV(z`6<@D% z=iRN@u7HhGKS7dF35LG)oUAI33#h0hTHoWjmBxoIuy0te$d<=Ou zA(SMsC(YoMd|NP?k)&9Z7>G?13zdwC@B*mVxsIwJpR*bR0S+@6gTiqc5!@s}} zjv*Qt_uUaRnnu1A#+DPIOzwg;!O2@&vzBii71{~rDN0i$-d2~xG~_Z@|IWF<{($Md z2);9=i~rEYSYOy;z!12gV=I;Sgcd_|2e2YM*(T8dkX^DtwaRoKn!5a zCX&334z6tv5Ls_EIpDwOuhOwhk{P?>Y*mco+P2ZEUDl9v@D03ZWu-$EL+cZzWJaiC zN=^hU*pEC{(Tpy1n@(U)(a+j?SEbK_E~6a$Xn~0f2jJ5Rcpy9#`sDqy<|dFQdb6+Nr6j!i5$$;auM1I(QBWxN7Ug2xUBbD-PXKIxQK zYA+m?lZ0Kd#DQXtV9883y|?C~!9#%cGm+2vnx!xKsQ{VM5DTnz&jDeM$+XpW28104 zf}iG4c`t>uph=uksbdPwKD@JTVz8G`{GK>Q*tQMbFI^kTr0vRqG)|@`v5BYv2&Ef# zd;ePKHam9b=(Xrx_%2VN7+jpQ z2wgMs#5fru)-`5FGRZef+`M~W-=0dqD)o)63sRM`C=~)lzp7YQQJF+0Cu`CdlxgpY z+MI-|?6Yo(rXU6&Gh$SYm8??6_ z7$yluS>m3|AlE8$7WzFc@GwjqL~D`kQcI$~WX(L&1#4iuC6 zvR8)EjUmymn5ew2FlX=uO}Y@sneuCu{K(T}LgGFd(kn(NvK(t-s2$oQ&RE`{?vle; z6nWem1A5$Y=_c4eaNtMA zBbzCQiER;4L^`=k%Mr0(H+kF-E$KM}($D+%jE3w1*ICiBxQng=(?}9F}6D zi@dm0KLA$ZCLgB|z@t3JS`TMwkx$TB4z@O7M>F{akEaH+sh@dbP3~m%@a6k==Wo^= z>NcUZmUfhZTgCV2=#(d$JDX$`L%AkcAOXUw8R^O6s_#vjB&6V@5K;={5fy}|E4C#m7@~7$HH~38I2L;dOG9_IVyM0(E(j(%6(SS zEjq_^*O0CmyeoLW=n^Tc4QU>AP3E^rZ*xcX7|3Fa7w+n(qbyvSQ(1muyQ@MX3C2X~ z>r%ylWGqi6CMN^EwynPCTG4$Pvrc4#gCcmpb~wB5J7(X@CwaD5W+9l&0Y|Wt((-;L zXHT|*O)Y=fcT9SKa~puj-`O@%O`eUItX@+=9q(#KI*R7A#6l{ z+b3wFycr>++oRznOQWu0O**2^l=@(i@9WV8$L(mF6{9VHMk65aS~S}8_kU2XTF=%5 z2x^9K9Vbyp^9UVl7Lv`q@b;q%c_cZ@I0&@A_j5il3A30(62O;1%mEV^|7qd2r{Q*( zFKENEb}V(MI6R2me?0FkgNz*~4`R<-Ll|!qOcX6QB-p%UGa7v5xS}zLO7K2u+hJ@r!s0ut%pTFEc z&~itm(05jjO+6H3 z9H`vWn~;uTz@#npJU$)_$x}?cj)gIymFLCtsfmR=o8<9eSP*`lvRsNuXxM`4SUiva z1LNtYnH6tfxhO#fxspfag zP*z|mf~>}C_$t37eOv8GfA zVEMfX&Yl8n7cIdSPj z0bn0k9>$;mxfzK-XLtx;Tc$`23u3H5p^Y-7WjX7!Jjd9bk*Wf62?{S{d!RZg^ai83 zN&eg$7hrDz{S^~*q(*uz$qSQGiBx8qr8F1>gAX+I`7echIPBxJ_d5%V>8aCng5Tv# zD7h9~sUsE+X&Q%AACMxasjzW`l9c5)iP4fNLG%E)roTYb;MZGb$VXWW8Wc=UEz`yx zdJA^BR|rXgxM>AfXLrP+m_oe}XW2jV{BnvZKy;^^G4LTtY4!-jsa}RT0EjxZtPvDe zFfu=$e}^wMB{!7>7*a(_)bIt(-BMn}Av5evSso*-)JAAgP$R{y=&x;n!;x3x_O^udvFoM2J`^Q-Bra!gg!Xu@|KhpcX7@Ci=73qw1WSu1 zh9X}Nc>;%m@H`&GP@8mW&!_pZ=2Ly|_%}%zeF}S$nzhyV8omd_u<-X%>E&9=q3H;N0z zJha>a)CDug>L96|UT;z*R_I-Z>u%<4;R-5XP?5t+dhf9zP5OlQ>xGxaZhNv~*0iEv z;eBt|GVc?pN|f_74x4fpdNct#y3XZ$DF`3qRGTa1DR7a_ETSZy3Skcm;9oRnUPZRE zr!xjmojH+_iq=bFQHZ8{Wf@Tj%iRi>g=6@i6gA+ER8Qdc%bO3S6(ei8NN+l9#G?WS z+fbD(7U3AvpI}5tbkkzw&%p8Q)x@%x%<{ElMLJ`=Tnk>W%s9u)<;skP zL*gKaNEXtYpcDsk!7qGFsFd(BR*Y$)$?uxyNpu}cStI3X3wB<_SMX;m9MXIs6(>HS zNik{lbH0%+IBYRj7p~aH`tw3_90|hArBbD+u0)T0u`b)lHppN z-5b$M*2HKEDdp)2fga8KeN|18B}r5LHy&j?FK}ZFA5em_k_v&%=#@zn;2xR8sVqyR zx(T5ifMvjHAzm-}yYAyLGIq-nD$MXdU6 z&;gY{1CvvV`>MULjBK5AAzFYiC}hINQhvg}RpY8_F^&tl)PxO8Eowb^D-)Es;w%OS zcLGjaC{^3S3GL=g^s@ARj6hN?z^R^2N|dNYCasLBlcE(3d&bn2r==>q9dtmcrWGo* zzy@A-MSKRks_Q|7tY9Y~=ghSX1u*o8PAq3Db0LT$6TYH9Ps)QWkzylc@;8x=I2NYj z=0^6_X1u~{I9b!GLVyrUS|i4aQmr@3yPh?SUbTiR9gBht#GjHHItk3dBYWk}xWyI^|mF)hqV2LZY*Hrl(2u94)RbhCHegGw1LR zmzjG+=ALWc07c@y z7dbI|lR|~yWFiF%M)LqmR&vm##Wb3o{RZIyRcT}7qlu%uN(sfEPNa*VMR9-P+2+l) zL8D0iJD2*7OOXx~J#~elMNUE!u`lAtBOTDEC?r_3G#Zagl_Zy9G-E;iPj6?LrvZYU zA}f`L39MCEn+mF-mgx@>Q|Gs+M3L1hKx_qLJqiFN!G)dQmZHBR!H#H zv{&IWQo${D^}Js(o2ETBx^8o|D&kt_%uxb(a%jhzXD2Y_t@3VRBXx&-grc;hBhM^j zG?kJj;BCk*C_B131?Z|)3KRi(hh_Zars>+`$pj%f4iaPEn3SbR$C%}qv1(0MR??Rv zmJK;5>h)af^D?TL60=~M4#6M@6kQ|jeZ==qcp+ah-W#}IdK{H9d29!u-pOkOrY6Q2 z%LR)VI)daeaJEDZgwlm+2x3&CLC%oyC+dWNM#es{&|&ewcnv~wHlR8BmCCw@@&)V# z&N-$Z=!Q=)x7sB{0^pFLiVIjafUVT20dwSOg&q+^jS%O^;ltlmo*GF{V+wkSv zIwZgb2S7}-HL}HN2x&&jl^_KewCTnWnG8TRhYp8SqKM^$=IAq*x45~h#W*R-iY{Pt zY;K;8{iotO+u~xKITJ#yQ?b zH0h61E8M^(SP=;VEmHE(!v_w`#99;RPzvZ}L!5$PjOjGGior>$8W(UOVub`9+@QeY z33wWi{ZQTs5(}F1%8{LRBhI1tc_>A9|G1W&g)`l4S_%z^oTC*KES;XS9c-?Il0E}| z(uATZSwYi~;UY3LgDUPf0lH(OG%n0}G~U}p&zn&53V=4rL z)}qRY+MKo<_a;i%unU?<3|O2RVgA~oMn`Nkb3p<=Iysd0YE>8<{Jwv7c64%h{Lg1{ z3vH=j3}0|V_vCLdm22ZmB7|Hl_(D^KQTWybEmre5VL6tNLT#>THTizbl1LDih6xwQ z^m{oCFIgeT%EwPDR!K={sBgQ8CMHbYM6J)!qyw^w6{VHY#yO)J_%~|=v~^HZ#gLDa z2$KxdJd}3eT-%Os7Md(h(t>_4j!;nQaRLGPnGu=@Zo4ijhk;hwpwuPMjS$!!71S;e zGc$b|Yu9Rz*^m|Rkm{KT`Ql2J$6&aYJa|Rk6~5 zhr{?vb4u$>{5Y9RCZEVh-PN_^W&H$?DP& zu9ecmm!4iMya(ze@LP)CTJQ$6br|!epo!cx>C~0r$berlte5TzoXT2a<#jQ=uHZgD z;OqaC;{Q!Myt^D@X8ixw?p}MdU5@|X*}aed|017?{_o`bcrYX?4GU#U=-&iA;UUxM zEN8$GMO-jJ4p~9tL^K-finE~tpQ;ArIo>DTClJf=d5v2 zs_XjwzNz1=t);lsSYQC`I3v8@Xpwy)6~d&HHQyo^*SwTBhoJ!>O|cogfS@{x$ZIs- za2gTJj>aN#B;u*5U+Y2wp*leHCyZVx8sBQe&;X$mug-H8p6v=&%HrHuGomwsPGXi8jc&Kw zqhi=tA|F(~gR4^ORSUh~dKD-Ps$-+%BUMEk<<73p;k(cLd1x@L7D}n!!vuR;&2Aa` zo&N5`M#72Us$vwFDut5HjN-QFnVOe_JA-gAdXXq%yhfUNt0YNRVydL zND;{<+%6MMsJDrlNjUWSN?;$-R>jcZV--Fiu*Mo)i`twlU7Oyvf|nN)6uyOi7Ffcd zkG&&vZwBbgRijAwZoqxXY5wa?N$Kcp!*Z%`dHSurAs^Tucxu0HA>ApBLyjrd&>}6l zW|@^R7wl< zlh93-pq5n7cm;c-Li?T8nS5MikO{Y*dStY~RrLG>oO zdXHssXQ!Qu*XKu__h>ilJCIxm(h^DAm5E9>YjVi za+2O#ocu0$n$cqTeC1;xMLB1AEj^J>E94JIx7phvtyaWB9uxu$~|4^!hQI03S*y;7(loJ=^1T$;BD}(OyV-3!q`quN4ms1bn#;>Vo}gIE+o?dF9CXbY-u5o zgv~H=RC!jc-O>$kbWj*W?>otwNk|0~c#oLi3sYguSR8HjX_i9vFV^=0zUIVVn5hJE zGlBn>F8>GQt(mSV;^5=GK`fkSARnl8sS>Eq$oAgmrj-f2ZuM-$RcWAuvv>ANtLHWkG%Wf&~8ERt+q?k)B%Mip>< z-AV{5zX-XIgu*SO?vLR%z(g7y+m}FbM`y0?9D_zf3YH^O9-NfTl>9m^fEZ!JMVZO$ z%MzNVEJCqy2|?og;+2+2&mGa=0e-cul(SUZA1SI$5G%G~#VI-cfvGYG z%kD_^M3&tSfO4a~D8D&-BkGzjm$sojV;5>cczdvW69`kAu($KJ9)I&DVs>)t$qXot z2vvuTtyx4_`M!&a_6>*D)8F0PTz2|p1k4~pEbCNH2QyY)es$sfuN_lQcx!jol557D zhp$@I=!JIyyO)%)GNL7NRrT&2C(#;ub$bkD2Tn$`P(JS}5do{=xySZb#Y6v)=l3`7 z=&SO>i#`3J8#EeHivpn|LL0f1AGBCiHsdIBz|DKsE=warzE{!&os zo7}z0S`%Z+Aj*?P9^4j7hBJ;1at0PurzhUR%_)8`{+9y;1GnsP>?;Q%y<5 zGX1&8bu5)+AbBaWtMaQo8eS5XO0`KZL})F=VHm%b!K&9)rQao0kni`uJ$APHTbf4S zc33ga9(=#={y@_RzHW7pmfmH*@NusCB6!yHwFaI9?Gi(ynNr=5pq)j_->#_+WUK9_ zDqmAAGN};CkfTC4d~IGUECFb_MtN7mO*!kJysJDtEwsdUO$BqX_hCk|$_}N-1@UL) zP=YEa;CgJlAnWVLZ_iH8FZNF^o~=WbR5Nh7pF=rKef7>l?lgj&#v~! zDiZNLmCqV2a)8}dsO|Pw_&}9G9KC}0OY1vjjs%7LMavhXT58DFW|y#FU|upt%=+gW zEpjGLp3}utF1qWQ0hB=G8c4gwN)ZG>qh3RGDcoxv_q@o*%$T?22E28A-M8BS&uczs z7i#uE_~Hs|2huL@+heC|2h!5HRyrv>b->4I(RKG!EV!w-jMjHB4VtuY0x!DF#r9ae zzNvO^QIcqPgU>`0fR#lF!k$(rm=~1}?JW90!dR_nZMtTP+F%`P1)4$;1gd=CPZ>y?d_UDja3$j(hrAC*$gY-&96ZK-5j?BC_ zXFcW2YvywXT6;lgZJ1vRN@#;NSaaP<(Ew#lLxvro1|UY=$z0x@PAP3*1^JjE5?U=X z#rBpS0m=S$ppY?~_K)22B%W_Mr|INXr*UD9%E_ya?wCf!)WuuDFcG2S%zqi(hf>8j zK9hjDC$Bp1kI%a99oLmRsF($AQ`bo7SpNl+@m_TZ`yj<=7C90;oV9Ct&b**j6woxA zlJ7c}g1flAN)qbxv@giN<~*48MG$AtAAUqEd?Nn>=ynfYL!)!ubIfc<>3f20(oOid z*%wd+r9`KqXG*WB7G}DI{gUd!fwfkATMQXQ&cI*~oL`C|GvBvfyKUQXa6R^#-kH)A zKl3JGBl(t=%;)Ww*LOb9y{Dc({P_Cd?EUfKrzHW{W)=#>k4L{u(*U-*Qb8H(>*Pnq zGRb5{vCd2=x2T}kq9wMwZfj^zw(xwqJ!^D|oJomKp$V2cVHuCGmuo=0+q0bdTlNU4 zxhP;cB(R&2!TupnqfI%{Pni%#8V=)>tzyP1219!GFrfnttg_>D@RyI-ibVz+=Kg~S zH2CQUR&=(DE=l4ZwEci6|AIkDU*IGAKX;(~l2J{~>Yc?AHIhMB6O?rrLG>y7Npy8F zt)Ss>RrT|t=eM){#m{VKyXK&(so&;+J|I71XCAB(;5K)8w#ezlot=B=pgnD%TcA9D z_;LT|&il^x`=gV?v(w{~i}}YEA>?cj^HjZme)RhI^kmUj9abS<-aj}v>U89BUx;fU z43AsD5{?eek1iZwns>O!#iMA1Gt=VkZ-rjnM^L|f`sV2U$^P3Tmzmn2HfV|?#yNDx z>FS9qYQnAHO&^*$2#Yw)G@Bhd*8@w!9V) zWaf5l(;RzxS>rT`FPYEjV=3_4&4R0-mgxtLcRD@Ij2HVHUtLu$%U4&8XT#xsr7l?e_ZU@Q63Ew`bn_PC(nqRhvV&enp4z4~non7&0J(tgwflY%lEUOo}JAh|$e zhaKHC;>IAsNHhtc@7K$5k8Q)I&#YTgIby3PN1RJ5dMN=7 zp&Y9wm;d+f{79aN(|0EepVBg{AK7FIlsa9DLUM&WfU|^bXMmXY@ZRDMPERiOk57)y zrvx@6-~()pi;gO!zz?IO@rwz~Pj&NTSB=#jb$>0rcUMHY7JS#sUoHa?Q2Z zRrwcU(P*>-aui`vb0ZnVDf!j05B|35{IOOS9qeEfBY&NB{nO?P5%S$PtrpfXLVT!!Z>SM8M-PVmil;SkDGDtYMnisKbs*)UKx5X_4P?$=hJ zZFr`_!>=8Pn73%ZG;aGK<{&XkAR)^NvElheH!#+IW6gScQFH>>rNgT7KMeLDixn!0 zqoERU(NR5YV<}4DcP*Dba0f2qG`(zOk?k|`N9#}B;L;UrOtrc#un7Q(6V}lA9hj%k zO1&hOR-XhLHOOzsjVtZ67hA0M`Pt&>jdg4ZXYkTHMY!kBrzbZj<Nye-(vNJ?Mb+VzEw3lJBxYrJ z(Ml?&OB6Xz2T&4iD!9uqRCk`rE~Y&HPLEwZd;2izrdWsZiscjNItv*aCfdt=nif!n zT>dEvI$-PTjrDam~4$38)G|*W=-tKoUj?U#3{QTi6&sZu%LUK7! zYsfy3?X9&23x}LM{Ai#2WR3<<1VD{kj1?SC%FPajA(`jim@~+JKY_-~MSR7Qi4F7! zOMJm;`^;Bh*2%}n1dzstw&;AW9aRe25pF2a{IR`e={G9yvMi{*--YZvl z8_uiWe?D)=m*cwi`~3wNuG#gQv)hYhxL^e(-;%G+z|}3dYT%b&sVQe91!x);P!qJ2 z3-J9uo;)Byz4keu#K)u>n0CE4YW=KOxsS<(Bv+L{bFz=4n*PCR0{rsqNLH5t! zFX+CrzU~xdLgcKk2Mq{!#(IG&jl&A`*L0#|ou>y0$U757PzhTO>&`9GPt_;IZ3x9iMqaD$gZq#foDHE>hN{bti$E=H^vLPl}tIxf(!(PPCmV<`su zUqhW&YO6AtZ~;}!B8s6y)O04VRnfjtF{Z>v5e7i(Xx-@nnnZHE(o3ovk6?M>?((Ww z)12(xu`;WEzdxN214S|JDwKZ>d+j=T1d`ZJc%h>CCUz583T2Fw#57xy7XnXB0Z>R$ zNo<`%U7a2)DUy_3CvnOG$*WLP)Fqb;JkYSDt|zaRrl}b@fWwLwGvzPsMCqYxT>AOb(hXKC2;`;2Hg{KG){^*OB~u+)%U)Z2INgA zA+I$_Ts#u0;hb{eX5)gauNT)GD!Cx~G}G|txR>zoa((@qX&FZjGKCki3MJk((@c0s z&3VCf#)3Sec@ZRW_-Jj8RN`Lvin+8jFeRr*n9qX^1<{jCobG%#R|NGHgfn|SV@A!Y z*CJX_dG)LLEh5M$(L(ZcOa@8VmE1M#_fgI&fqUT_0(`g>6NV45sOfSsseW8Cmbn#P zgy;LAKK5cMkK~L-6JvFk+}n?EvoWtw{B~lDTk#;}Ig8eUhAAuL0=J1aQ0PSRoYGyv zb94I5d3Fd;5lpFJld3ugLHZ3xfva;TsOg}ETK(}Oo496XRV-HuZ*6T4_W#d)WNZE- z+a)XVBGlRUw9$K7x(zLrq8MQvAbOe}HPaV@6I63 zzPo>Zar|ok;NtZBm-pYFzCGGtMd-da&bVt>QbmWL1fbx$Dp1p668%e4)eD7*%~@)6 zo)QM;aWn44HP@&VR;;;JJO2z^j1n|>D~!JgJJe{gt8A9I!(yPVq2=w_cP*>?)x6+g(z~GZIs>H$UY02 z4_NVxup)Hd+mOSPM&sD25^Bqw+G)FMffI|Ci<eJ)&G%gkfV#{avYPPC_} zqNJxO)8v)vav-ao3sjJ9!UsJXUP^3qo&8aM%@NIb_ILdcw#+>ze$aat@j+(^E0 zMvLJyvQdmOj|$X#8;j9>-P`LGw63Zjer4nhl9-{|6INXF{PK(^aX4u-ygzmLArs^p zk_XcP)aeI975)<>gM?o@E%r?P!+>B~G)qH1&Y`hC-X@^7o6yGVA;UChx0FYmN;E)i zwQ!uP&N*;@V=h=jm!{~ZIO7avY_b#NKhYJ3tB=jeRTtx7r&Q=w^oM z3Or-!nxC|YotQv_-l|>+=`l!VbchN_!9yDs?%S6W!CcUaoi6wWgh$YdbZ>}G#mr-< zk=L-NvK%tvp!AvPWm$y7H%_ccRlJFmk>&R|8+|N4eu96f>3ZLq^@Kc4B~e^SDk?8Q z9ulY-=M@`OA;s8`N>>Jl%HvQ|&U?;Xto>#AwU*v3ElJK>ztE}zTnoGonU&=ge|Y=P zQpsy&(A1SXKzMZP3(_7Rqp^p5z%cQ*FF|kuD{+h5*Z}pz+kbwGpc;)MY>Oyo7pLV4 zwF?&uS9O^ds44gR=!2J}TKlG70j=h>T7A!k!86tO5fdOvS!i%m$h9kRRkIavQmsDS zY;UdwdY@1%88RoB&% z>*`=uC*8^Q!oq(Kc?zw$R&|qE49F)1=gFE=NLZJP)eYd>`oE5NBnp;c0bqx!yuwS+ zW*S zmM5nXd9$a*+{Pm0Do0qDT-C#CP11qBNb^Xu z;ZvkzQjxN9nM}aK%u+P6;ySUU_|(dgx?UI3f- zO9PZjY^axfND?PyFoY2QRhYnbK;F=C8anGYBCK8vjUpp9$n$QGfq7@4IX?SNukiQL zhn9r&!b0$0dG;MF!9Hj2HDsn?&LR;Iqoc;@pzN`GDSyjpmO(;}_Zk+e1~#I8(B6x& zV7dCPMWa!iqHGbWmiWhKkE9g2PTtAq24iToz{#&>9v-PUb5)r)OE}8*4-UKtZv?gm zHWj7nb=5>+RV_y_Rt2b3yg6hkosm^1zNWqPIM@s}gSHJ|zUFyUt6t(j`w}52gT&c0 zvhv;W+57YTlh;QtR>%WY+V>e*S;xkD1}Iti4yuJ8zF4uUxas^iV-fPa+?B#qH;SdK zmwFGg>5c=_gjMyRs{d#F2<<;H1S2b8|Dnyb|T_|_Z@uI z@|IW(8ID}4p0?nuJ6hNK6XvbQF4ui?&XAe3GA}6F!*oUGo>9M|-wrI1=>En5yzli+ z_gKQOoipW!>tiVYfi{^`gzt|gEzK3nvux-mXHL;{YEiZy9eVPjL8@k6|9B~b!q|Bv zF_!sJR|6zSUSaG;P1^s&??@jq!jGJ19d13ROQ3^ zkF|BXZH=_&4?iBfc?ZF}o#X#^^a*ce(;=d%dZ(FQFY*q;K4Ah^RK9qA9ImwtHfn@H)4bN{R%h*=YpP~&;dEY^8sCtH zio`s8S=V=^x(f?OvHA}($XVuCR@QFcdPN???qVHKoLPTT*MxH5Ks`qq+H^nF;hv0Q zb7G(?MLCMA18)WO0$tooU zFDNvj*un4C+_+hsP{H+&WVP*C1-CtLYYU2IiyWEl1^dvryD*zQ82m>3I$adQWsKEf zSQqS^+7qwqMaO&A?*w^=xZAo@+_i`eT+fH z0JnM=4~9$>L=_SIrtyI2n!w5=k4wmY#Gsp4b``3X zwWd_|EnhHz8jui3pO8b{8FZPXxvE?_2d2ZyRdo(g&>{{E$6jAodCvApC#x8u4OHP_ zQ$S0f4>{J1fugwIXZ|$-%$)^;fOJO_4>wV-+eGh+x%1#OXvxU|uiXMXCGXDP=(5Na z0L?|`4j-sSR;o)VM6Oi$Vr@uGMb^D@`m}|vPZMFwx9JhlCg->vrXGm$_=@Gvc|LFs za&QRWPCq@)ljo0qk9y%V`|z`k4LI-LpLQ-jJ;S4adVcX~V+tXUDgX+WBfEIlIXeF| z{Xka3Q>w}u{h|ZWC4_DrlDgJjr!6w*S9Qwxcg^_gPGM;gKlGfKPO|Gv8wuzHl9^GxI;F97k%K&Iju?9VF-KsW^(?ff|vYVnGL3_WI1b@azN7o@G2Az)A`X6s_D@&9_s|f zYEWH-)oo5iML^ogRZN}5ph_jWAT=-=Nztt9?S=BSOrhWD;ygDku4)lC&3r4bTLptdIj}2vR@wZT7>LYyuOle@xGFVYuc63EOD$ejOTeC`HS%)%t>Kk+bZ=vWY~# zwMISOYGvbmP`1{TeA~J^ZZgrY&B#{@8jI@^HJXH|R3+Td^2JpOF;AzECuYiI=E(1@ zL=XDB0!dSsy^0Jr7xAw(Yc#9Nybg^OIW5rsej^{JEr>nBCLkL)!Keb;>Bmd+Y(xOgkCWPwB=M4GX~v@#yGOxdRmxz-lUt)}dAfZsf-VS^F8Zw4mj1=4D%-_YkS`P}Kjk4NWF@vU=l{>vx(h-5)2ma$R~ zX`ZPbaJeNuAUUS<02|RbvA-U@-9LVVoqi!5LB*ZnHaTd4yxi{cCSXAO**H-}Zp3rD z?%Af_H+(PvyKKZlnhPa0!X>V}pQ02uBc)RPIC$-8oRBM;$9ybE!Uu}D9sY#Lk6<9y z-NJQr=j>`(U=h^;iH6V&JIHu6#bdx)!6N}Jr%(3Z9(B(44~|}t@6JvSp#<3r&(`_q zV<0biTf9vCy8atnEuS8dKS+_2NAiFFN*^K0eu~+(4be>aU}^$@ff<8`5*a<8Kd0NPl%Llv^lE8|c-1k$i0^eIo)H$lA4PT3WFJ^KhKyL8Z~Y8SsP?hfBJ(91 z#HscgLaw?$fT`6m;7r91K6tSBv=Dbo&uZxj*#K&skm3&u&@VRRrqgd&q76W2*73a~ zp2h_Sm7fl<3P3Io9SM1on0SDN>CarM6%&|8Q+GmA6{ymi(!rl9_oXxS+N`b7p{jlZ zbv<;!p%^ikq1CKF1~-m2H#X8YAeg3m8fkhGX7Pl0O{=w>YTuxOt-Jc4428r>ArX;SpJM`!WVtO7Q@N&^<*wpWcyjLR>7= zb+`zj!O3$totoSiqArb!nv|3>&QwGAsbei6ddY{9JkFBwAWlhy_BYphUdFr>8GfyK zzp^6rw9Fz2vX#LbVr|xjlr?G)lkakHc^K>gFeM8eXO%Osh|@u$g5nT>5fo~3#KU2H z#acXxjDcBr@dWCL(A#j_Nx- zugc$49E+620)Y&oe*UT|QWWXQs!3q?G$}c&{n6oj!p;AyIV*DUNC--7)@cQmo1lJE z)At!`%CBwQfG#0ani2?CrC<+DKk|E3ykRQD-Ps~x*CiH?rB?BK?qrrLJT;;dRfs{} z)5RD`Bi5~3z-|rEzF4ZCPgSXcH@~+zUXY`M)!J3NC#`e@#(5}0mP(}ptroB*zuZqO zV7z2PqDe|eaR~LUY(&OYOzoA}AE&^Q1vndZez$hl!JAlL$^cIv6(;k_&PrFJ(}qqZ zatp#F>&7H*EcJ@X;%a;>KLY%|TVzSs@*U`tDTb=h2GrnxU&NVsPt)jqk;mbs*mwYO z(5+&~T1A$$^jg-;sz{57c$B%ZD>=PZ6Divi)tuy?2~7uMI$)-iD4-e46}Auo)xAKK zp|dxU{Crvzu&E6+m$y~7Iuf;f4qHR|j65JG&IXrg7YT)>;lz*D!^2v0hUH0p0$a_#R z=&qW4K!|sB%eg3i8$&&vSX%*Lt6k3IRZ?)=VS<_WXyURlUEsn%^02LHcd0t>e$w$< znw67*%H(9>8R2$R)@bFw`T#8#>|R;%60me1zXlK?JA?JgR~6 zd=Plyr+hGo(?Nhw1utoMd6CnQozX&4K8{lf7=UN^*#FPod%!i3y#M2XA{tM<^Xzp+ zP+AfY+o7lkC`gr{qNrp^Hn5Up<8DGgK(U;j4G%oAx3hN;I~MG{oO+4{%c=|o4NTQT0KO;pdn(ko1|zgW5FJ7Y1WzK-xHv$pN=GKkoXQa1fUHABlz_-OjsmNE z?KuY0hGlNS*c!#}rG*5s1&xg3}z8$eW*CqyjexuopzYsGL??sgig&B1iz4`&yGN z$0M-T^hl@md#oo0v-eV-*osvAKou2aP==5alhQ<82oac42mS)?FM**U)}7-Fq4X(U zN%#@7!DaFAV)7x&oI=H2`{42QD3PX>DXW@v?_HtcV22pz}<;rJ9HFn z@?kPEz#Tvhv{o7&m2r(_2WDU!F!}^$-3T$i4Q4srfN}C4Ac>9$i|Z2{8rVC~FFI~; zSZI%bY1<+998OowcN~-LhCWdUI!&1w0|VZscMXzB;e-SnNr1H&Zjh8I&v6f6h0k{G zW{Y^t0%Q#mP~@4!Fo@>f-@v<^5+$^3S0dWcm=y!f{E|lBh3QzGC~nYN(lA;f>tH0C^iUn6@nz3;;a~Sj7}>Zl9DS>`YGV#`jOII ziZ)T|m;f7IIkXGEc@jVS;JX%TUq5@9h@Iuxa&Bh&E=ouLo0!z#tG3{J`2BEZoi z9MNC|N{*fsN{5X90?!`w^?*`*7{KFoL~1;iQe_Iv!L@LL)YvO6oL~vn2<|2F_WYE- z18|Pxh=GqyF*vTwBunzP$7!t+ip;>N?vuMjBpup`Y1QyfNbMn12qPZwU`05ljl>ZG zQEMwkw*bzbcyn-`!DoR}<}n7VTNLA0T}ds1({d;|Np|1^7x@DPpr1xF(5#h8 zdal7y3_MCIVS?anqXvO6l3j$3GsOa@EoQCwR00l8RVmdfg9%Zfl%|%a=U$%7r!opE z0cY>wCgA)GpAJbmYFO@d%tRS0tqh*A+vSY4ltCH*TxMv?UZx_YC8GE5D)yb)PYBap z-b7?0i$E>}ViEuqV})*`esHa51GWSn#he`?M#dLWg1XcKC5+E4Rf@S8@Xbt>2ZDzd znMNnIJSqnNUyY7KNEKw7%4wl)F@{mGL<>D0ptP0a@X53=qhg5`ay-lk`Ak}5uohOL zYB-e5v|RXT;3x3~c(yWdtC`k>qJM*TD<_Sghb@ryC0W@bX_c_F32FZZXIDm=B@Qf;+tEOed3^71g9;C zSdt&tu8FUus=!(SPAfK9;A{p=W|jG(;E@I|h)7IMQR1(JQ5Bnz$btSqLCm&-P|N8I z{l;8pWHDgrPkyVxfF6eqU(E`DYlMh4*b%T|a4?P!5=0B7S5CAQ6vrD?!n6{~#F3uO zSB%b?R(gMlaW;DeW_CUt27zulHb3O}apNPh%w#I3#tht;Se0Fh1HsOY>IZps=ql`u zYC&ie5QfAh5lMmNhzwQ1N{D*fle;oj7%tu&phP4E=*nQ37QqQu5#&#~XBv%Gs26&^ zv}#fjL>Va<67$JSE7K{JWE9WIfC>ZT=F`aO-(@UCjtkw7P_>BxSBt<(K2koCSwZ1MsK&yzfHQoYzzuvR>rRv9>16Rh0|3E;T{bKIeM86_R^H<}W%WgWE^PX#ZM)G$}JH=2W+ zJ_=d`P6<3l11Jhw1W6csIhGX~wY0PvrL^jco{2POOmbs(E2g6df=!z;Co;{n0y2*h z5Nv$qpglBU%4D41H_P zk9bU*NSPukf$fRGe_BT%auIhV&4mMl=@2#F#yZ z(L<4zQK4GZBBlnzl;&&zUfb0&Lxv?L2OYB=vj%e8rnA1} z17`v%MPj(tG7lQUE`ca}74TqJ&#oP;e?wplZz~38O3`ub-P{5qNXg&L4eY4kOC_cU zX9%o@ygWN}bp7%qvIwK7{c^NYGDSa5&JI?0g`Mqi{Uubrwp8 z0)e9=DJIh{@JA(HPw-7@nhy2Qm~Qn9jnQR8X<^C9E(So_#~!EYbLb;Qy9{arTOO=vhq>BGTz`4rh&DI ze76=8ih`n}BcZ;C79z`=6DGznofg5xum%+;dx3NmXXge*otn2z@q<6j|+(1ELGbRv!riI`H(yaa`z zYE-2I4h;k%(`nIU1ft6##sK~_)pUMCHG#?z9Fa2x6*?t-xl5$7{wQEnN!~ZoA+Jga zBg^V=#45t*vX#su@ zDjt{Oln%chg3!&@4jKOZJ5%@**DUm&R=E`n2sFZzVTJI4HLq6_l>Wz zZI}?oyKj7zZNr2x-hJb%Y#Zi|5zHPIN{6X2q=zMovfp)p$vX9j3b_~(-NEs|`W$hk zLh0ZMh?ey$jwpdAE|3dNjOnR$Y(^m!!YZJ5BrwX?q6iV8W|ImSjnYAJ!<+Hg>Wk&^ zB8{OP%Cz0sBM}sU5^%hdQiw4Y&aALuOgMOED!8ptQ^LGWP|>W^sZc;~A?P(Cw;(Fh zdAnRdpj$dJs|Q4dMRa8uQ<{$q6B$kgr$lHFwZ9?KEys#73{C-D1ykB3OaT%Mvf|>J z2RLF>Q~|x2I~NapA{+o~;Q$mjKWq$wsi6$@I+%>8wK`a7$RAB#hK*t2Ahu;$1&G{J zBpr$*&j*@lV|rrpHU}adli)gnc4G+dBQa89;tPr4Bry=*^P>t)pi{Kc`yJ;l#CcU? zN*abf8dV`+>jRo|OsAF;>5$aBv(b9ZTuaTobIK5r!O@DxsDo9G(IisyY;t6#LsCa^ zGK}*F9ChTgPh^w8o#IMKFc%;oYs`WxB!PN=2*cz&$~GPn=rm3$Opb6!h(cibARN^q z5o#F^EftbLpra6}g;{5lfKkpvN`@BjnrbAWgQsU-vmM1{- zWpMtg@R_J0ZnAa+K?ZN`G@5qAVCZQAE+a#u1X z%Np~~iuV*a#UGX>A`-yT+%b@mKL{0uM7KD^E=_J?@u^ybAW7)tS)n0r#iKyBNIS&i z0VqzA0p6D|jO?_M1jZCp*HM-P1SAp=7#FkvxYUqfndQz%KM&GzB^4O1hjBSXC}AQI za&Z(py3#T6SyB|^evt}|)WJ%s84c@fF+x-HiKx)wdXzvs%v)niJ7jG)^0cOpFgH?E zl!6XadEl4_2Zk3-LaZ{UYlSZl>6AAWy(+6r0*=UaYB{Wy@fh>5NH7-TC&9al_WEoR z)C$7X$RHgY?o>QXC^*t`->vyn3Qmb5;CWAK00%EzMiGR!*J85JXZAc1?hVV5bQ&6- z0*?n@RRB+dQ-vymuM}KP@i6NW>Q{Nk0k}m8M3_jANTuKu{RVgdUTMcG0cXafQg9ip zfn}&R)gTCw!wyW&SVue`cqM1PRXqm>dW6PA!Z(mX%lFjpRd9`}Sn#7IWszE^ibwDW z1$k+OXa`1poOTm4?j}ZMU~mGX25$oqY9+nh@nD1O0ft+-PKC&+(EPxPjo)3S3i$Cl zSrTJ_W{yw&YVx$tZQHQEJ^>sBq1tJtHv>2IG(_c$xd7ur2s<;GBD= z890y(NNI=~ehb4cHV6&8HglEDd0+}kXbGvMIR`e_1Qo0i=qBYDLV)xmjEHVDe-V8G z8^U@*;>~40<9PTDl0Xt~e)faD3@1|foTYCGpDDzHPfF{|^PU`&5oEI>SOt&5)Zmei zvWrxT!P}!&oPdjQSS=@)y-H~feK?X}?tN!UA61BVd@B4{gO4eZa8oZ%1Aeey7(|w^ zG(%N2pfiK#Y!GJfeuE@&e*XS}5=mT0;NZC6fG^&C&K|*wFA4OI3XEov@kQ~CT0lO0 zcDOL3y6}tQ^F68<@Oif>PQg##u^9GO;0TfEZ%pbTW#Qw98qssomSAcKNztH2!z=10 z?*g6-7+xkXQ#t~X({budY#C`=F7jrD>kwCKsAQkv2I8nQnpPIk_cVH-fFY7)^{Y7m zxpx?quu_w0Ab(|NBV!cLkWRx)Lq#sNR^SufetN>x6WD-Hpb2Wq*MfFAHfICBL6VNb zpfEpwp(Mz!L#NIazMGlh5411>RTu*fHJ>*c1HbyVH1Ml$OaskMCacaQtKGNw0C_|O zD+C3TJqXqlpEL1aazCu z$k)LEAe^KUg$XlWu@*f9NsY3=nIT~k;M~Hn<|iWflO$uzbAdSot5eh)0e9R#DbZdZ zhE>|Ke$gf(hVO-bU=}6b5p?DsNkB+6C(27@J<}0LFl|!GJ#J09IDjywY=(8(M6w_q zmr8}m5@9t;sQ#lqo4{9jGIazJi6i9kg{l+ydpaO06ru}QI6ACCG8~bCq;!&MZlgs* z4uqAc9MytH9~6^Q&w8LNP*Ri4Aaar@Dolg7iE`Y!qeF@5~gq0hnH`#9(<_>R0e1{TuU>5M;A665OnYAvoIsas4%c`fMPk1mH0Vl%|8Z99L4#}1o zjO$uz)R2(%4R07AdmyY-Qi<_hD-{I^BGH27D+`!r4>rC;62zzgAgkX8`Qc4{Vk+!6 ziOY34p-0}!+xrJAE%o^aA*G5`n0p9Si3%PMUsMHG?CEP_K0{TY(&?MjqP5sYKV0ja ziTS6|BB@F^9#QgNJ1ZcSs>N4@&yma`IBsoxAr82u=t5QOIS)901R-8<>*5Dl0bWUr zAP#udA_Q3vZYc^72fS)AfGmO=w#pQhDce;54mQXb6=C|~{ORDP;Vb_`a2bXpkr<|A ztdKwyRl{2{Or)x1thA3H--rxWgPj0`U%+9d5>XoRXR=8Z8Z)CCWacC_rdJ~J1Vk7Q z6Noqw(+lO85EW{5YDCCB-V_)vOhn-1R3RxF6Jn}|Qm@YZ0sXk08lg(5%welvSPVPy zA7>z|5LnT=K_=&e`fC}=2V20d;jvqX&c)zb28HpIdPX_q|5KUb)FiudO`Y;vE znz6uhrOB!&`XU2LMPPKY7=h88GJ-HQ;WJE@L=wtBL)Nv-Qh%7vDu*8|s!6Jj2t=7a zsL~vdTwrX2HULaXKBU}8r)cIO2PJsDf~@2|I!=n!BpCv${7Xcc3#S!qdX}WqDsFll zs~Y-BLSI@qJ`5m62kX{CURR9HA1u18({qtUD+#z_V!jUi&A+4|X6;A;QY#R{DkRmC zAZD#32EcIy=s1O&jV-myCQH)B50MsD-b{{1h*swekwRm z{Ph0{{L2cUEINt*P5|Zh=qpQ~=EVH>qNh0xpDTB=X|pc+w*}eLoU|_@c$zo+uS%Uf za9>g6INOS!jhA<6 zzdo)ft&5cUn(~cvCAU>MNQ4xR$fGMe?t}fpLIHP}#C?|< z`vo={>s+Nx`e?P^G{<%@pf|*LOfxiaJRFHiCGB97VA`J|VOI{xk*_U5Rz3Z)Cqdgr(C$2_nmNuO5SvAtNTpdIP`NRyJWqAdH&~-V zU>r(D@OW5@s+ek2=w3pn1hRn&R-+1p&{CoBq&$>M4Xwr_N=#2h@JNAG8YKdfCMIHf z^3YQv$p~fU!KKNA@x+#ajG7?&C{=@+Du~LQWg=pW3^8B~18oq8quBZ3Sc7epmvJUx zoMC$DQ<)o)lWN$&d;m_JfT}HAoYSEIM5Dw~Ay9^KFXrdaDhJtPfhVCn!Kl;eShaNe zEwYRUdnzDl0F0hJs>GXsS0F5!*EE-%BjF>2f(TDDMa(;j$??n=n+O?gBGg1 z39-O=)wK+`MV+ig&1luYbtsRK2?IWWAddq%e;bh0%d_LBZoU+FLPg+xaZIPNfDXXB zd>%M&);w!c=2eg{546ltfl*oWEP$J2&0~Y}d$&MU%a>PS&rOmQT9c`;N@)r$fb+hL zFmo<9tYh<+kWZGuSm2dCPS6X!viArctsc9FCh6&zX1`cYI!lNZruSmg@Wm2(RR(V~ zz~P1e+@xI=;CW1NIPhO8F;~U#Y$F^F{Fh3;MYA-Fs{Jvwg2itBR8n(B#Nwns1%yym z_Mkc`(9%*Z74FD_9-?wWSi7EOddz8I>ukOpF{V-NIrC6aQ2TU9$_~)}Nn4zGRD00y zzZ%${i(ElSd+rc?@nH6rNiw-{bLsfvcWo}XNhE!fG5DMq`dl2w05uwi6$(^FAFrl> za)dx}YLLNg+-SF|rRtHtkcW_viob^849f`hC2+-Q2~;EG!%ERIRA z>A+gd5Mb10S_{OrfHnm(H+TM2AmYCqKH?L{FCCJ0>{wxxD>I-^8^0<6Su|8<(D)70 z8K4f96EN@q@!F!Zfh>$&m4MhFL0YW_glrCsj0*Jkiw+F%`B%7|J%W{Eei_C$?I-bR z9jy|#nD(<0%rC;B)}=o%i)Lk# zcuD%Y*$Q|``nq`vcuD%Y844(pv`T`TcNZAM(ebK*DJDBZBon!s5=Jzb{1Y-bv%skk z%>GQKNA5#Eg+V2pMhs=B=MHidq(%)9NZ|%qb163i_v5OCC_1bFH?c{yiV6-VRH_TL zN(oBJ@0~ouDhYa8Ik>4N)S_{U3AmT1CvRM1Yrrk)K`ol8e8HYu)PhpEu7y1<-UE5tTU{r6R1dUL5qyR&M@C2vJ#T$<4{DiWWH5 zP|r?LP(cUSsR=62NMJ2EL7T8!garokBzsgAh`3U4+JrHHwyNX12MuBXeL#Z0%oQ2a zJIIAHwIJ&P^LBYWSjt9=EZ0ik&(k3iU4s$Y1RNnoDlJ|NL1tpLOo@>PLnKvR(mxcK zAu{wB3Rmea$N~qCfzfb+sZ7ekv-B3p0{=nOS>#puW3(x_@vrPz;D8%?YBB7m)JkI@ z%iseD@~*F{09;4#8cTc$@JLq1c7AY!UAHN?wI4HZ-kc~LaF8jKDW)}q!e{sV6B&*_ z6$uBN2bkk015O94*1svZG0iR8ox{Sg^QW05!8>|atkdHMugqqaMMTwNB77n^$9k3r z{L`OjEravh(Xzll|8cfba1)DK7Wn5s%>rmMIa+8cIcwU%FbRic5nWN0WITGWlqrib5cVmlVSjSi6)cfN91$R2|OyV#$Zf z3aT_9DwMa9wI3522;K)=J{olN31GS9PozP^+TAOm!NNBG`7}_MO#+Mu%havHagZ{Z zd`w2=i_nn7ig0EP4V+y2pHBlb(DYbTI2ZrcI2dT4#=<%pzVJBcaHYu5E&g%P;Yy1` z@Wp5_vP0!Gm<++E(4a=NdJIpZ?Av%uKhvS!hzwI9AX>M=hO8BC8LS4Y zBqeg`(_nG}QG)PhhBZT5>Vbp_5O5y?iXKJhu$%;`OUcs|JSGH&hM3T5P#18i zF;a()@cfeq zCnFH1HXUN7eVph0u~*X_D$n z%qn8e-T$Xv<1A41@21zU2>IWAR^}p`K0;b#5YuhEMm=rWR+edtH31I zygdGETvEY{NgrmD{8Ekg#-d3U;6@#SP#Qr zhe;tAPtXAYNQ*&I5c~vH6IxiQl!^p`wr$(892@0Obf`oSO=bQK0&!9>+NT+U)r@l; zBjwY%R~c_y4+xfnB&!4hY4sSSBo{2%01(SSYxJJ!Balj^@i37nV3Pw0g+Pqrjv6#n z06|p$Ox&}5ft9EE&%lj1)^nJzBiDvrrGeGpPe)cIPG|&{alCIhCZ{|^jb%ArguXyr z1i$j7yCi!k5Ckiz&NG(nuu_TX2?*9{F%>X424jn2YB7#zaTH00mE^q&c+?_fdmzFK zL8p(8CBG9=5-mQ=g^93`fNB$U@gTgy2t-S0VOf%xUDDOn1JWoF^2&%K3QAlC&a;>d z@P#ouI=C$v5=e*yBqyj~HFZHUT17{PN<1J1iW5v?X@+`IJSQ)r?by^)QT>_o2$svq zNpe95S32o50b;dia7>HHv?5Y8R2x_hj09~HKu2K$e%~5chWH2!T$H4XM`T(hQ;jhq zP!b$oBL6KEl9c&sU~QsUi;1;LLPUN635Dc}VSk;3q|$S!mML|#hb`4|djg{QU5Tj^ zsAWKTBNHfjxEkEkJs6@bxlJ=ZxERAHRBC8$>S=P*p*lEvJa>&U|Ort;hrfJrX#dut8@-&IVq?!g^h7^*kE8)QY1r=khAWn^cExogP&P` z2TXZ#f^jvXMFf+NbZDbE5=>Os{9pw5v>+gC%A*SIEdVxTsrRT z&@V9I4!ctr?hJ-2&rYQxg-cXT%6HV4a6G2dQn};^M61(?j0=XfT(}$$LEJC{KHOCS zHh2MN?u3vkmHelOo&uU@%{Z1hinx5Mz;GENBnYJtN2t*J91iBMq`|S2RAD?OPZbjA zD3a$rD=$up%R<@~&IfYr>}f?E0#WnU;g)4ukSSq;@S%=GP>iuA=L6s@Kq0MQ@`2Ln z^?)OK9MvMwaIs5r2UoEcOG4BTH&KEH6;sL$v0A58ijzA~rMmIA;1WB0sCby0tJp>4 z=4!Derw(E#FR_z%w@T@^Fb9TRKxn$VIhwPHBhSh1$6*ZSr;K0cwd6mAl@sc(=t1OI0c7O4e`@ra5z;Y2v$QFE~mr> zIR<0|4~Rfj8f7XY@IeZU6l`c!A#7@-CgeHJDqWn`txmqh_unzBqf1ZJ6^xmSINiyW z5@#}PQG8=#IG;DTv`;us&Od)VN(pa@BHxL;Uc54v@7M>QT5}D#g%m*<85NP7mIjFiQj3A#ACzxE9 zbeaSlmLrf*$XuLEZcKdl5lEG(cz(p9r2@gLRC6HT9exX$pro{fOz&IFA z6H0TYl%HR}5F~F87&;6WM@}3GREZep$#_=DDF1uo@-mV^ZU+=4)W*O|jzM}O!NI+i znGrUh2&xdPF)-3pgs)0%@&*u0 zb&hO-C9zo3iooW7pZ}LXCd$w#BpJa8B$5=Z{n_G{NG1Pd3{Ou_&n}%hfj>PxJx%`f z>g3t6gN>JWXYY<)DZ5b5JT-A+1 zU5KfnSc)C=XcAgQEfPCPG3-uHkvo_oS3r92R6}G)_Pm1ARh9@c(h~?lOP%J#lS9gq z%}{lMNI(vXTR5gg+}s$Kc*-C`PBI!AuhSxO>Y%rPh!Tu;m#Rl8=c)Nq!6;=&0{q;- zxQHN##01O_^+7=1V!||15Vbh3f%;P?1yQqsM;*eBpnsdz>9`X`X|EVZwZ{Zp5|eZNKnB5f>*>NXHv#) z29zKNjT;h*^6F8j+xnF_5E=z)J-A zbA?liXv)`zt0Li%RjJ>NdJ|BKlub>#z$h39LK&yQF)b#;lt2rf>_z=w#QfQT{*%^! zkrmi;XMR`Zbt8i^GQ3;!i4vy75(r}vYEP zD;=o9E7X9K%>X61L1oFE1D^I`hl_`~168M!m6~B9GJJu$my3 zHKLYbK$5`>ihr3BMbz3j6`T?mkI7TxfIF0@VJ%`b^Kj5u;|0$9I2?iHarDav1pVM? zsLvG8zyuLTUHTyil7QuAT1JLpNhlIWM}QdZHe4)ngT%&C%)9|5QJfA(q0uJ1K#eJT zI@$R27eF~I7F)eseOMb2TXV@)Jd%4Zn-C{2BiR`|Lt!NEzo5o+pb124oC_#M$l4Hv z5y=RSqjE&p8zvCp09G>YtFI|E$gee(t&u{0S(*IsU39DzjVrABe?bcF*wLFu#_j6) zuM4miW*xHd{r`kh@cEx``aj{6Q|8|hPAilNEv!(VuAW`JOr%Zj^jax%THXHt!-JBlDCI}H2OqNGEkZkM8BFs+`4Wr@HP8c2`v%xeOpk_2ZQreJlL=^E$| zu+gtHOc*JSa2*aft_2okI+-!eH+kgIN=R4>;W{JGVZ*#@-*(( zexdr`=imI8y#Ee}>>K455EvI85gjP`oHt+gr{ect&(0k?n7;pZ?9{2l|K5N9ix1!X zFUZ&f4WLy7@vzr zNb2fA`$d80DTILB+~gS93kX&y5Sf+)XyfK4a0AcUY`S5C$F&AWG4Q17B}$>p+$a|u zauk3jgs!H=ASJ9t2(6(erXcHZv$UdW$f7<09BPC(UWvssssnz9Hvb^M@V= zo}wQ_ousa91a4q`m^=%*xfzLabEBQ?09|x%1Q6r~-0kUaIl84pn4rta+fd#fmW2w& zfs34gBqWtG>;$cw(0~&31Tp#6Sy}2pc>u&3OQRrV)NzpvNq#RP5*c=+S>K`F+V;B+u2k0nIX!5oJ?EmNqr>!L{j->|#Ln<_Z9yB`ciGj6H!$xGV@FZuD zc_t?Ll`d+S3mhS3F+@#PGB&KiF&XVYMb?Z}=#)w(|1y#SqOJjB4;A^>Dw<3LgG#_) zLM?X>OrihfO6%F&+{k0t#|`X11aLq=Rfq=z3qo+J5G_ph1Q218?^BkD$dVvwU<&mJ zKqoemG9xRcGCD&P6;L~fB0%a25vW>*nE5XNMWq(F_z;GmcXFCmW{V+j0S3c(FA>yR ziOG_vfP}CiX*0W37kXI}i8`$u)2m$#w;WgmNn|j{TB)ZkXK05_;F-wE#tlZoMG8`V zvqO*idXk;NX!~BWbBG+0$McL8V@{BSXvl#DQ7w|xBrX7OVI=@J5*ROn7*|qukAnQ5 zkgkL=H-jPkDJLm7O|vn?AExxB3J_Ap2~(*woFmNOnIMK zcMw65wD-M~nrnz+0jY73Nd4q0R4s*sJs_zmV}LK28sy)(jj$)q-vaAtX-1}580cPH zV8Q~Qff1lN4T5DjMi_Q=&Mf#RVi={(Bp5dx!y2K6jNw)e5FMk{#nc*xt*4M0fn*}c zUx`xPqQ=98dW(S7K)DSOn2K7WOdW3#6s4mV8^;vec&v~+5q+$Ppa>-=aw@}=IHJOm zX`>{vJjtBQX3idT@~#UUCxL1PNg)>ks)Zb>Q<&VA4ML0(PH?1+*(on-W;dkQaTHm_ zHx(hIBB&3HDrqMo+ER=<`6=?i`X+lqx7~)OsG|sqAa@Y}?m^{oXAk~>V93Sj6~M4L zjtCJo@X01`!l)clqB2BHAg&@vl7wogP(|u^493CTU5}0;&ug&hut&nUa|U4Q_F71f z;dm-zs@Gl%VgoQo0-eE)99+P8A}E-Sa!!Kb23DjejNbaG{ode?ilk^M1qe+=C)QG< zm(k}fHEtv9zV^m3J;nTbkmR4m{iGB`u869$eRqQ?m@pO7ksQ)P%3X5QN}$N9d?j=i zK~eNb@*V@`n?8HL=WLv$l*XLn7>*{Oq)16_B=kwdc|J@8xhm9{o?1ubI?z&a6qshz z7_NeqB!ANHEnoXa_TPR??hZ0kOkPsh54@j`QOW(^vqNXo`+uh{9X$Vc|Nk#O91{VE z9m3qivy*cFG|Ks)v{_haAIOmj1nI~rz%kOMnpVLn{)S+xgb(EC<=MfpavHw&i2eWT zW3v90SOUh;Cy-x=H0p%U!KirsdwY3#bu#t;@ao|8zxDrLd?rVR_pKvnMy{$l!9f90 zHa2!KHa521YSyr^v9T@txYfqSrh0;3n4gVJ{*2o1VS5`J8%P!u6=q{Is-2BZ<^&s? zw>CC5nSa^X=say~9!hO&eCF8LG}bKG)xW!qjZKaCkiG#nAIblg>{&I_#>Pt?9N-t7 za`o>Ly;eSGR{4j=dk5tBY$qJXmz?>o?*gBo5d(rtI?q{fq$qQ4xoxXChdjS|-BJ&=bSFes8PH~v3HZ~oz1&B z?{3UFT|+VUteqk=%zmYvu-E20?)GbY**CG>W*a+pdQrPcb!sG)46gQ1_17}RaY<1l zedp#6{%mk<_vn+aU)|iBTqL{M`n%(zslGPf9nX?%8tSuWgY!Od-X{3@_4FQRPM#`7 ziqfU6@)~=pj()rskx^sMFK3;{Ec&>uWlXj1HU4Q*ysYjFn;EzN*&&;el{K*Sp0a7r zE)|zY1Z?)V4GBmdlC~z%$?11(x}pc_dn#{P=CaIctAAX*v*k%{OJ;nER)an7?)9_+c6I9@NiXxH8k(QQWWZ&aQ_~D}H{vSCKqr?m|I} zzN$WJU)9We)dbs&OTD)qou1S}U2Wfy;7v#W&OW3%*()D&dIbf_@yMe3+4nDAiJNn8 zQE7svrec+k$L6b{zk6TqgAC}W+HiT`t-1?lsfSJ?x-9C^J;p;d&9~Qg=ukn7e!ef(z^>F+n|CBMXG_*EXc52tywqxxtD%ReOXl`3pO|4(Gz-PsRr{A7=-7A04qiq567TDzm z%^V?aI3&mE%C*~F58kM$wINmuLoX*BJaa|ReXRH0vf0x2?VN{s4|SPwwAGxS4lS+M zKfB$9;iB-6psX6$(b7&ulP@aPzDUh`wBYKgOJP|b>!&9wJwE*1>EyfZhg;40>Ei4j zk%99L{d!|X!Sgq{b;l2~U0BrSFK=kMn`ZIB%>BqLxAE?UXyNTh+Sq+EM50pILVBFz)=SC_w&)t8}tFG+|A` z*yblszxKY>V9TD~ZJXI|)W3Js@55I|?&|p}Ge90smOAw7v-5j~tiLzCC^j?DB_^y! z+oG*mACHxYTe|%+@Mx=_e+vD^-Xl9${dCshxjP%VH+khZZRVPmv2ACbRNV4e@I3Q; zucdlPsqN%r8~Yd4pSwKwmr+B$zY{&JyxHz%b6Tc_ZVqWtZ1?`a?Q6HXe3SeVO>@W& z?q?e!um8}cyajyZ+Su)qYa@qkzSriK!=kt4zAw8?9M$h?)8X%SZoyXe${wi_ZP*H^7>@4>W#`9#pdj8xlr1=&x~sGPxpCp^1{WB zsyo|++poW!m$Y?E?lGq&na<~L`MgVem3;rS;-BqOhoxb?=l2&}e^eIdU79nt_v4xQ z4o;3|BWy#K`z^dWD0Il_@X%BL)VQ-XaarWpzl&CsJ-A%F?Vlt2y|MGk+@SGMMfK5M z?c;_o=&W12=X72@+rGc;?z!%t^&dZ+dUtMpxs$#6=!c}bjq5aeyX{D;pMQEEar&*T z^ZB21f4M5m-&W1*-Os<@`1ZQ+)f~IvHK&hED}CL}{z!7V%AxZe<>BHoPesbZm=V(9 zX#rOio(<>pQQh3Mrq`paP1{<=N%ZN+%j}1JCbeFEW_B0VpZ~~e#~ z|5X~7o7p&XhF!?QeC}PIN^IC5Nsg#LUsgPHK}O5Eo_9QN)x0H@ z`pkUy{7JnXWA;R~>^25DyQEdqDIGJ9zaQ(EQ)}S|-*F|%lT z+2~HMH%Mo6Tfa`(x+LZ0x=C*N4sVnTS8Uwf{x{LO2c#Y)4Ge#cYRX*NoKdp^WF&b zqsQmx&s(|7ed@hkr^Ca3IlN-g&_B@mt2(V&V@7V=Mv5lMyZ#tWXf>pyO} ze?E4S&&g3IBc1Bodt}!PFO8cQ+CDBQFT!?}=MSSBEw)jw{n2e>nEQk2{=O^f8HCkW6;a>&8GS`$yQuA*1E3a+zb65E>cfkSm%9P&n~Z07Ww~pHFnIp7W-=M z@Y2Ql4*jd;bl<$toX453%b6D^%nFhBn9x zc({DozO)G99du;Un!igfCiclJ+SPf0W%ky#B1)gN$l|f#NHFM73EQQfhN>N>Snd ztY!I%EqyX;XP*5=`*K8chwP#Tc>#7q&JUWi_~gAF)fNQaIW=OMt=^{bt)cx6w5=AB z_R{BLbu{j`?1C-2R>jRvr!>}doL*pmw8@$B>mRP~kH5Jr-=S>|B8YJu>*3lsZjp3x z=YoR7X>ob3ntHDfqazx}9H=&am|)=27H{6nR6hPbx!W=PRrsyb7cV7t8aL%&`O_DR z9cr(bB&*lQX&p&P%=tkJ7T?W@c-%E_=XZ*Ymu|m5R3Z))?islw^3q(L?)={P!Dp^V zbiUuR31<6hif=nU+^V64AAAeO&ai3yYjTXnqixZwTX8pc=?)Gnv-eb>`#O0?Vp6KIW`Q5tr-K5R-91$LSrEE$@aPO@EO_y%1$Evx&ht7S`KoiljEKcI@FV#>hpk-I+_5mIXMkhjl4Tb& z);hmhT=X=1;uD)Ev-)ivwf{uf=1XTo@u?>cH%%?|RlK@fH4A?VdB5{1Zu;GcZm&-l_4HdYW=YbIiVYop-4m_c>g3vNLG1-C;F@)Z z&RY4;{-yCZGx8r#IwoJycY>qXFKta;;oJ|t#hYv1>pS*j$%TT;s@RMb2L^2WreTOo zos7&|ImY&V&egfuFXg@TImJh>o-9c_w70e6%vp-OfaIum4S(FdwO#8D1rc_VM?*)~ zeqDZ{Qx;|CvIARn5xCTVoe-H&sx4$k#{G<5X3JB!2iJezguw*0~u!y`8i!>{eWI`Ivz_M%48`{Lj(z7eB`7_X^f;BHlch_yIZdY?Zj|?{ls1 zICcxR4UxCk{*sop_0SpHKY!o(LUQYV@0TaX|9F00ak<~agw@5{>%Ojkrv2EhI#JKo zrFVkQC(BFUK^?BRNGIxx&d8Kh`dv zVfV7ff;T%3y*}!E?@XVr%ZJF%M;6sj{qAbWj|08m5x45-L?80*v~Ira*}}2$!Bely zFYcwkS##iv|5oQZi_A$-a&o#~zr{Z{EtDwjVw6 zc7-FcMK@-8KblgqFKC&hsD5hQzd!hjy{Wk?KF0Q#d=U^Af{hkg}GOop! zi)S8{4tjh^yZ&t*{l|SpF~g=b8@8zUTEzQ%=hMl`v&hOn4}5-fT!zi+qeEt{?KV5* z#Oz6eJ_Pj?hB~*@)w0L2Lm#d!Z#tQ-w&gCd$u4|V zkDjf|ZSL1?ctU@uEVkXg{qYafM|;{|A3kGLjZLQqtFQdA_t!IS4N@D~dt@j4eEbw%ynW@!hM?se`KRWPgT;%W~^D()%0-?`VH-@FjZ?z1e@dGo>ieLX~N zo?f;Mc^IiaRB|@t!i)RsM)i9cn<;x3Syos7@j&FD$IJ5H<(4*cd*S=wb>p!&FD9pgRRe!}R(?*}cy9~9pl_BcN+_fPMkF00TJo38J4(yZCNzbTs2 zqIF?Hc5#Ee<*0Dy+G4wHEyjsY?YUfXw)w-dVXX@j(Bb}vZ@m0@bnPAPnl-LMAxxDDnv@k9^p?Rrj!}E*#?AOT_Y$y$HK-!B7RH8zn1ud$!=z#&)Ifxfi7upAQl~y4kEylHGVSp88Rt zA6>nB!@N`dbMJ;vEm;?|$5k49AyM3TRlK&EcePwsI5~rCb$vf%{j~3&r6r4>1pYl} z>vpo)MGf+nr^akv^?TNlTFCr^5e|i;{Lj?*DRlM7?HjVj%wAGhcoe3_owRIm_Z)nTHu%s1MSUZDylz~*YWf-;lAwjY@#St&VzS+5Kg8BNRXgU7iCX20ZN(W=c1Pct z_4H=7gSH{1liuX#ziY6jvAqW>n7B|-+VHPu^E2b>F6`00QDH>(>=6Ub79~HiJ)pXB zE;lBswDj?r!({`Ow`!2*^xP-paB7oHHDms;-L$+~{<{WO2B4i<+LhJPzG;z{=QD8O zcZCtzqaurPN(=64ZvEVAkbc3*V5O|Ib71oCk@`3N7Yyj-969;TrJT#M-l#wjlas1$ zQMa`5U(aH%KWORk>cP_`^6_u(75&+3&`t0BTMiqhcC2piaePbG-m9drPJgIOBL8*p-}(C0VSVq*S~Mu^3tB5!8LC1% zl~ymZo3(?u@Mpi(TiqOgOPRN^#>P4^e>};Gnw@nzJ5*AXQ`%vOS62JbqN_FD|CxJv zL(P{yg+U$1A3opc`j~3VVYlM%V#1I98MM+>8mt(wZg1l}=-j=_e~czdTLm7-FC06` zZrFRz@g*|7OZ^8KY84b^w1~i(mOZS!^}A(3 zGL72dlEaS8wv)z@WV=d(+okSBT7COaxZ>r+2PrL%ch{HI=QGsKrv~;O z$Co<=53g~m?nu?7!V+aHN&B@ellx}=K33Fo-HIRIL6=)mM;rNr(qG_I&{|xVb zaaV)vBVK7;nmd%WJ2g5+sMt1!tku6LXWHh}>OPJ~OCGNoc;slj-lhJcZd)@O#`~8v z(vuU@AkS&tpEhkS>ASwpaG$+l^$~TX)0VLtd+5v4YBtEroPC(4Xuf#wOFCcIs={fG8(qo;Ik zJ}We;DCbl#-nm-s=QY~oUCk4cWo94B>A&Ep-LTP$*uBDICtV!#$(H6gUl==htY}}O z;%0??vv+y9#pGpn`f+*Kq#hyd$ltq$wl8izp?jx+8%EUgKwFjF=^9aE*V_i($x};y z4XP=K$@xJMx}wo$yC-!Xb?&jlH+hER%bZbLr=+fK-0iAIt>;I74pItYa(vG;kPi7N zWPbkBGhIIVP3j)Dak^Ak_NSiH7SI{tV^(0J`w16t!Pmzwn3bx3!ap zOMl;*x=H?vU9SAMCh$LQ>T0#MKWzzWTQGR6XsGRlrxMU@zaDnVdYapZ4t{VJpZ~d0 z+;0mBW%81fGvK|Ql4m%!aghesxZ;v0Jh#;!6u?vQ8fi6ly>IgELkP`Y-5}42xSrAN z+q;|M$Cu>(GF2igcZm`&in$?_7U4Hr6!y*jwn3g#+O!S5R@eL6xBfXF5473j>@IV@ z|La-XIoLFM&VHEq<2NyB@Je0G`GD^APSw^v&7M-wBY6^l|1)JsiQR;^>rz_#+lI{R zJ8y`)XU}u@wy%$SG(W!FrT#d(T=|)azx{SPJa6BW`*z+W0bS0tDk>Yhaqrt#+g~NM z*B^Hx*HUcUR{Xkj*picvAG9i+Jw51Pev5bCD;k%(JxMA3CxBeF>xYE>-SEle+%D<+ ze?93VOdjvJbZfc3`Rg_lYQ@~y(X)PG-|WZ+c~0}Mw{Cy2xBkx0?=PmumNp9P9a8j7 zw_l{TQzw!1OtH(A=g4M!uda6R;HgmCkPet!n^w1LgJbqP-lvS{-h^&sW{WY^YraU% zX<2ur|6=FoSBI=T)#iHh3D?#}x5_G67UV)QH|%|Q+W|#6r=p5-N^!MApK3#Y*xxl- zzGbaW4=T%V-d8C|LJLKiaTfg<1ee>kBJF;?@`qSR*FB;ct(7ySaqk|`d!*hL$H~lBw zv}twgSwT_wt<5vH)D7v7F!JVk*CMZ8KYzG!eP`PZHM*VYx13}F#SeF66K@90$+Xv` zyt{bi-C^>;yN3(YnkV;L{iylq`;mHV&df#u%_i98$}dI2fxqWptGT`IqnZVGe=5$H z656%=L#C|Sunggm*74h2>d&*wmCw69LlXP=y8}ZP$nGz`x%B9SoTe>TEZPlEt-0Oz zV7080#`KYVAu8hXxSNe0zEybm$o(Gm$bZ*hu8Sh{a7_4)oAt_PWDR^gqhwW3q97&* z_5bnN+m^LU{C{W|v9)eUheP!ovg&G|dfnQV6d``}6F9k1yJUwaDNCk4p6tBv?+=I5 zOGSb0CR}Mcq1%`zu1}iFw!1{tBZZH$(T%IeM$d1OtQZou>S&onK4|OgU9YP9WM1m! zylDOF*FsWCacelUMO61FsD9^e@t!HA z9^=1Xy~nr7iD45xGRO3n%L=G z-Phe2&~irGFp_{Hy_RC@?hN{_%&Se&I*Goejc{h4^YeO6zFIn9wRfj3vh~e|55G~r za1dzu&p(pgHAImht-WH*-sStg9kHxWb}gdx?5D+GJU#^ptyG3DwnDfzn zwyO$nE*zWbTtCly`rREQ89$fk3x4d?<+fr|)UA2@<8S(s(svho57h1QqMe(^dDZOR zBJb4RTCX-{xi?N~6w>U{fpw!+7Cx_Wt0)t>v}@JApGwvReItlDuXQ`qsn@aR=juy$ zZVeySq;OF7{hYHS$2G-j4nBBW5wWukeFwQPc)(vJ)!z$h?reW{tTaKF`?Al{j*FaE z{4vexc1h7myWFPUufLnDnqIOAG`ryXrs`#NhThwnCCn;Wd#u2@R>*3VN3-*fFLZ2q z?zgVz*Eh&p9(?6a(b>!qMUL<0Jl*@_pybEj6~<<-5{Mf z?(wjTgBCO+ud-9q3RjKa)4Z#fW{pG1n>Xh+@BO)byPrCe%WOo$?ajxovzv|D-k8_r z(Ug)+9XAclO7^}HTzodeq4nzMo$ZqM0jWn4JGiuDBH{HU@>Z0%;Lty73x-}7C!al^ zp8KNVt4;+o>3)e7VQz zWd#>YazpUeHsQ60o){@Q7}k91lqH$Y2Xu$`{&w-hwW9CGhTPkKW9ndi>7o^ro1FAI zQ=@n5k{3G;>K&%;xhC80alU4Qya1bn>R-2s2mUp9ed@#y{t08A-YWJDd8K=$Z$0tK zq|8*Ei@w(Du>7<}XahlvW07>J-YM)tZB5xG|DA_Zo-IAR=kS&Mce$kx|8hT7<6ZLu zk5lb6vkykpsGZ@{sIT0?-XptZ`t>mmquaoGy~8nh!K{vBn=yqARVfCT1*yY(S(#hQq_8RmcS^u$B-p;!B>UMZ7@4GX$aQDdx z4_q402%k2ldZUX=uP0yMXMepVtw?(2F?_?&>fc;mbG`S$9#@8oCfryYG_P0RxXVMm zyE()}t;%sf-|y|r{qe3ZPPTEJnPr!Itl*oM>r>pq-ZXn6Z+XJG$)*sGH`iX_m)95X zIeAxiwc(Esa!+P7DV?r!d$Xf(j4W|*s;cxxV6$wy++&NS%l&u61-(`^w^=!EPnZ1n zh22j0E-iP<`NrqZocNHWq-Ue^%57CTm$~CUp1W{DO4bAVJI@%8>0KAp8ydSRC(Y*m zoTo?5M73#LIA(75t0BHSeP0FLfEBH66_?hO*2!Af^WvWPSVr?lH1T**GWp#Yo0p@i zcWC_DBN*>J;GlTH5PAc^}hM|VSBb8EsI;8{lI_d-P9HP zs*BpZzY!DB&8C#NF|Wa^cl(zvEf?nm|9|X#3w#_^)i`YhbQKT~K@_}hi%r^{eI!lV zE)+{uK~Vk?%tRdH4wmDhMJXqEba(Dxe<^ z%eyGbtGonTp*;S-`>?7Hv6f-}i*_rz~=bn4cx#ymH&W~RI{r}!_(TR7j?EL1PKfPML zrg+Xx!uI0UyOS6Gde3M3Z-3&8kKVBUnLQg)XaDl!KYaWn@6J!HKkS^tvoreCSmE*k z?M?As@t)5Xu07$hXD%2%^P-VG=l$%fSN$b9{MwVoGhf}Z<5;n&d-DOsDedd0UG}|` zp1$wqYYzKpPwcLlXO9SdmppXptNVRz&D{qif7~!bx_IECM{b*P*I#aUW8Qs(KUjU+ z+fTpzxtEGZ{4@Mq`?_a3UwAI|vO440Dc}FgEpMogzw_ByCpZ3h)^$sSr}jSkyEoqU zt<$-^cOLx0k?2e9mk<4Gr2R|!f_>W$zUM>trq2H5k}s~mYVT9t3u`McUHaKe>2t9_ZqzAq<_A$`Ni;m_r3D!`X8@4X6}Q%Cm*)+ zr{r7_Dp=nF6?a9x-^IUXB^BIS{__FfaoOe#!>zu1D z5uV!b{Ckf3+J`$&{@*heK6T#9?|us0`PZjfx1RT{OP@+}-yi(%3!ne`b00fFfAhD) zS6zI}1Lvy8Uvk)a`(JmsvE#HupE_D!x^3s@nl5_2`^59t$6vbtdruy@U@ki6B5tqm zEjr}4zs?LCI&bHDZ?+8{wejhZ={LM`_AlqW^!LA>e9Q2QJO8-tfzA8>uK3&QAAaJP zJs&z}ZS=Db{^;tvqurYicx2E1)2_es*>@lLug6}0b4Fs`LAkTz=RR?-{GE$lx_RrR zdq4U5<}dBI_Uw^9@!81pFV3I!%`M-L@7&}1wO8_TVaJcxJn;LuXPz^Ak?_=k=ijrU z|N4&4AG`RLd5=ZjoVhi2&4OQ_^PSM+f4%0kqnAI>x8IKczWI({$Nu?t@~vC57eDs= zAm>b>8B1pKhnMVfQ!IkSG|18gtvid2&&SUE=-;os;g$0q{PysPJAQgi?@Q-p zetG$$pT0UV`0U`;?@KN3?EKEl-}ssE@r#ZPoe)0oN8f!MUHz%|7QOVx-)>P~xbBX3 z4&M0ILvwC8^2}cx_pc{Evw9#GD?EGP-x{vJ?Kc}+t{;5nbMs$)an9dwZ|}U<_{y?5 zdq&RRBl(8~i_^m&IbqS;UthiF%V@{zOWyg$anTWD_1fE>{P+(qxbL6^i!Ofo*)5mc zyX{w-fAhQdwiUL{T5`-$e_H*E1=|-KaL@m4Ip&%0MGu|$^3i+U7~A8C-|cr|_ha8S zuDZ2v>ox0J9(>}~*6pYNu;`m@~JxxKWoXF z#?;v#dhn5_Mn1OX*=z0uJXIf7yK%?2r}dxS zcGqpoU-*mi*&X-(`)!*)dEjZ6KGb~G<{y9V zovRQ3=vV&V_fJ2fXYWhjdE(5|M-JUM?Y!5&_2CV-8FQb0^2Jx%zxd)04mwTWcw$#u z|4ie*hyF43`xn2q?-d{2vS9nSE<0k+Q@^}({8Zi`vy1N_FoU9dG8+l(F-nW{@!6<|JFg9Pu?@K zXXehs|8jZ!E3Z#~^|Zqq-dOO7p?LV-g;SPZ`PJkfzBK>q!ymeF$Fv88uRS|o-cy;j zX6xIJKYg=u?!JY8wT^6=^|4Rp|F)?AlB3W2E_cIUdM~+l)1K$;RByTCiQ6t+^TYR& zk3aC9xa~J*%{g$-$oa_^pL_8#IREGmZy)^Kk%KSaamchaN1pVxokwhLY5eu3pLcKg z#q^EIw{HFZEzNgrozpyY;H$@__WjeLL-PH?dAFW+?ZUr*`iG&}t#=-N?vfji-+aK? zspDVy>(4HH{K1=rfqicpIsed$ru}X6ufDqD>5pw4_*eDTbi z_jq>6x%=L}>GWw=FL*Nl#{KsV{pOgtO+R^O=U*&*8~IqJu6uRi6`pGx=afA*Un zNzI%(bL!$h{rqctTz>BvFP?sX>iN~vmfnPJTM`MK5Z=FV@`=lGHwf{a^IkplQ1sf) z*B_aB)YPN4Y6o7^_s#D;f9-{je&GxGUp6iL`wPu)9jd&vCVSe~&Um)#S65y9=w)4B z{afP5J2srL;k2!A^SN98_IQ`D`R~{4oH={l1&>{K>b!Vxo5|MKhFEzxx(oOZr*qA%<-38b+J5UhqUq*bn5^7{+nw*`O|N$ zzjFVE)Y)^+y5pOL<@YSV_i}jWQ&Se-arpfoT5`>TpFA2m>cfw}`0{>J_PgkjzinN4 z%Z-0d9eCeAesE)9IP%0>&s}_;u-|Pv?>uxqveT@emH#I zaZ{FFc}65!_`81Lw>Mn)_O$E2edno5^J~wY_Tu1h{zI+D4?X_#hhEEnIX`XD>4{fQ zx$6fHPF6KHsXyM-bPkeVI^R{~Ei$DLLP3YaB&u@GF#B0U7);6DZ z>a|ne{llg2HJ|X@$h_^Tj%QBW@Q?i(&j0eyu6(fhh%=PtqrY;>0gqgI?>7$q@zj%^ zeYtPh$hO}<{nsmgmioBV9XcVr&viGRbkt9O_WG^AI&90#?HgxYJoAim9)CdH_mjsB z-f{T3XB~CSo{{sruK3mCEr;FzuNh~*v(NQsZM$yvH{QEu>Ph=EX7F>Js*RQ;%efFleUijIs zzI4{MLr3PFv#jZy=u3A$o4qMAXX(4&c$B|==+470SoZUMj_rHl-FQFaGAqJtH0GY`yV{sXsFQefX=d|K_?U3m8i=tV+xn_~#wp z-}2uJGTf4L|MJCmVjK2e+&}X0GZ#!9obv1!-;=NS;VZx1GVOr#*MIl)Bfc@^rIDqt zpYZY(zx&1@|I3fe`}o~=9RAH;UJ<%!{mZcxmwxoXrLTPIx&NDTZ}`M3PCw!spF8K& zhcD~D=%Ing*}s}LZ`!>7ch6~`S@y}*XB=~S-}%X>rrlb&`ie`pbpE7c%F-EMOujYr z&#g1h_|=_T|J9Id34MRy?pGz+L!khp2^zgwyo*lm6tf?0+x!{H8Uc5{>`>;KK{qY+g zIHULU6Q4s*U!|p*@4IQ=wg1(({+dT$S@W+ql=BwE_dmP+vsZ?fUpLa3xZ%O=iND2D zpW5>L=BcT@E`DUw(W_IuK>mNVkkG<=Wv+izgNS%E* zdLeSqv$q^^m+ z_PTkG9m%8SZF%U{*6n*R=j2O&cIAUDM||^{?DwQ!oOz=Dp*vsOYi9Rje=K6yUojLQ8Gmg|QJMM|r{SF>loZfF$$LBx0XJr3JjyUJI z1sBdeAad_{-+$;t?wS2s|E8V$#m%4G1D*cF;P6X}xYHkcegD55a{WiPT>rQJ1+QLt z`?PtdY5#ZYop-%`@{Nz*`S8O(OIIo^-+9{o!^@{Udi9<+9Ced$>c^H`{#wg% z+)?LsU-G3*Z}ngBUSi3c$=e@(`bX0q-umlbY-PA}U5Upp{mMmaPq{Pk zX_WoU@W*zX|AXeHPd}7A_Qa0Kr=#P_^H1D1<*Yr7?K>hRx&0dwX=Q+6E51@AWx*?6JoYM&}8J$Qv+8V_NOe6i>|O5(%y; zzA8RH+1!$BYMC96C*$!iJa@}?Tov-FC}oPJ6%q+r;rK%Mr9Jl8V~?)R6&=?tO#Roc zzRWWD)cknvf3cJ&d8imDDyu?&J^HA0|FgNJ)qDT5rFAm@&xAZ8)Sx0lMUWs$hBy)l zFX_0q83I7J5)mh@=tOp6PL2kGi6TSQ`7DfPRW&O^UXu`sd=dg?c!MOE8;wU3AyLXg zWF!H~@l7qQNl_5_44luW=O+Xq6NfGH<~75nbc-m?PxFapIIk%&Kb~%ZiB{MuLf9%c z&(Da7Rz5x_(bO!!c_AxFN)j~1o8nx&iECadIU$dG{R8030ZP^|0ApthB$Xpg!|UwMi~}~gRwv}~ ztbZE!fs=VX3ny&-w6_Ox4Cu{|#&r80Q67kYn^XQ8W`~bgFvukb4Biu_iZ2jJd3zOf9DnfI_ zcJQwxXx@#WcpuEaWBuo$C>8ScVgMD_f4oHhZ*888|1u#@z1IJn(lyXjaplY_t<+j> z;mq+YoYu0-ziIaY;(amyj`ff7yev0q&}rg<53kcG_h;A_0j=b-_0 zlCz^*hCG51lHdavIo@ytfL2*@E)tK|TRFlq&`L@cI4#W)EBrdkl7VRbEFB7=Ioxr3 zLD#X|uu}WI6hd zw1g?Z8fp?ayP`d<)TlZm7g;(ROjLl^b-oDHObI1K88+xI8jU?oRGPSd3U-hiAr*D({?=>%SjZt;t9bZde` zX2Q@55KkIOPCx={%ThlLyAL7O+H@XBN=DW5EGLIzX5O4W9dsGMDCi0T3)^~^kcGLT zZFv_EVY-mbl3ZvC$V-YO!n6Yy)=FHw0)ONk9_IkcHN3 z=w?8BEdR*NSbWT(GMZ_!fdTUxCQi^mc%G@IkvY^M;f`c38}UM$PX08L7A8GC;x?=7 zjW%Y!b~T9G>{2Adp&L5cApT6lymv!AFOlrDC~0Mb%|W0JDo{7GrkE)fSY-G--al)q zq>x$fDJX4dHG+CFgBI&*LBrjbHXicEX=ZHF+?o6F9DlB3QvqW-$k3r7SlNNgv6{Lw zn|iVvwglZQhmOzeX%y^c^bBYGS&jv93EQc}cqq?sQ8)&&pyMqeNhh)qb7;g~u{Vs^ zEQ$qjn*WL>pyFkcfXaXX2{|YhWT-~~jAo-CjAe6wI9eiM0};ZDm`w4ejbocP2afUu z*^o3Da#lZ71W&g+#z0cm(5;H4kd1j_OvI2^aHB!`_raET&9XI~1c`V&5pv;@ys<}2 zv)i-@0_GNDAF%zNrNrTQ+H@?$Ua+oQqozEa5X%ad!;?%jP4xgbO31)`*UZJknv7zJ zW?0GOiMk0y3E@U*jvc;WsCkmV-cyw>C`na_#HJhSP{^^H_Z?n=AP|@8!+&C}!wQ&B z-kLu#Nz42I?4b=JYQlxuplL%T1LRc^CV{F%fSSofNTwJA_VJn~7p-43 zkusLJvMTVhkEY>cDIqg9KiV2&X-GLbKinWMM{`DAp1yc>JGZuN8Mmx+P3JN^Y8P=@TPVB|=WAH4k_QaHyCKo?G& zHWf+|D_3b%gSw0fpkz^cGKooPBOhG1w zF#-psEt3m4#|1RZ_9Y??9IX&;0P@8?$2+#vtgQgyIE0c)7F#Xm8CL?qp3b(8<(<*I zI33Xi!5KNo>8fgQCPiY6ilj8;^n&8Z|A2Xd+jQg|utn3mZn%W!`edmH8Y)X7?BE+% zAmPI1D=MOr<`?{FIpGV=G=$_EO|wT*W=aY&ATMGf#yycPlmSUs6=D?~;B^TzjL>vE zz2+bnNiuXQtt=-qZ`%^b0k4$1DOrx^%x=nJw1X8Y!6?Z|CraZ%t9T6V5p+m;68LR? z@hGVN&6Fu~lOh>n8t{4+jnnv?IO-z3wdq-ubd7}vG(oeSbKcD6=)fb%WY3cnDR?tA zVZ&X^%NVQPX?11Ia{|M}geR?@y(OWmL6ig|!WNmp=b_wA>`GV%!;KAvQI6N4xUi7P zKplmXAlwpZ`FL*>$tlT}`XqMgbeajKDnI%ni~g>Y<G*BY>cSB#dyUDY4NrK0FD7s@@NHStX`J z$AEyU2aM1=bf(L>gtABc7MPYx>Dts14HdwRP$;m(&t8IKFUYRh`sLO=O*;<|&4nW= zSZ`DnktKOmMUoVgV9$VhULuBztj-INm=LS7RS2pgK+Qlgj4aHSQA|_me`3?kRwY&8 z)C}H^BTAEw4~ubs-B6cQv6qf637X?xW^C?}-HVjHP11c-w~8>oa27X;8r~e^f0E|j zs;isqs|E8{60A@aNDgXrBMDmOG&hCZCk|wjsEV*#)eW|lH}$AxDlabNWnK~RrcDvS z3bUMZ2&hWqyM;_v8F30UFk&SoYrcz3$1QSrJb1vi)!iInl8wHbWm4spBH%@O4FWTN zyicWRvcX_Z5^^BV7isQFaxq6_V_lVl3|0vNi2ov1KB8oq=Hm!JYJ}hdZshZt3`t6L zRt>KpdLjo@1w?z85nI(kl=yhy{i!_`ayDik1$a^G#3rU!Nnx4ZRRt4j9kFY+Omqw` z%?4njS#}JotJ_329xSj&OZ^+@r^<#tlCG3GR<_t!Xsz^$fwS~nc zHTICi+Dsj6#MH;SQ3|pg0g77E6)}qgi9i8x=?D;Vs*0#F&uYu=73xs{8nRjwrt`M7 zy%Eck2v8LVfW=EYBlr{eJXongrPttvesYrI$wcY3m0|_KwzN|>C(#G}nDeyDyp(5F zZ3ptZ*R)$Ud(%{JwU~w(Rfp!OjF}BOtriq<%v^v7wJMkZqe|2KLBKGV74BZ+Szct% zD9ITT9t+v;5#!ik4k~Q#CrWsOXC1P754;&i4guOsH*e&8_xFx*phDWxtjuFAHY7u( z%>YBS#v)7{!|)vMhq*9jp=8xBS4GqP zlmk7G7uV{N0aq$y*&}HaOoDlfB_EE9$+Mt|ya9U+oi|{%=yAORy#{Y!fG}Go&JG5m z22SMsRBGj@PFKK6nXby@`~tD&5Hw=b>7Y17M<4^y0uDmxczYKx1KOL2mVBPuVZMkj`YaabVjIic_ zs%y-z8QMZAnfBr}<)Kot&L)X;l1NSRs1J=g+bT<ym?Yxq%+{kt++Knj9De zHLn%ODLzw^$-%Mf5{3H$g?SI6sik$f6teC>G_}O@p%7EynXdzdx|3*8);TH`)+?OF z>>C@Fto59y+ESm@$g3ihv79FdpHZ+DYZ^?GBvm40CxRyxQPTug4+K@m3IlD8*%Jws zIF1(?08EgZ##p?yb15wd$VBC%{zlWM165(8z^Y=zS(dboo70HV!%Tk;GP;^4yFm&( zZKlCHSRg{IhnZ)Iy3uGMiI`$LH`4u)nXlbNCG_w^)mVqB4rFNnDi|3k) zJX8yY^|B=dK!%s(f(}>Zbck}QEG9uK(do!EJKiQjA#2374X0&%M&p{$Jj9zz1mH$Y z3gloo#NPRPNjPppQI6)Y(fAo++?$s21w9(TrG@|5%w)YO*i5BiFtEr z0q-u|8pm=~kuXnpr~NmF4;+>f7qd1!F^FeV669$sbTQ&@#A+~rS4DH2xmp1_?p1U) z@Z6x$d#sr|63&_k%XcjvZFTv}#!DQ)JU*wBZeS&DV7?wwbr^N2kCeH$^Ybe6AxE!s zR2{}NN|s4_9zCZApoHg^vbi#h&Y#u!GrJ&m7r^iUC}qI!m$8wx|P;*d+Au>&!$^g;mcFp~diuZp^I}(bmSh=dRH)?D&YVD)K{m;3j_kR-2iOKsv z6Y|WO#cuataiQ@B(Siqal1z`b2t8o^HVxSw9$76y5zLwu3OUb>c?H*}S~3*DfW%WJ zd1%P?oew)aEbzxLh=P$3pi+^PQL+AtJLy=_OU;u+CB_=Cq|oD5W_Ty|M-bSy=`c^* zj}8r4md)r2Q|{ppXh4Xv7Nhj&om%H<Iv&O<{(9FQ^~x`y6`bNKU_(W=16NDX5m zEWP%D(M^nJTu>pMuTnvl9nDzBl$h^_gGOYYY|;^hu`FYFrAiFwUfH{9aZhJ&Uw2z? z@7k3;9SdeOU~wiGGU{F*~rM87)~T) z>P02?4rcyWxE2_3o_G0VQJ&@GOJ&z2Veo3fK<52X)`H8sqGZ9MWXR;m zme)wwJlPLhcw}43C^?kIBXRJy6)QVB`?|V49F3Syt6Z*bJ|!72kJiQ4N0GrB1r+5) zQOA;yykkE`!i^Gb~)}ngvbCiChD7(UjB2p)6fl_YCrU5g2?w z1U$&VL6Db}f&r1gKT20ObBwYsH%F~7GHZE5pmsk>P-GD&!AzI@9T2J{mcc5gf2M1V z^mg{F>1y{`CRKM_EfeSLQbR*nr0C?DVuPfJa3e6+l+$Pwl@#0-0`W#NlTrL1Hk;uQ zbEQ>H$fKoW8$~85SE28|uSnc7_Eq4U=KNzgxQwa~^14_Z5ugDfRwW@+MqaWC{C<8y z=04FhHyV$|qlx#s4&tT&Qz5Y_z_el71VB{HsBPzD`bmTPyTNC{Ffdehvw0ZkFbg*> zk`xhyIsK%Q#Mv{3S%~j&BT-yJYukEObgfuyIR%ibxFR&5U_cQxIH30qflYns2u4O4 zBS2#pu&wA664|mMLsyloTm(AAngjJCHdMe5sFHcpN4H0UfTRE(Xu2vE=zR-^IVT#L zEh!n*vg?VefTGUuLH0fDSWX?}3^hi4f{CvY$9my#FPx*KYkqdk{=WwMPhSqo8q`tL z&}s_>Q{Mj5G&d2S>#_edHN~4J?LQOo3=PF*fdMI>BWa*)SLF7f28G7*n6V|G36Mih zcq2bpWdaLSg)yuIm_KF^u#yX^pA^S9Eg?c%amjystgg2;4^Y!3#mIp05r{hig*~m& zerq9<;JY;veK14M7X`Nw3A#v1hs5}dem8rIZ1vOyC?E!@;xZ$x7k+Z$g(hVh+ z9%vMFYEtAiO;)s6ue+7613J8jTtrc2|ShmVzmJ|#JvJ~gipnsci z43n$-cq0>@9R}gPDoHPhPB4`~y)?WR2DB^y%=l}qQQZ-c46jqK+RUP#Im(-gbWjaT z(YESf?Yg9(N9ngX=MpIAK~pr50H~l5Llj*YmY*XD%)xxsu?lV-k6K|Li1Kaug##q0 z8jOU}1p~0g=M!3JiYDSfR3TDk8fIreG9mz}U=WfkQ{)CpUXy9aQNmuO3`gi%RJ_D(LDIL^_%#Re@bg!$mkJv!;431o;{OTt&ToRBF*#N9Pr>P1bV!ib5VF;-kW*D^5u@n01Qr z8nNuCS{s`EDhA=%Z+yO(4lFosxHgYp%i`BQqpgv09k!>MDA%eN2zwbjS6MVvLvvN( z#5q+p;>S@H54vW0Bb6#*#yh~#F*a2<$}=_9snV1Mn;CS;z1ONhc2=keu4yjTT%~IO z)pSj?!rGJr+bmS`if~v_Yg!Rjy~@1YRWx|Ll(tyS9)szQw!%oxV(oa2?5>+;M`SFE z$CCJsRqL1mHEYs3gWIU6hXz%h)J!Ke(_OBa`fu_~Fa0Vvd#rfH1!-Al!j^-&Jt3|} zYFeA#nt?0Q>YfHt4eEPxVNNd0UAHh7dwn9Q$6WVS^lW=52sZbcLDXPKpw8iF>odX zWsD8fh%YZ+styyZuNkGo4$>xBx|1%VL0WR0wL{#kDxV)X?hA%@sTxK!qI&3Iq@i)r z#L8%44n*RTrO9BJjW7$VscxrS9~z=gTSK-_kW+A}y5}&)ag{Pa_x39hw1L)Yhsw8N zMR?q81P{3OwyFfJGRD1%>Lm7e7505uxaaz+c`u-X+1PoBw4K(Ve2@df=5qHHG`7t# z$}YfY***!;6a&=z)32KIg4HlMrJx!PH_yr)IjiKH?xs~aep;kE_VJFgb9+Kv4#$<< zP3e%=0WJe#s%H4+w90F-s3pju2-a7(C2@*WcTBvp+d)TQuiaR3mXUW{S<{0P{t~MI zUNrC&;{Q;lTBEC;cjH+aPVl7gN#SrwUp7Hk+m6q+yDT&&)s!`aIF0{yfWY8}%OWeN zg;I=-4sYeLS1S%{gx87AKopm=3e}40F(Y~6$+Bv=$|9}|=Ob?DHY3XMj$q3sCy$0! zBNF)}KsFefOokf<4J3#*2oKPo78JaZiyCUw$U*uFgjrCHFy7~kjFjcDcJrReH;NkU zLKua*q-4V&N`dfThHSLxmniEMco(rxl?GO47#Qk_d|qz!uU)E{)Zzf>2%A{J=;$a| zo%7#OiD+U@O+I-RRe~_DX{O^}Q#r3mt7Lhf$X)HmKKYFDsp0+ywPWRZt=43~72V%J^x8-hSdM|@FXSteiRPRyT7>AltRq4kw@Y$y0;;_Z(<( zRqF#4b|A~2q9GAia6abbjY*w&vcV_DH2yoxy)5dWW-~Pw09}GE8 zLitpjA;#a!3L8rb&?d{yC>^kw4XO$u9j%Y#ofJ?L@YKNn-6!YOv;T_xf6m-^3IA`7 zPxAkXc&gz4!O84mv!X*N7eS}U`2W%DrV)pDaJf8qq=LU=$hdCnoE{~+vot6t2g=SA zogpF}(vrgK#STlZFgC97MlJ$oq>Bbb4n96KL_#gn?_gwv3~`3pJv7*dVUTW}0~NtL z*iw#OS)f%zaw9bfI?gTW+!+IDJJbqHPCv^u^8u4eHSmAtEWn`wp*9O(MgHI7<^N4{ z=eA7p|A}}!r);J}h$F16FGFUGY4q%vb+kKkVo!1e2M6&W)4U?*Oz!Bm%peU4cFrt^ zO~>1W8I%pU!n?v#%2#klGHeVi?9R(T`|;#zC^tC2>JFAkb9h>b&?vdsbbue4DPn$N z-dy&=;PostNa9RKQ8UL;?L-qy1!e(N#-k#UMm~uA-uu+R|J|`nYLEaG&wu8$c=&%a z773I5e*zv4|Mv}0jOm}UeOJ6;mt+WBe}PeL$eJ9j{Meo4hRN(TRqS;!vOI4Hxn&Np zY6Gn5v9jQ)X8x5nSyl&uq>#j-&YV^Uv1v9kNz!(+2B zEn`p-$*He(R-kzf0IDConflqbp4iEtD^GoCZI6Ye+F`h|P1}_{NvJCiD4-qJs4RN* zu`ZHW5vIY13(VS6a>g=_rpXWHx%%$%)FS`w8)_UeI#z26Dlh+=<}|gmdgT9{Iq}K! z{|R}jGcHtf(i3!nF=`(l^|B(pzQ&?zlZg`A3-8Xtx5OQZfE1PelXDLGYfpQf12vvD|x6+bmv zH}NBT&WdV1C908VYd%t{Nptk#D}WR=RrJ*vZOWTh9ZhSh*ybf`g2alX?d^bQU5vba z)HfvLpjeQh?(_-4dYa=kBDC)QyP}bG4R$v6_cVwQAJC^vx_?4`ne?e z)ODk(IxUxRnoLGgB*PJo)O-`%wN+>I-5RP4buT42UIusWtT~$g4XEcOg*32O=LOge zbx9R_p`a?Fb1dbGxtL*<4OYYp6biaz6x(U|0&h}!%vD_lY%Y{Ri*>c2xd!EJjg_fo zIDYm+=V+YYE$L!qo2s<$Z!BkotT;-isiQPzmDlLu49`&l2&UwAE1jeB9GwaX;&U$K z@~X&T>ESrOCrdw=n+Jwx_c#t%9E5sOxH(g~fLttNxXrG7rcsATE$9M7?mn&8Ng7GR zz0mAR!$4sxEYaj{p=4(8V`bw9j)w!Ww4}sP&hwTNJTHblt`YfuQPNqsD!-}BV|wYP z{_HW&+>p`WNdt4^@zFMrkrc6-x`4}LENMm#!~vJ*H`2cofKyZha5V8*6e+xha;gz_ zy_QvE%+9Cu6v}Xjnp8+onQ@GQO}w9( zLalOcl;l_?@%auBDg*w6xUg&0inirleI1<(S1Hsoy~sSzKsdw82zrC# zi7;Kr2Kj-R{h67ok6+feX63Tg%RBozx_bQk4Og)Y!j(GdUfHv%Z^i263p>m7Qo%#e z-AS2-*aI`AUn|)FoH+!1ygl*L4~xl4PCKKb$@XQddslV# z^tE+&_pNAK9xy2ZHW^;C{&w$y13FvYM*3Q^vUgP(CRdAy3+|*M%L($aVhm?|7DJsE zz!-^sHz4%tiQD6!>;%|u&#Std>Q;AcZt9?v5@cxrS}}wDwGCGh_ekMJ+stGS&S#ec z0(UyVZ@1$ZXqEAby$#}#?FK=N{eTXNVpNLVq4$UGbbU>Le`k8^;bmmjq+n^R` zQF1q>`P-A|W6)FN%B{EydYeH7L4XLY%IOg0R9P(3khiF}sSGd41szt?l(%T@n+bPB zaR1fqE;DhEPBEz@Xm#A13(g{_bNl#d-G85`EnYfNQ z;2I|MeGw3}LMYHGP&ZnPje_*)F%#Tq==>VTs`jhpdq7oMGuU9}GbYMO989Eo22vgK zpj^Str0fmAC^iW`Xx)v7uRQ)r=uR-}xe-`?e^rteZfy7)FSb<^%Ni9T0&~4pi4f=I zg$g1nKs>>`W)wRlJqd=Y=`e61L@_zaJh=s?owA}SyHmANs%N_3bGsmK0Xjt=m?aBwadJeUuAk8nqI(OFC0)h zO(p&#&W=hvqv+#uB5`82LUcp3AdPWo#>Mi@P*8FX?Rw$#M*)B*%II=c^fGdHx+NE2 zb`|&FsE4ng-OGn;?K2$L4(OBuL|(;|C8`M4v!qSFK0^T;a(9NEprlZf-ofMWjL!eJ zp7Fn$TU%PZ@&B6>iRMZF--&o8#IrZ3VH#%X19Tg_MEo!a$LiV3nt4CE_9ou%n#Zp9 zDQ3~cCY_3_bt-m*U-MfAb#N=TTblGM_TXf6j>UeJN8@5^a=Myai@lY`(D7)Ti+!q2 zdKZHaq<3-UVNSXizb`!rC*6xD-HRvPiznTS%XtJ$x))dHUR;0A-wE+y_L`urVReyY z0Bx9?Rr0RuTG6$tV_{!g&*I)doR{sOHh1F+Lte|v9g<${px3r73&dubVY5!gG;o@3 zp_Jr(XC4o?x4oyUdsQ#-gRaVjHMoabMrfXn);P*?K9|XWE=Du`??Z?9>f#5K!)3KD z^mLas=|ey1L+^O%OW!i|+M*n8rN_9ZESICm6lod9O| ztE9cKK=&tMFr%?HzcVm-RfBz*ysF_Kk;$tXlUFq+uWC$Q)%Xv(sxgi!RBg9g-_JoB zi%>v@n)jwZbv{m4_%Z_>wNZr)kRC?YFiei>f}ncK8pt<}rD_Xxy(CP2RGp z=PeuNZ!wx{Hi1>E-0yftQkpK+iz0W>YEb!%&1|#Evo@cY(IrQ2e*4V;NXF|7EU10o zv#{z;!f>e><{kzl7Z6`{Nrxf`cPT*CMW_Qq1r!2v9zano00lx3e?l4*q)ZX;z-p$! z-!M+Tsk#MDR#wxz9Cd9qyyY9iqqj43w5@9E>s`6Jr@gapbx&8ItwGZz#mIoLwHrzv zA;ykC#~>u{`BbQ_i;O zJ4okld;E+oIm6Hvdv6f}piwd5ed`nXpFWkgMJC6oRUr zo80v~`U$3?dTy};+8iqt)o;rk&|+Qa=s!MMLK!o;AAy$G$Q`-SePFiHJPJ3e(#lo2 zQ&oKneRtUC_$cs`H@e@iH@bJnumu4?EV zH~HNEPfXtbpNOYiy53PIba&nq-)-;moBWJkWN()XSU7iehp^OQe<#5TRe>Sbt}f8& zNvqAr$>8-YH0Y+!)t37|4%eGPxAi>dB%ma|A#VlO$H4nXKw^EKJd)lF}A8ZFV{&g zG2HasPT#HqS-qAp5Z4Z4ww6=@1J;(0R2kD-|qZFo-vb0o|vY=wS zn&H0Bo{I86nuBs)$||Z3N83jQ`5%ubnmzKLe4dp56YxZ{k`Y?Dc134T@2(!o!mHD*)!T9FHUfR0R-U5G17~Su%=5*-{mN3|YvvBVfWVvM5xJXk)S|TaFa_5X{amEfQUAkjK%t` zS5ZlAG?hb8K$4OLMh=2?OQ4*$M}T3BqFf`;c%h%qnt0Zuq0mA)5(*3g0Ta>~%ptqDuZF7>bfLC1X4bg8{hwcu4dPJ`~fvD{{#SPRes+B zYC7Ukf6bJ;KVlbBGr%mw+(5B*Qb3SsJ`P-%KElX_3{MBuAYz{fNd+p-H#qMJFvGi{IfLtO~g+3`34>Ns}yPU$e{u|JYU>OZ5- zlY6Zmb6P(@z4-|I+w_VTOR%t&ikT1Anefh$*LA*b5@#5s)~!#022q8Gco_4dNbgw# zt$=rubkvwtP|XmEKvPB3SOTci12hL)SIhNE zs)E^{V~tLjwm<=;+wrKR)()-Zzg`vup{tbRjpt)BqtUTl2cRT+d1XA=fJzxaBc9W}EkHT7Ad4Uk0fM93G*$wX zL|q>p-z9)zX0nor`ijjAgIobfVV|~A%Pc^&frdc|le`W! zNbLeHJ5`BpQ3vs2j;JbNoq*zsqXTj@LmfMyLCI5mCF?NgQY6E^3Cyk+ahhG7Eu1=w z*E-12U_gB&YxRKES-d*rXkJnz5vFSaw=AH(lC^q3>nvV}K?)f^mw@vG$k)s^7#xVRE zhFV`h3xqz)_E%zIn3#tRw6Ed_{cC#x)x5^A(*A-?DdYN>fL0u#e{C_fqCa z$*;eXBZ-NTF^++b0$LBCB_}O@{RN-BjO#ND`gC3q)jUYV$w59ZkOd@bIbJE`p)Lt* zx7+7e+YM;RX{cX+e&?eT@YI!bS-z|C#xW0|K$LWlQDt$Q>30~Ue8P;SKm)=&g9hi| z5%3LL+~@_=&OTR0Gjae*gWmuWh6eC@wvZ>@D&qxc{btmeuP&fT7ob?q6Tv~YY&x$X zp1CZkb+>8P6;M~etf14ho`PaXc?f7>hu6@U;HW&*dIIWH;^B>Q1l13f016sJm6+)TqCEmfK)%MZ zJQM@!A8aphM(sdmmS3FHRm~O8kAzPH4OGWn>F43#K`>G4eK6lh9U3Wfl@NgVFW$0i znC9bX(8Mzp&?l;15PEz8HCw0vakYajGoxcW2zEwDtJKmk=#U6!<@F+_UM68!*tSs) zqpG3S3(zX`T;S(WMFNm-ghGM&nMTnmGNC{k%CBxHs2iYF=()5%D^;p#?Nl#K?O;MG=TAt zQT06KN(>1lw+;f)t?Hx3lLI#dQ0HCTD$Yk8-q_{^aB_=xoS$KkvaSh_(%k9tYpdL! z*F|oEo?(z`nbX`fO4@Y+YF-|$V8Hg7QR~|AI6ie)qdw6E%B|5hM-T#!frzyfAslLy zia~J4LnEVv(hI0Nsz4yu^#mV~GA4XoRJ0UB3tS^qd{>9JV*O&qNqc}SS+tY zz%!%uU=At(4G0)kC#dxTblv(f)FyxmIVcunsQX)Tz5SWyPE4Nt^ANDAg9g>endWG= zDXX8)ZaubXrQu+!I5u?DVwaS<*R+osj4Fl-Qifg_t(H{^s57js{}D*Ht`0~dBv(02 z8+NMOFGg^xo?NNUGin*mg12cTsh6SBgKi25ferBEEna-BfK}G^0?M+Jl~n-?X#oT) z`_xg=Nj#3CxmFpd7Wm@;^Dsz-!=q;5rGQp)!yYC}v6s1Dw_EPl4r$7uuJco8(se{k z4zdDbK-)+$fXht`nAE4f2lC=tT{7TGMS$yTcBt}3Vy@(`>zL6V8t!=_fE@;@d5fj` z&1fYxuv7&k*0FJwEUe?yQ0<=AR&5L@i*JuL^IjJ9ryMg{f$5dT5hH+VDi#+=$|~eK zdV|dpS!|#BC=K-kl+R@F2DidBiDA&j%1tn^^#jyUWvEx$yntb_$|^UZpt1`-qpj_n z(JD4+xWDB*iC5qZ8E2@(!QD`)>zu(GFjJ5btS7+rn^8JFm6du1D4WfRfRS}vFF-X_ zY^%KWu3|$pyUR;MtGN@J)C?bZ{}DinrVHHP}} z-MRrUl{a>us^l3$WXnR@d+P0L_ofU?Q2} z39M#25M*&P^nPjGo;uh8tvqMdv@#6ZyI04S!@Q~&tqf^aRqhQlK%Y>izUa zcV$Q!?XGav8Vdx~4z&)!HC%ua?~Bfj2GkYahg60^hpNmpi0G7b2n1QeJ5Zwg5(Xux zib4aQ)>od^VMg7wD=Cs8@p1>0`J#_{Gz`cWkcJsmhZfxejS#Mc0IhG-mu^YN&G9kR zE(KI8rvc*rmZ*b3%@|N25mTU^QT04k2nnp?^$deVeE~J3JX8xt5TwIkZ4N39z;Jm4 z)WUe{M#G?GEVWAk&G3?3(BZ0_4pB~(y=H} z2z4lua!>?(#(+A=@dHFW6$Al75sKvjvQW7q0U zK&!eM@?CwR)kzX_LbYbvc5^>ozb#B1w%*iTcm!a#fKGRS)1!G}w=klZb(yDQ1RhUP$hBwLyJ99Z6&~sPp*!=m4!VJ2C;~ zEh2RuwYiAbJXUigOd*%+km`k)7zEQ0h!PUi0U~SCMJEob0d&kxIR1c=;N2Q8K+o-$ zl^O%nDgYz}4CW*u7d*9Nf5wk=CB=aHfY)?140;I@0Osc?=*pNTSb8_YF;8Y-0_3iP zmoAz5_XVJIaI2{9n<@d6DaEzG$*PP7%(?n zcIN|_06_iO?k?oIbz7rVox^+(xNcSFFdqc2Th%$t2Z8HWbq=#Tb6w(s-Kh*z#n6U9 zn^I(PSfMf?=_`339;y45i&<~3X z$P}!LSbwfhS`>^HnMu3bo0^Z4a{pxflUFII(T{GMbQtn9t4Ngvbs?C2DpGg%(l- z&_fqmpKd0)_Cftz>kig^F!An^}Y~Ye2$OVzC zw-hBN&c->Rs}x;RgE^=}B7!hgW+c4+)x0~;ye>hK8VF0KpfM4+^BS*9$QE2W%ob!` zH-|v`je6FAgi6v4ITwbi;F;ol^7th2;=+>};($+5pd=tRtarW(Td9mlVYzdeHDeF$lnXjTBT;5VAa}G< zT7n+UNs0p*);JMUhIk^9B+*V`XG@PTyvFz<5#$t99?uIZXqe21 z@m?q(L(NN@=nM_!R2lk&>&D87DAF0HHJDnWf-vbe<{4VpB9K8<@5gws;<7POM_DjC z@^@rlvj%T+Qitpz!r!oJk*Q>t7RZ22e0!pbLcLVE^3Hi+v~mX_IwmwQI=ihylkJHp z2}Xof6!<)p+j#^d07kP>Fcd~PUWeks0v66FoCM*PczpT7@JKWi>QaE|T)_~5AW(_7 z0kTI=rxO}9gdx53;SKnVwKs-GzaZ=q!uo=!DiEZLW(pz-WKh(52MMoG4W^uu^+fM< znORJ6BgP<>oNz!=i4zMMKU>8lyOo{vh;DRcmB$KHMrS03fFro3Q#htP6qgExx-tYY zBDvu*$kS~J(}Er3T{bX1p)qnR&7=$g>LhHmO$ZMBn~TDVdY__$VPm(~2YwqBW98OG zXjM){kkzbpWr(7rWMdfhgIK|0Q|Ox_!o`@VveYL^dWsE28elU@t`ed8O;GS6tc8rJ zIiYr94#;d!3oU!-n2~W8HN;{T%7cs!QI2j<6amsL<~mc?wh7OcCt1nBA_dD5QpQe4=u&{Hi=`p{S$*Q|QUv(|GU&7m^hzeN zL)kk>Gn-I~k~teQR1CeSsgh!FG(>t-OaY|QCfW8BZ!`;e(~e_JNo7{;fzw6JuA~kw zUW_^MxbRgA$t;N*?Y#mu1_hNLGiwEu3F-mEst^Pp6@(mNH98cbg6rcwke$2DM{o2E z(r<&otSl@hG+Bf+Yc8)tkcy&QDuVwx#mrY2rHLg{Y;i58IxcO65}c}8#uY*pOp7jY zip7e-I$O84mz>LgmBsA0YAYfkThKrP&d*QGo7-sKHpVSuje}_+66p&HWP3=b$!-Tj zC#bSaKNDu@SULUkkmGNy<^ML>+_!#6np}v&sp=OPa_cR3J6?v5WBdPiI<81O}ljyR|1#1xWR4 z&upt-Q3p%1fY~B8f>k4|B~Z~uI14qVkZmJ5A4@~_%370FHXoZ?*jtn&WfBe*+~+98 zfXKlA51AuRL~E?jRBZ*{V%CX`m`+q0gKyb@?pyA zLJo7NV>5s`0oi!q?LS7};`Yu6Xj|JGAtTO9iiGv6Xvoxr*4bGg*EdYJiLVhL8m5Es zDgr39f~l*NF-gdq$|Gu-NqAX@yvVc;GH^)&5;F~xsm}0{OenRe2;^UbSHyIYS%8T) zCdn7#t;VE+~i z0_%9QBw_J#Axm}wyn)9cLz>(c&%5Ies5^`e-Zo*&sMD!;8CO&bTpDI2rIAuE=4e52cdQ$4(NJiSsyhcekchT`&*Ohu zDe)1T1KENb1zo|?+zpRsGu=TAP90DwI<8^amnO{w^7b|w;w`TLotW?AWx0=r1!Nm7 ztEr^tTpS}%Fsy5tj*^z`E37~xnuZ1+bz|F&#|1+tg(U?OCpsyd#6OTqPqj}9Cr=7H z;5sQhGQv)@)?y*##s@=k1QMYZK=vb=4h0FB$cXsO zqARG-0_rc%c$yu>ixi?5v{aKURG?1mMy^0ZLF!eM3Ljd?aUD>T`J%l8Rttt!AX#L2 zr!y2=FLcp$umf)aV%5+Xgiryc(#N!?DI!?cLD&yii4iFAa^Q(ipCvY!6bgknVnXmV zP}+@kh|kVnT&IO5HzNK|yi#<2^mU$!FnTsM3Ms3oI%M8bWJ3I1u2|>va;4!jZiW*b zg6@^Qs}}ck_V%sr?d*xzKRXsWess6>_O4yo)8Tm4wW4cP$HKn0p2fYTZ`Zah>*(qs zIPYHE(YC5B3fh<@O^112Qt-0&A37cr^MMge8+g#9M%k$0P7!z#eGOA|b zvDi^Do)^8KSV1;vUP#Y%4{E=neitkrC)D#2qSh{VE+T3_WC=#wO>H9;1#O@o7C{;+ zFe4eXl7zhO2FNxy;n6V7(7rj7hIpy#ykL+k@I+c6yv*@_h%f^TjH)YMxA*=d*L7 z@n}543~ZW;kd&qejh4%VLmBs@-%?6g2oXtZ$_&V++)&`4S=qirNYG{QS#tzb&a<;5 z|C41iu|7*Xg&S~&*9F9&7zGP?ME!LlK@DKd3G;_E)#DtsS@XEAWPluR9>!n>n0A~X z5fS0%w`KAy<`8E+)XmO&k#a#b#mPx^Jlg7C#=XPnkn{yH3}#Hr5@`MF_+>R?^}IC# z+|8y>2dlNL&WkV<>M~{`pg=4ic)duJH+F(R&yiT{M$5R({N$J`IsU{epg>zAha|)~ zi|%yT?KjMk@Qk_Ktt5qd59quis(HESkb+iUQP2bPknBc-#>M>m80ScpZt$4J+$lvY zFGS}yl_X-MaJcrfRIf?%C}%qRnZP={{7fxfQZjO3qnKv%5a^z{&gA#UFSA6$dRHaC z@h(``)7ibOtG#Vi*UA-kJ=2Ad>TgbE9Tn2ZkPP$8N|Sj3=EzAD0)4(?=%YGnpMOt% zHa{`(o+ez`Hr^Y0fyG5+dWg#nQBkpqM+k5(=3t@F5{ywsObGBmR@MH3X8CKX=?z%_ z!Fz9Fu#yY}vLqyK1FvbQF=BDVhJgfAu=^!N1PvY5#5{G$j!aq%;SkwqcUjLEaoz4TAmz2DUooxB|1OE zXU(!58HwAZ<^L&KYB!-*yg$OyoB4m53&%EC%97HLl3<-VBZGs3PBWFNXJdR?Ef_Hc z4x(6M-uyW+TQRSqa3j_2E7r(B-Y8)8)6k`j)pX&m&}iwxfF<6<1q^a(Gmru)>Ub1i{MX9w#$DT9eWeJ`rZ;bmU@ui+c+ zIH#|Fx)9>~?|%?`d*rcM+b4xA7n#`Gb9BYGaQge47n*%%!bBK{(jEvnAlMY1XY`;w zNorlF7y-|!U3UgV?X%Jjjc?_I1s1aQiQhv}M8okyPW%zXb@f{nabO zMb8v%D?Y`je3lZcVtabn4Wd&twHBwPG!qvawXVxF%WPQfX7=`)ld1G~e}QS;yaM+2 z93g%g{!9Ecz8Rm5L>1=29+^4X2biWud<>9dB7b>wd^0|UPj8eGxsoT~RH+>Mw>v@4!RuN}UT+^h*SKQp{1M5Qj71Su3?RvH{4sL;=fS#+gnj z*c7qx6X9oBp8C_dc4)xLerbC&{DPgcDtj&6MMdRwk>@fg`%Ox5hP*O}x zOt46NNJsCDDYQlr3bK{PVU-r6N()h_HHV{7Q+PWZc;9*hH-GU`>EhHY0I+EDO^VW4 zIHhKiG?3n}BuDzioLgv#>mb0jLd5c7YAAtj6(Ts8fX$^nDAwlEEKf6;N6VVo;?^KZ z^C5TauLy%Z<}!nfK5%9x1;_OvNUT$FQ}e+bn!!=*4&3E}YECh;9eK#Ks= zsuM#eq&O>=z~gh8Dv#65$@VYCXJ;2bzdJs^y!oeY`}-wdkb^2*J1Ge%8gLCN0e2Gl z$$L|lRn{#t1PWDiN;j~lX;t7PpB*BNN-bJ z%SP@w=+i{D30RP*o%Wnlwl08>0Bi;^9IVze$PV9Ac(;fmx)5S6qYO~OF{g;}bRzLE zRJAVHMUQAeSNsUvJ051l1Urr^ZV~Eod5dBT3M{##m_U#l8rScloL{?Q&x3ZXd+64+ zWmPnqGt03>`>w)uP1-e$Hmw&-3iq`XqRD{TYnn#i4!nPO|F{*C+)pTd-t7=etaFJD z8T^2JK8jLiz|IO+T%gR(8XC$OiQ2E7+w0@2x2La;F-z4gNd-EHbLaNr?5HAPyK3)N z8X|)erl`q=^keA<%9OPS?1jSp@bA|bH^VKU7?&s=6HbMl*GKUZkqTwwE*Sx5DmrGeN{f{K9` zY_l4mxHX3a8})W~mE}$TCa1y;O99h~=a=gL0z}U!oz0NFFb{P&%aPI5>rJ01`oJe4 z7!D$+e%oVZjbDlnQmwzKJwn|`eUa2*=SGD)7v^FV?wd+Edo;co|2V$pH$RAe8E1Wv zP!^e|kvv9|bG}GwvCGCDq2S**D>**K*Nc#?M%9`u>`~C6w{mN+fsT@qQY0kwSK_&d zGGrJ_cCI0zQ}d6A;3E8;LK<~m@M*+6>dt5qb3Num2-w-NE8ArEc#4z zDzr}LGWIJ2BT_D9!LT&ocVS+XCJjaEY4GHTN^b)ywL91MT@mDIRzYIn_63=JiPACV|3Vn6eqcIJQ6v*rHh@XLphfld4W+rvR^ z{|^rb&!6`Hmw2{}`Tf*D->FSz+QWT;JC=m@xbj68rDG9$7nU#Q%Sxr`r`L6fVWCoSdV+GAnnx;u5u% zJ#^Aq8&Y5YxX0PVFj0pQg4?TXS4QlJtRlCfg~Z%-WUn+Lre ztnLYLx?PUw8acucct+xnKb@`+b`v8JFV(+a`?0KQ7)_3_R0!9o{CByexB4sgR(Tcq zMFGuT8^6)jXr-^UQag9MBA0g~@zKeYV9eMQ3^~_B(-(-8U474jUm=GhcJMXFVjx5HY#e>?m&G#?-c=c*L|BMtkzdN9eAW{(DkKH? zrQ(@+W5hFRPGg}x9%oU=+?_4LK=!eNqTkJO>1GScMM!1X6086X>PVPfQBN0DwgjEt zDiMC3`%5^|>MOxxY_NZ;%Kj1i$-=&wy%rK0nFPBW{qL zO@xPNhPA?BkQ7YAAw!N3wICv1Y#m3Hvd@ zo)wPbMO21aBwgJP9l_nIV;CfnhRZZ)j_i{sMj^)Kdw{V27Hrk`EbsA=7!C$Q$HFC+ zR1lNdeM~8xKONwzoGtn;XN>T)dcvbpW zktRKn-re=smGhmSWzkaqBFz}ueAB5PwJ;j1yam7WUi9-tQiicqse3;75xESWym{sR zJU(;Jj^7@i0oW_D$YO6lDVKpNfyAvf&RY@4JM`Ew}xH%pH z-%*8y{a~Zl5n^?gS#0CVaJA)|dIg|YmBIX@o88?aVsEWG3c*w~!1mS!q95X6V6=j? zK*Y;;Mj3CkDsc+X8(c_@t@iOb0XSEc*4%Yj-|3cfi4mQyT97Vk67!;T^F?B0Apwej zYrnE-*8tW_`s;y<6t@{;HChEKD~S!N0ml(kRz-9`jno@>b&gcQ@_~kTq^+)Jr-q(Z z#pgO*m|g|sPhliYmi1NLyY_S7m1rBP%TzaOF{+ZEG%%`Mus;Kk07D}7dR)W4gO`9fo>^Z7cM?Y1?kWwt2WE!TJl0V|;+S@f%jfCd&fdCM1g zXL{`@#AC3IJu8`U1AW@+)xhJpPzT>+Q3^N*u;M%AE~PF9sC~5oC423dU|X(@kO!&Q z(OTvzW0_l~?nJs|EOYPjG)5y-;i9q3E$4oM6q}7@MneEm9hJvMzS-tNq-+@eqMXa5 zRHy68<%v9SLU&;rt_)5kD~^;WJ3CL+YHeJ6hJVDmg(tGv-zL7jO2ofiR1cC%oFCEu zWxgm%ET5-Esf)1^meeZ5OYJ`uFAMbj8h*F$4PU(U2Hv2*e<lk%D1Aqbd&PVt{>|!T(fvz*5+?m(t_tLIo{G*< zTIE0WI@T#uJ5LtOw%HEcwFJg>3~~Vqf%=!tOx31v3*4?;S{6#`D5}jhv142HDRzK@ z`sA|2QfJYg#do&`AIv!>n)0I*^^^ucBF$GoSO=Y1M}%A7dLI~fpcHg(oz6>=NEuMr zx6I=Z)fThdpGs69Zl$T1rpZ)hWzh%dfh-sOETupCUDaxsCT@BM!gxVz(s*$K{au>( z2ad$SpiYdHglun8E*+5^b(t1GFU;!YG6UI|uHRzW>huz&>Z$rQ60g%lqM0TyN0@ra zvF!~gB&LD9O!JZjdBsParGD_EANk3YV_06RdL{_Pma2D+O#ZlVtE^(GtlxzeU4RDw zu5|7S!VyD%$qqJtvNUt~Rynr{4n~aeE=mKloA9@8+^7^Ke?a+{|5?Bj^fprRr)Q z!8Jm9g;7srsd2?{;L(3@q_;|4&4i0=XB1>;>~_WJol>{-ETbgpA^vI>{lN8EJ>GFU zZJ%^HDtJ~a(SjxLj8k$YE5a0GaHuUfE=k$5WB5+(!s_F0l0_8tM3OeTLZ!F}aTEe- z_r!FbrbYd}2HmU7Jt1~x**>guOcRMo82ua;KDBc4cgi3s{y*hpD*fquwBs1*blQ}9 zz#vq5_SjGSnG9Oc50nRUUb0TxK>p?1S6XAQ6!p4AzJgY#ydrP7NxDdaPo@GoSZV_i z;8m&AA2S{A%iPTr*%3k~F>00X4LHm! zPPJTNn09J`rYsFh2m`-2wJ=N%$fr??%eNH&sC0OWDrv}y#f0GMbP$Z1alhksfP~_% zKTiY6CJ$F!Nk8~G4@-HG;I=Qq-{nZWJPBJUE-X*`8qHdcOL5I8UIJx^>%-G5ynUCAD8ky@Sf$Jw_=&F*( z?We@lbJ&Z4KX)Qa-{mABj<8~b`P5h7@K598k@)3bj^HU!wHsVRmIh~LjVukuZLCFg z>u1XXd21M^wc`eA^XLsKVHH5zHP+S)wa{Fq*A)D0ty0`)PmAs-;Mp}FU~_OnPv<4 zIfxy{N`lKVGkw<9jJ?&V&tJr8Ksj;I?&;Be@61W!Cq0T&uv6=D z0yJvP%C1|P7gdI7I>@U#wR6kh6BZ&umXExRx?Pbb3V z^i@Z$?!=`|`d#B=EZKEbWxN8u)vbseyN_h#FHNF8#le96toXvG8=4H5n&RQ^YDyq+^*m_DwSo7-zK68o{Z(@~eewZo_<*&#M?C`6 zO$R9@+O@fqwJgWFXVfFW^gxPLNw{`e+q19 zI}8(jL0fyyb@VZ=cn5Mpoy%N0I8DdNJu-A(E&gN6_#cl_WO%<8Y4Xv1Y>59md~sNh z{}~?a51!(GzQpr~BSh!_(d>3cqQhbW%(KgLp60VY{j=NYL3Lmipf05*rZP%OSBA3a zjKm+fYdTGLG5yYHr9jtsY=z3hGQt;Q?ebQ=yi4=AV{H6Cd-blAVe+H8(jRT^s8R~I z^yC+ur!U zb?~TbdG{s>OKA5b?C6(&I_BRBf0_r~277wcS8V?hSNd~ZiE{7YX$Mu;h{dh5yK$=Y z*DI#02K2hN@EwWFjq>#iVBNfKo?9E4=LmqfqH#4VS_@&Y>NT#0{lVeO6&2KyI5(Dr zs1|~*J4 ztG2)-O(W?iD@Ycre2k7)lB)_2J%d)7F59a>04Z-)Cutf4(yHk;wxX8vFbHJQ+`qsv zhCCIdUb5dK!vvk07d0pZe#E3VLaaXJym`n3u0l+GVlhfb-@;SFZk;+mN(9=bLx!~= tUm9T*RavQ{*<$6}BXZ#XKc8|cJv~p))ARVx{{;X5|NoI_N0R^o3INo-i;DmN literal 0 HcmV?d00001 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh index b7e77bc..d6767a7 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/helminstall.sh @@ -3,8 +3,7 @@ if [[ -z "$1" ]] then echo "Skipping creation of persistent volume examples. Ensure there is available PVs 200Gi per node for HA." -else - oc create -f pv-examples/ +else oc new-project jfrog-artifactory oc create serviceaccount svcaccount -n jfrog-artifactory oc adm policy add-scc-to-user privileged system:serviceaccount:jfrog-artifactory:svcaccount @@ -25,6 +24,5 @@ fi # install via helm helm install artifactory-ha . \ - --set nginx.tlsSecretName=tls-ingress \ - --set artifactory-ha.artifactory.node.replicaCount=1 \ + --set artifactory-ha.nginx.tlsSecretName=tls-ingress \ --set artifactory-ha.artifactory.license.secret=artifactory-license,artifactory-ha.artifactory.license.dataKey=artifactory.cluster.license diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0001-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0001-large.yaml deleted file mode 100644 index 8a36385..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0001-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0001-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0001-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0002-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0002-large.yaml deleted file mode 100644 index b96fa47..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0002-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0002-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0002-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0003-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0003-large.yaml deleted file mode 100644 index 476ad41..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0003-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0003-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0003-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0004-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0004-large.yaml deleted file mode 100644 index ae2fbda..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0004-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0004-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0004-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0005-large.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0005-large.yaml deleted file mode 100644 index 9488514..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/pv-examples/pv0005-large.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: PersistentVolume -apiVersion: v1 -metadata: - name: pv0005-large -spec: - capacity: - storage: 200Gi - hostPath: - path: /mnt/pv-data/pv0005-large - accessModes: - - ReadWriteOnce - - ReadWriteMany - - ReadOnlyMany - persistentVolumeReclaimPolicy: Recycle - volumeMode: Filesystem diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock index 97b3164..c9f98b1 100644 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock @@ -1,6 +1,6 @@ dependencies: - name: artifactory-ha repository: https://charts.jfrog.io/ - version: 2.0.25 -digest: sha256:1de97dca862a0b7e74fc937fbeff231119071a00cea8e42f92adb87c59fa554c -generated: "2020-03-09T12:41:44.126599-07:00" + version: 2.0.31 +digest: sha256:d7c2af74a0188ca8df2a97158c83b36f85dfae72c1b60ce4540a4e00da2d9a6f +generated: "2020-03-19T17:29:04.445679-07:00" diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml index 1b41f8c..8ce3183 100644 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: artifactory-ha - version: 2.0.25 + version: 2.0.31 repository: https://charts.jfrog.io/ diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml index 1991513..82edc7e 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/values.yaml @@ -2,11 +2,14 @@ # Requires one custom init container # to resolve the user id perm issue with redhat artifactory-ha: + initContainerImage: registry.redhat.io/ubi8-minimal + waitForDatabase: false artifactory: ## Add custom init containers execution before predefined init containers customInitContainersBegin: | - name: "redhat-custom-setup" - image: "{{ .Values.initContainerImage }}" + #image: "{{ .Values.initContainerImage }}" + image: {{ index .Values "initContainerImage" }} imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" command: - 'sh' @@ -17,4 +20,68 @@ artifactory-ha: volumeMounts: - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" name: volume - ## Add custom init containers + ## Change to use RH UBI images + image: + repository: "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro" + node: + waitForPrimaryStartup: + enabled: false + nginx: + image: + repository: "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro" + http: + externalPort: 80 + internalPort: 8080 + https: + externalPort: 443 + internalPort: 8443 + mainConf: | + # Main Nginx configuration file + worker_processes 4; + error_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 32k; + proxy_buffers 40 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + log_format timing 'ip = $remote_addr ' + 'user = \"$remote_user\" ' + 'local_time = \"$time_local\" ' + 'host = $host ' + 'request = \"$request\" ' + 'status = $status ' + 'bytes = $body_bytes_sent ' + 'upstream = \"$upstream_addr\" ' + 'upstream_time = $upstream_response_time ' + 'request_time = $request_time ' + 'referer = \"$http_referer\" ' + 'UA = \"$http_user_agent\"'; + access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; + sendfile on; + #tcp_nopush on; + keepalive_timeout 65; + #gzip on; + include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf; + } diff --git a/Openshift4/artifactory-ha-operator/unload.sh b/Openshift4/artifactory-ha-operator/unload.sh index 343f2a4..37dab14 100755 --- a/Openshift4/artifactory-ha-operator/unload.sh +++ b/Openshift4/artifactory-ha-operator/unload.sh @@ -8,3 +8,9 @@ oc delete pods --all oc delete svc --all oc delete networkpolicies --all oc delete pvc --all +oc delete PodDisruptionBudget --all +for s in $(oc get secrets | grep artifactory | cut -f1 -d ' '); do + oc delete secret $s +done +oc delete serviceaccount artifactoryha-artifactory-ha +oc delete role artifactoryha-artifactory-ha From 800324820d7e39b0f44586f635788eb6af0cc58e Mon Sep 17 00:00:00 2001 From: John Peterson Date: Fri, 20 Mar 2020 09:10:37 -0700 Subject: [PATCH 12/28] updating to artifactory-ha subchart to version 2.0.34 --- .../helm-charts/openshift-artifactory-ha/Chart.yaml | 2 +- .../helm-charts/openshift-artifactory-ha/requirements.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml index f6c3215..abc3f9f 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml @@ -21,4 +21,4 @@ name: openshift-artifactory-ha sources: - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view - https://github.com/jfrog/charts -version: 2.0.31 +version: 2.0.34 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml index 8ce3183..ab5e3d8 100644 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml +++ b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: artifactory-ha - version: 2.0.31 + version: 2.0.34 repository: https://charts.jfrog.io/ From 6e38a2df5e87ec250f632aea3db005e32e57e6e1 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Fri, 27 Mar 2020 14:58:31 -0700 Subject: [PATCH 13/28] updates to openshift v4.3.5 to artifactory-ha v7.3.2 --- Openshift4/.gitignore | 1 + .../artifactory-ha-operator/build/Dockerfile | 2 +- ...operator.v1.0.0.clusterserviceversion.yaml | 281 +++++ .../openshiftartifactoryha-operator.crd.yaml | 23 + ...enshiftartifactoryha-operator.package.yaml | 4 + .../deploy/catalogsourceconfig.yaml | 8 + ...io_v1alpha1_openshiftartifactoryha_cr.yaml | 1080 ++--------------- .../deploy/imagestream-nginx.yaml | 6 - .../deploy/imagestream-operator.yaml | 6 - .../deploy/imagestream-pro.yaml | 6 - ...operator.v1.0.0.clusterserviceversion.yaml | 757 +++--------- .../deploy/operator.yaml | 16 +- .../deploy/operatorgroup.yaml | 2 +- .../deploy/project.yaml | 2 +- .../artifactory-ha-operator/deploy/role.yaml | 69 +- .../deploy/securitycontextconstraints.yaml | 15 - .../deploy/subscription.yaml | 10 + .../helm-charts/README.md | 2 + .../charts/artifactory-ha-2.0.31.tgz | Bin 126568 -> 0 bytes .../openshift-artifactory-ha/hostpathscc.yaml | 18 - .../requirements.lock | 6 - Openshift4/artifactory-ha-operator/setup.sh | 25 - Openshift4/artifactory-ha-operator/unload.sh | 16 - .../artifactory-ha-operator/watches.yaml | 8 + .../openshift-artifactory-ha/CHANGELOG.md | 0 .../openshift-artifactory-ha/Chart.yaml | 4 +- .../openshift-artifactory-ha/LICENSE | 0 .../charts/artifactory-ha-2.1.3.tgz | Bin 0 -> 130327 bytes .../openshift-artifactory-ha/helminstall.sh | 0 .../hostpathscc.yaml | 0 .../requirements.lock | 6 + .../requirements.yaml | 2 +- .../openshift-artifactory-ha/scc.yaml | 0 .../openshift-artifactory-ha/values.yaml | 16 + 34 files changed, 644 insertions(+), 1747 deletions(-) create mode 100644 Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml create mode 100644 Openshift4/artifactory-ha-operator/bundle/openshiftartifactoryha-operator.crd.yaml create mode 100644 Openshift4/artifactory-ha-operator/bundle/openshiftartifactoryha-operator.package.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/catalogsourceconfig.yaml delete mode 100644 Openshift4/artifactory-ha-operator/deploy/imagestream-nginx.yaml delete mode 100644 Openshift4/artifactory-ha-operator/deploy/imagestream-operator.yaml delete mode 100644 Openshift4/artifactory-ha-operator/deploy/imagestream-pro.yaml delete mode 100644 Openshift4/artifactory-ha-operator/deploy/securitycontextconstraints.yaml create mode 100644 Openshift4/artifactory-ha-operator/deploy/subscription.yaml create mode 100644 Openshift4/artifactory-ha-operator/helm-charts/README.md delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.31.tgz delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/hostpathscc.yaml delete mode 100644 Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock delete mode 100755 Openshift4/artifactory-ha-operator/setup.sh delete mode 100755 Openshift4/artifactory-ha-operator/unload.sh rename Openshift4/{artifactory-ha-operator/helm-charts => }/openshift-artifactory-ha/CHANGELOG.md (100%) rename Openshift4/{artifactory-ha-operator/helm-charts => }/openshift-artifactory-ha/Chart.yaml (94%) rename Openshift4/{artifactory-ha-operator/helm-charts => }/openshift-artifactory-ha/LICENSE (100%) create mode 100644 Openshift4/openshift-artifactory-ha/charts/artifactory-ha-2.1.3.tgz rename Openshift4/{artifactory-ha-operator/helm-charts => }/openshift-artifactory-ha/helminstall.sh (100%) rename Openshift4/{artifactory-ha-operator/deploy => openshift-artifactory-ha}/hostpathscc.yaml (100%) create mode 100644 Openshift4/openshift-artifactory-ha/requirements.lock rename Openshift4/{artifactory-ha-operator/helm-charts => }/openshift-artifactory-ha/requirements.yaml (80%) rename Openshift4/{artifactory-ha-operator/helm-charts => }/openshift-artifactory-ha/scc.yaml (100%) rename Openshift4/{artifactory-ha-operator/helm-charts => }/openshift-artifactory-ha/values.yaml (78%) diff --git a/Openshift4/.gitignore b/Openshift4/.gitignore index 29f94fa..bc88a61 100644 --- a/Openshift4/.gitignore +++ b/Openshift4/.gitignore @@ -1,3 +1,4 @@ artifactory.cluster.license jfrog.team.crt jfrog.team.key +artifactory-ha-operator/helm-charts/openshift-artifactory-ha diff --git a/Openshift4/artifactory-ha-operator/build/Dockerfile b/Openshift4/artifactory-ha-operator/build/Dockerfile index 6fcc547..f871c9f 100644 --- a/Openshift4/artifactory-ha-operator/build/Dockerfile +++ b/Openshift4/artifactory-ha-operator/build/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/operator-framework/helm-operator:v0.14.1 +FROM quay.io/operator-framework/helm-operator:v0.16.0 COPY watches.yaml ${HOME}/watches.yaml COPY helm-charts/ ${HOME}/helm-charts/ diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml new file mode 100644 index 0000000..befdf1a --- /dev/null +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -0,0 +1,281 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "charts.helm.k8s.io/v1alpha1", + "kind": "OpenshiftArtifactoryHa", + "metadata": { + "name": "osartifactoryha" + }, + "spec": { + "artifactory-ha": { + "artifactory": { + "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n #image: \"{{ .Values.initContainerImage }}\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", + "image": { + "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro" + }, + "node": { + "waitForPrimaryStartup": { + "enabled": false + } + } + }, + "database": { + "driver": "OVERRIDE", + "password": "OVERRIDE", + "type": "OVERRIDE", + "url": "OVERRIDE", + "user": "OVERRIDE" + }, + "initContainerImage": "registry.redhat.io/ubi8-minimal", + "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default 'derby' .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/{{ default 'openshift' .Values.installer.platform }}\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", + "nginx": { + "http": { + "externalPort": 80, + "internalPort": 8080 + }, + "https": { + "externalPort": 443, + "internalPort": 8443 + }, + "image": { + "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro" + }, + "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n" + }, + "postgresql": { + "enabled": false + }, + "waitForDatabase": false + } + } + } + ] + capabilities: Basic Install + categories: "Developer Tools,Integration & Delivery" + description: "Artifactory HA deploys Artifactory in a high availability environment across multiple pods" + containerImage: quay.io/jfrog/artifactory-ha-operator + createdAt: 2020-03-25T00:00:00Z + support: JFrog + certified: "true" + repository: https://github.com/jfrog/JFrog-Cloud-Installers/tree/openshift4/Openshift4 + name: artifactory-ha-operator.v1.0.0 + namespace: jfrog-artifactory +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: Represents Artifactory HA Instances + displayName: Artifactory HA + kind: OpenshiftArtifactoryHa + name: openshiftartifactoryhas.charts.helm.k8s.io + resources: + - kind: Deployment + version: v1 + - kind: Service + version: v1 + - kind: ReplicaSet + version: v1 + - kind: Pod + version: v1 + - kind: Secret + version: v1 + - kind: ConfigMap + version: v1 + - kind: StatefulSet + version: apps/v1 + version: v1alpha1 + description: Openshift 4 Operator to deploy JFrog Artifactory Enterprise + displayName: JFrog Artifactory Enterprise Operator + provider: + name: JFrog LTD + links: + - name: JFrog + url: https://www.jfrog.com + - name: JFrog Artifact Repository + url: https://jfrog.com/artifactory/ + - name: Artifactory Video + url: https://www.youtube.com/watch?v=r2_A5CPo43U + icon: + - base64data: iVBORw0KGgoAAAANSUhEUgAAAMkAAADCCAYAAADjAebGAAAKN2lDQ1BzUkdCIElFQzYxOTY2LTIuMQAAeJydlndUU9kWh8+9N71QkhCKlNBraFICSA29SJEuKjEJEErAkAAiNkRUcERRkaYIMijggKNDkbEiioUBUbHrBBlE1HFwFBuWSWStGd+8ee/Nm98f935rn73P3Wfvfda6AJD8gwXCTFgJgAyhWBTh58WIjYtnYAcBDPAAA2wA4HCzs0IW+EYCmQJ82IxsmRP4F726DiD5+yrTP4zBAP+flLlZIjEAUJiM5/L42VwZF8k4PVecJbdPyZi2NE3OMErOIlmCMlaTc/IsW3z2mWUPOfMyhDwZy3PO4mXw5Nwn4405Er6MkWAZF+cI+LkyviZjg3RJhkDGb+SxGXxONgAoktwu5nNTZGwtY5IoMoIt43kA4EjJX/DSL1jMzxPLD8XOzFouEiSniBkmXFOGjZMTi+HPz03ni8XMMA43jSPiMdiZGVkc4XIAZs/8WRR5bRmyIjvYODk4MG0tbb4o1H9d/JuS93aWXoR/7hlEH/jD9ld+mQ0AsKZltdn6h21pFQBd6wFQu/2HzWAvAIqyvnUOfXEeunxeUsTiLGcrq9zcXEsBn2spL+jv+p8Of0NffM9Svt3v5WF485M4knQxQ143bmZ6pkTEyM7icPkM5p+H+B8H/nUeFhH8JL6IL5RFRMumTCBMlrVbyBOIBZlChkD4n5r4D8P+pNm5lona+BHQllgCpSEaQH4eACgqESAJe2Qr0O99C8ZHA/nNi9GZmJ37z4L+fVe4TP7IFiR/jmNHRDK4ElHO7Jr8WgI0IABFQAPqQBvoAxPABLbAEbgAD+ADAkEoiARxYDHgghSQAUQgFxSAtaAYlIKtYCeoBnWgETSDNnAYdIFj4DQ4By6By2AE3AFSMA6egCnwCsxAEISFyBAVUod0IEPIHLKFWJAb5AMFQxFQHJQIJUNCSAIVQOugUqgcqobqoWboW+godBq6AA1Dt6BRaBL6FXoHIzAJpsFasBFsBbNgTzgIjoQXwcnwMjgfLoK3wJVwA3wQ7oRPw5fgEVgKP4GnEYAQETqiizARFsJGQpF4JAkRIauQEqQCaUDakB6kH7mKSJGnyFsUBkVFMVBMlAvKHxWF4qKWoVahNqOqUQdQnag+1FXUKGoK9RFNRmuizdHO6AB0LDoZnYsuRlegm9Ad6LPoEfQ4+hUGg6FjjDGOGH9MHCYVswKzGbMb0445hRnGjGGmsVisOtYc64oNxXKwYmwxtgp7EHsSewU7jn2DI+J0cLY4X1w8TogrxFXgWnAncFdwE7gZvBLeEO+MD8Xz8MvxZfhGfA9+CD+OnyEoE4wJroRIQiphLaGS0EY4S7hLeEEkEvWITsRwooC4hlhJPEQ8TxwlviVRSGYkNimBJCFtIe0nnSLdIr0gk8lGZA9yPFlM3kJuJp8h3ye/UaAqWCoEKPAUVivUKHQqXFF4pohXNFT0VFysmK9YoXhEcUjxqRJeyUiJrcRRWqVUo3RU6YbStDJV2UY5VDlDebNyi/IF5UcULMWI4kPhUYoo+yhnKGNUhKpPZVO51HXURupZ6jgNQzOmBdBSaaW0b2iDtCkVioqdSrRKnkqNynEVKR2hG9ED6On0Mvph+nX6O1UtVU9Vvuom1TbVK6qv1eaoeajx1UrU2tVG1N6pM9R91NPUt6l3qd/TQGmYaYRr5Grs0Tir8XQObY7LHO6ckjmH59zWhDXNNCM0V2ju0xzQnNbS1vLTytKq0jqj9VSbru2hnaq9Q/uE9qQOVcdNR6CzQ+ekzmOGCsOTkc6oZPQxpnQ1df11Jbr1uoO6M3rGelF6hXrtevf0Cfos/ST9Hfq9+lMGOgYhBgUGrQa3DfGGLMMUw12G/YavjYyNYow2GHUZPTJWMw4wzjduNb5rQjZxN1lm0mByzRRjyjJNM91tetkMNrM3SzGrMRsyh80dzAXmu82HLdAWThZCiwaLG0wS05OZw2xljlrSLYMtCy27LJ9ZGVjFW22z6rf6aG1vnW7daH3HhmITaFNo02Pzq62ZLde2xvbaXPJc37mr53bPfW5nbse322N3055qH2K/wb7X/oODo4PIoc1h0tHAMdGx1vEGi8YKY21mnXdCO3k5rXY65vTW2cFZ7HzY+RcXpkuaS4vLo3nG8/jzGueNueq5clzrXaVuDLdEt71uUnddd457g/sDD30PnkeTx4SnqWeq50HPZ17WXiKvDq/XbGf2SvYpb8Tbz7vEe9CH4hPlU+1z31fPN9m31XfKz95vhd8pf7R/kP82/xsBWgHcgOaAqUDHwJWBfUGkoAVB1UEPgs2CRcE9IXBIYMj2kLvzDecL53eFgtCA0O2h98KMw5aFfR+OCQ8Lrwl/GGETURDRv4C6YMmClgWvIr0iyyLvRJlESaJ6oxWjE6Kbo1/HeMeUx0hjrWJXxl6K04gTxHXHY+Oj45vipxf6LNy5cDzBPqE44foi40V5iy4s1licvvj4EsUlnCVHEtGJMYktie85oZwGzvTSgKW1S6e4bO4u7hOeB28Hb5Lvyi/nTyS5JpUnPUp2Td6ePJninlKR8lTAFlQLnqf6p9alvk4LTduf9ik9Jr09A5eRmHFUSBGmCfsytTPzMoezzLOKs6TLnJftXDYlChI1ZUPZi7K7xTTZz9SAxESyXjKa45ZTk/MmNzr3SJ5ynjBvYLnZ8k3LJ/J9879egVrBXdFboFuwtmB0pefK+lXQqqWrelfrry5aPb7Gb82BtYS1aWt/KLQuLC98uS5mXU+RVtGaorH1futbixWKRcU3NrhsqNuI2ijYOLhp7qaqTR9LeCUXS61LK0rfb+ZuvviVzVeVX33akrRlsMyhbM9WzFbh1uvb3LcdKFcuzy8f2x6yvXMHY0fJjpc7l+y8UGFXUbeLsEuyS1oZXNldZVC1tep9dUr1SI1XTXutZu2m2te7ebuv7PHY01anVVda926vYO/Ner/6zgajhop9mH05+x42Rjf2f836urlJo6m06cN+4X7pgYgDfc2Ozc0tmi1lrXCrpHXyYMLBy994f9Pdxmyrb6e3lx4ChySHHn+b+O31w0GHe4+wjrR9Z/hdbQe1o6QT6lzeOdWV0iXtjusePhp4tLfHpafje8vv9x/TPVZzXOV42QnCiaITn07mn5w+lXXq6enk02O9S3rvnIk9c60vvG/wbNDZ8+d8z53p9+w/ed71/LELzheOXmRd7LrkcKlzwH6g4wf7HzoGHQY7hxyHui87Xe4Znjd84or7ldNXva+euxZw7dLI/JHh61HXb95IuCG9ybv56Fb6ree3c27P3FlzF3235J7SvYr7mvcbfjT9sV3qID0+6j068GDBgztj3LEnP2X/9H686CH5YcWEzkTzI9tHxyZ9Jy8/Xvh4/EnWk5mnxT8r/1z7zOTZd794/DIwFTs1/lz0/NOvm1+ov9j/0u5l73TY9P1XGa9mXpe8UX9z4C3rbf+7mHcTM7nvse8rP5h+6PkY9PHup4xPn34D94Tz+49wZioAAAAJcEhZcwAACxIAAAsSAdLdfvwAACAASURBVHic7V0HfBzF1Z83u3un5iLJGGzAdoyDgWDAgIxtSdd0xZiaxEASWiDARw9gei8hQCghhN5CJ4BDMHGMdbqiU7ExpgZCb4ZgTLFsg2Wr3O18792d7JN0ZfeaTvb9f7/T3u3N7oz25j/z3swrshCCEfg1nJvqG44F4HWMCQlPrwQmWgKt3oB6laqyIorYRiHTnzBBTI6ngLGjIqeBAUSOZpNjpdXrvDLg8DyuqqoYuqYWUcTQIEwSU73jtC0EGYSJjMOjZq/jQL6AH6POU0N5bF8RGaDe49pHkthM/G27u4W6eKmt6ZuhbtNwhIwdXzJX2y+hWSMFfmWqtv8Xj3/IQ7uKyBA4+58uS3BX32cj8A6LxzWz2d740VC2azhCrhtl3QcJsqOWwiiEzZ+1ZNYdy+Ys+yHXDUsEi98+Gxi/HlszDT/2oO60Aph6p9/W1DRUbSpIcDhnwJkq4OIsPJ49FM0pFNQ8UKNUTKk6hgl2NHZo7PusmwnxzKqelZd8MOeD7njXyAByhY46RpcYR/4Sj3/LSot1YrbPsb0RpCX4dkTfOdSdDsUecbDJ63S1NLg9Q9GuAsXYOOd2zXsrCgjYR+oqplQ+xOg5xApOAOeOM0wche9+F+86uWNd72tjqpW1+L5SS0VCCAsbIpIYGduXxRAkBpxzQJGRFUmyBV/ia1S/MwAdQ9OUoYfF7/qFxOEZFtXDBwIATqh1225od/o+Hvid/PY83wazx3UEl9jf8fOYVJXhzeKNUHlBD4j/GBgLsjj/KA4M+wxBkwoWgrHX8Jns2e+cUP89VO0ZSuy70DZ61EiFZpC4BIkCFFk6AI+DSUJ/AvZGr7nRvBdXjH9DFriSVym+zKC9GaHd6vnK6nNdhoy4kQ1caRCsqJDGAAmxAIAfv/kzY6+0tIaeYbahbNXQYNRI+Qg8jE5VTgj4Pt75zcwKuAJfo8xyoNlrPxP73014qjTefdQQPJp2a7MAv63xT1av8yVUTC/Ej7/Gl4Sv7pAQFw9luwoNAVvTIqvfebpgMA9//f91bgzOV6/yBYe6XUMD2FdDoVWre1c2x/ui3/QT3Sz8a73f7paF9CiO1QfEfi8EuwFnnfa025ol+Bvcb+PhWLPPcQMwOIKB+lJLg+eVoW5XocFvdd+Dh3uGuh0FgGRiVh/OT7i6Fe9kq9XzAb/GVmcyKSehTHMkztUGlbEHA7bGRzJpabaBo+W7eLhmqNtRRKFDvJtsHxBnhvuarY1PJ/o+IcOiU/O90VcRRQxbbOgMPl5RrvyekfVIf3QIIe5oaQ1ez6yJr9cyDRVRxLDGioN939csqtmjvLxqDgh1Jyagi4F47/uO1cvfnvd2T6rFjIxJYvU5rAz4efiW9JdynLw+wEb8vadjw1/b57VvyvT+abRnlgB+C74tYaq4trnBvTDfbSgUYMcoKy+tPETt7nK3zG1ZO9TtGUqsOHjFRjw8n861GZHE4nedA8BvY/0EPpiOn6YbqiuOq3XbDo+3OZMrWNyWnUExvgR9m2gcnrd4nUciUf6RrzYUEirKKp9iAIdJpSXN+DGJQFFEMqRNkmiH/BNLrBH9zCArfvMS876BOYHv0q1HD0Ax0LJw7C4zBw4PmBvNS2mJOx9tKBRYmiw/Adl4WOQTWCwe10+Lxo3pIW2SgCLTDreSvBDbiRuMZC5yXrr16AMcFudkJZKZxK+j89OGwgBwQ33sZ8HVvfGw1ZIExWz8f/kswVinYGpTwNb0YbbunTZJenrV9wyKRPsqyW3sAU6Y/Kjt0k+P93WlW5cWYB0lEycoO8dvAvwaH+KDfluTP5dtKCgA2z/2IwcYN1RNySXqmmx7KrJ8Dwt71EY6IzCuWn3O+wKtwbOzsYGaNklI17D6nY9gk05IUXT0xJ3kI/H4WLp1aUF5+XcqY+MTkRbwId6DRNon12QtGACri/2ID2b7oWpKrmD2Og9SZOU5Ntg6hOPIeJq5XtmA7y/MtJ6MFPeeNZ1nGKrKx2KDDkpakMP5fAF/MpdejbSUZ/W7yClszwRFpk7cWbkSj5fmqg2FAtQDt+PGkr1jz4FGn6HhAvK6lCWIR5AtAHZmzaKaq6MrW2kjI5LQEi+/xna42STfgC2azxKLXtPMlfb/w+PdWu9t8bsOZUJEXIoBnmy2Ni5OdY0Q6i0A/JGEBYBdYG5qWBhweJdrbcdwBFeMh9Ch/1kxZUgakwNQTAazyX4//qCJCRJBqaKMIKv1zzOpL+N9kqjMdwF26mUQ8TMZGbcghz9Y3JZ/NTubU1oRW/zOi3HkuyEajYLwa7PP8QtUxl5Idl2zrelRi8+1K16WaLaQuSw9Nr1p+r5vON7oTNWOYQsOxww+CT/Nf0NyA7PJQdbNNRqKdvR+8eNXmdaXtR13HOmfx478DgdOexLxRJ5KkI1PT1swzRbe5UyAaQtsFWOqlasHnAa8742c84WpIrY02xovQ7GL9mZuZ3EJC7uOlseSqc2xKf6lYYmIIqtY4ny1vbnRPG64L4XXLqgtNVRVXJs6JANB3LLi5BW9mdaZVbMUWnbDUXrmKGm7hwHgyEEFgNWOqR53J747JdE9FCXcpnhLy1NNbgeJDCmXMf3Wxr+hXL6IG42otAHVNZAsx+DM147E3urs0pAgpHfF7ULcoNCK17/y26LswlBdfiYedkpVTgjxfEtr8OZsbKFm3XaLxBgc8X9l8trfQJHpejZINoaTUSRaiSP+9fGuf/0w3zqLz/kEkuy4gd+pIDQr/tENzAv2XWi7ftQI5TzsNrTKYdzcCsbuMHmd77c0uJu13rPQYfY6XZzDEYlL8BlsGJOkrqlurCKXp1p4oXiLNyNBLsuW/0xODByjItGNOFr/Bzvjk2yAVxjqDNfhd+txJL8z3vW9HZ2nGqrKO7EgyZ5l+PqOCXYLduhP9baFSIeHK1EUfAFFtpfYlgAJisThHyiemNscvnf03rfQQDvsXDamcogjr9Mr8tGeXAAJcitL5mEo2PKgys5ptTe+nE0PzJxaAdOKFHbOAzjAv0gXiPmKVPI7rH5nt9/qfmDgdVHDyNP5NbazZ83qHrlszrK1mUaPRFHwdavPcThqNy1sy/9dpcjyEovHZR3OJhv4jPfgkpH811PshcB+FHFmOAapw//xcBzk4ixIhPERU8XlAYfnuVxEGc25qTzpKabFpplSacmz+CPZY75CnsB9OKNIiXSD6HTZwbIUidhva1qGxMTZKzYmFewIEgvgjOIcbjNK/Yv1I6SKsrOx85AIUqbhEm5g7GA8PpTjpmUV0Vny4ThfdQomru78eO1fwgp6jiJW58WfhMy0cVY40Fwv30E7oTFf0Yxyt8XvHN1sdd+Yj7Zs6AxeX1GuUHyl2NBE41DhbcWZ5sh8BLnDZyEfcADbQZFge8alEahHGCLfhIKqynsAxMZQKLRRVVmXJCk9QnQGQyEDQhoJwElp3RUl73p5RNlcfK8nbhqZbNCq3rAhSWS100ArpgNCXgkPsuKkNqtnZa7tm/PmdBWdFU7HmeNDJAbJln0KPdCeiNXnHB/o8Jyb61jD5IBj9btITzp1wFejURR7yepz/fH7jlV/SLZMrQcUEMzcZKcl8XoBrBb/2z3NJmU3/GwYXFpiUvipYFeWY9c7ylEeH1AUNK2BDgYwE4oue+EM/5/0bpA/0GBiMikUK2t6zOkeJtRLAq3e2/OV7SDvnokoWt2ORPkCf+InWKxJAcBZ5mrHJBQhjm49tPXHnDZCFQ8zDgNJQpCwE10xpnr8L3BWuQBnlZfSuX2tu7bKIJXPQVK4zF6HA0+FjQvT7NbZBu05Xc4odkEBg2JUm+rtj+IzmxtzejUOofMC9qZ2PYq5xes8Cv/pM1hYehBPBdZ4btMzGA+J+y5tPGInbMCf60XWPyDeIXJF2Ssmd8O8Fqf3v7mqHxW8V7Hzrsa3OyQo8jNs22KccV5DLfDBTZt6X1g+17c60f1IJKislPfnnFnwR3UalAraDZYLhBTxMM/scZkD9sZApjey+FyX4aS2d6Ch6ahsKc2RIO6OR/Dtb7acFe+K3p45AQ0WG7FAHfRkJMj9W87APuZqO1kfJNyrG4gh83EnJbreb6+TmdTIYh30ge0mKfIr+M9dHGjx3KVlSiVbntmzZ49pc7R9q6Vu+jGRAMvw7c9TFN0PO/p+ZaXK3diej4SA9/EckaULO0YZ6gU4Q8AuY6oVeuiSlroLBMAl9rBpsWn/dN16wyN9leM2fA7hANxmT8Nf8dCaacNoR91cZafIJbG+QS+HNnXN1dvWqPvEHwd/AyfXe1wPh5eKNWBIA0FQ6KJav73WwCQSa6bFfFWG/8gd5nrH0Ra//bxmq2dponvU+e0TsdyTSK59rV5nrb/B/YaWuoVg7+EPnIokfaCVOLIJ6x9wOl29oDAwWSoteXHfhbZDontJmmHxuHbHkf4+fLvZsUswTiuXGZEESVtpqK5YGHtfvPOyru4f5yybqz+TwYQJnILSxQ3diyqfEw+FTxIChS7FH8o0aqRMeyn9fCAoOB4wqR11GB/qEfd3MrZkRYN7PX1F5uBgNP6fwqSLsVx5pDzcjH/tgyqJD02zztYNqBs1QlmGA9EZOBD5UpXG0XemxMVpIAGJQf36Do4XWqIkJgQRTyotJYLEGGKKN9b/EJz7+mHppfro7la/KDFKcWNHo76o+fcfcpIQaCSrWVTjKi+v+ifJ9AO/x3M2VLRtFfi/oZhEBnqcG0to55wPKNhAbpwoyqUc0YCR/MxTFdv6geItDkReq8/1Pj4QIsq72OG/xffdQqhlHGBnLLQXnjfJEpuQZPlh70RfpILVbz8EJIkWcmJt7D7DBhw4cJajCDBlZaMPxV9ufEjA620OTyCRLrRsju9/Fp/jVABOLhpbVhMFe39NR+8TWttXECQhkGPM1CVTDx1vmPgMRfhIUIx+ofHJ7iOAX42HhpQVAmynu5FbM8JkYbtt+UiPSNcgsvMBi207JFvgGIjwEm+9cg2ARHGcYytbJ0LsoKX2/pYB5GhVUV5Fs80E+iwB2avZV6DIfUR4vyQOmm1ND9U12doVST5FAExFgrzTxdQ/UTYFre0sGJIQKBYrPrh5JpPyRJIcjklBsw7OJgemWr5FJXyv4a1SFB5KSpQ5eHhES9lZS2w7mU3KU6yf/hFGkAn1yGZ703uxJ8nMXzaU0G86YEUSalDk9tW6a2vane1x86+0OXy04JJ2MJKCIgmBNh2RKMfgA6Qp9Fdp3QT4zXwBdydaC5/eNL18tDy2GIcqy+AgKCLNI6nKWbzOX5YYFTJFGqRUC8HOaR5g9RBdEqYN4ERL9pMNcgXNRhn7s8dDwZGEECXKsUgU+pgOUX5mrrafjse/xvtytDRmoFlKEVkB2C1+19xErtazG22TjAblZuAwL/714vZmm/uugWfxtyTbtOSDGrBfsG2JJIQ+opjqZQMA/EL/HeA6nKIXDPTEoyVjBaRiJPocASXYp80+x+9a7d5/kEJNZjm1bsd+EmcnI0HIR6gk3nURJynP/IFUsPjtJmDSVRqqLs+89fFRsCQhEFGmLZj26zFV455PGZFlMEZxQ8lf2ADzC5lJtPuaMutREWljJAf+nNnr+M7qd63GI0VpqUp6hWDtvR2dxwzcOK5ZZBtTUabQHpiWjdpFGbQ5KQqaJAQyNJz8qG3exJ2VJfiwzDovPwJHtXkBW9OCvhNCqPcA8EHLzEVkHdtFX0lBaeo6hThoxYDg6lE9hGK1pXTVxbu0rf8heEG6DU2FgicJgQLK1Xidh1UA84cDcusAjmp31TXVtfSZrFDEFavPuTDJMvPWAlri/CdTBWUkfk8IWCe4OiJiai/2wN65O1kko3i0B0sgAuUB/u7uHw5fMWfwZqGp2k7u3QcmuZaWml/G/+/pQJtnQS4tgocFSQi00z7b5zjQyKANZxQ9MaTIL/oRlI0P6tt06gH1DAOTaHe/OgdN7cEOuEoA+wE74EbasQTayBJkih9encl1h9xErs7rf+y9LYG5yev4erHvw9QlU41j5UnTJYnNBCHqkDi0x5QHcVQ8sKp75VnxUrBZfI6jkcwXDb6EfYzP894QhF5otXo+2Xw+9a5YRhg2JCGQ26nF45oLEiNbrpTptGNACVPJG/HP9IFMYSx+1ynYeTNNyUCsexWY8KlCLBe0A9zm+V+yUS1iTqPszphEo/l0AOyYDPBzNizpRXNIZb/TEwsg2klfjr5upw2+ujp5JufsYGDhiDc/ybxd/bAORd4zm21NT8b70up11gDnA126V+GDvqy1temxfPmQxGJYkYRAvuj1HtchshQ2oUgVwS8GcAPqJwHydQ/fx9r4PBLlIeyZv9PbBiTGf5AYD27cFHxu0A5zilEtGsWFXi1958IKaqnsxDmHxAt66Z3haPa6ItDquSXTThR1jmujF86+l9Q3WmdwWT6JRczWtbgIJ8Pfe1jo/HabJ27AOEoPARKQAr75dxWC3b+mo3d+eId8iNJrDzuSEMjE2eJ1ngAcyKRa6whs5ABPT1tg26/PJGF98Nvfj5bHUiwqTXZHSA43Y6Hrm62eltSltYO8JfFAu89P1TxQo5ROrmyQOK3KhZe+RyW/WrwbCoaOa3F4X8t2J4qKpxQSdrlpselCqcR4AkqPp+kUd6mNb2Bvn58sqn+t2zbFoCikP/VFsyHHu+ObbY3/TLP5WcOwJAmhucH9jMXn3A0ArtZ+Few6plr5G46QR1IHoBhhdX77YQqTyLckSWoC8YYagnOz4aSUCtGIg0voVbOo5syK0sp5OMPQSE46VOyAsBpH2Vu+7ll5Z6LUytlE1JfjNn4Nv72+vuFQHHB+T8mBUlz2jirU61tbvc8mm+EsfvsMJAjZZPXtqK8O9QbntDi9b2Wp+Rlh2JKE0GL3XGv2OmgW0OoXQpiH+gmZMNxAH8gwzuRucEiK3MwG6zkbsSNe2tLhuTPXvvfxEI2GTsugj6GIOR5FTMpLWRFSxWebPl27PBshPPUi2tkpJvMLZHCICv8xEBEyaXaRcED5jJE1sRDPB+ze5vBslGCGI/3HbJLPAiaRY1TfgsY3SCwzEiRrSXgyxbAmCf0A9S/WHy+PKJ2Ko9oe2q+EP1h9jjf7jCDJVRjlYRNI4eiGu0QLvSpC7DeFEo8LRcxVjJZ0+5DjFR0twDa9iYc3ExZIMHfQLrypyX6o2aTQQLV7zFedoWDwIBQdC4YghGFNEgIFjcAOPg87+Aqm3TSBM+BP4nUH9JEAj+/VeJ37lQOE3T2/7vn8vHyIMdsSwnHCRpQdj7M/xfOdOqiAKk4J61YFhmFPEgJ1cIvPcUbS3CSDUYnE+vdMn2PWy7amNXQi6vV4Rk4auQ3D7HPsCoyfIY8o+y1LlJqDsSf8De6n8tgszdgqSEII5ybxu6woHx+v47KflgL/59QlUx3FWSP7QJ1lf4mLSzjww1lyN9B1Gzp7z81Xu/RiqyEJYX3w2zNGy2MpcvruKQtvQf04w8SHUU4+JhdxZLdFULginKUvlSVyxU69Qi+YuCm6DF6QGDYkodhWVVWSBUelyp7eDf+O54VGS7o4tR+DZWj3OHn67BgAwG/MHgdtcOXEHyEfCK9+cXaqAHYYROR9yuTlU4PBW/KV/s7kddolDldyaZC3YTKs7+7+UXOawKFAQZMkvBNdLv8cu/GhY6qVGajYXRPoaLov2XIs7ahb/M5rgcF1uioDSmnn/LbZ6r4l44bnEWR7Nc448RJZAiJ4acy4TblY5nFZ/qXV73qoq/uH+cviGBJmirC1bqX9l4LDfCTIDL3XC8GeyUW7somCIwntOJftMvownA2OryhXKJ+Ggk/y3109wf0o+oWWe7S0BG80mxTyP5mpp24k1p+wQ62hTFnptD3fQLGmdrxxEtk5JRMviTcnlRhH2nCkP76lwd2WjbopoY4sl51ornL8H9YwKV3DM6HmNnV5NlAwJKFIG6Wl8pkVU6pod7kvz8ZGnD3OCTg89+jRF8j+CMWu45FotIavw74r3KEesHidG2lHX8d1eQWJntVVyvUo1tBSqtaQJpNxpA/gIHA/KslXpKMDUDifivKqg3D0P0aRyynogyEzs0zxVavTszRXKROyhSEnicVt2ZkpxsvKShValYo1I/8ACXKEv8H9djoPkfKiWH2uP+CPGDftXBJIwOFx7EwGnFEe119zbmH1Oo9E0ZOC8E1I43Ii1Kk4Qx9t9TsfVYOhJ1qX+lckMhmhWb1icuWeDEQ9A25HgtAWZlnWoswI9uJwWCwZMpLsu9A2etRI+SpQjJSvxDjg6yUoQx+Vqay64ZOOm3FmokAS01IW7g9S+h+z+pxHdfcGz1zq8n2eSTuyASTHNMbhL/jKRpSXEThpnon6yplmk2O9xe+i4ORfAvmiYJ/AXluF7yfgs6OwroacxcMHNa2o/fnGkJAER+ljR40Mj4aD0peRaXRLa+8Z6lXLMk4KSbZN9R7XKbLE2lk64RoBDjIaFCsq9DevD35381DkfqcIIwZFvgJnNwqikIvfaxRSYHbsiTyFIwsGf+xuzk9VmSGvJKHVqvIy+b6E0U8oa6q96aJsTsFkVo+ixd00cqZ5izJU6K8aLW93ktnnunrjJx2P5sOwMBp+5yJ8ncjiJvwZ3sAf+PWc56HJEvJGElSk90VZ+HkWm2YhBvjQbm22NV6YCyUu+OOmS+WKssNxiNQQVCARYEcO7AEUQS5H0t20LvjdY7mYWUxepwXrOQvJQT74wymdgy4AEwkzBcQDJUbatMmo6o2Anw3khSQo8zo5cCJIXANEJMiTLQ1NF+RqlSNsBOl3nYFixMIs3A5JDnePlsfeYPG5HmUQwrb7VmQy+9U12XaTZflXOGP9SuIw2PBvK4RQtaU96ANtHuPzvg91s7cCbcH7s5WjXQtyThKz1+niHKhzDlTOIxBs+Rdf9p6kt5PRJpYeH49ma+OLSJRn0o0xHAejIglspLPNXsdKVPIX4//SJtSeZS1LW1YmWjGihEOzZlkmy7K0PzBOtmY2RVZ0evoNfwS5qoskhE1dvVeVlSofmE3KKSZ3w/H5csrKKUnwH9lbUuTnWCKCMLa2u7f3VxQySOs9w74IHsfZdSOtzfhR10MKBjvPVuRyWsbUE0RCCyaGswoDOw24kZlNjh4UyT7HGacDRwH634KCAeo2bDv8bmc2dCF8CgWrEkWBTwaKJ4DP9Q58rpeHs6H5XNcHWnv/mOtZJWckiW48kQ96wpi7OHecp2d5ddaSWSNx1KYoG+NwFPmL3jZR7C2Lz3EOANecmyJN0LJpNCsWxPwtIor2dC/sYeq9BiZRbGDayLzGZFIaDlhsO0pPyge9yBlJKsorL2FJzCVQtmpptTc9qlUPodWeEuNIiqTxM7xYS2zYuKBQNla/i/ZODk73HkVkBvztdSntsaBwUPj7UcQbCuBBg48JRbDlKLXMzVUy2pyQJGKYqCTNBxEKMc1LvSavc7LRoFCkjfAus8rU1zNpX1d372klRoUsVVNEIikiFxBCTZl6Lvn17HXUB/ePOTUBxa8AKvUOrTkz9SAnJCkvV45hSWM0ieZWu1uT4kaGdKhH0EPdbIYBIDLKd0iGkmaf6xwObFgYMm5l+LLV7k3L1KgPkd9/kABbzTg01rpts9udvo8zaeBA5IQkwMRByaVw0OQ/QLZD5VOqSPHvt7eiqjzjzbWArfERi89pBQjvZBeRJ+As8FzGm8UCjAm613YGRV44vWn6jGzuYeVIJ4H9kny5oWfNBk1h8it2qSK9xjTwPAdBpMnY5Lu3o/NUQ3XFz/BtsvYWkT2oIQjdn+lNBBMTIeEgDHuMlre7Ed+cpeVepOumWjzKOknClqNTqpIFXG5rHxBmPx7IOhgU48XxvsMHVIuHuLFk9YDaYW40H8KVkqXkE5Hp/YpIiWdbrZ4PMrkBbQGYPY7ZyUvBaajI36tFkceZ51azz/E4ZRtIVCZXq1sJZS0hhCZdBBQDKf7xfUEAfjFtwbRzKHdJes3bAsqEhXKsw6AoFJ0xaWbfIjLC+q7u3oxziJg9DXUazIskLkvkqZkyKAgAexcYf97qc5zvtzXdFq9M1klCxn/RXOtxw4biVJlyJIkmcDk6SZHtq6t2OBaPD6XZzH4gRQ+JYo7Goo1rW1ZERiAl5DitnqXJIBg/X8ueE+qa82oW1ZwWjYKZ+H5CvI9lUTjht1r9zkq/1X3FwDK5mklotogbelTLylTtaAf5fyTNkgTAr521ZNZz2fKPJqIcsNg2s6xUfh7vPisb9ywijF5VqCeiOPNi6qLJYfa4GrjEDtVYvKy8fBS5bydfbgYRk1MTLscZZe3AGSUnJBFC/Qd24vgkEZBSH5FATNWwRz2+xDiSMrUem0YT44J2bacumWodb5x4C9ZPQeqKG+WZ4dNgiB3dam/Sbac1EGQFbFAqdEkOoPLdWCqSMNbfJAr4zRav85PmBvdmY9ickOTrni8WYEe7iczLB34nQKT0ORcAIzT2zmOQ+W8kkiXTQTRI3Vlmr3MRB7i3qNCnBRRxxG0bOtfekErc0YLIYlAlxRzQJwoDVKQqIkJSKfR3SODA4cF6j2tFNP5ybkhCHc3ic1yGot4jg1sFSVIcRMCBrddcGTLf6nWu8ze4H9bVyBQINLgbaxfU7mGoqriAwg3hqZQPvAjK0xhObnRTtmypwntlu1Q+QTni9V5LKflSFuLquDhOq2Nkid2Lx7BolzPbrRa79zGzx37EwNTSSJzdUl6sivfDmQa1gWPZByw+V2WzrfHWNJqaENGl6mvNS8z3cKPxPGz96SxxLNttGR8IJIe6qeuhaB6TrICiwoyZEjaSTcvOTqV+lAIoLSTy3zkEpRQrJR7KGUloVxXlyOMMSvmyLRaxjOidUikOrPW8a652fMPi+MAnAP6v7BaLz7lH58a1Z2Vjiu/XnkgKt0vqX6z/o1xeeizWRmT5WTbrxdCg7wAAIABJREFUGIZAUUQ8iwroswG79+VsRz2h1HDV1QqlFt8rzVt0btq09hUN5RLGZhPAaZ8udyQhkDfZ7Eaby2gI70FEbK+A1VII/mT+zeRMZfU7cQSBc/TUh7PUiRXlVTNQnjw2mjsjq4i2mUxq7iZ3ZGTmsVjrL/HzztmuqwARQha8xgTzhFT2r/b2plc2O5Zl2aPU7HP9lkvsDpbEzUIDnk81WFI/lEeUJQzJirKMnTa1c+6ZSFv+WFEdKMbF+HFPfJVIFSUUCOLRZNd1dQdvLTEq8cINpcKeKE+SQ86NPR0bbtCyu58OoglKX+ecn1fvaZiOhDlIoNwMkZFpawjc0C3IqY28LZnaGgxubOkXf1m3hpAalibLT0Ay/JUPENHTgBrqDd6UqhBKBbQCm6x/caYYD8qLj3uzs/nLGq+zrgJ1B/x4BI74tLyalCS08YQd/Y/kWJNGlQpedwUq3cfiiH9Jq937TK6CoEXv+3r0dd30punlI/h2NZyzmcDgAOxk+2BbaFWmkJeT1+E/8S428D9hYrDQ6193f/lWvtJRhEf0irILQDaez/RF3IwPIe7S5FvC4bRURfCZHJC3aCnRBDlHWr3OU7Bxt1JwiGZrozvZNd93rLpxTPW4OWlv7gGbhFr90yav4wKs75qWhqZ/5TpiYNT6tDn6CmOmz1GNv/weKuNTeWQPiHzaJ7HIkmZlLtsTBZnvrMbe84UQ7Aus/3N8CJ9xpn6ysSv0Xi69+pIhrJhXy6ehyEOrh0k3j3Xgv993BC9NVcjit9uASRpiRYspeQ9O529w34/i10tMMfyOL+DeZMEcyDar1m8/wsAk8mRLJ6xnGDga7IuHhWav4y2cWW7p6Fj9bDbsvrQimkmrNfrqh9oFtaVihHF7hcP2IMvVQqhVAHw0/jgVqDmWYuPLcTZSAMIiXMzvJYjsNNJ34ZtuEIDyt7oBr1mngugQeBRc/U7t3fTdsjnL1hZSONHZPsf2BoDTxlQrFAtNb876ZPhOhNjP+1KQJwIF4zCbHCnFsQhg1JBEcCTxCw9XU2PZvORlyV2z3m93ykwiz8SUeywpsDcH/viY6vE3WXyuB4MQejidgATZRFRn+jz6yg0KJCC1CUVuicMpRuBHMv26Zip0qEKdE7A3pUwEa6p3kJi1f6pyUfQMacDsZLm9Y0Hm1eEHDNCII2s2wu+Mx5H5SoVJFGjOh53o8WDnpn8Ol4iCwwl1fvtERUhkrHosEiT1HllaEF/1BoNz2hy+d1KVxAF3qgySxlkk7I//zZBHldeKlgb3p7Xu2gMMSsXf8aMjS7fl4Z1czuwoF99r8TlfwsfyvNrVvTibm2LbGmiPAyRxuGAwDweiGpbYQypjUFAJ0dM9r80V+DpV2YgOpJCnq9YszVTBO8OGJARagkQ95kBzleMifOxXMx0p3zSgNBKjGH4hlZYGrT4Xhb1ZrDLV09rqfVPrrLctgsJHlZZWmjiAA9kwFyS2G8slMyIIoVZ2U+cnHVdric0cdb+g3XtdGQZUIXK7mZgLRBX9P9Z7XItlSdyPP0ZNDqqR8Rc249HMcZpBJW+N1e9qxVErEAqxtq7POt7KR9DsQoVpsakSjCUzUKOsw4+WivIq+g2yrWMkwztMqKc025qWMVvqwmFvRq/jQabfvGXNpk/XeocdSfpAO+o4OswyVTtOxhGL9lLG5rA6WoE5HOs5XJYYq5hS1YWkeRNHsleQOG+IYPCNtT98+14+V8zyhRqvc1Q5V/dmTNqXCTEd54cZONOSvdNQ7PusE0xcv2bN13dofdbhGcRrvwff/lZ3bYLdT4PhsCUJITqr3DtryaynSgwjz8efjcxYMjFl0AoKUzoTlf+Z4Z6iyGxM9fheq9/5Efadd5E8H4IQnwiufhwKSR+3O5u+LqQl2IGYtmCaoapqh0kAfAoIdYpgfBf838jebo8KDjuTh0+4YNZSXOnGJnym93Ru7L1BTxq7yY/aSswTHJST8Yg06lyv9nT9md4Ma5L0IeqdeGXNItsd5eXyOTja0RJfVZ6boVCkDjzuEe5L5BHKJEYzD071GyOxgckoEGhTbzWtmgghVjOVf43KzppQqHddryyvfa3N82M29B8yMZd2GT1SCoYqFYVXgYBqclMQnI2HsOEo7IDt2IF8fpDgtAcV8aoAXkimAT8gOR4MqezWPt8OraC9mAkTwqk+UgSNSAChXhk1bN06SNKH6Chz+fSm6TeM5tsdj+rEGdGOO9Qo6yNQ5GNEqSXXauqa5M0gS0pYqEf9R6AoR7v2P+J0H94sxMK0YdgDEV9xFfAXFNSb8TK6A55TQIRj45JJB71GokgYCcqt8L4qw6/+BCggOvTHJ/gv3r1BwENRSw1dQH11ppFzWsVKLx+NYN5Aq/fOPn1nqyJJH6KmIXejwnaP2dNgwQ51UjS71nCI5k49tyL8gv4ntxz7rxxBbIHhC9IxXkRyPIwdtDGd2ZT0D1OV42KcvSlWdHorn4J93hvq/E1s/VslSfoQ1QNop95PiUxHjFDmcRBHYY+i5JxbbRapYQTsiGIpDmLPiO6uZ/rEGy0rVgNBm4TmajuFrc0kiMd3QmVzKftA7MmtmiSxiKYRo2XABym+sCSVH8qBUco1MvoeDjPM1gKcMUQLEmNhd3fvC5mGGZq6ZKpxvGHSRTJIFO0zk99xdW+w19Hm8L038ItthiSxiI4UYcKQaftIaYyVA7hQsbWj2JIj04ltGIJ9LIB5hVCXqBu6vNky/zH7HIcjQW7O2FRJsPdFqBtnkObP4n29TZIkFlH9ZVH0xWr99h1lAVZgvB71aloZIWVbf3rrbRco4oqPRNhZC1pDEPK32bJrRGr1OVCk4jdw4OYs3O6Frp4fjk8Wv22bJ8lAkNUxHp6IvsK7y7y0tAZ/+Bk409QgcfZhEXfd4a8qZwerkBVv4vNZgY/klc7O3lf07GXogcVvnwFMuoIBz0YCpk6migsDDs89qfawiiRJgaihozv6CoOIw4wle3MOe+K4uTuAwNkGKKuX1sAVwxFrkAjvCQHv4vDwHvard6C3+63NynaOQO4U9fUNcwH4uUiQNFT6uHipu6f39HA0eQ1raEWSpIEocZpZjPchgXI6yvLIXTlXpwDAJGAwUUScxXaCSDBuMm8p1BmI/Ndpw44U6c+R/F8Kpq5kID5SN/V8lG+r6HDOzdLK35pN9t/3i7aTGT4QqrgoNjqjFhRJkkVE5dpXo69BoJWYathxnMHAxzImjUG5fSzOQmMgkpZuNMrwlfi+XESyhFUAHUV4xaYEqUV7jbRszWNeaswrNGDzcSMwsVGEPRbFBuxo64A8FhlbDyrrEBy+D4XYt5Lo/uaLVfxrPRmQc4moSHVCRXkV5bVMlsJDDz5F0eqmDZ+u/Vs6hqlFkuQR0cAKn7NceiEOQ9BiiUHAUahrnIgEyWY8s1eRHH8OtAWfDaexbkjvJkWSFDEkiBLjlwyAYhjMxtkvWyuIFGr1uWAI7m+1N0YCdadJjj4USVJEXkA+HRSfDHW1uSj6HWigSCXZIwaJikvw9eyGzo6F2Y7gWSRJETmDudE8jikGMwfuMnsdc/DUDlm8Pe29NKGO9VLox41NuYxPUCRJEVmD2efYlQuoE8BqgYGJG0qyEbSDEIwEzxPLVQFLhRAtFPMgS/dOibyThAK1QU9Ic5Q+Awt1J1qLr/fbd5EYmxgKSe/r9TcoIn2Q6FTXZP+JRGF5OJsuGOwLjO2HM0b1YHN8XehGfWIl3o/ysH8EqniXgXh7w8Z1b2VbhNKDvJOkhPGHwci1pvRCyJSKOm5QY0lIJwKwS8mxyepzfY6/zstCsJdDKlv+1Ve9bxbKsubWhp89aykXAkaGQPwgqew9JMo39NzZFhP/8rCfixB9OkcQdREK3LAJQFBn39C3FK2C+FZV+eqent7/rTi4+ZtC9ODcesStSEaqSUiaXxFpJk5Qei1+19v4Y71O8W3x2b8pOje9VYytlTmiERKzHrW/UILoDcTWQ5LBUKLhTUkUYBIlBRpRplr9rs9xRKMgZu8Ipr6HI9uHQ7GjXMTwwdZMknig6X8yzjaT8Xho3wqkVFrKkDzfMsE+Ekx8grPSZygKfIry8GchAV9907vyq3xFWC+i8LCtkSQZxiI5xgKD2vCnMH8gHCdkvHES+Z1/R+E08RwFcPgWiUY+KZ/6re57hrLRReQeRZJoA0lsY/EQju0Fm0PrkHk4K5JkK0eRJBlAMMjbWn0RQ4ciSTKBYJ8MdROKyD2KJMkIanEm2QZQJEkGAPJTKGKrx7ZGkjd7g73HZutmq1axj7N1ryIKF9sUSchbT0s2pCKKiMU2RZIiikgHRZIUsU2BghFGY61pRpEkRWwzoKB2o6Wxz1o8LmezvXFQONNEKJIkh4gE6ZbswPiOzbbGvyQrS342pQJcgrO9UHnaDgC4oFhXqlixZm3w36lyk8cD+X0csNiyo6LIu0kcxolwVBZRAirbKECsJ9u0zk71w1wFk9MKSvhZVSVNwH95JyHUkRx4Kf7fIRXERgDxbXe3+sXyuc1fpWtGT7laKqZUns+AU0Y0BSR2Hz4bs9b7FUmSRVDo/9rRjhpJEnMYA8eokcoMFnnGal2TrbHN4Xt/4DWRjLDydaXAT6OwQbFpFMIHDmxMtfJDvcfV0GpvjBuqaGAbTNUOF157hNnrcLJIvK8t96O/fEvyhopyiVn9zg8pJ4cA9e8tDb7WXPt0mJeYt+OK8RDBwYmtqMH/7yd9zQOIuqBwMj+NtLHEKFEipPUWv+stYKJFDUFzcN2Gpe3z2jclqydMjsmVR1TsUnUFfoyN8Vxf73H8jkXiQadEkSQZAjvveM6ZE39Tl7naQamzq+P45nFZUk7A40WxJ80+x77YQZ7Ft7ukqKa0C8RHyQpEO8TJ2IYL8eNEff8F7IpN3hWYdJrZ43jf7HPd1NrR9Hg03V7WYPHbTVjH+dxYciCLJCDSg1FY3sTILVhilxuqK7qQ3OTo1aYK8RoXsDIUCvVIMh/JBPxUANRWTKmirAFxo2ri73VTXVPdiwPTLMRDkSQZwOp3/VOWwukbUv7eAOznLIYkFq/zMJzyn2KRQHTJIVhLsoxPJGujOPFIViIdAtsNx/K/IdnOQRKfGLA1vZ7pLSl3iMz4nUgQe8bt24ISbKwFjxYOEZ9hiUe7szYX4ipZLr8Nj8ekKlgkSSYQ4rMYk+BU+Cnl8Vtqa/oGyfVr4EAJL7U9fxD/jneadA6Tx3EpiihXa76XduyNusFSq9d5tr/BfX+6N0ER6VSZSZSgs+BywOAPdzS277Fma6M7WbkiSTKAECyAFDlXa3kjY3uZvU4D10MQqicEiwaeC+seHvv9WP+JWu+TBowol9yHYs3OgQbPlXp0lUjudPttqPuck8P2ZQwQ7K7aBbV7JdNviiTJACEBK/Q8QMG4HfUXygys57IPmu2Ng/QRczXlJodcEiQGcDnqKkSQK7VegTPcjXgoaIKEAWyKUlV2HL67L1GRIkkyAIUxQtFpDYtEi08JHPUvYDoj7ohocqFY4Mh+Cd7mZD33yRjArkDR639aRC/Ut45CcfLCfDQrc4gHWlpDDyXL01gkSeagUV4TSVgaIalQwulHEpPXWSdxuFbvfbICDnegMv9qMmU+vLxrLLkrn81KE9/g61y/1f00syYvuK2RpKTWbUs7quBGWPv1QJMGHOlXYs+fmXnT4mJdW1uwrS/gczSJJmWYTed368LWvoE8/R4bXYV03Y/pV6aNqMw/he3YO1FgDG40Xsq0DxoDsQaf53/xef6ARwNElrJpxS6deHe0GjiC9U/l14n/+8sC2IL1wW8f12qesk2RhEIMGRQl6X5DMhhYNQXV+1e/k4J9lcO0PEvCKQOiQILMTyOJJiqk4rqu7h/vis0LWP9i/QhpRNnvsOm0Cz1Sx/2mjjNMOh+P1w/8osbrHFXB4RSd7aNnGFBVdlVre1PrwPzts5bYdjIalNNQVJ3Pwmsfmu/56sovew/ecUelShLdRhESG1rntn6fzkbpNkWSnADEdxkmrwpHRBdMtAshVnOAUvyBp1NKAiHUzaIWZdEqMY68QOe9NwgWcjVbPUsHfhEN0nc7ik9unB18TEcqO+ywF8/0Oe592da0JvZ8OYh5+G3qfZ9YCPHnQKvn/DA54uyiRFNYX1bvCe9JNeL7Km2NZA0TdpaOarY1Prr5XJrB74okyRAUqjPNBAI0oj3ULdTLae9k4JfTm6ZfIHfLm0e9EuOI/2P6Mz+dHo8gsUD94l3Uc45BPadJx30rShicySKz0GYAcJfO9vkDds98LaM7meRY/K4TcDjSnMoN23MVX8CfyNRyoEiSTMEhnbCpm4Qqjm1ucP8jUYFYeTmy5+A4VWcdrwYamp7QMnq2NLg9Vp+zkVEue40AgFOxA/5hQAfUp5sJmj+0iz/N1sYXrT7XcpwlDtB4yU9M1Q7S6JJuFqZCkSQZAn/hTp3CVjd2q0MCdrdX6wX1bgflk5+sqxZVPKCnAwrBHkAxSs9MsIO5qoEWTsMzEPlpjJbH7qTj+u8Cdm+bbhEIBA4soJUkyCdBdmJFkgwlsB/2hOMMawT22jsD9kbNBCFwKSzr62pXdzCoq2OsV79bMpqP7WG0PqERgvHDWZQk5XL1GKavke+ko0QLBm/p22iC6XrrGIgiSTJHMHWRGAimyysuAnDovGBlOEe5DpB4h6LMGzpEGRS5hKXvvSSgXA9FhBBpBSgHFa/TMShhm/TMbnFRJEmG4JyWLKWc3Z+MIo3A99B1kRBpBbugFBXY/TSTBHvg7qbFpspoRH5dgwXoWc6NASpARp1PW99qWxwUSVLgUATss9lDSiuAaXZNHYAPdZYHMJQSgdtZT89aZtSxNwkwSWddYXAQu+gUPZM6ZmlBkSQFDg6wdxqXfZFWZUL8j2m2/I+Cs93xb3vr8tY1ZpODslhpHbl3P2CxbYflc32r9VUITl3FBfta3/0HY1sjySeoKt6Y7sVC8Ley2RhNADFFr9KuChE3x2TK6xj7Rq/gyKPuwbSYa/G73sGWztB6aWmJchYeL9NaF5kUGRTll7oaCOxtXeXjYJsiCcrc3wRsjZr8mgsHoF/xVHlaJJEi9k66IPrt1As/tlcrSWjSOt/scfm0rPbVumurFKXiGaZTlxGq8OgpHw/bFEmGKcbpvUBl6aygMdYTCv5o4Iqua7CjV26uNxh6TpLli5KVHwADl9hii8/5R7Wr6454KfnId798cuUvDHIFSQCTdDWOsbWdm9a+pPOaQSiSpNAhwtlsdYFztSedqiRJ1n2dEGLzyN7i8L5m9bnasb21Om5hAICrpdLSS61+1+t4v3eReD8IwUbicULFlCqamfQYYMY0jt2bjdTWRZIUOkCU6tVJKGpIOlUJAfr2fNjgpVw1FJzPZbmd6V8Xp03MmUiYsGmL3vWDOPh6gxA3ZXwXViTJMADk7TeS1G6JSTq3LwD67ZoHHN7lKD5dR7NDFpumF2pIFScmizCjB0WSFD669F4gSZJm05JY9DJu1H2hEIOcr1rsnmvNHns1EuisdNqRKZC181sa3Euydb8iSQodgm3SrZOkuZstMdB9nQAYROKoTdbZVq/zfcbhZpaFXW+NCGGLzm22uv+azZsWSVLoALJx0qmTCP2dPVyVzHVfByyxDZa/wX23yetcJHEgv5Oj8aVv6UwfvhQs9Ntmq8eX7RsXSVLwgK90XwFCr3NW9Do+Ru81qOwn3TFHsYd2/0+Y7XNcbAQ4Dmu5BD9XJrtGJ9bjbHvH9x29f0onqLgWFElS8BD/0zuTgA5X3P5VqeMY6HOzBGCrUpWx+O2zDYyfgaUPZuku5/YHrcItQ5nuqe7uH56K9d3PBYokKXCoAv6rxzKcAABj06uN76D7EqEOipTfByTHDBDSbQBSrU6eEwleEELQUraM/89GrGidYLAShcn/dKr8tWytXGlBkSQFDi7EW3o3DVAESs+HAthPdF4huno2/DfeFxa/83Jg0tV4T337JUIs7A0FL46XpmKoUCRJgWNV78r/jDdO0mNdS4P21HTqAsH21DnifxhP1KEIk8DgOp3V031O8tvcz+m8LucokqTAQUHgrD5nq54gDdjR9+HXcD4whlUyhAPfGSftp6txQgxaSarz2ycqTLomXvGkt2LsiFTR3YcKRZIMA6As/hIO8HqCNIwy19nJD+UNrReMM04yM50RHYUIx8HqB1lIxyBJ9S71bmxZ06TL7z+fGAYkgZymJhsO2NTV+0xZqXIL05OugYeTC2kmCeI3OpvVsWbt14MsbFF92l/nfQhl5mq7B/WYRhBiI4vYkPV7qSB6APhGEWKdIdG7prubrc5XrsfCJ4lIN+7e1gPy3rP4XW6cTeZqvQZ1glNqFtX8SYsVrMVt2RkU41F62oQj19Nvz3t7kCElnq9KzzYRLHidhUH8NFV9+RNBovcKU+RwpjFa4XoPa21TQ7Cktb3Jr0fE1Iq8kwSYkPSs+wtgWc3bN1wBQr2FAddMEsS4ivLKOznnv0sWuod0F7PJcTfTJ2oF8Za3JfhOt61ZBhjFwgHxYCaX2Pn4f3xp9TluWdXzxX2JAnqng/zPJAC6lgSRVNv8TELw25r8Vr9zGT6RWdqvghNMHrtx34W2M14/zLdu4LfTFkwzmCIEOVhnc55oaXB/GrdGJj7U7YeePeyMA8lfxhsnnWpqajiW/FuycdOhELd0rpsXZ5I+oOR5DjAJiaI9+jAA/GbUSGUOimuP40cfqOJrVcBILokZY6rHU5rmVJl/B2Jdt1AvTthGlXmAszN13jPb2F2S5TYUx47zWxszXlLOO0lw3pd0yqy6HYG2VjRbPa9Yfc77sOefpvNS0hN+z+gVzo9OSE9zEEI9P16A7z50frp2ccUuVZ/j7SelVUH2QOLj02afQwRsTQsyudFQzCT6lhnT9NfeWtHT0TnfUF1Rh2+n5btu/C2ebLY1PZSszIqTV/TWe1y/liVGARjK89S0RJA48MesXucH/gZ32lFThkJxH61zFMuJZedwBWWJrffbfy4zqQ0/6re1ShtixZo1QU2R7VvtjS+b3A21KPLcpdPfPRcoFRwe5NfwWemufA3BTAL6zLghrdQGWzVarZ5PcLQ+MDpap5t6TQ/+q3Z3H/T2vIDmAavF6aUYZXWzG22TDAblYBwWaTefgldTpq68zjAUC8xUZ/85vk2Y6iIZ8kqSaJ4NbZmK+pCFCHxbI3C0ftPicc1CJXlxGiniNANFrBZ106bD44X70YJo4O47Y89R1i7ZWD5OiizhVqBUVMFUUQq0qMNBwvcKjv4GEGoZDpLbYTffkUXESwqpmpZrMnA4gw0Hkhyw2EL/rE6dRF2Zo+YMe1B+9xqvc/8KgNvx42+zfHsUTcSfOj9eeyXpGdm8cdQoUrcPSDglnjLiYCTSeSwyM+mBaabPUT0whZ0W5JUkBoO0j95ruIC4pthFRBD1qzjB7HE9waVwCNd0zEL6AWcPXyjELmq1u19Nlb45n4iS6ym+gD9jrrY/QPtAOi6nODC0x7QoZckByCtJgHG9eTY2BNZ63k14PyFW4k3btNcPaaUkSAY1KNZLstDcBuyC6QWzTgEKFYri7AyT12YFJp2Epw5i+rwAyQ7qBcFCD9BSs976UUfaR5JYnZayoIp2f4Nbj11ZP1AKutoFtWcYqsudUVFMEzgLp7AoXJJMftRWMnGCoss+CNGWLCkkPuj78XB/Zi3LDNFd3fqhbEMfouYnZL7u49fYZHO9VCOA74dTA0V+3wlHiQoQzIjHH4UQPwCwL1Co+iikhl5rW+p/IxO7J1liZKaiad4JZeF50Sqfxed6Ev+HC7Vegw9HM6FikTeSTJwg0waYLt9r/Kf+naPmbPWI5n9fFn2lht45PgYk65cCN2stv4llHumdgAR5U98VoiKdevJCEloGNBoUvY443aK765mcNKiIrMJAeQlBu6nMa23BTtaQeb1CFSroSg2XnttFzkkS9Xh7Gt+O0HMdigNPBuYE0kohUER+wUFsr2eDeEa9REu/uleZBgIAdK1wARNp7bnllCRkhm2qtz/M9Ob3JnPrUM8fctGmIrIP7Ky6IjSWCCAFf2EmdU5bYKsYU60cp+caIeB/6dSVM5JE/BTs9+Ij1OvxRm6hf2p2NH+Wi3YVkQuAPtMhDhfyBXxRskWZVBhTLd/BdOq4KkWeSQM5IUnNopoyc739MXx4+lJ3RfDamo5V12e9UUXkDqr4WE/aaCw521Rlv3/agmmnxfNuTIbIKikRRNceCaFr7drgyzqvCSPrJKn326dWlFeiDpJWkvnvRLD7CL0ProihxYZP175ZMaWKZhPNq0coop04pnrcTKvfdeP3a3r/mSpEKSUhLSuVfz5xgjKf6feBIfHk3+mGQc06SSQmkadbOgT5UQ0GDwkUxaxhBzJbwc7+T3x7rL4rgTb3HkPdosfid72PM8wHKGqTjVgXADMIIch2ayc8P6WsVNmZpesEwyiIOLs93WuzTpIeof7GCJzW5vVEA1wfUsXBLQ7v8my3p4j8INQbvFVS5GNYeh3ZgBfthce9YoNVQhbSXRGQeC+2NLh1WEX0R9ZJQl5rZp/jYA58KYtYeSaHYJ+rTD2spaHpP9luSxH5A5nGW3yuB7BfnzLUbRmAjl4InZ7JDXKiuAdsTe+aPa5fcolRXKZkgcr+tWFj74n5ip9URG6xpqN3PopO5GT1s6FuSxS9KKEc1d7g0Z2+IhY5WwImgzuzz3U6B/ZAnK87VEFWpk0PJQt3U8TwAinGFrflQFCMAaZP3M4FelShHo0SSmHncQ/YGh+0+J1TgEFfbu8elK/u7untvK7d2d5RDDu39aHZ2fxlrd9eb2ASbRbq9fnIFr4VLPTrgC07Wa9ybpbS0uK51GyyjxUCvuvu6f3rsjm+tHY9ixg+aLd6vpq6ZGrtOOPEa3CAPJdBy7cAAAAAtklEQVSl6U2YBkgqeULt7pqfTZOmnJMkan59Yq7rKaKwEI2geHG93/6AJKTzUKH/LctdglHynHwBxasbUR9+Pds3L/xYwEUMa1DQCjycYVpsuhxKSg9DHZUCeZNZfaZ5E38QgjWDEI3dIP6RLBZYpiiSpIi8IBpI4hF6UUCQek/D7sDYdGB8FwFsMp7fDgSrZkCRVISBcgGj8NSDn7tQhurAsqsEE1+ByshT9e1AW/DtqM9MzvH/uFCgxBI9EGYAAAAASUVORK5CYII= + mediatype: image/png + maintainers: + - name: JFrog, Ltd + email: integrations@jfrog.com + install: + spec: + deployments: + - name: artifactory-ha-operator + spec: + replicas: 1 + selector: + matchLabels: + name: artifactory-ha-operator + strategy: {} + template: + metadata: + labels: + name: artifactory-ha-operator + spec: + containers: + - env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.annotations['olm.targetNamespaces'] + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: artifactory-ha-operator + - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY + value: quay.io/jfrog/artifactory-rh-pro + - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY + value: quay.io/jfrog/nginx-artifactory-rh-pro + - name: DATABASE_TYPE + value: OVERRIDE + - name: DATABASE_DRIVER + value: OVERRIDE + - name: DATABASE_URL + value: OVERRIDE + - name: DATABASE_USER + value: OVERRIDE + - name: DATABASE_PASSWORD + value: OVERRIDE + image: quay.io/jfrog/artifactory-ha-operator + imagePullPolicy: IfNotPresent + name: artifactory-ha-operator + resources: {} + serviceAccountName: artifactory-ha-operator + permissions: + - rules: + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - '*' + - apiGroups: + - "" + resources: + - events + verbs: + - create + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - artifactory-ha-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - apiGroups: + - charts.helm.k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + serviceAccountName: artifactory-ha-operator + strategy: deployment + installModes: + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - "DevOps" + - "CI/CD" + - "Developers" + - "Software" + - "Productivity" + - "Artifact Repository" + - "Repository Manager" + - "Docker" + - "Maven" + - "Git" + - "Helm" + - "npm" + - "go" + - "golang" + - "kubernetes" + - "k8s" + - "rpm" + - "yum" + maturity: alpha + replaces: artifactory-ha-operator.v0.0.0 + version: 1.0.0 diff --git a/Openshift4/artifactory-ha-operator/bundle/openshiftartifactoryha-operator.crd.yaml b/Openshift4/artifactory-ha-operator/bundle/openshiftartifactoryha-operator.crd.yaml new file mode 100644 index 0000000..17df5a1 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/bundle/openshiftartifactoryha-operator.crd.yaml @@ -0,0 +1,23 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: openshiftartifactoryhas.charts.helm.k8s.io +spec: + group: charts.helm.k8s.io + names: + kind: OpenshiftArtifactoryHa + listKind: OpenshiftArtifactoryHaList + plural: openshiftartifactoryhas + singular: openshiftartifactoryha + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true diff --git a/Openshift4/artifactory-ha-operator/bundle/openshiftartifactoryha-operator.package.yaml b/Openshift4/artifactory-ha-operator/bundle/openshiftartifactoryha-operator.package.yaml new file mode 100644 index 0000000..79968b8 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/bundle/openshiftartifactoryha-operator.package.yaml @@ -0,0 +1,4 @@ +packageName: openshiftartifactoryha-operator +channels: + - name: alpha + currentCSV: artifactory-ha-operator.v1.0.0 \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/deploy/catalogsourceconfig.yaml b/Openshift4/artifactory-ha-operator/deploy/catalogsourceconfig.yaml new file mode 100644 index 0000000..bcd0aa7 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/catalogsourceconfig.yaml @@ -0,0 +1,8 @@ +apiVersion: operators.coreos.com/v1 +kind: CatalogSourceConfig +metadata: + name: artifactory-ha-operator-csc + namespace: openshift-marketplace +spec: + targetNamespace: jfrog-artifactory + packages: artifactory-ha-operator diff --git a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml index bdc896e..54b7bf3 100644 --- a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml @@ -1,999 +1,97 @@ apiVersion: charts.helm.k8s.io/v1alpha1 kind: OpenshiftArtifactoryHa metadata: - name: artifactoryha + name: openshiftartifactoryha spec: - # Default values copied from /helm-charts/openshift-artifactory-ha/values.yaml - - access: + artifactory-ha: database: - maxOpenConnections: 80 - artifactory: - accessAdmin: - dataKey: null - ip: 127.0.0.1 - password: null - secret: null - annotations: {} - binarystore: - enabled: true - catalinaLoggers: [] - configMapName: null - configMaps: "" - copyOnEveryStartup: null - customInitContainers: "" - customInitContainersBegin: | - - name: "custom-setup" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - command: - - 'sh' - - '-c' - - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}' - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - name: volume - customPersistentPodVolumeClaim: {} - customPersistentVolumeClaim: {} - customSidecarContainers: "" - customVolumeMounts: "" - customVolumes: "" - database: - maxOpenConnections: 80 - deleteDBPropertiesOnStartup: true - externalArtifactoryPort: 8081 - externalPort: 8082 - haDataDir: - enabled: false - path: null - image: - pullPolicy: IfNotPresent - repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro - internalArtifactoryPort: 8081 - internalPort: 8082 - javaOpts: {} - joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE - license: - dataKey: artifactory.cluster.license - licenseKey: null - secret: artifactory-license - livenessProbe: - enabled: true - failureThreshold: 10 - initialDelaySeconds: 180 - path: /router/api/v1/system/health - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - loggers: [] - masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF - name: artifactory-ha - node: - affinity: {} - javaOpts: - corePoolSize: 16 - jmx: - accessFile: null - authenticate: false - enabled: false - host: null - passwordFile: null - port: 9010 - ssl: false - labels: {} - minAvailable: 1 - name: artifactory-ha-member - nodeSelector: {} - persistence: - existingClaim: false - podAntiAffinity: - topologyKey: kubernetes.io/hostname - type: "" - replicaCount: 1 - resources: {} - tolerations: [] - waitForPrimaryStartup: - enabled: true - time: 60 - persistence: - accessMode: ReadWriteOnce - awsS3: - bucketName: artifactory-ha-aws - credential: null - endpoint: null - httpsOnly: true - identity: null - path: artifactory-ha/filestore - properties: {} - refreshCredentials: true - region: null - roleName: null - s3AwsVersion: AWS4-HMAC-SHA256 - testConnection: false - awsS3V3: - bucketName: artifactory-aws - cloudFrontDomainName: null - cloudFrontKeyPairId: null - cloudFrontPrivateKey: null - credential: null - endpoint: null - identity: null - kmsCryptoMode: null - kmsKeyRegion: null - kmsServerSideEncryptionKeyId: null - path: artifactory/filestore - region: null - signatureExpirySeconds: 300 - testConnection: false - useInstanceCredentials: true - usePresigning: false - azureBlob: - accountKey: null - accountName: null - containerName: null - endpoint: null - testConnection: false - binarystoreXml: | - {{- if eq .Values.artifactory.persistence.type "file-system" }} - - {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - - - - - - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} - - {{- end }} - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - // Specify the read and write strategy and redundancy for the sharding binary provider - - roundRobin - percentageFreeSpace - 2 - - - {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}} - //For each sub-provider (mount), specify the filestore location - - filestore{{ $sharedClaimNumber }} - - {{- end }} - - {{- else }} - - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - 2 - 2 - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - - shard-fs-1 - local - - - - - 30 - tester-remote1 - 10000 - remote - - - - {{- end }} - {{- end }} - {{- if eq .Values.artifactory.persistence.type "google-storage" }} - - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - 2 - - - - - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - local - - - - 30 - 10000 - remote - - - - {{ .Values.artifactory.persistence.mountPath }}/data/filestore - /tmp - - - - google-cloud-storage - {{ .Values.artifactory.persistence.googleStorage.endpoint }} - {{ .Values.artifactory.persistence.googleStorage.httpsOnly }} - {{ .Values.artifactory.persistence.googleStorage.bucketName }} - {{ .Values.artifactory.persistence.googleStorage.identity }} - {{ .Values.artifactory.persistence.googleStorage.credential }} - {{ .Values.artifactory.persistence.googleStorage.path }} - {{ .Values.artifactory.persistence.googleStorage.bucketExists }} - - - {{- end }} - {{- if eq .Values.artifactory.persistence.type "aws-s3-v3" }} - - - - - - - - - - - - - - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - - - - - remote - - - - local - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - {{- with .Values.artifactory.persistence.awsS3V3 }} - - {{ .testConnection }} - {{- if .identity }} - {{ .identity }} - {{- end }} - {{- if .credential }} - {{ .credential }} - {{- end }} - {{ .region }} - {{ .bucketName }} - {{ .path }} - {{ .endpoint }} - {{- with .kmsServerSideEncryptionKeyId }} - {{ . }} - {{- end }} - {{- with .kmsKeyRegion }} - {{ . }} - {{- end }} - {{- with .kmsCryptoMode }} - {{ . }} - {{- end }} - true - {{ .usePresigning }} - {{ .signatureExpirySeconds }} - {{- with .cloudFrontDomainName }} - {{ . }} - {{- end }} - {{- with .cloudFrontKeyPairId }} - {{ .cloudFrontKeyPairId }} - {{- end }} - {{- with .cloudFrontPrivateKey }} - {{ . }} - {{- end }} - - {{- end }} - - {{- end }} - - {{- if eq .Values.artifactory.persistence.type "aws-s3" }} - - - - - - - - - - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - local - - - - 30 - 10000 - remote - - - - crossNetworkStrategy - crossNetworkStrategy - {{ .Values.artifactory.persistence.redundancy }} - - - - - {{ .Values.artifactory.persistence.awsS3.endpoint }} - {{- if .Values.artifactory.persistence.awsS3.roleName }} - {{ .Values.artifactory.persistence.awsS3.roleName }} - true - {{- else }} - {{ .Values.artifactory.persistence.awsS3.refreshCredentials }} - {{- end }} - {{ .Values.artifactory.persistence.awsS3.s3AwsVersion }} - {{ .Values.artifactory.persistence.awsS3.testConnection }} - {{ .Values.artifactory.persistence.awsS3.httpsOnly }} - {{ .Values.artifactory.persistence.awsS3.region }} - {{ .Values.artifactory.persistence.awsS3.bucketName }} - {{- if .Values.artifactory.persistence.awsS3.identity }} - {{ .Values.artifactory.persistence.awsS3.identity }} - {{- end }} - {{- if .Values.artifactory.persistence.awsS3.credential }} - {{ .Values.artifactory.persistence.awsS3.credential }} - {{- end }} - {{ .Values.artifactory.persistence.awsS3.path }} - {{- range $key, $value := .Values.artifactory.persistence.awsS3.properties }} - - {{- end }} - - - {{- end }} - {{- if eq .Values.artifactory.persistence.type "azure-blob" }} - - - - - - - - - - - - - - - - - - {{ .Values.artifactory.persistence.maxCacheSize }} - {{ .Values.artifactory.persistence.cacheProviderDir }} - - - - - crossNetworkStrategy - crossNetworkStrategy - 2 - 1 - - - - - remote - - - - local - - - - - {{ .Values.artifactory.persistence.azureBlob.accountName }} - {{ .Values.artifactory.persistence.azureBlob.accountKey }} - {{ .Values.artifactory.persistence.azureBlob.endpoint }} - {{ .Values.artifactory.persistence.azureBlob.containerName }} - {{ .Values.artifactory.persistence.azureBlob.testConnection }} - - - {{- end }} - cacheProviderDir: cache - customBinarystoreXmlSecret: null - enabled: true - eventual: - numberOfThreads: 10 - fileSystem: - existingSharedClaim: - backupDir: /var/opt/jfrog/artifactory-backup - dataDir: '{{ .Values.artifactory.persistence.mountPath }}/artifactory-data' - enabled: false - numberOfExistingClaims: 1 - googleStorage: - bucketExists: false - bucketName: artifactory-ha-gcp - credential: null - endpoint: storage.googleapis.com - httpsOnly: false - identity: null - path: artifactory-ha/filestore - local: false - maxCacheSize: 50000000000 - mountPath: /var/opt/jfrog/artifactory - nfs: - backupDir: /var/opt/jfrog/artifactory-backup - capacity: 200Gi - dataDir: /var/opt/jfrog/artifactory-ha - haBackupMount: /backup - haDataMount: /data - ip: null - mountOptions: [] - redundancy: 3 - size: 200Gi - type: file-system - primary: - affinity: {} - javaOpts: - corePoolSize: 16 - jmx: - accessFile: null - authenticate: false - enabled: false - host: null - passwordFile: null - port: 9010 - ssl: false - labels: {} - name: artifactory-ha-primary - nodeSelector: {} - persistence: - existingClaim: false - podAntiAffinity: - topologyKey: kubernetes.io/hostname - type: "" - resources: {} - tolerations: [] - priorityClass: - create: false - value: 1000000000 - readinessProbe: - enabled: true - failureThreshold: 10 - initialDelaySeconds: 60 - path: /router/api/v1/system/health - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - service: - annotations: {} - loadBalancerSourceRanges: [] - name: artifactory - pool: members - type: ClusterIP - systemYaml: | - shared: - extraJavaOpts: > - {{- with .Values.artifactory.primary.javaOpts }} - -Dartifactory.async.corePoolSize={{ .corePoolSize }} - {{- if .xms }} - -Xms{{ .xms }} - {{- end }} - {{- if .xmx }} - -Xmx{{ .xmx }} - {{- end }} - {{- if .jmx.enabled }} - -Dcom.sun.management.jmxremote - -Dcom.sun.management.jmxremote.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} - {{- if .jmx.host }} - -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} - {{- else }} - -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} - {{- end }} - {{- if .jmx.authenticate }} - -Dcom.sun.management.jmxremote.authenticate=true - -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} - -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} - {{- else }} - -Dcom.sun.management.jmxremote.authenticate=false - {{- end }} - {{- end }} - {{- if .other }} - {{ .other }} - {{- end }} - {{- end }} - database: - {{- if .Values.postgresql.enabled }} - type: postgresql - url: 'jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}' - host: '' - driver: org.postgresql.Driver - username: '{{ .Values.postgresql.postgresqlUsername }}' - password: '{{ .Values.postgresql.postgresqlPassword }}' - {{ else }} - type: '{{ .Values.database.type }}' - url: '{{ .Values.database.url }}' - driver: '{{ .Values.database.driver }}' - username: '{{ .Values.database.user }}' - password: '{{ .Values.database.password }}' - {{- end }} - security: - joinKey: '{{ .Values.artifactory.joinKey }}' - masterKey: '{{ .Values.artifactory.masterKey }}' - artifactory: - {{- if .Values.artifactory.haDataDir.enabled }} - node: - haDataDir: {{ .Values.artifactory.haDataDir.path }} - {{- end }} - database: - maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} - access: - database: - maxOpenConnections: '{{ .Values.access.database.maxOpenConnections }}' - {{- if .Values.access.database.enabled }} - type: '{{ .Values.access.database.type }}' - url: '{{ .Values.access.database.url }}' - driver: '{{ .Values.access.database.driver }}' - username: '{{ .Values.access.database.user }}' - password: '{{ .Values.access.database.password }}' - {{- end }} - terminationGracePeriodSeconds: 30 - uid: 1030 - userPluginSecrets: null - database: - driver: null - password: null - secrets: {} - type: null - url: null - user: null - filebeat: - enabled: false - filebeatYml: | - logging.level: info - path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat - name: artifactory-filebeat - queue.spool: ~ - filebeat.inputs: - - type: log - enabled: true - close_eof: ${CLOSE:false} - paths: - - {{ .Values.artifactory.persistence.mountPath }}/log/*.log - fields: - service: "jfrt" - log_type: "artifactory" - output: - logstash: - hosts: ["{{ .Values.filebeat.logstashUrl }}"] - image: - repository: docker.elastic.co/beats/filebeat - version: 7.5.1 - livenessProbe: - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - curl --fail 127.0.0.1:5066 - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - logstashUrl: logstash:5044 - name: artifactory-filebeat - readinessProbe: - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - filebeat test output - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - resources: {} - terminationGracePeriod: 10 - imagePullSecrets: null - ingress: - additionalRules: [] - annotations: {} - artifactoryPath: /artifactory/ - defaultBackend: - enabled: true - enabled: false - hosts: [] - labels: {} - routerPath: / - tls: [] - initContainerImage: alpine:3.10 - initContainers: - resources: {} - installer: - platform: null - type: null - logger: - image: - repository: busybox - tag: "1.30" - networkpolicy: - - egress: - - {} - ingress: - - {} - name: artifactory - podSelector: - matchLabels: - app: artifactory-ha - nginx: - affinity: {} - artifactoryConf: | - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; - ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; - ssl_session_cache shared:SSL:1m; - ssl_prefer_server_ciphers on; - ## server configuration - server { - {{- if .Values.nginx.internalPortHttps }} - listen {{ .Values.nginx.internalPortHttps }} ssl; - {{- else -}} - {{- if .Values.nginx.https.enabled }} - listen {{ .Values.nginx.https.internalPort }} ssl; - {{- end }} - {{- end }} - {{- if .Values.nginx.internalPortHttp }} - listen {{ .Values.nginx.internalPortHttp }}; - {{- else -}} - {{- if .Values.nginx.http.enabled }} - listen {{ .Values.nginx.http.internalPort }}; - {{- end }} - {{- end }} - server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} - {{- range .Values.ingress.hosts -}} - {{- if contains "." . -}} - {{ "" | indent 0 }} ~(?.+)\.{{ (splitn "." 2 .)._1 }} {{ . }} - {{- end -}} - {{- end -}}; - - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - ## access_log /var/log/nginx/artifactory-access.log timing; - ## error_log /var/log/nginx/artifactory-error.log; - rewrite ^/artifactory/?$ / redirect; - if ( $repo != "" ) { - rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; - } - chunked_transfer_encoding on; - client_max_body_size 0; - - location / { - proxy_read_timeout 900; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/; - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location /artifactory/ { - if ( $request_uri ~ ^/artifactory/(.*)$ ) { - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; - } - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; - } - } - } - customArtifactoryConfigMap: null - customConfigMap: null - enabled: true - tlsSecretName: tls-ingress - gid: 107 - http: - enabled: true - externalPort: 80 - internalPort: 80 - https: - enabled: true - externalPort: 443 - internalPort: 443 - image: - pullPolicy: IfNotPresent - #repository: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro - repository: registry.redhat.io/rhel8/nginx-116 - labels: {} - livenessProbe: - enabled: true - failureThreshold: 10 - initialDelaySeconds: 60 - path: /router/api/v1/system/health - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - loggers: [] - mainConf: | - # Main Nginx configuration file - worker_processes 4; - error_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - variables_hash_max_size 1024; - variables_hash_bucket_size 64; - server_names_hash_max_size 4096; - server_names_hash_bucket_size 128; - types_hash_max_size 2048; - types_hash_bucket_size 64; - proxy_read_timeout 2400s; - client_header_timeout 2400s; - client_body_timeout 2400s; - proxy_connect_timeout 75s; - proxy_send_timeout 2400s; - proxy_buffer_size 32k; - proxy_buffers 40 32k; - proxy_busy_buffers_size 64k; - proxy_temp_file_write_size 250m; - proxy_http_version 1.1; - client_body_buffer_size 128k; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - log_format timing 'ip = $remote_addr ' - 'user = \"$remote_user\" ' - 'local_time = \"$time_local\" ' - 'host = $host ' - 'request = \"$request\" ' - 'status = $status ' - 'bytes = $body_bytes_sent ' - 'upstream = \"$upstream_addr\" ' - 'upstream_time = $upstream_response_time ' - 'request_time = $request_time ' - 'referer = \"$http_referer\" ' - 'UA = \"$http_user_agent\"'; - access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; - sendfile on; - #tcp_nopush on; - keepalive_timeout 65; - #gzip on; - include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf; - } - name: nginx - nodeSelector: {} - persistence: - accessMode: ReadWriteOnce - enabled: false - mountPath: /var/opt/jfrog/nginx - size: 5Gi - readinessProbe: - enabled: true - failureThreshold: 10 - initialDelaySeconds: 10 - path: /router/api/v1/system/health - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - replicaCount: 1 - resources: {} - service: - externalTrafficPolicy: Cluster - labels: {} - loadBalancerIP: null - loadBalancerSourceRanges: [] - type: LoadBalancer - tolerations: [] - uid: 104 - postgresql: - enabled: true - extraEnv: [] - global: - postgresql: {} - image: - debug: false - pullPolicy: IfNotPresent - registry: docker.bintray.io - repository: bitnami/postgresql - tag: 9.6.15-debian-9-r91 - livenessProbe: - enabled: true - failureThreshold: 6 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - master: - affinity: {} - annotations: {} - extraVolumeMounts: [] - extraVolumes: [] - labels: {} - nodeSelector: {} - podAnnotations: {} - podLabels: {} - tolerations: [] - metrics: - enabled: false + driver: OVERRIDE + password: OVERRIDE + type: OVERRIDE + url: OVERRIDE + user: OVERRIDE + artifactory: + customInitContainersBegin: | + - name: "redhat-custom-setup" + #image: "{{ .Values.initContainerImage }}" + image: {{ index .Values "initContainerImage" }} + imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + command: + - 'sh' + - '-c' + - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}' + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: volume image: - pullPolicy: IfNotPresent - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.6.0-debian-9-r0 - livenessProbe: - enabled: true - failureThreshold: 6 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - enabled: true - failureThreshold: 6 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - securityContext: - enabled: false - runAsUser: 1001 - service: - annotations: - prometheus.io/port: "9187" - prometheus.io/scrape: "true" - loadBalancerIP: null - type: ClusterIP - serviceMonitor: - additionalLabels: {} - enabled: false - networkPolicy: - allowExternal: true - enabled: false - nodeSelector: {} - persistence: - accessModes: - - ReadWriteOnce - annotations: {} - enabled: true - mountPath: /bitnami/postgresql - size: 50Gi - subPath: "" - postgresqlConfiguration: - listenAddresses: '''*''' - maxConnections: "1500" - postgresqlDataDir: /bitnami/postgresql/data - postgresqlDatabase: artifactory - postgresqlPassword: "" - postgresqlUsername: artifactory - readinessProbe: - enabled: true - failureThreshold: 6 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - replication: - applicationName: my_application - enabled: false - numSynchronousReplicas: 0 - password: repl_password - slaveReplicas: 1 - synchronousCommit: "off" - user: repl_user - resources: - requests: - cpu: 250m - memory: 256Mi - securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - service: - annotations: {} - port: 5432 - type: ClusterIP - serviceAccount: - enabled: false - slave: - affinity: {} - annotations: {} - extraVolumeMounts: [] - extraVolumes: [] - labels: {} - nodeSelector: {} - podAnnotations: {} - podLabels: {} - tolerations: [] - updateStrategy: - type: RollingUpdate - volumePermissions: - enabled: true + repository: quay.io/jfrog/artifactory-rh-pro + node: + waitForPrimaryStartup: + enabled: false + initContainerImage: registry.redhat.io/ubi8-minimal + installerInfo: '{ "productId": "Openshift_artifactory-ha/{{ .Chart.Version }}", "features": [ { "featureId": "ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}" }, { "featureId": "{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default \"derby\" .Values.database.type }}{{ end }}/0.0.0" }, { "featureId": "Platform/{{ default \"openshift\" .Values.installer.platform }}" }, { "featureId": "Partner/ACC-006983" }, { "featureId": "Channel/Openshift" } ] }' + nginx: + http: + externalPort: 80 + internalPort: 8080 + https: + externalPort: 443 + internalPort: 8443 image: - pullPolicy: Always - registry: docker.io - repository: bitnami/minideb - tag: stretch - securityContext: - runAsUser: 0 - rbac: - create: true - role: - rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - pods - verbs: - - get - - watch - - list - serviceAccount: - annotations: {} - create: true - name: null - waitForDatabase: true + repository: quay.io/jfrog/nginx-artifactory-rh-pro + mainConf: | + # Main Nginx configuration file + worker_processes 4; + error_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 32k; + proxy_buffers 40 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + log_format timing 'ip = $remote_addr ' + 'user = \"$remote_user\" ' + 'local_time = \"$time_local\" ' + 'host = $host ' + 'request = \"$request\" ' + 'status = $status ' + 'bytes = $body_bytes_sent ' + 'upstream = \"$upstream_addr\" ' + 'upstream_time = $upstream_response_time ' + 'request_time = $request_time ' + 'referer = \"$http_referer\" ' + 'UA = \"$http_user_agent\"'; + access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; + sendfile on; + #tcp_nopush on; + keepalive_timeout 65; + #gzip on; + include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf; + } + postgresql: + enabled: false + waitForDatabase: false diff --git a/Openshift4/artifactory-ha-operator/deploy/imagestream-nginx.yaml b/Openshift4/artifactory-ha-operator/deploy/imagestream-nginx.yaml deleted file mode 100644 index a0ef6b3..0000000 --- a/Openshift4/artifactory-ha-operator/deploy/imagestream-nginx.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: nginx-artifactory-pro - namespace: jfrog-artifactory - diff --git a/Openshift4/artifactory-ha-operator/deploy/imagestream-operator.yaml b/Openshift4/artifactory-ha-operator/deploy/imagestream-operator.yaml deleted file mode 100644 index 12d9a2f..0000000 --- a/Openshift4/artifactory-ha-operator/deploy/imagestream-operator.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: artifactory-ha - namespace: jfrog-artifactory - diff --git a/Openshift4/artifactory-ha-operator/deploy/imagestream-pro.yaml b/Openshift4/artifactory-ha-operator/deploy/imagestream-pro.yaml deleted file mode 100644 index 4c4ba85..0000000 --- a/Openshift4/artifactory-ha-operator/deploy/imagestream-pro.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: image.openshift.io/v1 -kind: ImageStream -metadata: - name: artifactory-pro - namespace: jfrog-artifactory - diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 2876eaf..befdf1a 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -8,598 +8,103 @@ metadata: "apiVersion": "charts.helm.k8s.io/v1alpha1", "kind": "OpenshiftArtifactoryHa", "metadata": { - "name": "artifactoryha" + "name": "osartifactoryha" }, "spec": { - "access": { - "database": { - "maxOpenConnections": 80 - } - }, - "artifactory": { - "accessAdmin": { - "dataKey": null, - "ip": "127.0.0.1", - "password": null, - "secret": null - }, - "annotations": {}, - "binarystore": { - "enabled": true - }, - "catalinaLoggers": [], - "configMapName": null, - "configMaps": "", - "copyOnEveryStartup": null, - "customInitContainers": "", - "customInitContainersBegin": "- name: \"custom-setup\"\n image: \"{{ .Values.initContainerImage }}\"\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", - "customPersistentPodVolumeClaim": {}, - "customPersistentVolumeClaim": {}, - "customSidecarContainers": "", - "customVolumeMounts": "", - "customVolumes": "", - "database": { - "maxOpenConnections": 80 - }, - "deleteDBPropertiesOnStartup": true, - "externalArtifactoryPort": 8081, - "externalPort": 8082, - "haDataDir": { - "enabled": false, - "path": null - }, - "image": { - "pullPolicy": "IfNotPresent", - "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro" - }, - "internalArtifactoryPort": 8081, - "internalPort": 8082, - "javaOpts": {}, - "joinKey": "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE", - "license": { - "dataKey": "artifactory.cluster.license", - "licenseKey": null, - "secret": "artifactory-license" - }, - "livenessProbe": { - "enabled": true, - "failureThreshold": 10, - "initialDelaySeconds": 180, - "path": "/router/api/v1/system/health", - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 10 - }, - "loggers": [], - "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", - "name": "artifactory-ha", - "node": { - "affinity": {}, - "javaOpts": { - "corePoolSize": 16, - "jmx": { - "accessFile": null, - "authenticate": false, - "enabled": false, - "host": null, - "passwordFile": null, - "port": 9010, - "ssl": false - } - }, - "labels": {}, - "minAvailable": 1, - "name": "artifactory-ha-member", - "nodeSelector": {}, - "persistence": { - "existingClaim": false - }, - "podAntiAffinity": { - "topologyKey": "kubernetes.io/hostname", - "type": "" - }, - "replicaCount": 1, - "resources": {}, - "tolerations": [], - "waitForPrimaryStartup": { - "enabled": true, - "time": 60 - } - }, - "persistence": { - "accessMode": "ReadWriteOnce", - "awsS3": { - "bucketName": "artifactory-ha-aws", - "credential": null, - "endpoint": null, - "httpsOnly": true, - "identity": null, - "path": "artifactory-ha/filestore", - "properties": {}, - "refreshCredentials": true, - "region": null, - "roleName": null, - "s3AwsVersion": "AWS4-HMAC-SHA256", - "testConnection": false - }, - "awsS3V3": { - "bucketName": "artifactory-aws", - "cloudFrontDomainName": null, - "cloudFrontKeyPairId": null, - "cloudFrontPrivateKey": null, - "credential": null, - "endpoint": null, - "identity": null, - "kmsCryptoMode": null, - "kmsKeyRegion": null, - "kmsServerSideEncryptionKeyId": null, - "path": "artifactory/filestore", - "region": null, - "signatureExpirySeconds": 300, - "testConnection": false, - "useInstanceCredentials": true, - "usePresigning": false - }, - "azureBlob": { - "accountKey": null, - "accountName": null, - "containerName": null, - "endpoint": null, - "testConnection": false - }, - "binarystoreXml": "{{- if eq .Values.artifactory.persistence.type \"file-system\" }}\n\u003c!-- File system replication --\u003e\n{{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }}\n\u003c!-- File Storage - Dynamic for Artifactory files, pre-created for DATA and BACKUP --\u003e\n\u003cconfig version=\"4\"\u003e\n \u003cchain\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e \u003c!-- This is a cached filestore --\u003e\n \u003cprovider id=\"sharding\" type=\"sharding\"\u003e \u003c!-- This is a sharding provider --\u003e\n {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}}\n \u003csub-provider id=\"shard{{ $sharedClaimNumber }}\" type=\"state-aware\"/\u003e\n {{- end }}\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n // Specify the read and write strategy and redundancy for the sharding binary provider\n \u003cprovider id=\"sharding\" type=\"sharding\"\u003e\n \u003creadBehavior\u003eroundRobin\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003epercentageFreeSpace\u003c/writeBehavior\u003e\n \u003credundancy\u003e2\u003c/redundancy\u003e\n \u003c/provider\u003e\n\n {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) -}}\n //For each sub-provider (mount), specify the filestore location\n \u003cprovider id=\"shard{{ $sharedClaimNumber }}\" type=\"state-aware\"\u003e\n \u003cfileStoreDir\u003efilestore{{ $sharedClaimNumber }}\u003c/fileStoreDir\u003e\n \u003c/provider\u003e\n {{- end }}\n\u003c/config\u003e\n{{- else }}\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e{{ .Values.artifactory.persistence.redundancy }}\u003c/redundancy\u003e\n \u003clenientLimit\u003e2\u003c/lenientLimit\u003e\n \u003cminSpareUploaderExecutor\u003e2\u003c/minSpareUploaderExecutor\u003e\n \u003csub-provider id=\"state-aware\" type=\"state-aware\"/\u003e\n \u003cdynamic-provider id=\"remote\" type=\"remote\"/\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n \u003c!-- Shards add local file-system provider configuration --\u003e\n \u003cprovider id=\"state-aware\" type=\"state-aware\"\u003e\n \u003cfileStoreDir\u003eshard-fs-1\u003c/fileStoreDir\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003c!-- Shards dynamic remote provider configuration --\u003e\n \u003cprovider id=\"remote\" type=\"remote\"\u003e\n \u003ccheckPeriod\u003e30\u003c/checkPeriod\u003e\n \u003cserviceId\u003etester-remote1\u003c/serviceId\u003e\n \u003ctimeout\u003e10000\u003c/timeout\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003cproperty name=\"header.remote.block\" value=\"true\"/\u003e\n \u003c/provider\u003e\n\u003c/config\u003e\n{{- end }}\n{{- end }}\n{{- if eq .Values.artifactory.persistence.type \"google-storage\" }}\n\u003c!-- Google storage --\u003e\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e{{ .Values.artifactory.persistence.redundancy }}\u003c/redundancy\u003e\n \u003cminSpareUploaderExecutor\u003e2\u003c/minSpareUploaderExecutor\u003e\n \u003csub-provider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003cprovider id=\"retry\" type=\"retry\"\u003e\n \u003cprovider id=\"google-storage\" type=\"google-storage\"/\u003e\n \u003c/provider\u003e\n \u003c/sub-provider\u003e\n \u003cdynamic-provider id=\"remote\" type=\"remote\"/\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003c!-- Set max cache-fs size --\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"remote\" type=\"remote\"\u003e\n \u003ccheckPeriod\u003e30\u003c/checkPeriod\u003e\n \u003ctimeout\u003e10000\u003c/timeout\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"file-system\" type=\"file-system\"\u003e\n \u003cfileStoreDir\u003e{{ .Values.artifactory.persistence.mountPath }}/data/filestore\u003c/fileStoreDir\u003e\n \u003ctempDir\u003e/tmp\u003c/tempDir\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"google-storage\" type=\"google-storage\"\u003e\n \u003cproviderId\u003egoogle-cloud-storage\u003c/providerId\u003e\n \u003cendpoint\u003e{{ .Values.artifactory.persistence.googleStorage.endpoint }}\u003c/endpoint\u003e\n \u003chttpsOnly\u003e{{ .Values.artifactory.persistence.googleStorage.httpsOnly }}\u003c/httpsOnly\u003e\n \u003cbucketName\u003e{{ .Values.artifactory.persistence.googleStorage.bucketName }}\u003c/bucketName\u003e\n \u003cidentity\u003e{{ .Values.artifactory.persistence.googleStorage.identity }}\u003c/identity\u003e\n \u003ccredential\u003e{{ .Values.artifactory.persistence.googleStorage.credential }}\u003c/credential\u003e\n \u003cpath\u003e{{ .Values.artifactory.persistence.googleStorage.path }}\u003c/path\u003e\n \u003cbucketExists\u003e{{ .Values.artifactory.persistence.googleStorage.bucketExists }}\u003c/bucketExists\u003e\n \u003c/provider\u003e\n\u003c/config\u003e\n{{- end }}\n{{- if eq .Values.artifactory.persistence.type \"aws-s3-v3\" }}\n\u003c!-- AWS S3 V3 --\u003e\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e \u003c!--template=\"cluster-s3-storage-v3\"--\u003e\n \u003cprovider id=\"cache-fs-eventual-s3\" type=\"cache-fs\"\u003e\n \u003cprovider id=\"sharding-cluster-eventual-s3\" type=\"sharding-cluster\"\u003e\n \u003csub-provider id=\"eventual-cluster-s3\" type=\"eventual-cluster\"\u003e\n \u003cprovider id=\"retry-s3\" type=\"retry\"\u003e\n \u003cprovider id=\"s3-storage-v3\" type=\"s3-storage-v3\"/\u003e\n \u003c/provider\u003e\n \u003c/sub-provider\u003e\n \u003cdynamic-provider id=\"remote-s3\" type=\"remote\"/\u003e\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003cprovider id=\"sharding-cluster-eventual-s3\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e{{ .Values.artifactory.persistence.redundancy }}\u003c/redundancy\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"remote-s3\" type=\"remote\"\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"eventual-cluster-s3\" type=\"eventual-cluster\"\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003c!-- Set max cache-fs size --\u003e\n \u003cprovider id=\"cache-fs-eventual-s3\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n {{- with .Values.artifactory.persistence.awsS3V3 }}\n \u003cprovider id=\"s3-storage-v3\" type=\"s3-storage-v3\"\u003e\n \u003ctestConnection\u003e{{ .testConnection }}\u003c/testConnection\u003e\n {{- if .identity }}\n \u003cidentity\u003e{{ .identity }}\u003c/identity\u003e\n {{- end }}\n {{- if .credential }}\n \u003ccredential\u003e{{ .credential }}\u003c/credential\u003e\n {{- end }}\n \u003cregion\u003e{{ .region }}\u003c/region\u003e\n \u003cbucketName\u003e{{ .bucketName }}\u003c/bucketName\u003e\n \u003cpath\u003e{{ .path }}\u003c/path\u003e\n \u003cendpoint\u003e{{ .endpoint }}\u003c/endpoint\u003e\n {{- with .kmsServerSideEncryptionKeyId }}\n \u003ckmsServerSideEncryptionKeyId\u003e{{ . }}\u003c/kmsServerSideEncryptionKeyId\u003e\n {{- end }}\n {{- with .kmsKeyRegion }}\n \u003ckmsKeyRegion\u003e{{ . }}\u003c/kmsKeyRegion\u003e\n {{- end }}\n {{- with .kmsCryptoMode }}\n \u003ckmsCryptoMode\u003e{{ . }}\u003c/kmsCryptoMode\u003e\n {{- end }}\n \u003cuseInstanceCredentials\u003etrue\u003c/useInstanceCredentials\u003e\n \u003cusePresigning\u003e{{ .usePresigning }}\u003c/usePresigning\u003e\n \u003csignatureExpirySeconds\u003e{{ .signatureExpirySeconds }}\u003c/signatureExpirySeconds\u003e\n {{- with .cloudFrontDomainName }}\n \u003ccloudFrontDomainName\u003e{{ . }}\u003c/cloudFrontDomainName\u003e\n {{- end }}\n {{- with .cloudFrontKeyPairId }}\n \u003ccloudFrontKeyPairId\u003e{{ .cloudFrontKeyPairId }}\u003c/cloudFrontKeyPairId\u003e\n {{- end }}\n {{- with .cloudFrontPrivateKey }}\n \u003ccloudFrontPrivateKey\u003e{{ . }}\u003c/cloudFrontPrivateKey\u003e\n {{- end }}\n \u003c/provider\u003e\n {{- end }}\n\u003c/config\u003e\n{{- end }}\n\n{{- if eq .Values.artifactory.persistence.type \"aws-s3\" }}\n\u003c!-- AWS S3 --\u003e\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e \u003c!--template=\"cluster-s3\"--\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003csub-provider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003cprovider id=\"retry-s3\" type=\"retry\"\u003e\n \u003cprovider id=\"s3\" type=\"s3\"/\u003e\n \u003c/provider\u003e\n \u003c/sub-provider\u003e\n \u003cdynamic-provider id=\"remote\" type=\"remote\"/\u003e\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003c!-- Set max cache-fs size --\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"remote\" type=\"remote\"\u003e\n \u003ccheckPeriod\u003e30\u003c/checkPeriod\u003e\n \u003ctimeout\u003e10000\u003c/timeout\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e{{ .Values.artifactory.persistence.redundancy }}\u003c/redundancy\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"s3\" type=\"s3\"\u003e\n \u003cendpoint\u003e{{ .Values.artifactory.persistence.awsS3.endpoint }}\u003c/endpoint\u003e\n {{- if .Values.artifactory.persistence.awsS3.roleName }}\n \u003croleName\u003e{{ .Values.artifactory.persistence.awsS3.roleName }}\u003c/roleName\u003e\n \u003crefreshCredentials\u003etrue\u003c/refreshCredentials\u003e\n {{- else }}\n \u003crefreshCredentials\u003e{{ .Values.artifactory.persistence.awsS3.refreshCredentials }}\u003c/refreshCredentials\u003e\n {{- end }}\n \u003cs3AwsVersion\u003e{{ .Values.artifactory.persistence.awsS3.s3AwsVersion }}\u003c/s3AwsVersion\u003e\n \u003ctestConnection\u003e{{ .Values.artifactory.persistence.awsS3.testConnection }}\u003c/testConnection\u003e\n \u003chttpsOnly\u003e{{ .Values.artifactory.persistence.awsS3.httpsOnly }}\u003c/httpsOnly\u003e\n \u003cregion\u003e{{ .Values.artifactory.persistence.awsS3.region }}\u003c/region\u003e\n \u003cbucketName\u003e{{ .Values.artifactory.persistence.awsS3.bucketName }}\u003c/bucketName\u003e\n {{- if .Values.artifactory.persistence.awsS3.identity }}\n \u003cidentity\u003e{{ .Values.artifactory.persistence.awsS3.identity }}\u003c/identity\u003e\n {{- end }}\n {{- if .Values.artifactory.persistence.awsS3.credential }}\n \u003ccredential\u003e{{ .Values.artifactory.persistence.awsS3.credential }}\u003c/credential\u003e\n {{- end }}\n \u003cpath\u003e{{ .Values.artifactory.persistence.awsS3.path }}\u003c/path\u003e\n {{- range $key, $value := .Values.artifactory.persistence.awsS3.properties }}\n \u003cproperty name=\"{{ $key }}\" value=\"{{ $value }}\"/\u003e\n {{- end }}\n \u003c/provider\u003e\n\u003c/config\u003e\n{{- end }}\n{{- if eq .Values.artifactory.persistence.type \"azure-blob\" }}\n\u003c!-- Azure Blob Storage --\u003e\n\u003cconfig version=\"2\"\u003e\n \u003cchain\u003e \u003c!--template=\"cluster-azure-blob-storage\"--\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003csub-provider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003cprovider id=\"retry-azure-blob-storage\" type=\"retry\"\u003e\n \u003cprovider id=\"azure-blob-storage\" type=\"azure-blob-storage\"/\u003e\n \u003c/provider\u003e\n \u003c/sub-provider\u003e\n \u003cdynamic-provider id=\"remote\" type=\"remote\"/\u003e\n \u003c/provider\u003e\n \u003c/provider\u003e\n \u003c/chain\u003e\n\n \u003c!-- Set max cache-fs size --\u003e\n \u003cprovider id=\"cache-fs\" type=\"cache-fs\"\u003e\n \u003cmaxCacheSize\u003e{{ .Values.artifactory.persistence.maxCacheSize }}\u003c/maxCacheSize\u003e\n \u003ccacheProviderDir\u003e{{ .Values.artifactory.persistence.cacheProviderDir }}\u003c/cacheProviderDir\u003e\n \u003c/provider\u003e\n\n \u003c!-- cluster eventual Azure Blob Storage Service default chain --\u003e\n \u003cprovider id=\"sharding-cluster\" type=\"sharding-cluster\"\u003e\n \u003creadBehavior\u003ecrossNetworkStrategy\u003c/readBehavior\u003e\n \u003cwriteBehavior\u003ecrossNetworkStrategy\u003c/writeBehavior\u003e\n \u003credundancy\u003e2\u003c/redundancy\u003e\n \u003clenientLimit\u003e1\u003c/lenientLimit\u003e\n \u003cproperty name=\"zones\" value=\"local,remote\"/\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"remote\" type=\"remote\"\u003e\n \u003czone\u003eremote\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003cprovider id=\"eventual-cluster\" type=\"eventual-cluster\"\u003e\n \u003czone\u003elocal\u003c/zone\u003e\n \u003c/provider\u003e\n\n \u003c!--cluster eventual template--\u003e\n \u003cprovider id=\"azure-blob-storage\" type=\"azure-blob-storage\"\u003e\n \u003caccountName\u003e{{ .Values.artifactory.persistence.azureBlob.accountName }}\u003c/accountName\u003e\n \u003caccountKey\u003e{{ .Values.artifactory.persistence.azureBlob.accountKey }}\u003c/accountKey\u003e\n \u003cendpoint\u003e{{ .Values.artifactory.persistence.azureBlob.endpoint }}\u003c/endpoint\u003e\n \u003ccontainerName\u003e{{ .Values.artifactory.persistence.azureBlob.containerName }}\u003c/containerName\u003e\n \u003ctestConnection\u003e{{ .Values.artifactory.persistence.azureBlob.testConnection }}\u003c/testConnection\u003e\n \u003c/provider\u003e\n\u003c/config\u003e\n{{- end }}\n", - "cacheProviderDir": "cache", - "customBinarystoreXmlSecret": null, - "enabled": true, - "eventual": { - "numberOfThreads": 10 - }, - "fileSystem": { - "existingSharedClaim": { - "backupDir": "/var/opt/jfrog/artifactory-backup", - "dataDir": "{{ .Values.artifactory.persistence.mountPath }}/artifactory-data", - "enabled": false, - "numberOfExistingClaims": 1 - } - }, - "googleStorage": { - "bucketExists": false, - "bucketName": "artifactory-ha-gcp", - "credential": null, - "endpoint": "storage.googleapis.com", - "httpsOnly": false, - "identity": null, - "path": "artifactory-ha/filestore" - }, - "local": false, - "maxCacheSize": 50000000000, - "mountPath": "/var/opt/jfrog/artifactory", - "nfs": { - "backupDir": "/var/opt/jfrog/artifactory-backup", - "capacity": "200Gi", - "dataDir": "/var/opt/jfrog/artifactory-ha", - "haBackupMount": "/backup", - "haDataMount": "/data", - "ip": null, - "mountOptions": [] - }, - "redundancy": 3, - "size": "200Gi", - "type": "file-system" - }, - "primary": { - "affinity": {}, - "javaOpts": { - "corePoolSize": 16, - "jmx": { - "accessFile": null, - "authenticate": false, - "enabled": false, - "host": null, - "passwordFile": null, - "port": 9010, - "ssl": false - } - }, - "labels": {}, - "name": "artifactory-ha-primary", - "nodeSelector": {}, - "persistence": { - "existingClaim": false - }, - "podAntiAffinity": { - "topologyKey": "kubernetes.io/hostname", - "type": "" - }, - "resources": {}, - "tolerations": [] - }, - "priorityClass": { - "create": false, - "value": 1000000000 - }, - "readinessProbe": { - "enabled": true, - "failureThreshold": 10, - "initialDelaySeconds": 60, - "path": "/router/api/v1/system/health", - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 10 - }, - "service": { - "annotations": {}, - "loadBalancerSourceRanges": [], - "name": "artifactory", - "pool": "members", - "type": "ClusterIP" - }, - "systemYaml": "shared:\n extraJavaOpts: \u003e\n {{- with .Values.artifactory.primary.javaOpts }}\n -Dartifactory.async.corePoolSize={{ .corePoolSize }}\n {{- if .xms }}\n -Xms{{ .xms }}\n {{- end }}\n {{- if .xmx }}\n -Xmx{{ .xmx }}\n {{- end }}\n {{- if .jmx.enabled }}\n -Dcom.sun.management.jmxremote\n -Dcom.sun.management.jmxremote.port={{ .jmx.port }}\n -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }}\n -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }}\n {{- if .jmx.host }}\n -Djava.rmi.server.hostname={{ tpl .jmx.host $ }}\n {{- else }}\n -Djava.rmi.server.hostname={{ template \"artifactory-ha.fullname\" $ }}\n {{- end }}\n {{- if .jmx.authenticate }}\n -Dcom.sun.management.jmxremote.authenticate=true\n -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }}\n -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }}\n {{- else }}\n -Dcom.sun.management.jmxremote.authenticate=false\n {{- end }}\n {{- end }}\n {{- if .other }}\n {{ .other }}\n {{- end }}\n {{- end }}\n database:\n {{- if .Values.postgresql.enabled }}\n type: postgresql\n url: 'jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}'\n host: ''\n driver: org.postgresql.Driver\n username: '{{ .Values.postgresql.postgresqlUsername }}'\n password: '{{ .Values.postgresql.postgresqlPassword }}'\n {{ else }}\n type: '{{ .Values.database.type }}'\n url: '{{ .Values.database.url }}'\n driver: '{{ .Values.database.driver }}'\n username: '{{ .Values.database.user }}'\n password: '{{ .Values.database.password }}'\n {{- end }}\n security:\n joinKey: '{{ .Values.artifactory.joinKey }}'\n masterKey: '{{ .Values.artifactory.masterKey }}'\nartifactory:\n{{- if .Values.artifactory.haDataDir.enabled }}\n node:\n haDataDir: {{ .Values.artifactory.haDataDir.path }}\n{{- end }}\n database:\n maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }}\naccess:\n database:\n maxOpenConnections: '{{ .Values.access.database.maxOpenConnections }}'\n {{- if .Values.access.database.enabled }}\n type: '{{ .Values.access.database.type }}'\n url: '{{ .Values.access.database.url }}'\n driver: '{{ .Values.access.database.driver }}'\n username: '{{ .Values.access.database.user }}'\n password: '{{ .Values.access.database.password }}'\n {{- end }}\n", - "terminationGracePeriodSeconds": 30, - "uid": 1030, - "userPluginSecrets": null - }, - "database": { - "driver": null, - "password": null, - "secrets": {}, - "type": null, - "url": null, - "user": null - }, - "filebeat": { - "enabled": false, - "filebeatYml": "logging.level: info\npath.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat\nname: artifactory-filebeat\nqueue.spool: ~\nfilebeat.inputs:\n- type: log\n enabled: true\n close_eof: ${CLOSE:false}\n paths:\n - {{ .Values.artifactory.persistence.mountPath }}/log/*.log\n fields:\n service: \"jfrt\"\n log_type: \"artifactory\"\noutput:\n logstash:\n hosts: [\"{{ .Values.filebeat.logstashUrl }}\"]\n", - "image": { - "repository": "docker.elastic.co/beats/filebeat", - "version": "7.5.1" - }, - "livenessProbe": { - "exec": { - "command": [ - "sh", - "-c", - "#!/usr/bin/env bash -e\ncurl --fail 127.0.0.1:5066\n" - ] - }, - "failureThreshold": 3, - "initialDelaySeconds": 10, - "periodSeconds": 10, - "timeoutSeconds": 5 - }, - "logstashUrl": "logstash:5044", - "name": "artifactory-filebeat", - "readinessProbe": { - "exec": { - "command": [ - "sh", - "-c", - "#!/usr/bin/env bash -e\nfilebeat test output\n" - ] - }, - "failureThreshold": 3, - "initialDelaySeconds": 10, - "periodSeconds": 10, - "timeoutSeconds": 5 - }, - "resources": {}, - "terminationGracePeriod": 10 - }, - "imagePullSecrets": null, - "ingress": { - "additionalRules": [], - "annotations": {}, - "artifactoryPath": "/artifactory/", - "defaultBackend": { - "enabled": true - }, - "enabled": false, - "hosts": [], - "labels": {}, - "routerPath": "/", - "tls": [] - }, - "initContainerImage": "alpine:3.10", - "initContainers": { - "resources": {} - }, - "installer": { - "platform": null, - "type": null - }, - "logger": { - "image": { - "repository": "busybox", - "tag": "1.30" - } - }, - "networkpolicy": [ - { - "egress": [ - {} - ], - "ingress": [ - {} - ], - "name": "artifactory", - "podSelector": { - "matchLabels": { - "app": "artifactory-ha" - } - } - } - ], - "nginx": { - "affinity": {}, - "artifactoryConf": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\nssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt;\nssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key;\nssl_session_cache shared:SSL:1m;\nssl_prefer_server_ciphers on;\n## server configuration\nserver {\n {{- if .Values.nginx.internalPortHttps }}\n listen {{ .Values.nginx.internalPortHttps }} ssl;\n {{- else -}}\n {{- if .Values.nginx.https.enabled }}\n listen {{ .Values.nginx.https.internalPort }} ssl;\n {{- end }}\n {{- end }}\n {{- if .Values.nginx.internalPortHttp }}\n listen {{ .Values.nginx.internalPortHttp }};\n {{- else -}}\n {{- if .Values.nginx.http.enabled }}\n listen {{ .Values.nginx.http.internalPort }};\n {{- end }}\n {{- end }}\n server_name ~(?\u003crepo\u003e.+)\\.{{ include \"artifactory-ha.fullname\" . }} {{ include \"artifactory-ha.fullname\" . }}\n {{- range .Values.ingress.hosts -}}\n {{- if contains \".\" . -}}\n {{ \"\" | indent 0 }} ~(?\u003crepo\u003e.+)\\.{{ (splitn \".\" 2 .)._1 }} {{ . }}\n {{- end -}}\n {{- end -}};\n\n if ($http_x_forwarded_proto = '') {\n set $http_x_forwarded_proto $scheme;\n }\n ## Application specific logs\n ## access_log /var/log/nginx/artifactory-access.log timing;\n ## error_log /var/log/nginx/artifactory-error.log;\n rewrite ^/artifactory/?$ / redirect;\n if ( $repo != \"\" ) {\n rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break;\n }\n chunked_transfer_encoding on;\n client_max_body_size 0;\n\n location / {\n proxy_read_timeout 900;\n proxy_pass_header Server;\n proxy_cookie_path ~*^/.* /;\n proxy_pass http://{{ include \"artifactory-ha.fullname\" . }}:{{ .Values.artifactory.externalPort }}/;\n proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;\n proxy_set_header X-Forwarded-Port $server_port;\n proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;\n proxy_set_header Host $http_host;\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n\n location /artifactory/ {\n if ( $request_uri ~ ^/artifactory/(.*)$ ) {\n proxy_pass http://{{ include \"artifactory-ha.fullname\" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1;\n }\n proxy_pass http://{{ include \"artifactory-ha.fullname\" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/;\n }\n }\n}\n", - "customArtifactoryConfigMap": null, - "customConfigMap": null, - "enabled": true, - "gid": 107, - "http": { - "enabled": true, - "externalPort": 80, - "internalPort": 80 - }, - "https": { - "enabled": true, - "externalPort": 443, - "internalPort": 443 - }, - "image": { - "pullPolicy": "IfNotPresent", - "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro" - }, - "labels": {}, - "livenessProbe": { - "enabled": true, - "failureThreshold": 10, - "initialDelaySeconds": 60, - "path": "/router/api/v1/system/health", - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 10 - }, - "loggers": [], - "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \\\"$remote_user\\\" '\n 'local_time = \\\"$time_local\\\" '\n 'host = $host '\n 'request = \\\"$request\\\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \\\"$upstream_addr\\\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \\\"$http_referer\\\" '\n 'UA = \\\"$http_user_agent\\\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include /etc/nginx/conf.d/*.conf;\n}\n", - "name": "nginx", - "nodeSelector": {}, - "persistence": { - "accessMode": "ReadWriteOnce", - "enabled": false, - "mountPath": "/var/opt/jfrog/nginx", - "size": "5Gi" - }, - "readinessProbe": { - "enabled": true, - "failureThreshold": 10, - "initialDelaySeconds": 10, - "path": "/router/api/v1/system/health", - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 10 - }, - "replicaCount": 1, - "resources": {}, - "service": { - "externalTrafficPolicy": "Cluster", - "labels": {}, - "loadBalancerIP": null, - "loadBalancerSourceRanges": [], - "type": "LoadBalancer" - }, - "tolerations": [], - "uid": 104 - }, - "postgresql": { - "enabled": true, - "extraEnv": [], - "global": { - "postgresql": {} - }, - "image": { - "debug": false, - "pullPolicy": "IfNotPresent", - "registry": "docker.bintray.io", - "repository": "bitnami/postgresql", - "tag": "9.6.15-debian-9-r91" - }, - "livenessProbe": { - "enabled": true, - "failureThreshold": 6, - "initialDelaySeconds": 30, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 5 - }, - "master": { - "affinity": {}, - "annotations": {}, - "extraVolumeMounts": [], - "extraVolumes": [], - "labels": {}, - "nodeSelector": {}, - "podAnnotations": {}, - "podLabels": {}, - "tolerations": [] - }, - "metrics": { - "enabled": false, + "artifactory-ha": { + "artifactory": { + "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n #image: \"{{ .Values.initContainerImage }}\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { - "pullPolicy": "IfNotPresent", - "registry": "docker.io", - "repository": "bitnami/postgres-exporter", - "tag": "0.6.0-debian-9-r0" + "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro" }, - "livenessProbe": { - "enabled": true, - "failureThreshold": 6, - "initialDelaySeconds": 5, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 5 - }, - "readinessProbe": { - "enabled": true, - "failureThreshold": 6, - "initialDelaySeconds": 5, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 5 - }, - "securityContext": { - "enabled": false, - "runAsUser": 1001 - }, - "service": { - "annotations": { - "prometheus.io/port": "9187", - "prometheus.io/scrape": "true" - }, - "loadBalancerIP": null, - "type": "ClusterIP" - }, - "serviceMonitor": { - "additionalLabels": {}, - "enabled": false + "node": { + "waitForPrimaryStartup": { + "enabled": false + } } }, - "networkPolicy": { - "allowExternal": true, + "database": { + "driver": "OVERRIDE", + "password": "OVERRIDE", + "type": "OVERRIDE", + "url": "OVERRIDE", + "user": "OVERRIDE" + }, + "initContainerImage": "registry.redhat.io/ubi8-minimal", + "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default 'derby' .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/{{ default 'openshift' .Values.installer.platform }}\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", + "nginx": { + "http": { + "externalPort": 80, + "internalPort": 8080 + }, + "https": { + "externalPort": 443, + "internalPort": 8443 + }, + "image": { + "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro" + }, + "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n" + }, + "postgresql": { "enabled": false }, - "nodeSelector": {}, - "persistence": { - "accessModes": [ - "ReadWriteOnce" - ], - "annotations": {}, - "enabled": true, - "mountPath": "/bitnami/postgresql", - "size": "50Gi", - "subPath": "" - }, - "postgresqlConfiguration": { - "listenAddresses": "'*'", - "maxConnections": "1500" - }, - "postgresqlDataDir": "/bitnami/postgresql/data", - "postgresqlDatabase": "artifactory", - "postgresqlPassword": "", - "postgresqlUsername": "artifactory", - "readinessProbe": { - "enabled": true, - "failureThreshold": 6, - "initialDelaySeconds": 5, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 5 - }, - "replication": { - "applicationName": "my_application", - "enabled": false, - "numSynchronousReplicas": 0, - "password": "repl_password", - "slaveReplicas": 1, - "synchronousCommit": "off", - "user": "repl_user" - }, - "resources": { - "requests": { - "cpu": "250m", - "memory": "256Mi" - } - }, - "securityContext": { - "enabled": true, - "fsGroup": 1001, - "runAsUser": 1001 - }, - "service": { - "annotations": {}, - "port": 5432, - "type": "ClusterIP" - }, - "serviceAccount": { - "enabled": false - }, - "slave": { - "affinity": {}, - "annotations": {}, - "extraVolumeMounts": [], - "extraVolumes": [], - "labels": {}, - "nodeSelector": {}, - "podAnnotations": {}, - "podLabels": {}, - "tolerations": [] - }, - "updateStrategy": { - "type": "RollingUpdate" - }, - "volumePermissions": { - "enabled": true, - "image": { - "pullPolicy": "Always", - "registry": "docker.io", - "repository": "bitnami/minideb", - "tag": "stretch" - }, - "securityContext": { - "runAsUser": 0 - } - } - }, - "rbac": { - "create": true, - "role": { - "rules": [ - { - "apiGroups": [ - "" - ], - "resources": [ - "services", - "endpoints", - "pods" - ], - "verbs": [ - "get", - "watch", - "list" - ] - } - ] - } - }, - "serviceAccount": { - "annotations": {}, - "create": true, - "name": null - }, - "waitForDatabase": true + "waitForDatabase": false + } } } ] capabilities: Basic Install + categories: "Developer Tools,Integration & Delivery" + description: "Artifactory HA deploys Artifactory in a high availability environment across multiple pods" + containerImage: quay.io/jfrog/artifactory-ha-operator + createdAt: 2020-03-25T00:00:00Z + support: JFrog + certified: "true" + repository: https://github.com/jfrog/JFrog-Cloud-Installers/tree/openshift4/Openshift4 name: artifactory-ha-operator.v1.0.0 namespace: jfrog-artifactory spec: apiservicedefinitions: {} - customresourcedefinitions: {} - description: Openshift 4 Operator to deploy JFrog Artifactory-HA - displayName: JFrog Artifactory-HA Operator + customresourcedefinitions: + owned: + - description: Represents Artifactory HA Instances + displayName: Artifactory HA + kind: OpenshiftArtifactoryHa + name: openshiftartifactoryhas.charts.helm.k8s.io + resources: + - kind: Deployment + version: v1 + - kind: Service + version: v1 + - kind: ReplicaSet + version: v1 + - kind: Pod + version: v1 + - kind: Secret + version: v1 + - kind: ConfigMap + version: v1 + - kind: StatefulSet + version: apps/v1 + version: v1alpha1 + description: Openshift 4 Operator to deploy JFrog Artifactory Enterprise + displayName: JFrog Artifactory Enterprise Operator provider: - name: JFrog + name: JFrog LTD links: - name: JFrog - url: http://www.jfrog.com + url: https://www.jfrog.com + - name: JFrog Artifact Repository + url: https://jfrog.com/artifactory/ + - name: Artifactory Video + url: https://www.youtube.com/watch?v=r2_A5CPo43U icon: - base64data: iVBORw0KGgoAAAANSUhEUgAAAMkAAADCCAYAAADjAebGAAAKN2lDQ1BzUkdCIElFQzYxOTY2LTIuMQAAeJydlndUU9kWh8+9N71QkhCKlNBraFICSA29SJEuKjEJEErAkAAiNkRUcERRkaYIMijggKNDkbEiioUBUbHrBBlE1HFwFBuWSWStGd+8ee/Nm98f935rn73P3Wfvfda6AJD8gwXCTFgJgAyhWBTh58WIjYtnYAcBDPAAA2wA4HCzs0IW+EYCmQJ82IxsmRP4F726DiD5+yrTP4zBAP+flLlZIjEAUJiM5/L42VwZF8k4PVecJbdPyZi2NE3OMErOIlmCMlaTc/IsW3z2mWUPOfMyhDwZy3PO4mXw5Nwn4405Er6MkWAZF+cI+LkyviZjg3RJhkDGb+SxGXxONgAoktwu5nNTZGwtY5IoMoIt43kA4EjJX/DSL1jMzxPLD8XOzFouEiSniBkmXFOGjZMTi+HPz03ni8XMMA43jSPiMdiZGVkc4XIAZs/8WRR5bRmyIjvYODk4MG0tbb4o1H9d/JuS93aWXoR/7hlEH/jD9ld+mQ0AsKZltdn6h21pFQBd6wFQu/2HzWAvAIqyvnUOfXEeunxeUsTiLGcrq9zcXEsBn2spL+jv+p8Of0NffM9Svt3v5WF485M4knQxQ143bmZ6pkTEyM7icPkM5p+H+B8H/nUeFhH8JL6IL5RFRMumTCBMlrVbyBOIBZlChkD4n5r4D8P+pNm5lona+BHQllgCpSEaQH4eACgqESAJe2Qr0O99C8ZHA/nNi9GZmJ37z4L+fVe4TP7IFiR/jmNHRDK4ElHO7Jr8WgI0IABFQAPqQBvoAxPABLbAEbgAD+ADAkEoiARxYDHgghSQAUQgFxSAtaAYlIKtYCeoBnWgETSDNnAYdIFj4DQ4By6By2AE3AFSMA6egCnwCsxAEISFyBAVUod0IEPIHLKFWJAb5AMFQxFQHJQIJUNCSAIVQOugUqgcqobqoWboW+godBq6AA1Dt6BRaBL6FXoHIzAJpsFasBFsBbNgTzgIjoQXwcnwMjgfLoK3wJVwA3wQ7oRPw5fgEVgKP4GnEYAQETqiizARFsJGQpF4JAkRIauQEqQCaUDakB6kH7mKSJGnyFsUBkVFMVBMlAvKHxWF4qKWoVahNqOqUQdQnag+1FXUKGoK9RFNRmuizdHO6AB0LDoZnYsuRlegm9Ad6LPoEfQ4+hUGg6FjjDGOGH9MHCYVswKzGbMb0445hRnGjGGmsVisOtYc64oNxXKwYmwxtgp7EHsSewU7jn2DI+J0cLY4X1w8TogrxFXgWnAncFdwE7gZvBLeEO+MD8Xz8MvxZfhGfA9+CD+OnyEoE4wJroRIQiphLaGS0EY4S7hLeEEkEvWITsRwooC4hlhJPEQ8TxwlviVRSGYkNimBJCFtIe0nnSLdIr0gk8lGZA9yPFlM3kJuJp8h3ye/UaAqWCoEKPAUVivUKHQqXFF4pohXNFT0VFysmK9YoXhEcUjxqRJeyUiJrcRRWqVUo3RU6YbStDJV2UY5VDlDebNyi/IF5UcULMWI4kPhUYoo+yhnKGNUhKpPZVO51HXURupZ6jgNQzOmBdBSaaW0b2iDtCkVioqdSrRKnkqNynEVKR2hG9ED6On0Mvph+nX6O1UtVU9Vvuom1TbVK6qv1eaoeajx1UrU2tVG1N6pM9R91NPUt6l3qd/TQGmYaYRr5Grs0Tir8XQObY7LHO6ckjmH59zWhDXNNCM0V2ju0xzQnNbS1vLTytKq0jqj9VSbru2hnaq9Q/uE9qQOVcdNR6CzQ+ekzmOGCsOTkc6oZPQxpnQ1df11Jbr1uoO6M3rGelF6hXrtevf0Cfos/ST9Hfq9+lMGOgYhBgUGrQa3DfGGLMMUw12G/YavjYyNYow2GHUZPTJWMw4wzjduNb5rQjZxN1lm0mByzRRjyjJNM91tetkMNrM3SzGrMRsyh80dzAXmu82HLdAWThZCiwaLG0wS05OZw2xljlrSLYMtCy27LJ9ZGVjFW22z6rf6aG1vnW7daH3HhmITaFNo02Pzq62ZLde2xvbaXPJc37mr53bPfW5nbse322N3055qH2K/wb7X/oODo4PIoc1h0tHAMdGx1vEGi8YKY21mnXdCO3k5rXY65vTW2cFZ7HzY+RcXpkuaS4vLo3nG8/jzGueNueq5clzrXaVuDLdEt71uUnddd457g/sDD30PnkeTx4SnqWeq50HPZ17WXiKvDq/XbGf2SvYpb8Tbz7vEe9CH4hPlU+1z31fPN9m31XfKz95vhd8pf7R/kP82/xsBWgHcgOaAqUDHwJWBfUGkoAVB1UEPgs2CRcE9IXBIYMj2kLvzDecL53eFgtCA0O2h98KMw5aFfR+OCQ8Lrwl/GGETURDRv4C6YMmClgWvIr0iyyLvRJlESaJ6oxWjE6Kbo1/HeMeUx0hjrWJXxl6K04gTxHXHY+Oj45vipxf6LNy5cDzBPqE44foi40V5iy4s1licvvj4EsUlnCVHEtGJMYktie85oZwGzvTSgKW1S6e4bO4u7hOeB28Hb5Lvyi/nTyS5JpUnPUp2Td6ePJninlKR8lTAFlQLnqf6p9alvk4LTduf9ik9Jr09A5eRmHFUSBGmCfsytTPzMoezzLOKs6TLnJftXDYlChI1ZUPZi7K7xTTZz9SAxESyXjKa45ZTk/MmNzr3SJ5ynjBvYLnZ8k3LJ/J9879egVrBXdFboFuwtmB0pefK+lXQqqWrelfrry5aPb7Gb82BtYS1aWt/KLQuLC98uS5mXU+RVtGaorH1futbixWKRcU3NrhsqNuI2ijYOLhp7qaqTR9LeCUXS61LK0rfb+ZuvviVzVeVX33akrRlsMyhbM9WzFbh1uvb3LcdKFcuzy8f2x6yvXMHY0fJjpc7l+y8UGFXUbeLsEuyS1oZXNldZVC1tep9dUr1SI1XTXutZu2m2te7ebuv7PHY01anVVda926vYO/Ner/6zgajhop9mH05+x42Rjf2f836urlJo6m06cN+4X7pgYgDfc2Ozc0tmi1lrXCrpHXyYMLBy994f9Pdxmyrb6e3lx4ChySHHn+b+O31w0GHe4+wjrR9Z/hdbQe1o6QT6lzeOdWV0iXtjusePhp4tLfHpafje8vv9x/TPVZzXOV42QnCiaITn07mn5w+lXXq6enk02O9S3rvnIk9c60vvG/wbNDZ8+d8z53p9+w/ed71/LELzheOXmRd7LrkcKlzwH6g4wf7HzoGHQY7hxyHui87Xe4Znjd84or7ldNXva+euxZw7dLI/JHh61HXb95IuCG9ybv56Fb6ree3c27P3FlzF3235J7SvYr7mvcbfjT9sV3qID0+6j068GDBgztj3LEnP2X/9H686CH5YcWEzkTzI9tHxyZ9Jy8/Xvh4/EnWk5mnxT8r/1z7zOTZd794/DIwFTs1/lz0/NOvm1+ov9j/0u5l73TY9P1XGa9mXpe8UX9z4C3rbf+7mHcTM7nvse8rP5h+6PkY9PHup4xPn34D94Tz+49wZioAAAAJcEhZcwAACxIAAAsSAdLdfvwAACAASURBVHic7V0HfBzF1Z83u3un5iLJGGzAdoyDgWDAgIxtSdd0xZiaxEASWiDARw9gei8hQCghhN5CJ4BDMHGMdbqiU7ExpgZCb4ZgTLFsg2Wr3O18792d7JN0ZfeaTvb9f7/T3u3N7oz25j/z3swrshCCEfg1nJvqG44F4HWMCQlPrwQmWgKt3oB6laqyIorYRiHTnzBBTI6ngLGjIqeBAUSOZpNjpdXrvDLg8DyuqqoYuqYWUcTQIEwSU73jtC0EGYSJjMOjZq/jQL6AH6POU0N5bF8RGaDe49pHkthM/G27u4W6eKmt6ZuhbtNwhIwdXzJX2y+hWSMFfmWqtv8Xj3/IQ7uKyBA4+58uS3BX32cj8A6LxzWz2d740VC2azhCrhtl3QcJsqOWwiiEzZ+1ZNYdy+Ys+yHXDUsEi98+Gxi/HlszDT/2oO60Aph6p9/W1DRUbSpIcDhnwJkq4OIsPJ49FM0pFNQ8UKNUTKk6hgl2NHZo7PusmwnxzKqelZd8MOeD7njXyAByhY46RpcYR/4Sj3/LSot1YrbPsb0RpCX4dkTfOdSdDsUecbDJ63S1NLg9Q9GuAsXYOOd2zXsrCgjYR+oqplQ+xOg5xApOAOeOM0wche9+F+86uWNd72tjqpW1+L5SS0VCCAsbIpIYGduXxRAkBpxzQJGRFUmyBV/ia1S/MwAdQ9OUoYfF7/qFxOEZFtXDBwIATqh1225od/o+Hvid/PY83wazx3UEl9jf8fOYVJXhzeKNUHlBD4j/GBgLsjj/KA4M+wxBkwoWgrHX8Jns2e+cUP89VO0ZSuy70DZ61EiFZpC4BIkCFFk6AI+DSUJ/AvZGr7nRvBdXjH9DFriSVym+zKC9GaHd6vnK6nNdhoy4kQ1caRCsqJDGAAmxAIAfv/kzY6+0tIaeYbahbNXQYNRI+Qg8jE5VTgj4Pt75zcwKuAJfo8xyoNlrPxP73014qjTefdQQPJp2a7MAv63xT1av8yVUTC/Ej7/Gl4Sv7pAQFw9luwoNAVvTIqvfebpgMA9//f91bgzOV6/yBYe6XUMD2FdDoVWre1c2x/ui3/QT3Sz8a73f7paF9CiO1QfEfi8EuwFnnfa025ol+Bvcb+PhWLPPcQMwOIKB+lJLg+eVoW5XocFvdd+Dh3uGuh0FgGRiVh/OT7i6Fe9kq9XzAb/GVmcyKSehTHMkztUGlbEHA7bGRzJpabaBo+W7eLhmqNtRRKFDvJtsHxBnhvuarY1PJ/o+IcOiU/O90VcRRQxbbOgMPl5RrvyekfVIf3QIIe5oaQ1ez6yJr9cyDRVRxLDGioN939csqtmjvLxqDgh1Jyagi4F47/uO1cvfnvd2T6rFjIxJYvU5rAz4efiW9JdynLw+wEb8vadjw1/b57VvyvT+abRnlgB+C74tYaq4trnBvTDfbSgUYMcoKy+tPETt7nK3zG1ZO9TtGUqsOHjFRjw8n861GZHE4nedA8BvY/0EPpiOn6YbqiuOq3XbDo+3OZMrWNyWnUExvgR9m2gcnrd4nUciUf6RrzYUEirKKp9iAIdJpSXN+DGJQFFEMqRNkmiH/BNLrBH9zCArfvMS876BOYHv0q1HD0Ax0LJw7C4zBw4PmBvNS2mJOx9tKBRYmiw/Adl4WOQTWCwe10+Lxo3pIW2SgCLTDreSvBDbiRuMZC5yXrr16AMcFudkJZKZxK+j89OGwgBwQ33sZ8HVvfGw1ZIExWz8f/kswVinYGpTwNb0YbbunTZJenrV9wyKRPsqyW3sAU6Y/Kjt0k+P93WlW5cWYB0lEycoO8dvAvwaH+KDfluTP5dtKCgA2z/2IwcYN1RNySXqmmx7KrJ8Dwt71EY6IzCuWn3O+wKtwbOzsYGaNklI17D6nY9gk05IUXT0xJ3kI/H4WLp1aUF5+XcqY+MTkRbwId6DRNon12QtGACri/2ID2b7oWpKrmD2Og9SZOU5Ntg6hOPIeJq5XtmA7y/MtJ6MFPeeNZ1nGKrKx2KDDkpakMP5fAF/MpdejbSUZ/W7yClszwRFpk7cWbkSj5fmqg2FAtQDt+PGkr1jz4FGn6HhAvK6lCWIR5AtAHZmzaKaq6MrW2kjI5LQEi+/xna42STfgC2azxKLXtPMlfb/w+PdWu9t8bsOZUJEXIoBnmy2Ni5OdY0Q6i0A/JGEBYBdYG5qWBhweJdrbcdwBFeMh9Ch/1kxZUgakwNQTAazyX4//qCJCRJBqaKMIKv1zzOpL+N9kqjMdwF26mUQ8TMZGbcghz9Y3JZ/NTubU1oRW/zOi3HkuyEajYLwa7PP8QtUxl5Idl2zrelRi8+1K16WaLaQuSw9Nr1p+r5vON7oTNWOYQsOxww+CT/Nf0NyA7PJQdbNNRqKdvR+8eNXmdaXtR13HOmfx478DgdOexLxRJ5KkI1PT1swzRbe5UyAaQtsFWOqlasHnAa8742c84WpIrY02xovQ7GL9mZuZ3EJC7uOlseSqc2xKf6lYYmIIqtY4ny1vbnRPG64L4XXLqgtNVRVXJs6JANB3LLi5BW9mdaZVbMUWnbDUXrmKGm7hwHgyEEFgNWOqR53J747JdE9FCXcpnhLy1NNbgeJDCmXMf3Wxr+hXL6IG42otAHVNZAsx+DM147E3urs0pAgpHfF7ULcoNCK17/y26LswlBdfiYedkpVTgjxfEtr8OZsbKFm3XaLxBgc8X9l8trfQJHpejZINoaTUSRaiSP+9fGuf/0w3zqLz/kEkuy4gd+pIDQr/tENzAv2XWi7ftQI5TzsNrTKYdzcCsbuMHmd77c0uJu13rPQYfY6XZzDEYlL8BlsGJOkrqlurCKXp1p4oXiLNyNBLsuW/0xODByjItGNOFr/Bzvjk2yAVxjqDNfhd+txJL8z3vW9HZ2nGqrKO7EgyZ5l+PqOCXYLduhP9baFSIeHK1EUfAFFtpfYlgAJisThHyiemNscvnf03rfQQDvsXDamcogjr9Mr8tGeXAAJcitL5mEo2PKgys5ptTe+nE0PzJxaAdOKFHbOAzjAv0gXiPmKVPI7rH5nt9/qfmDgdVHDyNP5NbazZ83qHrlszrK1mUaPRFHwdavPcThqNy1sy/9dpcjyEovHZR3OJhv4jPfgkpH811PshcB+FHFmOAapw//xcBzk4ixIhPERU8XlAYfnuVxEGc25qTzpKabFpplSacmz+CPZY75CnsB9OKNIiXSD6HTZwbIUidhva1qGxMTZKzYmFewIEgvgjOIcbjNK/Yv1I6SKsrOx85AIUqbhEm5g7GA8PpTjpmUV0Vny4ThfdQomru78eO1fwgp6jiJW58WfhMy0cVY40Fwv30E7oTFf0Yxyt8XvHN1sdd+Yj7Zs6AxeX1GuUHyl2NBE41DhbcWZ5sh8BLnDZyEfcADbQZFge8alEahHGCLfhIKqynsAxMZQKLRRVVmXJCk9QnQGQyEDQhoJwElp3RUl73p5RNlcfK8nbhqZbNCq3rAhSWS100ArpgNCXgkPsuKkNqtnZa7tm/PmdBWdFU7HmeNDJAbJln0KPdCeiNXnHB/o8Jyb61jD5IBj9btITzp1wFejURR7yepz/fH7jlV/SLZMrQcUEMzcZKcl8XoBrBb/2z3NJmU3/GwYXFpiUvipYFeWY9c7ylEeH1AUNK2BDgYwE4oue+EM/5/0bpA/0GBiMikUK2t6zOkeJtRLAq3e2/OV7SDvnokoWt2ORPkCf+InWKxJAcBZ5mrHJBQhjm49tPXHnDZCFQ8zDgNJQpCwE10xpnr8L3BWuQBnlZfSuX2tu7bKIJXPQVK4zF6HA0+FjQvT7NbZBu05Xc4odkEBg2JUm+rtj+IzmxtzejUOofMC9qZ2PYq5xes8Cv/pM1hYehBPBdZ4btMzGA+J+y5tPGInbMCf60XWPyDeIXJF2Ssmd8O8Fqf3v7mqHxW8V7Hzrsa3OyQo8jNs22KccV5DLfDBTZt6X1g+17c60f1IJKislPfnnFnwR3UalAraDZYLhBTxMM/scZkD9sZApjey+FyX4aS2d6Ch6ahsKc2RIO6OR/Dtb7acFe+K3p45AQ0WG7FAHfRkJMj9W87APuZqO1kfJNyrG4gh83EnJbreb6+TmdTIYh30ge0mKfIr+M9dHGjx3KVlSiVbntmzZ49pc7R9q6Vu+jGRAMvw7c9TFN0PO/p+ZaXK3diej4SA9/EckaULO0YZ6gU4Q8AuY6oVeuiSlroLBMAl9rBpsWn/dN16wyN9leM2fA7hANxmT8Nf8dCaacNoR91cZafIJbG+QS+HNnXN1dvWqPvEHwd/AyfXe1wPh5eKNWBIA0FQ6KJav73WwCQSa6bFfFWG/8gd5nrH0Ra//bxmq2dponvU+e0TsdyTSK59rV5nrb/B/YaWuoVg7+EPnIokfaCVOLIJ6x9wOl29oDAwWSoteXHfhbZDontJmmHxuHbHkf4+fLvZsUswTiuXGZEESVtpqK5YGHtfvPOyru4f5yybqz+TwYQJnILSxQ3diyqfEw+FTxIChS7FH8o0aqRMeyn9fCAoOB4wqR11GB/qEfd3MrZkRYN7PX1F5uBgNP6fwqSLsVx5pDzcjH/tgyqJD02zztYNqBs1QlmGA9EZOBD5UpXG0XemxMVpIAGJQf36Do4XWqIkJgQRTyotJYLEGGKKN9b/EJz7+mHppfro7la/KDFKcWNHo76o+fcfcpIQaCSrWVTjKi+v+ifJ9AO/x3M2VLRtFfi/oZhEBnqcG0to55wPKNhAbpwoyqUc0YCR/MxTFdv6geItDkReq8/1Pj4QIsq72OG/xffdQqhlHGBnLLQXnjfJEpuQZPlh70RfpILVbz8EJIkWcmJt7D7DBhw4cJajCDBlZaMPxV9ufEjA620OTyCRLrRsju9/Fp/jVABOLhpbVhMFe39NR+8TWttXECQhkGPM1CVTDx1vmPgMRfhIUIx+ofHJ7iOAX42HhpQVAmynu5FbM8JkYbtt+UiPSNcgsvMBi207JFvgGIjwEm+9cg2ARHGcYytbJ0LsoKX2/pYB5GhVUV5Fs80E+iwB2avZV6DIfUR4vyQOmm1ND9U12doVST5FAExFgrzTxdQ/UTYFre0sGJIQKBYrPrh5JpPyRJIcjklBsw7OJgemWr5FJXyv4a1SFB5KSpQ5eHhES9lZS2w7mU3KU6yf/hFGkAn1yGZ703uxJ8nMXzaU0G86YEUSalDk9tW6a2vane1x86+0OXy04JJ2MJKCIgmBNh2RKMfgA6Qp9Fdp3QT4zXwBdydaC5/eNL18tDy2GIcqy+AgKCLNI6nKWbzOX5YYFTJFGqRUC8HOaR5g9RBdEqYN4ERL9pMNcgXNRhn7s8dDwZGEECXKsUgU+pgOUX5mrrafjse/xvtytDRmoFlKEVkB2C1+19xErtazG22TjAblZuAwL/714vZmm/uugWfxtyTbtOSDGrBfsG2JJIQ+opjqZQMA/EL/HeA6nKIXDPTEoyVjBaRiJPocASXYp80+x+9a7d5/kEJNZjm1bsd+EmcnI0HIR6gk3nURJynP/IFUsPjtJmDSVRqqLs+89fFRsCQhEFGmLZj26zFV455PGZFlMEZxQ8lf2ADzC5lJtPuaMutREWljJAf+nNnr+M7qd63GI0VpqUp6hWDtvR2dxwzcOK5ZZBtTUabQHpiWjdpFGbQ5KQqaJAQyNJz8qG3exJ2VJfiwzDovPwJHtXkBW9OCvhNCqPcA8EHLzEVkHdtFX0lBaeo6hThoxYDg6lE9hGK1pXTVxbu0rf8heEG6DU2FgicJgQLK1Xidh1UA84cDcusAjmp31TXVtfSZrFDEFavPuTDJMvPWAlri/CdTBWUkfk8IWCe4OiJiai/2wN65O1kko3i0B0sgAuUB/u7uHw5fMWfwZqGp2k7u3QcmuZaWml/G/+/pQJtnQS4tgocFSQi00z7b5zjQyKANZxQ9MaTIL/oRlI0P6tt06gH1DAOTaHe/OgdN7cEOuEoA+wE74EbasQTayBJkih9encl1h9xErs7rf+y9LYG5yev4erHvw9QlU41j5UnTJYnNBCHqkDi0x5QHcVQ8sKp75VnxUrBZfI6jkcwXDb6EfYzP894QhF5otXo+2Xw+9a5YRhg2JCGQ26nF45oLEiNbrpTptGNACVPJG/HP9IFMYSx+1ynYeTNNyUCsexWY8KlCLBe0A9zm+V+yUS1iTqPszphEo/l0AOyYDPBzNizpRXNIZb/TEwsg2klfjr5upw2+ujp5JufsYGDhiDc/ybxd/bAORd4zm21NT8b70up11gDnA126V+GDvqy1temxfPmQxGJYkYRAvuj1HtchshQ2oUgVwS8GcAPqJwHydQ/fx9r4PBLlIeyZv9PbBiTGf5AYD27cFHxu0A5zilEtGsWFXi1958IKaqnsxDmHxAt66Z3haPa6ItDquSXTThR1jmujF86+l9Q3WmdwWT6JRczWtbgIJ8Pfe1jo/HabJ27AOEoPARKQAr75dxWC3b+mo3d+eId8iNJrDzuSEMjE2eJ1ngAcyKRa6whs5ABPT1tg26/PJGF98Nvfj5bHUiwqTXZHSA43Y6Hrm62eltSltYO8JfFAu89P1TxQo5ROrmyQOK3KhZe+RyW/WrwbCoaOa3F4X8t2J4qKpxQSdrlpselCqcR4AkqPp+kUd6mNb2Bvn58sqn+t2zbFoCikP/VFsyHHu+ObbY3/TLP5WcOwJAmhucH9jMXn3A0ArtZ+Few6plr5G46QR1IHoBhhdX77YQqTyLckSWoC8YYagnOz4aSUCtGIg0voVbOo5syK0sp5OMPQSE46VOyAsBpH2Vu+7ll5Z6LUytlE1JfjNn4Nv72+vuFQHHB+T8mBUlz2jirU61tbvc8mm+EsfvsMJAjZZPXtqK8O9QbntDi9b2Wp+Rlh2JKE0GL3XGv2OmgW0OoXQpiH+gmZMNxAH8gwzuRucEiK3MwG6zkbsSNe2tLhuTPXvvfxEI2GTsugj6GIOR5FTMpLWRFSxWebPl27PBshPPUi2tkpJvMLZHCICv8xEBEyaXaRcED5jJE1sRDPB+ze5vBslGCGI/3HbJLPAiaRY1TfgsY3SCwzEiRrSXgyxbAmCf0A9S/WHy+PKJ2Ko9oe2q+EP1h9jjf7jCDJVRjlYRNI4eiGu0QLvSpC7DeFEo8LRcxVjJZ0+5DjFR0twDa9iYc3ExZIMHfQLrypyX6o2aTQQLV7zFedoWDwIBQdC4YghGFNEgIFjcAOPg87+Aqm3TSBM+BP4nUH9JEAj+/VeJ37lQOE3T2/7vn8vHyIMdsSwnHCRpQdj7M/xfOdOqiAKk4J61YFhmFPEgJ1cIvPcUbS3CSDUYnE+vdMn2PWy7amNXQi6vV4Rk4auQ3D7HPsCoyfIY8o+y1LlJqDsSf8De6n8tgszdgqSEII5ybxu6woHx+v47KflgL/59QlUx3FWSP7QJ1lf4mLSzjww1lyN9B1Gzp7z81Xu/RiqyEJYX3w2zNGy2MpcvruKQtvQf04w8SHUU4+JhdxZLdFULginKUvlSVyxU69Qi+YuCm6DF6QGDYkodhWVVWSBUelyp7eDf+O54VGS7o4tR+DZWj3OHn67BgAwG/MHgdtcOXEHyEfCK9+cXaqAHYYROR9yuTlU4PBW/KV/s7kddolDldyaZC3YTKs7+7+UXOawKFAQZMkvBNdLv8cu/GhY6qVGajYXRPoaLov2XIs7ahb/M5rgcF1uioDSmnn/LbZ6r4l44bnEWR7Nc448RJZAiJ4acy4TblY5nFZ/qXV73qoq/uH+cviGBJmirC1bqX9l4LDfCTIDL3XC8GeyUW7somCIwntOJftMvownA2OryhXKJ+Ggk/y3109wf0o+oWWe7S0BG80mxTyP5mpp24k1p+wQ62hTFnptD3fQLGmdrxxEtk5JRMviTcnlRhH2nCkP76lwd2WjbopoY4sl51ornL8H9YwKV3DM6HmNnV5NlAwJKFIG6Wl8pkVU6pod7kvz8ZGnD3OCTg89+jRF8j+CMWu45FotIavw74r3KEesHidG2lHX8d1eQWJntVVyvUo1tBSqtaQJpNxpA/gIHA/KslXpKMDUDifivKqg3D0P0aRyynogyEzs0zxVavTszRXKROyhSEnicVt2ZkpxsvKShValYo1I/8ACXKEv8H9djoPkfKiWH2uP+CPGDftXBJIwOFx7EwGnFEe119zbmH1Oo9E0ZOC8E1I43Ii1Kk4Qx9t9TsfVYOhJ1qX+lckMhmhWb1icuWeDEQ9A25HgtAWZlnWoswI9uJwWCwZMpLsu9A2etRI+SpQjJSvxDjg6yUoQx+Vqay64ZOOm3FmokAS01IW7g9S+h+z+pxHdfcGz1zq8n2eSTuyASTHNMbhL/jKRpSXEThpnon6yplmk2O9xe+i4ORfAvmiYJ/AXluF7yfgs6OwroacxcMHNa2o/fnGkJAER+ljR40Mj4aD0peRaXRLa+8Z6lXLMk4KSbZN9R7XKbLE2lk64RoBDjIaFCsq9DevD35381DkfqcIIwZFvgJnNwqikIvfaxRSYHbsiTyFIwsGf+xuzk9VmSGvJKHVqvIy+b6E0U8oa6q96aJsTsFkVo+ixd00cqZ5izJU6K8aLW93ktnnunrjJx2P5sOwMBp+5yJ8ncjiJvwZ3sAf+PWc56HJEvJGElSk90VZ+HkWm2YhBvjQbm22NV6YCyUu+OOmS+WKssNxiNQQVCARYEcO7AEUQS5H0t20LvjdY7mYWUxepwXrOQvJQT74wymdgy4AEwkzBcQDJUbatMmo6o2Anw3khSQo8zo5cCJIXANEJMiTLQ1NF+RqlSNsBOl3nYFixMIs3A5JDnePlsfeYPG5HmUQwrb7VmQy+9U12XaTZflXOGP9SuIw2PBvK4RQtaU96ANtHuPzvg91s7cCbcH7s5WjXQtyThKz1+niHKhzDlTOIxBs+Rdf9p6kt5PRJpYeH49ma+OLSJRn0o0xHAejIglspLPNXsdKVPIX4//SJtSeZS1LW1YmWjGihEOzZlkmy7K0PzBOtmY2RVZ0evoNfwS5qoskhE1dvVeVlSofmE3KKSZ3w/H5csrKKUnwH9lbUuTnWCKCMLa2u7f3VxQySOs9w74IHsfZdSOtzfhR10MKBjvPVuRyWsbUE0RCCyaGswoDOw24kZlNjh4UyT7HGacDRwH634KCAeo2bDv8bmc2dCF8CgWrEkWBTwaKJ4DP9Q58rpeHs6H5XNcHWnv/mOtZJWckiW48kQ96wpi7OHecp2d5ddaSWSNx1KYoG+NwFPmL3jZR7C2Lz3EOANecmyJN0LJpNCsWxPwtIor2dC/sYeq9BiZRbGDayLzGZFIaDlhsO0pPyge9yBlJKsorL2FJzCVQtmpptTc9qlUPodWeEuNIiqTxM7xYS2zYuKBQNla/i/ZODk73HkVkBvztdSntsaBwUPj7UcQbCuBBg48JRbDlKLXMzVUy2pyQJGKYqCTNBxEKMc1LvSavc7LRoFCkjfAus8rU1zNpX1d372klRoUsVVNEIikiFxBCTZl6Lvn17HXUB/ePOTUBxa8AKvUOrTkz9SAnJCkvV45hSWM0ieZWu1uT4kaGdKhH0EPdbIYBIDLKd0iGkmaf6xwObFgYMm5l+LLV7k3L1KgPkd9/kABbzTg01rpts9udvo8zaeBA5IQkwMRByaVw0OQ/QLZD5VOqSPHvt7eiqjzjzbWArfERi89pBQjvZBeRJ+As8FzGm8UCjAm613YGRV44vWn6jGzuYeVIJ4H9kny5oWfNBk1h8it2qSK9xjTwPAdBpMnY5Lu3o/NUQ3XFz/BtsvYWkT2oIQjdn+lNBBMTIeEgDHuMlre7Ed+cpeVepOumWjzKOknClqNTqpIFXG5rHxBmPx7IOhgU48XxvsMHVIuHuLFk9YDaYW40H8KVkqXkE5Hp/YpIiWdbrZ4PMrkBbQGYPY7ZyUvBaajI36tFkceZ51azz/E4ZRtIVCZXq1sJZS0hhCZdBBQDKf7xfUEAfjFtwbRzKHdJes3bAsqEhXKsw6AoFJ0xaWbfIjLC+q7u3oxziJg9DXUazIskLkvkqZkyKAgAexcYf97qc5zvtzXdFq9M1klCxn/RXOtxw4biVJlyJIkmcDk6SZHtq6t2OBaPD6XZzH4gRQ+JYo7Goo1rW1ZERiAl5DitnqXJIBg/X8ueE+qa82oW1ZwWjYKZ+H5CvI9lUTjht1r9zkq/1X3FwDK5mklotogbelTLylTtaAf5fyTNkgTAr521ZNZz2fKPJqIcsNg2s6xUfh7vPisb9ywijF5VqCeiOPNi6qLJYfa4GrjEDtVYvKy8fBS5bydfbgYRk1MTLscZZe3AGSUnJBFC/Qd24vgkEZBSH5FATNWwRz2+xDiSMrUem0YT44J2bacumWodb5x4C9ZPQeqKG+WZ4dNgiB3dam/Sbac1EGQFbFAqdEkOoPLdWCqSMNbfJAr4zRav85PmBvdmY9ickOTrni8WYEe7iczLB34nQKT0ORcAIzT2zmOQ+W8kkiXTQTRI3Vlmr3MRB7i3qNCnBRRxxG0bOtfekErc0YLIYlAlxRzQJwoDVKQqIkJSKfR3SODA4cF6j2tFNP5ybkhCHc3ic1yGot4jg1sFSVIcRMCBrddcGTLf6nWu8ze4H9bVyBQINLgbaxfU7mGoqriAwg3hqZQPvAjK0xhObnRTtmypwntlu1Q+QTni9V5LKflSFuLquDhOq2Nkid2Lx7BolzPbrRa79zGzx37EwNTSSJzdUl6sivfDmQa1gWPZByw+V2WzrfHWNJqaENGl6mvNS8z3cKPxPGz96SxxLNttGR8IJIe6qeuhaB6TrICiwoyZEjaSTcvOTqV+lAIoLSTy3zkEpRQrJR7KGUloVxXlyOMMSvmyLRaxjOidUikOrPW8a652fMPi+MAnAP6v7BaLz7lH58a1Z2Vjiu/XnkgKt0vqX6z/o1xeeizWRmT5WTbrxdCg7wAAIABJREFUGIZAUUQ8iwroswG79+VsRz2h1HDV1QqlFt8rzVt0btq09hUN5RLGZhPAaZ8udyQhkDfZ7Eaby2gI70FEbK+A1VII/mT+zeRMZfU7cQSBc/TUh7PUiRXlVTNQnjw2mjsjq4i2mUxq7iZ3ZGTmsVjrL/HzztmuqwARQha8xgTzhFT2r/b2plc2O5Zl2aPU7HP9lkvsDpbEzUIDnk81WFI/lEeUJQzJirKMnTa1c+6ZSFv+WFEdKMbF+HFPfJVIFSUUCOLRZNd1dQdvLTEq8cINpcKeKE+SQ86NPR0bbtCyu58OoglKX+ecn1fvaZiOhDlIoNwMkZFpawjc0C3IqY28LZnaGgxubOkXf1m3hpAalibLT0Ay/JUPENHTgBrqDd6UqhBKBbQCm6x/caYYD8qLj3uzs/nLGq+zrgJ1B/x4BI74tLyalCS08YQd/Y/kWJNGlQpedwUq3cfiiH9Jq937TK6CoEXv+3r0dd30punlI/h2NZyzmcDgAOxk+2BbaFWmkJeT1+E/8S428D9hYrDQ6193f/lWvtJRhEf0irILQDaez/RF3IwPIe7S5FvC4bRURfCZHJC3aCnRBDlHWr3OU7Bxt1JwiGZrozvZNd93rLpxTPW4OWlv7gGbhFr90yav4wKs75qWhqZ/5TpiYNT6tDn6CmOmz1GNv/weKuNTeWQPiHzaJ7HIkmZlLtsTBZnvrMbe84UQ7Aus/3N8CJ9xpn6ysSv0Xi69+pIhrJhXy6ehyEOrh0k3j3Xgv993BC9NVcjit9uASRpiRYspeQ9O529w34/i10tMMfyOL+DeZMEcyDar1m8/wsAk8mRLJ6xnGDga7IuHhWav4y2cWW7p6Fj9bDbsvrQimkmrNfrqh9oFtaVihHF7hcP2IMvVQqhVAHw0/jgVqDmWYuPLcTZSAMIiXMzvJYjsNNJ34ZtuEIDyt7oBr1mngugQeBRc/U7t3fTdsjnL1hZSONHZPsf2BoDTxlQrFAtNb876ZPhOhNjP+1KQJwIF4zCbHCnFsQhg1JBEcCTxCw9XU2PZvORlyV2z3m93ykwiz8SUeywpsDcH/viY6vE3WXyuB4MQejidgATZRFRn+jz6yg0KJCC1CUVuicMpRuBHMv26Zip0qEKdE7A3pUwEa6p3kJi1f6pyUfQMacDsZLm9Y0Hm1eEHDNCII2s2wu+Mx5H5SoVJFGjOh53o8WDnpn8Ol4iCwwl1fvtERUhkrHosEiT1HllaEF/1BoNz2hy+d1KVxAF3qgySxlkk7I//zZBHldeKlgb3p7Xu2gMMSsXf8aMjS7fl4Z1czuwoF99r8TlfwsfyvNrVvTibm2LbGmiPAyRxuGAwDweiGpbYQypjUFAJ0dM9r80V+DpV2YgOpJCnq9YszVTBO8OGJARagkQ95kBzleMifOxXMx0p3zSgNBKjGH4hlZYGrT4Xhb1ZrDLV09rqfVPrrLctgsJHlZZWmjiAA9kwFyS2G8slMyIIoVZ2U+cnHVdric0cdb+g3XtdGQZUIXK7mZgLRBX9P9Z7XItlSdyPP0ZNDqqR8Rc249HMcZpBJW+N1e9qxVErEAqxtq7POt7KR9DsQoVpsakSjCUzUKOsw4+WivIq+g2yrWMkwztMqKc025qWMVvqwmFvRq/jQabfvGXNpk/XeocdSfpAO+o4OswyVTtOxhGL9lLG5rA6WoE5HOs5XJYYq5hS1YWkeRNHsleQOG+IYPCNtT98+14+V8zyhRqvc1Q5V/dmTNqXCTEd54cZONOSvdNQ7PusE0xcv2bN13dofdbhGcRrvwff/lZ3bYLdT4PhsCUJITqr3DtryaynSgwjz8efjcxYMjFl0AoKUzoTlf+Z4Z6iyGxM9fheq9/5Efadd5E8H4IQnwiufhwKSR+3O5u+LqQl2IGYtmCaoapqh0kAfAoIdYpgfBf838jebo8KDjuTh0+4YNZSXOnGJnym93Ru7L1BTxq7yY/aSswTHJST8Yg06lyv9nT9md4Ma5L0IeqdeGXNItsd5eXyOTja0RJfVZ6boVCkDjzuEe5L5BHKJEYzD071GyOxgckoEGhTbzWtmgghVjOVf43KzppQqHddryyvfa3N82M29B8yMZd2GT1SCoYqFYVXgYBqclMQnI2HsOEo7IDt2IF8fpDgtAcV8aoAXkimAT8gOR4MqezWPt8OraC9mAkTwqk+UgSNSAChXhk1bN06SNKH6Chz+fSm6TeM5tsdj+rEGdGOO9Qo6yNQ5GNEqSXXauqa5M0gS0pYqEf9R6AoR7v2P+J0H94sxMK0YdgDEV9xFfAXFNSb8TK6A55TQIRj45JJB71GokgYCcqt8L4qw6/+BCggOvTHJ/gv3r1BwENRSw1dQH11ppFzWsVKLx+NYN5Aq/fOPn1nqyJJH6KmIXejwnaP2dNgwQ51UjS71nCI5k49tyL8gv4ntxz7rxxBbIHhC9IxXkRyPIwdtDGd2ZT0D1OV42KcvSlWdHorn4J93hvq/E1s/VslSfoQ1QNop95PiUxHjFDmcRBHYY+i5JxbbRapYQTsiGIpDmLPiO6uZ/rEGy0rVgNBm4TmajuFrc0kiMd3QmVzKftA7MmtmiSxiKYRo2XABym+sCSVH8qBUco1MvoeDjPM1gKcMUQLEmNhd3fvC5mGGZq6ZKpxvGHSRTJIFO0zk99xdW+w19Hm8L038ItthiSxiI4UYcKQaftIaYyVA7hQsbWj2JIj04ltGIJ9LIB5hVCXqBu6vNky/zH7HIcjQW7O2FRJsPdFqBtnkObP4n29TZIkFlH9ZVH0xWr99h1lAVZgvB71aloZIWVbf3rrbRco4oqPRNhZC1pDEPK32bJrRGr1OVCk4jdw4OYs3O6Frp4fjk8Wv22bJ8lAkNUxHp6IvsK7y7y0tAZ/+Bk409QgcfZhEXfd4a8qZwerkBVv4vNZgY/klc7O3lf07GXogcVvnwFMuoIBz0YCpk6migsDDs89qfawiiRJgaihozv6CoOIw4wle3MOe+K4uTuAwNkGKKuX1sAVwxFrkAjvCQHv4vDwHvard6C3+63NynaOQO4U9fUNcwH4uUiQNFT6uHipu6f39HA0eQ1raEWSpIEocZpZjPchgXI6yvLIXTlXpwDAJGAwUUScxXaCSDBuMm8p1BmI/Ndpw44U6c+R/F8Kpq5kID5SN/V8lG+r6HDOzdLK35pN9t/3i7aTGT4QqrgoNjqjFhRJkkVE5dpXo69BoJWYathxnMHAxzImjUG5fSzOQmMgkpZuNMrwlfi+XESyhFUAHUV4xaYEqUV7jbRszWNeaswrNGDzcSMwsVGEPRbFBuxo64A8FhlbDyrrEBy+D4XYt5Lo/uaLVfxrPRmQc4moSHVCRXkV5bVMlsJDDz5F0eqmDZ+u/Vs6hqlFkuQR0cAKn7NceiEOQ9BiiUHAUahrnIgEyWY8s1eRHH8OtAWfDaexbkjvJkWSFDEkiBLjlwyAYhjMxtkvWyuIFGr1uWAI7m+1N0YCdadJjj4USVJEXkA+HRSfDHW1uSj6HWigSCXZIwaJikvw9eyGzo6F2Y7gWSRJETmDudE8jikGMwfuMnsdc/DUDlm8Pe29NKGO9VLox41NuYxPUCRJEVmD2efYlQuoE8BqgYGJG0qyEbSDEIwEzxPLVQFLhRAtFPMgS/dOibyThAK1QU9Ic5Q+Awt1J1qLr/fbd5EYmxgKSe/r9TcoIn2Q6FTXZP+JRGF5OJsuGOwLjO2HM0b1YHN8XehGfWIl3o/ysH8EqniXgXh7w8Z1b2VbhNKDvJOkhPGHwci1pvRCyJSKOm5QY0lIJwKwS8mxyepzfY6/zstCsJdDKlv+1Ve9bxbKsubWhp89aykXAkaGQPwgqew9JMo39NzZFhP/8rCfixB9OkcQdREK3LAJQFBn39C3FK2C+FZV+eqent7/rTi4+ZtC9ODcesStSEaqSUiaXxFpJk5Qei1+19v4Y71O8W3x2b8pOje9VYytlTmiERKzHrW/UILoDcTWQ5LBUKLhTUkUYBIlBRpRplr9rs9xRKMgZu8Ipr6HI9uHQ7GjXMTwwdZMknig6X8yzjaT8Xho3wqkVFrKkDzfMsE+Ekx8grPSZygKfIry8GchAV9907vyq3xFWC+i8LCtkSQZxiI5xgKD2vCnMH8gHCdkvHES+Z1/R+E08RwFcPgWiUY+KZ/6re57hrLRReQeRZJoA0lsY/EQju0Fm0PrkHk4K5JkK0eRJBlAMMjbWn0RQ4ciSTKBYJ8MdROKyD2KJMkIanEm2QZQJEkGAPJTKGKrx7ZGkjd7g73HZutmq1axj7N1ryIKF9sUSchbT0s2pCKKiMU2RZIiikgHRZIUsU2BghFGY61pRpEkRWwzoKB2o6Wxz1o8LmezvXFQONNEKJIkh4gE6ZbswPiOzbbGvyQrS342pQJcgrO9UHnaDgC4oFhXqlixZm3w36lyk8cD+X0csNiyo6LIu0kcxolwVBZRAirbKECsJ9u0zk71w1wFk9MKSvhZVSVNwH95JyHUkRx4Kf7fIRXERgDxbXe3+sXyuc1fpWtGT7laKqZUns+AU0Y0BSR2Hz4bs9b7FUmSRVDo/9rRjhpJEnMYA8eokcoMFnnGal2TrbHN4Xt/4DWRjLDydaXAT6OwQbFpFMIHDmxMtfJDvcfV0GpvjBuqaGAbTNUOF157hNnrcLJIvK8t96O/fEvyhopyiVn9zg8pJ4cA9e8tDb7WXPt0mJeYt+OK8RDBwYmtqMH/7yd9zQOIuqBwMj+NtLHEKFEipPUWv+stYKJFDUFzcN2Gpe3z2jclqydMjsmVR1TsUnUFfoyN8Vxf73H8jkXiQadEkSQZAjvveM6ZE39Tl7naQamzq+P45nFZUk7A40WxJ80+x77YQZ7Ft7ukqKa0C8RHyQpEO8TJ2IYL8eNEff8F7IpN3hWYdJrZ43jf7HPd1NrR9Hg03V7WYPHbTVjH+dxYciCLJCDSg1FY3sTILVhilxuqK7qQ3OTo1aYK8RoXsDIUCvVIMh/JBPxUANRWTKmirAFxo2ri73VTXVPdiwPTLMRDkSQZwOp3/VOWwukbUv7eAOznLIYkFq/zMJzyn2KRQHTJIVhLsoxPJGujOPFIViIdAtsNx/K/IdnOQRKfGLA1vZ7pLSl3iMz4nUgQe8bt24ISbKwFjxYOEZ9hiUe7szYX4ipZLr8Nj8ekKlgkSSYQ4rMYk+BU+Cnl8Vtqa/oGyfVr4EAJL7U9fxD/jneadA6Tx3EpiihXa76XduyNusFSq9d5tr/BfX+6N0ER6VSZSZSgs+BywOAPdzS277Fma6M7WbkiSTKAECyAFDlXa3kjY3uZvU4D10MQqicEiwaeC+seHvv9WP+JWu+TBowol9yHYs3OgQbPlXp0lUjudPttqPuck8P2ZQwQ7K7aBbV7JdNviiTJACEBK/Q8QMG4HfUXygys57IPmu2Ng/QRczXlJodcEiQGcDnqKkSQK7VegTPcjXgoaIKEAWyKUlV2HL67L1GRIkkyAIUxQtFpDYtEi08JHPUvYDoj7ohocqFY4Mh+Cd7mZD33yRjArkDR639aRC/Ut45CcfLCfDQrc4gHWlpDDyXL01gkSeagUV4TSVgaIalQwulHEpPXWSdxuFbvfbICDnegMv9qMmU+vLxrLLkrn81KE9/g61y/1f00syYvuK2RpKTWbUs7quBGWPv1QJMGHOlXYs+fmXnT4mJdW1uwrS/gczSJJmWYTed368LWvoE8/R4bXYV03Y/pV6aNqMw/he3YO1FgDG40Xsq0DxoDsQaf53/xef6ARwNElrJpxS6deHe0GjiC9U/l14n/+8sC2IL1wW8f12qesk2RhEIMGRQl6X5DMhhYNQXV+1e/k4J9lcO0PEvCKQOiQILMTyOJJiqk4rqu7h/vis0LWP9i/QhpRNnvsOm0Cz1Sx/2mjjNMOh+P1w/8osbrHFXB4RSd7aNnGFBVdlVre1PrwPzts5bYdjIalNNQVJ3Pwmsfmu/56sovew/ecUelShLdRhESG1rntn6fzkbpNkWSnADEdxkmrwpHRBdMtAshVnOAUvyBp1NKAiHUzaIWZdEqMY68QOe9NwgWcjVbPUsHfhEN0nc7ik9unB18TEcqO+ywF8/0Oe592da0JvZ8OYh5+G3qfZ9YCPHnQKvn/DA54uyiRFNYX1bvCe9JNeL7Km2NZA0TdpaOarY1Prr5XJrB74okyRAUqjPNBAI0oj3ULdTLae9k4JfTm6ZfIHfLm0e9EuOI/2P6Mz+dHo8gsUD94l3Uc45BPadJx30rShicySKz0GYAcJfO9vkDds98LaM7meRY/K4TcDjSnMoN23MVX8CfyNRyoEiSTMEhnbCpm4Qqjm1ucP8jUYFYeTmy5+A4VWcdrwYamp7QMnq2NLg9Vp+zkVEue40AgFOxA/5hQAfUp5sJmj+0iz/N1sYXrT7XcpwlDtB4yU9M1Q7S6JJuFqZCkSQZAn/hTp3CVjd2q0MCdrdX6wX1bgflk5+sqxZVPKCnAwrBHkAxSs9MsIO5qoEWTsMzEPlpjJbH7qTj+u8Cdm+bbhEIBA4soJUkyCdBdmJFkgwlsB/2hOMMawT22jsD9kbNBCFwKSzr62pXdzCoq2OsV79bMpqP7WG0PqERgvHDWZQk5XL1GKavke+ko0QLBm/p22iC6XrrGIgiSTJHMHWRGAimyysuAnDovGBlOEe5DpB4h6LMGzpEGRS5hKXvvSSgXA9FhBBpBSgHFa/TMShhm/TMbnFRJEmG4JyWLKWc3Z+MIo3A99B1kRBpBbugFBXY/TSTBHvg7qbFpspoRH5dgwXoWc6NASpARp1PW99qWxwUSVLgUATss9lDSiuAaXZNHYAPdZYHMJQSgdtZT89aZtSxNwkwSWddYXAQu+gUPZM6ZmlBkSQFDg6wdxqXfZFWZUL8j2m2/I+Cs93xb3vr8tY1ZpODslhpHbl3P2CxbYflc32r9VUITl3FBfta3/0HY1sjySeoKt6Y7sVC8Ley2RhNADFFr9KuChE3x2TK6xj7Rq/gyKPuwbSYa/G73sGWztB6aWmJchYeL9NaF5kUGRTll7oaCOxtXeXjYJsiCcrc3wRsjZr8mgsHoF/xVHlaJJEi9k66IPrt1As/tlcrSWjSOt/scfm0rPbVumurFKXiGaZTlxGq8OgpHw/bFEmGKcbpvUBl6aygMdYTCv5o4Iqua7CjV26uNxh6TpLli5KVHwADl9hii8/5R7Wr6454KfnId798cuUvDHIFSQCTdDWOsbWdm9a+pPOaQSiSpNAhwtlsdYFztSedqiRJ1n2dEGLzyN7i8L5m9bnasb21Om5hAICrpdLSS61+1+t4v3eReD8IwUbicULFlCqamfQYYMY0jt2bjdTWRZIUOkCU6tVJKGpIOlUJAfr2fNjgpVw1FJzPZbmd6V8Xp03MmUiYsGmL3vWDOPh6gxA3ZXwXViTJMADk7TeS1G6JSTq3LwD67ZoHHN7lKD5dR7NDFpumF2pIFScmizCjB0WSFD669F4gSZJm05JY9DJu1H2hEIOcr1rsnmvNHns1EuisdNqRKZC181sa3Euydb8iSQodgm3SrZOkuZstMdB9nQAYROKoTdbZVq/zfcbhZpaFXW+NCGGLzm22uv+azZsWSVLoALJx0qmTCP2dPVyVzHVfByyxDZa/wX23yetcJHEgv5Oj8aVv6UwfvhQs9Ntmq8eX7RsXSVLwgK90XwFCr3NW9Do+Ru81qOwn3TFHsYd2/0+Y7XNcbAQ4Dmu5BD9XJrtGJ9bjbHvH9x29f0onqLgWFElS8BD/0zuTgA5X3P5VqeMY6HOzBGCrUpWx+O2zDYyfgaUPZuku5/YHrcItQ5nuqe7uH56K9d3PBYokKXCoAv6rxzKcAABj06uN76D7EqEOipTfByTHDBDSbQBSrU6eEwleEELQUraM/89GrGidYLAShcn/dKr8tWytXGlBkSQFDi7EW3o3DVAESs+HAthPdF4huno2/DfeFxa/83Jg0tV4T337JUIs7A0FL46XpmKoUCRJgWNV78r/jDdO0mNdS4P21HTqAsH21DnifxhP1KEIk8DgOp3V031O8tvcz+m8LucokqTAQUHgrD5nq54gDdjR9+HXcD4whlUyhAPfGSftp6txQgxaSarz2ycqTLomXvGkt2LsiFTR3YcKRZIMA6As/hIO8HqCNIwy19nJD+UNrReMM04yM50RHYUIx8HqB1lIxyBJ9S71bmxZ06TL7z+fGAYkgZymJhsO2NTV+0xZqXIL05OugYeTC2kmCeI3OpvVsWbt14MsbFF92l/nfQhl5mq7B/WYRhBiI4vYkPV7qSB6APhGEWKdIdG7prubrc5XrsfCJ4lIN+7e1gPy3rP4XW6cTeZqvQZ1glNqFtX8SYsVrMVt2RkU41F62oQj19Nvz3t7kCElnq9KzzYRLHidhUH8NFV9+RNBovcKU+RwpjFa4XoPa21TQ7Cktb3Jr0fE1Iq8kwSYkPSs+wtgWc3bN1wBQr2FAddMEsS4ivLKOznnv0sWuod0F7PJcTfTJ2oF8Za3JfhOt61ZBhjFwgHxYCaX2Pn4f3xp9TluWdXzxX2JAnqng/zPJAC6lgSRVNv8TELw25r8Vr9zGT6RWdqvghNMHrtx34W2M14/zLdu4LfTFkwzmCIEOVhnc55oaXB/GrdGJj7U7YeePeyMA8lfxhsnnWpqajiW/FuycdOhELd0rpsXZ5I+oOR5DjAJiaI9+jAA/GbUSGUOimuP40cfqOJrVcBILokZY6rHU5rmVJl/B2Jdt1AvTthGlXmAszN13jPb2F2S5TYUx47zWxszXlLOO0lw3pd0yqy6HYG2VjRbPa9Yfc77sOefpvNS0hN+z+gVzo9OSE9zEEI9P16A7z50frp2ccUuVZ/j7SelVUH2QOLj02afQwRsTQsyudFQzCT6lhnT9NfeWtHT0TnfUF1Rh2+n5btu/C2ebLY1PZSszIqTV/TWe1y/liVGARjK89S0RJA48MesXucH/gZ32lFThkJxH61zFMuJZedwBWWJrffbfy4zqQ0/6re1ShtixZo1QU2R7VvtjS+b3A21KPLcpdPfPRcoFRwe5NfwWemufA3BTAL6zLghrdQGWzVarZ5PcLQ+MDpap5t6TQ/+q3Z3H/T2vIDmAavF6aUYZXWzG22TDAblYBwWaTefgldTpq68zjAUC8xUZ/85vk2Y6iIZ8kqSaJ4NbZmK+pCFCHxbI3C0ftPicc1CJXlxGiniNANFrBZ106bD44X70YJo4O47Y89R1i7ZWD5OiizhVqBUVMFUUQq0qMNBwvcKjv4GEGoZDpLbYTffkUXESwqpmpZrMnA4gw0Hkhyw2EL/rE6dRF2Zo+YMe1B+9xqvc/8KgNvx42+zfHsUTcSfOj9eeyXpGdm8cdQoUrcPSDglnjLiYCTSeSwyM+mBaabPUT0whZ0W5JUkBoO0j95ruIC4pthFRBD1qzjB7HE9waVwCNd0zEL6AWcPXyjELmq1u19Nlb45n4iS6ym+gD9jrrY/QPtAOi6nODC0x7QoZckByCtJgHG9eTY2BNZ63k14PyFW4k3btNcPaaUkSAY1KNZLstDcBuyC6QWzTgEKFYri7AyT12YFJp2Epw5i+rwAyQ7qBcFCD9BSs976UUfaR5JYnZayoIp2f4Nbj11ZP1AKutoFtWcYqsudUVFMEzgLp7AoXJJMftRWMnGCoss+CNGWLCkkPuj78XB/Zi3LDNFd3fqhbEMfouYnZL7u49fYZHO9VCOA74dTA0V+3wlHiQoQzIjHH4UQPwCwL1Co+iikhl5rW+p/IxO7J1liZKaiad4JZeF50Sqfxed6Ev+HC7Vegw9HM6FikTeSTJwg0waYLt9r/Kf+naPmbPWI5n9fFn2lht45PgYk65cCN2stv4llHumdgAR5U98VoiKdevJCEloGNBoUvY443aK765mcNKiIrMJAeQlBu6nMa23BTtaQeb1CFSroSg2XnttFzkkS9Xh7Gt+O0HMdigNPBuYE0kohUER+wUFsr2eDeEa9REu/uleZBgIAdK1wARNp7bnllCRkhm2qtz/M9Ob3JnPrUM8fctGmIrIP7Ky6IjSWCCAFf2EmdU5bYKsYU60cp+caIeB/6dSVM5JE/BTs9+Ij1OvxRm6hf2p2NH+Wi3YVkQuAPtMhDhfyBXxRskWZVBhTLd/BdOq4KkWeSQM5IUnNopoyc739MXx4+lJ3RfDamo5V12e9UUXkDqr4WE/aaCw521Rlv3/agmmnxfNuTIbIKikRRNceCaFr7drgyzqvCSPrJKn326dWlFeiDpJWkvnvRLD7CL0ProihxYZP175ZMaWKZhPNq0coop04pnrcTKvfdeP3a3r/mSpEKSUhLSuVfz5xgjKf6feBIfHk3+mGQc06SSQmkadbOgT5UQ0GDwkUxaxhBzJbwc7+T3x7rL4rgTb3HkPdosfid72PM8wHKGqTjVgXADMIIch2ayc8P6WsVNmZpesEwyiIOLs93WuzTpIeof7GCJzW5vVEA1wfUsXBLQ7v8my3p4j8INQbvFVS5GNYeh3ZgBfthce9YoNVQhbSXRGQeC+2NLh1WEX0R9ZJQl5rZp/jYA58KYtYeSaHYJ+rTD2spaHpP9luSxH5A5nGW3yuB7BfnzLUbRmAjl4InZ7JDXKiuAdsTe+aPa5fcolRXKZkgcr+tWFj74n5ip9URG6xpqN3PopO5GT1s6FuSxS9KKEc1d7g0Z2+IhY5WwImgzuzz3U6B/ZAnK87VEFWpk0PJQt3U8TwAinGFrflQFCMAaZP3M4FelShHo0SSmHncQ/YGh+0+J1TgEFfbu8elK/u7untvK7d2d5RDDu39aHZ2fxlrd9eb2ASbRbq9fnIFr4VLPTrgC07Wa9ybpbS0uK51GyyjxUCvuvu6f3rsjm+tHY9ixg+aLd6vpq6ZGrtOOPEa3CAPJdBy7cAAAAAtklEQVSl6U2YBkgqeULt7pqfTZOmnJMkan59Yq7rKaKwEI2geHG93/6AJKTzUKH/LctdglHynHwBxasbUR9+Pds3L/xYwEUMa1DQCjycYVpsuhxKSg9DHZUCeZNZfaZ5E38QgjWDEI3dIP6RLBZYpiiSpIi8IBpI4hF6UUCQek/D7sDYdGB8FwFsMp7fDgSrZkCRVISBcgGj8NSDn7tQhurAsqsEE1+ByshT9e1AW/DtqM9MzvH/uFCgxBI9EGYAAAAASUVORK5CYII= mediatype: image/png maintainers: - name: JFrog, Ltd - email: support@jfrog.com + email: integrations@jfrog.com install: spec: deployments: @@ -627,13 +132,61 @@ spec: fieldPath: metadata.name - name: OPERATOR_NAME value: artifactory-ha-operator - image: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-ha + - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY + value: quay.io/jfrog/artifactory-rh-pro + - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY + value: quay.io/jfrog/nginx-artifactory-rh-pro + - name: DATABASE_TYPE + value: OVERRIDE + - name: DATABASE_DRIVER + value: OVERRIDE + - name: DATABASE_URL + value: OVERRIDE + - name: DATABASE_USER + value: OVERRIDE + - name: DATABASE_PASSWORD + value: OVERRIDE + image: quay.io/jfrog/artifactory-ha-operator imagePullPolicy: IfNotPresent name: artifactory-ha-operator resources: {} serviceAccountName: artifactory-ha-operator permissions: - rules: + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - "" resources: @@ -653,41 +206,6 @@ spec: - events verbs: - create - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - '*' - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - '*' - - apiGroups: - - "" - resources: - - configmaps - - secrets - - serviceaccounts - - services - verbs: - - '*' - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - '*' - apiGroups: - monitoring.coreos.com resources: @@ -729,17 +247,6 @@ spec: - update - watch serviceAccountName: artifactory-ha-operator - clusterPermissions: - - rules: - - apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - anyuid - verbs: - - use - serviceAccountName: artifactory-ha-operator strategy: deployment installModes: - supported: true @@ -750,7 +257,25 @@ spec: type: MultiNamespace - supported: true type: AllNamespaces + keywords: + - "DevOps" + - "CI/CD" + - "Developers" + - "Software" + - "Productivity" + - "Artifact Repository" + - "Repository Manager" + - "Docker" + - "Maven" + - "Git" + - "Helm" + - "npm" + - "go" + - "golang" + - "kubernetes" + - "k8s" + - "rpm" + - "yum" maturity: alpha - provider: {} replaces: artifactory-ha-operator.v0.0.0 version: 1.0.0 diff --git a/Openshift4/artifactory-ha-operator/deploy/operator.yaml b/Openshift4/artifactory-ha-operator/deploy/operator.yaml index e32db4a..51f05a8 100644 --- a/Openshift4/artifactory-ha-operator/deploy/operator.