diff --git a/docs/operations/deployment.md b/docs/operations/deployment.md index 28d88f02..253c74d7 100644 --- a/docs/operations/deployment.md +++ b/docs/operations/deployment.md @@ -2,14 +2,210 @@ ## Introduction Gardener comes with an extension that enables shoot owners to request X.509 compliant certificates for shoot domains. +There are two ways to deploy the `Shoot-Cert-Service` extension: +- the new way via Gardener's resource [Extension (Operator)](https://github.com/gardener/gardener/blob/master/docs/extensions/operator-extension.md) (recommended) +- the traditional way via Gardener's resource [ControllerRegistration](https://github.com/gardener/gardener/blob/master/docs/extensions/controllerregistration.md) -## Extension Installation +## Extension Installation via Operator `Extension` +The `Shoot-Cert-Service` extension can be deployed and configured via Gardener's native resource [Extension (Operator)](https://github.com/gardener/gardener/blob/master/docs/extensions/operator-extension.md). +Here, the Gardener Operator controls the deployment of `Shoot-Cert-Service`: +- It ensures that the `ControllerRegistration` and `ControllerDeployment` is created in the virtual garden +- Optionally it deploys the `cert-controller-manager` to the Garden Runtime cluster. Additionally it may automatically + create the TLS certificate for the virtual kube-apiserver and ingress on the runtime cluster. +- Optionally it deploys the `cert-controller-manager` to the seed and automatically creates the TLS certificates for ingress on the seed itself. + +### Prerequisites +To let the `Shoot-Cert-Service` operate properly, you need to have: +- a [DNS service](https://github.com/gardener/external-dns-management) in your seed +- contact details and optionally a private key for a pre-existing [Let's Encrypt](https://letsencrypt.org/) account (or other backend supporting ACME) +- alternatively to ACME, a custom CA certificate and key can be used + +For the special `cert-controller-manager` deployments on the Garden Runtime and Seed clusters, `DNSRecord` resources +are used to create the necessary DNS records for the ACME challenge. Therefore, the provider extension must also be +installed using an operator `Extension`. The provider extension must support a deployment on the Garden Runtime cluster. + +### Optional deployment of the `cert-controller-manager` to the Garden Runtime cluster + +If the following `extension.extensions.gardener.cloud` resource is created on the runtime cluster, the Gardener Operator +will deploy the extension. As soon as the extension is up, it will deploy a `cert-controller-manager` into the `garden` +namespace working on certificates with the annotation `cert.gardener.cloud/class=garden`. + +```yaml +apiVersion: extensions.gardener.cloud/v1alpha1 +kind: Extension +metadata: + name: shoot-cert-service + namespace: garden +spec: + class: garden + type: shoot-cert-service +``` + +Note, that the default issuer for such certificates is defined in the `extension.operator.gardener.cloud` under +`.spec.deployment.extension.runtimeClusterValues.certificateConfig`. + +You may now use `Certificate` resources on the runtime cluster. +Example: +```yaml +apiVersion: cert.gardener.cloud/v1alpha1 +kind: Certificate +metadata: + annotations: + cert.gardener.cloud/class: garden + name: my-cert + namespace: my-namespace +spec: + dnsNames: + - '*.example.com' + secretRef: + name: my-secretname + namespace: my-namespace +``` + +Optionally, the management of the garden runtime certificate can be enabled in the `extension.operator.gardener.cloud` resource: + +```yaml +apiVersion: operator.gardener.cloud/v1alpha1 +kind: Extension +metadata: + name: shoot-cert-service +spec: + deployment: + extension: + runtimeClusterValues: + gardenerCertificates: + runtimeCluster: + enabled: true + # virtualKubeAPIServerIncludePrimaryDomain: false # set to true to include the first domain of the virtual cluster kube-apiserver + certificateConfig: + defaultIssuer: + # acme: ... # either if you want to use ACME, e.g. Let's Encrypt + # ca: ... # or if you want to use a custom CA +``` + +In this case, the extension will perform additional steps to create a wildcard certificate for the virtual-garden-kube-apiserver service and ingress on the runtime cluster (e.g. for monitoring components). +1. It will run an additional `gardener` controller to fetch the domain names from the `Garden` resource. + For the virtual-garden-kube-apiserver from `.spec.virtualCluster.dns.domains` and for the ingress from `.spec.virtualCluster.ingress.domain`. +2. It will create a `Certificate` resource for the wildcard subdomains `*.