From a9676c7eb2c58908a8650a08769687aa5a42a58a Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Thu, 10 Jul 2025 14:15:58 +0100 Subject: [PATCH 01/33] add description to the egressMTLS policies. --- pkg/apis/configuration/v1/types.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index e700fd5dba..f7b90f4f56 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -600,6 +600,7 @@ type AccessControl struct { // RateLimit defines a rate limit policy. type RateLimit struct { + //The rate of requests permitted. The rate is specified in requests per second (r/s) or requests per minute (r/m). Rate string `json:"rate"` Key string `json:"key"` Delay *int `json:"delay"` @@ -673,16 +674,25 @@ type IngressMTLS struct { VerifyDepth *int `json:"verifyDepth"` } -// EgressMTLS defines an Egress MTLS policy. +// The EgressMTLS policy configures upstreams authentication and certificate verification. type EgressMTLS struct { + // The name of the Kubernetes secret that stores the TLS certificate and key. It must be in the same namespace as the Policy resource. The secret must be of the type kubernetes.io/tls, the certificate must be stored in the secret under the key tls.crt, and the key must be stored under the key tls.key, otherwise the secret will be rejected as invalid. TLSSecret string `json:"tlsSecret"` + // Enables verification of the upstream HTTPS server certificate. VerifyServer bool `json:"verifyServer"` + // Sets the verification depth in the proxied HTTPS server certificates chain. The default is 1. VerifyDepth *int `json:"verifyDepth"` + // Specifies the protocols for requests to an upstream HTTPS server. The default is TLSv1 TLSv1.1 TLSv1.2. Protocols string `json:"protocols"` + // Enables reuse of SSL sessions to the upstreams. The default is true. SessionReuse *bool `json:"sessionReuse"` + // Specifies the enabled ciphers for requests to an upstream HTTPS server. The default is DEFAULT. Ciphers string `json:"ciphers"` + // The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. TrustedCertSecret string `json:"trustedCertSecret"` + // Enables passing of the server name through Server Name Indication extension. ServerName bool `json:"serverName"` + // Allows overriding the server name used to verify the certificate of the upstream HTTPS server. SSLName string `json:"sslName"` } @@ -720,7 +730,7 @@ type SecurityLog struct { LogDest string `json:"logDest"` } -// APIKey defines an API Key policy. +// The API Key policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param. type APIKey struct { SuppliedIn *SuppliedIn `json:"suppliedIn"` ClientSecret string `json:"clientSecret"` From 7aa0998e73f52861d087dac9a1eb9d11b2d9bf05 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Fri, 11 Jul 2025 10:53:02 +0100 Subject: [PATCH 02/33] added description to the rest of the policy file --- pkg/apis/configuration/v1/types.go | 70 ++++++++++++++++++++++-------- 1 file changed, 51 insertions(+), 19 deletions(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index f7b90f4f56..a37b77c3be 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -653,80 +653,112 @@ type VariableCondition struct { // JWTAuth holds JWT authentication configuration. type JWTAuth struct { + // The realm of the JWT. Realm string `json:"realm"` Secret string `json:"secret"` + // The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the Authorization header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: $cookie_auth_token. Accepted variables are $http_, $arg_, $cookie_. Token string `json:"token"` + // The remote URI where the request will be sent to retrieve JSON Web Key set JwksURI string `json:"jwksURI"` + // Enables in-memory caching of JWKS (JSON Web Key Sets) that are obtained from the jwksURI and sets a valid time for expiration. KeyCache string `json:"keyCache"` } // BasicAuth holds HTTP Basic authentication configuration type BasicAuth struct { + // The realm for the basic authentication. Realm string `json:"realm"` + // The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid. Secret string `json:"secret"` } -// IngressMTLS defines an Ingress MTLS policy. +// The IngressMTLS policy configures client certificate verification. type IngressMTLS struct { + // The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. ClientCertSecret string `json:"clientCertSecret"` + // The file name of the Certificate Revocation List. NGINX Ingress Controller will look for this file in /etc/nginx/secrets CrlFileName string `json:"crlFileName"` + // Verification for the client. Possible values are "on", "off", "optional", "optional_no_ca". The default is "on". VerifyClient string `json:"verifyClient"` + // Sets the verification depth in the client certificates chain. The default is 1. VerifyDepth *int `json:"verifyDepth"` } // The EgressMTLS policy configures upstreams authentication and certificate verification. type EgressMTLS struct { - // The name of the Kubernetes secret that stores the TLS certificate and key. It must be in the same namespace as the Policy resource. The secret must be of the type kubernetes.io/tls, the certificate must be stored in the secret under the key tls.crt, and the key must be stored under the key tls.key, otherwise the secret will be rejected as invalid. - TLSSecret string `json:"tlsSecret"` - // Enables verification of the upstream HTTPS server certificate. - VerifyServer bool `json:"verifyServer"` - // Sets the verification depth in the proxied HTTPS server certificates chain. The default is 1. - VerifyDepth *int `json:"verifyDepth"` + // The name of the Kubernetes secret that stores the TLS certificate and key. It must be in the same namespace as the Policy resource. The secret must be of the type kubernetes.io/tls, the certificate must be stored in the secret under the key tls.crt, and the key must be stored under the key tls.key, otherwise the secret will be rejected as invalid. + TLSSecret string `json:"tlsSecret"` + // Enables verification of the upstream HTTPS server certificate. + VerifyServer bool `json:"verifyServer"` + // Sets the verification depth in the proxied HTTPS server certificates chain. The default is 1. + VerifyDepth *int `json:"verifyDepth"` // Specifies the protocols for requests to an upstream HTTPS server. The default is TLSv1 TLSv1.1 TLSv1.2. - Protocols string `json:"protocols"` - // Enables reuse of SSL sessions to the upstreams. The default is true. - SessionReuse *bool `json:"sessionReuse"` - // Specifies the enabled ciphers for requests to an upstream HTTPS server. The default is DEFAULT. - Ciphers string `json:"ciphers"` - // The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. + Protocols string `json:"protocols"` + // Enables reuse of SSL sessions to the upstreams. The default is true. + SessionReuse *bool `json:"sessionReuse"` + // Specifies the enabled ciphers for requests to an upstream HTTPS server. The default is DEFAULT. + Ciphers string `json:"ciphers"` + // The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. TrustedCertSecret string `json:"trustedCertSecret"` - // Enables passing of the server name through Server Name Indication extension. - ServerName bool `json:"serverName"` - // Allows overriding the server name used to verify the certificate of the upstream HTTPS server. - SSLName string `json:"sslName"` + // Enables passing of the server name through Server Name Indication extension. + ServerName bool `json:"serverName"` + // Allows overriding the server name used to verify the certificate of the upstream HTTPS server. + SSLName string `json:"sslName"` } -// OIDC defines an Open ID Connect policy. +// The OIDC policy configures NGINX Plus as a relying party for OpenID Connect authentication. type OIDC struct { + // URL for the authorization endpoint provided by your OpenID Connect provider. AuthEndpoint string `json:"authEndpoint"` + // URL for the token endpoint provided by your OpenID Connect provider. TokenEndpoint string `json:"tokenEndpoint"` + // URL for the JSON Web Key Set (JWK) document provided by your OpenID Connect provider. JWKSURI string `json:"jwksURI"` + // The client ID provided by your OpenID Connect provider. ClientID string `json:"clientID"` + // The name of the Kubernetes secret that stores the client secret provided by your OpenID Connect provider. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/oidc, and the secret under the key client-secret, otherwise the secret will be rejected as invalid. If PKCE is enabled, this should be not configured. ClientSecret string `json:"clientSecret"` + // List of OpenID Connect scopes. The scope openid always needs to be present and others can be added concatenating them with a + sign, for example openid+profile+email, openid+email+userDefinedScope. The default is openid. Scope string `json:"scope"` + // Allows overriding the default redirect URI. The default is /_codexch. RedirectURI string `json:"redirectURI"` + // URL provided by your OpenID Connect provider to request the end user be logged out. EndSessionEndpoint string `json:"endSessionEndpoint"` + // URI to redirect to after the logout has been performed. Requires endSessionEndpoint. The default is /_logout. PostLogoutRedirectURI string `json:"postLogoutRedirectURI"` + // Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is 200. ZoneSyncLeeway *int `json:"zoneSyncLeeway"` + // A list of extra URL arguments to pass to the authorization endpoint provided by your OpenID Connect provider. Arguments must be URL encoded, multiple arguments may be included in the list, for example [ arg1=value1, arg2=value2 ] AuthExtraArgs []string `json:"authExtraArgs"` + // Option of whether Bearer token is used to authorize NGINX to access protected backend. AccessTokenEnable bool `json:"accessTokenEnable"` + // Switches Proof Key for Code Exchange on. The OpenID client needs to be in public mode. clientSecret is not used in this mode. PKCEEnable bool `json:"pkceEnable"` } -// WAF defines an WAF policy. +// The WAF policy configures NGINX Plus to secure client requests using App Protect WAF policies. type WAF struct { + // Enables NGINX App Protect WAF. Enable bool `json:"enable"` + // The App Protect WAF policy of the WAF. Accepts an optional namespace. Mutually exclusive with apBundle. ApPolicy string `json:"apPolicy"` + // The App Protect WAF policy bundle. Mutually exclusive with apPolicy. ApBundle string `json:"apBundle"` + // SecurityLog *SecurityLog `json:"securityLog"` + // SecurityLogs []*SecurityLog `json:"securityLogs"` } // SecurityLog defines the security log of a WAF policy. type SecurityLog struct { + // Enables security log. Enable bool `json:"enable"` + // The App Protect WAF log conf resource. Accepts an optional namespace. Only works with apPolicy. ApLogConf string `json:"apLogConf"` + // The App Protect WAF log bundle resource. Only works with apBundle. ApLogBundle string `json:"apLogBundle"` + // The log destination for the security log. Only accepted variables are syslog:server=:, stderr, . LogDest string `json:"logDest"` } From 3fb5a1dd6f1b92db64ee5fd2ce22a16cfcb6c9de Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 16 Jul 2025 10:51:28 +0100 Subject: [PATCH 03/33] added description to virtual server routes file --- pkg/apis/configuration/v1/types.go | 550 ++++++++++++++++++----------- 1 file changed, 351 insertions(+), 199 deletions(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index a37b77c3be..d45baf8beb 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -42,39 +42,53 @@ type VirtualServer struct { // VirtualServerSpec is the spec of the VirtualServer resource. type VirtualServerSpec struct { - IngressClass string `json:"ingressClassName"` - Host string `json:"host"` - Listener *VirtualServerListener `json:"listener"` - TLS *TLS `json:"tls"` - Gunzip bool `json:"gunzip"` - Policies []PolicyReference `json:"policies"` - Upstreams []Upstream `json:"upstreams"` - Routes []Route `json:"routes"` - HTTPSnippets string `json:"http-snippets"` - ServerSnippets string `json:"server-snippets"` - Dos string `json:"dos"` - ExternalDNS ExternalDNS `json:"externalDNS"` + // Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource. + IngressClass string `json:"ingressClassName"` + // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. + Host string `json:"host"` + // Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource + Listener *VirtualServerListener `json:"listener"` + // The TLS termination configuration. + TLS *TLS `json:"tls"` + // Enables or disables decompression of gzipped responses for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. If the gunzip value is not set, it defaults to off. + Gunzip bool `json:"gunzip"` + // A list of policies. + Policies []PolicyReference `json:"policies"` + // A list of upstreams. + Upstreams []Upstream `json:"upstreams"` + // A list of routes. + Routes []Route `json:"routes"` + // Sets a custom snippet in the http context. + HTTPSnippets string `json:"http-snippets"` + // Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. + ServerSnippets string `json:"server-snippets"` + // A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. + Dos string `json:"dos"` + // The externalDNS configuration for a VirtualServer. + ExternalDNS ExternalDNS `json:"externalDNS"` // InternalRoute allows for the configuration of internal routing. InternalRoute bool `json:"internalRoute"` } // VirtualServerListener references a custom http and/or https listener defined in GlobalConfiguration. type VirtualServerListener struct { - HTTP string `json:"http"` + // The name of am HTTP listener defined in a GlobalConfiguration resource. + HTTP string `json:"http"` + // The name of an HTTPS listener defined in a GlobalConfiguration resource. HTTPS string `json:"https"` } // ExternalDNS defines externaldns sub-resource of a virtual server. type ExternalDNS struct { - Enable bool `json:"enable"` + // Enables ExternalDNS integration for a VirtualServer resource. The default is false. + Enable bool `json:"enable"` + // The record Type that should be created, e.g. “A”, “AAAA”, “CNAME”. This is automatically computed based on the external endpoints if not defined. RecordType string `json:"recordType,omitempty"` - // TTL for the record + // TTL for the DNS record. This defaults to 0 if not defined. See the ExternalDNS TTL documentation for provider-specific defaults RecordTTL int64 `json:"recordTTL,omitempty"` - // Labels stores labels defined for the Endpoint - // +optional + // Configure labels to be applied to the Endpoint resources that will be consumed by ExternalDNS. Labels map[string]string `json:"labels,omitempty"` - // ProviderSpecific stores provider specific config - // +optional + // Configure provider specific properties which holds the name and value of a configuration which is specific to individual DNS providers. ProviderSpecific ProviderSpecific `json:"providerSpecific,omitempty"` } @@ -92,41 +106,72 @@ type ProviderSpecificProperty struct { // PolicyReference references a policy by name and an optional namespace. type PolicyReference struct { - Name string `json:"name"` + // The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. v + Name string `json:"name"` + // The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. Namespace string `json:"namespace"` } // Upstream defines an upstream. type Upstream struct { - Name string `json:"name"` - Service string `json:"service"` - Subselector map[string]string `json:"subselector"` - Port uint16 `json:"port"` - LBMethod string `json:"lb-method"` - FailTimeout string `json:"fail-timeout"` - MaxFails *int `json:"max-fails"` - MaxConns *int `json:"max-conns"` - Keepalive *int `json:"keepalive"` - ProxyConnectTimeout string `json:"connect-timeout"` - ProxyReadTimeout string `json:"read-timeout"` - ProxySendTimeout string `json:"send-timeout"` - ProxyNextUpstream string `json:"next-upstream"` - ProxyNextUpstreamTimeout string `json:"next-upstream-timeout"` - ProxyNextUpstreamTries int `json:"next-upstream-tries"` - ProxyBuffering *bool `json:"buffering"` - ProxyBuffers *UpstreamBuffers `json:"buffers"` - ProxyBufferSize string `json:"buffer-size"` - ClientMaxBodySize string `json:"client-max-body-size"` - TLS UpstreamTLS `json:"tls"` - HealthCheck *HealthCheck `json:"healthCheck"` - SlowStart string `json:"slow-start"` - Queue *UpstreamQueue `json:"queue"` - SessionCookie *SessionCookie `json:"sessionCookie"` - UseClusterIP bool `json:"use-cluster-ip"` - NTLM bool `json:"ntlm"` - Type string `json:"type"` - Backup string `json:"backup"` - BackupPort *uint16 `json:"backupPort"` + //The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. + Name string `json:"name"` + // The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported (check the prerequisites ). + Service string `json:"service"` + // Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. + Subselector map[string]string `json:"subselector"` + // The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. The port must fall into the range 1..65535. + Port uint16 `json:"port"` + // The load balancing method. To use the round-robin method, specify round_robin. The default is specified in the lb-method ConfigMap key. + LBMethod string `json:"lb-method"` + // The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. See the fail_timeout parameter of the server directive. The default is set in the fail-timeout ConfigMap key. + FailTimeout string `json:"fail-timeout"` + // The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. See the max_fails parameter of the server directive. The default is set in the max-fails ConfigMap key. + MaxFails *int `json:"max-fails"` + // The maximum number of simultaneous active connections to an upstream server. See the max_conns parameter of the server directive. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. + MaxConns *int `json:"max-conns"` + // Configures the cache for connections to upstream servers. The value 0 disables the cache. See the keepalive directive. The default is set in the keepalive ConfigMap key. + Keepalive *int `json:"keepalive"` + // The timeout for establishing a connection with an upstream server. See the proxy_connect_timeout directive. The default is specified in the proxy-connect-timeout ConfigMap key. + ProxyConnectTimeout string `json:"connect-timeout"` + // The timeout for reading a response from an upstream server. See the proxy_read_timeout directive. The default is specified in the proxy-read-timeout ConfigMap key. + ProxyReadTimeout string `json:"read-timeout"` + // The timeout for transmitting a request to an upstream server. See the proxy_send_timeout directive. The default is specified in the proxy-send-timeout ConfigMap key. + ProxySendTimeout string `json:"send-timeout"` + // Specifies in which cases a request should be passed to the next upstream server. See the proxy_next_upstream directive. The default is error timeout. + ProxyNextUpstream string `json:"next-upstream"` + // The time during which a request can be passed to the next upstream server. See the proxy_next_upstream_timeout directive. The 0 value turns off the time limit. The default is 0. + ProxyNextUpstreamTimeout string `json:"next-upstream-timeout"` + // The number of possible tries for passing a request to the next upstream server. See the proxy_next_upstream_tries directive. The 0 value turns off this limit. The default is 0. + ProxyNextUpstreamTries int `json:"next-upstream-tries"` + // Enables buffering of responses from the upstream server. See the proxy_buffering directive. The default is set in the proxy-buffering ConfigMap key. + ProxyBuffering *bool `json:"buffering"` + // Configures the buffers used for reading a response from the upstream server for a single connection. + ProxyBuffers *UpstreamBuffers `json:"buffers"` + // Sets the size of the buffer used for reading the first part of a response received from the upstream server. See the proxy_buffer_size directive. The default is set in the proxy-buffer-size ConfigMap key. + ProxyBufferSize string `json:"buffer-size"` + // Sets the maximum allowed size of the client request body. See the client_max_body_size directive. The default is set in the client-max-body-size ConfigMap key. + ClientMaxBodySize string `json:"client-max-body-size"` + // The TLS configuration for the Upstream. + TLS UpstreamTLS `json:"tls"` + // The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. + HealthCheck *HealthCheck `json:"healthCheck"` + // The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. See the slow_start parameter of the server directive. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. + SlowStart string `json:"slow-start"` + // Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus. + Queue *UpstreamQueue `json:"queue"` + // The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. + SessionCookie *SessionCookie `json:"sessionCookie"` + //Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like lb-method and next-upstream) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. + UseClusterIP bool `json:"use-cluster-ip"` + // Allows proxying requests with NTLM Authentication. See the ntlm directive. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. + NTLM bool `json:"ntlm"` + // The type of the upstream. Supported values are http and grpc. The default is http. For gRPC, it is necessary to enable HTTP/2 in the ConfigMap and configure TLS termination in the VirtualServer. + Type string `json:"type"` + // The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. + Backup string `json:"backup"` + // The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. + BackupPort *uint16 `json:"backupPort"` } // UpstreamBuffers defines Buffer Configuration for an Upstream. @@ -142,24 +187,42 @@ type UpstreamTLS struct { // HealthCheck defines the parameters for active Upstream HealthChecks. type HealthCheck struct { - Enable bool `json:"enable"` - Path string `json:"path"` - Interval string `json:"interval"` - Jitter string `json:"jitter"` - Fails int `json:"fails"` - Passes int `json:"passes"` - Port int `json:"port"` - TLS *UpstreamTLS `json:"tls"` - ConnectTimeout string `json:"connect-timeout"` - ReadTimeout string `json:"read-timeout"` - SendTimeout string `json:"send-timeout"` - Headers []Header `json:"headers"` - StatusMatch string `json:"statusMatch"` - GRPCStatus *int `json:"grpcStatus"` - GRPCService string `json:"grpcService"` - Mandatory bool `json:"mandatory"` - Persistent bool `json:"persistent"` - KeepaliveTime string `json:"keepalive-time"` + // Enables a health check for an upstream server. The default is false. + Enable bool `json:"enable"` + // The path used for health check requests. The default is /. This is not configurable for gRPC type upstreams. + Path string `json:"path"` + // The interval between two consecutive health checks. The default is 5s. + Interval string `json:"interval"` + // The time within which each health check will be randomly delayed. By default, there is no delay. + Jitter string `json:"jitter"` + // The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. + Fails int `json:"fails"` + // The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. + Passes int `json:"passes"` + // The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. + Port int `json:"port"` + // The TLS configuration used for health check requests. By default, the tls field of the upstream is used. + TLS *UpstreamTLS `json:"tls"` + // The timeout for establishing a connection with an upstream server. By default, the connect-timeout of the upstream is used. + ConnectTimeout string `json:"connect-timeout"` + // The timeout for reading a response from an upstream server. By default, the read-timeout of the upstream is used. + ReadTimeout string `json:"read-timeout"` + // The timeout for transmitting a request to an upstream server. By default, the send-timeout of the upstream is used. + SendTimeout string `json:"send-timeout"` + // The request headers used for health check requests. NGINX Plus always sets the Host, User-Agent and Connection headers for health check requests. + Headers []Header `json:"headers"` + // The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See the documentation of the match directive. This not supported for gRPC type upstreams. + StatusMatch string `json:"statusMatch"` + // The expected gRPC status code of the upstream server response to the Check method. Configure this field only if your gRPC services do not implement the gRPC health checking protocol. For example, configure 12 if the upstream server responds with 12 (UNIMPLEMENTED) status code. Only valid on gRPC type upstreams. + GRPCStatus *int `json:"grpcStatus"` + // The gRPC service to be monitored on the upstream server. Only valid on gRPC type upstreams. + GRPCService string `json:"grpcService"` + // Require every newly added server to pass all configured health checks before NGINX Plus sends traffic to it. If this is not specified, or is set to false, the server will be initially considered healthy. When combined with slow-start, it gives a new server more time to connect to databases and “warm up” before being asked to handle their full share of traffic. + Mandatory bool `json:"mandatory"` + // Set the initial “up” state for a server after reload if the server was considered healthy before reload. Enabling persistent requires that the mandatory parameter is also set to true. + Persistent bool `json:"persistent"` + // Enables keepalive connections for health checks and specifies the time during which requests can be processed through one keepalive connection. The default is 60s. + KeepaliveTime string `json:"keepalive-time"` } // Header defines an HTTP Header. @@ -170,71 +233,108 @@ type Header struct { // SessionCookie defines the parameters for session persistence. type SessionCookie struct { - Enable bool `json:"enable"` - Name string `json:"name"` - Path string `json:"path"` - Expires string `json:"expires"` - Domain string `json:"domain"` - HTTPOnly bool `json:"httpOnly"` - Secure bool `json:"secure"` + // Enables session persistence with a session cookie for an upstream server. The default is false. + Enable bool `json:"enable"` + // The name of the cookie. + Name string `json:"name"` + // The path for which the cookie is set. + Path string `json:"path"` + // The time for which a browser should keep the cookie. Can be set to the special value max , which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. + Expires string `json:"expires"` + // The domain for which the cookie is set. + Domain string `json:"domain"` + // Adds the HttpOnly attribute to the cookie. + HTTPOnly bool `json:"httpOnly"` + // Adds the Secure attribute to the cookie. + Secure bool `json:"secure"` + // Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none SameSite string `json:"samesite"` } // Route defines a route. type Route struct { - Path string `json:"path"` - Policies []PolicyReference `json:"policies"` - Route string `json:"route"` - Action *Action `json:"action"` - Splits []Split `json:"splits"` - Matches []Match `json:"matches"` - ErrorPages []ErrorPage `json:"errorPages"` - LocationSnippets string `json:"location-snippets"` - Dos string `json:"dos"` + // The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( / , /path ), an exact match ( =/exact/match ), a case insensitive regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive regular expression ( ~^/foo.*\.jpg ). In the case of a prefix (must start with / ) or an exact match (must start with = ), the path must not include any whitespace characters, { , } or ;. In the case of the regex matches, all double quotes " must be escaped and the match can’t end in an unescaped backslash \. The path must be unique among the paths of all routes of the VirtualServer. Check the location directive for more information. + Path string `json:"path"` + // A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. See Applying Policies for more details. + Policies []PolicyReference `json:"policies"` + // The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, tea-namespace/tea. + Route string `json:"route"` + // The default action to perform for a request. + Action *Action `json:"action"` + // The default splits configuration for traffic splitting. Must include at least 2 splits. + Splits []Split `json:"splits"` + // The matching rules for advanced content-based routing. Requires the default Action or Splits. Unmatched requests will be handled by the default Action or Splits. + Matches []Match `json:"matches"` + // The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. + ErrorPages []ErrorPage `json:"errorPages"` + // Sets a custom snippet in the location context. Overrides the location-snippets ConfigMap key. + LocationSnippets string `json:"location-snippets"` + // A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. + Dos string `json:"dos"` } // Action defines an action. type Action struct { - Pass string `json:"pass"` + // Passes requests to an upstream. The upstream with that name must be defined in the resource. + Pass string `json:"pass"` + // Redirects requests to a provided URL. Redirect *ActionRedirect `json:"redirect"` - Return *ActionReturn `json:"return"` - Proxy *ActionProxy `json:"proxy"` + // Returns a preconfigured response. + Return *ActionReturn `json:"return"` + // Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). + Proxy *ActionProxy `json:"proxy"` } // ActionRedirect defines a redirect in an Action. type ActionRedirect struct { - URL string `json:"url"` - Code int `json:"code"` + // The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. + URL string `json:"url"` + // The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. + Code int `json:"code"` } // ActionReturn defines a return in an Action. type ActionReturn struct { - Code int `json:"code"` - Type string `json:"type"` - Body string `json:"body"` + // The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. + Code int `json:"code"` + //The MIME type of the response. The default is text/plain. + Type string `json:"type"` + // The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. + Body string `json:"body"` + // The custom headers of the response. Headers []Header `json:"headers"` } // ActionProxy defines a proxy in an Action. type ActionProxy struct { - Upstream string `json:"upstream"` - RewritePath string `json:"rewritePath"` - RequestHeaders *ProxyRequestHeaders `json:"requestHeaders"` + // The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. + Upstream string `json:"upstream"` + // The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. + RewritePath string `json:"rewritePath"` + // The request headers modifications. + RequestHeaders *ProxyRequestHeaders `json:"requestHeaders"` + // The response headers modifications. ResponseHeaders *ProxyResponseHeaders `json:"responseHeaders"` } // ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. type ProxyRequestHeaders struct { - Pass *bool `json:"pass"` - Set []Header `json:"set"` + // Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. + Pass *bool `json:"pass"` + // Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. + Set []Header `json:"set"` } // ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. type ProxyResponseHeaders struct { - Hide []string `json:"hide"` - Pass []string `json:"pass"` - Ignore []string `json:"ignore"` - Add []AddHeader `json:"add"` + // The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. + Hide []string `json:"hide"` + // Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. + Pass []string `json:"pass"` + // Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. + Ignore []string `json:"ignore"` + // Adds headers to the response to the client. + Add []AddHeader `json:"add"` } // AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. @@ -245,30 +345,43 @@ type AddHeader struct { // Split defines a split. type Split struct { - Weight int `json:"weight"` + // The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. + Weight int `json:"weight"` + // The action to perform for a request. Action *Action `json:"action"` } // Condition defines a condition in a MatchRule. type Condition struct { - Header string `json:"header"` - Cookie string `json:"cookie"` + // The name of a header. Must consist of alphanumeric characters or -. + Header string `json:"header"` + // The name of a cookie. Must consist of alphanumeric characters or _. + Cookie string `json:"cookie"` + // The name of an argument. Must consist of alphanumeric characters or _. Argument string `json:"argument"` + // The name of an NGINX variable. Must start with $. See the list of the supported variables below the table. Variable string `json:"variable"` - Value string `json:"value"` + // The value to match the condition against. How to define a value is shown below the table. + Value string `json:"value"` } // Match defines a match. type Match struct { + // A list of conditions. Must include at least 1 condition. Conditions []Condition `json:"conditions"` - Action *Action `json:"action"` - Splits []Split `json:"splits"` + // The action to perform for a request. + Action *Action `json:"action"` + // The splits configuration for traffic splitting. Must include at least 2 splits. + Splits []Split `json:"splits"` } // ErrorPage defines an ErrorPage in a Route. type ErrorPage struct { - Codes []int `json:"codes"` - Return *ErrorPageReturn `json:"return"` + // A list of error status codes. + Codes []int `json:"codes"` + // The redirect action for the given status codes. + Return *ErrorPageReturn `json:"return"` + // The canned response action for the given status codes. Redirect *ErrorPageRedirect `json:"redirect"` } @@ -284,15 +397,21 @@ type ErrorPageRedirect struct { // TLS defines TLS configuration for a VirtualServer. type TLS struct { - Secret string `json:"secret"` - Redirect *TLSRedirect `json:"redirect"` + // The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must be of the type kubernetes.io/tls and contain keys named tls.crt and tls.key that contain the certificate and private key as described here. If the secret doesn’t exist or is invalid, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. If the secret is not specified but wildcard TLS secret is configured, NGINX will use the wildcard secret for TLS termination. + Secret string `json:"secret"` + // The redirect configuration of the TLS for a VirtualServer. + Redirect *TLSRedirect `json:"redirect"` + // The cert-manager configuration of the TLS for a VirtualServer. CertManager *CertManager `json:"cert-manager"` } // TLSRedirect defines a redirect for a TLS. type TLSRedirect struct { - Enable bool `json:"enable"` - Code *int `json:"code"` + // Enables a TLS redirect for a VirtualServer. The default is False. + Enable bool `json:"enable"` + // The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. + Code *int `json:"code"` + // The attribute of a request that NGINX will evaluate to send a redirect. The allowed values are scheme (the scheme of the request) or x-forwarded-proto (the X-Forwarded-Proto header of the request). The default is scheme. BasedOn string `json:"basedOn"` } @@ -357,10 +476,14 @@ type VirtualServerRoute struct { // VirtualServerRouteSpec is the spec of the VirtualServerRoute resource. type VirtualServerRouteSpec struct { - IngressClass string `json:"ingressClassName"` - Host string `json:"host"` - Upstreams []Upstream `json:"upstreams"` - Subroutes []Route `json:"subroutes"` + // Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource. + IngressClass string `json:"ingressClassName"` + // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. Must be the same as the host of the VirtualServer that references this resource. + Host string `json:"host"` + // A list of upstreams. + Upstreams []Upstream `json:"upstreams"` + // A list of subroutes. + Subroutes []Route `json:"subroutes"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -375,7 +498,9 @@ type VirtualServerRouteList struct { // UpstreamQueue defines Queue Configuration for an Upstream. type UpstreamQueue struct { - Size int `json:"size"` + // The size of the queue. + Size int `json:"size"` + // The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. Timeout string `json:"timeout"` } @@ -457,7 +582,8 @@ type TransportServerSpec struct { Upstreams []TransportServerUpstream `json:"upstreams"` UpstreamParameters *UpstreamParameters `json:"upstreamParameters"` SessionParameters *SessionParameters `json:"sessionParameters"` - Action *TransportServerAction `json:"action"` + // The action to perform for a request. + Action *TransportServerAction `json:"action"` } // TransportServerTLS defines TransportServerTLS configuration for a TransportServer. @@ -473,49 +599,75 @@ type TransportServerListener struct { // TransportServerUpstream defines an upstream. type TransportServerUpstream struct { - Name string `json:"name"` - Service string `json:"service"` - Port int `json:"port"` - FailTimeout string `json:"failTimeout"` - MaxFails *int `json:"maxFails"` - MaxConns *int `json:"maxConns"` - HealthCheck *TransportServerHealthCheck `json:"healthCheck"` - LoadBalancingMethod string `json:"loadBalancingMethod"` - Backup string `json:"backup"` - BackupPort *uint16 `json:"backupPort"` + // The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. + Name string `json:"name"` + // The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and close client connections/ignore datagrams. + Service string `json:"service"` + // The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and close client connections/ignore datagrams. The port must fall into the range 1..65535. + Port int `json:"port"` + // Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. The default 1. + FailTimeout string `json:"failTimeout"` + // Sets the number of maximum connections to the proxied server. Default value is zero, meaning there is no limit. The default is 0. + MaxFails *int `json:"maxFails"` + // Sets the time during which the specified number of unsuccessful attempts to communicate with the server should happen to consider the server unavailable and the period of time the server will be considered unavailable. The default is 10s. + MaxConns *int `json:"maxConns"` + // The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. + HealthCheck *TransportServerHealthCheck `json:"healthCheck"` + // The method used to load balance the upstream servers. By default, connections are distributed between the servers using a weighted round-robin balancing method. See the upstream section for available methods and their details. + LoadBalancingMethod string `json:"loadBalancingMethod"` + // The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. + Backup string `json:"backup"` + // The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. + BackupPort *uint16 `json:"backupPort"` } // TransportServerHealthCheck defines the parameters for active Upstream HealthChecks. type TransportServerHealthCheck struct { - Enabled bool `json:"enable"` - Timeout string `json:"timeout"` - Jitter string `json:"jitter"` - Port int `json:"port"` - Interval string `json:"interval"` - Passes int `json:"passes"` - Fails int `json:"fails"` - Match *TransportServerMatch `json:"match"` + // Enables a health check for an upstream server. The default is false. + Enabled bool `json:"enable"` + // This overrides the timeout set by proxy_timeout which is set in SessionParameters for health checks. The default value is 5s. + Timeout string `json:"timeout"` + // The time within which each health check will be randomly delayed. By default, there is no delay. + Jitter string `json:"jitter"` + // The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. + Port int `json:"port"` + // The interval between two consecutive health checks. The default is 5s. + Interval string `json:"interval"` + // The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. + Passes int `json:"passes"` + // The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. + Fails int `json:"fails"` + // Controls the data to send and the response to expect for the healthcheck. + Match *TransportServerMatch `json:"match"` } // TransportServerMatch defines the parameters of a custom health check. type TransportServerMatch struct { - Send string `json:"send"` + // A string to send to an upstream server. + Send string `json:"send"` + // A literal string or a regular expression that the data obtained from the server should match. The regular expression is specified with the preceding ~* modifier (for case-insensitive matching), or the ~ modifier (for case-sensitive matching). NGINX Ingress Controller validates a regular expression using the RE2 syntax. Expect string `json:"expect"` } // UpstreamParameters defines parameters for an upstream. type UpstreamParameters struct { - UDPRequests *int `json:"udpRequests"` + // The number of datagrams, after receiving which, the next datagram from the same client starts a new session. See the proxy_requests directive. The default is 0. + UDPRequests *int `json:"udpRequests"` + // The number of datagrams expected from the proxied server in response to a client datagram. See the proxy_responses directive. By default, the number of datagrams is not limited. UDPResponses *int `json:"udpResponses"` - - ConnectTimeout string `json:"connectTimeout"` - NextUpstream bool `json:"nextUpstream"` + // The timeout for establishing a connection with a proxied server. See the proxy_connect_timeout directive. The default is 60s. + ConnectTimeout string `json:"connectTimeout"` + // If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. See the proxy_next_upstream directive. The default is true. + NextUpstream bool `json:"nextUpstream"` + // The time allowed to pass a connection to the next server. See the proxy_next_upstream_timeout directive. The default us 0. NextUpstreamTimeout string `json:"nextUpstreamTimeout"` - NextUpstreamTries int `json:"nextUpstreamTries"` + // The number of tries for passing a connection to the next server. See the proxy_next_upstream_tries directive. The default is 0. + NextUpstreamTries int `json:"nextUpstreamTries"` } // SessionParameters defines session parameters. type SessionParameters struct { + // The timeout between two successive read or write operations on client or proxied server connections. See proxy_timeout directive. The default is 10m. Timeout string `json:"timeout"` } @@ -653,35 +805,35 @@ type VariableCondition struct { // JWTAuth holds JWT authentication configuration. type JWTAuth struct { - // The realm of the JWT. - Realm string `json:"realm"` - Secret string `json:"secret"` - // The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the Authorization header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: $cookie_auth_token. Accepted variables are $http_, $arg_, $cookie_. - Token string `json:"token"` - // The remote URI where the request will be sent to retrieve JSON Web Key set - JwksURI string `json:"jwksURI"` - // Enables in-memory caching of JWKS (JSON Web Key Sets) that are obtained from the jwksURI and sets a valid time for expiration. + // The realm of the JWT. + Realm string `json:"realm"` + Secret string `json:"secret"` + // The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the Authorization header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: $cookie_auth_token. Accepted variables are $http_, $arg_, $cookie_. + Token string `json:"token"` + // The remote URI where the request will be sent to retrieve JSON Web Key set + JwksURI string `json:"jwksURI"` + // Enables in-memory caching of JWKS (JSON Web Key Sets) that are obtained from the jwksURI and sets a valid time for expiration. KeyCache string `json:"keyCache"` } // BasicAuth holds HTTP Basic authentication configuration type BasicAuth struct { - // The realm for the basic authentication. - Realm string `json:"realm"` - // The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid. + // The realm for the basic authentication. + Realm string `json:"realm"` + // The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid. Secret string `json:"secret"` } // The IngressMTLS policy configures client certificate verification. type IngressMTLS struct { - // The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. + // The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. ClientCertSecret string `json:"clientCertSecret"` - // The file name of the Certificate Revocation List. NGINX Ingress Controller will look for this file in /etc/nginx/secrets - CrlFileName string `json:"crlFileName"` - // Verification for the client. Possible values are "on", "off", "optional", "optional_no_ca". The default is "on". - VerifyClient string `json:"verifyClient"` - // Sets the verification depth in the client certificates chain. The default is 1. - VerifyDepth *int `json:"verifyDepth"` + // The file name of the Certificate Revocation List. NGINX Ingress Controller will look for this file in /etc/nginx/secrets + CrlFileName string `json:"crlFileName"` + // Verification for the client. Possible values are "on", "off", "optional", "optional_no_ca". The default is "on". + VerifyClient string `json:"verifyClient"` + // Sets the verification depth in the client certificates chain. The default is 1. + VerifyDepth *int `json:"verifyDepth"` } // The EgressMTLS policy configures upstreams authentication and certificate verification. @@ -709,57 +861,57 @@ type EgressMTLS struct { // The OIDC policy configures NGINX Plus as a relying party for OpenID Connect authentication. type OIDC struct { // URL for the authorization endpoint provided by your OpenID Connect provider. - AuthEndpoint string `json:"authEndpoint"` - // URL for the token endpoint provided by your OpenID Connect provider. - TokenEndpoint string `json:"tokenEndpoint"` - // URL for the JSON Web Key Set (JWK) document provided by your OpenID Connect provider. - JWKSURI string `json:"jwksURI"` - // The client ID provided by your OpenID Connect provider. - ClientID string `json:"clientID"` - // The name of the Kubernetes secret that stores the client secret provided by your OpenID Connect provider. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/oidc, and the secret under the key client-secret, otherwise the secret will be rejected as invalid. If PKCE is enabled, this should be not configured. - ClientSecret string `json:"clientSecret"` - // List of OpenID Connect scopes. The scope openid always needs to be present and others can be added concatenating them with a + sign, for example openid+profile+email, openid+email+userDefinedScope. The default is openid. - Scope string `json:"scope"` - // Allows overriding the default redirect URI. The default is /_codexch. - RedirectURI string `json:"redirectURI"` - // URL provided by your OpenID Connect provider to request the end user be logged out. - EndSessionEndpoint string `json:"endSessionEndpoint"` - // URI to redirect to after the logout has been performed. Requires endSessionEndpoint. The default is /_logout. - PostLogoutRedirectURI string `json:"postLogoutRedirectURI"` - // Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is 200. - ZoneSyncLeeway *int `json:"zoneSyncLeeway"` - // A list of extra URL arguments to pass to the authorization endpoint provided by your OpenID Connect provider. Arguments must be URL encoded, multiple arguments may be included in the list, for example [ arg1=value1, arg2=value2 ] - AuthExtraArgs []string `json:"authExtraArgs"` - // Option of whether Bearer token is used to authorize NGINX to access protected backend. - AccessTokenEnable bool `json:"accessTokenEnable"` - // Switches Proof Key for Code Exchange on. The OpenID client needs to be in public mode. clientSecret is not used in this mode. - PKCEEnable bool `json:"pkceEnable"` + AuthEndpoint string `json:"authEndpoint"` + // URL for the token endpoint provided by your OpenID Connect provider. + TokenEndpoint string `json:"tokenEndpoint"` + // URL for the JSON Web Key Set (JWK) document provided by your OpenID Connect provider. + JWKSURI string `json:"jwksURI"` + // The client ID provided by your OpenID Connect provider. + ClientID string `json:"clientID"` + // The name of the Kubernetes secret that stores the client secret provided by your OpenID Connect provider. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/oidc, and the secret under the key client-secret, otherwise the secret will be rejected as invalid. If PKCE is enabled, this should be not configured. + ClientSecret string `json:"clientSecret"` + // List of OpenID Connect scopes. The scope openid always needs to be present and others can be added concatenating them with a + sign, for example openid+profile+email, openid+email+userDefinedScope. The default is openid. + Scope string `json:"scope"` + // Allows overriding the default redirect URI. The default is /_codexch. + RedirectURI string `json:"redirectURI"` + // URL provided by your OpenID Connect provider to request the end user be logged out. + EndSessionEndpoint string `json:"endSessionEndpoint"` + // URI to redirect to after the logout has been performed. Requires endSessionEndpoint. The default is /_logout. + PostLogoutRedirectURI string `json:"postLogoutRedirectURI"` + // Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is 200. + ZoneSyncLeeway *int `json:"zoneSyncLeeway"` + // A list of extra URL arguments to pass to the authorization endpoint provided by your OpenID Connect provider. Arguments must be URL encoded, multiple arguments may be included in the list, for example [ arg1=value1, arg2=value2 ] + AuthExtraArgs []string `json:"authExtraArgs"` + // Option of whether Bearer token is used to authorize NGINX to access protected backend. + AccessTokenEnable bool `json:"accessTokenEnable"` + // Switches Proof Key for Code Exchange on. The OpenID client needs to be in public mode. clientSecret is not used in this mode. + PKCEEnable bool `json:"pkceEnable"` } // The WAF policy configures NGINX Plus to secure client requests using App Protect WAF policies. type WAF struct { - // Enables NGINX App Protect WAF. - Enable bool `json:"enable"` - // The App Protect WAF policy of the WAF. Accepts an optional namespace. Mutually exclusive with apBundle. - ApPolicy string `json:"apPolicy"` - // The App Protect WAF policy bundle. Mutually exclusive with apPolicy. - ApBundle string `json:"apBundle"` + // Enables NGINX App Protect WAF. + Enable bool `json:"enable"` + // The App Protect WAF policy of the WAF. Accepts an optional namespace. Mutually exclusive with apBundle. + ApPolicy string `json:"apPolicy"` + // The App Protect WAF policy bundle. Mutually exclusive with apPolicy. + ApBundle string `json:"apBundle"` + // + SecurityLog *SecurityLog `json:"securityLog"` // - SecurityLog *SecurityLog `json:"securityLog"` - // SecurityLogs []*SecurityLog `json:"securityLogs"` } // SecurityLog defines the security log of a WAF policy. type SecurityLog struct { - // Enables security log. - Enable bool `json:"enable"` + // Enables security log. + Enable bool `json:"enable"` // The App Protect WAF log conf resource. Accepts an optional namespace. Only works with apPolicy. - ApLogConf string `json:"apLogConf"` - // The App Protect WAF log bundle resource. Only works with apBundle. + ApLogConf string `json:"apLogConf"` + // The App Protect WAF log bundle resource. Only works with apBundle. ApLogBundle string `json:"apLogBundle"` - // The log destination for the security log. Only accepted variables are syslog:server=:, stderr, . - LogDest string `json:"logDest"` + // The log destination for the security log. Only accepted variables are syslog:server=:, stderr, . + LogDest string `json:"logDest"` } // The API Key policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param. From e3cc2f15d26dd19ad0f89f71ae59c030fecee3e1 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 16 Jul 2025 12:36:48 +0100 Subject: [PATCH 04/33] added last description to virtual server routes file and finalised all of the files --- pkg/apis/configuration/v1/types.go | 156 ++++++++++++++++++++++------- 1 file changed, 118 insertions(+), 38 deletions(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index d45baf8beb..903059721a 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -36,7 +36,9 @@ type VirtualServer struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - Spec VirtualServerSpec `json:"spec"` + // Spec contains the VirtualServer specification. + Spec VirtualServerSpec `json:"spec"` + // Status contains the current status of the VirtualServer. Status VirtualServerStatus `json:"status"` } @@ -176,12 +178,15 @@ type Upstream struct { // UpstreamBuffers defines Buffer Configuration for an Upstream. type UpstreamBuffers struct { + // Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. Number int `json:"number"` + // Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. Size string `json:"size"` } // UpstreamTLS defines a TLS configuration for an Upstream. type UpstreamTLS struct { + // Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. Enable bool `json:"enable"` } @@ -227,7 +232,9 @@ type HealthCheck struct { // Header defines an HTTP Header. type Header struct { + // The name of the header. Name string `json:"name"` + // The value of the header. Value string `json:"value"` } @@ -340,6 +347,7 @@ type ProxyResponseHeaders struct { // AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. type AddHeader struct { Header `json:",inline"` + // If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. Always bool `json:"always"` } @@ -417,15 +425,24 @@ type TLSRedirect struct { // CertManager defines a cert manager config for a TLS. type CertManager struct { + // the name of a ClusterIssuer. A ClusterIssuer is a cert-manager resource which describes the certificate authority capable of signing certificates. It does not matter which namespace your VirtualServer resides, as ClusterIssuers are non-namespaced resources. Please note that one of issuer and cluster-issuer are required, but they are mutually exclusive - one and only one must be defined. ClusterIssuer string `json:"cluster-issuer"` - Issuer string `json:"issuer"` - IssuerKind string `json:"issuer-kind"` - IssuerGroup string `json:"issuer-group"` - CommonName string `json:"common-name"` - Duration string `json:"duration"` - RenewBefore string `json:"renew-before"` - Usages string `json:"usages"` - IssueTempCert bool `json:"issue-temp-cert"` + // the name of an Issuer. An Issuer is a cert-manager resource which describes the certificate authority capable of signing certificates. The Issuer must be in the same namespace as the VirtualServer resource. Please note that one of issuer and cluster-issuer are required, but they are mutually exclusive - one and only one must be defined. + Issuer string `json:"issuer"` + // The kind of the external issuer resource, for example AWSPCAIssuer. This is only necessary for out-of-tree issuers. This cannot be defined if cluster-issuer is also defined. + IssuerKind string `json:"issuer-kind"` + // The API group of the external issuer controller, for example awspca.cert-manager.io. This is only necessary for out-of-tree issuers. This cannot be defined if cluster-issuer is also defined. + IssuerGroup string `json:"issuer-group"` + // This field allows you to configure spec.commonName for the Certificate to be generated. This configuration adds a CN to the x509 certificate. + CommonName string `json:"common-name"` + // This field allows you to configure spec.duration field for the Certificate to be generated. Must be specified using a Go time.Duration string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. + Duration string `json:"duration"` + // this annotation allows you to configure spec.renewBefore field for the Certificate to be generated. Must be specified using a Go time.Duration string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. + RenewBefore string `json:"renew-before"` + // This field allows you to configure spec.usages field for the Certificate to be generated. Pass a string with comma-separated values i.e. key agreement,digital signature, server auth. An exhaustive list of supported key usages can be found in the the cert-manager api documentation. + Usages string `json:"usages"` + // When true, ask cert-manager for a temporary self-signed certificate pending the issuance of the Certificate. This allows HTTPS-only servers to use ACME HTTP01 challenges when the TLS secret does not exist yet. + IssueTempCert bool `json:"issue-temp-cert"` } // VirtualServerStatus defines the status for the VirtualServer resource. @@ -506,10 +523,15 @@ type UpstreamQueue struct { // VirtualServerRouteStatus defines the status for the VirtualServerRoute resource. type VirtualServerRouteStatus struct { + // Represents the current state of the resource. There are three possible values: Valid, Invalid and Warning. Valid indicates that the resource has been validated and accepted by the Ingress Controller. Invalid means the resource failed validation or NGINX State string `json:"state"` + // The reason of the current state of the resource. Reason string `json:"reason"` + // The message of the current state of the resource. It can contain more detailed information about the reason. Message string `json:"message"` + // Defines how other resources reference this resource. ReferencedBy string `json:"referencedBy"` + // Defines the IPs, hostnames and ports used to connect to this resource. ExternalEndpoints []ExternalEndpoint `json:"externalEndpoints,omitempty"` } @@ -523,22 +545,31 @@ type VirtualServerRouteStatus struct { type GlobalConfiguration struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec GlobalConfigurationSpec `json:"spec"` + // spec field of the GlobalConfiguration resource + Spec GlobalConfigurationSpec `json:"spec"` } // GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. type GlobalConfigurationSpec struct { + // Listeners field of the GlobalConfigurationSpec resource Listeners []Listener `json:"listeners"` } // Listener defines a listener. type Listener struct { + // The name of the listener. The name must be unique across all listeners. Name string `json:"name"` + // The protocol of the listener. For example, HTTP. + Protocol string `json:"protocol"` + // The port on which the listener will accept connections. Port int `json:"port"` + // Custom SNI processing for listener. Allows listener to be used as a passthrough for SNI processing + PassSNI bool `json:"passSNI"` + // ipv4 and ipv6 addresses that NGINX will listen on. Defaults to listening on all available IPv4 and IPv6 addresses. IPv4 string `json:"ipv4"` + // ipv6 addresses that NGINX will listen on. IPv6 string `json:"ipv6"` - Protocol string `json:"protocol"` + // Whether the listener will be listening for SSL connections Ssl bool `json:"ssl"` } @@ -548,6 +579,7 @@ type Listener struct { type GlobalConfigurationList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` + // Items field of the GlobalConfigurationList resource Items []GlobalConfiguration `json:"items"` } @@ -566,21 +598,31 @@ type GlobalConfigurationList struct { type TransportServer struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - + // spec field of the TransportServer resource Spec TransportServerSpec `json:"spec"` + // status field of the TransportServer resource Status TransportServerStatus `json:"status"` } // TransportServerSpec is the spec of the TransportServer resource. type TransportServerSpec struct { + // Specifies which Ingress Controller must handle the VirtualServer resource. IngressClass string `json:"ingressClassName"` + // The TLS termination configuration. TLS *TransportServerTLS `json:"tls"` + // Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource Listener TransportServerListener `json:"listener"` + // Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. ServerSnippets string `json:"serverSnippets"` + // Sets a custom snippet in the stream context. Overrides the stream-snippets ConfigMap key. StreamSnippets string `json:"streamSnippets"` + // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. Host string `json:"host"` + // A list of upstreams. Upstreams []TransportServerUpstream `json:"upstreams"` + // The UpstreamParameters are set on stream context UpstreamParameters *UpstreamParameters `json:"upstreamParameters"` + // The parameters of the session to be used for the Server context SessionParameters *SessionParameters `json:"sessionParameters"` // The action to perform for a request. Action *TransportServerAction `json:"action"` @@ -593,7 +635,9 @@ type TransportServerTLS struct { // TransportServerListener defines a listener for a TransportServer. type TransportServerListener struct { + // The name of a listener defined in a GlobalConfiguration resource. Name string `json:"name"` + // The protocol of the listener. Protocol string `json:"protocol"` } @@ -667,19 +711,23 @@ type UpstreamParameters struct { // SessionParameters defines session parameters. type SessionParameters struct { - // The timeout between two successive read or write operations on client or proxied server connections. See proxy_timeout directive. The default is 10m. + // The timeout between two successive read or write operations on client or proxied server connections. See proxy_timeout directive. The default is 10m. Timeout string `json:"timeout"` } // TransportServerAction defines an action. type TransportServerAction struct { + // Passes connections/datagrams to an upstream. The upstream with that name must be defined in the resource. Pass string `json:"pass"` } // TransportServerStatus defines the status for the TransportServer resource. type TransportServerStatus struct { + // Represents the current state of the resource. There are three possible values: Valid, Invalid and Warning. Valid indicates that the resource has been validated and accepted by the Ingress Controller. Invalid means the resource failed validation or State string `json:"state"` + // The reason of the current state of the resource. Reason string `json:"reason"` + // The message of the current state of the resource. It can contain more detailed information about the reason. Message string `json:"message"` } @@ -689,7 +737,7 @@ type TransportServerStatus struct { type TransportServerList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` - + // Items field of the TransportServerList resource Items []TransportServer `json:"items"` } @@ -706,15 +754,19 @@ type TransportServerList struct { type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - + // spec field of the Policy resource Spec PolicySpec `json:"spec"` + // status field of the Policy resource Status PolicyStatus `json:"status"` } // PolicyStatus is the status of the policy resource type PolicyStatus struct { + // Represents the current state of the resource. There are three possible values: Valid, Invalid and Warning. Valid indicates that the resource has been validated and accepted by the Ingress Controller. Invalid means the resource failed validation or State string `json:"state"` + // The reason of the current state of the resource. Reason string `json:"reason"` + // The message of the current state of the resource. It can contain more detailed information about the reason. Message string `json:"message"` } @@ -722,16 +774,26 @@ type PolicyStatus struct { // The spec includes multiple fields, where each field represents a different policy. // Only one policy (field) is allowed. type PolicySpec struct { - IngressClass string `json:"ingressClassName"` + // Specifies which instance of NGINX Ingress Controller must handle the Policy resource. + IngressClass string `json:"ingressClassName"` + // The access control policy based on the client IP address. AccessControl *AccessControl `json:"accessControl"` - RateLimit *RateLimit `json:"rateLimit"` - JWTAuth *JWTAuth `json:"jwt"` - BasicAuth *BasicAuth `json:"basicAuth"` - IngressMTLS *IngressMTLS `json:"ingressMTLS"` - EgressMTLS *EgressMTLS `json:"egressMTLS"` - OIDC *OIDC `json:"oidc"` - WAF *WAF `json:"waf"` - APIKey *APIKey `json:"apiKey"` + // The rate limit policy controls the rate of processing requests per a defined key. + RateLimit *RateLimit `json:"rateLimit"` + // The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens. + JWTAuth *JWTAuth `json:"jwt"` + // The basic auth policy configures NGINX to authenticate client requests using HTTP Basic authentication credentials. + BasicAuth *BasicAuth `json:"basicAuth"` + // The IngressMTLS policy configures client certificate verification. + IngressMTLS *IngressMTLS `json:"ingressMTLS"` + // The EgressMTLS policy configures upstreams authentication and certificate verification. + EgressMTLS *EgressMTLS `json:"egressMTLS"` + // The OpenID Connect policy configures NGINX to authenticate client requests by validating a JWT token against an OAuth2/OIDC token provider, such as Auth0 or Keycloak. + OIDC *OIDC `json:"oidc"` + // The WAF policy configures WAF and log configuration policies for NGINX AppProtect + WAF *WAF `json:"waf"` + // The API Key policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param. + APIKey *APIKey `json:"apiKey"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -740,7 +802,8 @@ type PolicySpec struct { type PolicyList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` - + + // Items field of the PolicyList resource Items []Policy `json:"items"` } @@ -752,17 +815,29 @@ type AccessControl struct { // RateLimit defines a rate limit policy. type RateLimit struct { - //The rate of requests permitted. The rate is specified in requests per second (r/s) or requests per minute (r/m). - Rate string `json:"rate"` - Key string `json:"key"` - Delay *int `json:"delay"` - NoDelay *bool `json:"noDelay"` - Burst *int `json:"burst"` - ZoneSize string `json:"zoneSize"` - DryRun *bool `json:"dryRun"` - LogLevel string `json:"logLevel"` - RejectCode *int `json:"rejectCode"` - Scale bool `json:"scale"` + // The rate of requests permitted. The rate is specified in requests per second (r/s) or requests per minute (r/m). + Rate string `json:"rate"` + // The key to which the rate limit is applied. Can contain text, variables, or a combination of them. + // Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are + // $binary_remote_addr,$request_uri,$request_method,$url,$http_, $args,$arg_,$cookie_,$jwt_claim_. + Key string `json:"key"` + // The delay parameter specifies a limit at which excessive requests become delayed. If not set all excessive requests are delayed. + Delay *int `json:"delay"` + // Disables the delaying of excessive requests while requests are being limited. Overrides delay if both are set. + NoDelay *bool `json:"noDelay"` + // Excessive requests are delayed until their number exceeds the burst size, in which case the request is terminated with an error. + Burst *int `json:"burst"` + // Size of the shared memory zone. Only positive values are allowed. Allowed suffixes are k or m, if none are present k is assumed. + ZoneSize string `json:"zoneSize"` + // Enables the dry run mode. In this mode, the rate limit is not actually applied, but the number of excessive requests is accounted as usual in the shared memory zone. + DryRun *bool `json:"dryRun"` + // Sets the desired logging level for cases when the server refuses to process requests due to rate exceeding, or delays request processing. Allowed values are info, notice, warn or error. Default is error. + LogLevel string `json:"logLevel"` + // Sets the status code to return in response to rejected requests. Must fall into the range 400..599. Default is 503. + RejectCode *int `json:"rejectCode"` + // Enables a constant rate-limit by dividing the configured rate by the number of nginx-ingress pods currently serving traffic. This adjustment ensures that the rate-limit remains consistent, even as the number of nginx-pods fluctuates due to autoscaling. This will not work properly if requests from a client are not evenly distributed across all ingress pods (Such as with sticky sessions, long lived TCP Connections with many requests, and so forth). In such cases using zone-sync instead would give better results. Enabling zone-sync will suppress this setting. + Scale bool `json:"scale"` + // Add a condition to a rate-limit policy. // +kubebuilder:validation:Optional Condition *RateLimitCondition `json:"condition"` } @@ -806,7 +881,8 @@ type VariableCondition struct { // JWTAuth holds JWT authentication configuration. type JWTAuth struct { // The realm of the JWT. - Realm string `json:"realm"` + Realm string `json:"realm"` + // The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid. Secret string `json:"secret"` // The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the Authorization