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/operator.yaml @@ -15,7 +15,7 @@ spec: serviceAccountName: artifactory-ha-operator containers: - name: artifactory-ha-operator - image: image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-ha + image: quay.io/jfrog/artifactory-ha-operator imagePullPolicy: IfNotPresent env: - name: WATCH_NAMESPACE @@ -28,3 +28,17 @@ spec: fieldPath: metadata.name - name: OPERATOR_NAME value: "artifactory-ha-operator" + - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY + value: "quay.io/jfrog/artifactory-rh-pro" + - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY + value: "quay.io/jfrog/nginx-artifactory-rh-pro" + - name: DATABASE_TYPE + value: "OVERRIDE" + - name: DATABASE_DRIVER + value: "OVERRIDE" + - name: DATABASE_URL + value: "OVERRIDE" + - name: DATABASE_USER + value: "OVERRIDE" + - name: DATABASE_PASSWORD + value: "OVERRIDE" \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/deploy/operatorgroup.yaml b/Openshift4/artifactory-ha-operator/deploy/operatorgroup.yaml index 8356f6c..6784bcd 100644 --- a/Openshift4/artifactory-ha-operator/deploy/operatorgroup.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/operatorgroup.yaml @@ -1,7 +1,7 @@ apiVersion: operators.coreos.com/v1alpha2 kind: OperatorGroup metadata: - name: jfrog-group + name: jfrog-operator-group namespace: jfrog-artifactory spec: targetNamespaces: diff --git a/Openshift4/artifactory-ha-operator/deploy/project.yaml b/Openshift4/artifactory-ha-operator/deploy/project.yaml index 49904a2..c290689 100644 --- a/Openshift4/artifactory-ha-operator/deploy/project.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/project.yaml @@ -10,7 +10,7 @@ objects: annotations: openshift.io/description: JFrog Artifactory openshift.io/display-name: jfrog-artifactory - openshift.io/requester: johnp@jfrog.com + openshift.io/requester: integrations@jfrog.com creationTimestamp: null name: jfrog-artifactory spec: {} diff --git a/Openshift4/artifactory-ha-operator/deploy/role.yaml b/Openshift4/artifactory-ha-operator/deploy/role.yaml index f881935..b18faa9 100644 --- a/Openshift4/artifactory-ha-operator/deploy/role.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/role.yaml @@ -4,6 +4,40 @@ metadata: creationTimestamp: null name: artifactory-ha-operator rules: +- apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - "" resources: @@ -23,41 +57,6 @@ rules: - events verbs: - create -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - '*' -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - '*' -- apiGroups: - - "" - resources: - - configmaps - - secrets - - serviceaccounts - - services - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - '*' -- apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - '*' - apiGroups: - monitoring.coreos.com resources: diff --git a/Openshift4/artifactory-ha-operator/deploy/securitycontextconstraints.yaml b/Openshift4/artifactory-ha-operator/deploy/securitycontextconstraints.yaml deleted file mode 100644 index 6bcf847..0000000 --- a/Openshift4/artifactory-ha-operator/deploy/securitycontextconstraints.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: SecurityContextConstraints -apiVersion: v1 -metadata: - name: scc-admin -allowPrivilegedContainer: true -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -fsGroup: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: -- kubeadmin diff --git a/Openshift4/artifactory-ha-operator/deploy/subscription.yaml b/Openshift4/artifactory-ha-operator/deploy/subscription.yaml new file mode 100644 index 0000000..5d7ffd1 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/deploy/subscription.yaml @@ -0,0 +1,10 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: artifactory-ha-operator + namespace: jfrog-artifactory +spec: + channel: alpha + name: artifactory-ha-operator + source: artifactory-ha-operator-csc + sourceNamespace: openshift-operators diff --git a/Openshift4/artifactory-ha-operator/helm-charts/README.md b/Openshift4/artifactory-ha-operator/helm-charts/README.md new file mode 100644 index 0000000..256b392 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/helm-charts/README.md @@ -0,0 +1,2 @@ +## README +Should use the latest openshift artifactory ha chart from the partnership artifactory diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.31.tgz b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/charts/artifactory-ha-2.0.31.tgz deleted file mode 100644 index 20a856925d260c934289148ce640e18465e9736e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126568 zcmV)FK)=5qiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ}dfT>=Fn<2lRiLzbZ1;rvu;a8<;_NE6oT&BJN>1AR+O7(b zkc65dSOT=Iy546mA@I3h2$NRKet=5-&d+@i_Y8C&scfQ>FTYLA}?$fsXxBa(P`)RxV<=;^2 zBjT|1lW>9KzqLNNtzzf?Nj^BD??}uk3p?nlUBgk7{`|7B(`eUx!o8SA0v^2$=@p4N z4$y!^j8i#n&G%H0U5ar($;b?`cPB2!&X76JF4eXGMJ+QWB7gvii+$ zB+g2cz{ftWD6C#&1!Fw-DvEitePruwL^8eju&;H{7pW?HD4#@;3fk0~LC7UiR@J4L|UCby)lp~DZ zcTbL8#mfcp(S!y>7I;OjaZJ$ljD*OW;SgB9200@!X`uHkL43xNz(uLsUSUB{Os15Jm=a#2vYGQF2!_OqiQp2(1{$z{pjVg^-*iXf6|(?dl1a8}T_$4^ zheQzGpseXLk2kSDr(qK(V#Z?n8F4i$V!N|uCTeHv=ST&yZ` zS3Rz6Y}E8C4YGo$8*<7M*!&Qi0O^LgI+Df-Ck<7$KS3cAh!X+wi~=Utiv;%sVFieC zG$kR4v0OL_mlI0@o+Lp4?**C5$w@+<6JlF(N~P79fip|^5grZWWL5cL&I6cdldzU-pD8OS9WMD;%Cll(q zu$B?I5hM&u&2fwCcUh9 zs)Z;V3zyvBc@z*=1RTm3BI+NourfL|d?rQ3hOSkEQeEGtl599Y)C`GSn3AUHD_G&s zfm$sj;+n;m5euldP%U-UT9*R2fgxukfv+`*MM;K(c@i;yNCF}snAJI#>+x6-Tt7kx zM^Q-tgn5=uOW6ht4?@;tO`mR{x1q=8bE4J|miQtT1`8W1a15BFY(7sy$*PFj2qMOX z1o~@$w&=wA+0ZlHth#MIQmVUIIXxbQ{%%zDc*E{<34+zR4d|ZSB<$g?Y+^+-%g75{ z@DK|;#+)FJg%dhWVzt2JtGArMB)!H|$er2s$4G95vZ&e(8)!&?+Q2E~7k){jnyhfd zVgp+92nq7QZp4-hWINUn_#`5sPeN}YYsEHOwq*EhRU0*I9I$ag7t5eF2fgm$Nv|>Y zC9BS!=XjoGXRraQ`K7nzMF;uJyCiYLC?S;T_eNvwpfMF8p3`P-P!SS%+Cg78o;BKg zu204khwj&I{B>JO32DiE?iiA@MY`b=rHa7BndpC0WfQ)!P6QVzah6nFCdwz4p!tb{ z!TzT<+tafPYXd!35nB!J_!ZI0f)vEtU`;rYBsS93NR7W5_4joyVhb!=gB3J zGshphvXXw9L;WEzOhx_1kp4kv#DP<*1#CK1eaJDUjPY!a6TTR;o6U^hY_=P_txc(X zSktR!HP*?@Ma6x01D!G$dMwa*VFW;QO<;sGW1gHQQz8^rve~9Kr7Xv^#6-0z#>OFv z6>Hr<#xkQAND>6+N+v=5$te@(G2tW>O3FFVa;Ma%SWLwNff$%>FWsUTz+%;#Fq?oZ zRI=>p*+mbz=mg);c`{eR1o71rlX5$TIVI^rL*i#GQjXd!^O2KYzc>Ja6gpuP0wY`_ z1+|l}2=n^vio`MXNlJe?TADCMkcWbA3*E?5K-VyD&+|Aze-BAO^iuc7jVNXji3OE= zGYyDje%--E|EPO#aW;5AdUJNtYZBo#b45WO5j0BG{Yd<`h>wl{z1b7H47aio^@keYLJPPP4R$D<+M}GF;l)=BS|y@Hq}pHf>^(8nr2UR zy^)BeN|rsxU~RD<*aXOcCN%IzG@P)}oKDpogxB!?SfOcmEER&XUJM>07d?Ag5{q{B z?v;vmzADw)lVZ_2{Ml4JG1I{q0hQ(NS>r~olrI}MHH6YBqj;2{bHWlaBpwTW-a)(1 zT8c4(K5sC`3mROHf~q77Znt2WE;K>MC$H1^eq+FMVoxKnfvW}`QL&i zUe4TWw`Qp|jX6s~agN0d-Q6{f@x|_a3ipZy$()>k4KRmH3SxQxmbK{Edb=XMYQ}8! z%g6p9lLJo#i61^U{+bs5>!w9%(0Pf0YfgGGliYw^Q7J*`9!M#QBW&s_m}pD=douYRX#Q6sf1s~uL6WwAyCAA&6BZ$ zlh!tGb4Njj*2T>_xA*Sa)}g}on?5aU+$%P3RIo9XmYAYT#w7JZDb3}|&MOV&1VRw?QNbS)wTl?u~oTnAfnXiWCAi#8|V)zm=A8!hB*G z{~cH34|Y}kRj?RO2`KPzRP?wG2nP6*P|(;qimK?$C+;|>c@Yelcy3qvOf~bKCCI~JdU}djsErD;j$zzrlSL%tJU}rH zedNx_4QfBzR3OeV=ZJ#6bVh=?s=evDaAa$-UDfutWU*hrJ?RcFdV|roz4vz-N;iOG zM5#Ilizi?im3V=9N={cdHSK6iEHr~9Rv!5IDy!!5Afn}#FmVH1y5-LXs{WUdr z>fe&ARE?5;0_%Z>C<-tQk(AdOU>hYAW(5qg=Gq3lUQb-j1AQ=Nz^5(tC#YcavMW;# zT_pY!$q9h!W6g1ik1$Vlw<;rQ0WKWa1Pn_d8w)99f+e6)BAxam(G)aOa7WHP8U)Xqa-ti~~( z6G7sdB^(vDH5@MByfOnb$5C;0+x0V9C@-fp_^g9|ca2Cuyct7I=7c5-D?_dpdz=Cg z68h_aAd)5;fTHZN#@?K3O$x_;aGnqa$&`j%v#GO?Xh#ycpX-;K$|etGWSw((n!1T; znF+_kP_cb5*wzLQ_Gw54w}11>>Sj47r#Iyw?x8HpFClGt^NdC1K=9k)t*VuV~CdaCfceP^2O zXbXXo)Q7#nyWU{*{mJpjW_WVL)N4i`csXCSzG^$`)II5bKe~7`=yeZ=1rR&RFQFR3 z!9j00Tv2&%MO~})-uD-S?&#p`^r-*30O7v2A5%50bJ~;budH_XYIJ^fb_{*&9$fU_ z^$Nw?Mf%t^`iIBm^7-N???=Pl!Jv0B>YctDz3b-CIm$UEDbDsSSq#X;R51rgI!G z%x&_i^(}-!I1t&_9brigRHV_ zlTJ|MW}b)m{hZ56xyQ1s+|DX0-xMm}sLD5MRQ_dtlRDPr`sA^BgC}7_o%={OBg@8Q z&IDPrSVM{+(0kbmoVKjpL?fQl530|3kXDr{V`b05GbaaA4luN>?khnFxlkl55d~JY zdV#tDCl3IXZs`SA{A^<{!e2IeI1w`v3gtq%K7H(J`>E5|Iu+F!tQ3Ay0;^|7G~t>tK|Sl#NDHmjF)vF_5fy{f_c=WDUXI@7jT zXYJWrYK#}Er3R*z)l8}C`Cl^Z^(V#@2se-I^Fn>; zyS4LF>QS}|7AGMG-HL@SoRh-s9=PCw##CvG5)Ll{`b_CzS@Yk_} zbo#z+Ra*8wp?(LoTf40qLW0C|8iIq$>ll0FoWzv*nR`mBmfEB;+fFKo2WWg-Wj+{W!`KLqFvS%s?AT4P4)K z$NsQxJo^N_SmP=H_;cA#mND^@(8r;-=%8KY0BWD$UE#Re$m3XS^+fIoXh5+4T}%Zz z3qAYZ!A`67n$~iDvF1!no6-c!8)ua*r0in}08Y;?dL8A73T9n84OvXI#a&PBF$vhU zvb@akB|%A42~A<~Dtq(&T;J~O)Y3~A*qf1|zCe+82lnKvbLD;!!yX7v6y>$|tJz_~ zMC!xd`Fn=zJN_%MFfY3n3zAhb1&b`T3u_q(C&1rB{2`$*q#1xT;I?LCpN z(ch8WsD}c3m)rWa_P(y@z3ZeCb*OJ|Sc}TkfbF_r%|RSR!2(LdeJ_c7VZIgY;+pHG zZ7B~#;sa!0&FP7PREb>0WYCtOu6Y?wQsPY+o63?3#dLCAbC>U?zkW+%;*JA0u4Ph( z)j)2Qj&th*wm&u3v-P`Vi2`A?$rEP^E{o9&$G*pWbJUS<^XaCb}Bf7FAH^9>t^-3=uj`E z;zA3Onby}6AliyU?@y0GuQ>K=Ui_T0kxg_=L+F2=s|)Ol&y!d`eYOhfw#Jk{eD zBkJ!vz^mK|cVHS=zh9#A2Rf4-s6bg25C8_x!fbhiTn;`Br>4R5_ZkhFvM7aE-J%)K z7>84W>O32uQ((YPP@SO8K1xDC1GM#lV{VvwPrrkw{C66PZRA?geW7bS8M|f5+}>8; zi|+1HatSPmi?4A^oaU;&=k%&v!%fp_X=YTudC}CG8 z2z%s3Ghd|Ktm)*-9obg;>wZ%HZ(O;}<`Ik4&7$18-2!oS`$>AC6tt(5Axb$r4Y{#& z93QggON53l%Esh8OQY|FBmUooS&+o3q!q#S1+9uPJVq<16sL;ER53Cvj#`A*oz$R>ZO;1ACQoe zP#n`a6>_!aelM#ur{OTdF?kz-PfXl{D-0}_0G7U6e=oGA{6luW7g|lpLsJI;29W-> z9EQF+xqt)Gedjk867Hyj)qMw4=O?RR{I$XU5gROsf|7ar9AV#ACXAd~l#(oe)if_6 zzIezqTg_~NrMMIBwwH5Ns3j-ROThO<6TUyJw?^|;bM7(StepSl(VY?RQW+0l?zZHt z%zhWk>hqz#|56a}ZdE|rFPhn#VjXSUdI{I5Uo_3nN@^)^Wpbg4^*JMw$29aQ-#B32 zWx84+icoX)K3BP=t#cf>wqlxB%8R<`Yj~Sl6;`Ns58p{YXgmBETj9sq2LH${@T2Wy zL<8d{11ur>VDg*DFhW;J*AJd-4Nz zUEsPzpgF!lW|IZ`^-A{o*Y;eb$fGCzqxQ-_c(3~y`_@{h=j@jXfBVsDY2=|dWqmAg zGu0RGkzfRwNAh`7%%c}g^XsAgTZ;uP-Ou{|OI_3pSmK)sS<4k7hY3u%4s{f8ZKZ9P zny?;HFh%&_w|o``Ywb$;2GXj~LI$YV#5nOT)%}`>w~^I_Ml4XpRwx8-5|8MIsR=El zU`p#P4G;D37P7jEIc1low5?UQK_n5b?*3fU0ecfd=>CV(CMqP<068 zUhNhI(C&9bG~7k+b{{NzLVa_xv+roGE?d#7Q?^#N(N}MuZn``0-H%}TsRFmY73f}B z&VstOI9Em*q&N%I{Zd^;$8*#+J9xGQrKolzv{U0DYeaPy3ynW`;n!$^kJ>1C|i9QnFe@SXy#+Yg)<)L-$BoYYI+FPm5o~WNHYbzG`kV zEfJzDsID)2rc&E#K`bZBuOXgiv+Hushj8O!NPW@^y?6o1ZN4RoepRnm6^F*5(Uqmv z9nlm&xSXXaT!ByeI@f;o^ug^NNOai=^GS7s+523J*5fs&P{K(+#1K_qZP$68dtu3*yv^;z9oxuOykN)UQtT%jLO*HLit0&97xKzsCe7Aeebv}Ugk+5qiG1vyPh7P?}D-Tq( zA9~iJ8d>*@#nN-v9H$2=!)rlZOJjb}f?C%s@lasZwu{P%_#k{AV%&H*z-1PYSQuBr7(0oZ2Pf%S&@agQY3pmUAP=RB9ySTlDM!h1M^DPyOpluX(wjhUs-VmV=uyj|RlNC2&-zQxs-$L-bb4-Q z>0~Mxg-IJ~?ux=FtaktX*HAx}Ua*0JIdA^9uLE3}4{bx)che?HmfDAEoGJYEe6!NfjSnYMuBzf& zIba__2};{~kRtRT*$kd+s0`ODE`YNQ_j9sHS4oz&7<)jcy zMYCw2Et7J6AGNo$#&uBN^LGb2>3JGF<3z&Okt>8ZGogcZDvv9oViRSMAnw%~G2|NP z?#`7%<3?AW`vMSkncVC$o#>(9)BsC>8GxP+vc08pc2-lhgLbyXzMU!yC8#LOl-<}=~NB#3OIv0&h zYbvlCWI2&zVGq*`D`uU(G{aGx7b`|^mO^{rkgG}_j<83?!h|1EPhpasMLND4q{CZp zc2opc$+`O)q8OQ^lkR$|7>+1!cx-M6WDJt|<*I_tqzN^Y9Wcu=b#kJN44e z8ylU$Dzko>Cn}Ov0Yr8wz{$0ze3q>o1nbc(^*V+c+LOy5ke77wWVj!FWqa*ZP{r;M zzUH~^+9Ar*t`-MQ|6b+fW0grAaja*VtBiSA?d@Vk<$@xa7fYTT)y^m#wA(U!WR>qo zr}Qp$-zdMzTq-&b9p98`W>NZ1@FhW9YU#sW^s}Mt&mhJ9tcLDqCEa|6hJ>Us;C<%t z2EOJEJjcJW5MscqG%!I^iX&V!r*SjJp-&n!p~DTqyy|?61%$7;vt%~p=bJfG>U`|w zRzB{@%@K=hSWj22B>MoTgPiVn!>8_>lkR~#eAC_8d*)aYNZ0qN1b_o%S)HZ)LIh%= z+5~rt@kz3xIth^)1whpcC<#Slj&Dqae#Lg%SvKYS=U6^qRjNE0!dgmf;Zd3@q&%8A zmF_-4(m!i=z#{MzJ-*-AK>Bmtrm6U@%M z0($HpGwi>@f#f7{8U##5Dx+Mbk})|s`se7Ne>hO*52>7?#q$p2Gck~cklbwm1v}`6 z&33Dy{@-iv?rc6m@SvSONViQED`5i?r$VYFlUX64At^NpB~12-Mx%k07!potc$3B* zUWV8H=4}qGCpnz7e6pfb3TX)EiA^-wJA>kPpiim*_Ee3I5y-M6F8YND;0cYPv2G1T zj0I>*=g!w9M2sgB>LCaiX>^BqHg0LuH>jK@%ZHaLsDAnr2a4UvlAZKrReaBH@D)Z( z$vB`Qt2{VHbNNNSj$$Td(o||K=VQuZ+l_4qa^wtUG!hMTu0#CGfwyx3NKn6|!SxNb zRXQk0n;@4LpDoS*osXZ|-rfCLmAolEu9ZhtcSAA}rQuUAA2)%gJtZ+wQO0~anUEMF z{f&vZCPa;RWc3eX{1y5r^?8VgM@`g18fPgJp_-z)$*KcE&3qOTB-?JNr1Y|hC0s`C zPP&AqVId_;)R@BHW7|ox6Ta5zVjS1eyNlP%BjHEML7x?!l9t9 zY1PP7AQ(AjyakI`z@`fbT<=__HjoBoO_LD=Hiaz4d?hPX{C7=GXff;mhZv#i^%{Io zheSP4mYN-SHm6~lkpz%MsYfoAZ)CfNpBi^WO>08>$l z%4>^U*O-bU7Hd%#m_ia|3T7b%XT}87(E^k;rky##iEte-BAmy2-&bw|{r%uh5 za=&L!PpD&_n#|~P{lqZMVkMnZJy&Z7QnE`7Po*AS18rQQQ_LN3NkhMb4$~C5HM2WI zjap$}%vXC1S_F-{@t4f2_HY2}!tOdlga4{}>*6f@01G*AUBN`l~=1=L$~P=9jD z#Cc4(q=m|lH>5uCu$4PfZflAaTrM_ze$^ zRSg?@I%P6|gTfZPQIV;?FpF|q=+2(W&|k>Tza%rimDeAVO;b7fCnl8p20Fns)IHCK zEu7FmF|}(JUy^vF_g}&hdiq=``m+C{fK8Eo1gXqLOOFmEd7I6Ybm$t#p#m3C-)t{U zF^`%W5cQuc{M~}&vxRN-7H36=DWQ`H1vYRzt1tCv*f%N$aquPkRoa+Ih2|QS0ofX?TDT)mQ5K! z9-ikGh?x*kTEQT#$DRn!ketqyU6mU&G`AUn@fp%O=f&#h#^w)KHBe-+uwt)7IC|mKU?ZwRgUHZf$BsKs&9cRqv}2QllOd z?2q&vFtqcu)k^84Z2Kb>fOBP$G4mJI1ymb)7}FwO?iC7f5-vePy&or&35it)c6TnT zUUKxbRrQXi1x)`7MFg2gBgv>n;F75cx!0QKi^9#(siuH|4?pZ$njHJc5GH*Cw2?20l*$l~G*1QK z<`?wNZX$i5dytik36EIFiF#ASIW3?2ZIyzNQjObVXSe;fYrW5g@W*Vdlw9$seKZqE zkRIoZ6@|WB7-pMbp?R|*yl51%DB-ihn@d6>9MCJ0E@$*?FReEHjYf89!?i7bEd_{% z-~6H>zZiC3%cVB7g%8dHDOCvOv4EqC)KQ`7D0oNB6EhN-cInxsw zPGiY^B)jLitQ?v^S`p&NX-H6R;rbzR9P~S)p)Xl_OX5`OO9K_4N;0@5!nhgn=mc$* z_eS6{Xdi8EZd>v;Cju=ii|X8)kvYlBzseIMlR7hNw$>VT5sRgRM_gc(*qle4#l7>) zdt<}WtyTa?wJ1|DCMv7Vf7->G|5is$6cgn$Y7H`{a0bF$#qiCt)|g=HWb~vwA0p{ zhV(KSlPCIIM|oDAGM`BBPhh*g2CtEX6J)z&0Tg9XEtVP1}J|ZNRE8X5H==jb9~rA|MTDfNBjEy&wu~l zEF~u#;QY^j|DR*2w*Jq5|6g?sV&>?Das@NSV+}yzkv~t~&`;b;vgqiqaF$WiD@VaC zW%ezmpoWLV6x139Uk}LBr@IwU)YA=g*gGHe4!Re;!%pG2)%cCYBnq%cd^BF5<96%W zo_pMGefbR05MeY)L;^>JaDWXE?bfB3tTEm|Mfo{>QLMo;^h!#HdS&~ZJ;=fApFWZH zr^rD4$LG;*|IxijM|wCsMqDSTo?(&BYB;|fFD#B7F(0O!2)IfgtsKm~8IFZ(Zl;NV z+rEO@et&`^I3rS=QBI+n$xEFU=&Yz`?}xeC-MmdC1ypiZS&{A=kaF^am~)})qB#x| z90Uvb1y6}zk-S>YcknwgwFb&NfZMn<%Cn@9;`;pEfpU%+6J(O)rmc_3gvA6Yx0rOK z#w^i}JR1cM80|*2M)vYOeR*hOLygg2DZ2ms6y0S7Yntom3l=K5G8D}pn^Io#Qwi9VH&9<7%y}{=kUrns zOO)>f<})LV5tW=a-K%_kg(FxrYNo~9>AzX;Wlua)eEE61qYvCkfVrSv!(&ZZfj3Q6 z#aqk~JNmM**J!JwY(V;L9CVOles%U*PoDzu1&QZ01bV!Vu}4%eL*VL5Hqsm7Ww$>p zUq1P95uaHjW|mf~WgUN? z<*pCdbV|c%BOq5K=pY(SSSs=~M_lNwuT~mjpQ(5jN?d`t8B-*|66EmSA*g*)g6?D&#(@e_u2*EGCo$z6H{# z=*anH5(~$&r%XrMd&_D^y;qa4liKz)2g%R`qjCrRU|&s7sbujVba&_cRQub%#HVom z&_sFQ&C|1s-moEV#D}-hYPDKl?(M~VDGsp?xa_WO?AMp{Ge{&MXo9<_| znm%=r;=@+RMCBr%V=hSiEm>rG&^Fpy5*{!ujGUtn{5ad-EmZqr-4FV%J2>s1zD8@; z_@efOBv@YbQe8loWFZAJE~Mh2MQULSbHo_NmV6}eO496qC}lM8KkTE)Vm#r!8Jyu6 z8zn@$VAmm1_qe6b24<}X0Iwr*1KxBe-Qh)VF#5Lle!srOA`)^Qpjb{vcSdf|?#}kZ zF|Q-y%^0fRX29-grU!Mq!Qc}>tO z5-ilE7Y~QZyB9?KsW7Sou6zP7GvKRwoAIRm`t7iHFz8*3PP->P z-SK-d{{ufY+vjnGBkC`VhB|x3>d>pEpwqkO-O5S^$+`e zI>!0US^sn?+iX93Aloc3P6Pbou+9JFjML06tJ|BO4D&zmW3wNd6BSue#JHHog#Q}Y zu1K}R?nU=ici8LHE*K&=BF3IbLjjI4C+U5zCvf>P7s;xoXX)Xq(Rp_`{O)XUxL@D8 zOvc0$0o?F#UGR90utz|-9H=9s#%cQW?hfUv=$&J&nl4ipD}P7Rm_#V+Gq-+9^8oTj4^qcatXY>Dgg#bbdCtcno<9l;9EZ8WJl1q4iTE)VSO^ zMp@@8!w4!&^N0M~MNIqW1w2)Fj>lk21(^e)$^*EePk{+M(?9MUg@GJ2?VwQCcy#J1 z>6+HAY1$-5t~y5QI|TODX+K$TgbNFcH=z+nhT;61eU z+-Ps!nnAXY_l+;19B&%kZI*{RLwnT_r!jukUv=kahahAYs1Y%L-MJhf$7Az|g(MXF zB~Q;#1*&zH&iOeJ7#Nos`XW?qudN^N@j*{SsI-j$cAfE_K1Kuc2)Z1G*Uszmi%U0LG8|D^& z2mO=o;Qi>2-GvM?AGikkhsyFz9d;Jl1-NH_Af}@;R0(+T> zu$;~dxj(=qAa!Q*A+v-hK0|zlTn{<0Y5nNbZ_9HAblHbZfFB+7@}-5Q^D#!Z65Y~R z--~U2;8tQPx%@FsLNDV3A4G5i${KL)|qLU%pqzuw)q9RqVo=H=Mx$b*tO@9 zEZ&TC&=*aZlg%$`y_?8HI|Qbz^+)h%Y}9l)S39?rwKP~AZdM3n`Njd%2CuSIhrx4V z?wO$9k%*JfL(g{ME1eIM$%Nh@$IXD53t9@zi$c&o73%js^z!`1E%S>UR_1*a(@;#1 z^Eo$R2AvP+hPm-4f7F4*o&EftoWj}px(Wvy4F$la??XsgO;#%^(0Wt_hWBWas^g2p2`7lNIkA!+C?Y67AMlk^7?wp@Vtu zl8q__H{tGIHBi`DIw$N2tG=6Xa=)AFYRLJAgPf7`h%NKAKCFkkLss+;elOZn61uVi z&p_9405gHh6$e*6x2*0oWOtShbvDdpGtYJrPJ>^0kA{_E>tTuKl!OP}JO~dvX!qHk zRg%O)mmSh+Nc;o&U~B1ZV54krqmTv`StL-|tOTrMuYh+oG|&K`zoYT9rzG@{E&@Ij zX_0TqB3Hs5&_7#Q`vX2p^?zj)cE^kfE@B+HUQB%6Sm61C%>no5|LykfPG0}tX+Ld0 z`%C}-6d(IgL9*K_vz3|(U4KqPbC7gjF&_*3Em>^eV|cTxn4>vaMa30WzIinq(KKDn zRl8=+E<5Q3q=#fD%unYmLaDm@7e%X~6(ZEYzOuT8-g?q1GZIsQrwZ$od75O!x{wwl zJ0+XEEMWScb_Md+m$Rb|MkzF*?)c3`7G!E z){8L>alC-ERIXwG584Or;s32KcMA7Ec6N7mcK_o4pW0e zh(C^HXAS-{vTH748cq)l)6P26xPcpjuGFMN6x>VxagOk)k;O54`T?AGt@W=Q5#~7h zL*&2Kv-WOL{@dHx`D^`uijQ(>shWG9i4Xz791AO2t@bpC#D}f$YD_e_W1(DUG*@$!% zn*jQ+3K;hK6zzXIyRG(L{QpyYq}l*3zN@^)^+Upbl)ftQ*APt?d*5-Yr+Ki z^j?42XRY-=r&HyG?s6}tk$9jQxN`mP?Y5t`itB&3wfC3*-zWL}k$PQe+Wa$%fT}a3 z!Dne6tIr_*)fn@cPG*OW0<1%_A02mJkKXS)I`$C!Jl%J~?B{UwUOuU-l1TkMwTqu! zjJoIN$NhuutK;6jGdk^#)NAkWqev(x>0JA3!tpnHDa8;phrgZ}x& z=;Hl(Z!|bRIqbdKchp~JX}QC*gKv9-(ZSit`Ps0y@2KDUr`7(jcRK7}^xySH-}c^* z-gS@PN*qU=gq#X`1=%e|GwS;!9F1(mH_#BWR3H`I6J3&pqS^5M5MT}8bO*h|(Kknf zv)6A2$NP@TYN77-yp02=s`RjT@OIF@ct85)tbh7#?|oW}6EBIWNH1!yuB}2}RMt;p zM%YBigHe}557WBf|49AHCco*v>%KWV>1Ex+SNIK^ljY#eooX1Uv|dhru52n-PYu=R z{A_sfde9s0JDIq?y7J+m|E@PEH|xjrio~ny+QXPuOqL8~R%_TBz&*)wRZe1+c5zkx z^zL}6zB$NRPV3%rcX-i181}k@gEu++b>u=$aO};NcA`+f*pmW~Ro%%$D)lK3Dc`Y` zkPeRD%DE0#&X+*bY5n1T+&aBH?H_c97f1c$r5z2ahq*YS!8(1lF*F?JeQ%iKC5Os) zM&&0Bk=DYqBpGV!X`rDFsiAz%R7eplX5fq!QX#R*(hsVjoT8; zCXc%CNc3fNun?dNiBA^u8UvghEmTA6($jRmV!{r(uU_>pPX1%mJpgtLOeiF6%26xKTJ|;1jsEmg1hZnt*(fjU+Tu8w9L5Oq;<g}p+iCa=u1aLQF6HOuo0Bh)n_Bx$?q{K>nF#xi`DWo{z>ki*uX@M(&bit?hW~M_ z3gxG;F4VJUzABf_HeF-@vupmV)l_$I(Ld@QT$~Nwn^N6kRL5_QP7ch=6AHPor2Hyk zrbqd(KfD<9U%kEPpPib5hm?z$juR=Is#4z%x@jBV$9PfI;e)f&i*El^?tx~{tm?8= zjI8LkRV>bReb77X=NgNNPq{rSx<2Hw!HCas5ST!yCg3$z{Dy=)i6uW0h;jr0cqt2s zWPx!^JQ2Vpd+<;7VnRYK3TJ6;_FIiTdn%skTA}zDaa(pl-hiCZDE3$;_^!H-vx7`ced)b!3KBsdwGu z{-I*;!&32jswr6gJ?RaH-PhTYH_UF|xtNj6Rt-@iLD6GLk2V#c9Aboq4m^ zKab5LEa*5OOTqjYZds*LF4bB8c0S1a%^~a!|IqQ^=Oh$-Lp`$}x%Q6}EMj`Iog30J zZ4O!P(z_u{p+DBpl|f{Kr@xJgvU6@Q%K$2ea|3A>%2AfT)&wC?9O3+Abl7{90hD^f z=&*OxeS3VdUyRV7=S`-rnKaqHm4TBBZr>@6?2MVP`4A5j);bP-LCdfCW2Vi+S z7mJ7>pKvO5z{*AqAISrTCB77@Wz^5kBxZSa%FrOMmY9q%x!_dgk#LG!%|O`Nw$dpx z4+klfw}U`uzu8YqcoMo(KOdYOzCBQ}1|6irl;l43(&o2aDkDD?Z8^XAW3Q8uq0?-> z=$}j8GUyG5FFP;J&juGSo23BB_UHNYGDg`}yFM!SVlk&Wf2G>9|Bdrt&U~`3^BAm$ zS$U8D*u?TJiQ#cLW)jB3ska2Fn;0+r@q^JJ9A|Oe=>+|N+~1H>FC*ZfpPtKQk)NFq zb-)c#iDA4Q96Ly5w35QKa$M5UIE{u293+jxV}p%}NaC!e39a4RU=jz7EWgwb6+QUL z(Z_fQ1gqD*@BitRZsQAkr8d6!L~FJ2MR94a+w{j>jEygHYj0g7K5(@)zR-(njrMZO zDV?kTSuq=btlQJEHyE4^M%8;#KU8s!s+L$zPR^>-SJ>WEosBfS9Oa14BNhuS3~3Qe z<)nf;RaPvjIpG{n3B;ru6QoSKl5e~n97{--A-gV#`~~}6Y31e&Uir>smF}|({z=`+ zOmM|+<*jeIZdsM?GgqqG{oyDxu~&gn2L~16jU^=IHPiLdlZzgvE35*Qlc(-S zd71cL(S#+#-w(Ge(^n|%IkEnJm`lX`oDpQ1tZxP}5Bjio(d{1(^TKK+dG8TiE6m!J zU~-J6s?vSta@&AX*>twdtJ*I!h^5s4VnCh0*D}1{hmN(bs?aGf?4{M$vffuL@udJu z>wLqcicC#0kl=>0Fh7Ni@zJ)J+Ve+SD>k_m?ig}L$<;k3Xu^`vH%6j@sYhRJp3s=9 zD6EiBELJh3%#m5MXrI-juR`oZp^zT0NfK6-E7G@oa#umyN#uzFOAeT1+9Hc7Ag`S z+`2+9(NGfgGvH_4$F?+X^cKXb;f^t@6n_fzk&R+iK57_;!>;8W&_v@c- z+s~fd8Br%Mx%O47YiE{(8_ogjuf~U+!|V5{^>GBw*nbmY7s+(Kr!?A)lQdOQ=L;WDN=N;n0IK zbV*1gS0@z+5;#LrRd(G#2Wo?xV>#187{)mfGo}(DG8GI(s{`qD&&{Kgx5pR#^W)y= z{Pk#f@TLc>Mg@Q25KXqI8h{mqdowb}2y^5U?!|Ph4jLb5BG>09G@SlJpLqQvcj5*A zjHX1KK%dSa@7Y=W4#yOa0|JhoTXwqmB;-V(-qBG{Eg#*mz)^BZacX_+sXUeiys#a~-Ti&?c|3m7B zn*vQ}Mgks`K&2uH1b%$Vm`v5KT^Ap zFqv$uSZyxVj z#b3pAIujYJ_Savgjj+I1Rpv#WHwxHvO5)cZBS{BvHv zRfNBjFdg|Cz&glT0vR@tRiG8A9|t@&zZGX#ekA^oVW{82e3OW~d#jOu@QArz=Em%U zhU`(uJz&%x1;1+GHqZf%sK5b*Sn{cc84w}mP%U*&a_W{< zR~3O~4rVysuWx}o=+tiu)jF+C8?w6K>r1qGtB8RFOQMLxTlLm9(n%yNurc98oK3QZ zOF-LqPF@go>M1VueDx9|RoS5-8#fL(LmV&QXclsi>nQDGf&wxTu88S;PJ9rYl(QU% zTmP9fPea6#7}h`oeMgYbB%hB7)@ef^5?-S~bV$&B5o0e;_l)m+?(Vj@Vn1?Dv^({k zY)0Hwt=5ZKOt8NMoP;ySG+YHhyLVqKqUA{KWjOH}34%(THlSmue`tt>qbQ&r>~n&l z%&R?zzO2(fT!DYNp@2<`JB6AHP6>p~uIw^-XmW!psW?^8ZecIGtGBb&dmnf;>wGMT z4rhR_S$xTnPbU)+lTZW;NPOf=QU7{I#7t_CAg;eYecOCBJOnV5k0gu{Pojv$g82I? ztup|2U2`?DN}MZKZ5v(U_32x)g6pMX+m+Le&IuQI9_7dn;*(RqRUq#&@o>d~XnjlJ zo}hnxesuBqMdS0`)Bi8y2t*}KU!z{D)w1eoIV?82XM8lB8P1RTV zYfAyldZ>%+JI&vJ{LzJfvZ248(SV>VH?q$%bXbh2WEMYj@+)egFMqBog>vV%x4N-T zo#q%`R*Hnk`LWe*<=^pukO;M{20~K)VNr(9*!57gl^f0tG!!^inI`o6taCsg^mnW9 ziAuc`G66vxso>~5W{@SLe~7lu`-j_E_2GH{badW7+^>ITf%ujNfwC8>=8WZt(`kr< zCpxg5)Obu*KXPN(tNe%#2dFtxfJdzoRRoKwsG@gA z&r9N1>Y04Mz7=ugl8H%t=3aYp_)P0MRgkJo1ahpp|Jcvzc3>J%(J-+vPKa_p3kBNR zL0q51QI7O^2o;a71Vbek z*4wr;SOx-@B$fejkDR8HfjT`Z!g>(d(;aRb*^ezTDgQzalOChob1m5vprisIs@r|b zeo1l_0D*+Jja;JViU8u;yda=1AV7%X?P60 zlMoFjG^B!{fU&57-g2V0D8Z0V#>q4lA1>Gt4VLPa_1kuC8E3Brj;92!!0cD7u0ijx zKait&c51WJ{*l&(0)i-)or^H%#D9YDn8l)E-Db@^+}Z=JWjex`$bBkKByrFciN}l+ zG-tl@=7KMjE9xK?qkvtLxDqj^e*3OBcy%`HjkIp~**;27me5b=?|)xfO2i4drwCwB z-CNzfEUaWXP`xF*-+wQ>8TOBl-&aGapj&}tf0_p^rSq2d`4gt;RGp9q|cBG zl6f|OcWaHHYEH1kn;~oTD_0pTonU9`5ZLQycRr{Dtjdsc_ zRHGk5sUVh_8RRC)&u6=Vyy7!0h&X!OOUvxE_Z=`MHRRb0TqfQ-mCUGW$45^6-`CpM z*X(`PSjuzEbgk(Bp-xWpDES1hb)YZxckq@7+*= zK6WDjT>@?w+q}kc_^9T->kdxu?-Hnsj{$#rcG0^Z{1{6G4)oYuBZ7*6*e7z5VdZ|n z;r5TM-Q6GB^ZG56zk{FV)FfA{+@$g+drYJEB^gHs9duvGwGd6l9}U-)n5~11+ztxX z=#NA+r(DG#Tk-0{2+N5W5Fb@YxipLtv0t`Fx&-|QlWSK_HYj!Xqn>RRbWX(Un2_*s zpm**8txokG2YYuFY)j4Rb7}a65id$njh3ZIX@d*bWbnPx>f482C1q!soOWRcCEtew)}|C z()Ozdt{3J{CpIq54$nXzLs*R;=tUk5yab}u1SFh_8S)n)o>RFKED&ePFvh_wDT|ZP zmn!Ea!U4S`D+ci175$*kIvrj;LA6M~U*Aa|SzFag-c;9hmz*)cy?b!|xkfV*L>wg? z#YB0brUzZuWYb3>i|0Vt8THeAu~O}qI#SkApV1Z# zxggj_YywYTqL)@*wx3jEPr123q3tUf$*fk!iAc#{Qfj3a5mbN7kQK?GW`#)se}#ht zEc4G~%RqqCHcM`Zhn~GGSZqzR$85?g3^zp`ZzDYx&gQ!HGWD#vooMyEWJoT7lFAv4 z_v>3eRX5?Bx~%MM7mMeN0F!F{{59l&{U$RNYMWLpuA<@(B;zPD0{+j8*il?X#E2d{%tq@Sl0LEBdAWfRH9GZeCG z6fqhKUR=CZIWx4n1sg(4;Ox=MvcV@Iy=icPy-RYV(%pkwQR*t+Y(L$5w%2YZa&5R0 zw2MRE6@<8gxu$P!z@}V2;KFB#fFf8vbR`Nd4P7xKF2{4?3OX+#3+9lQ=;f9m1i3gH z(d{zFJD3sgQjR`GQ+h?f!#quq21iFGv=&l9LUFvZ5H-(Hf%orC`VcLM@^4EOa; z1@@ZUi~23JtGb_uRz5JfB#W{h8Mpzg`g}ue=%@vmA;NQi$qy!QxPk6rVm&-1nH}?0(iP|K@09 zT-e{7o%GhTCRTgll*%I-(a6doYR;be0(p|{OU)q{QzLVzg>xrC;yDe8$(mX4 z?~>{$z}Dy(5sih&8jfr?HJh700j!XT3S(dCz3rL(3XV3CP+dBl5~0Giz?4cCi;+dOh8x4CG@17hhHlc08%CKDBH)BH_WXK}$rvPmNYCg1E&zJUV zH9tws`sH`B7u6g`jZLA3>_HOZD@+49{Xg2cd^i(Jzm)iHz9r>51u?kX7zH#W&x@W> z`q*dlbN*wv3A;TFrNsR5WsU(^ItAK5hj6BCEyDn1%m?~GQK396T5k%d9b#7oSL z6+>U)-!L$=q-oIV6khKy`Iz_L9HCxSPu8rTfhk0EMdeQirqqn-0NXxuQj+T^30wl#jFNVQEob<|KG1f0sGrZ0>Ka@a<7F zU9)B|__@2QeVz?q2XytKHX09>CToU<~Z~*SQxc;Y#0cR_6t};5YqkwRa~irkCVcGsF+s5bdGNTrh^>YIoX`MoK0R~?=p#W zyLr4H-Qtk`Moz{Ka(4ELO>+7hIWw!lZtbKrRA%|Cx%+t*-%O4gs^4aVcV{uxGF7%wjswFrjf|dBPDJX7(ua#n-{#fKFuOi~ zwHV?#dCM!Ez?IY~UsiEhk|S~K^t(NYs`4TClnY2 zs@t=pQnI<#U4&(yFYYsJy%U1n2K3=o*fYn3pK4M)*2ijy!@r_XQ$ zNZq26i&z$i^LJS^yM`LY^oj;#YVFzDXENUtB^HLPda-S3=7`*&JjE=1`MKF)ZOS^^ z=y#L?DAsm!+se{bAJ)i<9cW_%87+%gvqj2n*zjai@CegD7V}uB0+w@QL6PHUDpN2F zo73L030VRz18feqE3P9fZET=(9OF3=B+g*f+Z}MwFp-WzJWs7a^_~2?8Oz=sl8A&p zM=V5B$hy!$q0u)tHqhHhN>RM>-2j#>@1WCeMjErS?WOpzo%zALABZ-UhhKH8#0q<7 zKY!%aK;0Y}fqAEkVWMK`LMKxjsP5>!Tz%#Cy|cUnvc%&$0MWZAAU}Vkek@h@Z!Ki+ zG2AMpvc8o_`fjV+A2`0I;XQWsV++Zmnl!`aY77apY3MglE(p*Zhj7%no~^o~zloB# zQ;8`zT!4ljM=4y-i zK|}cIiNXQ>P}jKp^dyT+1k4t_RTc7h{8S;L>$pa7%;GeBgXJPq=E&*T=iX)5rXdqm zuO- zlh?6@v-+(~th=Rx*3u?qpFUAD>cIJvHPuY*X&p+`sM2^!3Pv^w(6*~B@5FNR zdL>5bkB>8QOUxZr+~5J!S*LZ|<`UtAlim&Sl9EKX;{Mc%>z{@F9X#q|f-lb*4GXsc zP$76)R&M#7&|*BOSF#ScGp1ox&<_?QJCv3A6kSkJUNER?<~)|V6bT_TQt0WVMX@@3 zUg$`bf`$pHi0*=Px+mmv(VsiL~)~}Lv?Bl5DA4On5B@@@f^zJp)?liv0mAV8l(f4{ErFB;;-S;=K za&D`n0vDDuVrpqpj!)XhJ%19y3HWHmd5@e_)NW|t#uXCI@>O23hE&k6v#47Nz!N0c z+`~foktrvSDJgoBgs%AnUj*f_y7=~!CXM=mV?pb z7HK*)wZqKAoo}jrZeTjxL@XBQpnK6h?w@u?XKyd|)#jv2-j!~bK-Y$_@gK7(|KRRD z*w@l#La0!sp-mk$oUY@oii$x7iXMMD;DE6S2WoH7p?EA1B?^}uCO6Oq>OodP%KycfM}Rj!)8;Uh2ASi%8c7kt^;mxh+b}P z0_cND$_Gk@?Zf--fq7e&mD~w(nhh19n}k>Q<#e(!MXREgIk}AGYDS`B2h$+PZ->3X z{?}iB4Np&B_fNl9kJ_!L)}z;hv$yB_?bes@%v5W)T59iAnK5&qPR>qWpXDE=!N7A* z<;XyK*z?}tq(6j|>Cc`jxaa-Dig!=#aXMhpB0J~yShP_7vj0DO-`dv3kt}>Z=T~$F zC4kqGz)qYTvf8sU2%B9%tRyG#vAyh|X-Tt;W+pQuE(h!V?eEjq>FZpCz)sfeJ~2q$ z)z#Hi-Bs1qRq8!z8ZDBs;r%ALwiMsUkaAeYSWHplf7Q-|XHif|HnZWoc0!acs(*C_%vCE9TIr7+YW* zgT|dej3og}rt0u4CRh{BGaxu`LKf=H=kS!5AlO4taS%KKvjjPs+uA0rYe$caQlVDG z#VE}k6#*@FG4-!tNCilEbcW;K)65TvlEuFeRVlh>Ui$&T_F|EdsMFK_2=Ha1Jq`qD zEHsszeI7Y0P1o>D;?vWp&)^xPKN;(ykFeJTUlKAz7Ifx3-)nL~Q{#symtxsXlQA){ z$)9Kh8_Sl2Y?33w%YpK3U@J&LvkS=Q+crIhybcK5%)i23lQTD)nNzLham`{I+1!m1 zsD%A8tW|_4wet{|t(m#08~(u;IRo_o;e zo+O%->{kfFn`3{DwlhP#*W3?J+?#$3LlU~!xZB-pK7Y2ev!f~$dCN04W~XuYY_GYy z^XxmdaSAi`!t?oF6CF%y3v`(K;q)Y(9!3cpTZ1FD636{sza_$Vb(mr}o2pE#oK84> zb!xt3A#r9hLADmS2WWMqxK5$r6VK);DI?rH9K){K)9G+kPPhtK}^UaDh1K?*Sa{e z(@kd)_QZ&JlT9sTBSqDMfRu8o9>z~`rI{!~Xye*3NIghsp(x?G-`7^>t@*xG9!lVH z&U%Xqte11R&VC%G!h$MSr{=r?gDx^R9??E%`}E}wi$ zLUSXvn=q1lAn&Yo5}$(e5oFWz(Dei2FQinnfD<^_^tuuMCxdA=fUfro(%sHrLTg$Z zbt2DC&a>zot4@XrR|vrlepRcnCbCn+-b=DC2y@z08f0sGhFZZih1MnC zwPtRL>DtDY2N2ep#B5PjV3AU-~t#zCLbWoco^beTna#r&-c*e1rgMsCr1) ze#BTZC!~sS31M-NNaKzSXz;^)ZQoXukxZ`kihRd{CWr&p%6a?-IXg#(N~f`feh1Ct zF>p99?168>r{XmCz&Gww92t}Bfp6Z>xVb&>%_~Qpf||sh(D)wN_EhH(O@yi}(LujA z#O^yBA|5AE43kO=r32=~v9vge7B~PP=a)H7spek6x?J*LWDxAMWz6ep87mIp_dFN+);Mh-b-mN^`ZanjY zoQHhunZZ#UB={_i-Ekfx|9p=u%JnQ_k!pwnxX?Dks0I2li4EZ0zT2Y#u66nqN8J|$ z-D@%T8>|biTt@#O#2GL;U^krLH>5ErG`2I>_*qNGXu8VB$f7) zN7*Q(yC~9G+zM6^9Bx-?^|*H$P;hS~_7Q9w4+ptT9*y_~BJ_2|cpk zziZGDgur`dX47w&iLKmUiQ}>N?O6urG1mA*laa&WT}0C}AH{m@NdS4d4)reY_CX~J zf2g4a_vNo5p4*-};Kx~Sjt<(d$kPl~+Jzj8_|bs;CSAP9XK}yOQ%67LF~H_rd_6Y_ ze3DPrPx0GEaE+OeDm{qi&;z?PcxZwx@)kIauF;=3;p(-UglP*XfQ^xD*3poDcL7O_ zNpky|PnL%&;n+1ax-!%dmk{&mO|KhVlj@gq$g`~BkzAJX3&(r0=ff-n97h<1QP@Pg zBVNU)QWy?~&F2gJiGoB*>b1)%m+J>9*h(V=oyOI<_!SC{o8nJOCqZPzz2usd@k zR9LFu^4;Sz7=gvj%wT6rF7^W#Yb#6uM=;keo zZwr7vF@D~WgX!pCxknGCql2YR3qfK@;PNnI zjqmbrWvrwv&a8FhJD|f!ke|-%4{;f)9MJ>~;DR)oAnh)^G|;RvooLL%v2rdL6F}ly zTLit+*g_iz8k+|7@UCWC7C-mqVX?P!+*9Nhl9`wuFz?t6F&b;B)O#nsD|B;lFR@D19G7qDo8gZ}B}2y_n)z;XZ8tE1CbN>bKb z}N?=$@aKcN|i>g+i{IK*)X z*{*5d`3SDZpc!mCxNz%^c}tgx#lNygBnu=g<`-6lF6SB56kLg7lw5Y6q0zxQ$8d^i zly`WHrL!#+LM)`1LJ2#`WYU@_Hh^gq&@3G+CF6=jf>& z@`oVeQvJB+(&@Z!+&Qd#j}RM;+u=!*2CTjI^pH8Xm=E5Rc4?6Wo7dZ~>BdK={q45W46|W(_qVb>`@Vw22)lrY1Tq1xY0(XEDu({(`+jpu3 zMNvD97Px*DZ7V!t1MldYBE?iP5#_D$GCWU3jx!wQLml|Uxq;)u=NRV+t~$){f5Cc?odBf>!; z5m=5&g$(FpGa<~BAT~@jTA;R{iW;ZQ#SuK6-oB>#+0z%Ga^byQ8X1ceFEgPx7P#ChIpIW^T4f5xY&u!wCSx9e%o}_*<4O zoaPD7(}b%7GjMcd7iTvrNKPTn!i<3*!c2HCkN$iiV*_+_$^u!@h~Vf<&NP=0Yr?Y! zqr$*U;A1~r+?Z#n%n-3V4#I5uazX%VZ9BWqerWBqc3QiFLr}m#0moACiXSf>l{`{P z`23Bm(o5&-U;H3oY8zI;W>J#i4T=PkZY^T=a(dz?X$HI~Th**L?RAE_r3i0(%s5vnNxlFUUMpWr+${=CZughn##>a}}WZk9>UeqF=$E9F{G+`OWL* zHz&<+hJsY)Z?Wh+atCRPjN5A5F_6N{Z(#~Pg7@T=s_bmMlVM6`9k~xUB*~icp+4X_ zLJu)XnqL5L5Fd;W`_+PkxE5h_1(Qh-T`RQ+zuS5C{Kw}z?OAl)%%bKvn#XPeo7r{L zB(_l6^uwkXWz7`EE)FVcUcn^wqp(S`j-&4{+;oOOeZTYK`wjXp;idGPJSmX)XzZpC zIE|Ox;p_9CdxPOo|I`7#%mB|@yR9eN+BSdI9gTW})6VAmf4+aW)BNxEAO7^dv8grt z=_l!Cc2{sg@_<9cXMIHRl=Y zj@i%XU~{OhH21@Ex(GZLckYM&d@-*g4gBve;_KaSzG*!XnDHh0@R{(Tg00i&615D? z{@ZWSI?}(N(Z9R&<^D^ja7sFDkdW+dJZX^|z-Rb3;doX~eSea(7a8^2Z>3LO%EU10 zD8ihY@Hd9EMWM+TV#kn1D-dB#v&yh`%U}i7VKoiFlw4kg&u{8(AJ1R>_YdFy$aaq` z@#oF!nV&%%bl99E(Y)#6-Jz*?aFHz&12+gj09{-r0*6Z^u8-XZxPN*Nl|S+42DSUj zRjLfIRAL;99D6XHxrsYQhb?bT`rlo-$p-o7n{VEI{caDp-}~_4$_r#99KrGC4=)gN^p`@Rv?e197x!$v!8+PuzN;(q|i;M-NvfCh8{>@93Xr% zc!RGigi?O^ixIrZ&gcG=WTHBsMUnB6J%LkrWA-tTuQ@Q&z2bzV6;qS<%Xb&TrCDC= zw)En{t}oQh@0LOj>HV9VxWIVYZrllzUgAIbB$sVRc>2xbXY%()ob0ol^sK#oN2Dk` z*7&CFV|6b2!Zv8xHsod7ke6-a!P({!#s`vmKOkK^@U9^Y{DFmQ3Zs8O&`7jHVVIPS z3F8EtNIDbJFIHs2><`0zo9#_UUVdk@?Z4k_Y`zcQzenGpxh|be{K;l9D{yMB$cm4T zjER$6kMavLH{sMLv716dZQRcFtjt5XL*tr>xpv&=%pJRF`=4!r@MJC8C8Wm`T$KkN zXh?mf{pg(TG=$kqOUdeS8`d&O^9wXR$toO2p~t`10xPLu9VIlyT3bu4w!qFCr6PLW z#T0?$zC~Jv5q!jCchbfkM`wxX#%H#azY!-TeI@u%w3U5)6h!xK?iv;F&^@E)6F>Cc z{zGDbjZ)Va*gDDs&jV6phE>=D2P_*Z;!HeU&EfANBmTfoY~}5FgZeep_1FNGP3;}N zufb1xDDDynk=g-h;3zNxaaL}%l7SWmh_M$yXD(|oS$_^ zuRD3`0$FAP%?n~a)>7IdcW!@^<92GTpbY=(f?C)(Dv}VjS~^(D>&6b{s1QWx+AP(u z%)9;m$ytBcGoq({SB#t7+JqRbMeqwQ2gU8~nV*7-AR1o+caq_U9RbY*>)}Kh3FMhD zyjHEb4fh8}XJ*PPUlq?xYHX#rd{B`H@Wsu6kCfXBJyZSh(dnCC&kv49(=K-Y(+FM%ST8k5~B4 zH?@?t6F+3N2cT4X;Iuz_eRTSY#cKA4Xfh}CLd>Tb8c4B(`-HVd>F73wdPt0_U)_<0 zOGi4C3h$8Lgy|wink4i z_``FaY=IiOVdU6Lud%e6;``Q!`TzJpAM!LK?=&nvFxg^d*`zOxX@Jtq%{qqlaT<5Z z9F`^eJchId#H={qyrF4sq$w=7L4nC^022lGMOXx|yI+cROH zzNlPFW-aq+geyo$#}SDEYSUf32~PW`d5V{ZJ)X#U!3+P;SL97Py_8ZwKAJ$ivx&W{ zeAJUk@BT=rRy?AUw{>cPfK&)H1K>$5;Xt6R$Pg%y5{^{{s zoZpEw!Fe_ln9i713Zew(ix|6$6zBiKp;kES1Tt11SYQ25+7P~M0-yaR&>Ym=2TFU? z-wIfnD?jl7acR?|ntKqHy2fWwnoW~(QKce>GuaZ_=ZQn21h{GHPeWs(7n2l<62fGO zx1%MI{&9SM&>eNp2mSu&{vu||nUiwM5R;9O0%v?$rOX*~$C_qf%xqv7;tVHp%&R+K2R_T;Tv2(%KVX>Gipe407)m5eSRc| zhzxR1{on)5xunOGtw%0Sr+#?z`3MCm|Mj@?fJty~VNft%MGjODbwxl!p^)))g!zX# z!wcouDzm#j4Z`UH>^&LsLo<0VaMR2m4{;pQ=fmv1DwExKLE)nD2Y_H8>6~@{KK5LrN67Ow>}HP+ybaQ>92=o@slW=MxPIh<1(ZNFCUr7F%j;~6E8l}2`_PA}6gl2c=o1J=dqe0kgGW+_Xu0O; zw=}R;O*o&AOY*3zspmaNimtKvVvK!vA@OSD%b`uETJkD-&He@lY0@eUf%DO4P#DjYmNM}fmWtPY0~!ja(c4=r#wFp@aqpN%_lBFp#blg1q<~Z3IhJ>jPAQoSkzB<$I)#7nd(~7gX zHHjoHiYt!;s&RV$7KH8ooYzVr;;PM2 z7e)-tm1tXN10gw8-O%Gton6m^o&iP9Z6Y?9rv$VWjUrEOPuEwPqOg>}oaV}&0MVt1 z0k=q=ofv7U8BDgRvV~aF4S|~^?k(7Q7J8%w(qmadn_booeFz)^E{kwJE|zCd>IfX9 zt`d-0#2!rgVGEp**v!~XQ{b}allb-+x?`5Ykmmy71%}utw0!v<&lB7W;2ee-aBdyo z+=90t1T+Jo+QO8!7UM-5m}-8aue)d#ovp?*^-;|vT7;gEqY@b#kia?$k3tXLAkyLj zn;g!&zkXOcKM6Hx=rb#&U#9~a5_0A@R|EqsKnSRnx>@#2+`bC$Od+Wmv6+JLEb>`_ zCzTO!7(No)^pXdhTKEAsC9rU2O?NzoarV@()G34TJkcTeDJdlbC+;F(0Krxkp|P1Q zgyZ#6e;x<7AWldP;a-UNSz#lvIfdDq6ejxwj?+ybxQ!NI0wK<*5G=-*xBmmq7UAXB zn7=~s7M!Br9FosP>Mv>##Ash6@Hm?GaZ+AkHC*pJ^XD*HWSz#H_~%}8r}e!a-H3p9 zoX|DB4Mw|*=cjSt-s&7o39f4=lz`_HwxF~l;-&0!`IugWnIGtq*C34@{#)v3WtPZe zJm)9&uk>XaKp2CDNC>cj3$DO0T_iXwIEgF4h72B+>PswDh+Ll&K>|%|@+l+&dydG_ z><68n=jIW7W-wIEV4)oSq)A!QY468PJ~PmqD@X0wz{vm3{x zFiAc;`q=5bYkqq8Toh|&EtrrHGkbZKB1q_ zU_cWt4bIqSNlZUF=)I&Lkv9~ApM>O9ACkI2mJI)|Qx6vRX+ky1v}+LG8eg9}iK zZoe#IQFAmIAWnf}c{RELhGaa>$uk(lEH#fG`q^vpw^2p8O*1%u>&^qxsN*#5C=V{% z>X)r_rX3M8Kk?4oB)i3R1j&0^0Ys}+z}GOCqs}cfrsY}v$D-N;HH?Z~oYqz1D4WX=f za{zJdO6sL$i4U(JlKr2Fg{|-3XbioOjGXa9OX1o|aJC%-ThQo6p{H#Q3Wdd~uxyj2InlcY zT5c1kfuL%ipfz&k!Ma+6if$ak5ND3Oauc~=Z$lZoh;H(H+dQWuka<*JXF*Lc6KM*w z{Y9EZ^8+_?5BvnDXe>mfe|#X2zWNH`BpB}i{aS`nX#sN&D^-He2K^IcFj6qMH~|vt zWxbWsMAO3jgML3BtP=N&lhnCi{FZRPG=j?hYs0FpOcrAG`&{yzrmG65fsjQ)T9C43 z3NtEuRs*DL3&)psh9IvmctG30y&l9Q9 zPjD)=ECHME_7-srlf4g{==UJHCcg`nDYkV!%z=E}0gjtw{=~%+Lz8M%H2eGgLG5!_L6~fQ_vlZjt;x~qyFG6h!P+s6)_6(eU9C~ z9pb2=jz|uh_i3MGLFcHl)b9A!ZSIGZO=*^Ne8D+)Z{$xgC_+St-6pKHIhsi5X)=7Y zK}|-GhJ(o-lE-?n`(wv>(c1m7wWBs%ghQ61Lx!6E(Ajc+XgzD~0Q6s0Iz?NhEptA3 z83AJRXqaPHaufarcF0z{7FfH*MZ@_ahIyEWM7BWAF^Iw09lt)hEJ{d#2DtTjm4?qOY^3W>@9;6;VIBFa$TWdTQzN( z`p#Igx5lmXKhc70#Eq*JHwWXC?&rZBZ43&NnSbX0Anuv&(81mep5e}}hX@EO?`B$O26$jGktF-T-o zDMW)EL#ghhi!nMU%uXyqLV(OO7ZYde*gLomj-$$6~lE z<3iz3QAQMehSV=28%(Syk5{bh0m4qhVz*5{3TxVzbpy64<~f3b!ZoGu5S8R zEJan%WWrSN1gN~2ME?1esKW8@u4jlEM~B1CW@nRz;w9h`GPe~;BZOyn32$*E5bvu* z4ZeE^zRufq{vUY1(RzXwg9R#)FN6>BdqD}%B}5b3qLsUNPopn7AFreAI#$uY%8wI< zz_;HLw`V6y77+b)kwEvdd=ny_@V%%_$h;_o;LmxOlkQMrDGvz`2WkCM9=v#hjg>ao zOU&bFn!CO6SLBQ1Xezm+LGcco$01m~(Ro~j^(yL33X^W=y-K1*e3(S@L-r6ZpYc4p zg2QN%9sA*BH}v+Ugd>u3IEZjDY#ai1KI)(EzwYh-oyZza^C5gz=tIUsNVX~3O!7y1 z?8zzd*dW501oXK7>iqENxOaZqJ?V7>hbBUkw-srx0LWdP43zE<529(iaVHIB;;*us z0_zf%YQ1J8#URT9`~?0bP7f*mfb|kO=;5-C0R5~tI5`>;rLYtfyn$oz?O(uOwlWAo z)3tTjmTz$An>9C^f$JGeAdUCK0Wd6^A6e6{D8fS?(}n{%Bu){1*eq^NUSODw+rkhf zYx{MzMPo;!h&y{CLy*U(B%bBF#+{0#HOhvH4m9pB2mGqdAS}Ft={V!jHQIq@+I*F` zoBT#`tl$P3cl`H;d)!FXTAA3UHLise?)6O!LakL13;mLal8aeyx z4;dffyigzcE69_=Gx?)_{zt)qtb4{xbd6T$R=BW;q!to;Uv)lIE zO*5FZF5zwAFucjPhXE178gTE>hU`JgI;%ZbovSm zdjEKHH0T|GgQG!jf7Blw^@b0n)!7V<>S{MuQ7BalB$(vJUwIUqP3^&;2UrBgGye*D z4>!tnlw3X>^b2=9s4?mP9_zyoM-vu6iC}B&eKbX-qf~_MMW;pXVn7c9XQ-HJ4llRi( zrIj1^a1(K7PzU!j*4jBNQV^oR=j24(EVy zspky+ax@`dSae0(0}$bHh{YC_CnfsS%dS)O#|(am2V`dW>aQA1rlV%F<<@4Ae~}uR zDrW@IbU%u3hu9f!d=^P>cXXNt(e#8rlF_J&sFHuJ7SAraWYF&O@`1z@X~mZa%%nl0Z}XS~ZJ+2h+?C^N0X%K#;#|)OdgH83}|t84HTzSG>lEyU2sa z3c^B629S%cA^TyD%UvqffJ6T`v34o%5rZaCqX~jbr~L%|MUYxLZA2yY>JG`L{i0Fl z7jXrgAptU31OXy!>`(l$nPl-qB-!H= zj9qY5rcPOhB2vU|mcb-M`b=7d9G`%Ja8*Bmi$vi{5*(Q))kssZZxNLyQhc>Uon-Pw zz$AL*Mz?gNbGZEJC*5l4^B05$OR|A}?}z)O2d=yPFuSg1mXlKb;=rl6y0q?dLA`!< zNLV%y>`slm!jk#I-8ZKhXJ=(iiWNRwIN5%np|96?pji*D`4x>zF;b+Kgj5eqkOT$I zRFsn{TwO`I$fXF=y7~yxI;FSszz;7eZS$NN_-p#*Iv0vS94;}wDz)Cyc8z5xCcvpn2$Y9I$y8Cw`cL z#_n>{fYlI=qtIK$MYArvo=JFZfDwss6jzF{o14uBFpYw%k_%iL$9d#^s*Rd#GzvWWa@GNk^as0(mte73*xr7kAM(PMwk%?E($Mm%Utn>z7e zdZDK-6?lt2D_K{TSVUz(zHlsTuT!uK@a!bCv7IEW<(9;6dC%>_JwOC6ZIvVtk%oy? zkThU<Vc&`VMEfuAp`)Ukm=rEqQm!1$MjOZP1poc^G>sfy9Num_#4pRR;W&WYK26 z<#!DJ2bR){`6;S9KkYG-BBD|f9xI|^Iv#@PghX!hd48zvoVDZk9~hW>?-wy#l4*Q4 z73Kq&T;M$`N6IMO6+pd4`|GNpNUCU70P{@}3~@r`^Vd;y3A9{HcA$npe*?|2vUiiU z7KttA7yBWS?#Dv*0LB39{BGx`_w(f@_=xKVY^LqK){}O7Q}=8EG5nDpfa%Olpw|i` z54L=AFXhK%u3C_xnUdUKqQOn?WRM@oBl&k2E|x`O@MHlQRg^7jVn$gq=@^Cr1d1LJ zUz!m&7D}wh+lYv|B|hC|iUL~%x_mz<+)B~kNizDX<|LcznRyQR3l`zc1s_FsW27*9 z?e=iiPY-7lk*C#~}N+>H%Bs<#FAhe+bS7{j=U+ z^cEZ*9gC4jxK6oG@@)!eSWh86^c&O zwf437VD6%$j{MiS`sfGkDMgDfF~Ho7i`N;j@&+tYqcL}5J&}YWpJp!M(Hx?-Uxf+S zk7@`B&H&sJXQV%ehcP?6q}nFU4woh zC8f7csX%_N-BdnU%jF1PE)e2dorWAQ(NxEgMI-EPw0QjH(IU)i11<73*1*14(B}vpKZGd&p*@Ft%Vt;4v zSqv+r`QP{pi`=r{Ye3SHwKoC!pIWUYV{F%v7Ew|@JU=12M?UeNfKB_50P;T&?w$k~ zD6ewzrWLQ3K!ryv0#IE9!5{Hyk0@eMeB0-DPY)anWtSp{StAy`VF$+6@T&u zyBCo%fO36=-k9OkvVohS&4j0>2mImz`ycb`73I=Le#Ic(Y3VGpg11_xg%$?>m6acq zj?_;q_co+@6!-&i!!eJ|GlVy6ke!E<5!XEPaXBh-gQZ$U#}e@h=8Kn?&E;>s~q6(Dt%`s*nM6IXv3SL?R9#t0WWh*zJ!l0sy)>;&=&j*4euW1F=OWMT$CyoxR%;>yECh)1c#4O|)0R35GjsiD5Bu!?T? zRDWAxpms6e6kZQC?hr1A_#$E1%6GQ%`yrFYS9n=uRZ2_eZj5WS(8BVnNpkSri`dqO ziR&3ce`yrOKCatq*je+9*9|?ku`0Q)qWG5Xuq+#hNg#4AFeU}pHb_I9Os- z#?}@;XpSjnX2tPYo!RkP$bZWr59&ZwA|I4K^#dR{N%GqXDg&%!3NMo)mQOL3Ofejc zl1Ld&j2e4I;U#j>^Ps@Hd{|Y|p{B;i9Y-kPu zCD63`g|<@|9KccFTcwBs-P#@&1(WVzID-l-KI7%oBSrzx#V2?c8lzenebaS2A;?K| z1q+p_l^#&xK806ZFWnS|Qn1@v{6}oel^nQV$zsM)l&ZjU2ZJyzT2hBx)a1vuY9TRO zNHLVuNDAFfDs}j9cSUud&w>8(GsjPl_@EC)*WiUUPnQvUMQ5y@MoI-ML0}JwbpqNk zEINSdz{}t~*52d^0L-l`;bnSKeIndtR?sLBA|=`+ZXzq4g(0g|RmW<2ih>~0QnXKG zRZsc8lB%clxp%DVN&n}bIlo?=$*!)JebI0JGxQtzIRE2lHI+0PYz>?CF3D(8?PUks zJuF0i5d=~Q8LFqFF~x)w3`jCz*AwiILJh;3OMej_BTm_d*(F0}Nioc>Dk@Pbp<;ytUa z`BdIfQ3HUc{*Y`u7hrKkYN{6%2HsgISUV7} z+%7b)p%5{*qWQ1^^1$hw2C}wpAVUe0+5?rUT#c_5qbDT#Fg|4wwPm0?E($~U)-xY5 zoR6da&IV>-YQf0wQG9J4BRI&Xb%3w`+ZocTg&nz$Diem4J2YE3>o`OVaU)ftdFcy8t*3(7bG^nAHB{-iZl zW^bH?N}`TKW>VIfEY#oOt$HlXqBJ{-J2+0j~8y^Fo4e`Sk?enqt0L)+0`@5tPidthrnn#WNJ0e@sC+X!rC z&R-k6lVXN6o)u8$jPXfvW&&RYVa&dtoFmk2=CkJx9;gKjerS>e%aVr; z$@D5Y*a)hJwpzM*G!)R!F6Hw}aZ|0CgpFq0s+)O@W(2e6GP{Jo<9usqcI!;FHiemB zNeFqpawb536GN8wx~dSUrsq?$W-4Uq!89$&ni$MZA+hzxZWbkHNi^{TmeRLi z6$>XN7U0HoHLRUL-VX)txO*k#G9pzqI~S4?5ocpMG2PEgvuz-r(yRF8$)z-7ziuWf zVUH?u8x&g0Xf9GlD%}MzscimF)?)fg*{9H$g_)=Dn4ci&6eip!$Tg*m`s;{@Epa(rSfrYCk}pC;u_hJZ(_NOv(>C zH}vxIW5Q`CcySQR{~g{EuCJp}uckAvsyOqct94c9Lam1Io#HV3PgkGUqn}mQ&E7GH zW|d5HJLV<$ZOT~A*j7ENnlhyh=l~~&t?5;2>q;t?+Ueff)|<0~?x+XI%H--6_~mHy z8vMQY7IaS!0LG~51&oT~eP6H02VbqZKKezDVUNr~l%EKn#kp3J7m$<{#W!q*G`&GI z9r{6V3!D>}%_0vp?hfCa?w@u~dhd2V=>8c3Ee{AXh$nAiEb)LpE{KdXWX^z-3F7`M z_$Gx~=p6qNm+G~Zj_^pZo4x#ihhIIgXJwwBwBNVe7Ned0=)*ja!yWUVLRAHC%B00|_%#@Gt@LFA6g{5hFL@xdfw5jSa9B6{)`J0`+SwboEqn@5CX*PH;i88D zR81=F(i@a$T=E%b*hg|2nsS5EAT5<0D+Ok)QiG1Ls<8qcrjt_uy-K)OIb4at;+uj1 zy5XC+&xwSBS16B347^*9LKbWBN>a@2;U%>BYO+>)zV`{&BB+3f`QdtpOm> zT_NB~!)kSfznYs1$1XdKE%Yz=(>HIwnSbMb^ZJ_;VTTa6QDa$r`cD%V%@Tc3gg{60 zI7%`%%z*O*|A2nr;YwTxorynPkjbaOO&}f(dW)DU>A7%=I|_lLqA2LmH=7OX8yDxhC7rnhmZ~vmRf6>|VJbzMBcj30GkP7;fzXHX51TfP|d16Zv7mudPu)0VRH7znCZ zmxfDG@?@`w!5`cVVD}gnirv>5s0_Z`D6mQ>ZBq4(#XYP5_KZUR#AX3he_o;VS+Dl5 z1XPgyW!|A|fKWwfDf-C^}K4v(6InV|+mZ z)IC1U+$75bwxlgyeL6Pk4n|TLL+#cHhF&#Tc`O<-;EsEv-T@fC+28LChlg*DkKbyL z{m{>RH}L;YxoJ*e){PN)_$TMFyGUX0296hGEZ#)e{6jx`4TBgaslA`jNH|`w?6Wx@ zg_Gzli{mf?F}Kg*O<{JHMBZYY*GKwTk1;HS`qT2@Ylq(;v$8S(?-PK|}>pV8Gj?<3fto`pv5>49z z3$?G@q>ZR4eTcj1kzg!}Td$y;LJv6U$2&Ts<;Mme`J?jm!59=E;Hj!MkBXfBb{dq| z!MByqUL!9RI;L#Cs}=llwl;#Nte91ErWcm1HFNQM!j|VJYz%8da>$aVR=#G7jkk0} zY)bsZ_;_HIl`Sk}zOGlDHJ&aC50%<&_VDhvV9($>5JJ-seN7KKi(hHfdE(S=3l9!~ zvtf24+v&VPbFm0V7Kq6S3$9?2vQr1Iw9x2h@|`hTpdZpRnl|bHL*T3{m9f`l`jPk~%qF!~kC!>b&S`5GM zo}H0RwAE_2V0dLR7^1)vyU6Y@n2p7~S134K#l>#(_CG!r|9f;+pL+5+q##j>&|2rF z6=r!XbTJ&W=1>Mvy}`&;XC}K&<4%)Rn$untP4clYWAcH3EBQc`Rryo>?4H7Gf01U< zoNDKWaKAz?Q6%1fOMe`?zF=F3i*EE3NxJSUn4t|Mi^frqKi8r!>(p}BGrWGLhehM~=;f~`$Io!EGiWw%a2)?;yFG--6-@9y{us77rtdZz z{^p1FUm2iHV0kqoW}yck-Rn!xJajq^*u0AqKg>Ym*>aPlv2S`{)7jjXkDDf>OP`}_ zqqQ3Zz|Dx61JhDkck`wXP3^Hh=6z`Xq!O`nLT&(L{KX)Eu7?x>oWwVA@!Ls|#_m{1 zW@tv$kIu8ipJUgq-aypSn2um!lURdy;o}Xd-jm?oH`@mJdvC8D&NPMf6T#=nbHoM&a2kaZ^~4>O-~LL(^Wx z^WICK0({_wFye1mj|2wp4fGHe`!hGGDg^_z+e5F1is!x8Lk0K{>rv-Wu}x4oR*X%w zgN3ZWrLArK|FM9{?FtMa^m`-@$VXfk3*-<#6CTi~s561mrkD$~#`;^Wd^WHYV#4EbFxfHx;%a5w`~rSBiNLLR>tnFiB+7_nG+g9MRIU=QAaP_e0#8|x+V4vxaK<;L7;@=5(`urSD^!|1a0RihP-KFxXDk^<;Xb%*;P@m_i>nJs z;Oe=11DL+NM&{OtVGLDK30CcCs?uv6ylw)j5xF+Y>rhp`7YA4q=c|gP#{X4R^&&Aa zYu=_xSW3f3kqe7neGduIETT1viH$@CX|YnXiqP0PuS0eUU>B@MZDFzwqso+d#5GBm zse=&)r7MPSl;q6B}}sj?=NBk&DJktI+g4~W}s*dDbste zQOu0Mi&kY-K{E_wku-J8^@v)kysXp&t#^|p?mli)SHw)$F9!L7`3Mi~NibgI+(V)S z)YmCXB3NB|RC-mB8Kut(lYYc&H(e@q^sS3oTM$*)RQxz}@f!9X5{HKok~xElw1hd%>6*iqO9!C zm_N9(x9TUV5illZUA#vDoafFGy6r~JC1$UiknlLwjO3u z8sl@XiA!*_nVVf>@9oYpHg^L7lqlyc%C%2)Fukx3_B@F2PNB$rZ?){{i@xSlr9!S%xT>D z{CS#4Qe~dS%6pkQT)Lgw*1m=cT1j22rrQX@q9^Ly5W`Bb?($SHfoJX&I;o`H9_{G- zA)TLs?%&SDon3G%9ZkCbjz5#l{mV{c+G)OijGe~fYpp6LY(<gliJWE93I0`)@M8g9isVxPmDK3IgX}XFa zR4+7JW;~0c6oQ#Qok20)SiC_@#bg34-KT6J(9!|TX$Fw0Zl3RwrmiUH4}UA{Z#EZ}boH$X^SMB?@A({U80z6X)eS3j8rG|2~4@lf2kgVFg(_t(+uL9cr-)W5@yV51+n zXq!P=NAL7t(CZHSr)RGR-C<7$J?I^Gf9)Nh&-Pz;2Zq6Ei+{Z74c@9v3=89qD=dsb z?$@(2R>1nw2#Asoy8EW3>F(Q?rn|r5(scKWmd1WVVHJKwbe;mU_?sk55kiBQ-b)5Q zho$}^g`es6_&bn6(}fyw7KzFi#Km#4i0NF!Y~cC^&c{58h~j1~fBZ0ZgH6G!sJDK`Z6{719ZnT<>|9Z8otU)niku)0%BE>j@^TpMt^YsY1Ch$`JK* zqwI?{^+(g=J_i;1cd5yVC+SN!gGIB!6_QZ`I_BR($o$wUX&F@k0*`M%dKv?&oUe zSENJe4YF?Nb;pIT9v;qEp~>R8jO`T2-;V0-ox%)PnIB{6jV7oyzrz7vE=cSbB-RLE zk=~81EoFKBw7ad?J<9T_+ksi%EZjPH%{NUM@;tiQj8jR8A~yvtR{b!K3u#AfD$oWv zag$4W1DKMK55y_1;i|S41F6=h9xGmQ0BIztyKi7V(MEl!2z9F>;a9u2{sU`s>mbkP zr%|yVQv|UYTjOH|MNXs;{er#WneBp%*@~h;RBQ!VJ#{q&t^(rI%#L^krQ$&pib68) z*sx9M(ub7}oNH~u64?~DQ^~xo zqPq!s67|*+UmqgNBiE}G_b@U&K7rLy!Fo{bZJD^5KpKM#jXOatTf9g$uB{jg(J!F~ z=A!nS&D>1STe_Mke|r7*QPp2#*s1;1rNtov{?MA@#8=;MSJd~WnVsQB?j;0+5y;C* z06)wk#_d=?K~~)tR=yW2*N&k6W3w_?vla^UE7t0^(2k`xJ~<5rBVo(;VCMQkTJ1Q% z&Ja*|U65Z7)#7IJDY@q5uCb(lT!SK4yiC3@!SVaY(!S(;2%n1vCW_*h^JtB#mAu>! zdM5qB{gkU6LZu2CJ!~{3P1uyEruO6R7s*(oruIcL)+HHWjSkG!B~4cMjQ3)iVkanl zk}}8@J~stA#t*9ZY3K8rndh+?WL=E$IVq30jOt;OjDqyhmBSUceJ?UNMAI}lTUQ}M z0oFs5x&cx|qk=cx+egR4f{mOM>_3{Lz1c+v+G&5(+XF|_Fv1V9M#n>OXIPMzge+g< zQ!tM_e{zczSaOR)ayw=bfT4R4Km?!#`iVdFLmcjn=+(NJ<0rGJdj&nzMU@ zaH-R^EAEm<5=3@Kr}G{EO>Qil>d^WR+*^^ zPf1xi7@d#$C;Q#e`Rmc>Y$)u5r`?ywy#oX@OBN7=uAiB-6ug|)9F1hoU=A!UCgBVa z=o~{a!Qjn2ppRSn?2E^ZEmRp)h_N;2`jB2GnDco^O^S}NQ-NMU$vBiB#&{Lb`TP{g z3}tb2ZbL@ba0>i9b)Qi`TQz2dOQ~rd+^VDpa_vOP)-7m7LCT*>4MuYG3C=$)>=eAq zgLN`WzA0gGh4#gk-&2~p?=)85K4@M`b-EVa}v<~jutr#BStUs_N16v^<|U8H?doHJ*2dS zY4XcT9QuJVC&Uf;D%DdkP%_v^r+l79i)0KBwQmiFdB;Ig=4ef* zVurr{QCJpL73w(L{A)4nTZAaT&Vv@wR$B6&XI7l5LCWLyC3seSsv1-^`K|=pq{vkR zD^#|SEYDgL6jGJRWHehEHNcr@S!9KDHY(VzENsRL2o1MVy?i zS(e4Q$D>8=B|OCtF_f9oF?4_<{5rh!;~X`<|5mBK#2VN4jF9`9AspkA!Z{oC(RO@v z`U;#Jy&7~!NBvXKKLo#?9D~E7Kj@CS=Lbgv z5Fum3pKvUIpW-z6nSTZGg&GH-9O;cM3h%%-Xu0ATOvxeN>S1nM#HHv55Wj@O7Ogy( zq$WAr#5y3(=|Vp~)^gs7&UrLF?#5^Lh00(bOj$7$U#}KR!vlE~V1>~%+*;C%^rBk| zAm3E1>w-elAoUAVg}Z~~Aq-9i>ZGCOm_Da6cT21*9@Lz$1P zJft!ZZ8Csy;E!EP?7)3_N8pR+%F3^Oy&iC_bh-PRd*$|He2w^fkvR#29Dmg;58<`_ zORO&2zs9F@2UiYN5h4!F4my$5uSmi*{tf?HMl&ykW8e%DRGW?>zg-|MThLPyU}e&$g%O;$o`}+E1OoI!_z^_HtK{Q z`djzs?s@-gbksi`*3h8@4S<#5pdgu(-Jk`)FiVUofOI@-hkxcKQ<%|j?Z>`NW+qRlLB}0m=b~gCogVg8hd{Nm_hrTN38Ji3jwm|u zHF;VSev2@L84!Rg&K)2Lim0o}T-4ZtS8njLoA@|5+ff@h@=9&XTvGvyTuPSu1}d-s z+8;!rx6nG**xBWh)X79DgOaXHT5X|DS}}<@V;D4Cd2>56Z>y4zpJQ$YzZv!hQZwU{s6Fz6Mn=De48Uq08q{>{R1}C}dEx@Zr7xYz z6Pdl9$P*C_#mAk*aMT@)&X4>1-Q)8?@9g+!zdPzzSQ&Fawm!PspyI4<_3~&|rv!}& zv)w>PfhV*u9fl#iE@=@3p6$Xqgx80bujX#7e&prjRK4L=kNM);aeKdxejpcKKnSQh zz>)uw@0i3%Rk?Ez+CSJ$6Wx~&kB)m4FI)tyT2bKPe?6Hk9DFhzXdh}6Y$tS-~&GqA6bjam=EG{T(95n2n=lw6ML z(zWt6sZmh%`%*)*ZNm^9<5j67bUL*QuUnTD=*Se+zJw&wNyU*BjTJi#DqXl1E)#;F z^DVgcgMhgNF5DEq2Te0K2wvFMw=!6uXaoz-PU$Ia7AzK#`fB?lPDoR zFMIJ23e&|9Louu z!kb~1_~8^6BSXN9HIEV)2ksb-;7!(XHojF)68_~mU+VK&6kQ^WgfYk#Bs8xWhJp=$ zGBhBGGnk}~-4I+r;4ZRg?q>ej4T4+X!3-vIKZG7tbs}<>j2B6Qwuo7jW}!QWAWBf@ z6lP$70~}GK;p^_8cW{2%Kj@tw9RL_!`AHPwt>uckHd|mcg9#-28werv$os!I@W*}@ z+=4WQV}EiB{0yLmEk|*-Vtp6Q-$N1 zsd}VXw%+V@@A#xp9dtc9y$!st<8%JnO~Dj~5FJt;c`52$wDQzrPZRD{!`m)?W;An~ zc&UX9Wh4X-Zv<(pj7-|8Ruwb)qzR3pBKA~5do5_v)l`=>ANVYZCVqf;v|v3iA@gF! ztoebTk}&L|0#RSn?eeN9!b}?JN=STD7EgeFuE-4m-VC({*1K-n%Muk}zgE^|BZb*( zw?`t<$;MRqmD6e`fzA*W4g~dYj^h|K<4N8F{l?KC+Zs`94_!YXoA)@1Z~0BJi>t}GcRc!fK_;C-3$;*jp*9b&3 zNmqfWWddsLtOq=Z2__`;@eqC#QrG5jG|h*P-9-v}H*mZlB-PvIxME#W80BY}q<$0@ z05f;UA*Pv|Wc)p(9gy5k=+9LBx76)f077l*$n=2&_}juypm*R48JEoTk=hE_+|C0( zykslo!vZ*ZTLGUazO4jAX(+hiqbpbmg3?fcK-T|^8(vs83IG|~Yw+lCRtkr<)A|cH z9;GmZwi+C^6O;nsdkJs3h&?xhIWHB1F|`&}I)HBYChi9wy;!TT=C&>-s3nW0G!!{d zaMKs@pU^DtZFZsA!I;|%CuZnX*dxSN+7?NR!1@12(3rb^4(Th9KTv%QgE_(hD<^y4 z<5xiVau0WjlgL|)vpq3h5q}Z!CD{Y*D>rFJan}C#B#EY?^7fTMKKCdtb2nzcZh+G$ zgJ2Id{&sji==Vo?v;e+?zJSaDN~~m@(imI3{Gh-W)-;fw1{g@81lZKoz$47B+>Jpxixz>00Qe!hoPsy*JPzQV2}H+$IbR-f{87caL+xPlVa_4kLS_wMHs;@Y zZssaqqmTIa*HLn*e4ou@;q*rfIG*`e&{LWP(KNNR%U8T3wUTw?j-V!sDAP%s8!D5> z(=)e}rYYfPZqG4AXA|BNJ}1`vtk_cVrgRLeCw^^OGx2+ArP4(lM@c3%pr7G3+8LlM zO%2NNOKE+bfm$X!XO#Rng_)}|S^AZ@qYm*iq*gkkyD8ZCx_#k??F%<0#7xJDA7?3X z8JqXawj0N&lk*knfkEOVvs>Fl%_X;`DXq`C0Z!Z-F!JXxT9A^x_~l2+FZ;p&d;VgF zv^{Ze2DEcy3*N*DxVr-_>^e^6Btrc5H6wtB6zFmZ+F*BQn-2Yp>*E`FaPSi6#zLwq zb)N?i#^5;_cM)cO0Nw%TU*km*fMyDs5y*3VH?M*7&D|`^;`4Fj!KDMx?|bd`?z10S zJFT78?%t0(KR#=dyf|$)_S;vxZQ^ro&!8J*vwsnb@!8If13r)_3L%05-*h5e{cwuW z70m~ZceB|fXtP$kJB*l;`3)L$1#k_IMov`lLAYX(i@0G7az8H~u$6y%<7Z&kYeFs*lY=(I!lm9PZQ$j9WeSDZJ-0eT=^AjY38g5b8*YWX2J3jGZ1M`7mr zJjD;`KFlJL}$g$i4xtvK+wt)*wD}vx;H@&v|24Q(vE3i znJYv@!%&l(j9SX8mSsXeZM?tFYD>J3Bi&KYaf^{�*NBwvAyYGJZ zuifV_o`1KC{=55MJI|gy-+lgHVCTVRE&MDHzy84)API3-`5;eKB+T?FYbp*x3r=p<*{C0Uux zncG5}dx%4$8eq9>qC+1Cvn-b~?|lV8;9kIhYQk;*HCRuS0+(hV-zyP`_ zLBG)&kiS}|1UcMd1`|JXr)m?L4izaR;Hxx-j54VFtbf&E*pHMBAhe6WlHF;4t*qmx!99+nCrC z3^6~PCNND&n3uf9EGZCHw!2ot^KM{eS0&?{~lK|BvxQWeEOeG_zu~@243I z$FP;%#t=B+Bz2H{Y;0^uir?!lHlwA(f*%cM3{3WO6fEX&<N?fUfsT;%BfQj**EF zE6g^4>I(5t~- zUGK-XDcA3?r_RmBvtxnkD{l++7p#P|hy@LsJ9U{p!uC!^`p?+l#kqdj;{O0!JP957 zd^UN`U|+WR-`zGZZw_nU=mqip)JDjcpHKEv&Hj%(*o?i46&(O&{@-WMo-6kM?#_#6 zU+n+K_z@2q;uUOP?Owpl<;q>;9r$Uoz)HZ&g*S!S{f;EWOpkvUjiY%Sg)q#l8+&N; z>8^Biu~Vw_K&Zc~7rSgyf@CX>q5wE^IKO}iaoNx_Aqq;?3qPeYj>@&Y3Mcp654%^c zAGjBR{V>Hti7mgJMvweceg980H-nQ!kix9yIZ(X+zj*Q83w8g0_QTE>|L>#xi2J`A z$7z0_H>B%5ti9pu8^|AgvoEmEF)hgSNy{ShTWl;_+rsXfpDY-`(-oG3#*U@M`!a2{ zPmS5Hc(iqvxEY*MQ=iypgD436aQX%}c$i~v)q|_#oMO-@rUIj*pFl!-6|`4k;QP$C zB16}glS<|~0B#sYnM>VGISt_WGF{Bu7k=m_x5&sQK>TnVEIbId;=~U#&}fb5Y+Eng zl%)A`q_ao>&`jYtp{J3v4O-wMNN4V|?_Z>gxx4^$a1xP6qRCeooAhrY040OwVHJ%_ zc>5GINPO*H$4F&?WFp>ocepoLE=gGs?m z<6^GmyR_b3l4_Fu1@p+O#2v#knD~)Lqh77+QP@jFT_C$Zcc<`d5d=dlT>>Ad-!SoR z<~l(c5CfUU3rylD%-~Iy?-y)o&_A}!2o9P;AQ^0u^$dIH^~;U zfz?Rsrgza4($;)#Jf?A(#%K5goS)^Y-hwPi0stw!)8=FH(%QM{KK$f{p55NLcKz%y zO3o60?k2aCr3!X2)V?{1l4eYLe0FSAXY10#`su82S~{GP2jZK|+g7XPh_%P=PuiN@ zGJmeH1bzI$p2lPmaDyPa2DqhZF5_qp!6KICL0+R28N`L?s3gfFaoNxH3}-*Wxv!@% z1I=a{`yNa{a|oIv@SHs=D$)|^L%9%0{pH(TmOXLvp8&ib zjn3MetmxexwSk^3H)$4M@u?E~@ghp=GfvQqas_+7gxQ0=t`d8DQ7F}{QvrFDzrNPE zOOoU@Z(16BCf=LlD3&a~O;x-%%fx%LP&DzwyPER3AH}y~E;Gc-D;x(Bg+-;ME}(V6 zVHve9;ceQ^l0}+9PlP>=@ySPCLuKQ(NP<;{6Z-2cIUqUC>cS18H2V|D^E`YJZ;agBfTi?GUKWtq>lJ`v;c17iZ*=TJB{gIVX!+DPxZhcw>8zXlR zna6QV94KZTN*5QTrJ8HG)VR!JfzBdN2nRAK9&rL=H-Sykv6)9h(GZ#YC?YHBrhk!+ ziSaDD4ncEZWjA7r+m0^st*vh{xg_r8NLjrMlAmGcQ?T`FvsC@ERivRV;S4&pz`;}* zI&d@h!cC#3YDWog8b@h1OeF4oGwb(CQ83_Kiz=Kq1_HF#$7ayRqYh=dmA znBTx-%?o_{E!m|#MylxYCpCROeF|;Ym)6LUWwsL6fcPW(rmTe)YC^iTlE64heH=(k zWS%)@Tl+IN$y(hwrdN;!K(1&DQL9>q(NwTAU>o8r@vr;^DiD3kD)R7atZzd{<4+9Rdmd0dj^AfGtYk!MAL0-+vUi?@M=#o zaD;7}Z9*+_cb2vmDNIbN(BBTvY1;UM?x_2+JM7`yiKpF@onIC7#|w`=;o0D{Ipo0cL-p%L*42v-a;G@U>zwY)< zyDyJ>nqcnH4DC1?2Pc@fINlPsmzUUJ#e-Afu5gPfaND4fD``I}kv@FzLIWb#(&%AS zWV+_(wb5$Lzh1{M>VaM`q}p^%!}F84cxc|NmeZlit03|8cD`EA{paB=MWxMgZeUOH_K_r;$lFXq^3AqQ&wLG8o<6;^L`aSA6XUj)(WUy+_w zhEr)K-|ZC0q7bN7q!^0vY&UklqX7B*B8sv!OWatDrjsj22)mrp#(d_{FWXmOH}&en4jOS+JP;p%&!_B(ISl zPC<+trkZo;IH3s&NrU#2_7m~%wB#PQFx(U3>-Bv?0~2zCMHnLF2%7@62c@2Jmu!#9 zQo73_R~F>0CIBsyRe28Nl@_@JCw2Dx@hTI;ib)~bMcEg5qrjiQ@$EQ(BHJR<6(b@W zg7Ah#8wU$=69AtZKb(8Jgxx;5 zi@Tb9d~tW1-QB?WoZ)xr_O828`eB;6K>(AcA5Nlr7@{6+89?jbsaP#hK-JK$oX+If z{8>w`>Cc3KlY_)Zl)+DUbDuSW`w~O`NIB?B0wi z!&?hq${^RomNL*b)gdiOm+MWD=3V zg;f#lP4E$CCUVCRIOh&7l92jtHS4Znd|3Dhnq|#571`wP`YA6 zFx5ERw2e^~hq>4LrH0YaH6FZ19hp*gP%HMIIqQx3f}6R4AG*itk`=G8wcDp!>Eh=f zo9PU+X-HWcF-0?orZjZhu;y%b;4v1Tb!LM$$r_uXm?mLTHcekw=Q3q=>vLPN-v$|X z7tqb@?}UV{l{dD84>+c_me>JHyF5Ig+Eaa{yE!&M-EEwvk8u zYlh<_wX|6>sxeXkPi|@lSYT-huu3ef>gl4)Emw~*8u}g_yGhM3BfVFJNTc!?4D=tl z)EfE`Kb6RAFo&y89}nnGCP+!Xt&XDF0|55P3aGK$R*M^p#HB=DH_ZGl9fkU{(rA)7 zCL9*1G_srigDwy zu|_bNs~4nM6h}ccz5P412WXk6n|IW&PI0=&p_IE){4wOQ6n|Dp4w?T{NUbRT6gw=- zvOr4%ubgO7#%682ICB$kRbEWsZwr4#R(uGaD&(j_e!34g)#9afank+ysQ6`a`Cghu z0Zi09n!<-QcT}b@@x@uy?Oo>dCV?3u3sk%aBZue99PF=insHHaQQ*&tQ+KWa)|}@^ z8LV=tntV8Qh$<$;!^EstiCC|-dWEs)<*QWG{oWDitF4&nMb@)? zX6Ush!0<5OE{;vw&E0t2?5_d7_qF$zz>Rx_ZK#Foa5Hg>=ZWn~wB=ha+vFU_c2c*A?ZVYx;bWN(Hsz;YBuadKrs{ z-nxxS$*&8IXJ3&ck>3=gQtMJu(Y}-{*}~M4=K^`*Hw`VXBhcFinJ?7rWDdMr(dd$} zKR?+nzt|c|o=L|I^Tv!wfY~!~!1+#Z6(HajX`PzQ9i4@F=&In}e|F2ZJN@_o%de~In@^FJ2zwD=9u=16V(c&Oh(L z>AHaCdZRn{fJb{%u*N5Qe|HCP-zOc z7^@7bH1=@BBeJ)-`B_Hzb1oW>qf{P<+7V}L!89A2(L?#>$G^P@1NO{FWxD_08JHr>Wo zO{kTUhadOPFOFaBA6%TC|MLEa)8mu(KOX(^iM*(P^~TgTbNY2OXF42zrqR6e-kJkd z;l!EWjSKwN-ARfjIwq)={IR5+zAPxKvcM8>>yl0CECcsVnD3h~yT9IL(bl`ER&ns|P2jBj6UBj$Mq`TO3<__^<$eBV3yzIXC{cNhPO`|d9H-CgdxyZkk~yZDvo z{wmE~?pr7SZCWRjd#CSxpNacE6Zd^45a3_E&%|dfTlHmIEzjAh&(dz0+(p5w`Z( zbvZ~s=cC#I3tltQN@X0$RUM#>8Za9!n11|^MT9O>o@Ba4!l&{Eyi9AF(oDG_sO;fPgAS zkSgh6oI_6ML=KX(0sHVOP9w4stZ%G%bMOUD$H-U$XrL`wAm!y~X<8VtsG1{%jWOzhpad zEnnPKNAgN|fBB~5x2|jX)psRda!>yDZOL!0N#3$C`8+N0%e5x2#maqq@_V<@z1ygI ze)n#pd$-X{LRiX(Y8GYF)@F40TXC$XGmG5bd$0cL-Yat7?Y;^n3wOKMYRY}X`}>CX z_YLpw8{RLtvipYj_YLoLmGk?C_xBC&?;GBiUcPU5f8X%_zTy3S!~6S&_e*p@HkIAK zV9$F!=2C6%>t6bto$pNm)PGI$``Q)%W&7XXdYixIzVbKNuCKJU{7rb)edG53!p80Q zO~99P%>Q>b0k3vy&2?$b-n}J8Qj=Y1uJ;Ygzf{BW&*OMp#O=5g%b)2yoX^^4y?$%= z;mw%+v=?@nRL8HZ!10`NuC-hJx$CqpKpGW8ea0KUw%+aCN3Pt*UfnA4>NEA}*PZJZ z3H_=S^k&BceWsaD^|}B2;Z}StdxR+5lS``{V33`ZGF?)tdQ@=H`-m z{2%rv9>p^fBr03Ddvm?AM4%fuf<0uxi`1KcT?2P#E%Q*L?OW~;?k%VhW&1KNJk?t@ zaGwR}^LJ~Xvy7SXm$l8=$*&8IXJ3&ck>3=gJ8G<6O`#R%X^~cbizJHF(dg|{Miy!n zx_saL#c6a&*q@(lmtSlRCC{YehIwN~^u_F%IN3;db zIKqO&i~%d2(ISXDHQ;_2@^M-$1XFmgoH$H| zCrlM_aTv42eXN@Q*KX!b7V{SseeOSt@_${Z=Y}HSJpRAEwO8i%~={QpaQTn=ye zIEDmO>uihHZj=b%t;Ah;8Pl>~r`_ zt6Uzd8vY-ox3|O6(6w1Pe0R<~b&tu~Sxz+^RCCn*0&8ceAul#R4WXt8oKv)|x?-4l ze9mxx_Nn^od=}*Y*hua3@c+Hty=nfxdvE{yBA*9Z@Fabn6PhH%HFBwv8IV09f=10{ z0q_6CZi_FiBh0Eyr%o45Q(m}1@XinbqTO)ML4goy&PL=iY$zSKA(LbaU8ipw8Ewx(@7_ zJigUxH6D;-MFT`Q7i-CL1eMk0QV36z$v2G$WXXLor^Psh^z{cr03irevPyk`D7-1%>D87`EV`BmREi`^KNJnT=t zDgJD&&wiHC|0y~e?mYhI@$ObR{%5DXd$0e0iBE~0`7WgzPheT7&^{|GTTJnm65RQ! zZf)KCvNHR(mq%{p37l&aUF`g0d}AxS3O|Sc|8aZD{hS|If|4{F}>ZUi5${@;DtFD&!#^;OIOff6U5A#3##jj&?qu&RBc?OVvbd zX^!PNz?}2HwX?Zh*8etl?&Ckd$Y;57HkI7sKxh8m$^~3ezUD6%K&031l$@34UB36= z8`W#H0e`+Zef|FM`26|9w)yj9|LxK9hg40@2SxELefJeOa%v;4GD z*=ihyYCRQe)4|0mX!JM8?yCcBVtz@={WJ*VA}Qj12w#-=5DP1)NioS?>_(Qi+mQS|Iuo-?)KuJS?}X+ zF8$y@{?qj7wcq??>^lqG`KA2u`n%tGP@};u^<5$Ko1gVReyI@oHIurLX1~~{_WZ}` zAZIs7_OAHMIse-`TW$aRxA%6p?&Ckd$ftDv^{(sV-%?cgPH{Cbn`cwH& z;XjH}4zlcHoO?CH_7L=ExYp*@mY%Dk)sQo;L)l7ee*8lRb^bw$JRWt%{eJv`to$oo zahP(;a^?Eb=6W}0y-+_5QaumXVNf$6Md>eTc*)Yp58deDm$=8yDMyNMkG-yjV^5;@ zj15Ea?ch4$xpHPhE_CT(rwXI|);;AFPq&Et11A8Fm+tCeQJ6|(87+oh`w!EG>|uEX z3`Q#Vr72;_C>0A}tMu#)tj(XCb9%nS3~RWrx5X`AN~sDfGP94OSdutR&c}X({J{0^ zZ%xrqJzW=xqJ|==49j+(tBblWui($VkiYP!R{l!|ar&X<{wziG8;OJS^uNbb^?%ws zJNNNFU*zM4t-8s9u>Hyl=?GLtD(!w(@0!Rm49Vhv1f7TX}>~OL=01Z7iyKo z<#fe4=Raif_c){lQ(53Q-~e;a|K?QvkH5q{$Kr~R~Vgj#gAy5&biy~T0fa{{v(zpd@^D;i2Apm+2_B#xAS;+ zs{Y^Jz5M@0J|)fCKi7Yn_1EPlG|Pl7G3Hp$aIW%ec`lZ8LBYF!b`gTRNDinAbi);< z)#V59N6#u+GM#u&%&8=xOTV+KtywvwY{b(J(;YT*mL+jWMa68@PX~OQ7E@^+e%@C_ zf5YXw8qP)SV#p;H^x0ZfK{bIc-XFZAf`Q#{r7WDS ztig>ThIDIpPmD*dX|FU+S#@4^%u0h${rE|#1LaLRPu}2QExvR3S?C}xL@{prg6XWB z8)os4>C*G2Dfd+SzVa`6HWe*P>VQnuL66h8u&s*A5LW~%##yOhxF2Tk0XS9-?H6k? zjypE1zj##-d=+gsqY?fK$NHU*NGtDOO%GewUwb3rqWBh~vHsz}8C^zkPFmSgfCj>X zsB2j6ch6r0bh)-Yd~m<;Bzt{GY8$INZPlj+9>-oIt-esjC8r)7xDST4bTs#vD#ChH zLmg91?zM+k#eVE(nRd2Ty>3%~9(^vt1Tuv89{Jz32Bj||xHSpy_y1vkFkJx0QW(Ue7GoRK&s6ha+yoknGzuM{taMUlDKsC}raD_hIb$y6e|^JY~J zJgMSfURIEUxue4+hIB{!zG8J1BUUb0EcVpR@gn|Y#7r%4HfClPQCM^ibtMsMrclRe zT^6ZK4*KIT;SE-VC=qQ~z213LjC=TC#jpMt6~2s$@m3bUP(Uh+HdboJE47~@cXPFv zPHrM`t+L|Qs}UkuailMkQ&*?4m`AMA(%zhV+)RC)vz+%TdUp}xKjCt8dEQ?8t?Gz% z;?Eo>oATl>$t8)p6qaR=K%(K0$u0Z-;^J&-2GgxWXAV@)Z^|QeriV&POOmo;Op`;F z&`F1dJdLV#MGut~FZob2md89=7@qgI52=VpjE{?jLHW=7u=+Gk#yPtf=1dHEQf1&M zK`X!E!xLl3^j!j8`Hh?0X-Ry=W}Y7Jftwy4f0X;PbMv#~WAfHVr?fG*I5|F~TOJ%A z*safv4{oVrgVCp;^*R<%%yX;KUEJ3SI;ed~{^mbz?@s5P*;lOdx?fyCExWFny(%A& zvn-(@BP;J$AhqB5Cctm16*z?tRMZ~gN*>Kp=}iWi{Lp;hNo|i>uRK*>!kkjGH(<){ zFpCI*a|EV`6}YUCR327h_I$R)QqeHa3$Ig}GLKkC8A$EB?zf)EWQTfEWAmvQhxYrD zT{uLlzquRu1y5M+hRy=puwO1Yir(QVQ$vM(U(vv}@;)i~M5_!eQ@mrwJJmPF?R=y) zY-mBnV+s*7&`=c`wgg6Izka8vsadWcXFBKfS0Z9&)88Ancdmf#b<6!@e)GI3AJ^J! z)S6Djx$37!fmpPR0%L19mXObLzB#x<7lvS<(RL-8NaB% z@b1cc&Gl$6?!vrt-}fj^_pfN2NJ6L>-TnFR#}xmIKJ)nh%_=_npLzU$cXxY=|KI2T zf0<83?ZPcu-Y#dbX#NpFb$&ShToQ+oY6RH z=0M9f7OQ`I`Icfnthwz{Dju(Fl;S_PP>YnAuS}zI&ZOQr-Mv;cj2V0FJbrwpQsww)>%X=j+!;*-OlaL*2Gwn< zpt=RZ=`fmZP8{8W{_TpkGw!2{cbu8y4X^9qB44Pija?mNRy$pHrf#_1%-Pn(=q)?h zS%G_thV0GU2ywHWs16sHwL0-R_CnlfGsKPOdyAG!Hau`?gx^7%CEv(*i>^a6Er4@- zkJjlRCHX%XvSbtwQl7KBlQHMz|L$&;?LRx)?Z@}>|CjhYAZN6Y1P+%P?mW33vXu13 zaT3Y5aM*d@DR|Br56A%@jd)6aI_Qun z&P5{_#Ki{u7pLC{djH8c;J^Bd;b24lNB=3V(hUo!N5ji;1_c{MV?7YpSz|ru(aXkq zP>iz1`v2E>Kz^cm%*TQpA0CNDkmdY$78Z>lju_p*=W_mgR*&Gx&ERvEfJRnb0&}ck(Kz`i{HiPZaY&#{HN@ zh#o<*aW9EOeL*|#KGyF(@m4@n!ZWOsh6T2zUg5QTEx5#Y&S*42-btlAB6%fLA(zjC z${-3_j2)zHZR-*DJoE#fE;#ABJzw7UI4?wz)2yo|=IS{iPm7!imyk@bR%j z*ysY?Igo+uUa=n8dQu6x;1YkKoO2fxxK}wJbzwyIp~&e`dKKq9mBcNt0V!;{Slu+> zEn4BKBER!EC6{c12!LWZ=C$_Iir3x&eMMfkV4anwXtzxq7+V^~rae&SY{cc|oAZK& zaMSh^Iw0MM7PLnNQv`i3$)`)MhjBQBiuW{%SY$g6YpIuHToiIc$yl8PJN{7Y7)w+O@DAYgm??I|>d?256a)6Di6Q$dtD) z?-|`ka?EK#w%`*T-Xc2;ZhDT$h znm82&O%j*$%Bk&EPtC=VW>!3RyIDhKbljIC=FCN!g}ozT|3Fi+z3Bm$xJI4`^a+82 zq?lUZ+ZwoY-j1c%cE#-B2*!ftU0_}IJB^{P1RsZT_jw+v<`HV$ zz}qCwLn;{Zz7f4-FeyD@B;7>vnVe;;h^3TlC%9!MxaAz?ew?z1WIU4GPX*bK9z@v) zPn+FsMGnNZQsLt=E8-RtnSpjtp8`ull zk1ZeA#*+siyz87rgngi+EMb}(BQc|IN?kM-%3}@1;YU+97aqRSY$!(YS3Fd z2J}lNHJ^$ZlWtvq?XHEmV<2uDh;M0riJ_fjL^Exngn4y8esW&k)-U58z{~q7FNQ29 zeYN6(4+gMGT)OUX589xGv}GV|P2p@Y2yFwwV!gbRi$U5nkPM*tw7F+#a|@Ar!mpJ0 zP&t>ekQ32S3*;=1Ib_o()Y9h`Vi+Jju7yXvzRv$PIx83`Y7`%+uK)b?lY^Ha$J zW67Tt0_n8iO;)RTo+!rsK1t$BhGx5G8ygW1ML@4bKu7dHJPkrV+F+Mr0~_RQNbWiq z#}V7W%fNJ&ZmB_AIZs$HEJn$iUB+g`GUo5$uHD17l9T|(V~-@e=STa8Z;yge1OnfP z7G$-T^GlYJLLS#O2S&RBhS~#tFZ0x!(TECpnlIVJ0kc^%6=*pWL(V^m_*n8Mkx((T zY}nxd{-t7}KQ+KDPwB9Nun&@h#|6qPl5hSy3G6@5)D`!9Wu*)KrLK4!ks(V)MRU%Ja_Ba z{g4rQEm~r`b+wJgI;mtel?p?nNcd7HkI3=pS&h$KJ0w6zW!Y=f6-W9KRo^UhzrKpOANFug~`nkG@%7mjZboEl06Xz0Yj@L8(qm_?XZHEgxkCM~mxZ)n#$Y zH}t$u6T!M`O}Sbrr7Kg``g+7k$_qmKeHIpSfc5onN)t(q>MNydm;(s=dQ){Gj>ASO z=TPKhn8Ii*3YflpS%a49R*tHdkR1P4g_rjyrx!<^U=;nfTK;BDPShDxjCwyN6D{Ii!q(SOR0NSBiOf5z-Ob=>u-k<> zobUn{V}0c7>vm%6>*RZRli=JG>KlZtgI`^J>+#(o73#U@8`5En{EA{L*mr(gb^cg0 zyg^dSC7TF|*$AMQ<`4@-O)Mf*(pRUT1?!KK4lCe!7|6lr&`kQbRW0BQ$31Y71!A~? z2EGjeg2IN~aGVoO5<*Rgyth8Z0XC%)v~7--Wk_gt)d$nnm0j^mxe()Y;DFmQ;M%pE zwDN}0-Fq?AsLJM7`I_YNi@c*UUe$wkzHL3C?4dl; zVVS!Nr$#~+mvIKR*jAtCt*8fC_SVRNC*)D9C0GHEz2f(02^oT9 zfoMA*favze17&G35;(9CqfD~=J(#uedXKNbzN0jHuOW>CdDB2%Zh@8-cZ2q>2IA;D za(Y_5>4Is;v~s`534H zZ2#!YP;+siY-uP~Vm!oa80;~mi!td?W68K7f-q;1=#p^?7Bs0!YLlXryR@0am@|Pk z!<-dlbsxYP$zi}!mP>_{P?FO$a^H&kFb|~@M^Z*wLvcWxVWuV&3;XygN(FEaS?37MGIiiETS za=_CohF%Y>VYgz0MVQF817k zyB6RU{4nwDEAGKHxLRs=+YShH28>hJ#<>U#2$d!047JcR*WZoNNIu&|<|y@q9%CsP z@d(d$oDx5x#Y|1Rm*muT7BGj>lpLQ~%L7~?EgFsDl(00)c$_*nzjiPAz_oD@G#ni- zY@AZ?+E&GD>c}E3${ESAG=;kQyc^Ewz-$|sJ~=7VKiD8pb{o+oX_66(;_(RZpU`~3 zs$72n*zT<(tP5t_JP5}v;uE_=lgewNU8lO#j~QoM-5+wG_A)}=X0YP`d1_!RV*Iwv z>C6#_#)S^RCkEiO03`*Bkz%AVUcpg?X#%f`vP7gESL4(Xh!$Dyw)33YGnTjFw9ls* z;kLdVss?$@`5{V; z6-X*3X&8h&XJ?!zo%lbj>w-1tvvPt8Oc|%3Mk%_O_)t}pRBxO{2@Cp+7USHcAA19! z?3?ATU$#8)AKw0xjCd;VVb@BsrDAsWvwZ8R`!e%iA2J$&uA%gA;XuIf9XY=56)b`1 zPHn3T|V7oM!{--#zR}>Etaep=?U%>cM6Zq6sEbtv=`=F zNfBotMI21Kpb+Su0lGC4H`6kn3uRY9N#=m*jl)Y;97*L^bTQaTem?-7rkI%vcgM`G z?a(Hctm}s3Jn3oQ*)L%*d+M;ZEv+}gBG`3}Tg zD$QK#F~TgBWUyADLa88y&19n_G#!k6k~YU>(>Io(wduju?lxH+i;69hQV(z`6<@D% z=iRN@u7HhGKS7dF35LG)oUAI33#h0hTHoWjmBxoIuy0te$d<=Ou zA(SMsC(YoMd|NP?k)&9Z7>G?13zdwC@B*mVxsIwJpR*bR0S+@6gTiqc5!@s}} zjv*Qt_uUaRnnu1A#+DPIOzwg;!O2@&vzBii71{~rDN0i$-d2~xG~_Z@|IWF<{($Md z2);9=i~rEYSYOy;z!12gV=I;Sgcd_|2e2YM*(T8dkX^DtwaRoKn!5a zCX&334z6tv5Ls_EIpDwOuhOwhk{P?>Y*mco+P2ZEUDl9v@D03ZWu-$EL+cZzWJaiC zN=^hU*pEC{(Tpy1n@(U)(a+j?SEbK_E~6a$Xn~0f2jJ5Rcpy9#`sDqy<|dFQdb6+Nr6j!i5$$;auM1I(QBWxN7Ug2xUBbD-PXKIxQK zYA+m?lZ0Kd#DQXtV9883y|?C~!9#%cGm+2vnx!xKsQ{VM5DTnz&jDeM$+XpW28104 zf}iG4c`t>uph=uksbdPwKD@JTVz8G`{GK>Q*tQMbFI^kTr0vRqG)|@`v5BYv2&Ef# zd;ePKHam9b=(Xrx_%2VN7+jpQ z2wgMs#5fru)-`5FGRZef+`M~W-=0dqD)o)63sRM`C=~)lzp7YQQJF+0Cu`CdlxgpY z+MI-|?6Yo(rXU6&Gh$SYm8??6_ z7$yluS>m3|AlE8$7WzFc@GwjqL~D`kQcI$~WX(L&1#4iuC6 zvR8)EjUmymn5ew2FlX=uO}Y@sneuCu{K(T}LgGFd(kn(NvK(t-s2$oQ&RE`{?vle; z6nWem1A5$Y=_c4eaNtMA zBbzCQiER;4L^`=k%Mr0(H+kF-E$KM}($D+%jE3w1*ICiBxQng=(?}9F}6D zi@dm0KLA$ZCLgB|z@t3JS`TMwkx$TB4z@O7M>F{akEaH+sh@dbP3~m%@a6k==Wo^= z>NcUZmUfhZTgCV2=#(d$JDX$`L%AkcAOXUw8R^O6s_#vjB&6V@5K;={5fy}|E4C#m7@~7$HH~38I2L;dOG9_IVyM0(E(j(%6(SS zEjq_^*O0CmyeoLW=n^Tc4QU>AP3E^rZ*xcX7|3Fa7w+n(qbyvSQ(1muyQ@MX3C2X~ z>r%ylWGqi6CMN^EwynPCTG4$Pvrc4#gCcmpb~wB5J7(X@CwaD5W+9l&0Y|Wt((-;L zXHT|*O)Y=fcT9SKa~puj-`O@%O`eUItX@+=9q(#KI*R7A#6l{ z+b3wFycr>++oRznOQWu0O**2^l=@(i@9WV8$L(mF6{9VHMk65aS~S}8_kU2XTF=%5 z2x^9K9Vbyp^9UVl7Lv`q@b;q%c_cZ@I0&@A_j5il3A30(62O;1%mEV^|7qd2r{Q*( zFKENEb}V(MI6R2me?0FkgNz*~4`R<-Ll|!qOcX6QB-p%UGa7v5xS}zLO7K2u+hJ@r!s0ut%pTFEc z&~itm(05jjO+6H3 z9H`vWn~;uTz@#npJU$)_$x}?cj)gIymFLCtsfmR=o8<9eSP*`lvRsNuXxM`4SUiva z1LNtYnH6tfxhO#fxspfag zP*z|mf~>}C_$t37eOv8GfA zVEMfX&Yl8n7cIdSPj z0bn0k9>$;mxfzK-XLtx;Tc$`23u3H5p^Y-7WjX7!Jjd9bk*Wf62?{S{d!RZg^ai83 zN&eg$7hrDz{S^~*q(*uz$qSQGiBx8qr8F1>gAX+I`7echIPBxJ_d5%V>8aCng5Tv# zD7h9~sUsE+X&Q%AACMxasjzW`l9c5)iP4fNLG%E)roTYb;MZGb$VXWW8Wc=UEz`yx zdJA^BR|rXgxM>AfXLrP+m_oe}XW2jV{BnvZKy;^^G4LTtY4!-jsa}RT0EjxZtPvDe zFfu=$e}^wMB{!7>7*a(_)bIt(-BMn}Av5evSso*-)JAAgP$R{y=&x;n!;x3x_O^udvFoM2J`^Q-Bra!gg!Xu@|KhpcX7@Ci=73qw1WSu1 zh9X}Nc>;%m@H`&GP@8mW&!_pZ=2Ly|_%}%zeF}S$nzhyV8omd_u<-X%>E&9=q3H;N0z zJha>a)CDug>L96|UT;z*R_I-Z>u%<4;R-5XP?5t+dhf9zP5OlQ>xGxaZhNv~*0iEv z;eBt|GVc?pN|f_74x4fpdNct#y3XZ$DF`3qRGTa1DR7a_ETSZy3Skcm;9oRnUPZRE zr!xjmojH+_iq=bFQHZ8{Wf@Tj%iRi>g=6@i6gA+ER8Qdc%bO3S6(ei8NN+l9#G?WS z+fbD(7U3AvpI}5tbkkzw&%p8Q)x@%x%<{ElMLJ`=Tnk>W%s9u)<;skP zL*gKaNEXtYpcDsk!7qGFsFd(BR*Y$)$?uxyNpu}cStI3X3wB<_SMX;m9MXIs6(>HS zNik{lbH0%+IBYRj7p~aH`tw3_90|hArBbD+u0)T0u`b)lHppN z-5b$M*2HKEDdp)2fga8KeN|18B}r5LHy&j?FK}ZFA5em_k_v&%=#@zn;2xR8sVqyR zx(T5ifMvjHAzm-}yYAyLGIq-nD$MXdU6 z&;gY{1CvvV`>MULjBK5AAzFYiC}hINQhvg}RpY8_F^&tl)PxO8Eowb^D-)Es;w%OS zcLGjaC{^3S3GL=g^s@ARj6hN?z^R^2N|dNYCasLBlcE(3d&bn2r==>q9dtmcrWGo* zzy@A-MSKRks_Q|7tY9Y~=ghSX1u*o8PAq3Db0LT$6TYH9Ps)QWkzylc@;8x=I2NYj z=0^6_X1u~{I9b!GLVyrUS|i4aQmr@3yPh?SUbTiR9gBht#GjHHItk3dBYWk}xWyI^|mF)hqV2LZY*Hrl(2u94)RbhCHegGw1LR zmzjG+=ALWc07c@y z7dbI|lR|~yWFiF%M)LqmR&vm##Wb3o{RZIyRcT}7qlu%uN(sfEPNa*VMR9-P+2+l) zL8D0iJD2*7OOXx~J#~elMNUE!u`lAtBOTDEC?r_3G#Zagl_Zy9G-E;iPj6?LrvZYU zA}f`L39MCEn+mF-mgx@>Q|Gs+M3L1hKx_qLJqiFN!G)dQmZHBR!H#H zv{&IWQo${D^}Js(o2ETBx^8o|D&kt_%uxb(a%jhzXD2Y_t@3VRBXx&-grc;hBhM^j zG?kJj;BCk*C_B131?Z|)3KRi(hh_Zars>+`$pj%f4iaPEn3SbR$C%}qv1(0MR??Rv zmJK;5>h)af^D?TL60=~M4#6M@6kQ|jeZ==qcp+ah-W#}IdK{H9d29!u-pOkOrY6Q2 z%LR)VI)daeaJEDZgwlm+2x3&CLC%oyC+dWNM#es{&|&ewcnv~wHlR8BmCCw@@&)V# z&N-$Z=!Q=)x7sB{0^pFLiVIjafUVT20dwSOg&q+^jS%O^;ltlmo*GF{V+wkSv zIwZgb2S7}-HL}HN2x&&jl^_KewCTnWnG8TRhYp8SqKM^$=IAq*x45~h#W*R-iY{Pt zY;K;8{iotO+u~xKITJ#yQ?b zH0h61E8M^(SP=;VEmHE(!v_w`#99;RPzvZ}L!5$PjOjGGior>$8W(UOVub`9+@QeY z33wWi{ZQTs5(}F1%8{LRBhI1tc_>A9|G1W&g)`l4S_%z^oTC*KES;XS9c-?Il0E}| z(uATZSwYi~;UY3LgDUPf0lH(OG%n0}G~U}p&zn&53V=4rL z)}qRY+MKo<_a;i%unU?<3|O2RVgA~oMn`Nkb3p<=Iysd0YE>8<{Jwv7c64%h{Lg1{ z3vH=j3}0|V_vCLdm22ZmB7|Hl_(D^KQTWybEmre5VL6tNLT#>THTizbl1LDih6xwQ z^m{oCFIgeT%EwPDR!K={sBgQ8CMHbYM6J)!qyw^w6{VHY#yO)J_%~|=v~^HZ#gLDa z2$KxdJd}3eT-%Os7Md(h(t>_4j!;nQaRLGPnGu=@Zo4ijhk;hwpwuPMjS$!!71S;e zGc$b|Yu9Rz*^m|Rkm{KT`Ql2J$6&aYJa|Rk6~5 zhr{?vb4u$>{5Y9RCZEVh-PN_^W&H$?DP& zu9ecmm!4iMya(ze@LP)CTJQ$6br|!epo!cx>C~0r$berlte5TzoXT2a<#jQ=uHZgD z;OqaC;{Q!Myt^D@X8ixw?p}MdU5@|X*}aed|017?{_o`bcrYX?4GU#U=-&iA;UUxM zEN8$GMO-jJ4p~9tL^K-finE~tpQ;ArIo>DTClJf=d5v2 zs_XjwzNz1=t);lsSYQC`I3v8@Xpwy)6~d&HHQyo^*SwTBhoJ!>O|cogfS@{x$ZIs- za2gTJj>aN#B;u*5U+Y2wp*leHCyZVx8sBQe&;X$mug-H8p6v=&%HrHuGomwsPGXi8jc&Kw zqhi=tA|F(~gR4^ORSUh~dKD-Ps$-+%BUMEk<<73p;k(cLd1x@L7D}n!!vuR;&2Aa` zo&N5`M#72Us$vwFDut5HjN-QFnVOe_JA-gAdXXq%yhfUNt0YNRVydL zND;{<+%6MMsJDrlNjUWSN?;$-R>jcZV--Fiu*Mo)i`twlU7Oyvf|nN)6uyOi7Ffcd zkG&&vZwBbgRijAwZoqxXY5wa?N$Kcp!*Z%`dHSurAs^Tucxu0HA>ApBLyjrd&>}6l zW|@^R7wl< zlh93-pq5n7cm;c-Li?T8nS5MikO{Y*dStY~RrLG>oO zdXHssXQ!Qu*XKu__h>ilJCIxm(h^DAm5E9>YjVi za+2O#ocu0$n$cqTeC1;xMLB1AEj^J>E94JIx7phvtyaWB9uxu$~|4^!hQI03S*y;7(loJ=^1T$;BD}(OyV-3!q`quN4ms1bn#;>Vo}gIE+o?dF9CXbY-u5o zgv~H=RC!jc-O>$kbWj*W?>otwNk|0~c#oLi3sYguSR8HjX_i9vFV^=0zUIVVn5hJE zGlBn>F8>GQt(mSV;^5=GK`fkSARnl8sS>Eq$oAgmrj-f2ZuM-$RcWAuvv>ANtLHWkG%Wf&~8ERt+q?k)B%Mip>< z-AV{5zX-XIgu*SO?vLR%z(g7y+m}FbM`y0?9D_zf3YH^O9-NfTl>9m^fEZ!JMVZO$ z%MzNVEJCqy2|?og;+2+2&mGa=0e-cul(SUZA1SI$5G%G~#VI-cfvGYG z%kD_^M3&tSfO4a~D8D&-BkGzjm$sojV;5>cczdvW69`kAu($KJ9)I&DVs>)t$qXot z2vvuTtyx4_`M!&a_6>*D)8F0PTz2|p1k4~pEbCNH2QyY)es$sfuN_lQcx!jol557D zhp$@I=!JIyyO)%)GNL7NRrT&2C(#;ub$bkD2Tn$`P(JS}5do{=xySZb#Y6v)=l3`7 z=&SO>i#`3J8#EeHivpn|LL0f1AGBCiHsdIBz|DKsE=warzE{!&os zo7}z0S`%Z+Aj*?P9^4j7hBJ;1at0PurzhUR%_)8`{+9y;1GnsP>?;Q%y<5 zGX1&8bu5)+AbBaWtMaQo8eS5XO0`KZL})F=VHm%b!K&9)rQao0kni`uJ$APHTbf4S zc33ga9(=#={y@_RzHW7pmfmH*@NusCB6!yHwFaI9?Gi(ynNr=5pq)j_->#_+WUK9_ zDqmAAGN};CkfTC4d~IGUECFb_MtN7mO*!kJysJDtEwsdUO$BqX_hCk|$_}N-1@UL) zP=YEa;CgJlAnWVLZ_iH8FZNF^o~=WbR5Nh7pF=rKef7>l?lgj&#v~! zDiZNLmCqV2a)8}dsO|Pw_&}9G9KC}0OY1vjjs%7LMavhXT58DFW|y#FU|upt%=+gW zEpjGLp3}utF1qWQ0hB=G8c4gwN)ZG>qh3RGDcoxv_q@o*%$T?22E28A-M8BS&uczs z7i#uE_~Hs|2huL@+heC|2h!5HRyrv>b->4I(RKG!EV!w-jMjHB4VtuY0x!DF#r9ae zzNvO^QIcqPgU>`0fR#lF!k$(rm=~1}?JW90!dR_nZMtTP+F%`P1)4$;1gd=CPZ>y?d_UDja3$j(hrAC*$gY-&96ZK-5j?BC_ zXFcW2YvywXT6;lgZJ1vRN@#;NSaaP<(Ew#lLxvro1|UY=$z0x@PAP3*1^JjE5?U=X z#rBpS0m=S$ppY?~_K)22B%W_Mr|INXr*UD9%E_ya?wCf!)WuuDFcG2S%zqi(hf>8j zK9hjDC$Bp1kI%a99oLmRsF($AQ`bo7SpNl+@m_TZ`yj<=7C90;oV9Ct&b**j6woxA zlJ7c}g1flAN)qbxv@giN<~*48MG$AtAAUqEd?Nn>=ynfYL!)!ubIfc<>3f20(oOid z*%wd+r9`KqXG*WB7G}DI{gUd!fwfkATMQXQ&cI*~oL`C|GvBvfyKUQXa6R^#-kH)A zKl3JGBl(t=%;)Ww*LOb9y{Dc({P_Cd?EUfKrzHW{W)=#>k4L{u(*U-*Qb8H(>*Pnq zGRb5{vCd2=x2T}kq9wMwZfj^zw(xwqJ!^D|oJomKp$V2cVHuCGmuo=0+q0bdTlNU4 zxhP;cB(R&2!TupnqfI%{Pni%#8V=)>tzyP1219!GFrfnttg_>D@RyI-ibVz+=Kg~S zH2CQUR&=(DE=l4ZwEci6|AIkDU*IGAKX;(~l2J{~>Yc?AHIhMB6O?rrLG>y7Npy8F zt)Ss>RrT|t=eM){#m{VKyXK&(so&;+J|I71XCAB(;5K)8w#ezlot=B=pgnD%TcA9D z_;LT|&il^x`=gV?v(w{~i}}YEA>?cj^HjZme)RhI^kmUj9abS<-aj}v>U89BUx;fU z43AsD5{?eek1iZwns>O!#iMA1Gt=VkZ-rjnM^L|f`sV2U$^P3Tmzmn2HfV|?#yNDx z>FS9qYQnAHO&^*$2#Yw)G@Bhd*8@w!9V) zWaf5l(;RzxS>rT`FPYEjV=3_4&4R0-mgxtLcRD@Ij2HVHUtLu$%U4&8XT#xsr7l?e_ZU@Q63Ew`bn_PC(nqRhvV&enp4z4~non7&0J(tgwflY%lEUOo}JAh|$e zhaKHC;>IAsNHhtc@7K$5k8Q)I&#YTgIby3PN1RJ5dMN=7 zp&Y9wm;d+f{79aN(|0EepVBg{AK7FIlsa9DLUM&WfU|^bXMmXY@ZRDMPERiOk57)y zrvx@6-~()pi;gO!zz?IO@rwz~Pj&NTSB=#jb$>0rcUMHY7JS#sUoHa?Q2Z zRrwcU(P*>-aui`vb0ZnVDf!j05B|35{IOOS9qeEfBY&NB{nO?P5%S$PtrpfXLVT!!Z>SM8M-PVmil;SkDGDtYMnisKbs*)UKx5X_4P?$=hJ zZFr`_!>=8Pn73%ZG;aGK<{&XkAR)^NvElheH!#+IW6gScQFH>>rNgT7KMeLDixn!0 zqoERU(NR5YV<}4DcP*Dba0f2qG`(zOk?k|`N9#}B;L;UrOtrc#un7Q(6V}lA9hj%k zO1&hOR-XhLHOOzsjVtZ67hA0M`Pt&>jdg4ZXYkTHMY!kBrzbZj<Nye-(vNJ?Mb+VzEw3lJBxYrJ z(Ml?&OB6Xz2T&4iD!9uqRCk`rE~Y&HPLEwZd;2izrdWsZiscjNItv*aCfdt=nif!n zT>dEvI$-PTjrDam~4$38)G|*W=-tKoUj?U#3{QTi6&sZu%LUK7! zYsfy3?X9&23x}LM{Ai#2WR3<<1VD{kj1?SC%FPajA(`jim@~+JKY_-~MSR7Qi4F7! zOMJm;`^;Bh*2%}n1dzstw&;AW9aRe25pF2a{IR`e={G9yvMi{*--YZvl z8_uiWe?D)=m*cwi`~3wNuG#gQv)hYhxL^e(-;%G+z|}3dYT%b&sVQe91!x);P!qJ2 z3-J9uo;)Byz4keu#K)u>n0CE4YW=KOxsS<(Bv+L{bFz=4n*PCR0{rsqNLH5t! zFX+CrzU~xdLgcKk2Mq{!#(IG&jl&A`*L0#|ou>y0$U757PzhTO>&`9GPt_;IZ3x9iMqaD$gZq#foDHE>hN{bti$E=H^vLPl}tIxf(!(PPCmV<`su zUqhW&YO6AtZ~;}!B8s6y)O04VRnfjtF{Z>v5e7i(Xx-@nnnZHE(o3ovk6?M>?((Ww z)12(xu`;WEzdxN214S|JDwKZ>d+j=T1d`ZJc%h>CCUz583T2Fw#57xy7XnXB0Z>R$ zNo<`%U7a2)DUy_3CvnOG$*WLP)Fqb;JkYSDt|zaRrl}b@fWwLwGvzPsMCqYxT>AOb(hXKC2;`;2Hg{KG){^*OB~u+)%U)Z2INgA zA+I$_Ts#u0;hb{eX5)gauNT)GD!Cx~G}G|txR>zoa((@qX&FZjGKCki3MJk((@c0s z&3VCf#)3Sec@ZRW_-Jj8RN`Lvin+8jFeRr*n9qX^1<{jCobG%#R|NGHgfn|SV@A!Y z*CJX_dG)LLEh5M$(L(ZcOa@8VmE1M#_fgI&fqUT_0(`g>6NV45sOfSsseW8Cmbn#P zgy;LAKK5cMkK~L-6JvFk+}n?EvoWtw{B~lDTk#;}Ig8eUhAAuL0=J1aQ0PSRoYGyv zb94I5d3Fd;5lpFJld3ugLHZ3xfva;TsOg}ETK(}Oo496XRV-HuZ*6T4_W#d)WNZE- z+a)XVBGlRUw9$K7x(zLrq8MQvAbOe}HPaV@6I63 zzPo>Zar|ok;NtZBm-pYFzCGGtMd-da&bVt>QbmWL1fbx$Dp1p668%e4)eD7*%~@)6 zo)QM;aWn44HP@&VR;;;JJO2z^j1n|>D~!JgJJe{gt8A9I!(yPVq2=w_cP*>?)x6+g(z~GZIs>H$UY02 z4_NVxup)Hd+mOSPM&sD25^Bqw+G)FMffI|Ci<eJ)&G%gkfV#{avYPPC_} zqNJxO)8v)vav-ao3sjJ9!UsJXUP^3qo&8aM%@NIb_ILdcw#+>ze$aat@j+(^E0 zMvLJyvQdmOj|$X#8;j9>-P`LGw63Zjer4nhl9-{|6INXF{PK(^aX4u-ygzmLArs^p zk_XcP)aeI975)<>gM?o@E%r?P!+>B~G)qH1&Y`hC-X@^7o6yGVA;UChx0FYmN;E)i zwQ!uP&N*;@V=h=jm!{~ZIO7avY_b#NKhYJ3tB=jeRTtx7r&Q=w^oM z3Or-!nxC|YotQv_-l|>+=`l!VbchN_!9yDs?%S6W!CcUaoi6wWgh$YdbZ>}G#mr-< zk=L-NvK%tvp!AvPWm$y7H%_ccRlJFmk>&R|8+|N4eu96f>3ZLq^@Kc4B~e^SDk?8Q z9ulY-=M@`OA;s8`N>>Jl%HvQ|&U?;Xto>#AwU*v3ElJK>ztE}zTnoGonU&=ge|Y=P zQpsy&(A1SXKzMZP3(_7Rqp^p5z%cQ*FF|kuD{+h5*Z}pz+kbwGpc;)MY>Oyo7pLV4 zwF?&uS9O^ds44gR=!2J}TKlG70j=h>T7A!k!86tO5fdOvS!i%m$h9kRRkIavQmsDS zY;UdwdY@1%88RoB&% z>*`=uC*8^Q!oq(Kc?zw$R&|qE49F)1=gFE=NLZJP)eYd>`oE5NBnp;c0bqx!yuwS+ zW*S zmM5nXd9$a*+{Pm0Do0qDT-C#CP11qBNb^Xu z;ZvkzQjxN9nM}aK%u+P6;ySUU_|(dgx?UI3f- zO9PZjY^axfND?PyFoY2QRhYnbK;F=C8anGYBCK8vjUpp9$n$QGfq7@4IX?SNukiQL zhn9r&!b0$0dG;MF!9Hj2HDsn?&LR;Iqoc;@pzN`GDSyjpmO(;}_Zk+e1~#I8(B6x& zV7dCPMWa!iqHGbWmiWhKkE9g2PTtAq24iToz{#&>9v-PUb5)r)OE}8*4-UKtZv?gm zHWj7nb=5>+RV_y_Rt2b3yg6hkosm^1zNWqPIM@s}gSHJ|zUFyUt6t(j`w}52gT&c0 zvhv;W+57YTlh;QtR>%WY+V>e*S;xkD1}Iti4yuJ8zF4uUxas^iV-fPa+?B#qH;SdK zmwFGg>5c=_gjMyRs{d#F2<<;H1S2b8|Dnyb|T_|_Z@uI z@|IW(8ID}4p0?nuJ6hNK6XvbQF4ui?&XAe3GA}6F!*oUGo>9M|-wrI1=>En5yzli+ z_gKQOoipW!>tiVYfi{^`gzt|gEzK3nvux-mXHL;{YEiZy9eVPjL8@k6|9B~b!q|Bv zF_!sJR|6zSUSaG;P1^s&??@jq!jGJ19d13ROQ3^ zkF|BXZH=_&4?iBfc?ZF}o#X#^^a*ce(;=d%dZ(FQFY*q;K4Ah^RK9qA9ImwtHfn@H)4bN{R%h*=YpP~&;dEY^8sCtH zio`s8S=V=^x(f?OvHA}($XVuCR@QFcdPN???qVHKoLPTT*MxH5Ks`qq+H^nF;hv0Q zb7G(?MLCMA18)WO0$tooU zFDNvj*un4C+_+hsP{H+&WVP*C1-CtLYYU2IiyWEl1^dvryD*zQ82m>3I$adQWsKEf zSQqS^+7qwqMaO&A?*w^=xZAo@+_i`eT+fH z0JnM=4~9$>L=_SIrtyI2n!w5=k4wmY#Gsp4b``3X zwWd_|EnhHz8jui3pO8b{8FZPXxvE?_2d2ZyRdo(g&>{{E$6jAodCvApC#x8u4OHP_ zQ$S0f4>{J1fugwIXZ|$-%$)^;fOJO_4>wV-+eGh+x%1#OXvxU|uiXMXCGXDP=(5Na z0L?|`4j-sSR;o)VM6Oi$Vr@uGMb^D@`m}|vPZMFwx9JhlCg->vrXGm$_=@Gvc|LFs za&QRWPCq@)ljo0qk9y%V`|z`k4LI-LpLQ-jJ;S4adVcX~V+tXUDgX+WBfEIlIXeF| z{Xka3Q>w}u{h|ZWC4_DrlDgJjr!6w*S9Qwxcg^_gPGM;gKlGfKPO|Gv8wuzHl9^GxI;F97k%K&Iju?9VF-KsW^(?ff|vYVnGL3_WI1b@azN7o@G2Az)A`X6s_D@&9_s|f zYEWH-)oo5iML^ogRZN}5ph_jWAT=-=Nztt9?S=BSOrhWD;ygDku4)lC&3r4bTLptdIj}2vR@wZT7>LYyuOle@xGFVYuc63EOD$ejOTeC`HS%)%t>Kk+bZ=vWY~# zwMISOYGvbmP`1{TeA~J^ZZgrY&B#{@8jI@^HJXH|R3+Td^2JpOF;AzECuYiI=E(1@ zL=XDB0!dSsy^0Jr7xAw(Yc#9Nybg^OIW5rsej^{JEr>nBCLkL)!Keb;>Bmd+Y(xOgkCWPwB=M4GX~v@#yGOxdRmxz-lUt)}dAfZsf-VS^F8Zw4mj1=4D%-_YkS`P}Kjk4NWF@vU=l{>vx(h-5)2ma$R~ zX`ZPbaJeNuAUUS<02|RbvA-U@-9LVVoqi!5LB*ZnHaTd4yxi{cCSXAO**H-}Zp3rD z?%Af_H+(PvyKKZlnhPa0!X>V}pQ02uBc)RPIC$-8oRBM;$9ybE!Uu}D9sY#Lk6<9y z-NJQr=j>`(U=h^;iH6V&JIHu6#bdx)!6N}Jr%(3Z9(B(44~|}t@6JvSp#<3r&(`_q zV<0biTf9vCy8atnEuS8dKS+_2NAiFFN*^K0eu~+(4be>aU}^$@ff<8`5*a<8Kd0NPl%Llv^lE8|c-1k$i0^eIo)H$lA4PT3WFJ^KhKyL8Z~Y8SsP?hfBJ(91 z#HscgLaw?$fT`6m;7r91K6tSBv=Dbo&uZxj*#K&skm3&u&@VRRrqgd&q76W2*73a~ zp2h_Sm7fl<3P3Io9SM1on0SDN>CarM6%&|8Q+GmA6{ymi(!rl9_oXxS+N`b7p{jlZ zbv<;!p%^ikq1CKF1~-m2H#X8YAeg3m8fkhGX7Pl0O{=w>YTuxOt-Jc4428r>ArX;SpJM`!WVtO7Q@N&^<*wpWcyjLR>7= zb+`zj!O3$totoSiqArb!nv|3>&QwGAsbei6ddY{9JkFBwAWlhy_BYphUdFr>8GfyK zzp^6rw9Fz2vX#LbVr|xjlr?G)lkakHc^K>gFeM8eXO%Osh|@u$g5nT>5fo~3#KU2H z#acXxjDcBr@dWCL(A#j_Nx- zugc$49E+620)Y&oe*UT|QWWXQs!3q?G$}c&{n6oj!p;AyIV*DUNC--7)@cQmo1lJE z)At!`%CBwQfG#0ani2?CrC<+DKk|E3ykRQD-Ps~x*CiH?rB?BK?qrrLJT;;dRfs{} z)5RD`Bi5~3z-|rEzF4ZCPgSXcH@~+zUXY`M)!J3NC#`e@#(5}0mP(}ptroB*zuZqO zV7z2PqDe|eaR~LUY(&OYOzoA}AE&^Q1vndZez$hl!JAlL$^cIv6(;k_&PrFJ(}qqZ zatp#F>&7H*EcJ@X;%a;>KLY%|TVzSs@*U`tDTb=h2GrnxU&NVsPt)jqk;mbs*mwYO z(5+&~T1A$$^jg-;sz{57c$B%ZD>=PZ6Divi)tuy?2~7uMI$)-iD4-e46}Auo)xAKK zp|dxU{Crvzu&E6+m$y~7Iuf;f4qHR|j65JG&IXrg7YT)>;lz*D!^2v0hUH0p0$a_#R z=&qW4K!|sB%eg3i8$&&vSX%*Lt6k3IRZ?)=VS<_WXyURlUEsn%^02LHcd0t>e$w$< znw67*%H(9>8R2$R)@bFw`T#8#>|R;%60me1zXlK?JA?JgR~6 zd=Plyr+hGo(?Nhw1utoMd6CnQozX&4K8{lf7=UN^*#FPod%!i3y#M2XA{tM<^Xzp+ zP+AfY+o7lkC`gr{qNrp^Hn5Up<8DGgK(U;j4G%oAx3hN;I~MG{oO+4{%c=|o4NTQT0KO;pdn(ko1|zgW5FJ7Y1WzK-xHv$pN=GKkoXQa1fUHABlz_-OjsmNE z?KuY0hGlNS*c!#}rG*5s1&xg3}z8$eW*CqyjexuopzYsGL??sgig&B1iz4`&yGN z$0M-T^hl@md#oo0v-eV-*osvAKou2aP==5alhQ<82oac42mS)?FM**U)}7-Fq4X(U zN%#@7!DaFAV)7x&oI=H2`{42QD3PX>DXW@v?_HtcV22pz}<;rJ9HFn z@?kPEz#Tvhv{o7&m2r(_2WDU!F!}^$-3T$i4Q4srfN}C4Ac>9$i|Z2{8rVC~FFI~; zSZI%bY1<+998OowcN~-LhCWdUI!&1w0|VZscMXzB;e-SnNr1H&Zjh8I&v6f6h0k{G zW{Y^t0%Q#mP~@4!Fo@>f-@v<^5+$^3S0dWcm=y!f{E|lBh3QzGC~nYN(lA;f>tH0C^iUn6@nz3;;a~Sj7}>Zl9DS>`YGV#`jOII ziZ)T|m;f7IIkXGEc@jVS;JX%TUq5@9h@Iuxa&Bh&E=ouLo0!z#tG3{J`2BEZoi z9MNC|N{*fsN{5X90?!`w^?*`*7{KFoL~1;iQe_Iv!L@LL)YvO6oL~vn2<|2F_WYE- z18|Pxh=GqyF*vTwBunzP$7!t+ip;>N?vuMjBpup`Y1QyfNbMn12qPZwU`05ljl>ZG zQEMwkw*bzbcyn-`!DoR}<}n7VTNLA0T}ds1({d;|Np|1^7x@DPpr1xF(5#h8 zdal7y3_MCIVS?anqXvO6l3j$3GsOa@EoQCwR00l8RVmdfg9%Zfl%|%a=U$%7r!opE z0cY>wCgA)GpAJbmYFO@d%tRS0tqh*A+vSY4ltCH*TxMv?UZx_YC8GE5D)yb)PYBap z-b7?0i$E>}ViEuqV})*`esHa51GWSn#he`?M#dLWg1XcKC5+E4Rf@S8@Xbt>2ZDzd znMNnIJSqnNUyY7KNEKw7%4wl)F@{mGL<>D0ptP0a@X53=qhg5`ay-lk`Ak}5uohOL zYB-e5v|RXT;3x3~c(yWdtC`k>qJM*TD<_Sghb@ryC0W@bX_c_F32FZZXIDm=B@Qf;+tEOed3^71g9;C zSdt&tu8FUus=!(SPAfK9;A{p=W|jG(;E@I|h)7IMQR1(JQ5Bnz$btSqLCm&-P|N8I z{l;8pWHDgrPkyVxfF6eqU(E`DYlMh4*b%T|a4?P!5=0B7S5CAQ6vrD?!n6{~#F3uO zSB%b?R(gMlaW;DeW_CUt27zulHb3O}apNPh%w#I3#tht;Se0Fh1HsOY>IZps=ql`u zYC&ie5QfAh5lMmNhzwQ1N{D*fle;oj7%tu&phP4E=*nQ37QqQu5#&#~XBv%Gs26&^ zv}#fjL>Va<67$JSE7K{JWE9WIfC>ZT=F`aO-(@UCjtkw7P_>BxSBt<(K2koCSwZ1MsK&yzfHQoYzzuvR>rRv9>16Rh0|3E;T{bKIeM86_R^H<}W%WgWE^PX#ZM)G$}JH=2W+ zJ_=d`P6<3l11Jhw1W6csIhGX~wY0PvrL^jco{2POOmbs(E2g6df=!z;Co;{n0y2*h z5Nv$qpglBU%4D41H_P zk9bU*NSPukf$fRGe_BT%auIhV&4mMl=@2#F#yZ z(L<4zQK4GZBBlnzl;&&zUfb0&Lxv?L2OYB=vj%e8rnA1} z17`v%MPj(tG7lQUE`ca}74TqJ&#oP;e?wplZz~38O3`ub-P{5qNXg&L4eY4kOC_cU zX9%o@ygWN}bp7%qvIwK7{c^NYGDSa5&JI?0g`Mqi{Uubrwp8 z0)e9=DJIh{@JA(HPw-7@nhy2Qm~Qn9jnQR8X<^C9E(So_#~!EYbLb;Qy9{arTOO=vhq>BGTz`4rh&DI ze76=8ih`n}BcZ;C79z`=6DGznofg5xum%+;dx3NmXXge*otn2z@q<6j|+(1ELGbRv!riI`H(yaa`z zYE-2I4h;k%(`nIU1ft6##sK~_)pUMCHG#?z9Fa2x6*?t-xl5$7{wQEnN!~ZoA+Jga zBg^V=#45t*vX#su@ zDjt{Oln%chg3!&@4jKOZJ5%@**DUm&R=E`n2sFZzVTJI4HLq6_l>Wz zZI}?oyKj7zZNr2x-hJb%Y#Zi|5zHPIN{6X2q=zMovfp)p$vX9j3b_~(-NEs|`W$hk zLh0ZMh?ey$jwpdAE|3dNjOnR$Y(^m!!YZJ5BrwX?q6iV8W|ImSjnYAJ!<+Hg>Wk&^ zB8{OP%Cz0sBM}sU5^%hdQiw4Y&aALuOgMOED!8ptQ^LGWP|>W^sZc;~A?P(Cw;(Fh zdAnRdpj$dJs|Q4dMRa8uQ<{$q6B$kgr$lHFwZ9?KEys#73{C-D1ykB3OaT%Mvf|>J z2RLF>Q~|x2I~NapA{+o~;Q$mjKWq$wsi6$@I+%>8wK`a7$RAB#hK*t2Ahu;$1&G{J zBpr$*&j*@lV|rrpHU}adli)gnc4G+dBQa89;tPr4Bry=*^P>t)pi{Kc`yJ;l#CcU? zN*abf8dV`+>jRo|OsAF;>5$aBv(b9ZTuaTobIK5r!O@DxsDo9G(IisyY;t6#LsCa^ zGK}*F9ChTgPh^w8o#IMKFc%;oYs`WxB!PN=2*cz&$~GPn=rm3$Opb6!h(cibARN^q z5o#F^EftbLpra6}g;{5lfKkpvN`@BjnrbAWgQsU-vmM1{- zWpMtg@R_J0ZnAa+K?ZN`G@5qAVCZQAE+a#u1X z%Np~~iuV*a#UGX>A`-yT+%b@mKL{0uM7KD^E=_J?@u^ybAW7)tS)n0r#iKyBNIS&i z0VqzA0p6D|jO?_M1jZCp*HM-P1SAp=7#FkvxYUqfndQz%KM&GzB^4O1hjBSXC}AQI za&Z(py3#T6SyB|^evt}|)WJ%s84c@fF+x-HiKx)wdXzvs%v)niJ7jG)^0cOpFgH?E zl!6XadEl4_2Zk3-LaZ{UYlSZl>6AAWy(+6r0*=UaYB{Wy@fh>5NH7-TC&9al_WEoR z)C$7X$RHgY?o>QXC^*t`->vyn3Qmb5;CWAK00%EzMiGR!*J85JXZAc1?hVV5bQ&6- z0*?n@RRB+dQ-vymuM}KP@i6NW>Q{Nk0k}m8M3_jANTuKu{RVgdUTMcG0cXafQg9ip zfn}&R)gTCw!wyW&SVue`cqM1PRXqm>dW6PA!Z(mX%lFjpRd9`}Sn#7IWszE^ibwDW z1$k+OXa`1poOTm4?j}ZMU~mGX25$oqY9+nh@nD1O0ft+-PKC&+(EPxPjo)3S3i$Cl zSrTJ_W{yw&YVx$tZQHQEJ^>sBq1tJtHv>2IG(_c$xd7ur2s<;GBD= z890y(NNI=~ehb4cHV6&8HglEDd0+}kXbGvMIR`e_1Qo0i=qBYDLV)xmjEHVDe-V8G z8^U@*;>~40<9PTDl0Xt~e)faD3@1|foTYCGpDDzHPfF{|^PU`&5oEI>SOt&5)Zmei zvWrxT!P}!&oPdjQSS=@)y-H~feK?X}?tN!UA61BVd@B4{gO4eZa8oZ%1Aeey7(|w^ zG(%N2pfiK#Y!GJfeuE@&e*XS}5=mT0;NZC6fG^&C&K|*wFA4OI3XEov@kQ~CT0lO0 zcDOL3y6}tQ^F68<@Oif>PQg##u^9GO;0TfEZ%pbTW#Qw98qssomSAcKNztH2!z=10 z?*g6-7+xkXQ#t~X({budY#C`=F7jrD>kwCKsAQkv2I8nQnpPIk_cVH-fFY7)^{Y7m zxpx?quu_w0Ab(|NBV!cLkWRx)Lq#sNR^SufetN>x6WD-Hpb2Wq*MfFAHfICBL6VNb zpfEpwp(Mz!L#NIazMGlh5411>RTu*fHJ>*c1HbyVH1Ml$OaskMCacaQtKGNw0C_|O zD+C3TJqXqlpEL1aazCu z$k)LEAe^KUg$XlWu@*f9NsY3=nIT~k;M~Hn<|iWflO$uzbAdSot5eh)0e9R#DbZdZ zhE>|Ke$gf(hVO-bU=}6b5p?DsNkB+6C(27@J<}0LFl|!GJ#J09IDjywY=(8(M6w_q zmr8}m5@9t;sQ#lqo4{9jGIazJi6i9kg{l+ydpaO06ru}QI6ACCG8~bCq;!&MZlgs* z4uqAc9MytH9~6^Q&w8LNP*Ri4Aaar@Dolg7iE`Y!qeF@5~gq0hnH`#9(<_>R0e1{TuU>5M;A665OnYAvoIsas4%c`fMPk1mH0Vl%|8Z99L4#}1o zjO$uz)R2(%4R07AdmyY-Qi<_hD-{I^BGH27D+`!r4>rC;62zzgAgkX8`Qc4{Vk+!6 ziOY34p-0}!+xrJAE%o^aA*G5`n0p9Si3%PMUsMHG?CEP_K0{TY(&?MjqP5sYKV0ja ziTS6|BB@F^9#QgNJ1ZcSs>N4@&yma`IBsoxAr82u=t5QOIS)901R-8<>*5Dl0bWUr zAP#udA_Q3vZYc^72fS)AfGmO=w#pQhDce;54mQXb6=C|~{ORDP;Vb_`a2bXpkr<|A ztdKwyRl{2{Or)x1thA3H--rxWgPj0`U%+9d5>XoRXR=8Z8Z)CCWacC_rdJ~J1Vk7Q z6Noqw(+lO85EW{5YDCCB-V_)vOhn-1R3RxF6Jn}|Qm@YZ0sXk08lg(5%welvSPVPy zA7>z|5LnT=K_=&e`fC}=2V20d;jvqX&c)zb28HpIdPX_q|5KUb)FiudO`Y;vE znz6uhrOB!&`XU2LMPPKY7=h88GJ-HQ;WJE@L=wtBL)Nv-Qh%7vDu*8|s!6Jj2t=7a zsL~vdTwrX2HULaXKBU}8r)cIO2PJsDf~@2|I!=n!BpCv${7Xcc3#S!qdX}WqDsFll zs~Y-BLSI@qJ`5m62kX{CURR9HA1u18({qtUD+#z_V!jUi&A+4|X6;A;QY#R{DkRmC zAZD#32EcIy=s1O&jV-myCQH)B50MsD-b{{1h*swekwRm z{Ph0{{L2cUEINt*P5|Zh=qpQ~=EVH>qNh0xpDTB=X|pc+w*}eLoU|_@c$zo+uS%Uf za9>g6INOS!jhA<6 zzdo)ft&5cUn(~cvCAU>MNQ4xR$fGMe?t}fpLIHP}#C?|< z`vo={>s+Nx`e?P^G{<%@pf|*LOfxiaJRFHiCGB97VA`J|VOI{xk*_U5Rz3Z)Cqdgr(C$2_nmNuO5SvAtNTpdIP`NRyJWqAdH&~-V zU>r(D@OW5@s+ek2=w3pn1hRn&R-+1p&{CoBq&$>M4Xwr_N=#2h@JNAG8YKdfCMIHf z^3YQv$p~fU!KKNA@x+#ajG7?&C{=@+Du~LQWg=pW3^8B~18oq8quBZ3Sc7epmvJUx zoMC$DQ<)o)lWN$&d;m_JfT}HAoYSEIM5Dw~Ay9^KFXrdaDhJtPfhVCn!Kl;eShaNe zEwYRUdnzDl0F0hJs>GXsS0F5!*EE-%BjF>2f(TDDMa(;j$??n=n+O?gBGg1 z39-O=)wK+`MV+ig&1luYbtsRK2?IWWAddq%e;bh0%d_LBZoU+FLPg+xaZIPNfDXXB zd>%M&);w!c=2eg{546ltfl*oWEP$J2&0~Y}d$&MU%a>PS&rOmQT9c`;N@)r$fb+hL zFmo<9tYh<+kWZGuSm2dCPS6X!viArctsc9FCh6&zX1`cYI!lNZruSmg@Wm2(RR(V~ zz~P1e+@xI=;CW1NIPhO8F;~U#Y$F^F{Fh3;MYA-Fs{Jvwg2itBR8n(B#Nwns1%yym z_Mkc`(9%*Z74FD_9-?wWSi7EOddz8I>ukOpF{V-NIrC6aQ2TU9$_~)}Nn4zGRD00y zzZ%${i(ElSd+rc?@nH6rNiw-{bLsfvcWo}XNhE!fG5DMq`dl2w05uwi6$(^FAFrl> za)dx}YLLNg+-SF|rRtHtkcW_viob^849f`hC2+-Q2~;EG!%ERIRA z>A+gd5Mb10S_{OrfHnm(H+TM2AmYCqKH?L{FCCJ0>{wxxD>I-^8^0<6Su|8<(D)70 z8K4f96EN@q@!F!Zfh>$&m4MhFL0YW_glrCsj0*Jkiw+F%`B%7|J%W{Eei_C$?I-bR z9jy|#nD(<0%rC;B)}=o%i)Lk# zcuD%Y*$Q|``nq`vcuD%Y844(pv`T`TcNZAM(ebK*DJDBZBon!s5=Jzb{1Y-bv%skk z%>GQKNA5#Eg+V2pMhs=B=MHidq(%)9NZ|%qb163i_v5OCC_1bFH?c{yiV6-VRH_TL zN(oBJ@0~ouDhYa8Ik>4N)S_{U3AmT1CvRM1Yrrk)K`ol8e8HYu)PhpEu7y1<-UE5tTU{r6R1dUL5qyR&M@C2vJ#T$<4{DiWWH5 zP|r?LP(cUSsR=62NMJ2EL7T8!garokBzsgAh`3U4+JrHHwyNX12MuBXeL#Z0%oQ2a zJIIAHwIJ&P^LBYWSjt9=EZ0ik&(k3iU4s$Y1RNnoDlJ|NL1tpLOo@>PLnKvR(mxcK zAu{wB3Rmea$N~qCfzfb+sZ7ekv-B3p0{=nOS>#puW3(x_@vrPz;D8%?YBB7m)JkI@ z%iseD@~*F{09;4#8cTc$@JLq1c7AY!UAHN?wI4HZ-kc~LaF8jKDW)}q!e{sV6B&*_ z6$uBN2bkk015O94*1svZG0iR8ox{Sg^QW05!8>|atkdHMugqqaMMTwNB77n^$9k3r z{L`OjEravh(Xzll|8cfba1)DK7Wn5s%>rmMIa+8cIcwU%FbRic5nWN0WITGWlqrib5cVmlVSjSi6)cfN91$R2|OyV#$Zf z3aT_9DwMa9wI3522;K)=J{olN31GS9PozP^+TAOm!NNBG`7}_MO#+Mu%havHagZ{Z zd`w2=i_nn7ig0EP4V+y2pHBlb(DYbTI2ZrcI2dT4#=<%pzVJBcaHYu5E&g%P;Yy1` z@Wp5_vP0!Gm<++E(4a=NdJIpZ?Av%uKhvS!hzwI9AX>M=hO8BC8LS4Y zBqeg`(_nG}QG)PhhBZT5>Vbp_5O5y?iXKJhu$%;`OUcs|JSGH&hM3T5P#18i zF;a()@cfeq zCnFH1HXUN7eVph0u~*X_D$n z%qn8e-T$Xv<1A41@21zU2>IWAR^}p`K0;b#5YuhEMm=rWR+edtH31I zygdGETvEY{NgrmD{8Ekg#-d3U;6@#SP#Qr zhe;tAPtXAYNQ*&I5c~vH6IxiQl!^p`wr$(892@0Obf`oSO=bQK0&!9>+NT+U)r@l; zBjwY%R~c_y4+xfnB&!4hY4sSSBo{2%01(SSYxJJ!Balj^@i37nV3Pw0g+Pqrjv6#n z06|p$Ox&}5ft9EE&%lj1)^nJzBiDvrrGeGpPe)cIPG|&{alCIhCZ{|^jb%ArguXyr z1i$j7yCi!k5Ckiz&NG(nuu_TX2?*9{F%>X424jn2YB7#zaTH00mE^q&c+?_fdmzFK zL8p(8CBG9=5-mQ=g^93`fNB$U@gTgy2t-S0VOf%xUDDOn1JWoF^2&%K3QAlC&a;>d z@P#ouI=C$v5=e*yBqyj~HFZHUT17{PN<1J1iW5v?X@+`IJSQ)r?by^)QT>_o2$svq zNpe95S32o50b;dia7>HHv?5Y8R2x_hj09~HKu2K$e%~5chWH2!T$H4XM`T(hQ;jhq zP!b$oBL6KEl9c&sU~QsUi;1;LLPUN635Dc}VSk;3q|$S!mML|#hb`4|djg{QU5Tj^ zsAWKTBNHfjxEkEkJs6@bxlJ=ZxERAHRBC8$>S=P*p*lEvJa>&U|Ort;hrfJrX#dut8@-&IVq?!g^h7^*kE8)QY1r=khAWn^cExogP&P` z2TXZ#f^jvXMFf+NbZDbE5=>Os{9pw5v>+gC%A*SIEdVxTsrRT z&@V9I4!ctr?hJ-2&rYQxg-cXT%6HV4a6G2dQn};^M61(?j0=XfT(}$$LEJC{KHOCS zHh2MN?u3vkmHelOo&uU@%{Z1hinx5Mz;GENBnYJtN2t*J91iBMq`|S2RAD?OPZbjA zD3a$rD=$up%R<@~&IfYr>}f?E0#WnU;g)4ukSSq;@S%=GP>iuA=L6s@Kq0MQ@`2Ln z^?)OK9MvMwaIs5r2UoEcOG4BTH&KEH6;sL$v0A58ijzA~rMmIA;1WB0sCby0tJp>4 z=4!Derw(E#FR_z%w@T@^Fb9TRKxn$VIhwPHBhSh1$6*ZSr;K0cwd6mAl@sc(=t1OI0c7O4e`@ra5z;Y2v$QFE~mr> zIR<0|4~Rfj8f7XY@IeZU6l`c!A#7@-CgeHJDqWn`txmqh_unzBqf1ZJ6^xmSINiyW z5@#}PQG8=#IG;DTv`;us&Od)VN(pa@BHxL;Uc54v@7M>QT5}D#g%m*<85NP7mIjFiQj3A#ACzxE9 zbeaSlmLrf*$XuLEZcKdl5lEG(cz(p9r2@gLRC6HT9exX$pro{fOz&IFA z6H0TYl%HR}5F~F87&;6WM@}3GREZep$#_=DDF1uo@-mV^ZU+=4)W*O|jzM}O!NI+i znGrUh2&xdPF)-3pgs)0%@&*u0 zb&hO-C9zo3iooW7pZ}LXCd$w#BpJa8B$5=Z{n_G{NG1Pd3{Ou_&n}%hfj>PxJx%`f z>g3t6gN>JWXYY<)DZ5b5JT-A+1 zU5KfnSc)C=XcAgQEfPCPG3-uHkvo_oS3r92R6}G)_Pm1ARh9@c(h~?lOP%J#lS9gq z%}{lMNI(vXTR5gg+}s$Kc*-C`PBI!AuhSxO>Y%rPh!Tu;m#Rl8=c)Nq!6;=&0{q;- zxQHN##01O_^+7=1V!||15Vbh3f%;P?1yQqsM;*eBpnsdz>9`X`X|EVZwZ{Zp5|eZNKnB5f>*>NXHv#) z29zKNjT;h*^6F8j+xnF_5E=z)J-A zbA?liXv)`zt0Li%RjJ>NdJ|BKlub>#z$h39LK&yQF)b#;lt2rf>_z=w#QfQT{*%^! zkrmi;XMR`Zbt8i^GQ3;!i4vy75(r}vYEP zD;=o9E7X9K%>X61L1oFE1D^I`hl_`~168M!m6~B9GJJu$my3 zHKLYbK$5`>ihr3BMbz3j6`T?mkI7TxfIF0@VJ%`b^Kj5u;|0$9I2?iHarDav1pVM? zsLvG8zyuLTUHTyil7QuAT1JLpNhlIWM}QdZHe4)ngT%&C%)9|5QJfA(q0uJ1K#eJT zI@$R27eF~I7F)eseOMb2TXV@)Jd%4Zn-C{2BiR`|Lt!NEzo5o+pb124oC_#M$l4Hv z5y=RSqjE&p8zvCp09G>YtFI|E$gee(t&u{0S(*IsU39DzjVrABe?bcF*wLFu#_j6) zuM4miW*xHd{r`kh@cEx``aj{6Q|8|hPAilNEv!(VuAW`JOr%Zj^jax%THXHt!-JBlDCI}H2OqNGEkZkM8BFs+`4Wr@HP8c2`v%xeOpk_2ZQreJlL=^E$| zu+gtHOc*JSa2*aft_2okI+-!eH+kgIN=R4>;W{JGVZ*#@-*(( zexdr`=imI8y#Ee}>>K455EvI85gjP`oHt+gr{ect&(0k?n7;pZ?9{2l|K5N9ix1!X zFUZ&f4WLy7@vzr zNb2fA`$d80DTILB+~gS93kX&y5Sf+)XyfK4a0AcUY`S5C$F&AWG4Q17B}$>p+$a|u zauk3jgs!H=ASJ9t2(6(erXcHZv$UdW$f7<09BPC(UWvssssnz9Hvb^M@V= zo}wQ_ousa91a4q`m^=%*xfzLabEBQ?09|x%1Q6r~-0kUaIl84pn4rta+fd#fmW2w& zfs34gBqWtG>;$cw(0~&31Tp#6Sy}2pc>u&3OQRrV)NzpvNq#RP5*c=+S>K`F+V;B+u2k0nIX!5oJ?EmNqr>!L{j->|#Ln<_Z9yB`ciGj6H!$xGV@FZuD zc_t?Ll`d+S3mhS3F+@#PGB&KiF&XVYMb?Z}=#)w(|1y#SqOJjB4;A^>Dw<3LgG#_) zLM?X>OrihfO6%F&+{k0t#|`X11aLq=Rfq=z3qo+J5G_ph1Q218?^BkD$dVvwU<&mJ zKqoemG9xRcGCD&P6;L~fB0%a25vW>*nE5XNMWq(F_z;GmcXFCmW{V+j0S3c(FA>yR ziOG_vfP}CiX*0W37kXI}i8`$u)2m$#w;WgmNn|j{TB)ZkXK05_;F-wE#tlZoMG8`V zvqO*idXk;NX!~BWbBG+0$McL8V@{BSXvl#DQ7w|xBrX7OVI=@J5*ROn7*|qukAnQ5 zkgkL=H-jPkDJLm7O|vn?AExxB3J_Ap2~(*woFmNOnIMK zcMw65wD-M~nrnz+0jY73Nd4q0R4s*sJs_zmV}LK28sy)(jj$)q-vaAtX-1}580cPH zV8Q~Qff1lN4T5DjMi_Q=&Mf#RVi={(Bp5dx!y2K6jNw)e5FMk{#nc*xt*4M0fn*}c zUx`xPqQ=98dW(S7K)DSOn2K7WOdW3#6s4mV8^;vec&v~+5q+$Ppa>-=aw@}=IHJOm zX`>{vJjtBQX3idT@~#UUCxL1PNg)>ks)Zb>Q<&VA4ML0(PH?1+*(on-W;dkQaTHm_ zHx(hIBB&3HDrqMo+ER=<`6=?i`X+lqx7~)OsG|sqAa@Y}?m^{oXAk~>V93Sj6~M4L zjtCJo@X01`!l)clqB2BHAg&@vl7wogP(|u^493CTU5}0;&ug&hut&nUa|U4Q_F71f z;dm-zs@Gl%VgoQo0-eE)99+P8A}E-Sa!!Kb23DjejNbaG{ode?ilk^M1qe+=C)QG< zm(k}fHEtv9zV^m3J;nTbkmR4m{iGB`u869$eRqQ?m@pO7ksQ)P%3X5QN}$N9d?j=i zK~eNb@*V@`n?8HL=WLv$l*XLn7>*{Oq)16_B=kwdc|J@8xhm9{o?1ubI?z&a6qshz z7_NeqB!ANHEnoXa_TPR??hZ0kOkPsh54@j`QOW(^vqNXo`+uh{9X$Vc|Nk#O91{VE z9m3qivy*cFG|Ks)v{_haAIOmj1nI~rz%kOMnpVLn{)S+xgb(EC<=MfpavHw&i2eWT zW3v90SOUh;Cy-x=H0p%U!KirsdwY3#bu#t;@ao|8zxDrLd?rVR_pKvnMy{$l!9f90 zHa2!KHa521YSyr^v9T@txYfqSrh0;3n4gVJ{*2o1VS5`J8%P!u6=q{Is-2BZ<^&s? zw>CC5nSa^X=say~9!hO&eCF8LG}bKG)xW!qjZKaCkiG#nAIblg>{&I_#>Pt?9N-t7 za`o>Ly;eSGR{4j=dk5tBY$qJXmz?