` for these collected names +3. The cert-controller-manager will request/manage the `Certificate` and create/update the secret `garden/tls` +4. It will run an additional `certificate` controller to watch for this certificate to become ready and then annotates the `virtual-garden-kube-apiserver` deployment. +5. The webhook `sniconfig` will patch the `virtual-garden-kube-apiserver` deployment to use the secret `garden/tls` via `--tls-sni-cert-key` command line option. + +### Optional deployment of `cert-controller-manager` to the Seed cluster + +The management of a garden certificate for the seed's control planes can be enabled with this configuration: + +```yaml +apiVersion: operator.gardener.cloud/v1alpha1 +kind: Extension +metadata: + name: shoot-cert-service +spec: + deployment: + extension: + values: + gardenerCertificates: + seed: + enabled: true + certificateConfig: + defaultIssuer: + # acme: ... # either if you want to use ACME, e.g. Let's Encrypt + # ca: ... # or if you want to use a custom CA + policy: Always # policy should be set to 'Always' to ensure the extension is deployed on all seeds +``` + +The extension will be deployed with an `extension.extensions.gardener.cloud` resource in its deployment namespace. +After the extension is up, it will deploy an own `cert-controller-manager`. +This controller is responsible for certificates annotated with `cert.gardener.cloud/class=seed`. +Additionally, it will create a `Certificate` resource named `garden/ingress-wildcard-cert` for the wildcard subdomain `*.` +of the domain name as specified in the `Seed` resource at `.spec.ingress.domain`. + +After the `cert-controller-manager` has reconciled the certificate successfully, it will create or update the +secret `garden/ingress-wildcard-cert` with the label `gardener.cloud/role=controlplane-cert`. +Later, the Gardenlet may look up the secret by the label and forward it to several control plane components (like kube-apiserver and monitoring). + +### Extension + +An example of an `Extension` for the `Shoot-Cert-Service` can be found at [extension.operator.yaml](../../example/extension.operator.yaml). + +```yaml +apiVersion: operator.gardener.cloud/v1alpha1 +kind: Extension +... +spec: + values: + # gardenerCertificates: + # seed: + # enabled: true + certificateConfig: + defaultIssuer: + acme: + email: foo@example.com + privateKey: |- + -----BEGIN RSA PRIVATE KEY----- + ... + -----END RSA PRIVATE KEY----- + server: https://acme-v02.api.letsencrypt.org/directory + name: default-issuer + # restricted: true # restrict default issuer to any sub-domain of shoot.spec.dns.domain + + # defaultRequestsPerDayQuota: 50 + + # precheckNameservers: 8.8.8.8,8.8.4.4 + + # caCertificates: | # optional custom CA certificates when using private ACME provider + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + # alternatively to the 'acme' section, use a custom CA + # ca: + # certificate: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # certificateKey: | + # -----BEGIN PRIVATE KEY----- + # ... + # -----END PRIVATE KEY----- + # caCertificates: | # optional custom CA certificates when using intermediate CAs + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + shootIssuers: + enabled: false # if true, allows to specify issuers in the shoot clusters + + runtimeClusterValues: + # gardenerCertificates: + # runtimeCluster: + # enabled: true + # virtualKubeAPIServerIncludePrimaryDomain: false # set to true to include the first domain of the virtual cluster kube-apiserver + certificateConfig: + defaultIssuer: + # duplicate the issuer configuration from the 'values.certificateConfig.defaultIssuer' section here + helm: + ociRepository: + ref: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:1.48.0 + policy: Always +``` + +## Extension Installation via `ControllerRegistration` The `Shoot-Cert-Service` extension can be deployed and configured via Gardener's native resource [ControllerRegistration](https://github.com/gardener/gardener/blob/master/docs/extensions/controllerregistration.md). ### Prerequisites To let the `Shoot-Cert-Service` operate properly, you need to have: - a [DNS service](https://github.com/gardener/external-dns-management) in your seed -- contact details and optionally a private key for a pre-existing [Let's Encrypt](https://letsencrypt.org/) account +- contact details and optionally a private key for a pre-existing [Let's Encrypt](https://letsencrypt.org/) account (or other backend supporting ACME) +- alternatively to ACME, a custom CA certificate and key can be used ### ControllerRegistration An example of a `ControllerRegistration` for the `Shoot-Cert-Service` can be found at [controller-registration.yaml](../../example/controller-registration.yaml). diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml index 063897d5..46708cf0 100644 --- a/example/controller-registration.yaml +++ b/example/controller-registration.yaml @@ -4,7 +4,7 @@ kind: ControllerDeployment metadata: name: extension-shoot-cert-service helm: - rawChart: H4sIAAAAAAAAA+w9a3fbtpL9Wv0KrNscJ6lJ2Y7t9Prc23td2W29SRyv5ebcns02hkhIYk2RXIK0oz72t+/MACApii8prvsy2sgUCQxmME8AA2rCY1cEIrbE+0QE0gsDS07DMLEcESeWFPGN54j+Rx9UtqE839+nv1DKf+l659nezu7+7sEB3t95vv38+Uds/8O67VZSmfCYsY9iILqpXtvzP2iZdOK/PRX+zJsEYSzW6AMZfLC3V8t/YPsi/3d3dp/tfcS275zaivIX5/8n7JwniYgDyZKQKRaz26kI2Cj1fNcLJizizjWfCGn3PmGXU08ymUZRGCdwAWLhs4kfjtiMJ84Uam+xWPg88W4EtEumhfs8cAFAICbwNAzY4ygWY++9cNmtB/X+44nNXgf+nIUBtUSUWCRi5nuBsHv28fDdMAHcAMQgnM0AwJvBkLleLHv2xEv69KnQ79mjH+M+fZob00kfP8xXeRP0c0AjoC+N2Njzhew9teVtBJ8jfg2fyQyu/w+qvuGxF6aSnR6fQIdRHP4gnKRne67gfVUPbvXsG+mEruj3fmuudi/d9H8w5XFiz/nMX6ePNv3f3dsv6//27v6D/t9H4ZH3RsTI90N2s9PjUZR93dixtzd6rpBO7EUJ3Tpi34AjYA6KAxuHMUumgn2tRYgNUXDYAASHDZXgsEyq7F7AZ+KQdZK33o3BYdsGJP5A6vSHK9303w0dexKu20eL/u/s7D0v6T9EgAcP+n8fpd9nw/Pjf1tfgfcbhNEcXOY0uQRhOGS7YJjZ8OicDU8YqDoP6Asfg6P0eCKYE84iHszRsec2wAmDJPZGKfhq2ev3ewb+SxCjQArrFKol3tgTMVgTiCymwtoFDYd6k/BwgiAQtJwyy2EbIw4Xn359dHF8cnZy8e6bo8GLd8enF31Tz6LeQt8H+Y3FxJNJTMGFDc2a5JnZ7NPHDk+Ybffh/zcnF8PT12dP9Ffxns8iX/TrgKMbZCcG/OEy+I1qaiTEOpbHNmWfJfMIbGGFotU+efs2YFBuw/haxBCoyKEKwoR7yJI4Ff3NFbDfwPGGwI/iOm3NRcBHAJctIK76IEuvb2JAiEbfCeMYQiCWd8MWuulFRegPFvz3WrrZ/0SATIFEyLVWAlae/0P893z/Yf5/H2VV/r+DKR9My6SdRJ3nAi3+/+D53rMS/5/tPdt58P/3UX76yWIuTMRh1r2BEfoGs375pdctSse2Apw/tugVATk+jKqIL0JfnGUwsYI3ZvYb7qdC2qYLO04hIJiJgWpjKz/kdkfD0gAUOr4Ua1JQTw20ADc39iaKEMuyesVp0zJcO+tU2qplTq7jh6nbv9nhfjTlO71rLwAPPqBKqfKdPU/KVMRnNF/66Sfwq/+bejEMyYYZO+wLYiiIYIRqaQOuPPWTU2ppIyOZJ7OWG2yllkBjLMCTe46+vSYaBgi0WQuZQvtl+altfAH9QEN5LuJjPv+vNEw4Nq9/StStC9ZITRcESVAUbRIbFL8f9pgOwdwWfIqtMm1ZEZMo9m7g2wsxP1bUET7Ldw/XAWVzfxLGXjKdIVDGsq8thLVB+jACben9KC6GRwon/WV1jApQ7gCfk8FxESP6uh5OGaQSVl0RXNQ87igzgH9JMmfc89e0AgjDJgDrWYFCezVQYGPXNkkETEH4AGw0AEJnjZHF9eOIq3XwS/BcYZooWMv3u9mmLrALwrAu0kbwDLLm+yH7ubc6mhm0n2EC683gD7hCESRsbx2EI5iNToVzjV5TsUcaNJcetGpYDajVMHL4IL+nISzeOyQgSfgdLih0BpSN0+56jOVOQkN/lCZTMK4/kqho/OqeqjWGxc7Wty4OeU6Ho2Up1F0Yjser67bDi1XWU+9FGE+WBrvwkAT/LjFGXbgDpAHMMt6/R2mtvqTrLPb2Znyi5w8ZEVMuz2nvkG3IKd/dPzjMh4rq2wmf5L2BpQmSMdt4JP/1SJZrxiIKpZeE8bwJBM0qKgAerg2wmmxDtS+4K2LhCwe1z3PVADROglQTy7QpzmYa53+rzv/ptp7TdN0PbN3/e15e/9/bOXj+MP+/j7K4//exno8OhROL5OPeTCTc5TBF+hgEV23gNcmJnuzqujLijprB2hcgl1wK+8zcBpH/uJdBLsgT1fcCx0/d0tTbBlsyOtgTgWMiBtCJ33r4/vBlZf1XyzRjz4dPafnhZOIFLaagbf9vf7+8/3+wd/Cw/38vRfvUIEw6r8xVLIGNoWGQjLzEVle2F5olrl2zxKWgfEWCkxsW0H6fj8DB4hUrADJY9NWO2IYUEBLV1NGLaqWayl4Zh2U2w2Y8AHccF6Vc3ZoBUAvb9mQkHERHCzlegtfnMWiDwpKxazFX63OgAPqWrkAdmk7UPV0hVrOJYyTbxNOUHnXIrtORiAMBCmY/rUH4aT3CT/8M/IjFbewlwoI4qZoBusIlnxgmxKkvpPlisc1PMcb6Ph/Lt/YNj9/awKK36JkSDsFVDHcf1+Fgf/bPd/ivfqifsFSSsYQoT7j2p5dHXxMrN6t5SYzJo7zfWtkrypr2Xwn23dj/7YP93SX7//xh/+deyn3b/3NlEYv2JrcLS2bz1zFFxrzEYiLeK+BIJ03oaSfJ3PkqjEGpod2j76xHM+uRe/nom8NHrw4fDR/9qDpUINjm91j9HxuP//l3vPjirfvT3i8WfO7qz8v//n7jf54+2XgrP/PFjfD/ATUlXIBFm3/x9vazJ2/lTE4IAKjUFzZU3bwX47Gy/lM0PuORRdPaG5huhrEVAiVknSsNQZv+7x+U4r9nYAEe9P9eSmlhiJj6hpj62vCUNgIW00SLu5aveFShzsVZnNpXtgFOtdB0my+WzAGPIrvgasHgNHVc08QLgPtBVa+0ZagpIqTlu0UhLy16Vw7c4pL27zIOWFn/Y1eumgjeqP87u9vP9sr5P7vPdx7Of9xLKXtyuC4kL1x/LpUrNxoPoxXOLoQM09gRx7hc6dFy47IB8PQONcpRyRt31ORuKRzrKHZ1GxV9uNZovtjK5LLjjr2OHCZxmEYqZlmmjWyZIk2Nmlqmpxu+J5MXhZsv4Ts9iPw05n42bHRPQmSd+jw2d3Hz0wkxkMnsIvank+V1lxbjrktM4f45rlSLeBD66SzIZkpYZzGrf/DqhDL2s6kqlh9kGJzzBGY0NpJd3Pks1FKsGp5cvDm5KNzWaawJIDBp7PaikDSqtpnbUChXUhicvDo6fbkiAsOEJ6lk4XghdbWmf6pLf8Qy+ZdHl98OV+xdCQBVbeyyVEH1ePnd+cmK/YWjHyhhNxZqsDFQhS5mUXXvRqNt0+Cyor5C5ujrZVzc4jiVMNH+2WVuCLwMZBvHdTVbt1vq//Rs8PLb45Pjd8evQQrOioyIYg8TSOaYzb693TxiCliWmaVuSmcKAperDqhfcHR++ubZsPSAVXLXk5QtrfSXDS7sBdwAWJx4QhahoGXKzPHC/VIPm4iGqqc3jlRf2hzA8CrcUb6TKW0sRrgEFSRlMSe6xpjgr2TE1sYAD/iFqe/i+vwNnuqJhRNOAu/HDDYdGsROKThISjDJ+IAZYjcYI9EJQDbjcwBDkpgGBXg3Koxir/D8oReMw0M2TZJIHvb7E5jOaUfkhLNZCi5n3i+eM+i7OKXqS29i8diZQuTlJGks+jCQFqEe0Ca2PXM/ibXrkpslXCs1CAuZ8EY+oD1HRnPdXNGSD7dJmb84GV4ygwCxpMwDpaFZQ5kzAocNRgXtBbJyHIczggnxZBTCOKucfN+DViWgMh3NvERtK2P+GnDMZgMe4Ix/JFgaoaa6NjsN4O5M+AN0eb82G3C0pYVD250RxRBjuYEau4VHxlnXck7p6BCqGT3FJkpfjM7aJQB1SovFZEuVy7LX093RNUBMQif0qXPcN6eLcr9tfVP/wIaiP62uVcan1MjgNvb5BGeGCHQGT5w6J7lYtMUAyYIAC+TRpdUlIcDcV5GERTFwFIYQblUD1g6gEz3Hqi4YahUD+XMzsGAfNSAGt8NbwC2M8WzLyHMhgqslCU+/FBNLjCbVNGjjEhbxnjxZfYUSUSeqPuOglYoGFWUSbrdTz5kWMWyAynI7gLAy4tlj5VzRVuGZLrAaeqyeNEADFZ81UImlVp2rqvE45vPaWtr9dx600+DXGTQjPL/7Iau1jKaotM4uWnVi8jfJ6dAXmGaAm6IIIJUkSrQ3UjoGtiaJOOXD0OHIccI0SL4ETwFVuxk0MKonlc2Vk44FuFERoAsO4evgqEFLdfzCFRjjGchsq5lQHYFdjMC1mJ8ed5Zmqm04AFcal8ERPoFLrmIAQ3mjhOlhQWgjuHAxJmiVtBaBBCxU1siFGK9CVNYo88F0A9lkgktVpZEipc7T0Hc1kPkM4oUYvNarowGNkB4vMz5mDBqhGrmhN1Rg7EGQNqcz7rwQ802bXeb44hOJb6gAj1fvS2g4M5LY06ezVCZPn1IkFlgR6JRwt9gIYrCDPfbtxUsI8PCNEi713sSjLgKHhSY5jTVKLDrTZ0kg3gMbSEMBhpTnK7bIpUynWiAzDJINf1Ug3EQUlo7WsLiEvCp5ioziHErd0bSSbLUSVhBdOkSDjFVsxXG7IypbLTrL0kfrR8FStqT5eaaW6/qWqrzrLub7vCL7Olt5V9zR2a9ZF7WUBAUYKR6/plAOm6BWH58Nixn3NlPbfexqGsrkqhYogKAah3g0+mqLCXtis43Pbfpvg0lkPkyMzZ3D/Wcb2GZjEoYTX1hROvI9x3IDaXFb3bNhPoXV6oSkJWboIDttsUKejd9qw0vMWmpXb8bRbdYSoTFA0fsQn9pm3n4t07aSWeuk7J3M2VqmDG83ErOeGesshg1GQ5/t6SJ6w+wQD1KJrrJ7dNaKqrz2IjAPgynE+iKYiDfc99zuc+phbXM24/G1NOEaIO/lewOVYENgIy7V3CgQgqyWYwBLWrchQA7EDFCTngtclBGyj+trsVs3UWU0m6HlXW0aObXO0KYFu5KVxAFHfMiKrj+nb/ZS1tJOQPHZ0h7EYqc14uUsLRxhWWAbxNJanODqg1dj7sWmIqJ088FoGkr+Ykaz8XFccdq5TQuqDjpr+Zvx994snbEgnY3A9oLBbVtAyRZO8FV+Lp/nS2/q7WFNFlBRhpsIk6Xn9Yu+tGnWZdlXbf4Zzcq2Au9z6Te3MWqrb1X2MvbeyvewrUhnGFtpcB2Et4E19gRMiLNk48WyvkH8DZAFJZV80j7Er1S9MltjJuIYPjWYetxrNDEcEa7u1/olSNVxwAImr5eaGKQMsOyVSvBICV51LFLjf8Y6OREU5GBvRfW5c8vAnSTl/u/IQChL0C4waAZIXAQYe0BBzKJkvsU2zwUt/WzC5QmKDlwAPpsXgrvzzZXlhx62oXIJlUobxtjOZoM0Bmea0MtR4WMTjc0mBWebDi/vn6mCkZ00bwhbEd362Mxi5fyHHNSS1leDsUiee42tlXosWAJcWUP9X7iXjrLt3LwT7QDYT79k+bPd3zpTynS8s2SoghZ0yYiiNKdyCnMQWg5G05h4tIHDoDKQ//TZU4OSBclTqApPlvKoiiNuxjROznLgKIpYST3MMq0W7dWvkm41TNU+f2FPqt5SLucDOfTWYkSpUE3xfPD61avXZ+zs6NWqyUE6XSVYhLrcubJLMCWxgyoETofDb1fOA/tt07BO3keedsI0v36czbZxV2+GeRB8nJjEC6zypBE1kcE7rsLx5N/npxdHl6evz94dH10W2ZSnKu23ZSotEWE2vdX+JgiV1DLGfdruoPdx08NG3N1AnpUqKayPz4bvUKrWTa36/SSj3WmSV8EAGcddTBS403Svn60ld/xhCWCLKV9LwNdMAatK+lqO5puTwJbq31dSWGVgs05OWAWz1s8Sq8gLq+XWCnlilZlhS4CXM8WWqixkjt037wqZZF25d/eJZAU7UJdNVrQLtEBGY77KEkPu99vn7VnVbP5+lr2uvYjJY5iw2exgj97SK59UTRSgxksRTNAMN0wza+Y9jqxczF9EdniRzSIL3uoWJBkGCkbkxnORgC1wQuSdKk0KlpBmcChrODOuST8x0+bRvHJG2kiO8Y+tNOWoxkLN+XU2WiFaXMxJCqs3WksMqyKoYXewZXWxaVfQTTuuc1SYOix6rQCM+qYBtckeezZMZ31vLNDfP8lyWAoEsrMQNUSns1SC1stoFLCivXNgWiNF4edLEGac9W+632I/4LKs710LytciaWlak4C2PFE2qWYN93QM/kuKZEsHh+ZdioDK37bVasbj3Z2D7WmlZoFt1OvEE9qDQfUEh5zc4nRJDw3M+8UtyMotGLjwthIIzWyzJWcQKLSnEnOWRIQ0jObs65ACLJsO3x7r8cjNcejzYGKH8aQfXU/6WLP/yULVldc7YMIJ9voCkRfuEYbPrXJ0stSkkLfJCX9GER+SiEMT8WX7qQoB0fletGICSE4mIlbJqEX7B67tSzFGmXF1DDeirzW6qCcATWYFn1vZIeIVhmwc4rrXAKPs1rH6Kq+LFOFiAFTw8ad1slMVZO/BDm3v5NuFlWR5OjcCACmIatew3J7jhqAGffUOl6CsDK79d/Xgi+qsCfzJoOodquZtQk8Ojta1P6fQVodYhkDQSkCDZOcKQV8xWnJmYbDkF2vcsyoLFmoFQ+RlKClTVAl80Tx1NUVt46gn7a2DeWpqGo+cJ0subI3opM91tkWbNhsrNxqxV7NGUsDgsTYDjn51sqiOCXL6CzuUasJEOUT6fRa4uLvwPOHxRGSPa0HD9GcC0UpQY+A7bPC1blnWbFcWRkYjXRyeLWX4VOJ9/cCMzdgo7+XhpLEr8S2Ute3wl9aPFqHWbCFdizmlWLYHYC9MzVw+ZDH2MpBYmCZRmmjzXZ0pkWV1KtOhNnqREVd9/QUU5sqkdDbtZbfpxg/X3XLk/vPFsEiXCi5VXjsiSxnpVMmQWS8BhijcZFqkLL/TlbwuJGJRKSedt+hrLLwpA4KW/X5Jkex8fclMfgbNsXReTpVb3YKBxB+GI3F12ZWBbAOrriAq830MukwOjR5NpT6N4EujuYV5vvGc4rVUmqUAiHDkLbriXAKvzL0sN+SqmQ7MUM6GgyghpMk65JN6+AuDFAsLzQGu/LfnLDSd18GyhOhd8fu8DLgyrR/TsSkvpTTSjaD1S6KWxt+ED5pJ9LAoZ3eRmA2wVkpcfpHntGO619wIX4nezfrsL1OucDHEBENAJYqFrE/tMqVzYnZuVlYicJg1M3SWsoUAUeQUMb7J/WcIh2aMKEc385x3RGh74jUWqzAcrTr2wYneyjA1VFjS0kZn35Tufe3Ind1uCW4vBsOd3XYHpuv9BX1YifJf0Y1FO7sPbuyv7MZKovbgyZoqPniyQvlzerLGx5Hh0GAK+tU6Cd08X6ivMttodVitbM6VeppKLblyDvVJ630qITMcj2nLL/UTL/IXF7CostzSwGuW0qmSOtzIg3whS/1gt1ruNLkq+qeykdc2OpUgVBW3qoawcESLcETSdFfK0ZBSViWuNQpo4QdH2kb+PD9NZIILOqwpRfZyuER5lPzXiSrlBZPs8Od11nodQ/a7R12iogZ3cZT9CpJe9Ckclsp7yXYa8Zc5JThC9ePtedVa+Fmm5cJOU211YL/elXO3smxNtXVP+106k/LqYnh0Rafl6LeJGhw8ALzKyLii5WK98u8SA66QA1fm5EnWdy08V0R+OJ/RHrdJWjYCqfFckMQaQCJIa1mHFgfoa3hKRK+7KIgEf6jUDAGGERgUlJGXENxWOVlDHsrsw2X2UEnAlk6mKgjI1e723ufw4OrZ9vNdJSJ72387uKrnKEoBscywkYKjKj7rJX/1RttMjFaSPY28ktpK9PcPFNbPPt/7TZA+C/X2QAErrYjrCjPQ1PAUCG1qC+xsagxcbniMrK95XEhxf1YHojkJvPV8TCBuO+S9Qy2ziaiCdLUrCxzT0lJ5aKFtjqHip5eFxN/FUswsbXY1LQalIhpVvZLkqMxjkk7XNdlcxWCi/oRZ4+A2R8t1EXLFjo+OlnUaVP6+kdrV+uxHqpunyY2jJpsmfBXIN22aVRFQiXxxAaQDAXe212Z+MLTboT7Ga9W544G+O94Vy9FsP8SnUaylYIUDfJ3Sa7qdhsIXaut0nCSceU6vI6gOx92KyWkNZ946bH83iduIO9cQ7Lcqy5dQ7/V4bNYockxIxBAKzhnYmHt+64woPz20hm50O9K1hP9qx7qaDo3qkcgOIMH81ZsEtELT7g4rU/GwtLlDHDM6u12blbNE8oVI4rnKyNGkZtnaeZhoWMGW3mqYF4xuYnwrD2YlUZ5NnWZ1yabJqW2wI5rYU0xKhmCpO73/396xNrWNJPPZv0LlXBVJyjK2A2TjKm7PS5wcFQIssGzt5ThKWApoI1s+yYZ4b/Pfb7p7XnpLNjibRJOqAJpXT89Md09Pd4+oAUN2xe9shd5ZLt4W40AW8PTFcqAVXY/rs5RfREBalQKtZE86Ipc0Y++wMmMdwYljpjxocvrNON2Asw+QLU7AVIOkGLO5lW2ExEU8sFJbfQteqKoxHAQX+NHrL/UAm2N8GcOgaFYSPtthPz269PAnEDNmCtKBIMeE4IzFRQRT2PUPjveNk1yOW6y69axwdhZYk9AV7hXZp4Xyau5kq2IBQQ4Z9XEjHoF1WRpcQMF8HXDD5xFE1AmefPI0nWeAExWH8u7GIV3pfGI7gQd7VutvdAOGbXabrkrAqIurGdApGQw7WW11l4EQyxYB8aRs5s0gHUfDS7jIyQayLH0rpbLN8Y2mVH6+xsp92jJu5mMLblMsGwaj8miDAUbEErau4JlhxI+cvsIZAos5CBM6IZ9bPsbsapoh+vPei53sE2cJlJVn/lWwl2xV89lA9ChHpoiQwE0J1aq8s0gPAYHg6FYrD52vfbB6J5fNFnq7pnUDjFo6End7LeOKz5lyLBR09P2ni3bKYFgLL1sxSMHEdo5Uy87TzxukZgaFEz8C6VxEI2eOHEnx7smTg9h6cSfgi943OgUrJU9YAkZthfezPKglxQAsIMvXgTWm8LouvBQCip9A32J0nsSK0oFDIH8j5GS01KY7Dnx7PsJwah+U6inO72BX8mdonU8wV5puF8J3OxbcK4ZKR4j0L1sJxtVgNw7qq9A9TemsWOeha+MFgWVczy02jpnD/mB0NZ988Fb0aMPKB6mQknACRJQbBsw9nJAOlSJA3U4vd+HJcpmFptYMfF36xn/eD8x/WeYfF0/4Lx3z5WWrf/FM+/Pi6Y9/W4XcpZ8SVYqs4dixUKyPFjJi9vUM7QleW17IfvxCwTuykZavdwQxtnkmfdkzi2Bv+WU4JKugKStKA6UIkqAoipWKEGpecAYSZLZH/LbziR2TKMTfZo6XnEg6k+tma2TV6nnyntYIWz4m/+2Z+PT0xyf/bufmP322yQppK+/ivamWXfvi2dMftbynKyzCojteM0VWzCzKRZHMfCKYmdm0wjOzYw9uqFTq6jjDnWppzzHBI3VvsfW5gUW92YudeCLFgTzfcXWuPyMNAt6muEzcy3KkyQV2BU8G8nFJDewEqeiExG3hV72U4/FG5DGa/5nm37DBr402MPAMGWNtZPoZGMrF8MoZWaAhZ+2BPu3OCmw4JI8Z0XCvXI8hfxWt7D34bvzFfCUeSIOT4eAgshCQqjoboJE8MpGMgFC4FQ5SKiX0r8FM0+rlOKOiwDml1nIiga3sDlcH/MrE6XIBvyqGw0rcAc6q0+tvKpDUQ8eFCpxbf2SRqVIdIWrZCFEnEouYnxorSpXJixqlzYfAeGr8KCj3kdCUGkUq0CF6kHhSehQaMnolmHQ70vi7aiMdHRnBnPaGJ2f7r/f3omGKykT3CbWITpH5SAJz7/GcdC6GUo/nzJyycKhiA3q9KAHTyfD86O3w1eXgTMvKD92U+xQe997WSS2RMF2FHZBXPL80o+kF/ut7UVth/ZJD/+NJmBWzCtYCtp4y0MPhr4mxxE1ZYsP575yJ9x9QxW55XhQesqPiQ0DVUUHQJwROtZgaTuvnXwYHbI3GJ6QY8d9cACpF1dLYt1rY7EAJ7CnVRKMOUSVTHaKqDlH1jYaoUpSiRLCqBLIUJakUvCoibxQbHESKJ+zqwjQrxQyzmVRxqAzIkFZWeOgAVnLZWbsuJDtwYQWwvoROJCohLGtT8nOkFS30EN7OQkAWHUF4mSknE57IoCheGL0FvmNQEGMjuuw3IiJd1pqksBxoh5AUmVBrSg44mqV4C8oLl4YP7KdjKxCFAhkjQD2EqqaKEbXCaywSU6bQm7GpE4JwMuJv2hDSTbHvybxSI6zlDC1TUFnZ8PKLK8pw3kpox6Ac4YWiskTNP/GrtAC49b3bjKlPWTRLEHayLy1FOl+TKaqwW+K2Z2lr9+4Gwj+xrhmHCvNcLKn3jOyC176q8MnYlcJVtgsY8ZPsy4Vyvr/FjwsuyTRz2zQqecGW9IEt+Zrg8ky2YEjZLLjCMMo48uYwZb1AFmvWocl18i1+gk5sm3JBJGTxMjsz06Qa5UPedb0j6x2Zk767HckFsJI286ShLLEXw/kIdtuHuedlr/484a/ekPWGhPQdbkg8M5bckFj2HjcktfcEzpVg8ct9YLPeuq+3aL1Fv7stmtvAt2dSkrgtLaEEitVIehRK55rUK1uVwEVCXO+myQkrq7XIT7hYs0Hu3/es2eCdf2nNBgeDazYKZkT1fr88IT9CWoE7NwTLuibnA6W0dQLX8vgjhetlFtUc7Quoa6X3cx+UZ1RxwC/igku9o1t6dDT3hzj1FQZ4qlVTrzFry6gqb7xHzqcPaRXeVi0kQbThNet1BF36Inqdmh5lpJoeVR9dTY/WTI/u+RAtKFGVQ3RNjrKGVZOjmhyVB/frJ0f58dNqjw1CwxIeG/DstzOxP39+VKfcVMoJZJNxpikaz26q8JXthTX2SvXRYWlnawt/shT/+WJnu/Oo+3yr29vu7ezA995Wd7v7yOg88NgxzcH5zTAeBWzQeeWK8r/SlHRtmobKlemVnO0U56Wy/kOKYyachYgFoseQ7t20usfSjeON2+HNJrxrOntoV6cb9/rGtG4tl40B/WtNetuiLWlU3FOLKB/aE/uex/iSsN9lEqIL4P3TBbK3OHDHLgO/hzlTjxH2kMA4JzN0/nHPn09mBE3I4BuxqoRIjNEdDTC6Om6XQZIgIBysmHkzGnBbsZhgGNwsnI