header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: $cookie_auth_token. Accepted variables are $http_, $arg_, $cookie_. Token string `json:"token"` @@ -916,12 +992,16 @@ type SecurityLog struct { // The API Key policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param. type APIKey struct { + // The location of the API Key. For example, $http_auth, $arg_apikey, $cookie_auth. Accepted variables are $http_, $arg_, $cookie_. SuppliedIn *SuppliedIn `json:"suppliedIn"` + // The key to which the API key is applied. Can contain text, variables, or a combination of them. Accepted variables are $http_, $arg_, $cookie_. ClientSecret string `json:"clientSecret"` } // SuppliedIn defines the locations API Key should be supplied in. type SuppliedIn struct { + // The location of the API Key as a request header. For example, $http_auth. Accepted variables are $http_. Header []string `json:"header"` + // The location of the API Key as a query param. For example, $arg_apikey. Accepted variables are $arg_. Query []string `json:"query"` } From 19a0a30d587668fbf6d8d88608872c3c7ed7e9dc Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Thu, 17 Jul 2025 10:23:51 +0100 Subject: [PATCH 05/33] add crds --- .../k8s.nginx.org_globalconfigurations.yaml | 17 +- config/crd/bases/k8s.nginx.org_policies.yaml | 208 +- .../bases/k8s.nginx.org_transportservers.yaml | 137 +- .../k8s.nginx.org_virtualserverroutes.yaml | 649 +++++- .../bases/k8s.nginx.org_virtualservers.yaml | 753 ++++++- deploy/crds.yaml | 1764 +++++++++++++++-- 6 files changed, 3218 insertions(+), 310 deletions(-) diff --git a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml index 3a0ec774c7..8e936f607d 100644 --- a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml +++ b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml @@ -39,24 +39,37 @@ spec: metadata: type: object spec: - description: GlobalConfigurationSpec is the spec of the GlobalConfiguration - resource. + description: spec field of the GlobalConfiguration resource properties: listeners: + description: Listeners field of the GlobalConfigurationSpec resource items: description: Listener defines a listener. properties: ipv4: + description: ipv4 and ipv6 addresses that NGINX will listen + on. Defaults to listening on all available IPv4 and IPv6 addresses. type: string ipv6: + description: ipv6 addresses that NGINX will listen on. type: string name: + description: The name of the listener. The name must be unique + across all listeners. type: string + passSNI: + description: Custom SNI processing for listener. Allows listener + to be used as a passthrough for SNI processing + type: boolean port: + description: The port on which the listener will accept connections. type: integer protocol: + description: The protocol of the listener. For example, HTTP. type: string ssl: + description: Whether the listener will be listening for SSL + connections type: boolean type: object type: array diff --git a/config/crd/bases/k8s.nginx.org_policies.yaml b/config/crd/bases/k8s.nginx.org_policies.yaml index d5a51d49e3..cd27a24a6b 100644 --- a/config/crd/bases/k8s.nginx.org_policies.yaml +++ b/config/crd/bases/k8s.nginx.org_policies.yaml @@ -49,14 +49,10 @@ spec: metadata: type: object spec: - description: |- - PolicySpec is the spec of the Policy resource. - The spec includes multiple fields, where each field represents a different policy. - Only one policy (field) is allowed. + description: spec field of the Policy resource properties: accessControl: - description: AccessControl defines an access policy based on the source - IP of a request. + description: The access control policy based on the client IP address. properties: allow: items: @@ -68,122 +64,235 @@ spec: type: array type: object apiKey: - description: APIKey defines an API Key policy. + description: The API Key policy configures NGINX to authorize requests + which provide a valid API Key in a specified header or query param. properties: clientSecret: + description: The key to which the API key is applied. Can contain + text, variables, or a combination of them. Accepted variables + are $http_, $arg_, $cookie_. type: string suppliedIn: - description: SuppliedIn defines the locations API Key should be - supplied in. + description: The location of the API Key. For example, $http_auth, + $arg_apikey, $cookie_auth. Accepted variables are $http_, $arg_, + $cookie_. properties: header: + description: The location of the API Key as a request header. + For example, $http_auth. Accepted variables are $http_. items: type: string type: array query: + description: The location of the API Key as a query param. + For example, $arg_apikey. Accepted variables are $arg_. items: type: string type: array type: object type: object basicAuth: - description: BasicAuth holds HTTP Basic authentication configuration + description: The basic auth policy configures NGINX to authenticate + client requests using HTTP Basic authentication credentials. properties: realm: + description: The realm for the basic authentication. type: string secret: + description: The name of the Kubernetes secret that stores the + Htpasswd configuration. It must be in the same namespace as + the Policy resource. The secret must be of the type nginx.org/htpasswd, + and the config must be stored in the secret under the key htpasswd, + otherwise the secret will be rejected as invalid. type: string type: object egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. + description: The EgressMTLS policy configures upstreams authentication + and certificate verification. properties: ciphers: + description: Specifies the enabled ciphers for requests to an + upstream HTTPS server. The default is DEFAULT. type: string protocols: + description: Specifies the protocols for requests to an upstream + HTTPS server. The default is TLSv1 TLSv1.1 TLSv1.2. type: string serverName: + description: Enables passing of the server name through Server + Name Indication extension. type: boolean sessionReuse: + description: Enables reuse of SSL sessions to the upstreams. The + default is true. type: boolean sslName: + description: Allows overriding the server name used to verify + the certificate of the upstream HTTPS server. type: string tlsSecret: + description: The name of the Kubernetes secret that stores the + TLS certificate and key. It must be in the same namespace as + the Policy resource. The secret must be of the type kubernetes.io/tls, + the certificate must be stored in the secret under the key tls.crt, + and the key must be stored under the key tls.key, otherwise + the secret will be rejected as invalid. type: string trustedCertSecret: + description: The name of the Kubernetes secret that stores the + CA certificate. It must be in the same namespace as the Policy + resource. The secret must be of the type nginx.org/ca, and the + certificate must be stored in the secret under the key ca.crt, + otherwise the secret will be rejected as invalid. type: string verifyDepth: + description: Sets the verification depth in the proxied HTTPS + server certificates chain. The default is 1. type: integer verifyServer: + description: Enables verification of the upstream HTTPS server + certificate. type: boolean type: object ingressClassName: + description: Specifies which instance of NGINX Ingress Controller + must handle the Policy resource. type: string ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. + description: The IngressMTLS policy configures client certificate + verification. properties: clientCertSecret: + description: The name of the Kubernetes secret that stores the + CA certificate. It must be in the same namespace as the Policy + resource. The secret must be of the type nginx.org/ca, and the + certificate must be stored in the secret under the key ca.crt, + otherwise the secret will be rejected as invalid. type: string crlFileName: + description: The file name of the Certificate Revocation List. + NGINX Ingress Controller will look for this file in /etc/nginx/secrets type: string verifyClient: + description: Verification for the client. Possible values are + "on", "off", "optional", "optional_no_ca". The default is "on". type: string verifyDepth: + description: Sets the verification depth in the client certificates + chain. The default is 1. type: integer type: object jwt: - description: JWTAuth holds JWT authentication configuration. + description: The JWT policy configures NGINX Plus to authenticate + client requests using JSON Web Tokens. properties: jwksURI: + description: The remote URI where the request will be sent to + retrieve JSON Web Key set type: string keyCache: + description: Enables in-memory caching of JWKS (JSON Web Key Sets) + that are obtained from the jwksURI and sets a valid time for + expiration. type: string realm: + description: The realm of the JWT. type: string secret: + description: The name of the Kubernetes secret that stores the + Htpasswd configuration. It must be in the same namespace as + the Policy resource. The secret must be of the type nginx.org/htpasswd, + and the config must be stored in the secret under the key htpasswd, + otherwise the secret will be rejected as invalid. type: string token: + description: 'The token specifies a variable that contains the + JSON Web Token. By default the JWT is passed in the Authorization + header as a Bearer Token. JWT may be also passed as a cookie + or a part of a query string, for example: $cookie_auth_token. + Accepted variables are $http_, $arg_, $cookie_.' type: string type: object oidc: - description: OIDC defines an Open ID Connect policy. + description: The OpenID Connect policy configures NGINX to authenticate + client requests by validating a JWT token against an OAuth2/OIDC + token provider, such as Auth0 or Keycloak. properties: accessTokenEnable: + description: Option of whether Bearer token is used to authorize + NGINX to access protected backend. type: boolean authEndpoint: + description: URL for the authorization endpoint provided by your + OpenID Connect provider. type: string authExtraArgs: + description: A list of extra URL arguments to pass to the authorization + endpoint provided by your OpenID Connect provider. Arguments + must be URL encoded, multiple arguments may be included in the + list, for example [ arg1=value1, arg2=value2 ] items: type: string type: array clientID: + description: The client ID provided by your OpenID Connect provider. type: string clientSecret: + description: The name of the Kubernetes secret that stores the + client secret provided by your OpenID Connect provider. It must + be in the same namespace as the Policy resource. The secret + must be of the type nginx.org/oidc, and the secret under the + key client-secret, otherwise the secret will be rejected as + invalid. If PKCE is enabled, this should be not configured. type: string endSessionEndpoint: + description: URL provided by your OpenID Connect provider to request + the end user be logged out. type: string jwksURI: + description: URL for the JSON Web Key Set (JWK) document provided + by your OpenID Connect provider. type: string pkceEnable: + description: Switches Proof Key for Code Exchange on. The OpenID + client needs to be in public mode. clientSecret is not used + in this mode. type: boolean postLogoutRedirectURI: + description: URI to redirect to after the logout has been performed. + Requires endSessionEndpoint. The default is /_logout. type: string redirectURI: + description: Allows overriding the default redirect URI. The default + is /_codexch. type: string scope: + description: List of OpenID Connect scopes. The scope openid always + needs to be present and others can be added concatenating them + with a + sign, for example openid+profile+email, openid+email+userDefinedScope. + The default is openid. type: string tokenEndpoint: + description: URL for the token endpoint provided by your OpenID + Connect provider. type: string zoneSyncLeeway: + description: Specifies the maximum timeout in milliseconds for + synchronizing ID/access tokens and shared values between Ingress + Controller pods. The default is 200. type: integer type: object rateLimit: - description: RateLimit defines a rate limit policy. + description: The rate limit policy controls the rate of processing + requests per a defined key. properties: burst: + description: Excessive requests are delayed until their number + exceeds the burst size, in which case the request is terminated + with an error. type: integer condition: - description: RateLimitCondition defines a condition for a rate - limit policy. + description: Add a condition to a rate-limit policy. properties: default: description: sets the rate limit in this policy to be the @@ -228,43 +337,89 @@ spec: type: array type: object delay: + description: The delay parameter specifies a limit at which excessive + requests become delayed. If not set all excessive requests are + delayed. type: integer dryRun: + description: Enables the dry run mode. In this mode, the rate + limit is not actually applied, but the number of excessive requests + is accounted as usual in the shared memory zone. type: boolean key: + description: |- + The key to which the rate limit is applied. Can contain text, variables, or a combination of them. + Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are + $binary_remote_addr,$request_uri,$request_method,$url,$http_, $args,$arg_,$cookie_,$jwt_claim_. type: string logLevel: + description: Sets the desired logging level for cases when the + server refuses to process requests due to rate exceeding, or + delays request processing. Allowed values are info, notice, + warn or error. Default is error. type: string noDelay: + description: Disables the delaying of excessive requests while + requests are being limited. Overrides delay if both are set. type: boolean rate: + description: The rate of requests permitted. The rate is specified + in requests per second (r/s) or requests per minute (r/m). type: string rejectCode: + description: Sets the status code to return in response to rejected + requests. Must fall into the range 400..599. Default is 503. type: integer scale: + description: Enables a constant rate-limit by dividing the configured + rate by the number of nginx-ingress pods currently serving traffic. + This adjustment ensures that the rate-limit remains consistent, + even as the number of nginx-pods fluctuates due to autoscaling. + This will not work properly if requests from a client are not + evenly distributed across all ingress pods (Such as with sticky + sessions, long lived TCP Connections with many requests, and + so forth). In such cases using zone-sync instead would give + better results. Enabling zone-sync will suppress this setting. type: boolean zoneSize: + description: Size of the shared memory zone. Only positive values + are allowed. Allowed suffixes are k or m, if none are present + k is assumed. type: string type: object waf: - description: WAF defines an WAF policy. + description: The WAF policy configures WAF and log configuration policies + for NGINX AppProtect properties: apBundle: + description: The App Protect WAF policy bundle. Mutually exclusive + with apPolicy. type: string apPolicy: + description: The App Protect WAF policy of the WAF. Accepts an + optional namespace. Mutually exclusive with apBundle. type: string enable: + description: Enables NGINX App Protect WAF. type: boolean securityLog: description: SecurityLog defines the security log of a WAF policy. properties: apLogBundle: + description: The App Protect WAF log bundle resource. Only + works with apBundle. type: string apLogConf: + description: The App Protect WAF log conf resource. Accepts + an optional namespace. Only works with apPolicy. type: string enable: + description: Enables security log. type: boolean logDest: + description: The log destination for the security log. Only + accepted variables are syslog:server=:, stderr, . type: string type: object securityLogs: @@ -272,25 +427,40 @@ spec: description: SecurityLog defines the security log of a WAF policy. properties: apLogBundle: + description: The App Protect WAF log bundle resource. Only + works with apBundle. type: string apLogConf: + description: The App Protect WAF log conf resource. Accepts + an optional namespace. Only works with apPolicy. type: string enable: + description: Enables security log. type: boolean logDest: + description: The log destination for the security log. Only + accepted variables are syslog:server=:, stderr, . type: string type: object type: array type: object type: object status: - description: PolicyStatus is the status of the policy resource + description: status field of the Policy resource properties: message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string state: + description: 'Represents the current state of the resource. There + are three possible values: Valid, Invalid and Warning. Valid indicates + that the resource has been validated and accepted by the Ingress + Controller. Invalid means the resource failed validation or' type: string type: object type: object diff --git a/config/crd/bases/k8s.nginx.org_transportservers.yaml b/config/crd/bases/k8s.nginx.org_transportservers.yaml index 4021c60492..150ace963d 100644 --- a/config/crd/bases/k8s.nginx.org_transportservers.yaml +++ b/config/crd/bases/k8s.nginx.org_transportservers.yaml @@ -51,121 +51,232 @@ spec: metadata: type: object spec: - description: TransportServerSpec is the spec of the TransportServer resource. + description: spec field of the TransportServer resource properties: action: - description: TransportServerAction defines an action. + description: The action to perform for a request. properties: pass: + description: Passes connections/datagrams to an upstream. The + upstream with that name must be defined in the resource. type: string type: object host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. The host value needs to be unique + among all Ingress and VirtualServer resources. See also Handling + Host and Listener Collisions. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServer + resource. type: string listener: - description: TransportServerListener defines a listener for a TransportServer. + description: Sets a custom HTTP and/or HTTPS listener. Valid fields + are listener.http and listener.https. Each field must reference + the name of a valid listener defined in a GlobalConfiguration resource properties: name: + description: The name of a listener defined in a GlobalConfiguration + resource. type: string protocol: + description: The protocol of the listener. type: string type: object serverSnippets: + description: Sets a custom snippet in server context. Overrides the + server-snippets ConfigMap key. type: string sessionParameters: - description: SessionParameters defines session parameters. + description: The parameters of the session to be used for the Server + context properties: timeout: + description: The timeout between two successive read or write + operations on client or proxied server connections. See proxy_timeout + directive. The default is 10m. type: string type: object streamSnippets: + description: Sets a custom snippet in the stream context. Overrides + the stream-snippets ConfigMap key. type: string tls: - description: TransportServerTLS defines TransportServerTLS configuration - for a TransportServer. + description: The TLS termination configuration. properties: secret: type: string type: object upstreamParameters: - description: UpstreamParameters defines parameters for an upstream. + description: The UpstreamParameters are set on stream context properties: connectTimeout: + description: The timeout for establishing a connection with a + proxied server. See the proxy_connect_timeout directive. The + default is 60s. type: string nextUpstream: + description: If a connection to the proxied server cannot be established, + determines whether a client connection will be passed to the + next server. See the proxy_next_upstream directive. The default + is true. type: boolean nextUpstreamTimeout: + description: The time allowed to pass a connection to the next + server. See the proxy_next_upstream_timeout directive. The default + us 0. type: string nextUpstreamTries: + description: The number of tries for passing a connection to the + next server. See the proxy_next_upstream_tries directive. The + default is 0. type: integer udpRequests: + description: The number of datagrams, after receiving which, the + next datagram from the same client starts a new session. See + the proxy_requests directive. The default is 0. type: integer udpResponses: + description: The number of datagrams expected from the proxied + server in response to a client datagram. See the proxy_responses + directive. By default, the number of datagrams is not limited. type: integer type: object upstreams: + description: A list of upstreams. items: description: TransportServerUpstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random , + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer failTimeout: + description: Sets the number of unsuccessful attempts to communicate + with the server that should happen in the duration set by + the failTimeout parameter to consider the server unavailable. + The default 1. type: string healthCheck: - description: TransportServerHealthCheck defines the parameters - for active Upstream HealthChecks. + description: 'The health check configuration for the Upstream. + See the health_check directive. Note: this feature is supported + only in NGINX Plus.' properties: enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string match: - description: TransportServerMatch defines the parameters - of a custom health check. + description: Controls the data to send and the response + to expect for the healthcheck. properties: expect: + description: A literal string or a regular expression + that the data obtained from the server should match. + The regular expression is specified with the preceding + ~* modifier (for case-insensitive matching), or the + ~ modifier (for case-sensitive matching). NGINX Ingress + Controller validates a regular expression using the + RE2 syntax. type: string send: + description: A string to send to an upstream server. type: string type: object passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer timeout: + description: This overrides the timeout set by proxy_timeout + which is set in SessionParameters for health checks. The + default value is 5s. type: string type: object loadBalancingMethod: + description: The method used to load balance the upstream servers. + By default, connections are distributed between the servers + using a weighted round-robin balancing method. See the upstream + section for available methods and their details. type: string maxConns: + description: Sets the time during which the specified number + of unsuccessful attempts to communicate with the server should + happen to consider the server unavailable and the period of + time the server will be considered unavailable. The default + is 10s. type: integer maxFails: + description: Sets the number of maximum connections to the proxied + server. Default value is zero, meaning there is no limit. + The default is 0. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and close client connections/ignore datagrams. The port must + fall into the range 1..65535. type: integer service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + close client connections/ignore datagrams. type: string type: object type: array type: object status: - description: TransportServerStatus defines the status for the TransportServer - resource. + description: status field of the TransportServer resource properties: message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string state: + description: 'Represents the current state of the resource. There + are three possible values: Valid, Invalid and Warning. Valid indicates + that the resource has been validated and accepted by the Ingress + Controller. Invalid means the resource failed validation or' type: string type: object type: object diff --git a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml index 83ba8379e5..d26c1ead9d 100644 --- a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml @@ -65,295 +65,482 @@ spec: resource. properties: host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. Must be the same as the host of the + VirtualServer that references this resource. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServerRoute + resource. Must be the same as the ingressClassName of the VirtualServer + that references this resource. type: string subroutes: + description: A list of subroutes. items: description: Route defines a route. properties: action: - description: Action defines an action. + description: The default action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the ability + to modify the request/response (for example, rewrite the + URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the proxy_pass_request_header + directive for more information. Default is true. type: boolean set: + description: Allows redefining or appending fields + to present request headers passed to the proxied + upstream servers. See the proxy_set_header directive + for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the response - headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response to the + client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the header + regardless of the response status code**. + Default is false. See the add_header directive + for more information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be passed* + in the response to the client from a proxied upstream + server. See the proxy_hide_header directive for + more information. items: type: string type: array ignore: + description: Disables processing of certain headers** + to the client from a proxied upstream server. + See the proxy_ignore_headers directive for more + information. items: type: string type: array pass: + description: Allows passing the hidden header fields* + to the client from a proxied upstream server. + See the proxy_pass_header directive for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path is + a regular expression – starts with ~ – the rewritePath + can include capture groups with $1-9. For example + $1 for the first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which the requests + will be proxied to. The upstream with that name must + be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301 , 302 , 307 , 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. Supported + NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly brackets. + For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The allowed + values are: 2XX, 4XX or 5XX. The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object dos: + description: A reference to a DosProtectedResource, setting + this enables DOS protection of the VirtualServer route. type: string errorPages: + description: The custom responses for error codes. NGINX will + use those responses instead of returning the error responses + from the upstream servers or the default responses generated + by NGINX. A custom response can be a redirect or a canned + response. For example, a redirect to another URL if an upstream + server responded with a 404 status code. items: description: ErrorPage defines an ErrorPage in a Route. properties: codes: + description: A list of error status codes. items: type: integer type: array redirect: - description: ErrorPageRedirect defines a redirect for - an ErrorPage. + description: The canned response action for the given + status codes. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301 , 302 , 307 , 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. + Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ErrorPageReturn defines a return for an ErrorPage. + description: The redirect action for the given status + codes. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly + brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The + allowed values are: 2XX, 4XX or 5XX. The default + is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object type: array location-snippets: + description: Sets a custom snippet in the location context. + Overrides the location-snippets ConfigMap key. type: string matches: + description: The matching rules for advanced content-based routing. + Requires the default Action or Splits. Unmatched requests + will be handled by the default Action or Splits. items: description: Match defines a match. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the + proxy_pass_request_header directive for + more information. Default is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. See the + proxy_set_header directive for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. See + the add_header directive for more + information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. See the proxy_hide_header + directive for more information. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. See the proxy_ignore_headers directive + for more information. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. See the proxy_pass_header directive + for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301 , 302 , 307 , 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object conditions: + description: A list of conditions. Must include at least + 1 condition. items: description: Condition defines a condition in a MatchRule. properties: argument: + description: The name of an argument. Must consist + of alphanumeric characters or _. type: string cookie: + description: The name of a cookie. Must consist + of alphanumeric characters or _. type: string header: + description: The name of a header. Must consist + of alphanumeric characters or -. type: string value: + description: The value to match the condition against. + How to define a value is shown below the table. type: string variable: + description: The name of an NGINX variable. Must + start with $. See the list of the supported variables + below the table. type: string type: object type: array splits: + description: The splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. + The upstream with that name must be defined + in the resource. type: string proxy: - description: ActionProxy defines a proxy in - an Action. + description: Passes requests to an upstream + with the ability to modify the request/response + (for example, rewrite the URI or modify the + headers). properties: requestHeaders: - description: ProxyRequestHeaders defines - the request headers manipulation in an - ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request + headers to the proxied upstream server. + See the proxy_pass_request_header + directive for more information. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers + passed to the proxied upstream servers. + See the proxy_set_header directive + for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines - the response headers manipulation in an - ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always @@ -361,337 +548,681 @@ spec: NGINX directive. properties: always: + description: If set to true, add + the header regardless of the + response status code**. Default + is false. See the add_header + directive for more information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array hide: + description: The headers that will not + be passed* in the response to the + client from a proxied upstream server. + See the proxy_hide_header directive + for more information. items: type: string type: array ignore: + description: Disables processing of + certain headers** to the client from + a proxied upstream server. See the + proxy_ignore_headers directive for + more information. items: type: string type: array pass: + description: Allows passing the hidden + header fields* to the client from + a proxied upstream server. See the + proxy_pass_header directive for more + information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route + path is a regular expression – starts + with ~ – the rewritePath can include capture + groups with $1-9. For example $1 for the + first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which + the requests will be proxied to. The upstream + with that name must be defined in the + resource. type: string type: object redirect: - description: ActionRedirect defines a redirect - in an Action. + description: Redirects requests to a provided + URL. properties: code: + description: 'The status code of a redirect. + The allowed values are: 301 , 302 , 307 + , 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme + , $http_x_forwarded_proto , $request_uri + , $host. Variables must be enclosed in + curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in - an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. + Supports NGINX variables*. Variables must + be enclosed in curly brackets. For example: + Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. + The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. + The default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall + into the range 0..100. The sum of the weights + of all splits must be equal to 100. type: integer type: object type: array type: object type: array path: + description: 'The path of the route. NGINX will match it against + the URI of a request. Possible values are: a prefix ( / , + /path ), an exact match ( =/exact/match ), a case insensitive + regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive + regular expression ( ~^/foo.*\.jpg ). In the case of a prefix + (must start with / ) or an exact match (must start with = + ), the path must not include any whitespace characters, { + , } or ;. In the case of the regex matches, all double quotes + " must be escaped and the match can’t end in an unescaped + backslash \. The path must be unique among the paths of all + routes of the VirtualServer. Check the location directive + for more information.' type: string policies: + description: A list of policies. The policies override the policies + of the same type defined in the spec of the VirtualServer. + See Applying Policies for more details. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: "The name of a policy. If the policy doesn’t + exist or invalid, NGINX will respond with an error response + with the 500 status code.\tv" type: string namespace: + description: The namespace of a policy. If not specified, + the namespace of the VirtualServer resource is used. type: string type: object type: array route: + description: The name of a VirtualServerRoute resource that + defines this route. If the VirtualServerRoute belongs to a + different namespace than the VirtualServer, you need to include + the namespace. For example, tea-namespace/tea. type: string splits: + description: The default splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the + proxy_pass_request_header directive for + more information. Default is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. See the + proxy_set_header directive for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. See + the add_header directive for more + information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. See the proxy_hide_header + directive for more information. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. See the proxy_ignore_headers directive + for more information. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. See the proxy_pass_header directive + for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301 , 302 , 307 , 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall into the + range 0..100. The sum of the weights of all splits must + be equal to 100. type: integer type: object type: array type: object type: array upstreams: + description: A list of upstreams. items: description: Upstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random , + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer buffer-size: + description: Sets the size of the buffer used for reading the + first part of a response received from the upstream server. + See the proxy_buffer_size directive. The default is set in + the proxy-buffer-size ConfigMap key. type: string buffering: + description: Enables buffering of responses from the upstream + server. See the proxy_buffering directive. The default is + set in the proxy-buffering ConfigMap key. type: boolean buffers: - description: UpstreamBuffers defines Buffer Configuration for - an Upstream. + description: Configures the buffers used for reading a response + from the upstream server for a single connection. properties: number: + description: Configures the number of buffers. The default + is set in the proxy-buffers ConfigMap key. type: integer size: + description: Configures the size of a buffer. The default + is set in the proxy-buffers ConfigMap key. type: string type: object client-max-body-size: + description: Sets the maximum allowed size of the client request + body. See the client_max_body_size directive. The default + is set in the client-max-body-size ConfigMap key. type: string connect-timeout: + description: The timeout for establishing a connection with + an upstream server. See the proxy_connect_timeout directive. + The default is specified in the proxy-connect-timeout ConfigMap + key. type: string fail-timeout: + description: The time during which the specified number of unsuccessful + attempts to communicate with an upstream server should happen + to consider the server unavailable. See the fail_timeout parameter + of the server directive. The default is set in the fail-timeout + ConfigMap key. type: string healthCheck: - description: HealthCheck defines the parameters for active Upstream - HealthChecks. + description: 'The health check configuration for the Upstream. + See the health_check directive. Note: this feature is supported + only in NGINX Plus.' properties: connect-timeout: + description: The timeout for establishing a connection with + an upstream server. By default, the connect-timeout of + the upstream is used. type: string enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer grpcService: + description: The gRPC service to be monitored on the upstream + server. Only valid on gRPC type upstreams. type: string grpcStatus: + description: The expected gRPC status code of the upstream + server response to the Check method. Configure this field + only if your gRPC services do not implement the gRPC health + checking protocol. For example, configure 12 if the upstream + server responds with 12 (UNIMPLEMENTED) status code. Only + valid on gRPC type upstreams. type: integer headers: + description: The request headers used for health check requests. + NGINX Plus always sets the Host, User-Agent and Connection + headers for health check requests. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string keepalive-time: + description: Enables keepalive connections for health checks + and specifies the time during which requests can be processed + through one keepalive connection. The default is 60s. type: string mandatory: + description: Require every newly added server to pass all + configured health checks before NGINX Plus sends traffic + to it. If this is not specified, or is set to false, the + server will be initially considered healthy. When combined + with slow-start, it gives a new server more time to connect + to databases and “warm up” before being asked to handle + their full share of traffic. type: boolean passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer path: + description: The path used for health check requests. The + default is /. This is not configurable for gRPC type upstreams. type: string persistent: + description: Set the initial “up” state for a server after + reload if the server was considered healthy before reload. + Enabling persistent requires that the mandatory parameter + is also set to true. type: boolean port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer read-timeout: + description: The timeout for reading a response from an + upstream server. By default, the read-timeout of the upstream + is used. type: string send-timeout: + description: The timeout for transmitting a request to an + upstream server. By default, the send-timeout of the upstream + is used. type: string statusMatch: + description: 'The expected response status codes of a health + check. By default, the response should have status code + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See + the documentation of the match directive. This not supported + for gRPC type upstreams.' type: string tls: - description: UpstreamTLS defines a TLS configuration for - an Upstream. + description: The TLS configuration used for health check + requests. By default, the tls field of the upstream is + used. properties: enable: + description: 'Enables HTTPS for requests to upstream + servers. The default is False , meaning that HTTP + will be used. Note: by default, NGINX will not verify + the upstream server certificate. To enable the verification, + configure an EgressMTLS Policy.' type: boolean type: object type: object keepalive: + description: Configures the cache for connections to upstream + servers. The value 0 disables the cache. See the keepalive + directive. The default is set in the keepalive ConfigMap key. type: integer lb-method: + description: The load balancing method. To use the round-robin + method, specify round_robin. The default is specified in the + lb-method ConfigMap key. type: string max-conns: + description: 'The maximum number of simultaneous active connections + to an upstream server. See the max_conns parameter of the + server directive. By default there is no limit. Note: if keepalive + connections are enabled, the total number of active and idle + keepalive connections to an upstream server may exceed the + max_conns value.' type: integer max-fails: + description: The number of unsuccessful attempts to communicate + with an upstream server that should happen in the duration + set by the fail-timeout to consider the server unavailable. + See the max_fails parameter of the server directive. The default + is set in the max-fails ConfigMap key. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string next-upstream: + description: Specifies in which cases a request should be passed + to the next upstream server. See the proxy_next_upstream directive. + The default is error timeout. type: string next-upstream-timeout: + description: The time during which a request can be passed to + the next upstream server. See the proxy_next_upstream_timeout + directive. The 0 value turns off the time limit. The default + is 0. type: string next-upstream-tries: + description: The number of possible tries for passing a request + to the next upstream server. See the proxy_next_upstream_tries + directive. The 0 value turns off this limit. The default is + 0. type: integer ntlm: + description: 'Allows proxying requests with NTLM Authentication. + See the ntlm directive. In order for NTLM authentication to + work, it is necessary to enable keepalive connections to upstream + servers using the keepalive field. Note: this feature is supported + only in NGINX Plus.' type: boolean port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and return a 502 response for requests for this upstream. + The port must fall into the range 1..65535. type: integer queue: - description: UpstreamQueue defines Queue Configuration for an - Upstream. + description: 'Configures a queue for an upstream. A client request + will be placed into the queue if an upstream server cannot + be selected immediately while processing the request. By default, + no queue is configured. Note: this feature is supported only + in NGINX Plus.' properties: size: + description: The size of the queue. type: integer timeout: + description: The timeout of the queue. A request cannot + be queued for a period longer than the timeout. The default + is 60s. type: string type: object read-timeout: + description: The timeout for reading a response from an upstream + server. See the proxy_read_timeout directive. The default + is specified in the proxy-read-timeout ConfigMap key. type: string send-timeout: + description: The timeout for transmitting a request to an upstream + server. See the proxy_send_timeout directive. The default + is specified in the proxy-send-timeout ConfigMap key. type: string service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + return a 502 response for requests for this upstream. For + NGINX Plus only, services of type ExternalName are also supported + (check the prerequisites ). type: string sessionCookie: - description: SessionCookie defines the parameters for session - persistence. + description: The SessionCookie field configures session persistence + which allows requests from the same client to be passed to + the same upstream server. The information about the designated + upstream server is passed in a session cookie generated by + NGINX Plus. properties: domain: + description: The domain for which the cookie is set. type: string enable: + description: Enables session persistence with a session + cookie for an upstream server. The default is false. type: boolean expires: + description: The time for which a browser should keep the + cookie. Can be set to the special value max , which will + cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. type: string httpOnly: + description: Adds the HttpOnly attribute to the cookie. type: boolean name: + description: The name of the cookie. type: string path: + description: The path for which the cookie is set. type: string samesite: + description: 'Adds the SameSite attribute to the cookie. + The allowed values are: strict, lax, none' type: string secure: + description: Adds the Secure attribute to the cookie. type: boolean type: object slow-start: + description: 'The slow start allows an upstream server to gradually + recover its weight from 0 to its nominal value after it has + been recovered or became available or when the server becomes + available after a period of time it was considered unavailable. + By default, the slow start is disabled. See the slow_start + parameter of the server directive. Note: The parameter cannot + be used along with the random , hash or ip_hash load balancing + methods and will be ignored.' type: string subselector: additionalProperties: type: string + description: 'Selects the pods within the service using label + keys and values. By default, all pods of the service are selected. + Note: the specified labels are expected to be present in the + pods when they are created. If the pod labels are updated, + NGINX Ingress Controller will not see that change until the + number of the pods is changed.' type: object tls: - description: UpstreamTLS defines a TLS configuration for an - Upstream. + description: The TLS configuration for the Upstream. properties: enable: + description: 'Enables HTTPS for requests to upstream servers. + The default is False , meaning that HTTP will be used. + Note: by default, NGINX will not verify the upstream server + certificate. To enable the verification, configure an + EgressMTLS Policy.' type: boolean type: object type: + description: The type of the upstream. Supported values are + http and grpc. The default is http. For gRPC, it is necessary + to enable HTTP/2 in the ConfigMap and configure TLS termination + in the VirtualServer. type: string use-cluster-ip: + description: Enables using the Cluster IP and port of the service + instead of the default behavior of using the IP and port of + the pods. When this field is enabled, the fields that configure + NGINX behavior related to multiple upstream servers (like + lb-method and next-upstream) will have no effect, as NGINX + Ingress Controller will configure NGINX with only one upstream + server that will match the service Cluster IP. type: boolean type: object type: array @@ -701,6 +1232,8 @@ spec: resource. properties: externalEndpoints: + description: Defines the IPs, hostnames and ports used to connect + to this resource. items: description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. @@ -714,12 +1247,20 @@ spec: type: object type: array message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string referencedBy: + description: Defines how other resources reference this resource. type: string state: + description: 'Represents the current state of the resource. There + are three possible values: Valid, Invalid and Warning. Valid indicates + that the resource has been validated and accepted by the Ingress + Controller. Invalid means the resource failed validation or NGINX' type: string type: object type: object diff --git a/config/crd/bases/k8s.nginx.org_virtualservers.yaml b/config/crd/bases/k8s.nginx.org_virtualservers.yaml index 8cdf187d37..6523c869f9 100644 --- a/config/crd/bases/k8s.nginx.org_virtualservers.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualservers.yaml @@ -61,23 +61,29 @@ spec: metadata: type: object spec: - description: VirtualServerSpec is the spec of the VirtualServer resource. + description: Spec contains the VirtualServer specification. properties: dos: + description: A reference to a DosProtectedResource, setting this enables + DOS protection of the VirtualServer route. type: string externalDNS: - description: ExternalDNS defines externaldns sub-resource of a virtual - server. + description: The externalDNS configuration for a VirtualServer. properties: enable: + description: Enables ExternalDNS integration for a VirtualServer + resource. The default is false. type: boolean labels: additionalProperties: type: string - description: Labels stores labels defined for the Endpoint + description: Configure labels to be applied to the Endpoint resources + that will be consumed by ExternalDNS. type: object providerSpecific: - description: ProviderSpecific stores provider specific config + description: Configure provider specific properties which holds + the name and value of a configuration which is specific to individual + DNS providers. items: description: |- ProviderSpecificProperty defines specific property @@ -92,330 +98,538 @@ spec: type: object type: array recordTTL: - description: TTL for the record + description: TTL for the DNS record. This defaults to 0 if not + defined. See the ExternalDNS TTL documentation for provider-specific + defaults format: int64 type: integer recordType: + description: The record Type that should be created, e.g. “A”, + “AAAA”, “CNAME”. This is automatically computed based on the + external endpoints if not defined. type: string type: object gunzip: + description: Enables or disables decompression of gzipped responses + for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. + If the gunzip value is not set, it defaults to off. type: boolean host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. The host value needs to be unique + among all Ingress and VirtualServer resources. See also Handling + Host and Listener Collisions. type: string http-snippets: + description: Sets a custom snippet in the http context. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServerRoute + resource. Must be the same as the ingressClassName of the VirtualServer + that references this resource. type: string internalRoute: description: InternalRoute allows for the configuration of internal routing. type: boolean listener: - description: VirtualServerListener references a custom http and/or - https listener defined in GlobalConfiguration. + description: Sets a custom HTTP and/or HTTPS listener. Valid fields + are listener.http and listener.https. Each field must reference + the name of a valid listener defined in a GlobalConfiguration resource properties: http: + description: The name of am HTTP listener defined in a GlobalConfiguration + resource. type: string https: + description: The name of an HTTPS listener defined in a GlobalConfiguration + resource. type: string type: object policies: + description: A list of policies. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: "The name of a policy. If the policy doesn’t exist + or invalid, NGINX will respond with an error response with + the 500 status code.\tv" type: string namespace: + description: The namespace of a policy. If not specified, the + namespace of the VirtualServer resource is used. type: string type: object type: array routes: + description: A list of routes. items: description: Route defines a route. properties: action: - description: Action defines an action. + description: The default action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the ability + to modify the request/response (for example, rewrite the + URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the proxy_pass_request_header + directive for more information. Default is true. type: boolean set: + description: Allows redefining or appending fields + to present request headers passed to the proxied + upstream servers. See the proxy_set_header directive + for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the response - headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response to the + client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the header + regardless of the response status code**. + Default is false. See the add_header directive + for more information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be passed* + in the response to the client from a proxied upstream + server. See the proxy_hide_header directive for + more information. items: type: string type: array ignore: + description: Disables processing of certain headers** + to the client from a proxied upstream server. + See the proxy_ignore_headers directive for more + information. items: type: string type: array pass: + description: Allows passing the hidden header fields* + to the client from a proxied upstream server. + See the proxy_pass_header directive for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path is + a regular expression – starts with ~ – the rewritePath + can include capture groups with $1-9. For example + $1 for the first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which the requests + will be proxied to. The upstream with that name must + be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301 , 302 , 307 , 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. Supported + NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly brackets. + For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The allowed + values are: 2XX, 4XX or 5XX. The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object dos: + description: A reference to a DosProtectedResource, setting + this enables DOS protection of the VirtualServer route. type: string errorPages: + description: The custom responses for error codes. NGINX will + use those responses instead of returning the error responses + from the upstream servers or the default responses generated + by NGINX. A custom response can be a redirect or a canned + response. For example, a redirect to another URL if an upstream + server responded with a 404 status code. items: description: ErrorPage defines an ErrorPage in a Route. properties: codes: + description: A list of error status codes. items: type: integer type: array redirect: - description: ErrorPageRedirect defines a redirect for - an ErrorPage. + description: The canned response action for the given + status codes. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301 , 302 , 307 , 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. + Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ErrorPageReturn defines a return for an ErrorPage. + description: The redirect action for the given status + codes. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly + brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The + allowed values are: 2XX, 4XX or 5XX. The default + is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object type: array location-snippets: + description: Sets a custom snippet in the location context. + Overrides the location-snippets ConfigMap key. type: string matches: + description: The matching rules for advanced content-based routing. + Requires the default Action or Splits. Unmatched requests + will be handled by the default Action or Splits. items: description: Match defines a match. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the + proxy_pass_request_header directive for + more information. Default is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. See the + proxy_set_header directive for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. See + the add_header directive for more + information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. See the proxy_hide_header + directive for more information. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. See the proxy_ignore_headers directive + for more information. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. See the proxy_pass_header directive + for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301 , 302 , 307 , 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object conditions: + description: A list of conditions. Must include at least + 1 condition. items: description: Condition defines a condition in a MatchRule. properties: argument: + description: The name of an argument. Must consist + of alphanumeric characters or _. type: string cookie: + description: The name of a cookie. Must consist + of alphanumeric characters or _. type: string header: + description: The name of a header. Must consist + of alphanumeric characters or -. type: string value: + description: The value to match the condition against. + How to define a value is shown below the table. type: string variable: + description: The name of an NGINX variable. Must + start with $. See the list of the supported variables + below the table. type: string type: object type: array splits: + description: The splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. + The upstream with that name must be defined + in the resource. type: string proxy: - description: ActionProxy defines a proxy in - an Action. + description: Passes requests to an upstream + with the ability to modify the request/response + (for example, rewrite the URI or modify the + headers). properties: requestHeaders: - description: ProxyRequestHeaders defines - the request headers manipulation in an - ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request + headers to the proxied upstream server. + See the proxy_pass_request_header + directive for more information. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers + passed to the proxied upstream servers. + See the proxy_set_header directive + for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines - the response headers manipulation in an - ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always @@ -423,384 +637,789 @@ spec: NGINX directive. properties: always: + description: If set to true, add + the header regardless of the + response status code**. Default + is false. See the add_header + directive for more information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array hide: + description: The headers that will not + be passed* in the response to the + client from a proxied upstream server. + See the proxy_hide_header directive + for more information. items: type: string type: array ignore: + description: Disables processing of + certain headers** to the client from + a proxied upstream server. See the + proxy_ignore_headers directive for + more information. items: type: string type: array pass: + description: Allows passing the hidden + header fields* to the client from + a proxied upstream server. See the + proxy_pass_header directive for more + information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route + path is a regular expression – starts + with ~ – the rewritePath can include capture + groups with $1-9. For example $1 for the + first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which + the requests will be proxied to. The upstream + with that name must be defined in the + resource. type: string type: object redirect: - description: ActionRedirect defines a redirect - in an Action. + description: Redirects requests to a provided + URL. properties: code: + description: 'The status code of a redirect. + The allowed values are: 301 , 302 , 307 + , 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme + , $http_x_forwarded_proto , $request_uri + , $host. Variables must be enclosed in + curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in - an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. + Supports NGINX variables*. Variables must + be enclosed in curly brackets. For example: + Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. + The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. + The default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall + into the range 0..100. The sum of the weights + of all splits must be equal to 100. type: integer type: object type: array type: object type: array path: + description: 'The path of the route. NGINX will match it against + the URI of a request. Possible values are: a prefix ( / , + /path ), an exact match ( =/exact/match ), a case insensitive + regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive + regular expression ( ~^/foo.*\.jpg ). In the case of a prefix + (must start with / ) or an exact match (must start with = + ), the path must not include any whitespace characters, { + , } or ;. In the case of the regex matches, all double quotes + " must be escaped and the match can’t end in an unescaped + backslash \. The path must be unique among the paths of all + routes of the VirtualServer. Check the location directive + for more information.' type: string policies: + description: A list of policies. The policies override the policies + of the same type defined in the spec of the VirtualServer. + See Applying Policies for more details. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: "The name of a policy. If the policy doesn’t + exist or invalid, NGINX will respond with an error response + with the 500 status code.\tv" type: string namespace: + description: The namespace of a policy. If not specified, + the namespace of the VirtualServer resource is used. type: string type: object type: array route: + description: The name of a VirtualServerRoute resource that + defines this route. If the VirtualServerRoute belongs to a + different namespace than the VirtualServer, you need to include + the namespace. For example, tea-namespace/tea. type: string splits: + description: The default splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the + proxy_pass_request_header directive for + more information. Default is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. See the + proxy_set_header directive for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. See + the add_header directive for more + information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. See the proxy_hide_header + directive for more information. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. See the proxy_ignore_headers directive + for more information. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. See the proxy_pass_header directive + for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301 , 302 , 307 , 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall into the + range 0..100. The sum of the weights of all splits must + be equal to 100. type: integer type: object type: array type: object type: array server-snippets: + description: Sets a custom snippet in server context. Overrides the + server-snippets ConfigMap key. type: string tls: - description: TLS defines TLS configuration for a VirtualServer. + description: The TLS termination configuration. properties: cert-manager: - description: CertManager defines a cert manager config for a TLS. + description: The cert-manager configuration of the TLS for a VirtualServer. properties: cluster-issuer: + description: the name of a ClusterIssuer. A ClusterIssuer + is a cert-manager resource which describes the certificate + authority capable of signing certificates. It does not matter + which namespace your VirtualServer resides, as ClusterIssuers + are non-namespaced resources. Please note that one of issuer + and cluster-issuer are required, but they are mutually exclusive + - one and only one must be defined. type: string common-name: + description: This field allows you to configure spec.commonName + for the Certificate to be generated. This configuration + adds a CN to the x509 certificate. type: string duration: + description: This field allows you to configure spec.duration + field for the Certificate to be generated. Must be specified + using a Go time.Duration string format, which does not allow + the d (days) suffix. You must specify these values using + s, m, and h suffixes instead. type: string issue-temp-cert: + description: When true, ask cert-manager for a temporary self-signed + certificate pending the issuance of the Certificate. This + allows HTTPS-only servers to use ACME HTTP01 challenges + when the TLS secret does not exist yet. type: boolean issuer: + description: the name of an Issuer. An Issuer is a cert-manager + resource which describes the certificate authority capable + of signing certificates. The Issuer must be in the same + namespace as the VirtualServer resource. Please note that + one of issuer and cluster-issuer are required, but they + are mutually exclusive - one and only one must be defined. type: string issuer-group: + description: The API group of the external issuer controller, + for example awspca.cert-manager.io. This is only necessary + for out-of-tree issuers. This cannot be defined if cluster-issuer + is also defined. type: string issuer-kind: + description: The kind of the external issuer resource, for + example AWSPCAIssuer. This is only necessary for out-of-tree + issuers. This cannot be defined if cluster-issuer is also + defined. type: string renew-before: + description: this annotation allows you to configure spec.renewBefore + field for the Certificate to be generated. Must be specified + using a Go time.Duration string format, which does not allow + the d (days) suffix. You must specify these values using + s, m, and h suffixes instead. type: string usages: + description: This field allows you to configure spec.usages + field for the Certificate to be generated. Pass a string + with comma-separated values i.e. key agreement,digital signature, + server auth. An exhaustive list of supported key usages + can be found in the the cert-manager api documentation. type: string type: object redirect: - description: TLSRedirect defines a redirect for a TLS. + description: The redirect configuration of the TLS for a VirtualServer. properties: basedOn: + description: The attribute of a request that NGINX will evaluate + to send a redirect. The allowed values are scheme (the scheme + of the request) or x-forwarded-proto (the X-Forwarded-Proto + header of the request). The default is scheme. type: string code: + description: 'The status code of a redirect. The allowed values + are: 301 , 302 , 307 , 308. The default is 301.' type: integer enable: + description: Enables a TLS redirect for a VirtualServer. The + default is False. type: boolean type: object secret: + description: The name of a secret with a TLS certificate and key. + The secret must belong to the same namespace as the VirtualServer. + The secret must be of the type kubernetes.io/tls and contain + keys named tls.crt and tls.key that contain the certificate + and private key as described here. If the secret doesn’t exist + or is invalid, NGINX will break any attempt to establish a TLS + connection to the host of the VirtualServer. If the secret is + not specified but wildcard TLS secret is configured, NGINX will + use the wildcard secret for TLS termination. type: string type: object upstreams: + description: A list of upstreams. items: description: Upstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random , + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer buffer-size: + description: Sets the size of the buffer used for reading the + first part of a response received from the upstream server. + See the proxy_buffer_size directive. The default is set in + the proxy-buffer-size ConfigMap key. type: string buffering: + description: Enables buffering of responses from the upstream + server. See the proxy_buffering directive. The default is + set in the proxy-buffering ConfigMap key. type: boolean buffers: - description: UpstreamBuffers defines Buffer Configuration for - an Upstream. + description: Configures the buffers used for reading a response + from the upstream server for a single connection. properties: number: + description: Configures the number of buffers. The default + is set in the proxy-buffers ConfigMap key. type: integer size: + description: Configures the size of a buffer. The default + is set in the proxy-buffers ConfigMap key. type: string type: object client-max-body-size: + description: Sets the maximum allowed size of the client request + body. See the client_max_body_size directive. The default + is set in the client-max-body-size ConfigMap key. type: string connect-timeout: + description: The timeout for establishing a connection with + an upstream server. See the proxy_connect_timeout directive. + The default is specified in the proxy-connect-timeout ConfigMap + key. type: string fail-timeout: + description: The time during which the specified number of unsuccessful + attempts to communicate with an upstream server should happen + to consider the server unavailable. See the fail_timeout parameter + of the server directive. The default is set in the fail-timeout + ConfigMap key. type: string healthCheck: - description: HealthCheck defines the parameters for active Upstream - HealthChecks. + description: 'The health check configuration for the Upstream. + See the health_check directive. Note: this feature is supported + only in NGINX Plus.' properties: connect-timeout: + description: The timeout for establishing a connection with + an upstream server. By default, the connect-timeout of + the upstream is used. type: string enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer grpcService: + description: The gRPC service to be monitored on the upstream + server. Only valid on gRPC type upstreams. type: string grpcStatus: + description: The expected gRPC status code of the upstream + server response to the Check method. Configure this field + only if your gRPC services do not implement the gRPC health + checking protocol. For example, configure 12 if the upstream + server responds with 12 (UNIMPLEMENTED) status code. Only + valid on gRPC type upstreams. type: integer headers: + description: The request headers used for health check requests. + NGINX Plus always sets the Host, User-Agent and Connection + headers for health check requests. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string keepalive-time: + description: Enables keepalive connections for health checks + and specifies the time during which requests can be processed + through one keepalive connection. The default is 60s. type: string mandatory: + description: Require every newly added server to pass all + configured health checks before NGINX Plus sends traffic + to it. If this is not specified, or is set to false, the + server will be initially considered healthy. When combined + with slow-start, it gives a new server more time to connect + to databases and “warm up” before being asked to handle + their full share of traffic. type: boolean passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer path: + description: The path used for health check requests. The + default is /. This is not configurable for gRPC type upstreams. type: string persistent: + description: Set the initial “up” state for a server after + reload if the server was considered healthy before reload. + Enabling persistent requires that the mandatory parameter + is also set to true. type: boolean port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer read-timeout: + description: The timeout for reading a response from an + upstream server. By default, the read-timeout of the upstream + is used. type: string send-timeout: + description: The timeout for transmitting a request to an + upstream server. By default, the send-timeout of the upstream + is used. type: string statusMatch: + description: 'The expected response status codes of a health + check. By default, the response should have status code + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See + the documentation of the match directive. This not supported + for gRPC type upstreams.' type: string tls: - description: UpstreamTLS defines a TLS configuration for - an Upstream. + description: The TLS configuration used for health check + requests. By default, the tls field of the upstream is + used. properties: enable: + description: 'Enables HTTPS for requests to upstream + servers. The default is False , meaning that HTTP + will be used. Note: by default, NGINX will not verify + the upstream server certificate. To enable the verification, + configure an EgressMTLS Policy.' type: boolean type: object type: object keepalive: + description: Configures the cache for connections to upstream + servers. The value 0 disables the cache. See the keepalive + directive. The default is set in the keepalive ConfigMap key. type: integer lb-method: + description: The load balancing method. To use the round-robin + method, specify round_robin. The default is specified in the + lb-method ConfigMap key. type: string max-conns: + description: 'The maximum number of simultaneous active connections + to an upstream server. See the max_conns parameter of the + server directive. By default there is no limit. Note: if keepalive + connections are enabled, the total number of active and idle + keepalive connections to an upstream server may exceed the + max_conns value.' type: integer max-fails: + description: The number of unsuccessful attempts to communicate + with an upstream server that should happen in the duration + set by the fail-timeout to consider the server unavailable. + See the max_fails parameter of the server directive. The default + is set in the max-fails ConfigMap key. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string next-upstream: + description: Specifies in which cases a request should be passed + to the next upstream server. See the proxy_next_upstream directive. + The default is error timeout. type: string next-upstream-timeout: + description: The time during which a request can be passed to + the next upstream server. See the proxy_next_upstream_timeout + directive. The 0 value turns off the time limit. The default + is 0. type: string next-upstream-tries: + description: The number of possible tries for passing a request + to the next upstream server. See the proxy_next_upstream_tries + directive. The 0 value turns off this limit. The default is + 0. type: integer ntlm: + description: 'Allows proxying requests with NTLM Authentication. + See the ntlm directive. In order for NTLM authentication to + work, it is necessary to enable keepalive connections to upstream + servers using the keepalive field. Note: this feature is supported + only in NGINX Plus.' type: boolean port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and return a 502 response for requests for this upstream. + The port must fall into the range 1..65535. type: integer queue: - description: UpstreamQueue defines Queue Configuration for an - Upstream. + description: 'Configures a queue for an upstream. A client request + will be placed into the queue if an upstream server cannot + be selected immediately while processing the request. By default, + no queue is configured. Note: this feature is supported only + in NGINX Plus.' properties: size: + description: The size of the queue. type: integer timeout: + description: The timeout of the queue. A request cannot + be queued for a period longer than the timeout. The default + is 60s. type: string type: object read-timeout: + description: The timeout for reading a response from an upstream + server. See the proxy_read_timeout directive. The default + is specified in the proxy-read-timeout ConfigMap key. type: string send-timeout: + description: The timeout for transmitting a request to an upstream + server. See the proxy_send_timeout directive. The default + is specified in the proxy-send-timeout ConfigMap key. type: string service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + return a 502 response for requests for this upstream. For + NGINX Plus only, services of type ExternalName are also supported + (check the prerequisites ). type: string sessionCookie: - description: SessionCookie defines the parameters for session - persistence. + description: The SessionCookie field configures session persistence + which allows requests from the same client to be passed to + the same upstream server. The information about the designated + upstream server is passed in a session cookie generated by + NGINX Plus. properties: domain: + description: The domain for which the cookie is set. type: string enable: + description: Enables session persistence with a session + cookie for an upstream server. The default is false. type: boolean expires: + description: The time for which a browser should keep the + cookie. Can be set to the special value max , which will + cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. type: string httpOnly: + description: Adds the HttpOnly attribute to the cookie. type: boolean name: + description: The name of the cookie. type: string path: + description: The path for which the cookie is set. type: string samesite: + description: 'Adds the SameSite attribute to the cookie. + The allowed values are: strict, lax, none' type: string secure: + description: Adds the Secure attribute to the cookie. type: boolean type: object slow-start: + description: 'The slow start allows an upstream server to gradually + recover its weight from 0 to its nominal value after it has + been recovered or became available or when the server becomes + available after a period of time it was considered unavailable. + By default, the slow start is disabled. See the slow_start + parameter of the server directive. Note: The parameter cannot + be used along with the random , hash or ip_hash load balancing + methods and will be ignored.' type: string subselector: additionalProperties: type: string + description: 'Selects the pods within the service using label + keys and values. By default, all pods of the service are selected. + Note: the specified labels are expected to be present in the + pods when they are created. If the pod labels are updated, + NGINX Ingress Controller will not see that change until the + number of the pods is changed.' type: object tls: - description: UpstreamTLS defines a TLS configuration for an - Upstream. + description: The TLS configuration for the Upstream. properties: enable: + description: 'Enables HTTPS for requests to upstream servers. + The default is False , meaning that HTTP will be used. + Note: by default, NGINX will not verify the upstream server + certificate. To enable the verification, configure an + EgressMTLS Policy.' type: boolean type: object type: + description: The type of the upstream. Supported values are + http and grpc. The default is http. For gRPC, it is necessary + to enable HTTP/2 in the ConfigMap and configure TLS termination + in the VirtualServer. type: string use-cluster-ip: + description: Enables using the Cluster IP and port of the service + instead of the default behavior of using the IP and port of + the pods. When this field is enabled, the fields that configure + NGINX behavior related to multiple upstream servers (like + lb-method and next-upstream) will have no effect, as NGINX + Ingress Controller will configure NGINX with only one upstream + server that will match the service Cluster IP. type: boolean type: object type: array type: object status: - description: VirtualServerStatus defines the status for the VirtualServer - resource. + description: Status contains the current status of the VirtualServer. properties: externalEndpoints: items: diff --git a/deploy/crds.yaml b/deploy/crds.yaml index 01246997d7..fca6956df6 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -135,24 +135,37 @@ spec: metadata: type: object spec: - description: GlobalConfigurationSpec is the spec of the GlobalConfiguration - resource. + description: spec field of the GlobalConfiguration resource properties: listeners: + description: Listeners field of the GlobalConfigurationSpec resource items: description: Listener defines a listener. properties: ipv4: + description: ipv4 and ipv6 addresses that NGINX will listen + on. Defaults to listening on all available IPv4 and IPv6 addresses. type: string ipv6: + description: ipv6 addresses that NGINX will listen on. type: string name: + description: The name of the listener. The name must be unique + across all listeners. type: string + passSNI: + description: Custom SNI processing for listener. Allows listener + to be used as a passthrough for SNI processing + type: boolean port: + description: The port on which the listener will accept connections. type: integer protocol: + description: The protocol of the listener. For example, HTTP. type: string ssl: + description: Whether the listener will be listening for SSL + connections type: boolean type: object type: array @@ -211,14 +224,10 @@ spec: metadata: type: object spec: - description: |- - PolicySpec is the spec of the Policy resource. - The spec includes multiple fields, where each field represents a different policy. - Only one policy (field) is allowed. + description: spec field of the Policy resource properties: accessControl: - description: AccessControl defines an access policy based on the source - IP of a request. + description: The access control policy based on the client IP address. properties: allow: items: @@ -230,122 +239,235 @@ spec: type: array type: object apiKey: - description: APIKey defines an API Key policy. + description: The API Key policy configures NGINX to authorize requests + which provide a valid API Key in a specified header or query param. properties: clientSecret: + description: The key to which the API key is applied. Can contain + text, variables, or a combination of them. Accepted variables + are $http_, $arg_, $cookie_. type: string suppliedIn: - description: SuppliedIn defines the locations API Key should be - supplied in. + description: The location of the API Key. For example, $http_auth, + $arg_apikey, $cookie_auth. Accepted variables are $http_, $arg_, + $cookie_. properties: header: + description: The location of the API Key as a request header. + For example, $http_auth. Accepted variables are $http_. items: type: string type: array query: + description: The location of the API Key as a query param. + For example, $arg_apikey. Accepted variables are $arg_. items: type: string type: array type: object type: object basicAuth: - description: BasicAuth holds HTTP Basic authentication configuration + description: The basic auth policy configures NGINX to authenticate + client requests using HTTP Basic authentication credentials. properties: realm: + description: The realm for the basic authentication. type: string secret: + description: The name of the Kubernetes secret that stores the + Htpasswd configuration. It must be in the same namespace as + the Policy resource. The secret must be of the type nginx.org/htpasswd, + and the config must be stored in the secret under the key htpasswd, + otherwise the secret will be rejected as invalid. type: string type: object egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. + description: The EgressMTLS policy configures upstreams authentication + and certificate verification. properties: ciphers: + description: Specifies the enabled ciphers for requests to an + upstream HTTPS server. The default is DEFAULT. type: string protocols: + description: Specifies the protocols for requests to an upstream + HTTPS server. The default is TLSv1 TLSv1.1 TLSv1.2. type: string serverName: + description: Enables passing of the server name through Server + Name Indication extension. type: boolean sessionReuse: + description: Enables reuse of SSL sessions to the upstreams. The + default is true. type: boolean sslName: + description: Allows overriding the server name used to verify + the certificate of the upstream HTTPS server. type: string tlsSecret: + description: The name of the Kubernetes secret that stores the + TLS certificate and key. It must be in the same namespace as + the Policy resource. The secret must be of the type kubernetes.io/tls, + the certificate must be stored in the secret under the key tls.crt, + and the key must be stored under the key tls.key, otherwise + the secret will be rejected as invalid. type: string trustedCertSecret: + description: The name of the Kubernetes secret that stores the + CA certificate. It must be in the same namespace as the Policy + resource. The secret must be of the type nginx.org/ca, and the + certificate must be stored in the secret under the key ca.crt, + otherwise the secret will be rejected as invalid. type: string verifyDepth: + description: Sets the verification depth in the proxied HTTPS + server certificates chain. The default is 1. type: integer verifyServer: + description: Enables verification of the upstream HTTPS server + certificate. type: boolean type: object ingressClassName: + description: Specifies which instance of NGINX Ingress Controller + must handle the Policy resource. type: string ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. + description: The IngressMTLS policy configures client certificate + verification. properties: clientCertSecret: + description: The name of the Kubernetes secret that stores the + CA certificate. It must be in the same namespace as the Policy + resource. The secret must be of the type nginx.org/ca, and the + certificate must be stored in the secret under the key ca.crt, + otherwise the secret will be rejected as invalid. type: string crlFileName: + description: The file name of the Certificate Revocation List. + NGINX Ingress Controller will look for this file in /etc/nginx/secrets type: string verifyClient: + description: Verification for the client. Possible values are + "on", "off", "optional", "optional_no_ca". The default is "on". type: string verifyDepth: + description: Sets the verification depth in the client certificates + chain. The default is 1. type: integer type: object jwt: - description: JWTAuth holds JWT authentication configuration. + description: The JWT policy configures NGINX Plus to authenticate + client requests using JSON Web Tokens. properties: jwksURI: + description: The remote URI where the request will be sent to + retrieve JSON Web Key set type: string keyCache: + description: Enables in-memory caching of JWKS (JSON Web Key Sets) + that are obtained from the jwksURI and sets a valid time for + expiration. type: string realm: + description: The realm of the JWT. type: string secret: + description: The name of the Kubernetes secret that stores the + Htpasswd configuration. It must be in the same namespace as + the Policy resource. The secret must be of the type nginx.org/htpasswd, + and the config must be stored in the secret under the key htpasswd, + otherwise the secret will be rejected as invalid. type: string token: + description: 'The token specifies a variable that contains the + JSON Web Token. By default the JWT is passed in the Authorization + header as a Bearer Token. JWT may be also passed as a cookie + or a part of a query string, for example: $cookie_auth_token. + Accepted variables are $http_, $arg_, $cookie_.' type: string type: object oidc: - description: OIDC defines an Open ID Connect policy. + description: The OpenID Connect policy configures NGINX to authenticate + client requests by validating a JWT token against an OAuth2/OIDC + token provider, such as Auth0 or Keycloak. properties: accessTokenEnable: + description: Option of whether Bearer token is used to authorize + NGINX to access protected backend. type: boolean authEndpoint: + description: URL for the authorization endpoint provided by your + OpenID Connect provider. type: string authExtraArgs: + description: A list of extra URL arguments to pass to the authorization + endpoint provided by your OpenID Connect provider. Arguments + must be URL encoded, multiple arguments may be included in the + list, for example [ arg1=value1, arg2=value2 ] items: type: string type: array clientID: + description: The client ID provided by your OpenID Connect provider. type: string clientSecret: + description: The name of the Kubernetes secret that stores the + client secret provided by your OpenID Connect provider. It must + be in the same namespace as the Policy resource. The secret + must be of the type nginx.org/oidc, and the secret under the + key client-secret, otherwise the secret will be rejected as + invalid. If PKCE is enabled, this should be not configured. type: string endSessionEndpoint: + description: URL provided by your OpenID Connect provider to request + the end user be logged out. type: string jwksURI: + description: URL for the JSON Web Key Set (JWK) document provided + by your OpenID Connect provider. type: string pkceEnable: + description: Switches Proof Key for Code Exchange on. The OpenID + client needs to be in public mode. clientSecret is not used + in this mode. type: boolean postLogoutRedirectURI: + description: URI to redirect to after the logout has been performed. + Requires endSessionEndpoint. The default is /_logout. type: string redirectURI: + description: Allows overriding the default redirect URI. The default + is /_codexch. type: string scope: + description: List of OpenID Connect scopes. The scope openid always + needs to be present and others can be added concatenating them + with a + sign, for example openid+profile+email, openid+email+userDefinedScope. + The default is openid. type: string tokenEndpoint: + description: URL for the token endpoint provided by your OpenID + Connect provider. type: string zoneSyncLeeway: + description: Specifies the maximum timeout in milliseconds for + synchronizing ID/access tokens and shared values between Ingress + Controller pods. The default is 200. type: integer type: object rateLimit: - description: RateLimit defines a rate limit policy. + description: The rate limit policy controls the rate of processing + requests per a defined key. properties: burst: + description: Excessive requests are delayed until their number + exceeds the burst size, in which case the request is terminated + with an error. type: integer condition: - description: RateLimitCondition defines a condition for a rate - limit policy. + description: Add a condition to a rate-limit policy. properties: default: description: sets the rate limit in this policy to be the @@ -390,43 +512,89 @@ spec: type: array type: object delay: + description: The delay parameter specifies a limit at which excessive + requests become delayed. If not set all excessive requests are + delayed. type: integer dryRun: + description: Enables the dry run mode. In this mode, the rate + limit is not actually applied, but the number of excessive requests + is accounted as usual in the shared memory zone. type: boolean key: + description: |- + The key to which the rate limit is applied. Can contain text, variables, or a combination of them. + Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are + $binary_remote_addr,$request_uri,$request_method,$url,$http_, $args,$arg_,$cookie_,$jwt_claim_. type: string logLevel: + description: Sets the desired logging level for cases when the + server refuses to process requests due to rate exceeding, or + delays request processing. Allowed values are info, notice, + warn or error. Default is error. type: string noDelay: + description: Disables the delaying of excessive requests while + requests are being limited. Overrides delay if both are set. type: boolean rate: + description: The rate of requests permitted. The rate is specified + in requests per second (r/s) or requests per minute (r/m). type: string rejectCode: + description: Sets the status code to return in response to rejected + requests. Must fall into the range 400..599. Default is 503. type: integer scale: + description: Enables a constant rate-limit by dividing the configured + rate by the number of nginx-ingress pods currently serving traffic. + This adjustment ensures that the rate-limit remains consistent, + even as the number of nginx-pods fluctuates due to autoscaling. + This will not work properly if requests from a client are not + evenly distributed across all ingress pods (Such as with sticky + sessions, long lived TCP Connections with many requests, and + so forth). In such cases using zone-sync instead would give + better results. Enabling zone-sync will suppress this setting. type: boolean zoneSize: + description: Size of the shared memory zone. Only positive values + are allowed. Allowed suffixes are k or m, if none are present + k is assumed. type: string type: object waf: - description: WAF defines an WAF policy. + description: The WAF policy configures WAF and log configuration policies + for NGINX AppProtect properties: apBundle: + description: The App Protect WAF policy bundle. Mutually exclusive + with apPolicy. type: string apPolicy: + description: The App Protect WAF policy of the WAF. Accepts an + optional namespace. Mutually exclusive with apBundle. type: string enable: + description: Enables NGINX App Protect WAF. type: boolean securityLog: description: SecurityLog defines the security log of a WAF policy. properties: apLogBundle: + description: The App Protect WAF log bundle resource. Only + works with apBundle. type: string apLogConf: + description: The App Protect WAF log conf resource. Accepts + an optional namespace. Only works with apPolicy. type: string enable: + description: Enables security log. type: boolean logDest: + description: The log destination for the security log. Only + accepted variables are syslog:server=:, stderr, . type: string type: object securityLogs: @@ -434,25 +602,40 @@ spec: description: SecurityLog defines the security log of a WAF policy. properties: apLogBundle: + description: The App Protect WAF log bundle resource. Only + works with apBundle. type: string apLogConf: + description: The App Protect WAF log conf resource. Accepts + an optional namespace. Only works with apPolicy. type: string enable: + description: Enables security log. type: boolean logDest: + description: The log destination for the security log. Only + accepted variables are syslog:server=:, stderr, . type: string type: object type: array type: object type: object status: - description: PolicyStatus is the status of the policy resource + description: status field of the Policy resource properties: message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string state: + description: 'Represents the current state of the resource. There + are three possible values: Valid, Invalid and Warning. Valid indicates + that the resource has been validated and accepted by the Ingress + Controller. Invalid means the resource failed validation or' type: string type: object type: object @@ -513,121 +696,232 @@ spec: metadata: type: object spec: - description: TransportServerSpec is the spec of the TransportServer resource. + description: spec field of the TransportServer resource properties: action: - description: TransportServerAction defines an action. + description: The action to perform for a request. properties: pass: + description: Passes connections/datagrams to an upstream. The + upstream with that name must be defined in the resource. type: string type: object host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. The host value needs to be unique + among all Ingress and VirtualServer resources. See also Handling + Host and Listener Collisions. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServer + resource. type: string listener: - description: TransportServerListener defines a listener for a TransportServer. + description: Sets a custom HTTP and/or HTTPS listener. Valid fields + are listener.http and listener.https. Each field must reference + the name of a valid listener defined in a GlobalConfiguration resource properties: name: + description: The name of a listener defined in a GlobalConfiguration + resource. type: string protocol: + description: The protocol of the listener. type: string type: object serverSnippets: + description: Sets a custom snippet in server context. Overrides the + server-snippets ConfigMap key. type: string sessionParameters: - description: SessionParameters defines session parameters. + description: The parameters of the session to be used for the Server + context properties: timeout: + description: The timeout between two successive read or write + operations on client or proxied server connections. See proxy_timeout + directive. The default is 10m. type: string type: object streamSnippets: + description: Sets a custom snippet in the stream context. Overrides + the stream-snippets ConfigMap key. type: string tls: - description: TransportServerTLS defines TransportServerTLS configuration - for a TransportServer. + description: The TLS termination configuration. properties: secret: type: string type: object upstreamParameters: - description: UpstreamParameters defines parameters for an upstream. + description: The UpstreamParameters are set on stream context properties: connectTimeout: + description: The timeout for establishing a connection with a + proxied server. See the proxy_connect_timeout directive. The + default is 60s. type: string nextUpstream: + description: If a connection to the proxied server cannot be established, + determines whether a client connection will be passed to the + next server. See the proxy_next_upstream directive. The default + is true. type: boolean nextUpstreamTimeout: + description: The time allowed to pass a connection to the next + server. See the proxy_next_upstream_timeout directive. The default + us 0. type: string nextUpstreamTries: + description: The number of tries for passing a connection to the + next server. See the proxy_next_upstream_tries directive. The + default is 0. type: integer udpRequests: + description: The number of datagrams, after receiving which, the + next datagram from the same client starts a new session. See + the proxy_requests directive. The default is 0. type: integer udpResponses: + description: The number of datagrams expected from the proxied + server in response to a client datagram. See the proxy_responses + directive. By default, the number of datagrams is not limited. type: integer type: object upstreams: + description: A list of upstreams. items: description: TransportServerUpstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random , + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer failTimeout: + description: Sets the number of unsuccessful attempts to communicate + with the server that should happen in the duration set by + the failTimeout parameter to consider the server unavailable. + The default 1. type: string healthCheck: - description: TransportServerHealthCheck defines the parameters - for active Upstream HealthChecks. + description: 'The health check configuration for the Upstream. + See the health_check directive. Note: this feature is supported + only in NGINX Plus.' properties: enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string match: - description: TransportServerMatch defines the parameters - of a custom health check. + description: Controls the data to send and the response + to expect for the healthcheck. properties: expect: + description: A literal string or a regular expression + that the data obtained from the server should match. + The regular expression is specified with the preceding + ~* modifier (for case-insensitive matching), or the + ~ modifier (for case-sensitive matching). NGINX Ingress + Controller validates a regular expression using the + RE2 syntax. type: string send: + description: A string to send to an upstream server. type: string type: object passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer timeout: + description: This overrides the timeout set by proxy_timeout + which is set in SessionParameters for health checks. The + default value is 5s. type: string type: object loadBalancingMethod: + description: The method used to load balance the upstream servers. + By default, connections are distributed between the servers + using a weighted round-robin balancing method. See the upstream + section for available methods and their details. type: string maxConns: + description: Sets the time during which the specified number + of unsuccessful attempts to communicate with the server should + happen to consider the server unavailable and the period of + time the server will be considered unavailable. The default + is 10s. type: integer maxFails: + description: Sets the number of maximum connections to the proxied + server. Default value is zero, meaning there is no limit. + The default is 0. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and close client connections/ignore datagrams. The port must + fall into the range 1..65535. type: integer service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + close client connections/ignore datagrams. type: string type: object type: array type: object status: - description: TransportServerStatus defines the status for the TransportServer - resource. + description: status field of the TransportServer resource properties: message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string state: + description: 'Represents the current state of the resource. There + are three possible values: Valid, Invalid and Warning. Valid indicates + that the resource has been validated and accepted by the Ingress + Controller. Invalid means the resource failed validation or' type: string type: object type: object @@ -702,295 +996,482 @@ spec: resource. properties: host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. Must be the same as the host of the + VirtualServer that references this resource. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServerRoute + resource. Must be the same as the ingressClassName of the VirtualServer + that references this resource. type: string subroutes: + description: A list of subroutes. items: description: Route defines a route. properties: action: - description: Action defines an action. + description: The default action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the ability + to modify the request/response (for example, rewrite the + URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the proxy_pass_request_header + directive for more information. Default is true. type: boolean set: + description: Allows redefining or appending fields + to present request headers passed to the proxied + upstream servers. See the proxy_set_header directive + for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the response - headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response to the + client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the header + regardless of the response status code**. + Default is false. See the add_header directive + for more information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be passed* + in the response to the client from a proxied upstream + server. See the proxy_hide_header directive for + more information. items: type: string type: array ignore: + description: Disables processing of certain headers** + to the client from a proxied upstream server. + See the proxy_ignore_headers directive for more + information. items: type: string type: array pass: + description: Allows passing the hidden header fields* + to the client from a proxied upstream server. + See the proxy_pass_header directive for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path is + a regular expression – starts with ~ – the rewritePath + can include capture groups with $1-9. For example + $1 for the first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which the requests + will be proxied to. The upstream with that name must + be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301 , 302 , 307 , 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. Supported + NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly brackets. + For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The allowed + values are: 2XX, 4XX or 5XX. The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object dos: + description: A reference to a DosProtectedResource, setting + this enables DOS protection of the VirtualServer route. type: string errorPages: + description: The custom responses for error codes. NGINX will + use those responses instead of returning the error responses + from the upstream servers or the default responses generated + by NGINX. A custom response can be a redirect or a canned + response. For example, a redirect to another URL if an upstream + server responded with a 404 status code. items: description: ErrorPage defines an ErrorPage in a Route. properties: codes: + description: A list of error status codes. items: type: integer type: array redirect: - description: ErrorPageRedirect defines a redirect for - an ErrorPage. + description: The canned response action for the given + status codes. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301 , 302 , 307 , 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. + Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ErrorPageReturn defines a return for an ErrorPage. + description: The redirect action for the given status + codes. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly + brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The + allowed values are: 2XX, 4XX or 5XX. The default + is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object type: array location-snippets: + description: Sets a custom snippet in the location context. + Overrides the location-snippets ConfigMap key. type: string matches: + description: The matching rules for advanced content-based routing. + Requires the default Action or Splits. Unmatched requests + will be handled by the default Action or Splits. items: description: Match defines a match. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the + proxy_pass_request_header directive for + more information. Default is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. See the + proxy_set_header directive for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. See + the add_header directive for more + information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. See the proxy_hide_header + directive for more information. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. See the proxy_ignore_headers directive + for more information. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. See the proxy_pass_header directive + for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301 , 302 , 307 , 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object conditions: + description: A list of conditions. Must include at least + 1 condition. items: description: Condition defines a condition in a MatchRule. properties: argument: + description: The name of an argument. Must consist + of alphanumeric characters or _. type: string cookie: + description: The name of a cookie. Must consist + of alphanumeric characters or _. type: string header: + description: The name of a header. Must consist + of alphanumeric characters or -. type: string value: + description: The value to match the condition against. + How to define a value is shown below the table. type: string variable: + description: The name of an NGINX variable. Must + start with $. See the list of the supported variables + below the table. type: string type: object type: array splits: + description: The splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. + The upstream with that name must be defined + in the resource. type: string proxy: - description: ActionProxy defines a proxy in - an Action. + description: Passes requests to an upstream + with the ability to modify the request/response + (for example, rewrite the URI or modify the + headers). properties: requestHeaders: - description: ProxyRequestHeaders defines - the request headers manipulation in an - ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request + headers to the proxied upstream server. + See the proxy_pass_request_header + directive for more information. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers + passed to the proxied upstream servers. + See the proxy_set_header directive + for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines - the response headers manipulation in an - ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always @@ -998,337 +1479,681 @@ spec: NGINX directive. properties: always: + description: If set to true, add + the header regardless of the + response status code**. Default + is false. See the add_header + directive for more information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array hide: + description: The headers that will not + be passed* in the response to the + client from a proxied upstream server. + See the proxy_hide_header directive + for more information. items: type: string type: array ignore: + description: Disables processing of + certain headers** to the client from + a proxied upstream server. See the + proxy_ignore_headers directive for + more information. items: type: string type: array pass: + description: Allows passing the hidden + header fields* to the client from + a proxied upstream server. See the + proxy_pass_header directive for more + information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route + path is a regular expression – starts + with ~ – the rewritePath can include capture + groups with $1-9. For example $1 for the + first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which + the requests will be proxied to. The upstream + with that name must be defined in the + resource. type: string type: object redirect: - description: ActionRedirect defines a redirect - in an Action. + description: Redirects requests to a provided + URL. properties: code: + description: 'The status code of a redirect. + The allowed values are: 301 , 302 , 307 + , 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme + , $http_x_forwarded_proto , $request_uri + , $host. Variables must be enclosed in + curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in - an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. + Supports NGINX variables*. Variables must + be enclosed in curly brackets. For example: + Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. + The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. + The default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall + into the range 0..100. The sum of the weights + of all splits must be equal to 100. type: integer type: object type: array type: object type: array path: + description: 'The path of the route. NGINX will match it against + the URI of a request. Possible values are: a prefix ( / , + /path ), an exact match ( =/exact/match ), a case insensitive + regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive + regular expression ( ~^/foo.*\.jpg ). In the case of a prefix + (must start with / ) or an exact match (must start with = + ), the path must not include any whitespace characters, { + , } or ;. In the case of the regex matches, all double quotes + " must be escaped and the match can’t end in an unescaped + backslash \. The path must be unique among the paths of all + routes of the VirtualServer. Check the location directive + for more information.' type: string policies: + description: A list of policies. The policies override the policies + of the same type defined in the spec of the VirtualServer. + See Applying Policies for more details. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: "The name of a policy. If the policy doesn’t + exist or invalid, NGINX will respond with an error response + with the 500 status code.\tv" type: string namespace: + description: The namespace of a policy. If not specified, + the namespace of the VirtualServer resource is used. type: string type: object type: array route: + description: The name of a VirtualServerRoute resource that + defines this route. If the VirtualServerRoute belongs to a + different namespace than the VirtualServer, you need to include + the namespace. For example, tea-namespace/tea. type: string splits: + description: The default splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the + proxy_pass_request_header directive for + more information. Default is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. See the + proxy_set_header directive for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. See + the add_header directive for more + information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. See the proxy_hide_header + directive for more information. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. See the proxy_ignore_headers directive + for more information. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. See the proxy_pass_header directive + for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301 , 302 , 307 , 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall into the + range 0..100. The sum of the weights of all splits must + be equal to 100. type: integer type: object type: array type: object type: array upstreams: + description: A list of upstreams. items: description: Upstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random , + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer buffer-size: + description: Sets the size of the buffer used for reading the + first part of a response received from the upstream server. + See the proxy_buffer_size directive. The default is set in + the proxy-buffer-size ConfigMap key. type: string buffering: + description: Enables buffering of responses from the upstream + server. See the proxy_buffering directive. The default is + set in the proxy-buffering ConfigMap key. type: boolean buffers: - description: UpstreamBuffers defines Buffer Configuration for - an Upstream. + description: Configures the buffers used for reading a response + from the upstream server for a single connection. properties: number: + description: Configures the number of buffers. The default + is set in the proxy-buffers ConfigMap key. type: integer size: + description: Configures the size of a buffer. The default + is set in the proxy-buffers ConfigMap key. type: string type: object client-max-body-size: + description: Sets the maximum allowed size of the client request + body. See the client_max_body_size directive. The default + is set in the client-max-body-size ConfigMap key. type: string connect-timeout: + description: The timeout for establishing a connection with + an upstream server. See the proxy_connect_timeout directive. + The default is specified in the proxy-connect-timeout ConfigMap + key. type: string fail-timeout: + description: The time during which the specified number of unsuccessful + attempts to communicate with an upstream server should happen + to consider the server unavailable. See the fail_timeout parameter + of the server directive. The default is set in the fail-timeout + ConfigMap key. type: string healthCheck: - description: HealthCheck defines the parameters for active Upstream - HealthChecks. + description: 'The health check configuration for the Upstream. + See the health_check directive. Note: this feature is supported + only in NGINX Plus.' properties: connect-timeout: + description: The timeout for establishing a connection with + an upstream server. By default, the connect-timeout of + the upstream is used. type: string enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer grpcService: + description: The gRPC service to be monitored on the upstream + server. Only valid on gRPC type upstreams. type: string grpcStatus: + description: The expected gRPC status code of the upstream + server response to the Check method. Configure this field + only if your gRPC services do not implement the gRPC health + checking protocol. For example, configure 12 if the upstream + server responds with 12 (UNIMPLEMENTED) status code. Only + valid on gRPC type upstreams. type: integer headers: + description: The request headers used for health check requests. + NGINX Plus always sets the Host, User-Agent and Connection + headers for health check requests. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string keepalive-time: + description: Enables keepalive connections for health checks + and specifies the time during which requests can be processed + through one keepalive connection. The default is 60s. type: string mandatory: + description: Require every newly added server to pass all + configured health checks before NGINX Plus sends traffic + to it. If this is not specified, or is set to false, the + server will be initially considered healthy. When combined + with slow-start, it gives a new server more time to connect + to databases and “warm up” before being asked to handle + their full share of traffic. type: boolean passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer path: + description: The path used for health check requests. The + default is /. This is not configurable for gRPC type upstreams. type: string persistent: + description: Set the initial “up” state for a server after + reload if the server was considered healthy before reload. + Enabling persistent requires that the mandatory parameter + is also set to true. type: boolean port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer read-timeout: + description: The timeout for reading a response from an + upstream server. By default, the read-timeout of the upstream + is used. type: string send-timeout: + description: The timeout for transmitting a request to an + upstream server. By default, the send-timeout of the upstream + is used. type: string statusMatch: + description: 'The expected response status codes of a health + check. By default, the response should have status code + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See + the documentation of the match directive. This not supported + for gRPC type upstreams.' type: string tls: - description: UpstreamTLS defines a TLS configuration for - an Upstream. + description: The TLS configuration used for health check + requests. By default, the tls field of the upstream is + used. properties: enable: + description: 'Enables HTTPS for requests to upstream + servers. The default is False , meaning that HTTP + will be used. Note: by default, NGINX will not verify + the upstream server certificate. To enable the verification, + configure an EgressMTLS Policy.' type: boolean type: object type: object keepalive: + description: Configures the cache for connections to upstream + servers. The value 0 disables the cache. See the keepalive + directive. The default is set in the keepalive ConfigMap key. type: integer lb-method: + description: The load balancing method. To use the round-robin + method, specify round_robin. The default is specified in the + lb-method ConfigMap key. type: string max-conns: + description: 'The maximum number of simultaneous active connections + to an upstream server. See the max_conns parameter of the + server directive. By default there is no limit. Note: if keepalive + connections are enabled, the total number of active and idle + keepalive connections to an upstream server may exceed the + max_conns value.' type: integer max-fails: + description: The number of unsuccessful attempts to communicate + with an upstream server that should happen in the duration + set by the fail-timeout to consider the server unavailable. + See the max_fails parameter of the server directive. The default + is set in the max-fails ConfigMap key. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string next-upstream: + description: Specifies in which cases a request should be passed + to the next upstream server. See the proxy_next_upstream directive. + The default is error timeout. type: string next-upstream-timeout: + description: The time during which a request can be passed to + the next upstream server. See the proxy_next_upstream_timeout + directive. The 0 value turns off the time limit. The default + is 0. type: string next-upstream-tries: + description: The number of possible tries for passing a request + to the next upstream server. See the proxy_next_upstream_tries + directive. The 0 value turns off this limit. The default is + 0. type: integer ntlm: + description: 'Allows proxying requests with NTLM Authentication. + See the ntlm directive. In order for NTLM authentication to + work, it is necessary to enable keepalive connections to upstream + servers using the keepalive field. Note: this feature is supported + only in NGINX Plus.' type: boolean port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and return a 502 response for requests for this upstream. + The port must fall into the range 1..65535. type: integer queue: - description: UpstreamQueue defines Queue Configuration for an - Upstream. + description: 'Configures a queue for an upstream. A client request + will be placed into the queue if an upstream server cannot + be selected immediately while processing the request. By default, + no queue is configured. Note: this feature is supported only + in NGINX Plus.' properties: size: + description: The size of the queue. type: integer timeout: + description: The timeout of the queue. A request cannot + be queued for a period longer than the timeout. The default + is 60s. type: string type: object read-timeout: + description: The timeout for reading a response from an upstream + server. See the proxy_read_timeout directive. The default + is specified in the proxy-read-timeout ConfigMap key. type: string send-timeout: + description: The timeout for transmitting a request to an upstream + server. See the proxy_send_timeout directive. The default + is specified in the proxy-send-timeout ConfigMap key. type: string service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + return a 502 response for requests for this upstream. For + NGINX Plus only, services of type ExternalName are also supported + (check the prerequisites ). type: string sessionCookie: - description: SessionCookie defines the parameters for session - persistence. + description: The SessionCookie field configures session persistence + which allows requests from the same client to be passed to + the same upstream server. The information about the designated + upstream server is passed in a session cookie generated by + NGINX Plus. properties: domain: + description: The domain for which the cookie is set. type: string enable: + description: Enables session persistence with a session + cookie for an upstream server. The default is false. type: boolean expires: + description: The time for which a browser should keep the + cookie. Can be set to the special value max , which will + cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. type: string httpOnly: + description: Adds the HttpOnly attribute to the cookie. type: boolean name: + description: The name of the cookie. type: string path: + description: The path for which the cookie is set. type: string samesite: + description: 'Adds the SameSite attribute to the cookie. + The allowed values are: strict, lax, none' type: string secure: + description: Adds the Secure attribute to the cookie. type: boolean type: object slow-start: + description: 'The slow start allows an upstream server to gradually + recover its weight from 0 to its nominal value after it has + been recovered or became available or when the server becomes + available after a period of time it was considered unavailable. + By default, the slow start is disabled. See the slow_start + parameter of the server directive. Note: The parameter cannot + be used along with the random , hash or ip_hash load balancing + methods and will be ignored.' type: string subselector: additionalProperties: type: string + description: 'Selects the pods within the service using label + keys and values. By default, all pods of the service are selected. + Note: the specified labels are expected to be present in the + pods when they are created. If the pod labels are updated, + NGINX Ingress Controller will not see that change until the + number of the pods is changed.' type: object tls: - description: UpstreamTLS defines a TLS configuration for an - Upstream. + description: The TLS configuration for the Upstream. properties: enable: + description: 'Enables HTTPS for requests to upstream servers. + The default is False , meaning that HTTP will be used. + Note: by default, NGINX will not verify the upstream server + certificate. To enable the verification, configure an + EgressMTLS Policy.' type: boolean type: object type: + description: The type of the upstream. Supported values are + http and grpc. The default is http. For gRPC, it is necessary + to enable HTTP/2 in the ConfigMap and configure TLS termination + in the VirtualServer. type: string use-cluster-ip: + description: Enables using the Cluster IP and port of the service + instead of the default behavior of using the IP and port of + the pods. When this field is enabled, the fields that configure + NGINX behavior related to multiple upstream servers (like + lb-method and next-upstream) will have no effect, as NGINX + Ingress Controller will configure NGINX with only one upstream + server that will match the service Cluster IP. type: boolean type: object type: array @@ -1338,6 +2163,8 @@ spec: resource. properties: externalEndpoints: + description: Defines the IPs, hostnames and ports used to connect + to this resource. items: description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. @@ -1351,12 +2178,20 @@ spec: type: object type: array message: + description: The message of the current state of the resource. It + can contain more detailed information about the reason. type: string reason: + description: The reason of the current state of the resource. type: string referencedBy: + description: Defines how other resources reference this resource. type: string state: + description: 'Represents the current state of the resource. There + are three possible values: Valid, Invalid and Warning. Valid indicates + that the resource has been validated and accepted by the Ingress + Controller. Invalid means the resource failed validation or NGINX' type: string type: object type: object @@ -1427,23 +2262,29 @@ spec: metadata: type: object spec: - description: VirtualServerSpec is the spec of the VirtualServer resource. + description: Spec contains the VirtualServer specification. properties: dos: + description: A reference to a DosProtectedResource, setting this enables + DOS protection of the VirtualServer route. type: string externalDNS: - description: ExternalDNS defines externaldns sub-resource of a virtual - server. + description: The externalDNS configuration for a VirtualServer. properties: enable: + description: Enables ExternalDNS integration for a VirtualServer + resource. The default is false. type: boolean labels: additionalProperties: type: string - description: Labels stores labels defined for the Endpoint + description: Configure labels to be applied to the Endpoint resources + that will be consumed by ExternalDNS. type: object providerSpecific: - description: ProviderSpecific stores provider specific config + description: Configure provider specific properties which holds + the name and value of a configuration which is specific to individual + DNS providers. items: description: |- ProviderSpecificProperty defines specific property @@ -1458,330 +2299,538 @@ spec: type: object type: array recordTTL: - description: TTL for the record + description: TTL for the DNS record. This defaults to 0 if not + defined. See the ExternalDNS TTL documentation for provider-specific + defaults format: int64 type: integer recordType: + description: The record Type that should be created, e.g. “A”, + “AAAA”, “CNAME”. This is automatically computed based on the + external endpoints if not defined. type: string type: object gunzip: + description: Enables or disables decompression of gzipped responses + for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. + If the gunzip value is not set, it defaults to off. type: boolean host: + description: The host (domain name) of the server. Must be a valid + subdomain as defined in RFC 1123, such as my-app or hello.example.com. + When using a wildcard domain like *.example.com the domain must + be contained in double quotes. The host value needs to be unique + among all Ingress and VirtualServer resources. See also Handling + Host and Listener Collisions. type: string http-snippets: + description: Sets a custom snippet in the http context. type: string ingressClassName: + description: Specifies which Ingress Controller must handle the VirtualServerRoute + resource. Must be the same as the ingressClassName of the VirtualServer + that references this resource. type: string internalRoute: description: InternalRoute allows for the configuration of internal routing. type: boolean listener: - description: VirtualServerListener references a custom http and/or - https listener defined in GlobalConfiguration. + description: Sets a custom HTTP and/or HTTPS listener. Valid fields + are listener.http and listener.https. Each field must reference + the name of a valid listener defined in a GlobalConfiguration resource properties: http: + description: The name of am HTTP listener defined in a GlobalConfiguration + resource. type: string https: + description: The name of an HTTPS listener defined in a GlobalConfiguration + resource. type: string type: object policies: + description: A list of policies. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: "The name of a policy. If the policy doesn’t exist + or invalid, NGINX will respond with an error response with + the 500 status code.\tv" type: string namespace: + description: The namespace of a policy. If not specified, the + namespace of the VirtualServer resource is used. type: string type: object type: array routes: + description: A list of routes. items: description: Route defines a route. properties: action: - description: Action defines an action. + description: The default action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the ability + to modify the request/response (for example, rewrite the + URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the proxy_pass_request_header + directive for more information. Default is true. type: boolean set: + description: Allows redefining or appending fields + to present request headers passed to the proxied + upstream servers. See the proxy_set_header directive + for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the response - headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response to the + client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the header + regardless of the response status code**. + Default is false. See the add_header directive + for more information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be passed* + in the response to the client from a proxied upstream + server. See the proxy_hide_header directive for + more information. items: type: string type: array ignore: + description: Disables processing of certain headers** + to the client from a proxied upstream server. + See the proxy_ignore_headers directive for more + information. items: type: string type: array pass: + description: Allows passing the hidden header fields* + to the client from a proxied upstream server. + See the proxy_pass_header directive for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path is + a regular expression – starts with ~ – the rewritePath + can include capture groups with $1-9. For example + $1 for the first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which the requests + will be proxied to. The upstream with that name must + be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301 , 302 , 307 , 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. Supported + NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly brackets. + For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The allowed + values are: 2XX, 4XX or 5XX. The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object dos: + description: A reference to a DosProtectedResource, setting + this enables DOS protection of the VirtualServer route. type: string errorPages: + description: The custom responses for error codes. NGINX will + use those responses instead of returning the error responses + from the upstream servers or the default responses generated + by NGINX. A custom response can be a redirect or a canned + response. For example, a redirect to another URL if an upstream + server responded with a 404 status code. items: description: ErrorPage defines an ErrorPage in a Route. properties: codes: + description: A list of error status codes. items: type: integer type: array redirect: - description: ErrorPageRedirect defines a redirect for - an ErrorPage. + description: The canned response action for the given + status codes. properties: code: + description: 'The status code of a redirect. The allowed + values are: 301 , 302 , 307 , 308. The default is + 301.' type: integer url: + description: 'The URL to redirect the request to. + Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ErrorPageReturn defines a return for an ErrorPage. + description: The redirect action for the given status + codes. properties: body: + description: 'The body of the response. Supports NGINX + variables*. Variables must be enclosed in curly + brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. The + allowed values are: 2XX, 4XX or 5XX. The default + is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The default + is text/plain. type: string type: object type: object type: array location-snippets: + description: Sets a custom snippet in the location context. + Overrides the location-snippets ConfigMap key. type: string matches: + description: The matching rules for advanced content-based routing. + Requires the default Action or Splits. Unmatched requests + will be handled by the default Action or Splits. items: description: Match defines a match. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the + proxy_pass_request_header directive for + more information. Default is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. See the + proxy_set_header directive for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. See + the add_header directive for more + information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. See the proxy_hide_header + directive for more information. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. See the proxy_ignore_headers directive + for more information. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. See the proxy_pass_header directive + for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301 , 302 , 307 , 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object conditions: + description: A list of conditions. Must include at least + 1 condition. items: description: Condition defines a condition in a MatchRule. properties: argument: + description: The name of an argument. Must consist + of alphanumeric characters or _. type: string cookie: + description: The name of a cookie. Must consist + of alphanumeric characters or _. type: string header: + description: The name of a header. Must consist + of alphanumeric characters or -. type: string value: + description: The value to match the condition against. + How to define a value is shown below the table. type: string variable: + description: The name of an NGINX variable. Must + start with $. See the list of the supported variables + below the table. type: string type: object type: array splits: + description: The splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. + The upstream with that name must be defined + in the resource. type: string proxy: - description: ActionProxy defines a proxy in - an Action. + description: Passes requests to an upstream + with the ability to modify the request/response + (for example, rewrite the URI or modify the + headers). properties: requestHeaders: - description: ProxyRequestHeaders defines - the request headers manipulation in an - ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request + headers to the proxied upstream server. + See the proxy_pass_request_header + directive for more information. Default + is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers + passed to the proxied upstream servers. + See the proxy_set_header directive + for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines - the response headers manipulation in an - ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always @@ -1789,384 +2838,789 @@ spec: NGINX directive. properties: always: + description: If set to true, add + the header regardless of the + response status code**. Default + is false. See the add_header + directive for more information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the + header. type: string type: object type: array hide: + description: The headers that will not + be passed* in the response to the + client from a proxied upstream server. + See the proxy_hide_header directive + for more information. items: type: string type: array ignore: + description: Disables processing of + certain headers** to the client from + a proxied upstream server. See the + proxy_ignore_headers directive for + more information. items: type: string type: array pass: + description: Allows passing the hidden + header fields* to the client from + a proxied upstream server. See the + proxy_pass_header directive for more + information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route + path is a regular expression – starts + with ~ – the rewritePath can include capture + groups with $1-9. For example $1 for the + first group, and so on. For more information, + check the rewrite example. type: string upstream: + description: The name of the upstream which + the requests will be proxied to. The upstream + with that name must be defined in the + resource. type: string type: object redirect: - description: ActionRedirect defines a redirect - in an Action. + description: Redirects requests to a provided + URL. properties: code: + description: 'The status code of a redirect. + The allowed values are: 301 , 302 , 307 + , 308. The default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme + , $http_x_forwarded_proto , $request_uri + , $host. Variables must be enclosed in + curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in - an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. + Supports NGINX variables*. Variables must + be enclosed in curly brackets. For example: + Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. + The default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. + The default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall + into the range 0..100. The sum of the weights + of all splits must be equal to 100. type: integer type: object type: array type: object type: array path: + description: 'The path of the route. NGINX will match it against + the URI of a request. Possible values are: a prefix ( / , + /path ), an exact match ( =/exact/match ), a case insensitive + regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive + regular expression ( ~^/foo.*\.jpg ). In the case of a prefix + (must start with / ) or an exact match (must start with = + ), the path must not include any whitespace characters, { + , } or ;. In the case of the regex matches, all double quotes + " must be escaped and the match can’t end in an unescaped + backslash \. The path must be unique among the paths of all + routes of the VirtualServer. Check the location directive + for more information.' type: string policies: + description: A list of policies. The policies override the policies + of the same type defined in the spec of the VirtualServer. + See Applying Policies for more details. items: description: PolicyReference references a policy by name and an optional namespace. properties: name: + description: "The name of a policy. If the policy doesn’t + exist or invalid, NGINX will respond with an error response + with the 500 status code.\tv" type: string namespace: + description: The namespace of a policy. If not specified, + the namespace of the VirtualServer resource is used. type: string type: object type: array route: + description: The name of a VirtualServerRoute resource that + defines this route. If the VirtualServerRoute belongs to a + different namespace than the VirtualServer, you need to include + the namespace. For example, tea-namespace/tea. type: string splits: + description: The default splits configuration for traffic splitting. + Must include at least 2 splits. items: description: Split defines a split. properties: action: - description: Action defines an action. + description: The action to perform for a request. properties: pass: + description: Passes requests to an upstream. The upstream + with that name must be defined in the resource. type: string proxy: - description: ActionProxy defines a proxy in an Action. + description: Passes requests to an upstream with the + ability to modify the request/response (for example, + rewrite the URI or modify the headers). properties: requestHeaders: - description: ProxyRequestHeaders defines the request - headers manipulation in an ActionProxy. + description: The request headers modifications. properties: pass: + description: Passes the original request headers + to the proxied upstream server. See the + proxy_pass_request_header directive for + more information. Default is true. type: boolean set: + description: Allows redefining or appending + fields to present request headers passed + to the proxied upstream servers. See the + proxy_set_header directive for more information. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: object responseHeaders: - description: ProxyResponseHeaders defines the - response headers manipulation in an ActionProxy. + description: The response headers modifications. properties: add: + description: Adds headers to the response + to the client. items: description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. properties: always: + description: If set to true, add the + header regardless of the response + status code**. Default is false. See + the add_header directive for more + information. type: boolean name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array hide: + description: The headers that will not be + passed* in the response to the client from + a proxied upstream server. See the proxy_hide_header + directive for more information. items: type: string type: array ignore: + description: Disables processing of certain + headers** to the client from a proxied upstream + server. See the proxy_ignore_headers directive + for more information. items: type: string type: array pass: + description: Allows passing the hidden header + fields* to the client from a proxied upstream + server. See the proxy_pass_header directive + for more information. items: type: string type: array type: object rewritePath: + description: The rewritten URI. If the route path + is a regular expression – starts with ~ – the + rewritePath can include capture groups with + $1-9. For example $1 for the first group, and + so on. For more information, check the rewrite + example. type: string upstream: + description: The name of the upstream which the + requests will be proxied to. The upstream with + that name must be defined in the resource. type: string type: object redirect: - description: ActionRedirect defines a redirect in - an Action. + description: Redirects requests to a provided URL. properties: code: + description: 'The status code of a redirect. The + allowed values are: 301 , 302 , 307 , 308. The + default is 301.' type: integer url: + description: 'The URL to redirect the request + to. Supported NGINX variables: $scheme , $http_x_forwarded_proto + , $request_uri , $host. Variables must be enclosed + in curly braces. For example: ${host}${request_uri}.' type: string type: object return: - description: ActionReturn defines a return in an Action. + description: Returns a preconfigured response. properties: body: + description: 'The body of the response. Supports + NGINX variables*. Variables must be enclosed + in curly brackets. For example: Request is ${request_uri}\n.' type: string code: + description: 'The status code of the response. + The allowed values are: 2XX, 4XX or 5XX. The + default is 200.' type: integer headers: + description: The custom headers of the response. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array type: + description: The MIME type of the response. The + default is text/plain. type: string type: object type: object weight: + description: The weight of an action. Must fall into the + range 0..100. The sum of the weights of all splits must + be equal to 100. type: integer type: object type: array type: object type: array server-snippets: + description: Sets a custom snippet in server context. Overrides the + server-snippets ConfigMap key. type: string tls: - description: TLS defines TLS configuration for a VirtualServer. + description: The TLS termination configuration. properties: cert-manager: - description: CertManager defines a cert manager config for a TLS. + description: The cert-manager configuration of the TLS for a VirtualServer. properties: cluster-issuer: + description: the name of a ClusterIssuer. A ClusterIssuer + is a cert-manager resource which describes the certificate + authority capable of signing certificates. It does not matter + which namespace your VirtualServer resides, as ClusterIssuers + are non-namespaced resources. Please note that one of issuer + and cluster-issuer are required, but they are mutually exclusive + - one and only one must be defined. type: string common-name: + description: This field allows you to configure spec.commonName + for the Certificate to be generated. This configuration + adds a CN to the x509 certificate. type: string duration: + description: This field allows you to configure spec.duration + field for the Certificate to be generated. Must be specified + using a Go time.Duration string format, which does not allow + the d (days) suffix. You must specify these values using + s, m, and h suffixes instead. type: string issue-temp-cert: + description: When true, ask cert-manager for a temporary self-signed + certificate pending the issuance of the Certificate. This + allows HTTPS-only servers to use ACME HTTP01 challenges + when the TLS secret does not exist yet. type: boolean issuer: + description: the name of an Issuer. An Issuer is a cert-manager + resource which describes the certificate authority capable + of signing certificates. The Issuer must be in the same + namespace as the VirtualServer resource. Please note that + one of issuer and cluster-issuer are required, but they + are mutually exclusive - one and only one must be defined. type: string issuer-group: + description: The API group of the external issuer controller, + for example awspca.cert-manager.io. This is only necessary + for out-of-tree issuers. This cannot be defined if cluster-issuer + is also defined. type: string issuer-kind: + description: The kind of the external issuer resource, for + example AWSPCAIssuer. This is only necessary for out-of-tree + issuers. This cannot be defined if cluster-issuer is also + defined. type: string renew-before: + description: this annotation allows you to configure spec.renewBefore + field for the Certificate to be generated. Must be specified + using a Go time.Duration string format, which does not allow + the d (days) suffix. You must specify these values using + s, m, and h suffixes instead. type: string usages: + description: This field allows you to configure spec.usages + field for the Certificate to be generated. Pass a string + with comma-separated values i.e. key agreement,digital signature, + server auth. An exhaustive list of supported key usages + can be found in the the cert-manager api documentation. type: string type: object redirect: - description: TLSRedirect defines a redirect for a TLS. + description: The redirect configuration of the TLS for a VirtualServer. properties: basedOn: + description: The attribute of a request that NGINX will evaluate + to send a redirect. The allowed values are scheme (the scheme + of the request) or x-forwarded-proto (the X-Forwarded-Proto + header of the request). The default is scheme. type: string code: + description: 'The status code of a redirect. The allowed values + are: 301 , 302 , 307 , 308. The default is 301.' type: integer enable: + description: Enables a TLS redirect for a VirtualServer. The + default is False. type: boolean type: object secret: + description: The name of a secret with a TLS certificate and key. + The secret must belong to the same namespace as the VirtualServer. + The secret must be of the type kubernetes.io/tls and contain + keys named tls.crt and tls.key that contain the certificate + and private key as described here. If the secret doesn’t exist + or is invalid, NGINX will break any attempt to establish a TLS + connection to the host of the VirtualServer. If the secret is + not specified but wildcard TLS secret is configured, NGINX will + use the wildcard secret for TLS termination. type: string type: object upstreams: + description: A list of upstreams. items: description: Upstream defines an upstream. properties: backup: + description: 'The name of the backup service of type ExternalName. + This will be used when the primary servers are unavailable. + Note: The parameter cannot be used along with the random , + hash or ip_hash load balancing methods.' type: string backupPort: + description: The port of the backup service. The backup port + is required if the backup service name is provided. The port + must fall into the range 1..65535. type: integer buffer-size: + description: Sets the size of the buffer used for reading the + first part of a response received from the upstream server. + See the proxy_buffer_size directive. The default is set in + the proxy-buffer-size ConfigMap key. type: string buffering: + description: Enables buffering of responses from the upstream + server. See the proxy_buffering directive. The default is + set in the proxy-buffering ConfigMap key. type: boolean buffers: - description: UpstreamBuffers defines Buffer Configuration for - an Upstream. + description: Configures the buffers used for reading a response + from the upstream server for a single connection. properties: number: + description: Configures the number of buffers. The default + is set in the proxy-buffers ConfigMap key. type: integer size: + description: Configures the size of a buffer. The default + is set in the proxy-buffers ConfigMap key. type: string type: object client-max-body-size: + description: Sets the maximum allowed size of the client request + body. See the client_max_body_size directive. The default + is set in the client-max-body-size ConfigMap key. type: string connect-timeout: + description: The timeout for establishing a connection with + an upstream server. See the proxy_connect_timeout directive. + The default is specified in the proxy-connect-timeout ConfigMap + key. type: string fail-timeout: + description: The time during which the specified number of unsuccessful + attempts to communicate with an upstream server should happen + to consider the server unavailable. See the fail_timeout parameter + of the server directive. The default is set in the fail-timeout + ConfigMap key. type: string healthCheck: - description: HealthCheck defines the parameters for active Upstream - HealthChecks. + description: 'The health check configuration for the Upstream. + See the health_check directive. Note: this feature is supported + only in NGINX Plus.' properties: connect-timeout: + description: The timeout for establishing a connection with + an upstream server. By default, the connect-timeout of + the upstream is used. type: string enable: + description: Enables a health check for an upstream server. + The default is false. type: boolean fails: + description: The number of consecutive failed health checks + of a particular upstream server after which this server + will be considered unhealthy. The default is 1. type: integer grpcService: + description: The gRPC service to be monitored on the upstream + server. Only valid on gRPC type upstreams. type: string grpcStatus: + description: The expected gRPC status code of the upstream + server response to the Check method. Configure this field + only if your gRPC services do not implement the gRPC health + checking protocol. For example, configure 12 if the upstream + server responds with 12 (UNIMPLEMENTED) status code. Only + valid on gRPC type upstreams. type: integer headers: + description: The request headers used for health check requests. + NGINX Plus always sets the Host, User-Agent and Connection + headers for health check requests. items: description: Header defines an HTTP Header. properties: name: + description: The name of the header. type: string value: + description: The value of the header. type: string type: object type: array interval: + description: The interval between two consecutive health + checks. The default is 5s. type: string jitter: + description: The time within which each health check will + be randomly delayed. By default, there is no delay. type: string keepalive-time: + description: Enables keepalive connections for health checks + and specifies the time during which requests can be processed + through one keepalive connection. The default is 60s. type: string mandatory: + description: Require every newly added server to pass all + configured health checks before NGINX Plus sends traffic + to it. If this is not specified, or is set to false, the + server will be initially considered healthy. When combined + with slow-start, it gives a new server more time to connect + to databases and “warm up” before being asked to handle + their full share of traffic. type: boolean passes: + description: The number of consecutive passed health checks + of a particular upstream server after which the server + will be considered healthy. The default is 1. type: integer path: + description: The path used for health check requests. The + default is /. This is not configurable for gRPC type upstreams. type: string persistent: + description: Set the initial “up” state for a server after + reload if the server was considered healthy before reload. + Enabling persistent requires that the mandatory parameter + is also set to true. type: boolean port: + description: 'The port used for health check requests. By + default, the server port is used. Note: in contrast with + the port of the upstream, this port is not a service port, + but a port of a pod.' type: integer read-timeout: + description: The timeout for reading a response from an + upstream server. By default, the read-timeout of the upstream + is used. type: string send-timeout: + description: The timeout for transmitting a request to an + upstream server. By default, the send-timeout of the upstream + is used. type: string statusMatch: + description: 'The expected response status codes of a health + check. By default, the response should have status code + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See + the documentation of the match directive. This not supported + for gRPC type upstreams.' type: string tls: - description: UpstreamTLS defines a TLS configuration for - an Upstream. + description: The TLS configuration used for health check + requests. By default, the tls field of the upstream is + used. properties: enable: + description: 'Enables HTTPS for requests to upstream + servers. The default is False , meaning that HTTP + will be used. Note: by default, NGINX will not verify + the upstream server certificate. To enable the verification, + configure an EgressMTLS Policy.' type: boolean type: object type: object keepalive: + description: Configures the cache for connections to upstream + servers. The value 0 disables the cache. See the keepalive + directive. The default is set in the keepalive ConfigMap key. type: integer lb-method: + description: The load balancing method. To use the round-robin + method, specify round_robin. The default is specified in the + lb-method ConfigMap key. type: string max-conns: + description: 'The maximum number of simultaneous active connections + to an upstream server. See the max_conns parameter of the + server directive. By default there is no limit. Note: if keepalive + connections are enabled, the total number of active and idle + keepalive connections to an upstream server may exceed the + max_conns value.' type: integer max-fails: + description: The number of unsuccessful attempts to communicate + with an upstream server that should happen in the duration + set by the fail-timeout to consider the server unavailable. + See the max_fails parameter of the server directive. The default + is set in the max-fails ConfigMap key. type: integer name: + description: The name of the upstream. Must be a valid DNS label + as defined in RFC 1035. For example, hello and upstream-123 + are valid. The name must be unique among all upstreams of + the resource. type: string next-upstream: + description: Specifies in which cases a request should be passed + to the next upstream server. See the proxy_next_upstream directive. + The default is error timeout. type: string next-upstream-timeout: + description: The time during which a request can be passed to + the next upstream server. See the proxy_next_upstream_timeout + directive. The 0 value turns off the time limit. The default + is 0. type: string next-upstream-tries: + description: The number of possible tries for passing a request + to the next upstream server. See the proxy_next_upstream_tries + directive. The 0 value turns off this limit. The default is + 0. type: integer ntlm: + description: 'Allows proxying requests with NTLM Authentication. + See the ntlm directive. In order for NTLM authentication to + work, it is necessary to enable keepalive connections to upstream + servers using the keepalive field. Note: this feature is supported + only in NGINX Plus.' type: boolean port: + description: The port of the service. If the service doesn’t + define that port, NGINX will assume the service has zero endpoints + and return a 502 response for requests for this upstream. + The port must fall into the range 1..65535. type: integer queue: - description: UpstreamQueue defines Queue Configuration for an - Upstream. + description: 'Configures a queue for an upstream. A client request + will be placed into the queue if an upstream server cannot + be selected immediately while processing the request. By default, + no queue is configured. Note: this feature is supported only + in NGINX Plus.' properties: size: + description: The size of the queue. type: integer timeout: + description: The timeout of the queue. A request cannot + be queued for a period longer than the timeout. The default + is 60s. type: string type: object read-timeout: + description: The timeout for reading a response from an upstream + server. See the proxy_read_timeout directive. The default + is specified in the proxy-read-timeout ConfigMap key. type: string send-timeout: + description: The timeout for transmitting a request to an upstream + server. See the proxy_send_timeout directive. The default + is specified in the proxy-send-timeout ConfigMap key. type: string service: + description: The name of a service. The service must belong + to the same namespace as the resource. If the service doesn’t + exist, NGINX will assume the service has zero endpoints and + return a 502 response for requests for this upstream. For + NGINX Plus only, services of type ExternalName are also supported + (check the prerequisites ). type: string sessionCookie: - description: SessionCookie defines the parameters for session - persistence. + description: The SessionCookie field configures session persistence + which allows requests from the same client to be passed to + the same upstream server. The information about the designated + upstream server is passed in a session cookie generated by + NGINX Plus. properties: domain: + description: The domain for which the cookie is set. type: string enable: + description: Enables session persistence with a session + cookie for an upstream server. The default is false. type: boolean expires: + description: The time for which a browser should keep the + cookie. Can be set to the special value max , which will + cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. type: string httpOnly: + description: Adds the HttpOnly attribute to the cookie. type: boolean name: + description: The name of the cookie. type: string path: + description: The path for which the cookie is set. type: string samesite: + description: 'Adds the SameSite attribute to the cookie. + The allowed values are: strict, lax, none' type: string secure: + description: Adds the Secure attribute to the cookie. type: boolean type: object slow-start: + description: 'The slow start allows an upstream server to gradually + recover its weight from 0 to its nominal value after it has + been recovered or became available or when the server becomes + available after a period of time it was considered unavailable. + By default, the slow start is disabled. See the slow_start + parameter of the server directive. Note: The parameter cannot + be used along with the random , hash or ip_hash load balancing + methods and will be ignored.' type: string subselector: additionalProperties: type: string + description: 'Selects the pods within the service using label + keys and values. By default, all pods of the service are selected. + Note: the specified labels are expected to be present in the + pods when they are created. If the pod labels are updated, + NGINX Ingress Controller will not see that change until the + number of the pods is changed.' type: object tls: - description: UpstreamTLS defines a TLS configuration for an - Upstream. + description: The TLS configuration for the Upstream. properties: enable: + description: 'Enables HTTPS for requests to upstream servers. + The default is False , meaning that HTTP will be used. + Note: by default, NGINX will not verify the upstream server + certificate. To enable the verification, configure an + EgressMTLS Policy.' type: boolean type: object type: + description: The type of the upstream. Supported values are + http and grpc. The default is http. For gRPC, it is necessary + to enable HTTP/2 in the ConfigMap and configure TLS termination + in the VirtualServer. type: string use-cluster-ip: + description: Enables using the Cluster IP and port of the service + instead of the default behavior of using the IP and port of + the pods. When this field is enabled, the fields that configure + NGINX behavior related to multiple upstream servers (like + lb-method and next-upstream) will have no effect, as NGINX + Ingress Controller will configure NGINX with only one upstream + server that will match the service Cluster IP. type: boolean type: object type: array type: object status: - description: VirtualServerStatus defines the status for the VirtualServer - resource. + description: Status contains the current status of the VirtualServer. properties: externalEndpoints: items: From 10fe27804a79e51ea33ff1b55f30cf3a923f794d Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 17 Jul 2025 09:26:16 +0000 Subject: [PATCH 06/33] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- pkg/apis/configuration/v1/types.go | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 903059721a..62d4bc74a7 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -178,15 +178,15 @@ type Upstream struct { // UpstreamBuffers defines Buffer Configuration for an Upstream. type UpstreamBuffers struct { - // Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. + // Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. Number int `json:"number"` - // Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. + // Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. Size string `json:"size"` } // UpstreamTLS defines a TLS configuration for an Upstream. type UpstreamTLS struct { - // Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. + // Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. Enable bool `json:"enable"` } @@ -232,9 +232,9 @@ type HealthCheck struct { // Header defines an HTTP Header. type Header struct { - // The name of the header. + // The name of the header. Name string `json:"name"` - // The value of the header. + // The value of the header. Value string `json:"value"` } @@ -347,7 +347,7 @@ type ProxyResponseHeaders struct { // AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. type AddHeader struct { Header `json:",inline"` - // If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. + // If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. Always bool `json:"always"` } @@ -546,7 +546,7 @@ type GlobalConfiguration struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` // spec field of the GlobalConfiguration resource - Spec GlobalConfigurationSpec `json:"spec"` + Spec GlobalConfigurationSpec `json:"spec"` } // GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. @@ -606,19 +606,19 @@ type TransportServer struct { // TransportServerSpec is the spec of the TransportServer resource. type TransportServerSpec struct { - // Specifies which Ingress Controller must handle the VirtualServer resource. + // Specifies which Ingress Controller must handle the VirtualServer resource. IngressClass string `json:"ingressClassName"` - // The TLS termination configuration. + // The TLS termination configuration. TLS *TransportServerTLS `json:"tls"` - // Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource + // Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource Listener TransportServerListener `json:"listener"` // Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. ServerSnippets string `json:"serverSnippets"` // Sets a custom snippet in the stream context. Overrides the stream-snippets ConfigMap key. StreamSnippets string `json:"streamSnippets"` - // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. + // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. Host string `json:"host"` - // A list of upstreams. + // A list of upstreams. Upstreams []TransportServerUpstream `json:"upstreams"` // The UpstreamParameters are set on stream context UpstreamParameters *UpstreamParameters `json:"upstreamParameters"` @@ -635,9 +635,9 @@ type TransportServerTLS struct { // TransportServerListener defines a listener for a TransportServer. type TransportServerListener struct { - // The name of a listener defined in a GlobalConfiguration resource. + // The name of a listener defined in a GlobalConfiguration resource. Name string `json:"name"` - // The protocol of the listener. + // The protocol of the listener. Protocol string `json:"protocol"` } @@ -802,7 +802,7 @@ type PolicySpec struct { type PolicyList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` - + // Items field of the PolicyList resource Items []Policy `json:"items"` } From 9b459612c12cee4b2ee92fe8d4058017352ae32a Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Thu, 17 Jul 2025 12:04:51 +0100 Subject: [PATCH 07/33] add crds final --- .../crd/k8s.nginx.org_globalconfigurations.md | 15 +- docs/crd/k8s.nginx.org_policies.md | 138 ++--- docs/crd/k8s.nginx.org_transportservers.md | 80 +-- docs/crd/k8s.nginx.org_virtualserverroutes.md | 418 +++++++-------- docs/crd/k8s.nginx.org_virtualservers.md | 482 +++++++++--------- 5 files changed, 567 insertions(+), 566 deletions(-) diff --git a/docs/crd/k8s.nginx.org_globalconfigurations.md b/docs/crd/k8s.nginx.org_globalconfigurations.md index 5ff40014af..a5c61b4ced 100644 --- a/docs/crd/k8s.nginx.org_globalconfigurations.md +++ b/docs/crd/k8s.nginx.org_globalconfigurations.md @@ -15,10 +15,11 @@ The `.spec` object supports the following fields: | Field | Type | Description | |---|---|---| -| `listeners` | `array` | List of configuration values. | -| `listeners[].ipv4` | `string` | String configuration value. | -| `listeners[].ipv6` | `string` | String configuration value. | -| `listeners[].name` | `string` | String configuration value. | -| `listeners[].port` | `integer` | Numeric configuration value. | -| `listeners[].protocol` | `string` | String configuration value. | -| `listeners[].ssl` | `boolean` | Enable or disable this feature. | +| `listeners` | `array` | Listeners field of the GlobalConfigurationSpec resource | +| `listeners[].ipv4` | `string` | Ipv4 and ipv6 addresses that NGINX will listen on. Defaults to listening on all available IPv4 and IPv6 addresses. | +| `listeners[].ipv6` | `string` | Ipv6 addresses that NGINX will listen on. | +| `listeners[].name` | `string` | The name of the listener. The name must be unique across all listeners. | +| `listeners[].passSNI` | `boolean` | Custom SNI processing for listener. Allows listener to be used as a passthrough for SNI processing | +| `listeners[].port` | `integer` | The port on which the listener will accept connections. | +| `listeners[].protocol` | `string` | The protocol of the listener. For example, HTTP. | +| `listeners[].ssl` | `boolean` | Whether the listener will be listening for SSL connections | diff --git a/docs/crd/k8s.nginx.org_policies.md b/docs/crd/k8s.nginx.org_policies.md index f1021edcbd..ae60d8f366 100644 --- a/docs/crd/k8s.nginx.org_policies.md +++ b/docs/crd/k8s.nginx.org_policies.md @@ -15,56 +15,56 @@ The `.spec` object supports the following fields: | Field | Type | Description | |---|---|---| -| `accessControl` | `object` | AccessControl defines an access policy based on the source IP of a request. | +| `accessControl` | `object` | The access control policy based on the client IP address. | | `accessControl.allow` | `array[string]` | Configuration field. | | `accessControl.deny` | `array[string]` | Configuration field. | -| `apiKey` | `object` | APIKey defines an API Key policy. | -| `apiKey.clientSecret` | `string` | String configuration value. | -| `apiKey.suppliedIn` | `object` | SuppliedIn defines the locations API Key should be supplied in. | -| `apiKey.suppliedIn.header` | `array[string]` | Configuration field. | -| `apiKey.suppliedIn.query` | `array[string]` | Configuration field. | -| `basicAuth` | `object` | BasicAuth holds HTTP Basic authentication configuration | -| `basicAuth.realm` | `string` | String configuration value. | -| `basicAuth.secret` | `string` | String configuration value. | -| `egressMTLS` | `object` | EgressMTLS defines an Egress MTLS policy. | -| `egressMTLS.ciphers` | `string` | String configuration value. | -| `egressMTLS.protocols` | `string` | String configuration value. | -| `egressMTLS.serverName` | `boolean` | Enable or disable this feature. | -| `egressMTLS.sessionReuse` | `boolean` | Enable or disable this feature. | -| `egressMTLS.sslName` | `string` | String configuration value. | -| `egressMTLS.tlsSecret` | `string` | String configuration value. | -| `egressMTLS.trustedCertSecret` | `string` | String configuration value. | -| `egressMTLS.verifyDepth` | `integer` | Numeric configuration value. | -| `egressMTLS.verifyServer` | `boolean` | Enable or disable this feature. | -| `ingressClassName` | `string` | String configuration value. | -| `ingressMTLS` | `object` | IngressMTLS defines an Ingress MTLS policy. | -| `ingressMTLS.clientCertSecret` | `string` | String configuration value. | -| `ingressMTLS.crlFileName` | `string` | String configuration value. | -| `ingressMTLS.verifyClient` | `string` | String configuration value. | -| `ingressMTLS.verifyDepth` | `integer` | Numeric configuration value. | -| `jwt` | `object` | JWTAuth holds JWT authentication configuration. | -| `jwt.jwksURI` | `string` | String configuration value. | -| `jwt.keyCache` | `string` | String configuration value. | -| `jwt.realm` | `string` | String configuration value. | -| `jwt.secret` | `string` | String configuration value. | -| `jwt.token` | `string` | String configuration value. | -| `oidc` | `object` | OIDC defines an Open ID Connect policy. | -| `oidc.accessTokenEnable` | `boolean` | Enable or disable this feature. | -| `oidc.authEndpoint` | `string` | String configuration value. | -| `oidc.authExtraArgs` | `array[string]` | Configuration field. | -| `oidc.clientID` | `string` | String configuration value. | -| `oidc.clientSecret` | `string` | String configuration value. | -| `oidc.endSessionEndpoint` | `string` | String configuration value. | -| `oidc.jwksURI` | `string` | String configuration value. | -| `oidc.pkceEnable` | `boolean` | Enable or disable this feature. | -| `oidc.postLogoutRedirectURI` | `string` | String configuration value. | -| `oidc.redirectURI` | `string` | String configuration value. | -| `oidc.scope` | `string` | String configuration value. | -| `oidc.tokenEndpoint` | `string` | String configuration value. | -| `oidc.zoneSyncLeeway` | `integer` | Numeric configuration value. | -| `rateLimit` | `object` | RateLimit defines a rate limit policy. | -| `rateLimit.burst` | `integer` | Numeric configuration value. | -| `rateLimit.condition` | `object` | RateLimitCondition defines a condition for a rate limit policy. | +| `apiKey` | `object` | The API Key policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param. | +| `apiKey.clientSecret` | `string` | The key to which the API key is applied. Can contain text, variables, or a combination of them. Accepted variables are $http_, $arg_, $cookie_. | +| `apiKey.suppliedIn` | `object` | The location of the API Key. For example, $http_auth, $arg_apikey, $cookie_auth. Accepted variables are $http_, $arg_, $cookie_. | +| `apiKey.suppliedIn.header` | `array[string]` | The location of the API Key as a request header. For example, $http_auth. Accepted variables are $http_. | +| `apiKey.suppliedIn.query` | `array[string]` | The location of the API Key as a query param. For example, $arg_apikey. Accepted variables are $arg_. | +| `basicAuth` | `object` | The basic auth policy configures NGINX to authenticate client requests using HTTP Basic authentication credentials. | +| `basicAuth.realm` | `string` | The realm for the basic authentication. | +| `basicAuth.secret` | `string` | The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid. | +| `egressMTLS` | `object` | The EgressMTLS policy configures upstreams authentication and certificate verification. | +| `egressMTLS.ciphers` | `string` | Specifies the enabled ciphers for requests to an upstream HTTPS server. The default is DEFAULT. | +| `egressMTLS.protocols` | `string` | Specifies the protocols for requests to an upstream HTTPS server. The default is TLSv1 TLSv1.1 TLSv1.2. | +| `egressMTLS.serverName` | `boolean` | Enables passing of the server name through Server Name Indication extension. | +| `egressMTLS.sessionReuse` | `boolean` | Enables reuse of SSL sessions to the upstreams. The default is true. | +| `egressMTLS.sslName` | `string` | Allows overriding the server name used to verify the certificate of the upstream HTTPS server. | +| `egressMTLS.tlsSecret` | `string` | The name of the Kubernetes secret that stores the TLS certificate and key. It must be in the same namespace as the Policy resource. The secret must be of the type kubernetes.io/tls, the certificate must be stored in the secret under the key tls.crt, and the key must be stored under the key tls.key, otherwise the secret will be rejected as invalid. | +| `egressMTLS.trustedCertSecret` | `string` | The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. | +| `egressMTLS.verifyDepth` | `integer` | Sets the verification depth in the proxied HTTPS server certificates chain. The default is 1. | +| `egressMTLS.verifyServer` | `boolean` | Enables verification of the upstream HTTPS server certificate. | +| `ingressClassName` | `string` | Specifies which instance of NGINX Ingress Controller must handle the Policy resource. | +| `ingressMTLS` | `object` | The IngressMTLS policy configures client certificate verification. | +| `ingressMTLS.clientCertSecret` | `string` | The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/ca, and the certificate must be stored in the secret under the key ca.crt, otherwise the secret will be rejected as invalid. | +| `ingressMTLS.crlFileName` | `string` | The file name of the Certificate Revocation List. NGINX Ingress Controller will look for this file in /etc/nginx/secrets | +| `ingressMTLS.verifyClient` | `string` | Verification for the client. Possible values are "on", "off", "optional", "optional_no_ca". The default is "on". | +| `ingressMTLS.verifyDepth` | `integer` | Sets the verification depth in the client certificates chain. The default is 1. | +| `jwt` | `object` | The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens. | +| `jwt.jwksURI` | `string` | The remote URI where the request will be sent to retrieve JSON Web Key set | +| `jwt.keyCache` | `string` | Enables in-memory caching of JWKS (JSON Web Key Sets) that are obtained from the jwksURI and sets a valid time for expiration. | +| `jwt.realm` | `string` | The realm of the JWT. | +| `jwt.secret` | `string` | The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid. | +| `jwt.token` | `string` | The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the Authorization header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: $cookie_auth_token. Accepted variables are $http_, $arg_, $cookie_. | +| `oidc` | `object` | The OpenID Connect policy configures NGINX to authenticate client requests by validating a JWT token against an OAuth2/OIDC token provider, such as Auth0 or Keycloak. | +| `oidc.accessTokenEnable` | `boolean` | Option of whether Bearer token is used to authorize NGINX to access protected backend. | +| `oidc.authEndpoint` | `string` | URL for the authorization endpoint provided by your OpenID Connect provider. | +| `oidc.authExtraArgs` | `array[string]` | A list of extra URL arguments to pass to the authorization endpoint provided by your OpenID Connect provider. Arguments must be URL encoded, multiple arguments may be included in the list, for example [ arg1=value1, arg2=value2 ] | +| `oidc.clientID` | `string` | The client ID provided by your OpenID Connect provider. | +| `oidc.clientSecret` | `string` | The name of the Kubernetes secret that stores the client secret provided by your OpenID Connect provider. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/oidc, and the secret under the key client-secret, otherwise the secret will be rejected as invalid. If PKCE is enabled, this should be not configured. | +| `oidc.endSessionEndpoint` | `string` | URL provided by your OpenID Connect provider to request the end user be logged out. | +| `oidc.jwksURI` | `string` | URL for the JSON Web Key Set (JWK) document provided by your OpenID Connect provider. | +| `oidc.pkceEnable` | `boolean` | Switches Proof Key for Code Exchange on. The OpenID client needs to be in public mode. clientSecret is not used in this mode. | +| `oidc.postLogoutRedirectURI` | `string` | URI to redirect to after the logout has been performed. Requires endSessionEndpoint. The default is /_logout. | +| `oidc.redirectURI` | `string` | Allows overriding the default redirect URI. The default is /_codexch. | +| `oidc.scope` | `string` | List of OpenID Connect scopes. The scope openid always needs to be present and others can be added concatenating them with a + sign, for example openid+profile+email, openid+email+userDefinedScope. The default is openid. | +| `oidc.tokenEndpoint` | `string` | URL for the token endpoint provided by your OpenID Connect provider. | +| `oidc.zoneSyncLeeway` | `integer` | Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is 200. | +| `rateLimit` | `object` | The rate limit policy controls the rate of processing requests per a defined key. | +| `rateLimit.burst` | `integer` | Excessive requests are delayed until their number exceeds the burst size, in which case the request is terminated with an error. | +| `rateLimit.condition` | `object` | Add a condition to a rate-limit policy. | | `rateLimit.condition.default` | `boolean` | Sets the rate limit in this policy to be the default if no conditions are met. In a group of policies with the same condition, only one policy can be the default. | | `rateLimit.condition.jwt` | `object` | Defines a JWT condition to rate limit against. | | `rateLimit.condition.jwt.claim` | `string` | The JWT claim to be rate limit by. Nested claims should be separated by "." | @@ -72,26 +72,26 @@ The `.spec` object supports the following fields: | `rateLimit.condition.variables` | `array` | Defines a Variables condition to rate limit against. | | `rateLimit.condition.variables[].match` | `string` | The value of the variable to match against. | | `rateLimit.condition.variables[].name` | `string` | The name of the variable to match against. | -| `rateLimit.delay` | `integer` | Numeric configuration value. | -| `rateLimit.dryRun` | `boolean` | Enable or disable this feature. | -| `rateLimit.key` | `string` | String configuration value. | -| `rateLimit.logLevel` | `string` | String configuration value. | -| `rateLimit.noDelay` | `boolean` | Enable or disable this feature. | -| `rateLimit.rate` | `string` | String configuration value. | -| `rateLimit.rejectCode` | `integer` | Numeric configuration value. | -| `rateLimit.scale` | `boolean` | Enable or disable this feature. | -| `rateLimit.zoneSize` | `string` | String configuration value. | -| `waf` | `object` | WAF defines an WAF policy. | -| `waf.apBundle` | `string` | String configuration value. | -| `waf.apPolicy` | `string` | String configuration value. | -| `waf.enable` | `boolean` | Enable or disable this feature. | +| `rateLimit.delay` | `integer` | The delay parameter specifies a limit at which excessive requests become delayed. If not set all excessive requests are delayed. | +| `rateLimit.dryRun` | `boolean` | Enables the dry run mode. In this mode, the rate limit is not actually applied, but the number of excessive requests is accounted as usual in the shared memory zone. | +| `rateLimit.key` | `string` | The key to which the rate limit is applied. Can contain text, variables, or a combination of them. Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are $binary_remote_addr,$request_uri,$request_method,$url,$http_, $args,$arg_,$cookie_,$jwt_claim_. | +| `rateLimit.logLevel` | `string` | Sets the desired logging level for cases when the server refuses to process requests due to rate exceeding, or delays request processing. Allowed values are info, notice, warn or error. Default is error. | +| `rateLimit.noDelay` | `boolean` | Disables the delaying of excessive requests while requests are being limited. Overrides delay if both are set. | +| `rateLimit.rate` | `string` | The rate of requests permitted. The rate is specified in requests per second (r/s) or requests per minute (r/m). | +| `rateLimit.rejectCode` | `integer` | Sets the status code to return in response to rejected requests. Must fall into the range 400..599. Default is 503. | +| `rateLimit.scale` | `boolean` | Enables a constant rate-limit by dividing the configured rate by the number of nginx-ingress pods currently serving traffic. This adjustment ensures that the rate-limit remains consistent, even as the number of nginx-pods fluctuates due to autoscaling. This will not work properly if requests from a client are not evenly distributed across all ingress pods (Such as with sticky sessions, long lived TCP Connections with many requests, and so forth). In such cases using zone-sync instead would give better results. Enabling zone-sync will suppress this setting. | +| `rateLimit.zoneSize` | `string` | Size of the shared memory zone. Only positive values are allowed. Allowed suffixes are k or m, if none are present k is assumed. | +| `waf` | `object` | The WAF policy configures WAF and log configuration policies for NGINX AppProtect | +| `waf.apBundle` | `string` | The App Protect WAF policy bundle. Mutually exclusive with apPolicy. | +| `waf.apPolicy` | `string` | The App Protect WAF policy of the WAF. Accepts an optional namespace. Mutually exclusive with apBundle. | +| `waf.enable` | `boolean` | Enables NGINX App Protect WAF. | | `waf.securityLog` | `object` | SecurityLog defines the security log of a WAF policy. | -| `waf.securityLog.apLogBundle` | `string` | String configuration value. | -| `waf.securityLog.apLogConf` | `string` | String configuration value. | -| `waf.securityLog.enable` | `boolean` | Enable or disable this feature. | -| `waf.securityLog.logDest` | `string` | String configuration value. | +| `waf.securityLog.apLogBundle` | `string` | The App Protect WAF log bundle resource. Only works with apBundle. | +| `waf.securityLog.apLogConf` | `string` | The App Protect WAF log conf resource. Accepts an optional namespace. Only works with apPolicy. | +| `waf.securityLog.enable` | `boolean` | Enables security log. | +| `waf.securityLog.logDest` | `string` | The log destination for the security log. Only accepted variables are syslog:server=:, stderr, . | | `waf.securityLogs` | `array` | List of configuration values. | -| `waf.securityLogs[].apLogBundle` | `string` | String configuration value. | -| `waf.securityLogs[].apLogConf` | `string` | String configuration value. | -| `waf.securityLogs[].enable` | `boolean` | Enable or disable this feature. | -| `waf.securityLogs[].logDest` | `string` | String configuration value. | +| `waf.securityLogs[].apLogBundle` | `string` | The App Protect WAF log bundle resource. Only works with apBundle. | +| `waf.securityLogs[].apLogConf` | `string` | The App Protect WAF log conf resource. Accepts an optional namespace. Only works with apPolicy. | +| `waf.securityLogs[].enable` | `boolean` | Enables security log. | +| `waf.securityLogs[].logDest` | `string` | The log destination for the security log. Only accepted variables are syslog:server=:, stderr, . | diff --git a/docs/crd/k8s.nginx.org_transportservers.md b/docs/crd/k8s.nginx.org_transportservers.md index ea83fcafe3..698607ab47 100644 --- a/docs/crd/k8s.nginx.org_transportservers.md +++ b/docs/crd/k8s.nginx.org_transportservers.md @@ -15,44 +15,44 @@ The `.spec` object supports the following fields: | Field | Type | Description | |---|---|---| -| `action` | `object` | TransportServerAction defines an action. | -| `action.pass` | `string` | String configuration value. | -| `host` | `string` | String configuration value. | -| `ingressClassName` | `string` | String configuration value. | -| `listener` | `object` | TransportServerListener defines a listener for a TransportServer. | -| `listener.name` | `string` | String configuration value. | -| `listener.protocol` | `string` | String configuration value. | -| `serverSnippets` | `string` | String configuration value. | -| `sessionParameters` | `object` | SessionParameters defines session parameters. | -| `sessionParameters.timeout` | `string` | String configuration value. | -| `streamSnippets` | `string` | String configuration value. | -| `tls` | `object` | TransportServerTLS defines TransportServerTLS configuration for a TransportServer. | +| `action` | `object` | The action to perform for a request. | +| `action.pass` | `string` | Passes connections/datagrams to an upstream. The upstream with that name must be defined in the resource. | +| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. | +| `ingressClassName` | `string` | Specifies which Ingress Controller must handle the VirtualServer resource. | +| `listener` | `object` | Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource | +| `listener.name` | `string` | The name of a listener defined in a GlobalConfiguration resource. | +| `listener.protocol` | `string` | The protocol of the listener. | +| `serverSnippets` | `string` | Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. | +| `sessionParameters` | `object` | The parameters of the session to be used for the Server context | +| `sessionParameters.timeout` | `string` | The timeout between two successive read or write operations on client or proxied server connections. See proxy_timeout directive. The default is 10m. | +| `streamSnippets` | `string` | Sets a custom snippet in the stream context. Overrides the stream-snippets ConfigMap key. | +| `tls` | `object` | The TLS termination configuration. | | `tls.secret` | `string` | String configuration value. | -| `upstreamParameters` | `object` | UpstreamParameters defines parameters for an upstream. | -| `upstreamParameters.connectTimeout` | `string` | String configuration value. | -| `upstreamParameters.nextUpstream` | `boolean` | Enable or disable this feature. | -| `upstreamParameters.nextUpstreamTimeout` | `string` | String configuration value. | -| `upstreamParameters.nextUpstreamTries` | `integer` | Numeric configuration value. | -| `upstreamParameters.udpRequests` | `integer` | Numeric configuration value. | -| `upstreamParameters.udpResponses` | `integer` | Numeric configuration value. | -| `upstreams` | `array` | List of configuration values. | -| `upstreams[].backup` | `string` | String configuration value. | -| `upstreams[].backupPort` | `integer` | Numeric configuration value. | -| `upstreams[].failTimeout` | `string` | String configuration value. | -| `upstreams[].healthCheck` | `object` | TransportServerHealthCheck defines the parameters for active Upstream HealthChecks. | -| `upstreams[].healthCheck.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.fails` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.interval` | `string` | String configuration value. | -| `upstreams[].healthCheck.jitter` | `string` | String configuration value. | -| `upstreams[].healthCheck.match` | `object` | TransportServerMatch defines the parameters of a custom health check. | -| `upstreams[].healthCheck.match.expect` | `string` | String configuration value. | -| `upstreams[].healthCheck.match.send` | `string` | String configuration value. | -| `upstreams[].healthCheck.passes` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.port` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.timeout` | `string` | String configuration value. | -| `upstreams[].loadBalancingMethod` | `string` | String configuration value. | -| `upstreams[].maxConns` | `integer` | Numeric configuration value. | -| `upstreams[].maxFails` | `integer` | Numeric configuration value. | -| `upstreams[].name` | `string` | String configuration value. | -| `upstreams[].port` | `integer` | Numeric configuration value. | -| `upstreams[].service` | `string` | String configuration value. | +| `upstreamParameters` | `object` | The UpstreamParameters are set on stream context | +| `upstreamParameters.connectTimeout` | `string` | The timeout for establishing a connection with a proxied server. See the proxy_connect_timeout directive. The default is 60s. | +| `upstreamParameters.nextUpstream` | `boolean` | If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. See the proxy_next_upstream directive. The default is true. | +| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. See the proxy_next_upstream_timeout directive. The default us 0. | +| `upstreamParameters.nextUpstreamTries` | `integer` | The number of tries for passing a connection to the next server. See the proxy_next_upstream_tries directive. The default is 0. | +| `upstreamParameters.udpRequests` | `integer` | The number of datagrams, after receiving which, the next datagram from the same client starts a new session. See the proxy_requests directive. The default is 0. | +| `upstreamParameters.udpResponses` | `integer` | The number of datagrams expected from the proxied server in response to a client datagram. See the proxy_responses directive. By default, the number of datagrams is not limited. | +| `upstreams` | `array` | A list of upstreams. | +| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. | +| `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | +| `upstreams[].failTimeout` | `string` | Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. The default 1. | +| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. | +| `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. | +| `upstreams[].healthCheck.interval` | `string` | The interval between two consecutive health checks. The default is 5s. | +| `upstreams[].healthCheck.jitter` | `string` | The time within which each health check will be randomly delayed. By default, there is no delay. | +| `upstreams[].healthCheck.match` | `object` | Controls the data to send and the response to expect for the healthcheck. | +| `upstreams[].healthCheck.match.expect` | `string` | A literal string or a regular expression that the data obtained from the server should match. The regular expression is specified with the preceding ~* modifier (for case-insensitive matching), or the ~ modifier (for case-sensitive matching). NGINX Ingress Controller validates a regular expression using the RE2 syntax. | +| `upstreams[].healthCheck.match.send` | `string` | A string to send to an upstream server. | +| `upstreams[].healthCheck.passes` | `integer` | The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. | +| `upstreams[].healthCheck.port` | `integer` | The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. | +| `upstreams[].healthCheck.timeout` | `string` | This overrides the timeout set by proxy_timeout which is set in SessionParameters for health checks. The default value is 5s. | +| `upstreams[].loadBalancingMethod` | `string` | The method used to load balance the upstream servers. By default, connections are distributed between the servers using a weighted round-robin balancing method. See the upstream section for available methods and their details. | +| `upstreams[].maxConns` | `integer` | Sets the time during which the specified number of unsuccessful attempts to communicate with the server should happen to consider the server unavailable and the period of time the server will be considered unavailable. The default is 10s. | +| `upstreams[].maxFails` | `integer` | Sets the number of maximum connections to the proxied server. Default value is zero, meaning there is no limit. The default is 0. | +| `upstreams[].name` | `string` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. | +| `upstreams[].port` | `integer` | The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and close client connections/ignore datagrams. The port must fall into the range 1..65535. | +| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and close client connections/ignore datagrams. | diff --git a/docs/crd/k8s.nginx.org_virtualserverroutes.md b/docs/crd/k8s.nginx.org_virtualserverroutes.md index 38aaa23e1d..7239527b61 100644 --- a/docs/crd/k8s.nginx.org_virtualserverroutes.md +++ b/docs/crd/k8s.nginx.org_virtualserverroutes.md @@ -15,212 +15,212 @@ The `.spec` object supports the following fields: | Field | Type | Description | |---|---|---| -| `host` | `string` | String configuration value. | -| `ingressClassName` | `string` | String configuration value. | -| `subroutes` | `array` | List of configuration values. | -| `subroutes[].action` | `object` | Action defines an action. | -| `subroutes[].action.pass` | `string` | String configuration value. | -| `subroutes[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `subroutes[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `subroutes[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `subroutes[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `subroutes[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `subroutes[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `subroutes[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `subroutes[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `subroutes[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `subroutes[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `subroutes[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `subroutes[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `subroutes[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `subroutes[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `subroutes[].action.proxy.rewritePath` | `string` | String configuration value. | -| `subroutes[].action.proxy.upstream` | `string` | String configuration value. | -| `subroutes[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `subroutes[].action.redirect.code` | `integer` | Numeric configuration value. | -| `subroutes[].action.redirect.url` | `string` | String configuration value. | -| `subroutes[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `subroutes[].action.return.body` | `string` | String configuration value. | -| `subroutes[].action.return.code` | `integer` | Numeric configuration value. | -| `subroutes[].action.return.headers` | `array` | List of configuration values. | -| `subroutes[].action.return.headers[].name` | `string` | String configuration value. | -| `subroutes[].action.return.headers[].value` | `string` | String configuration value. | -| `subroutes[].action.return.type` | `string` | String configuration value. | -| `subroutes[].dos` | `string` | String configuration value. | -| `subroutes[].errorPages` | `array` | List of configuration values. | -| `subroutes[].errorPages[].codes` | `array[integer]` | Configuration field. | -| `subroutes[].errorPages[].redirect` | `object` | ErrorPageRedirect defines a redirect for an ErrorPage. | -| `subroutes[].errorPages[].redirect.code` | `integer` | Numeric configuration value. | -| `subroutes[].errorPages[].redirect.url` | `string` | String configuration value. | -| `subroutes[].errorPages[].return` | `object` | ErrorPageReturn defines a return for an ErrorPage. | -| `subroutes[].errorPages[].return.body` | `string` | String configuration value. | -| `subroutes[].errorPages[].return.code` | `integer` | Numeric configuration value. | -| `subroutes[].errorPages[].return.headers` | `array` | List of configuration values. | -| `subroutes[].errorPages[].return.headers[].name` | `string` | String configuration value. | -| `subroutes[].errorPages[].return.headers[].value` | `string` | String configuration value. | -| `subroutes[].errorPages[].return.type` | `string` | String configuration value. | -| `subroutes[].location-snippets` | `string` | String configuration value. | -| `subroutes[].matches` | `array` | List of configuration values. | -| `subroutes[].matches[].action` | `object` | Action defines an action. | -| `subroutes[].matches[].action.pass` | `string` | String configuration value. | -| `subroutes[].matches[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `subroutes[].matches[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `subroutes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `subroutes[].matches[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `subroutes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `subroutes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `subroutes[].matches[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `subroutes[].matches[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `subroutes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `subroutes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `subroutes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `subroutes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `subroutes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `subroutes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `subroutes[].matches[].action.proxy.rewritePath` | `string` | String configuration value. | -| `subroutes[].matches[].action.proxy.upstream` | `string` | String configuration value. | -| `subroutes[].matches[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `subroutes[].matches[].action.redirect.code` | `integer` | Numeric configuration value. | -| `subroutes[].matches[].action.redirect.url` | `string` | String configuration value. | -| `subroutes[].matches[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `subroutes[].matches[].action.return.body` | `string` | String configuration value. | -| `subroutes[].matches[].action.return.code` | `integer` | Numeric configuration value. | -| `subroutes[].matches[].action.return.headers` | `array` | List of configuration values. | -| `subroutes[].matches[].action.return.headers[].name` | `string` | String configuration value. | -| `subroutes[].matches[].action.return.headers[].value` | `string` | String configuration value. | -| `subroutes[].matches[].action.return.type` | `string` | String configuration value. | -| `subroutes[].matches[].conditions` | `array` | List of configuration values. | -| `subroutes[].matches[].conditions[].argument` | `string` | String configuration value. | -| `subroutes[].matches[].conditions[].cookie` | `string` | String configuration value. | -| `subroutes[].matches[].conditions[].header` | `string` | String configuration value. | -| `subroutes[].matches[].conditions[].value` | `string` | String configuration value. | -| `subroutes[].matches[].conditions[].variable` | `string` | String configuration value. | -| `subroutes[].matches[].splits` | `array` | List of configuration values. | -| `subroutes[].matches[].splits[].action` | `object` | Action defines an action. | -| `subroutes[].matches[].splits[].action.pass` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `subroutes[].matches[].splits[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `subroutes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `subroutes[].matches[].splits[].action.proxy.rewritePath` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.proxy.upstream` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `subroutes[].matches[].splits[].action.redirect.code` | `integer` | Numeric configuration value. | -| `subroutes[].matches[].splits[].action.redirect.url` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `subroutes[].matches[].splits[].action.return.body` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.return.code` | `integer` | Numeric configuration value. | -| `subroutes[].matches[].splits[].action.return.headers` | `array` | List of configuration values. | -| `subroutes[].matches[].splits[].action.return.headers[].name` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.return.headers[].value` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].action.return.type` | `string` | String configuration value. | -| `subroutes[].matches[].splits[].weight` | `integer` | Numeric configuration value. | -| `subroutes[].path` | `string` | String configuration value. | -| `subroutes[].policies` | `array` | List of configuration values. | -| `subroutes[].policies[].name` | `string` | String configuration value. | -| `subroutes[].policies[].namespace` | `string` | String configuration value. | -| `subroutes[].route` | `string` | String configuration value. | -| `subroutes[].splits` | `array` | List of configuration values. | -| `subroutes[].splits[].action` | `object` | Action defines an action. | -| `subroutes[].splits[].action.pass` | `string` | String configuration value. | -| `subroutes[].splits[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `subroutes[].splits[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `subroutes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `subroutes[].splits[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `subroutes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `subroutes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `subroutes[].splits[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `subroutes[].splits[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `subroutes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `subroutes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `subroutes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `subroutes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `subroutes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `subroutes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `subroutes[].splits[].action.proxy.rewritePath` | `string` | String configuration value. | -| `subroutes[].splits[].action.proxy.upstream` | `string` | String configuration value. | -| `subroutes[].splits[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `subroutes[].splits[].action.redirect.code` | `integer` | Numeric configuration value. | -| `subroutes[].splits[].action.redirect.url` | `string` | String configuration value. | -| `subroutes[].splits[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `subroutes[].splits[].action.return.body` | `string` | String configuration value. | -| `subroutes[].splits[].action.return.code` | `integer` | Numeric configuration value. | -| `subroutes[].splits[].action.return.headers` | `array` | List of configuration values. | -| `subroutes[].splits[].action.return.headers[].name` | `string` | String configuration value. | -| `subroutes[].splits[].action.return.headers[].value` | `string` | String configuration value. | -| `subroutes[].splits[].action.return.type` | `string` | String configuration value. | -| `subroutes[].splits[].weight` | `integer` | Numeric configuration value. | -| `upstreams` | `array` | List of configuration values. | -| `upstreams[].backup` | `string` | String configuration value. | -| `upstreams[].backupPort` | `integer` | Numeric configuration value. | -| `upstreams[].buffer-size` | `string` | String configuration value. | -| `upstreams[].buffering` | `boolean` | Enable or disable this feature. | -| `upstreams[].buffers` | `object` | UpstreamBuffers defines Buffer Configuration for an Upstream. | -| `upstreams[].buffers.number` | `integer` | Numeric configuration value. | -| `upstreams[].buffers.size` | `string` | String configuration value. | -| `upstreams[].client-max-body-size` | `string` | String configuration value. | -| `upstreams[].connect-timeout` | `string` | String configuration value. | -| `upstreams[].fail-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck` | `object` | HealthCheck defines the parameters for active Upstream HealthChecks. | -| `upstreams[].healthCheck.connect-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.fails` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.grpcService` | `string` | String configuration value. | -| `upstreams[].healthCheck.grpcStatus` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.headers` | `array` | List of configuration values. | -| `upstreams[].healthCheck.headers[].name` | `string` | String configuration value. | -| `upstreams[].healthCheck.headers[].value` | `string` | String configuration value. | -| `upstreams[].healthCheck.interval` | `string` | String configuration value. | -| `upstreams[].healthCheck.jitter` | `string` | String configuration value. | -| `upstreams[].healthCheck.keepalive-time` | `string` | String configuration value. | -| `upstreams[].healthCheck.mandatory` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.passes` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.path` | `string` | String configuration value. | -| `upstreams[].healthCheck.persistent` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.port` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.read-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck.send-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck.statusMatch` | `string` | String configuration value. | -| `upstreams[].healthCheck.tls` | `object` | UpstreamTLS defines a TLS configuration for an Upstream. | -| `upstreams[].healthCheck.tls.