>o?*gBo5d(rtI?q{fq$qQ4xoxXChdjS|-BJ&=bSFes8PH~v3HZ~oz1&B z?{3UFT|+VUteqk=%zmYvu-E20?)GbY**CG>W*a+pdQrPcb!sG)46gQ1_17}RaY<1l zedp#6{%mk<_vn+aU)|iBTqL{M`n%(zslGPf9nX?%8tSuWgY!Od-X{3@_4FQRPM#`7 ziqfU6@)~=pj()rskx^sMFK3;{Ec&>uWlXj1HU4Q*ysYjFn;EzN*&&;el{K*Sp0a7r zE)|zY1Z?)V4GBmdlC~z%$?11(x}pc_dn#{P=CaIctAAX*v*k%{OJ;nER)an7?)9_+c6I9@NiXxH8k(QQWWZ&aQ_~D}H{vSCKqr?m|I} zzN$WJU)9We)dbs&OTD)qou1S}U2Wfy;7v#W&OW3%*()D&dIbf_@yMe3+4nDAiJNn8 zQE7svrec+k$L6b{zk6TqgAC}W+HiT`t-1?lsfSJ?x-9C^J;p;d&9~Qg=ukn7e!ef(z^>F+n|CBMXG_*EXc52tywqxxtD%ReOXl`3pO|4(Gz-PsRr{A7=-7A04qiq567TDzm z%^V?aI3&mE%C*~F58kM$wINmuLoX*BJaa|ReXRH0vf0x2?VN{s4|SPwwAGxS4lS+M zKfB$9;iB-6psX6$(b7&ulP@aPzDUh`wBYKgOJP|b>!&9wJwE*1>EyfZhg;40>Ei4j zk%99L{d!|X!Sgq{b;l2~U0BrSFK=kMn`ZIB%>BqLxAE?UXyNTh+Sq+EM50pILVBFz)=SC_w&)t8}tFG+|A` z*yblszxKY>V9TD~ZJXI|)W3Js@55I|?&|p}Ge90smOAw7v-5j~tiLzCC^j?DB_^y! z+oG*mACHxYTe|%+@Mx=_e+vD^-Xl9${dCshxjP%VH+khZZRVPmv2ACbRNV4e@I3Q; zucdlPsqN%r8~Yd4pSwKwmr+B$zY{&JyxHz%b6Tc_ZVqWtZ1?`a?Q6HXe3SeVO>@W& z?q?e!um8}cyajyZ+Su)qYa@qkzSriK!=kt4zAw8?9M$h?)8X%SZoyXe${wi_ZP*H^7>@4>W#`9#pdj8xlr1=&x~sGPxpCp^1{WB zsyo|++poW!m$Y?E?lGq&na<~L`MgVem3;rS;-BqOhoxb?=l2&}e^eIdU79nt_v4xQ z4o;3|BWy#K`z^dWD0Il_@X%BL)VQ-XaarWpzl&CsJ-A%F?Vlt2y|MGk+@SGMMfK5M z?c;_o=&W12=X72@+rGc;?z!%t^&dZ+dUtMpxs$#6=!c}bjq5aeyX{D;pMQEEar&*T z^ZB21f4M5m-&W1*-Os<@`1ZQ+)f~IvHK&hED}CL}{z!7V%AxZe<>BHoPesbZm=V(9 zX#rOio(<>pQQh3Mrq`paP1{<=N%ZN+%j}1JCbeFEW_B0VpZ~~e#~ z|5X~7o7p&XhF!?QeC}PIN^IC5Nsg#LUsgPHK}O5Eo_9QN)x0H@ z`pkUy{7JnXWA;R~>^25DyQEdqDIGJ9zaQ(EQ)}S|-*F|%lT z+2~HMH%Mo6Tfa`(x+LZ0x=C*N4sVnTS8Uwf{x{LO2c#Y)4Ge#cYRX*NoKdp^WF&b zqsQmx&s(|7ed@hkr^Ca3IlN-g&_B@mt2(V&V@7V=Mv5lMyZ#tWXf>pyO} ze?E4S&&g3IBc1Bodt}!PFO8cQ+CDBQFT!?}=MSSBEw)jw{n2e>nEQk2{=O^f8HCkW6;a>&8GS`$yQuA*1E3a+zb65E>cfkSm%9P&n~Z07Ww~pHFnIp7W-=M z@Y2Ql4*jd;bl<$toX453%b6D^%nFhBn9x zc({DozO)G99du;Un!igfCiclJ+SPf0W%ky#B1)gN$l|f#NHFM73EQQfhN>N>Snd ztY!I%EqyX;XP*5=`*K8chwP#Tc>#7q&JUWi_~gAF)fNQaIW=OMt=^{bt)cx6w5=AB z_R{BLbu{j`?1C-2R>jRvr!>}doL*pmw8@$B>mRP~kH5Jr-=S>|B8YJu>*3lsZjp3x z=YoR7X>ob3ntHDfqazx}9H=&am|)=27H{6nR6hPbx!W=PRrsyb7cV7t8aL%&`O_DR z9cr(bB&*lQX&p&P%=tkJ7T?W@c-%E_=XZ*Ymu|m5R3Z))?islw^3q(L?)={P!Dp^V zbiUuR31<6hif=nU+^V64AAAeO&ai3yYjTXnqixZwTX8pc=?)Gnv-eb>`#O0?Vp6KIW`Q5tr-K5R-91$LSrEE$@aPO@EO_y%1$Evx&ht7S`KoiljEKcI@FV#>hpk-I+_5mIXMkhjl4Tb& z);hmhT=X=1;uD)Ev-)ivwf{uf=1XTo@u?>cH%%?|RlK@fH4A?VdB5{1Zu;GcZm&-l_4HdYW=YbIiVYop-4m_c>g3vNLG1-C;F@)Z z&RY4;{-yCZGx8r#IwoJycY>qXFKta;;oJ|t#hYv1>pS*j$%TT;s@RMb2L^2WreTOo zos7&|ImY&V&egfuFXg@TImJh>o-9c_w70e6%vp-OfaIum4S(FdwO#8D1rc_VM?*)~ zeqDZ{Qx;|CvIARn5xCTVoe-H&sx4$k#{G<5X3JB!2iJezguw*0~u!y`8i!>{eWI`Ivz_M%48`{Lj(z7eB`7_X^f;BHlch_yIZdY?Zj|?{ls1 zICcxR4UxCk{*sop_0SpHKY!o(LUQYV@0TaX|9F00ak<~agw@5{>%Ojkrv2EhI#JKo zrFVkQC(BFUK^?BRNGIxx&d8Kh`dv zVfV7ff;T%3y*}!E?@XVr%ZJF%M;6sj{qAbWj|08m5x45-L?80*v~Ira*}}2$!Bely zFYcwkS##iv|5oQZi_A$-a&o#~zr{Z{EtDwjVw6 zc7-FcMK@-8KblgqFKC&hsD5hQzd!hjy{Wk?KF0Q#d=U^Af{hkg}GOop! zi)S8{4tjh^yZ&t*{l|SpF~g=b8@8zUTEzQ%=hMl`v&hOn4}5-fT!zi+qeEt{?KV5* z#Oz6eJ_Pj?hB~*@)w0L2Lm#d!Z#tQ-w&gCd$u4|V zkDjf|ZSL1?ctU@uEVkXg{qYafM|;{|A3kGLjZLQqtFQdA_t!IS4N@D~dt@j4eEbw%ynW@!hM?se`KRWPgT;%W~^D()%0-?`VH-@FjZ?z1e@dGo>ieLX~N zo?f;Mc^IiaRB|@t!i)RsM)i9cn<;x3Syos7@j&FD$IJ5H<(4*cd*S=wb>p!&FD9pgRRe!}R(?*}cy9~9pl_BcN+_fPMkF00TJo38J4(yZCNzbTs2 zqIF?Hc5#Ee<*0Dy+G4wHEyjsY?YUfXw)w-dVXX@j(Bb}vZ@m0@bnPAPnl-LMAxxDDnv@k9^p?Rrj!}E*#?AOT_Y$y$HK-!B7RH8zn1ud$!=z#&)Ifxfi7upAQl~y4kEylHGVSp88Rt zA6>nB!@N`dbMJ;vEm;?|$5k49AyM3TRlK&EcePwsI5~rCb$vf%{j~3&r6r4>1pYl} z>vpo)MGf+nr^akv^?TNlTFCr^5e|i;{Lj?*DRlM7?HjVj%wAGhcoe3_owRIm_Z)nTHu%s1MSUZDylz~*YWf-;lAwjY@#St&VzS+5Kg8BNRXgU7iCX20ZN(W=c1Pct z_4H=7gSH{1liuX#ziY6jvAqW>n7B|-+VHPu^E2b>F6`00QDH>(>=6Ub79~HiJ)pXB zE;lBswDj?r!({`Ow`!2*^xP-paB7oHHDms;-L$+~{<{WO2B4i<+LhJPzG;z{=QD8O zcZCtzqaurPN(=64ZvEVAkbc3*V5O|Ib71oCk@`3N7Yyj-969;TrJT#M-l#wjlas1$ zQMa`5U(aH%KWORk>cP_`^6_u(75&+3&`t0BTMiqhcC2piaePbG-m9drPJgIOBL8*p-}(C0VSVq*S~Mu^3tB5!8LC1% zl~ymZo3(?u@Mpi(TiqOgOPRN^#>P4^e>};Gnw@nzJ5*AXQ`%vOS62JbqN_FD|CxJv zL(P{yg+U$1A3opc`j~3VVYlM%V#1I98MM+>8mt(wZg1l}=-j=_e~czdTLm7-FC06` zZrFRz@g*|7OZ^8KY84b^w1~i(mOZS!^}A(3 zGL72dlEaS8wv)z@WV=d(+okSBT7COaxZ>r+2PrL%ch{HI=QGsKrv~;O z$Co<=53g~m?nu?7!V+aHN&B@ellx}=K33Fo-HIRIL6=)mM;rNr(qG_I&{|xVb zaaV)vBVK7;nmd%WJ2g5+sMt1!tku6LXWHh}>OPJ~OCGNoc;slj-lhJcZd)@O#`~8v z(vuU@AkS&tpEhkS>ASwpaG$+l^$~TX)0VLtd+5v4YBtEroPC(4Xuf#wOFCcIs={fG8(qo;Ik zJ}We;DCbl#-nm-s=QY~oUCk4cWo94B>A&Ep-LTP$*uBDICtV!#$(H6gUl==htY}}O z;%0??vv+y9#pGpn`f+*Kq#hyd$ltq$wl8izp?jx+8%EUgKwFjF=^9aE*V_i($x};y z4XP=K$@xJMx}wo$yC-!Xb?&jlH+hER%bZbLr=+fK-0iAIt>;I74pItYa(vG;kPi7N zWPbkBGhIIVP3j)Dak^Ak_NSiH7SI{tV^(0J`w16t!Pmzwn3bx3!ap zOMl;*x=H?vU9SAMCh$LQ>T0#MKWzzWTQGR6XsGRlrxMU@zaDnVdYapZ4t{VJpZ~d0 z+;0mBW%81fGvK|Ql4m%!aghesxZ;v0Jh#;!6u?vQ8fi6ly>IgELkP`Y-5}42xSrAN z+q;|M$Cu>(GF2igcZm`&in$?_7U4Hr6!y*jwn3g#+O!S5R@eL6xBfXF5473j>@IV@ z|La-XIoLFM&VHEq<2NyB@Je0G`GD^APSw^v&7M-wBY6^l|1)JsiQR;^>rz_#+lI{R zJ8y`)XU}u@wy%$SG(W!FrT#d(T=|)azx{SPJa6BW`*z+W0bS0tDk>Yhaqrt#+g~NM z*B^Hx*HUcUR{Xkj*picvAG9i+Jw51Pev5bCD;k%(JxMA3CxBeF>xYE>-SEle+%D<+ ze?93VOdjvJbZfc3`Rg_lYQ@~y(X)PG-|WZ+c~0}Mw{Cy2xBkx0?=PmumNp9P9a8j7 zw_l{TQzw!1OtH(A=g4M!uda6R;HgmCkPet!n^w1LgJbqP-lvS{-h^&sW{WY^YraU% zX<2ur|6=FoSBI=T)#iHh3D?#}x5_G67UV)QH|%|Q+W|#6r=p5-N^!MApK3#Y*xxl- zzGbaW4=T%V-d8C|LJLKiaTfg<1ee>kBJF;?@`qSR*FB;ct(7ySaqk|`d!*hL$H~lBw zv}twgSwT_wt<5vH)D7v7F!JVk*CMZ8KYzG!eP`PZHM*VYx13}F#SeF66K@90$+Xv` zyt{bi-C^>;yN3(YnkV;L{iylq`;mHV&df#u%_i98$}dI2fxqWptGT`IqnZVGe=5$H z656%=L#C|Sunggm*74h2>d&*wmCw69LlXP=y8}ZP$nGz`x%B9SoTe>TEZPlEt-0Oz zV7080#`KYVAu8hXxSNe0zEybm$o(Gm$bZ*hu8Sh{a7_4)oAt_PWDR^gqhwW3q97&* z_5bnN+m^LU{C{W|v9)eUheP!ovg&G|dfnQV6d``}6F9k1yJUwaDNCk4p6tBv?+=I5 zOGSb0CR}Mcq1%`zu1}iFw!1{tBZZH$(T%IeM$d1OtQZou>S&onK4|OgU9YP9WM1m! zylDOF*FsWCacelUMO61FsD9^e@t!HA z9^=1Xy~nr7iD45xGRO3n%L=G z-Phe2&~irGFp_{Hy_RC@?hN{_%&Se&I*Goejc{h4^YeO6zFIn9wRfj3vh~e|55G~r za1dzu&p(pgHAImht-WH*-sStg9kHxWb}gdx?5D+GJU#^ptyG3DwnDfzn zwyO$nE*zWbTtCly`rREQ89$fk3x4d?<+fr|)UA2@<8S(s(svho57h1QqMe(^dDZOR zBJb4RTCX-{xi?N~6w>U{fpw!+7Cx_Wt0)t>v}@JApGwvReItlDuXQ`qsn@aR=juy$ zZVeySq;OF7{hYHS$2G-j4nBBW5wWukeFwQPc)(vJ)!z$h?reW{tTaKF`?Al{j*FaE z{4vexc1h7myWFPUufLnDnqIOAG`ryXrs`#NhThwnCCn;Wd#u2@R>*3VN3-*fFLZ2q z?zgVz*Eh&p9(?6a(b>!qMUL<0Jl*@_pybEj6~<<-5{Mf z?(wjTgBCO+ud-9q3RjKa)4Z#fW{pG1n>Xh+@BO)byPrCe%WOo$?ajxovzv|D-k8_r z(Ug)+9XAclO7^}HTzodeq4nzMo$ZqM0jWn4JGiuDBH{HU@>Z0%;Lty73x-}7C!al^ zp8KNVt4;+o>3)e7VQz zWd#>YazpUeHsQ60o){@Q7}k91lqH$Y2Xu$`{&w-hwW9CGhTPkKW9ndi>7o^ro1FAI zQ=@n5k{3G;>K&%;xhC80alU4Qya1bn>R-2s2mUp9ed@#y{t08A-YWJDd8K=$Z$0tK zq|8*Ei@w(Du>7<}XahlvW07>J-YM)tZB5xG|DA_Zo-IAR=kS&Mce$kx|8hT7<6ZLu zk5lb6vkykpsGZ@{sIT0?-XptZ`t>mmquaoGy~8nh!K{vBn=yqARVfCT1*yY(S(#hQq_8RmcS^u$B-p;!B>UMZ7@4GX$aQDdx z4_q402%k2ldZUX=uP0yMXMepVtw?(2F?_?&>fc;mbG`S$9#@8oCfryYG_P0RxXVMm zyE()}t;%sf-|y|r{qe3ZPPTEJnPr!Itl*oM>r>pq-ZXn6Z+XJG$)*sGH`iX_m)95X zIeAxiwc(Esa!+P7DV?r!d$Xf(j4W|*s;cxxV6$wy++&NS%l&u61-(`^w^=!EPnZ1n zh22j0E-iP<`NrqZocNHWq-Ue^%57CTm$~CUp1W{DO4bAVJI@%8>0KAp8ydSRC(Y*m zoTo?5M73#LIA(75t0BHSeP0FLfEBH66_?hO*2!Af^WvWPSVr?lH1T**GWp#Yo0p@i zcWC_DBN*>J;GlTH5PAc^}hM|VSBb8EsI;8{lI_d-P9HP zs*BpZzY!DB&8C#NF|Wa^cl(zvEf?nm|9|X#3w#_^)i`YhbQKT~K@_}hi%r^{eI!lV zE)+{uK~Vk?%tRdH4wmDhMJXqEba(Dxe<^ z%eyGbtGonTp*;S-`>?7Hv6f-}i*_rz~=bn4cx#ymH&W~RI{r}!_(TR7j?EL1PKfPML zrg+Xx!uI0UyOS6Gde3M3Z-3&8kKVBUnLQg)XaDl!KYaWn@6J!HKkS^tvoreCSmE*k z?M?As@t)5Xu07$hXD%2%^P-VG=l$%fSN$b9{MwVoGhf}Z<5;n&d-DOsDedd0UG}|` zp1$wqYYzKpPwcLlXO9SdmppXptNVRz&D{qif7~!bx_IECM{b*P*I#aUW8Qs(KUjU+ z+fTpzxtEGZ{4@Mq`?_a3UwAI|vO440Dc}FgEpMogzw_ByCpZ3h)^$sSr}jSkyEoqU zt<$-^cOLx0k?2e9mk<4Gr2R|!f_>W$zUM>trq2H5k}s~mYVT9t3u`McUHaKe>2t9_ZqzAq<_A$`Ni;m_r3D!`X8@4X6}Q%Cm*)+ zr{r7_Dp=nF6?a9x-^IUXB^BIS{__FfaoOe#!>zu1D z5uV!b{Ckf3+J`$&{@*heK6T#9?|us0`PZjfx1RT{OP@+}-yi(%3!ne`b00fFfAhD) zS6zI}1Lvy8Uvk)a`(JmsvE#HupE_D!x^3s@nl5_2`^59t$6vbtdruy@U@ki6B5tqm zEjr}4zs?LCI&bHDZ?+8{wejhZ={LM`_AlqW^!LA>e9Q2QJO8-tfzA8>uK3&QAAaJP zJs&z}ZS=Db{^;tvqurYicx2E1)2_es*>@lLug6}0b4Fs`LAkTz=RR?-{GE$lx_RrR zdq4U5<}dBI_Uw^9@!81pFV3I!%`M-L@7&}1wO8_TVaJcxJn;LuXPz^Ak?_=k=ijrU z|N4&4AG`RLd5=ZjoVhi2&4OQ_^PSM+f4%0kqnAI>x8IKczWI({$Nu?t@~vC57eDs= zAm>b>8B1pKhnMVfQ!IkSG|18gtvid2&&SUE=-;os;g$0q{PysPJAQgi?@Q-p zetG$$pT0UV`0U`;?@KN3?EKEl-}ssE@r#ZPoe)0oN8f!MUHz%|7QOVx-)>P~xbBX3 z4&M0ILvwC8^2}cx_pc{Evw9#GD?EGP-x{vJ?Kc}+t{;5nbMs$)an9dwZ|}U<_{y?5 zdq&RRBl(8~i_^m&IbqS;UthiF%V@{zOWyg$anTWD_1fE>{P+(qxbL6^i!Ofo*)5mc zyX{w-fAhQdwiUL{T5`-$e_H*E1=|-KaL@m4Ip&%0MGu|$^3i+U7~A8C-|cr|_ha8S zuDZ2v>ox0J9(>}~*6pYNu;`m@~JxxKWoXF z#?;v#dhn5_Mn1OX*=z0uJXIf7yK%?2r}dxS zcGqpoU-*mi*&X-(`)!*)dEjZ6KGb~G<{y9V zovRQ3=vV&V_fJ2fXYWhjdE(5|M-JUM?Y!5&_2CV-8FQb0^2Jx%zxd)04mwTWcw$#u z|4ie*hyF43`xn2q?-d{2vS9nSE<0k+Q@^}({8Zi`vy1N_FoU9dG8+l(F-nW{@!6<|JFg9Pu?@K zXXehs|8jZ!E3Z#~^|Zqq-dOO7p?LV-g;SPZ`PJkfzBK>q!ymeF$Fv88uRS|o-cy;j zX6xIJKYg=u?!JY8wT^6=^|4Rp|F)?AlB3W2E_cIUdM~+l)1K$;RByTCiQ6t+^TYR& zk3aC9xa~J*%{g$-$oa_^pL_8#IREGmZy)^Kk%KSaamchaN1pVxokwhLY5eu3pLcKg z#q^EIw{HFZEzNgrozpyY;H$@__WjeLL-PH?dAFW+?ZUr*`iG&}t#=-N?vfji-+aK? zspDVy>(4HH{K1=rfqicpIsed$ru}X6ufDqD>5pw4_*eDTbi z_jq>6x%=L}>GWw=FL*Nl#{KsV{pOgtO+R^O=U*&*8~IqJu6uRi6`pGx=afA*Un zNzI%(bL!$h{rqctTz>BvFP?sX>iN~vmfnPJTM`MK5Z=FV@`=lGHwf{a^IkplQ1sf) z*B_aB)YPN4Y6o7^_s#D;f9-{je&GxGUp6iL`wPu)9jd&vCVSe~&Um)#S65y9=w)4B z{afP5J2srL;k2!A^SN98_IQ`D`R~{4oH={l1&>{K>b!Vxo5|MKhFEzxx(oOZr*qA%<-38b+J5UhqUq*bn5^7{+nw*`O|N$ zzjFVE)Y)^+y5pOL<@YSV_i}jWQ&Se-arpfoT5`>TpFA2m>cfw}`0{>J_PgkjzinN4 z%Z-0d9eCeAesE)9IP%0>&s}_;u-|Pv?>uxqveT@emH#I zaZ{FFc}65!_`81Lw>Mn)_O$E2edno5^J~wY_Tu1h{zI+D4?X_#hhEEnIX`XD>4{fQ zx$6fHPF6KHsXyM-bPkeVI^R{~Ei$DLLP3YaB&u@GF#B0U7);6DZ z>a|ne{llg2HJ|X@$h_^Tj%QBW@Q?i(&j0eyu6(fhh%=PtqrY;>0gqgI?>7$q@zj%^ zeYtPh$hO}<{nsmgmioBV9XcVr&viGRbkt9O_WG^AI&90#?HgxYJoAim9)CdH_mjsB z-f{T3XB~CSo{{sruK3mCEr;FzuNh~*v(NQsZM$yvH{QEu>Ph=EX7F>Js*RQ;%efFleUijIs zzI4{MLr3PFv#jZy=u3A$o4qMAXX(4&c$B|==+470SoZUMj_rHl-FQFaGAqJtH0GY`yV{sXsFQefX=d|K_?U3m8i=tV+xn_~#wp z-}2uJGTf4L|MJCmVjK2e+&}X0GZ#!9obv1!-;=NS;VZx1GVOr#*MIl)Bfc@^rIDqt zpYZY(zx&1@|I3fe`}o~=9RAH;UJ<%!{mZcxmwxoXrLTPIx&NDTZ}`M3PCw!spF8K& zhcD~D=%Ing*}s}LZ`!>7ch6~`S@y}*XB=~S-}%X>rrlb&`ie`pbpE7c%F-EMOujYr z&#g1h_|=_T|J9Id34MRy?pGz+L!khp2^zgwyo*lm6tf?0+x!{H8Uc5{>`>;KK{qY+g zIHULU6Q4s*U!|p*@4IQ=wg1(({+dT$S@W+ql=BwE_dmP+vsZ?fUpLa3xZ%O=iND2D zpW5>L=BcT@E`DUw(W_IuK>mNVkkG<=Wv+izgNS%E* zdLeSqv$q^^m+ z_PTkG9m%8SZF%U{*6n*R=j2O&cIAUDM||^{?DwQ!oOz=Dp*vsOYi9Rje=K6yUojLQ8Gmg|QJMM|r{SF>loZfF$$LBx0XJr3JjyUJI z1sBdeAad_{-+$;t?wS2s|E8V$#m%4G1D*cF;P6X}xYHkcegD55a{WiPT>rQJ1+QLt z`?PtdY5#ZYop-%`@{Nz*`S8O(OIIo^-+9{o!^@{Udi9<+9Ced$>c^H`{#wg% z+)?LsU-G3*Z}ngBUSi3c$=e@(`bX0q-umlbY-PA}U5Upp{mMmaPq{Pk zX_WoU@W*zX|AXeHPd}7A_Qa0Kr=#P_^H1D1<*Yr7?K>hRx&0dwX=Q+6E51@AWx*?6JoYM&}8J$Qv+8V_NOe6i>|O5(%y; zzA8RH+1!$BYMC96C*$!iJa@}?Tov-FC}oPJ6%q+r;rK%Mr9Jl8V~?)R6&=?tO#Roc zzRWWD)cknvf3cJ&d8imDDyu?&J^HA0|FgNJ)qDT5rFAm@&xAZ8)Sx0lMUWs$hBy)l zFX_0q83I7J5)mh@=tOp6PL2kGi6TSQ`7DfPRW&O^UXu`sd=dg?c!MOE8;wU3AyLXg zWF!H~@l7qQNl_5_44luW=O+Xq6NfGH<~75nbc-m?PxFapIIk%&Kb~%ZiB{MuLf9%c z&(Da7Rz5x_(bO!!c_AxFN)j~1o8nx&iECadIU$dG{R8030ZP^|0ApthB$Xpg!|UwMi~}~gRwv}~ ztbZE!fs=VX3ny&-w6_Ox4Cu{|#&r80Q67kYn^XQ8W`~bgFvukb4Biu_iZ2jJd3zOf9DnfI_ zcJQwxXx@#WcpuEaWBuo$C>8ScVgMD_f4oHhZ*888|1u#@z1IJn(lyXjaplY_t<+j> z;mq+YoYu0-ziIaY;(amyj`ff7yev0q&}rg<53kcG_h;A_0j=b-_0 zlCz^*hCG51lHdavIo@ytfL2*@E)tK|TRFlq&`L@cI4#W)EBrdkl7VRbEFB7=Ioxr3 zLD#X|uu}WI6hd zw1g?Z8fp?ayP`d<)TlZm7g;(ROjLl^b-oDHObI1K88+xI8jU?oRGPSd3U-hiAr*D({?=>%SjZt;t9bZde` zX2Q@55KkIOPCx={%ThlLyAL7O+H@XBN=DW5EGLIzX5O4W9dsGMDCi0T3)^~^kcGLT zZFv_EVY-mbl3ZvC$V-YO!n6Yy)=FHw0)ONk9_IkcHN3 z=w?8BEdR*NSbWT(GMZ_!fdTUxCQi^mc%G@IkvY^M;f`c38}UM$PX08L7A8GC;x?=7 zjW%Y!b~T9G>{2Adp&L5cApT6lymv!AFOlrDC~0Mb%|W0JDo{7GrkE)fSY-G--al)q zq>x$fDJX4dHG+CFgBI&*LBrjbHXicEX=ZHF+?o6F9DlB3QvqW-$k3r7SlNNgv6{Lw zn|iVvwglZQhmOzeX%y^c^bBYGS&jv93EQc}cqq?sQ8)&&pyMqeNhh)qb7;g~u{Vs^ zEQ$qjn*WL>pyFkcfXaXX2{|YhWT-~~jAo-CjAe6wI9eiM0};ZDm`w4ejbocP2afUu z*^o3Da#lZ71W&g+#z0cm(5;H4kd1j_OvI2^aHB!`_raET&9XI~1c`V&5pv;@ys<}2 zv)i-@0_GNDAF%zNrNrTQ+H@?$Ua+oQqozEa5X%ad!;?%jP4xgbO31)`*UZJknv7zJ zW?0GOiMk0y3E@U*jvc;WsCkmV-cyw>C`na_#HJhSP{^^H_Z?n=AP|@8!+&C}!wQ&B z-kLu#Nz42I?4b=JYQlxuplL%T1LRc^CV{F%fSSofNTwJA_VJn~7p-43 zkusLJvMTVhkEY>cDIqg9KiV2&X-GLbKinWMM{`DAp1yc>JGZuN8Mmx+P3JN^Y8P=@TPVB|=WAH4k_QaHyCKo?G& zHWf+|D_3b%gSw0fpkz^cGKooPBOhG1w zF#-psEt3m4#|1RZ_9Y??9IX&;0P@8?$2+#vtgQgyIE0c)7F#Xm8CL?qp3b(8<(<*I zI33Xi!5KNo>8fgQCPiY6ilj8;^n&8Z|A2Xd+jQg|utn3mZn%W!`edmH8Y)X7?BE+% zAmPI1D=MOr<`?{FIpGV=G=$_EO|wT*W=aY&ATMGf#yycPlmSUs6=D?~;B^TzjL>vE zz2+bnNiuXQtt=-qZ`%^b0k4$1DOrx^%x=nJw1X8Y!6?Z|CraZ%t9T6V5p+m;68LR? z@hGVN&6Fu~lOh>n8t{4+jnnv?IO-z3wdq-ubd7}vG(oeSbKcD6=)fb%WY3cnDR?tA zVZ&X^%NVQPX?11Ia{|M}geR?@y(OWmL6ig|!WNmp=b_wA>`GV%!;KAvQI6N4xUi7P zKplmXAlwpZ`FL*>$tlT}`XqMgbeajKDnI%ni~g>Y<G*BY>cSB#dyUDY4NrK0FD7s@@NHStX`J z$AEyU2aM1=bf(L>gtABc7MPYx>Dts14HdwRP$;m(&t8IKFUYRh`sLO=O*;<|&4nW= zSZ`DnktKOmMUoVgV9$VhULuBztj-INm=LS7RS2pgK+Qlgj4aHSQA|_me`3?kRwY&8 z)C}H^BTAEw4~ubs-B6cQv6qf637X?xW^C?}-HVjHP11c-w~8>oa27X;8r~e^f0E|j zs;isqs|E8{60A@aNDgXrBMDmOG&hCZCk|wjsEV*#)eW|lH}$AxDlabNWnK~RrcDvS z3bUMZ2&hWqyM;_v8F30UFk&SoYrcz3$1QSrJb1vi)!iInl8wHbWm4spBH%@O4FWTN zyicWRvcX_Z5^^BV7isQFaxq6_V_lVl3|0vNi2ov1KB8oq=Hm!JYJ}hdZshZt3`t6L zRt>KpdLjo@1w?z85nI(kl=yhy{i!_`ayDik1$a^G#3rU!Nnx4ZRRt4j9kFY+Omqw` z%?4njS#}JotJ_329xSj&OZ^+@r^<#tlCG3GR<_t!Xsz^$fwS~nc zHTICi+Dsj6#MH;SQ3|pg0g77E6)}qgi9i8x=?D;Vs*0#F&uYu=73xs{8nRjwrt`M7 zy%Eck2v8LVfW=EYBlr{eJXongrPttvesYrI$wcY3m0|_KwzN|>C(#G}nDeyDyp(5F zZ3ptZ*R)$Ud(%{JwU~w(Rfp!OjF}BOtriq<%v^v7wJMkZqe|2KLBKGV74BZ+Szct% zD9ITT9t+v;5#!ik4k~Q#CrWsOXC1P754;&i4guOsH*e&8_xFx*phDWxtjuFAHY7u( z%>YBS#v)7{!|)vMhq*9jp=8xBS4GqP zlmk7G7uV{N0aq$y*&}HaOoDlfB_EE9$+Mt|ya9U+oi|{%=yAORy#{Y!fG}Go&JG5m z22SMsRBGj@PFKK6nXby@`~tD&5Hw=b>7Y17M<4^y0uDmxczYKx1KOL2mVBPuVZMkj`YaabVjIic_ zs%y-z8QMZAnfBr}<)Kot&L)X;l1NSRs1J=g+bT<ym?Yxq%+{kt++Knj9De zHLn%ODLzw^$-%Mf5{3H$g?SI6sik$f6teC>G_}O@p%7EynXdzdx|3*8);TH`)+?OF z>>C@Fto59y+ESm@$g3ihv79FdpHZ+DYZ^?GBvm40CxRyxQPTug4+K@m3IlD8*%Jws zIF1(?08EgZ##p?yb15wd$VBC%{zlWM165(8z^Y=zS(dboo70HV!%Tk;GP;^4yFm&( zZKlCHSRg{IhnZ)Iy3uGMiI`$LH`4u)nXlbNCG_w^)mVqB4rFNnDi|3k) zJX8yY^|B=dK!%s(f(}>Zbck}QEG9uK(do!EJKiQjA#2374X0&%M&p{$Jj9zz1mH$Y z3gloo#NPRPNjPppQI6)Y(fAo++?$s21w9(TrG@|5%w)YO*i5BiFtEr z0q-u|8pm=~kuXnpr~NmF4;+>f7qd1!F^FeV669$sbTQ&@#A+~rS4DH2xmp1_?p1U) z@Z6x$d#sr|63&_k%XcjvZFTv}#!DQ)JU*wBZeS&DV7?wwbr^N2kCeH$^Ybe6AxE!s zR2{}NN|s4_9zCZApoHg^vbi#h&Y#u!GrJ&m7r^iUC}qI!m$8wx|P;*d+Au>&!$^g;mcFp~diuZp^I}(bmSh=dRH)?D&YVD)K{m;3j_kR-2iOKsv z6Y|WO#cuataiQ@B(Siqal1z`b2t8o^HVxSw9$76y5zLwu3OUb>c?H*}S~3*DfW%WJ zd1%P?oew)aEbzxLh=P$3pi+^PQL+AtJLy=_OU;u+CB_=Cq|oD5W_Ty|M-bSy=`c^* zj}8r4md)r2Q|{ppXh4Xv7Nhj&om%H<Iv&O<{(9FQ^~x`y6`bNKU_(W=16NDX5m zEWP%D(M^nJTu>pMuTnvl9nDzBl$h^_gGOYYY|;^hu`FYFrAiFwUfH{9aZhJ&Uw2z? z@7k3;9SdeOU~wiGGU{F*~rM87)~T) z>P02?4rcyWxE2_3o_G0VQJ&@GOJ&z2Veo3fK<52X)`H8sqGZ9MWXR;m zme)wwJlPLhcw}43C^?kIBXRJy6)QVB`?|V49F3Syt6Z*bJ|!72kJiQ4N0GrB1r+5) zQOA;yykkE`!i^Gb~)}ngvbCiChD7(UjB2p)6fl_YCrU5g2?w z1U$&VL6Db}f&r1gKT20ObBwYsH%F~7GHZE5pmsk>P-GD&!AzI@9T2J{mcc5gf2M1V z^mg{F>1y{`CRKM_EfeSLQbR*nr0C?DVuPfJa3e6+l+$Pwl@#0-0`W#NlTrL1Hk;uQ zbEQ>H$fKoW8$~85SE28|uSnc7_Eq4U=KNzgxQwa~^14_Z5ugDfRwW@+MqaWC{C<8y z=04FhHyV$|qlx#s4&tT&Qz5Y_z_el71VB{HsBPzD`bmTPyTNC{Ffdehvw0ZkFbg*> zk`xhyIsK%Q#Mv{3S%~j&BT-yJYukEObgfuyIR%ibxFR&5U_cQxIH30qflYns2u4O4 zBS2#pu&wA664|mMLsyloTm(AAngjJCHdMe5sFHcpN4H0UfTRE(Xu2vE=zR-^IVT#L zEh!n*vg?VefTGUuLH0fDSWX?}3^hi4f{CvY$9my#FPx*KYkqdk{=WwMPhSqo8q`tL z&}s_>Q{Mj5G&d2S>#_edHN~4J?LQOo3=PF*fdMI>BWa*)SLF7f28G7*n6V|G36Mih zcq2bpWdaLSg)yuIm_KF^u#yX^pA^S9Eg?c%amjystgg2;4^Y!3#mIp05r{hig*~m& zerq9<;JY;veK14M7X`Nw3A#v1hs5}dem8rIZ1vOyC?E!@;xZ$x7k+Z$g(hVh+ z9%vMFYEtAiO;)s6ue+7613J8jTtrc2|ShmVzmJ|#JvJ~gipnsci z43n$-cq0>@9R}gPDoHPhPB4`~y)?WR2DB^y%=l}qQQZ-c46jqK+RUP#Im(-gbWjaT z(YESf?Yg9(N9ngX=MpIAK~pr50H~l5Llj*YmY*XD%)xxsu?lV-k6K|Li1Kaug##q0 z8jOU}1p~0g=M!3JiYDSfR3TDk8fIreG9mz}U=WfkQ{)CpUXy9aQNmuO3`gi%RJ_D(LDIL^_%#Re@bg!$mkJv!;431o;{OTt&ToRBF*#N9Pr>P1bV!ib5VF;-kW*D^5u@n01Qr z8nNuCS{s`EDhA=%Z+yO(4lFosxHgYp%i`BQqpgv09k!>MDA%eN2zwbjS6MVvLvvN( z#5q+p;>S@H54vW0Bb6#*#yh~#F*a2<$}=_9snV1Mn;CS;z1ONhc2=keu4yjTT%~IO z)pSj?!rGJr+bmS`if~v_Yg!Rjy~@1YRWx|Ll(tyS9)szQw!%oxV(oa2?5>+;M`SFE z$CCJsRqL1mHEYs3gWIU6hXz%h)J!Ke(_OBa`fu_~Fa0Vvd#rfH1!-Al!j^-&Jt3|} zYFeA#nt?0Q>YfHt4eEPxVNNd0UAHh7dwn9Q$6WVS^lW=52sZbcLDXPKpw8iF>odX zWsD8fh%YZ+styyZuNkGo4$>xBx|1%VL0WR0wL{#kDxV)X?hA%@sTxK!qI&3Iq@i)r z#L8%44n*RTrO9BJjW7$VscxrS9~z=gTSK-_kW+A}y5}&)ag{Pa_x39hw1L)Yhsw8N zMR?q81P{3OwyFfJGRD1%>Lm7e7505uxaaz+c`u-X+1PoBw4K(Ve2@df=5qHHG`7t# z$}YfY***!;6a&=z)32KIg4HlMrJx!PH_yr)IjiKH?xs~aep;kE_VJFgb9+Kv4#$<< zP3e%=0WJe#s%H4+w90F-s3pju2-a7(C2@*WcTBvp+d)TQuiaR3mXUW{S<{0P{t~MI zUNrC&;{Q;lTBEC;cjH+aPVl7gN#SrwUp7Hk+m6q+yDT&&)s!`aIF0{yfWY8}%OWeN zg;I=-4sYeLS1S%{gx87AKopm=3e}40F(Y~6$+Bv=$|9}|=Ob?DHY3XMj$q3sCy$0! zBNF)}KsFefOokf<4J3#*2oKPo78JaZiyCUw$U*uFgjrCHFy7~kjFjcDcJrReH;NkU zLKua*q-4V&N`dfThHSLxmniEMco(rxl?GO47#Qk_d|qz!uU)E{)Zzf>2%A{J=;$a| zo%7#OiD+U@O+I-RRe~_DX{O^}Q#r3mt7Lhf$X)HmKKYFDsp0+ywPWRZt=43~72V%J^x8-hSdM|@FXSteiRPRyT7>AltRq4kw@Y$y0;;_Z(<( zRqF#4b|A~2q9GAia6abbjY*w&vcV_DH2yoxy)5dWW-~Pw09}GE8 zLitpjA;#a!3L8rb&?d{yC>^kw4XO$u9j%Y#ofJ?L@YKNn-6!YOv;T_xf6m-^3IA`7 zPxAkXc&gz4!O84mv!X*N7eS}U`2W%DrV)pDaJf8qq=LU=$hdCnoE{~+vot6t2g=SA zogpF}(vrgK#STlZFgC97MlJ$oq>Bbb4n96KL_#gn?_gwv3~`3pJv7*dVUTW}0~NtL z*iw#OS)f%zaw9bfI?gTW+!+IDJJbqHPCv^u^8u4eHSmAtEWn`wp*9O(MgHI7<^N4{ z=eA7p|A}}!r);J}h$F16FGFUGY4q%vb+kKkVo!1e2M6&W)4U?*Oz!Bm%peU4cFrt^ zO~>1W8I%pU!n?v#%2#klGHeVi?9R(T`|;#zC^tC2>JFAkb9h>b&?vdsbbue4DPn$N z-dy&=;PostNa9RKQ8UL;?L-qy1!e(N#-k#UMm~uA-uu+R|J|`nYLEaG&wu8$c=&%a z773I5e*zv4|Mv}0jOm}UeOJ6;mt+WBe}PeL$eJ9j{Meo4hRN(TRqS;!vOI4Hxn&Np zY6Gn5v9jQ)X8x5nSyl&uq>#j-&YV^Uv1v9kNz!(+2B zEn`p-$*He(R-kzf0IDConflqbp4iEtD^GoCZI6Ye+F`h|P1}_{NvJCiD4-qJs4RN* zu`ZHW5vIY13(VS6a>g=_rpXWHx%%$%)FS`w8)_UeI#z26Dlh+=<}|gmdgT9{Iq}K! z{|R}jGcHtf(i3!nF=`(l^|B(pzQ&?zlZg`A3-8Xtx5OQZfE1PelXDLGYfpQf12vvD|x6+bmv zH}NBT&WdV1C908VYd%t{Nptk#D}WR=RrJ*vZOWTh9ZhSh*ybf`g2alX?d^bQU5vba z)HfvLpjeQh?(_-4dYa=kBDC)QyP}bG4R$v6_cVwQAJC^vx_?4`ne?e z)ODk(IxUxRnoLGgB*PJo)O-`%wN+>I-5RP4buT42UIusWtT~$g4XEcOg*32O=LOge zbx9R_p`a?Fb1dbGxtL*<4OYYp6biaz6x(U|0&h}!%vD_lY%Y{Ri*>c2xd!EJjg_fo zIDYm+=V+YYE$L!qo2s<$Z!BkotT;-isiQPzmDlLu49`&l2&UwAE1jeB9GwaX;&U$K z@~X&T>ESrOCrdw=n+Jwx_c#t%9E5sOxH(g~fLttNxXrG7rcsATE$9M7?mn&8Ng7GR zz0mAR!$4sxEYaj{p=4(8V`bw9j)w!Ww4}sP&hwTNJTHblt`YfuQPNqsD!-}BV|wYP z{_HW&+>p`WNdt4^@zFMrkrc6-x`4}LENMm#!~vJ*H`2cofKyZha5V8*6e+xha;gz_ zy_QvE%+9Cu6v}Xjnp8+onQ@GQO}w9( zLalOcl;l_?@%auBDg*w6xUg&0inirleI1<(S1Hsoy~sSzKsdw82zrC# zi7;Kr2Kj-R{h67ok6+feX63Tg%RBozx_bQk4Og)Y!j(GdUfHv%Z^i263p>m7Qo%#e z-AS2-*aI`AUn|)FoH+!1ygl*L4~xl4PCKKb$@XQddslV# z^tE+&_pNAK9xy2ZHW^;C{&w$y13FvYM*3Q^vUgP(CRdAy3+|*M%L($aVhm?|7DJsE zz!-^sHz4%tiQD6!>;%|u&#Std>Q;AcZt9?v5@cxrS}}wDwGCGh_ekMJ+stGS&S#ec z0(UyVZ@1$ZXqEAby$#}#?FK=N{eTXNVpNLVq4$UGbbU>Le`k8^;bmmjq+n^R` zQF1q>`P-A|W6)FN%B{EydYeH7L4XLY%IOg0R9P(3khiF}sSGd41szt?l(%T@n+bPB zaR1fqE;DhEPBEz@Xm#A13(g{_bNl#d-G85`EnYfNQ z;2I|MeGw3}LMYHGP&ZnPje_*)F%#Tq==>VTs`jhpdq7oMGuU9}GbYMO989Eo22vgK zpj^Str0fmAC^iW`Xx)v7uRQ)r=uR-}xe-`?e^rteZfy7)FSb<^%Ni9T0&~4pi4f=I zg$g1nKs>>`W)wRlJqd=Y=`e61L@_zaJh=s?owA}SyHmANs%N_3bGsmK0Xjt=m?aBwadJeUuAk8nqI(OFC0)h zO(p&#&W=hvqv+#uB5`82LUcp3AdPWo#>Mi@P*8FX?Rw$#M*)B*%II=c^fGdHx+NE2 zb`|&FsE4ng-OGn;?K2$L4(OBuL|(;|C8`M4v!qSFK0^T;a(9NEprlZf-ofMWjL!eJ zp7Fn$TU%PZ@&B6>iRMZF--&o8#IrZ3VH#%X19Tg_MEo!a$LiV3nt4CE_9ou%n#Zp9 zDQ3~cCY_3_bt-m*U-MfAb#N=TTblGM_TXf6j>UeJN8@5^a=Myai@lY`(D7)Ti+!q2 zdKZHaq<3-UVNSXizb`!rC*6xD-HRvPiznTS%XtJ$x))dHUR;0A-wE+y_L`urVReyY z0Bx9?Rr0RuTG6$tV_{!g&*I)doR{sOHh1F+Lte|v9g<${px3r73&dubVY5!gG;o@3 zp_Jr(XC4o?x4oyUdsQ#-gRaVjHMoabMrfXn);P*?K9|XWE=Du`??Z?9>f#5K!)3KD z^mLas=|ey1L+^O%OW!i|+M*n8rN_9ZESICm6lod9O| ztE9cKK=&tMFr%?HzcVm-RfBz*ysF_Kk;$tXlUFq+uWC$Q)%Xv(sxgi!RBg9g-_JoB zi%>v@n)jwZbv{m4_%Z_>wNZr)kRC?YFiei>f}ncK8pt<}rD_Xxy(CP2RGp z=PeuNZ!wx{Hi1>E-0yftQkpK+iz0W>YEb!%&1|#Evo@cY(IrQ2e*4V;NXF|7EU10o zv#{z;!f>e><{kzl7Z6`{Nrxf`cPT*CMW_Qq1r!2v9zano00lx3e?l4*q)ZX;z-p$! z-!M+Tsk#MDR#wxz9Cd9qyyY9iqqj43w5@9E>s`6Jr@gapbx&8ItwGZz#mIoLwHrzv zA;ykC#~>u{`BbQ_i;O zJ4okld;E+oIm6Hvdv6f}piwd5ed`nXpFWkgMJC6oRUr zo80v~`U$3?dTy};+8iqt)o;rk&|+Qa=s!MMLK!o;AAy$G$Q`-SePFiHJPJ3e(#lo2 zQ&oKneRtUC_$cs`H@e@iH@bJnumu4?EV zH~HNEPfXtbpNOYiy53PIba&nq-)-;moBWJkWN()XSU7iehp^OQe<#5TRe>Sbt}f8& zNvqAr$>8-YH0Y+!)t37|4%eGPxAi>dB%ma|A#VlO$H4nXKw^EKJd)lF}A8ZFV{&g zG2HasPT#HqS-qAp5Z4Z4ww6=@1J;(0R2kD-|qZFo-vb0o|vY=wS zn&H0Bo{I86nuBs)$||Z3N83jQ`5%ubnmzKLe4dp56YxZ{k`Y?Dc134T@2(!o!mHD*)!T9FHUfR0R-U5G17~Su%=5*-{mN3|YvvBVfWVvM5xJXk)S|TaFa_5X{amEfQUAkjK%t` zS5ZlAG?hb8K$4OLMh=2?OQ4*$M}T3BqFf`;c%h%qnt0Zuq0mA)5(*3g0Ta>~%ptqDuZF7>bfLC1X4bg8{hwcu4dPJ`~fvD{{#SPRes+B zYC7Ukf6bJ;KVlbBGr%mw+(5B*Qb3SsJ`P-%KElX_3{MBuAYz{fNd+p-H#qMJFvGi{IfLtO~g+3`34>Ns}yPU$e{u|JYU>OZ5- zlY6Zmb6P(@z4-|I+w_VTOR%t&ikT1Anefh$*LA*b5@#5s)~!#022q8Gco_4dNbgw# zt$=rubkvwtP|XmEKvPB3SOTci12hL)SIhNE zs)E^{V~tLjwm<=;+wrKR)()-Zzg`vup{tbRjpt)BqtUTl2cRT+d1XA=fJzxaBc9W}EkHT7Ad4Uk0fM93G*$wX zL|q>p-z9)zX0nor`ijjAgIobfVV|~A%Pc^&frdc|le`W! zNbLeHJ5`BpQ3vs2j;JbNoq*zsqXTj@LmfMyLCI5mCF?NgQY6E^3Cyk+ahhG7Eu1=w z*E-12U_gB&YxRKES-d*rXkJnz5vFSaw=AH(lC^q3>nvV}K?)f^mw@vG$k)s^7#xVRE zhFV`h3xqz)_E%zIn3#tRw6Ed_{cC#x)x5^A(*A-?DdYN>fL0u#e{C_fqCa z$*;eXBZ-NTF^++b0$LBCB_}O@{RN-BjO#ND`gC3q)jUYV$w59ZkOd@bIbJE`p)Lt* zx7+7e+YM;RX{cX+e&?eT@YI!bS-z|C#xW0|K$LWlQDt$Q>30~Ue8P;SKm)=&g9hi| z5%3LL+~@_=&OTR0Gjae*gWmuWh6eC@wvZ>@D&qxc{btmeuP&fT7ob?q6Tv~YY&x$X zp1CZkb+>8P6;M~etf14ho`PaXc?f7>hu6@U;HW&*dIIWH;^B>Q1l13f016sJm6+)TqCEmfK)%MZ zJQM@!A8aphM(sdmmS3FHRm~O8kAzPH4OGWn>F43#K`>G4eK6lh9U3Wfl@NgVFW$0i znC9bX(8Mzp&?l;15PEz8HCw0vakYajGoxcW2zEwDtJKmk=#U6!<@F+_UM68!*tSs) zqpG3S3(zX`T;S(WMFNm-ghGM&nMTnmGNC{k%CBxHs2iYF=()5%D^;p#?Nl#K?O;MG=TAt zQT06KN(>1lw+;f)t?Hx3lLI#dQ0HCTD$Yk8-q_{^aB_=xoS$KkvaSh_(%k9tYpdL! z*F|oEo?(z`nbX`fO4@Y+YF-|$V8Hg7QR~|AI6ie)qdw6E%B|5hM-T#!frzyfAslLy zia~J4LnEVv(hI0Nsz4yu^#mV~GA4XoRJ0UB3tS^qd{>9JV*O&qNqc}SS+tY zz%!%uU=At(4G0)kC#dxTblv(f)FyxmIVcunsQX)Tz5SWyPE4Nt^ANDAg9g>endWG= zDXX8)ZaubXrQu+!I5u?DVwaS<*R+osj4Fl-Qifg_t(H{^s57js{}D*Ht`0~dBv(02 z8+NMOFGg^xo?NNUGin*mg12cTsh6SBgKi25ferBEEna-BfK}G^0?M+Jl~n-?X#oT) z`_xg=Nj#3CxmFpd7Wm@;^Dsz-!=q;5rGQp)!yYC}v6s1Dw_EPl4r$7uuJco8(se{k z4zdDbK-)+$fXht`nAE4f2lC=tT{7TGMS$yTcBt}3Vy@(`>zL6V8t!=_fE@;@d5fj` z&1fYxuv7&k*0FJwEUe?yQ0<=AR&5L@i*JuL^IjJ9ryMg{f$5dT5hH+VDi#+=$|~eK zdV|dpS!|#BC=K-kl+R@F2DidBiDA&j%1tn^^#jyUWvEx$yntb_$|^UZpt1`-qpj_n z(JD4+xWDB*iC5qZ8E2@(!QD`)>zu(GFjJ5btS7+rn^8JFm6du1D4WfRfRS}vFF-X_ zY^%KWu3|$pyUR;MtGN@J)C?bZ{}DinrVHHP}} z-MRrUl{a>us^l3$WXnR@d+P0L_ofU?Q2} z39M#25M*&P^nPjGo;uh8tvqMdv@#6ZyI04S!@Q~&tqf^aRqhQlK%Y>izUa zcV$Q!?XGav8Vdx~4z&)!HC%ua?~Bfj2GkYahg60^hpNmpi0G7b2n1QeJ5Zwg5(Xux zib4aQ)>od^VMg7wD=Cs8@p1>0`J#_{Gz`cWkcJsmhZfxejS#Mc0IhG-mu^YN&G9kR zE(KI8rvc*rmZ*b3%@|N25mTU^QT04k2nnp?^$deVeE~J3JX8xt5TwIkZ4N39z;Jm4 z)WUe{M#G?GEVWAk&G3?3(BZ0_4pB~(y=H} z2z4lua!>?(#(+A=@dHFW6$Al75sKvjvQW7q0U zK&!eM@?CwR)kzX_LbYbvc5^>ozb#B1w%*iTcm!a#fKGRS)1!G}w=klZb(yDQ1RhUP$hBwLyJ99Z6&~sPp*!=m4!VJ2C;~ zEh2RuwYiAbJXUigOd*%+km`k)7zEQ0h!PUi0U~SCMJEob0d&kxIR1c=;N2Q8K+o-$ zl^O%nDgYz}4CW*u7d*9Nf5wk=CB=aHfY)?140;I@0Osc?=*pNTSb8_YF;8Y-0_3iP zmoAz5_XVJIaI2{9n<@d6DaEzG$*PP7%(?n zcIN|_06_iO?k?oIbz7rVox^+(xNcSFFdqc2Th%$t2Z8HWbq=#Tb6w(s-Kh*z#n6U9 zn^I(PSfMf?=_`339;y45i&<~3X z$P}!LSbwfhS`>^HnMu3bo0^Z4a{pxflUFII(T{GMbQtn9t4Ngvbs?C2DpGg%(l- z&_fqmpKd0)_Cftz>kig^F!An^}Y~Ye2$OVzC zw-hBN&c->Rs}x;RgE^=}B7!hgW+c4+)x0~;ye>hK8VF0KpfM4+^BS*9$QE2W%ob!` zH-|v`je6FAgi6v4ITwbi;F;ol^7th2;=+>};($+5pd=tRtarW(Td9mlVYzdeHDeF$lnXjTBT;5VAa}G< zT7n+UNs0p*);JMUhIk^9B+*V`XG@PTyvFz<5#$t99?uIZXqe21 z@m?q(L(NN@=nM_!R2lk&>&D87DAF0HHJDnWf-vbe<{4VpB9K8<@5gws;<7POM_DjC z@^@rlvj%T+Qitpz!r!oJk*Q>t7RZ22e0!pbLcLVE^3Hi+v~mX_IwmwQI=ihylkJHp z2}Xof6!<)p+j#^d07kP>Fcd~PUWeks0v66FoCM*PczpT7@JKWi>QaE|T)_~5AW(_7 z0kTI=rxO}9gdx53;SKnVwKs-GzaZ=q!uo=!DiEZLW(pz-WKh(52MMoG4W^uu^+fM< znORJ6BgP<>oNz!=i4zMMKU>8lyOo{vh;DRcmB$KHMrS03fFro3Q#htP6qgExx-tYY zBDvu*$kS~J(}Er3T{bX1p)qnR&7=$g>LhHmO$ZMBn~TDVdY__$VPm(~2YwqBW98OG zXjM){kkzbpWr(7rWMdfhgIK|0Q|Ox_!o`@VveYL^dWsE28elU@t`ed8O;GS6tc8rJ zIiYr94#;d!3oU!-n2~W8HN;{T%7cs!QI2j<6amsL<~mc?wh7OcCt1nBA_dD5QpQe4=u&{Hi=`p{S$*Q|QUv(|GU&7m^hzeN zL)kk>Gn-I~k~teQR1CeSsgh!FG(>t-OaY|QCfW8BZ!`;e(~e_JNo7{;fzw6JuA~kw zUW_^MxbRgA$t;N*?Y#mu1_hNLGiwEu3F-mEst^Pp6@(mNH98cbg6rcwke$2DM{o2E z(r<&otSl@hG+Bf+Yc8)tkcy&QDuVwx#mrY2rHLg{Y;i58IxcO65}c}8#uY*pOp7jY zip7e-I$O84mz>LgmBsA0YAYfkThKrP&d*QGo7-sKHpVSuje}_+66p&HWP3=b$!-Tj zC#bSaKNDu@SULUkkmGNy<^ML>+_!#6np}v&sp=OPa_cR3J6?v5WBdPiI<81O}ljyR|1#1xWR4 z&upt-Q3p%1fY~B8f>k4|B~Z~uI14qVkZmJ5A4@~_%370FHXoZ?*jtn&WfBe*+~+98 zfXKlA51AuRL~E?jRBZ*{V%CX`m`+q0gKyb@?pyA zLJo7NV>5s`0oi!q?LS7};`Yu6Xj|JGAtTO9iiGv6Xvoxr*4bGg*EdYJiLVhL8m5Es zDgr39f~l*NF-gdq$|Gu-NqAX@yvVc;GH^)&5;F~xsm}0{OenRe2;^UbSHyIYS%8T) zCdn7#t;VE+~i z0_%9QBw_J#Axm}wyn)9cLz>(c&%5Ies5^`e-Zo*&sMD!;8CO&bTpDI2rIAuE=4e52cdQ$4(NJiSsyhcekchT`&*Ohu zDe)1T1KENb1zo|?+zpRsGu=TAP90DwI<8^amnO{w^7b|w;w`TLotW?AWx0=r1!Nm7 ztEr^tTpS}%Fsy5tj*^z`E37~xnuZ1+bz|F&#|1+tg(U?OCpsyd#6OTqPqj}9Cr=7H z;5sQhGQv)@)?y*##s@=k1QMYZK=vb=4h0FB$cXsO zqARG-0_rc%c$yu>ixi?5v{aKURG?1mMy^0ZLF!eM3Ljd?aUD>T`J%l8Rttt!AX#L2 zr!y2=FLcp$umf)aV%5+Xgiryc(#N!?DI!?cLD&yii4iFAa^Q(ipCvY!6bgknVnXmV zP}+@kh|kVnT&IO5HzNK|yi#<2^mU$!FnTsM3Ms3oI%M8bWJ3I1u2|>va;4!jZiW*b zg6@^Qs}}ck_V%sr?d*xzKRXsWess6>_O4yo)8Tm4wW4cP$HKn0p2fYTZ`Zah>*(qs zIPYHE(YC5B3fh<@O^112Qt-0&A37cr^MMge8+g#9M%k$0P7!z#eGOA|b zvDi^Do)^8KSV1;vUP#Y%4{E=neitkrC)D#2qSh{VE+T3_WC=#wO>H9;1#O@o7C{;+ zFe4eXl7zhO2FNxy;n6V7(7rj7hIpy#ykL+k@I+c6yv*@_h%f^TjH)YMxA*=d*L7 z@n}543~ZW;kd&qejh4%VLmBs@-%?6g2oXtZ$_&V++)&`4S=qirNYG{QS#tzb&a<;5 z|C41iu|7*Xg&S~&*9F9&7zGP?ME!LlK@DKd3G;_E)#DtsS@XEAWPluR9>!n>n0A~X z5fS0%w`KAy<`8E+)XmO&k#a#b#mPx^Jlg7C#=XPnkn{yH3}#Hr5@`MF_+>R?^}IC# z+|8y>2dlNL&WkV<>M~{`pg=4ic)duJH+F(R&yiT{M$5R({N$J`IsU{epg>zAha|)~ zi|%yT?KjMk@Qk_Ktt5qd59quis(HESkb+iUQP2bPknBc-#>M>m80ScpZt$4J+$lvY zFGS}yl_X-MaJcrfRIf?%C}%qRnZP={{7fxfQZjO3qnKv%5a^z{&gA#UFSA6$dRHaC z@h(``)7ibOtG#Vi*UA-kJ=2Ad>TgbE9Tn2ZkPP$8N|Sj3=EzAD0)4(?=%YGnpMOt% zHa{`(o+ez`Hr^Y0fyG5+dWg#nQBkpqM+k5(=3t@F5{ywsObGBmR@MH3X8CKX=?z%_ z!Fz9Fu#yY}vLqyK1FvbQF=BDVhJgfAu=^!N1PvY5#5{G$j!aq%;SkwqcUjLEaoz4TAmz2DUooxB|1OE zXU(!58HwAZ<^L&KYB!-*yg$OyoB4m53&%EC%97HLl3<-VBZGs3PBWFNXJdR?Ef_Hc z4x(6M-uyW+TQRSqa3j_2E7r(B-Y8)8)6k`j)pX&m&}iwxfF<6<1q^a(Gmru)>Ub1i{MX9w#$DT9eWeJ`rZ;bmU@ui+c+ zIH#|Fx)9>~?|%?`d*rcM+b4xA7n#`Gb9BYGaQge47n*%%!bBK{(jEvnAlMY1XY`;w zNorlF7y-|!U3UgV?X%Jjjc?_I1s1aQiQhv}M8okyPW%zXb@f{nabO zMb8v%D?Y`je3lZcVtabn4Wd&twHBwPG!qvawXVxF%WPQfX7=`)ld1G~e}QS;yaM+2 z93g%g{!9Ecz8Rm5L>1=29+^4X2biWud<>9dB7b>wd^0|UPj8eGxsoT~RH+>Mw>v@4!RuN}UT+^h*SKQp{1M5Qj71Su3?RvH{4sL;=fS#+gnj z*c7qx6X9oBp8C_dc4)xLerbC&{DPgcDtj&6MMdRwk>@fg`%Ox5hP*O}x zOt46NNJsCDDYQlr3bK{PVU-r6N()h_HHV{7Q+PWZc;9*hH-GU`>EhHY0I+EDO^VW4 zIHhKiG?3n}BuDzioLgv#>mb0jLd5c7YAAtj6(Ts8fX$^nDAwlEEKf6;N6VVo;?^KZ z^C5TauLy%Z<}!nfK5%9x1;_OvNUT$FQ}e+bn!!=*4&3E}YECh;9eK#Ks= zsuM#eq&O>=z~gh8Dv#65$@VYCXJ;2bzdJs^y!oeY`}-wdkb^2*J1Ge%8gLCN0e2Gl z$$L|lRn{#t1PWDiN;j~lX;t7PpB*BNN-bJ z%SP@w=+i{D30RP*o%Wnlwl08>0Bi;^9IVze$PV9Ac(;fmx)5S6qYO~OF{g;}bRzLE zRJAVHMUQAeSNsUvJ051l1Urr^ZV~Eod5dBT3M{##m_U#l8rScloL{?Q&x3ZXd+64+ zWmPnqGt03>`>w)uP1-e$Hmw&-3iq`XqRD{TYnn#i4!nPO|F{*C+)pTd-t7=etaFJD z8T^2JK8jLiz|IO+T%gR(8XC$OiQ2E7+w0@2x2La;F-z4gNd-EHbLaNr?5HAPyK3)N z8X|)erl`q=^keA<%9OPS?1jSp@bA|bH^VKU7?&s=6HbMl*GKUZkqTwwE*Sx5DmrGeN{f{K9` zY_l4mxHX3a8})W~mE}$TCa1y;O99h~=a=gL0z}U!oz0NFFb{P&%aPI5>rJ01`oJe4 z7!D$+e%oVZjbDlnQmwzKJwn|`eUa2*=SGD)7v^FV?wd+Edo;co|2V$pH$RAe8E1Wv zP!^e|kvv9|bG}GwvCGCDq2S**D>**K*Nc#?M%9`u>`~C6w{mN+fsT@qQY0kwSK_&d zGGrJ_cCI0zQ}d6A;3E8;LK<~m@M*+6>dt5qb3Num2-w-NE8ArEc#4z zDzr}LGWIJ2BT_D9!LT&ocVS+XCJjaEY4GHTN^b)ywL91MT@mDIRzYIn_63=JiPACV|3Vn6eqcIJQ6v*rHh@XLphfld4W+rvR^ z{|^rb&!6`Hmw2{}`Tf*D->FSz+QWT;JC=m@xbj68rDG9$7nU#Q%Sxr`r`L6fVWCoSdV+GAnnx;u5u% zJ#^Aq8&Y5YxX0PVFj0pQg4?TXS4QlJtRlCfg~Z%-WUn+Lre ztnLYLx?PUw8acucct+xnKb@`+b`v8JFV(+a`?0KQ7)_3_R0!9o{CByexB4sgR(Tcq zMFGuT8^6)jXr-^UQag9MBA0g~@zKeYV9eMQ3^~_B(-(-8U474jUm=GhcJMXFVjx5HY#e>?m&G#?-c=c*L|BMtkzdN9eAW{(DkKH? zrQ(@+W5hFRPGg}x9%oU=+?_4LK=!eNqTkJO>1GScMM!1X6086X>PVPfQBN0DwgjEt zDiMC3`%5^|>MOxxY_NZ;%Kj1i$-=&wy%rK0nFPBW{qL zO@xPNhPA?BkQ7YAAw!N3wICv1Y#m3Hvd@ zo)wPbMO21aBwgJP9l_nIV;CfnhRZZ)j_i{sMj^)Kdw{V27Hrk`EbsA=7!C$Q$HFC+ zR1lNdeM~8xKONwzoGtn;XN>T)dcvbpW zktRKn-re=smGhmSWzkaqBFz}ueAB5PwJ;j1yam7WUi9-tQiicqse3;75xESWym{sR zJU(;Jj^7@i0oW_D$YO6lDVKpNfyAvf&RY@4JM`Ew}xH%pH z-%*8y{a~Zl5n^?gS#0CVaJA)|dIg|YmBIX@o88?aVsEWG3c*w~!1mS!q95X6V6=j? zK*Y;;Mj3CkDsc+X8(c_@t@iOb0XSEc*4%Yj-|3cfi4mQyT97Vk67!;T^F?B0Apwej zYrnE-*8tW_`s;y<6t@{;HChEKD~S!N0ml(kRz-9`jno@>b&gcQ@_~kTq^+)Jr-q(Z z#pgO*m|g|sPhliYmi1NLyY_S7m1rBP%TzaOF{+ZEG%%`Mus;Kk07D}7dR)W4gO`9fo>^Z7cM?Y1?kWwt2WE!TJl0V|;+S@f%jfCd&fdCM1g zXL{`@#AC3IJu8`U1AW@+)xhJpPzT>+Q3^N*u;M%AE~PF9sC~5oC423dU|X(@kO!&Q z(OTvzW0_l~?nJs|EOYPjG)5y-;i9q3E$4oM6q}7@MneEm9hJvMzS-tNq-+@eqMXa5 zRHy68<%v9SLU&;rt_)5kD~^;WJ3CL+YHeJ6hJVDmg(tGv-zL7jO2ofiR1cC%oFCEu zWxgm%ET5-Esf)1^meeZ5OYJ`uFAMbj8h*F$4PU(U2Hv2*e<lk%D1Aqbd&PVt{>|!T(fvz*5+?m(t_tLIo{G*< zTIE0WI@T#uJ5LtOw%HEcwFJg>3~~Vqf%=!tOx31v3*4?;S{6#`D5}jhv142HDRzK@ z`sA|2QfJYg#do&`AIv!>n)0I*^^^ucBF$GoSO=Y1M}%A7dLI~fpcHg(oz6>=NEuMr zx6I=Z)fThdpGs69Zl$T1rpZ)hWzh%dfh-sOETupCUDaxsCT@BM!gxVz(s*$K{au>( z2ad$SpiYdHglun8E*+5^b(t1GFU;!YG6UI|uHRzW>huz&>Z$rQ60g%lqM0TyN0@ra zvF!~gB&LD9O!JZjdBsParGD_EANk3YV_06RdL{_Pma2D+O#ZlVtE^(GtlxzeU4RDw zu5|7S!VyD%$qqJtvNUt~Rynr{4n~aeE=mKloA9@8+^7^Ke?a+{|5?Bj^fprRr)Q z!8Jm9g;7srsd2?{;L(3@q_;|4&4i0=XB1>;>~_WJol>{-ETbgpA^vI>{lN8EJ>GFU zZJ%^HDtJ~a(SjxLj8k$YE5a0GaHuUfE=k$5WB5+(!s_F0l0_8tM3OeTLZ!F}aTEe- z_r!FbrbYd}2HmU7Jt1~x**>guOcRMo82ua;KDBc4cgi3s{y*hpD*fquwBs1*blQ}9 zz#vq5_SjGSnG9Oc50nRUUb0TxK>p?1S6XAQ6!p4AzJgY#ydrP7NxDdaPo@GoSZV_i z;8m&AA2S{A%iPTr*%3k~F>00X4LHm! zPPJTNn09J`rYsFh2m`-2wJ=N%$fr??%eNH&sC0OWDrv}y#f0GMbP$Z1alhksfP~_% zKTiY6CJ$F!Nk8~G4@-HG;I=Qq-{nZWJPBJUE-X*`8qHdcOL5I8UIJx^>%-G5ynUCAD8ky@Sf$Jw_=&F*( z?We@lbJ&Z4KX)Qa-{mABj<8~b`P5h7@K598k@)3bj^HU!wHsVRmIh~LjVukuZLCFg z>u1XXd21M^wc`eA^XLsKVHH5zHP+S)wa{Fq*A)D0ty0`)PmAs-;Mp}FU~_OnPv<4 zIfxy{N`lKVGkw<9jJ?&V&tJr8Ksj;I?&;Be@61W!Cq0T&uv6=D z0yJvP%C1|P7gdI7I>@U#wR6kh6BZ&umXExRx?Pbb3V z^i@Z$?!=`|`d#B=EZKEbWxN8u)vbseyN_h#FHNF8#le96toXvG8=4H5n&RQ^YDyq+^*m_DwSo7-zK68o{Z(@~eewZo_<*&#M?C`6 zO$R9@+O@fqwJgWFXVfFW^gxPLNw{`e+q19 zI}8(jL0fyyb@VZ=cn5Mpoy%N0I8DdNJu-A(E&gN6_#cl_WO%<8Y4Xv1Y>59md~sNh z{}~?a51!(GzQpr~BSh!_(d>3cqQhbW%(KgLp60VY{j=NYL3Lmipf05*rZP%OSBA3a zjKm+fYdTGLG5yYHr9jtsY=z3hGQt;Q?ebQ=yi4=AV{H6Cd-blAVe+H8(jRT^s8R~I z^yC+ur!U zb?~TbdG{s>OKA5b?C6(&I_BRBf0_r~277wcS8V?hSNd~ZiE{7YX$Mu;h{dh5yK$=Y z*DI#02K2hN@EwWFjq>#iVBNfKo?9E4=LmqfqH#4VS_@&Y>NT#0{lVeO6&2KyI5(Dr zs1|~*J4 ztG2)-O(W?iD@Ycre2k7)lB)_2J%d)7F59a>04Z-)Cutf4(yHk;wxX8vFbHJQ+`qsv zhCCIdUb5dK!vvk07d0pZe#E3VLaaXJym`n3u0l+GVlhfb-@;SFZk;+mN(9=bLx!~= tUm9T*RavQ{*<$6}BXZ#XKc8|cJv~p))ARVx{{;X5|NoI_N0R^o3INo-i;DmN diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/hostpathscc.yaml b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/hostpathscc.yaml deleted file mode 100644 index 13eef79..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/hostpathscc.yaml +++ /dev/null @@ -1,18 +0,0 @@ -kind: SecurityContextConstraints -apiVersion: v1 -metadata: - name: hostpath -allowPrivilegedContainer: false -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -fsGroup: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: -- artifactory -groups: -- artifactory -- jfrog-artifactory diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock b/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock deleted file mode 100644 index c9f98b1..0000000 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/requirements.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: artifactory-ha - repository: https://charts.jfrog.io/ - version: 2.0.31 -digest: sha256:d7c2af74a0188ca8df2a97158c83b36f85dfae72c1b60ce4540a4e00da2d9a6f -generated: "2020-03-19T17:29:04.445679-07:00" diff --git a/Openshift4/artifactory-ha-operator/setup.sh b/Openshift4/artifactory-ha-operator/setup.sh deleted file mode 100755 index 3bef5e9..0000000 --- a/Openshift4/artifactory-ha-operator/setup.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bash -oc project default -oc apply -f helm-charts/openshift-artifactory-ha/pv-examples -oc apply -f deploy/project.yaml -oc apply -f deploy/namespace.yaml -oc project jfrog-artifactory -oc apply -f deploy/imagestream-nginx.yaml -oc apply -f deploy/imagestream-pro.yaml -oc apply -f deploy/imagestream-operator.yaml -oc patch image.config.openshift.io/cluster --type=merge --patch='{"spec":{"registrySources":{"insecureRegistries":["default-route-openshift-image-registry.apps-crc.testing"]}}}' -oc apply -f deploy/role.yaml -oc apply -f deploy/role_binding.yaml -oc apply -f deploy/service_account.yaml -oc apply -f deploy/securitycontextconstraints.yaml -oc adm policy add-scc-to-user scc-admin system:serviceaccount:jfrog-artifactory:artifactory-ha-operator -oc adm policy add-scc-to-user scc-admin system:serviceaccount:jfrog-artifactory:default -oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:artifactory-ha-operator -oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:default -oc adm policy add-scc-to-group anyuid system:authenticated -oc apply -f deploy/hostpathscc.yaml -oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' -oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:artifactory-ha-operator -oc apply -f deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml -oc apply -f deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml -oc create secret generic artifactory-license --from-file=../artifactory.cluster.license diff --git a/Openshift4/artifactory-ha-operator/unload.sh b/Openshift4/artifactory-ha-operator/unload.sh deleted file mode 100755 index 37dab14..0000000 --- a/Openshift4/artifactory-ha-operator/unload.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/usr/bin/env bash -oc project jfrog-artifactory -oc delete deployments --all -oc delete statefulsets --all -oc delete configmaps --all -oc delete deploymentconfigs --all -oc delete pods --all -oc delete svc --all -oc delete networkpolicies --all -oc delete pvc --all -oc delete PodDisruptionBudget --all -for s in $(oc get secrets | grep artifactory | cut -f1 -d ' '); do - oc delete secret $s -done -oc delete serviceaccount artifactoryha-artifactory-ha -oc delete role artifactoryha-artifactory-ha diff --git a/Openshift4/artifactory-ha-operator/watches.yaml b/Openshift4/artifactory-ha-operator/watches.yaml index 42941f3..843b786 100644 --- a/Openshift4/artifactory-ha-operator/watches.yaml +++ b/Openshift4/artifactory-ha-operator/watches.yaml @@ -3,3 +3,11 @@ group: charts.helm.k8s.io kind: OpenshiftArtifactoryHa chart: helm-charts/openshift-artifactory-ha + overrideValues: + artifactory-ha.artifactory.image.repository: $RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY + artifactory-ha.nginx.image.repository: $RELATED_IMAGE_NGINX_IMAGE_REPOSITORY + artifactory-ha.database.type: $DATABASE_TYPE + artifactory-ha.database.driver: $DATABASE_DRIVER + artifactory-ha.database.url: $DATABASE_URL + artifactory-ha.database.user: $DATABASE_USER + artifactory-ha.database.password: $DATABASE_PASSWORD diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md b/Openshift4/openshift-artifactory-ha/CHANGELOG.md similarity index 100% rename from Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/CHANGELOG.md rename to Openshift4/openshift-artifactory-ha/CHANGELOG.md diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml b/Openshift4/openshift-artifactory-ha/Chart.yaml similarity index 94% rename from Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml rename to Openshift4/openshift-artifactory-ha/Chart.yaml index abc3f9f..42b4f95 100755 --- a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/Chart.yaml +++ b/Openshift4/openshift-artifactory-ha/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 7.2.1 +appVersion: 7.3.2 description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers. home: https://www.jfrog.com/artifactory/ @@ -21,4 +21,4 @@ name: openshift-artifactory-ha sources: - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view - https://github.com/jfrog/charts -version: 2.0.34 +version: 2.1.3 diff --git a/Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/LICENSE b/Openshift4/openshift-artifactory-ha/LICENSE similarity index 100% rename from Openshift4/artifactory-ha-operator/helm-charts/openshift-artifactory-ha/LICENSE rename to Openshift4/openshift-artifactory-ha/LICENSE diff --git a/Openshift4/openshift-artifactory-ha/charts/artifactory-ha-2.1.3.tgz b/Openshift4/openshift-artifactory-ha/charts/artifactory-ha-2.1.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..8d21a4f514e4bbfe76883c2898dfee5b0bf721d0 GIT binary patch literal 130327 zcmV)ZK&!tWiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ}dfT>=Fn<2lRiLzbV)sN}cAWMoads73PSpBqEhjzsH9aas zLK13{UUy8OkoUd0y^`O90YHKuk|pP(d-jdmCzeQHFc<)XnZaNN$AV6Xu6cyJF^vQ~dK1zs z5_9aMa}qI5<+MS^IK)#DBc4PNivU(?@UJXJ5q2-}R6d)qIKYBGt|2r|sP7@c zn9mUoJ+wbSoWv4xvo>P^>7tns5%0EI*Vot0Unen}HeD99tjXG{QCDJQ3dZ=lIi+Hj zj1x{`mxY3a0xCiEmMbSVZv~hO61TX(W1qANliz1kmU|{2G^21@yCm~#7JIx~YapvY zt$_e~t${pp#Ufq{FbxH!A&H?Z2{84$2nSTmF8@94NDZM7%WlF88uF~DheJwyQc+gF z`JKdBY2tg>!xe?qi>zRb1Gl1>J4-Gv?P4^*Jg6ub(;(r$*EH5Sveh_CVwXUF&1j5i zC}KRf=pV(*OI*?V{xD|KM$dw97PHnBCD&GUHISvzt6iC?x!vqEcWQt3+WFt`DJ+32 z>?eeOz`Tx%D&KLgwIX)ZcfJ|`W3#5i#vgyJCZ`L-@#f)-9Il|~& z@A#;pc)1`Rnoys}0x!umjtRP+kr25v90JSNAZH{dP4tc>h|gH!d+0J`*XVkN1)8%2 z$$B26;qF}1I$n4#NS)O@Sv<|Uaoc{08vb98rCt8Jit76dG;(U6LL zrn&DRz*Evi4)!A&lI~8k({^e#8ghYspTyl7LSh~f`8V>hkp1ae?+4+8b&+$69%;Tc z@Equ0a_M)oEo(NZFl-ZjzP-J{3o(S%@;#DqWUqMy)h`ddMoTJadWt(yE-&L}q~SdcCf zaYAYc#mt9^hLD7w_=F?DbfG312sB~7&#u*^mxU3Jh)XBb1>jIKmemxH2Eq}26|*GL z59FgqkM!4=q}#E1Cq*mj5}rOFp%*b4itI_mJoDp<#AB=Sl!)~EH5TqH{pC|GfSN-E zUy_m~p;(=U8nFge6?sEFu5E18^eYXrf~XskClQcN5Ssw$hPgVD#tA1)Rdz5zArpub z0RpE2CK;Lp_ZVRXh;lR~A&If%YzdbWO9GxGz7OvO3FNdSMl7l!gu{>t7$@FEw|A0< z$n^vi)XS`kCfMh)lAio8v3p5EPZ2pSWIBf4$a$I05QIZCP%u$UTo!w>OEbm=@1mc6 zhWV8U5}#o)>!OxKDdQ9RVNPx?<18D^50dUg)AcduT_m~rO+_)`^9FXMNa#rHof<+u z9uq$UD`GsEP`3fh7Lgl4;t=~4uV|RQ629q~oLjJLQIK$f#smd8OtA0IHE}#dLl`1C z96Z9V8gH2Nvf_!Ba&asgdsY5J+;=QhGbyK8A;%4O=3|JvSFS?%o`G)$OmS1 z268BxOO6 zgpySewNqz13fiO-RI%&mRkx)_N_96Yr^lnv-;JssZ`ge)k%2u_}lgBt) z15dK*?0JsoX?6x1u$o_bTb_53$J|R2H;tA^nSO6f3SBg&BE$i07cIZp0HM(IUW`!_-o)RP0Cx+V8P z681b#PByvnok!n1a%yTG-R!e4B(CPQPG`5>h8CsZCabxmdKW;5)89!K?Y3Xh8ZujW zS95|`bkXjUo$Z>v-<#EoV)9!;Y|a*t0Ep`BcD9eHV;;LvB2j9$1O3RS0j;Xmc~z{m zt1E@fBk2-??N9BsC#M(I{&}XTH~fzy#jYt=EE#Qzi-wZFbJTymc z!UYSEkwKA11g5@HFc6E8C0V0u>id9))bB*i)UhRhFQ!*Y7f@Ks_N0U$aZY0YG4ct% zBCt&WkCuc-B#4BZ5=rdmYhHtD=vD$t969#~U|fCH*vq`Z_R7Mg7K*el0X&->KDnHl3 zgxLgSp%P_JPA~eXfsXMF4U#~~62wzeOp5Io=9Huh4T+bvNIB}X%|}jp{bC>FQRsxx z2aIfu6x43MBFyX4D-y@lBPspmXlcS2IUWkWDRd)G0bRqqJQC zXig&%<~Ez}+6pHy-FP%6YRD)DSzGR5Fr;$mKyW)b93pZ>LXluUFT_B(*FC9rV7Wsc z(73Q`WrGk&jRQ(bEhmZYFAGQ>Qll2LXfFSj2!&XP2zF<=`NtJiqR|(^T{Ev6jmC@#E@B+D#x%t7oC_9{=1pKEN+dN~9}9X#DseQ$ z1dgXfbdem~g6{QTjBMS+r|!qXNNHKrBQB0Jc~q};4i<#sG?21ZhOZPxZTpVFj zSHVP^>gQYd#kZE#=QDQAQJjRJ&82N3%u&pkK%3MD^`7jMDfwe9A?G2=`B( zRh+m9NY*SAc1<~)_~%lK7* zFe?O#*spmqR&dhV=56lO$k4jDS?BiN9ov#r*nZQeg^hd3=8X#WsL~Qsbjg^cUMQux zT-kZ0%^c&%LZzzsqE^+Y7uwcSVI>4s9K%HeWE;t6j9oUAO=}r&UDTAVY^7YL&|FMb zZOtxO-BzJQdZ1!RovsmKSR%B)l3*gCbU=*(yCNzS^3UiV=6 z(-?NDB&5G31gYZybV=q-)Gun{A@hhjr2|tW7&~!bSNcjd^NuCR#bJ8Tidd)(5VDS8 z+{j@O2|4#sj6)AKX5KHsPR|b z7#j&-5)(c{1LafiIx{U1z} zDeN(v1?vt=N^s^AQ1R6nM#uz;i8A29fh;T%7Mh}3ao4|&*wmQVYRERZRGl-`4BO~= z0o6J%jbL;Bw%KmBn;l0R>N3NltUMZ_gJzOp!!&| zZ{i`$Q$?`KdRu@CCq+KPQewwKN~~a3XqHH)JyqE0@ z0JQNw6?in$vQSj7nly-5ESfig4+tBPyZBs^B}FEKN<;0m1Xgk! z4hN+fm;gt`)os_$1gpHz)8w-*`lDgw3*ycgax$hT3oEOzmZ6*i5E6Q;fFP148i1ng zk;dK}s7(szjc||=`N@=qT(haukZ1=MDIDmRkJMoRl#zAL;A!ffrUft@yEA%48qD|7 zb1iOOg3Ytx`UHny`-X?tWGp*qem=UrP2H7{6U-ZM9N9FkOb%+IySqoaZ~Yq)t36MV zPVd5Uc(g+v`u^bMzCJL8t{=~bzxl0W98-KSZk@*1^_A8V#RLrS`{_=8JtYD)PEm_R zqI^iz5@1|x`E=Y0=KMFmp*I5-H-5!exUt*pG@o>uzv4J`UHH`{p|B3WTo$Ohl@MAA z!hO)494#0ZWn#$1OyIqK$hB1`Q^KK+8Yu}QM~WP^Nq9wL7J{42l_cXBPC#Z@fEY3c zI{~yRk}!YjCYY2~ViXeMnYotv?5O3e{dp1QP>e`<8Bp(M?Y=e5cD1=diT%U=`P=^a z=pV;NBb(vL4O6cfebVN9*Z!{KtWx*5_m9!V>+^o^U|0aLtsEk%A?)w>hr=b6cbC+) zTJQhk;=DK7KRr1dyedGrukD9aP3xTWW&2C39lRW!ot_>+AA9>3gSY)c@lKIGc8$To zQMr7+`0=~Zu)lxazZmsT-j3e(a_Ai99HJCw`+>~Q$;8`)|=Pz4(L^whkDBlhg= zC7J6(gVTf4E;^()NG`O~Nb}5q1Y;6|zQEC@o5V2*g+EtTu_&eij^}1K*WTzL1bNCT z#^+p+;2jQpwLu`nXE-LFae(vLbV|c%<_~AdMd>q34q9Nb$!ejyJ6#W!&-c17UGzdf zzP)XzUAEHlqdL?~NsvNAsBvJI#C#sQO_#;wj4^*meYtT82bZ86OgX^Nwz|j$CFDYputelr)#?T6DyREZL8V)I z;f_YOu@~Vl8aOfZtKPiFLvqS2ygMraT@}SJqJg{mC zuinATSz!S+E6J;LSgT2iWZ~ic(DE)G8T4iMInoxDS9QUCQht)y?;__{Z|rt0&&?KG zWjQB4!JIUu@Q&{88dd>|Pg)IYt<|itR&}Yef2Fp4tB;)DdSlcbSAKbj#Zw#10X)t+ zlDc_1_cd!gLak=A>n;V7*}#gIU7P|HtBNMEpDSrPQ(0IG)H%qN-O9l8T=~+ZF^b%R zNmFSavx#6CfEJx**!33RQSgpS(O_{U#MG@QoypauQkSCgjF$q!3VqI6iqsKIHVaeN zrbRNrqPh#&z&(8^W01K_EyiI{{Q?&Ea+7MOu?5Yh)30179dcmh-L+cF%`mk+EN{tK zK;c5&h5T??gZHoTVvSXnda=&RE56hiFI0;%C-x=POsVR%S~7+XCdPaU*ZA!NTYW+2 zjKxCx9v_^h7E{;&e0B{+Ivk=-d;5vhJ#Do$PC^d)C<_~KPz^V+;4%^#Q>9@`IJ^kx zE2X<;&7<$y-)+|r%Hd=lnvz!2>HCgVY0>+HdR^3M@3duvB@$G110t@TF9iy$PJFhVI;$_k4OqLURo$CfK9!D~j1zIjQOQXY#?K z+X9ig=%ucLwQxjRSDlv9m0B}`eKFJbeW;+=KOjDyr@iQWr#xjRnEFXfE@m;|Gv)&o zD&3;=<0wxI{gfv#18pcZxTl~y_Q|^O^fUBgg?k&|P-lC&#>7iP4~Oo&i*}T^u6=}h zh2v_&m}9ZkW4XJbbAr7eV=BmL=-QV=w%hGjw3c&XHiweh{3ux7psnmjWhYkvaB_Ol z*9S>p3a8VM#YCS{=&3y>KD$=dssLXSlth)#6c#VDH~$FqP26tHI4bW%+af$sl-I7xW`_xrU`*oEi5xO)jpW8g?%o<$(X&%lq>fq9P#ub*{mjuD z4h^)g*5mT2DSB={dSTV!ir`MesjB8UkJ0svx-;Zau8e-(Jj4NYm8TDWQR~tRz=rAy&6&#xus@l%P7#2IvGB@MBabsJn-fP*5Lje&CoJrry`@ z;3@xuhGGjfEa|?`HJ*$cWy;*%R^Th;VnZ&01!>@G922LttnWF!D%Wt!v|5@Om2aN6 z^fan18q&pcsMvtLlfGER578=*?(UwqasZ0Zi#zcuEfniODi z8a{93UKDEq+UeVf#4ZU1o|40ukYR*f^1PKVQf}6C^2N4nEB$ppDgP&~+*a$5#p-HT zZryHzxVrT?z5NT?Q_2vfoSlY8SvZdCtoah5p^LIHIZxA;7lC}<%9UR*82PctagygP zwdcH8XuB?LO4}cCQ(Ad@X}EsE1&NCbBz?Y!cjgz28#B&NRDg`3Uc}3nP6{W#KB@sN zT|*W|>FQa5qgm`lj(7Fa%fa_aNJ%J;Xh4Nrt-0TeDg`tgMmQ#KBJd-M`*4SZ#S*~6 zcdPG()|6jo=XV+X||l%0!wL3c%!qJt3oX~fnET<&s*?)z1|wl zTg|zLbhC2)mq&L-+)HIVe6iD(voiZ#EUVAd2Hp!nz`a-j?L2Q~Z;ExaZR-WxeSh9E zKP#!Fz?I2`D%R(WNFLMFC!=GZxtHl`g@{kB<@;RambS_f>dJ~~UMVl?rmx^_YE@XG z-mSlre$aOKF}A{wvkiXAE%2l5WaVAVnE#5@FFjwj71_&J#Pe(w%O8s>mMa(Mpn_6( zx_D1qxTmSNcGoLQeBi$PA$#%~yDo5DB2a*DklAFxe!Y~ve%YRj6nXH(f6!j}iTApX zv2U$}dd_~S@V6f=mqymTs_bEbTdBTyj|3w~5Xt8)5k${h=GVIYTZsiN+|LHy3tiOp zS>l-rS<4k7hY2FO3Uw54ZKZ9Rny?;HFh%&_>wOyfEA2}82GXj~LI$YV#5i#;)t#jE z+sNudBNnJ)D-^1KDrtLYCG zBL2`3P_?Zw(BM8?EL}$mRfj;0tDT|%+WT>chCAr(&f2mk)Hf$PdyeMnvK75LWou;{ zef9R)NOuRm^ARjRRp3^)0^KXiSx{FN=gLTf6la0DU#hF5o z@6bImUapIu({%DtX2pjpLLaUKeJTa$p>p*aqF8z8KY{4YEZ17e&8EFoyAWVM2@wBYR4w3HKu z?vb)q6r2{G7C(>4)DT8})!bxSB1BnGU0wD}rMBgQSWcE-K|If9*JZ$ma7$%KJ<<=| zcn+DOejxKfRj-#7hsL4NrKMIK(G)+p(55L|flvB6*M9bN?e_L1y6l*Fq`JZEeXd38 z@j8<>;RJ#@gf7|7g8EjpTwM@QSP0{JYeB6thK0Kn%NrGOLe_v?xquQ*&SJvpG^F9w zbR&CWu(!&T4DECpLY9*LO+;hkND82;UjfVowHC|=(5DY$7K#JNC!iN?iMv!3%VtOA z+x6yU2I2=YKf^SxT%HxB6t}CaZ6lVIe<)sODtSxcI!Xz#tXLI&the{$Q6=}Tb|{}Z z&!Y$HiVGCQkESKAtQ!6)jsPFuoL|QBUM z)ZJSZaF$%80>}JzaeE7mfZwy;Gvp)H;@w?-&sb4c`uJyP>D8%{ZY1BJmp&V3H+?>i zo|Ltj9+H32n?P@>pv(v8QH!Bfy!oPMebKWjsaYhQp4(a0q6$V~lGB=7t}qJA9hd)i zs2>Zj20_8xJ%rBkdkLT6AoKH|Vt(=?%+lmEyU((@w-%o)VXE^euPk6nkaDp!t%|T9 zZ9oeeF$UOm+fer1w26|Xc3q7#g}<6tSsJKweIn(mD!!Ei_7Rkzw5_!ip|xZ)c(S4L zs4tbr>`UviPIlkVL|o9p+ygvE*yoUKJBzlhZpa}QuKlH#F(LW_4m~u6C`QIHU*Gh{ zDmAk4*55qo4WXtE#l5A&SU_A$lshCK}qcPX96>v-t#}k!GSE7P2@KY2dzMzp$ zazP;=x@5E5Epzj*`ZA*mkL#%bdNX#70vwvCE{jPan2N*EM4JbCPufGBt*mh!!ujm& zK39h%Y1ofr317$D5bn$biq=_Ru84}NltF?hXDdVuY@)lnh8&tkbmcal1ELKkH@i$H zS{IxeUm5mB!B%8`+W(XlZ zVjofmK!B)b%|ekV*lAvcT%;jguHp)A7J929^&+w&rWEPlNlR>OpkW%893yu|ea}iI z$tLS&aY`Y3Cf3@zDRXl9O(m2pAl5jGp0*^cj-CciZFN>?#Q+&hbYA0=!y&>vy;>Ai577`vi^WDkx8uyVta7BngX4tu`&fNyZJ(vBU_% zxnmdPk-?c9Knp25jm9#XgcIJR(O&)b9tVGolDV3)o$ z!%>_UOGa>(LR)jlRV5ck*rj4_0w<}bFv(6M9hnX?DXumWDH zfhZ;s%xoGW>|No|g$OfIB6O-2u)9D;Z!2rGrm;#rW+nYd-#|6<+X!miR1{FO!x808 zmj!0l7%OeQ6Do#KnxIC}Gt2IaP-ZUe7B{TM)JH)+vD!pRoyehvcFZ#fHP~}k5Exk*9TFS37Ka=jdbVuFS{=odrTUqH0|MGf6AO62O?=IpIKaQN5Yiy1v`T(U%4l4) zrg1CAp+}lCp`%B^yy||81%$7;vtTyl=bJfb>wfIzRz3sE%@K=hSWlO&B>PmWi=5t% z!zYc`$G!c=@O5u{_o-uvWj)WM5&-s*Wr~+V9TA8rrpR}S;byX;I;oc$1whsHDG5b0 zz&9pIh1!ccStj%Q=U6`eSgKJP!djYr;Zd3`r#zZDJ@-C_q%WzfVx_eB@Ki-b+gD=E z;LPrvPSq=Sq3anHMCFVLONr-Ax}?p7lS$$uIx(>c%`2eC-VwvzOYBQd5~nfURNy(v zRW>D)mS%8<_6G;&>QE*XzO>HLg_J%9(h!m*oO>p2lgW`{%WUCwwS^zLoYL>@HzcBGwp)oYpt)Yl9A8ms4nwAhTo=m8VApWOO zsDfC38ct>5D-jF=Mqz;2*YK^b-KSNS@MnH1Dh zQNEm#EDKdQwjs!oGnCOtG|`#Pav=xaPKO~u{hH>NFw|BV(I7y&TwZ*(FrR)t9ByZ4 z=kKcIP3dv1JhHkQl8Gp@2X*sdFnHQi5)&0P&ZCnFi6L;~n22ja)QCq`{~%;zp^qCI zXdmQ5YJyPGI7>ka)fClDVkwAG=dq9=*|r3sn^?eQ5@lV~qij%?I6l^P zrZ_Q4oAVhxa*)&{E95*DELU96;c23j<-BZ4?6ih9lBMjz> zG>IaFx+l#k`b8z8Yy|UIMfPu06RFYurC>+Uc_%XrHa1Y2&^=4TX;H0)a(QI4>6=R= zTT0>niaOb2lS5V|kuBtYFIL^IsH*eTee5-!>u9QhTZsd?3S}C=W~#!?Y0%lUhU}DM zcBLqluJcp|xCyxI!PK#y+{k{WPwZSUUDSE1AO9NM+^g(Gu=fAn?zGcKkai*c#kpV9 ztw3ANWeJg6Cd@!9Z->bem*(D(3@8=FjM2r7TJhk*+a*plf4Ii`doJ4u2_%=Px+^+G{=rhc{>-(sJ7dJlp= zJDg2~BiF4n!?EW)gQRyV>xc5RFvenzLWXcCXv4H>WGWS;-i)_k5%bw}uCg&)riP&= zWi68w1~!E(`9UQsRQz{EPG~Xf|A!c%>h%hIP)E4kSLUm2coxtwHP#sOX(hk3H^Tqb z{Ia;?f8m$^1Nh|zD$oob*d*IPE3sIq0AMOgL6&Wi>l#yW$YL$(0#it$Ou;N=2LgxMT5x+6K65uk`^jO1~OsSRANUt@X9i=ff||*>h#z00f}Q4!*6(Sq-xmE();QqrMo9ES>AL_M>;v_ufKG$86dQ~YU(7dPj#V!VDi z9$47}xQGc3P{6#zR~{P5u!Ao4&-BYQl{drQNEd7+JccyEfJjR{<*jgfGg6gw!6s+V zQj^i}HB#piXy2wLyw`Z#YF4I?L2uJd)dzx=X(@YW+gi}w-Lq^bj@iw81ZKY5TSPPcyj?SFN@dgmgevwlEu@BO zBq>;g^`!mxr;Cf(;5ysiJ+n5oBB1T|ldAXC2&qwz3HC<%VjS9j(r%}8Qnvk(il@4? z$e4Na>H?|_J&b9QZ+8m?I0+XZq27;^$%Moy2`;PNa`dEK`I4t476A|>h(?lEjlfk^ z({i^RNGo5R9J+m&!(dZivuha14ZajT{(x2u;<07fy_@xn)Xv&Qey-z zoIfL{uGzbTjN`(iIu}?Z9Mx5`b3wQyqd-m_@QlfX#3Z(A=ob?H2v12U98>m2qIQjA zk9hK%^QZ!ALBVP35slCu%AuY%0GRKg_m16__Z9}w9T;a-EbF6P3Np^_p*s9cpK1yi z`0&H7rOB~}3}MnYKpXj@NU03*NV8P{Zhk@U>?YC|x(8XwnDB^&oTxWNoYV5T-&QFY zDb=_=c6Qrude-}F2;XO8r9_JdZKau1g7i3N+$i+q!Z14p3(cDi;YOp7MG2o3-dqwA zVV_=+bVZ}5yJ@xQ?=-SY8^&$1Y$-!Dz1BBP`NeSjS}sGUEq@gDbk$)vM=kE>ocmG) z5zJ*iM;AxKtB(4&Y5s2OzdO&;3NDe&D&=?$!gB7ngwLC9EGl7*F3J2M@Gi+bgU1P% z%xDC+5lmL`;qa*237%O!Ccu)^#^TawCYfb628CNt8yiNdaLdw1Ufigpye(zCmZOmQ z&@B>9s;WrTpIPm|E!D=Ne5FeUeQ~p@ctI*EwYyUG-r*j@cv#~ zG79?7&3}6?^{*Grziqv5t}H&TE@)avsJn-zCp4VKl5NR-g69&nXaZ>^iX*2fK{X2Z zIg#U_KM)N)xfir0PNlvyQ30wXL!(5PMn*h3L7U}G6_^g%LysP9S+Y7O0xc?w>fD`? zfaGOo<;9UnteGWTYn-}>wHJVkp>Gu6oQt8w_VZkSW5d$RmH3~Wb^f^8-fC?&zu7`Ls5qi6rR=u=Osn2$)wj_& zCit>QHFuVTm&6;17>8UkLlU|SOt{%bq@_41OM{>QB3%1fEfs|{$y*kl6(ThHd%Inw zS!p>MA+6gL%eahPQZjECU&K>W)iQVdk^QJd=4HCK~b zeUa?NHVzGp29OL@*R8mfd@ndy{0mTBj@4@^F6TZ9OrDPSA#lj#qq-`FJ+G)6Jj?Ek zWh=s7me%UX7P%68lbE9aEbs=ouIstAUpd)7_DnA%QZ6{@x9Xi|7C!d2@i~^^J;-IK z-4zTgMOQZMpcc@OUM6GmSf61jFR~Nn5efb=tgCDAkV!Z}w)+`CQP%U)<81X8d@kBwSawbc3aiiZDRxJTgXW2z0^fCLQ-)hIw!CVVQ`kt3*`|7*}ktC!l~ar zGq(x;`@jB=_ICX5|N6gKj#)Uu`tSexKSxq)|L_0$zv>{!%-jp*3}?*e8i2whf1{LKePdCs(|LnZK-@E7^bPEU0 z#&a$vk&j*Cq469Yb=psN8%Le?w@={;0-7Wufx}Wb!Uu?U>r&X)7;m7W7LdLu*5Da> zCDlp2vc2xsaGT!?9?X3yZ?%wzs4{!8pbdoRTTdD5p@(+_y;!beGh#cgbAsUfv{>0xCJ|EXiLF zNICgI%x!2r6yPwyzCV{=@RWEJ+1TZL2hST*>s<#>)smCms%pwRt5)qxQ{j@5_XF901m|OdMftG2rn!#3VxqEzL(%-fG36ys9iL5k z6Ac8yoF@T+`-kSbs(dFfpBZ6{sBFvWUghaaEdIP%GcD%)AIy3$`y!g+i#-k;?Q%eT z%msCuE^EmOyk)8?-eQ~#(6`OqW=9?71JZ9|zl$96tGnBN@&t%4NF2}*=STq zfvYdrNNp<7Y11cH#P1>+PFO1PH09ROUH6tfSQxFfcF$5o=(mI< zq{-D?ng6WWBh;i}lo+?mhSpz|%T2YU2G=Ax84)(=qWbOr(dn??1(skmY}qlMO)AuQ zQ2)MZW>`!p@jVNqQQVR9>m(MAWo4O;wEvpbj(V>qVK=oFhk+ zdAhUPX>Ygx((dd&-G1^H)czP9yzi56f#bilKe(-8=l(@L`z)NsSR}r_;{{&YAPIn5 ztq1Ol#6w^S&dCt3dtcRROMJir%ms;cJbztI3KE+k6U!@P8qpToTo6ApgYF!D;K$hl z&#BrstA5arz4Md7$t$#Sjc;n-NW$iYFx3TgN#;^S<3g$+TDTUrSVxSBY{5qYuO!Xh zhf+oZ|70Ic7IQ1Woxz!;u~tG%40atNb*EiwZ(!hB19%;g8}KYV?hP;c=c6C`@Am4O zEFvN2K8odZY|O|F+S%S(AM-jQ?u?=OZ3g`A0Ys<<{>eTP_!;IZbWNrer&CcdWs0?< z!Bo$#T*n`M9?W|_7}^BABK}-m0CI7tJe^S#lSVO!33LNP&s?RA8|cih(-NeM_mh1-9}oThba1kegLa;-$w3P|)ByiD9Q1!U4>hyP>h`10hWRJ_ zEaF5(RunNVrZM5a`L>r;?Vxwjd)XWIyR{33$c>1xE7Gu$W6Vi<&FwMVNzFw)tLa&K z@N#t48xDUwJwMp1Z(b&2;tC%wzBC%(2p(aVfW~>Q&XJlY>C?MAl&_*Uk(FvTn7VKJ z2b#ttLRlZT=aE^~72EbvPK$A0B>p$U9)de9%8ot|GjguDex z@QAog36=lU{<#@yT<#pB!SkgdCl#i7e}Jtbrh~Hro+@g|L$IZS1c0dWif-zoVFJ(e zk2^)A?LAKBQjhmz#ZyMb_Di3vr_Oc;PLm#ca>dsCNK;A4+ zBVyjFbJ<6Z%Yul7BouokC)Q8}HFg%x`G5!vj7yf(v)o`JF>GkprWM(&=@0s@{aw4O zd=G3&X4Y_7Afu&bdfQDn0LrmC8tO2LF}vo5fZV9K7Wrnrgt2YA_(CJLTwdOHF9A6RdtNbF+ zH0gOBdfhWfD$gWWKt#QQg=tA^8Sm?3cb0o8IlQ@2&k;sfa1Gk@D;GlV`ue&FC)W@> z&t>7nPe|yJmPdKy<9X}+;;{9)_qTyM3j-tB-*D*tZAe6-&eH=H6XX$rsn46GiF$i0 z=L?Ig4czK>eA5IsX#N`9q!Lk81&BXWS^Dm-_Wkic@+W^?BX`Lm*<7^4RNp+b7!jDq z1`|-WuW=~UctPw3*(CUPfg;X=C=n)*?5{2hIrDXt4lC}1b6MKb_L(m0s zj@gn1XWeCr?^252-5DYB?0j(CJAXI&w7ZZ&<^%Vjg3!I7=S!!Kv6A(VU-r*Gaj!qZ zu3Oj%j&YO|OJFZE(YVujA@>Kk7^Mz!K4g~g#AArhP{TzIY+CP~`fYj6fG)e<1bFYD z7cVR{osTiPmFSkn`d)1F1Gf}Y$>oo561o{5_#lECAZt={k#lfmbCGfn{ul&b3EkEF zn9J=fz*Bu)`}}9&`QK<@1mXKho2u;4Xvw;V6RcG;2Q+1s%!@*@om49F2*K6HX9k0kN`OC?Y6N9`KI`|0)x6j&iiA9jFgZ zh9>I`kBGa~l)8z&6QF>knhvlg^^6w0u`!1W1-`Gby^q}4Ze1~v&CAkcURdDavv+0A zY2ld?M9<;e0!VSKTox-Mm|HYX0a`u$koEFq8ZI~!fv#g8W&)Qh4lZ+UTHR^N?kpVYY?#Y7o2??8CcknY3@gRf#S+gc z3HN(>5H5Dm&eL71B#DJCJEYT)c>D6f=E7URMswamA@wb?NT9M=30Q}W0sm=epb0?# zK;x%RNa!M61RNsLB0rFMu7o|Hf3~vr2|f$;e`Voqj2RPL#5iiWG4XhFj)S$$0r%+t zozBj7UjN_jJn4M#|NSf<`-DKU+bSEBnhHHHprJVxy04gr1^$7|x9+i`*;ULro2;T@ zrz)Sj8jfh1lIN;ZGY65~^or3sX({v5Ig7%oZudpea%hD}I49O|S!bFza0jp=fm{-R<_5_5V3O%0H!Q?ztug1O%NdtZ22`(=ZVqw!*XNweAA1 zh;EoIa$B#zyK7`mjCTK#MY1L9*rKJiZnxFCHR|P`GX5*A|Ea6wWu0VmT^ZnB{qIS; zxc`6q<^1>aeAd|ib6KsMrG(SXV$SD#biZ{#TfP;aOwO3P(Z8%tm=`jpuF?tha&7*~ zC4E+xH0~W}mHBo8n6DPKOH^|KQHH<4iC1`Q`{Z5i-B`EU10QT~$(;1~Y?IX*=} z?qhP){IvO3tDOhKg9O)msRw??V|mE zd;8mOzpVey@sT?<`0Fpb3Znn&8{?I#pccp;$}j4YU+88Y#whCRGm3g8qo}XKDe5Iw zq2daiM)y)O=zp@CRIzyU#mgegF3L@N%F`wy#o#@cVI(5Y1QSa60-JYYP zi^0#6Jtxe54oC0gle#L2)ZY`k`02%{cXoC(*zdhO>hC$Dlio zoeukZj{2>CTI~<}C&R(T;B9~OL;v0AZSUxf#Bsz)$f=-Lkd$XMqn<~?(a1)80}Ua$ z4pQ-Z(IuHHnhoC#0oL$!@4SC7`u_0z^wpd5qdi9@<53s&-o(CBReIRpe{(*#csKg~ zba3)R|6N*(6E}&eNTV(+udPDbRMt;p!PrE|gHboV57N5e|4hBgCcp2!?Y%xd?q}V@ zSNJsx$YSs&KmrU@TF*pBfXj20P37vTp&Ff?4liDv_lJ8<7Kvba<%9FV+x~gESudtn zBwk+E9>%m{vS28)TEqT1TzW27jE$nDWUChNH^;hYujiKQ%@A|_WFF8=Yb1DaOh@zNzi7T>XK5FY}qM?qDqkK+P zd>|}l;EWkkA+gF*tg5iPsly=+Ib3blDZ2ziDy5DlkGj1~bYuz85YdIiCyQ#20Zxt< zs-acsX}VuAVb6OnUk)yg|6|nK2X+ihC^y++JRVbV{998YYF*2?AJE`zIT#w{hC|W~ zE{LjqOkyrk84ceJFZ#!$cfDh|kbv=n5a|@kr9p-q$*!B1hTCQ(tWa)_V#!sd1}DRd z-qBJ2TsN8OVdzR#vq#kvKO02duz^iB?XN2e!} z%n+;EXQ3u&R!YxcAmyGT305p&nAM(Rm{Sh9zRoPLsRDOzrLl0hDv|NJl%Jb#PQE~H zYVA3>pM|1kBJ4Tln}w4BKRW8Y>>uqpXKMQx{>PCjl%K-7P~V>Us$4qTbdhtIUBPcw zQ@!(x!C`Oz;`IETDb*{+ZTbR{k(rL$Tb!dk8*of z^gPJ7g%J<1@0(D^CZs)9{Dy=)i6uW0h;jrWwkZpVWPx!^T;W5+4De5PV?shL3TNrJ z_S(%|dn%r)bS6?<#`;DCM7CGC$W&NyH_LB$c7A$%b^-HybTBv{9i8s?vg2|_8utBry=ndiDvc42SXC0YgRqAc;XmFs|`><5Jo@xqKe~HXB3Ky06#8QgT^U3+c>3F@ zC_Co{vkaheI5&`Hp&Vs7x=ln8#SzYqM+g0v89=Ewj1KyTy*Eb}d&L|adER8|nn{!G zTNyaH;P#y2$j+Eai~;e0VXfoPLsam5oRNG(dH@!;b1{zy@(8C=2dr$=@R2-VSmFzz zW@BSTmz(9)DMN$2T4HiO|3^TCCCP_KPzI~X~F7M{~!NyOSk!r zy;7Use5SS9{HC}xS8e*^F2?3JxwW?{5+AtQn&0TfwL*Kj<&@6Ve^$)K_jP+Z_Rr5x z&qvjJ(jZhp%c_=GPEO9M)R)-aRGp19RwU(!1`&&e7KXG4rn1h#ok}aPTtGO-Qvv}d z#{?;puH+kU&W|Ld%aC1{ME-*PuC#J<2CsZ)vP$>a1^=XOWhS^{xANAvT(_)B_n9kI z?ZI%Anb@nqsDpzF@x~I8@|x*tdP0Q)pUFk*=?cq0<>aaRQC=jzS2SVC@b|+l%k&jW zdrqvsALarvKW7A4Be6%g5 z_WaS-ibvdvT@G2{qs5vzQY z;+l{!i(;*5sFLWM`B+R?95mmDo9|Ly8mVmxTKj>_Rai~9b%|b}p(ZGNRXJqy=8ggk_udgkcI=rRdxNv8wXK~BY|T%}>;$Rh4r^4(fY|rh zHAnSZTj9IYd7D$or?99I7`H>0RIlz7_=?N>F1N^2hlmu8waU|%#Z_+J0vO#-34j_Id5-!a|fp(-?ciaGN)0ug-f1Fzc1$ z%Uy0(!cpp&_$-{l5|gSe8YjXqZAfeigrkw%&wbg zUu|#!mNPAcVGM|vF_r3+sbEN29Z08pZXO-KIl35}9rZ_NuSUcD*L`3$D)uix6>?(%lMuasr4RIS>ux43b;{|D3y9|<&}85LNJuJq(uNRhh| zZ#eHCrZYdF+-**LHl>_R1Wf-i=ChWd(a2>!i}?tL-bn32!sM!U_kDunJ?B07N#$ln z$bIQ21fJ}C_iXps)4!YN=fpcmd>>wQp6ztZ^LIqDdGmP3D*iI2)0xO%b^iWs+6ePK zRV66$yphkQQxd--;+T2l9AD>FnpzCU;0;jkIC;}zT|T!Bii4BG)4ci0#P`T*TE?h@ z{>wM7s>^@P9pwB}zm+ZA{fsKB|JXY}sjgkWHRQYdnt#pfw~Fw05~d?x16T(+3n0S= zvJA8$^}~Rt=C|Su%a6n-8HV~T%r}X6V|O|7YmZpt+uWFa(2zX{xiv=ZLGY^vZUgP( zhzjgeNDPr`m_89w4%K3}Hr*9RSv{>7Xcp5c4Y6YAS!^E5;(iD3;i(T@aq zO!E1dV4VX9B4IWQM28go7cqA8bkF$C*NvSvSL{d5iB7k^oy~~5s?~ZiiwX7?fRk_n zOv7aWw0rl(JX(y@ZiW+|5#O)GX#+Zj1_y>%IEsAg!agS$%Dmch=*v2TgC+Qv8}iw- zxKpUP;FLhv?8+{ahbA|ul8RFW?H2a3yLu;Ez4w7vv(CeU=x`?Jn#GqKd2})%F$sk~ zhb(5E6!ouXM9icH3F7*zlQ*rG!vg?A`AEVT@g#~^EQq(K61M~3M#IE?tP zHuTps>JyY@KlfOM4vP_$%;FbLenV~a?JrfOQ10CJRyWqI(;UOgN|6vb@7tYr{vG!T ziBQLCASC4<7G?O1T@O`Tx#8SELxE$JHb%eCItTPYf3*r9t2}BU6A;9e3XaZV1}Sd_ z2WazbaIlqCAD#_PMrVVAz4})ch##o$D|?}8&RC8(orc(dtOHw0jmMJ%(QvUaPKa_p3kBNTMqHo6QI7O^2o;?86XkFu zhY=-_F{mjOjc?^wXWeQXHKqb}DpzNTgy^p?7E>)<0GJA0C0}F7vXm-!zn}+~Jq$8M zuu~L5Kp?H(ZZ{k$ayk}hl=IZsKRvnV|Kp;X8|jyO^-V~49G4hLHt);oWJO~~r>{mY z`>%U%2dC%YpLpEA=v6me0nn*$mNX(IVQ=N$=)>5$u4k#mCAO((WfIrut1!U+oQiT6 z=e>P(C#Ul5>+^o^V9${vMgDz7VNKc5(cq+?iHYf87{O48aLiS@zOv=BI!=%S3_gqUh1t_Tii0XFVvR{&11wbI-ZJ`EQaSm9f z2s6FQd*UEH`fq62)rAx7a4sdH)M68}K=B>*poxA|w=`S^-bsjt6B<%Mkk44uL~l4z zTa;kPBjaS6iVqj;kopVt%KB|5w~Vvb0>@JVS77!kR@Zs|U~n!+^Yp}Kr-MVS4fzC7 zE;|=t&WZOJ;W3Lv#k$R!S>M_Ntz|mGn8T+ zNnDATQ@?%NKYw{T?2oi=_|+atPnOWn=&yfWSW3hRxu*zVP~BVIyezC_IZ(YNyg&XZ zycrITj^0&6si0edc10e$fvlkLYV@Q$fjmZF6yXFZPo%F<10?fo0Pj{BLDigKi918q z=vPY6l9<&)uZ159nx7|C9qXk#3z&zVK54JsfK~g5O^tTSD^#QRp;Qpd%nTBZ<>#~A zKwj~g7DOC9?xkgR(*F?{lN$1D1}+lsol0g@wc{hF{_iVo>?`&@Yb@nCX1Z4N|3EGQ zTj;Qt$zFcdG@J?cIkC`LEITY%zIo!AwNzEgEZ-$X(&bwk0yVIp{F;@!Og<p%&ErQw5xwi=-;rDN-Kp(pifGz=difvxwIDAlZ zKlaW~?(Y()iw^;Ra(dCfAN&|g1rGGsTqA-CpV%jIl40e3z~T1$_Rh{vouGaT7Yq%(0glwPrEQxi2%2i#M zE)w3|#)=;_I6gZ)zv!J@pjE5XZw*pab5gf&X6;IaS8e$LpM~vL4_rUYpH6ICoF1Hl zK8COwKhTR@?7Im>sqslT6*J_`LmW`K6U-53$}q;kEGdhV(32|XCBiYw@kF2d~DQ~Llx(m)2;NCsB{#>IO@gt5Bj$)#`P}761Yx2lLA&Ubb z?2LM8@@J{`OP#A}X(8D+^dnI>8#%cmF+>0WpFfVSXVje`*H7TkQMm)EgudX#!@!{i z28}~1FI&m^#SJ`LBl-n3lrC-X=C*&~BW|DxhGg-k1(lwhLS3{E=fxotNav7? za4gqX=JdUpLfn#rXRkyUYB_jalp_5sr3l)xS}&VOHlCu8U89K6Q1Ig7waS^H)h*Z% zVghH6E=iBZl91jsxxnrvxp8MWoDy&=N?qk!ohQ3bcRQ^_u8oES-N2#O5QH=YYnZ+@ zd^Y9s0T&)i1QfyYVMC(OpkYJINQ2{mGz1Mw$bvcK1$wb52tf^;jp$aH2;9;JoNQ9#!6Iu(Yc+UuPIYvSqQE4bI&B<$aaH7|2cG<@xuH=$baJ`bW!@qVj zB;e5%G6NE!AzWWW3D`Hfi1HuEe3)Y6)Ne1z{LVpt{i^{1K8AaGrviIT?nV6;+Ev}p zLn|McT#|WN9!hEP1DW$Z$K22OLwV=_aY^QX2zE&Ir%}`GL$UF2dU5RWTwt2|6R`C7D+fRQvH#j<72d*s8(U zuA`CYxdjeBscjxM3~j%k$_WpLgDP)p5|W!p?IT7I(5HoJqURb0#tC72L{!e`T#-V2&On`Yffx1=RCoswNT+X!>U@Jj4I%BVP=h4^vefS7= zdm2iK`NfMI1G01qw1E!bOxs+5mej!ET)?G?1_~fRp{=r7QN7RtZ>fz9bfB-ulkkeh zEDR)PF|3Cx>x9~P#SDFaI6~NG=4UEC8dz_QR+b5>mt>xWLCnNU%#9U8U*X>{Ftns; z(CQXm?=AS4_un6)epOFate=4?M07>vPZy@tjOpXsTrGW{va*)ycfLXRqsh|`uPV%z z-yinFtG&8P@JYfeA!UFmeyR-BGN94BoxZW+4QiqC@*soJe0r79C9A*JzC=1qiDKf?QKV#j( zc~#P;uF7hZ`BX6)=Y9BfV@LZu8^8|e>P5*j=VB?l^QB`!n{?7 z(a2HP&`|yM@Xg8oN$@becfRL%nELY~9pU=j6**+SN8&w4|MZ+HSS|~qm~eiiXwUcV6MnS%){Nzpp)70~ z2#)p(SV0id{sUE9sf3S{!e3WRD`6Vo8-VE`$97IO=Psv{m)N~bBHeBt?+3Ryq`#Bn zv4foL-C~oR{!UKKYOq^7E)A7gemYvH&!*4@DJUB1!k%77KTFZ#r@C2jKbO{2&+`iP zrKo9}>9RGuZw>}F^~P{?`s)1jqIc2XKRr2w3Z`9)Z`9MNnyHVJa~e+BW%@+-q+S?- z3`lWKq;End=!683$iOq-lj>5XrI26;oz;)cE>cERk>WR{ai%Z|;)yy!v0e?9k;()y2l}_MF z>Xa|5xUBNChS!6Gz4|8gP$Mad8djkb91v41+^P^Y>N$vVf!8w(j5<*-Kr9to7MyNQ zc-}{*xHYCFLsnuFh23sHX5sg2e8}P>vxpwH)!7Sa%wi#lk*!N}$;j*wX=%w3Hz^zG zW0yYY)aa2Lvrypiqb;QZ%N{HLNTpcG*Cm*aWil)sYuvLB>$n!LSx~tZTif(@>7AnB z={4Lqsqd8d%8w+~Y!Xi3PK3T(L?oKsK+2g1bb3RoQ;YRIEq?gMq{rL;aJRDY3b~nQ!$VAF--w>weVa*paA)v(N0S*8t=su zsXXYY%EIRc-d?FMIZo4PaK(3R(n+P62)Bx4s zuHF-hD3^{U2b0t%JOc^N-;dEX93jb3kc+pGz?nB3MaL*k!cd()!wn#Hi%KqHSsc#a zWzp;!Y82Be>XWIpXKSCyd{2~E7_#ccwyBvTYWU?TX6eh%%noZ)*4aXTpcFu{b|bf~ zENpeXMwaYA8ym=IS;U$xQf|YBC!2zYnEJAq%R&{foEr;@96wW;f??R4_Kr=+5^xz{ z0obm%jSELq+~C%ud`W@Xz;alM^+?cEPVo65tlx>aI{y>pO1@@k@9j*P&( z)5S1Rv2>x6sSQ+j^j@yMbo<_3+yPnQVI6?z-4l?XKT_ZM06e3D2`d2hHtQ3WXc>l9sAt74BIqhq6$`>PNn=LSu9kS zXZ!-G3lemfBy4a}RB{cIf^!mcNfdPwnU+&W8wXU%1GxsJOrxkQziIM1ws2OzwTX4N zP|#Y~gzVF2YDOJ6f3~JtsXgtZwfXTz)=VV_eI|nBrmdsYCu=dT-J(SbIrG&uyX<(J zU56@-SA|GQbP$gM=K7LVrujJ9&CWveE{A8yd9Gk&lK^eI+TuYcQBe%fZ zQN<0`pw23-+cuX7C!F+eh?|rox+V9gmR$cV?C;=F9}|3e#%Nf$4S)*4)3S1l?}QfP zLA{i9z@0G-tAc*AAlad;%%|vrit>U%RWoO?)TKxWp^-vYCoPKA;qzQasuVO#NJVrP zq|-g221o9UQMV#EN%_`e&h6!c)ZkL(hndtKAlzxdCrlt3L_Q=DA}W@js@hy#UR%vF zmbZSDtYaTXMgJ%Q11g!g*3-LJRJ+soB3J4Xz(n8ceUR2&t#set#L~H~k_uc{&WNd{ zNjW}gANTx82q)m973V#2Qc=69fg4vyILlXg#hOw^__33 zeQsbn+(axEX#f9b@9Y2CHj>7lpYvC2g&QCj+d$g1N6&rgfJuA>?6aM=c@mBj*4ow~ zOR6OEa>U=i{rlNh?W-&sL(*Qj`!rzh&d$!x%+Aiv&NK(jE=~zoq2?3=`jk-Gga9k!@6{txD)QCTtaDe%Q1F|>JR6GI*jlx>M zjcXyPOP26`&P6lLC6oTWB z%3Ry{DNVSM;_T(@B>=sc^wS=(VcYoo<^lUwx0R|R;M8j*LpKbs7S(hTF$G0g%N(g< zIpIj4PLL--e%o*L8h`!kU-74>uiK};k&kwFz7alp-Rr#VHgX zuV6?8NO*LHw+%{86peXb6)IMxuB`>LzGLg?54?(9I(lsXapO}E(qBq zTZESb}e5`X>Gr>4%PG*1q@!sx(ZU{8PJ`2G(BMl9cG9EKo7NMM!9alShwrvX=F^)`Y#_p2}Vc6N4DgCcL)Wn(rfcYFKQ-JQK})W#{y*bC1W z`&G0tsV&fE?uX-(bbJ&gY-|mV)Jh!pTm6;@-_>D?;cTihv2r@$^wp{Pl7+;X$pqP& z;U1tG>REdZNC$Ow{FKM6iLjJ|V&%@zW{yL8W+5IEdV(G{0R+_`LzalVh=rN&?%2{; zEI9PTXN=k_z~_#T2!IFX5Yz0$y#e8DdO5oqOXZ;iF6XQ_E5Uj>hwJRe zVJa-Ba#h~0BpV7HR8|zeS`$0YWOn2Od@7a{5wNqR(CR^0lfz#ddkU(RZ>gza?{MSz z(9K+&%|d^dkG+Z{09dtoiI*~MI2Sl%8(c(Dmf}R$xVj+BhQz6K9VM5FqGk(`kBy0s zxKp5AGZZH*93r%%BJr1@%@GfsX31=r%@XJU?L@_m?tE&@P8Nse4pkP#V;YdP(FUbI z#yCN27So`b5LE6c8S_0;F@wqX4T)HF)(!n8&O{f^ujqMzwztbCS4n7Yq;?ZVav$WK zwNBzwa6W>3^gMF?fcOh3)hyry4mQ1R#Q(`)n)RUT{fcb2E=*`mYokr%`N??}onzC< zP~i$8*ubx9HP%Gu6tVZ5=mlX;n@WRC?vTy7)M%Ta37nHOG%|!b`lcG^Q<8gc06b;+ zZH7Ohxr||&;YS1<`W)=4fw#sa4g_dA8xA4#pjQI}NaAA?=z6tUO=YK{o5{lnqu3Jc zPU(|>-l?SiY)E3OaER{5)VmlD$Mo)c4jK(Cn=7UZv0Wm{Nw3hlJ>&5J7m2dk=fVB?Xz>=v%N3zz4J6n8jg<;Kn+z73DZZ6C38Zm2rnQk z4ic%{kpT^Un6K<=MH$KDYA?xmENFr_V6B|TZ;-Qdw5c>ITj+OCJstvw^TIy(I(#lp zb02)|KF5(U$v*h{EsdMo2VcK-)G4S*>P8>^%lW2wm0CIkr;*@Ic6Lky2fo8ikv`dq&#njMiMMS?QR{nXlM z6pST+y%$BIvc*2=Yg{K37x6`i(!5yIJIp)p?So@K#d){#aJ%8e4{{#zv1bNHaggA% zGR1ivATL7}moxy8@o8vF|fIEWVKxT-O5@C48E6304x-S3`6QD!`jpjAYt z82v1QhHO+`D4*iNX#n#bYBE61rM6w+N3=`5;( zRRsCPrxj%RjBiT*mgw(XSg4yHvQjOLFcLQqS|HXKECc-TD!POo(f98wbOa&ro*lF4 zH|&V5++T^~vG?s+2B$H$_{1Y4hr_#wN6&l|>$N8V#xbv3|88OY>W8Ofcz$1yvS#9ztmGlKjksN=3IO&Hwk=_Pu5TI+eUDW znUESii004(yEJ%cgiqu(a2j2sKXJm1c-}r#T zgvK82t;V9`yCEDt8I1&?BS{_zh<*N4#%LFA@Z5{E=ql<<^4PFDb0kz)s<9$Ovq9q>KRe9pG1(#1MMdiSN#(W!ise=B1psW`LM zk!wJQlOW%n*&pIEl-Z&Q8o&iWO0Fo;q^ueJOjD-2#%3?gEhI1CT#6$W>k{z@ovQJ38-nvmEI0H%gQn}@Vj81^v*|cJp|QY z+rfofcg!kXCKmt79+51Nu$W(16}p^f)T7`^6r<#_^9+p+);We#OryNRV=SF*sSsiz z#S}`|NhXulM6n)Bqkv}VU?~|_Boe%GgI`!)V^bw!oJQGXDzU0PYLY($5tr)6J?Bp2 zL*>q4<$HwKXxt7@nlxbTwWo*7xy5|&rnF15B-q>*jnWm#p@KG0gnmDW$YV%lPnx*t zggnHQTg@FYP*MSzWR1%I%6i?YBpII14pZK89<3ip0xdCP)(=KrG0<+71Y~wn)}nh* zj02RPI;hL!poV6{#gEP>ZhGQo!-@Ldr)Y~;d6K54-Vys#mjr#f8jitx!gNk$_k+V; zqPHGQ zr0>~gNw5uYUWqi0kVVGV$sJB`j&l5<%x?UF)7&_-Sb!7{j-ES4dtJ7YDcJ6xA9oI# z$8S3Q0Xe6Vniq%@>n!)1#Z2_0^D)fY=`mXHNt9-*@r#H;Lw`3TsJK3!xMq1$w(7bG zekAq2A~ZgeR`D9*D;f{F0ngiPSRHly$t40fB5(&d0h>F1wSA|apeSlb(G1tGqHTpo zY~Ve8Q=}Y~OhkDnybRA%k>d=9`A~;Gacz zK>0crdN)*)>5g`$?n$0>z;ybJ`h$!Kg4W6ZqH) znAwI+ut}6;SV56M(ydv{UQUnvB+Y;qWvd?RO}frdw-n(m5HZ~@f%XUySj0M|Z?oML zOlQLhu2n|UxULKR_TeJrO_=K@FpWlD2r&5THvSjqw@=%*?Kj* z)9lIA>I*Ut)uKcNEOS}j=`1H-*<1x^{sSLxz35l)7l&obu73Td`t?cm>%JhB`CBYH zkK938BjeU8cMPO3^IMpLkKhA&r7Alc?_`+Lv5wpa9Fb&A`A}zgj?hC)lI9lx9K@ON zVZU0C5Z5A%u3$0>qHCoV;Ws;bFTQ`VQ=dfF)hwzGqiO6Wu$o;*RdN(e!D^cCA^fLlP3id9}V3U0;lq-*?)8XORLv! zcTOGP%M9?Mwp)9)t*QBLb1-Q2P8*va{`ukkPW7)J&i?YDvZ*!u;RorXB0&E{V9x$h z3?Lv`U@dis^v*|4=NkT%-LhzG5Z-EY!0=Rrha%% z7lFs(PW{lI&ZcFgf&bk^e7*bi*R^K?GrmF}?g<|%*gBOaG0V{GpFTzFNdMlWe>dsN z{Z~%mlyur4A=%w{RwFlnd-ykDdscRRf0VNq8TIK?>62G7F^o2fFsCZ~ogr;8X!3>F zF{IH7L|EgjG_2i4u!8ciss><6F0aDpH_NJz7cc+%-M8N}?U5z^w0b@9Gl+u@tD_{E zR$Z(es)`2}on>O+1_215i_1jdaEZkAvHJk`Pw!#!C;rr6c3-(ll>wGYjAM~w4~7#r zaffKL<;_X|yDK-@Apd;*_4}{h@8kCSXJ^mm&fEZ-&#El&ujv>Y&qU}F@Z9FOGM-v8 zIE|wOCs}0$@>t4&gxxy(8EE#KUD_jsZbHv(tjcTXfds|@!Z(9A__{(U<%ho*z?W@h#s`E({886urIEFW79~1eS12f$#j!0TDHF>{$cOhJw<;89nUR>Dig=O=*rO-om z|K=txFrL;ccfzFS_)k8`dEF77e)IU5{QVIp`y?klYj4+x6otnc-=scP=b|rcgO+VW zUbYQ+*)|@WZ60BKAer|)(!~SsE5g8MEL>9<{R}}P(GG=SQZ^=x6MRI{nUH?5A`@nR z8t&VyZ#wewJDYX?!)9gkL-^qX`VP%??rh>uHj7z-Q+q{Le0*d~oaB0xU(j(Aj(rll zDJ0a!?Oe~wJd`^$t{ItY$9>M+v76TaSr-UT)}p?E^q7LH^1uTPsjsvjol{Lin9a15 ztRA;vEt53AK+}_~!eJD8{Ch31k{+z1gr-=lYpK;{*mMIgCvkyc>@A2HdT zv~tJMnIpRKna$;I#7RkC2|g5UWgi~}(Y>3yMg=@{&*=Hc550H)kQiWNq3a85we!I9 zfYg{_752a(%Z7?L6Hixj_`B#3f9NN+^7g#J@-@`;*Z`JI?LEG)!B2W9^tl77*pDid zq@p>nJniYh?e7hmEUPStZDnS-=k4$F`t9$Q^pGUG<-32JcbkJZjl6Y%EHi=T1u-9M zDeaLvx4+AAJ4>yg4F9WwTG%)$k`T3AI#|l<#tw^7A&AhmnX6%$cL$x5Zl~WeqNjdW zjGNrrgcz+w@GC9{#n0UnKLr;-G`s}vD8mms0-6cd!-+By$TMMhwWa3PKj^i)X38sH z70*m+Y^AuoQIQDn+0CJkjN1!6Q~h!K^zCowhwc8L*M9XDrazDJ zQ3xHo5TvJ1O|$Gl?~R+;YMyoa;AQPbAJb3M8LSBxk!u|AJJW!sNe*F{MQO=l z4`7&e`sOdse`)m^&Ue%F&y%?ciw@318QlFQ(B8A&P6&y7O&10nx z$t+6D2E8WCQ{mN`q39j`n5SByf6Fi3Ha6JXMLgN)Iuz;g8sGV*ma=x@hphGhlu8er zb_Q?Sr>|M8W~YxPb3!k~e43$w6ic{ISZkCHZeys2#HjYw9cegsq)n;t4*6}E&SGRq zLJxHMHPFBG;}~1Q2zAq)nVv7laDXq!V}lb5_@2;WPo9v$+)(>CtR6A`RvOS^E$1;X z?eNMCd=K;Mke2}?t6Bpmq^`AAc~CP!lv$A!3DUIqQy=kT^#F@MJm<+4=s`D(9DC_C zmR3`I-x@LhA0Ox}Pc!mf!{Us|7AwmpeQ8VslxA+$FszSLxl`saUtrH;NLxV6iu3hb zn&w8D!h9PP9GOjEX5i~_F&OjeQTjAUVj3iZmgQwFcF*QIE#9+dn>Y~?x%s`*7y!RJ zLd^S~zw8v-Ys*186bfPnILNTZf+cb=XPTmYZ@_Nfgn{~^axIy)%)1e;AR%o> zBnGHXwRjbrc24sYFAuvtk^O=f{-LkPt8{uPrGUIOf#vol_O9|#cP7CPV0_mu?NufB zqGh+B1pydpf^zdd!uAf!mLYEwIj~Q;M+p1E+@Rf!_CO5?uU81G(A+IdT=Q)IxcZwQ zuw|NSPdita(;Dx^V-xaEM&JTs+rkY3=%G!El}UQeGOlz^kKf_^PNWIWvzfqj!mLsd zB{*Ni(4D0?{}&Fm!dWNKVfBIS)&C}i@I?uH_DZ1ITUHM&?6JHmU}diS!~?{oO}A?9 zK~(A*ccU~LCyPauiX6^lOK6`b4v7-rrl~&;jfq}NQYcCYlO^7cmPGo;@%dqM&^+&T zI)nR*m?>vY%1?%vY>X5*-@j7TZ zcZq3Cj6mw1o4LaMjgoz!U=qSNxPFxRBROYOpXLCPb}0M&NDdJh6dOc=P!P1u6gaxblEWaBpEyFkeLuR1nLGfQCXLbxcnLq5~IHb>q*;~iW{-AyE$m}i=EWwKW^zn~do#I)`zma%16h{QbqMt!8mE@* zg@)GTS+jRhzK7V>BuysDu#W|KlKw6yPbP8^i4uVAOMgB1rr};(_}R%nJ|Cgtg?t}* z>!5_V|L&pTztRSxLs@zcF(6XBjhHYOKNmI=<)f1OiD^=FOOXKXs~_0K05m-haUgsB z;L@rQ*)8yKnY1h4gC6_Php7}f-bv^a2u6ED=rMywQio`{=IOUIuvSetpN~uOsH>^x zJxGeKvH0VLdMnG=9s_>O*!D2;el%ZgVzdF{=XB4yiGvf7oaMhb1Xg9HlB8 zJU>T)!#*qzhZ4e(;P4MEa5ylMIOCs{J8>fO59zbY9Vg_x_N?Ln-h{%IN)X`y7eR0< z{|l-i1Uo>;)(C;~AyftuN6Eip1?_(PQ6H5LB0lr^xOf5|ml*lu_y@y$bwTOFESHTa z3~t4`$0^L7H~jP650M7!>f{MuV0>m+V{CyPz2mJW-B?n`AdW1F=mt>O9B6{yg zv*IKBBHYYmV}k7`$9|}0?ZD}~{Sb#qxSpqr3b`7g)!sxwp>?g2TbdQm^*n-7Wf%R4 zvjaYTDKGTU&G;1*2FbGtR*!&F5fE`e_4;=m0OORe8ej+5BD*kRXs*QCLJEZBRCPm- zKXrCJ4|)a^Ik$<}V4f1tRxFA z8<=W-qOY517LBdSp8BX}6wN|U$We(78<4hCZ`W z`ZXG$A|Ypfb44)F0)&8Cshefb#O=%Q&KQ!K5t}I(P9mQbcv2Ywhv6f!O)q)Csf8bK zQvwTT)^vwM7-!E7OPw+ZFA^PspOR8CaOBPc1`upz5gMDFg>bxH>QCd~7Q_juA>0ZP zKPzkmHpeh~o5JLPz;T)h1h>%)j3C4r6@uCD^7em0cNSiLh50K4@4zYg%^~?*r2e7> zK@RP+1Rh7@4o=D|tcL5IXZ{pMv#e3M6aU<=?$o~3qZ<+Mh7-D`x4}reczzlO?yb(j zl;FB`LJ4?IVGBk(B3{Zqm$&IznE8P&c@@&w;lHJhR%VGj#&dpP|4Lt`0faHAh=c$e zxZny5(^-PEf|Ixse2~GTQhSM|3X$t`B1oW$k9-P=z`i4LH2XpOC;524QITmgH;a@+ zriubmw67He_CZDLD(}sj{5X`u^NQVbXfJ|3YUNb&DQOrV)96$2-l9kM#Rm zy%->MBHKj(u@yurrdm(DL`Yc$ngsqn^AmKyb+bvzrrC^RQkW#49ewO{*zPqdTb`fb z$3>N$ZMDIh&Pl7`RJMj_V!WYKxx)#g`klAE1LFAD#wmZ|Yi~Ojyk@tHM{xc%)SqMh z5MO)$(x&r&?Jmj2=={g0>BQKJGxG5;n#K`JYyPHnd_q5;zUG&?NlZUFY`vl% zkv9~ApM>O9?~}SfmJI)|Qx9K^&Zky1v}+LG8eg9}iKZoe#IQFAmIAWnf}c{REL z`eZ!L$rBjFEH#fG`q>-ux6wqoO*1%s=S~CCsNq!ZC=br->X)^2qHPfqKk>S5lHKAu zg5*7|0HRha^PE_=2xnVtizHDfE$EW3!qGJi8F^!%+lo-6@d};9j|YfLX>^xaNfQYlou< zjgc>(V%-tG=OpI?zJb9Mb*`Z?Ezjyt+OK;}{K%^Ru0LpUOR0ikalF5vR(q&LwK=nWF?Sx zWZ5>d1hNNYyIMEG8dy8h;`UjT>O-u(k0d%5^)?rE<#>;C0CDUV)Jw|}A6`Ku`@fJA zwywX?7p>?#*sz*ob*;o}3EoJAf1CvzS|Y;3H>mTrRkB zXJ0)vZQ~ebIR)hLonkmzITuEdJKX4(=J8u`c_~-^M@;HrVd@-rE_@VyQ6ZaWu|bWgR(RznQHYOhN(u((UL8BXmp0+tC6c(q#vQ3)iMDH4CxlNn~f|`AT)yRzp>uM1y zx^WCcoH_E!P2_^T6=m!qy2nJ91+ZmdeWcx0 zw;CNTX0@2~z?PF}1CjJ|j%=LFLJzKPo>0!TT3hV89lEB?ITCpxGO=kD3RAPVXIv5+EiOF$(g1w%xxU;i#d8NDiC#>40QG=cuyO z?)cVi>W7p~X_j<+!8vtrtrI{0XVnhrr44yN;vJl4zI?;Fm` z+V1zY9kt;s?6VXdGSu|D#+LJ4ZLhWi(0^I!6m6BZ%=zSH1jw03!yLPktMGTQLsacr zVC@zc4df5{QBs!C?P4@-8C4E%gjYx_WRJq3d=$lg74N+gJ|4! z4}|TocDJ!&1C_f1CVl_Y*&N_<5UAn7+g`7AI$+f;&^K0dh?HQiXVbWj72*$t1`{p! zATSA27hBrAwsYqR&3_|!Sdamv;i;aE4QJX5Hw_him zd|NbK-dtxAW0<=(7N>?U&6_^5w+v2%r@+q0ZG{50YEqiIW;G~HO|ypZS}5|Y>C`Cj zgs;Cbs9YRp)D91$;U&J2_}12@;Z$B0tL%pIEh!mh$dQ9|4c{ou25OPu6KAF{wW1S* z!CGmk)=FWu3~dXGeYh=LXdE*}LZuX<O$aHBf4vk96gbgELu3iGXMDUuy2()K?G@Y%>AAKw*Mb*w^!c_1CXmK%#{PQc( zgyY{`PY^ZQNBzcTW0QvBCEyY=w-revglBgNZ*e3L@2f-&zJCwC%G)*mANa6QdxjQ+ z1uBs*gb(t2K?%?$L=)ShmAiOPqc1uiuc2ritLR_l+X+M9=~LqNY-Gs{qQ5Q@=w2>X zLZlPE7qtnQ7ljb~Ee~_j9ZD?aA>rX5UA~kDFP>myr49BH^EevkZg2b*`QkVlOD<_p ztYPyw1gkeXkE^g=MZHa7(hR-VNi>U(l4yFw9>V1_o<>)&AC0nOKfG*)-hq^GL~;%X z5iW*}L%_}lo%4e?t%IM5tl=~t!e@m(WITj)Hbu%Lf27BroDz=>BAiJ;k2|l=kJ`tr z^V8-@t06cv5t_WMNP7i9?&@Tqbbojdjq8;=X($taExIYNF5yC}*NmhXWLbcpz`w-l zA;llCUP1>wT-FhwcU!%acApr93qipfI0R3B1V3(N5Q3^}>#!}~;LtZ~ZZ-ke6PQ36 z?}r0mST;YhrcWrseIC<>134s45q;P!Zcbicm<{W~5DV7!t8$CRwnh1C=}e`$NQ(%Bl-3 zOg>!RYI^DU38==(_sV|s@uP9BOK%|ei?p%DtgJ8Ag~|+n1pdlRq1Or9VVb!?K+a_< z73FYxd)M-8_vyDiA#b6)o9%0RnaVg?gun3QJp`4U{q={8kFZ~;kNg$nN#U9NQ9u8q zV8d4Exj29xuoovY-veXc1AqJ5-&jKJA=t!exi?v`d444-EdG_DJs#oufB`&U_X zm4e#hwQq^RmDmuB3$edz0BkACh{!&Oxu$9JEhggI?<&Z`-}rAvkRJS_gwpuiXHU zKySb5Ka^ExJ7|*<7jm?2VrPKgL-XX2Y^)-Fvc?Cf*M}B$xGv zA4(JahaZw_frlSTPzlQqW^|3<(-90aocS9}-5B^Oz}e`@duj60%8gsNiNO@ZeNB%U zvFzb*$wBs+({P@#7ZI#hCq3JI{Fr})E8oh8P>dvTUXu7boCCt8o-_1Idqlpl*ow9X zAj0Di%UM*Ol;~4mbe*CcXXNt(fEWvlF_J&sFHuJ7SAraWYF&O@`1z@X~mZa?A$A$p}a{PM)56vVh_VC zC4r{&wQ3dt52l$P<`LPb@xjzH5(sxP78J*?c#RQvkq3i$1cNe`;;SXh-ft!lFR1J2mnOOXdrA-<)Qg zos~5yHu!MiWc!AOzFy;oX5F}^S2QlgNRg!^qQcrh{MSP~e%7#F0hz47KM1l6=aTb8>v z(d9)0D**-Nz?ur9>(?_x@{3rFQblDqw)$vsqrfxEaKUv@&T@UqEOJRNIk8V!olB8r zYM1`m3D>G}E$p^_-MczxDspC3-V}(`*LZ)n7?|CcRcZnLr;qoA?xH` zq){--tmkLM-?sBJ86AIXUfeqoI$9F&q5jOg7y>Mmh2APInswo| zC*idL1|-5!Tq(kCZZ_$`GzzX3T;SR`&Li(rZ7fyh3T4Hc&cb)2QQ*;+vkq{iKiFNo z1dGkW_VyF~kQcVJWf7Z`hL%_T0*kZ7zys3=9mNz)wjQZRT5k&)}c2lwQnFQQrA!kC_w^ zm6GsS5f#(%5JX2La+}ZdY-#7L9l!s=z}$Pkh~bh<#Q6pqjZ-5^#-)85_4=mn*#cttBi#VgiJL&L7DgVd`Q%>8kI7uMAVV`H`GJWB zH@%lZo{>lL?=f5~i^kx|0y3&7Th_#kvUH?l7zz+5dPIC_M%-8^u_CJx5p_#^y6q?m zY!T@4{h)9wMSmyB=*u1_*<8EkIpi-`gf|y_6y1%H!t9OP!dX8(oKZyHGifejwHFo7 zE)N^Rj%eG}-m#x%>Kj(R+uC+o<@2c<8+=rY5`|!@VBBihrR)HQA>_~uW5O;#F)fo@ zjWsT?L@hfEjX`1oNZnrNpw;iUPhaP8-Jo*>y1h=f)f>D6N9|)V5((ES_es7@0S)Ue zq=!7=vO%Pzbe{hp8i9(OM1M*0;@&m3s+7+3SEGF`m|J!OdnE)&g%3yg)rtVM>FfxY zu9BZV6+WYtB#3MxzRs)ki-_rxY!| z!~jz_E?#HA${Vmqjmp%G^+Xbie44q0M{|hQei=^eT@yGhS5^x(G zog2us<kC<^ zl@}&GIGiP^e+9{183m&_VkJq`CT)Oq&)I_#*<$}-?^z5hr1{_Y3yb_@!PkJKC97`& z^gp#)OUBr)AuXb0e0Y9BY>#~6KLDHcApzunAly9(Fi>9Q->>8|+?0$^gpk5qe{WQ_BW!hLj0U zO%M3R1NJ}W*DK1UkNk>3ywlQIW(9AxObaax{E3wxl#bL-EcZ5~dKCBral%`=2I zY!J=E$%t#7`M4YvxxrFTMaL5H3g(NKm*lL#H(_#&f$Y;@n^q4YgUg>y`0b~3S06`y zn9=%Z{Mr_cq+rFr(@cksnxNZqg6oh zfZal_gyeEjElZ-7Q%~Y-af@4wscJZB(9HL^icl!wOU7GZ1A2-CDSEe0;})$>lJ)4` zFRJlTRAbS3er4&`VnOwi3-^-#&q&0q(G^R}RhI<8p3pGS2No|aWWuT3eWMn7Sc~Yf z>q3+G<;Qlj2x_^W{yW6bum>|rthx`=bNqVt;y^{LF2-i>sug<+&Km0#X|TFj1Kru8 ziMKk{WrW?xScPg+8SU9(Eowd|34CXCKzNESu|M&!zgXZ2Rc$W;XjJKYJHhVrLO>hd z6m755a}9WzWAY_@Y*Fp0ZYi$;A=@*YPlS>ZhtHYv6~4%!d}-X~bjHjppq`NL_U^~D z%H7pLr~3|6?il>JdRJv2b}?6);GZ-H2XES^uf>5@V6a7~3(x++LFaVPIvo_x#Ktyj z9mvECes~pKLd2Cvvk;H66gO~VNHcl3F{Fn2uEHw%xu^Ww3Inx^`KIuCsB(vJIl>nS z^IERi7T*tud%ho51M0&nOSjsmS=Xn7V_V6 z$b&jinaBsF&+-8foFw_}1eF0+GKH5(5zD6-OQsk$MoFX$JH`^aqVN*A=<@gvdgdy) zy;kmZ)^uB)dz#7wxylnQ8Bfc8IR6Sh>il&MRW>vSfD&k0{zBU+3=ZHZa8)UyKvmnr zqF}Ne40}+)iO+aB^@vdbbnywEg@;kCjK1l*oe<;f;!jU_2a~2_Um}yjlD_oHO{AoC3WzB1_z;cC*54|3BG9>z7gUW%6MLQ?!*HBU z*txNCw;_HzSG$JrIv-TgZ@9{Z3V05x;|$ToD9?&68}!;I;H23fw0b|c-pNZQjm)tX zN8I1pf3Y{0JuJf**y*BuMbgZj=Piu(O(*fkekd*?;!D&Q@j?vt7sJ)#XOd9?qPhu= zOMc|b1b!^rn@vK(9kJ^adIro*D05pNcNCenb;+Ngx{@615@4@KWiwo_fBX;Pz2@K_K$}xoa zLX1ZcgWE+6A0=*=;>a{1m&*i#batU-7UuL<^6D2Dq!!2W(uac5#)g~*q~MHKjI}9S z2EYoCE}>J|V!vA!f>X<2%gc#lcs$;P`HWJOVngK}nLq5rT(qDH+*MXm1M!$kXd|G0 zFk<7aJ1%%p{BLoHFOUOj0L_Xcxj$Th#TA|4yr?iH)k?voV^kNrOw4O21e30Kvfcps zn}VDM@h6PM&kKrp5HL_axs*nT6_{vK>NCMrbR~Xg0p81H8t{nCER_JHzo>8go zV2Sx?4}J=qZECzs7O@vEbcU9GKD^CbVgp|BB=A#dBrq#5WSk<>fS0o{-O` zn7{bQ%qVC^-=D`p2FhOhk(@9GQ5X{OCMjV|icm=3q#3|0#f%|%JRC=)7tNJ|Kfy_1 zl%|P$ap7mv-=)^%!;{}l9asqtse|WcE;>OOM}VF$x5l5;hRW=XlTb<2aL7y+btVfX zdEUqulPJyFaRa9_LPw<8Mc@zLpbxvM0}nNoAm|7EwHD114;?)i2ksDppBTCKpZ|ns z?p^FZ|A{Rc`W4Y~AE~3C?#SHc`(W!Jn#NHI0e^ogpAp#1oS!PZlX5J@A$NK1D_uiZ z?nF+QTap3sWpMJD=!y~Wd`Wm+5;A!z6mkL{4w3vxXQCd0fF4vvaORRx0%1n)Pl>N6 zo+VJ`jPXfvW&&RZVa&dtoFh~<^VxF;k6{FcD;km?&XS@K$@D7e2??r4wldRspdirq zF6Hw}QK>GOpO7Y_TQ(^nO_pa*^LGjVz^Mq)?ADoua11lyBq5}{%b5WEO%AfW*Hwua zPCeD2HHjz7oTphy)|`2EDzA`T5Q(inbh9YwCeg?bShnkeRVbW;j$DcMyTiF%* zZ_kS+T3>QbG;uAB-9NiLXj*Uvr}hJ+K=U6X1KI|4%%ps?b3-q$%qQ%2f)@v|{Lk=~ zaQ!kC^=dZrs)jSqN4%`*Txiu0zEd2A|Lx}UdhD~(w%L0I(QJ}wZbyP!kujDtw$+X* zXH2OBI>5;#i_?DXMqhI70bYu=<@s99W>}v~BW|ELae8XnQU>!u`z8?g)z&U~0B=SJz?&$65 z!D;iP^?v6}_sknA)Of9T1W&rR$2E75#n|NZ*^tIZ0k}Hfc%#Qj~wa#XnW(R z>r>^Kqj0EGV*_mUcFM21K>Z~ax_p+!_u>#@C>=R@;d-C}RF72Jr8ih$amjm}L677# zG^Nd@L0T$1mI};Tr92~HRbz2ROed!RdYN#q#c(AGi>Y}6=!S3O4zDLxn1VuWTq3%P zh}aS~zcz>i9Mfk?DhLg=Qpq6HUiY^C4~|>SQ}DKnR0BYwyF$Q~hSll@e>pc7j$L*t zTj*c#m#^P_J^kAI`pwrTf`$;)sNyssU(tW6xSpKogCYcKPva=b+%N;qGyDTOfrpFK zA#_Imct$3l0yly5h0iReMtUyXqDCQbR1^g}da)5u{y1aUY^++RthN6rwz=S_{^pC_ z{>5%DvfIDd>|bp5JO!py??AY%Dx`w`6ntN}u&w|4NX>GSmIj8vGY-c1gJVb&D(zC#^xV;Z%-}o3GC)6AMJQ6c#twRU|%r(Nitmg3l{>4PySK)_QqZ5|al{p~d1>f8GM!d6*+jl5Lon6mk@R_Tb?l=zA9@xUr8TUg_NU9UQqc)BP&RI1n6 z!@J*ueS_;j2u(xuH9hDoextu|${Q~f^|IQYXQ&gy@0;B&QKGe4y#~W8(}5uhJh6-H{({+1)V)G2 z?lLZRo45b*vG~7scX{f``;dafLWI^jH?3yTW1)-Tm@S7z5Y-!u+;nEL>s0PES*7J3 zRM8|K3o|Ak2)L3DR9Tfj)%Wf(%noL07EP&jZV2})^b$ql{kQbTk?RX*3vtnno+8QC zeGN0DK(c5U1^II=`a(WR80NoCg9G+imo+yiMBlV239Pe}yPo0o3*9U#$L&|YogDAs zU}sRR-rzX?&3e5LlPj3ufBYe=b4=fFR{YJg`cDkdCa}Dk5eqbckM8v)s2({D2W;NO zi63U5vNzu(6&|V{*mO3xC)%u+Gyh^Di#s$B$pY z4@VKW6>ohEr!|Q(A{h-A`4W}O#4Cs$mM6Uau2g}iEXdODOC@l|H>Mc!!gr?SL?Jh* zG z6HtxFOS8NVRponefHiTxYFKLgU&d4~5(Bg4Z7LF{G<+1fu-Mi2kPz)ev_>(pk;ot| zR%(_J8e8Xe$W8(5g7sKhn5@I7GG!idP12>B?V5CzId~OGm-(1skS?|1qez$K)N&8$ z($2SQlr9^I4ANz#W*OaYZRJIT`eY3lV>?W-B~HcXPk?f96CU|$ zaLEjXSPcAnt#WtRI%>W>9-KGv8=UiQr#G0h_XGCUy#Z@^c7|Wb+A`-VG++6qaLG_2 zLA;e+*s0vLejD_f=LenBqxNeop;VWe6qd4JLKa#rPVy5@^}f?Ar9E=9$#AZqYU3bh zeA}_Ycp=RK=LWa2QD@}xP!zV-mG9FujWN{jhlJLeDlr(LLi3jeck162sKf8A!>CSs zVX(hiJE^`%(TdsKnJ?;RKBw>Q&J9818~mOXt%hjQtGemVxFR$9u&;aIcAr}_9`ioZ5=uQUtQAfV|?y4aS4t#bF*vggWWmC=58Q>66Ksl zx%G)Q26!`sF^#Exo(na2uHVHy*X|G8&|64gv!}uyTV0;4X2^vB#q?d^W?GN2F}o@1 z!A+-LA8+POa@B_$Dk?^8t&$7(F^j3%Ri$gg`LJo@^34zC&N=<1-YTQe?w=;s+vf8$ z_mmZ0$@p;ctPC9nJaTv-oc;aIH#>N0-|u|COVT*-6BYWH3X9Q#vc+^g+_B3mK5yB~ zEW6=kGP5+hso2cYOsO*FlHJBCFqanESQcAJH?qvZa|f5)GRa{r=f zOq%Aa$IvtuUu#)8VJqTD1~6+k0(%!Hx_RYQ!$x9 zP4_8V2sC#QFn`orG~`y02W4dJZir)+9|sI1O&rPIK@L<}Q0QYMe} zUtdNCH_`Vj1q=B5%nc9{7m;{9`+OLMsqevLokP>(Hn8*Z1Ebhd>S&!F_FBz;=d}B#*X*}+(7o1i z^S9O^`t0CMvu7Bbw)n@}R_~qK#IP{#u*AX`6jtF^MCUm$i@!<26d^Q->Ahs|b6DyxQuvvw$3K7!nl99cvq&_)ATExR zMa&mPs73pA?h`9{XjP9?s;4P zSSJ!Ib8)3Q6JYXD6)9W=FDef z^%!^ZN5}eBO}=QwSI=B49bHC#=z-n=W%*QfV7504 zRR^#6rWr$?M^~G1Dk)LqrohFfALel(?WoNJ+5jhRa!GFhQxfulIK?$w)h@+A>giLD z6<@FcX(U-zZ(u&rMt!IVb*mxam%F$A6I*lZAkXJ#QL!IW1hE-g<6{LyPNWe10^P7@ zyC7p{Me#sXdXsC^5{Qp8JK`mbiU%<$3dy`U;}Hehb(I%3tFH2m*mzjX$n7e{J&cYX zpWxI{;`E@Nw`JmL0%;5~G-`sS&f-O;@zRE|5d9K*U@BU_*~HECyrrv&@~5|dAJzOd zhMn49U0NI>;7@HSj(qj~c1e40oY@(E;9f$|8-Tp51n|QwV%(1H6LhNk!piqz<)tI2 z|JjGbc`R=?$h??H8am+ zGswCa<8v||aT(R4C>aFlqZ@}Ss(mjqI7HJl=&q{}p#bY4O5Fe{qEW${>h{5Lzd(_b zg8l6&(#Kz4@oM>_ZIq`>AG-m+&@3)oSwE02A$q{>$i4) z&~H@kNImws)_hUyi}^ut3NtXo1w26(O^0qqu?NR~n!ym7GwP))OAcNCX~_CMxYTLbvf#HkDTv)KNa1$e?hjh0 zt)4lTo3<_`!n9fSG1v1JFf?xHdfotkO=z2Q`{Qu2PFc#hNSW$ddjM2o~M_797_rgL?aWxf>(D&`CqWrDl=8#DJe^PgY!Y>us|s3Ckn*Qey@4Ekg7Z%cnu2$EP|x)r`1F#Kk|%ldM=DuU;3iOt zrnO~7SqDW8xHS(7m-)d~Sv#kGnmY>fBGH5Xqc4A}fn%L?(WJ?!q+Ec9@(-&4Y3@5_m2r)c3mb5Sq{fwa<6n(oUn4~M zZ5q^wwNjIHp4o6J2Pu!+m*83Lsd7-&E(EvlK|SO-L+O=$mRdBBh9vvo^`HIQMwe$i0N897GIdrgRJ) z;0V9=Fa0=2jqBes)t6Y~y$({x?bFxbr2V?r9JD*9pmPL%J2?hN z?c-M8S#E~H8nBJS0gmviR#r>cW*5&}FrikP_v|8{dJ-W`>4#&wqf&Qmg=2fKsU!73 zr%r!0PQ6>UhL~VWE?u!NPGAf}51h7sJwI#?n&*e@9*EFk!yj=hfS=+t`I&zO@r4=( zpls=tEeh|@H(0si7|h5a-|As*Tg0X42N1u6!zWsKFv(1Ew#n&$IHwE!_}I#MFFNPZ z^tcha7 z+ip!qmniVM^lNJ|;}Bk}ZL~{_+k)yy`5X<&LO6S?nD9tSb@=iX1aGCp-G%{Hy0yAB z7Tt|TSfCiKQA75-rR;7Y3n7`ExZxOLW-$XL1N))OM^+wE8HhIN!8q`Tt|fNhzPuyw z#S3NS*S=m4xK_H{{oTECJ2AdS{G-U6gh7tKdMpp&wf#$MF5ADxyL1Cr4pk8%4$TJI zk=3tA!ZrR4|5`>fFNI^^3=&qc`KtB0eR_A)Z*-3O4d;X7%9fwL`EBT zR}of|PHG#ssEKn}{DM^)VNt*?;R9){#h;4=x|iBF#*{`mG?}aTDm)bI1no~v=aqC(b zOi=BeIJ5f|z{49v0%a&A2qVwM^BlPq5(S!_^UzldOsKy%e`%g~x`TG-w7-N6C0GEg z3erwxqDtd@W)YfeHz8gf!V-Q8;50_Rgkb8%xMns6 zf5wip~Ekx4ZJs-U5wru;GvYk7XyJojb)~Z&kn_}crIvj7nZ*nAN#0x=~|#GMS7!da4wgj3rRTy!eoi`YXP`2o17Ec-4wXxaG~ z!7AiGTVd~*x-n9g_`ljVfoxmb_P`CjsToVc;(*;#n_ z1a?gPFQ9otf+%THthH_x`vDZj!(uV$)>mX3v$sfnS5UlZ+jw z%09To|G^2Sr!dSw78|AljB2BzA?vg0>|*CpCx`c#>L1GFk{W51jd0o zgade!HJpv7>Q2JHJm*V&K8d1Bgpn`?Q9(lUl3^(L;7^7IByk3l)S(-K3kcj<7ERsE zAG$$s3p|*?Wa@{|qoz(o_LAW&Nsx+|L}?bfQwX92bxvUhW;nnRHR``<_F9MMr=7#r zdHWE+@XAl35UZ9e>e{SOC*4lJ#Y{a?EL(5(rgeN$Xb!p_o!$o4 z>v*5Pc2h8hAw-*$M_!707qvX~*z<&Y)v(&d&x|H+6)&}rp^Sv!VMUPE7LiHY)yiT< zpERLSRK%W3Xs-oLx|-^e<^y+=XygZoM+?^T5;8Al%$gtiDG9?aDiHM*RhL&q5oXdz zS3=^OMezja=Zf4AU}dN^u-^4x%fj3d7w+(K7UOfA`SF;130y?(5j!|7pyMzG z)p(TmK)-P`h*~3t?UCyTM0pRR_?F*vj`)?4)KA{?rl2YgVSq^pq(ChZ{@5p%df1JJ0;5! z0kdJ9G^+=sUF}9>Dhepc{Ka7M-K_`~9F5>G^RM9B6ee2y9{cij63v9Gj7QiIWxSlq z-QSP!#h-czlQA^56W$Q(h#a%8p>?agNd z#HamelpXuwWi#{+FjrC+U@miPsej9#16A%M1n2Tc7z^zU|Ej}L=3Q=7u!doCX1~{r zW#wFYs+wfa?*&+yj3Vy((_NFE%5PkI_|UYpwn`KLc1@GF6n>SS2Fg3*7sc~uR6P08 zGj4e>Nwf@Q;#gf+2plYFR>PK$g&+5jn7o{rc8fqnlXMk`x=28+o%MhRF~Nj{J|4o4 zLh9N)j>h@$u{%p)>jn;Igrs`g99L{h3Zwi2lhlvG0$}D2Im9$`lZ?NIv;&gc3H_O= z|Bkvn3qYt%9hp9`2Y;XW3G@zqA>)#nK2lo&o7-vNhnH-nd{_WSZ!6#v#kZw^C=CTS zd~^j%K~Ngz5VFLdp15fSlb_+Oy}#5<7@u%Ymmk}(WEG%cY_Gwio8dw@w4K&pxGz}< zLujkPVR~dC5Uz=M%USHX8O%Ac7>ud4z$XE8!?$rK@aVN%368OKF+p9hXi7toe+4Ih z5%&ts^4?|#oE?n0y|CYgUI`5&w$c1a;Nue@ ze7TRi#7X4MhS|Ot?TEjK_>$~{`jwm1qd2Sodz3_D(e!&_knVko%hZk8uN&Yr${^SW zmA@aI_d1pN1z$fe84Ztbs?E+lQcc$odc* z?Wr4sbP~-14*~E)cC`g>+-V%ZeG`a=0du}QWb>qEd4ry!$%i?I@bfim0J9OXd4)8Vj}qTEOANzk;69EQrRbrCq+_4XKrESvLeDTSS>o+T2i?Jf5Dp zr8G?mKXZGIDcaevPWYTy^Rr@0#TU~ste*I_Y0bp%rIku&aU3O?)PR15+h}`$vNTIj zj$di(>kQN)<2j?`+bPUkmC4d4qDJlGM@+SJLbWN__^N*4hxH3LCB#gJi63VvaX6cG zX5Ecr)X8~5dSH+^MeWu$F_Ot$Yf7uTZh#Z_1`PZujAo?ZFMciYOT9~{2InYEDNOP%il zgfVzQ#+`+kAAtA3`PXok1fZINY6S8O;ni#4e0?{`viN)$d2sFk^!t9jzPtBbZKt+V z+ui?u=li`n$*NO#W50g2TPGgt`UJW`Hu)DhZ|?2vIN*%LUW5>Du6X$1 zcvq`cf;MZlyTgbn9o|8Ot^lq8Qpt%5&V&mZxda@>AomjE0c-iUH+}|o%|};hx%kL` z0lPxv8>aQ{4xM%gp9o8^M?NN3#p1j%4$uSX3^D#_76iAoTFnnZJM=Sf5QUlR^8`Vp zdq0aviVU$tA@xh*?u!geG7f4=;D z{yzerR3~mdgVQ*0Gue+@4Pl0?$2bc7A@PSUHO9`)&dzt=evALz+1XM5-Tmg9@BU}^ z#mg5jUwpf}v$yj^#`4g`XJ`tN+=#_gL!W{vbbhcU6$!Fkxm5NQ({T z^CxcXQ-|0-pkMmoxOVw{TJxj&)$Wr^KlJv&Dfz04`#oVM6Ed?xcMA8B!NIsoIt*7Q zZVl~0A&&p5fcd`NiO?m10d!M> zex=qUf7MP2a=66=CVu9Q)h0COE3%uwlQf3I{U?al{s`3K$m_#^oCFH91jjdk9~=#Ik=6<(T5@C zhvNjMDQQy$ZSp5=z&o?nP-@&Vv^Bz|e~^i?Z^}$^k4{npFCqd3;P4)>tJNz1vpS!D zYB7DVpK|(tlvd-b;qscF{4CJ_FL!pnRrLSPci(*XMgKp>50xSKyYVy_BfXzyFdV{K zb{j+Bgrn3!^0Be8A=#&In)tLYZ5DiM=rSF$CHqa>LpO6zaEiw{y&O%T>vh85 zb{~+OBWTw#i_8IGqDxSp0d_GE^ zGuRh3|A$lavT|6vq8G&XQy)UU{Cu*Xa_9fZgVor(SkVEn$p5>y_d+@U@9w64a4$8WK*eA*VYZ@#l&1W#934jST?7VBl&>VO_* zpYWjYEO9e9rbm5pKI=t6;D_V4xWU70d#i3-3-&1njbbV=I{FDDq*p1--503DnJ4w9hvRmLX$s|dh?K}&k<#!)m5 zV4t`gYU5!{7pXbKbxv7TJ>z7?!+4lLq#}GbNLQQCcoVHYNTv|OS5>Xe(?oZt@?9PIqk9CN^2kJLWiB)sUXAuwsnT9h= z;wa4EO_uA$WEM8lw`qZIdge>wKT7et({j!I(9d|3X1Y*ZhO;z_rfsRyD>(K;X1T;> zv&G)8mYXpzjl?ObClx)oY|z5U4btW&{xTyDWVioMI*Htv*6Z!;GjKn23 zcb+dq%wiUjZy2OiYoqV^Rf5Ey?7G9k3AkM?<_(pNf9i%_&WBa7nNBvvKdVFW&mZ~k z08B4EKLOPk6tKh+1oX(`4y*=#5DX3OrPpm{nXhZSZO(1GJK}W7%>llZNyRzi>#Z)n z;wjw3bRT|lL(hJyyLSETC`!7CKXsE^%2EYd47IP0 zqNEy=9-kdsEu*^hHx_hOIKv>$t_1OY?QN}AbHp-o_b2U=-7-n5paVb zx(2wVX)eQP3c)Ov=0TnY6&?Ev(NRf~#~ZVs>j_R|h0~aiVFs$zH1<81fNCF92jB&J z;Z}RSu#sA=!vk0 zG2Z#e)3j_@7fG(vNurpenL4Rap)Ue-UhFhOi!N$nlVCHcg69ni439X0v75ju=~&HUzGxuOeGHKmZPOp6ZDKfyu0v4mS=o)8#cf*` z`PSCAm|PO~a-^(Y2FcH`^C{SRwOOj(=Q7f;Ea40`wZOsD7&>$__rgt~W@<+XZyHBw zHcnvrdr-!j_Ab`SzsnfGNVIi`SPpzY(zo}bIjumu;m4wJ|$Y(W2A~M ze^4tS(0A!}dufdvx#+CKEg+uppekFTg_e+hT1j9Wr9KXqCNj?)v$cbXn`E_S9Mg-| z0w7nkg=kf+;CFi1*<(O(zT)YIV z@2bnd``NTCt&5(t+Jr8J@IT~yfsh3FKor%FJ(bzs6F|JH(w>a$c_9}9&!3ChZH z@A$#RI0;sk;v`ro#HQ)tVkO;P`=m*8@(I)1*UH9N`oC$mPMfceTbf|*(`5TN<_Omc zusGflx0P2*VRfKW;jVCt8F1U6k{fB?EAdQx@WKN`Zl%%9sOadL@7KmtYyR~*hEX^4 zf+5wWYZ{*K#KlANW=lC8%DjCNcW>v(dhTZ*=yp~JSxNJDr?cq=OrC=Z4qhP#q^)}n z9b%ZBQHy?uKTSXSVYY1&Z&}lmo8r4W1D4hUu|vhKvZf2!3bMs;L7OZ}pbZztuE#A? zQ<4N~bGR@5JP$R;P766u;}4cje^6reRu`vml=4LoPyH*>v&?WR&E&hC0$CKo@rn#X zF>3F|?spU*pI<~#mS%|?i!p<85fDMkDQ!&ayll|P3c-17x->Q~t^PZW!sRAA9>z5> zBo9F_&e+t@GE?CUAWk;$hcM*!NMRHD@6WQeVq!?za=A%M4!mHNW-wtxI0I<(OjM~!oW%=p~)g!c*#($6{55j2WSE8`jJD(7P@s+d-#h3Z7sK> z1^h5eVbTp|V?Wg58G+;<^TRQSal=$|gB>R{FD7YFe^!4c{+%wku`Ud3g*cGlfY88% zTyGYJ2sy&0KIz;J!W$o7NsY2iw6tc|N+ zpq>G^Lc%Y8#4motFMdQ7-7kK`FMh;7rXMkm64`;s&DU;}*k8K&p%h8Da(^LjmI`Xo zGtqy$S8gZH(%QeLH)icv4iz0(Y`~0#4&*|G=cE-af z9QorDH$GMNalUE{wJK?9n@&E3!X4^Qa@DYastp0ZgiXIEt1d zJL*xF0od8!(5?itW4rSg;q*}ILPY9NQ;wHbk`x9iYiF@i@3Sn^N}%icAxzV55?vTo zu-roQJWR4Iehn25Z(PKm%4o4-rvrMvUiuWxYm*+rz`b3R&_Th%&{c*Vmr4_%&dro1 zg8ay(@5%zy3g!tAN3I{t5;&M7Fr7q!R~Dw)PZfClploTVYQNQ81A%`93z_r(v-hUm zZQMx1=<}Js0-^m*B!z5=)Z%60yjPZFM~N-z5#?lZGdU*M4U&kOjh;rgB*yXm?f0Ot zH@mq=va^hM&SWeSC~Sp7?d3JN8*chz{XwYdPvV|1v$V21Bc>1UUhvWfc~5BR16>I# z#TSpkV(X?GirHvHvMPhJ+bzeV+D_s(zqOT*Yw{Y^3DZmI6y)H}skjOo^gE<#!y!S< z_f6DnH{EXn`AxN*UG0suq(7Fcnj5K`V`{l}oQ*sc>X+?To{d_-EW7OUO_;Jf%$-6V zA6IIMDj(iTAye(_`AT6z+S*mgFW?-hY2YrFkXCp|w>>`OjIo67riQy@h< zW+N5lQE}#ab?9>(zV56CZOb#RhElbNDrU3l=jE}ibh@i!+k9zmNMkY}xI!SUQ0$t< zHU2lvsg!Lv=!r)}!?<{!b-(}dVU5MtI~lUStrSqg^@Y%{HFB) z=SW%(tOXL*@|oqTTi)JDuSX*i;%r4fz1dz%xauu-ViN!HYfp-g`>nUl72@#n%ZCB+ za44AM>GD%7_drO0bBn2IbxMsMSUPsGXg|s6z8Xa-ggG1L&8j(Qj4E~We5*1tBw0qH z!y==}s27e&RKzqH9gh-bzCOAkVF8|kPS-ZNCUi8;pQFy!R!O*t^jH@po0L5aa+b1~ zji%p|dJo6y<=T$3z6X&1w&x}Dbw3q}ecjJ(vgO*(61isG&wP#lqO|zlz_-r4>(A!i zaB+;Y=(f0+k^dC*mZ`xj%M~fA zW|++3+}3Wi$Z8~2>n;i`Y1fgD=SvIrUlWy_wWOke@8)Ouy#?6nlxU^Fmag4phbs@U ziU@IUCb0Piuv;J5qIoEO$n4>r4)Sh;-Rtq{ZM@Cdei|#=GB&oAj(M)7Z1KU(>wafj z+3gN(*5tVO%oYdt8au7KuPYZ;s)N74e0M*CR|3DC7uP%=E;32;=^>RR?d>49^4Xg2 zu{De6Wt1uRxf5kxs3ok^dEL+PRYSj(uR+D!-LYl62~O`D{bvB**(d11tL;ucZRIMh z(9AtzDB8LT34ZL>tzO2du9gBzQ>8{7S_wp?HQkKFm$GPrXQ zqaruv;+J6gJjQOS-6d%1GOq3S=-9sE?%!>=yPH1h^z--go>W6$=}B}Pj8<_*s@C`+jg<@EeFF6^*#bjL&$C=`dIm|>$bZ0)yDA{(MXo7ojVh(nipI+v;_Nb(k4tc? za-*M@8qanSBcWduq*9%3R8gxNtyr(yqG!crS|&ZnGI2L`2zvJjoTX}BEr53?997h8kLbMd%gdd%_im_HK-obS+}oIm_r-7~Yfr@OFdyDF&nA6=jH;qz%fJ`Yq= z|5x#`w=DrYxBhQutMg>9TdM!Nz0=)&sQ>#pKA)og@2uGKXDyZC#@)~ zcX!#M!lm~2S68_5m~Cm{&Y!y^uv4Pn-+EL!$*!X!oihcd|zWs>LWGG{R0p-l2andFBu z$$z;r$@f|y>(5_v`Jqhme;tl}f@;fu5-f6#J%du0?U?br4W%XjyU*OEEB9Nb(}8x+ zL~8MXcO1;klT$fZeckVx=&XlCTz^m^t~;mV`jaK&s?5o-eA1{tNlGs3x%^3F{zVOE zv*nuSp<2lQd%qF4sduYOnUfS}PNw#K*gl&|Dv;afr}e&dJwjD7yHtg{l&@YjDox=I zW0gUb#vV^tg!Zv>C23=N|rAGw=c=GPBU=FW8Z zx>ep0PKgxv)SL~o`3NAdA^OKZpCj||JRm&8{nmp#i_ynqPfY^eDl{~#zwAR#wJc7mv%L`?N;%h@jSFMU zAo)kZiGH(|liLUdqs=jiCpH>9h}mczb-(#Xr-uFe@KE!tCJW?4&9lXQA8MXG)I9t9 z)I9UkN&Zzzp3RqL>+_CO2%Pr0u9P+H&-XD*`8}UAWVz`*4R0Re`9qs#E2#<|jJ^-m zmmaDwErY=i)t4TsFa33^FFn*j`rFk(TG9Rc7M|bBle^j(E7ZCmOPn3^I;t4)h7e|wkbumyGZO|}d zliC4uRx?tw(sSmj4$x)|m`xYVkp6QSHnX+>-J+%P89gI7``F2BES}|J>DaRb%`5I& zo~}wuSUpLnxa)?Pr&DNl;pFBdm|*GjG&#B=*>uLiUH5*R<7`Asu^NbM8=~g_;hX=5 zHy1O5Ru%~)po$TM5PnEAh}E5nK{7HTH?L?Cp=PkL+4Sb%v)GPWwFJfuLa-YtXoWPt zC==ZZ3;6gEs?nHbEZq27X+6yd?Dv7BAyrs$UL=X*5LfP@sE>y%UjE3tOio7gt}sc} z1tJ6KkcOXT)(CBqB+sTPqe<=>hg=ytrb7}=!`Q0}mNK5hM0|A;xv}Y(45G{$kWmeB zH^2DSWK>~M)?4<^(zo*uLeIML1S)o~0(fZ)A9VB&I{F74eR;YMI{F74{a;c?pR&wX z&KuG0>^4;^SM9%Vzbk`UBG=5X_zItx<^Nhxuu zvFjMon$b7C_H)btbIJRIq3pp>_FyP`FqAzQ%2uE_{{@D!mDI-O7;R|coYJgKM_)WQ zgY|>G?yqjILyPMiEw#&{$EFXU9{nrYErHukqJJqzEM+|OI#iYFtK5>gu?|&&*}{N_ zIVgIxvdkLlWcZqMT}_SyXiO zVW&%FYAdg;Dp8yKe8nLeab>9Gez%v( zyz13e$XP0ceHYyH$NGa%)1SmWVP0WutH!`?7=iU)pNsWhs5dn@HkwX^5* z-`*PgS0&3(S4?n$i@~BAgrEDQ7v!$vW3;K9y*C9?v|~0>F;x|3u2+XX$Kfxk+UP;4 zT0|AUS@rYsSXMgS)v@ia<+>cwY8uzLt2L|I*7&N`w6pGL%jIP%b+7hCD^r_h+p|P9 z+ehA?f^*RO@xnJ--A|bKqDp8!niV|T1eMyRZg2h(Og&|Y;KELmc={ZPSy$m=Wyepc z>z!fHW(68EC$D9lBvTef=D_ot)&ra)Y&ozNNLb4!cdl-Ed!N=GjYx>I72R5AdoAJF zx|CN_!XnaBbs_Ak+;3N`U%!N<6Ay=iRi3Ui(Q+q*^f$Mdpw^_+>4de*7mN0jobIcE zlzy1AVcx8ohQ_W^H_!7bBSVs9BswfInv8nkm_$WPlhN@gVdm?j8xj`aWb1ToqiaG( zdsuUi>MjSh+%c_4vvL-btX#dp`Eo^qpdWs| zL@CO-CXhu2kd^BCyKl981YTOO|C*>g|0Pj-alQZBfSolGRSdRtnP5BIO1kGyWzCsy z%enQDEt-dV*KJy^yBy@*2D{he)!TTRv;8#op=GQ?D;@J(8_(i{o7er$R-W4(+N`l` z@tG}-3BR8b(RJ__SfcJ{@Jisfb4!}%lw^uRqYukzk(L;z+5u^Co%M2`Phn(UXkwm! zdMk{iCcD&J7is3|^i21IYSqwhwb>POcgL3PCOEzCt2zVtfzbaA2>pjYYf||IDYR>k z`cvn|UIH~LhWdmYcWsXG`}duD@cz7$?`K-&E$*Ul2>n*T0P&K`!PBd78RyelMsL1H z;wPH997W8%@#&D(clcb!-Shre8@T862k(4Px%0J%QITbNF`K!3?OZoq{}N2lGO-}{ z7zwiC?%!>=yW0orj9B->09Hd^iHCI@@m6u#t2T&~#{OVy;w~Z#wHsJ6yBW#NMRocc zc|#|3PKcH>l4xzGXXbikkw6#C1^wib52-i*_DuQgnYAq18m(`3hj3p(y-~In?$T4` zQf*~Q$b5Ory$(Ve6D7@B8FDnr)A2gE)%L&hog57T3f0-^8$Ex!qF9Be|ofC zeX%u|JQt4}rpFv_sQEK-!1<0p%1O#E{4g_{d%6pYwyT1G|Bv_aAI(kunsTq+yDoj* z4x#q7;CB9Jh0oU3*4C5VUHJd4t*!F^Z|!z>{-?9Ox4pN$+u7=F{m)jnyS@A5f6&${ zgWUF0@Em9VvvudO%8UDpeCE4ERF+xCDOK6Po+EC|$HC=O9#FP<)oEPPBzlg#LhlWi zf+nB3D7y;uuQyOTePkW|j~^SOm<@1zD5s<|h($zd_F=J2Cy3sZnMZIZnr_JdAAP2) ze3rWZ8H>rvx88mh-T%FvC#CzpwY}4Qxc{HyQ@a1z0EabK9e%<^K4uyHO;#2tU-@$u z6Yr+Sj@!nnt{UMOs~Cye9?-WHdLAt9AfU=4st%fs@F}DQ&VM zu67WF?S+d5O^}~OFn; zz+5uGi@~oX6uf>L$-VR4VwQr*y)GvXkzp}W$(|g-EcTwh&RCJoIn3KE<}b?nJbad= z|2m=9Em^=t^nbg%SEm14J39~b|8sm?3UBDRblj98p(a_Rliaa7v!H3dV7Nc}R{eE8OVWQ?V)E0_|GnM43i|(` z|NAVTN1E|OLzW>N$H-N3sYEjnbH#&3&0_)m|6;Gj=av!X=vnpc!b!q%H+01LVp0B< zDj3G*yi=l%+Ug|VySl`f3L?0nxK=dr#;n!&uXvrB2NHXZ&zjZBTirU;?c_M-&xLa< zbzIiwr@O}tM=x=VlaORRu*RI@WTfpmb-ylq6t&R(b16;Rq={|M&k;gyW^;t7%=@dR z7D+RfvyjEl(Z#`8!UEh~>!!~kO5WStCHJ%@SMCbi zTLYnPst$<8f;clliM{l>KDO7MMLK68=@L`?b#ha6!^|JtiO8Mj;byBE8ryx`q{^;hd2ZuN55XQ0j^ow#P^xir4rZZ{sGV}%2VI}dBgas(9^#8MDT;^`NS zN9Y|V5gJU9+!6WUqMV^{Ou|bWtB%;v?>`_zmJuYFn4BgfRHXO$O3!+{{rz9+|BBb~ z&-l#zb*S^-;xSw*ocT}v(k%C4RMN0N_@(%xr9S&vMgGSsWcR-Pf1d1i%lJ^)<@E?BAXrxsxSup-yzU`!Br^+v!#K zDeV7GIy3sez3tA!{r?=FIY|WPN2@3&zp9_h#G+E>xP7$AUGDppo>tu(UQQeLhZv%? z2vTxcUd>;5fwOXzqw;N?<`=u8-@+Ar2|x52A9UaU{Pw=*OE{j_v#BKq@3M3Es*c?= zUfrJI3x;i%eY=}L`&wGI98BIoq zYV+hiz}0z|4%A~{sV5*b!2zuc9>gl=Cu#k2FHSI7T)@puhtNXr&to*&Wg2wz{K_N#vf=*tgK zXdFH6eEf1<&l)O%=VJo1&Y4ZxEy91U5KL@jhl;~23xl8eSk zg!nbh!?E6Ju|YI9z~~VDjGFF_p)X#DFWgyvYzmyo$Hc7`h2&7}XXx>Vv*W{$-cQ#8 zGar9}y5DR@nwv zMRC`^{Z2!@4Q_(`3Z~!utpD*-1+#=Y!;+9cESom037y#R!zd%a_Y|r!sJ9SNEBF_wNIyx>7Lxl}eG`8CTfy~z3j$#JLQsyE#pV*QEuC-<95E=Q8=V>$O~g6(b4A7NTs zn2~*Ac>A}UZE$LBV{-Q;vOxZRz>p?bW|V}%WQT(5oGt z_ry;yO%}ZE_bs0+xc?DJV>X?TTX_B3&;0w}+1q)tJCpx!?}7jSET58O?ceJ^O#ACn z6P%{prWkXyXL7FMYjH1DG(kb%KROA)eFO*8Il9ReCe`T&l6)r2!;kx_s0zAzEzpHqyWHj?Go+eZDO2<+v>#9_2x2z|HKlv7QhQ|t#XF(;t+YnGX_<~qC>e2lxhd%T#qs=d-UWzl)n zF)I~9_2b8-x~;dV*LsVKwfxD+&r%n0DU5N849rI5+%k#>%_fL9rR-;l?3I7fv#BU7 zQU_!vTRBZ=ZVP;uAvQV5i?mc`-*>b3033_omoCgNPi$UQ{*X;3*j0VE(U;2G?o0Q( zcIf{3jidd}Ca9eauV#m>t4hBaGoF71-dO*1;7l$fnxS^O5}*;cAnMBeI|cNY1YOQR z4BZ4=bTKAq$l{n?gAX9&kPu>p*mA^+6e6&PEJKj@ zoTD@&s1s}l9U%fbkgsVRqX9u-OmIRXRHTR|2!pF*ro*UA`%3m=oad>#8?}w9YNxd= zp3DToJ3Xsn;87I?^P+;BojW>QVMuqhZ!1<;F=FL{`Esppzc2g`-k6yM&fl52Nfefy zLtRRQnkm##T9-sBm4p5`M0k_rq2!1*tz7Rk<;6fYtoYR*qr#R^Fy#qlAD@w7)mmPFOEqPLY5oqVV%$ta7KhUYc+A?0*JSdlLc%5U$(8e$q38Mzo| zgpXNVrQj$*EBEl>@d6@!SAbXUaho?SrdMR{?eQAi_VW0nJlvhz-yMG^?|gMi2Xlv; z<3qaR#qojN`QG^8R=PIQ`xK;JM*}M3+^S?3w_A=!wVlLoerx-7I(_Cpu}*hCxqw=B zUCDWsJ|H7$j6;H&@0$?X?|c);Z>j}2wI5PYdn{M-B_GSB(C+Z8B zGh+58OxYb~876Q6!}PdfFKalJ$CW#KKA&T$C~N1r*C|PvMWm+`q_(g7t;aIip`O<0 zd}_wQ!=WG-4wC9`?gxI(Vv@P8vp_cNmn)8W2 z`o*}LjkJagEh%`+Y{Z;xsB#TkVMpe7zt^p)S+4JAy5RO#Zp7TuytgjGTmjpwY5V)) z;(0SRuJ!p_Yw87~4>iPR2|3TNu3fodo>Nij8TKo2FV(LaOO~zay@X#;X(Rq#k)sRj z|7kS1dj!}5|DR5$+bzd`J?TF9|9zIvLi@jKicdkqZK8`*3NRKOQl1r1B=cnvjaJSa z^XD+eFKaKnzw}-UE!xYQFz?;=J)z0|6{fL3go@GKpZ|VD@xSP^i2mO$ssME`ep zw`b`8L;U~e`BW5+s%LB0DxZmUNb9#old|`y>&~-|I_r)jQiZQ+Ew2mx?wW4$PyYDa zJ@U0CXQWQ_Si9A>y>HjKMgGEB;Io+u7YI;pnnf2~N_ivacbu0Ua+TbW3#ZpCmpGgI z&p-OASAG`I|2tOxlAi_if45t%|JZr5xBcM%`&m9K@&9+MCi3SXwV%)FwnqP93Pde* zzb&<#Q#fkwK&uuOtM9#fNiiSR!g47U%_|F~`0bV|kutZ->{c$A)ElR|S5w27bJkAt z<1-a1?|(UGvZda7G(YIRc5Llkf05zgkcO_CTIEl3CNc+9{qwifrrfRm+LCbR6cI44 zb@%C1x22rwmT;$&-gFE6=$5o^SCpM`n=W5*W`Q-lu7Zo`P?;OM+R3bTy6#L}ce}Z> zt@F`ab+Ypu_tft!o9ne#jhvjvY&aAsy2N4e%F~*Asmkzgd$?t_`a&qaA49c0Zr&mA zPk}Q0Ryf0NJ>NT2hO%CaE8oz2s0QWhBJWTfX|AGjVTsf~v#9j9{FLOsU`*l(9VILy z_cz9(`0w3rS^u}Q-PwJR|31g(5jw-Upd7%|$dgCcW0IgjLE}j9J1Gt?@rdxC@d#av zDc2kiM|@1;7>!~!kk$*Dj9TK3W$dKNUNVYvS|SgaCljykg$_CHUfT~Ha3C*zHDp+`6O*@{C|x{=m(rpR&aED zc*Gk)nz3I=m^T6%5xgneW$f3+>5nHz=e6(NaGzm6sEqah`+B6$PG zgfs{`6K9(`W@g)FW^dUQ>?_Z49Fq*uWXQxhNO=>qvxqZ9bI1{2#PL*Z82wE!ofi03 z1@L!igvGJBHHvjCT+YywU_0n)2wTDSo&m9CKFVoC!D|CNG9?`K$M_|@8;3OOgBq(p#)mk^;%^7GLHf>9 z1N%4$Gr{>r3a!$N-AvyPis6uC9C7*^aR3-Z?L096J0RcK; z*9!Lr1d32|5(Um0Iu&bpMQ>0hE;}418)}_0QsK|8lF|WX5V*7Foz=TUofe7Egm8{W z1PwDbL3=^xsl=0RaD&zisyGPHeP)1moLe!bu3h-VYedd7k04UvUjWCa7Etg&OiP0eMm!p7^)Qwh5O3$1%H> z)irW75jBJVN~l=XiiQQ3!o5(5H{C z$21(nUB^*GB3o)+>k*KCL{Xt`f*pUWV)%ti*b25Jgif#%bPR~jcI~nEdf%2F4gtv- zz``?|+S&3@T(J#@FHwp)zh+saRKVsH61|`5-u3jqpQmwOayE)%>E$@f4`iG|-@b7B)P<-{Ayp z`%Hk?Ye^FUKNT-WtZxDgtEvo*Nao}gu)w!9aOb`q3wiB|*vkg-VAo8r>s;m`O-O`N776O7 zyerWF+$*`HD=E%!PNbhY4D4RLlts=Sbo3Aoha(?g@X*P{;Q@xijKxAFROfe72F60& zs(`wH4D1D+CzcLu%bN!vyyu)mh}_^w8WT;8B{EB=1ohBZC{HvLhaSzmTn;~s`Vh2p z3Y*IN;sF!<-PsQgOt^}NBvd%rd8W2Zz)CdRHV`PN>K1|0B*sM&j$0mV?kS5bUm(PjWd(TLzK=v=}${EN*t? zrk=1X#XeNdr4Z~l((Y>LETat4sKnUfXIJhpKzdROsite!blobg!&^qoM$C5V=uRDf z<~}_YB#;XFtTqtOGTuV0o~3y_FNQ-D(@P=^Ax{&#S{r2Sk|Zb>*LB^2(W!u;&OpD*Eb(R}=g7HPjFIXPZP z={1L$NINVN{Gq20!Wq#;Bhi2i1y?9QYB^adU(93-DcD}=A{oNAWtZbV_;$9$qZwjL z$PLZ8#55s=E15mbNSllG3aMbExEVVN%=0wNori1V`0d&0`NjUp1!|+0=STbBAD_HN z(r(cEVq@d$LH12!W8?7j$CHcWw@2vh@#}9d(90uqe)PZZj?a${(W}#Qw10x$oxMKa zKRo(kV?!|HL#Z;RTot{viD!j4F=Yk9vDAE&1su(;qcxYrDQo+SA&xoeueZc%1(&XL z*c%%W15Fkl4oR4c0X8qFHMm<}1KoI{=!Foj9ML3IY5HE1Dj zWm5D4ZQajmU*4abUL5s;N%YHF`I~hyQD;zI474&H8*v?kL5)EDydUSV;xoQ`EfqI0XpB)YNFKf;p>xMQ6Y`G*;4q8WmUYY~t3Y$oT zu)wcgj&m|B;vUJNJq+aR=h#g8mo?4cjEe!-#sfaylnTC04vfO4J#aZE9LETo*eGv( ziUMp2A!yrNElZH3URPgCS5|h}FXfa$laT|iYru7CDQV>kqsz8SAJZzGUu8Ez<(KKB zQXQyrf+%AJU<2s>r7=Uz#f8$IEVG^0*bJgFaeLIoola~FA@84UCgP|Amw zWV&f2MJGvw*guUc5xT}%B2Gz~9j#JV@>ThbyT?