83SeSJwMERjL2JgN5NKEDfm0bb+NMIb6ze9g5rQcwTJGAMECGHI9AdM9Zyjhg7unWCu4AJ4XpxCQQ1DExf4Qcr32Jl0xe1IzA9mYILl/G39hkff/snhhfwKTGaWpOpDSF9bT7NHwrjcTmjG0OwvVHYpndFTkcB2+mTa70Ck+LHIP7PtZXQTJnCZkaNENp0Iu6GyUJTH/ZgU1u3AjDIibSuxsT+4F+9WIDc+1jBy210SKz4nR+A1WliU/tmwPahO3ZMhmeUZIK+iMtcrr7NNkCkhm7XH5tcWZt3ykML8MnWloXwTtvzrBCjUERISFYziVqqQZwkL3Ryu5CzES5Ye2PzpfSMS6xbPjWD0Qjo2GHlyeRXLoyFKdfMZZYEbsMoTcFPQE60FYDfjtlB/9hnxHcRwSbmtacyM0JL/PHY0r1yTGOzGoCmYXLKt7vpzEabERmN8xygGpEKY+sTVOJm4Cb4Mk1GrueEuxrcihXh77zw6WIyCvUhQHs3juXNbpAwVm9bq1yin2B25VgzUwoQu1nyg5FRE40UTBG/k6EK4vXkAUf1yCVSBNY8pVo5dLb0VpRTKPrcxdm+hIm85BPZotZaaUdlqK1Wygh22y4Vj1LQyOYs1ak2MS2Jh0gDthvCaMw754pV/8hambh8NeaxJL2qDoM2Bzx7T+Uylve7706MZqsZb4ue1jVB+YQSg6mEh6x5pSpHosZAVoi3zRaWDXsRRChk8PauTgwoW+S6dowuQAtyP3MPx900Ssvz9LrO5FanC0S9DoaDV8OTy+HBcO9s/+jwEl5nPj0e7On+peii95qx2+hZG2ObpXha4XfyaZUurUnDiIpCkoB3/93gzfCcAXt0cnl0Pjz59WT/LAFr3yChPLyUks4mdqB9iBKxYjlHytl6GU1BwCZh5v/G2kyp8ScE9h+zH+zAA24y3U6BjHUL7vjOO2BVYXLOUqRUDQNjqEXoTxDwiP7Eso8m3qIffVdgyWkpEFgzwEtMUjn4IsgiVCW4ch6OSNjXl632jICRxyXbkZYq4aoqpqind1Yk9s5ESFaSXsAXRiM+fy5EPA/19M63WRNbvRRJ6aHO/1X1P1PfZuQ6mKP28WpuXzvFiqAC/U+382I7pv/Z6ez0av3POpKu+5miyKq0P8e+/UrO9U8411+ZGqjqIU8ct5hc+8uEa3Q8h+J4/iU1K5zMhc74FgLFjKcQNrD5912j2+7tmB1GffasKWmlXNbeW9Y0n+72G3d2rgsi8wnJgAs27UMGEky6OOEMvDtrEQ7gYNpYA1Gq09pSVfofXFmj8pp/SgX0f3vreTdG/3s7L57X9H8dKa7/x/m15rMbP3D/oDAPifhmdLo98T0nhR1ENLKq5CHJQl+1rj+YeyDMmhAP5w1EKMMhmIYWCy4RrCxyTWmKgJ9g2MsI9hX/Ss8sm2hggr/cAXdZqSNVNPbnpox+WwwAvasqfqPoKkmosm45kkDxCHB6MBsNiOazZrLxZjPZjJQklkRjWvi+lKnCOEnioy3D+GV0Kh+olYhS2EuiLGuXZa6YgO2hMP7hysU4nPRdlYhlVQSWQmWBWX252WhyE6gm/eVA6Bvxh7ziwA+Fcw2Xj2k9qEvneDurDmjk+wHDU/4UIBWIYVLrEM3C1HozVu1FfJfBBk2jlBbKTCN9ui5PA19DEqAwORUpoRdTZoZcskL99yr0JdEtnUCS/aScOrPnowox09ZGdZ1ucp5T41XGN3Q0Tsm9jiEBEalJ/aAQKspfmqBOw2ST2q5dsll7zBYVm/HAuWZFg/z9M57P8MkMrp8m0jMPrBSavfFsQz/GrCYD/USU9jsThdg4uHpZTFoO3hoyUqsmOpbHUjgXQWZM3s5p5Maw8RCqiC8tmK8pVT3/CWVrlSNgwfmPHfbi9l/Pt3o79flvHam0xYhOICUZ5PvwwbWCCQMhzYoi08gKIkuarJRnmzPfBFOTsG9svP9fcxr4M3/ke81+82zvuNlqQl6zr13VcR6yR1fqZMpxTLYqny82qkFgeXDx7Ngm2cqY9JJDaHIzjwhgcThidjKtOOhLAcMHlwvIujAkp98U6lUOgaZfZf02Y5HE9atLBiM12qzUMxMpTWS+smdlZ8BQ4oKlXeQQ/ZVyaqHSJpNDzoD3j9kXmu+Guv7iqw27IZut7KVIhfgy6RtslSwhQKuuaQFpPW9tPce/aJEeC2iEZbnR1C761QoUy5KD6YayQrPMys0YlLzTjF4BrP964gFU70vyf4skr3JiQAH/BwVwjP9vQ3bN/9eQ4mefOGsXIvbXde+3NurKTjs+Wk1E0XXmf3QYMj/As3V/7ZNE1f1/O7WqXv8U3v/3ei/i9z/btf/HelKMacP0cgYdk/lhpYcjJhgxoSquDTkHlRbLO/btAS/GmPmSJMNkMJQkG0K2SRmEkPt0M9zoN6I10nYYP7q6sZLMItsjUBoJe52xOxmQ1KxbAI2dsR8sMuSUJFBt1UqbqqYLLKVq4gAjwgpJTtIGMM3JB74nHH2ULVNZskl6SB2r9IXMmTQZEkaiF26rcg8k3tSpIJWj//zVi6qEn6cC+r8FND9K/7u92v5rPYl8HpA4Tv3QnSEBc+bg3G/a/ugjeIJ8vG7bzq3yVWAnJNDHbk7nV2wXy++b+iVzGp2YWdd9/gYLHD81D4r9D4f+7JieDmk06IZryG+4+hrlPmAQ9cVNWeMxvJE+k89R8xNqy3Da120jFLqrq4WB6hflk9TgJaHlqKJLGrQ+FiaZolX1PIk70Rz3hMdPQ5xbf+j80Gk0ImfMfoP7NQd0jO3C+abRUNcX4LDcYLRRwWNrgCS51uMEB3oc4T/d3g/v3EK63ARW3Ww0NEt5KBTzyugb2+xjpgW9kHFB5JYOBJKzJhuS15F9ctlIc7ToG887bG5pWfUbj9Pa6rLP2kVaZqmGVkjNhpzdE/6uzLETvLIWP8/ZqGB+wP6Wl6B3ZPscWHCahyfRaXpocvCTXC48SCXE3pgswE/d5A/3wqPr+GgfxuKzJ2GbMlL4LUJojShyBgzMYQW9vvG7fzNhtZx/aI9K8xLC20y8XwO1zdtOr82WddtzZmxjjYLFdNb2g+tNm8kXoMZY8MoQysO6ls9a+XM2OzudkOWdnR3g1np1eNrpGuw0xZbJ5JreP6Ka7i3D7FuHrbo/2Zcj8QbtR2eBFQ+c2UZoDKlzQ2gN5Io1If00fLN/aND/J6cD4/hk/3xwNjTeDn/DfFm63Y7VHB6+Sq+BxUZsLh8b+BLu3cQA+k3vcrPFNnZsF2Ik0OrAcAkArWXsDcQMWqHBFjS8EzVzbzHuyGDv3ZDntjgc+hJEBLD6Ub+dx7Fhao/qRQanjU0OLaOs1oFEfLRfQH9K31mITes7FaVTtm5gg6MQTs85MYrXxn8t+H+rvYUFR5YWoCYkEOX7xPwBsijIIQV+nGPkL76sCONsdd66Nt8VxaiUg8lF4/011uCPcRKh4McHScWROrIG+Dt/LXLuxPeL6CmUhbCbkM8DQWPKTgwpkcUYISBkoN+thpIIycapW8YNPeuagYxEQNU2I1ez2CEyaI2bkYFW0GgkXbL6xvsLYLlpnhRsgpEAkx8PEeOIswe1i8cL2r7E0k40mePand3Mr4CkKYEive4SkkrWOKlBlEuanXav/ZLxQ1G535Bvc/a54VNEkZ0207hY8pxh6RfhE9vrrEXErVOd6lSnOtWpTnWqU53qVKc61alOdapTnepUpzrVqU51qlOd6lSnOtWpTnWqU53q9G2m/wOQtV+PAEABAA== + rawChart: H4sIAAAAAAAAA+w9/XfbNpL9tforcG7znKQmZTu20/Xb7a4ru60vieOz3Lztu9zGEAlJrCmSR5B21I/7229mAJAUxS8pjttujTYyRQKDGcwngAE14bErAhFb4n0iAumFgSWnYZhYjogTS4r4xnNE/5MPKttQnu/v018o5b90vfNsb2d3f/fgAO/vPN9+/vwTtv9h3XYrqUx4zNgnMRDdVK/t+R+0TDrx354Kf+ZNgjAWa/SBDD7Y26vlP7B9kf+7O7vP9j5h23dObUX5k/P/M3bOk0TEgWRJyBSL2e1UBGyUer7rBRMWceeaT4S0e5+xy6knmUyjKIwTuACx8NnED0dsxhNnCrW3WCx8nng3Atol08J9HrgAIBATeBoG7HEUi7H3Xrjs1oN6//HEZq8Df87CgFoiSiwSMfO9QNg9+3j4bpgAbgBiEM5mAODNYMhcL5Y9e+IlffpU6Pfs0U9xnz7Njemkjx/mq7wJ+jmgEdCXRmzs+UL2ntryNoLPEb+Gz2QG1/8HVd/w2AtTyU6PT6DDKA5/FE7Ssz1X8L6qB7d69o10Qlf0e781V7uXbvo/mPI4sed85q/TR5v+7+7tl/V/e3f/Qf/vo/DIeyNi5Pshu9np8SjKvm7s2NsbPVdIJ/aihG4dse/AETAHxYGNw5glU8G+1SLEhig4bACCw4ZKcFgmVXYv4DNxyDrJW+/G4LBtAxJ/IHX6w5Vu+u+Gjj0J1+2jRf93dvael/QfIsCDB/2/j9Lvs+H58T+tb8D7DcJoDi5zmlyCMByyXTDMbHh0zoYnDFSdB/SFj8FRejwRzAlnEQ/m6NhzG+CEQRJ7oxR8tez1+z0D/yWIUSCFdQrVEm/siRisCUQWU2HtgoZDvUl4OEEQCFpOmeWwjRGHi8+/Pbo4Pjk7uXj33dHgxbvj04u+qWdRb6Hvg/zGYuLJJKbgwoZmTfLMbPb5Y4cnzLb78P+bk4vh6euzJ/qreM9nkS/6dcDRDbITA/5wGfxGNTUSYh3LY5uyz5J5BLawQtFqn7x9GzAot2F8LWIIVORQBWHCPWRJnIr+5grYb+B4Q+BHcZ225iLgI4DLFhBXfZCl1zcxIESj74RxDCEQy7thC930oiL0Bwv+ey3d7H8iQKZAIuRaKwErz/8h/nu+/zD/v4+yKv/fwZQPpmXSTqLOc4EW/3/wfO9Zif/P9p7tPPj/+yg//2wxFybiMOvewAh9g1m//trrFqVjWwHOH1v0ioAcH0ZVxBehL84ymFjBGzP7DfdTIW3ThR2nEBDMxEC1sZUfcrujYWkACh1fijUpqKcGWoCbG3sTRYhlWb3itGkZrp11Km3VMifX8cPU7d/scD+a8p3etReABx9QpVT5zp4nZSriM5ov/fwz+NX/Tb0YhmTDjB32BTEURDBCtbQBV576ySm1tJGRzJNZyw22UkugMRbgyT1H314TDQME2qyFTKH9svzUNr6AfqChPBfxMZ//VxomHJvXPyXq1gVrpKYLgiQoijaJDYrfD3tMh2BuCz7FVpm2rIhJFHs38O2FmB8r6gif5buH64CyuT8JYy+ZzhAoY9nXFsLaIH0Ygbb0fhIXwyOFk/6yOkYFKHeAz8nguIgRfV0PpwxSCauuCC5qHneUGcC/JJkz7vlrWgGEYROA9axAob0aKLCxa5skAqYgfAA2GgChs8bI4vpxxNU6+CV4rjBNFKzl+91sUxfYBWFYF2kjeAZZ8/2Q/dJbHc0M2i8wgfVm8AdcoQgStrcOwhHMRqfCuUavqdgjDZpLD1o1rAbUahg5fJDf0xAW7x0SkCT8ARcUOgPKxml3PcZyJ6GhP0qTKRjXn0hUNH51T9Uaw2Jn61sXhzynw9GyFOouDMfj1XXb4cUq66n3IownS4NdeEiCf5cYoy7cAdIAZhnv36O0Vl/SdRZ7ezM+0fOHjIgpl+e0d8g25JTv7h8c5kNF9e2ET/LewNIEyZhtPJL/eCTLNWMRhdJLwnjeBIJmFRUAD9cGWE22odoX3BWx8IWD2ue5agAaJ0GqiWXaFGczjfO/Vef/dFvPabruB7bu/z0vr//v7Rw8f5j/30dZ3P/7VM9Hh8KJRfJpbyYS7nKYIn0Kgqs28JrkRE92dV0ZcUfNYO0LkEsuhX1mboPIf9rLIBfkiep7geOnbmnqbYMtGR3sicAxEQPoxG89fH/4srL+q2WasefDp7T8cDLxghZT0Lb/t79f3v8/2Dt42P+/l6J9ahAmnVfmKpbAxtAwSEZeYqsr2wvNEteuWeJSUL4hwckNC2i/z0fgYPGKFQAZLPpqR2xDCgiJauroRbVSTWWvjMMym2EzHoA7jotSrm7NAKiFbXsyEg6io4UcL8Hr8xi0QWHJ2LWYq/U5UAB9S1egDk0n6p6uEKvZxDGSbeJpSo86ZNfpSMSBAAWzn9Yg/LQe4af/DvyIxW3sJcKCOKmaAbrCJZ8YJsSpL6T5YrHNzzHG+lc+lm/tGx6/tYFFb9EzJRyCqxjuPq7Dwf7i7+/wX/1QP2GpJGMJUZ5w7c8vj74lVm5W85IYk0d5v7WyV5Q17b8S7Lux/9sH+7tL9v/5w/7PvZT7tv/nyiIW7U1uF5bM5scxRca8xGIi3ivgSCdN6Gknydz5JoxBqaHdox+sRzPrkXv56LvDR68OHw0f/aQ6VCDY5r+w+t82Hv/9r3jx1Vv3571fLfjc1Z+X//2vjf95+mTjrfzCFzfC/xvUlHABFm3+1dvbL568lTM5IQCgUl/ZUHXzXozHyvpP0fiMRxZNa29guhnGVgiUkHWuNARt+r9/UIr/noEFeND/eymlhSFi6hti6mvDU9oIWEwTLe5avuJRhToXZ3FqX9kGONVC022+WDIHPIrsgqsFg9PUcU0TLwDuB1W90pahpoiQlu8Whby06F05cItL2r/LOGBl/Y9duWoieKP+7+xu7+2Uz3/sPt/dftD/+yhlTw7XheSF6y+lcuVG42G0wtmFkGEaO+IYlys9Wm5cNgCe3qFGOSp5446a3C2FYx3Frm6jog/XGs0XW5lcdtyx15HDJA7TSMUsy7SRLVOkqVFTy/R0w/dk8qJw8yV8pweRn8bcz4aN7kmIrFOfx+Yubn46IQYymV3E/nSyvO7SYtx1iSncP8eVahEPQj+dBdlMCessZvUPXp1Qxn42VcXyowyDc57AjMZGsos7n4VailXDk4s3JxeF2zqNNQEEJo3dXhSSRtU2cxsK5UoKg5NXR6cvV0RgmPAklSwcL6Su1vRPdemPWCb/8ujy++GKvSsBoKqNXZYqqB4vfzg/WbG/cPQjJezGQg02BqrQxSyq7t1otG0aXFbUV8gcfbuMi1scpxIm2j+7zA2Bl4Fs47iuZut2S/2fng1efn98cvzu+DVIwVmREVHsYQLJHLPZt7ebR0wByzKz1E3pTEHgctUB9QuOzk/fPBuWHrBK7nqSsqWV/rLBhb2AGwCLE0/IIhS0TJk5Xrhf6mET0VD19MaR6kubAxhehTvKdzKljcUIl6CCpCzmRNcYE/yVjNjaGOABvzD1XVyfv8FTPbFwwkng/ZTBpkOD2CkFB0kJJhkfMEPsBmMkOgHIZnwOYEgS06AA70aFUewVnj/0gnF4yKZJEsnDfn8C0zntiJxwNkvB5cz7xXMGfRenVH3pTSweO1OIvJwkjUUfBtIi1APaxLZn7mexdl1ys4RrpQZhIRPeyAe058horpsrWvLhNinzFyfDS2YQIJaUeaA0NGsoc0bgsMGooL1AVo7jcEYwIZ6MQhhnlZPve9CqBFSmo5mXqG1lzF8DjtlswAOc8Y8ESyPUVNdmpwHcnQl/gC7vY7MBR1taOLTdGVEMMZYbqLFbeGScdS3nlI4OoZrRU2yi9MXorF0CUKe0WEy2VLksez3dHV0DxCR0Qp86x31zuij329Y39Q9sKPrT6lplfEqNDG5jn09wZohAZ/DEqXOSi0VbDJAsCLBAHl1aXRICzH0VSVgUA0dhCOFWNWDtADrRc6zqgqFWMZA/NwML9lEDYnA7vAXcwhjPtow8FyK4WpLw9EsxscRoUk2DNi5hEe/Jk9VXKBF1ouozDlqpaFBRJuF2O/WcaRHDBqgstwMIKyOePVbOFW0VnukCq6HH6kkDNFDxWQOVWGrVuaoaj2M+r62l3X/nQTsNPs6gGeH53Q9ZrWU0RaV1dtGqE5O/SU6HvsA0A9wURQCpJFGivZHSMbA1ScQpH4YOR44TpkHyNXgKqNrNoIFRPalsrpx0LMCNigBdcAhfB0cNWqrjF67AGM9AZlvNhOoI7GIErsX89LizNFNtwwG40rgMjvAJXHIVAxjKGyVMDwtCG8GFizFBq6S1CCRgobJGLsR4FaKyRpkPphvIJhNcqiqNFCl1noa+q4HMZxAvxOC1Xh0NaIT0eJnxMWPQCNXIDb2hAmMPgrQ5nXHnhZhv2uwyxxefSHxDBXi8el9Cw5mRxJ4+naUyefqUIrHAikCnhLvFRhCDHeyx7y9eQoCHb5RwqfcmHnUROCw0yWmsUWLRmT5LAvEe2EAaCjCkPF+xRS5lOtUCmWGQbPirAuEmorB0tIbFJeRVyVNkFOdQ6o6mlWSrlbCC6NIhGmSsYiuO2x1R2WrRWZY+Wj8KlrIlzc8ztVzXt1TlXXcx3+cV2dfZyrvijs5+zbqopSQowEjx+DWFctgEtfr4bFjMuLeZ2u5jV9NQJle1QAEE1TjEo9FXW0zYE5ttfGnTfxtMIvNhYmzuHO4/28A2G5MwnPjCitKR7zmWG0iL2+qeDfMprFYnJC0xQwfZaYsV8mz8VhteYtZSu3ozjm6zlgiNAYreh/jUNvP2sUzbSmatk7J3MmdrmTK83UjMemassxg2GA19tqeL6A2zQzxIJbrK7tFZK6ry2ovAPAymEOuLYCLecN9zu8+ph7XN2YzH19KEa4C8l+8NVIINgY24VHOjQAiyWo4BLGndhgA5EDNATXoucFFGyD6ur8Vu3USV0WyGlne1aeTUOkObFuxKVhIHHPEhK7r+nL7ZS1lLOwHFZ0t7EIud1oiXs7RwhGWBbRBLa3GCqw9ejbkXm4qI0s0Ho2ko+ZMZzcbHccVp5zYtqDrorOVvxt97s3TGgnQ2AtsLBrdtASVbOMFX+bl8ni+9qbeHNVlARRluIkyWntcv+tKmWZdlX7X5ZzQr2wq8z6Xf3Maorb5V2cvYeyvfw7YinWFspcF1EN4G1tgTMCHOko0Xy/oG8TdAFpRU8kn7EL9S9cpsjZmIY/jUYOpxr9HEcES4ut/qlyBVxwELmLxeamKQMsCyVyrBIyV41bFIjf8Z6+REUJCDvRXV584tA3eSlPu/IwOhLEG7wKAZIHERYOwBBTGLkvkW2zwXtPSzCZcnKDpwAfhsXgjuzjdXlh962IbKJVQqbRhjO5sN0hicaUIvR4WPTTQ2mxScbTq8vH+mCkZ20rwhbEV062Mzi5XzH3JQS1pfDcYiee41tlbqsWAJcGUN9X/hXjrKtnPzTrQDYD//muXPemPkXdf05nK94nFWGxOIi4nQHyV1yin22J4/RUlR5YTnILQcjL0xTWkDB03lK//b51oNSvYmT7gqPFnKuiqOuBnTODnLgaPgYiX1MMvLWrRuHyU5a5iqrIDCDla9XV3OHnLoHceIUqGa4vng9atXr8/Y2dGrVVOJdHJLsAh1uXNlxWACYwdVCJwOh9+vnDX22yZtnbyPPO2yaTb+OJub4x7gDLMm+DgxaRpY5UkjaiKDd1yF48k/z08vji5PX5+9Oz66LLIpT2zab8trWiLCbJGr3VAQKqlljPu0OUJv76aHjbi7gTwrVVJYH58N36FUrZuI9ftJXbvTlLCCATJuvphWcKfJYb9YS877w9LFFhPEloCvmTBWlSK2HPs3p4wt1b+vFLLKMGidDLIKZq2fU1aRRVbLrRWyyirzyJYAL+eVLVVZyDO7b94V8s66cu/u084KdqAu96xoF2g5jcZ8lQWJ3O+3z/Kzqtls/yx7uXsRk8cwvbPZwR6901c+qZpWQI2XIpigGW6YlNbMkhxZufS/iOzwIptzFrzVLUgyDBSMyI3nIgFb4ITIO1WaFCwhzfdQ1nAeXZOsYibZo3nl/LWRHOMfW2nKUY2FWiHQuWuFaHExgyms3pYtMayKoIa9xJa1yKY9RDftuCpSYeqw6JUFMOqbBtQme+zZMPn1vbFAf/8ky3gpEMjOQtQQnfxSCVovulHAivbOgWmNFIUfO0GYcda/6X6L/YiLuL53LSi7i6SlaQUD2vJE2aSaFd/TMfgvKZItHRyaNy8CKn/ZVmsfj3d3DranlZoFtlGvKk9oxwbVExxycovTJT00McyNbkFWbsHAhbeVQGhymy1Qg0ChPZWY4SQipGE0Z9+GFGDZdFT3WI9Hbo5DnwcTO4wn/eh60sea/c8Wqq68OgITTrDXF4i8cI8wfG6Vo5OlJoUsT074M4r4kEQcmogv209VCIjODqP1FUByMhGxSl0t2j9wbV+LMcqMq2O4EX2t0UU9AWgyK/jcyo4crzBk4xBXyQYYZbeO1Td5XaQIFwOggo8/xJOdwSB7D3ZoeyffXKwky9OZFABIQVR7jOX2HLcPNeird7hgZWVw7b+qB19V51jgDwxV72c1byp6cnC0rv05hbY6xDIEglYCGiQ7Vwj6itECNQuDJb9Y455