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].keepalive` | `integer` | Numeric configuration value. | -| `upstreams[].lb-method` | `string` | String configuration value. | -| `upstreams[].max-conns` | `integer` | Numeric configuration value. | -| `upstreams[].max-fails` | `integer` | Numeric configuration value. | -| `upstreams[].name` | `string` | String configuration value. | -| `upstreams[].next-upstream` | `string` | String configuration value. | -| `upstreams[].next-upstream-timeout` | `string` | String configuration value. | -| `upstreams[].next-upstream-tries` | `integer` | Numeric configuration value. | -| `upstreams[].ntlm` | `boolean` | Enable or disable this feature. | -| `upstreams[].port` | `integer` | Numeric configuration value. | -| `upstreams[].queue` | `object` | UpstreamQueue defines Queue Configuration for an Upstream. | -| `upstreams[].queue.size` | `integer` | Numeric configuration value. | -| `upstreams[].queue.timeout` | `string` | String configuration value. | -| `upstreams[].read-timeout` | `string` | String configuration value. | -| `upstreams[].send-timeout` | `string` | String configuration value. | -| `upstreams[].service` | `string` | String configuration value. | -| `upstreams[].sessionCookie` | `object` | SessionCookie defines the parameters for session persistence. | -| `upstreams[].sessionCookie.domain` | `string` | String configuration value. | -| `upstreams[].sessionCookie.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].sessionCookie.expires` | `string` | String configuration value. | -| `upstreams[].sessionCookie.httpOnly` | `boolean` | Enable or disable this feature. | -| `upstreams[].sessionCookie.name` | `string` | String configuration value. | -| `upstreams[].sessionCookie.path` | `string` | String configuration value. | -| `upstreams[].sessionCookie.samesite` | `string` | String configuration value. | -| `upstreams[].sessionCookie.secure` | `boolean` | Enable or disable this feature. | -| `upstreams[].slow-start` | `string` | String configuration value. | -| `upstreams[].subselector` | `object` | Configuration object. | -| `upstreams[].tls` | `object` | UpstreamTLS defines a TLS configuration for an Upstream. | -| `upstreams[].tls.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].type` | `string` | String configuration value. | -| `upstreams[].use-cluster-ip` | `boolean` | Enable or disable this feature. | +| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. Must be the same as the host of the VirtualServer that references this resource. | +| `ingressClassName` | `string` | Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource. | +| `subroutes` | `array` | A list of subroutes. | +| `subroutes[].action` | `object` | The default action to perform for a request. | +| `subroutes[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `subroutes[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `subroutes[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `subroutes[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | +| `subroutes[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `subroutes[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `subroutes[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `subroutes[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `subroutes[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `subroutes[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `subroutes[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `subroutes[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `subroutes[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | +| `subroutes[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | +| `subroutes[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `subroutes[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `subroutes[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `subroutes[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `subroutes[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `subroutes[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].action.return` | `object` | Returns a preconfigured response. | +| `subroutes[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `subroutes[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `subroutes[].action.return.headers` | `array` | The custom headers of the response. | +| `subroutes[].action.return.headers[].name` | `string` | The name of the header. | +| `subroutes[].action.return.headers[].value` | `string` | The value of the header. | +| `subroutes[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `subroutes[].dos` | `string` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. | +| `subroutes[].errorPages` | `array` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. | +| `subroutes[].errorPages[].codes` | `array[integer]` | A list of error status codes. | +| `subroutes[].errorPages[].redirect` | `object` | The canned response action for the given status codes. | +| `subroutes[].errorPages[].redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `subroutes[].errorPages[].redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].errorPages[].return` | `object` | The redirect action for the given status codes. | +| `subroutes[].errorPages[].return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `subroutes[].errorPages[].return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `subroutes[].errorPages[].return.headers` | `array` | The custom headers of the response. | +| `subroutes[].errorPages[].return.headers[].name` | `string` | The name of the header. | +| `subroutes[].errorPages[].return.headers[].value` | `string` | The value of the header. | +| `subroutes[].errorPages[].return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `subroutes[].location-snippets` | `string` | Sets a custom snippet in the location context. Overrides the location-snippets ConfigMap key. | +| `subroutes[].matches` | `array` | The matching rules for advanced content-based routing. Requires the default Action or Splits. Unmatched requests will be handled by the default Action or Splits. | +| `subroutes[].matches[].action` | `object` | The action to perform for a request. | +| `subroutes[].matches[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `subroutes[].matches[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `subroutes[].matches[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `subroutes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | +| `subroutes[].matches[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `subroutes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `subroutes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `subroutes[].matches[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `subroutes[].matches[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `subroutes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `subroutes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `subroutes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `subroutes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | +| `subroutes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | +| `subroutes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `subroutes[].matches[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `subroutes[].matches[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `subroutes[].matches[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `subroutes[].matches[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `subroutes[].matches[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].matches[].action.return` | `object` | Returns a preconfigured response. | +| `subroutes[].matches[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `subroutes[].matches[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `subroutes[].matches[].action.return.headers` | `array` | The custom headers of the response. | +| `subroutes[].matches[].action.return.headers[].name` | `string` | The name of the header. | +| `subroutes[].matches[].action.return.headers[].value` | `string` | The value of the header. | +| `subroutes[].matches[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `subroutes[].matches[].conditions` | `array` | A list of conditions. Must include at least 1 condition. | +| `subroutes[].matches[].conditions[].argument` | `string` | The name of an argument. Must consist of alphanumeric characters or _. | +| `subroutes[].matches[].conditions[].cookie` | `string` | The name of a cookie. Must consist of alphanumeric characters or _. | +| `subroutes[].matches[].conditions[].header` | `string` | The name of a header. Must consist of alphanumeric characters or -. | +| `subroutes[].matches[].conditions[].value` | `string` | The value to match the condition against. How to define a value is shown below the table. | +| `subroutes[].matches[].conditions[].variable` | `string` | The name of an NGINX variable. Must start with $. See the list of the supported variables below the table. | +| `subroutes[].matches[].splits` | `array` | The splits configuration for traffic splitting. Must include at least 2 splits. | +| `subroutes[].matches[].splits[].action` | `object` | The action to perform for a request. | +| `subroutes[].matches[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `subroutes[].matches[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `subroutes[].matches[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `subroutes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | +| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `subroutes[].matches[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `subroutes[].matches[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `subroutes[].matches[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `subroutes[].matches[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `subroutes[].matches[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].matches[].splits[].action.return` | `object` | Returns a preconfigured response. | +| `subroutes[].matches[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `subroutes[].matches[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `subroutes[].matches[].splits[].action.return.headers` | `array` | The custom headers of the response. | +| `subroutes[].matches[].splits[].action.return.headers[].name` | `string` | The name of the header. | +| `subroutes[].matches[].splits[].action.return.headers[].value` | `string` | The value of the header. | +| `subroutes[].matches[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `subroutes[].matches[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. | +| `subroutes[].path` | `string` | The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( / , /path ), an exact match ( =/exact/match ), a case insensitive regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive regular expression ( ~^/foo.*\.jpg ). In the case of a prefix (must start with / ) or an exact match (must start with = ), the path must not include any whitespace characters, { , } or ;. In the case of the regex matches, all double quotes " must be escaped and the match can’t end in an unescaped backslash \. The path must be unique among the paths of all routes of the VirtualServer. Check the location directive for more information. | +| `subroutes[].policies` | `array` | A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. See Applying Policies for more details. | +| `subroutes[].policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. v | +| `subroutes[].policies[].namespace` | `string` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. | +| `subroutes[].route` | `string` | The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, tea-namespace/tea. | +| `subroutes[].splits` | `array` | The default splits configuration for traffic splitting. Must include at least 2 splits. | +| `subroutes[].splits[].action` | `object` | The action to perform for a request. | +| `subroutes[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `subroutes[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `subroutes[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `subroutes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | +| `subroutes[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `subroutes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `subroutes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `subroutes[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `subroutes[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `subroutes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `subroutes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `subroutes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `subroutes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | +| `subroutes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | +| `subroutes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `subroutes[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `subroutes[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `subroutes[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `subroutes[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `subroutes[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].splits[].action.return` | `object` | Returns a preconfigured response. | +| `subroutes[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `subroutes[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `subroutes[].splits[].action.return.headers` | `array` | The custom headers of the response. | +| `subroutes[].splits[].action.return.headers[].name` | `string` | The name of the header. | +| `subroutes[].splits[].action.return.headers[].value` | `string` | The value of the header. | +| `subroutes[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `subroutes[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. | +| `upstreams` | `array` | A list of upstreams. | +| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. | +| `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | +| `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. See the proxy_buffer_size directive. The default is set in the proxy-buffer-size ConfigMap key. | +| `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. See the proxy_buffering directive. The default is set in the proxy-buffering ConfigMap key. | +| `upstreams[].buffers` | `object` | Configures the buffers used for reading a response from the upstream server for a single connection. | +| `upstreams[].buffers.number` | `integer` | Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. | +| `upstreams[].buffers.size` | `string` | Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. | +| `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. See the client_max_body_size directive. The default is set in the client-max-body-size ConfigMap key. | +| `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. See the proxy_connect_timeout directive. The default is specified in the proxy-connect-timeout ConfigMap key. | +| `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. See the fail_timeout parameter of the server directive. The default is set in the fail-timeout ConfigMap key. | +| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].healthCheck.connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. By default, the connect-timeout of the upstream is used. | +| `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. | +| `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. | +| `upstreams[].healthCheck.grpcService` | `string` | The gRPC service to be monitored on the upstream server. Only valid on gRPC type upstreams. | +| `upstreams[].healthCheck.grpcStatus` | `integer` | The expected gRPC status code of the upstream server response to the Check method. Configure this field only if your gRPC services do not implement the gRPC health checking protocol. For example, configure 12 if the upstream server responds with 12 (UNIMPLEMENTED) status code. Only valid on gRPC type upstreams. | +| `upstreams[].healthCheck.headers` | `array` | The request headers used for health check requests. NGINX Plus always sets the Host, User-Agent and Connection headers for health check requests. | +| `upstreams[].healthCheck.headers[].name` | `string` | The name of the header. | +| `upstreams[].healthCheck.headers[].value` | `string` | The value of the header. | +| `upstreams[].healthCheck.interval` | `string` | The interval between two consecutive health checks. The default is 5s. | +| `upstreams[].healthCheck.jitter` | `string` | The time within which each health check will be randomly delayed. By default, there is no delay. | +| `upstreams[].healthCheck.keepalive-time` | `string` | Enables keepalive connections for health checks and specifies the time during which requests can be processed through one keepalive connection. The default is 60s. | +| `upstreams[].healthCheck.mandatory` | `boolean` | Require every newly added server to pass all configured health checks before NGINX Plus sends traffic to it. If this is not specified, or is set to false, the server will be initially considered healthy. When combined with slow-start, it gives a new server more time to connect to databases and “warm up” before being asked to handle their full share of traffic. | +| `upstreams[].healthCheck.passes` | `integer` | The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. | +| `upstreams[].healthCheck.path` | `string` | The path used for health check requests. The default is /. This is not configurable for gRPC type upstreams. | +| `upstreams[].healthCheck.persistent` | `boolean` | Set the initial “up” state for a server after reload if the server was considered healthy before reload. Enabling persistent requires that the mandatory parameter is also set to true. | +| `upstreams[].healthCheck.port` | `integer` | The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. | +| `upstreams[].healthCheck.read-timeout` | `string` | The timeout for reading a response from an upstream server. By default, the read-timeout of the upstream is used. | +| `upstreams[].healthCheck.send-timeout` | `string` | The timeout for transmitting a request to an upstream server. By default, the send-timeout of the upstream is used. | +| `upstreams[].healthCheck.statusMatch` | `string` | The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See the documentation of the match directive. This not supported for gRPC type upstreams. | +| `upstreams[].healthCheck.tls` | `object` | The TLS configuration used for health check requests. By default, the tls field of the upstream is used. | +| `upstreams[].healthCheck.tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | +| `upstreams[].keepalive` | `integer` | Configures the cache for connections to upstream servers. The value 0 disables the cache. See the keepalive directive. The default is set in the keepalive ConfigMap key. | +| `upstreams[].lb-method` | `string` | The load balancing method. To use the round-robin method, specify round_robin. The default is specified in the lb-method ConfigMap key. | +| `upstreams[].max-conns` | `integer` | The maximum number of simultaneous active connections to an upstream server. See the max_conns parameter of the server directive. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. | +| `upstreams[].max-fails` | `integer` | The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. See the max_fails parameter of the server directive. The default is set in the max-fails ConfigMap key. | +| `upstreams[].name` | `string` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. | +| `upstreams[].next-upstream` | `string` | Specifies in which cases a request should be passed to the next upstream server. See the proxy_next_upstream directive. The default is error timeout. | +| `upstreams[].next-upstream-timeout` | `string` | The time during which a request can be passed to the next upstream server. See the proxy_next_upstream_timeout directive. The 0 value turns off the time limit. The default is 0. | +| `upstreams[].next-upstream-tries` | `integer` | The number of possible tries for passing a request to the next upstream server. See the proxy_next_upstream_tries directive. The 0 value turns off this limit. The default is 0. | +| `upstreams[].ntlm` | `boolean` | Allows proxying requests with NTLM Authentication. See the ntlm directive. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].port` | `integer` | The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. The port must fall into the range 1..65535. | +| `upstreams[].queue` | `object` | Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].queue.size` | `integer` | The size of the queue. | +| `upstreams[].queue.timeout` | `string` | The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. | +| `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. See the proxy_read_timeout directive. The default is specified in the proxy-read-timeout ConfigMap key. | +| `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. See the proxy_send_timeout directive. The default is specified in the proxy-send-timeout ConfigMap key. | +| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported (check the prerequisites ). | +| `upstreams[].sessionCookie` | `object` | The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. | +| `upstreams[].sessionCookie.domain` | `string` | The domain for which the cookie is set. | +| `upstreams[].sessionCookie.enable` | `boolean` | Enables session persistence with a session cookie for an upstream server. The default is false. | +| `upstreams[].sessionCookie.expires` | `string` | The time for which a browser should keep the cookie. Can be set to the special value max , which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. | +| `upstreams[].sessionCookie.httpOnly` | `boolean` | Adds the HttpOnly attribute to the cookie. | +| `upstreams[].sessionCookie.name` | `string` | The name of the cookie. | +| `upstreams[].sessionCookie.path` | `string` | The path for which the cookie is set. | +| `upstreams[].sessionCookie.samesite` | `string` | Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none | +| `upstreams[].sessionCookie.secure` | `boolean` | Adds the Secure attribute to the cookie. | +| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. See the slow_start parameter of the server directive. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. | +| `upstreams[].subselector` | `object` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | +| `upstreams[].tls` | `object` | The TLS configuration for the Upstream. | +| `upstreams[].tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | +| `upstreams[].type` | `string` | The type of the upstream. Supported values are http and grpc. The default is http. For gRPC, it is necessary to enable HTTP/2 in the ConfigMap and configure TLS termination in the VirtualServer. | +| `upstreams[].use-cluster-ip` | `boolean` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like lb-method and next-upstream) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | diff --git a/docs/crd/k8s.nginx.org_virtualservers.md b/docs/crd/k8s.nginx.org_virtualservers.md index 0a683122c8..0d705681c7 100644 --- a/docs/crd/k8s.nginx.org_virtualservers.md +++ b/docs/crd/k8s.nginx.org_virtualservers.md @@ -15,247 +15,247 @@ The `.spec` object supports the following fields: | Field | Type | Description | |---|---|---| -| `dos` | `string` | String configuration value. | -| `externalDNS` | `object` | ExternalDNS defines externaldns sub-resource of a virtual server. | -| `externalDNS.enable` | `boolean` | Enable or disable this feature. | -| `externalDNS.labels` | `object` | Labels stores labels defined for the Endpoint | -| `externalDNS.providerSpecific` | `array` | ProviderSpecific stores provider specific config | +| `dos` | `string` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. | +| `externalDNS` | `object` | The externalDNS configuration for a VirtualServer. | +| `externalDNS.enable` | `boolean` | Enables ExternalDNS integration for a VirtualServer resource. The default is false. | +| `externalDNS.labels` | `object` | Configure labels to be applied to the Endpoint resources that will be consumed by ExternalDNS. | +| `externalDNS.providerSpecific` | `array` | Configure provider specific properties which holds the name and value of a configuration which is specific to individual DNS providers. | | `externalDNS.providerSpecific[].name` | `string` | Name of the property | | `externalDNS.providerSpecific[].value` | `string` | Value of the property | -| `externalDNS.recordTTL` | `integer` | TTL for the record | -| `externalDNS.recordType` | `string` | String configuration value. | -| `gunzip` | `boolean` | Enable or disable this feature. | -| `host` | `string` | String configuration value. | -| `http-snippets` | `string` | String configuration value. | -| `ingressClassName` | `string` | String configuration value. | +| `externalDNS.recordTTL` | `integer` | TTL for the DNS record. This defaults to 0 if not defined. See the ExternalDNS TTL documentation for provider-specific defaults | +| `externalDNS.recordType` | `string` | The record Type that should be created, e.g. “A”, “AAAA”, “CNAME”. This is automatically computed based on the external endpoints if not defined. | +| `gunzip` | `boolean` | Enables or disables decompression of gzipped responses for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. If the gunzip value is not set, it defaults to off. | +| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. | +| `http-snippets` | `string` | Sets a custom snippet in the http context. | +| `ingressClassName` | `string` | Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource. | | `internalRoute` | `boolean` | InternalRoute allows for the configuration of internal routing. | -| `listener` | `object` | VirtualServerListener references a custom http and/or https listener defined in GlobalConfiguration. | -| `listener.http` | `string` | String configuration value. | -| `listener.https` | `string` | String configuration value. | -| `policies` | `array` | List of configuration values. | -| `policies[].name` | `string` | String configuration value. | -| `policies[].namespace` | `string` | String configuration value. | -| `routes` | `array` | List of configuration values. | -| `routes[].action` | `object` | Action defines an action. | -| `routes[].action.pass` | `string` | String configuration value. | -| `routes[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `routes[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `routes[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `routes[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `routes[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `routes[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `routes[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `routes[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `routes[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `routes[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `routes[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `routes[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `routes[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `routes[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `routes[].action.proxy.rewritePath` | `string` | String configuration value. | -| `routes[].action.proxy.upstream` | `string` | String configuration value. | -| `routes[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `routes[].action.redirect.code` | `integer` | Numeric configuration value. | -| `routes[].action.redirect.url` | `string` | String configuration value. | -| `routes[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `routes[].action.return.body` | `string` | String configuration value. | -| `routes[].action.return.code` | `integer` | Numeric configuration value. | -| `routes[].action.return.headers` | `array` | List of configuration values. | -| `routes[].action.return.headers[].name` | `string` | String configuration value. | -| `routes[].action.return.headers[].value` | `string` | String configuration value. | -| `routes[].action.return.type` | `string` | String configuration value. | -| `routes[].dos` | `string` | String configuration value. | -| `routes[].errorPages` | `array` | List of configuration values. | -| `routes[].errorPages[].codes` | `array[integer]` | Configuration field. | -| `routes[].errorPages[].redirect` | `object` | ErrorPageRedirect defines a redirect for an ErrorPage. | -| `routes[].errorPages[].redirect.code` | `integer` | Numeric configuration value. | -| `routes[].errorPages[].redirect.url` | `string` | String configuration value. | -| `routes[].errorPages[].return` | `object` | ErrorPageReturn defines a return for an ErrorPage. | -| `routes[].errorPages[].return.body` | `string` | String configuration value. | -| `routes[].errorPages[].return.code` | `integer` | Numeric configuration value. | -| `routes[].errorPages[].return.headers` | `array` | List of configuration values. | -| `routes[].errorPages[].return.headers[].name` | `string` | String configuration value. | -| `routes[].errorPages[].return.headers[].value` | `string` | String configuration value. | -| `routes[].errorPages[].return.type` | `string` | String configuration value. | -| `routes[].location-snippets` | `string` | String configuration value. | -| `routes[].matches` | `array` | List of configuration values. | -| `routes[].matches[].action` | `object` | Action defines an action. | -| `routes[].matches[].action.pass` | `string` | String configuration value. | -| `routes[].matches[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `routes[].matches[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `routes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `routes[].matches[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `routes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `routes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `routes[].matches[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `routes[].matches[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `routes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `routes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `routes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `routes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `routes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `routes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `routes[].matches[].action.proxy.rewritePath` | `string` | String configuration value. | -| `routes[].matches[].action.proxy.upstream` | `string` | String configuration value. | -| `routes[].matches[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `routes[].matches[].action.redirect.code` | `integer` | Numeric configuration value. | -| `routes[].matches[].action.redirect.url` | `string` | String configuration value. | -| `routes[].matches[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `routes[].matches[].action.return.body` | `string` | String configuration value. | -| `routes[].matches[].action.return.code` | `integer` | Numeric configuration value. | -| `routes[].matches[].action.return.headers` | `array` | List of configuration values. | -| `routes[].matches[].action.return.headers[].name` | `string` | String configuration value. | -| `routes[].matches[].action.return.headers[].value` | `string` | String configuration value. | -| `routes[].matches[].action.return.type` | `string` | String configuration value. | -| `routes[].matches[].conditions` | `array` | List of configuration values. | -| `routes[].matches[].conditions[].argument` | `string` | String configuration value. | -| `routes[].matches[].conditions[].cookie` | `string` | String configuration value. | -| `routes[].matches[].conditions[].header` | `string` | String configuration value. | -| `routes[].matches[].conditions[].value` | `string` | String configuration value. | -| `routes[].matches[].conditions[].variable` | `string` | String configuration value. | -| `routes[].matches[].splits` | `array` | List of configuration values. | -| `routes[].matches[].splits[].action` | `object` | Action defines an action. | -| `routes[].matches[].splits[].action.pass` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `routes[].matches[].splits[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `routes[].matches[].splits[].action.proxy.rewritePath` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.proxy.upstream` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `routes[].matches[].splits[].action.redirect.code` | `integer` | Numeric configuration value. | -| `routes[].matches[].splits[].action.redirect.url` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `routes[].matches[].splits[].action.return.body` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.return.code` | `integer` | Numeric configuration value. | -| `routes[].matches[].splits[].action.return.headers` | `array` | List of configuration values. | -| `routes[].matches[].splits[].action.return.headers[].name` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.return.headers[].value` | `string` | String configuration value. | -| `routes[].matches[].splits[].action.return.type` | `string` | String configuration value. | -| `routes[].matches[].splits[].weight` | `integer` | Numeric configuration value. | -| `routes[].path` | `string` | String configuration value. | -| `routes[].policies` | `array` | List of configuration values. | -| `routes[].policies[].name` | `string` | String configuration value. | -| `routes[].policies[].namespace` | `string` | String configuration value. | -| `routes[].route` | `string` | String configuration value. | -| `routes[].splits` | `array` | List of configuration values. | -| `routes[].splits[].action` | `object` | Action defines an action. | -| `routes[].splits[].action.pass` | `string` | String configuration value. | -| `routes[].splits[].action.proxy` | `object` | ActionProxy defines a proxy in an Action. | -| `routes[].splits[].action.proxy.requestHeaders` | `object` | ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. | -| `routes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Enable or disable this feature. | -| `routes[].splits[].action.proxy.requestHeaders.set` | `array` | List of configuration values. | -| `routes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.responseHeaders` | `object` | ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. | -| `routes[].splits[].action.proxy.responseHeaders.add` | `array` | List of configuration values. | -| `routes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | Enable or disable this feature. | -| `routes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | Configuration field. | -| `routes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Configuration field. | -| `routes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Configuration field. | -| `routes[].splits[].action.proxy.rewritePath` | `string` | String configuration value. | -| `routes[].splits[].action.proxy.upstream` | `string` | String configuration value. | -| `routes[].splits[].action.redirect` | `object` | ActionRedirect defines a redirect in an Action. | -| `routes[].splits[].action.redirect.code` | `integer` | Numeric configuration value. | -| `routes[].splits[].action.redirect.url` | `string` | String configuration value. | -| `routes[].splits[].action.return` | `object` | ActionReturn defines a return in an Action. | -| `routes[].splits[].action.return.body` | `string` | String configuration value. | -| `routes[].splits[].action.return.code` | `integer` | Numeric configuration value. | -| `routes[].splits[].action.return.headers` | `array` | List of configuration values. | -| `routes[].splits[].action.return.headers[].name` | `string` | String configuration value. | -| `routes[].splits[].action.return.headers[].value` | `string` | String configuration value. | -| `routes[].splits[].action.return.type` | `string` | String configuration value. | -| `routes[].splits[].weight` | `integer` | Numeric configuration value. | -| `server-snippets` | `string` | String configuration value. | -| `tls` | `object` | TLS defines TLS configuration for a VirtualServer. | -| `tls.cert-manager` | `object` | CertManager defines a cert manager config for a TLS. | -| `tls.cert-manager.cluster-issuer` | `string` | String configuration value. | -| `tls.cert-manager.common-name` | `string` | String configuration value. | -| `tls.cert-manager.duration` | `string` | String configuration value. | -| `tls.cert-manager.issue-temp-cert` | `boolean` | Enable or disable this feature. | -| `tls.cert-manager.issuer` | `string` | String configuration value. | -| `tls.cert-manager.issuer-group` | `string` | String configuration value. | -| `tls.cert-manager.issuer-kind` | `string` | String configuration value. | -| `tls.cert-manager.renew-before` | `string` | String configuration value. | -| `tls.cert-manager.usages` | `string` | String configuration value. | -| `tls.redirect` | `object` | TLSRedirect defines a redirect for a TLS. | -| `tls.redirect.basedOn` | `string` | String configuration value. | -| `tls.redirect.code` | `integer` | Numeric configuration value. | -| `tls.redirect.enable` | `boolean` | Enable or disable this feature. | -| `tls.secret` | `string` | String configuration value. | -| `upstreams` | `array` | List of configuration values. | -| `upstreams[].backup` | `string` | String configuration value. | -| `upstreams[].backupPort` | `integer` | Numeric configuration value. | -| `upstreams[].buffer-size` | `string` | String configuration value. | -| `upstreams[].buffering` | `boolean` | Enable or disable this feature. | -| `upstreams[].buffers` | `object` | UpstreamBuffers defines Buffer Configuration for an Upstream. | -| `upstreams[].buffers.number` | `integer` | Numeric configuration value. | -| `upstreams[].buffers.size` | `string` | String configuration value. | -| `upstreams[].client-max-body-size` | `string` | String configuration value. | -| `upstreams[].connect-timeout` | `string` | String configuration value. | -| `upstreams[].fail-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck` | `object` | HealthCheck defines the parameters for active Upstream HealthChecks. | -| `upstreams[].healthCheck.connect-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.fails` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.grpcService` | `string` | String configuration value. | -| `upstreams[].healthCheck.grpcStatus` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.headers` | `array` | List of configuration values. | -| `upstreams[].healthCheck.headers[].name` | `string` | String configuration value. | -| `upstreams[].healthCheck.headers[].value` | `string` | String configuration value. | -| `upstreams[].healthCheck.interval` | `string` | String configuration value. | -| `upstreams[].healthCheck.jitter` | `string` | String configuration value. | -| `upstreams[].healthCheck.keepalive-time` | `string` | String configuration value. | -| `upstreams[].healthCheck.mandatory` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.passes` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.path` | `string` | String configuration value. | -| `upstreams[].healthCheck.persistent` | `boolean` | Enable or disable this feature. | -| `upstreams[].healthCheck.port` | `integer` | Numeric configuration value. | -| `upstreams[].healthCheck.read-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck.send-timeout` | `string` | String configuration value. | -| `upstreams[].healthCheck.statusMatch` | `string` | String configuration value. | -| `upstreams[].healthCheck.tls` | `object` | UpstreamTLS defines a TLS configuration for an Upstream. | -| `upstreams[].healthCheck.tls.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].keepalive` | `integer` | Numeric configuration value. | -| `upstreams[].lb-method` | `string` | String configuration value. | -| `upstreams[].max-conns` | `integer` | Numeric configuration value. | -| `upstreams[].max-fails` | `integer` | Numeric configuration value. | -| `upstreams[].name` | `string` | String configuration value. | -| `upstreams[].next-upstream` | `string` | String configuration value. | -| `upstreams[].next-upstream-timeout` | `string` | String configuration value. | -| `upstreams[].next-upstream-tries` | `integer` | Numeric configuration value. | -| `upstreams[].ntlm` | `boolean` | Enable or disable this feature. | -| `upstreams[].port` | `integer` | Numeric configuration value. | -| `upstreams[].queue` | `object` | UpstreamQueue defines Queue Configuration for an Upstream. | -| `upstreams[].queue.size` | `integer` | Numeric configuration value. | -| `upstreams[].queue.timeout` | `string` | String configuration value. | -| `upstreams[].read-timeout` | `string` | String configuration value. | -| `upstreams[].send-timeout` | `string` | String configuration value. | -| `upstreams[].service` | `string` | String configuration value. | -| `upstreams[].sessionCookie` | `object` | SessionCookie defines the parameters for session persistence. | -| `upstreams[].sessionCookie.domain` | `string` | String configuration value. | -| `upstreams[].sessionCookie.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].sessionCookie.expires` | `string` | String configuration value. | -| `upstreams[].sessionCookie.httpOnly` | `boolean` | Enable or disable this feature. | -| `upstreams[].sessionCookie.name` | `string` | String configuration value. | -| `upstreams[].sessionCookie.path` | `string` | String configuration value. | -| `upstreams[].sessionCookie.samesite` | `string` | String configuration value. | -| `upstreams[].sessionCookie.secure` | `boolean` | Enable or disable this feature. | -| `upstreams[].slow-start` | `string` | String configuration value. | -| `upstreams[].subselector` | `object` | Configuration object. | -| `upstreams[].tls` | `object` | UpstreamTLS defines a TLS configuration for an Upstream. | -| `upstreams[].tls.enable` | `boolean` | Enable or disable this feature. | -| `upstreams[].type` | `string` | String configuration value. | -| `upstreams[].use-cluster-ip` | `boolean` | Enable or disable this feature. | +| `listener` | `object` | Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource | +| `listener.http` | `string` | The name of am HTTP listener defined in a GlobalConfiguration resource. | +| `listener.https` | `string` | The name of an HTTPS listener defined in a GlobalConfiguration resource. | +| `policies` | `array` | A list of policies. | +| `policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. v | +| `policies[].namespace` | `string` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. | +| `routes` | `array` | A list of routes. | +| `routes[].action` | `object` | The default action to perform for a request. | +| `routes[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `routes[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `routes[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `routes[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | +| `routes[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `routes[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `routes[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `routes[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `routes[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `routes[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `routes[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `routes[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `routes[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | +| `routes[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | +| `routes[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `routes[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `routes[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `routes[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `routes[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `routes[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].action.return` | `object` | Returns a preconfigured response. | +| `routes[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `routes[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].action.return.headers` | `array` | The custom headers of the response. | +| `routes[].action.return.headers[].name` | `string` | The name of the header. | +| `routes[].action.return.headers[].value` | `string` | The value of the header. | +| `routes[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].dos` | `string` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. | +| `routes[].errorPages` | `array` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. | +| `routes[].errorPages[].codes` | `array[integer]` | A list of error status codes. | +| `routes[].errorPages[].redirect` | `object` | The canned response action for the given status codes. | +| `routes[].errorPages[].redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `routes[].errorPages[].redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].errorPages[].return` | `object` | The redirect action for the given status codes. | +| `routes[].errorPages[].return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `routes[].errorPages[].return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].errorPages[].return.headers` | `array` | The custom headers of the response. | +| `routes[].errorPages[].return.headers[].name` | `string` | The name of the header. | +| `routes[].errorPages[].return.headers[].value` | `string` | The value of the header. | +| `routes[].errorPages[].return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].location-snippets` | `string` | Sets a custom snippet in the location context. Overrides the location-snippets ConfigMap key. | +| `routes[].matches` | `array` | The matching rules for advanced content-based routing. Requires the default Action or Splits. Unmatched requests will be handled by the default Action or Splits. | +| `routes[].matches[].action` | `object` | The action to perform for a request. | +| `routes[].matches[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `routes[].matches[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `routes[].matches[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `routes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | +| `routes[].matches[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `routes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `routes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `routes[].matches[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `routes[].matches[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `routes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `routes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `routes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `routes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | +| `routes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | +| `routes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `routes[].matches[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `routes[].matches[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `routes[].matches[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `routes[].matches[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `routes[].matches[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].matches[].action.return` | `object` | Returns a preconfigured response. | +| `routes[].matches[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `routes[].matches[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].matches[].action.return.headers` | `array` | The custom headers of the response. | +| `routes[].matches[].action.return.headers[].name` | `string` | The name of the header. | +| `routes[].matches[].action.return.headers[].value` | `string` | The value of the header. | +| `routes[].matches[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].matches[].conditions` | `array` | A list of conditions. Must include at least 1 condition. | +| `routes[].matches[].conditions[].argument` | `string` | The name of an argument. Must consist of alphanumeric characters or _. | +| `routes[].matches[].conditions[].cookie` | `string` | The name of a cookie. Must consist of alphanumeric characters or _. | +| `routes[].matches[].conditions[].header` | `string` | The name of a header. Must consist of alphanumeric characters or -. | +| `routes[].matches[].conditions[].value` | `string` | The value to match the condition against. How to define a value is shown below the table. | +| `routes[].matches[].conditions[].variable` | `string` | The name of an NGINX variable. Must start with $. See the list of the supported variables below the table. | +| `routes[].matches[].splits` | `array` | The splits configuration for traffic splitting. Must include at least 2 splits. | +| `routes[].matches[].splits[].action` | `object` | The action to perform for a request. | +| `routes[].matches[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `routes[].matches[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `routes[].matches[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `routes[].matches[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `routes[].matches[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `routes[].matches[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `routes[].matches[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `routes[].matches[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `routes[].matches[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].matches[].splits[].action.return` | `object` | Returns a preconfigured response. | +| `routes[].matches[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `routes[].matches[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].matches[].splits[].action.return.headers` | `array` | The custom headers of the response. | +| `routes[].matches[].splits[].action.return.headers[].name` | `string` | The name of the header. | +| `routes[].matches[].splits[].action.return.headers[].value` | `string` | The value of the header. | +| `routes[].matches[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].matches[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. | +| `routes[].path` | `string` | The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( / , /path ), an exact match ( =/exact/match ), a case insensitive regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive regular expression ( ~^/foo.*\.jpg ). In the case of a prefix (must start with / ) or an exact match (must start with = ), the path must not include any whitespace characters, { , } or ;. In the case of the regex matches, all double quotes " must be escaped and the match can’t end in an unescaped backslash \. The path must be unique among the paths of all routes of the VirtualServer. Check the location directive for more information. | +| `routes[].policies` | `array` | A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. See Applying Policies for more details. | +| `routes[].policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. v | +| `routes[].policies[].namespace` | `string` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. | +| `routes[].route` | `string` | The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, tea-namespace/tea. | +| `routes[].splits` | `array` | The default splits configuration for traffic splitting. Must include at least 2 splits. | +| `routes[].splits[].action` | `object` | The action to perform for a request. | +| `routes[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | +| `routes[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | +| `routes[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | +| `routes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | +| `routes[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `routes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | +| `routes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | +| `routes[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | +| `routes[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | +| `routes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `routes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | +| `routes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | +| `routes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | +| `routes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | +| `routes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `routes[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | +| `routes[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | +| `routes[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | +| `routes[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `routes[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].splits[].action.return` | `object` | Returns a preconfigured response. | +| `routes[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | +| `routes[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | +| `routes[].splits[].action.return.headers` | `array` | The custom headers of the response. | +| `routes[].splits[].action.return.headers[].name` | `string` | The name of the header. | +| `routes[].splits[].action.return.headers[].value` | `string` | The value of the header. | +| `routes[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | +| `routes[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. | +| `server-snippets` | `string` | Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. | +| `tls` | `object` | The TLS termination configuration. | +| `tls.cert-manager` | `object` | The cert-manager configuration of the TLS for a VirtualServer. | +| `tls.cert-manager.cluster-issuer` | `string` | The name of a ClusterIssuer. A ClusterIssuer is a cert-manager resource which describes the certificate authority capable of signing certificates. It does not matter which namespace your VirtualServer resides, as ClusterIssuers are non-namespaced resources. Please note that one of issuer and cluster-issuer are required, but they are mutually exclusive - one and only one must be defined. | +| `tls.cert-manager.common-name` | `string` | This field allows you to configure spec.commonName for the Certificate to be generated. This configuration adds a CN to the x509 certificate. | +| `tls.cert-manager.duration` | `string` | This field allows you to configure spec.duration field for the Certificate to be generated. Must be specified using a Go time.Duration string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | +| `tls.cert-manager.issue-temp-cert` | `boolean` | When true, ask cert-manager for a temporary self-signed certificate pending the issuance of the Certificate. This allows HTTPS-only servers to use ACME HTTP01 challenges when the TLS secret does not exist yet. | +| `tls.cert-manager.issuer` | `string` | The name of an Issuer. An Issuer is a cert-manager resource which describes the certificate authority capable of signing certificates. The Issuer must be in the same namespace as the VirtualServer resource. Please note that one of issuer and cluster-issuer are required, but they are mutually exclusive - one and only one must be defined. | +| `tls.cert-manager.issuer-group` | `string` | The API group of the external issuer controller, for example awspca.cert-manager.io. This is only necessary for out-of-tree issuers. This cannot be defined if cluster-issuer is also defined. | +| `tls.cert-manager.issuer-kind` | `string` | The kind of the external issuer resource, for example AWSPCAIssuer. This is only necessary for out-of-tree issuers. This cannot be defined if cluster-issuer is also defined. | +| `tls.cert-manager.renew-before` | `string` | This annotation allows you to configure spec.renewBefore field for the Certificate to be generated. Must be specified using a Go time.Duration string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | +| `tls.cert-manager.usages` | `string` | This field allows you to configure spec.usages field for the Certificate to be generated. Pass a string with comma-separated values i.e. key agreement,digital signature, server auth. An exhaustive list of supported key usages can be found in the the cert-manager api documentation. | +| `tls.redirect` | `object` | The redirect configuration of the TLS for a VirtualServer. | +| `tls.redirect.basedOn` | `string` | The attribute of a request that NGINX will evaluate to send a redirect. The allowed values are scheme (the scheme of the request) or x-forwarded-proto (the X-Forwarded-Proto header of the request). The default is scheme. | +| `tls.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `tls.redirect.enable` | `boolean` | Enables a TLS redirect for a VirtualServer. The default is False. | +| `tls.secret` | `string` | The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must be of the type kubernetes.io/tls and contain keys named tls.crt and tls.key that contain the certificate and private key as described here. If the secret doesn’t exist or is invalid, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. If the secret is not specified but wildcard TLS secret is configured, NGINX will use the wildcard secret for TLS termination. | +| `upstreams` | `array` | A list of upstreams. | +| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. | +| `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | +| `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. See the proxy_buffer_size directive. The default is set in the proxy-buffer-size ConfigMap key. | +| `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. See the proxy_buffering directive. The default is set in the proxy-buffering ConfigMap key. | +| `upstreams[].buffers` | `object` | Configures the buffers used for reading a response from the upstream server for a single connection. | +| `upstreams[].buffers.number` | `integer` | Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. | +| `upstreams[].buffers.size` | `string` | Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. | +| `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. See the client_max_body_size directive. The default is set in the client-max-body-size ConfigMap key. | +| `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. See the proxy_connect_timeout directive. The default is specified in the proxy-connect-timeout ConfigMap key. | +| `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. See the fail_timeout parameter of the server directive. The default is set in the fail-timeout ConfigMap key. | +| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].healthCheck.connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. By default, the connect-timeout of the upstream is used. | +| `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. | +| `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. | +| `upstreams[].healthCheck.grpcService` | `string` | The gRPC service to be monitored on the upstream server. Only valid on gRPC type upstreams. | +| `upstreams[].healthCheck.grpcStatus` | `integer` | The expected gRPC status code of the upstream server response to the Check method. Configure this field only if your gRPC services do not implement the gRPC health checking protocol. For example, configure 12 if the upstream server responds with 12 (UNIMPLEMENTED) status code. Only valid on gRPC type upstreams. | +| `upstreams[].healthCheck.headers` | `array` | The request headers used for health check requests. NGINX Plus always sets the Host, User-Agent and Connection headers for health check requests. | +| `upstreams[].healthCheck.headers[].name` | `string` | The name of the header. | +| `upstreams[].healthCheck.headers[].value` | `string` | The value of the header. | +| `upstreams[].healthCheck.interval` | `string` | The interval between two consecutive health checks. The default is 5s. | +| `upstreams[].healthCheck.jitter` | `string` | The time within which each health check will be randomly delayed. By default, there is no delay. | +| `upstreams[].healthCheck.keepalive-time` | `string` | Enables keepalive connections for health checks and specifies the time during which requests can be processed through one keepalive connection. The default is 60s. | +| `upstreams[].healthCheck.mandatory` | `boolean` | Require every newly added server to pass all configured health checks before NGINX Plus sends traffic to it. If this is not specified, or is set to false, the server will be initially considered healthy. When combined with slow-start, it gives a new server more time to connect to databases and “warm up” before being asked to handle their full share of traffic. | +| `upstreams[].healthCheck.passes` | `integer` | The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. | +| `upstreams[].healthCheck.path` | `string` | The path used for health check requests. The default is /. This is not configurable for gRPC type upstreams. | +| `upstreams[].healthCheck.persistent` | `boolean` | Set the initial “up” state for a server after reload if the server was considered healthy before reload. Enabling persistent requires that the mandatory parameter is also set to true. | +| `upstreams[].healthCheck.port` | `integer` | The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. | +| `upstreams[].healthCheck.read-timeout` | `string` | The timeout for reading a response from an upstream server. By default, the read-timeout of the upstream is used. | +| `upstreams[].healthCheck.send-timeout` | `string` | The timeout for transmitting a request to an upstream server. By default, the send-timeout of the upstream is used. | +| `upstreams[].healthCheck.statusMatch` | `string` | The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See the documentation of the match directive. This not supported for gRPC type upstreams. | +| `upstreams[].healthCheck.tls` | `object` | The TLS configuration used for health check requests. By default, the tls field of the upstream is used. | +| `upstreams[].healthCheck.tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | +| `upstreams[].keepalive` | `integer` | Configures the cache for connections to upstream servers. The value 0 disables the cache. See the keepalive directive. The default is set in the keepalive ConfigMap key. | +| `upstreams[].lb-method` | `string` | The load balancing method. To use the round-robin method, specify round_robin. The default is specified in the lb-method ConfigMap key. | +| `upstreams[].max-conns` | `integer` | The maximum number of simultaneous active connections to an upstream server. See the max_conns parameter of the server directive. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. | +| `upstreams[].max-fails` | `integer` | The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. See the max_fails parameter of the server directive. The default is set in the max-fails ConfigMap key. | +| `upstreams[].name` | `string` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. | +| `upstreams[].next-upstream` | `string` | Specifies in which cases a request should be passed to the next upstream server. See the proxy_next_upstream directive. The default is error timeout. | +| `upstreams[].next-upstream-timeout` | `string` | The time during which a request can be passed to the next upstream server. See the proxy_next_upstream_timeout directive. The 0 value turns off the time limit. The default is 0. | +| `upstreams[].next-upstream-tries` | `integer` | The number of possible tries for passing a request to the next upstream server. See the proxy_next_upstream_tries directive. The 0 value turns off this limit. The default is 0. | +| `upstreams[].ntlm` | `boolean` | Allows proxying requests with NTLM Authentication. See the ntlm directive. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].port` | `integer` | The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. The port must fall into the range 1..65535. | +| `upstreams[].queue` | `object` | Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].queue.size` | `integer` | The size of the queue. | +| `upstreams[].queue.timeout` | `string` | The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. | +| `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. See the proxy_read_timeout directive. The default is specified in the proxy-read-timeout ConfigMap key. | +| `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. See the proxy_send_timeout directive. The default is specified in the proxy-send-timeout ConfigMap key. | +| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported (check the prerequisites ). | +| `upstreams[].sessionCookie` | `object` | The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. | +| `upstreams[].sessionCookie.domain` | `string` | The domain for which the cookie is set. | +| `upstreams[].sessionCookie.enable` | `boolean` | Enables session persistence with a session cookie for an upstream server. The default is false. | +| `upstreams[].sessionCookie.expires` | `string` | The time for which a browser should keep the cookie. Can be set to the special value max , which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. | +| `upstreams[].sessionCookie.httpOnly` | `boolean` | Adds the HttpOnly attribute to the cookie. | +| `upstreams[].sessionCookie.name` | `string` | The name of the cookie. | +| `upstreams[].sessionCookie.path` | `string` | The path for which the cookie is set. | +| `upstreams[].sessionCookie.samesite` | `string` | Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none | +| `upstreams[].sessionCookie.secure` | `boolean` | Adds the Secure attribute to the cookie. | +| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. See the slow_start parameter of the server directive. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. | +| `upstreams[].subselector` | `object` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | +| `upstreams[].tls` | `object` | The TLS configuration for the Upstream. | +| `upstreams[].tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | +| `upstreams[].type` | `string` | The type of the upstream. Supported values are http and grpc. The default is http. For gRPC, it is necessary to enable HTTP/2 in the ConfigMap and configure TLS termination in the VirtualServer. | +| `upstreams[].use-cluster-ip` | `boolean` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like lb-method and next-upstream) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | From 06991f38022201e3bc081c5ede7497f76bc844e5 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Thu, 17 Jul 2025 12:05:26 +0100 Subject: [PATCH 08/33] add crds final 2 --- go.mod | 16 ++++++++-------- go.sum | 16 ++++++++++++++++ 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index b3ad1ce51f..f4393e77b8 100644 --- a/go.mod +++ b/go.mod @@ -176,16 +176,16 @@ require ( go.opentelemetry.io/proto/otlp v1.7.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.39.0 // indirect - golang.org/x/mod v0.25.0 // indirect - golang.org/x/net v0.41.0 // indirect + golang.org/x/crypto v0.40.0 // indirect + golang.org/x/mod v0.26.0 // indirect + golang.org/x/net v0.42.0 // indirect golang.org/x/oauth2 v0.30.0 // indirect - golang.org/x/sync v0.15.0 // indirect - golang.org/x/sys v0.33.0 // indirect - golang.org/x/term v0.32.0 // indirect - golang.org/x/text v0.26.0 // indirect + golang.org/x/sync v0.16.0 // indirect + golang.org/x/sys v0.34.0 // indirect + golang.org/x/term v0.33.0 // indirect + golang.org/x/text v0.27.0 // indirect golang.org/x/time v0.9.0 // indirect - golang.org/x/tools v0.33.0 // indirect + golang.org/x/tools v0.35.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/grpc v1.73.0 // indirect diff --git a/go.sum b/go.sum index 20fe2ccaee..1614e20a43 100644 --- a/go.sum +++ b/go.sum @@ -459,12 +459,16 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= +golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= +golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w= golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg= +golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -479,6 +483,8 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= +golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs= +golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8= golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -488,6 +494,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= +golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -506,6 +514,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= +golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= @@ -514,6 +524,8 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= +golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= @@ -522,6 +534,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= +golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= +golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -532,6 +546,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= +golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0= +golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From b8e1d98574c7f7afb0f82a463cc579d161792447 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Thu, 17 Jul 2025 12:32:29 +0100 Subject: [PATCH 09/33] fixed formatting errors --- cmd/nginx-ingress/main.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 5e76f6ef8b..d62d982333 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -1055,7 +1055,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde // Copy pod and update the labels. newPod := pod.DeepCopy() - labels := newPod.ObjectMeta.Labels + labels := newPod.Labels if labels == nil { labels = make(map[string]string) } @@ -1068,7 +1068,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde if agentVersion != "" { labels[agentVersionLabel] = agentVersion } - newPod.ObjectMeta.Labels = labels + newPod.Labels = labels _, err = kubeClient.CoreV1().Pods(newPod.ObjectMeta.Namespace).Update(context.TODO(), newPod, meta_v1.UpdateOptions{}) if err != nil { @@ -1081,7 +1081,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde fmt.Fprintf(labelsString, "%s=\"%s\", ", key, value) } eventLog.Eventf(newPod, api_v1.EventTypeNormal, nl.EventReasonUpdatePodLabel, "Successfully added version labels, %s", strings.TrimRight(labelsString.String(), ", ")) - nl.Infof(l, "Pod label updated: %s", pod.ObjectMeta.Name) + nl.Infof(l, "Pod label updated: %s", pod.Name) podUpdated = true } @@ -1092,7 +1092,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde func createAndValidateHeadlessService(ctx context.Context, kubeClient kubernetes.Interface, cfgParams *configs.ConfigParams, controllerNamespace string, pod *api_v1.Pod) error { l := nl.LoggerFromContext(ctx) - owner := pod.ObjectMeta.OwnerReferences[0] + owner := pod.OwnerReferences[0] name := owner.Name if strings.ToLower(owner.Kind) == "replicaset" { if dash := strings.LastIndex(name, "-"); dash != -1 { @@ -1201,12 +1201,12 @@ func initLogger(logFormat string, level slog.Level, out io.Writer) context.Conte }, } - switch { - case logFormat == "glog": + switch logFormat { + case "glog": h = nic_glog.New(out, &nic_glog.Options{Level: programLevel}) - case logFormat == "json": + case "json": h = slog.NewJSONHandler(out, opts) - case logFormat == "text": + case "text": h = slog.NewTextHandler(out, opts) default: h = nic_glog.New(out, &nic_glog.Options{Level: programLevel}) From 5b7b8006f2040b954f53ca0f7800044734f53483 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Fri, 18 Jul 2025 11:27:09 +0100 Subject: [PATCH 10/33] fixing lint errors --- pkg/apis/configuration/v1/types.go | 70 +++++++++++++++--------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 62d4bc74a7..6fb4ed846f 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -116,7 +116,7 @@ type PolicyReference struct { // Upstream defines an upstream. type Upstream struct { - //The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. + // The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. Name string `json:"name"` // The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported (check the prerequisites ). Service string `json:"service"` @@ -164,7 +164,7 @@ type Upstream struct { Queue *UpstreamQueue `json:"queue"` // The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. SessionCookie *SessionCookie `json:"sessionCookie"` - //Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like lb-method and next-upstream) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. + // Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like lb-method and next-upstream) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. UseClusterIP bool `json:"use-cluster-ip"` // Allows proxying requests with NTLM Authentication. See the ntlm directive. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. NTLM bool `json:"ntlm"` @@ -179,9 +179,9 @@ type Upstream struct { // UpstreamBuffers defines Buffer Configuration for an Upstream. type UpstreamBuffers struct { // Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. - Number int `json:"number"` + Number int `json:"number"` // Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. - Size string `json:"size"` + Size string `json:"size"` } // UpstreamTLS defines a TLS configuration for an Upstream. @@ -233,7 +233,7 @@ type HealthCheck struct { // Header defines an HTTP Header. type Header struct { // The name of the header. - Name string `json:"name"` + Name string `json:"name"` // The value of the header. Value string `json:"value"` } @@ -304,7 +304,7 @@ type ActionRedirect struct { type ActionReturn struct { // The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. Code int `json:"code"` - //The MIME type of the response. The default is text/plain. + // The MIME type of the response. The default is text/plain. Type string `json:"type"` // The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. Body string `json:"body"` @@ -524,13 +524,13 @@ type UpstreamQueue struct { // VirtualServerRouteStatus defines the status for the VirtualServerRoute resource. type VirtualServerRouteStatus struct { // Represents the current state of the resource. There are three possible values: Valid, Invalid and Warning. Valid indicates that the resource has been validated and accepted by the Ingress Controller. Invalid means the resource failed validation or NGINX - State string `json:"state"` + State string `json:"state"` // The reason of the current state of the resource. - Reason string `json:"reason"` + Reason string `json:"reason"` // The message of the current state of the resource. It can contain more detailed information about the reason. - Message string `json:"message"` + Message string `json:"message"` // Defines how other resources reference this resource. - ReferencedBy string `json:"referencedBy"` + ReferencedBy string `json:"referencedBy"` // Defines the IPs, hostnames and ports used to connect to this resource. ExternalEndpoints []ExternalEndpoint `json:"externalEndpoints,omitempty"` } @@ -558,19 +558,19 @@ type GlobalConfigurationSpec struct { // Listener defines a listener. type Listener struct { // The name of the listener. The name must be unique across all listeners. - Name string `json:"name"` + Name string `json:"name"` // The protocol of the listener. For example, HTTP. Protocol string `json:"protocol"` // The port on which the listener will accept connections. - Port int `json:"port"` + Port int `json:"port"` // Custom SNI processing for listener. Allows listener to be used as a passthrough for SNI processing PassSNI bool `json:"passSNI"` // ipv4 and ipv6 addresses that NGINX will listen on. Defaults to listening on all available IPv4 and IPv6 addresses. - IPv4 string `json:"ipv4"` + IPv4 string `json:"ipv4"` // ipv6 addresses that NGINX will listen on. - IPv6 string `json:"ipv6"` + IPv6 string `json:"ipv6"` // Whether the listener will be listening for SSL connections - Ssl bool `json:"ssl"` + Ssl bool `json:"ssl"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -599,7 +599,7 @@ type TransportServer struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` // spec field of the TransportServer resource - Spec TransportServerSpec `json:"spec"` + Spec TransportServerSpec `json:"spec"` // status field of the TransportServer resource Status TransportServerStatus `json:"status"` } @@ -607,23 +607,23 @@ type TransportServer struct { // TransportServerSpec is the spec of the TransportServer resource. type TransportServerSpec struct { // Specifies which Ingress Controller must handle the VirtualServer resource. - IngressClass string `json:"ingressClassName"` + IngressClass string `json:"ingressClassName"` // The TLS termination configuration. - TLS *TransportServerTLS `json:"tls"` + TLS *TransportServerTLS `json:"tls"` // Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource - Listener TransportServerListener `json:"listener"` + Listener TransportServerListener `json:"listener"` // Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. - ServerSnippets string `json:"serverSnippets"` + ServerSnippets string `json:"serverSnippets"` // Sets a custom snippet in the stream context. Overrides the stream-snippets ConfigMap key. - StreamSnippets string `json:"streamSnippets"` + StreamSnippets string `json:"streamSnippets"` // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. - Host string `json:"host"` + Host string `json:"host"` // A list of upstreams. - Upstreams []TransportServerUpstream `json:"upstreams"` + Upstreams []TransportServerUpstream `json:"upstreams"` // The UpstreamParameters are set on stream context - UpstreamParameters *UpstreamParameters `json:"upstreamParameters"` + UpstreamParameters *UpstreamParameters `json:"upstreamParameters"` // The parameters of the session to be used for the Server context - SessionParameters *SessionParameters `json:"sessionParameters"` + SessionParameters *SessionParameters `json:"sessionParameters"` // The action to perform for a request. Action *TransportServerAction `json:"action"` } @@ -636,7 +636,7 @@ type TransportServerTLS struct { // TransportServerListener defines a listener for a TransportServer. type TransportServerListener struct { // The name of a listener defined in a GlobalConfiguration resource. - Name string `json:"name"` + Name string `json:"name"` // The protocol of the listener. Protocol string `json:"protocol"` } @@ -724,9 +724,9 @@ type TransportServerAction struct { // TransportServerStatus defines the status for the TransportServer resource. type TransportServerStatus struct { // Represents the current state of the resource. There are three possible values: Valid, Invalid and Warning. Valid indicates that the resource has been validated and accepted by the Ingress Controller. Invalid means the resource failed validation or - State string `json:"state"` + State string `json:"state"` // The reason of the current state of the resource. - Reason string `json:"reason"` + Reason string `json:"reason"` // The message of the current state of the resource. It can contain more detailed information about the reason. Message string `json:"message"` } @@ -755,7 +755,7 @@ type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` // spec field of the Policy resource - Spec PolicySpec `json:"spec"` + Spec PolicySpec `json:"spec"` // status field of the Policy resource Status PolicyStatus `json:"status"` } @@ -763,9 +763,9 @@ type Policy struct { // PolicyStatus is the status of the policy resource type PolicyStatus struct { // Represents the current state of the resource. There are three possible values: Valid, Invalid and Warning. Valid indicates that the resource has been validated and accepted by the Ingress Controller. Invalid means the resource failed validation or - State string `json:"state"` + State string `json:"state"` // The reason of the current state of the resource. - Reason string `json:"reason"` + Reason string `json:"reason"` // The message of the current state of the resource. It can contain more detailed information about the reason. Message string `json:"message"` } @@ -990,12 +990,12 @@ type SecurityLog struct { LogDest string `json:"logDest"` } -// The API Key policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param. +// The APIKey policy configures NGINX to authorize requests which provide a valid API Key in a specified header or query param. type APIKey struct { // The location of the API Key. For example, $http_auth, $arg_apikey, $cookie_auth. Accepted variables are $http_, $arg_, $cookie_. - SuppliedIn *SuppliedIn `json:"suppliedIn"` + SuppliedIn *SuppliedIn `json:"suppliedIn"` // The key to which the API key is applied. Can contain text, variables, or a combination of them. Accepted variables are $http_, $arg_, $cookie_. - ClientSecret string `json:"clientSecret"` + ClientSecret string `json:"clientSecret"` } // SuppliedIn defines the locations API Key should be supplied in. @@ -1003,5 +1003,5 @@ type SuppliedIn struct { // The location of the API Key as a request header. For example, $http_auth. Accepted variables are $http_. Header []string `json:"header"` // The location of the API Key as a query param. For example, $arg_apikey. Accepted variables are $arg_. - Query []string `json:"query"` + Query []string `json:"query"` } From 8fa48a4f03ef729841634b1105f1b9f8eb0879c3 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Fri, 18 Jul 2025 11:49:01 +0100 Subject: [PATCH 11/33] updating go mod files --- go.mod | 7 ++++--- go.sum | 20 ++++---------------- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/go.mod b/go.mod index 9274204aae..9d7b94e8bb 100644 --- a/go.mod +++ b/go.mod @@ -177,9 +177,9 @@ require ( go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect - golang.org/x/crypto v0.39.0 // indirect - golang.org/x/mod v0.25.0 // indirect - golang.org/x/net v0.41.0 // indirect + golang.org/x/crypto v0.40.0 // indirect + golang.org/x/mod v0.26.0 // indirect + golang.org/x/net v0.42.0 // indirect golang.org/x/oauth2 v0.30.0 // indirect golang.org/x/sync v0.16.0 // indirect golang.org/x/sys v0.34.0 // indirect @@ -187,6 +187,7 @@ require ( golang.org/x/text v0.27.0 // indirect golang.org/x/time v0.9.0 // indirect golang.org/x/tools v0.35.0 // indirect + golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/grpc v1.73.0 // indirect diff --git a/go.sum b/go.sum index e7cfe9bfd7..aac8906ef2 100644 --- a/go.sum +++ b/go.sum @@ -461,16 +461,12 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= -golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w= -golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg= golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= @@ -485,8 +481,6 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= -golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs= golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8= golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= @@ -496,8 +490,6 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= -golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -516,8 +508,6 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -526,8 +516,6 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= -golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -536,8 +524,6 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= -golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= @@ -548,10 +534,12 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= -golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0= golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw= +golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY= +golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= +golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= +golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 70a753427546ff372f05372114d4775c8197456b Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Mon, 21 Jul 2025 14:08:33 +0100 Subject: [PATCH 12/33] finalising the updates types.go files --- .../k8s.nginx.org_globalconfigurations.yaml | 10 +- config/crd/bases/k8s.nginx.org_policies.yaml | 7 +- .../bases/k8s.nginx.org_transportservers.yaml | 35 +- .../k8s.nginx.org_virtualserverroutes.yaml | 162 +++----- .../bases/k8s.nginx.org_virtualservers.yaml | 172 +++----- deploy/crds.yaml | 386 +++++++----------- pkg/apis/configuration/v1/types.go | 99 +++-- 7 files changed, 331 insertions(+), 540 deletions(-) diff --git a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml index 8e936f607d..fb32865529 100644 --- a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml +++ b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml @@ -39,7 +39,8 @@ spec: metadata: type: object spec: - description: spec field of the GlobalConfiguration resource + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. properties: listeners: description: Listeners field of the GlobalConfigurationSpec resource @@ -47,8 +48,7 @@ spec: description: Listener defines a listener. properties: ipv4: - description: ipv4 and ipv6 addresses that NGINX will listen - on. Defaults to listening on all available IPv4 and IPv6 addresses. + description: Specifies the IPv4 address to listen on. type: string ipv6: description: ipv6 addresses that NGINX will listen on. @@ -57,10 +57,6 @@ spec: description: The name of the listener. The name must be unique across all listeners. type: string - passSNI: - description: Custom SNI processing for listener. Allows listener - to be used as a passthrough for SNI processing - type: boolean port: description: The port on which the listener will accept connections. type: integer diff --git a/config/crd/bases/k8s.nginx.org_policies.yaml b/config/crd/bases/k8s.nginx.org_policies.yaml index cd27a24a6b..2bb6f3b0d9 100644 --- a/config/crd/bases/k8s.nginx.org_policies.yaml +++ b/config/crd/bases/k8s.nginx.org_policies.yaml @@ -49,7 +49,10 @@ spec: metadata: type: object spec: - description: spec field of the Policy resource + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. properties: accessControl: description: The access control policy based on the client IP address. @@ -350,7 +353,7 @@ spec: description: |- The key to which the rate limit is applied. Can contain text, variables, or a combination of them. Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are - $binary_remote_addr,$request_uri,$request_method,$url,$http_, $args,$arg_,$cookie_,$jwt_claim_. + $binary_remote_addr , $request_uri , $request_method , $url , $http_ , $args , $arg_, $cookie_ ,$jwt_claim_ . type: string logLevel: description: Sets the desired logging level for cases when the diff --git a/config/crd/bases/k8s.nginx.org_transportservers.yaml b/config/crd/bases/k8s.nginx.org_transportservers.yaml index 150ace963d..7585217bcf 100644 --- a/config/crd/bases/k8s.nginx.org_transportservers.yaml +++ b/config/crd/bases/k8s.nginx.org_transportservers.yaml @@ -51,7 +51,7 @@ spec: metadata: type: object spec: - description: spec field of the TransportServer resource + description: TransportServerSpec is the spec of the TransportServer resource. properties: action: description: The action to perform for a request. @@ -66,8 +66,7 @@ spec: subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique - among all Ingress and VirtualServer resources. See also Handling - Host and Listener Collisions. + among all Ingress and VirtualServer resources. type: string ingressClassName: description: Specifies which Ingress Controller must handle the VirtualServer @@ -96,8 +95,8 @@ spec: properties: timeout: description: The timeout between two successive read or write - operations on client or proxied server connections. See proxy_timeout - directive. The default is 10m. + operations on client or proxied server connections. The default + is 10m. type: string type: object streamSnippets: @@ -115,34 +114,30 @@ spec: properties: connectTimeout: description: The timeout for establishing a connection with a - proxied server. See the proxy_connect_timeout directive. The - default is 60s. + proxied server. The default is 60s. type: string nextUpstream: description: If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the - next server. See the proxy_next_upstream directive. The default - is true. + next server. The default is true. type: boolean nextUpstreamTimeout: description: The time allowed to pass a connection to the next - server. See the proxy_next_upstream_timeout directive. The default - us 0. + server. The default us 0. type: string nextUpstreamTries: description: The number of tries for passing a connection to the - next server. See the proxy_next_upstream_tries directive. The - default is 0. + next server. The default is 0. type: integer udpRequests: description: The number of datagrams, after receiving which, the - next datagram from the same client starts a new session. See - the proxy_requests directive. The default is 0. + next datagram from the same client starts a new session. The + default is 0. type: integer udpResponses: description: The number of datagrams expected from the proxied - server in response to a client datagram. See the proxy_responses - directive. By default, the number of datagrams is not limited. + server in response to a client datagram. By default, the number + of datagrams is not limited. type: integer type: object upstreams: @@ -169,8 +164,7 @@ spec: type: string healthCheck: description: 'The health check configuration for the Upstream. - See the health_check directive. Note: this feature is supported - only in NGINX Plus.' + Note: this feature is supported only in NGINX Plus.' properties: enable: description: Enables a health check for an upstream server. @@ -226,8 +220,7 @@ spec: loadBalancingMethod: description: The method used to load balance the upstream servers. By default, connections are distributed between the servers - using a weighted round-robin balancing method. See the upstream - section for available methods and their details. + using a weighted round-robin balancing method. type: string maxConns: description: Sets the time during which the specified number diff --git a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml index d26c1ead9d..888b1f981d 100644 --- a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml @@ -98,14 +98,12 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the proxy_pass_request_header - directive for more information. Default is true. + to the proxied upstream server. Default is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed to the proxied - upstream servers. See the proxy_set_header directive - for more information. + upstream servers. items: description: Header defines an HTTP Header. properties: @@ -132,8 +130,7 @@ spec: always: description: If set to true, add the header regardless of the response status code**. - Default is false. See the add_header directive - for more information. + Default is false. type: boolean name: description: The name of the header. @@ -146,23 +143,19 @@ spec: hide: description: The headers that will not be passed* in the response to the client from a proxied upstream - server. See the proxy_hide_header directive for - more information. + server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream server. - See the proxy_ignore_headers directive for more - information. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream server. - See the proxy_pass_header directive for more information. items: type: string type: array @@ -323,15 +316,13 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the - proxy_pass_request_header directive for - more information. Default is true. + to the proxied upstream server. Default + is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed - to the proxied upstream servers. See the - proxy_set_header directive for more information. + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: @@ -358,9 +349,7 @@ spec: always: description: If set to true, add the header regardless of the response - status code**. Default is false. See - the add_header directive for more - information. + status code**. Default is false. type: boolean name: description: The name of the header. @@ -373,24 +362,21 @@ spec: hide: description: The headers that will not be passed* in the response to the client from - a proxied upstream server. See the proxy_hide_header - directive for more information. + a proxied upstream server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream - server. See the proxy_ignore_headers directive - for more information. + server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream - server. See the proxy_pass_header directive - for more information. + server. items: type: string type: array @@ -476,12 +462,10 @@ spec: type: string value: description: The value to match the condition against. - How to define a value is shown below the table. type: string variable: description: The name of an NGINX variable. Must - start with $. See the list of the supported variables - below the table. + start with $. type: string type: object type: array @@ -510,17 +494,13 @@ spec: properties: pass: description: Passes the original request - headers to the proxied upstream server. - See the proxy_pass_request_header - directive for more information. Default + headers to the proxied upstream server. Default is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed to the proxied upstream servers. - See the proxy_set_header directive - for more information. items: description: Header defines an HTTP Header. @@ -551,8 +531,7 @@ spec: description: If set to true, add the header regardless of the response status code**. Default - is false. See the add_header - directive for more information. + is false. type: boolean name: description: The name of the header. @@ -567,26 +546,20 @@ spec: description: The headers that will not be passed* in the response to the client from a proxied upstream server. - See the proxy_hide_header directive - for more information. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from - a proxied upstream server. See the - proxy_ignore_headers directive for - more information. + a proxied upstream server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from - a proxied upstream server. See the - proxy_pass_header directive for more - information. + a proxied upstream server. items: type: string type: array @@ -682,7 +655,6 @@ spec: policies: description: A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. - See Applying Policies for more details. items: description: PolicyReference references a policy by name and an optional namespace. @@ -727,15 +699,13 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the - proxy_pass_request_header directive for - more information. Default is true. + to the proxied upstream server. Default + is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed - to the proxied upstream servers. See the - proxy_set_header directive for more information. + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: @@ -762,9 +732,7 @@ spec: always: description: If set to true, add the header regardless of the response - status code**. Default is false. See - the add_header directive for more - information. + status code**. Default is false. type: boolean name: description: The name of the header. @@ -777,24 +745,21 @@ spec: hide: description: The headers that will not be passed* in the response to the client from - a proxied upstream server. See the proxy_hide_header - directive for more information. + a proxied upstream server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream - server. See the proxy_ignore_headers directive - for more information. + server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream - server. See the proxy_pass_header directive - for more information. + server. items: type: string type: array @@ -888,13 +853,12 @@ spec: buffer-size: description: Sets the size of the buffer used for reading the first part of a response received from the upstream server. - See the proxy_buffer_size directive. The default is set in - the proxy-buffer-size ConfigMap key. + The default is set in the proxy-buffer-size ConfigMap key. type: string buffering: description: Enables buffering of responses from the upstream - server. See the proxy_buffering directive. The default is - set in the proxy-buffering ConfigMap key. + server. The default is set in the proxy-buffering ConfigMap + key. type: boolean buffers: description: Configures the buffers used for reading a response @@ -911,26 +875,23 @@ spec: type: object client-max-body-size: description: Sets the maximum allowed size of the client request - body. See the client_max_body_size directive. The default - is set in the client-max-body-size ConfigMap key. + body. The default is set in the client-max-body-size ConfigMap + key. type: string connect-timeout: description: The timeout for establishing a connection with - an upstream server. See the proxy_connect_timeout directive. - The default is specified in the proxy-connect-timeout ConfigMap - key. + an upstream server. The default is specified in the proxy-connect-timeout + ConfigMap key. type: string fail-timeout: description: The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen - to consider the server unavailable. See the fail_timeout parameter - of the server directive. The default is set in the fail-timeout - ConfigMap key. + to consider the server unavailable. The default is set in + the fail-timeout ConfigMap key. type: string healthCheck: description: 'The health check configuration for the Upstream. - See the health_check directive. Note: this feature is supported - only in NGINX Plus.' + Note: this feature is supported only in NGINX Plus.' properties: connect-timeout: description: The timeout for establishing a connection with @@ -1029,9 +990,8 @@ spec: statusMatch: description: 'The expected response status codes of a health check. By default, the response should have status code - 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See - the documentation of the match directive. This not supported - for gRPC type upstreams.' + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This + not supported for gRPC type upstreams.' type: string tls: description: The TLS configuration used for health check @@ -1049,8 +1009,8 @@ spec: type: object keepalive: description: Configures the cache for connections to upstream - servers. The value 0 disables the cache. See the keepalive - directive. The default is set in the keepalive ConfigMap key. + servers. The value 0 disables the cache. The default is set + in the keepalive ConfigMap key. type: integer lb-method: description: The load balancing method. To use the round-robin @@ -1059,18 +1019,16 @@ spec: type: string max-conns: description: 'The maximum number of simultaneous active connections - to an upstream server. See the max_conns parameter of the - server directive. By default there is no limit. Note: if keepalive - connections are enabled, the total number of active and idle - keepalive connections to an upstream server may exceed the - max_conns value.' + to an upstream server. By default there is no limit. Note: + if keepalive connections are enabled, the total number of + active and idle keepalive connections to an upstream server + may exceed the max_conns value.' type: integer max-fails: description: The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. - See the max_fails parameter of the server directive. The default - is set in the max-fails ConfigMap key. + The default is set in the max-fails ConfigMap key. type: integer name: description: The name of the upstream. Must be a valid DNS label @@ -1080,27 +1038,24 @@ spec: type: string next-upstream: description: Specifies in which cases a request should be passed - to the next upstream server. See the proxy_next_upstream directive. - The default is error timeout. + to the next upstream server. The default is error timeout. type: string next-upstream-timeout: description: The time during which a request can be passed to - the next upstream server. See the proxy_next_upstream_timeout - directive. The 0 value turns off the time limit. The default - is 0. + the next upstream server. The 0 value turns off the time limit. + The default is 0. type: string next-upstream-tries: description: The number of possible tries for passing a request - to the next upstream server. See the proxy_next_upstream_tries - directive. The 0 value turns off this limit. The default is - 0. + to the next upstream server. The 0 value turns off this limit. + The default is 0. type: integer ntlm: description: 'Allows proxying requests with NTLM Authentication. - See the ntlm directive. In order for NTLM authentication to - work, it is necessary to enable keepalive connections to upstream - servers using the keepalive field. Note: this feature is supported - only in NGINX Plus.' + In order for NTLM authentication to work, it is necessary + to enable keepalive connections to upstream servers using + the keepalive field. Note: this feature is supported only + in NGINX Plus.' type: boolean port: description: The port of the service. If the service doesn’t @@ -1126,13 +1081,13 @@ spec: type: object read-timeout: description: The timeout for reading a response from an upstream - server. See the proxy_read_timeout directive. The default - is specified in the proxy-read-timeout ConfigMap key. + server. The default is specified in the proxy-read-timeout + ConfigMap key. type: string send-timeout: description: The timeout for transmitting a request to an upstream - server. See the proxy_send_timeout directive. The default - is specified in the proxy-send-timeout ConfigMap key. + server. The default is specified in the proxy-send-timeout + ConfigMap key. type: string service: description: The name of a service. The service must belong @@ -1183,10 +1138,9 @@ spec: recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. - By default, the slow start is disabled. See the slow_start - parameter of the server directive. Note: The parameter cannot - be used along with the random , hash or ip_hash load balancing - methods and will be ignored.' + By default, the slow start is disabled. Note: The parameter + cannot be used along with the random , hash or ip_hash load + balancing methods and will be ignored.' type: string subselector: additionalProperties: diff --git a/config/crd/bases/k8s.nginx.org_virtualservers.yaml b/config/crd/bases/k8s.nginx.org_virtualservers.yaml index 6523c869f9..ba0450bf98 100644 --- a/config/crd/bases/k8s.nginx.org_virtualservers.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualservers.yaml @@ -61,7 +61,7 @@ spec: metadata: type: object spec: - description: Spec contains the VirtualServer specification. + description: VirtualServerSpec is the spec of the VirtualServer resource. properties: dos: description: A reference to a DosProtectedResource, setting this enables @@ -99,8 +99,7 @@ spec: type: array recordTTL: description: TTL for the DNS record. This defaults to 0 if not - defined. See the ExternalDNS TTL documentation for provider-specific - defaults + defined. format: int64 type: integer recordType: @@ -119,8 +118,7 @@ spec: subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique - among all Ingress and VirtualServer resources. See also Handling - Host and Listener Collisions. + among all Ingress and VirtualServer resources. type: string http-snippets: description: Sets a custom snippet in the http context. @@ -140,7 +138,7 @@ spec: the name of a valid listener defined in a GlobalConfiguration resource properties: http: - description: The name of am HTTP listener defined in a GlobalConfiguration + description: The name of an HTTP listener defined in a GlobalConfiguration resource. type: string https: @@ -187,14 +185,12 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the proxy_pass_request_header - directive for more information. Default is true. + to the proxied upstream server. Default is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed to the proxied - upstream servers. See the proxy_set_header directive - for more information. + upstream servers. items: description: Header defines an HTTP Header. properties: @@ -221,8 +217,7 @@ spec: always: description: If set to true, add the header regardless of the response status code**. - Default is false. See the add_header directive - for more information. + Default is false. type: boolean name: description: The name of the header. @@ -235,23 +230,19 @@ spec: hide: description: The headers that will not be passed* in the response to the client from a proxied upstream - server. See the proxy_hide_header directive for - more information. + server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream server. - See the proxy_ignore_headers directive for more - information. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream server. - See the proxy_pass_header directive for more information. items: type: string type: array @@ -412,15 +403,13 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the - proxy_pass_request_header directive for - more information. Default is true. + to the proxied upstream server. Default + is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed - to the proxied upstream servers. See the - proxy_set_header directive for more information. + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: @@ -447,9 +436,7 @@ spec: always: description: If set to true, add the header regardless of the response - status code**. Default is false. See - the add_header directive for more - information. + status code**. Default is false. type: boolean name: description: The name of the header. @@ -462,24 +449,21 @@ spec: hide: description: The headers that will not be passed* in the response to the client from - a proxied upstream server. See the proxy_hide_header - directive for more information. + a proxied upstream server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream - server. See the proxy_ignore_headers directive - for more information. + server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream - server. See the proxy_pass_header directive - for more information. + server. items: type: string type: array @@ -565,12 +549,10 @@ spec: type: string value: description: The value to match the condition against. - How to define a value is shown below the table. type: string variable: description: The name of an NGINX variable. Must - start with $. See the list of the supported variables - below the table. + start with $. type: string type: object type: array @@ -599,17 +581,13 @@ spec: properties: pass: description: Passes the original request - headers to the proxied upstream server. - See the proxy_pass_request_header - directive for more information. Default + headers to the proxied upstream server. Default is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed to the proxied upstream servers. - See the proxy_set_header directive - for more information. items: description: Header defines an HTTP Header. @@ -640,8 +618,7 @@ spec: description: If set to true, add the header regardless of the response status code**. Default - is false. See the add_header - directive for more information. + is false. type: boolean name: description: The name of the header. @@ -656,26 +633,20 @@ spec: description: The headers that will not be passed* in the response to the client from a proxied upstream server. - See the proxy_hide_header directive - for more information. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from - a proxied upstream server. See the - proxy_ignore_headers directive for - more information. + a proxied upstream server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from - a proxied upstream server. See the - proxy_pass_header directive for more - information. + a proxied upstream server. items: type: string type: array @@ -771,7 +742,6 @@ spec: policies: description: A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. - See Applying Policies for more details. items: description: PolicyReference references a policy by name and an optional namespace. @@ -816,15 +786,13 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the - proxy_pass_request_header directive for - more information. Default is true. + to the proxied upstream server. Default + is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed - to the proxied upstream servers. See the - proxy_set_header directive for more information. + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: @@ -851,9 +819,7 @@ spec: always: description: If set to true, add the header regardless of the response - status code**. Default is false. See - the add_header directive for more - information. + status code**. Default is false. type: boolean name: description: The name of the header. @@ -866,24 +832,21 @@ spec: hide: description: The headers that will not be passed* in the response to the client from - a proxied upstream server. See the proxy_hide_header - directive for more information. + a proxied upstream server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream - server. See the proxy_ignore_headers directive - for more information. + server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream - server. See the proxy_pass_header directive - for more information. + server. items: type: string type: array @@ -1079,13 +1042,12 @@ spec: buffer-size: description: Sets the size of the buffer used for reading the first part of a response received from the upstream server. - See the proxy_buffer_size directive. The default is set in - the proxy-buffer-size ConfigMap key. + The default is set in the proxy-buffer-size ConfigMap key. type: string buffering: description: Enables buffering of responses from the upstream - server. See the proxy_buffering directive. The default is - set in the proxy-buffering ConfigMap key. + server. The default is set in the proxy-buffering ConfigMap + key. type: boolean buffers: description: Configures the buffers used for reading a response @@ -1102,26 +1064,23 @@ spec: type: object client-max-body-size: description: Sets the maximum allowed size of the client request - body. See the client_max_body_size directive. The default - is set in the client-max-body-size ConfigMap key. + body. The default is set in the client-max-body-size ConfigMap + key. type: string connect-timeout: description: The timeout for establishing a connection with - an upstream server. See the proxy_connect_timeout directive. - The default is specified in the proxy-connect-timeout ConfigMap - key. + an upstream server. The default is specified in the proxy-connect-timeout + ConfigMap key. type: string fail-timeout: description: The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen - to consider the server unavailable. See the fail_timeout parameter - of the server directive. The default is set in the fail-timeout - ConfigMap key. + to consider the server unavailable. The default is set in + the fail-timeout ConfigMap key. type: string healthCheck: description: 'The health check configuration for the Upstream. - See the health_check directive. Note: this feature is supported - only in NGINX Plus.' + Note: this feature is supported only in NGINX Plus.' properties: connect-timeout: description: The timeout for establishing a connection with @@ -1220,9 +1179,8 @@ spec: statusMatch: description: 'The expected response status codes of a health check. By default, the response should have status code - 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See - the documentation of the match directive. This not supported - for gRPC type upstreams.' + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This + not supported for gRPC type upstreams.' type: string tls: description: The TLS configuration used for health check @@ -1240,8 +1198,8 @@ spec: type: object keepalive: description: Configures the cache for connections to upstream - servers. The value 0 disables the cache. See the keepalive - directive. The default is set in the keepalive ConfigMap key. + servers. The value 0 disables the cache. The default is set + in the keepalive ConfigMap key. type: integer lb-method: description: The load balancing method. To use the round-robin @@ -1250,18 +1208,16 @@ spec: type: string max-conns: description: 'The maximum number of simultaneous active connections - to an upstream server. See the max_conns parameter of the - server directive. By default there is no limit. Note: if keepalive - connections are enabled, the total number of active and idle - keepalive connections to an upstream server may exceed the - max_conns value.' + to an upstream server. By default there is no limit. Note: + if keepalive connections are enabled, the total number of + active and idle keepalive connections to an upstream server + may exceed the max_conns value.' type: integer max-fails: description: The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. - See the max_fails parameter of the server directive. The default - is set in the max-fails ConfigMap key. + The default is set in the max-fails ConfigMap key. type: integer name: description: The name of the upstream. Must be a valid DNS label @@ -1271,27 +1227,24 @@ spec: type: string next-upstream: description: Specifies in which cases a request should be passed - to the next upstream server. See the proxy_next_upstream directive. - The default is error timeout. + to the next upstream server. The default is error timeout. type: string next-upstream-timeout: description: The time during which a request can be passed to - the next upstream server. See the proxy_next_upstream_timeout - directive. The 0 value turns off the time limit. The default - is 0. + the next upstream server. The 0 value turns off the time limit. + The default is 0. type: string next-upstream-tries: description: The number of possible tries for passing a request - to the next upstream server. See the proxy_next_upstream_tries - directive. The 0 value turns off this limit. The default is - 0. + to the next upstream server. The 0 value turns off this limit. + The default is 0. type: integer ntlm: description: 'Allows proxying requests with NTLM Authentication. - See the ntlm directive. In order for NTLM authentication to - work, it is necessary to enable keepalive connections to upstream - servers using the keepalive field. Note: this feature is supported - only in NGINX Plus.' + In order for NTLM authentication to work, it is necessary + to enable keepalive connections to upstream servers using + the keepalive field. Note: this feature is supported only + in NGINX Plus.' type: boolean port: description: The port of the service. If the service doesn’t @@ -1317,13 +1270,13 @@ spec: type: object read-timeout: description: The timeout for reading a response from an upstream - server. See the proxy_read_timeout directive. The default - is specified in the proxy-read-timeout ConfigMap key. + server. The default is specified in the proxy-read-timeout + ConfigMap key. type: string send-timeout: description: The timeout for transmitting a request to an upstream - server. See the proxy_send_timeout directive. The default - is specified in the proxy-send-timeout ConfigMap key. + server. The default is specified in the proxy-send-timeout + ConfigMap key. type: string service: description: The name of a service. The service must belong @@ -1374,10 +1327,9 @@ spec: recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. - By default, the slow start is disabled. See the slow_start - parameter of the server directive. Note: The parameter cannot - be used along with the random , hash or ip_hash load balancing - methods and will be ignored.' + By default, the slow start is disabled. Note: The parameter + cannot be used along with the random , hash or ip_hash load + balancing methods and will be ignored.' type: string subselector: additionalProperties: diff --git a/deploy/crds.yaml b/deploy/crds.yaml index fca6956df6..146d1e290e 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -135,7 +135,8 @@ spec: metadata: type: object spec: - description: spec field of the GlobalConfiguration resource + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. properties: listeners: description: Listeners field of the GlobalConfigurationSpec resource @@ -143,8 +144,7 @@ spec: description: Listener defines a listener. properties: ipv4: - description: ipv4 and ipv6 addresses that NGINX will listen - on. Defaults to listening on all available IPv4 and IPv6 addresses. + description: Specifies the IPv4 address to listen on. type: string ipv6: description: ipv6 addresses that NGINX will listen on. @@ -153,10 +153,6 @@ spec: description: The name of the listener. The name must be unique across all listeners. type: string - passSNI: - description: Custom SNI processing for listener. Allows listener - to be used as a passthrough for SNI processing - type: boolean port: description: The port on which the listener will accept connections. type: integer @@ -224,7 +220,10 @@ spec: metadata: type: object spec: - description: spec field of the Policy resource + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. properties: accessControl: description: The access control policy based on the client IP address. @@ -525,7 +524,7 @@ spec: description: |- The key to which the rate limit is applied. Can contain text, variables, or a combination of them. Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are - $binary_remote_addr,$request_uri,$request_method,$url,$http_, $args,$arg_,$cookie_,$jwt_claim_. + $binary_remote_addr , $request_uri , $request_method , $url , $http_ , $args , $arg_, $cookie_ ,$jwt_claim_ . type: string logLevel: description: Sets the desired logging level for cases when the @@ -696,7 +695,7 @@ spec: metadata: type: object spec: - description: spec field of the TransportServer resource + description: TransportServerSpec is the spec of the TransportServer resource. properties: action: description: The action to perform for a request. @@ -711,8 +710,7 @@ spec: subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique - among all Ingress and VirtualServer resources. See also Handling - Host and Listener Collisions. + among all Ingress and VirtualServer resources. type: string ingressClassName: description: Specifies which Ingress Controller must handle the VirtualServer @@ -741,8 +739,8 @@ spec: properties: timeout: description: The timeout between two successive read or write - operations on client or proxied server connections. See proxy_timeout - directive. The default is 10m. + operations on client or proxied server connections. The default + is 10m. type: string type: object streamSnippets: @@ -760,34 +758,30 @@ spec: properties: connectTimeout: description: The timeout for establishing a connection with a - proxied server. See the proxy_connect_timeout directive. The - default is 60s. + proxied server. The default is 60s. type: string nextUpstream: description: If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the - next server. See the proxy_next_upstream directive. The default - is true. + next server. The default is true. type: boolean nextUpstreamTimeout: description: The time allowed to pass a connection to the next - server. See the proxy_next_upstream_timeout directive. The default - us 0. + server. The default us 0. type: string nextUpstreamTries: description: The number of tries for passing a connection to the - next server. See the proxy_next_upstream_tries directive. The - default is 0. + next server. The default is 0. type: integer udpRequests: description: The number of datagrams, after receiving which, the - next datagram from the same client starts a new session. See - the proxy_requests directive. The default is 0. + next datagram from the same client starts a new session. The + default is 0. type: integer udpResponses: description: The number of datagrams expected from the proxied - server in response to a client datagram. See the proxy_responses - directive. By default, the number of datagrams is not limited. + server in response to a client datagram. By default, the number + of datagrams is not limited. type: integer type: object upstreams: @@ -814,8 +808,7 @@ spec: type: string healthCheck: description: 'The health check configuration for the Upstream. - See the health_check directive. Note: this feature is supported - only in NGINX Plus.' + Note: this feature is supported only in NGINX Plus.' properties: enable: description: Enables a health check for an upstream server. @@ -871,8 +864,7 @@ spec: loadBalancingMethod: description: The method used to load balance the upstream servers. By default, connections are distributed between the servers - using a weighted round-robin balancing method. See the upstream - section for available methods and their details. + using a weighted round-robin balancing method. type: string maxConns: description: Sets the time during which the specified number @@ -1029,14 +1021,12 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the proxy_pass_request_header - directive for more information. Default is true. + to the proxied upstream server. Default is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed to the proxied - upstream servers. See the proxy_set_header directive - for more information. + upstream servers. items: description: Header defines an HTTP Header. properties: @@ -1063,8 +1053,7 @@ spec: always: description: If set to true, add the header regardless of the response status code**. - Default is false. See the add_header directive - for more information. + Default is false. type: boolean name: description: The name of the header. @@ -1077,23 +1066,19 @@ spec: hide: description: The headers that will not be passed* in the response to the client from a proxied upstream - server. See the proxy_hide_header directive for - more information. + server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream server. - See the proxy_ignore_headers directive for more - information. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream server. - See the proxy_pass_header directive for more information. items: type: string type: array @@ -1254,15 +1239,13 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the - proxy_pass_request_header directive for - more information. Default is true. + to the proxied upstream server. Default + is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed - to the proxied upstream servers. See the - proxy_set_header directive for more information. + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: @@ -1289,9 +1272,7 @@ spec: always: description: If set to true, add the header regardless of the response - status code**. Default is false. See - the add_header directive for more - information. + status code**. Default is false. type: boolean name: description: The name of the header. @@ -1304,24 +1285,21 @@ spec: hide: description: The headers that will not be passed* in the response to the client from - a proxied upstream server. See the proxy_hide_header - directive for more information. + a proxied upstream server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream - server. See the proxy_ignore_headers directive - for more information. + server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream - server. See the proxy_pass_header directive - for more information. + server. items: type: string type: array @@ -1407,12 +1385,10 @@ spec: type: string value: description: The value to match the condition against. - How to define a value is shown below the table. type: string variable: description: The name of an NGINX variable. Must - start with $. See the list of the supported variables - below the table. + start with $. type: string type: object type: array @@ -1441,17 +1417,13 @@ spec: properties: pass: description: Passes the original request - headers to the proxied upstream server. - See the proxy_pass_request_header - directive for more information. Default + headers to the proxied upstream server. Default is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed to the proxied upstream servers. - See the proxy_set_header directive - for more information. items: description: Header defines an HTTP Header. @@ -1482,8 +1454,7 @@ spec: description: If set to true, add the header regardless of the response status code**. Default - is false. See the add_header - directive for more information. + is false. type: boolean name: description: The name of the header. @@ -1498,26 +1469,20 @@ spec: description: The headers that will not be passed* in the response to the client from a proxied upstream server. - See the proxy_hide_header directive - for more information. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from - a proxied upstream server. See the - proxy_ignore_headers directive for - more information. + a proxied upstream server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from - a proxied upstream server. See the - proxy_pass_header directive for more - information. + a proxied upstream server. items: type: string type: array @@ -1613,7 +1578,6 @@ spec: policies: description: A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. - See Applying Policies for more details. items: description: PolicyReference references a policy by name and an optional namespace. @@ -1658,15 +1622,13 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the - proxy_pass_request_header directive for - more information. Default is true. + to the proxied upstream server. Default + is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed - to the proxied upstream servers. See the - proxy_set_header directive for more information. + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: @@ -1693,9 +1655,7 @@ spec: always: description: If set to true, add the header regardless of the response - status code**. Default is false. See - the add_header directive for more - information. + status code**. Default is false. type: boolean name: description: The name of the header. @@ -1708,24 +1668,21 @@ spec: hide: description: The headers that will not be passed* in the response to the client from - a proxied upstream server. See the proxy_hide_header - directive for more information. + a proxied upstream server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream - server. See the proxy_ignore_headers directive - for more information. + server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream - server. See the proxy_pass_header directive - for more information. + server. items: type: string type: array @@ -1819,13 +1776,12 @@ spec: buffer-size: description: Sets the size of the buffer used for reading the first part of a response received from the upstream server. - See the proxy_buffer_size directive. The default is set in - the proxy-buffer-size ConfigMap key. + The default is set in the proxy-buffer-size ConfigMap key. type: string buffering: description: Enables buffering of responses from the upstream - server. See the proxy_buffering directive. The default is - set in the proxy-buffering ConfigMap key. + server. The default is set in the proxy-buffering ConfigMap + key. type: boolean buffers: description: Configures the buffers used for reading a response @@ -1842,26 +1798,23 @@ spec: type: object client-max-body-size: description: Sets the maximum allowed size of the client request - body. See the client_max_body_size directive. The default - is set in the client-max-body-size ConfigMap key. + body. The default is set in the client-max-body-size ConfigMap + key. type: string connect-timeout: description: The timeout for establishing a connection with - an upstream server. See the proxy_connect_timeout directive. - The default is specified in the proxy-connect-timeout ConfigMap - key. + an upstream server. The default is specified in the proxy-connect-timeout + ConfigMap key. type: string fail-timeout: description: The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen - to consider the server unavailable. See the fail_timeout parameter - of the server directive. The default is set in the fail-timeout - ConfigMap key. + to consider the server unavailable. The default is set in + the fail-timeout ConfigMap key. type: string healthCheck: description: 'The health check configuration for the Upstream. - See the health_check directive. Note: this feature is supported - only in NGINX Plus.' + Note: this feature is supported only in NGINX Plus.' properties: connect-timeout: description: The timeout for establishing a connection with @@ -1960,9 +1913,8 @@ spec: statusMatch: description: 'The expected response status codes of a health check. By default, the response should have status code - 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See - the documentation of the match directive. This not supported - for gRPC type upstreams.' + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This + not supported for gRPC type upstreams.' type: string tls: description: The TLS configuration used for health check @@ -1980,8 +1932,8 @@ spec: type: object keepalive: description: Configures the cache for connections to upstream - servers. The value 0 disables the cache. See the keepalive - directive. The default is set in the keepalive ConfigMap key. + servers. The value 0 disables the cache. The default is set + in the keepalive ConfigMap key. type: integer lb-method: description: The load balancing method. To use the round-robin @@ -1990,18 +1942,16 @@ spec: type: string max-conns: description: 'The maximum number of simultaneous active connections - to an upstream server. See the max_conns parameter of the - server directive. By default there is no limit. Note: if keepalive - connections are enabled, the total number of active and idle - keepalive connections to an upstream server may exceed the - max_conns value.' + to an upstream server. By default there is no limit. Note: + if keepalive connections are enabled, the total number of + active and idle keepalive connections to an upstream server + may exceed the max_conns value.' type: integer max-fails: description: The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. - See the max_fails parameter of the server directive. The default - is set in the max-fails ConfigMap key. + The default is set in the max-fails ConfigMap key. type: integer name: description: The name of the upstream. Must be a valid DNS label @@ -2011,27 +1961,24 @@ spec: type: string next-upstream: description: Specifies in which cases a request should be passed - to the next upstream server. See the proxy_next_upstream directive. - The default is error timeout. + to the next upstream server. The default is error timeout. type: string next-upstream-timeout: description: The time during which a request can be passed to - the next upstream server. See the proxy_next_upstream_timeout - directive. The 0 value turns off the time limit. The default - is 0. + the next upstream server. The 0 value turns off the time limit. + The default is 0. type: string next-upstream-tries: description: The number of possible tries for passing a request - to the next upstream server. See the proxy_next_upstream_tries - directive. The 0 value turns off this limit. The default is - 0. + to the next upstream server. The 0 value turns off this limit. + The default is 0. type: integer ntlm: description: 'Allows proxying requests with NTLM Authentication. - See the ntlm directive. In order for NTLM authentication to - work, it is necessary to enable keepalive connections to upstream - servers using the keepalive field. Note: this feature is supported - only in NGINX Plus.' + In order for NTLM authentication to work, it is necessary + to enable keepalive connections to upstream servers using + the keepalive field. Note: this feature is supported only + in NGINX Plus.' type: boolean port: description: The port of the service. If the service doesn’t @@ -2057,13 +2004,13 @@ spec: type: object read-timeout: description: The timeout for reading a response from an upstream - server. See the proxy_read_timeout directive. The default - is specified in the proxy-read-timeout ConfigMap key. + server. The default is specified in the proxy-read-timeout + ConfigMap key. type: string send-timeout: description: The timeout for transmitting a request to an upstream - server. See the proxy_send_timeout directive. The default - is specified in the proxy-send-timeout ConfigMap key. + server. The default is specified in the proxy-send-timeout + ConfigMap key. type: string service: description: The name of a service. The service must belong @@ -2114,10 +2061,9 @@ spec: recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. - By default, the slow start is disabled. See the slow_start - parameter of the server directive. Note: The parameter cannot - be used along with the random , hash or ip_hash load balancing - methods and will be ignored.' + By default, the slow start is disabled. Note: The parameter + cannot be used along with the random , hash or ip_hash load + balancing methods and will be ignored.' type: string subselector: additionalProperties: @@ -2262,7 +2208,7 @@ spec: metadata: type: object spec: - description: Spec contains the VirtualServer specification. + description: VirtualServerSpec is the spec of the VirtualServer resource. properties: dos: description: A reference to a DosProtectedResource, setting this enables @@ -2300,8 +2246,7 @@ spec: type: array recordTTL: description: TTL for the DNS record. This defaults to 0 if not - defined. See the ExternalDNS TTL documentation for provider-specific - defaults + defined. format: int64 type: integer recordType: @@ -2320,8 +2265,7 @@ spec: subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique - among all Ingress and VirtualServer resources. See also Handling - Host and Listener Collisions. + among all Ingress and VirtualServer resources. type: string http-snippets: description: Sets a custom snippet in the http context. @@ -2341,7 +2285,7 @@ spec: the name of a valid listener defined in a GlobalConfiguration resource properties: http: - description: The name of am HTTP listener defined in a GlobalConfiguration + description: The name of an HTTP listener defined in a GlobalConfiguration resource. type: string https: @@ -2388,14 +2332,12 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the proxy_pass_request_header - directive for more information. Default is true. + to the proxied upstream server. Default is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed to the proxied - upstream servers. See the proxy_set_header directive - for more information. + upstream servers. items: description: Header defines an HTTP Header. properties: @@ -2422,8 +2364,7 @@ spec: always: description: If set to true, add the header regardless of the response status code**. - Default is false. See the add_header directive - for more information. + Default is false. type: boolean name: description: The name of the header. @@ -2436,23 +2377,19 @@ spec: hide: description: The headers that will not be passed* in the response to the client from a proxied upstream - server. See the proxy_hide_header directive for - more information. + server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream server. - See the proxy_ignore_headers directive for more - information. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream server. - See the proxy_pass_header directive for more information. items: type: string type: array @@ -2613,15 +2550,13 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the - proxy_pass_request_header directive for - more information. Default is true. + to the proxied upstream server. Default + is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed - to the proxied upstream servers. See the - proxy_set_header directive for more information. + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: @@ -2648,9 +2583,7 @@ spec: always: description: If set to true, add the header regardless of the response - status code**. Default is false. See - the add_header directive for more - information. + status code**. Default is false. type: boolean name: description: The name of the header. @@ -2663,24 +2596,21 @@ spec: hide: description: The headers that will not be passed* in the response to the client from - a proxied upstream server. See the proxy_hide_header - directive for more information. + a proxied upstream server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream - server. See the proxy_ignore_headers directive - for more information. + server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream - server. See the proxy_pass_header directive - for more information. + server. items: type: string type: array @@ -2766,12 +2696,10 @@ spec: type: string value: description: The value to match the condition against. - How to define a value is shown below the table. type: string variable: description: The name of an NGINX variable. Must - start with $. See the list of the supported variables - below the table. + start with $. type: string type: object type: array @@ -2800,17 +2728,13 @@ spec: properties: pass: description: Passes the original request - headers to the proxied upstream server. - See the proxy_pass_request_header - directive for more information. Default + headers to the proxied upstream server. Default is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed to the proxied upstream servers. - See the proxy_set_header directive - for more information. items: description: Header defines an HTTP Header. @@ -2841,8 +2765,7 @@ spec: description: If set to true, add the header regardless of the response status code**. Default - is false. See the add_header - directive for more information. + is false. type: boolean name: description: The name of the header. @@ -2857,26 +2780,20 @@ spec: description: The headers that will not be passed* in the response to the client from a proxied upstream server. - See the proxy_hide_header directive - for more information. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from - a proxied upstream server. See the - proxy_ignore_headers directive for - more information. + a proxied upstream server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from - a proxied upstream server. See the - proxy_pass_header directive for more - information. + a proxied upstream server. items: type: string type: array @@ -2972,7 +2889,6 @@ spec: policies: description: A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. - See Applying Policies for more details. items: description: PolicyReference references a policy by name and an optional namespace. @@ -3017,15 +2933,13 @@ spec: properties: pass: description: Passes the original request headers - to the proxied upstream server. See the - proxy_pass_request_header directive for - more information. Default is true. + to the proxied upstream server. Default + is true. type: boolean set: description: Allows redefining or appending fields to present request headers passed - to the proxied upstream servers. See the - proxy_set_header directive for more information. + to the proxied upstream servers. items: description: Header defines an HTTP Header. properties: @@ -3052,9 +2966,7 @@ spec: always: description: If set to true, add the header regardless of the response - status code**. Default is false. See - the add_header directive for more - information. + status code**. Default is false. type: boolean name: description: The name of the header. @@ -3067,24 +2979,21 @@ spec: hide: description: The headers that will not be passed* in the response to the client from - a proxied upstream server. See the proxy_hide_header - directive for more information. + a proxied upstream server. items: type: string type: array ignore: description: Disables processing of certain headers** to the client from a proxied upstream - server. See the proxy_ignore_headers directive - for more information. + server. items: type: string type: array pass: description: Allows passing the hidden header fields* to the client from a proxied upstream - server. See the proxy_pass_header directive - for more information. + server. items: type: string type: array @@ -3280,13 +3189,12 @@ spec: buffer-size: description: Sets the size of the buffer used for reading the first part of a response received from the upstream server. - See the proxy_buffer_size directive. The default is set in - the proxy-buffer-size ConfigMap key. + The default is set in the proxy-buffer-size ConfigMap key. type: string buffering: description: Enables buffering of responses from the upstream - server. See the proxy_buffering directive. The default is - set in the proxy-buffering ConfigMap key. + server. The default is set in the proxy-buffering ConfigMap + key. type: boolean buffers: description: Configures the buffers used for reading a response @@ -3303,26 +3211,23 @@ spec: type: object client-max-body-size: description: Sets the maximum allowed size of the client request - body. See the client_max_body_size directive. The default - is set in the client-max-body-size ConfigMap key. + body. The default is set in the client-max-body-size ConfigMap + key. type: string connect-timeout: description: The timeout for establishing a connection with - an upstream server. See the proxy_connect_timeout directive. - The default is specified in the proxy-connect-timeout ConfigMap - key. + an upstream server. The default is specified in the proxy-connect-timeout + ConfigMap key. type: string fail-timeout: description: The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen - to consider the server unavailable. See the fail_timeout parameter - of the server directive. The default is set in the fail-timeout - ConfigMap key. + to consider the server unavailable. The default is set in + the fail-timeout ConfigMap key. type: string healthCheck: description: 'The health check configuration for the Upstream. - See the health_check directive. Note: this feature is supported - only in NGINX Plus.' + Note: this feature is supported only in NGINX Plus.' properties: connect-timeout: description: The timeout for establishing a connection with @@ -3421,9 +3326,8 @@ spec: statusMatch: description: 'The expected response status codes of a health check. By default, the response should have status code - 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See - the documentation of the match directive. This not supported - for gRPC type upstreams.' + 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This + not supported for gRPC type upstreams.' type: string tls: description: The TLS configuration used for health check @@ -3441,8 +3345,8 @@ spec: type: object keepalive: description: Configures the cache for connections to upstream - servers. The value 0 disables the cache. See the keepalive - directive. The default is set in the keepalive ConfigMap key. + servers. The value 0 disables the cache. The default is set + in the keepalive ConfigMap key. type: integer lb-method: description: The load balancing method. To use the round-robin @@ -3451,18 +3355,16 @@ spec: type: string max-conns: description: 'The maximum number of simultaneous active connections - to an upstream server. See the max_conns parameter of the - server directive. By default there is no limit. Note: if keepalive - connections are enabled, the total number of active and idle - keepalive connections to an upstream server may exceed the - max_conns value.' + to an upstream server. By default there is no limit. Note: + if keepalive connections are enabled, the total number of + active and idle keepalive connections to an upstream server + may exceed the max_conns value.' type: integer max-fails: description: The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. - See the max_fails parameter of the server directive. The default - is set in the max-fails ConfigMap key. + The default is set in the max-fails ConfigMap key. type: integer name: description: The name of the upstream. Must be a valid DNS label @@ -3472,27 +3374,24 @@ spec: type: string next-upstream: description: Specifies in which cases a request should be passed - to the next upstream server. See the proxy_next_upstream directive. - The default is error timeout. + to the next upstream server. The default is error timeout. type: string next-upstream-timeout: description: The time during which a request can be passed to - the next upstream server. See the proxy_next_upstream_timeout - directive. The 0 value turns off the time limit. The default - is 0. + the next upstream server. The 0 value turns off the time limit. + The default is 0. type: string next-upstream-tries: description: The number of possible tries for passing a request - to the next upstream server. See the proxy_next_upstream_tries - directive. The 0 value turns off this limit. The default is - 0. + to the next upstream server. The 0 value turns off this limit. + The default is 0. type: integer ntlm: description: 'Allows proxying requests with NTLM Authentication. - See the ntlm directive. In order for NTLM authentication to - work, it is necessary to enable keepalive connections to upstream - servers using the keepalive field. Note: this feature is supported - only in NGINX Plus.' + In order for NTLM authentication to work, it is necessary + to enable keepalive connections to upstream servers using + the keepalive field. Note: this feature is supported only + in NGINX Plus.' type: boolean port: description: The port of the service. If the service doesn’t @@ -3518,13 +3417,13 @@ spec: type: object read-timeout: description: The timeout for reading a response from an upstream - server. See the proxy_read_timeout directive. The default - is specified in the proxy-read-timeout ConfigMap key. + server. The default is specified in the proxy-read-timeout + ConfigMap key. type: string send-timeout: description: The timeout for transmitting a request to an upstream - server. See the proxy_send_timeout directive. The default - is specified in the proxy-send-timeout ConfigMap key. + server. The default is specified in the proxy-send-timeout + ConfigMap key. type: string service: description: The name of a service. The service must belong @@ -3575,10 +3474,9 @@ spec: recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. - By default, the slow start is disabled. See the slow_start - parameter of the server directive. Note: The parameter cannot - be used along with the random , hash or ip_hash load balancing - methods and will be ignored.' + By default, the slow start is disabled. Note: The parameter + cannot be used along with the random , hash or ip_hash load + balancing methods and will be ignored.' type: string subselector: additionalProperties: diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 6fb4ed846f..794681dc89 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -35,9 +35,7 @@ const ( type VirtualServer struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - - // Spec contains the VirtualServer specification. - Spec VirtualServerSpec `json:"spec"` + Spec VirtualServerSpec `json:"spec"` // Status contains the current status of the VirtualServer. Status VirtualServerStatus `json:"status"` } @@ -46,7 +44,7 @@ type VirtualServer struct { type VirtualServerSpec struct { // Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource. IngressClass string `json:"ingressClassName"` - // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. + // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. Host string `json:"host"` // Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource Listener *VirtualServerListener `json:"listener"` @@ -74,7 +72,7 @@ type VirtualServerSpec struct { // VirtualServerListener references a custom http and/or https listener defined in GlobalConfiguration. type VirtualServerListener struct { - // The name of am HTTP listener defined in a GlobalConfiguration resource. + // The name of an HTTP listener defined in a GlobalConfiguration resource. HTTP string `json:"http"` // The name of an HTTPS listener defined in a GlobalConfiguration resource. HTTPS string `json:"https"` @@ -86,11 +84,13 @@ type ExternalDNS struct { Enable bool `json:"enable"` // The record Type that should be created, e.g. “A”, “AAAA”, “CNAME”. This is automatically computed based on the external endpoints if not defined. RecordType string `json:"recordType,omitempty"` - // TTL for the DNS record. This defaults to 0 if not defined. See the ExternalDNS TTL documentation for provider-specific defaults + // TTL for the DNS record. This defaults to 0 if not defined. RecordTTL int64 `json:"recordTTL,omitempty"` // Configure labels to be applied to the Endpoint resources that will be consumed by ExternalDNS. + // +optional Labels map[string]string `json:"labels,omitempty"` // Configure provider specific properties which holds the name and value of a configuration which is specific to individual DNS providers. + // +optional ProviderSpecific ProviderSpecific `json:"providerSpecific,omitempty"` } @@ -126,39 +126,39 @@ type Upstream struct { Port uint16 `json:"port"` // The load balancing method. To use the round-robin method, specify round_robin. The default is specified in the lb-method ConfigMap key. LBMethod string `json:"lb-method"` - // The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. See the fail_timeout parameter of the server directive. The default is set in the fail-timeout ConfigMap key. + // The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. The default is set in the fail-timeout ConfigMap key. FailTimeout string `json:"fail-timeout"` - // The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. See the max_fails parameter of the server directive. The default is set in the max-fails ConfigMap key. + // The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. The default is set in the max-fails ConfigMap key. MaxFails *int `json:"max-fails"` - // The maximum number of simultaneous active connections to an upstream server. See the max_conns parameter of the server directive. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. + // The maximum number of simultaneous active connections to an upstream server. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. MaxConns *int `json:"max-conns"` - // Configures the cache for connections to upstream servers. The value 0 disables the cache. See the keepalive directive. The default is set in the keepalive ConfigMap key. + // Configures the cache for connections to upstream servers. The value 0 disables the cache. The default is set in the keepalive ConfigMap key. Keepalive *int `json:"keepalive"` - // The timeout for establishing a connection with an upstream server. See the proxy_connect_timeout directive. The default is specified in the proxy-connect-timeout ConfigMap key. + // The timeout for establishing a connection with an upstream server. The default is specified in the proxy-connect-timeout ConfigMap key. ProxyConnectTimeout string `json:"connect-timeout"` - // The timeout for reading a response from an upstream server. See the proxy_read_timeout directive. The default is specified in the proxy-read-timeout ConfigMap key. + // The timeout for reading a response from an upstream server. The default is specified in the proxy-read-timeout ConfigMap key. ProxyReadTimeout string `json:"read-timeout"` - // The timeout for transmitting a request to an upstream server. See the proxy_send_timeout directive. The default is specified in the proxy-send-timeout ConfigMap key. + // The timeout for transmitting a request to an upstream server. The default is specified in the proxy-send-timeout ConfigMap key. ProxySendTimeout string `json:"send-timeout"` - // Specifies in which cases a request should be passed to the next upstream server. See the proxy_next_upstream directive. The default is error timeout. + // Specifies in which cases a request should be passed to the next upstream server. The default is error timeout. ProxyNextUpstream string `json:"next-upstream"` - // The time during which a request can be passed to the next upstream server. See the proxy_next_upstream_timeout directive. The 0 value turns off the time limit. The default is 0. + // The time during which a request can be passed to the next upstream server. The 0 value turns off the time limit. The default is 0. ProxyNextUpstreamTimeout string `json:"next-upstream-timeout"` - // The number of possible tries for passing a request to the next upstream server. See the proxy_next_upstream_tries directive. The 0 value turns off this limit. The default is 0. + // The number of possible tries for passing a request to the next upstream server. The 0 value turns off this limit. The default is 0. ProxyNextUpstreamTries int `json:"next-upstream-tries"` - // Enables buffering of responses from the upstream server. See the proxy_buffering directive. The default is set in the proxy-buffering ConfigMap key. + // Enables buffering of responses from the upstream server. The default is set in the proxy-buffering ConfigMap key. ProxyBuffering *bool `json:"buffering"` // Configures the buffers used for reading a response from the upstream server for a single connection. ProxyBuffers *UpstreamBuffers `json:"buffers"` - // Sets the size of the buffer used for reading the first part of a response received from the upstream server. See the proxy_buffer_size directive. The default is set in the proxy-buffer-size ConfigMap key. + // Sets the size of the buffer used for reading the first part of a response received from the upstream server. The default is set in the proxy-buffer-size ConfigMap key. ProxyBufferSize string `json:"buffer-size"` - // Sets the maximum allowed size of the client request body. See the client_max_body_size directive. The default is set in the client-max-body-size ConfigMap key. + // Sets the maximum allowed size of the client request body. The default is set in the client-max-body-size ConfigMap key. ClientMaxBodySize string `json:"client-max-body-size"` // The TLS configuration for the Upstream. TLS UpstreamTLS `json:"tls"` - // The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. + // The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. HealthCheck *HealthCheck `json:"healthCheck"` - // The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. See the slow_start parameter of the server directive. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. + // The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. SlowStart string `json:"slow-start"` // Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus. Queue *UpstreamQueue `json:"queue"` @@ -166,7 +166,7 @@ type Upstream struct { SessionCookie *SessionCookie `json:"sessionCookie"` // Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like lb-method and next-upstream) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. UseClusterIP bool `json:"use-cluster-ip"` - // Allows proxying requests with NTLM Authentication. See the ntlm directive. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. + // Allows proxying requests with NTLM Authentication. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. NTLM bool `json:"ntlm"` // The type of the upstream. Supported values are http and grpc. The default is http. For gRPC, it is necessary to enable HTTP/2 in the ConfigMap and configure TLS termination in the VirtualServer. Type string `json:"type"` @@ -216,7 +216,7 @@ type HealthCheck struct { SendTimeout string `json:"send-timeout"` // The request headers used for health check requests. NGINX Plus always sets the Host, User-Agent and Connection headers for health check requests. Headers []Header `json:"headers"` - // The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See the documentation of the match directive. This not supported for gRPC type upstreams. + // The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This not supported for gRPC type upstreams. StatusMatch string `json:"statusMatch"` // The expected gRPC status code of the upstream server response to the Check method. Configure this field only if your gRPC services do not implement the gRPC health checking protocol. For example, configure 12 if the upstream server responds with 12 (UNIMPLEMENTED) status code. Only valid on gRPC type upstreams. GRPCStatus *int `json:"grpcStatus"` @@ -262,7 +262,7 @@ type SessionCookie struct { type Route struct { // The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( / , /path ), an exact match ( =/exact/match ), a case insensitive regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive regular expression ( ~^/foo.*\.jpg ). In the case of a prefix (must start with / ) or an exact match (must start with = ), the path must not include any whitespace characters, { , } or ;. In the case of the regex matches, all double quotes " must be escaped and the match can’t end in an unescaped backslash \. The path must be unique among the paths of all routes of the VirtualServer. Check the location directive for more information. Path string `json:"path"` - // A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. See Applying Policies for more details. + // A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. Policies []PolicyReference `json:"policies"` // The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, tea-namespace/tea. Route string `json:"route"` @@ -326,19 +326,19 @@ type ActionProxy struct { // ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. type ProxyRequestHeaders struct { - // Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. + // Passes the original request headers to the proxied upstream server. Default is true. Pass *bool `json:"pass"` - // Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. + // Allows redefining or appending fields to present request headers passed to the proxied upstream servers. Set []Header `json:"set"` } // ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. type ProxyResponseHeaders struct { - // The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. + // The headers that will not be passed* in the response to the client from a proxied upstream server. Hide []string `json:"hide"` - // Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. + // Allows passing the hidden header fields* to the client from a proxied upstream server. Pass []string `json:"pass"` - // Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. + // Disables processing of certain headers** to the client from a proxied upstream server. Ignore []string `json:"ignore"` // Adds headers to the response to the client. Add []AddHeader `json:"add"` @@ -347,7 +347,7 @@ type ProxyResponseHeaders struct { // AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. type AddHeader struct { Header `json:",inline"` - // If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. + // If set to true, add the header regardless of the response status code**. Default is false. Always bool `json:"always"` } @@ -367,9 +367,9 @@ type Condition struct { Cookie string `json:"cookie"` // The name of an argument. Must consist of alphanumeric characters or _. Argument string `json:"argument"` - // The name of an NGINX variable. Must start with $. See the list of the supported variables below the table. + // The name of an NGINX variable. Must start with $. Variable string `json:"variable"` - // The value to match the condition against. How to define a value is shown below the table. + // The value to match the condition against. Value string `json:"value"` } @@ -545,8 +545,7 @@ type VirtualServerRouteStatus struct { type GlobalConfiguration struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // spec field of the GlobalConfiguration resource - Spec GlobalConfigurationSpec `json:"spec"` + Spec GlobalConfigurationSpec `json:"spec"` } // GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. @@ -563,9 +562,7 @@ type Listener struct { Protocol string `json:"protocol"` // The port on which the listener will accept connections. Port int `json:"port"` - // Custom SNI processing for listener. Allows listener to be used as a passthrough for SNI processing - PassSNI bool `json:"passSNI"` - // ipv4 and ipv6 addresses that NGINX will listen on. Defaults to listening on all available IPv4 and IPv6 addresses. + // Specifies the IPv4 address to listen on. IPv4 string `json:"ipv4"` // ipv6 addresses that NGINX will listen on. IPv6 string `json:"ipv6"` @@ -598,8 +595,7 @@ type GlobalConfigurationList struct { type TransportServer struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // spec field of the TransportServer resource - Spec TransportServerSpec `json:"spec"` + Spec TransportServerSpec `json:"spec"` // status field of the TransportServer resource Status TransportServerStatus `json:"status"` } @@ -616,7 +612,7 @@ type TransportServerSpec struct { ServerSnippets string `json:"serverSnippets"` // Sets a custom snippet in the stream context. Overrides the stream-snippets ConfigMap key. StreamSnippets string `json:"streamSnippets"` - // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. + // The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. Host string `json:"host"` // A list of upstreams. Upstreams []TransportServerUpstream `json:"upstreams"` @@ -655,9 +651,9 @@ type TransportServerUpstream struct { MaxFails *int `json:"maxFails"` // Sets the time during which the specified number of unsuccessful attempts to communicate with the server should happen to consider the server unavailable and the period of time the server will be considered unavailable. The default is 10s. MaxConns *int `json:"maxConns"` - // The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. + // The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. HealthCheck *TransportServerHealthCheck `json:"healthCheck"` - // The method used to load balance the upstream servers. By default, connections are distributed between the servers using a weighted round-robin balancing method. See the upstream section for available methods and their details. + // The method used to load balance the upstream servers. By default, connections are distributed between the servers using a weighted round-robin balancing method. LoadBalancingMethod string `json:"loadBalancingMethod"` // The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. Backup string `json:"backup"` @@ -695,23 +691,23 @@ type TransportServerMatch struct { // UpstreamParameters defines parameters for an upstream. type UpstreamParameters struct { - // The number of datagrams, after receiving which, the next datagram from the same client starts a new session. See the proxy_requests directive. The default is 0. + // The number of datagrams, after receiving which, the next datagram from the same client starts a new session. The default is 0. UDPRequests *int `json:"udpRequests"` - // The number of datagrams expected from the proxied server in response to a client datagram. See the proxy_responses directive. By default, the number of datagrams is not limited. + // The number of datagrams expected from the proxied server in response to a client datagram. By default, the number of datagrams is not limited. UDPResponses *int `json:"udpResponses"` - // The timeout for establishing a connection with a proxied server. See the proxy_connect_timeout directive. The default is 60s. + // The timeout for establishing a connection with a proxied server. The default is 60s. ConnectTimeout string `json:"connectTimeout"` - // If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. See the proxy_next_upstream directive. The default is true. + // If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. The default is true. NextUpstream bool `json:"nextUpstream"` - // The time allowed to pass a connection to the next server. See the proxy_next_upstream_timeout directive. The default us 0. + // The time allowed to pass a connection to the next server. The default us 0. NextUpstreamTimeout string `json:"nextUpstreamTimeout"` - // The number of tries for passing a connection to the next server. See the proxy_next_upstream_tries directive. The default is 0. + // The number of tries for passing a connection to the next server. The default is 0. NextUpstreamTries int `json:"nextUpstreamTries"` } // SessionParameters defines session parameters. type SessionParameters struct { - // The timeout between two successive read or write operations on client or proxied server connections. See proxy_timeout directive. The default is 10m. + // The timeout between two successive read or write operations on client or proxied server connections. The default is 10m. Timeout string `json:"timeout"` } @@ -754,8 +750,7 @@ type TransportServerList struct { type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // spec field of the Policy resource - Spec PolicySpec `json:"spec"` + Spec PolicySpec `json:"spec"` // status field of the Policy resource Status PolicyStatus `json:"status"` } @@ -819,7 +814,7 @@ type RateLimit struct { Rate string `json:"rate"` // The key to which the rate limit is applied. Can contain text, variables, or a combination of them. // Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are - // $binary_remote_addr,$request_uri,$request_method,$url,$http_, $args,$arg_,$cookie_,$jwt_claim_. + // $binary_remote_addr , $request_uri , $request_method , $url , $http_ , $args , $arg_, $cookie_ ,$jwt_claim_ . Key string `json:"key"` // The delay parameter specifies a limit at which excessive requests become delayed. If not set all excessive requests are delayed. Delay *int `json:"delay"` From 271adb03fc7fcdfb3f681f769238bb5219bc3f83 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Mon, 21 Jul 2025 14:18:55 +0100 Subject: [PATCH 13/33] finalising the updates types.go files 2 --- pkg/apis/configuration/v1/types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 794681dc89..4a25b75584 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -108,7 +108,7 @@ type ProviderSpecificProperty struct { // PolicyReference references a policy by name and an optional namespace. type PolicyReference struct { - // The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. v + // The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. Name string `json:"name"` // The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. Namespace string `json:"namespace"` From 6c32c1664e775fc0ce2ebd6efb7e2b8d1ff8c55f Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Mon, 21 Jul 2025 17:20:04 +0100 Subject: [PATCH 14/33] reverting changes in the main.go --- cmd/nginx-ingress/main.go | 17 ++++++++--------- pkg/apis/configuration/v1/types.go | 15 +++++++-------- 2 files changed, 15 insertions(+), 17 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index d62d982333..d487a8204d 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -1055,7 +1055,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde // Copy pod and update the labels. newPod := pod.DeepCopy() - labels := newPod.Labels + labels := newPod.ObjectMeta.Labels if labels == nil { labels = make(map[string]string) } @@ -1068,8 +1068,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde if agentVersion != "" { labels[agentVersionLabel] = agentVersion } - newPod.Labels = labels - + newPod.ObjectMeta.Labels = labels _, err = kubeClient.CoreV1().Pods(newPod.ObjectMeta.Namespace).Update(context.TODO(), newPod, meta_v1.UpdateOptions{}) if err != nil { nl.Errorf(l, "Error updating pod with labels on attempt %d of %d: %v", i+1, maxRetries, err) @@ -1081,7 +1080,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde fmt.Fprintf(labelsString, "%s=\"%s\", ", key, value) } eventLog.Eventf(newPod, api_v1.EventTypeNormal, nl.EventReasonUpdatePodLabel, "Successfully added version labels, %s", strings.TrimRight(labelsString.String(), ", ")) - nl.Infof(l, "Pod label updated: %s", pod.Name) + nl.Infof(l, "Pod label updated: %s", pod.ObjectMeta.Name) podUpdated = true } @@ -1092,7 +1091,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde func createAndValidateHeadlessService(ctx context.Context, kubeClient kubernetes.Interface, cfgParams *configs.ConfigParams, controllerNamespace string, pod *api_v1.Pod) error { l := nl.LoggerFromContext(ctx) - owner := pod.OwnerReferences[0] + owner := pod.ObjectMeta.OwnerReferences[0] name := owner.Name if strings.ToLower(owner.Kind) == "replicaset" { if dash := strings.LastIndex(name, "-"); dash != -1 { @@ -1201,12 +1200,12 @@ func initLogger(logFormat string, level slog.Level, out io.Writer) context.Conte }, } - switch logFormat { - case "glog": + switch { + case logFormat == "glog": h = nic_glog.New(out, &nic_glog.Options{Level: programLevel}) - case "json": + case logFormat == "json": h = slog.NewJSONHandler(out, opts) - case "text": + case logFormat == "text": h = slog.NewTextHandler(out, opts) default: h = nic_glog.New(out, &nic_glog.Options{Level: programLevel}) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 4a25b75584..3f3146ebef 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -108,7 +108,7 @@ type ProviderSpecificProperty struct { // PolicyReference references a policy by name and an optional namespace. type PolicyReference struct { - // The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. + // The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. Name string `json:"name"` // The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. Namespace string `json:"namespace"` @@ -118,7 +118,7 @@ type PolicyReference struct { type Upstream struct { // The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. Name string `json:"name"` - // The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported (check the prerequisites ). + // The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported (check the prerequisites). Service string `json:"service"` // Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. Subselector map[string]string `json:"subselector"` @@ -246,7 +246,7 @@ type SessionCookie struct { Name string `json:"name"` // The path for which the cookie is set. Path string `json:"path"` - // The time for which a browser should keep the cookie. Can be set to the special value max , which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. + // The time for which a browser should keep the cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. Expires string `json:"expires"` // The domain for which the cookie is set. Domain string `json:"domain"` @@ -564,7 +564,7 @@ type Listener struct { Port int `json:"port"` // Specifies the IPv4 address to listen on. IPv4 string `json:"ipv4"` - // ipv6 addresses that NGINX will listen on. + // ipv6 addresse that NGINX will listen on. IPv6 string `json:"ipv6"` // Whether the listener will be listening for SSL connections Ssl bool `json:"ssl"` @@ -655,7 +655,7 @@ type TransportServerUpstream struct { HealthCheck *TransportServerHealthCheck `json:"healthCheck"` // The method used to load balance the upstream servers. By default, connections are distributed between the servers using a weighted round-robin balancing method. LoadBalancingMethod string `json:"loadBalancingMethod"` - // The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. + // The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. Backup string `json:"backup"` // The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. BackupPort *uint16 `json:"backupPort"` @@ -733,8 +733,7 @@ type TransportServerStatus struct { type TransportServerList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` - // Items field of the TransportServerList resource - Items []TransportServer `json:"items"` + Items []TransportServer `json:"items"` } // +genclient @@ -814,7 +813,7 @@ type RateLimit struct { Rate string `json:"rate"` // The key to which the rate limit is applied. Can contain text, variables, or a combination of them. // Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are - // $binary_remote_addr , $request_uri , $request_method , $url , $http_ , $args , $arg_, $cookie_ ,$jwt_claim_ . + // $binary_remote_addr, $request_uri, $request_method, $url, $http_, $args, $arg_, $cookie_,$jwt_claim_ . Key string `json:"key"` // The delay parameter specifies a limit at which excessive requests become delayed. If not set all excessive requests are delayed. Delay *int `json:"delay"` From fa5963d7b6979cdf6bb32ef913d5c8d46c4c9fc2 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Tue, 22 Jul 2025 12:18:25 +0100 Subject: [PATCH 15/33] addressing comments --- pkg/apis/configuration/v1/types.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 3f3146ebef..bbdf900429 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -118,7 +118,7 @@ type PolicyReference struct { type Upstream struct { // The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. Name string `json:"name"` - // The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported (check the prerequisites). + // The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported . Service string `json:"service"` // Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. Subselector map[string]string `json:"subselector"` @@ -548,7 +548,7 @@ type GlobalConfiguration struct { Spec GlobalConfigurationSpec `json:"spec"` } -// GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. +// The GlobalConfiguration resource defines the global configuration parameters of the Ingress Controller. type GlobalConfigurationSpec struct { // Listeners field of the GlobalConfigurationSpec resource Listeners []Listener `json:"listeners"` @@ -596,7 +596,7 @@ type TransportServer struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` Spec TransportServerSpec `json:"spec"` - // status field of the TransportServer resource + // The status of the TransportServer resource Status TransportServerStatus `json:"status"` } @@ -616,7 +616,7 @@ type TransportServerSpec struct { Host string `json:"host"` // A list of upstreams. Upstreams []TransportServerUpstream `json:"upstreams"` - // The UpstreamParameters are set on stream context + // UpstreamParameters defines parameters for an upstream. UpstreamParameters *UpstreamParameters `json:"upstreamParameters"` // The parameters of the session to be used for the Server context SessionParameters *SessionParameters `json:"sessionParameters"` @@ -719,7 +719,7 @@ type TransportServerAction struct { // TransportServerStatus defines the status for the TransportServer resource. type TransportServerStatus struct { - // Represents the current state of the resource. There are three possible values: Valid, Invalid and Warning. Valid indicates that the resource has been validated and accepted by the Ingress Controller. Invalid means the resource failed validation or + // Represents the current state of the resource. Possible values: Valid (resource validated and accepted), Invalid (validation failed or config reload failed), or Warning (validated but may work in degraded state). State string `json:"state"` // The reason of the current state of the resource. Reason string `json:"reason"` @@ -750,7 +750,7 @@ type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` Spec PolicySpec `json:"spec"` - // status field of the Policy resource + // the status of the Policy resource Status PolicyStatus `json:"status"` } From 078d39ca1d322bc6ffded21a38e7391b8325edfd Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Tue, 22 Jul 2025 12:26:01 +0100 Subject: [PATCH 16/33] addressing comment --- .../k8s.nginx.org_globalconfigurations.yaml | 6 +- config/crd/bases/k8s.nginx.org_policies.yaml | 4 +- .../bases/k8s.nginx.org_transportservers.yaml | 14 +-- .../k8s.nginx.org_virtualserverroutes.yaml | 8 +- .../bases/k8s.nginx.org_virtualservers.yaml | 12 +-- deploy/crds.yaml | 44 ++++---- .../crd/k8s.nginx.org_globalconfigurations.md | 5 +- docs/crd/k8s.nginx.org_policies.md | 2 +- docs/crd/k8s.nginx.org_transportservers.md | 24 ++--- docs/crd/k8s.nginx.org_virtualserverroutes.md | 94 ++++++++-------- docs/crd/k8s.nginx.org_virtualservers.md | 102 +++++++++--------- pkg/apis/configuration/v1/types.go | 2 +- 12 files changed, 158 insertions(+), 159 deletions(-) diff --git a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml index fb32865529..0d8c0e65c0 100644 --- a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml +++ b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml @@ -39,8 +39,8 @@ spec: metadata: type: object spec: - description: GlobalConfigurationSpec is the spec of the GlobalConfiguration - resource. + description: The GlobalConfigurationSpec resource defines the global configuration + parameters of the Ingress Controller. properties: listeners: description: Listeners field of the GlobalConfigurationSpec resource @@ -51,7 +51,7 @@ spec: description: Specifies the IPv4 address to listen on. type: string ipv6: - description: ipv6 addresses that NGINX will listen on. + description: ipv6 addresse that NGINX will listen on. type: string name: description: The name of the listener. The name must be unique diff --git a/config/crd/bases/k8s.nginx.org_policies.yaml b/config/crd/bases/k8s.nginx.org_policies.yaml index 2bb6f3b0d9..07ce7c2b60 100644 --- a/config/crd/bases/k8s.nginx.org_policies.yaml +++ b/config/crd/bases/k8s.nginx.org_policies.yaml @@ -353,7 +353,7 @@ spec: description: |- The key to which the rate limit is applied. Can contain text, variables, or a combination of them. Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are - $binary_remote_addr , $request_uri , $request_method , $url , $http_ , $args , $arg_, $cookie_ ,$jwt_claim_ . + $binary_remote_addr, $request_uri, $request_method, $url, $http_, $args, $arg_, $cookie_,$jwt_claim_ . type: string logLevel: description: Sets the desired logging level for cases when the @@ -450,7 +450,7 @@ spec: type: object type: object status: - description: status field of the Policy resource + description: the status of the Policy resource properties: message: description: The message of the current state of the resource. It diff --git a/config/crd/bases/k8s.nginx.org_transportservers.yaml b/config/crd/bases/k8s.nginx.org_transportservers.yaml index 7585217bcf..acd44915fd 100644 --- a/config/crd/bases/k8s.nginx.org_transportservers.yaml +++ b/config/crd/bases/k8s.nginx.org_transportservers.yaml @@ -110,7 +110,7 @@ spec: type: string type: object upstreamParameters: - description: The UpstreamParameters are set on stream context + description: UpstreamParameters defines parameters for an upstream. properties: connectTimeout: description: The timeout for establishing a connection with a @@ -148,7 +148,7 @@ spec: backup: description: 'The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. - Note: The parameter cannot be used along with the random , + Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods.' type: string backupPort: @@ -256,7 +256,7 @@ spec: type: array type: object status: - description: status field of the TransportServer resource + description: The status of the TransportServer resource properties: message: description: The message of the current state of the resource. It @@ -266,10 +266,10 @@ spec: description: The reason of the current state of the resource. type: string state: - description: 'Represents the current state of the resource. There - are three possible values: Valid, Invalid and Warning. Valid indicates - that the resource has been validated and accepted by the Ingress - Controller. Invalid means the resource failed validation or' + description: 'Represents the current state of the resource. Possible + values: Valid (resource validated and accepted), Invalid (validation + failed or config reload failed), or Warning (validated but may work + in degraded state).' type: string type: object type: object diff --git a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml index 888b1f981d..cc04eb180d 100644 --- a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml @@ -660,9 +660,9 @@ spec: an optional namespace. properties: name: - description: "The name of a policy. If the policy doesn’t + description: The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response - with the 500 status code.\tv" + with the 500 status code. type: string namespace: description: The namespace of a policy. If not specified, @@ -1095,7 +1095,7 @@ spec: exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported - (check the prerequisites ). + . type: string sessionCookie: description: The SessionCookie field configures session persistence @@ -1113,7 +1113,7 @@ spec: type: boolean expires: description: The time for which a browser should keep the - cookie. Can be set to the special value max , which will + cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. type: string httpOnly: diff --git a/config/crd/bases/k8s.nginx.org_virtualservers.yaml b/config/crd/bases/k8s.nginx.org_virtualservers.yaml index ba0450bf98..dfce31b01b 100644 --- a/config/crd/bases/k8s.nginx.org_virtualservers.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualservers.yaml @@ -153,9 +153,9 @@ spec: optional namespace. properties: name: - description: "The name of a policy. If the policy doesn’t exist + description: The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with - the 500 status code.\tv" + the 500 status code. type: string namespace: description: The namespace of a policy. If not specified, the @@ -747,9 +747,9 @@ spec: an optional namespace. properties: name: - description: "The name of a policy. If the policy doesn’t + description: The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response - with the 500 status code.\tv" + with the 500 status code. type: string namespace: description: The namespace of a policy. If not specified, @@ -1284,7 +1284,7 @@ spec: exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported - (check the prerequisites ). + . type: string sessionCookie: description: The SessionCookie field configures session persistence @@ -1302,7 +1302,7 @@ spec: type: boolean expires: description: The time for which a browser should keep the - cookie. Can be set to the special value max , which will + cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. type: string httpOnly: diff --git a/deploy/crds.yaml b/deploy/crds.yaml index 146d1e290e..c2ac09a9ee 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -135,8 +135,8 @@ spec: metadata: type: object spec: - description: GlobalConfigurationSpec is the spec of the GlobalConfiguration - resource. + description: The GlobalConfigurationSpec resource defines the global configuration + parameters of the Ingress Controller. properties: listeners: description: Listeners field of the GlobalConfigurationSpec resource @@ -147,7 +147,7 @@ spec: description: Specifies the IPv4 address to listen on. type: string ipv6: - description: ipv6 addresses that NGINX will listen on. + description: ipv6 addresse that NGINX will listen on. type: string name: description: The name of the listener. The name must be unique @@ -524,7 +524,7 @@ spec: description: |- The key to which the rate limit is applied. Can contain text, variables, or a combination of them. Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are - $binary_remote_addr , $request_uri , $request_method , $url , $http_ , $args , $arg_, $cookie_ ,$jwt_claim_ . + $binary_remote_addr, $request_uri, $request_method, $url, $http_, $args, $arg_, $cookie_,$jwt_claim_ . type: string logLevel: description: Sets the desired logging level for cases when the @@ -621,7 +621,7 @@ spec: type: object type: object status: - description: status field of the Policy resource + description: the status of the Policy resource properties: message: description: The message of the current state of the resource. It @@ -754,7 +754,7 @@ spec: type: string type: object upstreamParameters: - description: The UpstreamParameters are set on stream context + description: UpstreamParameters defines parameters for an upstream. properties: connectTimeout: description: The timeout for establishing a connection with a @@ -792,7 +792,7 @@ spec: backup: description: 'The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. - Note: The parameter cannot be used along with the random , + Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods.' type: string backupPort: @@ -900,7 +900,7 @@ spec: type: array type: object status: - description: status field of the TransportServer resource + description: The status of the TransportServer resource properties: message: description: The message of the current state of the resource. It @@ -910,10 +910,10 @@ spec: description: The reason of the current state of the resource. type: string state: - description: 'Represents the current state of the resource. There - are three possible values: Valid, Invalid and Warning. Valid indicates - that the resource has been validated and accepted by the Ingress - Controller. Invalid means the resource failed validation or' + description: 'Represents the current state of the resource. Possible + values: Valid (resource validated and accepted), Invalid (validation + failed or config reload failed), or Warning (validated but may work + in degraded state).' type: string type: object type: object @@ -1583,9 +1583,9 @@ spec: an optional namespace. properties: name: - description: "The name of a policy. If the policy doesn’t + description: The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response - with the 500 status code.\tv" + with the 500 status code. type: string namespace: description: The namespace of a policy. If not specified, @@ -2018,7 +2018,7 @@ spec: exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported - (check the prerequisites ). + . type: string sessionCookie: description: The SessionCookie field configures session persistence @@ -2036,7 +2036,7 @@ spec: type: boolean expires: description: The time for which a browser should keep the - cookie. Can be set to the special value max , which will + cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. type: string httpOnly: @@ -2300,9 +2300,9 @@ spec: optional namespace. properties: name: - description: "The name of a policy. If the policy doesn’t exist + description: The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with - the 500 status code.\tv" + the 500 status code. type: string namespace: description: The namespace of a policy. If not specified, the @@ -2894,9 +2894,9 @@ spec: an optional namespace. properties: name: - description: "The name of a policy. If the policy doesn’t + description: The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response - with the 500 status code.\tv" + with the 500 status code. type: string namespace: description: The namespace of a policy. If not specified, @@ -3431,7 +3431,7 @@ spec: exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported - (check the prerequisites ). + . type: string sessionCookie: description: The SessionCookie field configures session persistence @@ -3449,7 +3449,7 @@ spec: type: boolean expires: description: The time for which a browser should keep the - cookie. Can be set to the special value max , which will + cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. type: string httpOnly: diff --git a/docs/crd/k8s.nginx.org_globalconfigurations.md b/docs/crd/k8s.nginx.org_globalconfigurations.md index a5c61b4ced..55beeee5d7 100644 --- a/docs/crd/k8s.nginx.org_globalconfigurations.md +++ b/docs/crd/k8s.nginx.org_globalconfigurations.md @@ -16,10 +16,9 @@ The `.spec` object supports the following fields: | Field | Type | Description | |---|---|---| | `listeners` | `array` | Listeners field of the GlobalConfigurationSpec resource | -| `listeners[].ipv4` | `string` | Ipv4 and ipv6 addresses that NGINX will listen on. Defaults to listening on all available IPv4 and IPv6 addresses. | -| `listeners[].ipv6` | `string` | Ipv6 addresses that NGINX will listen on. | +| `listeners[].ipv4` | `string` | Specifies the IPv4 address to listen on. | +| `listeners[].ipv6` | `string` | Ipv6 addresse that NGINX will listen on. | | `listeners[].name` | `string` | The name of the listener. The name must be unique across all listeners. | -| `listeners[].passSNI` | `boolean` | Custom SNI processing for listener. Allows listener to be used as a passthrough for SNI processing | | `listeners[].port` | `integer` | The port on which the listener will accept connections. | | `listeners[].protocol` | `string` | The protocol of the listener. For example, HTTP. | | `listeners[].ssl` | `boolean` | Whether the listener will be listening for SSL connections | diff --git a/docs/crd/k8s.nginx.org_policies.md b/docs/crd/k8s.nginx.org_policies.md index ae60d8f366..51e9a57664 100644 --- a/docs/crd/k8s.nginx.org_policies.md +++ b/docs/crd/k8s.nginx.org_policies.md @@ -74,7 +74,7 @@ The `.spec` object supports the following fields: | `rateLimit.condition.variables[].name` | `string` | The name of the variable to match against. | | `rateLimit.delay` | `integer` | The delay parameter specifies a limit at which excessive requests become delayed. If not set all excessive requests are delayed. | | `rateLimit.dryRun` | `boolean` | Enables the dry run mode. In this mode, the rate limit is not actually applied, but the number of excessive requests is accounted as usual in the shared memory zone. | -| `rateLimit.key` | `string` | The key to which the rate limit is applied. Can contain text, variables, or a combination of them. Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are $binary_remote_addr,$request_uri,$request_method,$url,$http_, $args,$arg_,$cookie_,$jwt_claim_. | +| `rateLimit.key` | `string` | The key to which the rate limit is applied. Can contain text, variables, or a combination of them. Variables must be surrounded by ${}. For example: ${binary_remote_addr}. Accepted variables are $binary_remote_addr, $request_uri, $request_method, $url, $http_, $args, $arg_, $cookie_,$jwt_claim_ . | | `rateLimit.logLevel` | `string` | Sets the desired logging level for cases when the server refuses to process requests due to rate exceeding, or delays request processing. Allowed values are info, notice, warn or error. Default is error. | | `rateLimit.noDelay` | `boolean` | Disables the delaying of excessive requests while requests are being limited. Overrides delay if both are set. | | `rateLimit.rate` | `string` | The rate of requests permitted. The rate is specified in requests per second (r/s) or requests per minute (r/m). | diff --git a/docs/crd/k8s.nginx.org_transportservers.md b/docs/crd/k8s.nginx.org_transportservers.md index 698607ab47..ec1eb62428 100644 --- a/docs/crd/k8s.nginx.org_transportservers.md +++ b/docs/crd/k8s.nginx.org_transportservers.md @@ -17,29 +17,29 @@ The `.spec` object supports the following fields: |---|---|---| | `action` | `object` | The action to perform for a request. | | `action.pass` | `string` | Passes connections/datagrams to an upstream. The upstream with that name must be defined in the resource. | -| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. | +| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. | | `ingressClassName` | `string` | Specifies which Ingress Controller must handle the VirtualServer resource. | | `listener` | `object` | Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource | | `listener.name` | `string` | The name of a listener defined in a GlobalConfiguration resource. | | `listener.protocol` | `string` | The protocol of the listener. | | `serverSnippets` | `string` | Sets a custom snippet in server context. Overrides the server-snippets ConfigMap key. | | `sessionParameters` | `object` | The parameters of the session to be used for the Server context | -| `sessionParameters.timeout` | `string` | The timeout between two successive read or write operations on client or proxied server connections. See proxy_timeout directive. The default is 10m. | +| `sessionParameters.timeout` | `string` | The timeout between two successive read or write operations on client or proxied server connections. The default is 10m. | | `streamSnippets` | `string` | Sets a custom snippet in the stream context. Overrides the stream-snippets ConfigMap key. | | `tls` | `object` | The TLS termination configuration. | | `tls.secret` | `string` | String configuration value. | -| `upstreamParameters` | `object` | The UpstreamParameters are set on stream context | -| `upstreamParameters.connectTimeout` | `string` | The timeout for establishing a connection with a proxied server. See the proxy_connect_timeout directive. The default is 60s. | -| `upstreamParameters.nextUpstream` | `boolean` | If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. See the proxy_next_upstream directive. The default is true. | -| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. See the proxy_next_upstream_timeout directive. The default us 0. | -| `upstreamParameters.nextUpstreamTries` | `integer` | The number of tries for passing a connection to the next server. See the proxy_next_upstream_tries directive. The default is 0. | -| `upstreamParameters.udpRequests` | `integer` | The number of datagrams, after receiving which, the next datagram from the same client starts a new session. See the proxy_requests directive. The default is 0. | -| `upstreamParameters.udpResponses` | `integer` | The number of datagrams expected from the proxied server in response to a client datagram. See the proxy_responses directive. By default, the number of datagrams is not limited. | +| `upstreamParameters` | `object` | UpstreamParameters defines parameters for an upstream. | +| `upstreamParameters.connectTimeout` | `string` | The timeout for establishing a connection with a proxied server. The default is 60s. | +| `upstreamParameters.nextUpstream` | `boolean` | If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. The default is true. | +| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. The default us 0. | +| `upstreamParameters.nextUpstreamTries` | `integer` | The number of tries for passing a connection to the next server. The default is 0. | +| `upstreamParameters.udpRequests` | `integer` | The number of datagrams, after receiving which, the next datagram from the same client starts a new session. The default is 0. | +| `upstreamParameters.udpResponses` | `integer` | The number of datagrams expected from the proxied server in response to a client datagram. By default, the number of datagrams is not limited. | | `upstreams` | `array` | A list of upstreams. | -| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. | +| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. | | `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | | `upstreams[].failTimeout` | `string` | Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. The default 1. | -| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. | | `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. | | `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. | | `upstreams[].healthCheck.interval` | `string` | The interval between two consecutive health checks. The default is 5s. | @@ -50,7 +50,7 @@ The `.spec` object supports the following fields: | `upstreams[].healthCheck.passes` | `integer` | The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is 1. | | `upstreams[].healthCheck.port` | `integer` | The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. | | `upstreams[].healthCheck.timeout` | `string` | This overrides the timeout set by proxy_timeout which is set in SessionParameters for health checks. The default value is 5s. | -| `upstreams[].loadBalancingMethod` | `string` | The method used to load balance the upstream servers. By default, connections are distributed between the servers using a weighted round-robin balancing method. See the upstream section for available methods and their details. | +| `upstreams[].loadBalancingMethod` | `string` | The method used to load balance the upstream servers. By default, connections are distributed between the servers using a weighted round-robin balancing method. | | `upstreams[].maxConns` | `integer` | Sets the time during which the specified number of unsuccessful attempts to communicate with the server should happen to consider the server unavailable and the period of time the server will be considered unavailable. The default is 10s. | | `upstreams[].maxFails` | `integer` | Sets the number of maximum connections to the proxied server. Default value is zero, meaning there is no limit. The default is 0. | | `upstreams[].name` | `string` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. | diff --git a/docs/crd/k8s.nginx.org_virtualserverroutes.md b/docs/crd/k8s.nginx.org_virtualserverroutes.md index 7239527b61..046c05d9aa 100644 --- a/docs/crd/k8s.nginx.org_virtualserverroutes.md +++ b/docs/crd/k8s.nginx.org_virtualserverroutes.md @@ -22,18 +22,18 @@ The `.spec` object supports the following fields: | `subroutes[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | | `subroutes[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | | `subroutes[].action.proxy.requestHeaders` | `object` | The request headers modifications. | -| `subroutes[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | -| `subroutes[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `subroutes[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `subroutes[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | | `subroutes[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | | `subroutes[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | | `subroutes[].action.proxy.responseHeaders` | `object` | The response headers modifications. | | `subroutes[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | -| `subroutes[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `subroutes[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | | `subroutes[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | | `subroutes[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | -| `subroutes[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | -| `subroutes[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | -| `subroutes[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `subroutes[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `subroutes[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `subroutes[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | | `subroutes[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `subroutes[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `subroutes[].action.redirect` | `object` | Redirects requests to a provided URL. | @@ -65,18 +65,18 @@ The `.spec` object supports the following fields: | `subroutes[].matches[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | | `subroutes[].matches[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | | `subroutes[].matches[].action.proxy.requestHeaders` | `object` | The request headers modifications. | -| `subroutes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | -| `subroutes[].matches[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `subroutes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `subroutes[].matches[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | | `subroutes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | | `subroutes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | | `subroutes[].matches[].action.proxy.responseHeaders` | `object` | The response headers modifications. | | `subroutes[].matches[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | -| `subroutes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `subroutes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | | `subroutes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | | `subroutes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | -| `subroutes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | -| `subroutes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | -| `subroutes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `subroutes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `subroutes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `subroutes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | | `subroutes[].matches[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `subroutes[].matches[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `subroutes[].matches[].action.redirect` | `object` | Redirects requests to a provided URL. | @@ -93,25 +93,25 @@ The `.spec` object supports the following fields: | `subroutes[].matches[].conditions[].argument` | `string` | The name of an argument. Must consist of alphanumeric characters or _. | | `subroutes[].matches[].conditions[].cookie` | `string` | The name of a cookie. Must consist of alphanumeric characters or _. | | `subroutes[].matches[].conditions[].header` | `string` | The name of a header. Must consist of alphanumeric characters or -. | -| `subroutes[].matches[].conditions[].value` | `string` | The value to match the condition against. How to define a value is shown below the table. | -| `subroutes[].matches[].conditions[].variable` | `string` | The name of an NGINX variable. Must start with $. See the list of the supported variables below the table. | +| `subroutes[].matches[].conditions[].value` | `string` | The value to match the condition against. | +| `subroutes[].matches[].conditions[].variable` | `string` | The name of an NGINX variable. Must start with $. | | `subroutes[].matches[].splits` | `array` | The splits configuration for traffic splitting. Must include at least 2 splits. | | `subroutes[].matches[].splits[].action` | `object` | The action to perform for a request. | | `subroutes[].matches[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | | `subroutes[].matches[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | | `subroutes[].matches[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | -| `subroutes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | -| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `subroutes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `subroutes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | | `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | | `subroutes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | | `subroutes[].matches[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | | `subroutes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | | `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | | `subroutes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | -| `subroutes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `subroutes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | | `subroutes[].matches[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `subroutes[].matches[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `subroutes[].matches[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | @@ -126,8 +126,8 @@ The `.spec` object supports the following fields: | `subroutes[].matches[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | | `subroutes[].matches[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. | | `subroutes[].path` | `string` | The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( / , /path ), an exact match ( =/exact/match ), a case insensitive regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive regular expression ( ~^/foo.