*7S;VgLr$;AgOovlLEAk?h#n;Cy z%SocMZ@K0>P!T$CpBT8iGq+KyBoH33B1dCsKf`GnPkmJn4N1ZYcYy90pxrVrp)ctE z*|D-8S{_g0Vn#y2W!nNhni9Ap>{g7h3=!FOVC-lZzU*K1KK%;$B>{S1X-v#{nUY z0Y&2KIG2F|F%syUNGbHpwRcN5M4#+R;wa>V0U-&Rut?r*njqhm%}h<3m&DX|mQaV{ z1RbAQ%>z6kZ5&N#f=Cjjj3&;@ugyz7aIG8!2}cKt7^4()>sEAAS61Spn2{JuW2h_7 zyAI+G%#MNSqm%0ZB6+t7j^h@Zkcbu&*#8)3BT{Ah1Hkrd9cG;qTi=H}W)UCR9h_8F z6Ky)xIo`}T+v@!g19etm^0tB<2gox6V;SYQtx9UHI8>~406sMUXBjBLSWFZlrSb`m zDpV8lsVH+q+Hh4Q4nwrea<`p!#wn~Vox;k5a9h6)RfD`{Y!nl85VIlz-vvA(@Kn4z ze*;G+gI=`%j{|g919e_{5)<{tM}t6mrsPy1URguVrIO8oXm05$IGO&OlpwpjAlimLqI*jZe^Yj^?#efW&;7gh9wMa>iKPqrZ{93)XC(i_GMm@CJ~)Z<@Jw+497{d;2dmVTpK$T`fsh`Rwec zS@)USnfTqu1Vzs&VY+Jm^DF3pnC>rckbTI@^~(kT?Hjx z0A^5xmn1(D!ZGhlXD9Lf2xyujW-i* zYpME&>+b^JHk00}xADqHN2`x3n0l$7OmT)MBqy0WK-bKE1%=r&hqQII+z6Ab*FotQ zBwFMICt+??EnIOj3CXWncB%4)0cMXf=1~1^@T_u5AoPemvX=E94x~L01ORE6)^E3b z&w+7VcR)Y2pzV|LvKZ+bQ*e@<#l?sws{D=9*IbXClI$QYgTUEl~cn_Nt~TQQmj@cKYmA_5r_3C7BC3hMT3L6xPa>D;2~poA|yMC!@kg zX>(n+d}W!`Ha+U@Zlkq=R~(VxdVor)z#5e_#XXws3fOY$ClX~;WVx?BM{COB0&9>i zrZ|pWz+Jm3^?Gn;H$3-DiO|L&eQyr?7_xMVFp4S95gRJjI%jDA{Nni4{=voR`A_e^ zJ$-v5*q$=0({;S?SK#}eIq!Ezy&(X@f4~op!5dhfyTfR-41ddwE+>*axeL}fCwIH^ zmTwIe+6d+eN;4?lQIEqcheEgSnFdkc0=IxwbFf!;<2*SZJrthbUJ&|hh<(!NZB7`x+i zE5>nk+fu7tmXNgbjSZlXl7{l3^^sB#BPnAFN(3a>_dHkLj4pH=PGE1*k6L?ICC`E^ zqYV5~14DBM;Ij&Nz&z#U5?jU;&1n+CQl{vdWCVp+!4-7YJ?Wp1= zCgu!fMY8SyGxvNItH9IXi37r1=+3r}I^~tx2Zv-RCRZeOpqMLIQq#?zt$AqVC6I}e zC7tsnOP}*o4l<=7mRRea1HxRBS*`6H2s;i0Kg^->T?%oIW13(gV{%PCyt{6EuvZZL zo;pg{j&yl3M`~N-ym8{x#S2)$GaPYu?+Qb+3XGg*#gE)qycg ze8Vbwpr?*5V9V~+jMLs+5FND|ZAoK8)bAag|8R8v{$Fq3yg&Na#rgjGgVU3fBk{=h zQNdkYb3!9JD`ARx+Mn3~g3bzxkSF$#pV=sadP&4PT(J32axL)=X#3?;j&MpXOymB) z=h2=j4{LEnUEO>?7t(41NB=s*Avtp^g!JtgJ9>x~k+dFt)WeMl`Z8b}L{k zJnX$-*FrGyHcx$y(bveC?URv=@3I)OfYOXa(ljG(j1wVZO=ET>6MVD6%ex2q?U?|q zQo-;#Cso0VV$LP&SLN%Dg3)!&{Oyt5U zcX~H?Y9ZLTg{SUYLS`bYRUI59_NZ5MjtXA#(VmL`i49p$0^XAIb#A|jD^TyuQ=_Cy zS%h$s)3zxGWikZhtn!E~R1-DekQC!xUR^zG0NE_gpdMpMLA*#db;(r19XYpjB&wp5;=3Qj`&YYr|F`vbU1MQzJYUB zem|fw5xZ8nIaeei^%apZJGUqAA&j`~k$!8#C_92_-7gqOoD3iq=2HW+Tf!(%$$Bxq z)u~3s7;hMk1}Y53!hTW#+uF!=W&$1AX0F^C+#PNAS$F-cBkj^N64ZQ(uDW)#ym_fO17TM~=sYXmF0;dFM%qT}p>|m@(&8H@%1rmg*?{JmxOHw6A4|+-gaBp7i3;L` zH_%ZsWLZcc`3Q>X#Keje%IF=6b5`7~G>++VQGGLbpR-}!M}k=!<1Ff%$Zr$g=8o(U zkmVN7-PO-}S-3c-qWt)FU%5mg=@Y4+OXUNSk}RH@m<(yPZ4Y_hvhK4x>v%ReTLk@U zhqLFtW6r&NljpN#7J`W!a2PwmE$^pd_NW_dY5vRhG2sEuYXB^NZ`*h^c{*aWc8xg_ z#~89mdq4O2whHjX*E|T>q`z*5upa##AEAx#W|)xv0Ed?(iTa8(X^%RS>VrhStw&dy zu%m5NjJCu!8U}gSZlk?_{|j{r^lXiTpe6{{G>$@?MbfZlA=%gq?>zbtN0O100Ym%i zFk>SVFe_t70{AkZ40b~Le_FVmS-3soGup7M9g7{x4-b6zpDgNSHe<($gV^)d5Yo+@ z@VxE11e;DaqQMuAD=I=cwp$q>*wV)+;6%K!N0_~7WIcXYpF z%+LSW-Ro@cmhwMtcb+`d|NAT-wCJO_iZ_a*nA1|*e!9U{3w?)^La;&It*xEfPU10q zzPWjQeH~yJCSciUQwKO~LPge#qw}{tw10Al4o*)Fk1vi-PkInS{H}M@LgzIvyG4 zYQO-!Qp%*X$Wq1$x4UW%T%S=>L21HLI9j9YvMakLSxeaj#3X1U|J?#{6f4m{K~X^= zVh1ub!3iD_8KOQ!ya>l?Vl5#T!14!EIeQGS-JQ9n0-IQd)+k+<$HT`omCi)Ne2P+% zL0rz-?$-ZVhv9@gAvazFDsrCV1f(TC#+l%%Bt*K71|%Uv8d4nl(4BeOBmapNO|-@` z_*d3kcTXK+)gpRDqe8&Skc%G*0J$MqNI?#A0}}zywg!$~$aWa+PWrQpC7A&e05{_{~L#!`Ip5cUBcS3>6;+xnA%NWV+0dOsU zfu_K_x6F`DQVN0;OinG+x*&QBcBxkgv4Qf?a;EO?ghUiW+7M^iKeFs{hA4oOrK6|+?!)@+=r7tX2j{OzYHNg{fK1|(+J>vk6oNk*?^mUFQoyjjKoF-G+s zsMRY-au4*x2f)d*1g>Hv#t_(_v5BNrVko3_p)&i4B?cq{cXu44j9gJT%9g7HY9SKi z0n7AXEYrvA-X>EVHq8hpN#2qk$=72R!=*qhqaz9_N@vb|mL6+5HT1533zfG|?ViA9 ztvtSl?_pyyGQrf`Pe^+wFh%T3OXeEPNIXR`O)g>M1~dUY5mNfPK6FT&HpC%35-sPA zG@CjzDX}|*4ehBP2vV-z_{tM6-vM)Fo$<^DYN1NKrDh%in0F?C!^+iJZz-$_=du^e zYA4@vE=4ZWUg9{`WSbX*3C$Jp(0m7A7tCBH2}$hq2Gc6GLZ31`cXMA0mr((|iWpwt z`+$sbJVb0*&%7-6+M}jfQ&Yi`@4X?*Y=|H^QN|J)w!|q6a13~Kor!)4Fds#twU*)* zxSLMwMu~mOxxFl~|GYK#DYBKFoiSMA%n41D(_Tz@&Rg!2WmqAZ^_IINTzUZtRs-Hh z)j}S>c=;r^Vt6fg(_0Q1@vy+zZAeZ=d05COC>Rmq-838dBTzj1G?5#<3I19&K87se zDGdu&@OX+QIJ=YzK*JqrmWyyYN|YKO&ImTP5)%cnYM!thVdUP`pgDVmOZ>H2w!VQ2 zSsr%-1$~^92DLG&83_qc^1;*_$6i8C{!@@7m*!2DrA$88g5hrIVCpxjYy{ z2Na{MxI!Q^dSzk@*pga@RTTioc2fZMjaSISIXNt-5C#QzE7Du7q zx&R#y#rYdqi03pHIBgCkr>gD_9%1n_5IH5duh|F7@YWgQybT)$`Ak?L_$T?dDqMKY z3!00i#$;qtQtQcEo}fe(=Mgw~6Xe9X616Ry&>qfIFH4`t1US_kZ0pIigo&DE(!!{^ zDO%95cT7EbnyZqpgZ3-cxPrN6*ueO%kk9O{s(KPhQm_-CbK+`-0vLLNr8qIH>UQJudM{KQc=Pfjn65007$qDLU&26H`zV7Z-f+}q`lfQp+k zv$Jqs4k#^pV#w;CviE7EBbD2#y_((aS40gcgIowKp|#AuI$)}IxN=_s*>H|xg1Hc< zTrIuoVs9(NJM-synpn@#?zP<^53BgxIsDTl<{px{_u5xLAv&~lMm(7#`vT6wXIX1@ zm$Byc94(iU4JvkNSh^{|KwLrEbQ1{>_;TB*EDpskWAsvs$98UN(Q)Y&a6x5!Er zz_x<2UNQhB#g}sw0!T%A7;sJzT&u_BR&elEwO3&>Qa&zr^=w!%o0h#cI(>7sDB^18 z%vAz-VrWO3XD2XYt@2)B!*z#jB3WsHN1j^7NGc^sz&ns#5O#Eu3XoMT7svzjPG<8H zho)1M$5RQ>F_0Mj#3Etlq%YKCdF0DK-nH=^%^*Az9Z* zTOVcr6PAlk#(D$q%YaFtOkCR$hrj63OEiE%voYQV5Lhn&ZOrbO;AL5 zn9+ec3L|vT5uMe~>f5BxO}z#cPk`L1CjmO797HFQiB>=2Ozg|lTmm!I!Bh&cAbATB z%aQ>&#YnnWYb{vI9+n-;jSad*@c?>J#^e_qL=%<rz{Di(gJ~?b5LZt=xCIxRgvl2+6NFql~ zYHtweNwKC=Q*>lUL`*C$Ep*9-UmY(A%T)gKzgw zF7{s@zd6462~gFTj(Kkgu|SJ zb-en1Nb2c5A1p%yePppLexNi0(tmw|N4^eU^wur`);R!No2`7HgoZco41-5ab6a5VK)myV+#2VP1IpJbk)@utj)EF>sg6q$4nyZ zh_UFJ#;)%067ig+DISp)@B~G!@(L80e2s8CEE3Dyz#~}U2?CW;ve4TPIWXbtEx<#; zpqCYK3Wiap{K0bF2#>y!Mgj` zwQMY$Yi`qAXgFp}YC%EM=^5KW=ZY{I5}+q7$eofxMNYYhRH{K0^_v3Tkx4>xb03ZM zHr8`TY!E9g6!0yZg6s&+SDIQN3rw!%E6P1{4++q>>{>`dQj|0s2K(s%w(A3rmLztp zA%^ExW)V>0s;>nhwPY0L3!IL%qF9PX&-))7eSAg1y$E8A-om9osC_TAU_1zA=VS5bEUw z0`wz6IOfb2UsMJIEwn+#OTZh>Wsy`6yMWD1^<%6}s{>+PR=`54XTn9tW|~n@Tnif9 z6mNxZ`Bcs?P$v&_YV7f9=d|6`sAsH_183owUTI2cjfo$o)9Lgh`k;%umaMEFp}9hm z$dQ?R^l7;cp=eDsFg};-{}dp!JfbQJ+oIu`jfd39f?WjCXfVpKIF8iM2B0m&p2|)m zGR`%+FLF6m{?Bc2?MG-S4!w@|P(Ei3S4-*bm!2NwUV}Og{EqCmX1rnBdW3jW&`54- zb?St0XvD6FOq=d9oJw0_`E@?KuHYd|;Lral`Tv`$c=tKRT>t;>-rnx+PTBu|XK&}h z|NnD*9-;4EWz5fB`7Irdk&4EWyd{)zIv8V>Zu~4GKoL332}g${$28`R#s>P{77^$K zPrqtx_;B~Vz(jy&dV>Z@Rk5ORj3VZ<8qXV$VmghPUk+hRN8@uKqLQs?Kys}KOwFRct7)0~8Pk&(tlDZT5r`zDRE)|SepQZ5}}ixjb8 zqmA};J%2BFzKt%fSt)!@x(0+eku~8tIMrdfd5y*!h9e|{q-8ES6tTplv2`HkFL1~(r;1fs<0Z*}~otjN%KDboc|+f}x+^}cuu zn36<2=UC;T``Kw{;o0I~rC`p@b;CMK&@m-R-st!H1I)*b6~aPApGKpxv2k*GarAs+ z1D#>%e`kuFNDN9M40tA<@nJ@wb|@?o*f+qmwI{(1+D}vEcDgP%>p*5|!l+2-e+q)$ z%8>H!$+S^}zls&&wvP=%55!bo`Q^lIl{-^eKou_MdB&0v=+|Z|nCr9`4sdh~vXri} z;>2z1xMJH_R@#wD{VO8K1kR#T=2EA%VBL`rUou$-abu&=5S*nF8?dPNxmZm^f z_+vvA593*(?JX8EfxLJjn`{cOaY2%hY$_A;=6A2oPhW4!S$_4?{@XWSc~kxB6^#if z&}q(PV!)tr?9@*doODJbA7{Op`ip5*Jc9aIoIQNrKx!|3!jt$p`WR(t`UVCDw545eHeOwp}qa*xtDh2(9a;EtCwy1P;wrO9muUPVx<(wYbA6R0)ZcDsVBK4ZKM|1hJ6O)Yw54#rrVN2>T7ujIs?EXB#Wz+ z(8hVHj&n2tr9lp<<ICIR zbj>YDH5N2p!P%&g52vy!EAq6+9rqAT(n4EcbEI6`+-q=r24lZFe*+AGEGS3wK<)tq z%a^y{GzkejR4ScVLazO4)RM^vp}s755dsc66>q`h?h#;9h}NgP_4M?3=v555h9D}L zNj@^>Hk)k4NqRQ7PB>b_wq~9Hii?~X*PHd0x*JGV+jURid7~4c*J_7ByPD({)L^QU zJ6RHUcG|mmeSXw?f41N2{djtQ_~P-}WicRO9>YF?FQ(be#xEZb1;QP zXg)N}$Q6|#4W;z|a<#~)^POz{T5bOSpib-iGP@}5ndjG849 z8BO9HiH27V~=NJvDYpmCfFq65|=X#upEr+_y! z!-!GEU9tLX*YVZaLJFl31!+bh=7h_4#5m=c1bjvlZIhFe1fs%a`Zu6!j$e+M3NVjA ze@l=5BlOlx*W~!{_q~BEoaewFsCB6fxzEw|-qx1o3EZQckO@WNfO zWYyyUD7QL`a?kk(QCFM0bPSz2r%(&RJA>WZK$tm%y`8u9`?qK!<|MmM=Rk2-sJh+g z&O^$|{_a+EZaK7`{_fV+s?#rTz#Jr$S-V9v_RU6(%p+A;NnySww2Tr=*X{i+p> zzVRMl_mMK%XQ`oHQ>C4YI9iw1{sED^149#>D_@8z7C|OUbg%8tiiZ9!?(Z+&)mPc6 zmur2~4;l?2MFG{cn|9Up^537uD7JG zA$b3i2>m=J8Tn=Hkx_}YoxN-iS=OG_OSL`S_WCV#YWP8^_MlXIR9VQVBx0HJZRnZ` zAsJ9!u8+yvj2+P)0Ud}zDaNo`aT({uA+vqq=NEiWoU%#H(-)( ze1kSNj^Cc0o?q;rTs+@^B)VqcazRApD0T9xw+;fgsyu0}3w1k@k*G)_oP^W9efN|Z zn5xowioB26HJadLs^=^nnN6N!qtAeh$HuQt*$cnqdSR!s%o*iM)d;x*zynmPaILP% zYDmF1OlnDKt{m!x%&4XOO3|K5*%T!O*tthwY0IRpMW^fl5@jdJ>2FHSoXCj45XZ!8 z1o>DcT*#6Qms~@IG39VlPbQ@4igIQ0H*leF?E9{fNX9K!7dta8!bf;1dVzL)x~hHvfzt6D~M5Vi351+_(0t406cGs1*cGR2Ha;?;5a1i zvZ1|pI;SKq-D@S2LaPH-BzfOGQ@-S(%4M{_hH2oqEhq3zzqQ;MtL|Is^p-`5PCxiW zI03t|EJE1Z3W*e>(xsh;9}+RvDk|Tun`B2a&A9@NA-RU7`6XPj$a40>fs!T8366fu zXinY=It);)1d`y1(nep&phyl@h6X|(K3I>0rhfpzu!v)U2Tc^9k00A&>h1I@Y<~^w zX)7%FW;G~s-IZ{}jP`A|JsA}|X4f2bOM9ueOT0mPC6lS@SjHnW@2z>QoO#V{XP|YK zgw}!iwIRbgNP{)ctzZo#uW8V*2iO3}s0-bTx6{eA4x}I}h}?vB8_kftl}C_he>YH) zFq{sL-222|be-FD@~YRkFjwW|RZkbx!+hr9tst0kLyOe!EX{{P#5g_^fcht|dhd_V z`tBRo7bmEQg*>Ld;m~DXAQ`0js)wY@4T&5M9`4$;xM!ZTvt-aTnG$^+O~HM`IwmR+ppcK{&H|V_PRcq(iA`OA&p?Pw&u(i zo!7`+K%h&Ly?FfL^}*Tu$;L(3&8Jzi9zi)#S`5OeXaVvS6|3Ruo*vszbqKRb><~c?NIWl<@id8W;U2d z7W#u?V?f0E4z2E6*S-%8giur9Nb@;rmS)t1P>yDrv0q7;zo(IC^R@l+8`FSZ;hem` zBvaMs|BBD-ui~e+_`E!NeSCt>&X0fCzc@nQAN>U1{yX`<>ht2ozZ3ZC=;W}XnSv~R zRo{~drm-6J|M}IOUqJCB7^zjMMTx8K_jjgjCXI`H{JzMj_(f9-eZC62fo8BxCYp9P z#eY@boL!Qn+*vkLU2#gGB+Vu?b%)e7c;4UaZasS+k}Q8;WU&iK(5w;^HHE9rrs%-^ z)vW?3V*{3NUUdTTX*QHc#%W@zTTAv(p|**8`?&}HB9^XR8l_c0*=EE-E{Lm;{^1{1 zE3hd&O*Yrd4yqDoeKIIRrlhN_ht9K(s^Ydd{{6b>m(kx*DKD#)M2O%lra~NkgseIP z)PT?wl4T7D3Z+X@vx?$0(SYa_?2cYSI_jzyOU>hwOuuMo?;y3A>L(yNH1y2MqcClY z(Ku?i#S+?LPA`JZs#(B^^|WF^0j0`OX71jV{4^YDE`2aOlCBIGqcH8s%e61>#&cuY zP(0joU<%E*at0DzPVj_0uU@FcyZuCl)_S;?7P(xECC{qPzbTbFZ@I=f59`g*p4S=` z07)o#z<;Jaf$3{kSo!(jTZrZpXs6vGQtdUJL$s^g-7ooe#<(LPpM_LG(w#97Pj}DtIi`6Q>*^LeKJt3*MZWF45ipxdj@HKDq?Y?_;Kp!qe zD7WgQ&Te6{StU@$RtZ5Vi%?9iNbGy5my`CCeRkAT6s!zVPnm(iLM6B+8!WC{ncyQF zj%h;HWUd*>ba@s_t~o=ij*be`T{N?~M$Kjz4F$vqz)#{3;4yGE2! zQ@@J{^$7haOKZyPUT$^9=gY`f@?;l^MfjTcwgX+m@WtZ~`#<*H_qN|3ogAK>9-mw+ z7OW(MjEpEtRR8m%*T<(P%XW2yInjCl;NYm&69U;%a-D?X$#bxTql5FK3kR5%?%d6l zSJ9}?OpWTl)%NN_;JWkao1^z9`)`k2ao2_&Kvhd#WKi0&uP3gsRnDR>m8a_32~_v% znX|;y#I!e1aNJ@-ssJY3L&-12n}YE0d~=j-W;lsRFwQ6Ox<}v958JmO3^I|9jybR{ z$i|ri03CkcG6dvQ|I$1B{JxnRQn?ggy)>SYjYXCjUc(%*G-b+0Dj`6aZC-lhHdVS! z7ZkjcSs~DDJ!sg6-#Y2*M-)P2Cj+qgD7)_EQ?4rsacPaRqwD!go}NX#g<$)B7GhDC z;)z9o5zWWN08U>Ja20mCnP-G-%GkY4o(t|_Q}%7|Bmh#HOf#QpR|St^|@t1WNTJBhB6Tc(T6S`{hWz_wjhO zua+dRKiq{t{;(ZLO5za7-uC;K?+(5{x-gV-IY9UDl>M;EV+MS1Y18lgsQtOO-KohG zd`a=--?pUkzm?b!lP?v(3(QeE9<8lN3_4W6E`|$n)w3S`GZUHPk9T*X$l-pMgq1u0pb>w9!XR;ct8XXfMmv3PuU7z z0xRWz&2xcehYENJZJ(px+kfZ*m!4o_O0QDz8x6aRBW)*Mka2s6g3X%EZ-|2{owOJG zrOx^J?GjG7WJ%88rFV#l0{w$e9D$c(&eMrP|A^%})!Lp^c=!g@G)H>T@O7qP!lWAK=a!XT8OmiVszpxNq z%*^skyYFffg94E=z^XfDEwRRw7j|~Fh~lI?NOao05OdOk0$5TPAs#S2WiXvPXuuNi z1sfK*Xc^)-UXE$`0;y1eA~gn8$wC)j83Y-Cy}#+OET4t5meQK5U_Yo|UO})p<63z;$skZlpGt`_%^>&Y@ndYZ_GHxwF zhmR9C7q$ii*sBF$h&hBcLkMhwRVF>tc4NaG=H2neMhk6hoFDZr(Eb_x1r;GTHXKJH zxj7pfK?6dqWDaZfxY^jAYdqC)R2_fx1-Aeo1XCt72ksVEt0`kI#OtMfEE%IuhdCZh~y;8-BVtZjEeZ?-LX;` ze!D*#j0*|5?kkLN9ge|`VHC(Fct2@inc71j33!Lau_*v59t4({r1TIT8{6F5x?+;d z?u`<19n*vaf>uekPNxAi@F3ApjxancEtAK51eaB6gS7J~whbN5DduD5az(LefmYjX=eWNTAiml^JAUMRDZbl3J8r8Z`F3Ba zVO4%_z8)ZZ0%A309^@t^Va`$W-$~QNOsS3K8hi8-%tB`_u352+44kpbIT#6r(0-or zPrQqEDrjg;6LzX28Y8STxUL*e6GU@xDbaPxCqKliR0>hKI+4n1z=c8(%Ezx48yohcwZQS%}SjQGVVWeTlO?h-vuc z`U;+vinz2jFyFsYLG(Bir(*Q&Wq17q$(g;FGow~jw+QE0JpF2Z%P=yEwGcF22BOB~ zN}QUkL067wg?Hf#1a!FM?IatKsO3^IA%0vElDgUDxM$bE{_au1k7NW#Q=?H+O;zbQvrhdQ#^D&fEoON`82-4q!1& zeZ*P9?|4N@r5fz4lU`Hh771B8Jxz|TNH*=MRDe1Tk&mIujHJcxX@a_2GTIg0hXg~S zcd#0jBH#NS4v?EX!)@`x^xb%wOmT`Ts6>gd{r&Tc<5&9!7pLbxz5n*~?a?O5L$_a% zGFRuP5*va8CuchIV9V~Lw2{nYNan`9WTnwrf(T^OHsfAgGrg7EvM<-_uBU2`S`DejlA;?-QzyNY{M#jg1kEzd zq}~xZc28Lm`c-3VU)xkxS3#~Xtrc$NL8t+Nr;zPu_OvSLvr#fQXR+lZ+?4X)0X>JesR!Q4-#+O$@YG~6g~y=0&cWL518bJUO7Xn?~@u^D~mc$8&s zf>Wo8mDkuGIB4A0(Yjhz6}nz_wW^%l>^?MfM9B{ThHLwCTUkZbYT7rGxGj56aB3=N ziND|C)W&Db@8pj37Gecf8EztaoZ)=@9Bt;4)WZVRZ*w`cuj{>0f$D!w^ag&*VC@OX zuUU3^#$p;y8x8MI?LbF3x`y-w$p|V$fjUb56ZnFdT|32{O@`$F$;2xp30Wbyf=In3 zAeY+}&uEI>Y&ET7lN#dr~X`>Gx`>j9{l4RXaiy&)&f}Gr~UI`iyNSELs6`+E*Z8A0R zzL<#2Hc@fXIokvSKdwk91OAmVw+Uq7ZP;5`c6xBOR9}5?v3}!tOH_GG2o70%FK45# z<%f^(4>euyTeF^!C5b?aD}hDjC5TG`S!um==E^5lmO|AvX`to}WUckuxr?>GtiIM# z-_nxAymg0m72sOnb(>k4!1=qk|0)&LP-;t^8w^-SH-j-AutKVI$c^-Ke)|&mCeQ`9 z(XG`?-@X0UR}xgCaU=_Ji`nV$LM!_`Use!PnID(PTKntd#!G`y+tbgnTGOpo+OvM# zL{%J@4*aDkDtIZx+7+{^$qJaF)}C#3w$=lEPLeGd6UQCSsbd2@1}4Wc>i7E#_d)dO z_m$10KbuXcs&Pa6?Sx}SWvN>6i=Q1w-OK8jF|k}&_pc#KpeF2^D!{57%2Cc(yzW#g z(D~?f5Z=v4*&)$2$M^SB$;{gP875&PiSSZ&3l7#GTLTCm8h9p2t zLSmK@YId?ayBRV&v(C(>Kxp;~0uL-S6)cEK5W#{-6a!(oX=-~mh5smEIIE5;~$7bygu=eA%Pd^q#p^A#5fE9K;IQ1 zkYWS5RDg47=C7!)N|F$_TTvO{W>@!s(kCh$QwPX1oaC#t!jT55Bj~%N4nR{-+o@+7 z7NjVg-3FBFDZ_bM;VLNXC6>{RiI0X+Kt7vc~aU%_Q3QNz((D^6h!QzoMg@AIAYzjb}#)BrgXJ1>AEy3)6=W%^DaB zx{$&FsUS81hdC>Qg4hA57D?v7SoIpN)SC`73AkSx>#`IIipp7o-6hnIuM*)eKC{*IA7yd3@>lup?l6d(?5SOg82&U+Ui;q$@i)PEDL|Nrdy9(jO zgF;_7U%^F7VI##tQCLm~9<(O9npzHBTYdfUMxD+V_De)wS6a6% ziIQkffCUa3S84+S?c>WSrJx#dhhtfgkihX0s?Fx(iFGR|IX13fU?S*9Cq~jxI+qb8 zlrq_(6(Ig{Ni88t zl*G6ciJg!@qIA`knwVJRXF$ptD9NAX{Q+Tx0pw;p9$J4)AmL8iyf)zURq1HsE^#K} zmlx&CL%TuNoHWDBPXas#Mi%DEMHfs4R1P{Vc$-C+sTBFFn7qTP&NL=5t6g!Vy#LK?Lb;GN4EcSX_*BWED;gZr~3gQ_NEGjFDZ<;Rw!9L~^R;I@uzF-&8e4 zf}9Hc1Wnlr(S{O7@Bs-hSnLEjDUtIQWm{A(f|vA4QbK~tlL-kn zwM3-0_=>h%la>`PGKgK46!DgU$bPG))X~WAOx{&S3xM%aUgV7HVgtldq}fc$95Ex> zECT@)Jve)$@*||8XqNtscuXq}ZieANkc*kb`&^V{XPJ@<-iKW@xu1gW1KLTW&@nh% zUX{sIu@`SccD3GuO(Q3R3>?m!7Fz*NA!|Oc^M1)5bmH38dE0$eP+=ufj2EnvsB+5M z+m>wWm28_t3Cg3}Bo}gVx0NuQBv4g|KTu!O5$t$`NTbJwkWr{xNb%(2eKyp>28B;p z@q~p*VXlcR`Twi1!9gj0fwn5iY=T|fi4zPUp z1A^CRtuef7%eD8}D!E&jh$NdO`nyDkn}le3mC!nmM}MUdBi$+BjtMfEY4mq1D+5h4 zAyUv`Pke%vgLqtsIV!XB>*_z7M6F1aSSH$q0B1#hN4Uh89b;$}$&iqt?4%YUNwY&v zK!Nr$qC|=j;yQgu5s(FuOc{TGW%2KNeF6L00FuI39S#-1QSMC@vc@jou`v$#_$BuM z)6+LzZ`_jOf-PFQ8D|njs1GKZVu!K%dAC(bT4aZFwIbZCWL{Qz@ZcmhI@`2H4w_>n z=Qr;z&|dsa_Yh*xjruEqfzkn3t>icS;tu6penw7KA<9?g7*RN8s@epKAPy&CB8_C3 zNg8OSC2jyErltYP7_I)Am6x8KixU>3Km_7*hL=f078H5wY`6&+k-Z?mk`ygsnmX_B zrr%uN>qT~1H|?SXk!X$R5GSvnqQPedYNc{>^lDErEGVZ0h7X8<<-LTtHS!6EHzEUZ zImNKZZ-IDrhR^kcETXbAqQYp3IPmlCAQ^+K6}(#nRt^jpo}QQGC`ix98VCjyx8QaSRdPDLO(B;2CMtp49LB{)l6viby-R%yACS6Ip z0x0Gc;~N@7#Z5a~SAcsk?PWOm)euFa>j5a)7`!}9{06&pi5@LXy9Q&`V1!iXX^aq& z4^i+hGNuVsa1WJfZRpM{`}X>Hj*)nD<)^$j&R>9=4!C%hRr~>>=0D|7H9;T}Pc;fl znUG4UMuC4aT^C1Cw{S}%yQ!)X8OS|}j3MzTlP)qt6ReO9t~|79{UY@S1f`^}Of(q@ zW%2-Y0mQQfm0=`$s@j7Rfxz<;h-2I!DPHrg4(Cl*k}4HKfJ+xginNdllF%0(aj3ut z{P0gB_Yob{sEc6(luO%2SGfi44PFRd5o0JEBa-7V8b(7qPb29Fa{mx_$)pGoj$))4 zs(x#-t>K8eutUfm1#G~}aB_|$t@YeUd8jgs3(?;+opP|w0vXckM?J*&a0_C*Q6n|E zF@eL)pl$#q;hyHPN&{GAI4?__;_v{9q7X6)+*Qhy(^j5!D+XqLeI3#wpLNT#5^Y|A z=gX^ziijdijQ6UDh~e)|LYX2UTtSzV@_d;NMe?1Dmg#TAjRmS=HWAB*FzDm7M{c)_ zEI|U7W`&9~SsvMYPt->Kh1e=^@|X{Z)+|R9n63f&ji9fWs~lgUx(&!Vf($4j-OAwW zA+rzso@8eT@^05Gk*Ll~jM|TyxbJC^X;@|{A5}#%Ex==13Sib?k|KahiEP zC=C_rIZO@jLg6_$)i|joDc?D4%G;snqB(e{z(xx+Cw)F2Mnv$~D&Vf-C?DfO39VFz zjBDqy6+5U1w^&LtX`uY^#S-Heiz&`sED4OOOtg1FZqQb#l(tHK)+)~> zUYQlJ0+I3gwXQ1yRY4FjniL66@K2WFyaCEfD|N~dnUS?Z%``yCg~o}Uv!n`&^I%Ot z4QrqTcvv~j9Z`+@&{|5Rf-YdVW`Pa7iy4LHTvd8!J-k^%>|wZ5yX#8s`l_s$#q`B? z@x2b2*2sB_Nfk6M$yvph(}I9*#S~YCOv$opEpJgJ)vHF6^x+&&6wWfJ2D+n=NqJ`i zkS>>9XM8jmr}u2360-&YVN+w+j1L~rI%<>TTqH@kKHfNw z@*CrTjCl`GOslHd$)Y!18-`5srx7PLAePcB3q+T|_$8cQD|C=^oM{MibZUuH@fg${ z3?`3r#CbGKAi7KqS)J2hqe*zJpMaY#33$_Dk>y^W@tE?XjV2&5kQSSfKirX@n-vRO zEG3F*v940v9lU6hVYqmKwq@YhgLKkUHy#?3=3G1+GRzpHi7l6^;serX;(DBgzYQ7@ zjmn~?@}RunwduT1d9Rn@yf)m*HkfjijSwgoT|h~Y^D!LLfzjZ8+-zVsH(aoB-K@P) z!Kw*hd|Wqc&m`BBl&PuRa>vJmZa!KRDKFiP8(^0^nPF?khy>BbPG+uK1iQQn11;LG zS!|}mE2G`$!6Zl6VxgTDn>~C;zM8H&XsN9N?EwPqQCHip#|Fb47!nmod)mb^ev!6K zq9rL3KBLnMhc_NR1N1qk2+5$N#~G^qyeL^wMhGiXImJ?STc9+Qv2tlNpOVu6_Q6>s z0PGWMi7LQe=NYYR@DLI9KDmw6NBQCS5T^FMTOQq2>f_y@N2N(Od$?KlN4*=|Df%dX z{iqtTV;1R;6-%h)La``UU_#Ft8qHNsGTKnR)*w#9sJ6<}TOzuA2LvwFlAtQ92Dfn8 z9Eua0$kF~J1X9~CY@!I=aA*cjb5?O$5&&W?AX1E5)0^ku?IxJ&PPxnva0as{98E5! zuRGW(Xv~dpBBa=pk@;ZX4Bk&-i*#u>4 z(3E66#)(N!^QsW^L~4>S5hn%o;mm<98fr#?r={TORmB>N|abSQeacTfHCPoVK8Bs#7@-w~ii zRpa&1KByUh*yN<7JVvgR>GB8gSH4)1@XNt{Ni%Ej+OPJ}H$;8XUKp7MPz#&7G zKY%NQXO5hZQ(5Q!|-Bs>egn34N0Nx;bnilLI+`Ye`e<3fOlgF{kYfO>8jf^>f}x5@N6k|w z-{IB!y%}&#jW8Jpvs?wF3Y4b6o~QtKI`POt3FXpIQj1?OO$!I7XQ;y3grcBfG)2Hs z9X}z!(i&!}2898VhR%d^${fZ`hzKV%aIA6L5J%et+Ruv&q@EL01NATT(m^f;*w~=} zFA0cMC46OrF$e}OQC_DyD~a-kf~o>fwxuLp$lMWdU95=0$3_^s=w--~rsL^Gi-1uO za6Ek|B??F;CwWxmX%Nd0oUzCRc(!LaFBJ&1NOMwn=ple>7d{xc3Gp?+u}6&JXv^^C z<|=1M;H1uoQ#+~=IAjMi;I<58^h@{qM+J=%Vdj2;;n6!JONpXRj4BFYfwl=rE2RNW zoMfZ;L;#LXRVN-*h6ylGY@Ickd2*8ciG)D};941O0B+9k)xfDUz3MMx1_P`!5_s8F zS4V573~3~ak|EB#az|_#BJ#U|bI0;TG)j4c$_AT&IFUAFJLNT*+VBtY;RJ9f;Dz$p zVUu-y8&=evAuy4{Y;i03W?;554JL#ME-rt-8Ja3e$ge-3L!<#ZO=Mi~Ek>bAC|n3V zQ0pk^aKX69R0)L(q(=}U7m16Dk|>tps9Y`6>cNjdp%IP1vyp&D&9nxL{tn)ajG8$Q zhd`|{Sve$X5m?%Q+TX$1kx&c8;Re+H7Df-{JLjwp;V>zCH4)D|<%}>k3&tuc;1S_s z*SiLQ4GTQT6-_B#bL=Op^I1OnuKfNoH*+>lm8wGG;*3?<9lQxhJl6&^E4rU~j4FzQ$i7TZmDL3t6d=v}td!9R9_PmHo>4|C` zYKjxuKn9M;R2^0DtGrpQG^Y(<#{{L?p3B&o)Jbw-o^v4+1}eDccaz^;8bgkA$VGmf zp-HG#=Q5u6YPDDGYMQT5!`4r(NfsxgRT}?5k5{clr?$a zY>Yp|wLnKcT`oPwPd2ScOSp`IlJH)ByNFA`WuB5ye!8S;HC0{24H5}qC4@10gq46h zbF{0Y2QC+UYXG&h>=scxgauAAS($KJB;c?o+Ph&9Fu4QkBA`tfr5a?Y?t@xghm(XV z^d5=H97#3?12;YiMgtrxJgUa9nL~Qu>34Rzpc165D9Q<_YX*gxwm67d?rV*5_A4 zGTe|mO;_KegqKRO`yq?`O_Y%7fJnP-dP)W>2a3B8q?g{6NL4-S zqUQBmo7X_=4sP~njT4PCoKlNa#)%+=QmG?TJtN_FaZ1B)VJELAbSQ=ic|2X57HwEk zXIS8hyl5oga`Ix?if8@?f*(^95zTNod7j~sF_IZOByg$99|kze5gmDEz)33SWfzzV zq)@>0!V!Fq%5Xb~Q zh!IjunHtut8WN_T=hGRRveXLZqbPx)N_4NYpc-VM z*hWpEa}+3z+Np(_4fhboe??3IDM{<*T>*&qg=8Ei#eEpg+XL!*J+RwD7xioSE&kH# zkVBWvNQwlR*|AzqbF?TH2z&`Grz9~Nt>sb%a%13!t^At z@xt)+I3Zkdv^XJh5MlyNxtYiU1IMz#OAGQ&q=3F3L5K9#^=ybwPZ-3^1qOkkw2dq_ z3_YWlA(0R?l^X`JVZ>7>H>yFO#@Pf$%9+WHOCmN5h?&ZbOCmN5h?&ZbOCmN5h?&Zb zOCmOcLn34umP<0zD79c=Q|-GBa#_cZs31H1I(TuOR2$>t1RG;G-0JxBTZR_`oBs4Gn4i)UQ&CPoNT&VukQU+ zZmDdt5sZ&Uha7$*fd^tWaHjN8{S+@XI3?Yoi?%7TdnVpOns%~@8VeAEE>;bkvG#IG zFi&0^Yv%Z>MM2M15m5-%OhGjM=3!C54_kS>+r)}%f&wWC=HuP84uwLRa*q}miO%O- zCb)z}L1ZS=&Je4vMS;gLX{?M3dZt%V=$Vu>lxct+SBrwSfVZ+J)r#AHZ~(eev%N}R zv|UdBD8Dk1XAbh-B)_?MNWbVFd(xOXR`b!kE-RVAh{ z?E7OlZi<$Is1Uq<8I2QBJctdz9W-r7FVO%L@VnDs9U>0(RY(p4Cb@E;5Hz9{jbCwi znL<@&P_9zifmm8k0~h?k>QM?N3qac%3bB$Zi54LWy_3Rvc!#F~9Fb&K5HcA7qJbVR zc^*!hg@Abvo;ssZt&ysWk}RVU5SJ>2x;0U<Nwy#*_LA z8ueU`>!|{F1Sl2{jV4SOd*HIV2=3Gfc$L=$K*;pCSr znHLS|dgbFh?2}eC4$~vMvcV__v^&7LDb8i$C8|L|ZDx)_N&^Eyv?y>M(dfNWjdTf| zTNPv%gr0jepNPP*o{Qd%oeFUDbgF7Rrn9!gMi)7AS@|O1G4K-fRT%IPIBpaUd_>@G z%)=V%MtbClBj6!55Nj!+NJQWzveM~Pfk&Kp1mH4FA_8|&e#*s2Rf-}6$&P#(HAlP| z@CavqR5M2hdcNOqbyUzG7f1Yi17hyND}F>Vw{Zbq2`%J%MwALPMU3=Wveu4&#GWVU zXF$S#8g7Wx0{8N~m!%z~1`o}-k!J?cf`_6X0r?fA7i0suMKy5Bg?sQ2l%El8F5V#L z8UPzTI^}aL5qBoAQ6&n++!OH8Zd~R8xksAEVKo4LNx)Smdo~8c$G;kUM)YGV`|ARL zGbrspVfrB8#t>G<9a+RS0Js35KwiIEb---qM&QV4rSX94uC+nHk!Aq3Ax!=dWVb6y zgQ+uSq&3f~WJF1HhFWvv+%Mw9pUCL#=4la?vXNDE)vwBS0c=QBh>jFJ`>FIuAMF5+ z6m#|ijl+o;zHaM>f-g5Rfe*EH`Q6yfyF@swjq*{Gc@DiEV~1PTjvlooyH~Ia6z7K9 z-p59RpFn$q!#a)l;YOzP3Hyl#KF`v_jp4xx{Ot5R09%Awp@w>927%WJh#>IkqaDTR z85vm)M{!QpnBwfrMxVY;Mwr5PWMvd)jnJUcsPI+uvKf4B?m5*C-Kg-*Uh5S2reaFh z@WLgQ%>EvM7E3eK0x?bve1YcZ3S9{to&$8HpHV&f@J&7ry+z5q3@=jwk#>`$hXyBE z;v@)fRziS|j|NNa8Ll9Q&uC&SBKI^xDCFT5+O8iA0Ll*4y6-eB1N>E6*-n1Z00F5OW2-$apy%#6x1)gV`W`w4;}GSYCRD)iEr+XYW2?A7q2zj|xG7 z2GBr<&Bak;)Fl^7qb|8%8WnUhMRg`c9T#W@&_q>;LQyctAgV&Vn1ydldDu{4IO@M% zTN#yNEAxpCWF>JhZaRx|303IUm_t`(yMvdFRvIAvIy)2PCS@5)4C0k&q36(5g&{aI zC(nVRrexNqHV%C@CeHh-YdDcTlYB&t-hDhQ3 zA1Maocyvbx%Lm*;1fG*Jc^}1aCK5G6X#(7+4Uw!Du&SBJa@GTl*n?a#dt~wz9LrPg zF8EjUBl%7K$%-l?s))qplk9x)4V+{ST~$CaLXh~;%n`~SKg9@80R2BX#{yiDOdG=& zG)cJ{8!=@3*H3bCK%fV+e2I-%V1{cF^`yfe0sK|5TF7=9tqKtCC97e;Rmz41u8nMJ z1mHo(y(w_B^S%*)E3s$8)!3?F;A(`LO8741ky zTh+jsn*cXYO=Su^y2Mmb0FRJ-N(a1Qsi&d`9xA<*4tT?oON9ikh{{Tzk?q0&M*_0Q zCmLUzFC4frFX}%C+{FuY0nf9t7ZOU(tGp#sVio7oln_P5Yg`nEBmv6nAy6z!vq~*i zEviV0V8hY?M~&7$N!l7J^_l$4A; ze-l!{%4ry(7fL&ApwQEK)sQO*xwPnlV^H!J&8-DqSJbE?4PMdNxnR=>nS2cH>nM>y zV=7|NQVO9OMhy##YA8i4T1^ZA7id(6KSTEEixxQP2e5rX58NaTf;n&>!==l$$r}RP z$8egW<{A{B3Lh=-FbZf`;2|@oHe}7iD4#i)2s}su4NvwED(J-l*UUQ{@K7pf zgMf!oK*ItLr3GFnaFfLR{}k}XRX{a(ivOGfs-Mv%);@!g`R7&7U>q)1@6_TJU0V4N zx@RzIjiPu45Bs-johINep~`8(a+g@&)MI372@NgaLaCb#5^!OZO$6MaZz{@W!Ke&1 z&_*ZDqSH1dTJSL(qSjDU?=md6&fX=>vD;ocL=T8y647svA||6y^`LYhd=kFF-xU zr03-#?l2S-aH{h{f+o5ce8U{04#?N}4rUGpawxuxgD%2RjHqd68?v-th=v^*q)xvM z1+pP}bx4rrTD1}6g=o`}KpJ#uBghNUp&8CAK!!5Wu&PlUq7a}Hb=xBw_fWi6H5JVo zpla!W2h|iaZb=!YF?nL-w26^{>+k30a5Z=F3j`SgI8@idmc@}Vko7uE6}1bgK&AtZ zGZz&E`xaJ%LiCdY-Ixcd8aVA2Km+}vtFtsk!Hf!KcxcACSd^q-JB>LWBXS+a^8t$P zuyu(d0VmFFgDF=T&AGL)@X9ts$tQ>poU;TsbSfK>a=Vp!ek6U@E;Q?o z=0^GbG$nv?S}36;#wT~fIibY>i*y4Y#W5aQlyHtkrwQgxWz-UyO&>=cmX&y#X3y=0CXKL1ZmTvgfh}0Bf>CjG(v-g zkOsJ^xmE@q(k2_yGTJcU0mj71L}`!WRSgh66rS-~;{;&=K&y z7YE$59Ah-K7{e4|L?i1=V7MG(2;hctj9TF4(Ji21g&4!m+)xEGni7}|s(%>*xarG? zyyk9Y9|ymLT(AzN0Uqgbf^7Im?-3?eJ?#t)br0oX8?D%3D2QR}#%XbAv`TT2z^e{8 zrr84-=t3yn`OE?S#S;~`@#m!MmRaMcp3fm56L|AItZaJd9D@ZVZ7 zK@T}htpq&@8of$FXp{^$Zap52e%ICmHK`lNe()D~*jaI&H(rog(^>)VTC%f0 zzGaY-Ax^#QQW-*N74n?>o6tJrLELqhSDXj(P4(tC9ck4hSDXj%OTqkBUj}32MTh8K`C@Cj%rZ& zx0T`ujnAbmy2%@?C2LVslo1ZWq zQ2;miK1PLwjuRriVYj48njWZEU#oJ%cm3YF;)fWKkac z7zuEhWhk7I8|dj14ffhn2w^6mErAfZ@)h{G-&urG3>cbA~8ta^UMM|`J8!2P@^c?DX$gAI8vM3uEU7t6zQp#Zmc z+@6cP9c6Ts#tpg(YJj6R#}Sm*sFG^ng?jST0Kdi7$Ce!V&D#iE{ik*jbikFFhRiPN zjMC>QH1Lrkyz2YH01t?!J{gSxynr}|hX$^=j~jtU`w0y^s}h&Yfd{aSMLR9s?G})3 z=G3Eue+3l&*+7NZ?g`yP2+Amd`>0C2+pG?_kE$%zy2h&MI^hx7+q^u4DRk4SGdftP z$gkW?Qi=^|r+a~W&Aix)4!8+mT_h4Z7o(DVM&N3NYHh$w2#zza5DkI%N(pbxGzT8Z zD_Mg?!?I3XAaI?3vI+1De*g~++}u-H%j6gR{2dXv!Dm?m{Nf+K5pcy7USCB-GhCKz z%vHDzy;;U-@OCBwr>~0qgBK_lOJjdCp9sH<4~>-`2e-hKn>-bp;eeY0RDRFN3to+w zvSrG{Ln7#>{LDi(K8d;cY+9}$P0SD3aiQEi_06F|Zk9>hR_%#Px1RO$~a2JmQ zzGjPv9vWxDuyk(&8~P;|xwY6Xj()_|+o_!{LP_Kpzn@m_gs7A(4{pW*UD%79^7~l^dyq4ni}#^6 z#Q8%{KP#9r)d}KIbeP1We02<0!Us6F+#x;$ezXz23&W2ONM61{`0)WL2tkCOhhgaw znv%=|oJia-1>|O$#F7#ZM4CfyBm!W0FLIut;J<*6;wUeTd{a@?VR)LNXOyhm90RV3 zp+t|3aU)clVPIr;IUGI78Hc5YT%8$c2VXPTu%iE-Inyd8EH?UBHj z2YV!kf^Bl$uLjP(w%)en;L+hyNR(JQQm^#jFjJ`0kPrzM%}D~qf?U#GerHbvj0Zh@ zl~Uz2;5j3S4=fHc$t6lofa)3`NGh!Z8qm4;$s zc1@FD?*6ZOhYW#Lqr9~D3-yE)4)Wjopst5(e0~kdAjTKPznMd#d8fJrEE3IAY=hon z8^9#dyt)2uToUH3XoxH%8_PF899Z?0C|QC!qD&`^|zp(Z%PnrQkLxap%s*n(Zqs{lH;G8BX%0*eYe<6+6(gcHy@Sd&~v+OYsjRpE?C2%gO{gcm?oWhy{P<53Fx z^o%^!FUS*024cu3wavy zx(#Zm^X5&%zT+WB)A+XAV#$}|Z6&lsjklErN@#(jC0ZPBV|Y7NA)+)*R(V=hQDm)< z8nJ1yl)$A@6=Evo@}*W*S}Q9nD^n}UCsji+d!_ah+Zc$&nqWr4psjv^mv|S?rXgSE zzX=#5gP#{9F%6g5LSW2FzryvG_kkRU>;@xp9gv5;v;>Bsj7&Vqo&YFL4&#+?yQIpq z9QU6HC^stSEYd)#-~kH{E;sF;}e0O zr701rB_4cjL}B{83&}?!;*sKn&Nx!4#%6(>;G;NfC{W`fM&vpYfrk-9xrDupJ-nut z(N*APE%vy6h^&{9m$Eooj3?#oMU)i^?hV={+29q4Q&WdN+YeTNI_Kn6xX zYviBYUKM*#_Dig2rCdHb6~sc!W5Zz{lm*8Hv?QMN}Nw zQjPp(k+m7!?88#PL@F!fuvm~=jGTr*m+S$PT+|Uk;z0#3l;H$>#GFw`dl^v@sx)d; zp=wttprlgZqoq>bjk8pY)76X+jiabiD5^?1LupB3IByS>fs1zcfLo`BHpvtv_Mm!T z7(HYd@g|bW2QOI+2X!g@B~`))BwV#pq@{r0rfwL`cF}V@0Q!U`srp@k1iVGJc2?l4 zf`8h`5)hsZ;#m18((|o{7hE(tpamKi0nu@=c_+WXS5{d|cz2amWF|wNPm0_eUK_2% z8#Wch_DPDOj|f#1lRo;k@(3=L62(+}B%)?=Jc$_q-3GK0Lu)FiCi_94D+ETO!9;sp zdCz#e#Fx<=(3fQKGj?p`vvUEKwU_tAt@@jf5I1h(c>9Eeczc{JAwJ|tU3=QQCfmEF z^pA*th&528fYm77VuRTv)?{ZJvZz=rV`Q5j+?F^AAu{Q@-P*>o8m6RP37Kvsol}Gb zK7et3SKvbLtQ3bbOY;FqmIU@nfvQq6H5Lg}mCcgP0bX!pwZY9J9U&2jjL*+j$qFCv z@KCWKCUeT@rfM}g&LVEk=ys>s=KJRuHa2b$6OU*XXRq!W54kNC*t_-wB?3*A^+(w0 zQ|ZWKV2()z1Mk^eV_N95K)gDM*a}O2jlQ*Yq%{1{9b`_)4*z#?@fjali76ySUn*0 zrVJKMC3GpnxdFwYM5@Ss0OTtsxz(WbS_DP(=%i_qh_4c)nlySZBL)d5Eztde;eZEK z-;*sI3hWG?lLVe+;V`@)KZQVOB32(jLPC*s2rpDnf}3_*6A}_oE&^H*6H!wi<1Ljy z1%*vNB=uE7Lid13TRloQ(gocjyC)!VxqIOEjZcV*U$1219otT}}%kT>#a^46O=b^SLh=Mp9Bz zQs3Ua(SMVYk_`V%?w!=DXH0TRpOii+y_1uACdDKr_wAe9D+VMr>P$m?0-{6-F-aE< z%Q(6JM?PJ^Z9@d!t5d!S69B{oz=8LRNUq!Hq(et-7kxuZ0svqH&J1q2a+9Quf_!mj zr0yc{QJkBSFZr;OZZsPjPG4OI8EQm884%R*DHw{%oJ+g_M3+D#kw%hfB7sGrryx{& zfkMGHya#v~nsuXV2(FPX(ZC`fh{znKe@c?wZ1kf_P<*;cU0h^{mc<~xD6>_vJ;ucg z0xkM^&JF3Q*3y(sXaboXy0ekQkv0H;OkkF#1le5RQmbc!;X|{B7eRd^-A}nn@qI}@ zmSQ~BnnvZGNyr+5p9WYss~x39%zZ;5$c1hl)S3ib=5pD1w>jTs#GxY zkfa)ggWN!m ze6HmEnSlw33{f3NI>?%qXScZ(dzi+~A~Q5U6FOXsWlsm2_!` zK`kKB^a<4<=bC0VgPI9;s@BmC>$E7+PfgjXphLX7NI759*+=>DDcoBrBwqJZJwRa*e+1r;vC6y!^@D6+-!8yd3gmM7!?x5@wQN&ZW0IQuWZviNmCkW9xaMvkWqAFqtAQpXc%QDk_o*o7nxE|r|>aO9>Y`}%8U4CPKS zmSn{)#$O8W9RTpe`qib2oE|sW&P{%pLhhs_S}6$Ype!(8>Qo53e*^o$ZgL-){b}+7 z2r`E|u)84q1D;qCFGoviw}eH#Hq$~e>M$*C&;Wt<^8;-?;>X*jOaTmek_lZ3242KL z)Ghm42vo)c;<`e)U0hkL==+%GKpN=YJzgOtK*wLGwxFx%Dy4n2OpK{2QPTY=WEG!< za*jQg_ljy0OqF7m_W~qoSXsvCF7>3$0&FEQK8EvZC{GIlFGLyuHG=(vt*Bk~M$-zq zg!23CKsH+kchI&T6h}J54~lXeNOsT_E-|<%4aCL*EuFQt-Q;Ry-VJNjg~K4ju40DM zuYt*U<0jfC^g!mju2EWx&4vlxHQ6rra+LMkx3|&m}noLWWXtyN*yV^=#H)Q!J4hRgGX5a-(Q|)qU;gc_r!P9P!db_4-1d-Mn zr!}TQnX5&lYqE;=R1;FD==~Ge7zr)XlDZb4$f^;D*8Fl>5EwUY9ZZR|b)>+Ck~*n& zdsk#t?n;EGpBE%8*ho-SlN!PqXvb+lUnBuT;23_GVZ70G5Dx=q6+Hq_MFF5IZbrG? zIxIZApce?l-rCb9yMxJ!p;ilNEE8;yUW9>TZP6joeo?;8i8v*t!3{4+tyePRLR}0c zA<~rzB5B*uDJsABLZzL!@H%D32`?=HvD^i$9OybcJuk~qke-o+sUmB5PGjm@r^c|R z>anWH1LW}n4aS-Lq?9x;_hAX59TuZjxtCoMXxi?hM2QxVi@!(?HweV$j>jql`oAHH zuBmx851xtILA?**KY=oT&16w5S}-{%5ns(cOeJ<7a488~%IGSaI$|O1XDOF{46808 zh}>;7t0z%qG>47IqD1>avQ0%==1oA<2e%t4Z-C|`fuTj5GXpz=l~N)op;2aBNyX4y zSB4+6i%yiPaoDc^4O(!oUMVIzZoj0zU4ad;>LA4T|5HxU=YPuS|CCc*o4-dn4XYD| z*rBQYlKLeZv`zi;MyYc~J^ugn$NwVz5#S>jpT{Yx#-twqyvIymkR1*2VGj>=s)R46 zZ9!+c!M#kSl&ciE z_ag1FM1D<>O_J!0<2{-Q%Tq%WLh%<7lixvgL?29|3mXZc)49|l`S8diMo3BmLV$w; zCN+qdQFxq3!Zpo6cT@jw0{2qCQ2p=ocYX}-zatBV7N%!r6%WrJk>$9UH(%{1{QGZG zpI$wU@4vlz_fGoX`|m&TF?;_-^{&83Vj_UoNfEnkqZ_1Lkypg}HN~p_F|Z}zP$Vi) zvp2Zp&~p)aZji?4BA9F|f`YH7tq8z$fg7H zV8x7K>BEO+<>n8y`P?>35Y3Y?&6CY&o{*54KYI9x?7S?H?Er;Yw~x#&%*q5q@(V%w za6p6uCdq%z+GvtpiGdP1RFM*8(xYXNiSF!U>usxalI)!Fw~UBJE}>jyP)PzP(n><* z!IVcoo^>njxgke7DY`pH_iM+OM=Xh2ykWqN4dk>26Ad63r@TxLeer3P{7A{3DHPS8-=wP zMGz@&i*N87xXH>!T$K&IBQ0sFv$0rCnvf znN^7&0Z3Uer%YKVu7?gV7T{)p5pc!>k>Ol)kWW4`R7xmpMN|?Rx(Tkbh=I2N#o0UA z1_rads|@Gaq?D59+EL@kwiZhRlAEvK;+0ztWdjZug=)T55YHJBgovW;G_~vzCE}c@ zP`);yZdwwY3{RX^;pAvHaF>|SN_HnGqy3PuC}T+(2jLQw8L*feebjz%o+`w2v<*PD!vmWKLO_ zYl#l;x+oYBnP%upxDgl$#NtyJie*KKVJUAc@zBPR!Ll?Y`?wHxNvonorwt6D7?uRa z5Kl3D@?-SS{)RIlW8XwD>SY7@P>LYni2&u1(h`4UHi%PQ-DNfxXe-U3IAeGdX54^f zTr?-r@iyQnWBfP`6<5Mj0=m0bFq7eVjf9St5~}3P#Qw`Qx6ZFF&4O+Scsu7d@>0yBR_ zDJ|%@A8J8xM>L%62Pm#!)+#;#Ib@(yzvb{wz-UF@34Ls!kWkX}7zh^nT6wP%oKQ=X z&v9O0ybM$+p&%hAk?#4h6jfm1_zJv_;69LWZUA{0ju(6s3;C10w_NHQ*+2U++#Otu z9bQtj54;x-Bf|YZDWz{;!~MT^-=4kycmMwUMlmC)`4Evwuy}Ztz0Kc&L zIq${52*3YRl9Q8r8{J+C5@|r)_)OzcyM|w1W@z&aRCkvuDj3)pnBpRXCRZdqh{HRWiy(+aL)^G)*h_=ZJ%pur!QuF zQv0vkBmJ&%epz3?@y1oN4nFZ6D=u97++7o9o&s5Jp`f<) zoTGa`FMj;nC3Rl^<(}tL6JOn*`$@`YL+FvW`Ck5P)Zwca&F9A7C-z-3a6nO_@8Pst zuVuztiei5`FHSoCUc5utQ~cGw9y|Z+TJx`&n`W%r=PHX?Ry(0~=koE#zw7J#mZW;2Q9dFI-GPC(!&x_yW-`J$S8CUWAqSR*>{rrEs z&fL0s^pEQ@pIp>*!LWIg>}|)+?fUr_U-jE`@Ny|ee8HOgnRnB!&n*LHrhHTXnDft@ zyG=+LA2)kzr^oN#{PZ=q&$)TeMBDJ3VY6EBTkCq)KCsvG;%`+oKQ7w8b?E!>+g4Z{QkX<4J^oda`Q6>pI!6o?+dQJYjl&vwKsjA0+uKEmu{NzEtC}ay$>x5Z z|Nawiw(D`-sq}~Et>`$e%e?KL!>NmYow57Yrz;$FO&<8*mD_7uKe2qlzbB9V*O3tq zpT6Pk8y@dCCHK{w4*Qz^`QBGw9PWEn`AKF<%Q@M%HOX%0`p1=P9{#44^LX>&EriuuyS_VO#=@EWWcttN z?@H_O+r9#KYuN0vcBk8ooBMXh#m>${W;a{7bI6J9d-k699a(36{mVa|EL%H$!3SNR zn$d0d;ncHJPL&_s>G|t*XUnJa1~0tb^5u{9#VK`jXAV9-Z*|MAu^;6($yuJhc>n0! zu{($7?)a<4k+r4E3TFOP`)vIWpY2=s*Oqrv_}%P+VRseQwq|baUOaJ8pTLV7cGg_e zWaxk19<=hWm(HKtarWbvPIqn2Z9P|Zb^BKB{#duA)1&wQnZNUoCf#;Fy5QgYt*h5H zOFsMPCkOxUOY5n}n`W=rx#i)yGdDEfQeN$A+2;uR{=WJoPvx#@GR@BSKB{MpLBt+H;ozv+TucYR-1ykJKA z8MB+_Y#W|*UGq_n{wFG1)wHX;s&ezm*NJUqN& zW3#$xDbx3^?*1b4*5m;zURnQ2S=QQ#%~HSp>>=^xmmTH#trxoXjbAjiU8~sy=H9tb7t(^D;A$iJKMB#i-ViK`C{7BgMXTH za9-^r_0xKvdD%I;|4S>`&Ic+_uDmZ{b<5w`#m~O-cK2;;m(LFzIND_Eoz`AQx=va% ze$R~Rx;yHZw>sQ@)Slmd-Sqx1uGKBO?5=B5lNoy~F3`E`fvHU^+kV`7$^iTBekU$F zF{A%yPyTMHn0D9d)lWXRtj9y&zO{3B-oM{}cFFj!nT5~y>9I{5;K^w<{MmIme|4Bt zw*Kb3EGK$YoPX`;?s4~}ZlAopplj>qiE}O=URV5NZujD0HTg}RPr7AVyQMMQi}xhF zlGo#hM>5i$ZMC{(+Yi5fXV-zb%TLbtEb^?K@N524>z0)De52i&%RcV^@w4wAk4?_K z_nN?*+#l+G=#oD>kVlJ~azu@6KKWBt3^nPY=GbzJ*} zXUDK1A9mc?d)&#AMZ&i|%eK$XOWwZWy~L^>1y7wCQqtv>PxgO*V&v&#pWSQu_9PrI z5f1p&vM*D%K0G_-`19+!-P&bE%xBFu3P*qWdD7&wpQJsT{dz&#g1e^spW3-}%Hi9u z*tRlx*JZ<(|9tB6{a63B^wDW|Jhk#A@v5w2w>HV?T61dUTStoy4y3m9XI}F6zWU3r z>kqyE(nkqDOl@WvW&ix^!kd=n)WvLiuy*~svzD#)yf$RUl`}rNN;)~|#+Gwx+tg$> z9lLw<<4d=HJFwZJtRp)nJ=~-srv2gZx4qY;S9`)=G>+1}sl zku}Y?UbpM?m*>8Gx8%^W)h)Zsr7cCVGZW+67cX%x?XzZ0>BGe}@&0Shyw6N(U-VwH zyCzshJ>B8=-{-N%|5e`q1L4&0!#nqWTH5>02REJm`M0GluYC4C*EK`Bu7sEr?H;{o z={IxpkN2y2^IFdxMhtDERb=Kw$SfC1ZAdncwGV$LsheryfkZ+1cUG z_x7Iq^6A0ZDPv-r#5o_xt(hg9KImL}VD)#CZu{n|hnw_poL*IO)ir^WzWb+6e{$r| zH@)pXrnVev`q2HI-yS;ic;&I9SGPO++KCD7JL8=XD1aa-P^}xZ@%e~riV7~$#2!>wjWClb)J(5 zMKxG_E^W=s*)g4;DKGLTcB!3zxcJapflVK`@*aGuZ?hYBJX4rIaJIeYnvGj3+upJ1 zOx%fY_wJeAG2!2Rw!YIhcFfZ=y7g?*?qu8NzY({!Y&G!ex^{QOUDJPBr{#yPuS*!z z>Fhfn{90x|y(9lbMail3!{1(e->c0}=U35nhgv??YS!j=?6G4WeJCwv&bC)JjQ`-< zx!)vi8rY=ndgi*e&iR{$4p{rpy_V0@?!G0b)7vKw?)-Jv{vY2Ozx$7IDPPPU`@w@h ze^AqQ&5>b3*{R8UroEmv?LW;XuOH!V|9Zc#&3J-nw{`FOLX`WM`)uzw6_l}1)o$pk4 zY=iC8x&M1&N1K|=iO{_OOp%I@*J-1C_YBiOZF<8N4W z<)RMMgwb7ec*m}=-sjQ^eHQ9)<1DBZQrYxe>-&M_5*v?eC8WB z_1X7EuDhyjj*Ba&pL}k5lRxL~e`3x__pKFk_if$3{lJvX?{toxH{Vl}SzdUy?LBX= zy}5JGHTg{)KaQVv<(boadYyah>5?&97rDnzSy47^?lFSL4|Ju5H@A=}2cPuZh z5`X{U-gES>U!J$u|MYR^BeDIno8-8=OaGoSYwhM;O}_i&&EFh{j}AV${jPg%6YmfFrFCUXL@9hoKvsdi9;cTb-d!@pD)W@{v_+|T# zjSxDX_+jtLLE}F^F#3T58+*Mn^SuXed-AzKP0lCQyfvI2S9@??%8w5o*f?yNqqcR` z)jyp}v!|Q^HPaX0#x;8<^H}?<+J89qW1GG7g`!S@y7gBVH#>In-XE%KHrChuIIXJg zudExMXu9Bor62!i<7?gCJ!JW9?}~38-_+M}bWqC&r+!g#+CFcqbM)~~rI-F_RdIe} zZPA1WZVtn$Oh?z3#T(RJE3@1qmH z{PNt3qyK7t^!Z!I-Z$6hS(GLY8MuYo8$0jLrVBn;llb3NF}-XL8kytwrG zgj1i2t6z2R`0(ood)NQaeMZ|rLe&edc68C<2ST>m!p z)yTB{UrlhgY@T@SjDKgmd$9R8O-JwlX4mM1wi^eQZ=XB$t_f2=o9w%}EaPzD1J`@k zuJgO=mSo*VGxO{puEVXtZ*MNR zZ^p(AYhDs9S+_RHxqHl-vH39*o8NtK{vUl07k5tGFg>Sk$+J~g*?&AV;^eW>GY+-1 z(N4ZRXV(1()(q=XP&@az@;^WN;@5jOT+y$Wf5jv9)kltv>-(uI?copB9Jr$T`pY}k zpKg9|?Q0`0Klj3f z_2rvg{VU#n_j+b-htBK0bN02VSRf- zemVW}hc8Q<*KEO*aetlIckaQ>%V%`UTd{0o_tlFQ&$^@NaADt(8-#bQt2$qPuEk>? zTzNy>D=$2Erg^P(X3pZn^^5O2H*Ed-oL>uT=RW7IU+-ABVbT>vo-5B(EqQoA>-EKR zo`3WC+5P@ndiR7AOH$VK-FaY2#p2uJ@^YHwJUMSnd;f^T2^-#+u=dp-Ct2CY?oA$F zSMlOsWls(Aub8)UuA}61kJb-0UC?Xs=!xrIYgO5?W=d_(mG9bbi2H5e_3Ml0cyFw; zz5MImjm=-WvdEKgV%;oZbtmtX2YYpBp2(!`dH&n{ro%1cJs>dIbvogfMLS-(xsLj{ z#kzeRJ2tiEWjD!ra@Lz`o3(77xccV6`TByVc}LyEtR>r>Pgg9SGWm)Vm9;(37R`P8 z=JHjs$#KqX#}9F*>+btc_8Z5iwrsI-{xN6W#H@+K0s}h644$@X-F2^3{M&MNOZ~{@ z2iw#v-*#qB?TRK>vVqgTj<)`I=!W%9mZOx9`7ko4Pp#v+2ZHRYf z?z66z_7hn@jb8gY9Ck^Yn&nkRuRj0DtSwj2 z3peGrTt7KuSBv{|U%2D-muF3X?5XwZzxaAN{o%~jQ`)ZR-aL`%v@5%|Ns}JquNmKQ zecqhKcbxmBZT+s>4nH@8p7_;Qrx*W=iL(^#Zqsh!?K`?{x&GF1Pql7)Vz+bj@u{n) zwEdiEyCi1XZ9jE;O>*k) z`+fE5vu#$iZ=T3l?p`ku zcfDUfa(SmVHC=yA&3V7-x>c7Kecfc$@@A{gw)uP{)4OBS`YWX0JJi&qj#_-}`usVQ z3u@=qt@*}(_|aQOS1j6|&ARIPWR-tXQ1Scii$>nst>A&*Kb`xTYcON66wR&TI$T}X z{`+6XefdMj#8W@~{FM8y-@mQ>?$*(VQdS>s`SL@(E^D5+?X_9&)IafEhnzQ#pBy*r zjlSheWB>L3SAAGU*UvV-N$1>^uKdlM!~IO< z*oE`EeYvEl<#*5J7XRP+{5c=Dsp)#8+UBo(>LK2Lbir5kGk@MU;lbR0KV5RD-!4#- zR`5V`&-eQ}Y#Y!#aobA{`?x0y`Y-9S_p4nMO)ECnJKWEV`Dt~<3wcA2x;nI3KNO9& z=DA!S)4T4n+NSg05chm{+Y4(GV*gY51DM z_qX`-y9J-UeEG@L^}~AI_5SX5UrukfoJ!btZPDR%HQ?iKKl^%` zSl21*z18by-q&=(pGkKea8<;$p4)VRdz9@fKiKQKzxT+_=cm?n${KvfuV-hTZ8~Av zE1SODm-gV@%V%`^obJ&4wdQZU+W*gkFO6LPdXDGix4G?`?!L09DrMI9aTUkL58js8 zJaOBrU1oe5^I6AcT=}oJ{^-d3dgT)Fk-H9E@$lU%oI{<~{r(X>bDHGzTygHhS$%5G zU9qNiYKMIO`uby6uDy2IFqfZe`Dx2HUTt#Uoe=GKXZFoi@6et8@0j)3llT5m*KKpL?fW2?EnX@H%O5Yn>*5ABiT9MVWZaVCBd+pqZU#+?< zHFoQP<10pO*;-N&*Lq3+wKLk5WE^N$0T-rCP1lv*#oY91MZYssdp!2?3tPB?uCL8} zWnjhWDVMjYneo{B1fxa&+Bjvzool>LZC}-Q&Dzyd+N@~5wKK@A{cz!%pW6%2QQ~i;C`7Pf1qfJWrLkFH2cDbc!?k%3&XWPBn^hB#4`wV;| zt$cRu$+?r)K3Mfa`~LeAulRNAqr+HB(cH9MZJcB8&sn(o=Usizr{6aq=U4x#nEd8% zO(GrQf|roJYx^tY6r zo8N1G%Y(^v^_?b_&3$`e-XjN=AuO`2dk24-d1F9o@pP|c&T;d;*_pPvb4Kic;1u52 z)B5|}ZN<)y99TMRL$@t)|Mzv}3mrU`qPf|y)^1o9mPM#KC+nno!0!{jgLRrtIz3Cp!4Am+pb*vD42T-n!>3%ruov=>u;I!$Cc$1ou90& zTIK$C(*^GTTu1$tz%{$_|6}h-z@sRZh9IKrfr5$`*e)OmWH;H|ECdNjfCvdO;S?}C z+3DRKn4MW>W^<54z#9P-d_O9R$Mb?GDvF4RNEE>vR1iVAd>+Ulf(NLm{9pGRJ2N|b zC7UR|%=eyTXZonBuCA`GuC5Ype{p!v6%%GzC$-;lv>cr|(EyZuxL!J}$u3a;Mjw{>twcpLYOI^Osz(ycfT- zVZeD`Jy&_tu7&@aQ|>&TSeEk8_}vyqBe&=BHN)ngcfs;rb#tE?yrlDYxm`ZACsUWs zo}YbR*KdF5c^^Ah8ngbl-g5T%I^s$H_>T()c7FdX;pqH3Rt&1T4R`-d&2_sHZvO4* znk(|#k61Kp(RKY&um14sRm&<4K2Ui)vCEAK3&~Ble)Q1?CCk^{u`eMV0g%0^N8{mH z&%XBCu~o;W_NjiS7n(~GD^_wl9g`n<@B95d4&6I%`1n9$%sBp-L#s5>|3 zg10-q{Cmxmffq}S+;jPi)6V#*YC-pNpUi)__m7`l_vHIm?!4^g&;K*J$DO+#8=i=m z@{>pp#YY-Az_11OWZ+zx^Px0Pg z?kv0ZtX;jgynpBn$EtSsRvlTht6^Z(UFJs<9Yt52bJ1_zf49EzYSDI6)vFW!J+t>E z?%O(~Crtjmr01B%1@D(NE;z(7orZRp)c^IID)Pnuq@US)#lnBRvaemIPOsE2dUEHW z(!{CvT#E&B@^c-R%^!U4!=Glsp4esXudg@WIC$K;2Yhc$n2i_DWtabY?QMJ7_1OEvipG+?FWmFuxg*lt z)AoFv)My)g_aD1=uI~BF=>s-h^EhGwSN|`ax9%ypZ)Qhd&55l$PHaF6-q)O^?y{r9|N;&wqZ#s&fyXvEr-Sw>R7|GUxaoGo2kKH&`}a zQMoFy%c6vZ!0RbUuF9onybhYu8i5J*M#ssQg=g_^ta{ zyYl;AIBMm&BhudN-09A9g`>8;FHIela`1M%a#IOaosQHzGUxl*y%&G?$Abnv(MZ%xc5WL ze)+|Mw4_cQlizvu(c7-++-_ax@&8@YtEgn|uBYC9_L>DdsliLSn#!uzB@KJ;v+WIc zY`rOAA-QMA;YNSst%EOgJ<$8Ps}Fy?;kViaMF)TBch`IECpZ2+xcA2Qmu=KZ8j8xEI$^~9oGuN?ovF(P4Mjd=rmao?YA`Rtc* zk0a(P-#%!;pqZTpWOds6;hW3)R6T4?S-g1Y%O4cBzaqHyuc<{{Ea-&-I)++U$RdUH;)yUru|RLTz50{8R0LvpbAB zEqTRhUw*ZH?Hz}bZ|b^aZSKYIPQG>5rAVDady4scMhA3<_YD1b(bcm* zJ2YlVdSig+Kt6#X$cE-TVm%snona7^JvtPHV7mc`d+Z#_$e{#)_r|)f?3AerS z)VkYuJw5zv)A)~tzMC=!zy0HfT^y@dmQ22Q&A9pd7Hpn&<0b4F6V`v>8nyaLX%Dhx z!kBM&o%XxwjMaTM&vLl^3x6K^XvRampZM?GUSI5Ld@o_)CF#GMKifNR*K@ep2X{Vq z+Tn91eZBHd%bmOa^Y)6~XO39nO}_Nw@3&-h|L~)nkC$Dr{PCh4Up8)@Ii=Bj;=ZG= z-7>D~`}5aKod1+%f68I1*A=I|aYMx`6^E#=pGSMbf6we)Og-}9#Nynw7u59fEgdpq z&e|J_Dn>0?^+ZFQ$_bV?hyXC8ldZO*-?S<`pT?L7X@{L16~ zKEC$wAk&H!v+kcY;^*ldyU**1H>TSLkD>$nFmMO)c9b!(ow zY3*e>Hs8`tyMF!k!xvt=yU$g(XP{{|<-%2$&3ZcFUaI}>McD`M*!5h-bCd3@O5a_y zeRD&nE0&C2eO1*uto4*noN#E@t-S3>>E5!G6>t9epB0mKrc`bIxPIYJ7aq%8aaRJL zaPM_rZu<4<>C=Z*9#8J_K*GX|wcj0HKltkNe)Ip3;QD@lVz-Hv$CE#JY{k}H3rBEQ zv@1Dl(!0~F>x(a&bH^hyd%xk|@Y+XP|M#Px9zrK6Ugz7^NJu&;@_iUR^A9BU6 zpI%;H-D%F+&z-B1KR)AvTmet<+N4|T;(Y@PqM;!AXtG?pa9k{i0!Hr;f?Hdc9@Q#YudjVS<@5tb?{j9S4;uJH=D53d zbfnUje*KE=M4e-3_jmu;z2&C?pZcF!^5)@*kIzqZ%pSOY@VNa|)hBx_Uw!V^=cfHa z4qH8O&8zR-yg#wqT_tm8oOaRHM|W23T-R}Dcgc|SL-O^{OgioCPnYf-vVPEx>#aBM zet7tz!NV#(os>SH)A+Kd7WDi0n&0kuy)x;i_pUVGb7#WBw^y9~^Rk-0#lK#9gzWxq z?~9)sk^JlD$GA_IZD0G|SN_i~yk-Bw_ZlufG|%7n*O%AKaC#=xdJpX`ymWrT!nYrG zJf8n@#qeLem$iHH#Y zvg-<;KXLEI7niV0Yv-(V9;@B^wteAi9rsOLzw4&Yo}c_x$3(~MSI>KT=b3-@cTDa+ zr-!>&1)Ji3xXSk{`2qRP75-<&KlIf-^|#&M&@tzwJD>Q}UVn7A@YS8$j}Io(N*lY> zw$Gp3;h`rdeX(iP((Y%KrM%T=c7wCxflqEY()q5jZ+Edjm)MJ1RCWK3b?x8!^!cB1 zHdX&;%(~ydIDF-IwY`5Zf15w?tHJ}{rW|H_?Q8$kr>lQrcm8oj-|Lf}>-+3*=blcp zA6v2RzL}OzC%PRNz~7SpaNW-h`L}Sn=jL~N=d=$TvtJ#4)8r>QO*?7!jaoe73b(6* zE&9PN{M5~#BXpgT^7B_mzw$dy4qd$d!XxcAxi5USpb9b1rX|0D!xafxTUY<^h2tdA zYsR)~58r>$iLBv&Bp;e+-|+sPc}FkYyWD>7p4)%yf7z&U8(-^ezGq&-!naE<{x<1} zp8Jn|Kj4P;rAzr=|CpIlS-bF#Mqi!1wfy?-C$1lUarZwq z{CaD{1&8PZtMX4=(f`kyC-Y!y!#gKskA&*{jY`l@Ba4e@!YR()IYK4>Me8GYai%7@BC+b z2*+n!x@QnK;?RjJ)9&A2I${3g)bBPwxqCovHb3Wn%jr)Jz4(pSTveCmoH+SwUiHA5 zFB*D2|NZP&Grs%!zt^v>KX~H(Lt7fpf3xW!Q%ub!V>jV1H`@dVYcX6lPKQ`WS{F&Je7399;{RjK^y?6Ul zsVCYkANM#x`;R|2cFVijx6SD{)VZhY{C7&GE-$!h@UYc6pC|v?XK%{V+}GwjYTEhV zr85Qi{f{9mg!yq5CA@Alu;xEFoC|Kfe^hIQRHA2eS4OZHoD{jqb*d)Hi6xu@Iw zF8%hv+J46x=AYcZwd}T)A5Fin_pw2H zcQrES-*!*Jo>9B5P8pK$!erRCqvbG`cTXO}IpRqw0b`xKS=$B9P|FL=p$-u;73>b|-@X6FcJ{!t8~*54^V=sG&kwlmm1}<9efgLwPl|tE*Dn*7uY0{Fb9wbwSN1=0 zFyrg>`Gp?{cZ|&Fm^{Co{k_~_mGx(iANu>%w@kN-IQj|JCQ8-y|A*6lv;>3cR^ zm^*aQ;eFd5_~6jm#@F9GdC0%F@9?V!emLfp++(?2-ud_TtG_be|H*{IgHB(O(r(wA zohOuj{-E&0nu@(kCueTmwI=J>%om=0Y|_rRmiKsncZcMw4uAHl`vCvTn%AG*y=Oy@ z+lP-$a?Cz$>yAAQXK&xP^aC>U-OZn${>a(&cWoWfVZ)$jHZO9_nSO5x`_8K5PMZ=; zgL^LSUVF=$8N%`pkAJ?s!};&LF!a~PZtpC+liNJs^?N_x>GM_`f3U;UnR#!mD?ack zbH(uwK7IK5W7|7Cux#PK?(Or?ogWNeKwevUY+d6;U1u!*B>joT=dS!?NsqJcxcRA> zy~{c+{$tl|GaD|g=`iod`_7oMPRRaZ_rW9iHy!-Xg)_LC2}OBR`w0K4`zGP3MMuwl zEWKybpAU6xygK3ge?LED+m@_^n-1S_ zzw_%o^Tr&msGh#=#%+AgpWV*7=l=93yWf4^g^kyDOz!B~*yGcOQ}6h(=aCsb5`W6Q zpf1(?!I1VN9>3H6-Yxy_u0L(X@eW&@ckSy>cVs$@-TV8_FIF*g&-MSD)v&$q*%x`g z96I%ZLGvE7JpXC=1J6wFIPV0zdc&@Di^o2F(!O)cN%GL^w`X+im^|Np@Y{nA!Ty8J zI9C1Ufa=2=F77aPz@)oQ^lr>ddTsj4rBhz%S!4fg%~Pw>-`bmzUf1==HI8#XytIzq z?3}k|#xp~{zU*mJzpRZt<_=$RZDW_&j%&aF?@J4JZe8W9I(KEm{7die@MYuLJCA>H z_TH+eYNziRT%EMywuF=e-!EF!XH~m>!{?s6e)`M~OLBL6f7-mM?)9s)(_Z-F#HSBE zpSI%UQ1iTHA6?z6AZ_YVIC5#%>vK+nPQn zrwx4W_c7Bxdy#tQ{Mo;r>FATtCt=u!FW=Sf;SXjVoVnSte@urFEBST9lTG8z=lidp zFw*n9GxbEykxMV-kDmB(N5a5_fqQ*jmsZ^SdN?)EQt7C9TgUV5TWzlryJ{_G7Oj5()zPvN53 z2@8jJ@O+=Lsd(V8=WVR>9P&@t?4JACp>3z{Wp3NEcPD-L_}$y5AF=%36#ocF3SWJe zKJJt6mONDcT;J=azA<_QdFv(VWyf>h&v|pMb7t4Zb33`Nec*{jbo=AfsMY)p|M%{_ z<1TvfzR8cDpXivKar=gQ{l)JTfABEexTpQF4LvrWHhgLB3!j+=p0V@b;m++l-@oI_ zy`xsI_{h<9(>MQF;jd5L_1m|L<~cjBJF&4_?g{RfyGFfm{}%U)CHH@vwkvrt<4T|Q zfOjM9==|2cMW5f$*#6>931`h*x^>XWOTRedvB_UFF3zbi|9r(c!tu;qXPsf5cTM{d zkIzcB`oHEDJ~(CJ?;VyuxbcP&-f?p~9IUSQo|biO-OiUkIqJRD+hOQT+mUH+{by^! z#LAj;S6wtW%W=nma@&&=yr)k&edUfNyOwy5tsZdqUAt&-Vf78)ZR)n{jg>dOSNHVu zoqCy17PlYqczcW0|H0-7e>S*&XD>bY^8Zce|E#;}(EbU}kZ+AkpK-%8?f-ml@yYb@ z-!|kNa}<0vW6C$36X)Oh(&Jmxd(UFh2i-BP%Z|k#Ea>)J!lZqND@HaPdiRU}KJt>| zJgU?*-h9rpD<%zm@ueTvtnI$N&#{_bi~7u(vvUi3?nT#BZ|E`i_JLP-OrBr#$l9Hm z-8cW-YxW=KEWiEGv;7vFT$(WHoce|bfBN+4SFZWo*?D-u_4g$#e7o02yDKu*AIq-E z-oB&py^l8g7WO}K@sSz1&s=}^Ka@7BnkH*}x!(w^o;Oo0PCKt@v zyW)|AWx_8#j{Nxgv%CF>N-0Q{=vDQ@hNrgwE7xTiKKIj`{z#e9Y1q_;ZC~A!P~Cpt zO(*F`p8o!|?H#(zpZwU&-V54)*D&J8@rNIIb3rxn>X|v`y}hBwy{|rES~>Y}O3C80 zx{mn%l5an5|ABeJBQtw1xN^=7+a8*F|0h++v)6XW>5y~tJ2NgHdC{0zSI?}NZ{O2l zjep4_i?6Yf(@qxl{`#9SyBa=A9^LDv z3ziq8(M7A>i@xY|*{j>$-+hgD-q?P>?Rak0wR^9xwkDh$llk+SaaB{V?l(Vq%Wcbs zclD%Pcpb>z)8%@2I5JmwxvB*q?u5=H;fIKRf@5$IZphHWb>P z-+IjUWvb(n?fV-O9H%eZF@4Y&NBR-4>Hn6VxbV!X?1!Gc6rirDWubPs1Zba`%;W_wD$zF|YAV*RgA+JUTUN<&I~P4_#id>*&fJzdW;k-s!8_ z9k&n6+5X9ztYhsY=j6pNJ-#)w_q|`apQK*7Z31`N#-peADgFFI;i}Z`_nrRYn>`Nx zcyXtf+D}~i%oDG4``vZh1G5JB9=c{%R_AVY!zw$EF1YH7j>+fm=so9}+=ba)l0TUD z)F%@xUvc=J^OGOX|MKGHXKr8q<<#6GkFW2LGsE}snvHM$ ze*KD_8@FwH(f-ibEn_xZIQ^$S<~0TFM-<%H|A+r>c&EpTiSB*(?3|SS`DOKN`seG9 z=AQj|*ZS<`yO!j-9^5!%bA569&z5w2e&9;y4QCI3_-N)emVxt1AGl@uZ&U9%X&e5l zef_pCmUY;+_qA81?7!!(arBp0Ed0NZw;vx?@WP1pBMSaKe*2n?hd1xIAUQj8+5`Xn zaLUlLK0NSY<=q`N-;~?^*>;z|W!t&d zg0`oi;PLqr4z<6%op9`Ua>A1vdfayV$m#nBk7N5E0|h@k-wC|1zGGuv;!ktle)f{Q z8Ow?~lr}CHN(}B&cb++I|Ngr&s55@M~MGc?YECi?U;Q2`RC6+^U0aL<6im1$##XK4}q?me#~gs zu3c}TaJ)bg0!aCQ^CuUl&dzl zg3TsYxYlp}u3fu!?TQLZ3Z5O}xbd&P%+mJ6{OIm~NhwdfkP&z*%{r&XqmPL9KQpuR z_dheU+VcOj%0ogQWJt(3DahMR790uBuDWSy0)SJJ>)Ms*M1f?J7BLWvl^0l!a6_w` zW!*F+d=!r(pO}Cg-oOsBt*KU~C{AU8yiLCnp`I zRc4Z8|4PD^4s+6M{ZlJ5p)Ct$kq~B)>HS@#EsIFau%)FtVU9^jl41vGscET})HF+4 z=4hMEo|$F0h9z?U~O}?RUX~^7vnxyXo7RYR-6A>wp9K6&qz;ioByrx z=;A*}v8C+N4Ch%t=Y&c;FDVqYDw(qvda(d7XAPswfk;U{za5w}%t~N-FJ)NCmKt0u zM|?4bs3J!B0<~(qJnF@5R({u@!uU7Cl2C>?5d6yy(oZ2Q{s!Z(n*Ux%Qhsl|1VF_3 zpBkk9XQgGe&HvVT;x+#>g6BY5#F>*5Tq!Hu#L3W2oUE|ZKkd{(;%_njs`<}*37T%b z^*?z2XJod`|5kba()k~Hxs7h>WQ3jnwo?a*zs30D_-|rV-@tY(1&4@ko+yYg|82J5 z{NI_`ZSmh)Wit^zpYqdYvu0XTO=5I%pSVvK1BSa;P8Fv#84wI$E2luG zVBsK*qbRDQe2Y1iabR#Uc%}(}#8G7hLyF6j#JHLS1EAOEA$W?%nT~4&$naDpMN@*9 z_nBn?FAxk#a3pVWvR)re5sVXBO^|U@4739`EBI)WhxJ0cCK12NuE28c6cgn{SjZ(R zDS;up6t+kZJP*Zq*3PM#2|#(>s-G5Iz+$td*4S*>Rv+UwO@+19EJtGVsmg2;_+hdH zf=ye1_)QX3IO3#54s>Z!QciQYHRvTM+8#(}%nw#Uj3gg6)eI5esmeo=qnv|D$fM@G zXo@pd7pGLvd@u#sdlY$TF$zX6K_LGtr?yko*V&5xY7TFE!aWh?e;gu#hL`{8saZCi z{7*|wO>eXRw#w79Cm2Svl>`k6@I;pK;QI)U@InD{IA=#G4GA75;{+c-@DPG305mHl z=fd%L^_7#Q473#E25L)lvJ!q>%96p0_1z*UnCDQ(`F@T=>qa1zfIBR(cJWOabW^;* z)k=~12{$bD({wp>a!^1BnZ#DKK}YSNuEEq30BsX?;H{PaE+M=yP(szD9lr&@qAENB z){0-1T9PR|pC))7HCwLwjni~Uf?OQ}TtrZksHhAFU4iur$z)OfV$sYg!dW$c1;Wjz zAe?bic6^>EqbAj*SluaKa5E+V1i~%r1QrrjQUqh^Z{cz>OgJTCInMP`3y1)5N?Dq6 z){37Cpo{R+0uKA!Cy%ZsYWY5Za!L3J1Wtw3N6e7YCmBGRhjP^XK1Hq)Rw(5l4;i74 z*qlNI&6$IhVpB-g$*1^v$XVQeii9b+13smvkAoJUpQb6sZ4uw$mJkOhpxS}DE3v0h zK2e>aYo&BHh^YX95~HzKVim}b+mO?W$#KI8FXVlM6Iyk6@y3V= z1V5EeQRa@t$C4IBJ4iv8h{#!d992aK&?1j@ii~YfjIYAC=tVfbmC?Z?A#i?(1`Q`C zz=5@CYN{A^A3~(HaRi_k7t492oE(gtd9!CvP$U4s&oMk0l2<+)Pt20M;vzu8O26BU zbD=T7OEDA)D^;`zr-4YNEx2Por6+3M!ZMahg7;XIc1=L+!wzs_89dR-1x^lVkJdjt zGKw5isf==(Y#>0d4>2c5#4=A-)9@H_5KBiqmPu%$^~8V5Nek_|9#NZ7_9iwazt%K} z+ALxyL8Tk2#UT1DhIucAoR`AcX?eSn4b}qzTg^aD&YB{pSdb#ad(r;c$5IR)^)f$` z$B*G5XLs?#IM(k&-3K>r(uY=-#H744H;8H`!82Sz3geg$g;+`j>}^mA64<91+6O|_Xcw8U=$5R2Ju z@|;d2Et(H-;JuU*$3lorrLws59yKcF*dhD^>&5x&bydX)MX?NCvBeFw$)wuN8-nM@1Vp7O(4R=_P(s|} zxAITK(lk*8%ftqG(TXW8!F(;_^l&W0`o*-NlmNUe3GIMok^$>-CF4vn0<0i>KDt)< zB_>ivD=y7C3EDu@FtC*15$kWwN|Dl#TEy|OR1>t-BY5ea!^Y%W#^sH)j4T{mI1+&! z04^WHW(Q{0$F;$Th+nryL{XEX@}%L?-f ziVLk?vL`Q22#er>7LH{Fi_DQoqrxc-Eu5cGWo$q)L2EkF1FZ1$Uk5IhxdwS9LV+qJ z5mw0!v>>6v@+)zPvddr4r(!G@)M*IuH!;l~PMJwDyZ{LjF)`{1cfnLq9Lr#gG8mlw& z9)g495WmX>Io@ms=FHU8;vwb+^fgaX->52xRyQe|7x4K7F$bS&1;a_L{R|03dg8oZ zDL~0-6-32Q3!qc9Kc(;j(gk#DAzlad)XP`nA4EPV<*f;(V;(Ore3gCypmhKjtdKKZ zp)IFDtq3IPYfK6B(n{(G(iD#BNzgP~ZIPrgZxL8aCA82iK|(T+%AL2cf(LRI!9y@u zVw2(qP1O)i@UA1JHp!2k5orn=2K|BuGJ?FihGb8tn1B$^FrT}^Q%P8*F6G@K+L_`+ zlv0j*U8#u77bqT<@qo`gypqsz38=SV10hz=#MG%YjTCZT!0$aQFDS2ZA^b*Hz*`$Q zajWHV#!XxQG^;Hu$C_$QO-aiDUNTc$Nt7)2`1CE@^cFR!(ZSZ<5FC%y%wQBvJ+)0M z5ZEIC6l%gKA5c|YYm#&qPc3;h7a;M2w$~iqOiKlD@>z%k7$5{Gdvhhr3ek+Z+=PC_ zrHKL=fvd%a6pILymDJ2RlMHOR*p6sN_SROQw-sXJR^DR=^^$=Z^t>{ql44SLkNg5U zJuEO6usG$O;Gr0|)oeu5D3A>~)*2Y~Fzbjf>PJ!a2@;V=!^wJ;T|N(Z$nX>*xZ0GM zq=OF)LN&`x1q97v)1e9=z;YoV)PpYRa+*b1xBU7gEm!1gSxXdH0BfMrFC~7~Go17S z@0yigTHRB&^8iwwI242QMwTI^B(E%qlVW1(36S$r*l^+I2q(lQ#Hef)PL^>(pTMUe zVj;22r}$X$KPf%sRw6UZ{%;wLY{tM*rC5y;V^u-d8*2Uv^N!G7ulsaDp9VW~8T?v?mUDlgN^=l;s3z zD=+I&BUyqRLeK=`M4L8-1SN7gH3)o^#&?C7Qf1!4Kmie!V%+k(l%A+X3xWp$9I(2} z5ZWc^OQlSz1XBwLQoII%gg@G+ifOVzwTE(gfS0Hhb64VvIiv*ZXb+TdrFa0*U)air zl`PqOoD6t28PfvR5MCb*aY}Wm8k#}ki5y@VU@eo3*enOE*vA9yPXn;vv$4QYfS$B! zY9fB67%9^`%OFOLBX#ALv5sM>lmG~jnO1>SR4Nl20Sf}qivA7ar^tproUYWO+L#*{ z{G2rFCoNKTTn=rQU^PM0DLpyJ3moMXEK)NrmcyXSkjus{V+_hMq-8iCx_DM&0k%}D z_&>Cy8}7PF<&=j47%Lj|rISV=9yRvt35r~@xg}Y1EGgO{2C82TlFCa4a zqe~vCx0NCVAz*12-JD1R@*~NUPZN|^vTCb{Uph8lvDwR}dZoom=wdl2pUTMDpetEF zLpECq;6*J8As}(3Z2rJ#$kPgS?<1tV$T}$T84`j8@At5Atl9$^Y41l;XoII5vg!}K zC5dbTVl$}@2?c$GMh0Ny5oJb#f(HKp7q5nDZ8IqKp7;+aU3PUQ4F5;JT)EKLC!GBK;k0y z^!rFcfaL;52+&=tbG-xQ0wExTkXXjf4gxP4IC=G_U@J#-x&l(lIF`oe7rfLQ4~3MT zB2X4ygo=W^NeiZ3S=P%~dWjAR+iUC^=J?OL$7Fz6_4^Q&rgxCQdd1X$a)fL0W^4 zB}b}D_*gQ}NVUids6oLDGFEjot+;MrYo7Q88)0RDqHD~k8L@?6HZ4bUO2?&mp0zP) z8hp#M{Vsc<`vR` z@xiARj6<4+q)Fl`$#^G%29+006G%O9vK&$v#MUHxBIXj+@uGx)w2;fjShTg%C@nmo zvC1d<8};l7SVn>Zsfx+!vbb&3oDUm4J0>DL3w4Z~c zJsjjcEKS-$7S`$TFst6$OeO{5*ucqb8E7;E>V;@?$pct}SOFglo1}NfUJ|O?P@+Ur z*=URmFT*whI9m<@O*N1$qEL=3ZG5z%yG?r+P<77OTi=?WahEJGoguFcdh zgAY`e5{aAOzG16D6`B?4sgkP|5aAvzjs_YVzUdxo@{Yu!420sl zmTJw?_{*jSIe_VWPTSnTg51CiJ*46Qb+C_=ytgy*Dl=e5y>nC?U}~bs#634%(gP4A zbA!cP7(r(&>Wqb5C~+4;-~kXUfd4MA;lo3Uf$~AVky8gRx)}$Q2hj`F1375I!&Jyr zVU6yux&IOI{*P=&;!{dSjV>&=3N=EkeMGqbnH_xp$CjSjcK@eUp1ysh+dXKx@DT#m zf~!3gEgo%Qen9$dC6w;)&}=OvLEpY6llt74U{HNgONJz(yXlRH5CM?op2Ta_==-`43 z?tC;0+|tpEa!iTjzBv>`^2w$Mkr}OJ5?w_l29%B}A3dzBu)Lx)ue^NRsIr3GUWsTq za|$%>O7e2ESQKRfgu*B!S$JiomzcrAf+;-9_z1z1Yp%1Bgg~eqa}+PX1~aG!l>`s7 zGJwTGLMKbYBoiWnL>(k-G0P}E5u9JoXHM4ZB^Xk|T1E|(i*gjDJ)_0Kd4a_u2(`dM zp17X{fn zM7u^)MoT`>!A2WFGr_R)yv8R>lv!%I6n0Kx0nhpcUcNsnwV?5?2%50G-6Tt7#cRYY zpX{3zI!aqgD?XG)kf>x^$*6+DilS1TM8oFOD5tAdPEi8%@)J`hTX}&H{JfPQNe-=q z_?`5l!JHHXLg}co(K;ZS(mmQEV%Ed`$*u+sX64i>%8^f!*D%Tj62+UlI`)?2FDjk{ zKtqE{2APe8ki-b;$=ypLKd@LZDS9ci_-iJ#$WHhgn1-j+J`Q2|O1Wp?C2D~{Ooe~| zE?5n`6yp~lZ|sj!R4O?}DVLkAN*I}Ogy0nIej-ERNo)swH0y7bGfHNuj&k_>Xy!PaZ8|7T^(9dIDAbpkzz<#1LQfSHX2ze2DQb5)FeETR`effG|dh2 zOpBV4o65%l63MI_g}(c@VsXXT7eQ{yjtL^WugJ?NGR!9OIAlonl41iTlYrxJa=_iTW?*icl^*~^yo6YrrgKk(e zlwwF=ws4ask^OqrOCi3^Nmy|)jms-5DJmJJI0fLVxFi&yQ-CB$RAH|NK^ppC2pSra zl7UaUfUQKQpzxNJ7dV!2)3tzuNOKVVhy@l9RV*dn^x*=K@PJ|f0el=w`o;SeDszt2 z)Q@6ZtYX(AStoB*hYt$e!%p$A)fRzG!9Ky**T^FEVnMxFR3$az^VjVEW3c~Jcp&YA z9B&nTv4w&OZ~sZlwxwq4>_2H~skS!zPis7Nbt!#873H<#^HLW@LnQZey@)JM543~6 zDGd!KRLWFXiYYJk}iXbeprizwYv`kDfFMV72r`1YU=I+Mav zCa?m^2&vWyedGtFOvnOJQ4A>o@{e8^EqiYCgQ9{{SwzHEH0yr=R?XX(0rYVcBe;OM zH*e|9n{};;{l>y3q5nP=xkvPqGhm{o4{I+a3W=(AV&qXsip;eUET|zyJOGecMAzIL zCQ`T8RK5|Jr3?ywPBbYJJ|D;WI0`d^5>FBD`XpnHPc-I)7m`}LkJ64tH1N<{1-X3I z>qA^*9+YddW>`{_!9bfe+mdPq)_lT8;J}F#$nMGBi*1 zYO@smOjTZ1q(jwE6m6vr(yoIF>Xd#(at?>I7o=HjHo*IR*bpU748_k82j-A`)sYIW z9FHntAF%SR_=N-B$@*ZjsnRb1sqy}p7t*Y@R6w$jXZi?oXMhrt0ndVJh_6iH8z^2M zEruM$;+1k)FkjQGn{rxBc{I-^qvB2iHG>2;0nmPc#;h+3ahjN3E4$U>D_T6hAWAUO z$$DVSRH97^P^X*+8GN*AgVaey<>CSMOzF+rF^7h$tsh)Ga28efiX;r*iI%A%x2m4Q z>K>ZadQ>9UD8xj#*%R3B8>~bUO*PwReYgnqV8&EWLm)!~fTpOvk4P=5>u>}^=FvV6 zQR4RkTWXW2sfkk(4Q18Kc#Kq5RgI0zMioQR*$6&EN{1}iVziczU&GQja7G&==c;T^ zF>$U^FC^|^>|9~V5Dm{oMHBT<#Yi7jRRna*{DvzLWGrU^Ed6T%BMR;|*6MO!lH z;(M=Ap{%YD5nb6_?9-Hv0ae*GQ3-1k4sE$m%rin|MU81jDD@)Ca!t|D^Ch^&X!aPA z?if%Q@mXvjo}+Zv%@>Hs7?zGf@f)MoF+X<$$24N^g3nyexQ87gf;5|5W zcp%_Gc-tK=Bcjmc(TI|mhSb4mM9*m2_;-OIOyaRYSWGnmvWg9nH4dU>Xy;B8d~~FG zy^5QvIK{>f%OOjB!^g>M+Nhb%~iiL#Q zP+7*LGY+Q}nRX%SML|4N(;}hMDkPJ{K#cU#%cbZjA@$WO80=8mq?GQY2y2kaIxe+? z-K`>@AE@pNn*UNY3~NO3(8F*;Eu@Ks(ZW=OL?wfh!ALejH;krwAmw^po#?bx7w`#E zFI+6AJB(3Xr3|5a8e+!YirrWg>tKaHxXFId%sX?|8vxp_wJ zNL|IFb~la6@l#>l=EK{>&I1FgaX60bZYqL25m;Oxh4l%BIjy|D6sxk3LlR7mZcCzG zQnfMh!fppufxS-Ql{3tGX9;V1P~#tD6+n{)PQ(5WVX7r*>ghM0!QlianJ1aeL45@n zI@)#&w%uW|k+~+UAw+Hb4+IDd-Edf9g=!&~Vojr4cv)VFZ^2t-U5|{~}Pj>uE3+FYd zlnn0^`B%HKw>?dKVz~by+OfQZFVlq|S06(K?i( zA#WW4%r(~tLlt$DZbdyrG8N&rV zkfQ{&SZhkk`S?_YMeJpjD5{agQa!q|);!6g3+e&IkZ9MD7V4}e6dQ<}Q*Fz3X*Vt! z7kW*FwaK8DxKOJOov{)URrB~NC~5}O1D+wKLZ|2jl#5;~>V&~cA6R!I^LrS&smsMg zv!JP=?B(SKMN);Up>&fGgxOzv?Xd0nn>;bB|GEP$OVs*6g!SK+mZ6XTm6_R=|G#yf zI@P7{5DI{lEv#?o#a*4LOSga<9-k();PP#J?E24G$8jj1h$AG)_ppnNvI>Yzh8{9w#>v&Hx zKaEEJx4Ne{sFnwf%Y$xJFm?=S(QTdDqvTXx4Z^JhVMj_FA-p7AWhAB*uM& z;7JC(Dr*JEtK@iH9S*f9eg_Q=7{p$3_fU{N)Pu^b49Gb3zy?e7$O~FDEY}dzLTAyg zblQx8VmqQ07@vNIY33icD#alGC1(K(U*(L=0vJ*LXX@pDT6T7NoBVH$M|a95JA|mh z+8PRENia2C97`RY%92=@96=>Pbi|ae$f=V%YArLo4>|)mvs5-6eG_s}HlPXb3a5py zpp9gh6tb{3FN4^RE>}Z1;EbxPM5dU-Q%Qs-vP*yu&?9Dw=x@u(mR<-1=Y|4KoT(}* z=QxU;X+m>>T!5t!R5;SeKT+Q6pBUu7HkL^YD?r5apNveM{7=uwXw&~&<$oNVg)aVoDHvat8DWVuF=c?rSk8L2`mHpHTaRSKRe=U>UA zX|@_r3{EVn&PgQ+YL(Ouya)}I$`MfGloMr)>p(ph$9lEh>gXju26PMfdc+X%T9?GA zseQ&aX7Up?pQ)UGLa!Lj^Y#!8UvrmznYKRo~Au9$$!lKgwx6T86k#cAcFi)&CE*I z@BcD0+vI<%JaqOx8u9NL~8qON9-eF{sjXi2BfxvV=ajj^)!+(T!xkS$}7A@QlN za#rBe9RNfRy`1_vU_A*WgN{7(!L@Z3mT1AyWSb6D)+M2i3{Z%6G*Bu0YG7T&u_9!H zk0oT*o}e?97Bo%%Gtbpel_!?2Cfb(*q<7ppD=IPlQ6EPxd>pQ?&m&D!%>KpI$ zK+;b`PVEzd^fc9LQBsAfVGdTwa32PHnc%QoD!{Wss+b~47?xBNyg*U)TO*ewgSuK$ zMW^LTlE&qt7)nruBbDET?pmqS^lk-~hMb-gR4+q!uCCdX{sqW+DF!z%j3b<|6mk?x zmP04YkZM@M71IdAC>xAO7wGhJlu(;5hA+@3rAJa#Qy?IPT>LPO_4_nH>06V^!~%|y z{ZI{!`n$5aDA}eW?fa9$86hJ=sWx>4$E?yDJ=Ebjf)GKRoUf#FRG*`Z3k3E#cY3@m zX+f)p>i8Z{{m{}pWO#O+WC|CMOUf7?5LX7n$U&a`&3@r#Yh_3 zi593-4;X2N+0wKv1dR-Olx+M!^;kekCB>xh9^G4uQ}?1?=NjRiN>ZE@uF7aAy@+2* zMSu1b-PmAg(4c|r)YPUn;G!5Zn!3Q^MO5+$9*_zwUZO_)+XgHQD*%g__{_>Pgpc>I zf?4yLW_h8Xi}f?48PtPGItT!$AviY=oF2BC0hY3GQ=IcNdAyVp!ybz$0O5oS<`%hS zjfe?m&2SK@8WbxQBLebzRuSi%!B{BtwnsA}y2`x2GHg}pdl>2H3?m_8QXxTP!O;XU z@pl#qv95DXWXC9(&k#h&R2ehkkfPBgdBsH)1%*S#4AU_czWpeTBF7M1t>k$I%r1iF zp*}bs2`l~XP<~)?e{$yPYe!a$9W`=HabZP4QJHbS<|w9tIZ`L3qsm5Cl#D4JQW&O} z2p)pkPQpa|3OPX)z=jp%jm`^6=HMHy1%yBpP+Tag8jf`^9V*HSOGg&v=Z!8JRZ>wr zs-Q3gDHNMUlueB(4@K1|oH&dlIff&(pNDcXt)Ubhk;OEi%8Ak|h8B$sg?^|&j*?4R zN(9%HU^X#|xfT_aMgR`gIGW0j2-^r)TLxXhUnAK7)HwtUygkt~71r7#IqfuwC-X;+ zDIZ-}R*_d)T2Yc$9AZ#H*klNw^0#&m9HO)0JlxmtQRSn<2)S66xX_(M6gi=MtR#Wc zGLs?B6QG$)e+n>q^vtdEPgWxwXiu-Y%j#BXY;Nixm=kEK3Mw&!jkOI;5iO*!CSYa? z0B5kv0U>ufz-YIl0yN5a#rg&jWT!w7VFl+W0nBtC+8iX6EWZ9#oAyx-}BJU`mQLEgjCWSEBZMfFX&2#WS|Fq)?H zMPuJgXd{9f&u(p*)|=iIV1dSS-ca>33~g>zZ?>{xWl0@%n#Gg4wwlV6x@MZemAaOi z#g@9Zn!uN#Z5mBeOd_qc8iPnA#UvU9G|axua8~_|j5RU>VbF?8RICW;gd&fmF056U z0W}y*R7VClh5`Ls1O$x`3N#ARHI-sbV14nJ3DyW4F;+FJjcOSlPzBcvZ7?%{Nt7fi zArid+iB5QkQb8-E0vmuPY!VE}dI~XLc=`qLol~x-C1CjdRZv>E=FzXE#8ylqt4V|i znd>b|f~YSqL|CFiEKktu6KV@6&JOCL=`iHf=Jkam$pW<)$O(z9-$xPxEEhOJfbLq6 zv_Szyw1rghM6}5h%Ak1p&m69zvb*G1nx+`{7+k~-7(Y#$fPoK06gq+^!t!Z?@{X20 z4`nZ4y%!D$9;P7w5p_pFo>AhXaUxMuHbQhmxu6*1P>zdbn4uu(99r{2?T-QgftAr> zmedP!ZMr25Vu31J;6x8!BfFOY+Xl{XG&`Vae#q+;Qz=nJXg!OXZs;=-ACs zFtaX~IVlna%O{lN4=)>4GHOhDMgFMb;-b-ExI9##grL5oT&>YEt${!q&&aEnx_id& zEe}AT1Z-&L)tQ#OrVuR*G0TXSmkVvz30mwrLDT)_gXmH)BqZC!;uhb8B^LXI6f#wY z#SD5Dd^E0U28lRpvbjq971W;DDeh0qpjT3CerKTVs)qEX?W%@~McS@vv|ZI`yQ3S#2uxb)3@lXphG${XorIxMz2rR%u;*f5b&7)|Fc&d^LK_}&^1q4u^884B`7=T(%C8dH{E zSTUxoD5R~y$5D*n0%m15WbaL;^yaVTdD_d8Fqfowggu5Ngzt;AM@mXk5i_oqEj2Es zdFADQsbNbG%s<4gWym+-Y@3Eas(0HhXKe8Zf^V4q79jvWahcG+HHiE#K9ROXvc!qw zj@`J)rf!mqTWiK%$+*F0ZJCUl{Ofo0t;|F5++v4lv$m1G8i^>U=3i18INF7L!^8EMl~W|{5QCFU}PdQ{8mHp0>!xTb$cTs>kMd0 zU14nCn!Y{wc2!h;UBAeQ_8RZis!a7+OJBISQiO$)yNpPJov|Gzb!aOrxRoX}l;Q~Z>@%P-3_@gjRZ z?MI7qQK<>7TGHQkP{K0Mq}kPlbb9i|=Hny~oEr+_rccwB_BMMgB#nwje>Fq4J+1o0 zDE~P~kg)}Si9-HoWoGN-e_C2*Tl|++d7`_&(K4$9Vy07hg$Pp9r3>TnjMEYnMn&!; z5I@CW11J}wS%Mrw&;;W|%a!J8gQgwxNL4|zw29GHHUvV~z5HpcVOzAzs17!vvIx`w|QcvMaXKE+RJhAG7GkPo(_+=~;UH-Z=|1ZahxmT8wJxZ3>pk_Rs)D zWxFW0r`kOl5M5WeiHm95S{l5TN0c_$ zv9iT7fENgcBsh|{I9accrjSl&HJN($1fxd|C@33XGC3R$C(H0G4NbiOTB!iV@B%^8 zsBR?7R8;g3Jg9__0RrR&(a*k`<)(@-lng5>84rpWL?S*J zI3XukBn*;)i}piCAaTE?9P5RG2l_F02&@lvkLfXFL}{5810TndR*FqY5_zMPgZL%@ zPYIAWnJgecc3`vG()yV!A|h#4o2?&UIq_GzHPuoH1tJ}NFC7bf99u=9jWOf^@Ao0q z8R3jz@G~Uj=vp*H6yxFuUf}#r!Oua7zc2^N1Bl6G8qF%4iC&7N!X!aIB~=zH^}yk+ zwMZ`<_HZn25d-xFiicwQ(Wpo9vZ*w_ylUEG0(+pEOfnlv_{y;}HJ)o|&>@&uN^pc1 zA}*Mm*wd%{NCG^>GYrraFYvgTz*iu62tnphxm8F4($9%R#R!Vsm`sB}-@ciU$Jy3LZ#t%8*xyn>mxIKF}|S=BWn-Q1r_}OwfuC>R5!mNwrP&z!J*? zVk{rGr+FP?L>^;A$PA2|ElI2L*Vk14XD7;G}BJ8L~)Y0vrrQhlDFq zZ55(n?`t^%{i!BK;AR+G1v!o)ArBk|m6QJdh>nr2_ZTB8U;YV!s8acFi>T~~C;DqT zwEbbb5bFYRA;}FCX(xUjV$DZI3)x4Q*APS3K{SMD;SrVHo{dM8AiWf$;1Xh7l_r`u zt}TM7WI`-uIYHmD22re=snL^dkLW{O7*^eJ3m~dGcGnMSJtzx&#FNx`MAawvzIcpj z{1DaWBQS1Lzq}|5i!@V_@Ig8g+Bp&&N5pN#sRxdUlN}(DWFe0|j0uty?^y$%AMGSX zsFA1;HA6@OA4~E{L5Qk7KtmHwK~yRZoT$9G`Km=bIA>t*fh1Mjo;ZxCc(t61q$_X$vBv;&$9hv9Y78LDa|cl)y$n)c{evlD7C$4;;a_(W1s!g{VNdqp4;VpoMIj$R&_P60$I7Z4+!i+fwZdsshBf=UQ@*tAV!Bt&u4 z^`^;Pj3^Q&qok!iVl(xiT)fg)(S7RZ_cFmT!koVJRVS-^`8Bvw<1NjMYdvuA0tW@Brzz|k7E!~M zHF`wjyu8)}M;={G)P`OBVnsA$@FEAO2RMjPQ32NDk*uV&h_}>J4;-mY6-5%Fy8F}N zTdN1di7L@(F0aryKmsK3-VC@X8e#)JBuH#n^q`Bj#AZX z2KX_68ec^Hm_Nhz7i3{*oks$+A|iywwe^Vl^v1B@{z98lTJ(_-jR>J}Z9SscD_oAk zZ`4*jDDitMA&2H4F3c+lTjPe4F{r>{Yo;&?oAw~s3Rn&Wpelw>;3xrjSrS@79!;~= zkdzdCJ8-a!BN=t!Wd&G4_UT9q2@w6JStmg|@L`yPb-9cw9O_Gx5H(J)pjk%) zBdQD~K19Vjx(A75H5t^6gA!JNc94(#mC-iGjT7vmRf=H3ah5ec%S)KF4Mv)g0bU&Oz|NFl=#>9??MdxiFfM3Q;lm4ZvY&0KvKaUhJ*XQi#THMAiA~LNuvC6s_}k z;lNuqj$n8~a#>>IZqtq{qMCqNp-$7v{ER?(ArK3zyoQ>EM`TdriKseqS;!HU3x&Zr zk?{G%G6D;{1jPWBGxlnW{=_sMhz5nH3oCW8*+F!~^tmS~@$i}mLG++vL_s3SVl%xH zYmYz`kS{5$3`K|<2iprdqJcnWieH@CRZSDm4~I_!iK31>%E-e(M_{bh8&Ez;bZ8WX zE5!qd{vs5+hHO5zh8lQD1vH4N7m7TFh{`QQz&Ki9!;EP24uaJY(jv7~4+CA*NApxc z2y_M_sikBrp_-@|gzmVmp@~@P5!FT&2q|@S!3QXpjGs7FDIPe~kp<$iw#0WtL&YJ` z9qs3lBnNp(#1b3?gk-d?_CN;kRZfJf8r66qI&pF{YGXv59!UCW$QfI5_5I1_PQ;#5 zb9kUs2Z^lUkkEmie3%yOlNxcMCJm?lN!MFjUrI!~&D`1qh z^@vK@$-=6D{z{VKa6FD$d9F&RD(JTW&h@}yHaA&>2O}EE4Z9vs#d690I$v?WR;{KI z)^UE~%(|+G$)T)(2+=%T44`tYgQn967_N_>E{JH85BO#MZGEU0I}#9d)sLUMsZ`qEdW&q?wmXQGdb-qY}igVjMAy zsEuV8AQGk6KJif+;)f{Va-j`wgliJ@AWtgS%E-nKQGul)7iseX>cMEG zT&togUGQmYZS{you}MSy6%#mKfjVTIz+wk?ffZfn1VVr=Kh48}$D0Lh!M13ro7kTR)#fbV?l8-;{#ud?#kq0&Wh_(!lQpfQ^G$^-g2o*4oBq=Fq zjieZO#Z<5@i*r3_jx-8^Xn3(3glTK>ZnH7P{%BDu46$hpxaBxm8REdZBBIeL46$nr z@j^Ckh(@O{G(}^G52|s{7^D%6N@0jmW8mY5aok2UI)x#6jUkRWN*%`u(dZP0CTR?D z;oW#58im3TtHuyNxf?e`qf;1~p)oWQ=eVt-Q7Q~g(iq~zyUoT_fSi|N@O&G_5l&dD zPOEEleL&2QE8&DQ!(&|Kb|7%0X2koYaeLxm2UPN$Mbk<>$S)m}QVhK;SF2=5Q?jC^ z(3F>I89$tQAa-g8jAi=*<4Nn!cwZ-!^?WMc0CoszCi(CtPEx?)5Cpw7e9<+{UIDv>H+?!zHr#`cMZjk9k$ferrz=~L{xQ+(x^ZE#md&fGd_soqu@NJ z6Ri^w&JIlp4 z7;%AzLQ-7r8wNU2_Y$gx(ajev$}RK6LF#Jr;72$Nt_S0AWQkhV4`^yC1O(93N9#-_ z1ah9GI6iTZMhq0HS#GL$qdPLD67QC%Yc&UhXhDrba19Nj*!!ZeMt~ec7_dq`C}5dB z0$w^P4gx1lp&cmJeX)RYvJ4{zK8^2s8ix_p@-D?t0!7dTkS1yk)T4TUzko{UVmYYr zE%0H+rFbCL7vjsexa0KHX4DQw)E7$xVF?&4{Y&8 zRG_?&^$Vdetq0>gkWnFq%JYErx3q3l4>FrmI~Y+HLD7B=j`nbn_pr2HD%FExilMxI zFPe-<*TBB2Ql-F|sZS+>Q9+7?93*i$NCLtoKn{3_D!e@TolXczNQQS%sRvo{MHKhT z^RXc+Rf>$MRM6$8wb)7&2#ct#xrlO*AgO3q(t1#>Ur4p}TWTeZgVfa_8eZ(`q^?r8 zHNih=z5Q)0nUcoyVNiQh=3xY}}U9df=#2O&2T0rtnUV@IgB;BUQqjtote^ z>@)YbPy)+^kWON-AHhRm1HGh}39Nh} zxm?qR==-TkBIAP`f!;R_(Kw4E8Bs!EQuR@rhI!>K4V^S@JUbBnxUM|4aLMl(W$^HVgkIWR^xLX`7UIl6f;qG6((pUTnA z19CTt^Y75--fD%nWe|;@ZWP6_aJb{(7DY7<$H6k9Q60pb$_FsUh=wo-p30U$V?;w3 z1W#p4pfRE$41%Y!CD0hr5C*}2f+aAjgP2qK044;Y#$xv`l)7=7qfwp1{1c>ZROc}N z1gRUPB@Ab1F++?1Ej$R7EAw>Ome;E5%`jOclkk;(eDYf}_Mtzepa7k{L^7 zobiX3GG@y@%}oeC76&_^-$xPxEEhOJfbPf_n#SPbfS1a*{7zKv*ik3cV&i-ni<3o* zfS9AgzTRY#x0jG`dIAZSRq5Lu77GsrFcsG3;vtxrto%9Ip+wik25oh2Z-*5OWjO$A z2(OQZ$+2YtpJW0+>^3-lb*{Malmk;I2M2!6_10RHpw6f%5H77aQOQ;X@?PVMJGyY4 zsvz95d#4f>8=?6Lx)yK{agh?G7hy?hKmZgY9z~OWF-)^cCL$q+gd4--#jck1bE-7%K(WF&Jp|*{ zyGv7Ipc@=pTOi!n0FA`}Dd!3!DVGa!s3p2$*DnHFYj;N$)N9&w90a<~a)D)Iexu3I!9!+v_7ZiVrMY9CZ6>f|EfI`?c!k0L2HT8&XdU zmO&$BG05X%N0SQ;s>uQjk^NUKMaSo9dtREg=vUO_~Y+*bA8BjL9?XWhFD;sQp_`DmZYGhGes)q2PSv{ zA~I)~Rhnm;wT{y~pc3g}bR~?YE?GSVMYC90JC0kDyIFN@o)v1YTs4(#SG%2j2jhj4F7kbvKTn{xgrF;hLwI` zs@gMMoS0gX8P@@sNRnI35Dc*Ayjiqj;wICDGO0?OcKmS$;S_kqPeB0XZuebHvI!2|D z>#!X1jxTO`_^kH1KQf z(Jp`Zc_Y?IRW!-BGDk;x&UBwIVRIlXMobkb6SPgxe?&F}Mb^hGx1=13zv~-yjTXvc z${&xAm+ayuOcj~?I1wIx^{>S=;zlJ&ReFlFFuJWj+t>^Hqmr+ z7Ywa!w+vrti{x@RuNko{Kh0s)0$#Q_g(J%-({FW_5XKvRmYH5D`)Q1xfGD2N<5`j9 zp_qUy>7-fqb&^-tC_1)$S&M{$`q=?gM~iINm0H{v`M0%h;tJ)~8@cH>ptCxuyq0l- zCh0guF_`VvZUf*^C{D||;D3-JWOALUhQkgoI%VOYl!uI95v~1Bg0;+-b{Q1JluAJF&a^+8`uemL(V#H%=s zLB0w*RucM9-U9iLhrN>cc7&la9n7n6qRJIh*Tk4&Q@_e1bY>EnWJ*RXbs*qzDq=Pb z<5JIMoFJuc(i#4n%QTv9*aD2wSdy?M-}J2(R zS@d|Qrs{e0LXMuQ7o%r;(Qt46OhzwupAKg)9uHoGPY2dyI>@xn=Vp+^Q;+J+vUjvM zdLA6@?LFPGnv!GEq|s6P`Dg}s3uRd?W=U-rD2sxllB7nQjJ!i^3Ifx z`AeB3msA#z6)o4*xaJoJ1kQ4omg%*0wy$og@^Gqh8CJ1f#pBCge(c665U2UEJBB}u zCa?C7-SLlIZ(cukfBTI+T0g)cRK*7)xi9ie!pY+pHP*!=>i!9EiX^-D&m6p?JU0rrT$S_e_CknBORsistEK?P+NwKI|j=5hsAaSSDLNK9}y;;8Up6 z3DAU4>!3M|bKq|CRU0>E!(Uhm*5?@6qAg!;Ae_my@$M=gp@-Opf*s z&k*OQZ}uk_lTb|9l9s8Jj8oXw?Vtlp90N16Ht=nW8uF@aU34_+qyZchfC=8YOx0W- zi(SRAE?JSfBAawCWG&r;>{k?b!Sy&*wu%i|yQ+5)k^PV_7=3M}jjK>h#7DIeQG?9A+mMZY(oQ&d1m)OUcElm=obNJiJ(Jcy`y?EO!#*3> z*4mhON{&VsGT{m1ZS>ougjdSowWe%9w&zBwZtTZp4k4l|mkSF4o%8HVYWFPLi}m^1 zDd@m2uPe}?7>ZZYP`plmTL&OH0e_g19Or$_-NUzWE|$_dV}JopJr5Ed5p8i>mS=H5 zocp0LyLuw!%lkA(PxUZ-+TNzBVeH4*%K=PtuwLM7+rMeM)r`NZf3YRptk)Co){9I= zs?#~l9~hA;I3HxTLE()(2;@iN+KtY*&2e%ZN)E4NDhlciog^5XMVbz0zX3;r6|00> z#VJJ(WHOEPD%p6apc^X`XKJNT8{GyM$M-SkxN0hRY%%vw5f_E%tEqSqBh90t&yrj- zm1b#!{p@7DC_gKu$LTyNevYQR4qL-BKUjYM|Bu|!@Q=zzZScPQaCUHdbohF5ad`5! z{LY3DlKkci>!z5RJkG7pYMscLTB0Y)h|5+OE=fkcY#-^e8}@jlNAu8YWW zNF@w0)ga;_0X_o`*6I8mFv`SagcOO^AB(k%*VNOWK>h*U8x2-*Zo~ph;y#q?wb|)A zj`;9;!~*umIE}=^eWzINaG(uomC|4*SXcKwefxc!Mi_PX=Kc2}h0RzJc=P^yL1&8% zESD6W=X6vJ6)uB#NA^N#Sv~VKf8m`IMW$%L@u@fJkiAIOo=JTdh_^aB9xWPXSA-c z$;biNqKpFh56E~iSQkk$7(Ls4KBAo`*D<5>%2_(RtASi0YjGpXz)R3~U>yh7qbnqs zB2^`g$#whyEd-fDw`w1HDH4jeOxxChqBc=DS;?QYLzkEqtF;ZbM8Shj$aF!$Qeuy& z@sJ~)_%k|#9zEiaNo#rX4yDn^4@>l43?Drz0~s-F(#3y9PV7c{1^oz4Z;t=88>ci_ zCUN@FjKv4LA~!cTzL`pAi-DZ#A|Isc#tcT!UpyIyE5oeQRPoklp25y!JO%lpM?nr)j3zFKEr5oENQ2KPT#~tFy0C28^Tryb zD0Wq4na)^3tD;(`%HluK3*#~WA5?-i%$h{)6~}i5vCerhC4VG`)*!G}=$&rF4Qw|U z?sE)2(EAF-E>p1J%6N9A-i6FRtLp*v**RArq;r7vT&ZX(XCFm*IlRiu|MOzQJDtO~ z-<=5Y^5x&eqem36S=%Q@<;7Y&dem_Z-^1xIxh^!v&cvzk4y8w+;DBOd!q6MRMUvEp zusH%@rFA_R5TloXTSh8Jw{s}okl;a4+_kT3frIz|a^HC-JP^q=&hlG?5Ldr??S<(1 zs%G_6{lm9! zg7=4$;PlP@yW`Wz(b0|vv(*kOkpUH@jKdYYES(6BR%>*!lkSU^zNX_XQ|N#|O)>Q` z!7A|+I(jdBr8P-Vku5C_+pHL6SqNik4rgPR@M<&+pM}F9d-~kk;_NE`(6q%SC3+Fh zsGC$rD*TD`NNJYbLrY!<0qzVUl_;i$5$MVyf|Ci@UD}7o&Rx3B^jc-frslS|@>mkZ zPli}4gF{AKq?0cvmH^_-^U-z89vQ32#H*ExVwtN1wBy6$)04A{$=i#uaIvDeS!}SV z)An4y78^MzQ7idT2~+~%TNeW5twaNR&Xpui@}%0Ka>Ezopb58Hl!OcoNP||vohCB< z=a+1D!3Yk zqwpMzX(HbQ5F}cs!_Fal7eGk>F@ppSHtTt8hwmwz7fC`FLM&CX29$8lDPmkt6&{AR z)d`2_5fA8zS0KIPVMao5rxS=PggW0`q1u89OQt9%5cGz|^}DF&*RI$Lp`XeOOt6PdS+^^S(3jy_j8N&EdVjkx^?WBYaNM)R#EZr zf_;_~6j%O~V545`Z1cRSpVdqRaV}sv@%*ympMdI_=*0rX3;$4uvm6CoM{n*#aR)vr z!Eg{k^Q%4^Yh*5Nl%>B}b%w5!I+4_2=T1ei6h1ME;9Y5)-Je`cUQN#V&ELczU#$nA zp%m-TA$fu>=d4I;xy#-jq2%AyI_LZt>4=cMMkP&}>MZEc+qyN_K}W?%DH9UL%kf-9 z9Wq`i4z3}k)5(vBU=#n7QW|lc0Ad&ONYlh6D)m}V!s1L;J6osWVsteyf(F82DYj$x zKiaX|l!sBWKrbW8J(^YMnM}Mj?{jo}iMnzrd=dF!CEb(+N5>F$%HRwukXQs%uqc`7 zlxUqT)k>BQM&w-9gHf@7&*RMGJ`Y9i>B;1X%J2?Ux^S+SJrQMkT|!d9@&EPP@lL#d z%fhHkygNTQYqr3UDv{|#l?`lk7Nh^ctHX=8ljB45T{;SWQ0Zoo0hWQot+V(#PSiqS z?TL060e!cDv*jy&!%~#@El}DwUw^*D52!|SiJEe-l+J`(8h$7*e!{M<0?{KvH_?yw=r;ndL-Wv^fhu;i$hr7Gaz7fMOKi%d}0iyXg!{0qt zeRBUxeqQVKM%YCDtYH+BX*AGTOPZ{$(2!I55vihLCD-BCo%z4%=brnY(=R`d4cxW= zpFJ7Y_W$U~@bTCE|7ZN%Gw1jBCi>2*Y^FWk7o=m=$l#6BpC}8g#%RdFA*0A;?W%vt zoZVv-z|*;Q8E9L*EQ0pe=Y{+BDifw8tGk);J@^0iywrQ}guC|tli_Y{|L;8+4!`dI zKjY`W+BYbBj;aZ!IxF)_i3iw}WYF`mVg(5mjbxC56J;b>y$~GNu-{0z0NB zXZ9uz$~2J+bz0sN(CPI!qifs|p29O0zx>we2~q80ELI!)`&+qEWecy%F+LR{@EU)w zHuTng#nCFS6KM=|d+z;>p+;L{t*zO)*AtnVkHse!Q-V2TS1{$wP0d{-f=?|+9E)Z* z9U*eL7>m&;+^dvUdj6y%M6c)WS&$`iIAaH2b1nu7R1YS}jog?ABA%BOqC{-OgGA=a zR9+g z(MTs{wFFn*Dit!z~}TY>QsQ`G+gx_?RccTc2d~w)8wy%W$OvmJz%4bV_a0jdT;>_ktvK!ulRhC2W*^xej-F!a7 z`QurRn{k8f+{Ji^XH+O0CP~ROoHEoAqLxI&#O5eg3@N1nojxv;oE$z;k*JJI$#vmu z{@4v0C+w#rdzLs_6-gei6BW2|=m_qW1H&YVHJs|GIkVrrFcvWZ-vfl>w_vNjXL*m0 z#b`Jjbt<^TCndz>cArp5=id)-`J6ra0auG2boc=eRe_p#IuZ+D6q6cLmzwP&5NwbD zcZnfB9EKGeu8q#g-sI4A1%m6J(uTt7WkA9yEn}tZX%ndh;tv{K!ml87u%C^e+CPD! z>jhxl3B0ZRtI%m*==r?Qp`4d;y-qgnFS3lG&sWc6(jsVVixzwlJ{@F5n#U_;OZVK! zghB@2yn7w|FgXg24&EOe0oYrr$l_?<*^q&wALbBx$PpM2jHcPKxgY>4}n zo@IhKxi}bu+)<{5{jG}Lju6|c%wivBUZ^eK)GGkJ_8F`{hS|-Fgrl|Ql!9q_Ks8zy zn0}0hf!7Q20mLLPPBxWWL zvLf}WkN`(O+An?DHGmyS|8?LZ$8F|VjkkfyMq-a^z;OhP?ISv%#`X=oI!3NgiGhZ9 zWUa1Or-qTX<>z*Ku)G$?@8U%HBJ1mVbnPF3SK@7GF0;ejicwqqq=8Wzg8c^o2{1I0 zBgdjm^#v$M`nI<;u!<7r(NxH6Vg4Zad>kF(Xp;<6Mk>-P+gPzOq%B)i%WTavnHo8> z!N-3ZxIf4Quv%Z%iig3U44)F)OaI$CQD#tP z1T?UCSG2srJJV}NAs&Nu>{W^xH_+$2UJX1>j6L|KMK0hRz=oGLT*_V!Q2Xi*lssz3 z1p9KU2>C1%J9^6k>nsa$9ZXd~&az;h=@mMmOn}a^AYaN9IW{}Xyp8~(Iw}vmdb3SJ zq-q$l$d@Y3?diIeJW&Qt=`Kt!l%Z4Vienqe&cRc)R(BGg7awsO;feL)?^9W&67g$* z=0OUHlL`HoXNAe}`BIzQJ;p}(q}E`yaq&~DjltNj(Tm-1^z?Z+42Of=Ct?-tdG~?1 zGOV|4Z<3%cnzr686i;!%jVX3|qP-OM_zr-!Z5Yv7jF@_3?#?++J{17_0p&VFRoW}_ zJ5>}8ntT4L`>eXFpj%tE$ z=jxKAN=20Rt+G{&W{X88X9^97_p(&XbUIV(+zbGEV9RE(*7Sdap6xZ(X`ttzj2og! z@5LJ!@6^9Pa4a4V>&)0{$kk2CPsgN3ooWO8!f&2$)}R~H^;@i49iF0AJ+ps}#ao>! zbkk({7)vj8s{RI45_P0bb(XUtZ{?^XEu&X5k?D+cSl-%pJ_zQXrgw)-{@4U%RWbW) z(1RWWfCm6BZSEGrF++dK0X8z-__ch?np=jG5m$H@rA;4;7}on-=+?)Ynsfh(3|E~2 zNxH1{8J@8TTW2D~@|d8Xmaw2_taJp_QR`!qs-|;}woZXizaVyP&nROAQwE?!bK-$@ zcxsUiz={%DDmFl`?l$vb;CkRG<}K#FS)z+5;Gn4t)FpKzlVs4#l*zMrmIvI;TxSTn zh1{CD+GlW%ke*@I6M1R^F&c*SKRD7`wXSBtMfNiaay0gO;&5)wE&Ym9lI#%w;XnEt zw`cQsH|Vx~((T&hS!YCxHXt+3D3r{^8gp={FE}pA*z?efo!SBF<6+VwN%|tyjiJye zE@GU8fYyC6TWW3U_cgdtRTc{IaIxM6I>$1RScFk#K={#vDDo(XpVOVymKv$N7C5DM#`&Jm{2Nct&#OZs=f3!9{%at5trkE03-7bPrbMAM8 zF0fGC^~X9=?D7c2nUc{DS)8kr6t}&J|Eb2}`J1?f;{thBuhFd4xD@AHM&%rDT8OZG z4QCE}ubNhl`^gF*C1pB6?}b;eWzZv_0=}#>R;E)0bL@`w%B7mtZ|P0om=a7Y(Iy=- zQLx|uXZ9^ws#xlfl2t)wlE%afT+mNEb}F*VfVx2k1)SW29#(ASl*}*Nvz=KW( z9tZZxmmMd^(sMY9hreK|av5-ukdCP22J@+J!Qnr>kH_M}KRSY!z_xBk4Qm}8`7PEu znzV@)<*lDB1oGZpc8GSRv5dnyZ7`s z#wW9N0e=oxold0)E^igSi_>~h;jpe2<8_0%v$p2!El+*^Vx=RhiHm;EknVeDNfJNl zQ=US#v@RDwquwgjbxZf6tuRdod3mRHR&n^mMkFZmQM6I7Cv?hCfT-B7*7->i>~5X= z6?gbnmvqDG33c@YU;d zZ~DE2hWmQ-?LdJWB%nbCJ?~?DveU7R@e26Xup$cV-dBm-_+|+q)>Tu*2%hEfO6ekZ z5BEAk)GyED~lRd1Ugi&3Xjy^;Rj;OzY|&{P(*eq$5LPV}r*Un#d1Gc?ac(`JXM zGD%zSJE9E$2yIHrDLl`gop49B^6$6!!W4U zxL8pyv=`wW8V#;tQ#>AWoE2aAbU}*&OJhDiT+J#Zfm;U`xHb%*R_`HgM1R!+PQS*0 zHDbV8!=t_c)Xe}XtJ<}Nl(mp!Ju>PG!1S3M6G#4hMlVEz)3x)uZQO1P zzZ0U#fB#irL*HSXx(nLcYp!FAaVa}c2@W&Hwo`etzi)(fvQPy4|tpvYG(v9Ppa!Y%!o;d)+=X2T=jq zQfXp(Mn&oJSefov{DQlt+YA?T@4Q|NhQ?zr^gPZJd@*q$Z{^Fm&Q@J-n+Pw1NyeU@Exhljpw%$z-{Y#_u5vGd5i#vGn!YkVTBNe+g>9z z><*ti-_pR6#IZ*bq9g>@dbTe9LR`E)efNbBG2GU`B4Sm;L#OTcZJWlqAMdkm+Nj&x zN@Y0mKHWHWH@jkqYugr>YMm&VZedw$^6>`V%C1U0^gUkbhiq>H0kphDouxSt$g1Z0 zxEHrv#!;lw=KckVG3KQp^HTLa3QRDle^G-);3q74BgN|XoHw7dfZGsLUs%l2akuc) zuv_QOUnB$Vu0w{cAb&Q(O0KfiMsp9!ug<6g|NZv0rqb7+uRmXZzWmSs1ONd4|GGz= I@BlOl0KB Date: Fri, 27 Mar 2020 15:04:26 -0700 Subject: [PATCH 14/28] adding more files to avoid checking in version tars to gitignore --- Openshift4/.gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Openshift4/.gitignore b/Openshift4/.gitignore index bc88a61..f2ea4b7 100644 --- a/Openshift4/.gitignore +++ b/Openshift4/.gitignore @@ -2,3 +2,5 @@ artifactory.cluster.license jfrog.team.crt jfrog.team.key artifactory-ha-operator/helm-charts/openshift-artifactory-ha +*.tar.gz +*.tgz From cedcddbd9ef3ebb7122ca7421f6028f510e07fc7 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Tue, 31 Mar 2020 11:53:40 -0700 Subject: [PATCH 15/28] updates for openshift submitted for certification --- .../artifactory-ha-operator/.osdk-scorecard.yaml | 10 ++++++++++ ...ctory-ha-operator.v1.0.0.clusterserviceversion.yaml | 2 +- ...ctory-ha-operator.v1.0.0.clusterserviceversion.yaml | 2 +- .../artifactory-ha-operator/deploy/operator.yaml | 2 +- 4 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 Openshift4/artifactory-ha-operator/.osdk-scorecard.yaml diff --git a/Openshift4/artifactory-ha-operator/.osdk-scorecard.yaml b/Openshift4/artifactory-ha-operator/.osdk-scorecard.yaml new file mode 100644 index 0000000..ec871bb --- /dev/null +++ b/Openshift4/artifactory-ha-operator/.osdk-scorecard.yaml @@ -0,0 +1,10 @@ +scorecard: + output: json + plugins: + - basic: + cr-manifest: + - "deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml" + - olm: + cr-manifest: + - "deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml" + csv-path: "deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml" diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index befdf1a..e66aa57 100644 --- a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -133,7 +133,7 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: quay.io/jfrog/artifactory-rh-pro + value: registry.connect.redhat.com/jfrog/artifactory-pro - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY value: quay.io/jfrog/nginx-artifactory-rh-pro - name: DATABASE_TYPE diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index befdf1a..e66aa57 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -133,7 +133,7 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: quay.io/jfrog/artifactory-rh-pro + value: registry.connect.redhat.com/jfrog/artifactory-pro - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY value: quay.io/jfrog/nginx-artifactory-rh-pro - name: DATABASE_TYPE diff --git a/Openshift4/artifactory-ha-operator/deploy/operator.yaml b/Openshift4/artifactory-ha-operator/deploy/operator.yaml index 51f05a8..3fcd108 100644 --- a/Openshift4/artifactory-ha-operator/deploy/operator.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/operator.yaml @@ -29,7 +29,7 @@ spec: - name: OPERATOR_NAME value: "artifactory-ha-operator" - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: "quay.io/jfrog/artifactory-rh-pro" + value: "registry.connect.redhat.com/jfrog/artifactory-pro" - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY value: "quay.io/jfrog/nginx-artifactory-rh-pro" - name: DATABASE_TYPE From 611e9648155b73318f8a9188b1a13b6d880d162b Mon Sep 17 00:00:00 2001 From: John Peterson Date: Fri, 3 Apr 2020 14:08:27 -0700 Subject: [PATCH 16/28] Updates to Openshift Operator v7.3.2 certification passed --- .../artifactory-ha-operator/build/Dockerfile | 5 + ...operator.v1.0.0.clusterserviceversion.yaml | 7 +- ...operator.v1.0.0.clusterserviceversion.yaml | 7 +- .../artifactory-ha-operator/licenses/LICENSE | 202 ++++++++++++++++++ 4 files changed, 213 insertions(+), 8 deletions(-) create mode 100755 Openshift4/artifactory-ha-operator/licenses/LICENSE diff --git a/Openshift4/artifactory-ha-operator/build/Dockerfile b/Openshift4/artifactory-ha-operator/build/Dockerfile index f871c9f..4e9ec36 100644 --- a/Openshift4/artifactory-ha-operator/build/Dockerfile +++ b/Openshift4/artifactory-ha-operator/build/Dockerfile @@ -1,4 +1,9 @@ FROM quay.io/operator-framework/helm-operator:v0.16.0 +LABEL name="JFrog Artifactory Enterprise Operator" \ + description="Operator to deploy JFrog Artifactory Enterprise based on the Red Hat Universal Base Image." \ + vendor="JFrog" \ + summary="JFrog Artifactory Enterprise Operator" +COPY licenses/ /licenses COPY watches.yaml ${HOME}/watches.yaml COPY helm-charts/ ${HOME}/helm-charts/ diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index e66aa57..8b4167b 100644 --- a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -133,9 +133,9 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: registry.connect.redhat.com/jfrog/artifactory-pro + value: registry.connect.redhat.com/jfrog/artifactory-pro:7.3.2 - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY - value: quay.io/jfrog/nginx-artifactory-rh-pro + value: registry.redhat.io/rhel8/nginx-116:latest - name: DATABASE_TYPE value: OVERRIDE - name: DATABASE_DRIVER @@ -146,7 +146,7 @@ spec: value: OVERRIDE - name: DATABASE_PASSWORD value: OVERRIDE - image: quay.io/jfrog/artifactory-ha-operator + image: registry.connect.redhat.com/jfrog/artifactory-operator:7.3.2 imagePullPolicy: IfNotPresent name: artifactory-ha-operator resources: {} @@ -277,5 +277,4 @@ spec: - "rpm" - "yum" maturity: alpha - replaces: artifactory-ha-operator.v0.0.0 version: 1.0.0 diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index e66aa57..8b4167b 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -133,9 +133,9 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: registry.connect.redhat.com/jfrog/artifactory-pro + value: registry.connect.redhat.com/jfrog/artifactory-pro:7.3.2 - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY - value: quay.io/jfrog/nginx-artifactory-rh-pro + value: registry.redhat.io/rhel8/nginx-116:latest - name: DATABASE_TYPE value: OVERRIDE - name: DATABASE_DRIVER @@ -146,7 +146,7 @@ spec: value: OVERRIDE - name: DATABASE_PASSWORD value: OVERRIDE - image: quay.io/jfrog/artifactory-ha-operator + image: registry.connect.redhat.com/jfrog/artifactory-operator:7.3.2 imagePullPolicy: IfNotPresent name: artifactory-ha-operator resources: {} @@ -277,5 +277,4 @@ spec: - "rpm" - "yum" maturity: alpha - replaces: artifactory-ha-operator.v0.0.0 version: 1.0.0 diff --git a/Openshift4/artifactory-ha-operator/licenses/LICENSE b/Openshift4/artifactory-ha-operator/licenses/LICENSE new file mode 100755 index 0000000..d645695 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/licenses/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. From 68862f8d7dd3c71f4d43299b0ccef2546e291685 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Mon, 6 Apr 2020 10:14:13 -0700 Subject: [PATCH 17/28] Updates to readme files --- Openshift4/README.md | 21 +++++-- Openshift4/artifactory-ha-operator/README.md | 60 +++++++------------- 2 files changed, 38 insertions(+), 43 deletions(-) diff --git a/Openshift4/README.md b/Openshift4/README.md index b68063b..08eaaad 100644 --- a/Openshift4/README.md +++ b/Openshift4/README.md @@ -1,5 +1,8 @@ -# Artifactory HA Operator -This code base is intended to deploy Artifactory HA as an operator to an Openshift4 cluster. You can run the operator either through the operator-sdk, operator.yaml, or the Operatorhub. +# JFrog Artifactory Enterprise Operator + +This code base is intended to deploy Artifactory Enterprise (HA) as an operator to an Openshift4 cluster. + +You can run the operator either through the operator-sdk, operator.yaml, or the OperatorHub OLM (CSV). Openshift OperatorHub has the latest official supported Cluster Service Version (CSV) for the OLM catalog. @@ -19,15 +22,23 @@ Or run it locally using CodeReadyContainers. [Code Ready Container Installer](https://cloud.redhat.com/openshift/install/crc/installer-provisioned) +Note if you are going to use CodeReadyContainers to test this Operator you will need to ensure: + +``` + - create at least one Persistent volume of 200Gi per Artifactory node used in HA configuration +``` + ###### Openshift 4 Command Line Tools +Download and install the Openshift command line tool: oc + [Getting Started with CLI](https://docs.openshift.com/container-platform/4.2/cli_reference/openshift_cli/getting-started-cli.html) ## Next Steps -To install Artifactory HA as an Openshift 4 operator please use the console's OperatorHub to install the official operator. +To install JFrog Artifactory Enterprise as an Openshift 4 operator please use the console's OperatorHub to install the official operator. This is the easiest way to install it. -To install the operator locally please refer to the instructions that can be found in the README under artifactory-ha-operator. +If you wish to install the operator locally please refer to the instructions that can be found in the README under artifactory-ha-operator. ## Contributing Please read [CONTRIBUTING.md](JFrog-Cloud-Installers/Openshift4/artifactory-ha-operator/CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us. @@ -36,3 +47,5 @@ Please read [CONTRIBUTING.md](JFrog-Cloud-Installers/Openshift4/artifactory-ha-o We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/jfrog/JFrog-Cloud-Installers/tags). ## Contact + +Github issues \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/README.md b/Openshift4/artifactory-ha-operator/README.md index 7b25a3b..9a96d75 100644 --- a/Openshift4/artifactory-ha-operator/README.md +++ b/Openshift4/artifactory-ha-operator/README.md @@ -1,4 +1,5 @@ -# Artifactory HA Operator +# JFrog Artifactory Enterprise Operator + This code base is intended to deploy Artifactory HA as an operator to an Openshift4 cluster. You can run the operator either through the operator-sdk, operator.yaml, or the Operatorhub. Openshift OperatorHub has the latest official supported Cluster Service Version (CSV) for the OLM catalog. @@ -19,8 +20,16 @@ Or run it locally using CodeReadyContainers. [Code Ready Container Installer](https://cloud.redhat.com/openshift/install/crc/installer-provisioned) +Note if you are going to use CodeReadyContainers to test this Operator you will need to ensure: + +``` + - create at least one Persistent volume of 200Gi per Artifactory node used in HA configuration +``` + ###### Openshift 4 Command Line Tools +Download and install the Openshift command line tool: oc + [Getting Started with CLI](https://docs.openshift.com/container-platform/4.2/cli_reference/openshift_cli/getting-started-cli.html) ## Cluster Setup @@ -36,53 +45,24 @@ oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:art Where anyuid is the Security context constraint being applied to the service account artifactory-ha-operator in namespace jfrog-artifactory. -If you run setup.sh these will be created on the cluster your kubectl or oc program is connected to. +In addition to this the restricted scc policy will need to be changed to allow anyuid: -###### Security Context Constraints - Hostpath - -Openshift does not have the hostpath plugin enabled by default. - -A security context constraint has been created for hostpath in deploy/hostpathscc.yaml - -You can apply the security context constraint and hostpath plugin patch via these commands: - -``` -oc apply -f deploy/hostpathscc.yaml -oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' -oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:artifactory-ha-operator +``` +oc patch scc restricted --patch '{"fsGroup":{"type":"RunAsAny"},"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"RunAsAny"}}' --type=merge ``` -Or if you run setup.sh these will already be done. +The privileged scc policy will need to be changed to include the artifactory-ha-operator as an admin account: -###### Persistent Volumes +``` +oc patch scc privileged --patch '{"users":["system:admin","system:serviceaccount:openshift-infra:build-controller","system:serviceaccount:jfrog-artifactory:artifactory-ha-operator"]}' --type=merge +``` + +###### Persistent Volumes on Code Ready Containers Artifactory HA nodes by default request persistent volume claims 200 Gbs in size. If your cluster does not already have existing persistent volumes that are 200Gi you will need to create new persistent volumes that are large enough to bound the claims to. -Example persistent volumes can be found at: - -``` -helm-charts/openshift-artifactory-ha/pv-examples -``` - -If you create the five folders on each node: - -``` -mkdir -p /mnt/pv-data/pv0001-large -mkdir -p /mnt/pv-data/pv0002-large -mkdir -p /mnt/pv-data/pv0003-large -mkdir -p /mnt/pv-data/pv0004-large -mkdir -p /mnt/pv-data/pv0005-large -``` - -You can then apply the example persistent volumes to your cluster with: - -``` -oc apply -f helm-charts/openshift-artifactory-ha/pv-examples -``` - - ## Installation types ###### OLM Catalog To install via the OLM catalog download the operator from the Operator hub and install it via the Openshift console GUI @@ -160,3 +140,5 @@ Please read [CONTRIBUTING.md](JFrog-Cloud-Installers/Openshift4/artifactory-ha-o We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/jfrog/JFrog-Cloud-Installers/tags). ## Contact + +Github Issues \ No newline at end of file From 673b827a837efeafae4019b94281a0475cbc972f Mon Sep 17 00:00:00 2001 From: John Peterson Date: Mon, 6 Apr 2020 11:42:39 -0700 Subject: [PATCH 18/28] fixing the issue with helm installation due to single quotes --- .../artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml | 2 +- .../artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 8b4167b..a04c545 100644 --- a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -31,7 +31,7 @@ metadata: "user": "OVERRIDE" }, "initContainerImage": "registry.redhat.io/ubi8-minimal", - "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default 'derby' .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/{{ default 'openshift' .Values.installer.platform }}\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", + "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default \"derby\" .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/{{ default 'openshift' .Values.installer.platform }}\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", "nginx": { "http": { "externalPort": 80, diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 8b4167b..a04c545 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -31,7 +31,7 @@ metadata: "user": "OVERRIDE" }, "initContainerImage": "registry.redhat.io/ubi8-minimal", - "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default 'derby' .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/{{ default 'openshift' .Values.installer.platform }}\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", + "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default \"derby\" .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/{{ default 'openshift' .Values.installer.platform }}\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", "nginx": { "http": { "externalPort": 80, From 26a9b625ddbcf8366a97f9a40b0ea4c47d6816af Mon Sep 17 00:00:00 2001 From: John Peterson Date: Wed, 8 Apr 2020 11:03:30 -0700 Subject: [PATCH 19/28] Openshift4 Marketplace v1.0.0 CSV --- ...operator.v1.0.0.clusterserviceversion.yaml | 34 +++++++++++++++---- ...operator.v1.0.0.clusterserviceversion.yaml | 34 +++++++++++++++---- 2 files changed, 54 insertions(+), 14 deletions(-) diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index a04c545..5fbcf18 100644 --- a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -13,9 +13,9 @@ metadata: "spec": { "artifactory-ha": { "artifactory": { - "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n #image: \"{{ .Values.initContainerImage }}\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", + "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { - "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro" + "repository": "registry.connect.redhat.com/jfrog/artifactory-pro:7.3.2" }, "node": { "waitForPrimaryStartup": { @@ -31,7 +31,7 @@ metadata: "user": "OVERRIDE" }, "initContainerImage": "registry.redhat.io/ubi8-minimal", - "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default \"derby\" .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/{{ default 'openshift' .Values.installer.platform }}\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", + "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/openshift\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", "nginx": { "http": { "externalPort": 80, @@ -42,7 +42,7 @@ metadata: "internalPort": 8443 }, "image": { - "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro" + "repository": "registry.redhat.io/rhel8/nginx-116:latest" }, "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n" }, @@ -91,7 +91,7 @@ spec: description: Openshift 4 Operator to deploy JFrog Artifactory Enterprise displayName: JFrog Artifactory Enterprise Operator provider: - name: JFrog LTD + name: JFrog links: - name: JFrog url: https://www.jfrog.com @@ -164,6 +164,7 @@ spec: - events - configmaps - secrets + - serviceaccounts verbs: - create - delete @@ -195,9 +196,10 @@ spec: - get - apiGroups: - "" + resourceNames: + - artifactory-ha-operator resources: - - configmaps - - secrets + - '*' verbs: - '*' - apiGroups: @@ -246,6 +248,24 @@ spec: - patch - update - watch + - apiGroups: + - networking.k8s.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - policy + resources: + - '*' + verbs: + - '*' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - '*' + verbs: + - '*' serviceAccountName: artifactory-ha-operator strategy: deployment installModes: diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index a04c545..5fbcf18 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -13,9 +13,9 @@ metadata: "spec": { "artifactory-ha": { "artifactory": { - "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n #image: \"{{ .Values.initContainerImage }}\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", + "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { - "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/artifactory-pro" + "repository": "registry.connect.redhat.com/jfrog/artifactory-pro:7.3.2" }, "node": { "waitForPrimaryStartup": { @@ -31,7 +31,7 @@ metadata: "user": "OVERRIDE" }, "initContainerImage": "registry.redhat.io/ubi8-minimal", - "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default \"derby\" .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/{{ default 'openshift' .Values.installer.platform }}\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", + "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/openshift\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", "nginx": { "http": { "externalPort": 80, @@ -42,7 +42,7 @@ metadata: "internalPort": 8443 }, "image": { - "repository": "image-registry.openshift-image-registry.svc:5000/jfrog-artifactory/nginx-artifactory-pro" + "repository": "registry.redhat.io/rhel8/nginx-116:latest" }, "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n" }, @@ -91,7 +91,7 @@ spec: description: Openshift 4 Operator to deploy JFrog Artifactory Enterprise displayName: JFrog Artifactory Enterprise Operator provider: - name: JFrog LTD + name: JFrog links: - name: JFrog url: https://www.jfrog.com @@ -164,6 +164,7 @@ spec: - events - configmaps - secrets + - serviceaccounts verbs: - create - delete @@ -195,9 +196,10 @@ spec: - get - apiGroups: - "" + resourceNames: + - artifactory-ha-operator resources: - - configmaps - - secrets + - '*' verbs: - '*' - apiGroups: @@ -246,6 +248,24 @@ spec: - patch - update - watch + - apiGroups: + - networking.k8s.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - policy + resources: + - '*' + verbs: + - '*' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - '*' + verbs: + - '*' serviceAccountName: artifactory-ha-operator strategy: deployment installModes: From 5da9306e51bb9a8c7cc49bf6cb721bf7f2a1a47b Mon Sep 17 00:00:00 2001 From: John Peterson Date: Fri, 10 Apr 2020 12:31:38 -0700 Subject: [PATCH 20/28] updates to fix the issues with artifactory-ha v2.2.9 --- .../openshift-artifactory-ha/Chart.yaml | 2 +- .../charts/artifactory-ha-2.1.3.tgz | Bin 130327 -> 0 bytes .../requirements.lock | 6 ++--- .../requirements.yaml | 2 +- .../openshift-artifactory-ha/values.yaml | 24 ++++++++++++------ 5 files changed, 21 insertions(+), 13 deletions(-) delete mode 100644 Openshift4/openshift-artifactory-ha/charts/artifactory-ha-2.1.3.tgz diff --git a/Openshift4/openshift-artifactory-ha/Chart.yaml b/Openshift4/openshift-artifactory-ha/Chart.yaml index 42b4f95..6bb6d23 100755 --- a/Openshift4/openshift-artifactory-ha/Chart.yaml +++ b/Openshift4/openshift-artifactory-ha/Chart.yaml @@ -21,4 +21,4 @@ name: openshift-artifactory-ha sources: - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view - https://github.com/jfrog/charts -version: 2.1.3 +version: 2.2.9 diff --git a/Openshift4/openshift-artifactory-ha/charts/artifactory-ha-2.1.3.tgz b/Openshift4/openshift-artifactory-ha/charts/artifactory-ha-2.1.3.tgz deleted file mode 100644 index 8d21a4f514e4bbfe76883c2898dfee5b0bf721d0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 130327 zcmV)ZK&!tWiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ}dfT>=Fn<2lRiLzbV)sN}cAWMoads73PSpBqEhjzsH9aas zLK13{UUy8OkoUd0y^`O90YHKuk|pP(d-jdmCzeQHFc<)XnZaNN$AV6Xu6cyJF^vQ~dK1zs z5_9aMa}qI5<+MS^IK)#DBc4PNivU(?@UJXJ5q2-}R6d)qIKYBGt|2r|sP7@c zn9mUoJ+wbSoWv4xvo>P^>7tns5%0EI*Vot0Unen}HeD99tjXG{QCDJQ3dZ=lIi+Hj zj1x{`mxY3a0xCiEmMbSVZv~hO61TX(W1qANliz1kmU|{2G^21@yCm~#7JIx~YapvY zt$_e~t${pp#Ufq{FbxH!A&H?Z2{84$2nSTmF8@94NDZM7%WlF88uF~DheJwyQc+gF z`JKdBY2tg>!xe?qi>zRb1Gl1>J4-Gv?P4^*Jg6ub(;(r$*EH5Sveh_CVwXUF&1j5i zC}KRf=pV(*OI*?V{xD|KM$dw97PHnBCD&GUHISvzt6iC?x!vqEcWQt3+WFt`DJ+32 z>?eeOz`Tx%D&KLgwIX)ZcfJ|`W3#5i#vgyJCZ`L-@#f)-9Il|~& z@A#;pc)1`Rnoys}0x!umjtRP+kr25v90JSNAZH{dP4tc>h|gH!d+0J`*XVkN1)8%2 z$$B26;qF}1I$n4#NS)O@Sv<|Uaoc{08vb98rCt8Jit76dG;(U6LL zrn&DRz*Evi4)!A&lI~8k({^e#8ghYspTyl7LSh~f`8V>hkp1ae?+4+8b&+$69%;Tc z@Equ0a_M)oEo(NZFl-ZjzP-J{3o(S%@;#DqWUqMy)h`ddMoTJadWt(yE-&L}q~SdcCf zaYAYc#mt9^hLD7w_=F?DbfG312sB~7&#u*^mxU3Jh)XBb1>jIKmemxH2Eq}26|*GL z59FgqkM!4=q}#E1Cq*mj5}rOFp%*b4itI_mJoDp<#AB=Sl!)~EH5TqH{pC|GfSN-E zUy_m~p;(=U8nFge6?sEFu5E18^eYXrf~XskClQcN5Ssw$hPgVD#tA1)Rdz5zArpub z0RpE2CK;Lp_ZVRXh;lR~A&If%YzdbWO9GxGz7OvO3FNdSMl7l!gu{>t7$@FEw|A0< z$n^vi)XS`kCfMh)lAio8v3p5EPZ2pSWIBf4$a$I05QIZCP%u$UTo!w>OEbm=@1mc6 zhWV8U5}#o)>!OxKDdQ9RVNPx?<18D^50dUg)AcduT_m~rO+_)`^9FXMNa#rHof<+u z9uq$UD`GsEP`3fh7Lgl4;t=~4uV|RQ629q~oLjJLQIK$f#smd8OtA0IHE}#dLl`1C z96Z9V8gH2Nvf_!Ba&asgdsY5J+;=QhGbyK8A;%4O=3|JvSFS?%o`G)$OmS1 z268BxOO6 zgpySewNqz13fiO-RI%&mRkx)_N_96Yr^lnv-;JssZ`ge)k%2u_}lgBt) z15dK*?0JsoX?6x1u$o_bTb_53$J|R2H;tA^nSO6f3SBg&BE$i07cIZp0HM(IUW`!_-o)RP0Cx+V8P z681b#PByvnok!n1a%yTG-R!e4B(CPQPG`5>h8CsZCabxmdKW;5)89!K?Y3Xh8ZujW zS95|`bkXjUo$Z>v-<#EoV)9!;Y|a*t0Ep`BcD9eHV;;LvB2j9$1O3RS0j;Xmc~z{m zt1E@fBk2-??N9BsC#M(I{&}XTH~fzy#jYt=EE#Qzi-wZFbJTymc z!UYSEkwKA11g5@HFc6E8C0V0u>id9))bB*i)UhRhFQ!*Y7f@Ks_N0U$aZY0YG4ct% zBCt&WkCuc-B#4BZ5=rdmYhHtD=vD$t969#~U|fCH*vq`Z_R7Mg7K*el0X&->KDnHl3 zgxLgSp%P_JPA~eXfsXMF4U#~~62wzeOp5Io=9Huh4T+bvNIB}X%|}jp{bC>FQRsxx z2aIfu6x43MBFyX4D-y@lBPspmXlcS2IUWkWDRd)G0bRqqJQC zXig&%<~Ez}+6pHy-FP%6YRD)DSzGR5Fr;$mKyW)b93pZ>LXluUFT_B(*FC9rV7Wsc z(73Q`WrGk&jRQ(bEhmZYFAGQ>Qll2LXfFSj2!&XP2zF<=`NtJiqR|(^T{Ev6jmC@#E@B+D#x%t7oC_9{=1pKEN+dN~9}9X#DseQ$ z1dgXfbdem~g6{QTjBMS+r|!qXNNHKrBQB0Jc~q};4i<#sG?21ZhOZPxZTpVFj zSHVP^>gQYd#kZE#=QDQAQJjRJ&82N3%u&pkK%3MD^`7jMDfwe9A?G2=`B( zRh+m9NY*SAc1<~)_~%lK7* zFe?O#*spmqR&dhV=56lO$k4jDS?BiN9ov#r*nZQeg^hd3=8X#WsL~Qsbjg^cUMQux zT-kZ0%^c&%LZzzsqE^+Y7uwcSVI>4s9K%HeWE;t6j9oUAO=}r&UDTAVY^7YL&|FMb zZOtxO-BzJQdZ1!RovsmKSR%B)l3*gCbU=*(yCNzS^3UiV=6 z(-?NDB&5G31gYZybV=q-)Gun{A@hhjr2|tW7&~!bSNcjd^NuCR#bJ8Tidd)(5VDS8 z+{j@O2|4#sj6)AKX5KHsPR|b z7#j&-5)(c{1LafiIx{U1z} zDeN(v1?vt=N^s^AQ1R6nM#uz;i8A29fh;T%7Mh}3ao4|&*wmQVYRERZRGl-`4BO~= z0o6J%jbL;Bw%KmBn;l0R>N3NltUMZ_gJzOp!!&| zZ{i`$Q$?`KdRu@CCq+KPQewwKN~~a3XqHH)JyqE0@ z0JQNw6?in$vQSj7nly-5ESfig4+tBPyZBs^B}FEKN<;0m1Xgk! z4hN+fm;gt`)os_$1gpHz)8w-*`lDgw3*ycgax$hT3oEOzmZ6*i5E6Q;fFP148i1ng zk;dK}s7(szjc||=`N@=qT(haukZ1=MDIDmRkJMoRl#zAL;A!ffrUft@yEA%48qD|7 zb1iOOg3Ytx`UHny`-X?tWGp*qem=UrP2H7{6U-ZM9N9FkOb%+IySqoaZ~Yq)t36MV zPVd5Uc(g+v`u^bMzCJL8t{=~bzxl0W98-KSZk@*1^_A8V#RLrS`{_=8JtYD)PEm_R zqI^iz5@1|x`E=Y0=KMFmp*I5-H-5!exUt*pG@o>uzv4J`UHH`{p|B3WTo$Ohl@MAA z!hO)494#0ZWn#$1OyIqK$hB1`Q^KK+8Yu}QM~WP^Nq9wL7J{42l_cXBPC#Z@fEY3c zI{~yRk}!YjCYY2~ViXeMnYotv?5O3e{dp1QP>e`<8Bp(M?Y=e5cD1=diT%U=`P=^a z=pV;NBb(vL4O6cfebVN9*Z!{KtWx*5_m9!V>+^o^U|0aLtsEk%A?)w>hr=b6cbC+) zTJQhk;=DK7KRr1dyedGrukD9aP3xTWW&2C39lRW!ot_>+AA9>3gSY)c@lKIGc8$To zQMr7+`0=~Zu)lxazZmsT-j3e(a_Ai99HJCw`+>~Q$;8`)|=Pz4(L^whkDBlhg= zC7J6(gVTf4E;^()NG`O~Nb}5q1Y;6|zQEC@o5V2*g+EtTu_&eij^}1K*WTzL1bNCT z#^+p+;2jQpwLu`nXE-LFae(vLbV|c%<_~AdMd>q34q9Nb$!ejyJ6#W!&-c17UGzdf zzP)XzUAEHlqdL?~NsvNAsBvJI#C#sQO_#;wj4^*meYtT82bZ86OgX^Nwz|j$CFDYputelr)#?T6DyREZL8V)I z;f_YOu@~Vl8aOfZtKPiFLvqS2ygMraT@}SJqJg{mC zuinATSz!S+E6J;LSgT2iWZ~ic(DE)G8T4iMInoxDS9QUCQht)y?;__{Z|rt0&&?KG zWjQB4!JIUu@Q&{88dd>|Pg)IYt<|itR&}Yef2Fp4tB;)DdSlcbSAKbj#Zw#10X)t+ zlDc_1_cd!gLak=A>n;V7*}#gIU7P|HtBNMEpDSrPQ(0IG)H%qN-O9l8T=~+ZF^b%R zNmFSavx#6CfEJx**!33RQSgpS(O_{U#MG@QoypauQkSCgjF$q!3VqI6iqsKIHVaeN zrbRNrqPh#&z&(8^W01K_EyiI{{Q?&Ea+7MOu?5Yh)30179dcmh-L+cF%`mk+EN{tK zK;c5&h5T??gZHoTVvSXnda=&RE56hiFI0;%C-x=POsVR%S~7+XCdPaU*ZA!NTYW+2 zjKxCx9v_^h7E{;&e0B{+Ivk=-d;5vhJ#Do$PC^d)C<_~KPz^V+;4%^#Q>9@`IJ^kx zE2X<;&7<$y-)+|r%Hd=lnvz!2>HCgVY0>+HdR^3M@3duvB@$G110t@TF9iy$PJFhVI;$_k4OqLURo$CfK9!D~j1zIjQOQXY#?K z+X9ig=%ucLwQxjRSDlv9m0B}`eKFJbeW;+=KOjDyr@iQWr#xjRnEFXfE@m;|Gv)&o zD&3;=<0wxI{gfv#18pcZxTl~y_Q|^O^fUBgg?k&|P-lC&#>7iP4~Oo&i*}T^u6=}h zh2v_&m}9ZkW4XJbbAr7eV=BmL=-QV=w%hGjw3c&XHiweh{3ux7psnmjWhYkvaB_Ol z*9S>p3a8VM#YCS{=&3y>KD$=dssLXSlth)#6c#VDH~$FqP26tHI4bW%+af$sl-I7xW`_xrU`*oEi5xO)jpW8g?%o<$(X&%lq>fq9P#ub*{mjuD z4h^)g*5mT2DSB={dSTV!ir`MesjB8UkJ0svx-;Zau8e-(Jj4NYm8TDWQR~tRz=rAy&6&#xus@l%P7#2IvGB@MBabsJn-fP*5Lje&CoJrry`@ z;3@xuhGGjfEa|?`HJ*$cWy;*%R^Th;VnZ&01!>@G922LttnWF!D%Wt!v|5@Om2aN6 z^fan18q&pcsMvtLlfGER578=*?(UwqasZ0Zi#zcuEfniODi z8a{93UKDEq+UeVf#4ZU1o|40ukYR*f^1PKVQf}6C^2N4nEB$ppDgP&~+*a$5#p-HT zZryHzxVrT?z5NT?Q_2vfoSlY8SvZdCtoah5p^LIHIZxA;7lC}<%9UR*82PctagygP zwdcH8XuB?LO4}cCQ(Ad@X}EsE1&NCbBz?Y!cjgz28#B&NRDg`3Uc}3nP6{W#KB@sN zT|*W|>FQa5qgm`lj(7Fa%fa_aNJ%J;Xh4Nrt-0TeDg`tgMmQ#KBJd-M`*4SZ#S*~6 zcdPG()|6jo=XV+X||l%0!wL3c%!qJt3oX~fnET<&s*?)z1|wl zTg|zLbhC2)mq&L-+)HIVe6iD(voiZ#EUVAd2Hp!nz`a-j?L2Q~Z;ExaZR-WxeSh9E zKP#!Fz?I2`D%R(WNFLMFC!=GZxtHl`g@{kB<@;RambS_f>dJ~~UMVl?rmx^_YE@XG z-mSlre$aOKF}A{wvkiXAE%2l5WaVAVnE#5@FFjwj71_&J#Pe(w%O8s>mMa(Mpn_6( zx_D1qxTmSNcGoLQeBi$PA$#%~yDo5DB2a*DklAFxe!Y~ve%YRj6nXH(f6!j}iTApX zv2U$}dd_~S@V6f=mqymTs_bEbTdBTyj|3w~5Xt8)5k${h=GVIYTZsiN+|LHy3tiOp zS>l-rS<4k7hY2FO3Uw54ZKZ9Rny?;HFh%&_>wOyfEA2}82GXj~LI$YV#5i#;)t#jE z+sNudBNnJ)D-^1KDrtLYCG zBL2`3P_?Zw(BM8?EL}$mRfj;0tDT|%+WT>chCAr(&f2mk)Hf$PdyeMnvK75LWou;{ zef9R)NOuRm^ARjRRp3^)0^KXiSx{FN=gLTf6la0DU#hF5o z@6bImUapIu({%DtX2pjpLLaUKeJTa$p>p*aqF8z8KY{4YEZ17e&8EFoyAWVM2@wBYR4w3HKu z?vb)q6r2{G7C(>4)DT8})!bxSB1BnGU0wD}rMBgQSWcE-K|If9*JZ$ma7$%KJ<<=| zcn+DOejxKfRj-#7hsL4NrKMIK(G)+p(55L|flvB6*M9bN?e_L1y6l*Fq`JZEeXd38 z@j8<>;RJ#@gf7|7g8EjpTwM@QSP0{JYeB6thK0Kn%NrGOLe_v?xquQ*&SJvpG^F9w zbR&CWu(!