VWbBQKxgiL0NJmaJK4IvmqaspahtHPWlvHcxTU9N45Dy1cmEjRaeIrrOJ2rQ1Wbktib2aNZICBo+1GXD0i5ZFdUyQ01/Yz1QTJso40m+/wOXEhecJjycie1wLGqY/E4hWghoD32E7sHWDs2ZzszAyGuni8Gwpw6fS9OsHZmzGRnkvDyeNXYlvoawtH6C0frQItWbD6VrMKSGzPQB7YWrm8iGLsZeBxMI0idJEm+/qvIosB1SZDrUtjIy46usvoDBXJgG0aee7TTd+vO6WUfefL4ZFulRwqbLgEVnKX6dKhsx6CTBE4ZbUImX5na7kdSERi0pQ6byhX2PhTRkQtOzXTopk5+tLZvIzaI6l83Kq3OoWDCT+jByJq8uuDGQbWHUFUZnvY9BlMm70aCr1aQRfGs0tzAqO5xSvpdIsBUCEI2/RFecSeGXuZZkkV810YD5zNhxECSFN1iGf1MNfGKRYWGgOcOW/PcOh6XQPliVE74rf52XAlYcAMHmbslhKI90IWr9Samn8TfigmUQPi3J2F2ncAGulNOcXeQY8JofNjfCV6N2szxUz5QoXQ0wwBFSiWMj6RDBTOqdx52ZlJQKHWTNDZym3CBBFThHjm9x/hnBoxogyejPPeUeEtqdpY7EKw9GqYx+cFq4MU0OFJS1tdPZNyeHXjtzZ7ZYO92Iw3Nltd2C63p/Qh5Uo/4huLNrZfXBjf2Y3VhK1B0/WVPHBkxXKv6cna3wcGQ4NpqBfrZPQzfOF+ioPjlaH1crmXKmnqdSSWedQn7Tep9I3w/GYtvxSP/Eif3EBiyrLLQ28ZimdKqmjkDzIF7LUz3ur5U6Tq6J/WBt5baNTCUJVcatqCAsHughHJE13pRwNKWVVmlujgBZ+nqRt5M/zs0cmuKCjnVJkr5JLlEfJf8uoUl4wJQ9/jGetlzdkv5LUJSpqcBdH2W8m6UWfwtGqvJdspxF/x1OCI1Q/9Z5XrYWf5WUu7DTVVgf26105dyvL7VRb97TfpfMury6GR1d0to5+yajBwQPAq4yMK1ou1iv/LjHgCjlwZc6pZH3XwnNF5IfzGe1xmxRnI5AazwVJrAEkgrSWdWhxgL6Gp0T0uouCSPCHSs0QYBiBQUEZeQnBbZWTNeShzD5cZg+VBGzpZKqCgFztbu99CQ+unm0/31Uisrf9l4Oreo6iFBDLDBspOKris17yV++/zcRoJdnTyCuprUR//0Bh/ezLvd8E6bNQbw8UsNKKuK4wA00NT4HQprbAzqbGwOWGx8j6mseFhPhndSCaU8ZbT9ME4rZDljzUMpuIKkhXu7LAMS0tlUcc2uYYKn56WUj8XSzFzNJmV9NiUCqiUdUrSY7KPCbpdF2TzVUMJurPozUObnO0XBchV+z46GhZp0HlbyepXa3PftK6eZrcOGqyacJXgXzTplkVAZXIFxdAOhBwZ3tt5udFux0BZLxWnTse/7vjXbEczfYjfxrFWgpWOO7XKb2m29kpfP22TsdJwpnn9DqC6nA4rpic1nBCrsP2d5O4jbhzDcF+q7J8DfVej8dmjSLHhEQMoeCcgY2557fOiPKzRmvoRrcDYEv4r3YIrOmIqR6J7LgSzF+9SUArNO3usDIVD0ubO8Qxo5PetVk5SyRfiCSeq4wcTWqWrZ2HiYYVbOkdiHnB6CbGd/hgVhLl2fx/e0/b1DaS9H72r1A5V0WSsoxxgOy6KrePA07OFQJeQ7jay+WhhKWALrLlk2yI7zb//bqn503vkg1kk2hSFUCaGfX09HT39HT3ZK2sMt40arQ5fIQPdohOyaAslR+vaIFDdsXvQKG3lstOi9lAVnhRxnqgFR2P67OUX0VAWpUDbeRPOqEANuPguLJgneCOY6EiaHK+m7G7wWAfZFucgakOyTBmcy/bCIuLRGCl9voGY1ZVZ2wQXOFnMYKpG9gc58sYBkW3kvHZDvz06NDDn2GGmTlqB4IdE4IziIsYpvDr74+GxjhX4habbj0rXJwF1ix0RXhF9m6hvJk72asgIHxDTn3ciUdgXdbGgFF0X0fc8HlEFXXGdj55ls4zxInKWnl77ZCtdDmzncDDNat9b3KNjm12m45K0KmLmxlYCDM6dkJrdZbBIJY9IuLJ2My7YXycOV7iQU42kGX5WymTbU4kNZXy8zVVwdaWcb2cWniaYtk4GPWOFhhiRJCwdYmXEjP8yOkrnCH0mMOkojOK0OVjzG6mOaI/6z7fz95xlkBZeeFfBXvJXrWYDYYeFcgUURK4K6GiyluL7BCYNo5OtfLQ+cpHr3cK2Wyxuz/SPoOCWoYd73RbxiWfMxVYKPjo+88f2imDgR5+acUgRRfbJeNadp593iAzMxqc+BZIlyIaO3PkSIpXT54eBPTizjByvWd0CiglT1lCQW2Fd0Me1JMSABay5avAmlIyXhfvFUHDT6AvMdpPsoYygEMgfyvkbLTUohsFvr2csORrH5XpKS7vcFXyS2udzzhXmm0Xk307Fp4rhspGyPhfthGMm8GuHWavYuFpymYFHw9dmx0QWMbV0oJxLBz4A/hqPvvgvei5iVUMUiEn4QyIODcOmEc4MT5UigHtdLq5hCfrZVaaWwuMdekZ//++b/7DMv/z4TH/pWP+ctHqfXiq/fnhya9/2YTdpe8SVYnQcGxbKOijxQQxPD1j/gSvLC+EH+8o1Uc20vLtjqjGNs9kLHtmFfa1/Dockk3QlJXTgUoESViVqZWKEWpRcAZjyLBG/LbzGbZJlBBwOydKThRdyO1kW2QV9Tx+TzQC5GPy356KR09+ffzPdu77J0+3oZJGeR/em4rs2h+ePvlVe/dkAyIsOuM1U3TFzKpcFcl8Twwz8zVReObr2PUcqpQ6Os4Ip1o7ckzISD1a7OHCwKLR7MVBPJHqyJ5vuTnXX5AFgZ2muKDuZQXS5AK7QSQDxbikpoHCUrRD4r7wmx7K8dQkchvN/0yLb9jix0ZbLE0NOWNtZcYZGCrE8NKZWGghh/7QnnZrBTZukqfANNxL1wPkb2KVvYPYjT9ZrMQ9WXAyAhzEKwZIVZsN8kiex0hmQChcCkcpjRL212ChWfVyglGZwjmn3nLyhm0cDlenB8vE6XrpwSomz0qcAS6q8+vvKu3UfeeFCpwbf2KRq1KdIWrdDFFjiUX2PjVXlKqTlzVKmw+B8dT8UVjvE6EpNYtUoEN0L/mk9Cw05PRKMOl+pPFb2CY6OjKSOR0MxmfDV8ODaJqiMtl9Qi2jU2Q+ksDceT4nXYoxrcdzFk5ZOFS1Pt11lIBpPDg/eTM4vOifaa/yUzflXpzHo7d1VkssTDdhBxQVzw/NaHpR/vpe1FdYP+TQ/3gcZuWsQlpgvacM9Hjw98RY4q4sseH8ewnq/UdmYrc8LwoP+VHxITDTUUHSJwac6jE1ndZv7/pHQKPxCSlG/HeXgEpxtTTxrQgbNpQonlJdNOoUVbLUKarqFFXfaYoqxSlKJKtKIEtxkkrJqyL6RrHDQaR6wq8uTPNSzHCbSVWHyoCMZWODhw5gpZCdB7eFZCcurADW17CJRDWEdX1Kfov0oqUeYqezmJBFRxA7zJSTiRdqUBYvlr0Fn7OkIMZWlOy3IipdFk1SWg7mh5BUmZjVlAJwNE/xFtYXIQ0f4adjKxCFAZllgLoPU00VJ2qF11gmpkylN2NRJxThZMbftCGku2LfkXulxljLOVqmoLKy4+VXN5SxeSthHcN6hBfKyhJ1/2RPpQfAje/dZEx9CtGswdjJv7QU63xFrqjCb4n7nqXR7u01pn+CT4OECvNCLOnrGa8L7garIidjRwqX2SFgJE+yDxfKxf4WX0W4ptDM7dOoFAVbMga25N2D6wvZgiFli+AKwygTyJsjlPUKWaJZhyY3yLf4wjqxbMolkZDVy6zMTJdqph/yT9crsl6ROeWHW5FcASvpM08WyhJrMVxOcLV9XHpeNvXnKX/1gqwXJJYfcEGyPWPJBcnq3uGCpP4e474SPX55DOyTeonWSzSz/GBLNLeD78+lJHFaWsIIFGuRjCiUwTWpR7aqYIiEON5N0xM2NmtRnHCxZYPCv+/YssE//rUtGxwMbtkomBH19buVCfkZ0grCuTFZ1hUFHyijrRO4lsevNHxYYVEt0L6Au1a6bfdeZUaVAPwiKbjWrbulR0dzf8ymvsIAT7Vm6u5mjYyqysY7lHz6kDaRbdVSEkQ7fmC7juBLX8WuU/OjjFLzo+qjq/nRA/OjO95EC05UZRNds6OsYdXsqGZH5cH99tlRfv60OmKD0LBGxAZeEu7M7C9ffvrhSqmwjm2QNXPmDrutElK2V9bUK/WNDpT93V32E0rs507n+d7zn3ae7e5097r7+/i8u7uz9+wno3PPY2dlieFshvFTAIPOq1f0/hstyWCleaiCkw7lbKeEI5WNCFIyMBH+Q0KNxQDp8UqbxyBdO960HV5v402li/sOXrp2r65N68ZyYQwsYtak2yrakuvEY6+IlzEPYd/zQNIIj1zQ+VwE728uMrLVkTt1AfwuezP3gFWHBMY5OZbzhwf+crYgaEKAbwJNCZEs63Y0ZejmuF0HSYKBcLBiDsvMJduKZfli6crC5XSblJgIHBzB7GsiRXcTK9DzptE2/jDCa6u7tw89iHnCgqwec95wBLpTEBbnDGMnN05wG4BarVeXQFDHKMYVfljjG9bY9EXrCEyP5xiUZfylfcbH334JeMEoEaOpdZnaEeOvzSf5QwGplTO6KabPm4RtuinkdBLASp9d6Q1AL5+iQr/UKKGZMoXNjBYh9ulEAgiTleY+rsGmRrcCMHwT6V2NCf7gT71Yytu7oOD1FjoWqH7rB+hHmljUvhnAOnSnjgl4ZrpJ0BOZlsu1t2EBRFronvqxyZWt+Ud5sgA+2RpZiHizA88KWV6JCAvJ6ibRSnXIJskLndxPyNkIV9Df1PxFxrol6JZPTX8yQT52XHky+SEKiDAVbLkOSbBlGOUp7BGyE40C2LMRbN1HPjDfVQSb7F17Ll9GeIk/nVp6nI1pbFcD0DRMzvlebDuLyXZER+MyB7lGpMHU+oyNuGO3idFJs4nrOeELDW4litjvvPLpajYJ9SFgf9eO5S2uGWOs3rfWuMR3gsWlYy1MqUC8yNIfjIyWzO3AFBk5AVWYgScPOGpHQY4iVeYptcrhs6WXYmZLzUITluiFE4KA/AWjmQskhwtODi3quZW2hU6u3zI9RqrabohAmbfOJVT8BPVnLifNPPmETRWlT5BbvCBANwSupRFWS87jXYEsmuowaDTEXx+otyCy/+W7M6PZasb7ost+TTSHMY3HVMpPFl1SkxPRoi8bxPuGhWEjL0EVkCko9gudmdFr8da1Y3wNe5D8iMdcvkiTFPyd3taZ3eh8jbjv0aB/OBhfDI4GB2fDk+MLvC/6dNQ/0CNeWdDgK1AXort/lm0tJfaLPacoWxlkm3TVWGOR3bjBYml5b0Aj6I+GFH04JMSNAuDqweqQUipFEEbjPB+Oz971jy7evHs5uIDWF6eD8TkM/PR4eDE8Pjh6dzi4GI2Hb/vj3y8OT972h8dxBCQUqGLdLnVQoePY6fyCx8gPBocA0uvx4PT04vD4NBOctGlnnYPeAruaMImMYoiLdG0BJCDq9eAcaOZkfHECePz7eHiWIJmeQXu78EIqzNvsA9qDqCwsBlBu1/Q6muUIkLLwf4c+U1r8gTc+TOEH7JsxfmqnU4CcG8zT4LxFjSdMLp2UzY6GgSm2olWQ0AMihjXLPpl5q170wok1p6Vg35MBXmKSysEXQRahKqHc5eGI9ow699DulzDylK12pKdKuKqKKfrSWyuSlGkmFHTJtvEJsOovXwoRz3OAvfVt6GK3m6JwJ+w/Ve1/slp581+B/a/T2et2Yva/Z8+fd2v730MUTuCYdrW8ZCkpGnS7opYBKbbtlcktyOQ4EBVTLI4bmBcTJia2+NDpD2k5BpINfdB5CRfLYhvOD0OSYHyzJwhV1//ct0HdDZbsPOlyaV85xQcBBesfDwBi63+/s1+v/wcp+hqdM5OFsv6PfPtQzvVLNtff2DFAVSOfWOdT6/O7Gbfoew5lZv5TWtY5+w6d6Q2m/prOMRFs868vjJ12d9/sgNpwYM3pVMKF/nB7w6e7/dpdnOsbueWM9tArmPYBgISTLixcfe/WWoV9NEw28rSJunxrpSr/Dy6tSQXVj5UC/r+333kW4//d/ee7Nf9/iBI//2Xzay0X137g/oeUo0TGSjKZjH3PSREHkRM5VfOYNjHf9FlvsPRwF2pihrPXmHOSDcHM1m0bEfMBywFJGMFQDWDYl/zpFfO5M5nLIPvlFqXLRh9SVWN/bst85sUA0E3Z4jfKl5WEKuuUOwkUz+mppyfTgGg+bSY7bzaT3UhNYk00piVkTZkqlvlOPLRlYtaMj8orxyWiFPaSKMtaZZkUE8AaCuMPLl2WWZmeqxqxVxWBpeSHGChVbjaa3Km1SX85mMxM/CGPuNmDwrlG55O0Lyino3g/mw5o4vsB4Cl/ChgXiGFS+yBz9FX0Zmz6FfFcpo81jVJWfDON9elnIRr4GpIQhcmpSEmmmzIzFGQb6r9X4S+Jz9IOJPmdlF1n9nxUYWYabXBV2g9KH+tVMsUniSI1XXF89UfTVN35gLkiX/08MzEcOtDyg8Ih0fu1Wfc8THap8Yc1u7WnQL5AW4FzBVWD/JU6XS7YdUv8JJGY3DKwUqTD1tMtHc+baVsviaf/YEoXjIMfBIpJy8FbQ2b51pTU8lgKlyJBmcn7OY34pjTuw+jxVfX/qvs/cUpSZQtYsP+DzV7C/r/b3a/3fw9RSnsM6mxLMie+Ou7dKpiw3mtedJlOtpgr2IRanm0ufBNdDcOesfX+v8154C/8ie81e82zg1Gz1cR3zZ525s05+wG5VJEr34h8Fb982KoGgeWh45Fjm+QradLdPKHJ3fwigMXhiPlJtuKgrwUMH1wuIA+FITn9pjCvcgg0+yp8txm7G0J3/QAYqdNmpS+DSmkykSi/rPzMACUuelpHNtHfqPyMHl1xsTgcwROa74Y6t+bUxj5DPrvZpEiVOJn0DKCSNZRI9WkiIO3Lu7vP2F9EpCMBjYgVMpqao5SiQEGWHEw3lA2aZSg3Y1DSGSF6BPDwxxP3YHpfU/5bpA+VUwMKz/934/bfPXxdy/8HKPEdSVy0C8X32zr3ezDuCnsQn7k7RdF15n9yAJkf8SLSP/cpWdX1fzO3qh7/FJ7/d7vx+L/u3t5Ovf4fosSENk4vF9AxnR8pPZyAYgRKVdxGcY5WKng38u0+rwbCfE2WYQIMJdmG0G1SBiH0Pj0MI/pMugFR7Ah76OpehvIVOQ2iKUc42k3dWZ+0Zt11b+pM/WCVoackgWqrXtrUNF1hKdWSDTCirJDmJH2o04I88Xki0FM5IZZlm2Ra1LFKT8gPUdMhcSR65baqd0/qTV0KSjn+z+8xqsr4eSk8/38W1/92us9r/v8ghWLeGHOc+6G7YAzMWWK6FtP2J58wEvDTVdt2blSsGuyQ0Eq6PV9ewiqWz7f1Q+Y0PrGwrnr8Vi3cfmoRdMOPx/5iRJdBNRp0wjXgJ1w9jXMfAUQ9cVLWeAQbsgUa4kPM3yi2ry3DaV+1jVDYri5XBjO/qJjUBq+JPUcNXdIT/ZHwpRa9qgun3JkWuC0iPhti3/pz5+dOoxHZY/YaPFNFQNvYHdzfNBrqUAFTUDSANyp4bA2QpNR6lJBAjyLyZ6f781u3kC83UVQ3Gw0t0ggrxaLyesYePMyMQBI6LqrcMgBLStZkR/I4skche2mBdj3jWQfmlsiq13iU1tcOPNbOxjJrNbRKajbk7I75TWEjJzi0Vr8tYVQ4P+g4z2vQzeA9DiymQZksxPTQ5LBHklx42mHMpjRbYeYRk1/F7n/k17Cy7Kr2LGzTixR5yyC0JpQLCQfmQEWvZ/zLv55BK+f/nM8WpjJtT/wpryGijcWNZNjavOl020DWbc9ZwMKaBKv5ou0HV9s26BdoxljxxpicybqSFxX6S5id/U4I787OjtjSOjw+7ewYsJsCMpld0Y121NK9Acy+cYDq/oAnJ+JW8U/OijU8chZboTGgjxvCaiAp1sTycvB6eGzQ/+PTvjEaD8/7ZwPjzeB39l7WbrdjLQfHh+ktWLUJzOUjg91tfjszkH/j4S4LBp06totZb4g6WAIchNYyDvpiBq3QAILGm/8W7g3LJNU/eDvgb1scDp0EGQKgfTTi8lFsmNo1qZHBaWOTQ8uoq31AIj76XUR/yrezEJv27VSUzoFucIEzJZwu6AOO12b/Wvj/bnuXVZxY+lk4gShvnOdXSkZBDimV75LlcuRkRRgH6rxxbb4qilEpB5OLxrvrrMGvVyZGwbcPkosz7ggd8JtbWxTcz26ko8utVsJvQl74hp0pPzHGiSwQhIiQvn7iGUomJDunz4I09KwrAJkxAdXajByYsg8yAa1JM3LQChqNZEhrz3j/AUVuWggUTDBjwBSAR8w4EqVF/bLtBS1fEmljTee4chfXy0tkaUqhSG+7hqaSNU7qkOklzU672/4F5GGaNweJcLHby5ldmlXLy8Is7vDIWwH2hkAEnLjZzJ8dnUYWMXIkSo2GSQUpuMaQQiNqVf8qgPGYWUGsBhrOVOoLFlNEyExCbxhlA24jg2G/ttjHP7pBuOAdRjLpF0AF43Q+s8/YdJsoju70eMij8dT89xrytu0eOb4JCnhkREKdeqVmg7XLy5NBv4h0Gd3Og+x+6lKXutSlLnWpS13qUpe61KUudalLXepSl7rUpS51qUtd6lKXunxH5X9/w1PRAEABAA== values: image: tag: v1.48.0-dev diff --git a/example/extension.operator.yaml b/example/extension.operator.yaml new file mode 100644 index 00000000..9fbf39ce --- /dev/null +++ b/example/extension.operator.yaml @@ -0,0 +1,51 @@ +apiVersion: operator.gardener.cloud/v1alpha1 +kind: Extension +metadata: + name: extension-shoot-cert-service + annotations: + security.gardener.cloud/pod-security-enforce: baseline +spec: + resources: + - kind: Extension + #globallyEnabled: true + type: shoot-cert-service + workerlessSupported: true + deployment: + extension: + runtimeClusterValues: + # gardenerCertificates: + # runtimeCluster: + # enabled: true + # virtualKubeAPIServerIncludePrimaryDomain: false + certificateConfig: + defaultIssuer: + name: garden + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: some.user@example.com + #As an alternative to ACME issuer, use own root or intermediate certificate for a CA issuer + # ca: + # certificate: ... + # certificateKey: ... + image: + tag: v1.48.0-dev-12345678 + values: + # gardenerCertificates: + # seed: + # enabled: true + certificateConfig: + defaultIssuer: + name: garden + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: some.user@example.com + #As an alternative to ACME issuer, use own root or intermediate certificate for a CA issuer + # ca: + # certificate: ... + # certificateKey: ... + tag: v1.48.0-dev-12345678 + helm: + ociRepository: + ref: europe-docker.pkg.dev/gardener-project/snapshots/charts/gardener/extensions/shoot-cert-service:1.48.0-dev-12345678 + # ref: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:1.48.0 + policy: Always \ No newline at end of file