From 706ba509e5df0fd23d1e83d17018dc851c6eee67 Mon Sep 17 00:00:00 2001 From: isindir Date: Wed, 26 May 2021 08:18:38 +0100 Subject: [PATCH] fix: set uid,gid,fsownerid to high value and fix securityContext issue (#73) * fix: set uid,gid,fsownerid to high value and fix securityContext issue * set security context to true kubeval envocation
---
 chart/helm3/sops-secrets-operator/Chart.yaml | 2 +- chart/helm3/sops-secrets-operator/Makefile | 2 +- chart/helm3/sops-secrets-operator/README.md | 7 +- .../templates/operator.yaml | 1 - .../tests/operator_test.yaml | 2 +- chart/helm3/sops-secrets-operator/values.yaml | 8 +- docs/index.yaml | 106 +++++++++++------- docs/sops-secrets-operator-0.8.3.tgz | Bin 0 -> 10375 bytes 8 files changed, 72 insertions(+), 56 deletions(-) create mode 100644 docs/sops-secrets-operator-0.8.3.tgz
diff --git a/chart/helm3/sops-secrets-operator/Chart.yaml b/chart/helm3/sops-secrets-operator/Chart.yaml
index fc85f79c..530a50a2 100644
--- a/chart/helm3/sops-secrets-operator/Chart.yaml
+++ b/chart/helm3/sops-secrets-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-version: 0.8.2
+version: 0.8.3
 appVersion: 0.2.1
 type: application
 description: Helm chart deploys sops-secrets-operator
diff --git a/chart/helm3/sops-secrets-operator/Makefile b/chart/helm3/sops-secrets-operator/Makefile
index c34ee355..e49c55e4 100644
--- a/chart/helm3/sops-secrets-operator/Makefile
+++ b/chart/helm3/sops-secrets-operator/Makefile
@@ -38,5 +38,5 @@ lint: ## runs helm chart linting
 @echo '--------------------'
 validate: ## validates rendered chart templates using 'kubeval'
- helm template . | kubeval --ignore-missing-schemas --force-color -
+ helm template . --set securityContextenabled=true | kubeval --ignore-missing-schemas --force-color -
 @echo '--------------------'
diff --git a/chart/helm3/sops-secrets-operator/README.md b/chart/helm3/sops-secrets-operator/README.md
index 6309f4ad..1775dd00 100644
--- a/chart/helm3/sops-secrets-operator/README.md
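Review bot: The `--set` key added to the `validate` recipe in the Makefile hunk is spelled `securityContextenabled`, without the dot, so Helm sets an unused top-level value and `securityContext.enabled` keeps its default of `false`. The securityContext block in templates/operator.yaml is then still not rendered, and kubeval never sees the fields this commit corrects. The line should read `helm template . --set securityContext.enabled=true | kubeval --ignore-missing-schemas --force-color -`. Even then kubeval probably accepts a misplaced field unless it is run with `--strict`, so adding that flag is worth checking.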
+++ b/chart/helm3/sops-secrets-operator/README.md
@@ -147,11 +147,10 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | resources | object | `{}` | Operator container resources |
 | secretsAsEnvVars | list | `[]` | configure custom secrets to be used as environment variables at runtime, see values.yaml |
 | secretsAsFiles | list | `[]` | configure custom secrets to be mounted at runtime, see values.yaml |
-| securityContext.allowPrivilegeEscalation | bool | `false` | allow Privilege escalation |
 | securityContext.enabled | bool | `false` | Enable securityContext |
-| securityContext.fsGroup | int | `1000` | fs group |
-| securityContext.runAsGroup | int | `3000` | GID to run as |
-| securityContext.runAsUser | int | `1000` | UID to run as |
+| securityContext.fsGroup | int | `13001` | fs group |
+| securityContext.runAsGroup | int | `13001` | GID to run as |
+| securityContext.runAsUser | int | `13001` | UID to run as |
 | serviceAccount.annotations | object | `{}` | Annotations to be added to the service account |
 | tolerations | list | `[]` | Tolerations to be applied to operator pod |
diff --git a/chart/helm3/sops-secrets-operator/templates/operator.yaml b/chart/helm3/sops-secrets-operator/templates/operator.yaml
index e828a12d..c6a1d4a8 100644
--- a/chart/helm3/sops-secrets-operator/templates/operator.yaml
+++ b/chart/helm3/sops-secrets-operator/templates/operator.yaml
@@ -175,7 +175,6 @@ spec:
 runAsUser: {{ .Values.securityContext.runAsUser }}
 runAsGroup: {{ .Values.securityContext.runAsGroup }}
 fsGroup: {{ .Values.securityContext.fsGroup }}
- allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
 {{- end }}
 {{- with .Values.affinity }}
 affinity:
diff --git a/chart/helm3/sops-secrets-operator/tests/operator_test.yaml b/chart/helm3/sops-secrets-operator/tests/operator_test.yaml
index d72a3761..7e7ef727 100644
--- a/chart/helm3/sops-secrets-operator/tests/operator_test.yaml
+++ b/chart/helm3/sops-secrets-operator/tests/operator_test.yaml
@@ -31,7 +31,7 @@ tests:
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: sops-secrets-operator
 app.kubernetes.io/version: 0.2.1
- helm.sh/chart: sops-secrets-operator-0.8.2
+ helm.sh/chart: sops-secrets-operator-0.8.3
 # template metadata and spec selector
 - it: should correctly render template metadata and spec selector
diff --git a/chart/helm3/sops-secrets-operator/values.yaml b/chart/helm3/sops-secrets-operator/values.yaml
index d7fc8485..db629a23 100644
--- a/chart/helm3/sops-secrets-operator/values.yaml
+++ b/chart/helm3/sops-secrets-operator/values.yaml
@@ -137,13 +137,11 @@ securityContext:
 # -- Enable securityContext
 enabled: false
 # -- UID to run as
- runAsUser: 1000
+ runAsUser: 13001
 # -- GID to run as
- runAsGroup: 3000
+ runAsGroup: 13001
 # -- fs group
- fsGroup: 1000
- # -- allow Privilege escalation
- allowPrivilegeEscalation: false
+ fsGroup: 13001
 # -- Tolerations to be applied to operator pod
 tolerations: []
diff --git a/docs/index.yaml b/docs/index.yaml
index 47f3de2b..e687284c 100644
--- a/docs/index.yaml
+++ b/docs/index.yaml
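Review bot: The values.yaml hunk drops `allowPrivilegeEscalation` altogether, so the chart no longer offers any way to set it, although the field is valid on a container's `securityContext` and was only a problem because templates/operator.yaml rendered it at pod level. Keeping the value with its `false` default and rendering it under the operator container, as `allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}` inside that container's `securityContext:`, would preserve the hardening; the container spec is outside the visible hunks, so confirm it does not already set one. The high UID/GID also only takes effect when `securityContext.enabled` is switched on, since the default stays `false`, and nothing in this hunk sets `runAsNonRoot: true` alongside `runAsUser`.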
@@ -3,7 +3,27 @@ entries: sops-secrets-operator: - apiVersion: v2 appVersion: 0.2.1 - created: "2021-05-16T14:57:05.986039+01:00" + created: "2021-05-26T07:10:50.660901+01:00" + description: Helm chart deploys sops-secrets-operator + digest: 4a1a3299532a4ec61acb61db45d763385bc3c2bd50c9c1707e3ba258498b5ee5 + keywords: + - gitops + - sops + - kms + - encryption + maintainers: + - email: isindir@users.sf.net + name: isindir + name: sops-secrets-operator + sources: + - https://github.com/isindir/sops-secrets-operator.git + type: application + urls: + - https://isindir.github.io/sops-secrets-operator/sops-secrets-operator-0.8.3.tgz + version: 0.8.3 + - apiVersion: v2 + appVersion: 0.2.1 + created: "2021-05-26T07:10:50.659999+01:00" description: Helm chart deploys sops-secrets-operator digest: d328b4e165c3945430e196a853836dcee9982929fe24455021ddb885099d5334 keywords: @@ -23,7 +43,7 @@ entries: version: 0.8.2 - apiVersion: v2 appVersion: 0.2.0 - created: "2021-05-16T14:57:05.985018+01:00" + created: "2021-05-26T07:10:50.658355+01:00" description: Helm chart deploys sops-secrets-operator digest: d0ac8b738d0f10d64b2fb78c4386efe91de39aa88a4b107fdf9d93a82d18573c keywords: @@ -43,7 +63,7 @@ entries: version: 0.8.1 - apiVersion: v2 appVersion: 0.2.0 - created: "2021-05-16T14:57:05.983739+01:00" + created: "2021-05-26T07:10:50.657217+01:00" description: Helm chart deploys sops-secrets-operator digest: 289d7c6c96f858fe15427b1858fbfcdec373fc345acf52e667df4ca5ee729c10 keywords: @@ -63,7 +83,7 @@ entries: version: 0.8.0 - apiVersion: v2 appVersion: 0.1.17 - created: "2021-05-16T14:57:05.982326+01:00" + created: "2021-05-26T07:10:50.655878+01:00" description: sops secrets operator digest: 1c3c4bba7d66a7621beced04856d9904260558fe10369513743bc322d69482c1 keywords: 
@@ -83,7 +103,7 @@ entries: version: 0.7.6 - apiVersion: v2 appVersion: 0.1.16 - created: "2021-05-16T14:57:05.980731+01:00" + created: "2021-05-26T07:10:50.654332+01:00" description: sops secrets operator digest: c526d5d4b9c7c2cce1d9da2c75b4e9be7a994f24dce159a659189414a8725eae keywords: @@ -103,7 +123,7 @@ entries: version: 0.7.5 - apiVersion: v2 appVersion: 0.1.16 - created: "2021-05-16T14:57:05.977701+01:00" + created: "2021-05-26T07:10:50.653027+01:00" description: sops secrets operator digest: 572c9015988b76869b58997e02a0c64152283e559721e4883d54f1258a57e8b7 keywords: @@ -123,7 +143,7 @@ entries: version: 0.7.4 - apiVersion: v2 appVersion: 0.1.15 - created: "2021-05-16T14:57:05.975435+01:00" + created: "2021-05-26T07:10:50.65+01:00" description: sops secrets operator digest: 84365f8e919ba9d3a00cfa50435cce6c63a8383357b2fde062b7aab8baeca6eb keywords: @@ -143,7 +163,7 @@ entries: version: 0.7.3 - apiVersion: v2 appVersion: 0.1.14 - created: "2021-05-16T14:57:05.97406+01:00" + created: "2021-05-26T07:10:50.648548+01:00" description: sops secrets operator digest: a1f2375080df20421701a33179b8e947ee682a70084d83d85da707889871ad64 keywords: @@ -163,7 +183,7 @@ entries: version: 0.7.2 - apiVersion: v2 appVersion: 0.1.13 - created: "2021-05-16T14:57:05.972765+01:00" + created: "2021-05-26T07:10:50.647069+01:00" description: sops secrets operator digest: 2e81dc4e4d49d9cd802aff263f005e04fb57df07f33b3ce8643ab287dfd3a7fb keywords: @@ -183,7 +203,7 @@ entries: version: 0.7.1 - apiVersion: v2 appVersion: 0.1.12 - created: "2021-05-16T14:57:05.971297+01:00" + created: "2021-05-26T07:10:50.645914+01:00" description: sops secrets operator digest: 81f59ed60bfa8204ed285476f9ed96a45a6f4e7cc6940a5d246c9241573d93d5 keywords: 
@@ -203,7 +223,7 @@ entries: version: 0.7.0 - apiVersion: v2 appVersion: 0.1.12 - created: "2021-05-16T14:57:05.970063+01:00" + created: "2021-05-26T07:10:50.64491+01:00" description: sops secrets operator digest: 91c3fbda73ba2d860bdaa21e37bf9afbc260ff767b377a144d0181d116a7ee34 keywords: @@ -223,7 +243,7 @@ entries: version: 0.6.8 - apiVersion: v2 appVersion: 0.1.12 - created: "2021-05-16T14:57:05.969043+01:00" + created: "2021-05-26T07:10:50.643907+01:00" description: sops secrets operator digest: 89d9d41d70d4dafcfb957bd48776ad779d0cef7dbb1ab2daf0b745a53dd6e3c6 maintainers: @@ -238,7 +258,7 @@ entries: version: 0.6.7 - apiVersion: v2 appVersion: 0.1.11 - created: "2021-05-16T14:57:05.968006+01:00" + created: "2021-05-26T07:10:50.642869+01:00" description: sops secrets operator digest: 7b0a65fd6fa9bafa3fd11bfef1a5f91f1e17d8cb8ad65b6377ffdc4d12495d01 maintainers: @@ -253,7 +273,7 @@ entries: version: 0.6.6 - apiVersion: v2 appVersion: 0.1.10 - created: "2021-05-16T14:57:05.966905+01:00" + created: "2021-05-26T07:10:50.641726+01:00" description: sops secrets operator digest: fac31d6cc862cb7b9a81aee52ba1fc4183d70bdcb7424c3dbdd087fb53246b30 maintainers: @@ -268,7 +288,7 @@ entries: version: 0.6.5 - apiVersion: v2 appVersion: 0.1.9 - created: "2021-05-16T14:57:05.965954+01:00" + created: "2021-05-26T07:10:50.640176+01:00" description: sops secrets operator digest: 01347c27e37dfff999ebcee12aae6d0aafa092d7c3b221d566cdf0abe71f4d5a maintainers: @@ -283,7 +303,7 @@ entries: version: 0.6.4 - apiVersion: v2 appVersion: 0.1.8 - created: "2021-05-16T14:57:05.964916+01:00" + created: "2021-05-26T07:10:50.639265+01:00" description: sops secrets operator digest: 6348b1b1b0e8d3df3926e437b2c0f4ad63268d26e2cb54cbecbb564102e6b19c maintainers: 
@@ -298,7 +318,7 @@ entries: version: 0.6.3 - apiVersion: v2 appVersion: 0.1.7 - created: "2021-05-16T14:57:05.963866+01:00" + created: "2021-05-26T07:10:50.638024+01:00" description: sops secrets operator digest: 710c1c9fa73a2ebf791fda4a608b5e29072d42c0b68c803c7bbeed54a582fd7f maintainers: @@ -313,7 +333,7 @@ entries: version: 0.6.2 - apiVersion: v2 appVersion: 0.1.7 - created: "2021-05-16T14:57:05.962458+01:00" + created: "2021-05-26T07:10:50.636877+01:00" description: sops secrets operator digest: f2a606c3837843241bb9d59adc02c38e1cca98753c602b9f758cc61d735ca7cd maintainers: @@ -328,7 +348,7 @@ entries: version: 0.6.1 - apiVersion: v2 appVersion: 0.1.6 - created: "2021-05-16T14:57:05.958796+01:00" + created: "2021-05-26T07:10:50.635542+01:00" description: sops secrets operator digest: a2bbf9b39ec5f5b82965037f8f245fb3122adbe31b1c7d336fa1f4cddb228b88 maintainers: @@ -343,7 +363,7 @@ entries: version: 0.6.0 - apiVersion: v1 appVersion: 0.1.8 - created: "2021-05-16T14:57:05.957139+01:00" + created: "2021-05-26T07:10:50.633385+01:00" description: sops secrets operator digest: b89986787f33bb6ed9fb0c658431be8646302e9c1a24537c26269c62249fa071 maintainers: @@ -357,7 +377,7 @@ entries: version: 0.5.3 - apiVersion: v1 appVersion: 0.1.7 - created: "2021-05-16T14:57:05.955378+01:00" + created: "2021-05-26T07:10:50.632431+01:00" description: sops secrets operator digest: 9467709cf6fbe8d9d779cedf15fe388af172b609f3ca452ef3d8894f39d999df maintainers: @@ -371,7 +391,7 @@ entries: version: 0.5.2 - apiVersion: v1 appVersion: 0.1.7 - created: "2021-05-16T14:57:05.953848+01:00" + created: "2021-05-26T07:10:50.631604+01:00" description: sops secrets operator digest: b54b5d8497564ddc04bd6d8b105eb0a3559e82ae1f6aab2f59ed3e426f119287 maintainers: 
@@ -385,7 +405,7 @@ entries: version: 0.5.1 - apiVersion: v1 appVersion: 0.1.6 - created: "2021-05-16T14:57:05.952366+01:00" + created: "2021-05-26T07:10:50.630774+01:00" description: sops secrets operator digest: 177f1ed214d6e72eda589a6ab155a417c1a4229bfda11e87f24af125a3542ad1 maintainers: @@ -399,7 +419,7 @@ entries: version: 0.5.0 - apiVersion: v2 appVersion: 0.1.5 - created: "2021-05-16T14:57:05.950616+01:00" + created: "2021-05-26T07:10:50.629935+01:00" description: sops secrets operator digest: 1535e130357afa883db0b3d30735c817d3b7d412fe5bdfd71534d0c08defa7d1 maintainers: @@ -414,7 +434,7 @@ entries: version: 0.4.8 - apiVersion: v2 appVersion: 0.1.5 - created: "2021-05-16T14:57:05.949434+01:00" + created: "2021-05-26T07:10:50.628783+01:00" description: sops secrets operator digest: 19b11dc2d1945f3c436a7d03763b4391d4a382fc13ea515d25422827d859d6d0 maintainers: @@ -429,7 +449,7 @@ entries: version: 0.4.7 - apiVersion: v2 appVersion: 0.1.5 - created: "2021-05-16T14:57:05.948499+01:00" + created: "2021-05-26T07:10:50.627707+01:00" description: sops secrets operator digest: c839e5d3374b948d27ad49643411f4891fdec44d179dea06423bb0d6e29d5e32 maintainers: @@ -444,7 +464,7 @@ entries: version: 0.4.6 - apiVersion: v2 appVersion: 0.1.4 - created: "2021-05-16T14:57:05.947111+01:00" + created: "2021-05-26T07:10:50.626259+01:00" description: sops secrets operator digest: c71f9f66be32f8b9d3c8d780b09b2455a40fd9755314004efd2bb8d379dafe3c maintainers: @@ -459,7 +479,7 @@ entries: version: 0.4.5 - apiVersion: v2 appVersion: 0.1.3 - created: "2021-05-16T14:57:05.9455+01:00" + created: "2021-05-26T07:10:50.62511+01:00" description: sops secrets operator digest: f3f2f89d4ef6018776df0a12a63dd2f9c9519b9d1ac03a9a405e31d0fd902ba0 maintainers: 
@@ -474,7 +494,7 @@ entries: version: 0.4.4 - apiVersion: v2 appVersion: 0.1.2 - created: "2021-05-16T14:57:05.944543+01:00" + created: "2021-05-26T07:10:50.624296+01:00" description: sops secrets operator digest: 1fd5eed318627f5ed0656f4e8ce4a25729568a1626ae313bcbe21050f5f26240 maintainers: @@ -489,7 +509,7 @@ entries: version: 0.4.3 - apiVersion: v2 appVersion: 0.1.2 - created: "2021-05-16T14:57:05.943542+01:00" + created: "2021-05-26T07:10:50.623447+01:00" description: sops secrets operator digest: 1f4f9869c75f0922e83ba5d530e101bd4252d5c1c31365800cc9d1425680cf18 maintainers: @@ -504,7 +524,7 @@ entries: version: 0.4.2 - apiVersion: v2 appVersion: 0.1.1 - created: "2021-05-16T14:57:05.942044+01:00" + created: "2021-05-26T07:10:50.621841+01:00" description: sops secrets operator digest: 6b054a4e9f261eea3cb84ee2e70b87b24780f1703e2c218ea5f69b7f82d1876f maintainers: @@ -519,7 +539,7 @@ entries: version: 0.4.1 - apiVersion: v2 appVersion: 0.1.0 - created: "2021-05-16T14:57:05.940687+01:00" + created: "2021-05-26T07:10:50.620856+01:00" description: sops secrets operator digest: 78b62ab37eac1b45f0a68a9752a3615c5d3f1c960bb4057e665923ce104931cf maintainers: @@ -534,7 +554,7 @@ entries: version: 0.4.0 - apiVersion: v1 appVersion: 0.1.5 - created: "2021-05-16T14:57:05.939141+01:00" + created: "2021-05-26T07:10:50.61983+01:00" description: sops secrets operator digest: 41baa3c580cb9d8951c18513a4f04c4dbbfad99de9c62f53de2450c0c7b76725 maintainers: @@ -548,7 +568,7 @@ entries: version: 0.3.7 - apiVersion: v1 appVersion: 0.1.5 - created: "2021-05-16T14:57:05.937389+01:00" + created: "2021-05-26T07:10:50.618187+01:00" description: sops secrets operator digest: 1103b1f7bf7af3f400c172227cd5a3659f3a03e5e8158b19ba0b25f7ed45208b maintainers: 
@@ -562,7 +582,7 @@ entries: version: 0.3.6 - apiVersion: v1 appVersion: 0.1.5 - created: "2021-05-16T14:57:05.935127+01:00" + created: "2021-05-26T07:10:50.616183+01:00" description: sops secrets operator digest: 15c72ba7fb09d0e980ec32fd94f56893c439c05c435281a9ab9c8bc94bd20063 maintainers: @@ -576,7 +596,7 @@ entries: version: 0.3.5 - apiVersion: v1 appVersion: 0.1.4 - created: "2021-05-16T14:57:05.934088+01:00" + created: "2021-05-26T07:10:50.615267+01:00" description: sops secrets operator digest: 025a6a6381b75286756ef55105ace6e911e5a5818b495ede6356cc8ec572aeac maintainers: @@ -590,7 +610,7 @@ entries: version: 0.3.4 - apiVersion: v1 appVersion: 0.1.3 - created: "2021-05-16T14:57:05.933232+01:00" + created: "2021-05-26T07:10:50.614268+01:00" description: sops secrets operator digest: f61b070b640169439cf4ab500047c1e356748a85871f7aeefde46d63d87d453a maintainers: @@ -604,7 +624,7 @@ entries: version: 0.3.3 - apiVersion: v1 appVersion: 0.1.2 - created: "2021-05-16T14:57:05.932229+01:00" + created: "2021-05-26T07:10:50.612957+01:00" description: sops secrets operator digest: 2b37dc4e545e8a9540f6b7693079b98bf161ec5a68899defcfc9420bdcbb33e3 maintainers: @@ -618,7 +638,7 @@ entries: version: 0.3.2 - apiVersion: v1 appVersion: 0.1.1 - created: "2021-05-16T14:57:05.930597+01:00" + created: "2021-05-26T07:10:50.611731+01:00" description: sops secrets operator digest: 2e2762b8f9d66aab0caacde225955fec8bfd5a4cc10dc6943a1de3809dda4091 maintainers: @@ -632,7 +652,7 @@ entries: version: 0.3.1 - apiVersion: v1 appVersion: 0.1.0 - created: "2021-05-16T14:57:05.929553+01:00" + created: "2021-05-26T07:10:50.61058+01:00" description: sops secrets operator digest: ce84f5b64402a582c7689cb842ba03fb10f968c38b57dc9e05f588493128019a maintainers: 
@@ -646,7 +666,7 @@ entries: version: 0.3.0 - apiVersion: v2 appVersion: 0.0.10 - created: "2021-05-16T14:57:05.928041+01:00" + created: "2021-05-26T07:10:50.607706+01:00" description: sops secrets operator digest: 5e4c8bc37ea2c819c55b288c0a5e76ff8c9c02be591bd53776606666af45581c maintainers: @@ -661,7 +681,7 @@ entries: version: 0.2.1 - apiVersion: v1 appVersion: 0.0.10 - created: "2021-05-16T14:57:05.926627+01:00" + created: "2021-05-26T07:10:50.606239+01:00" description: sops secrets operator digest: 50b8ebab19008dfc43de1eaee8b0f6287f7a55134585dc6ae88df2520d779f8f maintainers: @@ -673,4 +693,4 @@ entries: urls: - https://isindir.github.io/sops-secrets-operator/sops-secrets-operator-0.1.10.tgz version: 0.1.10 -generated: "2021-05-16T14:57:05.923953+01:00" +generated: "2021-05-26T07:10:50.604253+01:00" 
diff --git a/docs/sops-secrets-operator-0.8.3.tgz b/docs/sops-secrets-operator-0.8.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..aadf5c1d9c91e51ea7bf3120a71ff01a7fc1d8a4 GIT binary patch literal 10375 zcmV;2D0tT&iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKDJSKPR=;QiTug|>6wA+XrpO}^&z+qq|Xz~r(?fCJ3Tc`rK$ zgj?;_U|WtPH|Y%7zkQENk}ZGr2M}^+9{wSrZKl`IpU4@Es6T_@^al7@T^V7&y>RAQPE4&_OLX*@zy z&~!}s|IP*BA`p`xCDKDE#R(}sdiqy84T9x7Bmi5;Q#w^Sel1doA2b|VI8|RkUT&zIqHBs1#5lUnugDI?$)=aF zu>)>|{`l&7g76s)$!-WTQuO%(v~o(2sfDnv<{^aZfC0=Y`IM8Kpb4fi86!?YmWDK@ zT6k%S5}M|c2=qLmDH?7D==sVwS<6`@qHoJtt|%#)SVEvQ)5`9O$3hF^k@-vOn&Vt328k5{K94 z9EU`|{T1_cQ)!(O&c?Y$SB3YxU}*!`VLD+ASO=UlzF9DI(~EVhia!1?oS~RS2tcdm zK4&RGY=Slvk_{z08;1OiO<)0Ieo5)rOhjsAfK=w?d8DGC|qL}V--gDix(kSsv}4aJHc zp}^BLj99P&V6vC8%Y5#b(4H1J+8#S^-Kq#F@;Mm=zqWQok8^$f@*R zql0grHzhch(-Y3FlqF}-pHE?gaUulpE>oWoNyizZsYF*)x6>IPz0nVYABH{EF&X1> zgw#(9?meB6RKe14DsrsaZ$2yZ2+@>EisO9}5v@pflmF`N=S zrVCJT`+Wh9Rusd58H8_7-nI`wFUm?GKAfOS$#Zgv-tL_sJ@=p+8ple=ROiE7uIB+Z zqhmX2p^p=#yvP_~fk--|oTV^=?Nr~UCIIOXPN3VhDg=~D1_2xLHF{=rIkFvQ3MxIX z)RV|asHb0KJ`G1G%A(=7MY01(b}WzgPSCp#XI*>_vx3h@N(;sKN)0S!P*o-$ECh{! 
zcaO)iS-2a9dg9)L!G8n`r;QC)GNLdG3_X|1%G08rv>YV40BfiKuB1WBQe}>_ z#3<#5GCYqNuG8USx9!D9*>&VI6;f#-10-ayJXCL1M`eL%WJPnWq3}iN-FIaE3$U)e zN3klT`}7RjJ6ByWCaD^n0!;}gO7Z4`v|vM5BxX0N+thd6FpWm3LQS)0+fOG*@w!fy z9hu5Z>6DdolHybz?koQ3`e%kg8K-GTGaMT#lm)2^k6q^P#gqVm=ey-v7ai_zHX)ug zA%?nk3q)gPE`U;0uSvv7ix7b18A*U~aZTo;XwP;*2dF9+st@ z<*$n!dyZT@w+!7jjL>v!7d^GPKs>c{qL>O`93GFU>JA*Y>RjQG&ywSVbf&Fw-)xWU z{(5$Cw*T(p{qgSp#oqDJPls>4XGk}CgnC13FPA2WF$qMuGO*@xhq@PP>gRbXX+pM< zAeN=DY2X<+yW$|7{eroul6Q8ncY1Js@%HrK;Qa6iND~eplDSzH`4J~Xaj7ivj?71> zc)e09ig{}ldViuZu}hoXIEIC-01={TeZsVWX^MJ%BE$ZKv7TBuDrv$34TVJHGfuLY zs4~|-i0XP&En4HaptcSc3$P1V8qZ7CO&C+mfHKOqA33O-e6(t&x>hvu49h#SN#+%Q z!Fogui(gg$=QxIif?8^mR4;}lGwOd{Og%+y7=4nVnBW=F69*PZt*KKHQkLrx7fzWP zK5AxE<1!b72YPP-$AVcqln4|~aT@CXxfH7V5KCQg)LnyODrKxSVnNC_5_vdP=s(bu zs`X5uX1O`b(U_qdoK{-mRLfJ{S_#BWSRAt(C2R_MtgN(cgvY-tbtI=GQ3z5J5+N|3 zZ$tYzN!UzV^!Yo&I-5@c)6OzET!Eon?57adA zQ%=OHHN4Uy5hNy|k^nO+O^iiSHAho6CTFIkUG|1Kr*gi>Qb|6S>)r#HkWlS&=S=nU z;l9GGdJ!u@;CZ?$eimwxG<-1_6t>*kwsLPd%d=X+i9nHh?IAR&7SN48XEEW`b-9}1 zni~S1EK9=RcbJAJ6J?Lj3vM~~oBgKQ#IJBz@McdNYf2szt55%9ch4Da4vW;p|NXX- z+xLHq-MRkJ@%h17AV14{;8=G4qyDb$|GpW%eEqcl`xwu%{=b-#I3rvHGQ0Cpz>@yo zdGq2$wf}bpgI7=e|0vHNfAqJ|j3y%_hy-g#&NK3(vbJ$JB_p)e|N7NarM!dB8O-ie zy$@^Gr!Y4Mo+;-mn}DVS_1X^+RLvgp%d%iU1p2@k%<$kBZI`)Qyy#Y`$uvZ-U%;O< zIm;&#`Wf~75}2}2)Zdy~tA7g|lU$iHpK=_Vg=>~UI|A=lqM<{1sc@(^33Nq5taP_v z2|@4jE5cJEiO{W|P!f;z1{ciVcDt7f^!#cLoY_A*Q)OW#k&$pS@D3-4lUUg{8i=vP zjDcg8?$vdlwx1O7hT0VwZFk8_{?JLm+xixIQKqxNN*xf364KwHF{2+>?_-C~f-f3M zaH^T6D;Km@-mXocS{=&?>iwJW|4sC2&@|q4q^|4liZnXitcH>~PgY$FU2Wt>mxAr1 zmAf12^g0{o@?QUKj``6ooO|Jrpx*!Nq25LBE@O=)2}{j}*Qylj(i$Yrvf#QHU;$-) zz1sQX549MG^YIdW5}>bNy(x*4Kur6tv&!!RXUsjrJ1=~xJ|Uf zDjWwCs794r^eJbu0IPW03MIiQj>y=*npbJE+Yz_Qi~t3SY!`F}WQ z%>TpT;K~2zQ63}5N*h_F3|($Fg3)ue|Jdt*}JCccw{#Hyoz7Z&`XHKV=VEg z@ZeczX#0TIl<<&IG$U_0469@Ubc<*@R*U+VidKXWdJv`44rsCN(2hmN8UBe|un0zb! 
z|K`oGq5pTD^#7wgwS@t{!eOEM!3ZhUIDEsooH9{FP^8EJ+hGnUPeAvbpWJbg2~xO;}1L zQ}b64GESHXLYB1A4)&=j-9fxQ+-~A9-f}_d8rXt>Wule62B`XTOk!gGv?yaLIvA(^ zyn&bZrKdlkDURtEQg3%x7p)6_ErDpx?(69Piz`K18m&7IEZhHm^Qz|myR-9pXYi!| zALCh~{~K!kKePy}J~8}@Oamgn`kjOlW&*oVaeX=OL!J5|GTdhF!)us^SWHgIL~)@x zRo(-))gB9aVWCaGZ2U)IcF)!Sa{F&McwOKBf3@@GY5YIN)3W||+`y`!8fTd(*Yf4fsDBw7E+gPyV{TxH%FN(i z%hCv~x0Cj%Pt;oIy`cf22i3*vYhzSgfHTw;9Inlf)mumoLgxmNVyR^RiIcdiTEWL3 zYKmI}iz{q-P{!PaH3-?B)>AOJ_}P}#uc4Kw8W+?G5)=^2AasjTml^hZg(1~@UPpHo zc?;XMc(TY{Um40%D)(4<2inqYoj%ofKbaekpG^e{tWZJ-ED}n$hNz`)%euk_|1VmV{x944~m0M zoAka>;k{Z1;gqww2AEy_v=D?}ZUwc1vi+rC`qyMGhU-G^n_H4l+n)`C@yfV%9I>c~ zT)3eB%Tr@_kW@sV=cqz>6_i&u(bun|#%GBm^!00Rk+d}Glov{?G#D9YymbxHCi?bW z)$h6rwM%{)tV1os%)wtNx1fI+i(<08Bd>`sW}#nR=3I-ew&A~2?*6+BiiKR{IE~0k zg5wUGv@u{R&hx5B@v~lz6FfdnT@x#0bng*XQFsy#Sd6^(gR5$S=Lg|F)P2I!B&oj1WC7z9IIt3q$j_w|iSA1*3ZE4oU= zy_XqejLVubd1jr%V}i$oBe2CNOTmj;={nBhm~dn`66oSIjkF6Lc)*cVnA@?OASw_` z<2hV~#i67#(gvp97>(Tr?2VS18`J)nKqwL){PTaT*p%g!>RS5%z!#kP_NuW{&EDQM zpSo(sEb`%QZChRV&{ea%EZYsBcA>Tgs-~8ltKl8msptD;As3%hHB)1#bY`mKYm69s zu@RZ3*slzVW0u$n+d{(tZN+RDLAHRKnaIt%G^8Rpd_x$kq=wk2mVE^Fg{BZaESsUrC z#!KJsE}`wmRomnzmAl?Um;{wp16;;S3zl>!qYrd@!nIYnyN7ZP;?JX}Hta5_-VpvR*0| zlr`vIWk&MXTJCB}>dW#vjwO22y{ue2cUo4pIOtpBG;syAt5mO^F?ImGD2t2?4p+spa~~`_9avoJf+U%o?^A9ru6HtPwf%!dN@RHh+O%LR zF_kTC_ri5qta1(8a|L73R`zm9somCYN=?gcZ~Zv;wVmFo!z)U;taGn$FRKg1+{%*` zYEJ6amb1OM*j*l~*z4T)Wp@RSbGN)KlCxw)8xAzK>r0jUfRchFePz9 zqm*&-063P7|JQZ@zu~LbuU|cl|HpWqp%W}6;W|Q!?s9Z9B`LbfX$*lbGaO#yh=?Kp zu*kEFaVe0Pk~l_D%&xS11x=%E#7T@{dmgrf%l9}Pd(TixA{}4sdB(|vezx&f|Hq~Y zO3G5GsYpT@;Sg~r@Phrbi!;eM@tz@b+xVBgGc=}LctJ#EAO6+kd%@Kg-iLqfi)qwX z|Ja{mmi9|PS2(=RGac#4+X}=@=4}O6_}beFWRiJX|Id4de!-lwT%g1K1K|Z3XTOtB zdI231+}Gte``rs>B4lF%uwn7wefsn%*z)jI7;Jf4!KY83ysZFVh2B;$qlxzcUlWD) zJ8F~m@qc=-yZ_-JNX8F>WAXUk84g~*sE_}_aOY|KKgRQ{BY3{Ia;Sgr*)w#e!!z%( zG4Z@D^uO*BZ~q?v>HPh_@1Op==UrZ2nrOP--*x0-8QTDug}=SdDBu*pSr*TcKQSct zLp~N3^Tlk4<7|qD7v=Sti;$0X066dONX>aD&mxY;1o=LADaA41(2QuOy^sE{hmh}A 
zsZvDfXmo)aXYTUy()0eI6f7s`vRUBL#5sfyR1nh;h(-p14U15BI1J&0n4!Ix#M>!pnz6r7B8&GyD$%iYYQ<=n@-WCM*Y|z~i=~IUp z#&OJU1Tu%WYD&q44H2rCu>~=4TVUE~dve;0nyWYnAs!p`a7$RtEY1b8AiXW5qjol` z&fqnUR43B(cYP2p6so8N5x65b(I-`3K_m_Jt~Kzk8aIcjEP`Nr9!%4E@Ln+{h2%I> zlzwcL;IdEG8LykJY_e2AFJt6rkfVOT;`z6U%ylx;RdPzuN2O>=3QQ1>O>1?OC;PgU zFeYtX@QG3%o+-Ik;;)@n(MKiltl(5z{{0Lvyv%OXu@~`{etf%k;+52>v22H(SwwcWN;2CZZwnnzIVBurxensk2Iv2r z9Up5WjYwr$kgHU)w}yXbt?Godmcmf&j(lnYztxQNqhqs78OJixt^ zINw!pZ46P+&z~j7E}M;ZQgez!7A|8vQyY>r-H>RCXFAwFj=_7QRzph!mPPIIdvkIE zxy%Sps1P;+rWz|Ib~13`ph&{h-!GMc(nMM?w1z%AJ~^vKu5Hz53Hw6h7{iS5%%*or zBOjEkIiJ5KbAP52EK~-m4vmb;n91mHAI48Ll(dZ)+YG?`uQ-N{C9!Z6S3Dj%$1%uI zRFR;Fpv!AA7lHgNFSV$(NxdOcPjqDkZwvjZ7WrEG)i+0;m6TlCQ`Sop`CZ4#r4TH) z%?d%6N=zc@RqZT)IOn9NL{lqzSZjtbDR)KxUjJ$&)O8RLxh|X%8LktX3PK;dIQ??Zb5I} zqVsu1&~1_IO8r&jwL`bwt*;*aul=v`7yR;W%V@y2h{26=bc-(k__-geJ*3DIwicIb^Dn(}t9IVI|H)-^}{0*Y42a!^uL29CN#`hut;uh&zM z?vW#)fuOid+Kyy-+5iWlJ*v1>>zr7D0v;)7E96vg02R@-nq;k>U;*G2?kTrAivKOT z{P-L6#>!Fs0ZvN@&N^jlWX%GQQJB?4Z&lH9t-j`)(o>=ky@k0_EHR6^Z^aZUC8(yu zNRwd?ooA%LUb`k;$NLD`Ra!}LTv)o9@gPZNH2N%BB45UNq&MnCSv2g~7d!gJj**?N zTt*hjBDwjNDUJ&K)(57-RA|vRV{G9OQ^&dUjc~Sls@J-=#mT!j8ot`@RXnwOqn!bC z?4m?lO`PD2ev4=d$bK07Fa&LU=iFaS425U;D$Q!PYN%VaFu4~XZQP!#^r60#sTF!> zI!6bNbFr@iXW@=r8~9>gC~pK-079n8wu(^F)^qRT)~CF?B$@=s<*kw>3MIpG+8d>L z97A8+G2J2HG&g4&2;mY>Z`4!Twzu7b8#ldCPpuM_0;}G$>5Y1jxlU`c^-?1~aAL%7 zkrvTqRB^wlA~e7y)%LX#CRX6;yH8cwR?N0g|6CaqD^084%BnO{3r@9_50YOINVuyl z*^0QgEzG55#}Yk-$N>2=mFN(=>+8+Q!qdj4DG5vyX?uDWaDULpIJ#Zqx7g#(5Y zPG>YG5jhYcj*YZ7ZB8hQio%FErCUHRuwL6UDz!qf9t*w78PHZ zij}-e-L=8Dw}JKNmdc&Ze`^izmK4eW-}S4l3&qNrpU|!6+2oD{htqNs$~mLF^nF1j zx+e1pVoWI#sJrr zt&@-)vKPV>;OvnZMOQ3iZl?NJr?RW4v$NFb_y^kBI;Yvz)(HJ4%K?x*8L(>Oqcc8! 
zd+z+${L8pLK0TfOU#{Pb6N%RGoDpkyf-mv^8oV05s`-Dvcr|#6|M)16=li}_4FX2V zXGu~xGi(OEgu{=I{&co*WiXGOjd_q}98Xj#O4|Tvl*yD6&i* z9i4AT*u|iFr`9i;2G|>;LK)A9u5UG%&}k`-^?a@~geG{7H~|YNPaSw>o<$!R*T>K!RF!Ns)EpI&_|#3W4P5jr3vj_ zA`T@<3SC>Au4*UOcVuo?F`?tI(aM}Lk(kDHC4g3t1#^sZfmiF$W35-LRe?;3hqh;_ zDBVX4VVb>bW#I2c&f}GuT=u-~m!D7H-x+b+9K3S1FF@HWk&}O7F{L5nnYk`ekr{q>nfYf3@G1h+!1XU8INwwNNE*?UTtF1K zyTZ68^NRZSw>3r^h?2f`7VsSd1ZsBur&{ZAdpzT>#+T=i61X?Gs2z*@6d5Ax&(hhre#p^M#M!!E3=FL@^6FDg z^~79XeV43x`Dfv{=@=M*t+CK8i8_zlstD=iA8OqBTf`2-p9)DJqKw`btfP0xOAb3-WnJ0(6NI&{8$X3`!RS~O4Q;_VMr1e7Dxi*|c+nrciD}ccME?5KL6&5t~aW1E; zLKI@E%h%q^SZtTU32GUFpfQUFLuY4MH{Z7I@=@cs!+vN)@ph4QNN7USLztG(aAnh? zojkuj?XF}Az@hGnwg8lMb=QjKfH_TGW(Jg)G*zg23SDo@s^(7Pr4oDRcDP~!8$ve%>Pi;9~!u7sKJOp8t99^3}^H|DVTreBbv(PNf=U&5#Iip;>s+ zT@3iBk`vPNpv=hg5PF7iMs*f*IkJZ-0&doEu1qd9ytF@i;oAWt4GTedndQkxRJ^Ns z9k59yC1F{xbO5OrxA_ch*(nzLCW=8t&A|k!bT~A@X}vuk2a>gkRd1bX8C)+($Aq_4 z2UO;cw8dLGGC40y66xY?gDvD!jw=U%*}_y5Cf>OokhF(T8-fpAP8$AowA8p=G65^;RTBtmv`Y}f-UEQ#}v~=M1xG&?4;ctuQa0dvvx|a*I zZfmt7TY%f%15K;gMH$=Nz1uQEuO5=PSDH(;=yL_Z^{8~^i9E!4M^|&px~_@iK$Tlr zVq6;PTr&f-P7<8}7mFY*b>>yCGL@9zt8j!qefm_q2*+fEzI^$zK6@9pW3l+xsi;r_ zedAm{ExlVcXBsy?zfu3duR5{?Vr{yrQKQy1-6>*i-2Y_mPcgr8CK3B(&T{U4YiZgM zllN%dS{>gC;^W}A4ili>tb1V@c42W@1d>$0wgZ<3pPwJ^ACDlu1qzieQqra`PeM@c z#o@d+|0ON37Pd8W2(M+C0skO^WlCjvGq2wIlu5g--YopEqp^~txH%R(iJ%i3)U7@o zqbw>>*8{&jzzAzl{LCTCh;U=AVrOQp1wTzF@I)juHmthN( zj@7C!FcY;=CtWbZFLA8FRD`EL6u*%eQsvzE*Xo$tU}KsH5g`VslmH;i%YipT_iqk zc2##~?1w|YK>c;5AM0Xv7S%fc;U=9&=XR0X>QPwz;OK^HHMN$P{NZR=NxEv8&>jf; z&Yd{WnLqvEs9J|7J6&VVoN6|Pn;^12)T)si$|0pq?+IfCF-}VMUZ2RYKVhuQAMK`D zOXkjr@^=}mhP+1_qzaSSm(~^wNoQz=c{w4L^PK4-CsTS6BmP0TMbg>gO@>EKz6|^^ zd|94L+3aLYV2ZY}IPiEZmQ=MEzSs0k(%Hx1Z;Khfb~@=*l1W$D>m-3LIhjQ@PTEqP zOnanRcnzktX1DH|p@Ap*mQ`awR`q4IkYku^n+PMdFqCyp!Ck*ayi$)1Uphh?EG53Y zVZNMlLP{SB8{Bn-HsA}CVX0H1Ez`tY!IEk?a+}g}W*|r4O z_iOgf8qID`tNmEbuBFtzU$bAV-|Ut|-H+RJ>QSJm(`@X~6ZOsU6B=f)c&~87( zU1OZa1nO)sPCFgoqO=r-q1?AYpOU}V1hvwuZ2c+ z$tfL*!_EyY=W=5%Q~%}ysz!W}u=wsVlo>-pLK>|Cuk 
zr|{5NGTbXA9%&QoKD??Oimbz>D2s+`pxC(^ik)s0