&T4DECpLY9*LO+;hkND82;UjfVowHC|=(5DY$7K#JNC!iN?iMv!3%VtOA z+x6yU2I2=YKf^SxT%HxB6t}CaZ6lVIe<)sODtSxcI!Xz#tXLI&the{$Q6=}Tb|{}Z z&!Y$HiVGCQkESKAtQ!6)jsPFuoL|QBUM z)ZJSZaF$%80>}JzaeE7mfZwy;Gvp)H;@w?-&sb4c`uJyP>D8%{ZY1BJmp&V3H+?>i zo|Ltj9+H32n?P@>pv(v8QH!Bfy!oPMebKWjsaYhQp4(a0q6$V~lGB=7t}qJA9hd)i zs2>Zj20_8xJ%rBkdkLT6AoKH|Vt(=?%+lmEyU((@w-%o)VXE^euPk6nkaDp!t%|T9 zZ9oeeF$UOm+fer1w26|Xc3q7#g}<6tSsJKweIn(mD!!Ei_7Rkzw5_!ip|xZ)c(S4L zs4tbr>`UviPIlkVL|o9p+ygvE*yoUKJBzlhZpa}QuKlH#F(LW_4m~u6C`QIHU*Gh{ zDmAk4*55qo4WXtE#l5A&SU_A$lshCK}qcPX96>v-t#}k!GSE7P2@KY2dzMzp$ zazP;=x@5E5Epzj*`ZA*mkL#%bdNX#70vwvCE{jPan2N*EM4JbCPufGBt*mh!!ujm& zK39h%Y1ofr317$D5bn$biq=_Ru84}NltF?hXDdVuY@)lnh8&tkbmcal1ELKkH@i$H zS{IxeUm5mB!B%8`+W(XlZ zVjofmK!B)b%|ekV*lAvcT%;jguHp)A7J929^&+w&rWEPlNlR>OpkW%893yu|ea}iI z$tLS&aY`Y3Cf3@zDRXl9O(m2pAl5jGp0*^cj-CciZFN>?#Q+&hbYA0=!y&>vy;>Ai577`vi^WDkx8uyVta7BngX4tu`&fNyZJ(vBU_% zxnmdPk-?c9Knp25jm9#XgcIJR(O&)b9tVGolDV3)o$ z!%>_UOGa>(LR)jlRV5ck*rj4_0w<}bFv(6M9hnX?DXumWDH zfhZ;s%xoGW>|No|g$OfIB6O-2u)9D;Z!2rGrm;#rW+nYd-#|6<+X!miR1{FO!x808 zmj!0l7%OeQ6Do#KnxIC}Gt2IaP-ZUe7B{TM)JH)+vD!pRoyehvcFZ#fHP~}k5Exk*9TFS37Ka=jdbVuFS{=odrTUqH0|MGf6AO62O?=IpIKaQN5Yiy1v`T(U%4l4) zrg1CAp+}lCp`%B^yy||81%$7;vtTyl=bJfb>wfIzRz3sE%@K=hSWlO&B>PmWi=5t% z!zYc`$G!c=@O5u{_o-uvWj)WM5&-s*Wr~+V9TA8rrpR}S;byX;I;oc$1whsHDG5b0 zz&9pIh1!ccStj%Q=U6`eSgKJP!djYr;Zd3`r#zZDJ@-C_q%WzfVx_eB@Ki-b+gD=E z;LPrvPSq=Sq3anHMCFVLONr-Ax}?p7lS$$uIx(>c%`2eC-VwvzOYBQd5~nfURNy(v zRW>D)mS%8<_6G;&>QE*XzO>HLg_J%9(h!m*oO>p2lgW`{%WUCwwS^zLoYL>@HzcBGwp)oYpt)Yl9A8ms4nwAhTo=m8VApWOO zsDfC38ct>5D-jF=Mqz;2*YK^b-KSNS@MnH1Dh zQNEm#EDKdQwjs!oGnCOtG|`#Pav=xaPKO~u{hH>NFw|BV(I7y&TwZ*(FrR)t9ByZ4 z=kKcIP3dv1JhHkQl8Gp@2X*sdFnHQi5)&0P&ZCnFi6L;~n22ja)QCq`{~%;zp^qCI zXdmQ5YJyPGI7>ka)fClDVkwAG=dq9=*|r3sn^?eQ5@lV~qij%?I6l^P zrZ_Q4oAVhxa*)&{E95*DELU96;c23j<-BZ4?6ih9lBMjz> zG>IaFx+l#k`b8z8Yy|UIMfPu06RFYurC>+Uc_%XrHa1Y2&^=4TX;H0)a(QI4>6=R= zTT0>niaOb2lS5V|kuBtYFIL^IsH*eTee5-!>u9QhTZsd?3S}C=W~#!?Y0%lUhU}DM zcBLqluJcp|xCyxI!PK#y+{k{WPwZSUUDSE1AO9NM+^g(Gu=fAn?zGcKkai*c#kpV9 ztw3ANWeJg6Cd@!9Z->bem*(D(3@8=FjM2r7TJhk*+a*plf4Ii`doJ4u2_%=Px+^+G{=rhc{>-(sJ7dJlp= zJDg2~BiF4n!?EW)gQRyV>xc5RFvenzLWXcCXv4H>WGWS;-i)_k5%bw}uCg&)riP&= zWi68w1~!E(`9UQsRQz{EPG~Xf|A!c%>h%hIP)E4kSLUm2coxtwHP#sOX(hk3H^Tqb z{Ia;?f8m$^1Nh|zD$oob*d*IPE3sIq0AMOgL6&Wi>l#yW$YL$(0#it$Ou;N=2LgxMT5x+6K65uk`^jO1~OsSRANUt@X9i=ff||*>h#z00f}Q4!*6(Sq-xmE();QqrMo9ES>AL_M>;v_ufKG$86dQ~YU(7dPj#V!VDi z9$47}xQGc3P{6#zR~{P5u!Ao4&-BYQl{drQNEd7+JccyEfJjR{<*jgfGg6gw!6s+V zQj^i}HB#piXy2wLyw`Z#YF4I?L2uJd)dzx=X(@YW+gi}w-Lq^bj@iw81ZKY5TSPPcyj?SFN@dgmgevwlEu@BO zBq>;g^`!mxr;Cf(;5ysiJ+n5oBB1T|ldAXC2&qwz3HC<%VjS9j(r%}8Qnvk(il@4? z$e4Na>H?|_J&b9QZ+8m?I0+XZq27;^$%Moy2`;PNa`dEK`I4t476A|>h(?lEjlfk^ z({i^RNGo5R9J+m&!(dZivuha14ZajT{(x2u;<07fy_@xn)Xv&Qey-z zoIfL{uGzbTjN`(iIu}?Z9Mx5`b3wQyqd-m_@QlfX#3Z(A=ob?H2v12U98>m2qIQjA zk9hK%^QZ!ALBVP35slCu%AuY%0GRKg_m16__Z9}w9T;a-EbF6P3Np^_p*s9cpK1yi z`0&H7rOB~}3}MnYKpXj@NU03*NV8P{Zhk@U>?YC|x(8XwnDB^&oTxWNoYV5T-&QFY zDb=_=c6Qrude-}F2;XO8r9_JdZKau1g7i3N+$i+q!Z14p3(cDi;YOp7MG2o3-dqwA zVV_=+bVZ}5yJ@xQ?=-SY8^&$1Y$-!Dz1BBP`NeSjS}sGUEq@gDbk$)vM=kE>ocmG) z5zJ*iM;AxKtB(4&Y5s2OzdO&;3NDe&D&=?$!gB7ngwLC9EGl7*F3J2M@Gi+bgU1P% z%xDC+5lmL`;qa*237%O!Ccu)^#^TawCYfb628CNt8yiNdaLdw1Ufigpye(zCmZOmQ z&@B>9s;WrTpIPm|E!D=Ne5FeUeQ~p@ctI*EwYyUG-r*j@cv#~ zG79?7&3}6?^{*Grziqv5t}H&TE@)avsJn-zCp4VKl5NR-g69&nXaZ>^iX*2fK{X2Z zIg#U_KM)N)xfir0PNlvyQ30wXL!(5PMn*h3L7U}G6_^g%LysP9S+Y7O0xc?w>fD`? zfaGOo<;9UnteGWTYn-}>wHJVkp>Gu6oQt8w_VZkSW5d$RmH3~Wb^f^8-fC?&zu7`Ls5qi6rR=u=Osn2$)wj_& zCit>QHFuVTm&6;17>8UkLlU|SOt{%bq@_41OM{>QB3%1fEfs|{$y*kl6(ThHd%Inw zS!p>MA+6gL%eahPQZjECU&K>W)iQVdk^QJd=4HCK~b zeUa?NHVzGp29OL@*R8mfd@ndy{0mTBj@4@^F6TZ9OrDPSA#lj#qq-`FJ+G)6Jj?Ek zWh=s7me%UX7P%68lbE9aEbs=ouIstAUpd)7_DnA%QZ6{@x9Xi|7C!d2@i~^^J;-IK z-4zTgMOQZMpcc@OUM6GmSf61jFR~Nn5efb=tgCDAkV!Z}w)+`CQP%U)<81X8d@kBwSawbc3aiiZDRxJTgXW2z0^fCLQ-)hIw!CVVQ`kt3*`|7*}ktC!l~ar zGq(x;`@jB=_ICX5|N6gKj#)Uu`tSexKSxq)|L_0$zv>{!%-jp*3}?*e8i2whf1{LKePdCs(|LnZK-@E7^bPEU0 z#&a$vk&j*Cq469Yb=psN8%Le?w@={;0-7Wufx}Wb!Uu?U>r&X)7;m7W7LdLu*5Da> zCDlp2vc2xsaGT!?9?X3yZ?%wzs4{!8pbdoRTTdD5p@(+_y;!beGh#cgbAsUfv{>0xCJ|EXiLF zNICgI%x!2r6yPwyzCV{=@RWEJ+1TZL2hST*>s<#>)smCms%pwRt5)qxQ{j@5_XF901m|OdMftG2rn!#3VxqEzL(%-fG36ys9iL5k z6Ac8yoF@T+`-kSbs(dFfpBZ6{sBFvWUghaaEdIP%GcD%)AIy3$`y!g+i#-k;?Q%eT z%msCuE^EmOyk)8?-eQ~#(6`OqW=9?71JZ9|zl$96tGnBN@&t%4NF2}*=STq zfvYdrNNp<7Y11cH#P1>+PFO1PH09ROUH6tfSQxFfcF$5o=(mI< zq{-D?ng6WWBh;i}lo+?mhSpz|%T2YU2G=Ax84)(=qWbOr(dn??1(skmY}qlMO)AuQ zQ2)MZW>`!p@jVNqQQVR9>m(MAWo4O;wEvpbj(V>qVK=oFhk+ zdAhUPX>Ygx((dd&-G1^H)czP9yzi56f#bilKe(-8=l(@L`z)NsSR}r_;{{&YAPIn5 ztq1Ol#6w^S&dCt3dtcRROMJir%ms;cJbztI3KE+k6U!@P8qpToTo6ApgYF!D;K$hl z&#BrstA5arz4Md7$t$#Sjc;n-NW$iYFx3TgN#;^S<3g$+TDTUrSVxSBY{5qYuO!Xh zhf+oZ|70Ic7IQ1Woxz!;u~tG%40atNb*EiwZ(!hB19%;g8}KYV?hP;c=c6C`@Am4O zEFvN2K8odZY|O|F+S%S(AM-jQ?u?=OZ3g`A0Ys<<{>eTP_!;IZbWNrer&CcdWs0?< z!Bo$#T*n`M9?W|_7}^BABK}-m0CI7tJe^S#lSVO!33LNP&s?RA8|cih(-NeM_mh1-9}oThba1kegLa;-$w3P|)ByiD9Q1!U4>hyP>h`10hWRJ_ zEaF5(RunNVrZM5a`L>r;?Vxwjd)XWIyR{33$c>1xE7Gu$W6Vi<&FwMVNzFw)tLa&K z@N#t48xDUwJwMp1Z(b&2;tC%wzBC%(2p(aVfW~>Q&XJlY>C?MAl&_*Uk(FvTn7VKJ z2b#ttLRlZT=aE^~72EbvPK$A0B>p$U9)de9%8ot|GjguDex z@QAog36=lU{<#@yT<#pB!SkgdCl#i7e}Jtbrh~Hro+@g|L$IZS1c0dWif-zoVFJ(e zk2^)A?LAKBQjhmz#ZyMb_Di3vr_Oc;PLm#ca>dsCNK;A4+ zBVyjFbJ<6Z%Yul7BouokC)Q8}HFg%x`G5!vj7yf(v)o`JF>GkprWM(&=@0s@{aw4O zd=G3&X4Y_7Afu&bdfQDn0LrmC8tO2LF}vo5fZV9K7Wrnrgt2YA_(CJLTwdOHF9A6RdtNbF+ zH0gOBdfhWfD$gWWKt#QQg=tA^8Sm?3cb0o8IlQ@2&k;sfa1Gk@D;GlV`ue&FC)W@> z&t>7nPe|yJmPdKy<9X}+;;{9)_qTyM3j-tB-*D*tZAe6-&eH=H6XX$rsn46GiF$i0 z=L?Ig4czK>eA5IsX#N`9q!Lk81&BXWS^Dm-_Wkic@+W^?BX`Lm*<7^4RNp+b7!jDq z1`|-WuW=~UctPw3*(CUPfg;X=C=n)*?5{2hIrDXt4lC}1b6MKb_L(m0s zj@gn1XWeCr?^252-5DYB?0j(CJAXI&w7ZZ&<^%Vjg3!I7=S!!Kv6A(VU-r*Gaj!qZ zu3Oj%j&YO|OJFZE(YVujA@>Kk7^Mz!K4g~g#AArhP{TzIY+CP~`fYj6fG)e<1bFYD z7cVR{osTiPmFSkn`d)1F1Gf}Y$>oo561o{5_#lECAZt={k#lfmbCGfn{ul&b3EkEF zn9J=fz*Bu)`}}9&`QK<@1mXKho2u;4Xvw;V6RcG;2Q+1s%!@*@om49F2*K6HX9k0kN`OC?Y6N9`KI`|0)x6j&iiA9jFgZ zh9>I`kBGa~l)8z&6QF>knhvlg^^6w0u`!1W1-`Gby^q}4Ze1~v&CAkcURdDavv+0A zY2ld?M9<;e0!VSKTox-Mm|HYX0a`u$koEFq8ZI~!fv#g8W&)Qh4lZ+UTHR^N?kpVYY?#Y7o2??8CcknY3@gRf#S+gc z3HN(>5H5Dm&eL71B#DJCJEYT)c>D6f=E7URMswamA@wb?NT9M=30Q}W0sm=epb0?# zK;x%RNa!M61RNsLB0rFMu7o|Hf3~vr2|f$;e`Voqj2RPL#5iiWG4XhFj)S$$0r%+t zozBj7UjN_jJn4M#|NSf<`-DKU+bSEBnhHHHprJVxy04gr1^$7|x9+i`*;ULro2;T@ zrz)Sj8jfh1lIN;ZGY65~^or3sX({v5Ig7%oZudpea%hD}I49O|S!bFza0jp=fm{-R<_5_5V3O%0H!Q?ztug1O%NdtZ22`(=ZVqw!*XNweAA1 zh;EoIa$B#zyK7`mjCTK#MY1L9*rKJiZnxFCHR|P`GX5*A|Ea6wWu0VmT^ZnB{qIS; zxc`6q<^1>aeAd|ib6KsMrG(SXV$SD#biZ{#TfP;aOwO3P(Z8%tm=`jpuF?tha&7*~ zC4E+xH0~W}mHBo8n6DPKOH^|KQHH<4iC1`Q`{Z5i-B`EU10QT~$(;1~Y?IX*=} z?qhP){IvO3tDOhKg9O)msRw??V|mE zd;8mOzpVey@sT?<`0Fpb3Znn&8{?I#pccp;$}j4YU+88Y#whCRGm3g8qo}XKDe5Iw zq2daiM)y)O=zp@CRIzyU#mgegF3L@N%F`wy#o#@cVI(5Y1QSa60-JYYP zi^0#6Jtxe54oC0gle#L2)ZY`k`02%{cXoC(*zdhO>hC$Dlio zoeukZj{2>CTI~<}C&R(T;B9~OL;v0AZSUxf#Bsz)$f=-Lkd$XMqn<~?(a1)80}Ua$ z4pQ-Z(IuHHnhoC#0oL$!@4SC7`u_0z^wpd5qdi9@<53s&-o(CBReIRpe{(*#csKg~ zba3)R|6N*(6E}&eNTV(+udPDbRMt;p!PrE|gHboV57N5e|4hBgCcp2!?Y%xd?q}V@ zSNJsx$YSs&KmrU@TF*pBfXj20P37vTp&Ff?4liDv_lJ8<7Kvba<%9FV+x~gESudtn zBwk+E9>%m{vS28)TEqT1TzW27jE$nDWUChNH^;hYujiKQ%@A|_WFF8=Yb1DaOh@zNzi7T>XK5FY}qM?qDqkK+P zd>|}l;EWkkA+gF*tg5iPsly=+Ib3blDZ2ziDy5DlkGj1~bYuz85YdIiCyQ#20Zxt< zs-acsX}VuAVb6OnUk)yg|6|nK2X+ihC^y++JRVbV{998YYF*2?AJE`zIT#w{hC|W~ zE{LjqOkyrk84ceJFZ#!$cfDh|kbv=n5a|@kr9p-q$*!B1hTCQ(tWa)_V#!sd1}DRd z-qBJ2TsN8OVdzR#vq#kvKO02duz^iB?XN2e!} z%n+;EXQ3u&R!YxcAmyGT305p&nAM(Rm{Sh9zRoPLsRDOzrLl0hDv|NJl%Jb#PQE~H zYVA3>pM|1kBJ4Tln}w4BKRW8Y>>uqpXKMQx{>PCjl%K-7P~V>Us$4qTbdhtIUBPcw zQ@!(x!C`Oz;`IETDb*{+ZTbR{k(rL$Tb!dk8*of z^gPJ7g%J<1@0(D^CZs)9{Dy=)i6uW0h;jrWwkZpVWPx!^T;W5+4De5PV?shL3TNrJ z_S(%|dn%r)bS6?<#`;DCM7CGC$W&NyH_LB$c7A$%b^-HybTBv{9i8s?vg2|_8utBry=ndiDvc42SXC0YgRqAc;XmFs|`><5Jo@xqKe~HXB3Ky06#8QgT^U3+c>3F@ zC_Co{vkaheI5&`Hp&Vs7x=ln8#SzYqM+g0v89=Ewj1KyTy*Eb}d&L|adER8|nn{!G zTNyaH;P#y2$j+Eai~;e0VXfoPLsam5oRNG(dH@!;b1{zy@(8C=2dr$=@R2-VSmFzz zW@BSTmz(9)DMN$2T4HiO|3^TCCCP_KPzI~X~F7M{~!NyOSk!r zy;7Use5SS9{HC}xS8e*^F2?3JxwW?{5+AtQn&0TfwL*Kj<&@6Ve^$)K_jP+Z_Rr5x z&qvjJ(jZhp%c_=GPEO9M)R)-aRGp19RwU(!1`&&e7KXG4rn1h#ok}aPTtGO-Qvv}d z#{?;puH+kU&W|Ld%aC1{ME-*PuC#J<2CsZ)vP$>a1^=XOWhS^{xANAvT(_)B_n9kI z?ZI%Anb@nqsDpzF@x~I8@|x*tdP0Q)pUFk*=?cq0<>aaRQC=jzS2SVC@b|+l%k&jW zdrqvsALarvKW7A4Be6%g5 z_WaS-ibvdvT@G2{qs5vzQY z;+l{!i(;*5sFLWM`B+R?95mmDo9|Ly8mVmxTKj>_Rai~9b%|b}p(ZGNRXJqy=8ggk_udgkcI=rRdxNv8wXK~BY|T%}>;$Rh4r^4(fY|rh zHAnSZTj9IYd7D$or?99I7`H>0RIlz7_=?N>F1N^2hlmu8waU|%#Z_+J0vO#-34j_Id5-!a|fp(-?ciaGN)0ug-f1Fzc1$ z%Uy0(!cpp&_$-{l5|gSe8YjXqZAfeigrkw%&wbg zUu|#!mNPAcVGM|vF_r3+sbEN29Z08pZXO-KIl35}9rZ_NuSUcD*L`3$D)uix6>?(%lMuasr4RIS>ux43b;{|D3y9|<&}85LNJuJq(uNRhh| zZ#eHCrZYdF+-**LHl>_R1Wf-i=ChWd(a2>!i}?tL-bn32!sM!U_kDunJ?B07N#$ln z$bIQ21fJ}C_iXps)4!YN=fpcmd>>wQp6ztZ^LIqDdGmP3D*iI2)0xO%b^iWs+6ePK zRV66$yphkQQxd--;+T2l9AD>FnpzCU;0;jkIC;}zT|T!Bii4BG)4ci0#P`T*TE?h@ z{>wM7s>^@P9pwB}zm+ZA{fsKB|JXY}sjgkWHRQYdnt#pfw~Fw05~d?x16T(+3n0S= zvJA8$^}~Rt=C|Su%a6n-8HV~T%r}X6V|O|7YmZpt+uWFa(2zX{xiv=ZLGY^vZUgP( zhzjgeNDPr`m_89w4%K3}Hr*9RSv{>7Xcp5c4Y6YAS!^E5;(iD3;i(T@aq zO!E1dV4VX9B4IWQM28go7cqA8bkF$C*NvSvSL{d5iB7k^oy~~5s?~ZiiwX7?fRk_n zOv7aWw0rl(JX(y@ZiW+|5#O)GX#+Zj1_y>%IEsAg!agS$%Dmch=*v2TgC+Qv8}iw- zxKpUP;FLhv?8+{ahbA|ul8RFW?H2a3yLu;Ez4w7vv(CeU=x`?Jn#GqKd2})%F$sk~ zhb(5E6!ouXM9icH3F7*zlQ*rG!vg?A`AEVT@g#~^EQq(K61M~3M#IE?tP zHuTps>JyY@KlfOM4vP_$%;FbLenV~a?JrfOQ10CJRyWqI(;UOgN|6vb@7tYr{vG!T ziBQLCASC4<7G?O1T@O`Tx#8SELxE$JHb%eCItTPYf3*r9t2}BU6A;9e3XaZV1}Sd_ z2WazbaIlqCAD#_PMrVVAz4})ch##o$D|?}8&RC8(orc(dtOHw0jmMJ%(QvUaPKa_p3kBNTMqHo6QI7O^2o;?86XkFu zhY=-_F{mjOjc?^wXWeQXHKqb}DpzNTgy^p?7E>)<0GJA0C0}F7vXm-!zn}+~Jq$8M zuu~L5Kp?H(ZZ{k$ayk}hl=IZsKRvnV|Kp;X8|jyO^-V~49G4hLHt);oWJO~~r>{mY z`>%U%2dC%YpLpEA=v6me0nn*$mNX(IVQ=N$=)>5$u4k#mCAO((WfIrut1!U+oQiT6 z=e>P(C#Ul5>+^o^V9${vMgDz7VNKc5(cq+?iHYf87{O48aLiS@zOv=BI!=%S3_gqUh1t_Tii0XFVvR{&11wbI-ZJ`EQaSm9f z2s6FQd*UEH`fq62)rAx7a4sdH)M68}K=B>*poxA|w=`S^-bsjt6B<%Mkk44uL~l4z zTa;kPBjaS6iVqj;kopVt%KB|5w~Vvb0>@JVS77!kR@Zs|U~n!+^Yp}Kr-MVS4fzC7 zE;|=t&WZOJ;W3Lv#k$R!S>M_Ntz|mGn8T+ zNnDATQ@?%NKYw{T?2oi=_|+atPnOWn=&yfWSW3hRxu*zVP~BVIyezC_IZ(YNyg&XZ zycrITj^0&6si0edc10e$fvlkLYV@Q$fjmZF6yXFZPo%F<10?fo0Pj{BLDigKi918q z=vPY6l9<&)uZ159nx7|C9qXk#3z&zVK54JsfK~g5O^tTSD^#QRp;Qpd%nTBZ<>#~A zKwj~g7DOC9?xkgR(*F?{lN$1D1}+lsol0g@wc{hF{_iVo>?`&@Yb@nCX1Z4N|3EGQ zTj;Qt$zFcdG@J?cIkC`LEITY%zIo!AwNzEgEZ-$X(&bwk0yVIp{F;@!Og<p%&ErQw5xwi=-;rDN-Kp(pifGz=difvxwIDAlZ zKlaW~?(Y()iw^;Ra(dCfAN&|g1rGGsTqA-CpV%jIl40e3z~T1$_Rh{vouGaT7Yq%(0glwPrEQxi2%2i#M zE)w3|#)=;_I6gZ)zv!J@pjE5XZw*pab5gf&X6;IaS8e$LpM~vL4_rUYpH6ICoF1Hl zK8COwKhTR@?7Im>sqslT6*J_`LmW`K6U-53$}q;kEGdhV(32|XCBiYw@kF2d~DQ~Llx(m)2;NCsB{#>IO@gt5Bj$)#`P}761Yx2lLA&Ubb z?2LM8@@J{`OP#A}X(8D+^dnI>8#%cmF+>0WpFfVSXVje`*H7TkQMm)EgudX#!@!{i z28}~1FI&m^#SJ`LBl-n3lrC-X=C*&~BW|DxhGg-k1(lwhLS3{E=fxotNav7? za4gqX=JdUpLfn#rXRkyUYB_jalp_5sr3l)xS}&VOHlCu8U89K6Q1Ig7waS^H)h*Z% zVghH6E=iBZl91jsxxnrvxp8MWoDy&=N?qk!ohQ3bcRQ^_u8oES-N2#O5QH=YYnZ+@ zd^Y9s0T&)i1QfyYVMC(OpkYJINQ2{mGz1Mw$bvcK1$wb52tf^;jp$aH2;9;JoNQ9#!6Iu(Yc+UuPIYvSqQE4bI&B<$aaH7|2cG<@xuH=$baJ`bW!@qVj zB;e5%G6NE!AzWWW3D`Hfi1HuEe3)Y6)Ne1z{LVpt{i^{1K8AaGrviIT?nV6;+Ev}p zLn|McT#|WN9!hEP1DW$Z$K22OLwV=_aY^QX2zE&Ir%}`GL$UF2dU5RWTwt2|6R`C7D+fRQvH#j<72d*s8(U zuA`CYxdjeBscjxM3~j%k$_WpLgDP)p5|W!p?IT7I(5HoJqURb0#tC72L{!e`T#-V2&On`Yffx1=RCoswNT+X!>U@Jj4I%BVP=h4^vefS7= zdm2iK`NfMI1G01qw1E!bOxs+5mej!ET)?G?1_~fRp{=r7QN7RtZ>fz9bfB-ulkkeh zEDR)PF|3Cx>x9~P#SDFaI6~NG=4UEC8dz_QR+b5>mt>xWLCnNU%#9U8U*X>{Ftns; z(CQXm?=AS4_un6)epOFate=4?M07>vPZy@tjOpXsTrGW{va*)ycfLXRqsh|`uPV%z z-yinFtG&8P@JYfeA!UFmeyR-BGN94BoxZW+4QiqC@*soJe0r79C9A*JzC=1qiDKf?QKV#j( zc~#P;uF7hZ`BX6)=Y9BfV@LZu8^8|e>P5*j=VB?l^QB`!n{?7 z(a2HP&`|yM@Xg8oN$@becfRL%nELY~9pU=j6**+SN8&w4|MZ+HSS|~qm~eiiXwUcV6MnS%){Nzpp)70~ z2#)p(SV0id{sUE9sf3S{!e3WRD`6Vo8-VE`$97IO=Psv{m)N~bBHeBt?+3Ryq`#Bn zv4foL-C~oR{!UKKYOq^7E)A7gemYvH&!*4@DJUB1!k%77KTFZ#r@C2jKbO{2&+`iP zrKo9}>9RGuZw>}F^~P{?`s)1jqIc2XKRr2w3Z`9)Z`9MNnyHVJa~e+BW%@+-q+S?- z3`lWKq;End=!683$iOq-lj>5XrI26;oz;)cE>cERk>WR{ai%Z|;)yy!v0e?9k;()y2l}_MF z>Xa|5xUBNChS!6Gz4|8gP$Mad8djkb91v41+^P^Y>N$vVf!8w(j5<*-Kr9to7MyNQ zc-}{*xHYCFLsnuFh23sHX5sg2e8}P>vxpwH)!7Sa%wi#lk*!N}$;j*wX=%w3Hz^zG zW0yYY)aa2Lvrypiqb;QZ%N{HLNTpcG*Cm*aWil)sYuvLB>$n!LSx~tZTif(@>7AnB z={4Lqsqd8d%8w+~Y!Xi3PK3T(L?oKsK+2g1bb3RoQ;YRIEq?gMq{rL;aJRDY3b~nQ!$VAF--w>weVa*paA)v(N0S*8t=su zsXXYY%EIRc-d?FMIZo4PaK(3R(n+P62)Bx4s zuHF-hD3^{U2b0t%JOc^N-;dEX93jb3kc+pGz?nB3MaL*k!cd()!wn#Hi%KqHSsc#a zWzp;!Y82Be>XWIpXKSCyd{2~E7_#ccwyBvTYWU?TX6eh%%noZ)*4aXTpcFu{b|bf~ zENpeXMwaYA8ym=IS;U$xQf|YBC!2zYnEJAq%R&{foEr;@96wW;f??R4_Kr=+5^xz{ z0obm%jSELq+~C%ud`W@Xz;alM^+?cEPVo65tlx>aI{y>pO1@@k@9j*P&( z)5S1Rv2>x6sSQ+j^j@yMbo<_3+yPnQVI6?z-4l?XKT_ZM06e3D2`d2hHtQ3WXc>l9sAt74BIqhq6$`>PNn=LSu9kS zXZ!-G3lemfBy4a}RB{cIf^!mcNfdPwnU+&W8wXU%1GxsJOrxkQziIM1ws2OzwTX4N zP|#Y~gzVF2YDOJ6f3~JtsXgtZwfXTz)=VV_eI|nBrmdsYCu=dT-J(SbIrG&uyX<(J zU56@-SA|GQbP$gM=K7LVrujJ9&CWveE{A8yd9Gk&lK^eI+TuYcQBe%fZ zQN<0`pw23-+cuX7C!F+eh?|rox+V9gmR$cV?C;=F9}|3e#%Nf$4S)*4)3S1l?}QfP zLA{i9z@0G-tAc*AAlad;%%|vrit>U%RWoO?)TKxWp^-vYCoPKA;qzQasuVO#NJVrP zq|-g221o9UQMV#EN%_`e&h6!c)ZkL(hndtKAlzxdCrlt3L_Q=DA}W@js@hy#UR%vF zmbZSDtYaTXMgJ%Q11g!g*3-LJRJ+soB3J4Xz(n8ceUR2&t#set#L~H~k_uc{&WNd{ zNjW}gANTx82q)m973V#2Qc=69fg4vyILlXg#hOw^__33 zeQsbn+(axEX#f9b@9Y2CHj>7lpYvC2g&QCj+d$g1N6&rgfJuA>?6aM=c@mBj*4ow~ zOR6OEa>U=i{rlNh?W-&sL(*Qj`!rzh&d$!x%+Aiv&NK(jE=~zoq2?3=`jk-Gga9k!@6{txD)QCTtaDe%Q1F|>JR6GI*jlx>M zjcXyPOP26`&P6lLC6oTWB z%3Ry{DNVSM;_T(@B>=sc^wS=(VcYoo<^lUwx0R|R;M8j*LpKbs7S(hTF$G0g%N(g< zIpIj4PLL--e%o*L8h`!kU-74>uiK};k&kwFz7alp-Rr#VHgX zuV6?8NO*LHw+%{86peXb6)IMxuB`>LzGLg?54?(9I(lsXapO}E(qBq zTZESb}e5`X>Gr>4%PG*1q@!sx(ZU{8PJ`2G(BMl9cG9EKo7NMM!9alShwrvX=F^)`Y#_p2}Vc6N4DgCcL)Wn(rfcYFKQ-JQK})W#{y*bC1W z`&G0tsV&fE?uX-(bbJ&gY-|mV)Jh!pTm6;@-_>D?;cTihv2r@$^wp{Pl7+;X$pqP& z;U1tG>REdZNC$Ow{FKM6iLjJ|V&%@zW{yL8W+5IEdV(G{0R+_`LzalVh=rN&?%2{; zEI9PTXN=k_z~_#T2!IFX5Yz0$y#e8DdO5oqOXZ;iF6XQ_E5Uj>hwJRe zVJa-Ba#h~0BpV7HR8|zeS`$0YWOn2Od@7a{5wNqR(CR^0lfz#ddkU(RZ>gza?{MSz z(9K+&%|d^dkG+Z{09dtoiI*~MI2Sl%8(c(Dmf}R$xVj+BhQz6K9VM5FqGk(`kBy0s zxKp5AGZZH*93r%%BJr1@%@GfsX31=r%@XJU?L@_m?tE&@P8Nse4pkP#V;YdP(FUbI z#yCN27So`b5LE6c8S_0;F@wqX4T)HF)(!n8&O{f^ujqMzwztbCS4n7Yq;?ZVav$WK zwNBzwa6W>3^gMF?fcOh3)hyry4mQ1R#Q(`)n)RUT{fcb2E=*`mYokr%`N??}onzC< zP~i$8*ubx9HP%Gu6tVZ5=mlX;n@WRC?vTy7)M%Ta37nHOG%|!b`lcG^Q<8gc06b;+ zZH7Ohxr||&;YS1<`W)=4fw#sa4g_dA8xA4#pjQI}NaAA?=z6tUO=YK{o5{lnqu3Jc zPU(|>-l?SiY)E3OaER{5)VmlD$Mo)c4jK(Cn=7UZv0Wm{Nw3hlJ>&5J7m2dk=fVB?Xz>=v%N3zz4J6n8jg<;Kn+z73DZZ6C38Zm2rnQk z4ic%{kpT^Un6K<=MH$KDYA?xmENFr_V6B|TZ;-Qdw5c>ITj+OCJstvw^TIy(I(#lp zb02)|KF5(U$v*h{EsdMo2VcK-)G4S*>P8>^%lW2wm0CIkr;*@Ic6Lky2fo8ikv`dq&#njMiMMS?QR{nXlM z6pST+y%$BIvc*2=Yg{K37x6`i(!5yIJIp)p?So@K#d){#aJ%8e4{{#zv1bNHaggA% zGR1ivATL7}moxy8@o8vF|fIEWVKxT-O5@C48E6304x-S3`6QD!`jpjAYt z82v1QhHO+`D4*iNX#n#bYBE61rM6w+N3=`5;( zRRsCPrxj%RjBiT*mgw(XSg4yHvQjOLFcLQqS|HXKECc-TD!POo(f98wbOa&ro*lF4 zH|&V5++T^~vG?s+2B$H$_{1Y4hr_#wN6&l|>$N8V#xbv3|88OY>W8Ofcz$1yvS#9ztmGlKjksN=3IO&Hwk=_Pu5TI+eUDW znUESii004(yEJ%cgiqu(a2j2sKXJm1c-}r#T zgvK82t;V9`yCEDt8I1&?BS{_zh<*N4#%LFA@Z5{E=ql<<^4PFDb0kz)s<9$Ovq9q>KRe9pG1(#1MMdiSN#(W!ise=B1psW`LM zk!wJQlOW%n*&pIEl-Z&Q8o&iWO0Fo;q^ueJOjD-2#%3?gEhI1CT#6$W>k{z@ovQJ38-nvmEI0H%gQn}@Vj81^v*|cJp|QY z+rfofcg!kXCKmt79+51Nu$W(16}p^f)T7`^6r<#_^9+p+);We#OryNRV=SF*sSsiz z#S}`|NhXulM6n)Bqkv}VU?~|_Boe%GgI`!)V^bw!oJQGXDzU0PYLY($5tr)6J?Bp2 zL*>q4<$HwKXxt7@nlxbTwWo*7xy5|&rnF15B-q>*jnWm#p@KG0gnmDW$YV%lPnx*t zggnHQTg@FYP*MSzWR1%I%6i?YBpII14pZK89<3ip0xdCP)(=KrG0<+71Y~wn)}nh* zj02RPI;hL!poV6{#gEP>ZhGQo!-@Ldr)Y~;d6K54-Vys#mjr#f8jitx!gNk$_k+V; zqPHGQ zr0>~gNw5uYUWqi0kVVGV$sJB`j&l5<%x?UF)7&_-Sb!7{j-ES4dtJ7YDcJ6xA9oI# z$8S3Q0Xe6Vniq%@>n!)1#Z2_0^D)fY=`mXHNt9-*@r#H;Lw`3TsJK3!xMq1$w(7bG zekAq2A~ZgeR`D9*D;f{F0ngiPSRHly$t40fB5(&d0h>F1wSA|apeSlb(G1tGqHTpo zY~Ve8Q=}Y~OhkDnybRA%k>d=9`A~;Gacz zK>0crdN)*)>5g`$?n$0>z;ybJ`h$!Kg4W6ZqH) znAwI+ut}6;SV56M(ydv{UQUnvB+Y;qWvd?RO}frdw-n(m5HZ~@f%XUySj0M|Z?oML zOlQLhu2n|UxULKR_TeJrO_=K@FpWlD2r&5THvSjqw@=%*?Kj* z)9lIA>I*Ut)uKcNEOS}j=`1H-*<1x^{sSLxz35l)7l&obu73Td`t?cm>%JhB`CBYH zkK938BjeU8cMPO3^IMpLkKhA&r7Alc?_`+Lv5wpa9Fb&A`A}zgj?hC)lI9lx9K@ON zVZU0C5Z5A%u3$0>qHCoV;Ws;bFTQ`VQ=dfF)hwzGqiO6Wu$o;*RdN(e!D^cCA^fLlP3id9}V3U0;lq-*?)8XORLv! zcTOGP%M9?Mwp)9)t*QBLb1-Q2P8*va{`ukkPW7)J&i?YDvZ*!u;RorXB0&E{V9x$h z3?Lv`U@dis^v*|4=NkT%-LhzG5Z-EY!0=Rrha%% z7lFs(PW{lI&ZcFgf&bk^e7*bi*R^K?GrmF}?g<|%*gBOaG0V{GpFTzFNdMlWe>dsN z{Z~%mlyur4A=%w{RwFlnd-ykDdscRRf0VNq8TIK?>62G7F^o2fFsCZ~ogr;8X!3>F zF{IH7L|EgjG_2i4u!8ciss><6F0aDpH_NJz7cc+%-M8N}?U5z^w0b@9Gl+u@tD_{E zR$Z(es)`2}on>O+1_215i_1jdaEZkAvHJk`Pw!#!C;rr6c3-(ll>wGYjAM~w4~7#r zaffKL<;_X|yDK-@Apd;*_4}{h@8kCSXJ^mm&fEZ-&#El&ujv>Y&qU}F@Z9FOGM-v8 zIE|wOCs}0$@>t4&gxxy(8EE#KUD_jsZbHv(tjcTXfds|@!Z(9A__{(U<%ho*z?W@h#s`E({886urIEFW79~1eS12f$#j!0TDHF>{$cOhJw<;89nUR>Dig=O=*rO-om z|K=txFrL;ccfzFS_)k8`dEF77e)IU5{QVIp`y?klYj4+x6otnc-=scP=b|rcgO+VW zUbYQ+*)|@WZ60BKAer|)(!~SsE5g8MEL>9<{R}}P(GG=SQZ^=x6MRI{nUH?5A`@nR z8t&VyZ#wewJDYX?!)9gkL-^qX`VP%??rh>uHj7z-Q+q{Le0*d~oaB0xU(j(Aj(rll zDJ0a!?Oe~wJd`^$t{ItY$9>M+v76TaSr-UT)}p?E^q7LH^1uTPsjsvjol{Lin9a15 ztRA;vEt53AK+}_~!eJD8{Ch31k{+z1gr-=lYpK;{*mMIgCvkyc>@A2HdT zv~tJMnIpRKna$;I#7RkC2|g5UWgi~}(Y>3yMg=@{&*=Hc550H)kQiWNq3a85we!I9 zfYg{_752a(%Z7?L6Hixj_`B#3f9NN+^7g#J@-@`;*Z`JI?LEG)!B2W9^tl77*pDid zq@p>nJniYh?e7hmEUPStZDnS-=k4$F`t9$Q^pGUG<-32JcbkJZjl6Y%EHi=T1u-9M zDeaLvx4+AAJ4>yg4F9WwTG%)$k`T3AI#|l<#tw^7A&AhmnX6%$cL$x5Zl~WeqNjdW zjGNrrgcz+w@GC9{#n0UnKLr;-G`s}vD8mms0-6cd!-+By$TMMhwWa3PKj^i)X38sH z70*m+Y^AuoQIQDn+0CJkjN1!6Q~h!K^zCowhwc8L*M9XDrazDJ zQ3xHo5TvJ1O|$Gl?~R+;YMyoa;AQPbAJb3M8LSBxk!u|AJJW!sNe*F{MQO=l z4`7&e`sOdse`)m^&Ue%F&y%?ciw@318QlFQ(B8A&P6&y7O&10nx z$t+6D2E8WCQ{mN`q39j`n5SByf6Fi3Ha6JXMLgN)Iuz;g8sGV*ma=x@hphGhlu8er zb_Q?Sr>|M8W~YxPb3!k~e43$w6ic{ISZkCHZeys2#HjYw9cegsq)n;t4*6}E&SGRq zLJxHMHPFBG;}~1Q2zAq)nVv7laDXq!V}lb5_@2;WPo9v$+)(>CtR6A`RvOS^E$1;X z?eNMCd=K;Mke2}?t6Bpmq^`AAc~CP!lv$A!3DUIqQy=kT^#F@MJm<+4=s`D(9DC_C zmR3`I-x@LhA0Ox}Pc!mf!{Us|7AwmpeQ8VslxA+$FszSLxl`saUtrH;NLxV6iu3hb zn&w8D!h9PP9GOjEX5i~_F&OjeQTjAUVj3iZmgQwFcF*QIE#9+dn>Y~?x%s`*7y!RJ zLd^S~zw8v-Ys*186bfPnILNTZf+cb=XPTmYZ@_Nfgn{~^axIy)%)1e;AR%o> zBnGHXwRjbrc24sYFAuvtk^O=f{-LkPt8{uPrGUIOf#vol_O9|#cP7CPV0_mu?NufB zqGh+B1pydpf^zdd!uAf!mLYEwIj~Q;M+p1E+@Rf!_CO5?uU81G(A+IdT=Q)IxcZwQ zuw|NSPdita(;Dx^V-xaEM&JTs+rkY3=%G!El}UQeGOlz^kKf_^PNWIWvzfqj!mLsd zB{*Ni(4D0?{}&Fm!dWNKVfBIS)&C}i@I?uH_DZ1ITUHM&?6JHmU}diS!~?{oO}A?9 zK~(A*ccU~LCyPauiX6^lOK6`b4v7-rrl~&;jfq}NQYcCYlO^7cmPGo;@%dqM&^+&T zI)nR*m?>vY%1?%vY>X5*-@j7TZ zcZq3Cj6mw1o4LaMjgoz!U=qSNxPFxRBROYOpXLCPb}0M&NDdJh6dOc=P!P1u6gaxblEWaBpEyFkeLuR1nLGfQCXLbxcnLq5~IHb>q*;~iW{-AyE$m}i=EWwKW^zn~do#I)`zma%16h{QbqMt!8mE@* zg@)GTS+jRhzK7V>BuysDu#W|KlKw6yPbP8^i4uVAOMgB1rr};(_}R%nJ|Cgtg?t}* z>!5_V|L&pTztRSxLs@zcF(6XBjhHYOKNmI=<)f1OiD^=FOOXKXs~_0K05m-haUgsB z;L@rQ*)8yKnY1h4gC6_Php7}f-bv^a2u6ED=rMywQio`{=IOUIuvSetpN~uOsH>^x zJxGeKvH0VLdMnG=9s_>O*!D2;el%ZgVzdF{=XB4yiGvf7oaMhb1Xg9HlB8 zJU>T)!#*qzhZ4e(;P4MEa5ylMIOCs{J8>fO59zbY9Vg_x_N?Ln-h{%IN)X`y7eR0< z{|l-i1Uo>;)(C;~AyftuN6Eip1?_(PQ6H5LB0lr^xOf5|ml*lu_y@y$bwTOFESHTa z3~t4`$0^L7H~jP650M7!>f{MuV0>m+V{CyPz2mJW-B?n`AdW1F=mt>O9B6{yg zv*IKBBHYYmV}k7`$9|}0?ZD}~{Sb#qxSpqr3b`7g)!sxwp>?g2TbdQm^*n-7Wf%R4 zvjaYTDKGTU&G;1*2FbGtR*!&F5fE`e_4;=m0OORe8ej+5BD*kRXs*QCLJEZBRCPm- zKXrCJ4|)a^Ik$<}V4f1tRxFA z8<=W-qOY517LBdSp8BX}6wN|U$We(78<4hCZ`W z`ZXG$A|Ypfb44)F0)&8Cshefb#O=%Q&KQ!K5t}I(P9mQbcv2Ywhv6f!O)q)Csf8bK zQvwTT)^vwM7-!E7OPw+ZFA^PspOR8CaOBPc1`upz5gMDFg>bxH>QCd~7Q_juA>0ZP zKPzkmHpeh~o5JLPz;T)h1h>%)j3C4r6@uCD^7em0cNSiLh50K4@4zYg%^~?*r2e7> zK@RP+1Rh7@4o=D|tcL5IXZ{pMv#e3M6aU<=?$o~3qZ<+Mh7-D`x4}reczzlO?yb(j zl;FB`LJ4?IVGBk(B3{Zqm$&IznE8P&c@@&w;lHJhR%VGj#&dpP|4Lt`0faHAh=c$e zxZny5(^-PEf|Ixse2~GTQhSM|3X$t`B1oW$k9-P=z`i4LH2XpOC;524QITmgH;a@+ zriubmw67He_CZDLD(}sj{5X`u^NQVbXfJ|3YUNb&DQOrV)96$2-l9kM#Rm zy%->MBHKj(u@yurrdm(DL`Yc$ngsqn^AmKyb+bvzrrC^RQkW#49ewO{*zPqdTb`fb z$3>N$ZMDIh&Pl7`RJMj_V!WYKxx)#g`klAE1LFAD#wmZ|Yi~Ojyk@tHM{xc%)SqMh z5MO)$(x&r&?Jmj2=={g0>BQKJGxG5;n#K`JYyPHnd_q5;zUG&?NlZUFY`vl% zkv9~ApM>O9?~}SfmJI)|Qx9K^&Zky1v}+LG8eg9}iKZoe#IQFAmIAWnf}c{REL z`eZ!L$rBjFEH#fG`q>-ux6wqoO*1%s=S~CCsNq!ZC=br->X)^2qHPfqKk>S5lHKAu zg5*7|0HRha^PE_=2xnVtizHDfE$EW3!qGJi8F^!%+lo-6@d};9j|YfLX>^xaNfQYlou< zjgc>(V%-tG=OpI?zJb9Mb*`Z?Ezjyt+OK;}{K%^Ru0LpUOR0ikalF5vR(q&LwK=nWF?Sx zWZ5>d1hNNYyIMEG8dy8h;`UjT>O-u(k0d%5^)?rE<#>;C0CDUV)Jw|}A6`Ku`@fJA zwywX?7p>?#*sz*ob*;o}3EoJAf1CvzS|Y;3H>mTrRkB zXJ0)vZQ~ebIR)hLonkmzITuEdJKX4(=J8u`c_~-^M@;HrVd@-rE_@VyQ6ZaWu|bWgR(RznQHYOhN(u((UL8BXmp0+tC6c(q#vQ3)iMDH4CxlNn~f|`AT)yRzp>uM1y zx^WCcoH_E!P2_^T6=m!qy2nJ91+ZmdeWcx0 zw;CNTX0@2~z?PF}1CjJ|j%=LFLJzKPo>0!TT3hV89lEB?ITCpxGO=kD3RAPVXIv5+EiOF$(g1w%xxU;i#d8NDiC#>40QG=cuyO z?)cVi>W7p~X_j<+!8vtrtrI{0XVnhrr44yN;vJl4zI?;Fm` z+V1zY9kt;s?6VXdGSu|D#+LJ4ZLhWi(0^I!6m6BZ%=zSH1jw03!yLPktMGTQLsacr zVC@zc4df5{QBs!C?P4@-8C4E%gjYx_WRJq3d=$lg74N+gJ|4! z4}|TocDJ!&1C_f1CVl_Y*&N_<5UAn7+g`7AI$+f;&^K0dh?HQiXVbWj72*$t1`{p! zATSA27hBrAwsYqR&3_|!Sdamv;i;aE4QJX5Hw_him zd|NbK-dtxAW0<=(7N>?U&6_^5w+v2%r@+q0ZG{50YEqiIW;G~HO|ypZS}5|Y>C`Cj zgs;Cbs9YRp)D91$;U&J2_}12@;Z$B0tL%pIEh!mh$dQ9|4c{ou25OPu6KAF{wW1S* z!CGmk)=FWu3~dXGeYh=LXdE*}LZuX<O$aHBf4vk96gbgELu3iGXMDUuy2()K?G@Y%>AAKw*Mb*w^!c_1CXmK%#{PQc( zgyY{`PY^ZQNBzcTW0QvBCEyY=w-revglBgNZ*e3L@2f-&zJCwC%G)*mANa6QdxjQ+ z1uBs*gb(t2K?%?$L=)ShmAiOPqc1uiuc2ritLR_l+X+M9=~LqNY-Gs{qQ5Q@=w2>X zLZlPE7qtnQ7ljb~Ee~_j9ZD?aA>rX5UA~kDFP>myr49BH^EevkZg2b*`QkVlOD<_p ztYPyw1gkeXkE^g=MZHa7(hR-VNi>U(l4yFw9>V1_o<>)&AC0nOKfG*)-hq^GL~;%X z5iW*}L%_}lo%4e?t%IM5tl=~t!e@m(WITj)Hbu%Lf27BroDz=>BAiJ;k2|l=kJ`tr z^V8-@t06cv5t_WMNP7i9?&@Tqbbojdjq8;=X($taExIYNF5yC}*NmhXWLbcpz`w-l zA;llCUP1>wT-FhwcU!%acApr93qipfI0R3B1V3(N5Q3^}>#!}~;LtZ~ZZ-ke6PQ36 z?}r0mST;YhrcWrseIC<>134s45q;P!Zcbicm<{W~5DV7!t8$CRwnh1C=}e`$NQ(%Bl-3 zOg>!RYI^DU38==(_sV|s@uP9BOK%|ei?p%DtgJ8Ag~|+n1pdlRq1Or9VVb!?K+a_< z73FYxd)M-8_vyDiA#b6)o9%0RnaVg?gun3QJp`4U{q={8kFZ~;kNg$nN#U9NQ9u8q zV8d4Exj29xuoovY-veXc1AqJ5-&jKJA=t!exi?v`d444-EdG_DJs#oufB`&U_X zm4e#hwQq^RmDmuB3$edz0BkACh{!&Oxu$9JEhggI?<&Z`-}rAvkRJS_gwpuiXHU zKySb5Ka^ExJ7|*<7jm?2VrPKgL-XX2Y^)-Fvc?Cf*M}B$xGv zA4(JahaZw_frlSTPzlQqW^|3<(-90aocS9}-5B^Oz}e`@duj60%8gsNiNO@ZeNB%U zvFzb*$wBs+({P@#7ZI#hCq3JI{Fr})E8oh8P>dvTUXu7boCCt8o-_1Idqlpl*ow9X zAj0Di%UM*Ol;~4mbe*CcXXNt(fEWvlF_J&sFHuJ7SAraWYF&O@`1z@X~mZa?A$A$p}a{PM)56vVh_VC zC4r{&wQ3dt52l$P<`LPb@xjzH5(sxP78J*?c#RQvkq3i$1cNe`;;SXh-ft!lFR1J2mnOOXdrA-<)Qg zos~5yHu!MiWc!AOzFy;oX5F}^S2QlgNRg!^qQcrh{MSP~e%7#F0hz47KM1l6=aTb8>v z(d9)0D**-Nz?ur9>(?_x@{3rFQblDqw)$vsqrfxEaKUv@&T@UqEOJRNIk8V!olB8r zYM1`m3D>G}E$p^_-MczxDspC3-V}(`*LZ)n7?|CcRcZnLr;qoA?xH` zq){--tmkLM-?sBJ86AIXUfeqoI$9F&q5jOg7y>Mmh2APInswo| zC*idL1|-5!Tq(kCZZ_$`GzzX3T;SR`&Li(rZ7fyh3T4Hc&cb)2QQ*;+vkq{iKiFNo z1dGkW_VyF~kQcVJWf7Z`hL%_T0*kZ7zys3=9mNz)wjQZRT5k&)}c2lwQnFQQrA!kC_w^ zm6GsS5f#(%5JX2La+}ZdY-#7L9l!s=z}$Pkh~bh<#Q6pqjZ-5^#-)85_4=mn*#cttBi#VgiJL&L7DgVd`Q%>8kI7uMAVV`H`GJWB zH@%lZo{>lL?=f5~i^kx|0y3&7Th_#kvUH?l7zz+5dPIC_M%-8^u_CJx5p_#^y6q?m zY!T@4{h)9wMSmyB=*u1_*<8EkIpi-`gf|y_6y1%H!t9OP!dX8(oKZyHGifejwHFo7 zE)N^Rj%eG}-m#x%>Kj(R+uC+o<@2c<8+=rY5`|!@VBBihrR)HQA>_~uW5O;#F)fo@ zjWsT?L@hfEjX`1oNZnrNpw;iUPhaP8-Jo*>y1h=f)f>D6N9|)V5((ES_es7@0S)Ue zq=!7=vO%Pzbe{hp8i9(OM1M*0;@&m3s+7+3SEGF`m|J!OdnE)&g%3yg)rtVM>FfxY zu9BZV6+WYtB#3MxzRs)ki-_rxY!| z!~jz_E?#HA${Vmqjmp%G^+Xbie44q0M{|hQei=^eT@yGhS5^x(G zog2us<kC<^ zl@}&GIGiP^e+9{183m&_VkJq`CT)Oq&)I_#*<$}-?^z5hr1{_Y3yb_@!PkJKC97`& z^gp#)OUBr)AuXb0e0Y9BY>#~6KLDHcApzunAly9(Fi>9Q->>8|+?0$^gpk5qe{WQ_BW!hLj0U zO%M3R1NJ}W*DK1UkNk>3ywlQIW(9AxObaax{E3wxl#bL-EcZ5~dKCBral%`=2I zY!J=E$%t#7`M4YvxxrFTMaL5H3g(NKm*lL#H(_#&f$Y;@n^q4YgUg>y`0b~3S06`y zn9=%Z{Mr_cq+rFr(@cksnxNZqg6oh zfZal_gyeEjElZ-7Q%~Y-af@4wscJZB(9HL^icl!wOU7GZ1A2-CDSEe0;})$>lJ)4` zFRJlTRAbS3er4&`VnOwi3-^-#&q&0q(G^R}RhI<8p3pGS2No|aWWuT3eWMn7Sc~Yf z>q3+G<;Qlj2x_^W{yW6bum>|rthx`=bNqVt;y^{LF2-i>sug<+&Km0#X|TFj1Kru8 ziMKk{WrW?xScPg+8SU9(Eowd|34CXCKzNESu|M&!zgXZ2Rc$W;XjJKYJHhVrLO>hd z6m755a}9WzWAY_@Y*Fp0ZYi$;A=@*YPlS>ZhtHYv6~4%!d}-X~bjHjppq`NL_U^~D z%H7pLr~3|6?il>JdRJv2b}?6);GZ-H2XES^uf>5@V6a7~3(x++LFaVPIvo_x#Ktyj z9mvECes~pKLd2Cvvk;H66gO~VNHcl3F{Fn2uEHw%xu^Ww3Inx^`KIuCsB(vJIl>nS z^IERi7T*tud%ho51M0&nOSjsmS=Xn7V_V6 z$b&jinaBsF&+-8foFw_}1eF0+GKH5(5zD6-OQsk$MoFX$JH`^aqVN*A=<@gvdgdy) zy;kmZ)^uB)dz#7wxylnQ8Bfc8IR6Sh>il&MRW>vSfD&k0{zBU+3=ZHZa8)UyKvmnr zqF}Ne40}+)iO+aB^@vdbbnywEg@;kCjK1l*oe<;f;!jU_2a~2_Um}yjlD_oHO{AoC3WzB1_z;cC*54|3BG9>z7gUW%6MLQ?!*HBU z*txNCw;_HzSG$JrIv-TgZ@9{Z3V05x;|$ToD9?&68}!;I;H23fw0b|c-pNZQjm)tX zN8I1pf3Y{0JuJf**y*BuMbgZj=Piu(O(*fkekd*?;!D&Q@j?vt7sJ)#XOd9?qPhu= zOMc|b1b!^rn@vK(9kJ^adIro*D05pNcNCenb;+Ngx{@615@4@KWiwo_fBX;Pz2@K_K$}xoa zLX1ZcgWE+6A0=*=;>a{1m&*i#batU-7UuL<^6D2Dq!!2W(uac5#)g~*q~MHKjI}9S z2EYoCE}>J|V!vA!f>X<2%gc#lcs$;P`HWJOVngK}nLq5rT(qDH+*MXm1M!$kXd|G0 zFk<7aJ1%%p{BLoHFOUOj0L_Xcxj$Th#TA|4yr?iH)k?voV^kNrOw4O21e30Kvfcps zn}VDM@h6PM&kKrp5HL_axs*nT6_{vK>NCMrbR~Xg0p81H8t{nCER_JHzo>8go zV2Sx?4}J=qZECzs7O@vEbcU9GKD^CbVgp|BB=A#dBrq#5WSk<>fS0o{-O` zn7{bQ%qVC^-=D`p2FhOhk(@9GQ5X{OCMjV|icm=3q#3|0#f%|%JRC=)7tNJ|Kfy_1 zl%|P$ap7mv-=)^%!;{}l9asqtse|WcE;>OOM}VF$x5l5;hRW=XlTb<2aL7y+btVfX zdEUqulPJyFaRa9_LPw<8Mc@zLpbxvM0}nNoAm|7EwHD114;?)i2ksDppBTCKpZ|ns z?p^FZ|A{Rc`W4Y~AE~3C?#SHc`(W!Jn#NHI0e^ogpAp#1oS!PZlX5J@A$NK1D_uiZ z?nF+QTap3sWpMJD=!y~Wd`Wm+5;A!z6mkL{4w3vxXQCd0fF4vvaORRx0%1n)Pl>N6 zo+VJ`jPXfvW&&RZVa&dtoFh~<^VxF;k6{FcD;km?&XS@K$@D7e2??r4wldRspdirq zF6Hw}QK>GOpO7Y_TQ(^nO_pa*^LGjVz^Mq)?ADoua11lyBq5}{%b5WEO%AfW*Hwua zPCeD2HHjz7oTphy)|`2EDzA`T5Q(inbh9YwCeg?bShnkeRVbW;j$DcMyTiF%* zZ_kS+T3>QbG;uAB-9NiLXj*Uvr}hJ+K=U6X1KI|4%%ps?b3-q$%qQ%2f)@v|{Lk=~ zaQ!kC^=dZrs)jSqN4%`*Txiu0zEd2A|Lx}UdhD~(w%L0I(QJ}wZbyP!kujDtw$+X* zXH2OBI>5;#i_?DXMqhI70bYu=<@s99W>}v~BW|ELae8XnQU>!u`z8?g)z&U~0B=SJz?&$65 z!D;iP^?v6}_sknA)Of9T1W&rR$2E75#n|NZ*^tIZ0k}Hfc%#Qj~wa#XnW(R z>r>^Kqj0EGV*_mUcFM21K>Z~ax_p+!_u>#@C>=R@;d-C}RF72Jr8ih$amjm}L677# zG^Nd@L0T$1mI};Tr92~HRbz2ROed!RdYN#q#c(AGi>Y}6=!S3O4zDLxn1VuWTq3%P zh}aS~zcz>i9Mfk?DhLg=Qpq6HUiY^C4~|>SQ}DKnR0BYwyF$Q~hSll@e>pc7j$L*t zTj*c#m#^P_J^kAI`pwrTf`$;)sNyssU(tW6xSpKogCYcKPva=b+%N;qGyDTOfrpFK zA#_Imct$3l0yly5h0iReMtUyXqDCQbR1^g}da)5u{y1aUY^++RthN6rwz=S_{^pC_ z{>5%DvfIDd>|bp5JO!py??AY%Dx`w`6ntN}u&w|4NX>GSmIj8vGY-c1gJVb&D(zC#^xV;Z%-}o3GC)6AMJQ6c#twRU|%r(Nitmg3l{>4PySK)_QqZ5|al{p~d1>f8GM!d6*+jl5Lon6mk@R_Tb?l=zA9@xUr8TUg_NU9UQqc)BP&RI1n6 z!@J*ueS_;j2u(xuH9hDoextu|${Q~f^|IQYXQ&gy@0;B&QKGe4y#~W8(}5uhJh6-H{({+1)V)G2 z?lLZRo45b*vG~7scX{f``;dafLWI^jH?3yTW1)-Tm@S7z5Y-!u+;nEL>s0PES*7J3 zRM8|K3o|Ak2)L3DR9Tfj)%Wf(%noL07EP&jZV2})^b$ql{kQbTk?RX*3vtnno+8QC zeGN0DK(c5U1^II=`a(WR80NoCg9G+imo+yiMBlV239Pe}yPo0o3*9U#$L&|YogDAs zU}sRR-rzX?&3e5LlPj3ufBYe=b4=fFR{YJg`cDkdCa}Dk5eqbckM8v)s2({D2W;NO zi63U5vNzu(6&|V{*mO3xC)%u+Gyh^Di#s$B$pY z4@VKW6>ohEr!|Q(A{h-A`4W}O#4Cs$mM6Uau2g}iEXdODOC@l|H>Mc!!gr?SL?Jh* zG z6HtxFOS8NVRponefHiTxYFKLgU&d4~5(Bg4Z7LF{G<+1fu-Mi2kPz)ev_>(pk;ot| zR%(_J8e8Xe$W8(5g7sKhn5@I7GG!idP12>B?V5CzId~OGm-(1skS?|1qez$K)N&8$ z($2SQlr9^I4ANz#W*OaYZRJIT`eY3lV>?W-B~HcXPk?f96CU|$ zaLEjXSPcAnt#WtRI%>W>9-KGv8=UiQr#G0h_XGCUy#Z@^c7|Wb+A`-VG++6qaLG_2 zLA;e+*s0vLejD_f=LenBqxNeop;VWe6qd4JLKa#rPVy5@^}f?Ar9E=9$#AZqYU3bh zeA}_Ycp=RK=LWa2QD@}xP!zV-mG9FujWN{jhlJLeDlr(LLi3jeck162sKf8A!>CSs zVX(hiJE^`%(TdsKnJ?;RKBw>Q&J9818~mOXt%hjQtGemVxFR$9u&;aIcAr}_9`ioZ5=uQUtQAfV|?y4aS4t#bF*vggWWmC=58Q>66Ksl zx%G)Q26!`sF^#Exo(na2uHVHy*X|G8&|64gv!}uyTV0;4X2^vB#q?d^W?GN2F}o@1 z!A+-LA8+POa@B_$Dk?^8t&$7(F^j3%Ri$gg`LJo@^34zC&N=<1-YTQe?w=;s+vf8$ z_mmZ0$@p;ctPC9nJaTv-oc;aIH#>N0-|u|COVT*-6BYWH3X9Q#vc+^g+_B3mK5yB~ zEW6=kGP5+hso2cYOsO*FlHJBCFqanESQcAJH?qvZa|f5)GRa{r=f zOq%Aa$IvtuUu#)8VJqTD1~6+k0(%!Hx_RYQ!$x9 zP4_8V2sC#QFn`orG~`y02W4dJZir)+9|sI1O&rPIK@L<}Q0QYMe} zUtdNCH_`Vj1q=B5%nc9{7m;{9`+OLMsqevLokP>(Hn8*Z1Ebhd>S&!F_FBz;=d}B#*X*}+(7o1i z^S9O^`t0CMvu7Bbw)n@}R_~qK#IP{#u*AX`6jtF^MCUm$i@!<26d^Q->Ahs|b6DyxQuvvw$3K7!nl99cvq&_)ATExR zMa&mPs73pA?h`9{XjP9?s;4P zSSJ!Ib8)3Q6JYXD6)9W=FDef z^%!^ZN5}eBO}=QwSI=B49bHC#=z-n=W%*QfV7504 zRR^#6rWr$?M^~G1Dk)LqrohFfALel(?WoNJ+5jhRa!GFhQxfulIK?$w)h@+A>giLD z6<@FcX(U-zZ(u&rMt!IVb*mxam%F$A6I*lZAkXJ#QL!IW1hE-g<6{LyPNWe10^P7@ zyC7p{Me#sXdXsC^5{Qp8JK`mbiU%<$3dy`U;}Hehb(I%3tFH2m*mzjX$n7e{J&cYX zpWxI{;`E@Nw`JmL0%;5~G-`sS&f-O;@zRE|5d9K*U@BU_*~HECyrrv&@~5|dAJzOd zhMn49U0NI>;7@HSj(qj~c1e40oY@(E;9f$|8-Tp51n|QwV%(1H6LhNk!piqz<)tI2 z|JjGbc`R=?$h??H8am+ zGswCa<8v||aT(R4C>aFlqZ@}Ss(mjqI7HJl=&q{}p#bY4O5Fe{qEW${>h{5Lzd(_b zg8l6&(#Kz4@oM>_ZIq`>AG-m+&@3)oSwE02A$q{>$i4) z&~H@kNImws)_hUyi}^ut3NtXo1w26(O^0qqu?NR~n!ym7GwP))OAcNCX~_CMxYTLbvf#HkDTv)KNa1$e?hjh0 zt)4lTo3<_`!n9fSG1v1JFf?xHdfotkO=z2Q`{Qu2PFc#hNSW$ddjM2o~M_797_rgL?aWxf>(D&`CqWrDl=8#DJe^PgY!Y>us|s3Ckn*Qey@4Ekg7Z%cnu2$EP|x)r`1F#Kk|%ldM=DuU;3iOt zrnO~7SqDW8xHS(7m-)d~Sv#kGnmY>fBGH5Xqc4A}fn%L?(WJ?!q+Ec9@(-&4Y3@5_m2r)c3mb5Sq{fwa<6n(oUn4~M zZ5q^wwNjIHp4o6J2Pu!+m*83Lsd7-&E(EvlK|SO-L+O=$mRdBBh9vvo^`HIQMwe$i0N897GIdrgRJ) z;0V9=Fa0=2jqBes)t6Y~y$({x?bFxbr2V?r9JD*9pmPL%J2?hN z?c-M8S#E~H8nBJS0gmviR#r>cW*5&}FrikP_v|8{dJ-W`>4#&wqf&Qmg=2fKsU!73 zr%r!0PQ6>UhL~VWE?u!NPGAf}51h7sJwI#?n&*e@9*EFk!yj=hfS=+t`I&zO@r4=( zpls=tEeh|@H(0si7|h5a-|As*Tg0X42N1u6!zWsKFv(1Ew#n&$IHwE!_}I#MFFNPZ z^tcha7 z+ip!qmniVM^lNJ|;}Bk}ZL~{_+k)yy`5X<&LO6S?nD9tSb@=iX1aGCp-G%{Hy0yAB z7Tt|TSfCiKQA75-rR;7Y3n7`ExZxOLW-$XL1N))OM^+wE8HhIN!8q`Tt|fNhzPuyw z#S3NS*S=m4xK_H{{oTECJ2AdS{G-U6gh7tKdMpp&wf#$MF5ADxyL1Cr4pk8%4$TJI zk=3tA!ZrR4|5`>fFNI^^3=&qc`KtB0eR_A)Z*-3O4d;X7%9fwL`EBT zR}of|PHG#ssEKn}{DM^)VNt*?;R9){#h;4=x|iBF#*{`mG?}aTDm)bI1no~v=aqC(b zOi=BeIJ5f|z{49v0%a&A2qVwM^BlPq5(S!_^UzldOsKy%e`%g~x`TG-w7-N6C0GEg z3erwxqDtd@W)YfeHz8gf!V-Q8;50_Rgkb8%xMns6 zf5wip~Ekx4ZJs-U5wru;GvYk7XyJojb)~Z&kn_}crIvj7nZ*nAN#0x=~|#GMS7!da4wgj3rRTy!eoi`YXP`2o17Ec-4wXxaG~ z!7AiGTVd~*x-n9g_`ljVfoxmb_P`CjsToVc;(*;#n_ z1a?gPFQ9otf+%THthH_x`vDZj!(uV$)>mX3v$sfnS5UlZ+jw z%09To|G^2Sr!dSw78|AljB2BzA?vg0>|*CpCx`c#>L1GFk{W51jd0o zgade!HJpv7>Q2JHJm*V&K8d1Bgpn`?Q9(lUl3^(L;7^7IByk3l)S(-K3kcj<7ERsE zAG$$s3p|*?Wa@{|qoz(o_LAW&Nsx+|L}?bfQwX92bxvUhW;nnRHR``<_F9MMr=7#r zdHWE+@XAl35UZ9e>e{SOC*4lJ#Y{a?EL(5(rgeN$Xb!p_o!$o4 z>v*5Pc2h8hAw-*$M_!707qvX~*z<&Y)v(&d&x|H+6)&}rp^Sv!VMUPE7LiHY)yiT< zpERLSRK%W3Xs-oLx|-^e<^y+=XygZoM+?^T5;8Al%$gtiDG9?aDiHM*RhL&q5oXdz zS3=^OMezja=Zf4AU}dN^u-^4x%fj3d7w+(K7UOfA`SF;130y?(5j!|7pyMzG z)p(TmK)-P`h*~3t?UCyTM0pRR_?F*vj`)?4)KA{?rl2YgVSq^pq(ChZ{@5p%df1JJ0;5! z0kdJ9G^+=sUF}9>Dhepc{Ka7M-K_`~9F5>G^RM9B6ee2y9{cij63v9Gj7QiIWxSlq z-QSP!#h-czlQA^56W$Q(h#a%8p>?agNd z#HamelpXuwWi#{+FjrC+U@miPsej9#16A%M1n2Tc7z^zU|Ej}L=3Q=7u!doCX1~{r zW#wFYs+wfa?*&+yj3Vy((_NFE%5PkI_|UYpwn`KLc1@GF6n>SS2Fg3*7sc~uR6P08 zGj4e>Nwf@Q;#gf+2plYFR>PK$g&+5jn7o{rc8fqnlXMk`x=28+o%MhRF~Nj{J|4o4 zLh9N)j>h@$u{%p)>jn;Igrs`g99L{h3Zwi2lhlvG0$}D2Im9$`lZ?NIv;&gc3H_O= z|Bkvn3qYt%9hp9`2Y;XW3G@zqA>)#nK2lo&o7-vNhnH-nd{_WSZ!6#v#kZw^C=CTS zd~^j%K~Ngz5VFLdp15fSlb_+Oy}#5<7@u%Ymmk}(WEG%cY_Gwio8dw@w4K&pxGz}< zLujkPVR~dC5Uz=M%USHX8O%Ac7>ud4z$XE8!?$rK@aVN%368OKF+p9hXi7toe+4Ih z5%&ts^4?|#oE?n0y|CYgUI`5&w$c1a;Nue@ ze7TRi#7X4MhS|Ot?TEjK_>$~{`jwm1qd2Sodz3_D(e!&_knVko%hZk8uN&Yr${^SW zmA@aI_d1pN1z$fe84Ztbs?E+lQcc$odc* z?Wr4sbP~-14*~E)cC`g>+-V%ZeG`a=0du}QWb>qEd4ry!$%i?I@bfim0J9OXd4)8Vj}qTEOANzk;69EQrRbrCq+_4XKrESvLeDTSS>o+T2i?Jf5Dp zr8G?mKXZGIDcaevPWYTy^Rr@0#TU~ste*I_Y0bp%rIku&aU3O?)PR15+h}`$vNTIj zj$di(>kQN)<2j?`+bPUkmC4d4qDJlGM@+SJLbWN__^N*4hxH3LCB#gJi63VvaX6cG zX5Ecr)X8~5dSH+^MeWu$F_Ot$Yf7uTZh#Z_1`PZujAo?ZFMciYOT9~{2InYEDNOP%il zgfVzQ#+`+kAAtA3`PXok1fZINY6S8O;ni#4e0?{`viN)$d2sFk^!t9jzPtBbZKt+V z+ui?u=li`n$*NO#W50g2TPGgt`UJW`Hu)DhZ|?2vIN*%LUW5>Du6X$1 zcvq`cf;MZlyTgbn9o|8Ot^lq8Qpt%5&V&mZxda@>AomjE0c-iUH+}|o%|};hx%kL` z0lPxv8>aQ{4xM%gp9o8^M?NN3#p1j%4$uSX3^D#_76iAoTFnnZJM=Sf5QUlR^8`Vp zdq0aviVU$tA@xh*?u!geG7f4=;D z{yzerR3~mdgVQ*0Gue+@4Pl0?$2bc7A@PSUHO9`)&dzt=evALz+1XM5-Tmg9@BU}^ z#mg5jUwpf}v$yj^#`4g`XJ`tN+=#_gL!W{vbbhcU6$!Fkxm5NQ({T z^CxcXQ-|0-pkMmoxOVw{TJxj&)$Wr^KlJv&Dfz04`#oVM6Ed?xcMA8B!NIsoIt*7Q zZVl~0A&&p5fcd`NiO?m10d!M> zex=qUf7MP2a=66=CVu9Q)h0COE3%uwlQf3I{U?al{s`3K$m_#^oCFH91jjdk9~=#Ik=6<(T5@C zhvNjMDQQy$ZSp5=z&o?nP-@&Vv^Bz|e~^i?Z^}$^k4{npFCqd3;P4)>tJNz1vpS!D zYB7DVpK|(tlvd-b;qscF{4CJ_FL!pnRrLSPci(*XMgKp>50xSKyYVy_BfXzyFdV{K zb{j+Bgrn3!^0Be8A=#&In)tLYZ5DiM=rSF$CHqa>LpO6zaEiw{y&O%T>vh85 zb{~+OBWTw#i_8IGqDxSp0d_GE^ zGuRh3|A$lavT|6vq8G&XQy)UU{Cu*Xa_9fZgVor(SkVEn$p5>y_d+@U@9w64a4$8WK*eA*VYZ@#l&1W#934jST?7VBl&>VO_* zpYWjYEO9e9rbm5pKI=t6;D_V4xWU70d#i3-3-&1njbbV=I{FDDq*p1--503DnJ4w9hvRmLX$s|dh?K}&k<#!)m5 zV4t`gYU5!{7pXbKbxv7TJ>z7?!+4lLq#}GbNLQQCcoVHYNTv|OS5>Xe(?oZt@?9PIqk9CN^2kJLWiB)sUXAuwsnT9h= z;wa4EO_uA$WEM8lw`qZIdge>wKT7et({j!I(9d|3X1Y*ZhO;z_rfsRyD>(K;X1T;> zv&G)8mYXpzjl?ObClx)oY|z5U4btW&{xTyDWVioMI*Htv*6Z!;GjKn23 zcb+dq%wiUjZy2OiYoqV^Rf5Ey?7G9k3AkM?<_(pNf9i%_&WBa7nNBvvKdVFW&mZ~k z08B4EKLOPk6tKh+1oX(`4y*=#5DX3OrPpm{nXhZSZO(1GJK}W7%>llZNyRzi>#Z)n z;wjw3bRT|lL(hJyyLSETC`!7CKXsE^%2EYd47IP0 zqNEy=9-kdsEu*^hHx_hOIKv>$t_1OY?QN}AbHp-o_b2U=-7-n5paVb zx(2wVX)eQP3c)Ov=0TnY6&?Ev(NRf~#~ZVs>j_R|h0~aiVFs$zH1<81fNCF92jB&J z;Z}RSu#sA=!vk0 zG2Z#e)3j_@7fG(vNurpenL4Rap)Ue-UhFhOi!N$nlVCHcg69ni439X0v75ju=~&HUzGxuOeGHKmZPOp6ZDKfyu0v4mS=o)8#cf*` z`PSCAm|PO~a-^(Y2FcH`^C{SRwOOj(=Q7f;Ea40`wZOsD7&>$__rgt~W@<+XZyHBw zHcnvrdr-!j_Ab`SzsnfGNVIi`SPpzY(zo}bIjumu;m4wJ|$Y(W2A~M ze^4tS(0A!}dufdvx#+CKEg+uppekFTg_e+hT1j9Wr9KXqCNj?)v$cbXn`E_S9Mg-| z0w7nkg=kf+;CFi1*<(O(zT)YIV z@2bnd``NTCt&5(t+Jr8J@IT~yfsh3FKor%FJ(bzs6F|JH(w>a$c_9}9&!3ChZH z@A$#RI0;sk;v`ro#HQ)tVkO;P`=m*8@(I)1*UH9N`oC$mPMfceTbf|*(`5TN<_Omc zusGflx0P2*VRfKW;jVCt8F1U6k{fB?EAdQx@WKN`Zl%%9sOadL@7KmtYyR~*hEX^4 zf+5wWYZ{*K#KlANW=lC8%DjCNcW>v(dhTZ*=yp~JSxNJDr?cq=OrC=Z4qhP#q^)}n z9b%ZBQHy?uKTSXSVYY1&Z&}lmo8r4W1D4hUu|vhKvZf2!3bMs;L7OZ}pbZztuE#A? zQ<4N~bGR@5JP$R;P766u;}4cje^6reRu`vml=4LoPyH*>v&?WR&E&hC0$CKo@rn#X zF>3F|?spU*pI<~#mS%|?i!p<85fDMkDQ!&ayll|P3c-17x->Q~t^PZW!sRAA9>z5> zBo9F_&e+t@GE?CUAWk;$hcM*!NMRHD@6WQeVq!?za=A%M4!mHNW-wtxI0I<(OjM~!oW%=p~)g!c*#($6{55j2WSE8`jJD(7P@s+d-#h3Z7sK> z1^h5eVbTp|V?Wg58G+;<^TRQSal=$|gB>R{FD7YFe^!4c{+%wku`Ud3g*cGlfY88% zTyGYJ2sy&0KIz;J!W$o7NsY2iw6tc|N+ zpq>G^Lc%Y8#4motFMdQ7-7kK`FMh;7rXMkm64`;s&DU;}*k8K&p%h8Da(^LjmI`Xo zGtqy$S8gZH(%QeLH)icv4iz0(Y`~0#4&*|G=cE-af z9QorDH$GMNalUE{wJK?9n@&E3!X4^Qa@DYastp0ZgiXIEt1d zJL*xF0od8!(5?itW4rSg;q*}ILPY9NQ;wHbk`x9iYiF@i@3Sn^N}%icAxzV55?vTo zu-roQJWR4Iehn25Z(PKm%4o4-rvrMvUiuWxYm*+rz`b3R&_Th%&{c*Vmr4_%&dro1 zg8ay(@5%zy3g!tAN3I{t5;&M7Fr7q!R~Dw)PZfClploTVYQNQ81A%`93z_r(v-hUm zZQMx1=<}Js0-^m*B!z5=)Z%60yjPZFM~N-z5#?lZGdU*M4U&kOjh;rgB*yXm?f0Ot zH@mq=va^hM&SWeSC~Sp7?d3JN8*chz{XwYdPvV|1v$V21Bc>1UUhvWfc~5BR16>I# z#TSpkV(X?GirHvHvMPhJ+bzeV+D_s(zqOT*Yw{Y^3DZmI6y)H}skjOo^gE<#!y!S< z_f6DnH{EXn`AxN*UG0suq(7Fcnj5K`V`{l}oQ*sc>X+?To{d_-EW7OUO_;Jf%$-6V zA6IIMDj(iTAye(_`AT6z+S*mgFW?-hY2YrFkXCp|w>>`OjIo67riQy@h< zW+N5lQE}#ab?9>(zV56CZOb#RhElbNDrU3l=jE}ibh@i!+k9zmNMkY}xI!SUQ0$t< zHU2lvsg!Lv=!r)}!?<{!b-(}dVU5MtI~lUStrSqg^@Y%{HFB) z=SW%(tOXL*@|oqTTi)JDuSX*i;%r4fz1dz%xauu-ViN!HYfp-g`>nUl72@#n%ZCB+ za44AM>GD%7_drO0bBn2IbxMsMSUPsGXg|s6z8Xa-ggG1L&8j(Qj4E~We5*1tBw0qH z!y==}s27e&RKzqH9gh-bzCOAkVF8|kPS-ZNCUi8;pQFy!R!O*t^jH@po0L5aa+b1~ zji%p|dJo6y<=T$3z6X&1w&x}Dbw3q}ecjJ(vgO*(61isG&wP#lqO|zlz_-r4>(A!i zaB+;Y=(f0+k^dC*mZ`xj%M~fA zW|++3+}3Wi$Z8~2>n;i`Y1fgD=SvIrUlWy_wWOke@8)Ouy#?6nlxU^Fmag4phbs@U ziU@IUCb0Piuv;J5qIoEO$n4>r4)Sh;-Rtq{ZM@Cdei|#=GB&oAj(M)7Z1KU(>wafj z+3gN(*5tVO%oYdt8au7KuPYZ;s)N74e0M*CR|3DC7uP%=E;32;=^>RR?d>49^4Xg2 zu{De6Wt1uRxf5kxs3ok^dEL+PRYSj(uR+D!-LYl62~O`D{bvB**(d11tL;ucZRIMh z(9AtzDB8LT34ZL>tzO2du9gBzQ>8{7S_wp?HQkKFm$GPrXQ zqaruv;+J6gJjQOS-6d%1GOq3S=-9sE?%!>=yPH1h^z--go>W6$=}B}Pj8<_*s@C`+jg<@EeFF6^*#bjL&$C=`dIm|>$bZ0)yDA{(MXo7ojVh(nipI+v;_Nb(k4tc? za-*M@8qanSBcWduq*9%3R8gxNtyr(yqG!crS|&ZnGI2L`2zvJjoTX}BEr53?997h8kLbMd%gdd%_im_HK-obS+}oIm_r-7~Yfr@OFdyDF&nA6=jH;qz%fJ`Yq= z|5x#`w=DrYxBhQutMg>9TdM!Nz0=)&sQ>#pKA)og@2uGKXDyZC#@)~ zcX!#M!lm~2S68_5m~Cm{&Y!y^uv4Pn-+EL!$*!X!oihcd|zWs>LWGG{R0p-l2andFBu z$$z;r$@f|y>(5_v`Jqhme;tl}f@;fu5-f6#J%du0?U?br4W%XjyU*OEEB9Nb(}8x+ zL~8MXcO1;klT$fZeckVx=&XlCTz^m^t~;mV`jaK&s?5o-eA1{tNlGs3x%^3F{zVOE zv*nuSp<2lQd%qF4sduYOnUfS}PNw#K*gl&|Dv;afr}e&dJwjD7yHtg{l&@YjDox=I zW0gUb#vV^tg!Zv>C23=N|rAGw=c=GPBU=FW8Z zx>ep0PKgxv)SL~o`3NAdA^OKZpCj||JRm&8{nmp#i_ynqPfY^eDl{~#zwAR#wJc7mv%L`?N;%h@jSFMU zAo)kZiGH(|liLUdqs=jiCpH>9h}mczb-(#Xr-uFe@KE!tCJW?4&9lXQA8MXG)I9t9 z)I9UkN&Zzzp3RqL>+_CO2%Pr0u9P+H&-XD*`8}UAWVz`*4R0Re`9qs#E2#<|jJ^-m zmmaDwErY=i)t4TsFa33^FFn*j`rFk(TG9Rc7M|bBle^j(E7ZCmOPn3^I;t4)h7e|wkbumyGZO|}d zliC4uRx?tw(sSmj4$x)|m`xYVkp6QSHnX+>-J+%P89gI7``F2BES}|J>DaRb%`5I& zo~}wuSUpLnxa)?Pr&DNl;pFBdm|*GjG&#B=*>uLiUH5*R<7`Asu^NbM8=~g_;hX=5 zHy1O5Ru%~)po$TM5PnEAh}E5nK{7HTH?L?Cp=PkL+4Sb%v)GPWwFJfuLa-YtXoWPt zC==ZZ3;6gEs?nHbEZq27X+6yd?Dv7BAyrs$UL=X*5LfP@sE>y%UjE3tOio7gt}sc} z1tJ6KkcOXT)(CBqB+sTPqe<=>hg=ytrb7}=!`Q0}mNK5hM0|A;xv}Y(45G{$kWmeB zH^2DSWK>~M)?4<^(zo*uLeIML1S)o~0(fZ)A9VB&I{F74eR;YMI{F74{a;c?pR&wX z&KuG0>^4;^SM9%Vzbk`UBG=5X_zItx<^Nhxuu zvFjMon$b7C_H)btbIJRIq3pp>_FyP`FqAzQ%2uE_{{@D!mDI-O7;R|coYJgKM_)WQ zgY|>G?yqjILyPMiEw#&{$EFXU9{nrYErHukqJJqzEM+|OI#iYFtK5>gu?|&&*}{N_ zIVgIxvdkLlWcZqMT}_SyXiO zVW&%FYAdg;Dp8yKe8nLeab>9Gez%v( zyz13e$XP0ceHYyH$NGa%)1SmWVP0WutH!`?7=iU)pNsWhs5dn@HkwX^5* z-`*PgS0&3(S4?n$i@~BAgrEDQ7v!$vW3;K9y*C9?v|~0>F;x|3u2+XX$Kfxk+UP;4 zT0|AUS@rYsSXMgS)v@ia<+>cwY8uzLt2L|I*7&N`w6pGL%jIP%b+7hCD^r_h+p|P9 z+ehA?f^*RO@xnJ--A|bKqDp8!niV|T1eMyRZg2h(Og&|Y;KELmc={ZPSy$m=Wyepc z>z!fHW(68EC$D9lBvTef=D_ot)&ra)Y&ozNNLb4!cdl-Ed!N=GjYx>I72R5AdoAJF zx|CN_!XnaBbs_Ak+;3N`U%!N<6Ay=iRi3Ui(Q+q*^f$Mdpw^_+>4de*7mN0jobIcE zlzy1AVcx8ohQ_W^H_!7bBSVs9BswfInv8nkm_$WPlhN@gVdm?j8xj`aWb1ToqiaG( zdsuUi>MjSh+%c_4vvL-btX#dp`Eo^qpdWs| zL@CO-CXhu2kd^BCyKl981YTOO|C*>g|0Pj-alQZBfSolGRSdRtnP5BIO1kGyWzCsy z%enQDEt-dV*KJy^yBy@*2D{he)!TTRv;8#op=GQ?D;@J(8_(i{o7er$R-W4(+N`l` z@tG}-3BR8b(RJ__SfcJ{@Jisfb4!}%lw^uRqYukzk(L;z+5u^Co%M2`Phn(UXkwm! zdMk{iCcD&J7is3|^i21IYSqwhwb>POcgL3PCOEzCt2zVtfzbaA2>pjYYf||IDYR>k z`cvn|UIH~LhWdmYcWsXG`}duD@cz7$?`K-&E$*Ul2>n*T0P&K`!PBd78RyelMsL1H z;wPH997W8%@#&D(clcb!-Shre8@T862k(4Px%0J%QITbNF`K!3?OZoq{}N2lGO-}{ z7zwiC?%!>=yW0orj9B->09Hd^iHCI@@m6u#t2T&~#{OVy;w~Z#wHsJ6yBW#NMRocc zc|#|3PKcH>l4xzGXXbikkw6#C1^wib52-i*_DuQgnYAq18m(`3hj3p(y-~In?$T4` zQf*~Q$b5Ory$(Ve6D7@B8FDnr)A2gE)%L&hog57T3f0-^8$Ex!qF9Be|ofC zeX%u|JQt4}rpFv_sQEK-!1<0p%1O#E{4g_{d%6pYwyT1G|Bv_aAI(kunsTq+yDoj* z4x#q7;CB9Jh0oU3*4C5VUHJd4t*!F^Z|!z>{-?9Ox4pN$+u7=F{m)jnyS@A5f6&${ zgWUF0@Em9VvvudO%8UDpeCE4ERF+xCDOK6Po+EC|$HC=O9#FP<)oEPPBzlg#LhlWi zf+nB3D7y;uuQyOTePkW|j~^SOm<@1zD5s<|h($zd_F=J2Cy3sZnMZIZnr_JdAAP2) ze3rWZ8H>rvx88mh-T%FvC#CzpwY}4Qxc{HyQ@a1z0EabK9e%<^K4uyHO;#2tU-@$u z6Yr+Sj@!nnt{UMOs~Cye9?-WHdLAt9AfU=4st%fs@F}DQ&VM zu67WF?S+d5O^}~OFn; zz+5uGi@~oX6uf>L$-VR4VwQr*y)GvXkzp}W$(|g-EcTwh&RCJoIn3KE<}b?nJbad= z|2m=9Em^=t^nbg%SEm14J39~b|8sm?3UBDRblj98p(a_Rliaa7v!H3dV7Nc}R{eE8OVWQ?V)E0_|GnM43i|(` z|NAVTN1E|OLzW>N$H-N3sYEjnbH#&3&0_)m|6;Gj=av!X=vnpc!b!q%H+01LVp0B< zDj3G*yi=l%+Ug|VySl`f3L?0nxK=dr#;n!&uXvrB2NHXZ&zjZBTirU;?c_M-&xLa< zbzIiwr@O}tM=x=VlaORRu*RI@WTfpmb-ylq6t&R(b16;Rq={|M&k;gyW^;t7%=@dR z7D+RfvyjEl(Z#`8!UEh~>!!~kO5WStCHJ%@SMCbi zTLYnPst$<8f;clliM{l>KDO7MMLK68=@L`?b#ha6!^|JtiO8Mj;byBE8ryx`q{^;hd2ZuN55XQ0j^ow#P^xir4rZZ{sGV}%2VI}dBgas(9^#8MDT;^`NS zN9Y|V5gJU9+!6WUqMV^{Ou|bWtB%;v?>`_zmJuYFn4BgfRHXO$O3!+{{rz9+|BBb~ z&-l#zb*S^-;xSw*ocT}v(k%C4RMN0N_@(%xr9S&vMgGSsWcR-Pf1d1i%lJ^)<@E?BAXrxsxSup-yzU`!Br^+v!#K zDeV7GIy3sez3tA!{r?=FIY|WPN2@3&zp9_h#G+E>xP7$AUGDppo>tu(UQQeLhZv%? z2vTxcUd>;5fwOXzqw;N?<`=u8-@+Ar2|x52A9UaU{Pw=*OE{j_v#BKq@3M3Es*c?= zUfrJI3x;i%eY=}L`&wGI98BIoq zYV+hiz}0z|4%A~{sV5*b!2zuc9>gl=Cu#k2FHSI7T)@puhtNXr&to*&Wg2wz{K_N#vf=*tgK zXdFH6eEf1<&l)O%=VJo1&Y4ZxEy91U5KL@jhl;~23xl8eSk zg!nbh!?E6Ju|YI9z~~VDjGFF_p)X#DFWgyvYzmyo$Hc7`h2&7}XXx>Vv*W{$-cQ#8 zGar9}y5DR@nwv zMRC`^{Z2!@4Q_(`3Z~!utpD*-1+#=Y!;+9cESom037y#R!zd%a_Y|r!sJ9SNEBF_wNIyx>7Lxl}eG`8CTfy~z3j$#JLQsyE#pV*QEuC-<95E=Q8=V>$O~g6(b4A7NTs zn2~*Ac>A}UZE$LBV{-Q;vOxZRz>p?bW|V}%WQT(5oGt z_ry;yO%}ZE_bs0+xc?DJV>X?TTX_B3&;0w}+1q)tJCpx!?}7jSET58O?ceJ^O#ACn z6P%{prWkXyXL7FMYjH1DG(kb%KROA)eFO*8Il9ReCe`T&l6)r2!;kx_s0zAzEzpHqyWHj?Go+eZDO2<+v>#9_2x2z|HKlv7QhQ|t#XF(;t+YnGX_<~qC>e2lxhd%T#qs=d-UWzl)n zF)I~9_2b8-x~;dV*LsVKwfxD+&r%n0DU5N849rI5+%k#>%_fL9rR-;l?3I7fv#BU7 zQU_!vTRBZ=ZVP;uAvQV5i?mc`-*>b3033_omoCgNPi$UQ{*X;3*j0VE(U;2G?o0Q( zcIf{3jidd}Ca9eauV#m>t4hBaGoF71-dO*1;7l$fnxS^O5}*;cAnMBeI|cNY1YOQR z4BZ4=bTKAq$l{n?gAX9&kPu>p*mA^+6e6&PEJKj@ zoTD@&s1s}l9U%fbkgsVRqX9u-OmIRXRHTR|2!pF*ro*UA`%3m=oad>#8?}w9YNxd= zp3DToJ3Xsn;87I?^P+;BojW>QVMuqhZ!1<;F=FL{`Esppzc2g`-k6yM&fl52Nfefy zLtRRQnkm##T9-sBm4p5`M0k_rq2!1*tz7Rk<;6fYtoYR*qr#R^Fy#qlAD@w7)mmPFOEqPLY5oqVV%$ta7KhUYc+A?0*JSdlLc%5U$(8e$q38Mzo| zgpXNVrQj$*EBEl>@d6@!SAbXUaho?SrdMR{?eQAi_VW0nJlvhz-yMG^?|gMi2Xlv; z<3qaR#qojN`QG^8R=PIQ`xK;JM*}M3+^S?3w_A=!wVlLoerx-7I(_Cpu}*hCxqw=B zUCDWsJ|H7$j6;H&@0$?X?|c);Z>j}2wI5PYdn{M-B_GSB(C+Z8B zGh+58OxYb~876Q6!}PdfFKalJ$CW#KKA&T$C~N1r*C|PvMWm+`q_(g7t;aIip`O<0 zd}_wQ!=WG-4wC9`?gxI(Vv@P8vp_cNmn)8W2 z`o*}LjkJagEh%`+Y{Z;xsB#TkVMpe7zt^p)S+4JAy5RO#Zp7TuytgjGTmjpwY5V)) z;(0SRuJ!p_Yw87~4>iPR2|3TNu3fodo>Nij8TKo2FV(LaOO~zay@X#;X(Rq#k)sRj z|7kS1dj!}5|DR5$+bzd`J?TF9|9zIvLi@jKicdkqZK8`*3NRKOQl1r1B=cnvjaJSa z^XD+eFKaKnzw}-UE!xYQFz?;=J)z0|6{fL3go@GKpZ|VD@xSP^i2mO$ssME`ep zw`b`8L;U~e`BW5+s%LB0DxZmUNb9#old|`y>&~-|I_r)jQiZQ+Ew2mx?wW4$PyYDa zJ@U0CXQWQ_Si9A>y>HjKMgGEB;Io+u7YI;pnnf2~N_ivacbu0Ua+TbW3#ZpCmpGgI z&p-OASAG`I|2tOxlAi_if45t%|JZr5xBcM%`&m9K@&9+MCi3SXwV%)FwnqP93Pde* zzb&<#Q#fkwK&uuOtM9#fNiiSR!g47U%_|F~`0bV|kutZ->{c$A)ElR|S5w27bJkAt z<1-a1?|(UGvZda7G(YIRc5Llkf05zgkcO_CTIEl3CNc+9{qwifrrfRm+LCbR6cI44 zb@%C1x22rwmT;$&-gFE6=$5o^SCpM`n=W5*W`Q-lu7Zo`P?;OM+R3bTy6#L}ce}Z> zt@F`ab+Ypu_tft!o9ne#jhvjvY&aAsy2N4e%F~*Asmkzgd$?t_`a&qaA49c0Zr&mA zPk}Q0Ryf0NJ>NT2hO%CaE8oz2s0QWhBJWTfX|AGjVTsf~v#9j9{FLOsU`*l(9VILy z_cz9(`0w3rS^u}Q-PwJR|31g(5jw-Upd7%|$dgCcW0IgjLE}j9J1Gt?@rdxC@d#av zDc2kiM|@1;7>!~!kk$*Dj9TK3W$dKNUNVYvS|SgaCljykg$_CHUfT~Ha3C*zHDp+`6O*@{C|x{=m(rpR&aED zc*Gk)nz3I=m^T6%5xgneW$f3+>5nHz=e6(NaGzm6sEqah`+B6$PG zgfs{`6K9(`W@g)FW^dUQ>?_Z49Fq*uWXQxhNO=>qvxqZ9bI1{2#PL*Z82wE!ofi03 z1@L!igvGJBHHvjCT+YywU_0n)2wTDSo&m9CKFVoC!D|CNG9?`K$M_|@8;3OOgBq(p#)mk^;%^7GLHf>9 z1N%4$Gr{>r3a!$N-AvyPis6uC9C7*^aR3-Z?L096J0RcK; z*9!Lr1d32|5(Um0Iu&bpMQ>0hE;}418)}_0QsK|8lF|WX5V*7Foz=TUofe7Egm8{W z1PwDbL3=^xsl=0RaD&zisyGPHeP)1moLe!bu3h-VYedd7k04UvUjWCa7Etg&OiP0eMm!p7^)Qwh5O3$1%H> z)irW75jBJVN~l=XiiQQ3!o5(5H{C z$21(nUB^*GB3o)+>k*KCL{Xt`f*pUWV)%ti*b25Jgif#%bPR~jcI~nEdf%2F4gtv- zz``?|+S&3@T(J#@FHwp)zh+saRKVsH61|`5-u3jqpQmwOayE)%>E$@f4`iG|-@b7B)P<-{Ayp z`%Hk?Ye^FUKNT-WtZxDgtEvo*Nao}gu)w!9aOb`q3wiB|*vkg-VAo8r>s;m`O-O`N776O7 zyerWF+$*`HD=E%!PNbhY4D4RLlts=Sbo3Aoha(?g@X*P{;Q@xijKxAFROfe72F60& zs(`wH4D1D+CzcLu%bN!vyyu)mh}_^w8WT;8B{EB=1ohBZC{HvLhaSzmTn;~s`Vh2p z3Y*IN;sF!<-PsQgOt^}NBvd%rd8W2Zz)CdRHV`PN>K1|0B*sM&j$0mV?kS5bUm(PjWd(TLzK=v=}${EN*t? zrk=1X#XeNdr4Z~l((Y>LETat4sKnUfXIJhpKzdROsite!blobg!&^qoM$C5V=uRDf z<~}_YB#;XFtTqtOGTuV0o~3y_FNQ-D(@P=^Ax{&#S{r2Sk|Zb>*LB^2(W!u;&OpD*Eb(R}=g7HPjFIXPZP z={1L$NINVN{Gq20!Wq#;Bhi2i1y?9QYB^adU(93-DcD}=A{oNAWtZbV_;$9$qZwjL z$PLZ8#55s=E15mbNSllG3aMbExEVVN%=0wNori1V`0d&0`NjUp1!|+0=STbBAD_HN z(r(cEVq@d$LH12!W8?7j$CHcWw@2vh@#}9d(90uqe)PZZj?a${(W}#Qw10x$oxMKa zKRo(kV?!|HL#Z;RTot{viD!j4F=Yk9vDAE&1su(;qcxYrDQo+SA&xoeueZc%1(&XL z*c%%W15Fkl4oR4c0X8qFHMm<}1KoI{=!Foj9ML3IY5HE1Dj zWm5D4ZQajmU*4abUL5s;N%YHF`I~hyQD;zI474&H8*v?kL5)EDydUSV;xoQ`EfqI0XpB)YNFKf;p>xMQ6Y`G*;4q8WmUYY~t3Y$oT zu)wcgj&m|B;vUJNJq+aR=h#g8mo?4cjEe!-#sfaylnTC04vfO4J#aZE9LETo*eGv( ziUMp2A!yrNElZH3URPgCS5|h}FXfa$laT|iYru7CDQV>kqsz8SAJZzGUu8Ez<(KKB zQXQyrf+%AJU<2s>r7=Uz#f8$IEVG^0*bJgFaeLIoola~FA@84UCgP|Amw zWV&f2MJGvw*guUc5xT}%B2Gz~9j#JV@>ThbyT?*7S;VgLr$;AgOovlLEAk?h#n;Cy z%SocMZ@K0>P!T$CpBT8iGq+KyBoH33B1dCsKf`GnPkmJn4N1ZYcYy90pxrVrp)ctE z*|D-8S{_g0Vn#y2W!nNhni9Ap>{g7h3=!FOVC-lZzU*K1KK%;$B>{S1X-v#{nUY z0Y&2KIG2F|F%syUNGbHpwRcN5M4#+R;wa>V0U-&Rut?r*njqhm%}h<3m&DX|mQaV{ z1RbAQ%>z6kZ5&N#f=Cjjj3&;@ugyz7aIG8!2}cKt7^4()>sEAAS61Spn2{JuW2h_7 zyAI+G%#MNSqm%0ZB6+t7j^h@Zkcbu&*#8)3BT{Ah1Hkrd9cG;qTi=H}W)UCR9h_8F z6Ky)xIo`}T+v@!g19etm^0tB<2gox6V;SYQtx9UHI8>~406sMUXBjBLSWFZlrSb`m zDpV8lsVH+q+Hh4Q4nwrea<`p!#wn~Vox;k5a9h6)RfD`{Y!nl85VIlz-vvA(@Kn4z ze*;G+gI=`%j{|g919e_{5)<{tM}t6mrsPy1URguVrIO8oXm05$IGO&OlpwpjAlimLqI*jZe^Yj^?#efW&;7gh9wMa>iKPqrZ{93)XC(i_GMm@CJ~)Z<@Jw+497{d;2dmVTpK$T`fsh`Rwec zS@)USnfTqu1Vzs&VY+Jm^DF3pnC>rckbTI@^~(kT?Hjx z0A^5xmn1(D!ZGhlXD9Lf2xyujW-i* zYpME&>+b^JHk00}xADqHN2`x3n0l$7OmT)MBqy0WK-bKE1%=r&hqQII+z6Ab*FotQ zBwFMICt+??EnIOj3CXWncB%4)0cMXf=1~1^@T_u5AoPemvX=E94x~L01ORE6)^E3b z&w+7VcR)Y2pzV|LvKZ+bQ*e@<#l?sws{D=9*IbXClI$QYgTUEl~cn_Nt~TQQmj@cKYmA_5r_3C7BC3hMT3L6xPa>D;2~poA|yMC!@kg zX>(n+d}W!`Ha+U@Zlkq=R~(VxdVor)z#5e_#XXws3fOY$ClX~;WVx?BM{COB0&9>i zrZ|pWz+Jm3^?Gn;H$3-DiO|L&eQyr?7_xMVFp4S95gRJjI%jDA{Nni4{=voR`A_e^ zJ$-v5*q$=0({;S?SK#}eIq!Ezy&(X@f4~op!5dhfyTfR-41ddwE+>*axeL}fCwIH^ zmTwIe+6d+eN;4?lQIEqcheEgSnFdkc0=IxwbFf!;<2*SZJrthbUJ&|hh<(!NZB7`x+i zE5>nk+fu7tmXNgbjSZlXl7{l3^^sB#BPnAFN(3a>_dHkLj4pH=PGE1*k6L?ICC`E^ zqYV5~14DBM;Ij&Nz&z#U5?jU;&1n+CQl{vdWCVp+!4-7YJ?Wp1= zCgu!fMY8SyGxvNItH9IXi37r1=+3r}I^~tx2Zv-RCRZeOpqMLIQq#?zt$AqVC6I}e zC7tsnOP}*o4l<=7mRRea1HxRBS*`6H2s;i0Kg^->T?%oIW13(gV{%PCyt{6EuvZZL zo;pg{j&yl3M`~N-ym8{x#S2)$GaPYu?+Qb+3XGg*#gE)qycg ze8Vbwpr?*5V9V~+jMLs+5FND|ZAoK8)bAag|8R8v{$Fq3yg&Na#rgjGgVU3fBk{=h zQNdkYb3!9JD`ARx+Mn3~g3bzxkSF$#pV=sadP&4PT(J32axL)=X#3?;j&MpXOymB) z=h2=j4{LEnUEO>?7t(41NB=s*Avtp^g!JtgJ9>x~k+dFt)WeMl`Z8b}L{k zJnX$-*FrGyHcx$y(bveC?URv=@3I)OfYOXa(ljG(j1wVZO=ET>6MVD6%ex2q?U?|q zQo-;#Cso0VV$LP&SLN%Dg3)!&{Oyt5U zcX~H?Y9ZLTg{SUYLS`bYRUI59_NZ5MjtXA#(VmL`i49p$0^XAIb#A|jD^TyuQ=_Cy zS%h$s)3zxGWikZhtn!E~R1-DekQC!xUR^zG0NE_gpdMpMLA*#db;(r19XYpjB&wp5;=3Qj`&YYr|F`vbU1MQzJYUB zem|fw5xZ8nIaeei^%apZJGUqAA&j`~k$!8#C_92_-7gqOoD3iq=2HW+Tf!(%$$Bxq z)u~3s7;hMk1}Y53!hTW#+uF!=W&$1AX0F^C+#PNAS$F-cBkj^N64ZQ(uDW)#ym_fO17TM~=sYXmF0;dFM%qT}p>|m@(&8H@%1rmg*?{JmxOHw6A4|+-gaBp7i3;L` zH_%ZsWLZcc`3Q>X#Keje%IF=6b5`7~G>++VQGGLbpR-}!M}k=!<1Ff%$Zr$g=8o(U zkmVN7-PO-}S-3c-qWt)FU%5mg=@Y4+OXUNSk}RH@m<(yPZ4Y_hvhK4x>v%ReTLk@U zhqLFtW6r&NljpN#7J`W!a2PwmE$^pd_NW_dY5vRhG2sEuYXB^NZ`*h^c{*aWc8xg_ z#~89mdq4O2whHjX*E|T>q`z*5upa##AEAx#W|)xv0Ed?(iTa8(X^%RS>VrhStw&dy zu%m5NjJCu!8U}gSZlk?_{|j{r^lXiTpe6{{G>$@?MbfZlA=%gq?>zbtN0O100Ym%i zFk>SVFe_t70{AkZ40b~Le_FVmS-3soGup7M9g7{x4-b6zpDgNSHe<($gV^)d5Yo+@ z@VxE11e;DaqQMuAD=I=cwp$q>*wV)+;6%K!N0_~7WIcXYpF z%+LSW-Ro@cmhwMtcb+`d|NAT-wCJO_iZ_a*nA1|*e!9U{3w?)^La;&It*xEfPU10q zzPWjQeH~yJCSciUQwKO~LPge#qw}{tw10Al4o*)Fk1vi-PkInS{H}M@LgzIvyG4 zYQO-!Qp%*X$Wq1$x4UW%T%S=>L21HLI9j9YvMakLSxeaj#3X1U|J?#{6f4m{K~X^= zVh1ub!3iD_8KOQ!ya>l?Vl5#T!14!EIeQGS-JQ9n0-IQd)+k+<$HT`omCi)Ne2P+% zL0rz-?$-ZVhv9@gAvazFDsrCV1f(TC#+l%%Bt*K71|%Uv8d4nl(4BeOBmapNO|-@` z_*d3kcTXK+)gpRDqe8&Skc%G*0J$MqNI?#A0}}zywg!$~$aWa+PWrQpC7A&e05{_{~L#!`Ip5cUBcS3>6;+xnA%NWV+0dOsU zfu_K_x6F`DQVN0;OinG+x*&QBcBxkgv4Qf?a;EO?ghUiW+7M^iKeFs{hA4oOrK6|+?!)@+=r7tX2j{OzYHNg{fK1|(+J>vk6oNk*?^mUFQoyjjKoF-G+s zsMRY-au4*x2f)d*1g>Hv#t_(_v5BNrVko3_p)&i4B?cq{cXu44j9gJT%9g7HY9SKi z0n7AXEYrvA-X>EVHq8hpN#2qk$=72R!=*qhqaz9_N@vb|mL6+5HT1533zfG|?ViA9 ztvtSl?_pyyGQrf`Pe^+wFh%T3OXeEPNIXR`O)g>M1~dUY5mNfPK6FT&HpC%35-sPA zG@CjzDX}|*4ehBP2vV-z_{tM6-vM)Fo$<^DYN1NKrDh%in0F?C!^+iJZz-$_=du^e zYA4@vE=4ZWUg9{`WSbX*3C$Jp(0m7A7tCBH2}$hq2Gc6GLZ31`cXMA0mr((|iWpwt z`+$sbJVb0*&%7-6+M}jfQ&Yi`@4X?*Y=|H^QN|J)w!|q6a13~Kor!)4Fds#twU*)* zxSLMwMu~mOxxFl~|GYK#DYBKFoiSMA%n41D(_Tz@&Rg!2WmqAZ^_IINTzUZtRs-Hh z)j}S>c=;r^Vt6fg(_0Q1@vy+zZAeZ=d05COC>Rmq-838dBTzj1G?5#<3I19&K87se zDGdu&@OX+QIJ=YzK*JqrmWyyYN|YKO&ImTP5)%cnYM!thVdUP`pgDVmOZ>H2w!VQ2 zSsr%-1$~^92DLG&83_qc^1;*_$6i8C{!@@7m*!2DrA$88g5hrIVCpxjYy{ z2Na{MxI!Q^dSzk@*pga@RTTioc2fZMjaSISIXNt-5C#QzE7Du7q zx&R#y#rYdqi03pHIBgCkr>gD_9%1n_5IH5duh|F7@YWgQybT)$`Ak?L_$T?dDqMKY z3!00i#$;qtQtQcEo}fe(=Mgw~6Xe9X616Ry&>qfIFH4`t1US_kZ0pIigo&DE(!!{^ zDO%95cT7EbnyZqpgZ3-cxPrN6*ueO%kk9O{s(KPhQm_-CbK+`-0vLLNr8qIH>UQJudM{KQc=Pfjn65007$qDLU&26H`zV7Z-f+}q`lfQp+k zv$Jqs4k#^pV#w;CviE7EBbD2#y_((aS40gcgIowKp|#AuI$)}IxN=_s*>H|xg1Hc< zTrIuoVs9(NJM-synpn@#?zP<^53BgxIsDTl<{px{_u5xLAv&~lMm(7#`vT6wXIX1@ zm$Byc94(iU4JvkNSh^{|KwLrEbQ1{>_;TB*EDpskWAsvs$98UN(Q)Y&a6x5!Er zz_x<2UNQhB#g}sw0!T%A7;sJzT&u_BR&elEwO3&>Qa&zr^=w!%o0h#cI(>7sDB^18 z%vAz-VrWO3XD2XYt@2)B!*z#jB3WsHN1j^7NGc^sz&ns#5O#Eu3XoMT7svzjPG<8H zho)1M$5RQ>F_0Mj#3Etlq%YKCdF0DK-nH=^%^*Az9Z* zTOVcr6PAlk#(D$q%YaFtOkCR$hrj63OEiE%voYQV5Lhn&ZOrbO;AL5 zn9+ec3L|vT5uMe~>f5BxO}z#cPk`L1CjmO797HFQiB>=2Ozg|lTmm!I!Bh&cAbATB z%aQ>&#YnnWYb{vI9+n-;jSad*@c?>J#^e_qL=%<rz{Di(gJ~?b5LZt=xCIxRgvl2+6NFql~ zYHtweNwKC=Q*>lUL`*C$Ep*9-UmY(A%T)gKzgw zF7{s@zd6462~gFTj(Kkgu|SJ zb-en1Nb2c5A1p%yePppLexNi0(tmw|N4^eU^wur`);R!No2`7HgoZco41-5ab6a5VK)myV+#2VP1IpJbk)@utj)EF>sg6q$4nyZ zh_UFJ#;)%067ig+DISp)@B~G!@(L80e2s8CEE3Dyz#~}U2?CW;ve4TPIWXbtEx<#; zpqCYK3Wiap{K0bF2#>y!Mgj` zwQMY$Yi`qAXgFp}YC%EM=^5KW=ZY{I5}+q7$eofxMNYYhRH{K0^_v3Tkx4>xb03ZM zHr8`TY!E9g6!0yZg6s&+SDIQN3rw!%E6P1{4++q>>{>`dQj|0s2K(s%w(A3rmLztp zA%^ExW)V>0s;>nhwPY0L3!IL%qF9PX&-))7eSAg1y$E8A-om9osC_TAU_1zA=VS5bEUw z0`wz6IOfb2UsMJIEwn+#OTZh>Wsy`6yMWD1^<%6}s{>+PR=`54XTn9tW|~n@Tnif9 z6mNxZ`Bcs?P$v&_YV7f9=d|6`sAsH_183owUTI2cjfo$o)9Lgh`k;%umaMEFp}9hm z$dQ?R^l7;cp=eDsFg};-{}dp!JfbQJ+oIu`jfd39f?WjCXfVpKIF8iM2B0m&p2|)m zGR`%+FLF6m{?Bc2?MG-S4!w@|P(Ei3S4-*bm!2NwUV}Og{EqCmX1rnBdW3jW&`54- zb?St0XvD6FOq=d9oJw0_`E@?KuHYd|;Lral`Tv`$c=tKRT>t;>-rnx+PTBu|XK&}h z|NnD*9-;4EWz5fB`7Irdk&4EWyd{)zIv8V>Zu~4GKoL332}g${$28`R#s>P{77^$K zPrqtx_;B~Vz(jy&dV>Z@Rk5ORj3VZ<8qXV$VmghPUk+hRN8@uKqLQs?Kys}KOwFRct7)0~8Pk&(tlDZT5r`zDRE)|SepQZ5}}ixjb8 zqmA};J%2BFzKt%fSt)!@x(0+eku~8tIMrdfd5y*!h9e|{q-8ES6tTplv2`HkFL1~(r;1fs<0Z*}~otjN%KDboc|+f}x+^}cuu zn36<2=UC;T``Kw{;o0I~rC`p@b;CMK&@m-R-st!H1I)*b6~aPApGKpxv2k*GarAs+ z1D#>%e`kuFNDN9M40tA<@nJ@wb|@?o*f+qmwI{(1+D}vEcDgP%>p*5|!l+2-e+q)$ z%8>H!$+S^}zls&&wvP=%55!bo`Q^lIl{-^eKou_MdB&0v=+|Z|nCr9`4sdh~vXri} z;>2z1xMJH_R@#wD{VO8K1kR#T=2EA%VBL`rUou$-abu&=5S*nF8?dPNxmZm^f z_+vvA593*(?JX8EfxLJjn`{cOaY2%hY$_A;=6A2oPhW4!S$_4?{@XWSc~kxB6^#if z&}q(PV!)tr?9@*doODJbA7{Op`ip5*Jc9aIoIQNrKx!|3!jt$p`WR(t`UVCDw545eHeOwp}qa*xtDh2(9a;EtCwy1P;wrO9muUPVx<(wYbA6R0)ZcDsVBK4ZKM|1hJ6O)Yw54#rrVN2>T7ujIs?EXB#Wz+ z(8hVHj&n2tr9lp<<ICIR zbj>YDH5N2p!P%&g52vy!EAq6+9rqAT(n4EcbEI6`+-q=r24lZFe*+AGEGS3wK<)tq z%a^y{GzkejR4ScVLazO4)RM^vp}s755dsc66>q`h?h#;9h}NgP_4M?3=v555h9D}L zNj@^>Hk)k4NqRQ7PB>b_wq~9Hii?~X*PHd0x*JGV+jURid7~4c*J_7ByPD({)L^QU zJ6RHUcG|mmeSXw?f41N2{djtQ_~P-}WicRO9>YF?FQ(be#xEZb1;QP zXg)N}$Q6|#4W;z|a<#~)^POz{T5bOSpib-iGP@}5ndjG849 z8BO9HiH27V~=NJvDYpmCfFq65|=X#upEr+_y! z!-!GEU9tLX*YVZaLJFl31!+bh=7h_4#5m=c1bjvlZIhFe1fs%a`Zu6!j$e+M3NVjA ze@l=5BlOlx*W~!{_q~BEoaewFsCB6fxzEw|-qx1o3EZQckO@WNfO zWYyyUD7QL`a?kk(QCFM0bPSz2r%(&RJA>WZK$tm%y`8u9`?qK!<|MmM=Rk2-sJh+g z&O^$|{_a+EZaK7`{_fV+s?#rTz#Jr$S-V9v_RU6(%p+A;NnySww2Tr=*X{i+p> zzVRMl_mMK%XQ`oHQ>C4YI9iw1{sED^149#>D_@8z7C|OUbg%8tiiZ9!?(Z+&)mPc6 zmur2~4;l?2MFG{cn|9Up^537uD7JG zA$b3i2>m=J8Tn=Hkx_}YoxN-iS=OG_OSL`S_WCV#YWP8^_MlXIR9VQVBx0HJZRnZ` zAsJ9!u8+yvj2+P)0Ud}zDaNo`aT({uA+vqq=NEiWoU%#H(-)( ze1kSNj^Cc0o?q;rTs+@^B)VqcazRApD0T9xw+;fgsyu0}3w1k@k*G)_oP^W9efN|Z zn5xowioB26HJadLs^=^nnN6N!qtAeh$HuQt*$cnqdSR!s%o*iM)d;x*zynmPaILP% zYDmF1OlnDKt{m!x%&4XOO3|K5*%T!O*tthwY0IRpMW^fl5@jdJ>2FHSoXCj45XZ!8 z1o>DcT*#6Qms~@IG39VlPbQ@4igIQ0H*leF?E9{fNX9K!7dta8!bf;1dVzL)x~hHvfzt6D~M5Vi351+_(0t406cGs1*cGR2Ha;?;5a1i zvZ1|pI;SKq-D@S2LaPH-BzfOGQ@-S(%4M{_hH2oqEhq3zzqQ;MtL|Is^p-`5PCxiW zI03t|EJE1Z3W*e>(xsh;9}+RvDk|Tun`B2a&A9@NA-RU7`6XPj$a40>fs!T8366fu zXinY=It);)1d`y1(nep&phyl@h6X|(K3I>0rhfpzu!v)U2Tc^9k00A&>h1I@Y<~^w zX)7%FW;G~s-IZ{}jP`A|JsA}|X4f2bOM9ueOT0mPC6lS@SjHnW@2z>QoO#V{XP|YK zgw}!iwIRbgNP{)ctzZo#uW8V*2iO3}s0-bTx6{eA4x}I}h}?vB8_kftl}C_he>YH) zFq{sL-222|be-FD@~YRkFjwW|RZkbx!+hr9tst0kLyOe!EX{{P#5g_^fcht|dhd_V z`tBRo7bmEQg*>Ld;m~DXAQ`0js)wY@4T&5M9`4$;xM!ZTvt-aTnG$^+O~HM`IwmR+ppcK{&H|V_PRcq(iA`OA&p?Pw&u(i zo!7`+K%h&Ly?FfL^}*Tu$;L(3&8Jzi9zi)#S`5OeXaVvS6|3Ruo*vszbqKRb><~c?NIWl<@id8W;U2d z7W#u?V?f0E4z2E6*S-%8giur9Nb@;rmS)t1P>yDrv0q7;zo(IC^R@l+8`FSZ;hem` zBvaMs|BBD-ui~e+_`E!NeSCt>&X0fCzc@nQAN>U1{yX`<>ht2ozZ3ZC=;W}XnSv~R zRo{~drm-6J|M}IOUqJCB7^zjMMTx8K_jjgjCXI`H{JzMj_(f9-eZC62fo8BxCYp9P z#eY@boL!Qn+*vkLU2#gGB+Vu?b%)e7c;4UaZasS+k}Q8;WU&iK(5w;^HHE9rrs%-^ z)vW?3V*{3NUUdTTX*QHc#%W@zTTAv(p|**8`?&}HB9^XR8l_c0*=EE-E{Lm;{^1{1 zE3hd&O*Yrd4yqDoeKIIRrlhN_ht9K(s^Ydd{{6b>m(kx*DKD#)M2O%lra~NkgseIP z)PT?wl4T7D3Z+X@vx?$0(SYa_?2cYSI_jzyOU>hwOuuMo?;y3A>L(yNH1y2MqcClY z(Ku?i#S+?LPA`JZs#(B^^|WF^0j0`OX71jV{4^YDE`2aOlCBIGqcH8s%e61>#&cuY zP(0joU<%E*at0DzPVj_0uU@FcyZuCl)_S;?7P(xECC{qPzbTbFZ@I=f59`g*p4S=` z07)o#z<;Jaf$3{kSo!(jTZrZpXs6vGQtdUJL$s^g-7ooe#<(LPpM_LG(w#97Pj}DtIi`6Q>*^LeKJt3*MZWF45ipxdj@HKDq?Y?_;Kp!qe zD7WgQ&Te6{StU@$RtZ5Vi%?9iNbGy5my`CCeRkAT6s!zVPnm(iLM6B+8!WC{ncyQF zj%h;HWUd*>ba@s_t~o=ij*be`T{N?~M$Kjz4F$vqz)#{3;4yGE2! zQ@@J{^$7haOKZyPUT$^9=gY`f@?;l^MfjTcwgX+m@WtZ~`#<*H_qN|3ogAK>9-mw+ z7OW(MjEpEtRR8m%*T<(P%XW2yInjCl;NYm&69U;%a-D?X$#bxTql5FK3kR5%?%d6l zSJ9}?OpWTl)%NN_;JWkao1^z9`)`k2ao2_&Kvhd#WKi0&uP3gsRnDR>m8a_32~_v% znX|;y#I!e1aNJ@-ssJY3L&-12n}YE0d~=j-W;lsRFwQ6Ox<}v958JmO3^I|9jybR{ z$i|ri03CkcG6dvQ|I$1B{JxnRQn?ggy)>SYjYXCjUc(%*G-b+0Dj`6aZC-lhHdVS! z7ZkjcSs~DDJ!sg6-#Y2*M-)P2Cj+qgD7)_EQ?4rsacPaRqwD!go}NX#g<$)B7GhDC z;)z9o5zWWN08U>Ja20mCnP-G-%GkY4o(t|_Q}%7|Bmh#HOf#QpR|St^|@t1WNTJBhB6Tc(T6S`{hWz_wjhO zua+dRKiq{t{;(ZLO5za7-uC;K?+(5{x-gV-IY9UDl>M;EV+MS1Y18lgsQtOO-KohG zd`a=--?pUkzm?b!lP?v(3(QeE9<8lN3_4W6E`|$n)w3S`GZUHPk9T*X$l-pMgq1u0pb>w9!XR;ct8XXfMmv3PuU7z z0xRWz&2xcehYENJZJ(px+kfZ*m!4o_O0QDz8x6aRBW)*Mka2s6g3X%EZ-|2{owOJG zrOx^J?GjG7WJ%88rFV#l0{w$e9D$c(&eMrP|A^%})!Lp^c=!g@G)H>T@O7qP!lWAK=a!XT8OmiVszpxNq z%*^skyYFffg94E=z^XfDEwRRw7j|~Fh~lI?NOao05OdOk0$5TPAs#S2WiXvPXuuNi z1sfK*Xc^)-UXE$`0;y1eA~gn8$wC)j83Y-Cy}#+OET4t5meQK5U_Yo|UO})p<63z;$skZlpGt`_%^>&Y@ndYZ_GHxwF zhmR9C7q$ii*sBF$h&hBcLkMhwRVF>tc4NaG=H2neMhk6hoFDZr(Eb_x1r;GTHXKJH zxj7pfK?6dqWDaZfxY^jAYdqC)R2_fx1-Aeo1XCt72ksVEt0`kI#OtMfEE%IuhdCZh~y;8-BVtZjEeZ?-LX;` ze!D*#j0*|5?kkLN9ge|`VHC(Fct2@inc71j33!Lau_*v59t4({r1TIT8{6F5x?+;d z?u`<19n*vaf>uekPNxAi@F3ApjxancEtAK51eaB6gS7J~whbN5DduD5az(LefmYjX=eWNTAiml^JAUMRDZbl3J8r8Z`F3Ba zVO4%_z8)ZZ0%A309^@t^Va`$W-$~QNOsS3K8hi8-%tB`_u352+44kpbIT#6r(0-or zPrQqEDrjg;6LzX28Y8STxUL*e6GU@xDbaPxCqKliR0>hKI+4n1z=c8(%Ezx48yohcwZQS%}SjQGVVWeTlO?h-vuc z`U;+vinz2jFyFsYLG(Bir(*Q&Wq17q$(g;FGow~jw+QE0JpF2Z%P=yEwGcF22BOB~ zN}QUkL067wg?Hf#1a!FM?IatKsO3^IA%0vElDgUDxM$bE{_au1k7NW#Q=?H+O;zbQvrhdQ#^D&fEoON`82-4q!1& zeZ*P9?|4N@r5fz4lU`Hh771B8Jxz|TNH*=MRDe1Tk&mIujHJcxX@a_2GTIg0hXg~S zcd#0jBH#NS4v?EX!)@`x^xb%wOmT`Ts6>gd{r&Tc<5&9!7pLbxz5n*~?a?O5L$_a% zGFRuP5*va8CuchIV9V~Lw2{nYNan`9WTnwrf(T^OHsfAgGrg7EvM<-_uBU2`S`DejlA;?-QzyNY{M#jg1kEzd zq}~xZc28Lm`c-3VU)xkxS3#~Xtrc$NL8t+Nr;zPu_OvSLvr#fQXR+lZ+?4X)0X>JesR!Q4-#+O$@YG~6g~y=0&cWL518bJUO7Xn?~@u^D~mc$8&s zf>Wo8mDkuGIB4A0(Yjhz6}nz_wW^%l>^?MfM9B{ThHLwCTUkZbYT7rGxGj56aB3=N ziND|C)W&Db@8pj37Gecf8EztaoZ)=@9Bt;4)WZVRZ*w`cuj{>0f$D!w^ag&*VC@OX zuUU3^#$p;y8x8MI?LbF3x`y-w$p|V$fjUb56ZnFdT|32{O@`$F$;2xp30Wbyf=In3 zAeY+}&uEI>Y&ET7lN#dr~X`>Gx`>j9{l4RXaiy&)&f}Gr~UI`iyNSELs6`+E*Z8A0R zzL<#2Hc@fXIokvSKdwk91OAmVw+Uq7ZP;5`c6xBOR9}5?v3}!tOH_GG2o70%FK45# z<%f^(4>euyTeF^!C5b?aD}hDjC5TG`S!um==E^5lmO|AvX`to}WUckuxr?>GtiIM# z-_nxAymg0m72sOnb(>k4!1=qk|0)&LP-;t^8w^-SH-j-AutKVI$c^-Ke)|&mCeQ`9 z(XG`?-@X0UR}xgCaU=_Ji`nV$LM!_`Use!PnID(PTKntd#!G`y+tbgnTGOpo+OvM# zL{%J@4*aDkDtIZx+7+{^$qJaF)}C#3w$=lEPLeGd6UQCSsbd2@1}4Wc>i7E#_d)dO z_m$10KbuXcs&Pa6?Sx}SWvN>6i=Q1w-OK8jF|k}&_pc#KpeF2^D!{57%2Cc(yzW#g z(D~?f5Z=v4*&)$2$M^SB$;{gP875&PiSSZ&3l7#GTLTCm8h9p2t zLSmK@YId?ayBRV&v(C(>Kxp;~0uL-S6)cEK5W#{-6a!(oX=-~mh5smEIIE5;~$7bygu=eA%Pd^q#p^A#5fE9K;IQ1 zkYWS5RDg47=C7!)N|F$_TTvO{W>@!s(kCh$QwPX1oaC#t!jT55Bj~%N4nR{-+o@+7 z7NjVg-3FBFDZ_bM;VLNXC6>{RiI0X+Kt7vc~aU%_Q3QNz((D^6h!QzoMg@AIAYzjb}#)BrgXJ1>AEy3)6=W%^DaB zx{$&FsUS81hdC>Qg4hA57D?v7SoIpN)SC`73AkSx>#`IIipp7o-6hnIuM*)eKC{*IA7yd3@>lup?l6d(?5SOg82&U+Ui;q$@i)PEDL|Nrdy9(jO zgF;_7U%^F7VI##tQCLm~9<(O9npzHBTYdfUMxD+V_De)wS6a6% ziIQkffCUa3S84+S?c>WSrJx#dhhtfgkihX0s?Fx(iFGR|IX13fU?S*9Cq~jxI+qb8 zlrq_(6(Ig{Ni88t zl*G6ciJg!@qIA`knwVJRXF$ptD9NAX{Q+Tx0pw;p9$J4)AmL8iyf)zURq1HsE^#K} zmlx&CL%TuNoHWDBPXas#Mi%DEMHfs4R1P{Vc$-C+sTBFFn7qTP&NL=5t6g!Vy#LK?Lb;GN4EcSX_*BWED;gZr~3gQ_NEGjFDZ<;Rw!9L~^R;I@uzF-&8e4 zf}9Hc1Wnlr(S{O7@Bs-hSnLEjDUtIQWm{A(f|vA4QbK~tlL-kn zwM3-0_=>h%la>`PGKgK46!DgU$bPG))X~WAOx{&S3xM%aUgV7HVgtldq}fc$95Ex> zECT@)Jve)$@*||8XqNtscuXq}ZieANkc*kb`&^V{XPJ@<-iKW@xu1gW1KLTW&@nh% zUX{sIu@`SccD3GuO(Q3R3>?m!7Fz*NA!|Oc^M1)5bmH38dE0$eP+=ufj2EnvsB+5M z+m>wWm28_t3Cg3}Bo}gVx0NuQBv4g|KTu!O5$t$`NTbJwkWr{xNb%(2eKyp>28B;p z@q~p*VXlcR`Twi1!9gj0fwn5iY=T|fi4zPUp z1A^CRtuef7%eD8}D!E&jh$NdO`nyDkn}le3mC!nmM}MUdBi$+BjtMfEY4mq1D+5h4 zAyUv`Pke%vgLqtsIV!XB>*_z7M6F1aSSH$q0B1#hN4Uh89b;$}$&iqt?4%YUNwY&v zK!Nr$qC|=j;yQgu5s(FuOc{TGW%2KNeF6L00FuI39S#-1QSMC@vc@jou`v$#_$BuM z)6+LzZ`_jOf-PFQ8D|njs1GKZVu!K%dAC(bT4aZFwIbZCWL{Qz@ZcmhI@`2H4w_>n z=Qr;z&|dsa_Yh*xjruEqfzkn3t>icS;tu6penw7KA<9?g7*RN8s@epKAPy&CB8_C3 zNg8OSC2jyErltYP7_I)Am6x8KixU>3Km_7*hL=f078H5wY`6&+k-Z?mk`ygsnmX_B zrr%uN>qT~1H|?SXk!X$R5GSvnqQPedYNc{>^lDErEGVZ0h7X8<<-LTtHS!6EHzEUZ zImNKZZ-IDrhR^kcETXbAqQYp3IPmlCAQ^+K6}(#nRt^jpo}QQGC`ix98VCjyx8QaSRdPDLO(B;2CMtp49LB{)l6viby-R%yACS6Ip z0x0Gc;~N@7#Z5a~SAcsk?PWOm)euFa>j5a)7`!}9{06&pi5@LXy9Q&`V1!iXX^aq& z4^i+hGNuVsa1WJfZRpM{`}X>Hj*)nD<)^$j&R>9=4!C%hRr~>>=0D|7H9;T}Pc;fl znUG4UMuC4aT^C1Cw{S}%yQ!)X8OS|}j3MzTlP)qt6ReO9t~|79{UY@S1f`^}Of(q@ zW%2-Y0mQQfm0=`$s@j7Rfxz<;h-2I!DPHrg4(Cl*k}4HKfJ+xginNdllF%0(aj3ut z{P0gB_Yob{sEc6(luO%2SGfi44PFRd5o0JEBa-7V8b(7qPb29Fa{mx_$)pGoj$))4 zs(x#-t>K8eutUfm1#G~}aB_|$t@YeUd8jgs3(?;+opP|w0vXckM?J*&a0_C*Q6n|E zF@eL)pl$#q;hyHPN&{GAI4?__;_v{9q7X6)+*Qhy(^j5!D+XqLeI3#wpLNT#5^Y|A z=gX^ziijdijQ6UDh~e)|LYX2UTtSzV@_d;NMe?1Dmg#TAjRmS=HWAB*FzDm7M{c)_ zEI|U7W`&9~SsvMYPt->Kh1e=^@|X{Z)+|R9n63f&ji9fWs~lgUx(&!Vf($4j-OAwW zA+rzso@8eT@^05Gk*Ll~jM|TyxbJC^X;@|{A5}#%Ex==13Sib?k|KahiEP zC=C_rIZO@jLg6_$)i|joDc?D4%G;snqB(e{z(xx+Cw)F2Mnv$~D&Vf-C?DfO39VFz zjBDqy6+5U1w^&LtX`uY^#S-Heiz&`sED4OOOtg1FZqQb#l(tHK)+)~> zUYQlJ0+I3gwXQ1yRY4FjniL66@K2WFyaCEfD|N~dnUS?Z%``yCg~o}Uv!n`&^I%Ot z4QrqTcvv~j9Z`+@&{|5Rf-YdVW`Pa7iy4LHTvd8!J-k^%>|wZ5yX#8s`l_s$#q`B? z@x2b2*2sB_Nfk6M$yvph(}I9*#S~YCOv$opEpJgJ)vHF6^x+&&6wWfJ2D+n=NqJ`i zkS>>9XM8jmr}u2360-&YVN+w+j1L~rI%<>TTqH@kKHfNw z@*CrTjCl`GOslHd$)Y!18-`5srx7PLAePcB3q+T|_$8cQD|C=^oM{MibZUuH@fg${ z3?`3r#CbGKAi7KqS)J2hqe*zJpMaY#33$_Dk>y^W@tE?XjV2&5kQSSfKirX@n-vRO zEG3F*v940v9lU6hVYqmKwq@YhgLKkUHy#?3=3G1+GRzpHi7l6^;serX;(DBgzYQ7@ zjmn~?@}RunwduT1d9Rn@yf)m*HkfjijSwgoT|h~Y^D!LLfzjZ8+-zVsH(aoB-K@P) z!Kw*hd|Wqc&m`BBl&PuRa>vJmZa!KRDKFiP8(^0^nPF?khy>BbPG+uK1iQQn11;LG zS!|}mE2G`$!6Zl6VxgTDn>~C;zM8H&XsN9N?EwPqQCHip#|Fb47!nmod)mb^ev!6K zq9rL3KBLnMhc_NR1N1qk2+5$N#~G^qyeL^wMhGiXImJ?STc9+Qv2tlNpOVu6_Q6>s z0PGWMi7LQe=NYYR@DLI9KDmw6NBQCS5T^FMTOQq2>f_y@N2N(Od$?KlN4*=|Df%dX z{iqtTV;1R;6-%h)La``UU_#Ft8qHNsGTKnR)*w#9sJ6<}TOzuA2LvwFlAtQ92Dfn8 z9Eua0$kF~J1X9~CY@!I=aA*cjb5?O$5&&W?AX1E5)0^ku?IxJ&PPxnva0as{98E5! zuRGW(Xv~dpBBa=pk@;ZX4Bk&-i*#u>4 z(3E66#)(N!^QsW^L~4>S5hn%o;mm<98fr#?r={TORmB>N|abSQeacTfHCPoVK8Bs#7@-w~ii zRpa&1KByUh*yN<7JVvgR>GB8gSH4)1@XNt{Ni%Ej+OPJ}H$;8XUKp7MPz#&7G zKY%NQXO5hZQ(5Q!|-Bs>egn34N0Nx;bnilLI+`Ye`e<3fOlgF{kYfO>8jf^>f}x5@N6k|w z-{IB!y%}&#jW8Jpvs?wF3Y4b6o~QtKI`POt3FXpIQj1?OO$!I7XQ;y3grcBfG)2Hs z9X}z!(i&!}2898VhR%d^${fZ`hzKV%aIA6L5J%et+Ruv&q@EL01NATT(m^f;*w~=} zFA0cMC46OrF$e}OQC_DyD~a-kf~o>fwxuLp$lMWdU95=0$3_^s=w--~rsL^Gi-1uO za6Ek|B??F;CwWxmX%Nd0oUzCRc(!LaFBJ&1NOMwn=ple>7d{xc3Gp?+u}6&JXv^^C z<|=1M;H1uoQ#+~=IAjMi;I<58^h@{qM+J=%Vdj2;;n6!JONpXRj4BFYfwl=rE2RNW zoMfZ;L;#LXRVN-*h6ylGY@Ickd2*8ciG)D};941O0B+9k)xfDUz3MMx1_P`!5_s8F zS4V573~3~ak|EB#az|_#BJ#U|bI0;TG)j4c$_AT&IFUAFJLNT*+VBtY;RJ9f;Dz$p zVUu-y8&=evAuy4{Y;i03W?;554JL#ME-rt-8Ja3e$ge-3L!<#ZO=Mi~Ek>bAC|n3V zQ0pk^aKX69R0)L(q(=}U7m16Dk|>tps9Y`6>cNjdp%IP1vyp&D&9nxL{tn)ajG8$Q zhd`|{Sve$X5m?%Q+TX$1kx&c8;Re+H7Df-{JLjwp;V>zCH4)D|<%}>k3&tuc;1S_s z*SiLQ4GTQT6-_B#bL=Op^I1OnuKfNoH*+>lm8wGG;*3?<9lQxhJl6&^E4rU~j4FzQ$i7TZmDL3t6d=v}td!9R9_PmHo>4|C` zYKjxuKn9M;R2^0DtGrpQG^Y(<#{{L?p3B&o)Jbw-o^v4+1}eDccaz^;8bgkA$VGmf zp-HG#=Q5u6YPDDGYMQT5!`4r(NfsxgRT}?5k5{clr?$a zY>Yp|wLnKcT`oPwPd2ScOSp`IlJH)ByNFA`WuB5ye!8S;HC0{24H5}qC4@10gq46h zbF{0Y2QC+UYXG&h>=scxgauAAS($KJB;c?o+Ph&9Fu4QkBA`tfr5a?Y?t@xghm(XV z^d5=H97#3?12;YiMgtrxJgUa9nL~Qu>34Rzpc165D9Q<_YX*gxwm67d?rV*5_A4 zGTe|mO;_KegqKRO`yq?`O_Y%7fJnP-dP)W>2a3B8q?g{6NL4-S zqUQBmo7X_=4sP~njT4PCoKlNa#)%+=QmG?TJtN_FaZ1B)VJELAbSQ=ic|2X57HwEk zXIS8hyl5oga`Ix?if8@?f*(^95zTNod7j~sF_IZOByg$99|kze5gmDEz)33SWfzzV zq)@>0!V!Fq%5Xb~Q zh!IjunHtut8WN_T=hGRRveXLZqbPx)N_4NYpc-VM z*hWpEa}+3z+Np(_4fhboe??3IDM{<*T>*&qg=8Ei#eEpg+XL!*J+RwD7xioSE&kH# zkVBWvNQwlR*|AzqbF?TH2z&`Grz9~Nt>sb%a%13!t^At z@xt)+I3Zkdv^XJh5MlyNxtYiU1IMz#OAGQ&q=3F3L5K9#^=ybwPZ-3^1qOkkw2dq_ z3_YWlA(0R?l^X`JVZ>7>H>yFO#@Pf$%9+WHOCmN5h?&ZbOCmN5h?&ZbOCmN5h?&Zb zOCmOcLn34umP<0zD79c=Q|-GBa#_cZs31H1I(TuOR2$>t1RG;G-0JxBTZR_`oBs4Gn4i)UQ&CPoNT&VukQU+ zZmDdt5sZ&Uha7$*fd^tWaHjN8{S+@XI3?Yoi?%7TdnVpOns%~@8VeAEE>;bkvG#IG zFi&0^Yv%Z>MM2M15m5-%OhGjM=3!C54_kS>+r)}%f&wWC=HuP84uwLRa*q}miO%O- zCb)z}L1ZS=&Je4vMS;gLX{?M3dZt%V=$Vu>lxct+SBrwSfVZ+J)r#AHZ~(eev%N}R zv|UdBD8Dk1XAbh-B)_?MNWbVFd(xOXR`b!kE-RVAh{ z?E7OlZi<$Is1Uq<8I2QBJctdz9W-r7FVO%L@VnDs9U>0(RY(p4Cb@E;5Hz9{jbCwi znL<@&P_9zifmm8k0~h?k>QM?N3qac%3bB$Zi54LWy_3Rvc!#F~9Fb&K5HcA7qJbVR zc^*!hg@Abvo;ssZt&ysWk}RVU5SJ>2x;0U<Nwy#*_LA z8ueU`>!|{F1Sl2{jV4SOd*HIV2=3Gfc$L=$K*;pCSr znHLS|dgbFh?2}eC4$~vMvcV__v^&7LDb8i$C8|L|ZDx)_N&^Eyv?y>M(dfNWjdTf| zTNPv%gr0jepNPP*o{Qd%oeFUDbgF7Rrn9!gMi)7AS@|O1G4K-fRT%IPIBpaUd_>@G z%)=V%MtbClBj6!55Nj!+NJQWzveM~Pfk&Kp1mH4FA_8|&e#*s2Rf-}6$&P#(HAlP| z@CavqR5M2hdcNOqbyUzG7f1Yi17hyND}F>Vw{Zbq2`%J%MwALPMU3=Wveu4&#GWVU zXF$S#8g7Wx0{8N~m!%z~1`o}-k!J?cf`_6X0r?fA7i0suMKy5Bg?sQ2l%El8F5V#L z8UPzTI^}aL5qBoAQ6&n++!OH8Zd~R8xksAEVKo4LNx)Smdo~8c$G;kUM)YGV`|ARL zGbrspVfrB8#t>G<9a+RS0Js35KwiIEb---qM&QV4rSX94uC+nHk!Aq3Ax!=dWVb6y zgQ+uSq&3f~WJF1HhFWvv+%Mw9pUCL#=4la?vXNDE)vwBS0c=QBh>jFJ`>FIuAMF5+ z6m#|ijl+o;zHaM>f-g5Rfe*EH`Q6yfyF@swjq*{Gc@DiEV~1PTjvlooyH~Ia6z7K9 z-p59RpFn$q!#a)l;YOzP3Hyl#KF`v_jp4xx{Ot5R09%Awp@w>927%WJh#>IkqaDTR z85vm)M{!QpnBwfrMxVY;Mwr5PWMvd)jnJUcsPI+uvKf4B?m5*C-Kg-*Uh5S2reaFh z@WLgQ%>EvM7E3eK0x?bve1YcZ3S9{to&$8HpHV&f@J&7ry+z5q3@=jwk#>`$hXyBE z;v@)fRziS|j|NNa8Ll9Q&uC&SBKI^xDCFT5+O8iA0Ll*4y6-eB1N>E6*-n1Z00F5OW2-$apy%#6x1)gV`W`w4;}GSYCRD)iEr+XYW2?A7q2zj|xG7 z2GBr<&Bak;)Fl^7qb|8%8WnUhMRg`c9T#W@&_q>;LQyctAgV&Vn1ydldDu{4IO@M% zTN#yNEAxpCWF>JhZaRx|303IUm_t`(yMvdFRvIAvIy)2PCS@5)4C0k&q36(5g&{aI zC(nVRrexNqHV%C@CeHh-YdDcTlYB&t-hDhQ3 zA1Maocyvbx%Lm*;1fG*Jc^}1aCK5G6X#(7+4Uw!Du&SBJa@GTl*n?a#dt~wz9LrPg zF8EjUBl%7K$%-l?s))qplk9x)4V+{ST~$CaLXh~;%n`~SKg9@80R2BX#{yiDOdG=& zG)cJ{8!=@3*H3bCK%fV+e2I-%V1{cF^`yfe0sK|5TF7=9tqKtCC97e;Rmz41u8nMJ z1mHo(y(w_B^S%*)E3s$8)!3?F;A(`LO8741ky zTh+jsn*cXYO=Su^y2Mmb0FRJ-N(a1Qsi&d`9xA<*4tT?oON9ikh{{Tzk?q0&M*_0Q zCmLUzFC4frFX}%C+{FuY0nf9t7ZOU(tGp#sVio7oln_P5Yg`nEBmv6nAy6z!vq~*i zEviV0V8hY?M~&7$N!l7J^_l$4A; ze-l!{%4ry(7fL&ApwQEK)sQO*xwPnlV^H!J&8-DqSJbE?4PMdNxnR=>nS2cH>nM>y zV=7|NQVO9OMhy##YA8i4T1^ZA7id(6KSTEEixxQP2e5rX58NaTf;n&>!==l$$r}RP z$8egW<{A{B3Lh=-FbZf`;2|@oHe}7iD4#i)2s}su4NvwED(J-l*UUQ{@K7pf zgMf!oK*ItLr3GFnaFfLR{}k}XRX{a(ivOGfs-Mv%);@!g`R7&7U>q)1@6_TJU0V4N zx@RzIjiPu45Bs-johINep~`8(a+g@&)MI372@NgaLaCb#5^!OZO$6MaZz{@W!Ke&1 z&_*ZDqSH1dTJSL(qSjDU?=md6&fX=>vD;ocL=T8y647svA||6y^`LYhd=kFF-xU zr03-#?l2S-aH{h{f+o5ce8U{04#?N}4rUGpawxuxgD%2RjHqd68?v-th=v^*q)xvM z1+pP}bx4rrTD1}6g=o`}KpJ#uBghNUp&8CAK!!5Wu&PlUq7a}Hb=xBw_fWi6H5JVo zpla!W2h|iaZb=!YF?nL-w26^{>+k30a5Z=F3j`SgI8@idmc@}Vko7uE6}1bgK&AtZ zGZz&E`xaJ%LiCdY-Ixcd8aVA2Km+}vtFtsk!Hf!KcxcACSd^q-JB>LWBXS+a^8t$P zuyu(d0VmFFgDF=T&AGL)@X9ts$tQ>poU;TsbSfK>a=Vp!ek6U@E;Q?o z=0^GbG$nv?S}36;#wT~fIibY>i*y4Y#W5aQlyHtkrwQgxWz-UyO&>=cmX&y#X3y=0CXKL1ZmTvgfh}0Bf>CjG(v-g zkOsJ^xmE@q(k2_yGTJcU0mj71L}`!WRSgh66rS-~;{;&=K&y z7YE$59Ah-K7{e4|L?i1=V7MG(2;hctj9TF4(Ji21g&4!m+)xEGni7}|s(%>*xarG? zyyk9Y9|ymLT(AzN0Uqgbf^7Im?-3?eJ?#t)br0oX8?D%3D2QR}#%XbAv`TT2z^e{8 zrr84-=t3yn`OE?S#S;~`@#m!MmRaMcp3fm56L|AItZaJd9D@ZVZ7 zK@T}htpq&@8of$FXp{^$Zap52e%ICmHK`lNe()D~*jaI&H(rog(^>)VTC%f0 zzGaY-Ax^#QQW-*N74n?>o6tJrLELqhSDXj(P4(tC9ck4hSDXj%OTqkBUj}32MTh8K`C@Cj%rZ& zx0T`ujnAbmy2%@?C2LVslo1ZWq zQ2;miK1PLwjuRriVYj48njWZEU#oJ%cm3YF;)fWKkac z7zuEhWhk7I8|dj14ffhn2w^6mErAfZ@)h{G-&urG3>cbA~8ta^UMM|`J8!2P@^c?DX$gAI8vM3uEU7t6zQp#Zmc z+@6cP9c6Ts#tpg(YJj6R#}Sm*sFG^ng?jST0Kdi7$Ce!V&D#iE{ik*jbikFFhRiPN zjMC>QH1Lrkyz2YH01t?!J{gSxynr}|hX$^=j~jtU`w0y^s}h&Yfd{aSMLR9s?G})3 z=G3Eue+3l&*+7NZ?g`yP2+Amd`>0C2+pG?_kE$%zy2h&MI^hx7+q^u4DRk4SGdftP z$gkW?Qi=^|r+a~W&Aix)4!8+mT_h4Z7o(DVM&N3NYHh$w2#zza5DkI%N(pbxGzT8Z zD_Mg?!?I3XAaI?3vI+1De*g~++}u-H%j6gR{2dXv!Dm?m{Nf+K5pcy7USCB-GhCKz z%vHDzy;;U-@OCBwr>~0qgBK_lOJjdCp9sH<4~>-`2e-hKn>-bp;eeY0RDRFN3to+w zvSrG{Ln7#>{LDi(K8d;cY+9}$P0SD3aiQEi_06F|Zk9>hR_%#Px1RO$~a2JmQ zzGjPv9vWxDuyk(&8~P;|xwY6Xj()_|+o_!{LP_Kpzn@m_gs7A(4{pW*UD%79^7~l^dyq4ni}#^6 z#Q8%{KP#9r)d}KIbeP1We02<0!Us6F+#x;$ezXz23&W2ONM61{`0)WL2tkCOhhgaw znv%=|oJia-1>|O$#F7#ZM4CfyBm!W0FLIut;J<*6;wUeTd{a@?VR)LNXOyhm90RV3 zp+t|3aU)clVPIr;IUGI78Hc5YT%8$c2VXPTu%iE-Inyd8EH?UBHj z2YV!kf^Bl$uLjP(w%)en;L+hyNR(JQQm^#jFjJ`0kPrzM%}D~qf?U#GerHbvj0Zh@ zl~Uz2;5j3S4=fHc$t6lofa)3`NGh!Z8qm4;$s zc1@FD?*6ZOhYW#Lqr9~D3-yE)4)Wjopst5(e0~kdAjTKPznMd#d8fJrEE3IAY=hon z8^9#dyt)2uToUH3XoxH%8_PF899Z?0C|QC!qD&`^|zp(Z%PnrQkLxap%s*n(Zqs{lH;G8BX%0*eYe<6+6(gcHy@Sd&~v+OYsjRpE?C2%gO{gcm?oWhy{P<53Fx z^o%^!FUS*024cu3wavy zx(#Zm^X5&%zT+WB)A+XAV#$}|Z6&lsjklErN@#(jC0ZPBV|Y7NA)+)*R(V=hQDm)< z8nJ1yl)$A@6=Evo@}*W*S}Q9nD^n}UCsji+d!_ah+Zc$&nqWr4psjv^mv|S?rXgSE zzX=#5gP#{9F%6g5LSW2FzryvG_kkRU>;@xp9gv5;v;>Bsj7&Vqo&YFL4&#+?yQIpq z9QU6HC^stSEYd)#-~kH{E;sF;}e0O zr701rB_4cjL}B{83&}?!;*sKn&Nx!4#%6(>;G;NfC{W`fM&vpYfrk-9xrDupJ-nut z(N*APE%vy6h^&{9m$Eooj3?#oMU)i^?hV={+29q4Q&WdN+YeTNI_Kn6xX zYviBYUKM*#_Dig2rCdHb6~sc!W5Zz{lm*8Hv?QMN}Nw zQjPp(k+m7!?88#PL@F!fuvm~=jGTr*m+S$PT+|Uk;z0#3l;H$>#GFw`dl^v@sx)d; zp=wttprlgZqoq>bjk8pY)76X+jiabiD5^?1LupB3IByS>fs1zcfLo`BHpvtv_Mm!T z7(HYd@g|bW2QOI+2X!g@B~`))BwV#pq@{r0rfwL`cF}V@0Q!U`srp@k1iVGJc2?l4 zf`8h`5)hsZ;#m18((|o{7hE(tpamKi0nu@=c_+WXS5{d|cz2amWF|wNPm0_eUK_2% z8#Wch_DPDOj|f#1lRo;k@(3=L62(+}B%)?=Jc$_q-3GK0Lu)FiCi_94D+ETO!9;sp zdCz#e#Fx<=(3fQKGj?p`vvUEKwU_tAt@@jf5I1h(c>9Eeczc{JAwJ|tU3=QQCfmEF z^pA*th&528fYm77VuRTv)?{ZJvZz=rV`Q5j+?F^AAu{Q@-P*>o8m6RP37Kvsol}Gb zK7et3SKvbLtQ3bbOY;FqmIU@nfvQq6H5Lg}mCcgP0bX!pwZY9J9U&2jjL*+j$qFCv z@KCWKCUeT@rfM}g&LVEk=ys>s=KJRuHa2b$6OU*XXRq!W54kNC*t_-wB?3*A^+(w0 zQ|ZWKV2()z1Mk^eV_N95K)gDM*a}O2jlQ*Yq%{1{9b`_)4*z#?@fjali76ySUn*0 zrVJKMC3GpnxdFwYM5@Ss0OTtsxz(WbS_DP(=%i_qh_4c)nlySZBL)d5Eztde;eZEK z-;*sI3hWG?lLVe+;V`@)KZQVOB32(jLPC*s2rpDnf}3_*6A}_oE&^H*6H!wi<1Ljy z1%*vNB=uE7Lid13TRloQ(gocjyC)!VxqIOEjZcV*U$1219otT}}%kT>#a^46O=b^SLh=Mp9Bz zQs3Ua(SMVYk_`V%?w!=DXH0TRpOii+y_1uACdDKr_wAe9D+VMr>P$m?0-{6-F-aE< z%Q(6JM?PJ^Z9@d!t5d!S69B{oz=8LRNUq!Hq(et-7kxuZ0svqH&J1q2a+9Quf_!mj zr0yc{QJkBSFZr;OZZsPjPG4OI8EQm884%R*DHw{%oJ+g_M3+D#kw%hfB7sGrryx{& zfkMGHya#v~nsuXV2(FPX(ZC`fh{znKe@c?wZ1kf_P<*;cU0h^{mc<~xD6>_vJ;ucg z0xkM^&JF3Q*3y(sXaboXy0ekQkv0H;OkkF#1le5RQmbc!;X|{B7eRd^-A}nn@qI}@ zmSQ~BnnvZGNyr+5p9WYss~x39%zZ;5$c1hl)S3ib=5pD1w>jTs#GxY zkfa)ggWN!m ze6HmEnSlw33{f3NI>?%qXScZ(dzi+~A~Q5U6FOXsWlsm2_!` zK`kKB^a<4<=bC0VgPI9;s@BmC>$E7+PfgjXphLX7NI759*+=>DDcoBrBwqJZJwRa*e+1r;vC6y!^@D6+-!8yd3gmM7!?x5@wQN&ZW0IQuWZviNmCkW9xaMvkWqAFqtAQpXc%QDk_o*o7nxE|r|>aO9>Y`}%8U4CPKS zmSn{)#$O8W9RTpe`qib2oE|sW&P{%pLhhs_S}6$Ype!(8>Qo53e*^o$ZgL-){b}+7 z2r`E|u)84q1D;qCFGoviw}eH#Hq$~e>M$*C&;Wt<^8;-?;>X*jOaTmek_lZ3242KL z)Ghm42vo)c;<`e)U0hkL==+%GKpN=YJzgOtK*wLGwxFx%Dy4n2OpK{2QPTY=WEG!< za*jQg_ljy0OqF7m_W~qoSXsvCF7>3$0&FEQK8EvZC{GIlFGLyuHG=(vt*Bk~M$-zq zg!23CKsH+kchI&T6h}J54~lXeNOsT_E-|<%4aCL*EuFQt-Q;Ry-VJNjg~K4ju40DM zuYt*U<0jfC^g!mju2EWx&4vlxHQ6rra+LMkx3|&m}noLWWXtyN*yV^=#H)Q!J4hRgGX5a-(Q|)qU;gc_r!P9P!db_4-1d-Mn zr!}TQnX5&lYqE;=R1;FD==~Ge7zr)XlDZb4$f^;D*8Fl>5EwUY9ZZR|b)>+Ck~*n& zdsk#t?n;EGpBE%8*ho-SlN!PqXvb+lUnBuT;23_GVZ70G5Dx=q6+Hq_MFF5IZbrG? zIxIZApce?l-rCb9yMxJ!p;ilNEE8;yUW9>TZP6joeo?;8i8v*t!3{4+tyePRLR}0c zA<~rzB5B*uDJsABLZzL!@H%D32`?=HvD^i$9OybcJuk~qke-o+sUmB5PGjm@r^c|R z>anWH1LW}n4aS-Lq?9x;_hAX59TuZjxtCoMXxi?hM2QxVi@!(?HweV$j>jql`oAHH zuBmx851xtILA?**KY=oT&16w5S}-{%5ns(cOeJ<7a488~%IGSaI$|O1XDOF{46808 zh}>;7t0z%qG>47IqD1>avQ0%==1oA<2e%t4Z-C|`fuTj5GXpz=l~N)op;2aBNyX4y zSB4+6i%yiPaoDc^4O(!oUMVIzZoj0zU4ad;>LA4T|5HxU=YPuS|CCc*o4-dn4XYD| z*rBQYlKLeZv`zi;MyYc~J^ugn$NwVz5#S>jpT{Yx#-twqyvIymkR1*2VGj>=s)R46 zZ9!+c!M#kSl&ciE z_ag1FM1D<>O_J!0<2{-Q%Tq%WLh%<7lixvgL?29|3mXZc)49|l`S8diMo3BmLV$w; zCN+qdQFxq3!Zpo6cT@jw0{2qCQ2p=ocYX}-zatBV7N%!r6%WrJk>$9UH(%{1{QGZG zpI$wU@4vlz_fGoX`|m&TF?;_-^{&83Vj_UoNfEnkqZ_1Lkypg}HN~p_F|Z}zP$Vi) zvp2Zp&~p)aZji?4BA9F|f`YH7tq8z$fg7H zV8x7K>BEO+<>n8y`P?>35Y3Y?&6CY&o{*54KYI9x?7S?H?Er;Yw~x#&%*q5q@(V%w za6p6uCdq%z+GvtpiGdP1RFM*8(xYXNiSF!U>usxalI)!Fw~UBJE}>jyP)PzP(n><* z!IVcoo^>njxgke7DY`pH_iM+OM=Xh2ykWqN4dk>26Ad63r@TxLeer3P{7A{3DHPS8-=wP zMGz@&i*N87xXH>!T$K&IBQ0sFv$0rCnvf znN^7&0Z3Uer%YKVu7?gV7T{)p5pc!>k>Ol)kWW4`R7xmpMN|?Rx(Tkbh=I2N#o0UA z1_rads|@Gaq?D59+EL@kwiZhRlAEvK;+0ztWdjZug=)T55YHJBgovW;G_~vzCE}c@ zP`);yZdwwY3{RX^;pAvHaF>|SN_HnGqy3PuC}T+(2jLQw8L*feebjz%o+`w2v<*PD!vmWKLO_ zYl#l;x+oYBnP%upxDgl$#NtyJie*KKVJUAc@zBPR!Ll?Y`?wHxNvonorwt6D7?uRa z5Kl3D@?-SS{)RIlW8XwD>SY7@P>LYni2&u1(h`4UHi%PQ-DNfxXe-U3IAeGdX54^f zTr?-r@iyQnWBfP`6<5Mj0=m0bFq7eVjf9St5~}3P#Qw`Qx6ZFF&4O+Scsu7d@>0yBR_ zDJ|%@A8J8xM>L%62Pm#!)+#;#Ib@(yzvb{wz-UF@34Ls!kWkX}7zh^nT6wP%oKQ=X z&v9O0ybM$+p&%hAk?#4h6jfm1_zJv_;69LWZUA{0ju(6s3;C10w_NHQ*+2U++#Otu z9bQtj54;x-Bf|YZDWz{;!~MT^-=4kycmMwUMlmC)`4Evwuy}Ztz0Kc&L zIq${52*3YRl9Q8r8{J+C5@|r)_)OzcyM|w1W@z&aRCkvuDj3)pnBpRXCRZdqh{HRWiy(+aL)^G)*h_=ZJ%pur!QuF zQv0vkBmJ&%epz3?@y1oN4nFZ6D=u97++7o9o&s5Jp`f<) zoTGa`FMj;nC3Rl^<(}tL6JOn*`$@`YL+FvW`Ck5P)Zwca&F9A7C-z-3a6nO_@8Pst zuVuztiei5`FHSoCUc5utQ~cGw9y|Z+TJx`&n`W%r=PHX?Ry(0~=koE#zw7J#mZW;2Q9dFI-GPC(!&x_yW-`J$S8CUWAqSR*>{rrEs z&fL0s^pEQ@pIp>*!LWIg>}|)+?fUr_U-jE`@Ny|ee8HOgnRnB!&n*LHrhHTXnDft@ zyG=+LA2)kzr^oN#{PZ=q&$)TeMBDJ3VY6EBTkCq)KCsvG;%`+oKQ7w8b?E!>+g4Z{QkX<4J^oda`Q6>pI!6o?+dQJYjl&vwKsjA0+uKEmu{NzEtC}ay$>x5Z z|Nawiw(D`-sq}~Et>`$e%e?KL!>NmYow57Yrz;$FO&<8*mD_7uKe2qlzbB9V*O3tq zpT6Pk8y@dCCHK{w4*Qz^`QBGw9PWEn`AKF<%Q@M%HOX%0`p1=P9{#44^LX>&EriuuyS_VO#=@EWWcttN z?@H_O+r9#KYuN0vcBk8ooBMXh#m>${W;a{7bI6J9d-k699a(36{mVa|EL%H$!3SNR zn$d0d;ncHJPL&_s>G|t*XUnJa1~0tb^5u{9#VK`jXAV9-Z*|MAu^;6($yuJhc>n0! zu{($7?)a<4k+r4E3TFOP`)vIWpY2=s*Oqrv_}%P+VRseQwq|baUOaJ8pTLV7cGg_e zWaxk19<=hWm(HKtarWbvPIqn2Z9P|Zb^BKB{#duA)1&wQnZNUoCf#;Fy5QgYt*h5H zOFsMPCkOxUOY5n}n`W=rx#i)yGdDEfQeN$A+2;uR{=WJoPvx#@GR@BSKB{MpLBt+H;ozv+TucYR-1ykJKA z8MB+_Y#W|*UGq_n{wFG1)wHX;s&ezm*NJUqN& zW3#$xDbx3^?*1b4*5m;zURnQ2S=QQ#%~HSp>>=^xmmTH#trxoXjbAjiU8~sy=H9tb7t(^D;A$iJKMB#i-ViK`C{7BgMXTH za9-^r_0xKvdD%I;|4S>`&Ic+_uDmZ{b<5w`#m~O-cK2;;m(LFzIND_Eoz`AQx=va% ze$R~Rx;yHZw>sQ@)Slmd-Sqx1uGKBO?5=B5lNoy~F3`E`fvHU^+kV`7$^iTBekU$F zF{A%yPyTMHn0D9d)lWXRtj9y&zO{3B-oM{}cFFj!nT5~y>9I{5;K^w<{MmIme|4Bt zw*Kb3EGK$YoPX`;?s4~}ZlAopplj>qiE}O=URV5NZujD0HTg}RPr7AVyQMMQi}xhF zlGo#hM>5i$ZMC{(+Yi5fXV-zb%TLbtEb^?K@N524>z0)De52i&%RcV^@w4wAk4?_K z_nN?*+#l+G=#oD>kVlJ~azu@6KKWBt3^nPY=GbzJ*} zXUDK1A9mc?d)&#AMZ&i|%eK$XOWwZWy~L^>1y7wCQqtv>PxgO*V&v&#pWSQu_9PrI z5f1p&vM*D%K0G_-`19+!-P&bE%xBFu3P*qWdD7&wpQJsT{dz&#g1e^spW3-}%Hi9u z*tRlx*JZ<(|9tB6{a63B^wDW|Jhk#A@v5w2w>HV?T61dUTStoy4y3m9XI}F6zWU3r z>kqyE(nkqDOl@WvW&ix^!kd=n)WvLiuy*~svzD#)yf$RUl`}rNN;)~|#+Gwx+tg$> z9lLw<<4d=HJFwZJtRp)nJ=~-srv2gZx4qY;S9`)=G>+1}sl zku}Y?UbpM?m*>8Gx8%^W)h)Zsr7cCVGZW+67cX%x?XzZ0>BGe}@&0Shyw6N(U-VwH zyCzshJ>B8=-{-N%|5e`q1L4&0!#nqWTH5>02REJm`M0GluYC4C*EK`Bu7sEr?H;{o z={IxpkN2y2^IFdxMhtDERb=Kw$SfC1ZAdncwGV$LsheryfkZ+1cUG z_x7Iq^6A0ZDPv-r#5o_xt(hg9KImL}VD)#CZu{n|hnw_poL*IO)ir^WzWb+6e{$r| zH@)pXrnVev`q2HI-yS;ic;&I9SGPO++KCD7JL8=XD1aa-P^}xZ@%e~riV7~$#2!>wjWClb)J(5 zMKxG_E^W=s*)g4;DKGLTcB!3zxcJapflVK`@*aGuZ?hYBJX4rIaJIeYnvGj3+upJ1 zOx%fY_wJeAG2!2Rw!YIhcFfZ=y7g?*?qu8NzY({!Y&G!ex^{QOUDJPBr{#yPuS*!z z>Fhfn{90x|y(9lbMail3!{1(e->c0}=U35nhgv??YS!j=?6G4WeJCwv&bC)JjQ`-< zx!)vi8rY=ndgi*e&iR{$4p{rpy_V0@?!G0b)7vKw?)-Jv{vY2Ozx$7IDPPPU`@w@h ze^AqQ&5>b3*{R8UroEmv?LW;XuOH!V|9Zc#&3J-nw{`FOLX`WM`)uzw6_l}1)o$pk4 zY=iC8x&M1&N1K|=iO{_OOp%I@*J-1C_YBiOZF<8N4W z<)RMMgwb7ec*m}=-sjQ^eHQ9)<1DBZQrYxe>-&M_5*v?eC8WB z_1X7EuDhyjj*Ba&pL}k5lRxL~e`3x__pKFk_if$3{lJvX?{toxH{Vl}SzdUy?LBX= zy}5JGHTg{)KaQVv<(boadYyah>5?&97rDnzSy47^?lFSL4|Ju5H@A=}2cPuZh z5`X{U-gES>U!J$u|MYR^BeDIno8-8=OaGoSYwhM;O}_i&&EFh{j}AV${jPg%6YmfFrFCUXL@9hoKvsdi9;cTb-d!@pD)W@{v_+|T# zjSxDX_+jtLLE}F^F#3T58+*Mn^SuXed-AzKP0lCQyfvI2S9@??%8w5o*f?yNqqcR` z)jyp}v!|Q^HPaX0#x;8<^H}?<+J89qW1GG7g`!S@y7gBVH#>In-XE%KHrChuIIXJg zudExMXu9Bor62!i<7?gCJ!JW9?}~38-_+M}bWqC&r+!g#+CFcqbM)~~rI-F_RdIe} zZPA1WZVtn$Oh?z3#T(RJE3@1qmH z{PNt3qyK7t^!Z!I-Z$6hS(GLY8MuYo8$0jLrVBn;llb3NF}-XL8kytwrG zgj1i2t6z2R`0(ood)NQaeMZ|rLe&edc68C<2ST>m!p z)yTB{UrlhgY@T@SjDKgmd$9R8O-JwlX4mM1wi^eQZ=XB$t_f2=o9w%}EaPzD1J`@k zuJgO=mSo*VGxO{puEVXtZ*MNR zZ^p(AYhDs9S+_RHxqHl-vH39*o8NtK{vUl07k5tGFg>Sk$+J~g*?&AV;^eW>GY+-1 z(N4ZRXV(1()(q=XP&@az@;^WN;@5jOT+y$Wf5jv9)kltv>-(uI?copB9Jr$T`pY}k zpKg9|?Q0`0Klj3f z_2rvg{VU#n_j+b-htBK0bN02VSRf- zemVW}hc8Q<*KEO*aetlIckaQ>%V%`UTd{0o_tlFQ&$^@NaADt(8-#bQt2$qPuEk>? zTzNy>D=$2Erg^P(X3pZn^^5O2H*Ed-oL>uT=RW7IU+-ABVbT>vo-5B(EqQoA>-EKR zo`3WC+5P@ndiR7AOH$VK-FaY2#p2uJ@^YHwJUMSnd;f^T2^-#+u=dp-Ct2CY?oA$F zSMlOsWls(Aub8)UuA}61kJb-0UC?Xs=!xrIYgO5?W=d_(mG9bbi2H5e_3Ml0cyFw; zz5MImjm=-WvdEKgV%;oZbtmtX2YYpBp2(!`dH&n{ro%1cJs>dIbvogfMLS-(xsLj{ z#kzeRJ2tiEWjD!ra@Lz`o3(77xccV6`TByVc}LyEtR>r>Pgg9SGWm)Vm9;(37R`P8 z=JHjs$#KqX#}9F*>+btc_8Z5iwrsI-{xN6W#H@+K0s}h644$@X-F2^3{M&MNOZ~{@ z2iw#v-*#qB?TRK>vVqgTj<)`I=!W%9mZOx9`7ko4Pp#v+2ZHRYf z?z66z_7hn@jb8gY9Ck^Yn&nkRuRj0DtSwj2 z3peGrTt7KuSBv{|U%2D-muF3X?5XwZzxaAN{o%~jQ`)ZR-aL`%v@5%|Ns}JquNmKQ zecqhKcbxmBZT+s>4nH@8p7_;Qrx*W=iL(^#Zqsh!?K`?{x&GF1Pql7)Vz+bj@u{n) zwEdiEyCi1XZ9jE;O>*k) z`+fE5vu#$iZ=T3l?p`ku zcfDUfa(SmVHC=yA&3V7-x>c7Kecfc$@@A{gw)uP{)4OBS`YWX0JJi&qj#_-}`usVQ z3u@=qt@*}(_|aQOS1j6|&ARIPWR-tXQ1Scii$>nst>A&*Kb`xTYcON66wR&TI$T}X z{`+6XefdMj#8W@~{FM8y-@mQ>?$*(VQdS>s`SL@(E^D5+?X_9&)IafEhnzQ#pBy*r zjlSheWB>L3SAAGU*UvV-N$1>^uKdlM!~IO< z*oE`EeYvEl<#*5J7XRP+{5c=Dsp)#8+UBo(>LK2Lbir5kGk@MU;lbR0KV5RD-!4#- zR`5V`&-eQ}Y#Y!#aobA{`?x0y`Y-9S_p4nMO)ECnJKWEV`Dt~<3wcA2x;nI3KNO9& z=DA!S)4T4n+NSg05chm{+Y4(GV*gY51DM z_qX`-y9J-UeEG@L^}~AI_5SX5UrukfoJ!btZPDR%HQ?iKKl^%` zSl21*z18by-q&=(pGkKea8<;$p4)VRdz9@fKiKQKzxT+_=cm?n${KvfuV-hTZ8~Av zE1SODm-gV@%V%`^obJ&4wdQZU+W*gkFO6LPdXDGix4G?`?!L09DrMI9aTUkL58js8 zJaOBrU1oe5^I6AcT=}oJ{^-d3dgT)Fk-H9E@$lU%oI{<~{r(X>bDHGzTygHhS$%5G zU9qNiYKMIO`uby6uDy2IFqfZe`Dx2HUTt#Uoe=GKXZFoi@6et8@0j)3llT5m*KKpL?fW2?EnX@H%O5Yn>*5ABiT9MVWZaVCBd+pqZU#+?< zHFoQP<10pO*;-N&*Lq3+wKLk5WE^N$0T-rCP1lv*#oY91MZYssdp!2?3tPB?uCL8} zWnjhWDVMjYneo{B1fxa&+Bjvzool>LZC}-Q&Dzyd+N@~5wKK@A{cz!%pW6%2QQ~i;C`7Pf1qfJWrLkFH2cDbc!?k%3&XWPBn^hB#4`wV;| zt$cRu$+?r)K3Mfa`~LeAulRNAqr+HB(cH9MZJcB8&sn(o=Usizr{6aq=U4x#nEd8% zO(GrQf|roJYx^tY6r zo8N1G%Y(^v^_?b_&3$`e-XjN=AuO`2dk24-d1F9o@pP|c&T;d;*_pPvb4Kic;1u52 z)B5|}ZN<)y99TMRL$@t)|Mzv}3mrU`qPf|y)^1o9mPM#KC+nno!0!{jgLRrtIz3Cp!4Am+pb*vD42T-n!>3%ruov=>u;I!$Cc$1ou90& zTIK$C(*^GTTu1$tz%{$_|6}h-z@sRZh9IKrfr5$`*e)OmWH;H|ECdNjfCvdO;S?}C z+3DRKn4MW>W^<54z#9P-d_O9R$Mb?GDvF4RNEE>vR1iVAd>+Ulf(NLm{9pGRJ2N|b zC7UR|%=eyTXZonBuCA`GuC5Ype{p!v6%%GzC$-;lv>cr|(EyZuxL!J}$u3a;Mjw{>twcpLYOI^Osz(ycfT- zVZeD`Jy&_tu7&@aQ|>&TSeEk8_}vyqBe&=BHN)ngcfs;rb#tE?yrlDYxm`ZACsUWs zo}YbR*KdF5c^^Ah8ngbl-g5T%I^s$H_>T()c7FdX;pqH3Rt&1T4R`-d&2_sHZvO4* znk(|#k61Kp(RKY&um14sRm&<4K2Ui)vCEAK3&~Ble)Q1?CCk^{u`eMV0g%0^N8{mH z&%XBCu~o;W_NjiS7n(~GD^_wl9g`n<@B95d4&6I%`1n9$%sBp-L#s5>|3 zg10-q{Cmxmffq}S+;jPi)6V#*YC-pNpUi)__m7`l_vHIm?!4^g&;K*J$DO+#8=i=m z@{>pp#YY-Az_11OWZ+zx^Px0Pg z?kv0ZtX;jgynpBn$EtSsRvlTht6^Z(UFJs<9Yt52bJ1_zf49EzYSDI6)vFW!J+t>E z?%O(~Crtjmr01B%1@D(NE;z(7orZRp)c^IID)Pnuq@US)#lnBRvaemIPOsE2dUEHW z(!{CvT#E&B@^c-R%^!U4!=Glsp4esXudg@WIC$K;2Yhc$n2i_DWtabY?QMJ7_1OEvipG+?FWmFuxg*lt z)AoFv)My)g_aD1=uI~BF=>s-h^EhGwSN|`ax9%ypZ)Qhd&55l$PHaF6-q)O^?y{r9|N;&wqZ#s&fyXvEr-Sw>R7|GUxaoGo2kKH&`}a zQMoFy%c6vZ!0RbUuF9onybhYu8i5J*M#ssQg=g_^ta{ zyYl;AIBMm&BhudN-09A9g`>8;FHIela`1M%a#IOaosQHzGUxl*y%&G?$Abnv(MZ%xc5WL ze)+|Mw4_cQlizvu(c7-++-_ax@&8@YtEgn|uBYC9_L>DdsliLSn#!uzB@KJ;v+WIc zY`rOAA-QMA;YNSst%EOgJ<$8Ps}Fy?;kViaMF)TBch`IECpZ2+xcA2Qmu=KZ8j8xEI$^~9oGuN?ovF(P4Mjd=rmao?YA`Rtc* zk0a(P-#%!;pqZTpWOds6;hW3)R6T4?S-g1Y%O4cBzaqHyuc<{{Ea-&-I)++U$RdUH;)yUru|RLTz50{8R0LvpbAB zEqTRhUw*ZH?Hz}bZ|b^aZSKYIPQG>5rAVDady4scMhA3<_YD1b(bcm* zJ2YlVdSig+Kt6#X$cE-TVm%snona7^JvtPHV7mc`d+Z#_$e{#)_r|)f?3AerS z)VkYuJw5zv)A)~tzMC=!zy0HfT^y@dmQ22Q&A9pd7Hpn&<0b4F6V`v>8nyaLX%Dhx z!kBM&o%XxwjMaTM&vLl^3x6K^XvRampZM?GUSI5Ld@o_)CF#GMKifNR*K@ep2X{Vq z+Tn91eZBHd%bmOa^Y)6~XO39nO}_Nw@3&-h|L~)nkC$Dr{PCh4Up8)@Ii=Bj;=ZG= z-7>D~`}5aKod1+%f68I1*A=I|aYMx`6^E#=pGSMbf6we)Og-}9#Nynw7u59fEgdpq z&e|J_Dn>0?^+ZFQ$_bV?hyXC8ldZO*-?S<`pT?L7X@{L16~ zKEC$wAk&H!v+kcY;^*ldyU**1H>TSLkD>$nFmMO)c9b!(ow zY3*e>Hs8`tyMF!k!xvt=yU$g(XP{{|<-%2$&3ZcFUaI}>McD`M*!5h-bCd3@O5a_y zeRD&nE0&C2eO1*uto4*noN#E@t-S3>>E5!G6>t9epB0mKrc`bIxPIYJ7aq%8aaRJL zaPM_rZu<4<>C=Z*9#8J_K*GX|wcj0HKltkNe)Ip3;QD@lVz-Hv$CE#JY{k}H3rBEQ zv@1Dl(!0~F>x(a&bH^hyd%xk|@Y+XP|M#Px9zrK6Ugz7^NJu&;@_iUR^A9BU6 zpI%;H-D%F+&z-B1KR)AvTmet<+N4|T;(Y@PqM;!AXtG?pa9k{i0!Hr;f?Hdc9@Q#YudjVS<@5tb?{j9S4;uJH=D53d zbfnUje*KE=M4e-3_jmu;z2&C?pZcF!^5)@*kIzqZ%pSOY@VNa|)hBx_Uw!V^=cfHa z4qH8O&8zR-yg#wqT_tm8oOaRHM|W23T-R}Dcgc|SL-O^{OgioCPnYf-vVPEx>#aBM zet7tz!NV#(os>SH)A+Kd7WDi0n&0kuy)x;i_pUVGb7#WBw^y9~^Rk-0#lK#9gzWxq z?~9)sk^JlD$GA_IZD0G|SN_i~yk-Bw_ZlufG|%7n*O%AKaC#=xdJpX`ymWrT!nYrG zJf8n@#qeLem$iHH#Y zvg-<;KXLEI7niV0Yv-(V9;@B^wteAi9rsOLzw4&Yo}c_x$3(~MSI>KT=b3-@cTDa+ zr-!>&1)Ji3xXSk{`2qRP75-<&KlIf-^|#&M&@tzwJD>Q}UVn7A@YS8$j}Io(N*lY> zw$Gp3;h`rdeX(iP((Y%KrM%T=c7wCxflqEY()q5jZ+Edjm)MJ1RCWK3b?x8!^!cB1 zHdX&;%(~ydIDF-IwY`5Zf15w?tHJ}{rW|H_?Q8$kr>lQrcm8oj-|Lf}>-+3*=blcp zA6v2RzL}OzC%PRNz~7SpaNW-h`L}Sn=jL~N=d=$TvtJ#4)8r>QO*?7!jaoe73b(6* zE&9PN{M5~#BXpgT^7B_mzw$dy4qd$d!XxcAxi5USpb9b1rX|0D!xafxTUY<^h2tdA zYsR)~58r>$iLBv&Bp;e+-|+sPc}FkYyWD>7p4)%yf7z&U8(-^ezGq&-!naE<{x<1} zp8Jn|Kj4P;rAzr=|CpIlS-bF#Mqi!1wfy?-C$1lUarZwq z{CaD{1&8PZtMX4=(f`kyC-Y!y!#gKskA&*{jY`l@Ba4e@!YR()IYK4>Me8GYai%7@BC+b z2*+n!x@QnK;?RjJ)9&A2I${3g)bBPwxqCovHb3Wn%jr)Jz4(pSTveCmoH+SwUiHA5 zFB*D2|NZP&Grs%!zt^v>KX~H(Lt7fpf3xW!Q%ub!V>jV1H`@dVYcX6lPKQ`WS{F&Je7399;{RjK^y?6Ul zsVCYkANM#x`;R|2cFVijx6SD{)VZhY{C7&GE-$!h@UYc6pC|v?XK%{V+}GwjYTEhV zr85Qi{f{9mg!yq5CA@Alu;xEFoC|Kfe^hIQRHA2eS4OZHoD{jqb*d)Hi6xu@Iw zF8%hv+J46x=AYcZwd}T)A5Fin_pw2H zcQrES-*!*Jo>9B5P8pK$!erRCqvbG`cTXO}IpRqw0b`xKS=$B9P|FL=p$-u;73>b|-@X6FcJ{!t8~*54^V=sG&kwlmm1}<9efgLwPl|tE*Dn*7uY0{Fb9wbwSN1=0 zFyrg>`Gp?{cZ|&Fm^{Co{k_~_mGx(iANu>%w@kN-IQj|JCQ8-y|A*6lv;>3cR^ zm^*aQ;eFd5_~6jm#@F9GdC0%F@9?V!emLfp++(?2-ud_TtG_be|H*{IgHB(O(r(wA zohOuj{-E&0nu@(kCueTmwI=J>%om=0Y|_rRmiKsncZcMw4uAHl`vCvTn%AG*y=Oy@ z+lP-$a?Cz$>yAAQXK&xP^aC>U-OZn${>a(&cWoWfVZ)$jHZO9_nSO5x`_8K5PMZ=; zgL^LSUVF=$8N%`pkAJ?s!};&LF!a~PZtpC+liNJs^?N_x>GM_`f3U;UnR#!mD?ack zbH(uwK7IK5W7|7Cux#PK?(Or?ogWNeKwevUY+d6;U1u!*B>joT=dS!?NsqJcxcRA> zy~{c+{$tl|GaD|g=`iod`_7oMPRRaZ_rW9iHy!-Xg)_LC2}OBR`w0K4`zGP3MMuwl zEWKybpAU6xygK3ge?LED+m@_^n-1S_ zzw_%o^Tr&msGh#=#%+AgpWV*7=l=93yWf4^g^kyDOz!B~*yGcOQ}6h(=aCsb5`W6Q zpf1(?!I1VN9>3H6-Yxy_u0L(X@eW&@ckSy>cVs$@-TV8_FIF*g&-MSD)v&$q*%x`g z96I%ZLGvE7JpXC=1J6wFIPV0zdc&@Di^o2F(!O)cN%GL^w`X+im^|Np@Y{nA!Ty8J zI9C1Ufa=2=F77aPz@)oQ^lr>ddTsj4rBhz%S!4fg%~Pw>-`bmzUf1==HI8#XytIzq z?3}k|#xp~{zU*mJzpRZt<_=$RZDW_&j%&aF?@J4JZe8W9I(KEm{7die@MYuLJCA>H z_TH+eYNziRT%EMywuF=e-!EF!XH~m>!{?s6e)`M~OLBL6f7-mM?)9s)(_Z-F#HSBE zpSI%UQ1iTHA6?z6AZ_YVIC5#%>vK+nPQn zrwx4W_c7Bxdy#tQ{Mo;r>FATtCt=u!FW=Sf;SXjVoVnSte@urFEBST9lTG8z=lidp zFw*n9GxbEykxMV-kDmB(N5a5_fqQ*jmsZ^SdN?)EQt7C9TgUV5TWzlryJ{_G7Oj5()zPvN53 z2@8jJ@O+=Lsd(V8=WVR>9P&@t?4JACp>3z{Wp3NEcPD-L_}$y5AF=%36#ocF3SWJe zKJJt6mONDcT;J=azA<_QdFv(VWyf>h&v|pMb7t4Zb33`Nec*{jbo=AfsMY)p|M%{_ z<1TvfzR8cDpXivKar=gQ{l)JTfABEexTpQF4LvrWHhgLB3!j+=p0V@b;m++l-@oI_ zy`xsI_{h<9(>MQF;jd5L_1m|L<~cjBJF&4_?g{RfyGFfm{}%U)CHH@vwkvrt<4T|Q zfOjM9==|2cMW5f$*#6>931`h*x^>XWOTRedvB_UFF3zbi|9r(c!tu;qXPsf5cTM{d zkIzcB`oHEDJ~(CJ?;VyuxbcP&-f?p~9IUSQo|biO-OiUkIqJRD+hOQT+mUH+{by^! z#LAj;S6wtW%W=nma@&&=yr)k&edUfNyOwy5tsZdqUAt&-Vf78)ZR)n{jg>dOSNHVu zoqCy17PlYqczcW0|H0-7e>S*&XD>bY^8Zce|E#;}(EbU}kZ+AkpK-%8?f-ml@yYb@ z-!|kNa}<0vW6C$36X)Oh(&Jmxd(UFh2i-BP%Z|k#Ea>)J!lZqND@HaPdiRU}KJt>| zJgU?*-h9rpD<%zm@ueTvtnI$N&#{_bi~7u(vvUi3?nT#BZ|E`i_JLP-OrBr#$l9Hm z-8cW-YxW=KEWiEGv;7vFT$(WHoce|bfBN+4SFZWo*?D-u_4g$#e7o02yDKu*AIq-E z-oB&py^l8g7WO}K@sSz1&s=}^Ka@7BnkH*}x!(w^o;Oo0PCKt@v zyW)|AWx_8#j{Nxgv%CF>N-0Q{=vDQ@hNrgwE7xTiKKIj`{z#e9Y1q_;ZC~A!P~Cpt zO(*F`p8o!|?H#(zpZwU&-V54)*D&J8@rNIIb3rxn>X|v`y}hBwy{|rES~>Y}O3C80 zx{mn%l5an5|ABeJBQtw1xN^=7+a8*F|0h++v)6XW>5y~tJ2NgHdC{0zSI?}NZ{O2l zjep4_i?6Yf(@qxl{`#9SyBa=A9^LDv z3ziq8(M7A>i@xY|*{j>$-+hgD-q?P>?Rak0wR^9xwkDh$llk+SaaB{V?l(Vq%Wcbs zclD%Pcpb>z)8%@2I5JmwxvB*q?u5=H;fIKRf@5$IZphHWb>P z-+IjUWvb(n?fV-O9H%eZF@4Y&NBR-4>Hn6VxbV!X?1!Gc6rirDWubPs1Zba`%;W_wD$zF|YAV*RgA+JUTUN<&I~P4_#id>*&fJzdW;k-s!8_ z9k&n6+5X9ztYhsY=j6pNJ-#)w_q|`apQK*7Z31`N#-peADgFFI;i}Z`_nrRYn>`Nx zcyXtf+D}~i%oDG4``vZh1G5JB9=c{%R_AVY!zw$EF1YH7j>+fm=so9}+=ba)l0TUD z)F%@xUvc=J^OGOX|MKGHXKr8q<<#6GkFW2LGsE}snvHM$ ze*KD_8@FwH(f-ibEn_xZIQ^$S<~0TFM-<%H|A+r>c&EpTiSB*(?3|SS`DOKN`seG9 z=AQj|*ZS<`yO!j-9^5!%bA569&z5w2e&9;y4QCI3_-N)emVxt1AGl@uZ&U9%X&e5l zef_pCmUY;+_qA81?7!!(arBp0Ed0NZw;vx?@WP1pBMSaKe*2n?hd1xIAUQj8+5`Xn zaLUlLK0NSY<=q`N-;~?^*>;z|W!t&d zg0`oi;PLqr4z<6%op9`Ua>A1vdfayV$m#nBk7N5E0|h@k-wC|1zGGuv;!ktle)f{Q z8Ow?~lr}CHN(}B&cb++I|Ngr&s55@M~MGc?YECi?U;Q2`RC6+^U0aL<6im1$##XK4}q?me#~gs zu3c}TaJ)bg0!aCQ^CuUl&dzl zg3TsYxYlp}u3fu!?TQLZ3Z5O}xbd&P%+mJ6{OIm~NhwdfkP&z*%{r&XqmPL9KQpuR z_dheU+VcOj%0ogQWJt(3DahMR790uBuDWSy0)SJJ>)Ms*M1f?J7BLWvl^0l!a6_w` zW!*F+d=!r(pO}Cg-oOsBt*KU~C{AU8yiLCnp`I zRc4Z8|4PD^4s+6M{ZlJ5p)Ct$kq~B)>HS@#EsIFau%)FtVU9^jl41vGscET})HF+4 z=4hMEo|$F0h9z?U~O}?RUX~^7vnxyXo7RYR-6A>wp9K6&qz;ioByrx z=;A*}v8C+N4Ch%t=Y&c;FDVqYDw(qvda(d7XAPswfk;U{za5w}%t~N-FJ)NCmKt0u zM|?4bs3J!B0<~(qJnF@5R({u@!uU7Cl2C>?5d6yy(oZ2Q{s!Z(n*Ux%Qhsl|1VF_3 zpBkk9XQgGe&HvVT;x+#>g6BY5#F>*5Tq!Hu#L3W2oUE|ZKkd{(;%_njs`<}*37T%b z^*?z2XJod`|5kba()k~Hxs7h>WQ3jnwo?a*zs30D_-|rV-@tY(1&4@ko+yYg|82J5 z{NI_`ZSmh)Wit^zpYqdYvu0XTO=5I%pSVvK1BSa;P8Fv#84wI$E2luG zVBsK*qbRDQe2Y1iabR#Uc%}(}#8G7hLyF6j#JHLS1EAOEA$W?%nT~4&$naDpMN@*9 z_nBn?FAxk#a3pVWvR)re5sVXBO^|U@4739`EBI)WhxJ0cCK12NuE28c6cgn{SjZ(R zDS;up6t+kZJP*Zq*3PM#2|#(>s-G5Iz+$td*4S*>Rv+UwO@+19EJtGVsmg2;_+hdH zf=ye1_)QX3IO3#54s>Z!QciQYHRvTM+8#(}%nw#Uj3gg6)eI5esmeo=qnv|D$fM@G zXo@pd7pGLvd@u#sdlY$TF$zX6K_LGtr?yko*V&5xY7TFE!aWh?e;gu#hL`{8saZCi z{7*|wO>eXRw#w79Cm2Svl>`k6@I;pK;QI)U@InD{IA=#G4GA75;{+c-@DPG305mHl z=fd%L^_7#Q473#E25L)lvJ!q>%96p0_1z*UnCDQ(`F@T=>qa1zfIBR(cJWOabW^;* z)k=~12{$bD({wp>a!^1BnZ#DKK}YSNuEEq30BsX?;H{PaE+M=yP(szD9lr&@qAENB z){0-1T9PR|pC))7HCwLwjni~Uf?OQ}TtrZksHhAFU4iur$z)OfV$sYg!dW$c1;Wjz zAe?bic6^>EqbAj*SluaKa5E+V1i~%r1QrrjQUqh^Z{cz>OgJTCInMP`3y1)5N?Dq6 z){37Cpo{R+0uKA!Cy%ZsYWY5Za!L3J1Wtw3N6e7YCmBGRhjP^XK1Hq)Rw(5l4;i74 z*qlNI&6$IhVpB-g$*1^v$XVQeii9b+13smvkAoJUpQb6sZ4uw$mJkOhpxS}DE3v0h zK2e>aYo&BHh^YX95~HzKVim}b+mO?W$#KI8FXVlM6Iyk6@y3V= z1V5EeQRa@t$C4IBJ4iv8h{#!d992aK&?1j@ii~YfjIYAC=tVfbmC?Z?A#i?(1`Q`C zz=5@CYN{A^A3~(HaRi_k7t492oE(gtd9!CvP$U4s&oMk0l2<+)Pt20M;vzu8O26BU zbD=T7OEDA)D^;`zr-4YNEx2Por6+3M!ZMahg7;XIc1=L+!wzs_89dR-1x^lVkJdjt zGKw5isf==(Y#>0d4>2c5#4=A-)9@H_5KBiqmPu%$^~8V5Nek_|9#NZ7_9iwazt%K} z+ALxyL8Tk2#UT1DhIucAoR`AcX?eSn4b}qzTg^aD&YB{pSdb#ad(r;c$5IR)^)f$` z$B*G5XLs?#IM(k&-3K>r(uY=-#H744H;8H`!82Sz3geg$g;+`j>}^mA64<91+6O|_Xcw8U=$5R2Ju z@|;d2Et(H-;JuU*$3lorrLws59yKcF*dhD^>&5x&bydX)MX?NCvBeFw$)wuN8-nM@1Vp7O(4R=_P(s|} zxAITK(lk*8%ftqG(TXW8!F(;_^l&W0`o*-NlmNUe3GIMok^$>-CF4vn0<0i>KDt)< zB_>ivD=y7C3EDu@FtC*15$kWwN|Dl#TEy|OR1>t-BY5ea!^Y%W#^sH)j4T{mI1+&! z04^WHW(Q{0$F;$Th+nryL{XEX@}%L?-f ziVLk?vL`Q22#er>7LH{Fi_DQoqrxc-Eu5cGWo$q)L2EkF1FZ1$Uk5IhxdwS9LV+qJ z5mw0!v>>6v@+)zPvddr4r(!G@)M*IuH!;l~PMJwDyZ{LjF)`{1cfnLq9Lr#gG8mlw& z9)g495WmX>Io@ms=FHU8;vwb+^fgaX->52xRyQe|7x4K7F$bS&1;a_L{R|03dg8oZ zDL~0-6-32Q3!qc9Kc(;j(gk#DAzlad)XP`nA4EPV<*f;(V;(Ore3gCypmhKjtdKKZ zp)IFDtq3IPYfK6B(n{(G(iD#BNzgP~ZIPrgZxL8aCA82iK|(T+%AL2cf(LRI!9y@u zVw2(qP1O)i@UA1JHp!2k5orn=2K|BuGJ?FihGb8tn1B$^FrT}^Q%P8*F6G@K+L_`+ zlv0j*U8#u77bqT<@qo`gypqsz38=SV10hz=#MG%YjTCZT!0$aQFDS2ZA^b*Hz*`$Q zajWHV#!XxQG^;Hu$C_$QO-aiDUNTc$Nt7)2`1CE@^cFR!(ZSZ<5FC%y%wQBvJ+)0M z5ZEIC6l%gKA5c|YYm#&qPc3;h7a;M2w$~iqOiKlD@>z%k7$5{Gdvhhr3ek+Z+=PC_ zrHKL=fvd%a6pILymDJ2RlMHOR*p6sN_SROQw-sXJR^DR=^^$=Z^t>{ql44SLkNg5U zJuEO6usG$O;Gr0|)oeu5D3A>~)*2Y~Fzbjf>PJ!a2@;V=!^wJ;T|N(Z$nX>*xZ0GM zq=OF)LN&`x1q97v)1e9=z;YoV)PpYRa+*b1xBU7gEm!1gSxXdH0BfMrFC~7~Go17S z@0yigTHRB&^8iwwI242QMwTI^B(E%qlVW1(36S$r*l^+I2q(lQ#Hef)PL^>(pTMUe zVj;22r}$X$KPf%sRw6UZ{%;wLY{tM*rC5y;V^u-d8*2Uv^N!G7ulsaDp9VW~8T?v?mUDlgN^=l;s3z zD=+I&BUyqRLeK=`M4L8-1SN7gH3)o^#&?C7Qf1!4Kmie!V%+k(l%A+X3xWp$9I(2} z5ZWc^OQlSz1XBwLQoII%gg@G+ifOVzwTE(gfS0Hhb64VvIiv*ZXb+TdrFa0*U)air zl`PqOoD6t28PfvR5MCb*aY}Wm8k#}ki5y@VU@eo3*enOE*vA9yPXn;vv$4QYfS$B! zY9fB67%9^`%OFOLBX#ALv5sM>lmG~jnO1>SR4Nl20Sf}qivA7ar^tproUYWO+L#*{ z{G2rFCoNKTTn=rQU^PM0DLpyJ3moMXEK)NrmcyXSkjus{V+_hMq-8iCx_DM&0k%}D z_&>Cy8}7PF<&=j47%Lj|rISV=9yRvt35r~@xg}Y1EGgO{2C82TlFCa4a zqe~vCx0NCVAz*12-JD1R@*~NUPZN|^vTCb{Uph8lvDwR}dZoom=wdl2pUTMDpetEF zLpECq;6*J8As}(3Z2rJ#$kPgS?<1tV$T}$T84`j8@At5Atl9$^Y41l;XoII5vg!}K zC5dbTVl$}@2?c$GMh0Ny5oJb#f(HKp7q5nDZ8IqKp7;+aU3PUQ4F5;JT)EKLC!GBK;k0y z^!rFcfaL;52+&=tbG-xQ0wExTkXXjf4gxP4IC=G_U@J#-x&l(lIF`oe7rfLQ4~3MT zB2X4ygo=W^NeiZ3S=P%~dWjAR+iUC^=J?OL$7Fz6_4^Q&rgxCQdd1X$a)fL0W^4 zB}b}D_*gQ}NVUids6oLDGFEjot+;MrYo7Q88)0RDqHD~k8L@?6HZ4bUO2?&mp0zP) z8hp#M{Vsc<`vR` z@xiARj6<4+q)Fl`$#^G%29+006G%O9vK&$v#MUHxBIXj+@uGx)w2;fjShTg%C@nmo zvC1d<8};l7SVn>Zsfx+!vbb&3oDUm4J0>DL3w4Z~c zJsjjcEKS-$7S`$TFst6$OeO{5*ucqb8E7;E>V;@?$pct}SOFglo1}NfUJ|O?P@+Ur z*=URmFT*whI9m<@O*N1$qEL=3ZG5z%yG?r+P<77OTi=?WahEJGoguFcdh zgAY`e5{aAOzG16D6`B?4sgkP|5aAvzjs_YVzUdxo@{Yu!420sl zmTJw?_{*jSIe_VWPTSnTg51CiJ*46Qb+C_=ytgy*Dl=e5y>nC?U}~bs#634%(gP4A zbA!cP7(r(&>Wqb5C~+4;-~kXUfd4MA;lo3Uf$~AVky8gRx)}$Q2hj`F1375I!&Jyr zVU6yux&IOI{*P=&;!{dSjV>&=3N=EkeMGqbnH_xp$CjSjcK@eUp1ysh+dXKx@DT#m zf~!3gEgo%Qen9$dC6w;)&}=OvLEpY6llt74U{HNgONJz(yXlRH5CM?op2Ta_==-`43 z?tC;0+|tpEa!iTjzBv>`^2w$Mkr}OJ5?w_l29%B}A3dzBu)Lx)ue^NRsIr3GUWsTq za|$%>O7e2ESQKRfgu*B!S$JiomzcrAf+;-9_z1z1Yp%1Bgg~eqa}+PX1~aG!l>`s7 zGJwTGLMKbYBoiWnL>(k-G0P}E5u9JoXHM4ZB^Xk|T1E|(i*gjDJ)_0Kd4a_u2(`dM zp17X{fn zM7u^)MoT`>!A2WFGr_R)yv8R>lv!%I6n0Kx0nhpcUcNsnwV?5?2%50G-6Tt7#cRYY zpX{3zI!aqgD?XG)kf>x^$*6+DilS1TM8oFOD5tAdPEi8%@)J`hTX}&H{JfPQNe-=q z_?`5l!JHHXLg}co(K;ZS(mmQEV%Ed`$*u+sX64i>%8^f!*D%Tj62+UlI`)?2FDjk{ zKtqE{2APe8ki-b;$=ypLKd@LZDS9ci_-iJ#$WHhgn1-j+J`Q2|O1Wp?C2D~{Ooe~| zE?5n`6yp~lZ|sj!R4O?}DVLkAN*I}Ogy0nIej-ERNo)swH0y7bGfHNuj&k_>Xy!PaZ8|7T^(9dIDAbpkzz<#1LQfSHX2ze2DQb5)FeETR`effG|dh2 zOpBV4o65%l63MI_g}(c@VsXXT7eQ{yjtL^WugJ?NGR!9OIAlonl41iTlYrxJa=_iTW?*icl^*~^yo6YrrgKk(e zlwwF=ws4ask^OqrOCi3^Nmy|)jms-5DJmJJI0fLVxFi&yQ-CB$RAH|NK^ppC2pSra zl7UaUfUQKQpzxNJ7dV!2)3tzuNOKVVhy@l9RV*dn^x*=K@PJ|f0el=w`o;SeDszt2 z)Q@6ZtYX(AStoB*hYt$e!%p$A)fRzG!9Ky**T^FEVnMxFR3$az^VjVEW3c~Jcp&YA z9B&nTv4w&OZ~sZlwxwq4>_2H~skS!zPis7Nbt!#873H<#^HLW@LnQZey@)JM543~6 zDGd!KRLWFXiYYJk}iXbeprizwYv`kDfFMV72r`1YU=I+Mav zCa?m^2&vWyedGtFOvnOJQ4A>o@{e8^EqiYCgQ9{{SwzHEH0yr=R?XX(0rYVcBe;OM zH*e|9n{};;{l>y3q5nP=xkvPqGhm{o4{I+a3W=(AV&qXsip;eUET|zyJOGecMAzIL zCQ`T8RK5|Jr3?ywPBbYJJ|D;WI0`d^5>FBD`XpnHPc-I)7m`}LkJ64tH1N<{1-X3I z>qA^*9+YddW>`{_!9bfe+mdPq)_lT8;J}F#$nMGBi*1 zYO@smOjTZ1q(jwE6m6vr(yoIF>Xd#(at?>I7o=HjHo*IR*bpU748_k82j-A`)sYIW z9FHntAF%SR_=N-B$@*ZjsnRb1sqy}p7t*Y@R6w$jXZi?oXMhrt0ndVJh_6iH8z^2M zEruM$;+1k)FkjQGn{rxBc{I-^qvB2iHG>2;0nmPc#;h+3ahjN3E4$U>D_T6hAWAUO z$$DVSRH97^P^X*+8GN*AgVaey<>CSMOzF+rF^7h$tsh)Ga28efiX;r*iI%A%x2m4Q z>K>ZadQ>9UD8xj#*%R3B8>~bUO*PwReYgnqV8&EWLm)!~fTpOvk4P=5>u>}^=FvV6 zQR4RkTWXW2sfkk(4Q18Kc#Kq5RgI0zMioQR*$6&EN{1}iVziczU&GQja7G&==c;T^ zF>$U^FC^|^>|9~V5Dm{oMHBT<#Yi7jRRna*{DvzLWGrU^Ed6T%BMR;|*6MO!lH z;(M=Ap{%YD5nb6_?9-Hv0ae*GQ3-1k4sE$m%rin|MU81jDD@)Ca!t|D^Ch^&X!aPA z?if%Q@mXvjo}+Zv%@>Hs7?zGf@f)MoF+X<$$24N^g3nyexQ87gf;5|5W zcp%_Gc-tK=Bcjmc(TI|mhSb4mM9*m2_;-OIOyaRYSWGnmvWg9nH4dU>Xy;B8d~~FG zy^5QvIK{>f%OOjB!^g>M+Nhb%~iiL#Q zP+7*LGY+Q}nRX%SML|4N(;}hMDkPJ{K#cU#%cbZjA@$WO80=8mq?GQY2y2kaIxe+? z-K`>@AE@pNn*UNY3~NO3(8F*;Eu@Ks(ZW=OL?wfh!ALejH;krwAmw^po#?bx7w`#E zFI+6AJB(3Xr3|5a8e+!YirrWg>tKaHxXFId%sX?|8vxp_wJ zNL|IFb~la6@l#>l=EK{>&I1FgaX60bZYqL25m;Oxh4l%BIjy|D6sxk3LlR7mZcCzG zQnfMh!fppufxS-Ql{3tGX9;V1P~#tD6+n{)PQ(5WVX7r*>ghM0!QlianJ1aeL45@n zI@)#&w%uW|k+~+UAw+Hb4+IDd-Edf9g=!&~Vojr4cv)VFZ^2t-U5|{~}Pj>uE3+FYd zlnn0^`B%HKw>?dKVz~by+OfQZFVlq|S06(K?i( zA#WW4%r(~tLlt$DZbdyrG8N&rV zkfQ{&SZhkk`S?_YMeJpjD5{agQa!q|);!6g3+e&IkZ9MD7V4}e6dQ<}Q*Fz3X*Vt! z7kW*FwaK8DxKOJOov{)URrB~NC~5}O1D+wKLZ|2jl#5;~>V&~cA6R!I^LrS&smsMg zv!JP=?B(SKMN);Up>&fGgxOzv?Xd0nn>;bB|GEP$OVs*6g!SK+mZ6XTm6_R=|G#yf zI@P7{5DI{lEv#?o#a*4LOSga<9-k();PP#J?E24G$8jj1h$AG)_ppnNvI>Yzh8{9w#>v&Hx zKaEEJx4Ne{sFnwf%Y$xJFm?=S(QTdDqvTXx4Z^JhVMj_FA-p7AWhAB*uM& z;7JC(Dr*JEtK@iH9S*f9eg_Q=7{p$3_fU{N)Pu^b49Gb3zy?e7$O~FDEY}dzLTAyg zblQx8VmqQ07@vNIY33icD#alGC1(K(U*(L=0vJ*LXX@pDT6T7NoBVH$M|a95JA|mh z+8PRENia2C97`RY%92=@96=>Pbi|ae$f=V%YArLo4>|)mvs5-6eG_s}HlPXb3a5py zpp9gh6tb{3FN4^RE>}Z1;EbxPM5dU-Q%Qs-vP*yu&?9Dw=x@u(mR<-1=Y|4KoT(}* z=QxU;X+m>>T!5t!R5;SeKT+Q6pBUu7HkL^YD?r5apNveM{7=uwXw&~&<$oNVg)aVoDHvat8DWVuF=c?rSk8L2`mHpHTaRSKRe=U>UA zX|@_r3{EVn&PgQ+YL(Ouya)}I$`MfGloMr)>p(ph$9lEh>gXju26PMfdc+X%T9?GA zseQ&aX7Up?pQ)UGLa!Lj^Y#!8UvrmznYKRo~Au9$$!lKgwx6T86k#cAcFi)&CE*I z@BcD0+vI<%JaqOx8u9NL~8qON9-eF{sjXi2BfxvV=ajj^)!+(T!xkS$}7A@QlN za#rBe9RNfRy`1_vU_A*WgN{7(!L@Z3mT1AyWSb6D)+M2i3{Z%6G*Bu0YG7T&u_9!H zk0oT*o}e?97Bo%%Gtbpel_!?2Cfb(*q<7ppD=IPlQ6EPxd>pQ?&m&D!%>KpI$ zK+;b`PVEzd^fc9LQBsAfVGdTwa32PHnc%QoD!{Wss+b~47?xBNyg*U)TO*ewgSuK$ zMW^LTlE&qt7)nruBbDET?pmqS^lk-~hMb-gR4+q!uCCdX{sqW+DF!z%j3b<|6mk?x zmP04YkZM@M71IdAC>xAO7wGhJlu(;5hA+@3rAJa#Qy?IPT>LPO_4_nH>06V^!~%|y z{ZI{!`n$5aDA}eW?fa9$86hJ=sWx>4$E?yDJ=Ebjf)GKRoUf#FRG*`Z3k3E#cY3@m zX+f)p>i8Z{{m{}pWO#O+WC|CMOUf7?5LX7n$U&a`&3@r#Yh_3 zi593-4;X2N+0wKv1dR-Olx+M!^;kekCB>xh9^G4uQ}?1?=NjRiN>ZE@uF7aAy@+2* zMSu1b-PmAg(4c|r)YPUn;G!5Zn!3Q^MO5+$9*_zwUZO_)+XgHQD*%g__{_>Pgpc>I zf?4yLW_h8Xi}f?48PtPGItT!$AviY=oF2BC0hY3GQ=IcNdAyVp!ybz$0O5oS<`%hS zjfe?m&2SK@8WbxQBLebzRuSi%!B{BtwnsA}y2`x2GHg}pdl>2H3?m_8QXxTP!O;XU z@pl#qv95DXWXC9(&k#h&R2ehkkfPBgdBsH)1%*S#4AU_czWpeTBF7M1t>k$I%r1iF zp*}bs2`l~XP<~)?e{$yPYe!a$9W`=HabZP4QJHbS<|w9tIZ`L3qsm5Cl#D4JQW&O} z2p)pkPQpa|3OPX)z=jp%jm`^6=HMHy1%yBpP+Tag8jf`^9V*HSOGg&v=Z!8JRZ>wr zs-Q3gDHNMUlueB(4@K1|oH&dlIff&(pNDcXt)Ubhk;OEi%8Ak|h8B$sg?^|&j*?4R zN(9%HU^X#|xfT_aMgR`gIGW0j2-^r)TLxXhUnAK7)HwtUygkt~71r7#IqfuwC-X;+ zDIZ-}R*_d)T2Yc$9AZ#H*klNw^0#&m9HO)0JlxmtQRSn<2)S66xX_(M6gi=MtR#Wc zGLs?B6QG$)e+n>q^vtdEPgWxwXiu-Y%j#BXY;Nixm=kEK3Mw&!jkOI;5iO*!CSYa? z0B5kv0U>ufz-YIl0yN5a#rg&jWT!w7VFl+W0nBtC+8iX6EWZ9#oAyx-}BJU`mQLEgjCWSEBZMfFX&2#WS|Fq)?H zMPuJgXd{9f&u(p*)|=iIV1dSS-ca>33~g>zZ?>{xWl0@%n#Gg4wwlV6x@MZemAaOi z#g@9Zn!uN#Z5mBeOd_qc8iPnA#UvU9G|axua8~_|j5RU>VbF?8RICW;gd&fmF056U z0W}y*R7VClh5`Ls1O$x`3N#ARHI-sbV14nJ3DyW4F;+FJjcOSlPzBcvZ7?%{Nt7fi zArid+iB5QkQb8-E0vmuPY!VE}dI~XLc=`qLol~x-C1CjdRZv>E=FzXE#8ylqt4V|i znd>b|f~YSqL|CFiEKktu6KV@6&JOCL=`iHf=Jkam$pW<)$O(z9-$xPxEEhOJfbLq6 zv_Szyw1rghM6}5h%Ak1p&m69zvb*G1nx+`{7+k~-7(Y#$fPoK06gq+^!t!Z?@{X20 z4`nZ4y%!D$9;P7w5p_pFo>AhXaUxMuHbQhmxu6*1P>zdbn4uu(99r{2?T-QgftAr> zmedP!ZMr25Vu31J;6x8!BfFOY+Xl{XG&`Vae#q+;Qz=nJXg!OXZs;=-ACs zFtaX~IVlna%O{lN4=)>4GHOhDMgFMb;-b-ExI9##grL5oT&>YEt${!q&&aEnx_id& zEe}AT1Z-&L)tQ#OrVuR*G0TXSmkVvz30mwrLDT)_gXmH)BqZC!;uhb8B^LXI6f#wY z#SD5Dd^E0U28lRpvbjq971W;DDeh0qpjT3CerKTVs)qEX?W%@~McS@vv|ZI`yQ3S#2uxb)3@lXphG${XorIxMz2rR%u;*f5b&7)|Fc&d^LK_}&^1q4u^884B`7=T(%C8dH{E zSTUxoD5R~y$5D*n0%m15WbaL;^yaVTdD_d8Fqfowggu5Ngzt;AM@mXk5i_oqEj2Es zdFADQsbNbG%s<4gWym+-Y@3Eas(0HhXKe8Zf^V4q79jvWahcG+HHiE#K9ROXvc!qw zj@`J)rf!mqTWiK%$+*F0ZJCUl{Ofo0t;|F5++v4lv$m1G8i^>U=3i18INF7L!^8EMl~W|{5QCFU}PdQ{8mHp0>!xTb$cTs>kMd0 zU14nCn!Y{wc2!h;UBAeQ_8RZis!a7+OJBISQiO$)yNpPJov|Gzb!aOrxRoX}l;Q~Z>@%P-3_@gjRZ z?MI7qQK<>7TGHQkP{K0Mq}kPlbb9i|=Hny~oEr+_rccwB_BMMgB#nwje>Fq4J+1o0 zDE~P~kg)}Si9-HoWoGN-e_C2*Tl|++d7`_&(K4$9Vy07hg$Pp9r3>TnjMEYnMn&!; z5I@CW11J}wS%Mrw&;;W|%a!J8gQgwxNL4|zw29GHHUvV~z5HpcVOzAzs17!vvIx`w|QcvMaXKE+RJhAG7GkPo(_+=~;UH-Z=|1ZahxmT8wJxZ3>pk_Rs)D zWxFW0r`kOl5M5WeiHm95S{l5TN0c_$ zv9iT7fENgcBsh|{I9accrjSl&HJN($1fxd|C@33XGC3R$C(H0G4NbiOTB!iV@B%^8 zsBR?7R8;g3Jg9__0RrR&(a*k`<)(@-lng5>84rpWL?S*J zI3XukBn*;)i}piCAaTE?9P5RG2l_F02&@lvkLfXFL}{5810TndR*FqY5_zMPgZL%@ zPYIAWnJgecc3`vG()yV!A|h#4o2?&UIq_GzHPuoH1tJ}NFC7bf99u=9jWOf^@Ao0q z8R3jz@G~Uj=vp*H6yxFuUf}#r!Oua7zc2^N1Bl6G8qF%4iC&7N!X!aIB~=zH^}yk+ zwMZ`<_HZn25d-xFiicwQ(Wpo9vZ*w_ylUEG0(+pEOfnlv_{y;}HJ)o|&>@&uN^pc1 zA}*Mm*wd%{NCG^>GYrraFYvgTz*iu62tnphxm8F4($9%R#R!Vsm`sB}-@ciU$Jy3LZ#t%8*xyn>mxIKF}|S=BWn-Q1r_}OwfuC>R5!mNwrP&z!J*? zVk{rGr+FP?L>^;A$PA2|ElI2L*Vk14XD7;G}BJ8L~)Y0vrrQhlDFq zZ55(n?`t^%{i!BK;AR+G1v!o)ArBk|m6QJdh>nr2_ZTB8U;YV!s8acFi>T~~C;DqT zwEbbb5bFYRA;}FCX(xUjV$DZI3)x4Q*APS3K{SMD;SrVHo{dM8AiWf$;1Xh7l_r`u zt}TM7WI`-uIYHmD22re=snL^dkLW{O7*^eJ3m~dGcGnMSJtzx&#FNx`MAawvzIcpj z{1DaWBQS1Lzq}|5i!@V_@Ig8g+Bp&&N5pN#sRxdUlN}(DWFe0|j0uty?^y$%AMGSX zsFA1;HA6@OA4~E{L5Qk7KtmHwK~yRZoT$9G`Km=bIA>t*fh1Mjo;ZxCc(t61q$_X$vBv;&$9hv9Y78LDa|cl)y$n)c{evlD7C$4;;a_(W1s!g{VNdqp4;VpoMIj$R&_P60$I7Z4+!i+fwZdsshBf=UQ@*tAV!Bt&u4 z^`^;Pj3^Q&qok!iVl(xiT)fg)(S7RZ_cFmT!koVJRVS-^`8Bvw<1NjMYdvuA0tW@Brzz|k7E!~M zHF`wjyu8)}M;={G)P`OBVnsA$@FEAO2RMjPQ32NDk*uV&h_}>J4;-mY6-5%Fy8F}N zTdN1di7L@(F0aryKmsK3-VC@X8e#)JBuH#n^q`Bj#AZX z2KX_68ec^Hm_Nhz7i3{*oks$+A|iywwe^Vl^v1B@{z98lTJ(_-jR>J}Z9SscD_oAk zZ`4*jDDitMA&2H4F3c+lTjPe4F{r>{Yo;&?oAw~s3Rn&Wpelw>;3xrjSrS@79!;~= zkdzdCJ8-a!BN=t!Wd&G4_UT9q2@w6JStmg|@L`yPb-9cw9O_Gx5H(J)pjk%) zBdQD~K19Vjx(A75H5t^6gA!JNc94(#mC-iGjT7vmRf=H3ah5ec%S)KF4Mv)g0bU&Oz|NFl=#>9??MdxiFfM3Q;lm4ZvY&0KvKaUhJ*XQi#THMAiA~LNuvC6s_}k z;lNuqj$n8~a#>>IZqtq{qMCqNp-$7v{ER?(ArK3zyoQ>EM`TdriKseqS;!HU3x&Zr zk?{G%G6D;{1jPWBGxlnW{=_sMhz5nH3oCW8*+F!~^tmS~@$i}mLG++vL_s3SVl%xH zYmYz`kS{5$3`K|<2iprdqJcnWieH@CRZSDm4~I_!iK31>%E-e(M_{bh8&Ez;bZ8WX zE5!qd{vs5+hHO5zh8lQD1vH4N7m7TFh{`QQz&Ki9!;EP24uaJY(jv7~4+CA*NApxc z2y_M_sikBrp_-@|gzmVmp@~@P5!FT&2q|@S!3QXpjGs7FDIPe~kp<$iw#0WtL&YJ` z9qs3lBnNp(#1b3?gk-d?_CN;kRZfJf8r66qI&pF{YGXv59!UCW$QfI5_5I1_PQ;#5 zb9kUs2Z^lUkkEmie3%yOlNxcMCJm?lN!MFjUrI!~&D`1qh z^@vK@$-=6D{z{VKa6FD$d9F&RD(JTW&h@}yHaA&>2O}EE4Z9vs#d690I$v?WR;{KI z)^UE~%(|+G$)T)(2+=%T44`tYgQn967_N_>E{JH85BO#MZGEU0I}#9d)sLUMsZ`qEdW&q?wmXQGdb-qY}igVjMAy zsEuV8AQGk6KJif+;)f{Va-j`wgliJ@AWtgS%E-nKQGul)7iseX>cMEG zT&togUGQmYZS{you}MSy6%#mKfjVTIz+wk?ffZfn1VVr=Kh48}$D0Lh!M13ro7kTR)#fbV?l8-;{#ud?#kq0&Wh_(!lQpfQ^G$^-g2o*4oBq=Fq zjieZO#Z<5@i*r3_jx-8^Xn3(3glTK>ZnH7P{%BDu46$hpxaBxm8REdZBBIeL46$nr z@j^Ckh(@O{G(}^G52|s{7^D%6N@0jmW8mY5aok2UI)x#6jUkRWN*%`u(dZP0CTR?D z;oW#58im3TtHuyNxf?e`qf;1~p)oWQ=eVt-Q7Q~g(iq~zyUoT_fSi|N@O&G_5l&dD zPOEEleL&2QE8&DQ!(&|Kb|7%0X2koYaeLxm2UPN$Mbk<>$S)m}QVhK;SF2=5Q?jC^ z(3F>I89$tQAa-g8jAi=*<4Nn!cwZ-!^?WMc0CoszCi(CtPEx?)5Cpw7e9<+{UIDv>H+?!zHr#`cMZjk9k$ferrz=~L{xQ+(x^ZE#md&fGd_soqu@NJ z6Ri^w&JIlp4 z7;%AzLQ-7r8wNU2_Y$gx(ajev$}RK6LF#Jr;72$Nt_S0AWQkhV4`^yC1O(93N9#-_ z1ah9GI6iTZMhq0HS#GL$qdPLD67QC%Yc&UhXhDrba19Nj*!!ZeMt~ec7_dq`C}5dB z0$w^P4gx1lp&cmJeX)RYvJ4{zK8^2s8ix_p@-D?t0!7dTkS1yk)T4TUzko{UVmYYr zE%0H+rFbCL7vjsexa0KHX4DQw)E7$xVF?&4{Y&8 zRG_?&^$Vdetq0>gkWnFq%JYErx3q3l4>FrmI~Y+HLD7B=j`nbn_pr2HD%FExilMxI zFPe-<*TBB2Ql-F|sZS+>Q9+7?93*i$NCLtoKn{3_D!e@TolXczNQQS%sRvo{MHKhT z^RXc+Rf>$MRM6$8wb)7&2#ct#xrlO*AgO3q(t1#>Ur4p}TWTeZgVfa_8eZ(`q^?r8 zHNih=z5Q)0nUcoyVNiQh=3xY}}U9df=#2O&2T0rtnUV@IgB;BUQqjtote^ z>@)YbPy)+^kWON-AHhRm1HGh}39Nh} zxm?qR==-TkBIAP`f!;R_(Kw4E8Bs!EQuR@rhI!>K4V^S@JUbBnxUM|4aLMl(W$^HVgkIWR^xLX`7UIl6f;qG6((pUTnA z19CTt^Y75--fD%nWe|;@ZWP6_aJb{(7DY7<$H6k9Q60pb$_FsUh=wo-p30U$V?;w3 z1W#p4pfRE$41%Y!CD0hr5C*}2f+aAjgP2qK044;Y#$xv`l)7=7qfwp1{1c>ZROc}N z1gRUPB@Ab1F++?1Ej$R7EAw>Ome;E5%`jOclkk;(eDYf}_Mtzepa7k{L^7 zobiX3GG@y@%}oeC76&_^-$xPxEEhOJfbPf_n#SPbfS1a*{7zKv*ik3cV&i-ni<3o* zfS9AgzTRY#x0jG`dIAZSRq5Lu77GsrFcsG3;vtxrto%9Ip+wik25oh2Z-*5OWjO$A z2(OQZ$+2YtpJW0+>^3-lb*{Malmk;I2M2!6_10RHpw6f%5H77aQOQ;X@?PVMJGyY4 zsvz95d#4f>8=?6Lx)yK{agh?G7hy?hKmZgY9z~OWF-)^cCL$q+gd4--#jck1bE-7%K(WF&Jp|*{ zyGv7Ipc@=pTOi!n0FA`}Dd!3!DVGa!s3p2$*DnHFYj;N$)N9&w90a<~a)D)Iexu3I!9!+v_7ZiVrMY9CZ6>f|EfI`?c!k0L2HT8&XdU zmO&$BG05X%N0SQ;s>uQjk^NUKMaSo9dtREg=vUO_~Y+*bA8BjL9?XWhFD;sQp_`DmZYGhGes)q2PSv{ zA~I)~Rhnm;wT{y~pc3g}bR~?YE?GSVMYC90JC0kDyIFN@o)v1YTs4(#SG%2j2jhj4F7kbvKTn{xgrF;hLwI` zs@gMMoS0gX8P@@sNRnI35Dc*Ayjiqj;wICDGO0?OcKmS$;S_kqPeB0XZuebHvI!2|D z>#!X1jxTO`_^kH1KQf z(Jp`Zc_Y?IRW!-BGDk;x&UBwIVRIlXMobkb6SPgxe?&F}Mb^hGx1=13zv~-yjTXvc z${&xAm+ayuOcj~?I1wIx^{>S=;zlJ&ReFlFFuJWj+t>^Hqmr+ z7Ywa!w+vrti{x@RuNko{Kh0s)0$#Q_g(J%-({FW_5XKvRmYH5D`)Q1xfGD2N<5`j9 zp_qUy>7-fqb&^-tC_1)$S&M{$`q=?gM~iINm0H{v`M0%h;tJ)~8@cH>ptCxuyq0l- zCh0guF_`VvZUf*^C{D||;D3-JWOALUhQkgoI%VOYl!uI95v~1Bg0;+-b{Q1JluAJF&a^+8`uemL(V#H%=s zLB0w*RucM9-U9iLhrN>cc7&la9n7n6qRJIh*Tk4&Q@_e1bY>EnWJ*RXbs*qzDq=Pb z<5JIMoFJuc(i#4n%QTv9*aD2wSdy?M-}J2(R zS@d|Qrs{e0LXMuQ7o%r;(Qt46OhzwupAKg)9uHoGPY2dyI>@xn=Vp+^Q;+J+vUjvM zdLA6@?LFPGnv!GEq|s6P`Dg}s3uRd?W=U-rD2sxllB7nQjJ!i^3Ifx z`AeB3msA#z6)o4*xaJoJ1kQ4omg%*0wy$og@^Gqh8CJ1f#pBCge(c665U2UEJBB}u zCa?C7-SLlIZ(cukfBTI+T0g)cRK*7)xi9ie!pY+pHP*!=>i!9EiX^-D&m6p?JU0rrT$S_e_CknBORsistEK?P+NwKI|j=5hsAaSSDLNK9}y;;8Up6 z3DAU4>!3M|bKq|CRU0>E!(Uhm*5?@6qAg!;Ae_my@$M=gp@-Opf*s z&k*OQZ}uk_lTb|9l9s8Jj8oXw?Vtlp90N16Ht=nW8uF@aU34_+qyZchfC=8YOx0W- zi(SRAE?JSfBAawCWG&r;>{k?b!Sy&*wu%i|yQ+5)k^PV_7=3M}jjK>h#7DIeQG?9A+mMZY(oQ&d1m)OUcElm=obNJiJ(Jcy`y?EO!#*3> z*4mhON{&VsGT{m1ZS>ougjdSowWe%9w&zBwZtTZp4k4l|mkSF4o%8HVYWFPLi}m^1 zDd@m2uPe}?7>ZZYP`plmTL&OH0e_g19Or$_-NUzWE|$_dV}JopJr5Ed5p8i>mS=H5 zocp0LyLuw!%lkA(PxUZ-+TNzBVeH4*%K=PtuwLM7+rMeM)r`NZf3YRptk)Co){9I= zs?#~l9~hA;I3HxTLE()(2;@iN+KtY*&2e%ZN)E4NDhlciog^5XMVbz0zX3;r6|00> z#VJJ(WHOEPD%p6apc^X`XKJNT8{GyM$M-SkxN0hRY%%vw5f_E%tEqSqBh90t&yrj- zm1b#!{p@7DC_gKu$LTyNevYQR4qL-BKUjYM|Bu|!@Q=zzZScPQaCUHdbohF5ad`5! z{LY3DlKkci>!z5RJkG7pYMscLTB0Y)h|5+OE=fkcY#-^e8}@jlNAu8YWW zNF@w0)ga;_0X_o`*6I8mFv`SagcOO^AB(k%*VNOWK>h*U8x2-*Zo~ph;y#q?wb|)A zj`;9;!~*umIE}=^eWzINaG(uomC|4*SXcKwefxc!Mi_PX=Kc2}h0RzJc=P^yL1&8% zESD6W=X6vJ6)uB#NA^N#Sv~VKf8m`IMW$%L@u@fJkiAIOo=JTdh_^aB9xWPXSA-c z$;biNqKpFh56E~iSQkk$7(Ls4KBAo`*D<5>%2_(RtASi0YjGpXz)R3~U>yh7qbnqs zB2^`g$#whyEd-fDw`w1HDH4jeOxxChqBc=DS;?QYLzkEqtF;ZbM8Shj$aF!$Qeuy& z@sJ~)_%k|#9zEiaNo#rX4yDn^4@>l43?Drz0~s-F(#3y9PV7c{1^oz4Z;t=88>ci_ zCUN@FjKv4LA~!cTzL`pAi-DZ#A|Isc#tcT!UpyIyE5oeQRPoklp25y!JO%lpM?nr)j3zFKEr5oENQ2KPT#~tFy0C28^Tryb zD0Wq4na)^3tD;(`%HluK3*#~WA5?-i%$h{)6~}i5vCerhC4VG`)*!G}=$&rF4Qw|U z?sE)2(EAF-E>p1J%6N9A-i6FRtLp*v**RArq;r7vT&ZX(XCFm*IlRiu|MOzQJDtO~ z-<=5Y^5x&eqem36S=%Q@<;7Y&dem_Z-^1xIxh^!v&cvzk4y8w+;DBOd!q6MRMUvEp zusH%@rFA_R5TloXTSh8Jw{s}okl;a4+_kT3frIz|a^HC-JP^q=&hlG?5Ldr??S<(1 zs%G_6{lm9! zg7=4$;PlP@yW`Wz(b0|vv(*kOkpUH@jKdYYES(6BR%>*!lkSU^zNX_XQ|N#|O)>Q` z!7A|+I(jdBr8P-Vku5C_+pHL6SqNik4rgPR@M<&+pM}F9d-~kk;_NE`(6q%SC3+Fh zsGC$rD*TD`NNJYbLrY!<0qzVUl_;i$5$MVyf|Ci@UD}7o&Rx3B^jc-frslS|@>mkZ zPli}4gF{AKq?0cvmH^_-^U-z89vQ32#H*ExVwtN1wBy6$)04A{$=i#uaIvDeS!}SV z)An4y78^MzQ7idT2~+~%TNeW5twaNR&Xpui@}%0Ka>Ezopb58Hl!OcoNP||vohCB< z=a+1D!3Yk zqwpMzX(HbQ5F}cs!_Fal7eGk>F@ppSHtTt8hwmwz7fC`FLM&CX29$8lDPmkt6&{AR z)d`2_5fA8zS0KIPVMao5rxS=PggW0`q1u89OQt9%5cGz|^}DF&*RI$Lp`XeOOt6PdS+^^S(3jy_j8N&EdVjkx^?WBYaNM)R#EZr zf_;_~6j%O~V545`Z1cRSpVdqRaV}sv@%*ympMdI_=*0rX3;$4uvm6CoM{n*#aR)vr z!Eg{k^Q%4^Yh*5Nl%>B}b%w5!I+4_2=T1ei6h1ME;9Y5)-Je`cUQN#V&ELczU#$nA zp%m-TA$fu>=d4I;xy#-jq2%AyI_LZt>4=cMMkP&}>MZEc+qyN_K}W?%DH9UL%kf-9 z9Wq`i4z3}k)5(vBU=#n7QW|lc0Ad&ONYlh6D)m}V!s1L;J6osWVsteyf(F82DYj$x zKiaX|l!sBWKrbW8J(^YMnM}Mj?{jo}iMnzrd=dF!CEb(+N5>F$%HRwukXQs%uqc`7 zlxUqT)k>BQM&w-9gHf@7&*RMGJ`Y9i>B;1X%J2?Ux^S+SJrQMkT|!d9@&EPP@lL#d z%fhHkygNTQYqr3UDv{|#l?`lk7Nh^ctHX=8ljB45T{;SWQ0Zoo0hWQot+V(#PSiqS z?TL060e!cDv*jy&!%~#@El}DwUw^*D52!|SiJEe-l+J`(8h$7*e!{M<0?{KvH_?yw=r;ndL-Wv^fhu;i$hr7Gaz7fMOKi%d}0iyXg!{0qt zeRBUxeqQVKM%YCDtYH+BX*AGTOPZ{$(2!I55vihLCD-BCo%z4%=brnY(=R`d4cxW= zpFJ7Y_W$U~@bTCE|7ZN%Gw1jBCi>2*Y^FWk7o=m=$l#6BpC}8g#%RdFA*0A;?W%vt zoZVv-z|*;Q8E9L*EQ0pe=Y{+BDifw8tGk);J@^0iywrQ}guC|tli_Y{|L;8+4!`dI zKjY`W+BYbBj;aZ!IxF)_i3iw}WYF`mVg(5mjbxC56J;b>y$~GNu-{0z0NB zXZ9uz$~2J+bz0sN(CPI!qifs|p29O0zx>we2~q80ELI!)`&+qEWecy%F+LR{@EU)w zHuTng#nCFS6KM=|d+z;>p+;L{t*zO)*AtnVkHse!Q-V2TS1{$wP0d{-f=?|+9E)Z* z9U*eL7>m&;+^dvUdj6y%M6c)WS&$`iIAaH2b1nu7R1YS}jog?ABA%BOqC{-OgGA=a zR9+g z(MTs{wFFn*Dit!z~}TY>QsQ`G+gx_?RccTc2d~w)8wy%W$OvmJz%4bV_a0jdT;>_ktvK!ulRhC2W*^xej-F!a7 z`QurRn{k8f+{Ji^XH+O0CP~ROoHEoAqLxI&#O5eg3@N1nojxv;oE$z;k*JJI$#vmu z{@4v0C+w#rdzLs_6-gei6BW2|=m_qW1H&YVHJs|GIkVrrFcvWZ-vfl>w_vNjXL*m0 z#b`Jjbt<^TCndz>cArp5=id)-`J6ra0auG2boc=eRe_p#IuZ+D6q6cLmzwP&5NwbD zcZnfB9EKGeu8q#g-sI4A1%m6J(uTt7WkA9yEn}tZX%ndh;tv{K!ml87u%C^e+CPD! z>jhxl3B0ZRtI%m*==r?Qp`4d;y-qgnFS3lG&sWc6(jsVVixzwlJ{@F5n#U_;OZVK! zghB@2yn7w|FgXg24&EOe0oYrr$l_?<*^q&wALbBx$PpM2jHcPKxgY>4}n zo@IhKxi}bu+)<{5{jG}Lju6|c%wivBUZ^eK)GGkJ_8F`{hS|-Fgrl|Ql!9q_Ks8zy zn0}0hf!7Q20mLLPPBxWWL zvLf}WkN`(O+An?DHGmyS|8?LZ$8F|VjkkfyMq-a^z;OhP?ISv%#`X=oI!3NgiGhZ9 zWUa1Or-qTX<>z*Ku)G$?@8U%HBJ1mVbnPF3SK@7GF0;ejicwqqq=8Wzg8c^o2{1I0 zBgdjm^#v$M`nI<;u!<7r(NxH6Vg4Zad>kF(Xp;<6Mk>-P+gPzOq%B)i%WTavnHo8> z!N-3ZxIf4Quv%Z%iig3U44)F)OaI$CQD#tP z1T?UCSG2srJJV}NAs&Nu>{W^xH_+$2UJX1>j6L|KMK0hRz=oGLT*_V!Q2Xi*lssz3 z1p9KU2>C1%J9^6k>nsa$9ZXd~&az;h=@mMmOn}a^AYaN9IW{}Xyp8~(Iw}vmdb3SJ zq-q$l$d@Y3?diIeJW&Qt=`Kt!l%Z4Vienqe&cRc)R(BGg7awsO;feL)?^9W&67g$* z=0OUHlL`HoXNAe}`BIzQJ;p}(q}E`yaq&~DjltNj(Tm-1^z?Z+42Of=Ct?-tdG~?1 zGOV|4Z<3%cnzr686i;!%jVX3|qP-OM_zr-!Z5Yv7jF@_3?#?++J{17_0p&VFRoW}_ zJ5>}8ntT4L`>eXFpj%tE$ z=jxKAN=20Rt+G{&W{X88X9^97_p(&XbUIV(+zbGEV9RE(*7Sdap6xZ(X`ttzj2og! z@5LJ!@6^9Pa4a4V>&)0{$kk2CPsgN3ooWO8!f&2$)}R~H^;@i49iF0AJ+ps}#ao>! zbkk({7)vj8s{RI45_P0bb(XUtZ{?^XEu&X5k?D+cSl-%pJ_zQXrgw)-{@4U%RWbW) z(1RWWfCm6BZSEGrF++dK0X8z-__ch?np=jG5m$H@rA;4;7}on-=+?)Ynsfh(3|E~2 zNxH1{8J@8TTW2D~@|d8Xmaw2_taJp_QR`!qs-|;}woZXizaVyP&nROAQwE?!bK-$@ zcxsUiz={%DDmFl`?l$vb;CkRG<}K#FS)z+5;Gn4t)FpKzlVs4#l*zMrmIvI;TxSTn zh1{CD+GlW%ke*@I6M1R^F&c*SKRD7`wXSBtMfNiaay0gO;&5)wE&Ym9lI#%w;XnEt zw`cQsH|Vx~((T&hS!YCxHXt+3D3r{^8gp={FE}pA*z?efo!SBF<6+VwN%|tyjiJye zE@GU8fYyC6TWW3U_cgdtRTc{IaIxM6I>$1RScFk#K={#vDDo(XpVOVymKv$N7C5DM#`&Jm{2Nct&#OZs=f3!9{%at5trkE03-7bPrbMAM8 zF0fGC^~X9=?D7c2nUc{DS)8kr6t}&J|Eb2}`J1?f;{thBuhFd4xD@AHM&%rDT8OZG z4QCE}ubNhl`^gF*C1pB6?}b;eWzZv_0=}#>R;E)0bL@`w%B7mtZ|P0om=a7Y(Iy=- zQLx|uXZ9^ws#xlfl2t)wlE%afT+mNEb}F*VfVx2k1)SW29#(ASl*}*Nvz=KW( z9tZZxmmMd^(sMY9hreK|av5-ukdCP22J@+J!Qnr>kH_M}KRSY!z_xBk4Qm}8`7PEu znzV@)<*lDB1oGZpc8GSRv5dnyZ7`s z#wW9N0e=oxold0)E^igSi_>~h;jpe2<8_0%v$p2!El+*^Vx=RhiHm;EknVeDNfJNl zQ=US#v@RDwquwgjbxZf6tuRdod3mRHR&n^mMkFZmQM6I7Cv?hCfT-B7*7->i>~5X= z6?gbnmvqDG33c@YU;d zZ~DE2hWmQ-?LdJWB%nbCJ?~?DveU7R@e26Xup$cV-dBm-_+|+q)>Tu*2%hEfO6ekZ z5BEAk)GyED~lRd1Ugi&3Xjy^;Rj;OzY|&{P(*eq$5LPV}r*Un#d1Gc?ac(`JXM zGD%zSJE9E$2yIHrDLl`gop49B^6$6!!W4U zxL8pyv=`wW8V#;tQ#>AWoE2aAbU}*&OJhDiT+J#Zfm;U`xHb%*R_`HgM1R!+PQS*0 zHDbV8!=t_c)Xe}XtJ<}Nl(mp!Ju>PG!1S3M6G#4hMlVEz)3x)uZQO1P zzZ0U#fB#irL*HSXx(nLcYp!FAaVa}c2@W&Hwo`etzi)(fvQPy4|tpvYG(v9Ppa!Y%!o;d)+=X2T=jq zQfXp(Mn&oJSefov{DQlt+YA?T@4Q|NhQ?zr^gPZJd@*q$Z{^Fm&Q@J-n+Pw1NyeU@Exhljpw%$z-{Y#_u5vGd5i#vGn!YkVTBNe+g>9z z><*ti-_pR6#IZ*bq9g>@dbTe9LR`E)efNbBG2GU`B4Sm;L#OTcZJWlqAMdkm+Nj&x zN@Y0mKHWHWH@jkqYugr>YMm&VZedw$^6>`V%C1U0^gUkbhiq>H0kphDouxSt$g1Z0 zxEHrv#!;lw=KckVG3KQp^HTLa3QRDle^G-);3q74BgN|XoHw7dfZGsLUs%l2akuc) zuv_QOUnB$Vu0w{cAb&Q(O0KfiMsp9!ug<6g|NZv0rqb7+uRmXZzWmSs1ONd4|GGz= I@BlOl0KB Date: Fri, 10 Apr 2020 12:47:40 -0700 Subject: [PATCH 21/28] Updates to operator to version 2.2.9 of helm ha chart --- ...a-operator.v1.0.0.clusterserviceversion.yaml | 9 +++++---- Openshift4/openshift-artifactory-ha/values.yaml | 17 +++++------------ 2 files changed, 10 insertions(+), 16 deletions(-) diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 5fbcf18..f699c0c 100644 --- a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -13,10 +13,11 @@ metadata: "spec": { "artifactory-ha": { "artifactory": { - "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", + "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n #image: \"{{ .Values.initContainerImage }}\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { "repository": "registry.connect.redhat.com/jfrog/artifactory-pro:7.3.2" }, + "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "node": { "waitForPrimaryStartup": { "enabled": false @@ -31,7 +32,7 @@ metadata: "user": "OVERRIDE" }, "initContainerImage": "registry.redhat.io/ubi8-minimal", - "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/openshift\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", + "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/Openshift\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", "nginx": { "http": { "externalPort": 80, @@ -56,8 +57,8 @@ metadata: ] capabilities: Basic Install categories: "Developer Tools,Integration & Delivery" - description: "Artifactory HA deploys Artifactory in a high availability environment across multiple pods" - containerImage: quay.io/jfrog/artifactory-ha-operator + description: "JFrog Artifactory Enterprise deploys Artifactory in a high availability environment across multiple pods" + containerImage: registry.connect.redhat.com/jfrog/artifactory-operator:7.3.2 createdAt: 2020-03-25T00:00:00Z support: JFrog certified: "true" diff --git a/Openshift4/openshift-artifactory-ha/values.yaml b/Openshift4/openshift-artifactory-ha/values.yaml index 1839a7e..180ae4b 100755 --- a/Openshift4/openshift-artifactory-ha/values.yaml +++ b/Openshift4/openshift-artifactory-ha/values.yaml @@ -5,19 +5,12 @@ artifactory-ha: ################################### # EDIT TO YOUR DB CONFIGURATION ################################### - #database: - # type: "OVERRIDE" - # driver: "OVERRIDE" - # url: "OVERRIDE" - # user: "postgres" - # password: "OVERRIDE" - database: - type: "postgresql" - driver: "org.postgresql.Driver" - url: "jdbc:postgresql://postgres-postgresql:5432/artifactory" - user: "artifactory" - password: "password" + type: "OVERRIDE" + driver: "OVERRIDE" + url: "OVERRIDE" + user: "postgres" + password: "OVERRIDE" ################################### # DO NOT EDIT FURTHER From 5234afa864bcd9d5b4a5ab3660310ece9b10e729 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Mon, 13 Apr 2020 10:37:19 -0700 Subject: [PATCH 22/28] Openshift artifactory-ha helm chart changes for version 2.3.0 of jfrog/artifactory-ha chart --- .../openshift-artifactory-ha/CHANGELOG.md | 11 ++++++++++- Openshift4/openshift-artifactory-ha/Chart.yaml | 17 ++++++----------- .../openshift-artifactory-ha/helminstall.sh | 14 +++----------- .../openshift-artifactory-ha/hostpathscc.yaml | 18 ------------------ .../openshift-artifactory-ha/requirements.yaml | 2 +- Openshift4/openshift-artifactory-ha/scc.yaml | 18 ------------------ .../openshift-artifactory-ha/values.yaml | 16 ++++++++++------ 7 files changed, 30 insertions(+), 66 deletions(-) delete mode 100644 Openshift4/openshift-artifactory-ha/hostpathscc.yaml delete mode 100644 Openshift4/openshift-artifactory-ha/scc.yaml diff --git a/Openshift4/openshift-artifactory-ha/CHANGELOG.md b/Openshift4/openshift-artifactory-ha/CHANGELOG.md index 1315675..d3a13f7 100755 --- a/Openshift4/openshift-artifactory-ha/CHANGELOG.md +++ b/Openshift4/openshift-artifactory-ha/CHANGELOG.md @@ -1,5 +1,14 @@ # JFrog Openshift Artifactory-ha Chart Changelog All changes to this chart will be documented in this file. -## [1.0.0] - March 09, 2020 +## [2.3.0] - April 13, 2020 +* Updating to latest jfrog/artifactory-ha helm chart version 2.3.0 + +## [2.2.9] - April 11, 2020 +* Fixed issues with master key + +## [2.1.9] - March 17, 2020 +* Updated Artifactory version to 7.3.2 + +## [2.0.35] - March 09, 2020 * Updated Artifactory version to 7.2.1 diff --git a/Openshift4/openshift-artifactory-ha/Chart.yaml b/Openshift4/openshift-artifactory-ha/Chart.yaml index 6bb6d23..a9c3cb5 100755 --- a/Openshift4/openshift-artifactory-ha/Chart.yaml +++ b/Openshift4/openshift-artifactory-ha/Chart.yaml @@ -1,7 +1,6 @@ apiVersion: v1 appVersion: 7.3.2 -description: Universal Repository Manager supporting all major packaging formats, - build tools and CI servers. +description: Openshift JFrog Artifactory HA subcharting Artifactory HA to work in Openshift environment home: https://www.jfrog.com/artifactory/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-ha/logo/artifactory-logo.png keywords: @@ -9,16 +8,12 @@ keywords: - jfrog - devops maintainers: -- email: amithk@jfrog.com - name: amithins -- email: daniele@jfrog.com - name: danielezer -- email: eldada@jfrog.com - name: eldada -- email: rimasm@jfrog.com - name: rimusz +- email: vinaya@jfrog.com + name: Vinay Aggarwal +- email: johnp@jfrog.com + name: John Peterson name: openshift-artifactory-ha sources: - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view - https://github.com/jfrog/charts -version: 2.2.9 +version: 2.3.0 diff --git a/Openshift4/openshift-artifactory-ha/helminstall.sh b/Openshift4/openshift-artifactory-ha/helminstall.sh index d6767a7..062e677 100755 --- a/Openshift4/openshift-artifactory-ha/helminstall.sh +++ b/Openshift4/openshift-artifactory-ha/helminstall.sh @@ -4,22 +4,14 @@ if [[ -z "$1" ]] then echo "Skipping creation of persistent volume examples. Ensure there is available PVs 200Gi per node for HA." else - oc new-project jfrog-artifactory - oc create serviceaccount svcaccount -n jfrog-artifactory - oc adm policy add-scc-to-user privileged system:serviceaccount:jfrog-artifactory:svcaccount - oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:svcaccount - oc adm policy add-scc-to-group anyuid system:authenticated - - # enables hostPath plugin for openshift system wide - oc create -f hostpathscc.yaml -n jfrog-artifactory - oc patch securitycontextconstraints.security.openshift.io/hostpath --type=merge --patch='{"allowHostDirVolumePlugin": true}' - oc adm policy add-scc-to-user hostpath system:serviceaccount:jfrog-artifactory:svcaccount + # patch the restricted scc to allow the pods to run as anyuid + oc patch scc restricted --patch '{"fsGroup":{"type":"RunAsAny"},"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"RunAsAny"}}' --type=merge # create the license secret oc create secret generic artifactory-license --from-file=artifactory.cluster.license # create the tls secret - oc create secret tls tls-ingress --cert=jfrog.team.crt --key=jfrog.team.key + oc create secret tls tls-ingress --cert=tls.crt --key=tls.key fi # install via helm diff --git a/Openshift4/openshift-artifactory-ha/hostpathscc.yaml b/Openshift4/openshift-artifactory-ha/hostpathscc.yaml deleted file mode 100644 index 13eef79..0000000 --- a/Openshift4/openshift-artifactory-ha/hostpathscc.yaml +++ /dev/null @@ -1,18 +0,0 @@ -kind: SecurityContextConstraints -apiVersion: v1 -metadata: - name: hostpath -allowPrivilegedContainer: false -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -fsGroup: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: -- artifactory -groups: -- artifactory -- jfrog-artifactory diff --git a/Openshift4/openshift-artifactory-ha/requirements.yaml b/Openshift4/openshift-artifactory-ha/requirements.yaml index 43476d8..45e29e2 100644 --- a/Openshift4/openshift-artifactory-ha/requirements.yaml +++ b/Openshift4/openshift-artifactory-ha/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: artifactory-ha - version: 2.2.9 + version: 2.3.0 repository: https://charts.jfrog.io/ diff --git a/Openshift4/openshift-artifactory-ha/scc.yaml b/Openshift4/openshift-artifactory-ha/scc.yaml deleted file mode 100644 index 13eef79..0000000 --- a/Openshift4/openshift-artifactory-ha/scc.yaml +++ /dev/null @@ -1,18 +0,0 @@ -kind: SecurityContextConstraints -apiVersion: v1 -metadata: - name: hostpath -allowPrivilegedContainer: false -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -fsGroup: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: -- artifactory -groups: -- artifactory -- jfrog-artifactory diff --git a/Openshift4/openshift-artifactory-ha/values.yaml b/Openshift4/openshift-artifactory-ha/values.yaml index 180ae4b..d0185fe 100755 --- a/Openshift4/openshift-artifactory-ha/values.yaml +++ b/Openshift4/openshift-artifactory-ha/values.yaml @@ -1,6 +1,7 @@ -# Openshift artifactory ha -# Requires one custom init container -# to resolve the user id perm issue with redhat +# Openshift Artifactory HA +# This helm chart subcharts the latest jfrog/artifactory-ha chart +# and applies various things like initContainers, nginx mainConf, etc +# to enable the artifactory-ha helm chart to work in an openshift environment artifactory-ha: ################################### # EDIT TO YOUR DB CONFIGURATION @@ -9,7 +10,7 @@ artifactory-ha: type: "OVERRIDE" driver: "OVERRIDE" url: "OVERRIDE" - user: "postgres" + user: "OVERRIDE" password: "OVERRIDE" ################################### @@ -36,7 +37,8 @@ artifactory-ha: name: volume ## Change to use RH UBI images image: - repository: quay.io/jfrog/artifactory-rh-pro + repository: registry.connect.redhat.com/jfrog/artifactory-pro + version: 7.3.2 node: waitForPrimaryStartup: enabled: false @@ -45,7 +47,9 @@ artifactory-ha: enabled: false nginx: image: - repository: quay.io/jfrog/nginx-artifactory-rh-pro + repository: registry.redhat.io/rhel8/nginx-116 + version: latest + tlsSecretName: "OVERRIDE" http: externalPort: 80 internalPort: 8080 From dffdb33ae14a4e498c31d5e300692d1deafa4b63 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Mon, 13 Apr 2020 13:35:14 -0700 Subject: [PATCH 23/28] Updates to openshift for new marketplace submission --- ...operator.v1.0.0.clusterserviceversion.yaml | 30 ++-- ...io_v1alpha1_openshiftartifactoryha_cr.yaml | 23 +-- ...operator.v1.0.0.clusterserviceversion.yaml | 35 ++-- .../deploy/operator.yaml | 16 +- .../artifactory-ha-operator/deploy/role.yaml | 162 ++++++++++-------- .../artifactory-ha-operator/watches.yaml | 7 +- .../openshift-artifactory-ha/helminstall.sh | 31 +++- .../requirements.lock | 6 +- .../openshift-artifactory-ha/values.yaml | 6 +- 9 files changed, 165 insertions(+), 151 deletions(-) diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index f699c0c..bd487bc 100644 --- a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -8,17 +8,19 @@ metadata: "apiVersion": "charts.helm.k8s.io/v1alpha1", "kind": "OpenshiftArtifactoryHa", "metadata": { - "name": "osartifactoryha" + "name": "openshiftartifactoryha" }, "spec": { "artifactory-ha": { "artifactory": { - "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n #image: \"{{ .Values.initContainerImage }}\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", + "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { - "repository": "registry.connect.redhat.com/jfrog/artifactory-pro:7.3.2" + "repository": "registry.connect.redhat.com/jfrog/artifactory-pro", + "version": "7.3.2" }, "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "node": { + "replicaCount": 2, "waitForPrimaryStartup": { "enabled": false } @@ -43,9 +45,11 @@ metadata: "internalPort": 8443 }, "image": { - "repository": "registry.redhat.io/rhel8/nginx-116:latest" + "repository": "registry.redhat.io/rhel8/nginx-116", + "version": "latest" }, "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n" + "tlsSecretName": "OVERRIDE" }, "postgresql": { "enabled": false @@ -134,21 +138,11 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: registry.connect.redhat.com/jfrog/artifactory-pro:7.3.2 + value: registry.connect.redhat.com/jfrog/artifactory-pro - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY - value: registry.redhat.io/rhel8/nginx-116:latest - - name: DATABASE_TYPE - value: OVERRIDE - - name: DATABASE_DRIVER - value: OVERRIDE - - name: DATABASE_URL - value: OVERRIDE - - name: DATABASE_USER - value: OVERRIDE - - name: DATABASE_PASSWORD - value: OVERRIDE - image: registry.connect.redhat.com/jfrog/artifactory-operator:7.3.2 - imagePullPolicy: IfNotPresent + value: registry.redhat.io/rhel8/nginx-116 + image: registry.connect.redhat.com/jfrog/artifactory-operator + imagePullPolicy: Always name: artifactory-ha-operator resources: {} serviceAccountName: artifactory-ha-operator diff --git a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml index 54b7bf3..fbc6476 100644 --- a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml @@ -4,16 +4,9 @@ metadata: name: openshiftartifactoryha spec: artifactory-ha: - database: - driver: OVERRIDE - password: OVERRIDE - type: OVERRIDE - url: OVERRIDE - user: OVERRIDE artifactory: customInitContainersBegin: | - name: "redhat-custom-setup" - #image: "{{ .Values.initContainerImage }}" image: {{ index .Values "initContainerImage" }} imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" command: @@ -26,12 +19,20 @@ spec: - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" name: volume image: - repository: quay.io/jfrog/artifactory-rh-pro + repository: registry.connect.redhat.com/jfrog/artifactory-pro + version: 7.3.2 + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF node: waitForPrimaryStartup: enabled: false + database: + driver: OVERRIDE + password: OVERRIDE + type: OVERRIDE + url: OVERRIDE + user: OVERRIDE initContainerImage: registry.redhat.io/ubi8-minimal - installerInfo: '{ "productId": "Openshift_artifactory-ha/{{ .Chart.Version }}", "features": [ { "featureId": "ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}" }, { "featureId": "{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ default \"derby\" .Values.database.type }}{{ end }}/0.0.0" }, { "featureId": "Platform/{{ default \"openshift\" .Values.installer.platform }}" }, { "featureId": "Partner/ACC-006983" }, { "featureId": "Channel/Openshift" } ] }' + installerInfo: '{ "productId": "Openshift_artifactory-ha/{{ .Chart.Version }}", "features": [ { "featureId": "ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}" }, { "featureId": "{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ .Values.database.type }}{{ end }}/0.0.0" }, { "featureId": "Platform/Openshift" }, { "featureId": "Partner/ACC-006983" }, { "featureId": "Channel/Openshift" } ] }' nginx: http: externalPort: 80 @@ -40,7 +41,8 @@ spec: externalPort: 443 internalPort: 8443 image: - repository: quay.io/jfrog/nginx-artifactory-rh-pro + repository: registry.redhat.io/rhel8/nginx-116 + version: latest mainConf: | # Main Nginx configuration file worker_processes 4; @@ -91,6 +93,7 @@ spec: #gzip on; include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf; } + tlsSecretName: OVERRIDE postgresql: enabled: false waitForDatabase: false diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 5fbcf18..addb1fa 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -8,16 +8,19 @@ metadata: "apiVersion": "charts.helm.k8s.io/v1alpha1", "kind": "OpenshiftArtifactoryHa", "metadata": { - "name": "osartifactoryha" + "name": "openshiftartifactoryha" }, "spec": { "artifactory-ha": { "artifactory": { "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { - "repository": "registry.connect.redhat.com/jfrog/artifactory-pro:7.3.2" + "repository": "registry.connect.redhat.com/jfrog/artifactory-pro", + "version": "7.3.2" }, + "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "node": { + "replicaCount": 2, "waitForPrimaryStartup": { "enabled": false } @@ -31,7 +34,7 @@ metadata: "user": "OVERRIDE" }, "initContainerImage": "registry.redhat.io/ubi8-minimal", - "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/openshift\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", + "installerInfo": "{ \"productId\": \"Openshift_artifactory-ha/{{ .Chart.Version }}\", \"features\": [ { \"featureId\": \"ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}\" }, { \"featureId\": \"{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ .Values.database.type }}{{ end }}/0.0.0\" }, { \"featureId\": \"Platform/Openshift\" }, { \"featureId\": \"Partner/ACC-006983\" }, { \"featureId\": \"Channel/Openshift\" } ] }", "nginx": { "http": { "externalPort": 80, @@ -42,9 +45,11 @@ metadata: "internalPort": 8443 }, "image": { - "repository": "registry.redhat.io/rhel8/nginx-116:latest" + "repository": "registry.redhat.io/rhel8/nginx-116", + "version": "latest" }, "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n" + "tlsSecretName": "OVERRIDE" }, "postgresql": { "enabled": false @@ -56,8 +61,8 @@ metadata: ] capabilities: Basic Install categories: "Developer Tools,Integration & Delivery" - description: "Artifactory HA deploys Artifactory in a high availability environment across multiple pods" - containerImage: quay.io/jfrog/artifactory-ha-operator + description: "JFrog Artifactory Enterprise deploys Artifactory in a high availability environment across multiple pods" + containerImage: registry.connect.redhat.com/jfrog/artifactory-operator createdAt: 2020-03-25T00:00:00Z support: JFrog certified: "true" @@ -133,21 +138,11 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: registry.connect.redhat.com/jfrog/artifactory-pro:7.3.2 + value: registry.connect.redhat.com/jfrog/artifactory-pro - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY - value: registry.redhat.io/rhel8/nginx-116:latest - - name: DATABASE_TYPE - value: OVERRIDE - - name: DATABASE_DRIVER - value: OVERRIDE - - name: DATABASE_URL - value: OVERRIDE - - name: DATABASE_USER - value: OVERRIDE - - name: DATABASE_PASSWORD - value: OVERRIDE - image: registry.connect.redhat.com/jfrog/artifactory-operator:7.3.2 - imagePullPolicy: IfNotPresent + value: registry.redhat.io/rhel8/nginx-116 + image: registry.connect.redhat.com/jfrog/artifactory-operator + imagePullPolicy: Always name: artifactory-ha-operator resources: {} serviceAccountName: artifactory-ha-operator diff --git a/Openshift4/artifactory-ha-operator/deploy/operator.yaml b/Openshift4/artifactory-ha-operator/deploy/operator.yaml index 3fcd108..4d16016 100644 --- a/Openshift4/artifactory-ha-operator/deploy/operator.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/operator.yaml @@ -15,8 +15,8 @@ spec: serviceAccountName: artifactory-ha-operator containers: - name: artifactory-ha-operator - image: quay.io/jfrog/artifactory-ha-operator - imagePullPolicy: IfNotPresent + image: registry.connect.redhat.com/jfrog/artifactory-operator + imagePullPolicy: Always env: - name: WATCH_NAMESPACE valueFrom: @@ -31,14 +31,4 @@ spec: - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY value: "registry.connect.redhat.com/jfrog/artifactory-pro" - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY - value: "quay.io/jfrog/nginx-artifactory-rh-pro" - - name: DATABASE_TYPE - value: "OVERRIDE" - - name: DATABASE_DRIVER - value: "OVERRIDE" - - name: DATABASE_URL - value: "OVERRIDE" - - name: DATABASE_USER - value: "OVERRIDE" - - name: DATABASE_PASSWORD - value: "OVERRIDE" \ No newline at end of file + value: "registry.redhat.io/rhel8/nginx-116" \ No newline at end of file diff --git a/Openshift4/artifactory-ha-operator/deploy/role.yaml b/Openshift4/artifactory-ha-operator/deploy/role.yaml index b18faa9..0cdfc5b 100644 --- a/Openshift4/artifactory-ha-operator/deploy/role.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/role.yaml @@ -5,95 +5,115 @@ metadata: name: artifactory-ha-operator rules: - apiGroups: - - "" + - "" resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - - apps + - apps resources: - - deployments - - daemonsets - - replicasets - - statefulsets + - deployments + - daemonsets + - replicasets + - statefulsets verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - - "" + - "" resources: - - namespaces + - namespaces verbs: - - get + - get - apiGroups: - - "" - resources: - - configmaps - - secrets - verbs: - - '*' -- apiGroups: - - "" - resources: - - events - verbs: - - create -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - apps + - "" resourceNames: - - artifactory-ha-operator + - artifactory-ha-operator resources: - - deployments/finalizers + - '*' verbs: - - update + - '*' - apiGroups: - - "" + - "" resources: - - pods + - events verbs: - - get + - create - apiGroups: - - apps + - monitoring.coreos.com resources: - - replicasets - - deployments + - servicemonitors verbs: - - get + - get + - create - apiGroups: - - charts.helm.k8s.io + - apps + resourceNames: + - artifactory-ha-operator resources: - - '*' + - deployments/finalizers verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get +- apiGroups: + - charts.helm.k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - networking.k8s.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - policy + resources: + - '*' + verbs: + - '*' +- apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - '*' + verbs: + - '*' diff --git a/Openshift4/artifactory-ha-operator/watches.yaml b/Openshift4/artifactory-ha-operator/watches.yaml index 843b786..53c1b2e 100644 --- a/Openshift4/artifactory-ha-operator/watches.yaml +++ b/Openshift4/artifactory-ha-operator/watches.yaml @@ -5,9 +5,4 @@ chart: helm-charts/openshift-artifactory-ha overrideValues: artifactory-ha.artifactory.image.repository: $RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - artifactory-ha.nginx.image.repository: $RELATED_IMAGE_NGINX_IMAGE_REPOSITORY - artifactory-ha.database.type: $DATABASE_TYPE - artifactory-ha.database.driver: $DATABASE_DRIVER - artifactory-ha.database.url: $DATABASE_URL - artifactory-ha.database.user: $DATABASE_USER - artifactory-ha.database.password: $DATABASE_PASSWORD + artifactory-ha.nginx.image.repository: $RELATED_IMAGE_NGINX_IMAGE_REPOSITORY \ No newline at end of file diff --git a/Openshift4/openshift-artifactory-ha/helminstall.sh b/Openshift4/openshift-artifactory-ha/helminstall.sh index 062e677..471bf15 100755 --- a/Openshift4/openshift-artifactory-ha/helminstall.sh +++ b/Openshift4/openshift-artifactory-ha/helminstall.sh @@ -1,8 +1,22 @@ #!/usr/bin/env bash -if [[ -z "$1" ]] -then - echo "Skipping creation of persistent volume examples. Ensure there is available PVs 200Gi per node for HA." +# PreReq'd: +# helm install postgres bitnami/postgresql +# follow artifactory postgresql db setup: +# https://www.jfrog.com/confluence/display/JFROG/PostgreSQL +POSTGRES=$(helm ls | grep postgres | wc -l) + +if [[ "$POSTGRES" =~ (0) ]] +then + echo "External DB is required to run Jfrog Openshift Artifactory Helm chart" + echo "" + echo "Postgresql helm chart must be installed prior to installing this helm installer script." + echo "" + echo "helm install postgres bitnami/postgresql" + echo "" + echo "follow artifactory postgresql db setup:" + echo "https://www.jfrog.com/confluence/display/JFROG/PostgreSQL" + exit 1 else # patch the restricted scc to allow the pods to run as anyuid oc patch scc restricted --patch '{"fsGroup":{"type":"RunAsAny"},"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"RunAsAny"}}' --type=merge @@ -12,9 +26,14 @@ else # create the tls secret oc create secret tls tls-ingress --cert=tls.crt --key=tls.key -fi +fi -# install via helm +# install via helm with default postgresql configuration helm install artifactory-ha . \ --set artifactory-ha.nginx.tlsSecretName=tls-ingress \ - --set artifactory-ha.artifactory.license.secret=artifactory-license,artifactory-ha.artifactory.license.dataKey=artifactory.cluster.license + --set artifactory-ha.artifactory.license.secret=artifactory-license,artifactory-ha.artifactory.license.dataKey=artifactory.cluster.license \ + --set artifactory-ha.database.type=postgresql \ + --set artifactory-ha.database.driver=org.postgresql.Driver \ + --set artifactory-ha.database.url=jdbc:postgresql://postgres-postgresql:5432/artifactory \ + --set artifactory-ha.database.user=artifactory \ + --set artifactory-ha.database.password=password \ No newline at end of file diff --git a/Openshift4/openshift-artifactory-ha/requirements.lock b/Openshift4/openshift-artifactory-ha/requirements.lock index dc292b2..2987889 100644 --- a/Openshift4/openshift-artifactory-ha/requirements.lock +++ b/Openshift4/openshift-artifactory-ha/requirements.lock @@ -1,6 +1,6 @@ dependencies: - name: artifactory-ha repository: https://charts.jfrog.io/ - version: 2.2.9 -digest: sha256:65c1deae2ede50a40b62012243657a2ebfcc05bbd5b7f95bd8786bbb9425f13b -generated: "2020-04-10T10:49:58.221628-07:00" + version: 2.3.0 +digest: sha256:1a0b97f17a29da8dfe7f7dfbf5860258f216d1d82b06ffb55733b85f09e7cbaf +generated: "2020-04-13T11:22:22.813393-07:00" diff --git a/Openshift4/openshift-artifactory-ha/values.yaml b/Openshift4/openshift-artifactory-ha/values.yaml index d0185fe..9c9974d 100755 --- a/Openshift4/openshift-artifactory-ha/values.yaml +++ b/Openshift4/openshift-artifactory-ha/values.yaml @@ -12,10 +12,6 @@ artifactory-ha: url: "OVERRIDE" user: "OVERRIDE" password: "OVERRIDE" - - ################################### - # DO NOT EDIT FURTHER - ################################### initContainerImage: registry.redhat.io/ubi8-minimal waitForDatabase: false installerInfo: '{ "productId": "Openshift_artifactory-ha/{{ .Chart.Version }}", "features": [ { "featureId": "ArtifactoryVersion/{{ default .Chart.AppVersion .Values.artifactory.image.version }}" }, { "featureId": "{{ if .Values.postgresql.enabled }}postgresql{{ else }}{{ .Values.database.type }}{{ end }}/0.0.0" }, { "featureId": "Platform/Openshift" }, { "featureId": "Partner/ACC-006983" }, { "featureId": "Channel/Openshift" } ] }' @@ -40,6 +36,7 @@ artifactory-ha: repository: registry.connect.redhat.com/jfrog/artifactory-pro version: 7.3.2 node: + replicaCount: 2 waitForPrimaryStartup: enabled: false masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF @@ -49,6 +46,7 @@ artifactory-ha: image: repository: registry.redhat.io/rhel8/nginx-116 version: latest + ## K8S secret name for the TLS secret to be used for SSL tlsSecretName: "OVERRIDE" http: externalPort: 80 From a286059593d99f380c74bed30af26c0600fd944a Mon Sep 17 00:00:00 2001 From: John Peterson Date: Tue, 14 Apr 2020 14:14:32 -0700 Subject: [PATCH 24/28] updates to operator v1.0.0 w/ bug fix for the master key issue --- ...ory-ha-operator.v1.0.0.clusterserviceversion.yaml | 12 ++++++------ ...ory-ha-operator.v1.0.0.clusterserviceversion.yaml | 12 ++++++------ Openshift4/artifactory-ha-operator/watches.yaml | 4 ++-- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index bd487bc..26a23ce 100644 --- a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -16,7 +16,7 @@ metadata: "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { "repository": "registry.connect.redhat.com/jfrog/artifactory-pro", - "version": "7.3.2" + "version": "7.3" }, "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "node": { @@ -48,7 +48,7 @@ metadata: "repository": "registry.redhat.io/rhel8/nginx-116", "version": "latest" }, - "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n" + "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n", "tlsSecretName": "OVERRIDE" }, "postgresql": { @@ -62,7 +62,7 @@ metadata: capabilities: Basic Install categories: "Developer Tools,Integration & Delivery" description: "JFrog Artifactory Enterprise deploys Artifactory in a high availability environment across multiple pods" - containerImage: registry.connect.redhat.com/jfrog/artifactory-operator:7.3.2 + containerImage: registry.connect.redhat.com/jfrog/artifactory-operator:7.3 createdAt: 2020-03-25T00:00:00Z support: JFrog certified: "true" @@ -138,10 +138,10 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: registry.connect.redhat.com/jfrog/artifactory-pro + value: registry.connect.redhat.com/jfrog/artifactory-pro:7.3 - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY - value: registry.redhat.io/rhel8/nginx-116 - image: registry.connect.redhat.com/jfrog/artifactory-operator + value: registry.redhat.io/rhel8/nginx-116:latest + image: registry.connect.redhat.com/jfrog/artifactory-operator:7.3 imagePullPolicy: Always name: artifactory-ha-operator resources: {} diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index addb1fa..26a23ce 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -16,7 +16,7 @@ metadata: "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { "repository": "registry.connect.redhat.com/jfrog/artifactory-pro", - "version": "7.3.2" + "version": "7.3" }, "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "node": { @@ -48,7 +48,7 @@ metadata: "repository": "registry.redhat.io/rhel8/nginx-116", "version": "latest" }, - "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n" + "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n", "tlsSecretName": "OVERRIDE" }, "postgresql": { @@ -62,7 +62,7 @@ metadata: capabilities: Basic Install categories: "Developer Tools,Integration & Delivery" description: "JFrog Artifactory Enterprise deploys Artifactory in a high availability environment across multiple pods" - containerImage: registry.connect.redhat.com/jfrog/artifactory-operator + containerImage: registry.connect.redhat.com/jfrog/artifactory-operator:7.3 createdAt: 2020-03-25T00:00:00Z support: JFrog certified: "true" @@ -138,10 +138,10 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: registry.connect.redhat.com/jfrog/artifactory-pro + value: registry.connect.redhat.com/jfrog/artifactory-pro:7.3 - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY - value: registry.redhat.io/rhel8/nginx-116 - image: registry.connect.redhat.com/jfrog/artifactory-operator + value: registry.redhat.io/rhel8/nginx-116:latest + image: registry.connect.redhat.com/jfrog/artifactory-operator:7.3 imagePullPolicy: Always name: artifactory-ha-operator resources: {} diff --git a/Openshift4/artifactory-ha-operator/watches.yaml b/Openshift4/artifactory-ha-operator/watches.yaml index 53c1b2e..5e71caa 100644 --- a/Openshift4/artifactory-ha-operator/watches.yaml +++ b/Openshift4/artifactory-ha-operator/watches.yaml @@ -4,5 +4,5 @@ kind: OpenshiftArtifactoryHa chart: helm-charts/openshift-artifactory-ha overrideValues: - artifactory-ha.artifactory.image.repository: $RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - artifactory-ha.nginx.image.repository: $RELATED_IMAGE_NGINX_IMAGE_REPOSITORY \ No newline at end of file + artifactory-ha.artifactory.image.override: $RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY + artifactory-ha.nginx.image.override: $RELATED_IMAGE_NGINX_IMAGE_REPOSITORY \ No newline at end of file From f1539489771b5a685c2eae134da11ef2d39fe55c Mon Sep 17 00:00:00 2001 From: John Peterson Date: Fri, 24 Apr 2020 15:53:22 -0700 Subject: [PATCH 25/28] openshift artifactory ha updates to v7.4.1 and openshift xray v3.2.3 helm charts --- Openshift4/.gitignore | 4 +- .../openshift-artifactory-ha/Chart.yaml | 4 +- .../openshift-artifactory-ha/helminstall.sh | 34 ++- .../requirements.lock | 6 +- .../requirements.yaml | 2 +- .../openshift-artifactory-ha/values.yaml | 9 +- Openshift4/openshift-xray/CHANGELOG.md | 17 ++ Openshift4/openshift-xray/Chart.yaml | 16 ++ Openshift4/openshift-xray/LICENSE | 201 ++++++++++++++++++ Openshift4/openshift-xray/helminstall.sh | 71 +++++++ Openshift4/openshift-xray/rabbitmq.yaml | 25 +++ .../openshift-xray/rabbitmqservice.yaml | 26 +++ Openshift4/openshift-xray/requirements.lock | 6 + Openshift4/openshift-xray/requirements.yaml | 4 + Openshift4/openshift-xray/values.yaml | 77 +++++++ 15 files changed, 483 insertions(+), 19 deletions(-) create mode 100755 Openshift4/openshift-xray/CHANGELOG.md create mode 100755 Openshift4/openshift-xray/Chart.yaml create mode 100755 Openshift4/openshift-xray/LICENSE create mode 100755 Openshift4/openshift-xray/helminstall.sh create mode 100644 Openshift4/openshift-xray/rabbitmq.yaml create mode 100644 Openshift4/openshift-xray/rabbitmqservice.yaml create mode 100644 Openshift4/openshift-xray/requirements.lock create mode 100644 Openshift4/openshift-xray/requirements.yaml create mode 100755 Openshift4/openshift-xray/values.yaml diff --git a/Openshift4/.gitignore b/Openshift4/.gitignore index f2ea4b7..fd52f89 100644 --- a/Openshift4/.gitignore +++ b/Openshift4/.gitignore @@ -1,6 +1,6 @@ artifactory.cluster.license -jfrog.team.crt -jfrog.team.key +tls.crt +tls.key artifactory-ha-operator/helm-charts/openshift-artifactory-ha *.tar.gz *.tgz diff --git a/Openshift4/openshift-artifactory-ha/Chart.yaml b/Openshift4/openshift-artifactory-ha/Chart.yaml index a9c3cb5..adcd7f7 100755 --- a/Openshift4/openshift-artifactory-ha/Chart.yaml +++ b/Openshift4/openshift-artifactory-ha/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 7.3.2 +appVersion: 7.4.1 description: Openshift JFrog Artifactory HA subcharting Artifactory HA to work in Openshift environment home: https://www.jfrog.com/artifactory/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-ha/logo/artifactory-logo.png @@ -16,4 +16,4 @@ name: openshift-artifactory-ha sources: - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view - https://github.com/jfrog/charts -version: 2.3.0 +version: 2.4.2 diff --git a/Openshift4/openshift-artifactory-ha/helminstall.sh b/Openshift4/openshift-artifactory-ha/helminstall.sh index 471bf15..5b7feb8 100755 --- a/Openshift4/openshift-artifactory-ha/helminstall.sh +++ b/Openshift4/openshift-artifactory-ha/helminstall.sh @@ -18,22 +18,38 @@ then echo "https://www.jfrog.com/confluence/display/JFROG/PostgreSQL" exit 1 else - # patch the restricted scc to allow the pods to run as anyuid - oc patch scc restricted --patch '{"fsGroup":{"type":"RunAsAny"},"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"RunAsAny"}}' --type=merge - - # create the license secret - oc create secret generic artifactory-license --from-file=artifactory.cluster.license - - # create the tls secret - oc create secret tls tls-ingress --cert=tls.crt --key=tls.key + if [[ -z "$1" ]] + then + echo "Installing Jfrog Artifactory Openshift Helm" + else + echo "Patching Environment for RunAsAnyUid" + # patch the restricted scc to allow the pods to run as anyuid + oc patch scc restricted --patch '{"fsGroup":{"type":"RunAsAny"},"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"RunAsAny"}}' --type=merge + if [[ -f "artifactory.cluster.license" ]] + then + echo "Creating k8s secret for Artifactory cluster licenses from file: artifactory.cluster.license" + # create the license secret + oc create secret generic artifactory-license --from-file=artifactory.cluster.license + fi + + if [[ -f "tls.crt" ]] + then + echo "Creating k8s secret for TLS tls-ingress from files tls.crt & tls.key" + # create the tls secret + oc create secret tls tls-ingress --cert=tls.crt --key=tls.key + fi + fi fi # install via helm with default postgresql configuration helm install artifactory-ha . \ + --set artifactory-ha.nginx.service.ssloffload=true \ --set artifactory-ha.nginx.tlsSecretName=tls-ingress \ + --set artifactory-ha.artifactory.node.replicaCount=1 \ --set artifactory-ha.artifactory.license.secret=artifactory-license,artifactory-ha.artifactory.license.dataKey=artifactory.cluster.license \ --set artifactory-ha.database.type=postgresql \ --set artifactory-ha.database.driver=org.postgresql.Driver \ --set artifactory-ha.database.url=jdbc:postgresql://postgres-postgresql:5432/artifactory \ --set artifactory-ha.database.user=artifactory \ - --set artifactory-ha.database.password=password \ No newline at end of file + --set artifactory-ha.database.password=password + diff --git a/Openshift4/openshift-artifactory-ha/requirements.lock b/Openshift4/openshift-artifactory-ha/requirements.lock index 2987889..ea28887 100644 --- a/Openshift4/openshift-artifactory-ha/requirements.lock +++ b/Openshift4/openshift-artifactory-ha/requirements.lock @@ -1,6 +1,6 @@ dependencies: - name: artifactory-ha repository: https://charts.jfrog.io/ - version: 2.3.0 -digest: sha256:1a0b97f17a29da8dfe7f7dfbf5860258f216d1d82b06ffb55733b85f09e7cbaf -generated: "2020-04-13T11:22:22.813393-07:00" + version: 2.4.2 +digest: sha256:e9f80a6605bf281075c8b34fc9590728af545ed1f152a72ff985fea3708cd5f3 +generated: "2020-04-21T13:04:32.953359-07:00" diff --git a/Openshift4/openshift-artifactory-ha/requirements.yaml b/Openshift4/openshift-artifactory-ha/requirements.yaml index 45e29e2..b650c03 100644 --- a/Openshift4/openshift-artifactory-ha/requirements.yaml +++ b/Openshift4/openshift-artifactory-ha/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: artifactory-ha - version: 2.3.0 + version: 2.4.2 repository: https://charts.jfrog.io/ diff --git a/Openshift4/openshift-artifactory-ha/values.yaml b/Openshift4/openshift-artifactory-ha/values.yaml index 9c9974d..28b4a9e 100755 --- a/Openshift4/openshift-artifactory-ha/values.yaml +++ b/Openshift4/openshift-artifactory-ha/values.yaml @@ -33,13 +33,16 @@ artifactory-ha: name: volume ## Change to use RH UBI images image: - repository: registry.connect.redhat.com/jfrog/artifactory-pro - version: 7.3.2 + repository: quay.io/jfrog/artifactory-rh-pro + version: 7.4.1 + #repository: registry.connect.redhat.com/jfrog/artifactory-pro + #version: 7.3.2 node: replicaCount: 2 waitForPrimaryStartup: enabled: false masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE postgresql: enabled: false nginx: @@ -48,6 +51,8 @@ artifactory-ha: version: latest ## K8S secret name for the TLS secret to be used for SSL tlsSecretName: "OVERRIDE" + service: + ssloffload: false http: externalPort: 80 internalPort: 8080 diff --git a/Openshift4/openshift-xray/CHANGELOG.md b/Openshift4/openshift-xray/CHANGELOG.md new file mode 100755 index 0000000..c907895 --- /dev/null +++ b/Openshift4/openshift-xray/CHANGELOG.md @@ -0,0 +1,17 @@ +# JFrog Openshift Artifactory-Xray Chart Changelog +All changes to this chart will be documented in this file. + +## [2.4.0] - April 14, 2020 +* Updating to latest jfrog/artifactory-ha helm chart version 2.4.0 adding new requirements.yaml entry for xray helm charts to combine together into one umbrella chart + +## [2.3.0] - April 13, 2020 +* Updating to latest jfrog/artifactory-ha helm chart version 2.3.0 + +## [2.2.9] - April 11, 2020 +* Fixed issues with master key + +## [2.1.9] - March 17, 2020 +* Updated Artifactory version to 7.3.2 + +## [2.0.35] - March 09, 2020 +* Updated Artifactory version to 7.2.1 diff --git a/Openshift4/openshift-xray/Chart.yaml b/Openshift4/openshift-xray/Chart.yaml new file mode 100755 index 0000000..a98e701 --- /dev/null +++ b/Openshift4/openshift-xray/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: 3.2.3 +description: Universal component scan for security and license inventory and impact analysis +sources: +- https://bintray.com/jfrog/product/xray/view +- https://github.com/jfrog/charts +keywords: +- xray +- jfrog +maintainers: +- email: vinaya@jfrog.com + name: Vinay Aggarwal +- email: johnp@jfrog.com + name: John Peterson +name: openshift-xray +version: 3.2.4 diff --git a/Openshift4/openshift-xray/LICENSE b/Openshift4/openshift-xray/LICENSE new file mode 100755 index 0000000..8dada3e --- /dev/null +++ b/Openshift4/openshift-xray/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Openshift4/openshift-xray/helminstall.sh b/Openshift4/openshift-xray/helminstall.sh new file mode 100755 index 0000000..94aa1ef --- /dev/null +++ b/Openshift4/openshift-xray/helminstall.sh @@ -0,0 +1,71 @@ +#!/usr/bin/env bash + +# PreReq'd: +# helm install postgres bitnami/postgresql +# follow artifactory postgresql db setup: +# https://www.jfrog.com/confluence/display/JFROG/PostgreSQL +POSTGRES=$(helm ls | grep postgres | wc -l) +ARTIFACTORY=$(helm ls | grep artifactory | wc -l) +if [[ "$POSTGRES" =~ (0) ]] +then + echo "External DB is required to run Jfrog Openshift Xray Helm chart" + echo "" + echo "Postgresql helm chart must be installed prior to installing this helm installer script." + echo "" + echo "helm install postgres bitnami/postgresql" + echo "" + echo "follow artifactory postgresql db setup:" + echo "https://www.jfrog.com/confluence/display/JFROG/PostgreSQL" + exit 1 +elif [[ "$ARTIFACTORY" =~ (0) ]] +then + echo "Artifactory Instance is required to run Jfrog Openshift Xray Helm chart" + echo "" + echo "Please use helm to first install Artifactory: openshift-artifactory-ha" + echo "" + echo "Then install Openshift xray helm chart once artifactory is ready." + echo "" + exit 1 +else + echo "Installing Openshift Xray Helm" +fi + +DBURL="" +if [[ -z "$1" ]] +then + DBURL="postgres://postgres-postgresql:5432/xraydb?sslmode=disable" +else + DBURL=$1 +fi + +DBUSER="" +if [[ -z "$2" ]] +then + DBUSER="artifactory" +else + DBUSER=$2 +fi + +DBPASS="" +if [[ -z "$3" ]] +then + DBPASS="password" +else + DBPASS=$3 +fi + +JFROGURL="" +if [[ -z "$4" ]] +then + JFROGURL="http://artifactory-ha-nginx" +else + JFROGURL=$4 +fi + + +# install via helm with default postgresql configuration +helm install xray . \ + --set xray.database.url=$DBURL \ + --set xray.database.user=$DBUSER \ + --set xray.database.password=$DBPASS \ + --set xray.xray.jfrogUrl=$JFROGURL diff --git a/Openshift4/openshift-xray/rabbitmq.yaml b/Openshift4/openshift-xray/rabbitmq.yaml new file mode 100644 index 0000000..521df8e --- /dev/null +++ b/Openshift4/openshift-xray/rabbitmq.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: rabbitmq + name: rabbitmq + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: rabbitmq + template: + metadata: + labels: + app: rabbitmq + spec: + containers: + - image: quay.io/jfrog/xray-rabbitmq-rh:3.8.0 + imagePullPolicy: "Always" + name: xray-rabbitmq + ports: + - containerPort: 4369 + - containerPort: 5672 + - containerPort: 25672 diff --git a/Openshift4/openshift-xray/rabbitmqservice.yaml b/Openshift4/openshift-xray/rabbitmqservice.yaml new file mode 100644 index 0000000..a8f108a --- /dev/null +++ b/Openshift4/openshift-xray/rabbitmqservice.yaml @@ -0,0 +1,26 @@ +kind: Service +apiVersion: v1 +metadata: + name: rabbitmq-lb + labels: + app: rabbitmq +spec: + selector: + app: rabbitmq + ports: + - name: port1 + protocol: TCP + port: 4369 + targetPort: 4369 + - name: port3 + protocol: TCP + port: 5672 + targetPort: 5672 + - name: port4 + protocol: TCP + port: 25672 + targetPort: 25672 + type: ClusterIP + + + diff --git a/Openshift4/openshift-xray/requirements.lock b/Openshift4/openshift-xray/requirements.lock new file mode 100644 index 0000000..d205d69 --- /dev/null +++ b/Openshift4/openshift-xray/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: xray + repository: https://charts.jfrog.io/ + version: 3.2.4 +digest: sha256:78c6667a953eef5337a57d67214ac327a0e7779349982325f697e906fdaba1a8 +generated: "2020-04-21T11:17:43.64727-07:00" diff --git a/Openshift4/openshift-xray/requirements.yaml b/Openshift4/openshift-xray/requirements.yaml new file mode 100644 index 0000000..7bf9701 --- /dev/null +++ b/Openshift4/openshift-xray/requirements.yaml @@ -0,0 +1,4 @@ +dependencies: + - name: xray + version: 3.2.4 + repository: https://charts.jfrog.io/ diff --git a/Openshift4/openshift-xray/values.yaml b/Openshift4/openshift-xray/values.yaml new file mode 100755 index 0000000..bdf7275 --- /dev/null +++ b/Openshift4/openshift-xray/values.yaml @@ -0,0 +1,77 @@ +# Openshift Jfrog Xray +xray: + replicaCount: 1 + xray: + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + consoleLog: false + jfrogUrl: "OVERRIDE" + postgresql: + enabled: false + database: + url: "OVERRIDE" + user: "OVERRIDE" + password: "OVERRIDE" + rabbitmq-ha: + enabled: true + replicaCount: 1 + image: + tag: 3.7.21-alpine + rabbitmqUsername: guest + rabbitmqPassword: "" + persistentVolume: + enabled: true + size: 20Gi + rbac: + create: true + preStartCommand: + global: + postgresqlTlsSecret: + analysis: + name: xray-analysis + image: + repository: quay.io/jfrog/xray-analysis-rh + # version: + updateStrategy: RollingUpdate + podManagementPolicy: Parallel + preStartCommand: + indexer: + name: xray-indexer + image: + repository: quay.io/jfrog/xray-indexer-rh + # version: + updateStrategy: RollingUpdate + podManagementPolicy: Parallel + persist: + name: xray-persist + image: + repository: quay.io/jfrog/xray-persist-rh + # version: + updateStrategy: RollingUpdate + podManagementPolicy: Parallel + persistence: + size: 10Gi + preStartCommand: + server: + name: xray-server + image: + repository: quay.io/jfrog/xray-server-rh + # version: + updateStrategy: RollingUpdate + podManagementPolicy: Parallel + replicaCount: 1 + router: + name: router + image: + repository: quay.io/jfrog/router-rh + version: 1.2.1 + imagePullPolicy: IfNotPresent + rabbitmq-ha: + enabled: true + replicaCount: 1 + image: + repository: quay.io/jfrog/xray-rabbitmq-rh + tag: 3.8.0 + rabbitmqEpmdPort: 4369 + rabbitmqNodePort: 5672 + rabbitmqManagerPort: 15672 \ No newline at end of file From fb0328dcef2c9db092cb5a1a76f6747a30ef9060 Mon Sep 17 00:00:00 2001 From: John Peterson Date: Tue, 12 May 2020 11:39:07 -0700 Subject: [PATCH 26/28] updating openshift artifactory-ha to latest artifactoryha helm chart 2.4.6 --- Openshift4/openshift-artifactory-ha/CHANGELOG.md | 3 +++ Openshift4/openshift-artifactory-ha/Chart.yaml | 4 ++-- Openshift4/openshift-artifactory-ha/requirements.lock | 6 +++--- Openshift4/openshift-artifactory-ha/requirements.yaml | 2 +- Openshift4/openshift-artifactory-ha/values.yaml | 6 ++---- 5 files changed, 11 insertions(+), 10 deletions(-) diff --git a/Openshift4/openshift-artifactory-ha/CHANGELOG.md b/Openshift4/openshift-artifactory-ha/CHANGELOG.md index d3a13f7..02341d1 100755 --- a/Openshift4/openshift-artifactory-ha/CHANGELOG.md +++ b/Openshift4/openshift-artifactory-ha/CHANGELOG.md @@ -1,6 +1,9 @@ # JFrog Openshift Artifactory-ha Chart Changelog All changes to this chart will be documented in this file. +## [2.4.6] - May 12, 2020 +* Updating to latest jfrog/artifactory-ha helm chart version 2.4.6 artifactory version 7.4.3 + ## [2.3.0] - April 13, 2020 * Updating to latest jfrog/artifactory-ha helm chart version 2.3.0 diff --git a/Openshift4/openshift-artifactory-ha/Chart.yaml b/Openshift4/openshift-artifactory-ha/Chart.yaml index adcd7f7..841bbe1 100755 --- a/Openshift4/openshift-artifactory-ha/Chart.yaml +++ b/Openshift4/openshift-artifactory-ha/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 7.4.1 +appVersion: 7.4.3 description: Openshift JFrog Artifactory HA subcharting Artifactory HA to work in Openshift environment home: https://www.jfrog.com/artifactory/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-ha/logo/artifactory-logo.png @@ -16,4 +16,4 @@ name: openshift-artifactory-ha sources: - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view - https://github.com/jfrog/charts -version: 2.4.2 +version: 2.4.6 diff --git a/Openshift4/openshift-artifactory-ha/requirements.lock b/Openshift4/openshift-artifactory-ha/requirements.lock index ea28887..aece72c 100644 --- a/Openshift4/openshift-artifactory-ha/requirements.lock +++ b/Openshift4/openshift-artifactory-ha/requirements.lock @@ -1,6 +1,6 @@ dependencies: - name: artifactory-ha repository: https://charts.jfrog.io/ - version: 2.4.2 -digest: sha256:e9f80a6605bf281075c8b34fc9590728af545ed1f152a72ff985fea3708cd5f3 -generated: "2020-04-21T13:04:32.953359-07:00" + version: 2.4.6 +digest: sha256:e0c6b67c9745748aba555b2383d832fee3a977fcde31c5a4f3a5f73f4a357a92 +generated: "2020-05-12T11:37:46.61737-07:00" diff --git a/Openshift4/openshift-artifactory-ha/requirements.yaml b/Openshift4/openshift-artifactory-ha/requirements.yaml index b650c03..a85b71a 100644 --- a/Openshift4/openshift-artifactory-ha/requirements.yaml +++ b/Openshift4/openshift-artifactory-ha/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: artifactory-ha - version: 2.4.2 + version: 2.4.6 repository: https://charts.jfrog.io/ diff --git a/Openshift4/openshift-artifactory-ha/values.yaml b/Openshift4/openshift-artifactory-ha/values.yaml index 28b4a9e..ef19542 100755 --- a/Openshift4/openshift-artifactory-ha/values.yaml +++ b/Openshift4/openshift-artifactory-ha/values.yaml @@ -33,10 +33,8 @@ artifactory-ha: name: volume ## Change to use RH UBI images image: - repository: quay.io/jfrog/artifactory-rh-pro - version: 7.4.1 - #repository: registry.connect.redhat.com/jfrog/artifactory-pro - #version: 7.3.2 + repository: registry.connect.redhat.com/jfrog/artifactory-pro + version: 7.4.3 node: replicaCount: 2 waitForPrimaryStartup: From 077c60eb5e49ab4e274c2547d0900b2fd2b9c36d Mon Sep 17 00:00:00 2001 From: John Peterson Date: Tue, 12 May 2020 12:33:01 -0700 Subject: [PATCH 27/28] Operator RT version 7.4.3 --- Openshift4/artifactory-ha-operator/CHANGELOG.md | 17 +++++++++++++++++ ...a-operator.v1.0.0.clusterserviceversion.yaml | 6 +++++- ...s.io_v1alpha1_openshiftartifactoryha_cr.yaml | 6 +++++- ...a-operator.v1.0.0.clusterserviceversion.yaml | 6 +++++- 4 files changed, 32 insertions(+), 3 deletions(-) create mode 100755 Openshift4/artifactory-ha-operator/CHANGELOG.md diff --git a/Openshift4/artifactory-ha-operator/CHANGELOG.md b/Openshift4/artifactory-ha-operator/CHANGELOG.md new file mode 100755 index 0000000..02341d1 --- /dev/null +++ b/Openshift4/artifactory-ha-operator/CHANGELOG.md @@ -0,0 +1,17 @@ +# JFrog Openshift Artifactory-ha Chart Changelog +All changes to this chart will be documented in this file. + +## [2.4.6] - May 12, 2020 +* Updating to latest jfrog/artifactory-ha helm chart version 2.4.6 artifactory version 7.4.3 + +## [2.3.0] - April 13, 2020 +* Updating to latest jfrog/artifactory-ha helm chart version 2.3.0 + +## [2.2.9] - April 11, 2020 +* Fixed issues with master key + +## [2.1.9] - March 17, 2020 +* Updated Artifactory version to 7.3.2 + +## [2.0.35] - March 09, 2020 +* Updated Artifactory version to 7.2.1 diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 26a23ce..2602018 100644 --- a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -16,8 +16,9 @@ metadata: "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { "repository": "registry.connect.redhat.com/jfrog/artifactory-pro", - "version": "7.3" + "version": "7.4.3" }, + "joinKey": "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE", "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "node": { "replicaCount": 2, @@ -49,6 +50,9 @@ metadata: "version": "latest" }, "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n", + "service": { + "ssloffload": false + }, "tlsSecretName": "OVERRIDE" }, "postgresql": { diff --git a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml index fbc6476..d149a42 100644 --- a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftartifactoryha_cr.yaml @@ -20,9 +20,11 @@ spec: name: volume image: repository: registry.connect.redhat.com/jfrog/artifactory-pro - version: 7.3.2 + version: 7.4.3 + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF node: + replicaCount: 2 waitForPrimaryStartup: enabled: false database: @@ -94,6 +96,8 @@ spec: include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf; } tlsSecretName: OVERRIDE + service: + ssloffload: false postgresql: enabled: false waitForDatabase: false diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 26a23ce..2602018 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -16,8 +16,9 @@ metadata: "customInitContainersBegin": "- name: \"redhat-custom-setup\"\n image: {{ index .Values \"initContainerImage\" }}\n imagePullPolicy: \"{{ .Values.artifactory.image.pullPolicy }}\"\n command:\n - 'sh'\n - '-c'\n - 'chown -R 1030:1030 {{ .Values.artifactory.persistence.mountPath }}'\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: \"{{ .Values.artifactory.persistence.mountPath }}\"\n name: volume\n", "image": { "repository": "registry.connect.redhat.com/jfrog/artifactory-pro", - "version": "7.3" + "version": "7.4.3" }, + "joinKey": "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE", "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "node": { "replicaCount": 2, @@ -49,6 +50,9 @@ metadata: "version": "latest" }, "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n", + "service": { + "ssloffload": false + }, "tlsSecretName": "OVERRIDE" }, "postgresql": { From 127ed35f4a6cc2faaa352b88a6485575bc86a55a Mon Sep 17 00:00:00 2001 From: John Peterson Date: Fri, 22 May 2020 12:21:05 -0700 Subject: [PATCH 28/28] JFrog Xray Openshift helm chart and operator --- .../artifactory-ha-operator/build/Dockerfile | 6 +- ...operator.v1.0.0.clusterserviceversion.yaml | 30 +- ...lm.k8s.io_openshiftartifactoryhas_crd.yaml | 1 + ...operator.v1.0.0.clusterserviceversion.yaml | 30 +- Openshift4/openshift-xray/Chart.yaml | 4 +- Openshift4/openshift-xray/helminstall.sh | 2 +- Openshift4/openshift-xray/requirements.lock | 6 +- Openshift4/openshift-xray/requirements.yaml | 2 +- Openshift4/openshift-xray/values.yaml | 20 +- Openshift4/xray-operator/CHANGELOG.md | 6 + Openshift4/xray-operator/CONTRIBUTING.md | 62 ++++ Openshift4/xray-operator/README.md | 90 +++++ Openshift4/xray-operator/build/Dockerfile | 11 + .../bundle/openshiftxray-operator.crd.yaml | 23 ++ .../openshiftxray-operator.package.yaml | 4 + ...operator.v1.0.0.clusterserviceversion.yaml | 339 ++++++++++++++++++ ...charts.helm.k8s.io_openshiftxrays_crd.yaml | 23 ++ ...helm.k8s.io_v1alpha1_openshiftxray_cr.yaml | 69 ++++ ...operator.v1.0.0.clusterserviceversion.yaml | 339 ++++++++++++++++++ .../xray-operator/xray-operator.package.yaml | 5 + Openshift4/xray-operator/deploy/operator.yaml | 42 +++ Openshift4/xray-operator/deploy/role.yaml | 119 ++++++ .../xray-operator/deploy/role_binding.yaml | 11 + .../xray-operator/deploy/service_account.yaml | 4 + .../xray-operator/deploy/subscription.yaml | 10 + .../helm-charts/openshift-xray/CHANGELOG.md | 17 + .../helm-charts/openshift-xray/Chart.yaml | 17 + .../helm-charts/openshift-xray/LICENSE | 201 +++++++++++ .../helm-charts/openshift-xray/helminstall.sh | 71 ++++ .../helm-charts/openshift-xray/rabbitmq.yaml | 25 ++ .../openshift-xray/rabbitmqservice.yaml | 26 ++ .../openshift-xray/requirements.lock | 6 + .../openshift-xray/requirements.yaml | 4 + .../helm-charts/openshift-xray/values.yaml | 63 ++++ Openshift4/xray-operator/licenses/LICENSE | 202 +++++++++++ Openshift4/xray-operator/watches.yaml | 5 + 36 files changed, 1846 insertions(+), 49 deletions(-) create mode 100755 Openshift4/xray-operator/CHANGELOG.md create mode 100644 Openshift4/xray-operator/CONTRIBUTING.md create mode 100644 Openshift4/xray-operator/README.md create mode 100644 Openshift4/xray-operator/build/Dockerfile create mode 100644 Openshift4/xray-operator/bundle/openshiftxray-operator.crd.yaml create mode 100644 Openshift4/xray-operator/bundle/openshiftxray-operator.package.yaml create mode 100644 Openshift4/xray-operator/bundle/xray-operator.v1.0.0.clusterserviceversion.yaml create mode 100644 Openshift4/xray-operator/deploy/crds/charts.helm.k8s.io_openshiftxrays_crd.yaml create mode 100644 Openshift4/xray-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftxray_cr.yaml create mode 100644 Openshift4/xray-operator/deploy/olm-catalog/xray-operator/1.0.0/xray-operator.v1.0.0.clusterserviceversion.yaml create mode 100644 Openshift4/xray-operator/deploy/olm-catalog/xray-operator/xray-operator.package.yaml create mode 100644 Openshift4/xray-operator/deploy/operator.yaml create mode 100644 Openshift4/xray-operator/deploy/role.yaml create mode 100644 Openshift4/xray-operator/deploy/role_binding.yaml create mode 100644 Openshift4/xray-operator/deploy/service_account.yaml create mode 100644 Openshift4/xray-operator/deploy/subscription.yaml create mode 100644 Openshift4/xray-operator/helm-charts/openshift-xray/CHANGELOG.md create mode 100644 Openshift4/xray-operator/helm-charts/openshift-xray/Chart.yaml create mode 100644 Openshift4/xray-operator/helm-charts/openshift-xray/LICENSE create mode 100644 Openshift4/xray-operator/helm-charts/openshift-xray/helminstall.sh create mode 100644 Openshift4/xray-operator/helm-charts/openshift-xray/rabbitmq.yaml create mode 100644 Openshift4/xray-operator/helm-charts/openshift-xray/rabbitmqservice.yaml create mode 100644 Openshift4/xray-operator/helm-charts/openshift-xray/requirements.lock create mode 100644 Openshift4/xray-operator/helm-charts/openshift-xray/requirements.yaml create mode 100644 Openshift4/xray-operator/helm-charts/openshift-xray/values.yaml create mode 100755 Openshift4/xray-operator/licenses/LICENSE create mode 100644 Openshift4/xray-operator/watches.yaml diff --git a/Openshift4/artifactory-ha-operator/build/Dockerfile b/Openshift4/artifactory-ha-operator/build/Dockerfile index 4e9ec36..92415b9 100644 --- a/Openshift4/artifactory-ha-operator/build/Dockerfile +++ b/Openshift4/artifactory-ha-operator/build/Dockerfile @@ -1,9 +1,11 @@ FROM quay.io/operator-framework/helm-operator:v0.16.0 LABEL name="JFrog Artifactory Enterprise Operator" \ - description="Operator to deploy JFrog Artifactory Enterprise based on the Red Hat Universal Base Image." \ + description="Openshift operator to deploy JFrog Artifactory Enterprise based on the Red Hat Universal Base Image." \ vendor="JFrog" \ - summary="JFrog Artifactory Enterprise Operator" + summary="JFrog Artifactory Enterprise Operator" \ + com.jfrog.license_terms="https://jfrog.com/artifactory/eula/" + COPY licenses/ /licenses COPY watches.yaml ${HOME}/watches.yaml COPY helm-charts/ ${HOME}/helm-charts/ diff --git a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 2602018..a9ac115 100644 --- a/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/bundle/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -49,7 +49,7 @@ metadata: "repository": "registry.redhat.io/rhel8/nginx-116", "version": "latest" }, - "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n", + "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \\\"$remote_user\\\" '\n 'local_time = \\\"$time_local\\\" '\n 'host = $host '\n 'request = \\\"$request\\\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \\\"$upstream_addr\\\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \\\"$http_referer\\\" '\n 'UA = \\\"$http_user_agent\\\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n", "service": { "ssloffload": false }, @@ -66,13 +66,13 @@ metadata: capabilities: Basic Install categories: "Developer Tools,Integration & Delivery" description: "JFrog Artifactory Enterprise deploys Artifactory in a high availability environment across multiple pods" - containerImage: registry.connect.redhat.com/jfrog/artifactory-operator:7.3 + containerImage: registry.connect.redhat.com/jfrog/artifactory-operator:7.4 createdAt: 2020-03-25T00:00:00Z support: JFrog certified: "true" repository: https://github.com/jfrog/JFrog-Cloud-Installers/tree/openshift4/Openshift4 name: artifactory-ha-operator.v1.0.0 - namespace: jfrog-artifactory + namespace: placeholder spec: apiservicedefinitions: {} customresourcedefinitions: @@ -117,7 +117,7 @@ spec: install: spec: deployments: - - name: artifactory-ha-operator + - name: artifactory-ha-operatorvi spec: replicas: 1 selector: @@ -142,10 +142,10 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: registry.connect.redhat.com/jfrog/artifactory-pro:7.3 + value: registry.connect.redhat.com/jfrog/artifactory-pro:7.4.3 - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY value: registry.redhat.io/rhel8/nginx-116:latest - image: registry.connect.redhat.com/jfrog/artifactory-operator:7.3 + image: registry.connect.redhat.com/jfrog/artifactory-operator:7.4 imagePullPolicy: Always name: artifactory-ha-operator resources: {} @@ -260,7 +260,7 @@ spec: verbs: - '*' - apiGroups: - - 'rbac.authorization.k8s.io' + - rbac.authorization.k8s.io resources: - '*' verbs: @@ -268,14 +268,14 @@ spec: serviceAccountName: artifactory-ha-operator strategy: deployment installModes: - - supported: true - type: OwnNamespace - - supported: true - type: SingleNamespace - - supported: false - type: MultiNamespace - - supported: true - type: AllNamespaces + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces keywords: - "DevOps" - "CI/CD" diff --git a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml index a125712..17df5a1 100644 --- a/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/crds/charts.helm.k8s.io_openshiftartifactoryhas_crd.yaml @@ -16,6 +16,7 @@ spec: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true + version: v1alpha1 versions: - name: v1alpha1 served: true diff --git a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml index 2602018..a9ac115 100644 --- a/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml +++ b/Openshift4/artifactory-ha-operator/deploy/olm-catalog/artifactory-ha-operator/1.0.0/artifactory-ha-operator.v1.0.0.clusterserviceversion.yaml @@ -49,7 +49,7 @@ metadata: "repository": "registry.redhat.io/rhel8/nginx-116", "version": "latest" }, - "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \"$remote_user\" '\n 'local_time = \"$time_local\" '\n 'host = $host '\n 'request = \"$request\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \"$upstream_addr\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \"$http_referer\" '\n 'UA = \"$http_user_agent\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n", + "mainConf": "# Main Nginx configuration file\nworker_processes 4;\nerror_log {{ .Values.nginx.persistence.mountPath }}/logs//error.log warn;\npid /tmp/nginx.pid;\nevents {\n worker_connections 1024;\n}\nhttp {\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n variables_hash_max_size 1024;\n variables_hash_bucket_size 64;\n server_names_hash_max_size 4096;\n server_names_hash_bucket_size 128;\n types_hash_max_size 2048;\n types_hash_bucket_size 64;\n proxy_read_timeout 2400s;\n client_header_timeout 2400s;\n client_body_timeout 2400s;\n proxy_connect_timeout 75s;\n proxy_send_timeout 2400s;\n proxy_buffer_size 32k;\n proxy_buffers 40 32k;\n proxy_busy_buffers_size 64k;\n proxy_temp_file_write_size 250m;\n proxy_http_version 1.1;\n client_body_buffer_size 128k;\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n log_format timing 'ip = $remote_addr '\n 'user = \\\"$remote_user\\\" '\n 'local_time = \\\"$time_local\\\" '\n 'host = $host '\n 'request = \\\"$request\\\" '\n 'status = $status '\n 'bytes = $body_bytes_sent '\n 'upstream = \\\"$upstream_addr\\\" '\n 'upstream_time = $upstream_response_time '\n 'request_time = $request_time '\n 'referer = \\\"$http_referer\\\" '\n 'UA = \\\"$http_user_agent\\\"';\n access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;\n sendfile on;\n #tcp_nopush on;\n keepalive_timeout 65;\n #gzip on;\n include {{ .Values.nginx.persistence.mountPath }}/conf.d/*.conf;\n}\n", "service": { "ssloffload": false }, @@ -66,13 +66,13 @@ metadata: capabilities: Basic Install categories: "Developer Tools,Integration & Delivery" description: "JFrog Artifactory Enterprise deploys Artifactory in a high availability environment across multiple pods" - containerImage: registry.connect.redhat.com/jfrog/artifactory-operator:7.3 + containerImage: registry.connect.redhat.com/jfrog/artifactory-operator:7.4 createdAt: 2020-03-25T00:00:00Z support: JFrog certified: "true" repository: https://github.com/jfrog/JFrog-Cloud-Installers/tree/openshift4/Openshift4 name: artifactory-ha-operator.v1.0.0 - namespace: jfrog-artifactory + namespace: placeholder spec: apiservicedefinitions: {} customresourcedefinitions: @@ -117,7 +117,7 @@ spec: install: spec: deployments: - - name: artifactory-ha-operator + - name: artifactory-ha-operatorvi spec: replicas: 1 selector: @@ -142,10 +142,10 @@ spec: - name: OPERATOR_NAME value: artifactory-ha-operator - name: RELATED_IMAGE_ARTIFACTORY_IMAGE_REPOSITORY - value: registry.connect.redhat.com/jfrog/artifactory-pro:7.3 + value: registry.connect.redhat.com/jfrog/artifactory-pro:7.4.3 - name: RELATED_IMAGE_NGINX_IMAGE_REPOSITORY value: registry.redhat.io/rhel8/nginx-116:latest - image: registry.connect.redhat.com/jfrog/artifactory-operator:7.3 + image: registry.connect.redhat.com/jfrog/artifactory-operator:7.4 imagePullPolicy: Always name: artifactory-ha-operator resources: {} @@ -260,7 +260,7 @@ spec: verbs: - '*' - apiGroups: - - 'rbac.authorization.k8s.io' + - rbac.authorization.k8s.io resources: - '*' verbs: @@ -268,14 +268,14 @@ spec: serviceAccountName: artifactory-ha-operator strategy: deployment installModes: - - supported: true - type: OwnNamespace - - supported: true - type: SingleNamespace - - supported: false - type: MultiNamespace - - supported: true - type: AllNamespaces + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces keywords: - "DevOps" - "CI/CD" diff --git a/Openshift4/openshift-xray/Chart.yaml b/Openshift4/openshift-xray/Chart.yaml index a98e701..5be21b7 100755 --- a/Openshift4/openshift-xray/Chart.yaml +++ b/Openshift4/openshift-xray/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 3.2.3 +appVersion: 3.3.0 description: Universal component scan for security and license inventory and impact analysis sources: - https://bintray.com/jfrog/product/xray/view @@ -13,4 +13,4 @@ maintainers: - email: johnp@jfrog.com name: John Peterson name: openshift-xray -version: 3.2.4 +version: 3.3.1 diff --git a/Openshift4/openshift-xray/helminstall.sh b/Openshift4/openshift-xray/helminstall.sh index 94aa1ef..2260da1 100755 --- a/Openshift4/openshift-xray/helminstall.sh +++ b/Openshift4/openshift-xray/helminstall.sh @@ -57,7 +57,7 @@ fi JFROGURL="" if [[ -z "$4" ]] then - JFROGURL="http://artifactory-ha-nginx" + JFROGURL="http://openshiftartifactoryha-nginx" else JFROGURL=$4 fi diff --git a/Openshift4/openshift-xray/requirements.lock b/Openshift4/openshift-xray/requirements.lock index d205d69..80b1b54 100644 --- a/Openshift4/openshift-xray/requirements.lock +++ b/Openshift4/openshift-xray/requirements.lock @@ -1,6 +1,6 @@ dependencies: - name: xray repository: https://charts.jfrog.io/ - version: 3.2.4 -digest: sha256:78c6667a953eef5337a57d67214ac327a0e7779349982325f697e906fdaba1a8 -generated: "2020-04-21T11:17:43.64727-07:00" + version: 3.3.1 +digest: sha256:22010f573f0dfaf95a05835e6b712ef74438aa7c5f39674cd8fd27390bc99d7e +generated: "2020-05-21T13:54:18.60088-07:00" diff --git a/Openshift4/openshift-xray/requirements.yaml b/Openshift4/openshift-xray/requirements.yaml index 7bf9701..34dd60c 100644 --- a/Openshift4/openshift-xray/requirements.yaml +++ b/Openshift4/openshift-xray/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: xray - version: 3.2.4 + version: 3.3.1 repository: https://charts.jfrog.io/ diff --git a/Openshift4/openshift-xray/values.yaml b/Openshift4/openshift-xray/values.yaml index bdf7275..bca4e65 100755 --- a/Openshift4/openshift-xray/values.yaml +++ b/Openshift4/openshift-xray/values.yaml @@ -30,23 +30,23 @@ xray: analysis: name: xray-analysis image: - repository: quay.io/jfrog/xray-analysis-rh - # version: + repository: registry.connect.redhat.com/jfrog/xray-analysis + version: 3.3.0 updateStrategy: RollingUpdate podManagementPolicy: Parallel preStartCommand: indexer: name: xray-indexer image: - repository: quay.io/jfrog/xray-indexer-rh - # version: + repository: registry.connect.redhat.com/jfrog/xray-indexer + version: 3.3.0 updateStrategy: RollingUpdate podManagementPolicy: Parallel persist: name: xray-persist image: - repository: quay.io/jfrog/xray-persist-rh - # version: + repository: registry.connect.redhat.com/jfrog/xray-persist + version: 3.3.0 updateStrategy: RollingUpdate podManagementPolicy: Parallel persistence: @@ -55,22 +55,22 @@ xray: server: name: xray-server image: - repository: quay.io/jfrog/xray-server-rh - # version: + repository: registry.connect.redhat.com/jfrog/xray-server + version: 3.3.0 updateStrategy: RollingUpdate podManagementPolicy: Parallel replicaCount: 1 router: name: router image: - repository: quay.io/jfrog/router-rh + repository: registry.connect.redhat.com/jfrog/xray-router version: 1.2.1 imagePullPolicy: IfNotPresent rabbitmq-ha: enabled: true replicaCount: 1 image: - repository: quay.io/jfrog/xray-rabbitmq-rh + repository: registry.connect.redhat.com/jfrog/xray-rabbitmq tag: 3.8.0 rabbitmqEpmdPort: 4369 rabbitmqNodePort: 5672 diff --git a/Openshift4/xray-operator/CHANGELOG.md b/Openshift4/xray-operator/CHANGELOG.md new file mode 100755 index 0000000..96e3feb --- /dev/null +++ b/Openshift4/xray-operator/CHANGELOG.md @@ -0,0 +1,6 @@ +# JFrog Openshift Xray Chart Changelog +All changes to this chart will be documented in this file. + +## [3.3.0] - May 22, 2020 +* Deploying JFrog Xray 3.3.0 as an Operator initial version of Jfrog Xray supported + diff --git a/Openshift4/xray-operator/CONTRIBUTING.md b/Openshift4/xray-operator/CONTRIBUTING.md new file mode 100644 index 0000000..83961a0 --- /dev/null +++ b/Openshift4/xray-operator/CONTRIBUTING.md @@ -0,0 +1,62 @@ +# Contributing + +When contributing to this repository, please first discuss the change you wish to make via slack, issue, email, or any other method with the owners of this repository before making a change. + +Note we have a code of conduct, please follow it in all your interactions with the project. + +## Pull Request Process + +Ensure any install or build dependencies are removed before the end of the layer when doing a build. + +Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations and container parameters. + +Increase the version numbers in any examples files and the README.md to the new version that this Pull Request would represent. The versioning scheme we use is SemVer. + +You may merge the Pull Request in once you have the sign-off of one other developer. + +## Code of Conduct +### Our Pledge + +In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. + +### Our Standards + +Examples of behavior that contributes to creating a positive environment include: + + ``` + Using welcoming and inclusive language + Being respectful of differing viewpoints and experiences + Gracefully accepting constructive criticism + Focusing on what is best for the company + Showing empathy towards other colleagues + ``` + +Examples of unacceptable behavior by participants include: + + ``` + The use of sexualized language or imagery and unwelcome sexual attention or advances + Trolling, insulting/derogatory comments, and personal or political attacks + Public or private harassment + Publishing others' private information, such as a physical or electronic address, without explicit permission + Other conduct which could reasonably be considered inappropriate in a professional setting + ``` + +### Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. + +## Scope + +This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project. Examples of representing a project include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. + +Attribution + + This Code of Conduct is adapted from the [Contributor Covenant version 1.4] (http://contributor-covenant.org/version/1/4) diff --git a/Openshift4/xray-operator/README.md b/Openshift4/xray-operator/README.md new file mode 100644 index 0000000..dc3da1a --- /dev/null +++ b/Openshift4/xray-operator/README.md @@ -0,0 +1,90 @@ +# JFrog Xray Enterprise Operator + +This code base is intended to deploy Xray as an operator to an Openshift4 cluster. You can run the operator either through the operator-sdk, operator.yaml, or the Operatorhub. + +Openshift OperatorHub has the latest official supported Cluster Service Version (CSV) for the OLM catalog. + +## Getting Started + +These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system. + +## Prerequisites + +###### Openshift 4 Cluster + +Available on AWS, GCP, or Azure. Follow the Cloud installer guide available here: + +[Openshift 4 Installers](https://cloud.redhat.com/openshift/install) + +Or run it locally using CodeReadyContainers. + +[Code Ready Container Installer](https://cloud.redhat.com/openshift/install/crc/installer-provisioned) + +###### Openshift 4 Command Line Tools + +Download and install the Openshift command line tool: oc + +[Getting Started with CLI](https://docs.openshift.com/container-platform/4.2/cli_reference/openshift_cli/getting-started-cli.html) + +## Cluster Setup +###### Security Context Constraints - Anyuid + +Openshift only allows statefulsets / pods to run in specific user and group id ranges. +Xray currently uses users outside of this allowed range. +For this reason the service account for the operator in the jfrog-artifactory namespace must be granted anyuid privileges. + +``` +oc adm policy add-scc-to-user anyuid system:serviceaccount:jfrog-artifactory:xray-operator +``` + +Where anyuid is the Security context constraint being applied to the service account artifactory-ha-operator in namespace jfrog-artifactory. + +In addition to this the restricted scc policy will need to be changed to allow anyuid: + +``` +oc patch scc restricted --patch '{"fsGroup":{"type":"RunAsAny"},"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"RunAsAny"}}' --type=merge +``` + +## Installation types +###### OLM Catalog +To install via the OLM catalog download the operator from the Operator hub and install it via the Openshift console GUI + +To test OLM catalog installs you will need to deploy the lastest ClusterServiceVersion found at: + +``` +deploy/olm-catalog/artifactory-ha-operator/X.X.X/xray-operator.vX.X.X.clusterserviceversion.yaml +``` + +This will install the operator into whatever cluster your kubectl or oc program is currently logged into. + +Please refer to Local Testing section below for full instructions. + +###### Operator YAML +To install the operator via the Operator YAML follow the Local Testing tests. + +Instead of running operator-sdk up local for the last step run: + +``` +oc apply -f deploy/operator.yaml +``` + +This will deploy the operator into the cluster. + +###### Operator-sdk local + +Run: + +``` +cd JFrog-Cloud-Installers/Openshift4/xray-operator +operator-sdk up local +``` + +## Contributing +Please read [CONTRIBUTING.md](JFrog-Cloud-Installers/Openshift4/xray-operator/CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us. + +## Versioning +We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/jfrog/JFrog-Cloud-Installers/tags). + +## Contact + +Github Issues \ No newline at end of file diff --git a/Openshift4/xray-operator/build/Dockerfile b/Openshift4/xray-operator/build/Dockerfile new file mode 100644 index 0000000..484be52 --- /dev/null +++ b/Openshift4/xray-operator/build/Dockerfile @@ -0,0 +1,11 @@ +FROM quay.io/operator-framework/helm-operator:v0.16.0 + +LABEL name="JFrog Xray Enterprise Operator" \ + description="Openshift operator to deploy JFrog Xray Enterprise based on the Red Hat Universal Base Image." \ + vendor="JFrog" \ + summary="JFrog Xray Enterprise Operator" \ + com.jfrog.license_terms="https://jfrog.com/xray/eula/" + +COPY licenses/ /licenses +COPY watches.yaml ${HOME}/watches.yaml +COPY helm-charts/ ${HOME}/helm-charts/ diff --git a/Openshift4/xray-operator/bundle/openshiftxray-operator.crd.yaml b/Openshift4/xray-operator/bundle/openshiftxray-operator.crd.yaml new file mode 100644 index 0000000..a71c3d6 --- /dev/null +++ b/Openshift4/xray-operator/bundle/openshiftxray-operator.crd.yaml @@ -0,0 +1,23 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: openshiftxrays.charts.helm.k8s.io +spec: + group: charts.helm.k8s.io + names: + kind: OpenshiftXray + listKind: OpenshiftXrayList + plural: openshiftxrays + singular: openshiftxray + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true diff --git a/Openshift4/xray-operator/bundle/openshiftxray-operator.package.yaml b/Openshift4/xray-operator/bundle/openshiftxray-operator.package.yaml new file mode 100644 index 0000000..b8e4a5c --- /dev/null +++ b/Openshift4/xray-operator/bundle/openshiftxray-operator.package.yaml @@ -0,0 +1,4 @@ +packageName: openshiftxray-operator +channels: + - name: alpha + currentCSV: xray-operator.v1.0.0 \ No newline at end of file diff --git a/Openshift4/xray-operator/bundle/xray-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/xray-operator/bundle/xray-operator.v1.0.0.clusterserviceversion.yaml new file mode 100644 index 0000000..97910b4 --- /dev/null +++ b/Openshift4/xray-operator/bundle/xray-operator.v1.0.0.clusterserviceversion.yaml @@ -0,0 +1,339 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "charts.helm.k8s.io/v1alpha1", + "kind": "OpenshiftXray", + "metadata": { + "name": "openshiftxray" + }, + "spec": { + "xray": { + "analysis": { + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-analysis", + "version": "3.3.0" + }, + "name": "xray-analysis", + "podManagementPolicy": "Parallel", + "preStartCommand": null, + "updateStrategy": "RollingUpdate" + }, + "database": { + "password": "OVERRIDE", + "url": "OVERRIDE", + "user": "OVERRIDE" + }, + "global": { + "postgresqlTlsSecret": null + }, + "indexer": { + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-indexer", + "version": "3.3.0" + }, + "name": "xray-indexer", + "podManagementPolicy": "Parallel", + "updateStrategy": "RollingUpdate" + }, + "persist": { + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-persist", + "version": "3.3.0" + }, + "name": "xray-persist", + "persistence": { + "size": "10Gi" + }, + "podManagementPolicy": "Parallel", + "preStartCommand": null, + "updateStrategy": "RollingUpdate" + }, + "postgresql": { + "enabled": false + }, + "rabbitmq-ha": { + "enabled": true, + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-rabbitmq", + "tag": "3.8.0" + }, + "rabbitmqEpmdPort": 4369, + "rabbitmqManagerPort": 15672, + "rabbitmqNodePort": 5672, + "replicaCount": 1 + }, + "replicaCount": 1, + "router": { + "image": { + "imagePullPolicy": "IfNotPresent", + "repository": "registry.connect.redhat.com/jfrog/xray-router", + "version": "1.2.1" + }, + "name": "router" + }, + "server": { + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-server", + "version": "3.3.0" + }, + "name": "xray-server", + "podManagementPolicy": "Parallel", + "replicaCount": 1, + "updateStrategy": "RollingUpdate" + }, + "xray": { + "consoleLog": false, + "jfrogUrl": "OVERRIDE", + "joinKey": "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE", + "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + } + } + } + } + ] + capabilities: Basic Install + categories: "Developer Tools,Integration & Delivery" + description: "JFrog Xray Enterprise deploys Xray security scanner into Openshift" + containerImage: registry.connect.redhat.com/jfrog/xray-operator:3.3.0 + createdAt: 2020-05-22T00:00:00Z + support: JFrog + certified: "true" + repository: https://github.com/jfrog/JFrog-Cloud-Installers/tree/openshift4/Openshift4 + name: xray-operator.v1.0.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: Represents Xray Instances + displayName: Xray + kind: OpenshiftXray + name: openshiftxrays.charts.helm.k8s.io + resources: + - kind: Deployment + version: v1 + - kind: Service + version: v1 + - kind: ReplicaSet + version: v1 + - kind: Pod + version: v1 + - kind: Secret + version: v1 + - kind: ConfigMap + version: v1 + - kind: StatefulSet + version: apps/v1 + version: v1alpha1 + description: Openshift 4 Operator to deploy JFrog Xray + displayName: JFrog Xray Enterprise Operator + provider: + name: JFrog + links: + - name: JFrog + url: https://www.jfrog.com + - name: JFrog Artifact Repository + url: https://jfrog.com/artifactory/ + - name: Artifactory Video + url: https://www.youtube.com/watch?v=r2_A5CPo43U + icon: + - base64data: iVBORw0KGgoAAAANSUhEUgAAAMkAAADCCAYAAADjAebGAAAKN2lDQ1BzUkdCIElFQzYxOTY2LTIuMQAAeJydlndUU9kWh8+9N71QkhCKlNBraFICSA29SJEuKjEJEErAkAAiNkRUcERRkaYIMijggKNDkbEiioUBUbHrBBlE1HFwFBuWSWStGd+8ee/Nm98f935rn73P3Wfvfda6AJD8gwXCTFgJgAyhWBTh58WIjYtnYAcBDPAAA2wA4HCzs0IW+EYCmQJ82IxsmRP4F726DiD5+yrTP4zBAP+flLlZIjEAUJiM5/L42VwZF8k4PVecJbdPyZi2NE3OMErOIlmCMlaTc/IsW3z2mWUPOfMyhDwZy3PO4mXw5Nwn4405Er6MkWAZF+cI+LkyviZjg3RJhkDGb+SxGXxONgAoktwu5nNTZGwtY5IoMoIt43kA4EjJX/DSL1jMzxPLD8XOzFouEiSniBkmXFOGjZMTi+HPz03ni8XMMA43jSPiMdiZGVkc4XIAZs/8WRR5bRmyIjvYODk4MG0tbb4o1H9d/JuS93aWXoR/7hlEH/jD9ld+mQ0AsKZltdn6h21pFQBd6wFQu/2HzWAvAIqyvnUOfXEeunxeUsTiLGcrq9zcXEsBn2spL+jv+p8Of0NffM9Svt3v5WF485M4knQxQ143bmZ6pkTEyM7icPkM5p+H+B8H/nUeFhH8JL6IL5RFRMumTCBMlrVbyBOIBZlChkD4n5r4D8P+pNm5lona+BHQllgCpSEaQH4eACgqESAJe2Qr0O99C8ZHA/nNi9GZmJ37z4L+fVe4TP7IFiR/jmNHRDK4ElHO7Jr8WgI0IABFQAPqQBvoAxPABLbAEbgAD+ADAkEoiARxYDHgghSQAUQgFxSAtaAYlIKtYCeoBnWgETSDNnAYdIFj4DQ4By6By2AE3AFSMA6egCnwCsxAEISFyBAVUod0IEPIHLKFWJAb5AMFQxFQHJQIJUNCSAIVQOugUqgcqobqoWboW+godBq6AA1Dt6BRaBL6FXoHIzAJpsFasBFsBbNgTzgIjoQXwcnwMjgfLoK3wJVwA3wQ7oRPw5fgEVgKP4GnEYAQETqiizARFsJGQpF4JAkRIauQEqQCaUDakB6kH7mKSJGnyFsUBkVFMVBMlAvKHxWF4qKWoVahNqOqUQdQnag+1FXUKGoK9RFNRmuizdHO6AB0LDoZnYsuRlegm9Ad6LPoEfQ4+hUGg6FjjDGOGH9MHCYVswKzGbMb0445hRnGjGGmsVisOtYc64oNxXKwYmwxtgp7EHsSewU7jn2DI+J0cLY4X1w8TogrxFXgWnAncFdwE7gZvBLeEO+MD8Xz8MvxZfhGfA9+CD+OnyEoE4wJroRIQiphLaGS0EY4S7hLeEEkEvWITsRwooC4hlhJPEQ8TxwlviVRSGYkNimBJCFtIe0nnSLdIr0gk8lGZA9yPFlM3kJuJp8h3ye/UaAqWCoEKPAUVivUKHQqXFF4pohXNFT0VFysmK9YoXhEcUjxqRJeyUiJrcRRWqVUo3RU6YbStDJV2UY5VDlDebNyi/IF5UcULMWI4kPhUYoo+yhnKGNUhKpPZVO51HXURupZ6jgNQzOmBdBSaaW0b2iDtCkVioqdSrRKnkqNynEVKR2hG9ED6On0Mvph+nX6O1UtVU9Vvuom1TbVK6qv1eaoeajx1UrU2tVG1N6pM9R91NPUt6l3qd/TQGmYaYRr5Grs0Tir8XQObY7LHO6ckjmH59zWhDXNNCM0V2ju0xzQnNbS1vLTytKq0jqj9VSbru2hnaq9Q/uE9qQOVcdNR6CzQ+ekzmOGCsOTkc6oZPQxpnQ1df11Jbr1uoO6M3rGelF6hXrtevf0Cfos/ST9Hfq9+lMGOgYhBgUGrQa3DfGGLMMUw12G/YavjYyNYow2GHUZPTJWMw4wzjduNb5rQjZxN1lm0mByzRRjyjJNM91tetkMNrM3SzGrMRsyh80dzAXmu82HLdAWThZCiwaLG0wS05OZw2xljlrSLYMtCy27LJ9ZGVjFW22z6rf6aG1vnW7daH3HhmITaFNo02Pzq62ZLde2xvbaXPJc37mr53bPfW5nbse322N3055qH2K/wb7X/oODo4PIoc1h0tHAMdGx1vEGi8YKY21mnXdCO3k5rXY65vTW2cFZ7HzY+RcXpkuaS4vLo3nG8/jzGueNueq5clzrXaVuDLdEt71uUnddd457g/sDD30PnkeTx4SnqWeq50HPZ17WXiKvDq/XbGf2SvYpb8Tbz7vEe9CH4hPlU+1z31fPN9m31XfKz95vhd8pf7R/kP82/xsBWgHcgOaAqUDHwJWBfUGkoAVB1UEPgs2CRcE9IXBIYMj2kLvzDecL53eFgtCA0O2h98KMw5aFfR+OCQ8Lrwl/GGETURDRv4C6YMmClgWvIr0iyyLvRJlESaJ6oxWjE6Kbo1/HeMeUx0hjrWJXxl6K04gTxHXHY+Oj45vipxf6LNy5cDzBPqE44foi40V5iy4s1licvvj4EsUlnCVHEtGJMYktie85oZwGzvTSgKW1S6e4bO4u7hOeB28Hb5Lvyi/nTyS5JpUnPUp2Td6ePJninlKR8lTAFlQLnqf6p9alvk4LTduf9ik9Jr09A5eRmHFUSBGmCfsytTPzMoezzLOKs6TLnJftXDYlChI1ZUPZi7K7xTTZz9SAxESyXjKa45ZTk/MmNzr3SJ5ynjBvYLnZ8k3LJ/J9879egVrBXdFboFuwtmB0pefK+lXQqqWrelfrry5aPb7Gb82BtYS1aWt/KLQuLC98uS5mXU+RVtGaorH1futbixWKRcU3NrhsqNuI2ijYOLhp7qaqTR9LeCUXS61LK0rfb+ZuvviVzVeVX33akrRlsMyhbM9WzFbh1uvb3LcdKFcuzy8f2x6yvXMHY0fJjpc7l+y8UGFXUbeLsEuyS1oZXNldZVC1tep9dUr1SI1XTXutZu2m2te7ebuv7PHY01anVVda926vYO/Ner/6zgajhop9mH05+x42Rjf2f836urlJo6m06cN+4X7pgYgDfc2Ozc0tmi1lrXCrpHXyYMLBy994f9Pdxmyrb6e3lx4ChySHHn+b+O31w0GHe4+wjrR9Z/hdbQe1o6QT6lzeOdWV0iXtjusePhp4tLfHpafje8vv9x/TPVZzXOV42QnCiaITn07mn5w+lXXq6enk02O9S3rvnIk9c60vvG/wbNDZ8+d8z53p9+w/ed71/LELzheOXmRd7LrkcKlzwH6g4wf7HzoGHQY7hxyHui87Xe4Znjd84or7ldNXva+euxZw7dLI/JHh61HXb95IuCG9ybv56Fb6ree3c27P3FlzF3235J7SvYr7mvcbfjT9sV3qID0+6j068GDBgztj3LEnP2X/9H686CH5YcWEzkTzI9tHxyZ9Jy8/Xvh4/EnWk5mnxT8r/1z7zOTZd794/DIwFTs1/lz0/NOvm1+ov9j/0u5l73TY9P1XGa9mXpe8UX9z4C3rbf+7mHcTM7nvse8rP5h+6PkY9PHup4xPn34D94Tz+49wZioAAAAJcEhZcwAACxIAAAsSAdLdfvwAACAASURBVHic7V0HfBzF1Z83u3un5iLJGGzAdoyDgWDAgIxtSdd0xZiaxEASWiDARw9gei8hQCghhN5CJ4BDMHGMdbqiU7ExpgZCb4ZgTLFsg2Wr3O18792d7JN0ZfeaTvb9f7/T3u3N7oz25j/z3swrshCCEfg1nJvqG44F4HWMCQlPrwQmWgKt3oB6laqyIorYRiHTnzBBTI6ngLGjIqeBAUSOZpNjpdXrvDLg8DyuqqoYuqYWUcTQIEwSU73jtC0EGYSJjMOjZq/jQL6AH6POU0N5bF8RGaDe49pHkthM/G27u4W6eKmt6ZuhbtNwhIwdXzJX2y+hWSMFfmWqtv8Xj3/IQ7uKyBA4+58uS3BX32cj8A6LxzWz2d740VC2azhCrhtl3QcJsqOWwiiEzZ+1ZNYdy+Ys+yHXDUsEi98+Gxi/HlszDT/2oO60Aph6p9/W1DRUbSpIcDhnwJkq4OIsPJ49FM0pFNQ8UKNUTKk6hgl2NHZo7PusmwnxzKqelZd8MOeD7njXyAByhY46RpcYR/4Sj3/LSot1YrbPsb0RpCX4dkTfOdSdDsUecbDJ63S1NLg9Q9GuAsXYOOd2zXsrCgjYR+oqplQ+xOg5xApOAOeOM0wche9+F+86uWNd72tjqpW1+L5SS0VCCAsbIpIYGduXxRAkBpxzQJGRFUmyBV/ia1S/MwAdQ9OUoYfF7/qFxOEZFtXDBwIATqh1225od/o+Hvid/PY83wazx3UEl9jf8fOYVJXhzeKNUHlBD4j/GBgLsjj/KA4M+wxBkwoWgrHX8Jns2e+cUP89VO0ZSuy70DZ61EiFZpC4BIkCFFk6AI+DSUJ/AvZGr7nRvBdXjH9DFriSVym+zKC9GaHd6vnK6nNdhoy4kQ1caRCsqJDGAAmxAIAfv/kzY6+0tIaeYbahbNXQYNRI+Qg8jE5VTgj4Pt75zcwKuAJfo8xyoNlrPxP73014qjTefdQQPJp2a7MAv63xT1av8yVUTC/Ej7/Gl4Sv7pAQFw9luwoNAVvTIqvfebpgMA9//f91bgzOV6/yBYe6XUMD2FdDoVWre1c2x/ui3/QT3Sz8a73f7paF9CiO1QfEfi8EuwFnnfa025ol+Bvcb+PhWLPPcQMwOIKB+lJLg+eVoW5XocFvdd+Dh3uGuh0FgGRiVh/OT7i6Fe9kq9XzAb/GVmcyKSehTHMkztUGlbEHA7bGRzJpabaBo+W7eLhmqNtRRKFDvJtsHxBnhvuarY1PJ/o+IcOiU/O90VcRRQxbbOgMPl5RrvyekfVIf3QIIe5oaQ1ez6yJr9cyDRVRxLDGioN939csqtmjvLxqDgh1Jyagi4F47/uO1cvfnvd2T6rFjIxJYvU5rAz4efiW9JdynLw+wEb8vadjw1/b57VvyvT+abRnlgB+C74tYaq4trnBvTDfbSgUYMcoKy+tPETt7nK3zG1ZO9TtGUqsOHjFRjw8n861GZHE4nedA8BvY/0EPpiOn6YbqiuOq3XbDo+3OZMrWNyWnUExvgR9m2gcnrd4nUciUf6RrzYUEirKKp9iAIdJpSXN+DGJQFFEMqRNkmiH/BNLrBH9zCArfvMS876BOYHv0q1HD0Ax0LJw7C4zBw4PmBvNS2mJOx9tKBRYmiw/Adl4WOQTWCwe10+Lxo3pIW2SgCLTDreSvBDbiRuMZC5yXrr16AMcFudkJZKZxK+j89OGwgBwQ33sZ8HVvfGw1ZIExWz8f/kswVinYGpTwNb0YbbunTZJenrV9wyKRPsqyW3sAU6Y/Kjt0k+P93WlW5cWYB0lEycoO8dvAvwaH+KDfluTP5dtKCgA2z/2IwcYN1RNySXqmmx7KrJ8Dwt71EY6IzCuWn3O+wKtwbOzsYGaNklI17D6nY9gk05IUXT0xJ3kI/H4WLp1aUF5+XcqY+MTkRbwId6DRNon12QtGACri/2ID2b7oWpKrmD2Og9SZOU5Ntg6hOPIeJq5XtmA7y/MtJ6MFPeeNZ1nGKrKx2KDDkpakMP5fAF/MpdejbSUZ/W7yClszwRFpk7cWbkSj5fmqg2FAtQDt+PGkr1jz4FGn6HhAvK6lCWIR5AtAHZmzaKaq6MrW2kjI5LQEi+/xna42STfgC2azxKLXtPMlfb/w+PdWu9t8bsOZUJEXIoBnmy2Ni5OdY0Q6i0A/JGEBYBdYG5qWBhweJdrbcdwBFeMh9Ch/1kxZUgakwNQTAazyX4//qCJCRJBqaKMIKv1zzOpL+N9kqjMdwF26mUQ8TMZGbcghz9Y3JZ/NTubU1oRW/zOi3HkuyEajYLwa7PP8QtUxl5Idl2zrelRi8+1K16WaLaQuSw9Nr1p+r5vON7oTNWOYQsOxww+CT/Nf0NyA7PJQdbNNRqKdvR+8eNXmdaXtR13HOmfx478DgdOexLxRJ5KkI1PT1swzRbe5UyAaQtsFWOqlasHnAa8742c84WpIrY02xovQ7GL9mZuZ3EJC7uOlseSqc2xKf6lYYmIIqtY4ny1vbnRPG64L4XXLqgtNVRVXJs6JANB3LLi5BW9mdaZVbMUWnbDUXrmKGm7hwHgyEEFgNWOqR53J747JdE9FCXcpnhLy1NNbgeJDCmXMf3Wxr+hXL6IG42otAHVNZAsx+DM147E3urs0pAgpHfF7ULcoNCK17/y26LswlBdfiYedkpVTgjxfEtr8OZsbKFm3XaLxBgc8X9l8trfQJHpejZINoaTUSRaiSP+9fGuf/0w3zqLz/kEkuy4gd+pIDQr/tENzAv2XWi7ftQI5TzsNrTKYdzcCsbuMHmd77c0uJu13rPQYfY6XZzDEYlL8BlsGJOkrqlurCKXp1p4oXiLNyNBLsuW/0xODByjItGNOFr/Bzvjk2yAVxjqDNfhd+txJL8z3vW9HZ2nGqrKO7EgyZ5l+PqOCXYLduhP9baFSIeHK1EUfAFFtpfYlgAJisThHyiemNscvnf03rfQQDvsXDamcogjr9Mr8tGeXAAJcitL5mEo2PKgys5ptTe+nE0PzJxaAdOKFHbOAzjAv0gXiPmKVPI7rH5nt9/qfmDgdVHDyNP5NbazZ83qHrlszrK1mUaPRFHwdavPcThqNy1sy/9dpcjyEovHZR3OJhv4jPfgkpH811PshcB+FHFmOAapw//xcBzk4ixIhPERU8XlAYfnuVxEGc25qTzpKabFpplSacmz+CPZY75CnsB9OKNIiXSD6HTZwbIUidhva1qGxMTZKzYmFewIEgvgjOIcbjNK/Yv1I6SKsrOx85AIUqbhEm5g7GA8PpTjpmUV0Vny4ThfdQomru78eO1fwgp6jiJW58WfhMy0cVY40Fwv30E7oTFf0Yxyt8XvHN1sdd+Yj7Zs6AxeX1GuUHyl2NBE41DhbcWZ5sh8BLnDZyEfcADbQZFge8alEahHGCLfhIKqynsAxMZQKLRRVVmXJCk9QnQGQyEDQhoJwElp3RUl73p5RNlcfK8nbhqZbNCq3rAhSWS100ArpgNCXgkPsuKkNqtnZa7tm/PmdBWdFU7HmeNDJAbJln0KPdCeiNXnHB/o8Jyb61jD5IBj9btITzp1wFejURR7yepz/fH7jlV/SLZMrQcUEMzcZKcl8XoBrBb/2z3NJmU3/GwYXFpiUvipYFeWY9c7ylEeH1AUNK2BDgYwE4oue+EM/5/0bpA/0GBiMikUK2t6zOkeJtRLAq3e2/OV7SDvnokoWt2ORPkCf+InWKxJAcBZ5mrHJBQhjm49tPXHnDZCFQ8zDgNJQpCwE10xpnr8L3BWuQBnlZfSuX2tu7bKIJXPQVK4zF6HA0+FjQvT7NbZBu05Xc4odkEBg2JUm+rtj+IzmxtzejUOofMC9qZ2PYq5xes8Cv/pM1hYehBPBdZ4btMzGA+J+y5tPGInbMCf60XWPyDeIXJF2Ssmd8O8Fqf3v7mqHxW8V7Hzrsa3OyQo8jNs22KccV5DLfDBTZt6X1g+17c60f1IJKislPfnnFnwR3UalAraDZYLhBTxMM/scZkD9sZApjey+FyX4aS2d6Ch6ahsKc2RIO6OR/Dtb7acFe+K3p45AQ0WG7FAHfRkJMj9W87APuZqO1kfJNyrG4gh83EnJbreb6+TmdTIYh30ge0mKfIr+M9dHGjx3KVlSiVbntmzZ49pc7R9q6Vu+jGRAMvw7c9TFN0PO/p+ZaXK3diej4SA9/EckaULO0YZ6gU4Q8AuY6oVeuiSlroLBMAl9rBpsWn/dN16wyN9leM2fA7hANxmT8Nf8dCaacNoR91cZafIJbG+QS+HNnXN1dvWqPvEHwd/AyfXe1wPh5eKNWBIA0FQ6KJav73WwCQSa6bFfFWG/8gd5nrH0Ra//bxmq2dponvU+e0TsdyTSK59rV5nrb/B/YaWuoVg7+EPnIokfaCVOLIJ6x9wOl29oDAwWSoteXHfhbZDontJmmHxuHbHkf4+fLvZsUswTiuXGZEESVtpqK5YGHtfvPOyru4f5yybqz+TwYQJnILSxQ3diyqfEw+FTxIChS7FH8o0aqRMeyn9fCAoOB4wqR11GB/qEfd3MrZkRYN7PX1F5uBgNP6fwqSLsVx5pDzcjH/tgyqJD02zztYNqBs1QlmGA9EZOBD5UpXG0XemxMVpIAGJQf36Do4XWqIkJgQRTyotJYLEGGKKN9b/EJz7+mHppfro7la/KDFKcWNHo76o+fcfcpIQaCSrWVTjKi+v+ifJ9AO/x3M2VLRtFfi/oZhEBnqcG0to55wPKNhAbpwoyqUc0YCR/MxTFdv6geItDkReq8/1Pj4QIsq72OG/xffdQqhlHGBnLLQXnjfJEpuQZPlh70RfpILVbz8EJIkWcmJt7D7DBhw4cJajCDBlZaMPxV9ufEjA620OTyCRLrRsju9/Fp/jVABOLhpbVhMFe39NR+8TWttXECQhkGPM1CVTDx1vmPgMRfhIUIx+ofHJ7iOAX42HhpQVAmynu5FbM8JkYbtt+UiPSNcgsvMBi207JFvgGIjwEm+9cg2ARHGcYytbJ0LsoKX2/pYB5GhVUV5Fs80E+iwB2avZV6DIfUR4vyQOmm1ND9U12doVST5FAExFgrzTxdQ/UTYFre0sGJIQKBYrPrh5JpPyRJIcjklBsw7OJgemWr5FJXyv4a1SFB5KSpQ5eHhES9lZS2w7mU3KU6yf/hFGkAn1yGZ703uxJ8nMXzaU0G86YEUSalDk9tW6a2vane1x86+0OXy04JJ2MJKCIgmBNh2RKMfgA6Qp9Fdp3QT4zXwBdydaC5/eNL18tDy2GIcqy+AgKCLNI6nKWbzOX5YYFTJFGqRUC8HOaR5g9RBdEqYN4ERL9pMNcgXNRhn7s8dDwZGEECXKsUgU+pgOUX5mrrafjse/xvtytDRmoFlKEVkB2C1+19xErtazG22TjAblZuAwL/714vZmm/uugWfxtyTbtOSDGrBfsG2JJIQ+opjqZQMA/EL/HeA6nKIXDPTEoyVjBaRiJPocASXYp80+x+9a7d5/kEJNZjm1bsd+EmcnI0HIR6gk3nURJynP/IFUsPjtJmDSVRqqLs+89fFRsCQhEFGmLZj26zFV455PGZFlMEZxQ8lf2ADzC5lJtPuaMutREWljJAf+nNnr+M7qd63GI0VpqUp6hWDtvR2dxwzcOK5ZZBtTUabQHpiWjdpFGbQ5KQqaJAQyNJz8qG3exJ2VJfiwzDovPwJHtXkBW9OCvhNCqPcA8EHLzEVkHdtFX0lBaeo6hThoxYDg6lE9hGK1pXTVxbu0rf8heEG6DU2FgicJgQLK1Xidh1UA84cDcusAjmp31TXVtfSZrFDEFavPuTDJMvPWAlri/CdTBWUkfk8IWCe4OiJiai/2wN65O1kko3i0B0sgAuUB/u7uHw5fMWfwZqGp2k7u3QcmuZaWml/G/+/pQJtnQS4tgocFSQi00z7b5zjQyKANZxQ9MaTIL/oRlI0P6tt06gH1DAOTaHe/OgdN7cEOuEoA+wE74EbasQTayBJkih9encl1h9xErs7rf+y9LYG5yev4erHvw9QlU41j5UnTJYnNBCHqkDi0x5QHcVQ8sKp75VnxUrBZfI6jkcwXDb6EfYzP894QhF5otXo+2Xw+9a5YRhg2JCGQ26nF45oLEiNbrpTptGNACVPJG/HP9IFMYSx+1ynYeTNNyUCsexWY8KlCLBe0A9zm+V+yUS1iTqPszphEo/l0AOyYDPBzNizpRXNIZb/TEwsg2klfjr5upw2+ujp5JufsYGDhiDc/ybxd/bAORd4zm21NT8b70up11gDnA126V+GDvqy1temxfPmQxGJYkYRAvuj1HtchshQ2oUgVwS8GcAPqJwHydQ/fx9r4PBLlIeyZv9PbBiTGf5AYD27cFHxu0A5zilEtGsWFXi1958IKaqnsxDmHxAt66Z3haPa6ItDquSXTThR1jmujF86+l9Q3WmdwWT6JRczWtbgIJ8Pfe1jo/HabJ27AOEoPARKQAr75dxWC3b+mo3d+eId8iNJrDzuSEMjE2eJ1ngAcyKRa6whs5ABPT1tg26/PJGF98Nvfj5bHUiwqTXZHSA43Y6Hrm62eltSltYO8JfFAu89P1TxQo5ROrmyQOK3KhZe+RyW/WrwbCoaOa3F4X8t2J4qKpxQSdrlpselCqcR4AkqPp+kUd6mNb2Bvn58sqn+t2zbFoCikP/VFsyHHu+ObbY3/TLP5WcOwJAmhucH9jMXn3A0ArtZ+Few6plr5G46QR1IHoBhhdX77YQqTyLckSWoC8YYagnOz4aSUCtGIg0voVbOo5syK0sp5OMPQSE46VOyAsBpH2Vu+7ll5Z6LUytlE1JfjNn4Nv72+vuFQHHB+T8mBUlz2jirU61tbvc8mm+EsfvsMJAjZZPXtqK8O9QbntDi9b2Wp+Rlh2JKE0GL3XGv2OmgW0OoXQpiH+gmZMNxAH8gwzuRucEiK3MwG6zkbsSNe2tLhuTPXvvfxEI2GTsugj6GIOR5FTMpLWRFSxWebPl27PBshPPUi2tkpJvMLZHCICv8xEBEyaXaRcED5jJE1sRDPB+ze5vBslGCGI/3HbJLPAiaRY1TfgsY3SCwzEiRrSXgyxbAmCf0A9S/WHy+PKJ2Ko9oe2q+EP1h9jjf7jCDJVRjlYRNI4eiGu0QLvSpC7DeFEo8LRcxVjJZ0+5DjFR0twDa9iYc3ExZIMHfQLrypyX6o2aTQQLV7zFedoWDwIBQdC4YghGFNEgIFjcAOPg87+Aqm3TSBM+BP4nUH9JEAj+/VeJ37lQOE3T2/7vn8vHyIMdsSwnHCRpQdj7M/xfOdOqiAKk4J61YFhmFPEgJ1cIvPcUbS3CSDUYnE+vdMn2PWy7amNXQi6vV4Rk4auQ3D7HPsCoyfIY8o+y1LlJqDsSf8De6n8tgszdgqSEII5ybxu6woHx+v47KflgL/59QlUx3FWSP7QJ1lf4mLSzjww1lyN9B1Gzp7z81Xu/RiqyEJYX3w2zNGy2MpcvruKQtvQf04w8SHUU4+JhdxZLdFULginKUvlSVyxU69Qi+YuCm6DF6QGDYkodhWVVWSBUelyp7eDf+O54VGS7o4tR+DZWj3OHn67BgAwG/MHgdtcOXEHyEfCK9+cXaqAHYYROR9yuTlU4PBW/KV/s7kddolDldyaZC3YTKs7+7+UXOawKFAQZMkvBNdLv8cu/GhY6qVGajYXRPoaLov2XIs7ahb/M5rgcF1uioDSmnn/LbZ6r4l44bnEWR7Nc448RJZAiJ4acy4TblY5nFZ/qXV73qoq/uH+cviGBJmirC1bqX9l4LDfCTIDL3XC8GeyUW7somCIwntOJftMvownA2OryhXKJ+Ggk/y3109wf0o+oWWe7S0BG80mxTyP5mpp24k1p+wQ62hTFnptD3fQLGmdrxxEtk5JRMviTcnlRhH2nCkP76lwd2WjbopoY4sl51ornL8H9YwKV3DM6HmNnV5NlAwJKFIG6Wl8pkVU6pod7kvz8ZGnD3OCTg89+jRF8j+CMWu45FotIavw74r3KEesHidG2lHX8d1eQWJntVVyvUo1tBSqtaQJpNxpA/gIHA/KslXpKMDUDifivKqg3D0P0aRyynogyEzs0zxVavTszRXKROyhSEnicVt2ZkpxsvKShValYo1I/8ACXKEv8H9djoPkfKiWH2uP+CPGDftXBJIwOFx7EwGnFEe119zbmH1Oo9E0ZOC8E1I43Ii1Kk4Qx9t9TsfVYOhJ1qX+lckMhmhWb1icuWeDEQ9A25HgtAWZlnWoswI9uJwWCwZMpLsu9A2etRI+SpQjJSvxDjg6yUoQx+Vqay64ZOOm3FmokAS01IW7g9S+h+z+pxHdfcGz1zq8n2eSTuyASTHNMbhL/jKRpSXEThpnon6yplmk2O9xe+i4ORfAvmiYJ/AXluF7yfgs6OwroacxcMHNa2o/fnGkJAER+ljR40Mj4aD0peRaXRLa+8Z6lXLMk4KSbZN9R7XKbLE2lk64RoBDjIaFCsq9DevD35381DkfqcIIwZFvgJnNwqikIvfaxRSYHbsiTyFIwsGf+xuzk9VmSGvJKHVqvIy+b6E0U8oa6q96aJsTsFkVo+ixd00cqZ5izJU6K8aLW93ktnnunrjJx2P5sOwMBp+5yJ8ncjiJvwZ3sAf+PWc56HJEvJGElSk90VZ+HkWm2YhBvjQbm22NV6YCyUu+OOmS+WKssNxiNQQVCARYEcO7AEUQS5H0t20LvjdY7mYWUxepwXrOQvJQT74wymdgy4AEwkzBcQDJUbatMmo6o2Anw3khSQo8zo5cCJIXANEJMiTLQ1NF+RqlSNsBOl3nYFixMIs3A5JDnePlsfeYPG5HmUQwrb7VmQy+9U12XaTZflXOGP9SuIw2PBvK4RQtaU96ANtHuPzvg91s7cCbcH7s5WjXQtyThKz1+niHKhzDlTOIxBs+Rdf9p6kt5PRJpYeH49ma+OLSJRn0o0xHAejIglspLPNXsdKVPIX4//SJtSeZS1LW1YmWjGihEOzZlkmy7K0PzBOtmY2RVZ0evoNfwS5qoskhE1dvVeVlSofmE3KKSZ3w/H5csrKKUnwH9lbUuTnWCKCMLa2u7f3VxQySOs9w74IHsfZdSOtzfhR10MKBjvPVuRyWsbUE0RCCyaGswoDOw24kZlNjh4UyT7HGacDRwH634KCAeo2bDv8bmc2dCF8CgWrEkWBTwaKJ4DP9Q58rpeHs6H5XNcHWnv/mOtZJWckiW48kQ96wpi7OHecp2d5ddaSWSNx1KYoG+NwFPmL3jZR7C2Lz3EOANecmyJN0LJpNCsWxPwtIor2dC/sYeq9BiZRbGDayLzGZFIaDlhsO0pPyge9yBlJKsorL2FJzCVQtmpptTc9qlUPodWeEuNIiqTxM7xYS2zYuKBQNla/i/ZODk73HkVkBvztdSntsaBwUPj7UcQbCuBBg48JRbDlKLXMzVUy2pyQJGKYqCTNBxEKMc1LvSavc7LRoFCkjfAus8rU1zNpX1d372klRoUsVVNEIikiFxBCTZl6Lvn17HXUB/ePOTUBxa8AKvUOrTkz9SAnJCkvV45hSWM0ieZWu1uT4kaGdKhH0EPdbIYBIDLKd0iGkmaf6xwObFgYMm5l+LLV7k3L1KgPkd9/kABbzTg01rpts9udvo8zaeBA5IQkwMRByaVw0OQ/QLZD5VOqSPHvt7eiqjzjzbWArfERi89pBQjvZBeRJ+As8FzGm8UCjAm613YGRV44vWn6jGzuYeVIJ4H9kny5oWfNBk1h8it2qSK9xjTwPAdBpMnY5Lu3o/NUQ3XFz/BtsvYWkT2oIQjdn+lNBBMTIeEgDHuMlre7Ed+cpeVepOumWjzKOknClqNTqpIFXG5rHxBmPx7IOhgU48XxvsMHVIuHuLFk9YDaYW40H8KVkqXkE5Hp/YpIiWdbrZ4PMrkBbQGYPY7ZyUvBaajI36tFkceZ51azz/E4ZRtIVCZXq1sJZS0hhCZdBBQDKf7xfUEAfjFtwbRzKHdJes3bAsqEhXKsw6AoFJ0xaWbfIjLC+q7u3oxziJg9DXUazIskLkvkqZkyKAgAexcYf97qc5zvtzXdFq9M1klCxn/RXOtxw4biVJlyJIkmcDk6SZHtq6t2OBaPD6XZzH4gRQ+JYo7Goo1rW1ZERiAl5DitnqXJIBg/X8ueE+qa82oW1ZwWjYKZ+H5CvI9lUTjht1r9zkq/1X3FwDK5mklotogbelTLylTtaAf5fyTNkgTAr521ZNZz2fKPJqIcsNg2s6xUfh7vPisb9ywijF5VqCeiOPNi6qLJYfa4GrjEDtVYvKy8fBS5bydfbgYRk1MTLscZZe3AGSUnJBFC/Qd24vgkEZBSH5FATNWwRz2+xDiSMrUem0YT44J2bacumWodb5x4C9ZPQeqKG+WZ4dNgiB3dam/Sbac1EGQFbFAqdEkOoPLdWCqSMNbfJAr4zRav85PmBvdmY9ickOTrni8WYEe7iczLB34nQKT0ORcAIzT2zmOQ+W8kkiXTQTRI3Vlmr3MRB7i3qNCnBRRxxG0bOtfekErc0YLIYlAlxRzQJwoDVKQqIkJSKfR3SODA4cF6j2tFNP5ybkhCHc3ic1yGot4jg1sFSVIcRMCBrddcGTLf6nWu8ze4H9bVyBQINLgbaxfU7mGoqriAwg3hqZQPvAjK0xhObnRTtmypwntlu1Q+QTni9V5LKflSFuLquDhOq2Nkid2Lx7BolzPbrRa79zGzx37EwNTSSJzdUl6sivfDmQa1gWPZByw+V2WzrfHWNJqaENGl6mvNS8z3cKPxPGz96SxxLNttGR8IJIe6qeuhaB6TrICiwoyZEjaSTcvOTqV+lAIoLSTy3zkEpRQrJR7KGUloVxXlyOMMSvmyLRaxjOidUikOrPW8a652fMPi+MAnAP6v7BaLz7lH58a1Z2Vjiu/XnkgKt0vqX6z/o1xeeizWRmT5WTbrxdCg7wAAIABJREFUGIZAUUQ8iwroswG79+VsRz2h1HDV1QqlFt8rzVt0btq09hUN5RLGZhPAaZ8udyQhkDfZ7Eaby2gI70FEbK+A1VII/mT+zeRMZfU7cQSBc/TUh7PUiRXlVTNQnjw2mjsjq4i2mUxq7iZ3ZGTmsVjrL/HzztmuqwARQha8xgTzhFT2r/b2plc2O5Zl2aPU7HP9lkvsDpbEzUIDnk81WFI/lEeUJQzJirKMnTa1c+6ZSFv+WFEdKMbF+HFPfJVIFSUUCOLRZNd1dQdvLTEq8cINpcKeKE+SQ86NPR0bbtCyu58OoglKX+ecn1fvaZiOhDlIoNwMkZFpawjc0C3IqY28LZnaGgxubOkXf1m3hpAalibLT0Ay/JUPENHTgBrqDd6UqhBKBbQCm6x/caYYD8qLj3uzs/nLGq+zrgJ1B/x4BI74tLyalCS08YQd/Y/kWJNGlQpedwUq3cfiiH9Jq937TK6CoEXv+3r0dd30punlI/h2NZyzmcDgAOxk+2BbaFWmkJeT1+E/8S428D9hYrDQ6193f/lWvtJRhEf0irILQDaez/RF3IwPIe7S5FvC4bRURfCZHJC3aCnRBDlHWr3OU7Bxt1JwiGZrozvZNd93rLpxTPW4OWlv7gGbhFr90yav4wKs75qWhqZ/5TpiYNT6tDn6CmOmz1GNv/weKuNTeWQPiHzaJ7HIkmZlLtsTBZnvrMbe84UQ7Aus/3N8CJ9xpn6ysSv0Xi69+pIhrJhXy6ehyEOrh0k3j3Xgv993BC9NVcjit9uASRpiRYspeQ9O529w34/i10tMMfyOL+DeZMEcyDar1m8/wsAk8mRLJ6xnGDga7IuHhWav4y2cWW7p6Fj9bDbsvrQimkmrNfrqh9oFtaVihHF7hcP2IMvVQqhVAHw0/jgVqDmWYuPLcTZSAMIiXMzvJYjsNNJ34ZtuEIDyt7oBr1mngugQeBRc/U7t3fTdsjnL1hZSONHZPsf2BoDTxlQrFAtNb876ZPhOhNjP+1KQJwIF4zCbHCnFsQhg1JBEcCTxCw9XU2PZvORlyV2z3m93ykwiz8SUeywpsDcH/viY6vE3WXyuB4MQejidgATZRFRn+jz6yg0KJCC1CUVuicMpRuBHMv26Zip0qEKdE7A3pUwEa6p3kJi1f6pyUfQMacDsZLm9Y0Hm1eEHDNCII2s2wu+Mx5H5SoVJFGjOh53o8WDnpn8Ol4iCwwl1fvtERUhkrHosEiT1HllaEF/1BoNz2hy+d1KVxAF3qgySxlkk7I//zZBHldeKlgb3p7Xu2gMMSsXf8aMjS7fl4Z1czuwoF99r8TlfwsfyvNrVvTibm2LbGmiPAyRxuGAwDweiGpbYQypjUFAJ0dM9r80V+DpV2YgOpJCnq9YszVTBO8OGJARagkQ95kBzleMifOxXMx0p3zSgNBKjGH4hlZYGrT4Xhb1ZrDLV09rqfVPrrLctgsJHlZZWmjiAA9kwFyS2G8slMyIIoVZ2U+cnHVdric0cdb+g3XtdGQZUIXK7mZgLRBX9P9Z7XItlSdyPP0ZNDqqR8Rc249HMcZpBJW+N1e9qxVErEAqxtq7POt7KR9DsQoVpsakSjCUzUKOsw4+WivIq+g2yrWMkwztMqKc025qWMVvqwmFvRq/jQabfvGXNpk/XeocdSfpAO+o4OswyVTtOxhGL9lLG5rA6WoE5HOs5XJYYq5hS1YWkeRNHsleQOG+IYPCNtT98+14+V8zyhRqvc1Q5V/dmTNqXCTEd54cZONOSvdNQ7PusE0xcv2bN13dofdbhGcRrvwff/lZ3bYLdT4PhsCUJITqr3DtryaynSgwjz8efjcxYMjFl0AoKUzoTlf+Z4Z6iyGxM9fheq9/5Efadd5E8H4IQnwiufhwKSR+3O5u+LqQl2IGYtmCaoapqh0kAfAoIdYpgfBf838jebo8KDjuTh0+4YNZSXOnGJnym93Ru7L1BTxq7yY/aSswTHJST8Yg06lyv9nT9md4Ma5L0IeqdeGXNItsd5eXyOTja0RJfVZ6boVCkDjzuEe5L5BHKJEYzD071GyOxgckoEGhTbzWtmgghVjOVf43KzppQqHddryyvfa3N82M29B8yMZd2GT1SCoYqFYVXgYBqclMQnI2HsOEo7IDt2IF8fpDgtAcV8aoAXkimAT8gOR4MqezWPt8OraC9mAkTwqk+UgSNSAChXhk1bN06SNKH6Chz+fSm6TeM5tsdj+rEGdGOO9Qo6yNQ5GNEqSXXauqa5M0gS0pYqEf9R6AoR7v2P+J0H94sxMK0YdgDEV9xFfAXFNSb8TK6A55TQIRj45JJB71GokgYCcqt8L4qw6/+BCggOvTHJ/gv3r1BwENRSw1dQH11ppFzWsVKLx+NYN5Aq/fOPn1nqyJJH6KmIXejwnaP2dNgwQ51UjS71nCI5k49tyL8gv4ntxz7rxxBbIHhC9IxXkRyPIwdtDGd2ZT0D1OV42KcvSlWdHorn4J93hvq/E1s/VslSfoQ1QNop95PiUxHjFDmcRBHYY+i5JxbbRapYQTsiGIpDmLPiO6uZ/rEGy0rVgNBm4TmajuFrc0kiMd3QmVzKftA7MmtmiSxiKYRo2XABym+sCSVH8qBUco1MvoeDjPM1gKcMUQLEmNhd3fvC5mGGZq6ZKpxvGHSRTJIFO0zk99xdW+w19Hm8L038ItthiSxiI4UYcKQaftIaYyVA7hQsbWj2JIj04ltGIJ9LIB5hVCXqBu6vNky/zH7HIcjQW7O2FRJsPdFqBtnkObP4n29TZIkFlH9ZVH0xWr99h1lAVZgvB71aloZIWVbf3rrbRco4oqPRNhZC1pDEPK32bJrRGr1OVCk4jdw4OYs3O6Frp4fjk8Wv22bJ8lAkNUxHp6IvsK7y7y0tAZ/+Bk409QgcfZhEXfd4a8qZwerkBVv4vNZgY/klc7O3lf07GXogcVvnwFMuoIBz0YCpk6migsDDs89qfawiiRJgaihozv6CoOIw4wle3MOe+K4uTuAwNkGKKuX1sAVwxFrkAjvCQHv4vDwHvard6C3+63NynaOQO4U9fUNcwH4uUiQNFT6uHipu6f39HA0eQ1raEWSpIEocZpZjPchgXI6yvLIXTlXpwDAJGAwUUScxXaCSDBuMm8p1BmI/Ndpw44U6c+R/F8Kpq5kID5SN/V8lG+r6HDOzdLK35pN9t/3i7aTGT4QqrgoNjqjFhRJkkVE5dpXo69BoJWYathxnMHAxzImjUG5fSzOQmMgkpZuNMrwlfi+XESyhFUAHUV4xaYEqUV7jbRszWNeaswrNGDzcSMwsVGEPRbFBuxo64A8FhlbDyrrEBy+D4XYt5Lo/uaLVfxrPRmQc4moSHVCRXkV5bVMlsJDDz5F0eqmDZ+u/Vs6hqlFkuQR0cAKn7NceiEOQ9BiiUHAUahrnIgEyWY8s1eRHH8OtAWfDaexbkjvJkWSFDEkiBLjlwyAYhjMxtkvWyuIFGr1uWAI7m+1N0YCdadJjj4USVJEXkA+HRSfDHW1uSj6HWigSCXZIwaJikvw9eyGzo6F2Y7gWSRJETmDudE8jikGMwfuMnsdc/DUDlm8Pe29NKGO9VLox41NuYxPUCRJEVmD2efYlQuoE8BqgYGJG0qyEbSDEIwEzxPLVQFLhRAtFPMgS/dOibyThAK1QU9Ic5Q+Awt1J1qLr/fbd5EYmxgKSe/r9TcoIn2Q6FTXZP+JRGF5OJsuGOwLjO2HM0b1YHN8XehGfWIl3o/ysH8EqniXgXh7w8Z1b2VbhNKDvJOkhPGHwci1pvRCyJSKOm5QY0lIJwKwS8mxyepzfY6/zstCsJdDKlv+1Ve9bxbKsubWhp89aykXAkaGQPwgqew9JMo39NzZFhP/8rCfixB9OkcQdREK3LAJQFBn39C3FK2C+FZV+eqent7/rTi4+ZtC9ODcesStSEaqSUiaXxFpJk5Qei1+19v4Y71O8W3x2b8pOje9VYytlTmiERKzHrW/UILoDcTWQ5LBUKLhTUkUYBIlBRpRplr9rs9xRKMgZu8Ipr6HI9uHQ7GjXMTwwdZMknig6X8yzjaT8Xho3wqkVFrKkDzfMsE+Ekx8grPSZygKfIry8GchAV9907vyq3xFWC+i8LCtkSQZxiI5xgKD2vCnMH8gHCdkvHES+Z1/R+E08RwFcPgWiUY+KZ/6re57hrLRReQeRZJoA0lsY/EQju0Fm0PrkHk4K5JkK0eRJBlAMMjbWn0RQ4ciSTKBYJ8MdROKyD2KJMkIanEm2QZQJEkGAPJTKGKrx7ZGkjd7g73HZutmq1axj7N1ryIKF9sUSchbT0s2pCKKiMU2RZIiikgHRZIUsU2BghFGY61pRpEkRWwzoKB2o6Wxz1o8LmezvXFQONNEKJIkh4gE6ZbswPiOzbbGvyQrS342pQJcgrO9UHnaDgC4oFhXqlixZm3w36lyk8cD+X0csNiyo6LIu0kcxolwVBZRAirbKECsJ9u0zk71w1wFk9MKSvhZVSVNwH95JyHUkRx4Kf7fIRXERgDxbXe3+sXyuc1fpWtGT7laKqZUns+AU0Y0BSR2Hz4bs9b7FUmSRVDo/9rRjhpJEnMYA8eokcoMFnnGal2TrbHN4Xt/4DWRjLDydaXAT6OwQbFpFMIHDmxMtfJDvcfV0GpvjBuqaGAbTNUOF157hNnrcLJIvK8t96O/fEvyhopyiVn9zg8pJ4cA9e8tDb7WXPt0mJeYt+OK8RDBwYmtqMH/7yd9zQOIuqBwMj+NtLHEKFEipPUWv+stYKJFDUFzcN2Gpe3z2jclqydMjsmVR1TsUnUFfoyN8Vxf73H8jkXiQadEkSQZAjvveM6ZE39Tl7naQamzq+P45nFZUk7A40WxJ80+x77YQZ7Ft7ukqKa0C8RHyQpEO8TJ2IYL8eNEff8F7IpN3hWYdJrZ43jf7HPd1NrR9Hg03V7WYPHbTVjH+dxYciCLJCDSg1FY3sTILVhilxuqK7qQ3OTo1aYK8RoXsDIUCvVIMh/JBPxUANRWTKmirAFxo2ri73VTXVPdiwPTLMRDkSQZwOp3/VOWwukbUv7eAOznLIYkFq/zMJzyn2KRQHTJIVhLsoxPJGujOPFIViIdAtsNx/K/IdnOQRKfGLA1vZ7pLSl3iMz4nUgQe8bt24ISbKwFjxYOEZ9hiUe7szYX4ipZLr8Nj8ekKlgkSSYQ4rMYk+BU+Cnl8Vtqa/oGyfVr4EAJL7U9fxD/jneadA6Tx3EpiihXa76XduyNusFSq9d5tr/BfX+6N0ER6VSZSZSgs+BywOAPdzS277Fma6M7WbkiSTKAECyAFDlXa3kjY3uZvU4D10MQqicEiwaeC+seHvv9WP+JWu+TBowol9yHYs3OgQbPlXp0lUjudPttqPuck8P2ZQwQ7K7aBbV7JdNviiTJACEBK/Q8QMG4HfUXygys57IPmu2Ng/QRczXlJodcEiQGcDnqKkSQK7VegTPcjXgoaIKEAWyKUlV2HL67L1GRIkkyAIUxQtFpDYtEi08JHPUvYDoj7ohocqFY4Mh+Cd7mZD33yRjArkDR639aRC/Ut45CcfLCfDQrc4gHWlpDDyXL01gkSeagUV4TSVgaIalQwulHEpPXWSdxuFbvfbICDnegMv9qMmU+vLxrLLkrn81KE9/g61y/1f00syYvuK2RpKTWbUs7quBGWPv1QJMGHOlXYs+fmXnT4mJdW1uwrS/gczSJJmWYTed368LWvoE8/R4bXYV03Y/pV6aNqMw/he3YO1FgDG40Xsq0DxoDsQaf53/xef6ARwNElrJpxS6deHe0GjiC9U/l14n/+8sC2IL1wW8f12qesk2RhEIMGRQl6X5DMhhYNQXV+1e/k4J9lcO0PEvCKQOiQILMTyOJJiqk4rqu7h/vis0LWP9i/QhpRNnvsOm0Cz1Sx/2mjjNMOh+P1w/8osbrHFXB4RSd7aNnGFBVdlVre1PrwPzts5bYdjIalNNQVJ3Pwmsfmu/56sovew/ecUelShLdRhESG1rntn6fzkbpNkWSnADEdxkmrwpHRBdMtAshVnOAUvyBp1NKAiHUzaIWZdEqMY68QOe9NwgWcjVbPUsHfhEN0nc7ik9unB18TEcqO+ywF8/0Oe592da0JvZ8OYh5+G3qfZ9YCPHnQKvn/DA54uyiRFNYX1bvCe9JNeL7Km2NZA0TdpaOarY1Prr5XJrB74okyRAUqjPNBAI0oj3ULdTLae9k4JfTm6ZfIHfLm0e9EuOI/2P6Mz+dHo8gsUD94l3Uc45BPadJx30rShicySKz0GYAcJfO9vkDds98LaM7meRY/K4TcDjSnMoN23MVX8CfyNRyoEiSTMEhnbCpm4Qqjm1ucP8jUYFYeTmy5+A4VWcdrwYamp7QMnq2NLg9Vp+zkVEue40AgFOxA/5hQAfUp5sJmj+0iz/N1sYXrT7XcpwlDtB4yU9M1Q7S6JJuFqZCkSQZAn/hTp3CVjd2q0MCdrdX6wX1bgflk5+sqxZVPKCnAwrBHkAxSs9MsIO5qoEWTsMzEPlpjJbH7qTj+u8Cdm+bbhEIBA4soJUkyCdBdmJFkgwlsB/2hOMMawT22jsD9kbNBCFwKSzr62pXdzCoq2OsV79bMpqP7WG0PqERgvHDWZQk5XL1GKavke+ko0QLBm/p22iC6XrrGIgiSTJHMHWRGAimyysuAnDovGBlOEe5DpB4h6LMGzpEGRS5hKXvvSSgXA9FhBBpBSgHFa/TMShhm/TMbnFRJEmG4JyWLKWc3Z+MIo3A99B1kRBpBbugFBXY/TSTBHvg7qbFpspoRH5dgwXoWc6NASpARp1PW99qWxwUSVLgUATss9lDSiuAaXZNHYAPdZYHMJQSgdtZT89aZtSxNwkwSWddYXAQu+gUPZM6ZmlBkSQFDg6wdxqXfZFWZUL8j2m2/I+Cs93xb3vr8tY1ZpODslhpHbl3P2CxbYflc32r9VUITl3FBfta3/0HY1sjySeoKt6Y7sVC8Ley2RhNADFFr9KuChE3x2TK6xj7Rq/gyKPuwbSYa/G73sGWztB6aWmJchYeL9NaF5kUGRTll7oaCOxtXeXjYJsiCcrc3wRsjZr8mgsHoF/xVHlaJJEi9k66IPrt1As/tlcrSWjSOt/scfm0rPbVumurFKXiGaZTlxGq8OgpHw/bFEmGKcbpvUBl6aygMdYTCv5o4Iqua7CjV26uNxh6TpLli5KVHwADl9hii8/5R7Wr6454KfnId798cuUvDHIFSQCTdDWOsbWdm9a+pPOaQSiSpNAhwtlsdYFztSedqiRJ1n2dEGLzyN7i8L5m9bnasb21Om5hAICrpdLSS61+1+t4v3eReD8IwUbicULFlCqamfQYYMY0jt2bjdTWRZIUOkCU6tVJKGpIOlUJAfr2fNjgpVw1FJzPZbmd6V8Xp03MmUiYsGmL3vWDOPh6gxA3ZXwXViTJMADk7TeS1G6JSTq3LwD67ZoHHN7lKD5dR7NDFpumF2pIFScmizCjB0WSFD669F4gSZJm05JY9DJu1H2hEIOcr1rsnmvNHns1EuisdNqRKZC181sa3Euydb8iSQodgm3SrZOkuZstMdB9nQAYROKoTdbZVq/zfcbhZpaFXW+NCGGLzm22uv+azZsWSVLoALJx0qmTCP2dPVyVzHVfByyxDZa/wX23yetcJHEgv5Oj8aVv6UwfvhQs9Ntmq8eX7RsXSVLwgK90XwFCr3NW9Do+Ru81qOwn3TFHsYd2/0+Y7XNcbAQ4Dmu5BD9XJrtGJ9bjbHvH9x29f0onqLgWFElS8BD/0zuTgA5X3P5VqeMY6HOzBGCrUpWx+O2zDYyfgaUPZuku5/YHrcItQ5nuqe7uH56K9d3PBYokKXCoAv6rxzKcAABj06uN76D7EqEOipTfByTHDBDSbQBSrU6eEwleEELQUraM/89GrGidYLAShcn/dKr8tWytXGlBkSQFDi7EW3o3DVAESs+HAthPdF4huno2/DfeFxa/83Jg0tV4T337JUIs7A0FL46XpmKoUCRJgWNV78r/jDdO0mNdS4P21HTqAsH21DnifxhP1KEIk8DgOp3V031O8tvcz+m8LucokqTAQUHgrD5nq54gDdjR9+HXcD4whlUyhAPfGSftp6txQgxaSarz2ycqTLomXvGkt2LsiFTR3YcKRZIMA6As/hIO8HqCNIwy19nJD+UNrReMM04yM50RHYUIx8HqB1lIxyBJ9S71bmxZ06TL7z+fGAYkgZymJhsO2NTV+0xZqXIL05OugYeTC2kmCeI3OpvVsWbt14MsbFF92l/nfQhl5mq7B/WYRhBiI4vYkPV7qSB6APhGEWKdIdG7prubrc5XrsfCJ4lIN+7e1gPy3rP4XW6cTeZqvQZ1glNqFtX8SYsVrMVt2RkU41F62oQj19Nvz3t7kCElnq9KzzYRLHidhUH8NFV9+RNBovcKU+RwpjFa4XoPa21TQ7Cktb3Jr0fE1Iq8kwSYkPSs+wtgWc3bN1wBQr2FAddMEsS4ivLKOznnv0sWuod0F7PJcTfTJ2oF8Za3JfhOt61ZBhjFwgHxYCaX2Pn4f3xp9TluWdXzxX2JAnqng/zPJAC6lgSRVNv8TELw25r8Vr9zGT6RWdqvghNMHrtx34W2M14/zLdu4LfTFkwzmCIEOVhnc55oaXB/GrdGJj7U7YeePeyMA8lfxhsnnWpqajiW/FuycdOhELd0rpsXZ5I+oOR5DjAJiaI9+jAA/GbUSGUOimuP40cfqOJrVcBILokZY6rHU5rmVJl/B2Jdt1AvTthGlXmAszN13jPb2F2S5TYUx47zWxszXlLOO0lw3pd0yqy6HYG2VjRbPa9Yfc77sOefpvNS0hN+z+gVzo9OSE9zEEI9P16A7z50frp2ccUuVZ/j7SelVUH2QOLj02afQwRsTQsyudFQzCT6lhnT9NfeWtHT0TnfUF1Rh2+n5btu/C2ebLY1PZSszIqTV/TWe1y/liVGARjK89S0RJA48MesXucH/gZ32lFThkJxH61zFMuJZedwBWWJrffbfy4zqQ0/6re1ShtixZo1QU2R7VvtjS+b3A21KPLcpdPfPRcoFRwe5NfwWemufA3BTAL6zLghrdQGWzVarZ5PcLQ+MDpap5t6TQ/+q3Z3H/T2vIDmAavF6aUYZXWzG22TDAblYBwWaTefgldTpq68zjAUC8xUZ/85vk2Y6iIZ8kqSaJ4NbZmK+pCFCHxbI3C0ftPicc1CJXlxGiniNANFrBZ106bD44X70YJo4O47Y89R1i7ZWD5OiizhVqBUVMFUUQq0qMNBwvcKjv4GEGoZDpLbYTffkUXESwqpmpZrMnA4gw0Hkhyw2EL/rE6dRF2Zo+YMe1B+9xqvc/8KgNvx42+zfHsUTcSfOj9eeyXpGdm8cdQoUrcPSDglnjLiYCTSeSwyM+mBaabPUT0whZ0W5JUkBoO0j95ruIC4pthFRBD1qzjB7HE9waVwCNd0zEL6AWcPXyjELmq1u19Nlb45n4iS6ym+gD9jrrY/QPtAOi6nODC0x7QoZckByCtJgHG9eTY2BNZ63k14PyFW4k3btNcPaaUkSAY1KNZLstDcBuyC6QWzTgEKFYri7AyT12YFJp2Epw5i+rwAyQ7qBcFCD9BSs976UUfaR5JYnZayoIp2f4Nbj11ZP1AKutoFtWcYqsudUVFMEzgLp7AoXJJMftRWMnGCoss+CNGWLCkkPuj78XB/Zi3LDNFd3fqhbEMfouYnZL7u49fYZHO9VCOA74dTA0V+3wlHiQoQzIjHH4UQPwCwL1Co+iikhl5rW+p/IxO7J1liZKaiad4JZeF50Sqfxed6Ev+HC7Vegw9HM6FikTeSTJwg0waYLt9r/Kf+naPmbPWI5n9fFn2lht45PgYk65cCN2stv4llHumdgAR5U98VoiKdevJCEloGNBoUvY443aK765mcNKiIrMJAeQlBu6nMa23BTtaQeb1CFSroSg2XnttFzkkS9Xh7Gt+O0HMdigNPBuYE0kohUER+wUFsr2eDeEa9REu/uleZBgIAdK1wARNp7bnllCRkhm2qtz/M9Ob3JnPrUM8fctGmIrIP7Ky6IjSWCCAFf2EmdU5bYKsYU60cp+caIeB/6dSVM5JE/BTs9+Ij1OvxRm6hf2p2NH+Wi3YVkQuAPtMhDhfyBXxRskWZVBhTLd/BdOq4KkWeSQM5IUnNopoyc739MXx4+lJ3RfDamo5V12e9UUXkDqr4WE/aaCw521Rlv3/agmmnxfNuTIbIKikRRNceCaFr7drgyzqvCSPrJKn326dWlFeiDpJWkvnvRLD7CL0ProihxYZP175ZMaWKZhPNq0coop04pnrcTKvfdeP3a3r/mSpEKSUhLSuVfz5xgjKf6feBIfHk3+mGQc06SSQmkadbOgT5UQ0GDwkUxaxhBzJbwc7+T3x7rL4rgTb3HkPdosfid72PM8wHKGqTjVgXADMIIch2ayc8P6WsVNmZpesEwyiIOLs93WuzTpIeof7GCJzW5vVEA1wfUsXBLQ7v8my3p4j8INQbvFVS5GNYeh3ZgBfthce9YoNVQhbSXRGQeC+2NLh1WEX0R9ZJQl5rZp/jYA58KYtYeSaHYJ+rTD2spaHpP9luSxH5A5nGW3yuB7BfnzLUbRmAjl4InZ7JDXKiuAdsTe+aPa5fcolRXKZkgcr+tWFj74n5ip9URG6xpqN3PopO5GT1s6FuSxS9KKEc1d7g0Z2+IhY5WwImgzuzz3U6B/ZAnK87VEFWpk0PJQt3U8TwAinGFrflQFCMAaZP3M4FelShHo0SSmHncQ/YGh+0+J1TgEFfbu8elK/u7untvK7d2d5RDDu39aHZ2fxlrd9eb2ASbRbq9fnIFr4VLPTrgC07Wa9ybpbS0uK51GyyjxUCvuvu6f3rsjm+tHY9ixg+aLd6vpq6ZGrtOOPEa3CAPJdBy7cAAAAAtklEQVSl6U2YBkgqeULt7pqfTZOmnJMkan59Yq7rKaKwEI2geHG93/6AJKTzUKH/LctdglHynHwBxasbUR9+Pds3L/xYwEUMa1DQCjycYVpsuhxKSg9DHZUCeZNZfaZ5E38QgjWDEI3dIP6RLBZYpiiSpIi8IBpI4hF6UUCQek/D7sDYdGB8FwFsMp7fDgSrZkCRVISBcgGj8NSDn7tQhurAsqsEE1+ByshT9e1AW/DtqM9MzvH/uFCgxBI9EGYAAAAASUVORK5CYII= + mediatype: image/png + maintainers: + - name: JFrog, Ltd + email: integrations@jfrog.com + install: + spec: + deployments: + - name: xray-operator + spec: + replicas: 1 + selector: + matchLabels: + name: xray-operator + strategy: {} + template: + metadata: + labels: + name: xray-operator + spec: + containers: + - env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.annotations['olm.targetNamespaces'] + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: xray-operator + - name: RELATED_IMAGE_XRAY_SERVER_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-server:3.3.0 + - name: RELATED_IMAGE_XRAY_ANALYSIS_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-analysis:3.3.0 + - name: RELATED_IMAGE_XRAY_PERSIST_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-persist:3.3.0 + - name: RELATED_IMAGE_XRAY_INDEXER_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-indexer:3.3.0 + - name: RELATED_IMAGE_XRAY_ROUTER_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-router:1.2.1 + - name: RELATED_IMAGE_XRAY_RABBITMQ_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-rabbitmq:3.8.0 + image: registry.connect.redhat.com/jfrog/xray-operator:3.3.0 + imagePullPolicy: Always + name: xray-operator + resources: {} + serviceAccountName: xray-operator + permissions: + - rules: + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resourceNames: + - xray-operator + resources: + - '*' + verbs: + - '*' + - apiGroups: + - "" + resources: + - events + verbs: + - create + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - xray-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - apiGroups: + - charts.helm.k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - networking.k8s.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - policy + resources: + - '*' + verbs: + - '*' + - apiGroups: + - rbac.authorization.k8s.io + resources: + - '*' + verbs: + - '*' + serviceAccountName: xray-operator + strategy: deployment + installModes: + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - "DevOps" + - "CI/CD" + - "Developers" + - "Software" + - "Productivity" + - "Artifact Repository" + - "Repository Manager" + - "Docker" + - "Maven" + - "Git" + - "Helm" + - "npm" + - "go" + - "golang" + - "kubernetes" + - "k8s" + - "rpm" + - "yum" + maturity: alpha + version: 1.0.0 diff --git a/Openshift4/xray-operator/deploy/crds/charts.helm.k8s.io_openshiftxrays_crd.yaml b/Openshift4/xray-operator/deploy/crds/charts.helm.k8s.io_openshiftxrays_crd.yaml new file mode 100644 index 0000000..a71c3d6 --- /dev/null +++ b/Openshift4/xray-operator/deploy/crds/charts.helm.k8s.io_openshiftxrays_crd.yaml @@ -0,0 +1,23 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: openshiftxrays.charts.helm.k8s.io +spec: + group: charts.helm.k8s.io + names: + kind: OpenshiftXray + listKind: OpenshiftXrayList + plural: openshiftxrays + singular: openshiftxray + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true diff --git a/Openshift4/xray-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftxray_cr.yaml b/Openshift4/xray-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftxray_cr.yaml new file mode 100644 index 0000000..d9eff16 --- /dev/null +++ b/Openshift4/xray-operator/deploy/crds/charts.helm.k8s.io_v1alpha1_openshiftxray_cr.yaml @@ -0,0 +1,69 @@ +apiVersion: charts.helm.k8s.io/v1alpha1 +kind: OpenshiftXray +metadata: + name: openshiftxray +spec: + xray: + analysis: + image: + repository: registry.connect.redhat.com/jfrog/xray-analysis + version: 3.3.0 + name: xray-analysis + podManagementPolicy: Parallel + preStartCommand: null + updateStrategy: RollingUpdate + database: + password: OVERRIDE + url: OVERRIDE + user: OVERRIDE + global: + postgresqlTlsSecret: null + indexer: + image: + repository: registry.connect.redhat.com/jfrog/xray-indexer + version: 3.3.0 + name: xray-indexer + podManagementPolicy: Parallel + updateStrategy: RollingUpdate + persist: + image: + repository: registry.connect.redhat.com/jfrog/xray-persist + version: 3.3.0 + name: xray-persist + persistence: + size: 10Gi + podManagementPolicy: Parallel + preStartCommand: null + updateStrategy: RollingUpdate + postgresql: + enabled: false + rabbitmq-ha: + enabled: true + image: + repository: registry.connect.redhat.com/jfrog/xray-rabbitmq + tag: 3.8.0 + rabbitmqEpmdPort: 4369 + rabbitmqManagerPort: 15672 + rabbitmqNodePort: 5672 + replicaCount: 1 + replicaCount: 1 + router: + image: + imagePullPolicy: IfNotPresent + repository: registry.connect.redhat.com/jfrog/xray-router + version: 1.2.1 + name: router + server: + image: + repository: registry.connect.redhat.com/jfrog/xray-server + version: 3.3.0 + name: xray-server + podManagementPolicy: Parallel + replicaCount: 1 + updateStrategy: RollingUpdate + xray: + consoleLog: false + jfrogUrl: OVERRIDE + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + diff --git a/Openshift4/xray-operator/deploy/olm-catalog/xray-operator/1.0.0/xray-operator.v1.0.0.clusterserviceversion.yaml b/Openshift4/xray-operator/deploy/olm-catalog/xray-operator/1.0.0/xray-operator.v1.0.0.clusterserviceversion.yaml new file mode 100644 index 0000000..97910b4 --- /dev/null +++ b/Openshift4/xray-operator/deploy/olm-catalog/xray-operator/1.0.0/xray-operator.v1.0.0.clusterserviceversion.yaml @@ -0,0 +1,339 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "charts.helm.k8s.io/v1alpha1", + "kind": "OpenshiftXray", + "metadata": { + "name": "openshiftxray" + }, + "spec": { + "xray": { + "analysis": { + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-analysis", + "version": "3.3.0" + }, + "name": "xray-analysis", + "podManagementPolicy": "Parallel", + "preStartCommand": null, + "updateStrategy": "RollingUpdate" + }, + "database": { + "password": "OVERRIDE", + "url": "OVERRIDE", + "user": "OVERRIDE" + }, + "global": { + "postgresqlTlsSecret": null + }, + "indexer": { + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-indexer", + "version": "3.3.0" + }, + "name": "xray-indexer", + "podManagementPolicy": "Parallel", + "updateStrategy": "RollingUpdate" + }, + "persist": { + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-persist", + "version": "3.3.0" + }, + "name": "xray-persist", + "persistence": { + "size": "10Gi" + }, + "podManagementPolicy": "Parallel", + "preStartCommand": null, + "updateStrategy": "RollingUpdate" + }, + "postgresql": { + "enabled": false + }, + "rabbitmq-ha": { + "enabled": true, + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-rabbitmq", + "tag": "3.8.0" + }, + "rabbitmqEpmdPort": 4369, + "rabbitmqManagerPort": 15672, + "rabbitmqNodePort": 5672, + "replicaCount": 1 + }, + "replicaCount": 1, + "router": { + "image": { + "imagePullPolicy": "IfNotPresent", + "repository": "registry.connect.redhat.com/jfrog/xray-router", + "version": "1.2.1" + }, + "name": "router" + }, + "server": { + "image": { + "repository": "registry.connect.redhat.com/jfrog/xray-server", + "version": "3.3.0" + }, + "name": "xray-server", + "podManagementPolicy": "Parallel", + "replicaCount": 1, + "updateStrategy": "RollingUpdate" + }, + "xray": { + "consoleLog": false, + "jfrogUrl": "OVERRIDE", + "joinKey": "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE", + "masterKey": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + } + } + } + } + ] + capabilities: Basic Install + categories: "Developer Tools,Integration & Delivery" + description: "JFrog Xray Enterprise deploys Xray security scanner into Openshift" + containerImage: registry.connect.redhat.com/jfrog/xray-operator:3.3.0 + createdAt: 2020-05-22T00:00:00Z + support: JFrog + certified: "true" + repository: https://github.com/jfrog/JFrog-Cloud-Installers/tree/openshift4/Openshift4 + name: xray-operator.v1.0.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: Represents Xray Instances + displayName: Xray + kind: OpenshiftXray + name: openshiftxrays.charts.helm.k8s.io + resources: + - kind: Deployment + version: v1 + - kind: Service + version: v1 + - kind: ReplicaSet + version: v1 + - kind: Pod + version: v1 + - kind: Secret + version: v1 + - kind: ConfigMap + version: v1 + - kind: StatefulSet + version: apps/v1 + version: v1alpha1 + description: Openshift 4 Operator to deploy JFrog Xray + displayName: JFrog Xray Enterprise Operator + provider: + name: JFrog + links: + - name: JFrog + url: https://www.jfrog.com + - name: JFrog Artifact Repository + url: https://jfrog.com/artifactory/ + - name: Artifactory Video + url: https://www.youtube.com/watch?v=r2_A5CPo43U + icon: + - base64data: iVBORw0KGgoAAAANSUhEUgAAAMkAAADCCAYAAADjAebGAAAKN2lDQ1BzUkdCIElFQzYxOTY2LTIuMQAAeJydlndUU9kWh8+9N71QkhCKlNBraFICSA29SJEuKjEJEErAkAAiNkRUcERRkaYIMijggKNDkbEiioUBUbHrBBlE1HFwFBuWSWStGd+8ee/Nm98f935rn73P3Wfvfda6AJD8gwXCTFgJgAyhWBTh58WIjYtnYAcBDPAAA2wA4HCzs0IW+EYCmQJ82IxsmRP4F726DiD5+yrTP4zBAP+flLlZIjEAUJiM5/L42VwZF8k4PVecJbdPyZi2NE3OMErOIlmCMlaTc/IsW3z2mWUPOfMyhDwZy3PO4mXw5Nwn4405Er6MkWAZF+cI+LkyviZjg3RJhkDGb+SxGXxONgAoktwu5nNTZGwtY5IoMoIt43kA4EjJX/DSL1jMzxPLD8XOzFouEiSniBkmXFOGjZMTi+HPz03ni8XMMA43jSPiMdiZGVkc4XIAZs/8WRR5bRmyIjvYODk4MG0tbb4o1H9d/JuS93aWXoR/7hlEH/jD9ld+mQ0AsKZltdn6h21pFQBd6wFQu/2HzWAvAIqyvnUOfXEeunxeUsTiLGcrq9zcXEsBn2spL+jv+p8Of0NffM9Svt3v5WF485M4knQxQ143bmZ6pkTEyM7icPkM5p+H+B8H/nUeFhH8JL6IL5RFRMumTCBMlrVbyBOIBZlChkD4n5r4D8P+pNm5lona+BHQllgCpSEaQH4eACgqESAJe2Qr0O99C8ZHA/nNi9GZmJ37z4L+fVe4TP7IFiR/jmNHRDK4ElHO7Jr8WgI0IABFQAPqQBvoAxPABLbAEbgAD+ADAkEoiARxYDHgghSQAUQgFxSAtaAYlIKtYCeoBnWgETSDNnAYdIFj4DQ4By6By2AE3AFSMA6egCnwCsxAEISFyBAVUod0IEPIHLKFWJAb5AMFQxFQHJQIJUNCSAIVQOugUqgcqobqoWboW+godBq6AA1Dt6BRaBL6FXoHIzAJpsFasBFsBbNgTzgIjoQXwcnwMjgfLoK3wJVwA3wQ7oRPw5fgEVgKP4GnEYAQETqiizARFsJGQpF4JAkRIauQEqQCaUDakB6kH7mKSJGnyFsUBkVFMVBMlAvKHxWF4qKWoVahNqOqUQdQnag+1FXUKGoK9RFNRmuizdHO6AB0LDoZnYsuRlegm9Ad6LPoEfQ4+hUGg6FjjDGOGH9MHCYVswKzGbMb0445hRnGjGGmsVisOtYc64oNxXKwYmwxtgp7EHsSewU7jn2DI+J0cLY4X1w8TogrxFXgWnAncFdwE7gZvBLeEO+MD8Xz8MvxZfhGfA9+CD+OnyEoE4wJroRIQiphLaGS0EY4S7hLeEEkEvWITsRwooC4hlhJPEQ8TxwlviVRSGYkNimBJCFtIe0nnSLdIr0gk8lGZA9yPFlM3kJuJp8h3ye/UaAqWCoEKPAUVivUKHQqXFF4pohXNFT0VFysmK9YoXhEcUjxqRJeyUiJrcRRWqVUo3RU6YbStDJV2UY5VDlDebNyi/IF5UcULMWI4kPhUYoo+yhnKGNUhKpPZVO51HXURupZ6jgNQzOmBdBSaaW0b2iDtCkVioqdSrRKnkqNynEVKR2hG9ED6On0Mvph+nX6O1UtVU9Vvuom1TbVK6qv1eaoeajx1UrU2tVG1N6pM9R91NPUt6l3qd/TQGmYaYRr5Grs0Tir8XQObY7LHO6ckjmH59zWhDXNNCM0V2ju0xzQnNbS1vLTytKq0jqj9VSbru2hnaq9Q/uE9qQOVcdNR6CzQ+ekzmOGCsOTkc6oZPQxpnQ1df11Jbr1uoO6M3rGelF6hXrtevf0Cfos/ST9Hfq9+lMGOgYhBgUGrQa3DfGGLMMUw12G/YavjYyNYow2GHUZPTJWMw4wzjduNb5rQjZxN1lm0mByzRRjyjJNM91tetkMNrM3SzGrMRsyh80dzAXmu82HLdAWThZCiwaLG0wS05OZw2xljlrSLYMtCy27LJ9ZGVjFW22z6rf6aG1vnW7daH3HhmITaFNo02Pzq62ZLde2xvbaXPJc37mr53bPfW5nbse322N3055qH2K/wb7X/oODo4PIoc1h0tHAMdGx1vEGi8YKY21mnXdCO3k5rXY65vTW2cFZ7HzY+RcXpkuaS4vLo3nG8/jzGueNueq5clzrXaVuDLdEt71uUnddd457g/sDD30PnkeTx4SnqWeq50HPZ17WXiKvDq/XbGf2SvYpb8Tbz7vEe9CH4hPlU+1z31fPN9m31XfKz95vhd8pf7R/kP82/xsBWgHcgOaAqUDHwJWBfUGkoAVB1UEPgs2CRcE9IXBIYMj2kLvzDecL53eFgtCA0O2h98KMw5aFfR+OCQ8Lrwl/GGETURDRv4C6YMmClgWvIr0iyyLvRJlESaJ6oxWjE6Kbo1/HeMeUx0hjrWJXxl6K04gTxHXHY+Oj45vipxf6LNy5cDzBPqE44foi40V5iy4s1licvvj4EsUlnCVHEtGJMYktie85oZwGzvTSgKW1S6e4bO4u7hOeB28Hb5Lvyi/nTyS5JpUnPUp2Td6ePJninlKR8lTAFlQLnqf6p9alvk4LTduf9ik9Jr09A5eRmHFUSBGmCfsytTPzMoezzLOKs6TLnJftXDYlChI1ZUPZi7K7xTTZz9SAxESyXjKa45ZTk/MmNzr3SJ5ynjBvYLnZ8k3LJ/J9879egVrBXdFboFuwtmB0pefK+lXQqqWrelfrry5aPb7Gb82BtYS1aWt/KLQuLC98uS5mXU+RVtGaorH1futbixWKRcU3NrhsqNuI2ijYOLhp7qaqTR9LeCUXS61LK0rfb+ZuvviVzVeVX33akrRlsMyhbM9WzFbh1uvb3LcdKFcuzy8f2x6yvXMHY0fJjpc7l+y8UGFXUbeLsEuyS1oZXNldZVC1tep9dUr1SI1XTXutZu2m2te7ebuv7PHY01anVVda926vYO/Ner/6zgajhop9mH05+x42Rjf2f836urlJo6m06cN+4X7pgYgDfc2Ozc0tmi1lrXCrpHXyYMLBy994f9Pdxmyrb6e3lx4ChySHHn+b+O31w0GHe4+wjrR9Z/hdbQe1o6QT6lzeOdWV0iXtjusePhp4tLfHpafje8vv9x/TPVZzXOV42QnCiaITn07mn5w+lXXq6enk02O9S3rvnIk9c60vvG/wbNDZ8+d8z53p9+w/ed71/LELzheOXmRd7LrkcKlzwH6g4wf7HzoGHQY7hxyHui87Xe4Znjd84or7ldNXva+euxZw7dLI/JHh61HXb95IuCG9ybv56Fb6ree3c27P3FlzF3235J7SvYr7mvcbfjT9sV3qID0+6j068GDBgztj3LEnP2X/9H686CH5YcWEzkTzI9tHxyZ9Jy8/Xvh4/EnWk5mnxT8r/1z7zOTZd794/DIwFTs1/lz0/NOvm1+ov9j/0u5l73TY9P1XGa9mXpe8UX9z4C3rbf+7mHcTM7nvse8rP5h+6PkY9PHup4xPn34D94Tz+49wZioAAAAJcEhZcwAACxIAAAsSAdLdfvwAACAASURBVHic7V0HfBzF1Z83u3un5iLJGGzAdoyDgWDAgIxtSdd0xZiaxEASWiDARw9gei8hQCghhN5CJ4BDMHGMdbqiU7ExpgZCb4ZgTLFsg2Wr3O18792d7JN0ZfeaTvb9f7/T3u3N7oz25j/z3swrshCCEfg1nJvqG44F4HWMCQlPrwQmWgKt3oB6laqyIorYRiHTnzBBTI6ngLGjIqeBAUSOZpNjpdXrvDLg8DyuqqoYuqYWUcTQIEwSU73jtC0EGYSJjMOjZq/jQL6AH6POU0N5bF8RGaDe49pHkthM/G27u4W6eKmt6ZuhbtNwhIwdXzJX2y+hWSMFfmWqtv8Xj3/IQ7uKyBA4+58uS3BX32cj8A6LxzWz2d740VC2azhCrhtl3QcJsqOWwiiEzZ+1ZNYdy+Ys+yHXDUsEi98+Gxi/HlszDT/2oO60Aph6p9/W1DRUbSpIcDhnwJkq4OIsPJ49FM0pFNQ8UKNUTKk6hgl2NHZo7PusmwnxzKqelZd8MOeD7njXyAByhY46RpcYR/4Sj3/LSot1YrbPsb0RpCX4dkTfOdSdDsUecbDJ63S1NLg9Q9GuAsXYOOd2zXsrCgjYR+oqplQ+xOg5xApOAOeOM0wche9+F+86uWNd72tjqpW1+L5SS0VCCAsbIpIYGduXxRAkBpxzQJGRFUmyBV/ia1S/MwAdQ9OUoYfF7/qFxOEZFtXDBwIATqh1225od/o+Hvid/PY83wazx3UEl9jf8fOYVJXhzeKNUHlBD4j/GBgLsjj/KA4M+wxBkwoWgrHX8Jns2e+cUP89VO0ZSuy70DZ61EiFZpC4BIkCFFk6AI+DSUJ/AvZGr7nRvBdXjH9DFriSVym+zKC9GaHd6vnK6nNdhoy4kQ1caRCsqJDGAAmxAIAfv/kzY6+0tIaeYbahbNXQYNRI+Qg8jE5VTgj4Pt75zcwKuAJfo8xyoNlrPxP73014qjTefdQQPJp2a7MAv63xT1av8yVUTC/Ej7/Gl4Sv7pAQFw9luwoNAVvTIqvfebpgMA9//f91bgzOV6/yBYe6XUMD2FdDoVWre1c2x/ui3/QT3Sz8a73f7paF9CiO1QfEfi8EuwFnnfa025ol+Bvcb+PhWLPPcQMwOIKB+lJLg+eVoW5XocFvdd+Dh3uGuh0FgGRiVh/OT7i6Fe9kq9XzAb/GVmcyKSehTHMkztUGlbEHA7bGRzJpabaBo+W7eLhmqNtRRKFDvJtsHxBnhvuarY1PJ/o+IcOiU/O90VcRRQxbbOgMPl5RrvyekfVIf3QIIe5oaQ1ez6yJr9cyDRVRxLDGioN939csqtmjvLxqDgh1Jyagi4F47/uO1cvfnvd2T6rFjIxJYvU5rAz4efiW9JdynLw+wEb8vadjw1/b57VvyvT+abRnlgB+C74tYaq4trnBvTDfbSgUYMcoKy+tPETt7nK3zG1ZO9TtGUqsOHjFRjw8n861GZHE4nedA8BvY/0EPpiOn6YbqiuOq3XbDo+3OZMrWNyWnUExvgR9m2gcnrd4nUciUf6RrzYUEirKKp9iAIdJpSXN+DGJQFFEMqRNkmiH/BNLrBH9zCArfvMS876BOYHv0q1HD0Ax0LJw7C4zBw4PmBvNS2mJOx9tKBRYmiw/Adl4WOQTWCwe10+Lxo3pIW2SgCLTDreSvBDbiRuMZC5yXrr16AMcFudkJZKZxK+j89OGwgBwQ33sZ8HVvfGw1ZIExWz8f/kswVinYGpTwNb0YbbunTZJenrV9wyKRPsqyW3sAU6Y/Kjt0k+P93WlW5cWYB0lEycoO8dvAvwaH+KDfluTP5dtKCgA2z/2IwcYN1RNySXqmmx7KrJ8Dwt71EY6IzCuWn3O+wKtwbOzsYGaNklI17D6nY9gk05IUXT0xJ3kI/H4WLp1aUF5+XcqY+MTkRbwId6DRNon12QtGACri/2ID2b7oWpKrmD2Og9SZOU5Ntg6hOPIeJq5XtmA7y/MtJ6MFPeeNZ1nGKrKx2KDDkpakMP5fAF/MpdejbSUZ/W7yClszwRFpk7cWbkSj5fmqg2FAtQDt+PGkr1jz4FGn6HhAvK6lCWIR5AtAHZmzaKaq6MrW2kjI5LQEi+/xna42STfgC2azxKLXtPMlfb/w+PdWu9t8bsOZUJEXIoBnmy2Ni5OdY0Q6i0A/JGEBYBdYG5qWBhweJdrbcdwBFeMh9Ch/1kxZUgakwNQTAazyX4//qCJCRJBqaKMIKv1zzOpL+N9kqjMdwF26mUQ8TMZGbcghz9Y3JZ/NTubU1oRW/zOi3HkuyEajYLwa7PP8QtUxl5Idl2zrelRi8+1K16WaLaQuSw9Nr1p+r5vON7oTNWOYQsOxww+CT/Nf0NyA7PJQdbNNRqKdvR+8eNXmdaXtR13HOmfx478DgdOexLxRJ5KkI1PT1swzRbe5UyAaQtsFWOqlasHnAa8742c84WpIrY02xovQ7GL9mZuZ3EJC7uOlseSqc2xKf6lYYmIIqtY4ny1vbnRPG64L4XXLqgtNVRVXJs6JANB3LLi5BW9mdaZVbMUWnbDUXrmKGm7hwHgyEEFgNWOqR53J747JdE9FCXcpnhLy1NNbgeJDCmXMf3Wxr+hXL6IG42otAHVNZAsx+DM147E3urs0pAgpHfF7ULcoNCK17/y26LswlBdfiYedkpVTgjxfEtr8OZsbKFm3XaLxBgc8X9l8trfQJHpejZINoaTUSRaiSP+9fGuf/0w3zqLz/kEkuy4gd+pIDQr/tENzAv2XWi7ftQI5TzsNrTKYdzcCsbuMHmd77c0uJu13rPQYfY6XZzDEYlL8BlsGJOkrqlurCKXp1p4oXiLNyNBLsuW/0xODByjItGNOFr/Bzvjk2yAVxjqDNfhd+txJL8z3vW9HZ2nGqrKO7EgyZ5l+PqOCXYLduhP9baFSIeHK1EUfAFFtpfYlgAJisThHyiemNscvnf03rfQQDvsXDamcogjr9Mr8tGeXAAJcitL5mEo2PKgys5ptTe+nE0PzJxaAdOKFHbOAzjAv0gXiPmKVPI7rH5nt9/qfmDgdVHDyNP5NbazZ83qHrlszrK1mUaPRFHwdavPcThqNy1sy/9dpcjyEovHZR3OJhv4jPfgkpH811PshcB+FHFmOAapw//xcBzk4ixIhPERU8XlAYfnuVxEGc25qTzpKabFpplSacmz+CPZY75CnsB9OKNIiXSD6HTZwbIUidhva1qGxMTZKzYmFewIEgvgjOIcbjNK/Yv1I6SKsrOx85AIUqbhEm5g7GA8PpTjpmUV0Vny4ThfdQomru78eO1fwgp6jiJW58WfhMy0cVY40Fwv30E7oTFf0Yxyt8XvHN1sdd+Yj7Zs6AxeX1GuUHyl2NBE41DhbcWZ5sh8BLnDZyEfcADbQZFge8alEahHGCLfhIKqynsAxMZQKLRRVVmXJCk9QnQGQyEDQhoJwElp3RUl73p5RNlcfK8nbhqZbNCq3rAhSWS100ArpgNCXgkPsuKkNqtnZa7tm/PmdBWdFU7HmeNDJAbJln0KPdCeiNXnHB/o8Jyb61jD5IBj9btITzp1wFejURR7yepz/fH7jlV/SLZMrQcUEMzcZKcl8XoBrBb/2z3NJmU3/GwYXFpiUvipYFeWY9c7ylEeH1AUNK2BDgYwE4oue+EM/5/0bpA/0GBiMikUK2t6zOkeJtRLAq3e2/OV7SDvnokoWt2ORPkCf+InWKxJAcBZ5mrHJBQhjm49tPXHnDZCFQ8zDgNJQpCwE10xpnr8L3BWuQBnlZfSuX2tu7bKIJXPQVK4zF6HA0+FjQvT7NbZBu05Xc4odkEBg2JUm+rtj+IzmxtzejUOofMC9qZ2PYq5xes8Cv/pM1hYehBPBdZ4btMzGA+J+y5tPGInbMCf60XWPyDeIXJF2Ssmd8O8Fqf3v7mqHxW8V7Hzrsa3OyQo8jNs22KccV5DLfDBTZt6X1g+17c60f1IJKislPfnnFnwR3UalAraDZYLhBTxMM/scZkD9sZApjey+FyX4aS2d6Ch6ahsKc2RIO6OR/Dtb7acFe+K3p45AQ0WG7FAHfRkJMj9W87APuZqO1kfJNyrG4gh83EnJbreb6+TmdTIYh30ge0mKfIr+M9dHGjx3KVlSiVbntmzZ49pc7R9q6Vu+jGRAMvw7c9TFN0PO/p+ZaXK3diej4SA9/EckaULO0YZ6gU4Q8AuY6oVeuiSlroLBMAl9rBpsWn/dN16wyN9leM2fA7hANxmT8Nf8dCaacNoR91cZafIJbG+QS+HNnXN1dvWqPvEHwd/AyfXe1wPh5eKNWBIA0FQ6KJav73WwCQSa6bFfFWG/8gd5nrH0Ra//bxmq2dponvU+e0TsdyTSK59rV5nrb/B/YaWuoVg7+EPnIokfaCVOLIJ6x9wOl29oDAwWSoteXHfhbZDontJmmHxuHbHkf4+fLvZsUswTiuXGZEESVtpqK5YGHtfvPOyru4f5yybqz+TwYQJnILSxQ3diyqfEw+FTxIChS7FH8o0aqRMeyn9fCAoOB4wqR11GB/qEfd3MrZkRYN7PX1F5uBgNP6fwqSLsVx5pDzcjH/tgyqJD02zztYNqBs1QlmGA9EZOBD5UpXG0XemxMVpIAGJQf36Do4XWqIkJgQRTyotJYLEGGKKN9b/EJz7+mHppfro7la/KDFKcWNHo76o+fcfcpIQaCSrWVTjKi+v+ifJ9AO/x3M2VLRtFfi/oZhEBnqcG0to55wPKNhAbpwoyqUc0YCR/MxTFdv6geItDkReq8/1Pj4QIsq72OG/xffdQqhlHGBnLLQXnjfJEpuQZPlh70RfpILVbz8EJIkWcmJt7D7DBhw4cJajCDBlZaMPxV9ufEjA620OTyCRLrRsju9/Fp/jVABOLhpbVhMFe39NR+8TWttXECQhkGPM1CVTDx1vmPgMRfhIUIx+ofHJ7iOAX42HhpQVAmynu5FbM8JkYbtt+UiPSNcgsvMBi207JFvgGIjwEm+9cg2ARHGcYytbJ0LsoKX2/pYB5GhVUV5Fs80E+iwB2avZV6DIfUR4vyQOmm1ND9U12doVST5FAExFgrzTxdQ/UTYFre0sGJIQKBYrPrh5JpPyRJIcjklBsw7OJgemWr5FJXyv4a1SFB5KSpQ5eHhES9lZS2w7mU3KU6yf/hFGkAn1yGZ703uxJ8nMXzaU0G86YEUSalDk9tW6a2vane1x86+0OXy04JJ2MJKCIgmBNh2RKMfgA6Qp9Fdp3QT4zXwBdydaC5/eNL18tDy2GIcqy+AgKCLNI6nKWbzOX5YYFTJFGqRUC8HOaR5g9RBdEqYN4ERL9pMNcgXNRhn7s8dDwZGEECXKsUgU+pgOUX5mrrafjse/xvtytDRmoFlKEVkB2C1+19xErtazG22TjAblZuAwL/714vZmm/uugWfxtyTbtOSDGrBfsG2JJIQ+opjqZQMA/EL/HeA6nKIXDPTEoyVjBaRiJPocASXYp80+x+9a7d5/kEJNZjm1bsd+EmcnI0HIR6gk3nURJynP/IFUsPjtJmDSVRqqLs+89fFRsCQhEFGmLZj26zFV455PGZFlMEZxQ8lf2ADzC5lJtPuaMutREWljJAf+nNnr+M7qd63GI0VpqUp6hWDtvR2dxwzcOK5ZZBtTUabQHpiWjdpFGbQ5KQqaJAQyNJz8qG3exJ2VJfiwzDovPwJHtXkBW9OCvhNCqPcA8EHLzEVkHdtFX0lBaeo6hThoxYDg6lE9hGK1pXTVxbu0rf8heEG6DU2FgicJgQLK1Xidh1UA84cDcusAjmp31TXVtfSZrFDEFavPuTDJMvPWAlri/CdTBWUkfk8IWCe4OiJiai/2wN65O1kko3i0B0sgAuUB/u7uHw5fMWfwZqGp2k7u3QcmuZaWml/G/+/pQJtnQS4tgocFSQi00z7b5zjQyKANZxQ9MaTIL/oRlI0P6tt06gH1DAOTaHe/OgdN7cEOuEoA+wE74EbasQTayBJkih9encl1h9xErs7rf+y9LYG5yev4erHvw9QlU41j5UnTJYnNBCHqkDi0x5QHcVQ8sKp75VnxUrBZfI6jkcwXDb6EfYzP894QhF5otXo+2Xw+9a5YRhg2JCGQ26nF45oLEiNbrpTptGNACVPJG/HP9IFMYSx+1ynYeTNNyUCsexWY8KlCLBe0A9zm+V+yUS1iTqPszphEo/l0AOyYDPBzNizpRXNIZb/TEwsg2klfjr5upw2+ujp5JufsYGDhiDc/ybxd/bAORd4zm21NT8b70up11gDnA126V+GDvqy1temxfPmQxGJYkYRAvuj1HtchshQ2oUgVwS8GcAPqJwHydQ/fx9r4PBLlIeyZv9PbBiTGf5AYD27cFHxu0A5zilEtGsWFXi1958IKaqnsxDmHxAt66Z3haPa6ItDquSXTThR1jmujF86+l9Q3WmdwWT6JRczWtbgIJ8Pfe1jo/HabJ27AOEoPARKQAr75dxWC3b+mo3d+eId8iNJrDzuSEMjE2eJ1ngAcyKRa6whs5ABPT1tg26/PJGF98Nvfj5bHUiwqTXZHSA43Y6Hrm62eltSltYO8JfFAu89P1TxQo5ROrmyQOK3KhZe+RyW/WrwbCoaOa3F4X8t2J4qKpxQSdrlpselCqcR4AkqPp+kUd6mNb2Bvn58sqn+t2zbFoCikP/VFsyHHu+ObbY3/TLP5WcOwJAmhucH9jMXn3A0ArtZ+Few6plr5G46QR1IHoBhhdX77YQqTyLckSWoC8YYagnOz4aSUCtGIg0voVbOo5syK0sp5OMPQSE46VOyAsBpH2Vu+7ll5Z6LUytlE1JfjNn4Nv72+vuFQHHB+T8mBUlz2jirU61tbvc8mm+EsfvsMJAjZZPXtqK8O9QbntDi9b2Wp+Rlh2JKE0GL3XGv2OmgW0OoXQpiH+gmZMNxAH8gwzuRucEiK3MwG6zkbsSNe2tLhuTPXvvfxEI2GTsugj6GIOR5FTMpLWRFSxWebPl27PBshPPUi2tkpJvMLZHCICv8xEBEyaXaRcED5jJE1sRDPB+ze5vBslGCGI/3HbJLPAiaRY1TfgsY3SCwzEiRrSXgyxbAmCf0A9S/WHy+PKJ2Ko9oe2q+EP1h9jjf7jCDJVRjlYRNI4eiGu0QLvSpC7DeFEo8LRcxVjJZ0+5DjFR0twDa9iYc3ExZIMHfQLrypyX6o2aTQQLV7zFedoWDwIBQdC4YghGFNEgIFjcAOPg87+Aqm3TSBM+BP4nUH9JEAj+/VeJ37lQOE3T2/7vn8vHyIMdsSwnHCRpQdj7M/xfOdOqiAKk4J61YFhmFPEgJ1cIvPcUbS3CSDUYnE+vdMn2PWy7amNXQi6vV4Rk4auQ3D7HPsCoyfIY8o+y1LlJqDsSf8De6n8tgszdgqSEII5ybxu6woHx+v47KflgL/59QlUx3FWSP7QJ1lf4mLSzjww1lyN9B1Gzp7z81Xu/RiqyEJYX3w2zNGy2MpcvruKQtvQf04w8SHUU4+JhdxZLdFULginKUvlSVyxU69Qi+YuCm6DF6QGDYkodhWVVWSBUelyp7eDf+O54VGS7o4tR+DZWj3OHn67BgAwG/MHgdtcOXEHyEfCK9+cXaqAHYYROR9yuTlU4PBW/KV/s7kddolDldyaZC3YTKs7+7+UXOawKFAQZMkvBNdLv8cu/GhY6qVGajYXRPoaLov2XIs7ahb/M5rgcF1uioDSmnn/LbZ6r4l44bnEWR7Nc448RJZAiJ4acy4TblY5nFZ/qXV73qoq/uH+cviGBJmirC1bqX9l4LDfCTIDL3XC8GeyUW7somCIwntOJftMvownA2OryhXKJ+Ggk/y3109wf0o+oWWe7S0BG80mxTyP5mpp24k1p+wQ62hTFnptD3fQLGmdrxxEtk5JRMviTcnlRhH2nCkP76lwd2WjbopoY4sl51ornL8H9YwKV3DM6HmNnV5NlAwJKFIG6Wl8pkVU6pod7kvz8ZGnD3OCTg89+jRF8j+CMWu45FotIavw74r3KEesHidG2lHX8d1eQWJntVVyvUo1tBSqtaQJpNxpA/gIHA/KslXpKMDUDifivKqg3D0P0aRyynogyEzs0zxVavTszRXKROyhSEnicVt2ZkpxsvKShValYo1I/8ACXKEv8H9djoPkfKiWH2uP+CPGDftXBJIwOFx7EwGnFEe119zbmH1Oo9E0ZOC8E1I43Ii1Kk4Qx9t9TsfVYOhJ1qX+lckMhmhWb1icuWeDEQ9A25HgtAWZlnWoswI9uJwWCwZMpLsu9A2etRI+SpQjJSvxDjg6yUoQx+Vqay64ZOOm3FmokAS01IW7g9S+h+z+pxHdfcGz1zq8n2eSTuyASTHNMbhL/jKRpSXEThpnon6yplmk2O9xe+i4ORfAvmiYJ/AXluF7yfgs6OwroacxcMHNa2o/fnGkJAER+ljR40Mj4aD0peRaXRLa+8Z6lXLMk4KSbZN9R7XKbLE2lk64RoBDjIaFCsq9DevD35381DkfqcIIwZFvgJnNwqikIvfaxRSYHbsiTyFIwsGf+xuzk9VmSGvJKHVqvIy+b6E0U8oa6q96aJsTsFkVo+ixd00cqZ5izJU6K8aLW93ktnnunrjJx2P5sOwMBp+5yJ8ncjiJvwZ3sAf+PWc56HJEvJGElSk90VZ+HkWm2YhBvjQbm22NV6YCyUu+OOmS+WKssNxiNQQVCARYEcO7AEUQS5H0t20LvjdY7mYWUxepwXrOQvJQT74wymdgy4AEwkzBcQDJUbatMmo6o2Anw3khSQo8zo5cCJIXANEJMiTLQ1NF+RqlSNsBOl3nYFixMIs3A5JDnePlsfeYPG5HmUQwrb7VmQy+9U12XaTZflXOGP9SuIw2PBvK4RQtaU96ANtHuPzvg91s7cCbcH7s5WjXQtyThKz1+niHKhzDlTOIxBs+Rdf9p6kt5PRJpYeH49ma+OLSJRn0o0xHAejIglspLPNXsdKVPIX4//SJtSeZS1LW1YmWjGihEOzZlkmy7K0PzBOtmY2RVZ0evoNfwS5qoskhE1dvVeVlSofmE3KKSZ3w/H5csrKKUnwH9lbUuTnWCKCMLa2u7f3VxQySOs9w74IHsfZdSOtzfhR10MKBjvPVuRyWsbUE0RCCyaGswoDOw24kZlNjh4UyT7HGacDRwH634KCAeo2bDv8bmc2dCF8CgWrEkWBTwaKJ4DP9Q58rpeHs6H5XNcHWnv/mOtZJWckiW48kQ96wpi7OHecp2d5ddaSWSNx1KYoG+NwFPmL3jZR7C2Lz3EOANecmyJN0LJpNCsWxPwtIor2dC/sYeq9BiZRbGDayLzGZFIaDlhsO0pPyge9yBlJKsorL2FJzCVQtmpptTc9qlUPodWeEuNIiqTxM7xYS2zYuKBQNla/i/ZODk73HkVkBvztdSntsaBwUPj7UcQbCuBBg48JRbDlKLXMzVUy2pyQJGKYqCTNBxEKMc1LvSavc7LRoFCkjfAus8rU1zNpX1d372klRoUsVVNEIikiFxBCTZl6Lvn17HXUB/ePOTUBxa8AKvUOrTkz9SAnJCkvV45hSWM0ieZWu1uT4kaGdKhH0EPdbIYBIDLKd0iGkmaf6xwObFgYMm5l+LLV7k3L1KgPkd9/kABbzTg01rpts9udvo8zaeBA5IQkwMRByaVw0OQ/QLZD5VOqSPHvt7eiqjzjzbWArfERi89pBQjvZBeRJ+As8FzGm8UCjAm613YGRV44vWn6jGzuYeVIJ4H9kny5oWfNBk1h8it2qSK9xjTwPAdBpMnY5Lu3o/NUQ3XFz/BtsvYWkT2oIQjdn+lNBBMTIeEgDHuMlre7Ed+cpeVepOumWjzKOknClqNTqpIFXG5rHxBmPx7IOhgU48XxvsMHVIuHuLFk9YDaYW40H8KVkqXkE5Hp/YpIiWdbrZ4PMrkBbQGYPY7ZyUvBaajI36tFkceZ51azz/E4ZRtIVCZXq1sJZS0hhCZdBBQDKf7xfUEAfjFtwbRzKHdJes3bAsqEhXKsw6AoFJ0xaWbfIjLC+q7u3oxziJg9DXUazIskLkvkqZkyKAgAexcYf97qc5zvtzXdFq9M1klCxn/RXOtxw4biVJlyJIkmcDk6SZHtq6t2OBaPD6XZzH4gRQ+JYo7Goo1rW1ZERiAl5DitnqXJIBg/X8ueE+qa82oW1ZwWjYKZ+H5CvI9lUTjht1r9zkq/1X3FwDK5mklotogbelTLylTtaAf5fyTNkgTAr521ZNZz2fKPJqIcsNg2s6xUfh7vPisb9ywijF5VqCeiOPNi6qLJYfa4GrjEDtVYvKy8fBS5bydfbgYRk1MTLscZZe3AGSUnJBFC/Qd24vgkEZBSH5FATNWwRz2+xDiSMrUem0YT44J2bacumWodb5x4C9ZPQeqKG+WZ4dNgiB3dam/Sbac1EGQFbFAqdEkOoPLdWCqSMNbfJAr4zRav85PmBvdmY9ickOTrni8WYEe7iczLB34nQKT0ORcAIzT2zmOQ+W8kkiXTQTRI3Vlmr3MRB7i3qNCnBRRxxG0bOtfekErc0YLIYlAlxRzQJwoDVKQqIkJSKfR3SODA4cF6j2tFNP5ybkhCHc3ic1yGot4jg1sFSVIcRMCBrddcGTLf6nWu8ze4H9bVyBQINLgbaxfU7mGoqriAwg3hqZQPvAjK0xhObnRTtmypwntlu1Q+QTni9V5LKflSFuLquDhOq2Nkid2Lx7BolzPbrRa79zGzx37EwNTSSJzdUl6sivfDmQa1gWPZByw+V2WzrfHWNJqaENGl6mvNS8z3cKPxPGz96SxxLNttGR8IJIe6qeuhaB6TrICiwoyZEjaSTcvOTqV+lAIoLSTy3zkEpRQrJR7KGUloVxXlyOMMSvmyLRaxjOidUikOrPW8a652fMPi+MAnAP6v7BaLz7lH58a1Z2Vjiu/XnkgKt0vqX6z/o1xeeizWRmT5WTbrxdCg7wAAIABJREFUGIZAUUQ8iwroswG79+VsRz2h1HDV1QqlFt8rzVt0btq09hUN5RLGZhPAaZ8udyQhkDfZ7Eaby2gI70FEbK+A1VII/mT+zeRMZfU7cQSBc/TUh7PUiRXlVTNQnjw2mjsjq4i2mUxq7iZ3ZGTmsVjrL/HzztmuqwARQha8xgTzhFT2r/b2plc2O5Zl2aPU7HP9lkvsDpbEzUIDnk81WFI/lEeUJQzJirKMnTa1c+6ZSFv+WFEdKMbF+HFPfJVIFSUUCOLRZNd1dQdvLTEq8cINpcKeKE+SQ86NPR0bbtCyu58OoglKX+ecn1fvaZiOhDlIoNwMkZFpawjc0C3IqY28LZnaGgxubOkXf1m3hpAalibLT0Ay/JUPENHTgBrqDd6UqhBKBbQCm6x/caYYD8qLj3uzs/nLGq+zrgJ1B/x4BI74tLyalCS08YQd/Y/kWJNGlQpedwUq3cfiiH9Jq937TK6CoEXv+3r0dd30punlI/h2NZyzmcDgAOxk+2BbaFWmkJeT1+E/8S428D9hYrDQ6193f/lWvtJRhEf0irILQDaez/RF3IwPIe7S5FvC4bRURfCZHJC3aCnRBDlHWr3OU7Bxt1JwiGZrozvZNd93rLpxTPW4OWlv7gGbhFr90yav4wKs75qWhqZ/5TpiYNT6tDn6CmOmz1GNv/weKuNTeWQPiHzaJ7HIkmZlLtsTBZnvrMbe84UQ7Aus/3N8CJ9xpn6ysSv0Xi69+pIhrJhXy6ehyEOrh0k3j3Xgv993BC9NVcjit9uASRpiRYspeQ9O529w34/i10tMMfyOL+DeZMEcyDar1m8/wsAk8mRLJ6xnGDga7IuHhWav4y2cWW7p6Fj9bDbsvrQimkmrNfrqh9oFtaVihHF7hcP2IMvVQqhVAHw0/jgVqDmWYuPLcTZSAMIiXMzvJYjsNNJ34ZtuEIDyt7oBr1mngugQeBRc/U7t3fTdsjnL1hZSONHZPsf2BoDTxlQrFAtNb876ZPhOhNjP+1KQJwIF4zCbHCnFsQhg1JBEcCTxCw9XU2PZvORlyV2z3m93ykwiz8SUeywpsDcH/viY6vE3WXyuB4MQejidgATZRFRn+jz6yg0KJCC1CUVuicMpRuBHMv26Zip0qEKdE7A3pUwEa6p3kJi1f6pyUfQMacDsZLm9Y0Hm1eEHDNCII2s2wu+Mx5H5SoVJFGjOh53o8WDnpn8Ol4iCwwl1fvtERUhkrHosEiT1HllaEF/1BoNz2hy+d1KVxAF3qgySxlkk7I//zZBHldeKlgb3p7Xu2gMMSsXf8aMjS7fl4Z1czuwoF99r8TlfwsfyvNrVvTibm2LbGmiPAyRxuGAwDweiGpbYQypjUFAJ0dM9r80V+DpV2YgOpJCnq9YszVTBO8OGJARagkQ95kBzleMifOxXMx0p3zSgNBKjGH4hlZYGrT4Xhb1ZrDLV09rqfVPrrLctgsJHlZZWmjiAA9kwFyS2G8slMyIIoVZ2U+cnHVdric0cdb+g3XtdGQZUIXK7mZgLRBX9P9Z7XItlSdyPP0ZNDqqR8Rc249HMcZpBJW+N1e9qxVErEAqxtq7POt7KR9DsQoVpsakSjCUzUKOsw4+WivIq+g2yrWMkwztMqKc025qWMVvqwmFvRq/jQabfvGXNpk/XeocdSfpAO+o4OswyVTtOxhGL9lLG5rA6WoE5HOs5XJYYq5hS1YWkeRNHsleQOG+IYPCNtT98+14+V8zyhRqvc1Q5V/dmTNqXCTEd54cZONOSvdNQ7PusE0xcv2bN13dofdbhGcRrvwff/lZ3bYLdT4PhsCUJITqr3DtryaynSgwjz8efjcxYMjFl0AoKUzoTlf+Z4Z6iyGxM9fheq9/5Efadd5E8H4IQnwiufhwKSR+3O5u+LqQl2IGYtmCaoapqh0kAfAoIdYpgfBf838jebo8KDjuTh0+4YNZSXOnGJnym93Ru7L1BTxq7yY/aSswTHJST8Yg06lyv9nT9md4Ma5L0IeqdeGXNItsd5eXyOTja0RJfVZ6boVCkDjzuEe5L5BHKJEYzD071GyOxgckoEGhTbzWtmgghVjOVf43KzppQqHddryyvfa3N82M29B8yMZd2GT1SCoYqFYVXgYBqclMQnI2HsOEo7IDt2IF8fpDgtAcV8aoAXkimAT8gOR4MqezWPt8OraC9mAkTwqk+UgSNSAChXhk1bN06SNKH6Chz+fSm6TeM5tsdj+rEGdGOO9Qo6yNQ5GNEqSXXauqa5M0gS0pYqEf9R6AoR7v2P+J0H94sxMK0YdgDEV9xFfAXFNSb8TK6A55TQIRj45JJB71GokgYCcqt8L4qw6/+BCggOvTHJ/gv3r1BwENRSw1dQH11ppFzWsVKLx+NYN5Aq/fOPn1nqyJJH6KmIXejwnaP2dNgwQ51UjS71nCI5k49tyL8gv4ntxz7rxxBbIHhC9IxXkRyPIwdtDGd2ZT0D1OV42KcvSlWdHorn4J93hvq/E1s/VslSfoQ1QNop95PiUxHjFDmcRBHYY+i5JxbbRapYQTsiGIpDmLPiO6uZ/rEGy0rVgNBm4TmajuFrc0kiMd3QmVzKftA7MmtmiSxiKYRo2XABym+sCSVH8qBUco1MvoeDjPM1gKcMUQLEmNhd3fvC5mGGZq6ZKpxvGHSRTJIFO0zk99xdW+w19Hm8L038ItthiSxiI4UYcKQaftIaYyVA7hQsbWj2JIj04ltGIJ9LIB5hVCXqBu6vNky/zH7HIcjQW7O2FRJsPdFqBtnkObP4n29TZIkFlH9ZVH0xWr99h1lAVZgvB71aloZIWVbf3rrbRco4oqPRNhZC1pDEPK32bJrRGr1OVCk4jdw4OYs3O6Frp4fjk8Wv22bJ8lAkNUxHp6IvsK7y7y0tAZ/+Bk409QgcfZhEXfd4a8qZwerkBVv4vNZgY/klc7O3lf07GXogcVvnwFMuoIBz0YCpk6migsDDs89qfawiiRJgaihozv6CoOIw4wle3MOe+K4uTuAwNkGKKuX1sAVwxFrkAjvCQHv4vDwHvard6C3+63NynaOQO4U9fUNcwH4uUiQNFT6uHipu6f39HA0eQ1raEWSpIEocZpZjPchgXI6yvLIXTlXpwDAJGAwUUScxXaCSDBuMm8p1BmI/Ndpw44U6c+R/F8Kpq5kID5SN/V8lG+r6HDOzdLK35pN9t/3i7aTGT4QqrgoNjqjFhRJkkVE5dpXo69BoJWYathxnMHAxzImjUG5fSzOQmMgkpZuNMrwlfi+XESyhFUAHUV4xaYEqUV7jbRszWNeaswrNGDzcSMwsVGEPRbFBuxo64A8FhlbDyrrEBy+D4XYt5Lo/uaLVfxrPRmQc4moSHVCRXkV5bVMlsJDDz5F0eqmDZ+u/Vs6hqlFkuQR0cAKn7NceiEOQ9BiiUHAUahrnIgEyWY8s1eRHH8OtAWfDaexbkjvJkWSFDEkiBLjlwyAYhjMxtkvWyuIFGr1uWAI7m+1N0YCdadJjj4USVJEXkA+HRSfDHW1uSj6HWigSCXZIwaJikvw9eyGzo6F2Y7gWSRJETmDudE8jikGMwfuMnsdc/DUDlm8Pe29NKGO9VLox41NuYxPUCRJEVmD2efYlQuoE8BqgYGJG0qyEbSDEIwEzxPLVQFLhRAtFPMgS/dOibyThAK1QU9Ic5Q+Awt1J1qLr/fbd5EYmxgKSe/r9TcoIn2Q6FTXZP+JRGF5OJsuGOwLjO2HM0b1YHN8XehGfWIl3o/ysH8EqniXgXh7w8Z1b2VbhNKDvJOkhPGHwci1pvRCyJSKOm5QY0lIJwKwS8mxyepzfY6/zstCsJdDKlv+1Ve9bxbKsubWhp89aykXAkaGQPwgqew9JMo39NzZFhP/8rCfixB9OkcQdREK3LAJQFBn39C3FK2C+FZV+eqent7/rTi4+ZtC9ODcesStSEaqSUiaXxFpJk5Qei1+19v4Y71O8W3x2b8pOje9VYytlTmiERKzHrW/UILoDcTWQ5LBUKLhTUkUYBIlBRpRplr9rs9xRKMgZu8Ipr6HI9uHQ7GjXMTwwdZMknig6X8yzjaT8Xho3wqkVFrKkDzfMsE+Ekx8grPSZygKfIry8GchAV9907vyq3xFWC+i8LCtkSQZxiI5xgKD2vCnMH8gHCdkvHES+Z1/R+E08RwFcPgWiUY+KZ/6re57hrLRReQeRZJoA0lsY/EQju0Fm0PrkHk4K5JkK0eRJBlAMMjbWn0RQ4ciSTKBYJ8MdROKyD2KJMkIanEm2QZQJEkGAPJTKGKrx7ZGkjd7g73HZutmq1axj7N1ryIKF9sUSchbT0s2pCKKiMU2RZIiikgHRZIUsU2BghFGY61pRpEkRWwzoKB2o6Wxz1o8LmezvXFQONNEKJIkh4gE6ZbswPiOzbbGvyQrS342pQJcgrO9UHnaDgC4oFhXqlixZm3w36lyk8cD+X0csNiyo6LIu0kcxolwVBZRAirbKECsJ9u0zk71w1wFk9MKSvhZVSVNwH95JyHUkRx4Kf7fIRXERgDxbXe3+sXyuc1fpWtGT7laKqZUns+AU0Y0BSR2Hz4bs9b7FUmSRVDo/9rRjhpJEnMYA8eokcoMFnnGal2TrbHN4Xt/4DWRjLDydaXAT6OwQbFpFMIHDmxMtfJDvcfV0GpvjBuqaGAbTNUOF157hNnrcLJIvK8t96O/fEvyhopyiVn9zg8pJ4cA9e8tDb7WXPt0mJeYt+OK8RDBwYmtqMH/7yd9zQOIuqBwMj+NtLHEKFEipPUWv+stYKJFDUFzcN2Gpe3z2jclqydMjsmVR1TsUnUFfoyN8Vxf73H8jkXiQadEkSQZAjvveM6ZE39Tl7naQamzq+P45nFZUk7A40WxJ80+x77YQZ7Ft7ukqKa0C8RHyQpEO8TJ2IYL8eNEff8F7IpN3hWYdJrZ43jf7HPd1NrR9Hg03V7WYPHbTVjH+dxYciCLJCDSg1FY3sTILVhilxuqK7qQ3OTo1aYK8RoXsDIUCvVIMh/JBPxUANRWTKmirAFxo2ri73VTXVPdiwPTLMRDkSQZwOp3/VOWwukbUv7eAOznLIYkFq/zMJzyn2KRQHTJIVhLsoxPJGujOPFIViIdAtsNx/K/IdnOQRKfGLA1vZ7pLSl3iMz4nUgQe8bt24ISbKwFjxYOEZ9hiUe7szYX4ipZLr8Nj8ekKlgkSSYQ4rMYk+BU+Cnl8Vtqa/oGyfVr4EAJL7U9fxD/jneadA6Tx3EpiihXa76XduyNusFSq9d5tr/BfX+6N0ER6VSZSZSgs+BywOAPdzS277Fma6M7WbkiSTKAECyAFDlXa3kjY3uZvU4D10MQqicEiwaeC+seHvv9WP+JWu+TBowol9yHYs3OgQbPlXp0lUjudPttqPuck8P2ZQwQ7K7aBbV7JdNviiTJACEBK/Q8QMG4HfUXygys57IPmu2Ng/QRczXlJodcEiQGcDnqKkSQK7VegTPcjXgoaIKEAWyKUlV2HL67L1GRIkkyAIUxQtFpDYtEi08JHPUvYDoj7ohocqFY4Mh+Cd7mZD33yRjArkDR639aRC/Ut45CcfLCfDQrc4gHWlpDDyXL01gkSeagUV4TSVgaIalQwulHEpPXWSdxuFbvfbICDnegMv9qMmU+vLxrLLkrn81KE9/g61y/1f00syYvuK2RpKTWbUs7quBGWPv1QJMGHOlXYs+fmXnT4mJdW1uwrS/gczSJJmWYTed368LWvoE8/R4bXYV03Y/pV6aNqMw/he3YO1FgDG40Xsq0DxoDsQaf53/xef6ARwNElrJpxS6deHe0GjiC9U/l14n/+8sC2IL1wW8f12qesk2RhEIMGRQl6X5DMhhYNQXV+1e/k4J9lcO0PEvCKQOiQILMTyOJJiqk4rqu7h/vis0LWP9i/QhpRNnvsOm0Cz1Sx/2mjjNMOh+P1w/8osbrHFXB4RSd7aNnGFBVdlVre1PrwPzts5bYdjIalNNQVJ3Pwmsfmu/56sovew/ecUelShLdRhESG1rntn6fzkbpNkWSnADEdxkmrwpHRBdMtAshVnOAUvyBp1NKAiHUzaIWZdEqMY68QOe9NwgWcjVbPUsHfhEN0nc7ik9unB18TEcqO+ywF8/0Oe592da0JvZ8OYh5+G3qfZ9YCPHnQKvn/DA54uyiRFNYX1bvCe9JNeL7Km2NZA0TdpaOarY1Prr5XJrB74okyRAUqjPNBAI0oj3ULdTLae9k4JfTm6ZfIHfLm0e9EuOI/2P6Mz+dHo8gsUD94l3Uc45BPadJx30rShicySKz0GYAcJfO9vkDds98LaM7meRY/K4TcDjSnMoN23MVX8CfyNRyoEiSTMEhnbCpm4Qqjm1ucP8jUYFYeTmy5+A4VWcdrwYamp7QMnq2NLg9Vp+zkVEue40AgFOxA/5hQAfUp5sJmj+0iz/N1sYXrT7XcpwlDtB4yU9M1Q7S6JJuFqZCkSQZAn/hTp3CVjd2q0MCdrdX6wX1bgflk5+sqxZVPKCnAwrBHkAxSs9MsIO5qoEWTsMzEPlpjJbH7qTj+u8Cdm+bbhEIBA4soJUkyCdBdmJFkgwlsB/2hOMMawT22jsD9kbNBCFwKSzr62pXdzCoq2OsV79bMpqP7WG0PqERgvHDWZQk5XL1GKavke+ko0QLBm/p22iC6XrrGIgiSTJHMHWRGAimyysuAnDovGBlOEe5DpB4h6LMGzpEGRS5hKXvvSSgXA9FhBBpBSgHFa/TMShhm/TMbnFRJEmG4JyWLKWc3Z+MIo3A99B1kRBpBbugFBXY/TSTBHvg7qbFpspoRH5dgwXoWc6NASpARp1PW99qWxwUSVLgUATss9lDSiuAaXZNHYAPdZYHMJQSgdtZT89aZtSxNwkwSWddYXAQu+gUPZM6ZmlBkSQFDg6wdxqXfZFWZUL8j2m2/I+Cs93xb3vr8tY1ZpODslhpHbl3P2CxbYflc32r9VUITl3FBfta3/0HY1sjySeoKt6Y7sVC8Ley2RhNADFFr9KuChE3x2TK6xj7Rq/gyKPuwbSYa/G73sGWztB6aWmJchYeL9NaF5kUGRTll7oaCOxtXeXjYJsiCcrc3wRsjZr8mgsHoF/xVHlaJJEi9k66IPrt1As/tlcrSWjSOt/scfm0rPbVumurFKXiGaZTlxGq8OgpHw/bFEmGKcbpvUBl6aygMdYTCv5o4Iqua7CjV26uNxh6TpLli5KVHwADl9hii8/5R7Wr6454KfnId798cuUvDHIFSQCTdDWOsbWdm9a+pPOaQSiSpNAhwtlsdYFztSedqiRJ1n2dEGLzyN7i8L5m9bnasb21Om5hAICrpdLSS61+1+t4v3eReD8IwUbicULFlCqamfQYYMY0jt2bjdTWRZIUOkCU6tVJKGpIOlUJAfr2fNjgpVw1FJzPZbmd6V8Xp03MmUiYsGmL3vWDOPh6gxA3ZXwXViTJMADk7TeS1G6JSTq3LwD67ZoHHN7lKD5dR7NDFpumF2pIFScmizCjB0WSFD669F4gSZJm05JY9DJu1H2hEIOcr1rsnmvNHns1EuisdNqRKZC181sa3Euydb8iSQodgm3SrZOkuZstMdB9nQAYROKoTdbZVq/zfcbhZpaFXW+NCGGLzm22uv+azZsWSVLoALJx0qmTCP2dPVyVzHVfByyxDZa/wX23yetcJHEgv5Oj8aVv6UwfvhQs9Ntmq8eX7RsXSVLwgK90XwFCr3NW9Do+Ru81qOwn3TFHsYd2/0+Y7XNcbAQ4Dmu5BD9XJrtGJ9bjbHvH9x29f0onqLgWFElS8BD/0zuTgA5X3P5VqeMY6HOzBGCrUpWx+O2zDYyfgaUPZuku5/YHrcItQ5nuqe7uH56K9d3PBYokKXCoAv6rxzKcAABj06uN76D7EqEOipTfByTHDBDSbQBSrU6eEwleEELQUraM/89GrGidYLAShcn/dKr8tWytXGlBkSQFDi7EW3o3DVAESs+HAthPdF4huno2/DfeFxa/83Jg0tV4T337JUIs7A0FL46XpmKoUCRJgWNV78r/jDdO0mNdS4P21HTqAsH21DnifxhP1KEIk8DgOp3V031O8tvcz+m8LucokqTAQUHgrD5nq54gDdjR9+HXcD4whlUyhAPfGSftp6txQgxaSarz2ycqTLomXvGkt2LsiFTR3YcKRZIMA6As/hIO8HqCNIwy19nJD+UNrReMM04yM50RHYUIx8HqB1lIxyBJ9S71bmxZ06TL7z+fGAYkgZymJhsO2NTV+0xZqXIL05OugYeTC2kmCeI3OpvVsWbt14MsbFF92l/nfQhl5mq7B/WYRhBiI4vYkPV7qSB6APhGEWKdIdG7prubrc5XrsfCJ4lIN+7e1gPy3rP4XW6cTeZqvQZ1glNqFtX8SYsVrMVt2RkU41F62oQj19Nvz3t7kCElnq9KzzYRLHidhUH8NFV9+RNBovcKU+RwpjFa4XoPa21TQ7Cktb3Jr0fE1Iq8kwSYkPSs+wtgWc3bN1wBQr2FAddMEsS4ivLKOznnv0sWuod0F7PJcTfTJ2oF8Za3JfhOt61ZBhjFwgHxYCaX2Pn4f3xp9TluWdXzxX2JAnqng/zPJAC6lgSRVNv8TELw25r8Vr9zGT6RWdqvghNMHrtx34W2M14/zLdu4LfTFkwzmCIEOVhnc55oaXB/GrdGJj7U7YeePeyMA8lfxhsnnWpqajiW/FuycdOhELd0rpsXZ5I+oOR5DjAJiaI9+jAA/GbUSGUOimuP40cfqOJrVcBILokZY6rHU5rmVJl/B2Jdt1AvTthGlXmAszN13jPb2F2S5TYUx47zWxszXlLOO0lw3pd0yqy6HYG2VjRbPa9Yfc77sOefpvNS0hN+z+gVzo9OSE9zEEI9P16A7z50frp2ccUuVZ/j7SelVUH2QOLj02afQwRsTQsyudFQzCT6lhnT9NfeWtHT0TnfUF1Rh2+n5btu/C2ebLY1PZSszIqTV/TWe1y/liVGARjK89S0RJA48MesXucH/gZ32lFThkJxH61zFMuJZedwBWWJrffbfy4zqQ0/6re1ShtixZo1QU2R7VvtjS+b3A21KPLcpdPfPRcoFRwe5NfwWemufA3BTAL6zLghrdQGWzVarZ5PcLQ+MDpap5t6TQ/+q3Z3H/T2vIDmAavF6aUYZXWzG22TDAblYBwWaTefgldTpq68zjAUC8xUZ/85vk2Y6iIZ8kqSaJ4NbZmK+pCFCHxbI3C0ftPicc1CJXlxGiniNANFrBZ106bD44X70YJo4O47Y89R1i7ZWD5OiizhVqBUVMFUUQq0qMNBwvcKjv4GEGoZDpLbYTffkUXESwqpmpZrMnA4gw0Hkhyw2EL/rE6dRF2Zo+YMe1B+9xqvc/8KgNvx42+zfHsUTcSfOj9eeyXpGdm8cdQoUrcPSDglnjLiYCTSeSwyM+mBaabPUT0whZ0W5JUkBoO0j95ruIC4pthFRBD1qzjB7HE9waVwCNd0zEL6AWcPXyjELmq1u19Nlb45n4iS6ym+gD9jrrY/QPtAOi6nODC0x7QoZckByCtJgHG9eTY2BNZ63k14PyFW4k3btNcPaaUkSAY1KNZLstDcBuyC6QWzTgEKFYri7AyT12YFJp2Epw5i+rwAyQ7qBcFCD9BSs976UUfaR5JYnZayoIp2f4Nbj11ZP1AKutoFtWcYqsudUVFMEzgLp7AoXJJMftRWMnGCoss+CNGWLCkkPuj78XB/Zi3LDNFd3fqhbEMfouYnZL7u49fYZHO9VCOA74dTA0V+3wlHiQoQzIjHH4UQPwCwL1Co+iikhl5rW+p/IxO7J1liZKaiad4JZeF50Sqfxed6Ev+HC7Vegw9HM6FikTeSTJwg0waYLt9r/Kf+naPmbPWI5n9fFn2lht45PgYk65cCN2stv4llHumdgAR5U98VoiKdevJCEloGNBoUvY443aK765mcNKiIrMJAeQlBu6nMa23BTtaQeb1CFSroSg2XnttFzkkS9Xh7Gt+O0HMdigNPBuYE0kohUER+wUFsr2eDeEa9REu/uleZBgIAdK1wARNp7bnllCRkhm2qtz/M9Ob3JnPrUM8fctGmIrIP7Ky6IjSWCCAFf2EmdU5bYKsYU60cp+caIeB/6dSVM5JE/BTs9+Ij1OvxRm6hf2p2NH+Wi3YVkQuAPtMhDhfyBXxRskWZVBhTLd/BdOq4KkWeSQM5IUnNopoyc739MXx4+lJ3RfDamo5V12e9UUXkDqr4WE/aaCw521Rlv3/agmmnxfNuTIbIKikRRNceCaFr7drgyzqvCSPrJKn326dWlFeiDpJWkvnvRLD7CL0ProihxYZP175ZMaWKZhPNq0coop04pnrcTKvfdeP3a3r/mSpEKSUhLSuVfz5xgjKf6feBIfHk3+mGQc06SSQmkadbOgT5UQ0GDwkUxaxhBzJbwc7+T3x7rL4rgTb3HkPdosfid72PM8wHKGqTjVgXADMIIch2ayc8P6WsVNmZpesEwyiIOLs93WuzTpIeof7GCJzW5vVEA1wfUsXBLQ7v8my3p4j8INQbvFVS5GNYeh3ZgBfthce9YoNVQhbSXRGQeC+2NLh1WEX0R9ZJQl5rZp/jYA58KYtYeSaHYJ+rTD2spaHpP9luSxH5A5nGW3yuB7BfnzLUbRmAjl4InZ7JDXKiuAdsTe+aPa5fcolRXKZkgcr+tWFj74n5ip9URG6xpqN3PopO5GT1s6FuSxS9KKEc1d7g0Z2+IhY5WwImgzuzz3U6B/ZAnK87VEFWpk0PJQt3U8TwAinGFrflQFCMAaZP3M4FelShHo0SSmHncQ/YGh+0+J1TgEFfbu8elK/u7untvK7d2d5RDDu39aHZ2fxlrd9eb2ASbRbq9fnIFr4VLPTrgC07Wa9ybpbS0uK51GyyjxUCvuvu6f3rsjm+tHY9ixg+aLd6vpq6ZGrtOOPEa3CAPJdBy7cAAAAAtklEQVSl6U2YBkgqeULt7pqfTZOmnJMkan59Yq7rKaKwEI2geHG93/6AJKTzUKH/LctdglHynHwBxasbUR9+Pds3L/xYwEUMa1DQCjycYVpsuhxKSg9DHZUCeZNZfaZ5E38QgjWDEI3dIP6RLBZYpiiSpIi8IBpI4hF6UUCQek/D7sDYdGB8FwFsMp7fDgSrZkCRVISBcgGj8NSDn7tQhurAsqsEE1+ByshT9e1AW/DtqM9MzvH/uFCgxBI9EGYAAAAASUVORK5CYII= + mediatype: image/png + maintainers: + - name: JFrog, Ltd + email: integrations@jfrog.com + install: + spec: + deployments: + - name: xray-operator + spec: + replicas: 1 + selector: + matchLabels: + name: xray-operator + strategy: {} + template: + metadata: + labels: + name: xray-operator + spec: + containers: + - env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.annotations['olm.targetNamespaces'] + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: xray-operator + - name: RELATED_IMAGE_XRAY_SERVER_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-server:3.3.0 + - name: RELATED_IMAGE_XRAY_ANALYSIS_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-analysis:3.3.0 + - name: RELATED_IMAGE_XRAY_PERSIST_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-persist:3.3.0 + - name: RELATED_IMAGE_XRAY_INDEXER_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-indexer:3.3.0 + - name: RELATED_IMAGE_XRAY_ROUTER_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-router:1.2.1 + - name: RELATED_IMAGE_XRAY_RABBITMQ_IMAGE_REPOSITORY + value: registry.connect.redhat.com/jfrog/xray-rabbitmq:3.8.0 + image: registry.connect.redhat.com/jfrog/xray-operator:3.3.0 + imagePullPolicy: Always + name: xray-operator + resources: {} + serviceAccountName: xray-operator + permissions: + - rules: + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resourceNames: + - xray-operator + resources: + - '*' + verbs: + - '*' + - apiGroups: + - "" + resources: + - events + verbs: + - create + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - xray-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - apiGroups: + - charts.helm.k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - networking.k8s.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - policy + resources: + - '*' + verbs: + - '*' + - apiGroups: + - rbac.authorization.k8s.io + resources: + - '*' + verbs: + - '*' + serviceAccountName: xray-operator + strategy: deployment + installModes: + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - "DevOps" + - "CI/CD" + - "Developers" + - "Software" + - "Productivity" + - "Artifact Repository" + - "Repository Manager" + - "Docker" + - "Maven" + - "Git" + - "Helm" + - "npm" + - "go" + - "golang" + - "kubernetes" + - "k8s" + - "rpm" + - "yum" + maturity: alpha + version: 1.0.0 diff --git a/Openshift4/xray-operator/deploy/olm-catalog/xray-operator/xray-operator.package.yaml b/Openshift4/xray-operator/deploy/olm-catalog/xray-operator/xray-operator.package.yaml new file mode 100644 index 0000000..00ecf78 --- /dev/null +++ b/Openshift4/xray-operator/deploy/olm-catalog/xray-operator/xray-operator.package.yaml @@ -0,0 +1,5 @@ +channels: +- currentCSV: xray-operator.v1.0.0 + name: alpha +defaultChannel: alpha +packageName: xray-operator diff --git a/Openshift4/xray-operator/deploy/operator.yaml b/Openshift4/xray-operator/deploy/operator.yaml new file mode 100644 index 0000000..c23a7ee --- /dev/null +++ b/Openshift4/xray-operator/deploy/operator.yaml @@ -0,0 +1,42 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: xray-operator +spec: + replicas: 1 + selector: + matchLabels: + name: xray-operator + template: + metadata: + labels: + name: xray-operator + spec: + serviceAccountName: xray-operator + containers: + - name: xray-operator + image: registry.connect.redhat.com/jfrog/xray-operator + imagePullPolicy: Always + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "xray-operator" + - name: RELATED_IMAGE_XRAY_SERVER_IMAGE_REPOSITORY + value: "registry.connect.redhat.com/jfrog/xray-server" + - name: RELATED_IMAGE_XRAY_ANALYSIS_IMAGE_REPOSITORY + value: "registry.connect.redhat.com/jfrog/xray-analysis" + - name: RELATED_IMAGE_XRAY_PERSIST_IMAGE_REPOSITORY + value: "registry.connect.redhat.com/jfrog/xray-persist" + - name: RELATED_IMAGE_XRAY_INDEXER_IMAGE_REPOSITORY + value: "registry.connect.redhat.com/jfrog/xray-indexer" + - name: RELATED_IMAGE_XRAY_ROUTER_IMAGE_REPOSITORY + value: "registry.connect.redhat.com/jfrog/xray-router" + - name: RELATED_IMAGE_XRAY_RABBITMQ_IMAGE_REPOSITORY + value: "registry.connect.redhat.com/jfrog/xray-rabbitmq" \ No newline at end of file diff --git a/Openshift4/xray-operator/deploy/role.yaml b/Openshift4/xray-operator/deploy/role.yaml new file mode 100644 index 0000000..e38561a --- /dev/null +++ b/Openshift4/xray-operator/deploy/role.yaml @@ -0,0 +1,119 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: xray-operator +rules: + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resourceNames: + - xray-operator + resources: + - '*' + verbs: + - '*' + - apiGroups: + - "" + resources: + - events + verbs: + - create + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - xray-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - apiGroups: + - charts.helm.k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - networking.k8s.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - policy + resources: + - '*' + verbs: + - '*' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - '*' + verbs: + - '*' diff --git a/Openshift4/xray-operator/deploy/role_binding.yaml b/Openshift4/xray-operator/deploy/role_binding.yaml new file mode 100644 index 0000000..55b2172 --- /dev/null +++ b/Openshift4/xray-operator/deploy/role_binding.yaml @@ -0,0 +1,11 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: xray-operator +subjects: +- kind: ServiceAccount + name: xray-operator +roleRef: + kind: Role + name: xray-operator + apiGroup: rbac.authorization.k8s.io diff --git a/Openshift4/xray-operator/deploy/service_account.yaml b/Openshift4/xray-operator/deploy/service_account.yaml new file mode 100644 index 0000000..dc86cfc --- /dev/null +++ b/Openshift4/xray-operator/deploy/service_account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: xray-operator diff --git a/Openshift4/xray-operator/deploy/subscription.yaml b/Openshift4/xray-operator/deploy/subscription.yaml new file mode 100644 index 0000000..c9c7e8f --- /dev/null +++ b/Openshift4/xray-operator/deploy/subscription.yaml @@ -0,0 +1,10 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: xray-operator + namespace: jfrog-artifactory +spec: + channel: alpha + name: xray-operator + source: xray-operator-csc + sourceNamespace: openshift-operators diff --git a/Openshift4/xray-operator/helm-charts/openshift-xray/CHANGELOG.md b/Openshift4/xray-operator/helm-charts/openshift-xray/CHANGELOG.md new file mode 100644 index 0000000..c907895 --- /dev/null +++ b/Openshift4/xray-operator/helm-charts/openshift-xray/CHANGELOG.md @@ -0,0 +1,17 @@ +# JFrog Openshift Artifactory-Xray Chart Changelog +All changes to this chart will be documented in this file. + +## [2.4.0] - April 14, 2020 +* Updating to latest jfrog/artifactory-ha helm chart version 2.4.0 adding new requirements.yaml entry for xray helm charts to combine together into one umbrella chart + +## [2.3.0] - April 13, 2020 +* Updating to latest jfrog/artifactory-ha helm chart version 2.3.0 + +## [2.2.9] - April 11, 2020 +* Fixed issues with master key + +## [2.1.9] - March 17, 2020 +* Updated Artifactory version to 7.3.2 + +## [2.0.35] - March 09, 2020 +* Updated Artifactory version to 7.2.1 diff --git a/Openshift4/xray-operator/helm-charts/openshift-xray/Chart.yaml b/Openshift4/xray-operator/helm-charts/openshift-xray/Chart.yaml new file mode 100644 index 0000000..6337c50 --- /dev/null +++ b/Openshift4/xray-operator/helm-charts/openshift-xray/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +appVersion: 3.3.0 +description: Universal component scan for security and license inventory and impact + analysis +keywords: +- xray +- jfrog +maintainers: +- email: vinaya@jfrog.com + name: Vinay Aggarwal +- email: johnp@jfrog.com + name: John Peterson +name: openshift-xray +sources: +- https://bintray.com/jfrog/product/xray/view +- https://github.com/jfrog/charts +version: 3.3.1 diff --git a/Openshift4/xray-operator/helm-charts/openshift-xray/LICENSE b/Openshift4/xray-operator/helm-charts/openshift-xray/LICENSE new file mode 100644 index 0000000..8dada3e --- /dev/null +++ b/Openshift4/xray-operator/helm-charts/openshift-xray/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Openshift4/xray-operator/helm-charts/openshift-xray/helminstall.sh b/Openshift4/xray-operator/helm-charts/openshift-xray/helminstall.sh new file mode 100644 index 0000000..2260da1 --- /dev/null +++ b/Openshift4/xray-operator/helm-charts/openshift-xray/helminstall.sh @@ -0,0 +1,71 @@ +#!/usr/bin/env bash + +# PreReq'd: +# helm install postgres bitnami/postgresql +# follow artifactory postgresql db setup: +# https://www.jfrog.com/confluence/display/JFROG/PostgreSQL +POSTGRES=$(helm ls | grep postgres | wc -l) +ARTIFACTORY=$(helm ls | grep artifactory | wc -l) +if [[ "$POSTGRES" =~ (0) ]] +then + echo "External DB is required to run Jfrog Openshift Xray Helm chart" + echo "" + echo "Postgresql helm chart must be installed prior to installing this helm installer script." + echo "" + echo "helm install postgres bitnami/postgresql" + echo "" + echo "follow artifactory postgresql db setup:" + echo "https://www.jfrog.com/confluence/display/JFROG/PostgreSQL" + exit 1 +elif [[ "$ARTIFACTORY" =~ (0) ]] +then + echo "Artifactory Instance is required to run Jfrog Openshift Xray Helm chart" + echo "" + echo "Please use helm to first install Artifactory: openshift-artifactory-ha" + echo "" + echo "Then install Openshift xray helm chart once artifactory is ready." + echo "" + exit 1 +else + echo "Installing Openshift Xray Helm" +fi + +DBURL="" +if [[ -z "$1" ]] +then + DBURL="postgres://postgres-postgresql:5432/xraydb?sslmode=disable" +else + DBURL=$1 +fi + +DBUSER="" +if [[ -z "$2" ]] +then + DBUSER="artifactory" +else + DBUSER=$2 +fi + +DBPASS="" +if [[ -z "$3" ]] +then + DBPASS="password" +else + DBPASS=$3 +fi + +JFROGURL="" +if [[ -z "$4" ]] +then + JFROGURL="http://openshiftartifactoryha-nginx" +else + JFROGURL=$4 +fi + + +# install via helm with default postgresql configuration +helm install xray . \ + --set xray.database.url=$DBURL \ + --set xray.database.user=$DBUSER \ + --set xray.database.password=$DBPASS \ + --set xray.xray.jfrogUrl=$JFROGURL diff --git a/Openshift4/xray-operator/helm-charts/openshift-xray/rabbitmq.yaml b/Openshift4/xray-operator/helm-charts/openshift-xray/rabbitmq.yaml new file mode 100644 index 0000000..521df8e --- /dev/null +++ b/Openshift4/xray-operator/helm-charts/openshift-xray/rabbitmq.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: rabbitmq + name: rabbitmq + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: rabbitmq + template: + metadata: + labels: + app: rabbitmq + spec: + containers: + - image: quay.io/jfrog/xray-rabbitmq-rh:3.8.0 + imagePullPolicy: "Always" + name: xray-rabbitmq + ports: + - containerPort: 4369 + - containerPort: 5672 + - containerPort: 25672 diff --git a/Openshift4/xray-operator/helm-charts/openshift-xray/rabbitmqservice.yaml b/Openshift4/xray-operator/helm-charts/openshift-xray/rabbitmqservice.yaml new file mode 100644 index 0000000..a8f108a --- /dev/null +++ b/Openshift4/xray-operator/helm-charts/openshift-xray/rabbitmqservice.yaml @@ -0,0 +1,26 @@ +kind: Service +apiVersion: v1 +metadata: + name: rabbitmq-lb + labels: + app: rabbitmq +spec: + selector: + app: rabbitmq + ports: + - name: port1 + protocol: TCP + port: 4369 + targetPort: 4369 + - name: port3 + protocol: TCP + port: 5672 + targetPort: 5672 + - name: port4 + protocol: TCP + port: 25672 + targetPort: 25672 + type: ClusterIP + + + diff --git a/Openshift4/xray-operator/helm-charts/openshift-xray/requirements.lock b/Openshift4/xray-operator/helm-charts/openshift-xray/requirements.lock new file mode 100644 index 0000000..80b1b54 --- /dev/null +++ b/Openshift4/xray-operator/helm-charts/openshift-xray/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: xray + repository: https://charts.jfrog.io/ + version: 3.3.1 +digest: sha256:22010f573f0dfaf95a05835e6b712ef74438aa7c5f39674cd8fd27390bc99d7e +generated: "2020-05-21T13:54:18.60088-07:00" diff --git a/Openshift4/xray-operator/helm-charts/openshift-xray/requirements.yaml b/Openshift4/xray-operator/helm-charts/openshift-xray/requirements.yaml new file mode 100644 index 0000000..34dd60c --- /dev/null +++ b/Openshift4/xray-operator/helm-charts/openshift-xray/requirements.yaml @@ -0,0 +1,4 @@ +dependencies: + - name: xray + version: 3.3.1 + repository: https://charts.jfrog.io/ diff --git a/Openshift4/xray-operator/helm-charts/openshift-xray/values.yaml b/Openshift4/xray-operator/helm-charts/openshift-xray/values.yaml new file mode 100644 index 0000000..6542caf --- /dev/null +++ b/Openshift4/xray-operator/helm-charts/openshift-xray/values.yaml @@ -0,0 +1,63 @@ +xray: + analysis: + image: + repository: registry.connect.redhat.com/jfrog/xray-analysis + version: 3.3.0 + name: xray-analysis + podManagementPolicy: Parallel + preStartCommand: null + updateStrategy: RollingUpdate + database: + password: OVERRIDE + url: OVERRIDE + user: OVERRIDE + global: + postgresqlTlsSecret: null + indexer: + image: + repository: registry.connect.redhat.com/jfrog/xray-indexer + version: 3.3.0 + name: xray-indexer + podManagementPolicy: Parallel + updateStrategy: RollingUpdate + persist: + image: + repository: registry.connect.redhat.com/jfrog/xray-persist + version: 3.3.0 + name: xray-persist + persistence: + size: 10Gi + podManagementPolicy: Parallel + preStartCommand: null + updateStrategy: RollingUpdate + postgresql: + enabled: false + rabbitmq-ha: + enabled: true + image: + repository: registry.connect.redhat.com/jfrog/xray-rabbitmq + tag: 3.8.0 + rabbitmqEpmdPort: 4369 + rabbitmqManagerPort: 15672 + rabbitmqNodePort: 5672 + replicaCount: 1 + replicaCount: 1 + router: + image: + imagePullPolicy: IfNotPresent + repository: registry.connect.redhat.com/jfrog/xray-router + version: 1.2.1 + name: router + server: + image: + repository: registry.connect.redhat.com/jfrog/xray-server + version: 3.3.0 + name: xray-server + podManagementPolicy: Parallel + replicaCount: 1 + updateStrategy: RollingUpdate + xray: + consoleLog: false + jfrogUrl: OVERRIDE + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF diff --git a/Openshift4/xray-operator/licenses/LICENSE b/Openshift4/xray-operator/licenses/LICENSE new file mode 100755 index 0000000..d645695 --- /dev/null +++ b/Openshift4/xray-operator/licenses/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Openshift4/xray-operator/watches.yaml b/Openshift4/xray-operator/watches.yaml new file mode 100644 index 0000000..3fc15af --- /dev/null +++ b/Openshift4/xray-operator/watches.yaml @@ -0,0 +1,5 @@ +--- +- version: v1alpha1 + group: charts.helm.k8s.io + kind: OpenshiftXray + chart: helm-charts/openshift-xray