*\.jpg ). In the case of a prefix (must start with / ) or an exact match (must start with = ), the path must not include any whitespace characters, { , } or ;. In the case of the regex matches, all double quotes " must be escaped and the match can’t end in an unescaped backslash \. The path must be unique among the paths of all routes of the VirtualServer. Check the location directive for more information. | -| `subroutes[].policies` | `array` | A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. See Applying Policies for more details. | -| `subroutes[].policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. v | +| `subroutes[].policies` | `array` | A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. | +| `subroutes[].policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. | | `subroutes[].policies[].namespace` | `string` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. | | `subroutes[].route` | `string` | The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, tea-namespace/tea. | | `subroutes[].splits` | `array` | The default splits configuration for traffic splitting. Must include at least 2 splits. | @@ -135,18 +135,18 @@ The `.spec` object supports the following fields: | `subroutes[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | | `subroutes[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | | `subroutes[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | -| `subroutes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | -| `subroutes[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `subroutes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `subroutes[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | | `subroutes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | | `subroutes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | | `subroutes[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | | `subroutes[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | -| `subroutes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `subroutes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | | `subroutes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | | `subroutes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | -| `subroutes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | -| `subroutes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | -| `subroutes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `subroutes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `subroutes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `subroutes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | | `subroutes[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `subroutes[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `subroutes[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | @@ -163,15 +163,15 @@ The `.spec` object supports the following fields: | `upstreams` | `array` | A list of upstreams. | | `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. | | `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | -| `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. See the proxy_buffer_size directive. The default is set in the proxy-buffer-size ConfigMap key. | -| `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. See the proxy_buffering directive. The default is set in the proxy-buffering ConfigMap key. | +| `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. The default is set in the proxy-buffer-size ConfigMap key. | +| `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. The default is set in the proxy-buffering ConfigMap key. | | `upstreams[].buffers` | `object` | Configures the buffers used for reading a response from the upstream server for a single connection. | | `upstreams[].buffers.number` | `integer` | Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. | | `upstreams[].buffers.size` | `string` | Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. | -| `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. See the client_max_body_size directive. The default is set in the client-max-body-size ConfigMap key. | -| `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. See the proxy_connect_timeout directive. The default is specified in the proxy-connect-timeout ConfigMap key. | -| `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. See the fail_timeout parameter of the server directive. The default is set in the fail-timeout ConfigMap key. | -| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. The default is set in the client-max-body-size ConfigMap key. | +| `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. The default is specified in the proxy-connect-timeout ConfigMap key. | +| `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. The default is set in the fail-timeout ConfigMap key. | +| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. | | `upstreams[].healthCheck.connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. By default, the connect-timeout of the upstream is used. | | `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. | | `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. | @@ -190,35 +190,35 @@ The `.spec` object supports the following fields: | `upstreams[].healthCheck.port` | `integer` | The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. | | `upstreams[].healthCheck.read-timeout` | `string` | The timeout for reading a response from an upstream server. By default, the read-timeout of the upstream is used. | | `upstreams[].healthCheck.send-timeout` | `string` | The timeout for transmitting a request to an upstream server. By default, the send-timeout of the upstream is used. | -| `upstreams[].healthCheck.statusMatch` | `string` | The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See the documentation of the match directive. This not supported for gRPC type upstreams. | +| `upstreams[].healthCheck.statusMatch` | `string` | The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This not supported for gRPC type upstreams. | | `upstreams[].healthCheck.tls` | `object` | The TLS configuration used for health check requests. By default, the tls field of the upstream is used. | | `upstreams[].healthCheck.tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | -| `upstreams[].keepalive` | `integer` | Configures the cache for connections to upstream servers. The value 0 disables the cache. See the keepalive directive. The default is set in the keepalive ConfigMap key. | +| `upstreams[].keepalive` | `integer` | Configures the cache for connections to upstream servers. The value 0 disables the cache. The default is set in the keepalive ConfigMap key. | | `upstreams[].lb-method` | `string` | The load balancing method. To use the round-robin method, specify round_robin. The default is specified in the lb-method ConfigMap key. | -| `upstreams[].max-conns` | `integer` | The maximum number of simultaneous active connections to an upstream server. See the max_conns parameter of the server directive. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. | -| `upstreams[].max-fails` | `integer` | The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. See the max_fails parameter of the server directive. The default is set in the max-fails ConfigMap key. | +| `upstreams[].max-conns` | `integer` | The maximum number of simultaneous active connections to an upstream server. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. | +| `upstreams[].max-fails` | `integer` | The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. The default is set in the max-fails ConfigMap key. | | `upstreams[].name` | `string` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. | -| `upstreams[].next-upstream` | `string` | Specifies in which cases a request should be passed to the next upstream server. See the proxy_next_upstream directive. The default is error timeout. | -| `upstreams[].next-upstream-timeout` | `string` | The time during which a request can be passed to the next upstream server. See the proxy_next_upstream_timeout directive. The 0 value turns off the time limit. The default is 0. | -| `upstreams[].next-upstream-tries` | `integer` | The number of possible tries for passing a request to the next upstream server. See the proxy_next_upstream_tries directive. The 0 value turns off this limit. The default is 0. | -| `upstreams[].ntlm` | `boolean` | Allows proxying requests with NTLM Authentication. See the ntlm directive. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].next-upstream` | `string` | Specifies in which cases a request should be passed to the next upstream server. The default is error timeout. | +| `upstreams[].next-upstream-timeout` | `string` | The time during which a request can be passed to the next upstream server. The 0 value turns off the time limit. The default is 0. | +| `upstreams[].next-upstream-tries` | `integer` | The number of possible tries for passing a request to the next upstream server. The 0 value turns off this limit. The default is 0. | +| `upstreams[].ntlm` | `boolean` | Allows proxying requests with NTLM Authentication. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. | | `upstreams[].port` | `integer` | The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. The port must fall into the range 1..65535. | | `upstreams[].queue` | `object` | Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus. | | `upstreams[].queue.size` | `integer` | The size of the queue. | | `upstreams[].queue.timeout` | `string` | The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. | -| `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. See the proxy_read_timeout directive. The default is specified in the proxy-read-timeout ConfigMap key. | -| `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. See the proxy_send_timeout directive. The default is specified in the proxy-send-timeout ConfigMap key. | -| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported (check the prerequisites ). | +| `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. The default is specified in the proxy-read-timeout ConfigMap key. | +| `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. The default is specified in the proxy-send-timeout ConfigMap key. | +| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported . | | `upstreams[].sessionCookie` | `object` | The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. | | `upstreams[].sessionCookie.domain` | `string` | The domain for which the cookie is set. | | `upstreams[].sessionCookie.enable` | `boolean` | Enables session persistence with a session cookie for an upstream server. The default is false. | -| `upstreams[].sessionCookie.expires` | `string` | The time for which a browser should keep the cookie. Can be set to the special value max , which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. | +| `upstreams[].sessionCookie.expires` | `string` | The time for which a browser should keep the cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. | | `upstreams[].sessionCookie.httpOnly` | `boolean` | Adds the HttpOnly attribute to the cookie. | | `upstreams[].sessionCookie.name` | `string` | The name of the cookie. | | `upstreams[].sessionCookie.path` | `string` | The path for which the cookie is set. | | `upstreams[].sessionCookie.samesite` | `string` | Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none | | `upstreams[].sessionCookie.secure` | `boolean` | Adds the Secure attribute to the cookie. | -| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. See the slow_start parameter of the server directive. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. | +| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. | | `upstreams[].subselector` | `object` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | | `upstreams[].tls` | `object` | The TLS configuration for the Upstream. | | `upstreams[].tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | diff --git a/docs/crd/k8s.nginx.org_virtualservers.md b/docs/crd/k8s.nginx.org_virtualservers.md index 0d705681c7..6867f7103d 100644 --- a/docs/crd/k8s.nginx.org_virtualservers.md +++ b/docs/crd/k8s.nginx.org_virtualservers.md @@ -22,36 +22,36 @@ The `.spec` object supports the following fields: | `externalDNS.providerSpecific` | `array` | Configure provider specific properties which holds the name and value of a configuration which is specific to individual DNS providers. | | `externalDNS.providerSpecific[].name` | `string` | Name of the property | | `externalDNS.providerSpecific[].value` | `string` | Value of the property | -| `externalDNS.recordTTL` | `integer` | TTL for the DNS record. This defaults to 0 if not defined. See the ExternalDNS TTL documentation for provider-specific defaults | +| `externalDNS.recordTTL` | `integer` | TTL for the DNS record. This defaults to 0 if not defined. | | `externalDNS.recordType` | `string` | The record Type that should be created, e.g. “A”, “AAAA”, “CNAME”. This is automatically computed based on the external endpoints if not defined. | | `gunzip` | `boolean` | Enables or disables decompression of gzipped responses for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. If the gunzip value is not set, it defaults to off. | -| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. See also Handling Host and Listener Collisions. | +| `host` | `string` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as my-app or hello.example.com. When using a wildcard domain like *.example.com the domain must be contained in double quotes. The host value needs to be unique among all Ingress and VirtualServer resources. | | `http-snippets` | `string` | Sets a custom snippet in the http context. | | `ingressClassName` | `string` | Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ingressClassName of the VirtualServer that references this resource. | | `internalRoute` | `boolean` | InternalRoute allows for the configuration of internal routing. | | `listener` | `object` | Sets a custom HTTP and/or HTTPS listener. Valid fields are listener.http and listener.https. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource | -| `listener.http` | `string` | The name of am HTTP listener defined in a GlobalConfiguration resource. | +| `listener.http` | `string` | The name of an HTTP listener defined in a GlobalConfiguration resource. | | `listener.https` | `string` | The name of an HTTPS listener defined in a GlobalConfiguration resource. | | `policies` | `array` | A list of policies. | -| `policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. v | +| `policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. | | `policies[].namespace` | `string` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. | | `routes` | `array` | A list of routes. | | `routes[].action` | `object` | The default action to perform for a request. | | `routes[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | | `routes[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | | `routes[].action.proxy.requestHeaders` | `object` | The request headers modifications. | -| `routes[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | -| `routes[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `routes[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `routes[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | | `routes[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | | `routes[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | | `routes[].action.proxy.responseHeaders` | `object` | The response headers modifications. | | `routes[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | -| `routes[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `routes[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | | `routes[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | | `routes[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | -| `routes[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | -| `routes[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | -| `routes[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `routes[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `routes[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `routes[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | | `routes[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `routes[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `routes[].action.redirect` | `object` | Redirects requests to a provided URL. | @@ -83,18 +83,18 @@ The `.spec` object supports the following fields: | `routes[].matches[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | | `routes[].matches[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | | `routes[].matches[].action.proxy.requestHeaders` | `object` | The request headers modifications. | -| `routes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | -| `routes[].matches[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `routes[].matches[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `routes[].matches[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | | `routes[].matches[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | | `routes[].matches[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | | `routes[].matches[].action.proxy.responseHeaders` | `object` | The response headers modifications. | | `routes[].matches[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | -| `routes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `routes[].matches[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | | `routes[].matches[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | | `routes[].matches[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | -| `routes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | -| `routes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | -| `routes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `routes[].matches[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `routes[].matches[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `routes[].matches[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | | `routes[].matches[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `routes[].matches[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `routes[].matches[].action.redirect` | `object` | Redirects requests to a provided URL. | @@ -111,25 +111,25 @@ The `.spec` object supports the following fields: | `routes[].matches[].conditions[].argument` | `string` | The name of an argument. Must consist of alphanumeric characters or _. | | `routes[].matches[].conditions[].cookie` | `string` | The name of a cookie. Must consist of alphanumeric characters or _. | | `routes[].matches[].conditions[].header` | `string` | The name of a header. Must consist of alphanumeric characters or -. | -| `routes[].matches[].conditions[].value` | `string` | The value to match the condition against. How to define a value is shown below the table. | -| `routes[].matches[].conditions[].variable` | `string` | The name of an NGINX variable. Must start with $. See the list of the supported variables below the table. | +| `routes[].matches[].conditions[].value` | `string` | The value to match the condition against. | +| `routes[].matches[].conditions[].variable` | `string` | The name of an NGINX variable. Must start with $. | | `routes[].matches[].splits` | `array` | The splits configuration for traffic splitting. Must include at least 2 splits. | | `routes[].matches[].splits[].action` | `object` | The action to perform for a request. | | `routes[].matches[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | | `routes[].matches[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | | `routes[].matches[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | -| `routes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `routes[].matches[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | | `routes[].matches[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | | `routes[].matches[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | | `routes[].matches[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | | `routes[].matches[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | | `routes[].matches[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | | `routes[].matches[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | -| `routes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `routes[].matches[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | | `routes[].matches[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `routes[].matches[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `routes[].matches[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | @@ -144,8 +144,8 @@ The `.spec` object supports the following fields: | `routes[].matches[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | | `routes[].matches[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. | | `routes[].path` | `string` | The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( / , /path ), an exact match ( =/exact/match ), a case insensitive regular expression ( ~*^/Bar.*\.jpg ) or a case sensitive regular expression ( ~^/foo.*\.jpg ). In the case of a prefix (must start with / ) or an exact match (must start with = ), the path must not include any whitespace characters, { , } or ;. In the case of the regex matches, all double quotes " must be escaped and the match can’t end in an unescaped backslash \. The path must be unique among the paths of all routes of the VirtualServer. Check the location directive for more information. | -| `routes[].policies` | `array` | A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. See Applying Policies for more details. | -| `routes[].policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. v | +| `routes[].policies` | `array` | A list of policies. The policies override the policies of the same type defined in the spec of the VirtualServer. | +| `routes[].policies[].name` | `string` | The name of a policy. If the policy doesn’t exist or invalid, NGINX will respond with an error response with the 500 status code. | | `routes[].policies[].namespace` | `string` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. | | `routes[].route` | `string` | The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, tea-namespace/tea. | | `routes[].splits` | `array` | The default splits configuration for traffic splitting. Must include at least 2 splits. | @@ -153,18 +153,18 @@ The `.spec` object supports the following fields: | `routes[].splits[].action.pass` | `string` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | | `routes[].splits[].action.proxy` | `object` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | | `routes[].splits[].action.proxy.requestHeaders` | `object` | The request headers modifications. | -| `routes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. See the proxy_pass_request_header directive for more information. Default is true. | -| `routes[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. See the proxy_set_header directive for more information. | +| `routes[].splits[].action.proxy.requestHeaders.pass` | `boolean` | Passes the original request headers to the proxied upstream server. Default is true. | +| `routes[].splits[].action.proxy.requestHeaders.set` | `array` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. | | `routes[].splits[].action.proxy.requestHeaders.set[].name` | `string` | The name of the header. | | `routes[].splits[].action.proxy.requestHeaders.set[].value` | `string` | The value of the header. | | `routes[].splits[].action.proxy.responseHeaders` | `object` | The response headers modifications. | | `routes[].splits[].action.proxy.responseHeaders.add` | `array` | Adds headers to the response to the client. | -| `routes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. See the add_header directive for more information. | +| `routes[].splits[].action.proxy.responseHeaders.add[].always` | `boolean` | If set to true, add the header regardless of the response status code**. Default is false. | | `routes[].splits[].action.proxy.responseHeaders.add[].name` | `string` | The name of the header. | | `routes[].splits[].action.proxy.responseHeaders.add[].value` | `string` | The value of the header. | -| `routes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the proxy_hide_header directive for more information. | -| `routes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. See the proxy_ignore_headers directive for more information. | -| `routes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the proxy_pass_header directive for more information. | +| `routes[].splits[].action.proxy.responseHeaders.hide` | `array[string]` | The headers that will not be passed* in the response to the client from a proxied upstream server. | +| `routes[].splits[].action.proxy.responseHeaders.ignore` | `array[string]` | Disables processing of certain headers** to the client from a proxied upstream server. | +| `routes[].splits[].action.proxy.responseHeaders.pass` | `array[string]` | Allows passing the hidden header fields* to the client from a proxied upstream server. | | `routes[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `routes[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `routes[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | @@ -198,15 +198,15 @@ The `.spec` object supports the following fields: | `upstreams` | `array` | A list of upstreams. | | `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. | | `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | -| `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. See the proxy_buffer_size directive. The default is set in the proxy-buffer-size ConfigMap key. | -| `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. See the proxy_buffering directive. The default is set in the proxy-buffering ConfigMap key. | +| `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. The default is set in the proxy-buffer-size ConfigMap key. | +| `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. The default is set in the proxy-buffering ConfigMap key. | | `upstreams[].buffers` | `object` | Configures the buffers used for reading a response from the upstream server for a single connection. | | `upstreams[].buffers.number` | `integer` | Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. | | `upstreams[].buffers.size` | `string` | Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. | -| `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. See the client_max_body_size directive. The default is set in the client-max-body-size ConfigMap key. | -| `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. See the proxy_connect_timeout directive. The default is specified in the proxy-connect-timeout ConfigMap key. | -| `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. See the fail_timeout parameter of the server directive. The default is set in the fail-timeout ConfigMap key. | -| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. See the health_check directive. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. The default is set in the client-max-body-size ConfigMap key. | +| `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. The default is specified in the proxy-connect-timeout ConfigMap key. | +| `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. The default is set in the fail-timeout ConfigMap key. | +| `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. | | `upstreams[].healthCheck.connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. By default, the connect-timeout of the upstream is used. | | `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. | | `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. | @@ -225,35 +225,35 @@ The `.spec` object supports the following fields: | `upstreams[].healthCheck.port` | `integer` | The port used for health check requests. By default, the server port is used. Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. | | `upstreams[].healthCheck.read-timeout` | `string` | The timeout for reading a response from an upstream server. By default, the read-timeout of the upstream is used. | | `upstreams[].healthCheck.send-timeout` | `string` | The timeout for transmitting a request to an upstream server. By default, the send-timeout of the upstream is used. | -| `upstreams[].healthCheck.statusMatch` | `string` | The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". See the documentation of the match directive. This not supported for gRPC type upstreams. | +| `upstreams[].healthCheck.statusMatch` | `string` | The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: "200", "! 500", "301-303 307". This not supported for gRPC type upstreams. | | `upstreams[].healthCheck.tls` | `object` | The TLS configuration used for health check requests. By default, the tls field of the upstream is used. | | `upstreams[].healthCheck.tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | -| `upstreams[].keepalive` | `integer` | Configures the cache for connections to upstream servers. The value 0 disables the cache. See the keepalive directive. The default is set in the keepalive ConfigMap key. | +| `upstreams[].keepalive` | `integer` | Configures the cache for connections to upstream servers. The value 0 disables the cache. The default is set in the keepalive ConfigMap key. | | `upstreams[].lb-method` | `string` | The load balancing method. To use the round-robin method, specify round_robin. The default is specified in the lb-method ConfigMap key. | -| `upstreams[].max-conns` | `integer` | The maximum number of simultaneous active connections to an upstream server. See the max_conns parameter of the server directive. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. | -| `upstreams[].max-fails` | `integer` | The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. See the max_fails parameter of the server directive. The default is set in the max-fails ConfigMap key. | +| `upstreams[].max-conns` | `integer` | The maximum number of simultaneous active connections to an upstream server. By default there is no limit. Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the max_conns value. | +| `upstreams[].max-fails` | `integer` | The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the fail-timeout to consider the server unavailable. The default is set in the max-fails ConfigMap key. | | `upstreams[].name` | `string` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, hello and upstream-123 are valid. The name must be unique among all upstreams of the resource. | -| `upstreams[].next-upstream` | `string` | Specifies in which cases a request should be passed to the next upstream server. See the proxy_next_upstream directive. The default is error timeout. | -| `upstreams[].next-upstream-timeout` | `string` | The time during which a request can be passed to the next upstream server. See the proxy_next_upstream_timeout directive. The 0 value turns off the time limit. The default is 0. | -| `upstreams[].next-upstream-tries` | `integer` | The number of possible tries for passing a request to the next upstream server. See the proxy_next_upstream_tries directive. The 0 value turns off this limit. The default is 0. | -| `upstreams[].ntlm` | `boolean` | Allows proxying requests with NTLM Authentication. See the ntlm directive. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. | +| `upstreams[].next-upstream` | `string` | Specifies in which cases a request should be passed to the next upstream server. The default is error timeout. | +| `upstreams[].next-upstream-timeout` | `string` | The time during which a request can be passed to the next upstream server. The 0 value turns off the time limit. The default is 0. | +| `upstreams[].next-upstream-tries` | `integer` | The number of possible tries for passing a request to the next upstream server. The 0 value turns off this limit. The default is 0. | +| `upstreams[].ntlm` | `boolean` | Allows proxying requests with NTLM Authentication. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the keepalive field. Note: this feature is supported only in NGINX Plus. | | `upstreams[].port` | `integer` | The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. The port must fall into the range 1..65535. | | `upstreams[].queue` | `object` | Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus. | | `upstreams[].queue.size` | `integer` | The size of the queue. | | `upstreams[].queue.timeout` | `string` | The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. | -| `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. See the proxy_read_timeout directive. The default is specified in the proxy-read-timeout ConfigMap key. | -| `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. See the proxy_send_timeout directive. The default is specified in the proxy-send-timeout ConfigMap key. | -| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported (check the prerequisites ). | +| `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. The default is specified in the proxy-read-timeout ConfigMap key. | +| `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. The default is specified in the proxy-send-timeout ConfigMap key. | +| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported . | | `upstreams[].sessionCookie` | `object` | The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. | | `upstreams[].sessionCookie.domain` | `string` | The domain for which the cookie is set. | | `upstreams[].sessionCookie.enable` | `boolean` | Enables session persistence with a session cookie for an upstream server. The default is false. | -| `upstreams[].sessionCookie.expires` | `string` | The time for which a browser should keep the cookie. Can be set to the special value max , which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. | +| `upstreams[].sessionCookie.expires` | `string` | The time for which a browser should keep the cookie. Can be set to the special value max, which will cause the cookie to expire on 31 Dec 2037 23:55:55 GMT. | | `upstreams[].sessionCookie.httpOnly` | `boolean` | Adds the HttpOnly attribute to the cookie. | | `upstreams[].sessionCookie.name` | `string` | The name of the cookie. | | `upstreams[].sessionCookie.path` | `string` | The path for which the cookie is set. | | `upstreams[].sessionCookie.samesite` | `string` | Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none | | `upstreams[].sessionCookie.secure` | `boolean` | Adds the Secure attribute to the cookie. | -| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. See the slow_start parameter of the server directive. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. | +| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. | | `upstreams[].subselector` | `object` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | | `upstreams[].tls` | `object` | The TLS configuration for the Upstream. | | `upstreams[].tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index bbdf900429..1d74d1f311 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -548,7 +548,7 @@ type GlobalConfiguration struct { Spec GlobalConfigurationSpec `json:"spec"` } -// The GlobalConfiguration resource defines the global configuration parameters of the Ingress Controller. +// The GlobalConfigurationSpec resource defines the global configuration parameters of the Ingress Controller. type GlobalConfigurationSpec struct { // Listeners field of the GlobalConfigurationSpec resource Listeners []Listener `json:"listeners"` From a3dc826080d48c4c9a18c6c2b1aef92b0512ec1f Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Tue, 22 Jul 2025 15:55:31 +0100 Subject: [PATCH 17/33] reversing changes to main.go --- cmd/nginx-ingress/main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index d487a8204d..e8d3b7d070 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -1069,6 +1069,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde labels[agentVersionLabel] = agentVersion } newPod.ObjectMeta.Labels = labels + _, err = kubeClient.CoreV1().Pods(newPod.ObjectMeta.Namespace).Update(context.TODO(), newPod, meta_v1.UpdateOptions{}) if err != nil { nl.Errorf(l, "Error updating pod with labels on attempt %d of %d: %v", i+1, maxRetries, err) From 739eb6fbf1cdb2162dfa33efa7ccc2804010bd8a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 22 Jul 2025 14:56:58 +0000 Subject: [PATCH 18/33] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- cmd/nginx-ingress/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index e8d3b7d070..5e76f6ef8b 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -1069,7 +1069,7 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde labels[agentVersionLabel] = agentVersion } newPod.ObjectMeta.Labels = labels - + _, err = kubeClient.CoreV1().Pods(newPod.ObjectMeta.Namespace).Update(context.TODO(), newPod, meta_v1.UpdateOptions{}) if err != nil { nl.Errorf(l, "Error updating pod with labels on attempt %d of %d: %v", i+1, maxRetries, err) From df962e45623bc5ac5daac478f7b71789b0f72480 Mon Sep 17 00:00:00 2001 From: mohamad_al Date: Wed, 23 Jul 2025 09:30:02 +0100 Subject: [PATCH 19/33] Update pkg/apis/configuration/v1/types.go Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Signed-off-by: mohamad_al --- pkg/apis/configuration/v1/types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 1d74d1f311..20318b42a9 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -645,7 +645,7 @@ type TransportServerUpstream struct { Service string `json:"service"` // The port of the service. If the service doesn’t define that port, NGINX will assume the service has zero endpoints and close client connections/ignore datagrams. The port must fall into the range 1..65535. Port int `json:"port"` - // Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. The default 1. + // Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. The default is 1. FailTimeout string `json:"failTimeout"` // Sets the number of maximum connections to the proxied server. Default value is zero, meaning there is no limit. The default is 0. MaxFails *int `json:"maxFails"` From b1ec15321b90cfd257173a910fa9cd53be9e9794 Mon Sep 17 00:00:00 2001 From: mohamad_al Date: Wed, 23 Jul 2025 09:30:14 +0100 Subject: [PATCH 20/33] Update pkg/apis/configuration/v1/types.go Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Signed-off-by: mohamad_al --- pkg/apis/configuration/v1/types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 20318b42a9..11e0dc167a 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -699,7 +699,7 @@ type UpstreamParameters struct { ConnectTimeout string `json:"connectTimeout"` // If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. The default is true. NextUpstream bool `json:"nextUpstream"` - // The time allowed to pass a connection to the next server. The default us 0. + // The time allowed to pass a connection to the next server. The default is 0. NextUpstreamTimeout string `json:"nextUpstreamTimeout"` // The number of tries for passing a connection to the next server. The default is 0. NextUpstreamTries int `json:"nextUpstreamTries"` From 92053621aad423917f7c58dc1f499595583bdecc Mon Sep 17 00:00:00 2001 From: mohamad_al Date: Wed, 23 Jul 2025 09:30:36 +0100 Subject: [PATCH 21/33] Update pkg/apis/configuration/v1/types.go Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Signed-off-by: mohamad_al --- pkg/apis/configuration/v1/types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 11e0dc167a..7b78b61df9 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -417,7 +417,7 @@ type TLS struct { type TLSRedirect struct { // Enables a TLS redirect for a VirtualServer. The default is False. Enable bool `json:"enable"` - // The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. + // The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. Code *int `json:"code"` // The attribute of a request that NGINX will evaluate to send a redirect. The allowed values are scheme (the scheme of the request) or x-forwarded-proto (the X-Forwarded-Proto header of the request). The default is scheme. BasedOn string `json:"basedOn"` From 8419828ba784255df5f71b7805ebc3e7ca9881b6 Mon Sep 17 00:00:00 2001 From: mohamad_al Date: Wed, 23 Jul 2025 09:30:43 +0100 Subject: [PATCH 22/33] Update pkg/apis/configuration/v1/types.go Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Signed-off-by: mohamad_al --- pkg/apis/configuration/v1/types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 7b78b61df9..95c54029e7 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -170,7 +170,7 @@ type Upstream struct { NTLM bool `json:"ntlm"` // The type of the upstream. Supported values are http and grpc. The default is http. For gRPC, it is necessary to enable HTTP/2 in the ConfigMap and configure TLS termination in the VirtualServer. Type string `json:"type"` - // The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. + // The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. Backup string `json:"backup"` // The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. BackupPort *uint16 `json:"backupPort"` From 14ae4a0b80531e4014d08e1ba53b7f51c666deee Mon Sep 17 00:00:00 2001 From: mohamad_al Date: Wed, 23 Jul 2025 09:30:53 +0100 Subject: [PATCH 23/33] Update pkg/apis/configuration/v1/types.go Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Signed-off-by: mohamad_al --- pkg/apis/configuration/v1/types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 95c54029e7..ba90ca4380 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -158,7 +158,7 @@ type Upstream struct { TLS UpstreamTLS `json:"tls"` // The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. HealthCheck *HealthCheck `json:"healthCheck"` - // The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. + // The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored. SlowStart string `json:"slow-start"` // Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. Note: this feature is supported only in NGINX Plus. Queue *UpstreamQueue `json:"queue"` From dd8a082eda272ee2867befcec5ef0daf80d288d2 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 23 Jul 2025 09:33:45 +0100 Subject: [PATCH 24/33] fixing commemts issues --- pkg/apis/configuration/v1/types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index a3c02b5c11..2a29c51403 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -548,7 +548,7 @@ type GlobalConfiguration struct { Spec GlobalConfigurationSpec `json:"spec"` } -// The GlobalConfigurationSpec resource defines the global configuration parameters of the Ingress Controller. +// GlobalConfigurationSpec resource defines the global configuration parameters of the Ingress Controller. type GlobalConfigurationSpec struct { // Listeners field of the GlobalConfigurationSpec resource Listeners []Listener `json:"listeners"` From 7029a7750dd5b2560ac4e8b12668f2416a76bffc Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 23 Jul 2025 09:52:23 +0100 Subject: [PATCH 25/33] fixing commemts issues --- config/crd/bases/k8s.nginx.org_globalconfigurations.yaml | 2 +- config/crd/bases/k8s.nginx.org_transportservers.yaml | 2 +- deploy/crds.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml index 0d8c0e65c0..b07a9c16ee 100644 --- a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml +++ b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml @@ -39,7 +39,7 @@ spec: metadata: type: object spec: - description: The GlobalConfigurationSpec resource defines the global configuration + description: GlobalConfigurationSpec resource defines the global configuration parameters of the Ingress Controller. properties: listeners: diff --git a/config/crd/bases/k8s.nginx.org_transportservers.yaml b/config/crd/bases/k8s.nginx.org_transportservers.yaml index acd44915fd..4536d6c432 100644 --- a/config/crd/bases/k8s.nginx.org_transportservers.yaml +++ b/config/crd/bases/k8s.nginx.org_transportservers.yaml @@ -123,7 +123,7 @@ spec: type: boolean nextUpstreamTimeout: description: The time allowed to pass a connection to the next - server. The default us 0. + server. The default is 0. type: string nextUpstreamTries: description: The number of tries for passing a connection to the diff --git a/deploy/crds.yaml b/deploy/crds.yaml index 9eb3e922c7..4744f3e859 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -135,7 +135,7 @@ spec: metadata: type: object spec: - description: The GlobalConfigurationSpec resource defines the global configuration + description: GlobalConfigurationSpec resource defines the global configuration parameters of the Ingress Controller. properties: listeners: @@ -777,7 +777,7 @@ spec: type: boolean nextUpstreamTimeout: description: The time allowed to pass a connection to the next - server. The default us 0. + server. The default is 0. type: string nextUpstreamTries: description: The number of tries for passing a connection to the From 8225cdaf2b5cc7aaccf2d85df0b93d3588f063c1 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 23 Jul 2025 10:15:31 +0100 Subject: [PATCH 26/33] Update CRDs to match API changes --- .../k8s.nginx.org_globalconfigurations.yaml | 66 ++ .../crds/k8s.nginx.org_policies.yaml | 279 ++++++ .../crds/k8s.nginx.org_transportservers.yaml | 175 ++++ .../k8s.nginx.org_virtualserverroutes.yaml | 729 +++++++++++++++ .../crds/k8s.nginx.org_virtualservers.yaml | 829 ++++++++++++++++++ 5 files changed, 2078 insertions(+) create mode 100644 nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml create mode 100644 nginx-ingress/crds/k8s.nginx.org_policies.yaml create mode 100644 nginx-ingress/crds/k8s.nginx.org_transportservers.yaml create mode 100644 nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml create mode 100644 nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml diff --git a/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml b/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..f4f88de755 --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml @@ -0,0 +1,66 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + ipv4: + type: string + ipv6: + type: string + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true diff --git a/nginx-ingress/crds/k8s.nginx.org_policies.yaml b/nginx-ingress/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..b3cfc72847 --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_policies.yaml @@ -0,0 +1,279 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + apiKey: + description: APIKey defines an API Key policy. + properties: + clientSecret: + type: string + suppliedIn: + description: SuppliedIn defines the locations API Key should be + supplied in. + properties: + header: + items: + type: string + type: array + query: + items: + type: string + type: array + type: object + type: object + basicAuth: + description: BasicAuth holds HTTP Basic authentication configuration + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + endSessionEndpoint: + type: string + jwksURI: + type: string + postLogoutRedirectURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + condition: + description: RateLimitCondition defines a condition for a rate + limit policy. + properties: + default: + description: sets the rate limit in this policy to be the + default if no conditions are met. In a group of policies + with the same JWT condition, only one policy can be the + default. + type: boolean + jwt: + description: defines a JWT condition to rate limit against. + properties: + claim: + description: the JWT claim to be rate limit by. Nested + claims should be separated by "." + pattern: ^([^$\s"'])*$ + type: string + match: + description: the value of the claim to match against. + pattern: ^([^$\s."'])*$ + type: string + required: + - claim + - match + type: object + type: object + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + scale: + type: boolean + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml b/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..9034caf243 --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml @@ -0,0 +1,175 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml b/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..7093ff4a5c --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -0,0 +1,729 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml b/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..7c3c9f7a73 --- /dev/null +++ b/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml @@ -0,0 +1,829 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: |- + ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. + properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} From 9fd3dde87be1c2da9d75434239a26bd4ccb37099 Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 23 Jul 2025 10:17:16 +0100 Subject: [PATCH 27/33] Additional changes to types.go --- docs/crd/k8s.nginx.org_transportservers.md | 2 +- .../complete-example copy/README.md | 80 + .../complete-example copy/cafe-ingress.yaml | 28 + .../complete-example copy/cafe-secret.yaml | 1 + .../complete-example copy/cafe.yaml | 33 + .../complete-example copy/dashboard.png | Bin 0 -> 354834 bytes .../ingress-resources/mo-example/README.md | 80 + .../mo-example/cafe-ingress.yaml | 35 + .../mo-example/cafe-secret.yaml | 1 + .../ingress-resources/mo-example/cafe.yaml | 36 + .../mo-example/dashboard.png | Bin 0 -> 354834 bytes hi.txt | 2342 ++++++++++++++ internal/certmanager/cm_controller_test.go | 4 +- internal/certmanager/helper.go | 6 +- internal/certmanager/helper_test.go | 2 +- internal/certmanager/sync.go | 3 +- internal/configs/configurator.go | 8 +- internal/configs/virtualserver.go | 18 +- internal/configs/virtualserver_test.go | 28 +- internal/externaldns/sync.go | 9 +- internal/k8s/appprotect_dos.go | 5 +- internal/k8s/appprotect_waf.go | 5 +- internal/k8s/controller.go | 16 +- internal/k8s/global_configuration.go | 10 +- internal/k8s/reference_checkers.go | 4 +- internal/k8s/status.go | 5 +- internal/k8s/status_test.go | 4 +- internal/k8s/utils.go | 4 +- internal/metrics/collectors/processes.go | 5 +- nginx-ingress/.helmignore | 2 + nginx-ingress/Chart.yaml | 17 + nginx-ingress/README.md | 3 + .../crds/appprotect.f5.com_aplogconfs.yaml | 83 + .../crds/appprotect.f5.com_appolicies.yaml | 2172 +++++++++++++ .../crds/appprotect.f5.com_apusersigs.yaml | 98 + .../appprotectdos.f5.com_apdoslogconfs.yaml | 68 + .../appprotectdos.f5.com_apdospolicy.yaml | 68 + ...otectdos.f5.com_dosprotectedresources.yaml | 113 + .../externaldns.nginx.org_dnsendpoints.yaml | 97 + nginx-ingress/templates/NOTES.txt | 13 + nginx-ingress/templates/_helpers.tpl | 516 ++++ nginx-ingress/templates/clusterrole.yaml | 180 ++ .../templates/clusterrolebinding.yaml | 16 + .../templates/controller-configmap.yaml | 82 + .../templates/controller-daemonset.yaml | 196 ++ .../templates/controller-deployment.yaml | 203 ++ .../controller-globalconfiguration.yaml | 11 + nginx-ingress/templates/controller-hpa.yaml | 41 + .../templates/controller-ingress-class.yaml | 14 + .../controller-leader-election-configmap.yaml | 13 + nginx-ingress/templates/controller-lease.yaml | 13 + nginx-ingress/templates/controller-pdb.yaml | 23 + .../controller-prometheus-service.yaml | 21 + nginx-ingress/templates/controller-role.yaml | 56 + .../templates/controller-rolebinding.yaml | 17 + .../templates/controller-secret.yaml | 13 + .../templates/controller-service.yaml | 72 + .../templates/controller-serviceaccount.yaml | 25 + .../templates/controller-servicemonitor.yaml | 21 + .../templates/controller-wildcard-secret.yaml | 13 + nginx-ingress/values-icp.yaml | 17 + nginx-ingress/values-nsm.yaml | 6 + nginx-ingress/values-plus.yaml | 6 + nginx-ingress/values.schema.json | 2745 +++++++++++++++++ nginx-ingress/values.yaml | 691 +++++ pkg/apis/configuration/validation/common.go | 2 +- .../externaldns/validation/externaldns.go | 2 +- release_notes.json | 1623 ++++++++++ 68 files changed, 12075 insertions(+), 71 deletions(-) create mode 100644 examples/ingress-resources/complete-example copy/README.md create mode 100644 examples/ingress-resources/complete-example copy/cafe-ingress.yaml create mode 120000 examples/ingress-resources/complete-example copy/cafe-secret.yaml create mode 100644 examples/ingress-resources/complete-example copy/cafe.yaml create mode 100644 examples/ingress-resources/complete-example copy/dashboard.png create mode 100644 examples/ingress-resources/mo-example/README.md create mode 100644 examples/ingress-resources/mo-example/cafe-ingress.yaml create mode 120000 examples/ingress-resources/mo-example/cafe-secret.yaml create mode 100644 examples/ingress-resources/mo-example/cafe.yaml create mode 100644 examples/ingress-resources/mo-example/dashboard.png create mode 100644 hi.txt create mode 100644 nginx-ingress/.helmignore create mode 100644 nginx-ingress/Chart.yaml create mode 100644 nginx-ingress/README.md create mode 100644 nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml create mode 100644 nginx-ingress/crds/appprotect.f5.com_appolicies.yaml create mode 100644 nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml create mode 100644 nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml create mode 100644 nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml create mode 100644 nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml create mode 100644 nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml create mode 100644 nginx-ingress/templates/NOTES.txt create mode 100644 nginx-ingress/templates/_helpers.tpl create mode 100644 nginx-ingress/templates/clusterrole.yaml create mode 100644 nginx-ingress/templates/clusterrolebinding.yaml create mode 100644 nginx-ingress/templates/controller-configmap.yaml create mode 100644 nginx-ingress/templates/controller-daemonset.yaml create mode 100644 nginx-ingress/templates/controller-deployment.yaml create mode 100644 nginx-ingress/templates/controller-globalconfiguration.yaml create mode 100644 nginx-ingress/templates/controller-hpa.yaml create mode 100644 nginx-ingress/templates/controller-ingress-class.yaml create mode 100644 nginx-ingress/templates/controller-leader-election-configmap.yaml create mode 100644 nginx-ingress/templates/controller-lease.yaml create mode 100644 nginx-ingress/templates/controller-pdb.yaml create mode 100644 nginx-ingress/templates/controller-prometheus-service.yaml create mode 100644 nginx-ingress/templates/controller-role.yaml create mode 100644 nginx-ingress/templates/controller-rolebinding.yaml create mode 100644 nginx-ingress/templates/controller-secret.yaml create mode 100644 nginx-ingress/templates/controller-service.yaml create mode 100644 nginx-ingress/templates/controller-serviceaccount.yaml create mode 100644 nginx-ingress/templates/controller-servicemonitor.yaml create mode 100644 nginx-ingress/templates/controller-wildcard-secret.yaml create mode 100644 nginx-ingress/values-icp.yaml create mode 100644 nginx-ingress/values-nsm.yaml create mode 100644 nginx-ingress/values-plus.yaml create mode 100644 nginx-ingress/values.schema.json create mode 100644 nginx-ingress/values.yaml create mode 100644 release_notes.json diff --git a/docs/crd/k8s.nginx.org_transportservers.md b/docs/crd/k8s.nginx.org_transportservers.md index ec1eb62428..d001a43de9 100644 --- a/docs/crd/k8s.nginx.org_transportservers.md +++ b/docs/crd/k8s.nginx.org_transportservers.md @@ -31,7 +31,7 @@ The `.spec` object supports the following fields: | `upstreamParameters` | `object` | UpstreamParameters defines parameters for an upstream. | | `upstreamParameters.connectTimeout` | `string` | The timeout for establishing a connection with a proxied server. The default is 60s. | | `upstreamParameters.nextUpstream` | `boolean` | If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. The default is true. | -| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. The default us 0. | +| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. The default is 0. | | `upstreamParameters.nextUpstreamTries` | `integer` | The number of tries for passing a connection to the next server. The default is 0. | | `upstreamParameters.udpRequests` | `integer` | The number of datagrams, after receiving which, the next datagram from the same client starts a new session. The default is 0. | | `upstreamParameters.udpResponses` | `integer` | The number of datagrams expected from the proxied server in response to a client datagram. By default, the number of datagrams is not limited. | diff --git a/examples/ingress-resources/complete-example copy/README.md b/examples/ingress-resources/complete-example copy/README.md new file mode 100644 index 0000000000..895537d3bb --- /dev/null +++ b/examples/ingress-resources/complete-example copy/README.md @@ -0,0 +1,80 @@ +# Example + +In this example we deploy the NGINX or NGINX Plus Ingress Controller, a simple web application and then configure load +balancing for that application using the Ingress resource. + +## Running the Example + +## 1. Deploy the Ingress Controller + +1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) + instructions to deploy the Ingress Controller. + +2. Save the public IP address of the Ingress Controller into a shell variable: + + ```console + IC_IP=XXX.YYY.ZZZ.III + ``` + +3. Save the HTTPS port of the Ingress Controller into a shell variable: + + ```console + IC_HTTPS_PORT= + ``` + +## 2. Deploy the Cafe Application + +Create the coffee and the tea deployments and services: + +```console +kubectl create -f cafe.yaml +``` + +## 3. Configure Load Balancing + +1. Create a secret with an SSL certificate and a key: + + ```console + kubectl create -f cafe-secret.yaml + ``` + +2. Create an Ingress resource: + + ```console + kubectl create -f cafe-ingress.yaml + ``` + +## 4. Test the Application + +1. To access the application, curl the coffee and the tea services. We'll use ```curl```'s --insecure option to turn off +certificate verification of our self-signed certificate and the --resolve option to set the Host header of a request +with ```cafe.example.com``` + + To get coffee: + + ```console + curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure + ``` + + ```text + Server address: 10.12.0.18:80 + Server name: coffee-7586895968-r26zn + ... + ``` + + If your prefer tea: + + ```console + $ curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea --insecure + + ```text + Server address: 10.12.0.19:80 + Server name: tea-7cd44fcb4d-xfw2x + ... + ``` + +1. You can view an NGINX status page, either stub_status for NGINX, or the Live Activity Monitoring Dashboard for NGINX + Plus: + 1. Follow the [instructions](https://docs.nginx.com/nginx-ingress-controller/logging-and-monitoring/status-page/) to + access the status page. + 1. For NGINX Plus, If you go to the Upstream tab, you'll see: ![dashboard](dashboard.png) diff --git a/examples/ingress-resources/complete-example copy/cafe-ingress.yaml b/examples/ingress-resources/complete-example copy/cafe-ingress.yaml new file mode 100644 index 0000000000..50a8893990 --- /dev/null +++ b/examples/ingress-resources/complete-example copy/cafe-ingress.yaml @@ -0,0 +1,28 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress +spec: + ingressClassName: nginx + tls: + - hosts: + - cafe.example.com + secretName: cafe-secret + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: Prefix + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: Prefix + backend: + service: + name: coffee-svc + port: + number: 80 diff --git a/examples/ingress-resources/complete-example copy/cafe-secret.yaml b/examples/ingress-resources/complete-example copy/cafe-secret.yaml new file mode 120000 index 0000000000..efa8919b4b --- /dev/null +++ b/examples/ingress-resources/complete-example copy/cafe-secret.yaml @@ -0,0 +1 @@ +../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/complete-example copy/cafe.yaml b/examples/ingress-resources/complete-example copy/cafe.yaml new file mode 100644 index 0000000000..ea16d9d0a6 --- /dev/null +++ b/examples/ingress-resources/complete-example copy/cafe.yaml @@ -0,0 +1,33 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: coffee +spec: + replicas: 2 + selector: + matchLabels: + app: coffee + template: + metadata: + labels: + app: coffee + spec: + containers: + - name: coffee + image: mohamadaldawamneh/http-echo:latest + ports: + - containerPort: 3333 +--- +apiVersion: v1 +kind: Service +metadata: + name: coffee-svc +spec: + ports: + - port: 80 + targetPort: 3333 + protocol: TCP + name: http + selector: + app: coffee +--- diff --git a/examples/ingress-resources/complete-example copy/dashboard.png b/examples/ingress-resources/complete-example copy/dashboard.png new file mode 100644 index 0000000000000000000000000000000000000000..aaa4ebe16192e2f4968ea569e5e824ca5e191a76 GIT binary patch literal 354834 zcma&O1yogCw?BLU=|;Lkq(izvN|5dbDe3M8=>`!{y1To(1nF*&ldi zK97tc=j?O#T6@kl>o)^K*(L+k7;$GzNhrLgUq7m6arM($o~;B&q%2B;Z>q#F{P`;Ur)Q$lzan!NvF# zMx>!^%TSFN0!b6X~fO_AcGiXqdCS(6;>)|@Z?RY5FkDUJn95bY22E@`FVJI~z2M2->p8K=Ticav1eA(QP z!K1@ddl*b2)jG(xM>wT3-u8@C01i~vjUI{!BCUDb`l|*q7U}wJ31!d=2-2S{DY+dy zEGd~C&i2Ux4WuED5Tr`;mUh@6M?4!S?{`{1BG$iJI?phxZj$5JR|t_08js!x4xP4BGO6*@1i=$3w{h{wCa{() zmZcQNvPcIuh+k=U4`uc+;UT+LHh1T?9CL`Et0Y4q%fA+5{sNlHA#$mEf-K^n}N?RJuT z3s-%jaxapP!9;#T^bKrJ~GaZ!~e!AkBd!K-~ZR9WYAd`A(!Q? zW(5xOGo-h0Ll=(Jx};)O5SOi6Cm8|?ZX%VmvVHdl7wA43FDbFc%J&|YFPS*$Wfe>; z({q@;2d?cQESbfKDuU+^Dk}$TS3(gCUSclUVv72aq9LgZA-se6icsa3(OO@L^Q8DA z0FndEpS}a?>iuxcyDCp{xb)KuxCeN2REeNR$gOHVdALixpxUr}{(&!}*n|A`9WO)9 zZTXjQuKTjrCP`3CmY}W)&kPHZOWz}r!MyAa%@p0&Cng-=!9jV0_CTQX%Jck#GYex^ zCShAI1s|Cs1~En%dJ|l|5QZy#bXH9gIW_ikM+$VGA0sY<@;9Bn>-lx;m|8mGkb9x0 z7~YYdOJ9Bg{EryE_nk}HnO7b`6Z+Px=C>Q}EHkS+*;A8NyJhdO@w%U-$10|y6+X2U zqvNzu_|)`Z>%&%5&%qz?&3s~q#CArq=vt_tVBuSWkKRgUuF*_M(L#x!z^$??aXPSj zc<5fR+`6lBmqc)#L^L818B-odsw559>p<{reiMyFw#hYDnL?Dx2Z}j73@hD0R%$b$ z_<^|Uc-s$gLhnCVV#8BM0}4(Db+}&3nB3vl-P?nr9Bp%c3J1#85kWy_fY@(Tb|FPR zAe4L%80kQEh4Mjz?E8cp15)fXQnwQr@K4G2)A%4j4ZZb&TOE1EfA|Bz9Q4(v#|-ou z-06;X_Je1(Wk zu4sf^1)_OJ8*@3Jnger-#T}6%G(wR&z_1B1;ol-Ikcs|R0Ye`$x37CqXTxVC?);|k@C(EdrVBAhw#MG<}&6Ul%lcS`ox!0|Dp9I<=(|8!tLud2gm_8nRCh;s zNqgD7$2oP+j*Bmg{|4U;Uy9AyB4yS!PjaGW3~7ARJi*j@lCSVK#P5wX-diLTLkL6O z4Yq8p@B-sPtjzdQm9kp3Vx3|+EhUc{=g(J;hqQ+j3p&yfW}OiqwpkM2T(g$53Pv*H zqBDQuG&l`uLQj0xGK*KZQQkdCGg&y>n0GFjm`jkAoZT#3uW+44TxOEZscVz8^15}> zy_KR?+&y|Tf}Wt!XVc0{c~x9c)+g_Yb{)igvw*ou)<)o zykE4Fs*?h&6xDVgtACgeTPGKP_4s-|Jo`1B-N#1XEY`AeENlGdx7;Y>0OMHW(k&gj zr1*4|HkI0G6^pFeV5g`{@qHA6slMqT8zp0h@7T3Y)mU@ZHHS46b8ZXphee0hb4rI$ z2Z)Cjha_CgL|KGkMEFFyQ7i=U9Ok_R)!A)4O+4E?)-Ej@IltIu3g-&vf7Mn;vi3I) z-WDMaQ%)I|NyQBnkJn|pWphTh{Tj3-+G!fAoxTiDZcd&n9VzW!{=vWO<$sTi$`Gv{ zO-a1N2cPDb=D@GTC+ObjhUI#AeK)kY!rSjre_j11!O+#PF4}F=@Mrhc{NCi&(3#Bj z^3TOBlY{=N;wz6`o4wJ?)%9n#4jxk84{{wtLj6K^YndI_Z*|{R`$xeVcItN;cOH@@ zk%f}&iyQ?f1$+#g3Azew3>rq_C6^=pF z_`GOnc2a-lMqiW`_mOptTMcv58<-x^o|1@091FZ;lKVy1pEq--DjVrN+`YqLyab~m z=@{+2PddUMx~c+rLsdg3dS+hL=7dVJOCHDh$I*RmRus?uA=~)1D3Mme>ODm+W$vNG zemWY9{$;>XXxU3CD&2G=ZnL|b^SH~`JF)^SVpa$qgMN;}?)G;_7o!Kb&g{*C6y$~? z;v`fd)j{W<_D6Mk57%!`XkF!4y;$g2(v5G8N`LIF-=EUmwtgb*bnh%aI5`-eKXx#% zciu+Ye!VlZ6MH^!j)KS@$lax+gq$y%zCcrj6(81g)_SJ4a~(?2%lj(C=yOh?5F)X| zLXPT0dJZar7h*AjptMwy^M|HB$MuUkJPuauQCCe&&5I#v&(|g&_vtq@&Q18g5;1%1 z6B^0(rOY(uIY@0gk0K`5TL>6?k36h~6NS@-tujjJj%gdnvy^X+%jpYFCrn87=5k`Y zGcC2i>Ag~)YMV1YZR*tHRz1e+m?>s)6j2+{*OH255wV4Z9P4)zKTI+RGi*a@7kG&g- zNks0vgD#%)G)wcfbk?(l_}58E%XiI*(^<6>3u*i>uN@DNR~D5`^y+KVH1yg~58{qI zo-FRlXRqHK+3>H~WgKPPb|MGk1`p!L1mPijMLzVEwGxXP!FYzGF1_y*R%w-CU5!?QZGY7%SB%ObWmA z$d2}qTlsk~ldHCA%dT@}=5X!d*l}4qiMfk~O~a;lVPSW5cB6yz&iIgbqMSB-oBg(V z&vf`~R=Ja|T#NU4Uk`x}XCr6&@?h)bp7Z*lAMg1Q#!zT_3%i2_G;Z#|JABb;EQc6Z=78*T_#!LmwjOC1JVR| zTL}#Z5D1$R{0~A>@zn_k1d(p0tnR2TBh6!IW5uX%WMg2==xSvP+zkTpx$*#St&AP@ zNnNchtsQt=`N@CZ!2`Spf6PQq`ui3~3x0BS8F^9>8+&6?c1AWvW^w@pQc_Yrd!vs$ zilXBGSq@zBlbbp^+VU_lxwyD6y09|Z*qboD;pXOMVrF4tVPOF7U~q7=cGP!euy&yM zv&sLrkEpSOp}m={qnV90DR^If0~;qtesXf~gZ}&ThfZTxv;TRLwZnhd0vKchf5Y^K zk(uegdjm`Pz@PHSo4FcWs*9Rg8CyF5&k$hYV&mfbz2N`%)&D&5e=XJcpQUfunK}OV z(*O07yL zyaMkb_XBTzM2kQmA&{i#TV+>>gJswcn9~a|Yl#=Sq+|j3?y!Z5qM~AG3T3VOVsFLh zGv=^-ctgVGDz8`2(c|+nNXc7gL4J-C9#7{obH=O(*3O*O^UIq=6VT3YAG&6Nmr%uD`cgONG26CGw|QaZBZ*MUe0CcyV!_cO4NykqOWw z&kL~vJ2O(Ac`yvJ7ipZ}llv=jF*AILAiQFtI$!dtFNp#y3c>I0$Yg;zEntFdK`miY zn`qtX1XX!>&GY^<=l?yL4yqRyZ+T$kJbzZ%#Q+b0g$C$^4ekpIICM zn6FPvpc4PPbH%jP79zEJuh`T$(JOX^E?*N)QtN`{M39MT8zCvueJ8`?Q{FlLhQG?k( zyJ|aZ>H?c~qmPXyBk%lh%L6XFaMrv&c(r%+rI0`k^l??;{H>7W5O@6@k#j zg#38WfK8ojC5S%(x+9bd2kpei|C4wR(7)cp@7z5){cYoV2G2a$kk`as^fRX?SYjfOyCnic?p zvMf+rX*~Z3n&)P!%llhOrT#;y+c!5wfKoqT)5(sqc`Pua(SS~kWj_cw*uunkZ7bSk z{H^q_;eSi2VKj*!(DzFb!1QOLtAA>MWdd>~8Ibd%fJ7qY&FbO!%N_mP8UILWl!;3& z8eqN_Q2i38-~+H4`X&OhACqDXNJRCAFk)&KA|(DhG0A5z{!!CC;naSxThagsy*q2P zJphwM5A8}~TG%;T_X1a_jGur<7JmfQ)CS21u(xIb7SwFt=&2&Gx`MLfUPy~Y+lHnC zRFw;(2X-<52mh+8_yxZ;N)qak^rQyR&0w&X>gKH?121I)>@*`$kCX|I7-~S*o{S6W z?k=VAS}Dwv!$3V`#~M%6Sz8mNJ^shvu&h5gNe>XQGK(oag9pl*PS7F9q>?uSC$ z%;43sV8xfLfLTa^*o1LkcU$Tx@Ehpr55`ea=fumD7J|V0Kz-b0HI6y(`LM_Atq&il*75y!# zT7Lp*T~0$9pe#c10I50P5bt+K-f`b?XHU88L5xJ&Je%11x7y?>{3kk5F%rN^LLj)x zgOAjfnvV_4s0i4as7+cABY;TaVdiG=w{-UZ;hwPGPzqpI9{~tYL4_UF!1?ZFgB|IH z3j0$Et`Nt{7k;oQ{EbR^%KjmAhmj0c8gR&!U}v(?eQpb0z4RK;sQU4l;wU_!GPT4w zD)2G?&BnGee|BYmcO(YH4niQ1%-fEnn7jv`-~t9F*L0RYZr}J?Mo@Tw(aPTl|EA`T z%a_xWMFGTA00oXtu)&*T;MG&1VEzNsX@9w?e8$xu+1GL!qXMFT#0CQC z<-MhwGjJh-0Yqn!riHR}I;erNMZ3R+P(rQfW3az)`3gA!JR=N&(D2*s{bD{y0Bct& zA`qQNzI&bd0?~QXcq8L)&9o2UcO=2xA6fycCKX`%`>S|o5x_+dEug1C?pvw6HZU=% z=LP@@`WrE22(@DVp)@h^8xRi!KcsENB4kJz#Q?1J0S^z2)EPQ^C$3DP2B%I==w;)dV9m zO_u=_u{$m>|2N9N_s2?e7^mC-hu)D0cKJ-{i2bqvqaBI> zr3v_+R#LtYMp`T|rGnZqQN6HFT~%LH=HjbKZgZheEH;DtI>${(mht^x-Wiyldz%u^ zOl45G=OsJgX`M`$1>SIau~vmgoBM|#hW65gLfJ|NSC8{#HJZTWMY)qcGfyC}#(Pji zM|Q?SsVS?H^O0hv8Z7WkEHPM3gjb!MUL9B7tm#QG{1B?}VQykS@*U!d>ZKXJ!*l*I z5yoxdbwTiR%cJ7&Pcd4KU-W=qxBFQ@J4sfapV(VNYr=;L2(i* zK+l-=b+799U z)KIx^+|WFV9CWoWVRCGFi&1WUr;g~NX(8C4LBhxC%A*;?SzR~3?lh$I)Ty-RVQ4YK zn0(KMY7?gAp`8nzZpCrdg$#Qhy>=;+Ua)p*elW_byaCtDeiZVZzpP`vRIa$Pv=%0C zOU(7=7>C*C83QvOOUvR@Kn0if>K6IZ+@WIeVyl<2u9*Pw{f_ZN#kC7VfwfgjsQ&4~ ztutjpKL#q24>B+1MTEiw3DOLA2F5N;}z-PoGVKGIfWUB_he^Gy2%HILs;0ygd z;C=Us!9Kry=leMT%ka|xVltoMa_pmk zvKC2iu%@!UsA6AK-dZ5QUPXo1;i59C~4nV9P)WqZNOf3yiJ=FX{_nyb~PWoH!gg>E@`V{;Q*8O=08fy#A``P=ZTw`s_jg0z5uNr^o zS=@+Y3BT6A`3;;u@mD)w(;9H({=YN1?H;!*;Gz|r$+fok1f`Hd4FoY09~;>mL1?$w zBCv#2MVC9C#Vd=p?dK3E-<)|;U6(X(+k0>Lq{6_H@m8lyetfZw;xYG4N89>-CV}as zCrM3vWi^gBZK8x^h2QY?tB8XmW4A$b?ej&)U{qH6O2HMvQ%uN5NWztO`0tsY2gQ`E zR4Z$zzrBc|3^^zbe{piG#f|7gsH;>=rn`76%*VH;8hjTs*gsojQOD!tFLEdosSVGQ zd{w$%jv>%ycM3K4xpuNpL~h@U|MhjtV4>GuliiqHIr)dq;t?Vaa%?fB6;ZMCsFB0| znSZun`40HsM*NcMWbO-)iN%1^vbW?XIY5f)P6LD}cQ*}WK^mACKevh1a3>PSQ~BDDh<+@ev`H-su$uBP9@*AO-SafXDW?lu=Z6l^G1xldlv}9b zbZQlf()-tX|;Ns=%Wek`&>G z!wdel5u4}N0etz86I;fz(YY-&#<0OU}HP2&Ut z;`0kv67}b@Lf(-O2qP#JwcN7)t@b6q_m|NMLnWQpYh72_k$WRC-avG)yL#A<)o`53 zeQN5d>yI{Ev9)ko#Vg)fd$d|@ViT~Lry-+9S&j0>I-AxRV*2j0mY0jlz1$kWyQ+kh zM5N6@6MndlT?-#=~Ar*Q`yITa%WTp!OnkKS*vg$*{i3(Oe%! z_Su>bVK7Wv;DGWFNUz^c)>M=Yr8bzoE2QSP`|dBRCQwH>@{0kcn08rCv+OKs_N|^^ zxNmP6e~X{55T?vME*1l?$MCH!=|3yV6w@DPf9K@o2IRfIr{E0khN9vf7+|EK1J2%L z$?LEHiIl*#_eg{LrQU(&hY!(0%JN*>saKdVY=>s1?X|xw$NdD~NJ78R(dmK`KHYaa zZe~!Yn>OudXn^nCqAWuhx43F9ntVRl?O0sqNb7%ggSN4G?E3XYiTOCxcuda1yp-v6 ze7~>ZS?ACuVpYm+&v9Z|ib^s2T?FR3EXDZdx>@-+{y35&mcbIm<$Gqk-Q)4~!qU-h z5FJliv4EC~s|p-jb=iAORhF{kiBxa!xD$Zed=ciT)1-)oYA|Yo< zp0go)1zn9Ig&R%;QCFc?2A_V$pe;d$W=fi(Cj@*XvqJkx5+r|VLviWQBECn$2o}f% zaLh{W%Q!1TEgEF!A2r&Nc+c&qeV9IL&pv5 z>pV5ZUeJ6L->);p8Ydp^j+;usiyHH_Eu|*gk}#2E zFqi(?z+oE&%A;hDR-ooh8!kIeDMb>&N>*U(KGInltur+-@Cl$$GdR2PZ7m07-fSo8tfce)TN32~pwiUx z7jn{>8=u24Hotr<%CKXp+jw-PL1auDI(9M8MQo=aE(UD^LBTH)eG{jLxvCWvtzIDm0!Z&<^vIY4qonAJT@X67p_HSDhi%6srgVe6$m^m zEJhc#aXZp5YmdplwxstbqMv#TdtobCU7$FKbpj6?_myi$vNdf-9NSbHxs}{UYE++V z-CJb^Rc^V+nekJ}J+j|j2swrvgyt2!uPWIAayWS*aOI}FV4%e^Y7-q9i>)r@P3l+9>25+rCIJ>|Y#qb9wVc-?W0d0jJ?INzz*0|UE?ES1xSK(* zjNX{r2`HfIM-U>g7rbAwv8xLh%F6Utj{Nmp{b*&qUw$s)FJc6hAvVdZ;Ye3oF7)Z8 zb&nvhu8Ajf^ap`6-bp`y%_C05?f7%{(Hk{^xJV4dT|$E$=^^)66onQXwNoYz!2X|M zVlG)3B?CIa9Xr{&qR%&J9QWysSI8}Ozg{LU>df0p-oJ4*7-PHfSbL`CR*Z=%_Gw-` zX*{1^k2X*)R?=CwT@>)9X+}GXKp;&_Z1#)@lcmZw9pp>A-ii8W|1RH=2Bd&Hhn;a} zgDjf~M7;^w7AH2__6G`B(dSe5Rbdl`fjq^qJFj%98{AAEzzV*==| z(D87gzR5KLL8pyu?GWh0WU4>E`wpt|o1I&RFv8p0B;I&)m;(c^veSERyMhA>oEa9Y_>=|kb8azag*39$}$ z9j)9>#-#X)=}zqn1YW)${U z9qCI&o`L}!Cl3zKT5>CFHb=wDL93`<{!Vywv8rDT99F)#4a)_FbORv)8#j}BZEy2%XUc3>x-E~?u*aHDe##UN6B>sMg+ zf__ab+NY3-By z(nHy+v1`ARn<0Q20DvFhj!MV5E~x)Q9f=d% zgIU4nqbZ~As!OT8**e*oORh(z-18DM4iwuhExOB7Ua&-;K{-^}GPq5`UC<2tm9 zREY4pI3oq&M|`mlg7R0!Tw6gD?1Mf=6-kY@_qp<=v;}(_2}MF_B%dCH$2hVO#W|XB zQ?u_#)my=Sh)o(Od;Ka!5ZelzOSwedK7NL4w&%!JZ>>+^H13g*Hmx-T7!H*bp%WV*_X&_SJ#N&uHV$Fb1UQh7zsKdTS49~DVSF2?(&;+TaH0K^<$$0q;lN_U=8LV+ z)-ZqT$9;+K!TKV=S%&*td1Y&%wDg=PGvfKEqgB#@6h^$$op8 zF##0`4O!h*yLcW|MFl^A2MI6{q5|EUmP3Itd&{ymj=)H@a*g1Y7SHBoQPBWHq4pI` z0wwDCBNSvu3a9}X-J2!^(xI4_T|ZBzcN53?N(%i<*3{Kju!R_D>G~R=IraO;Tcc8a zQ&rD!geOG}^S?}EBY%?mfbXYtjJ?A}Y>nQ4toH?MK^SZTAWdYsfTEbOgR|34=cT=Oz(Xfj-JSL(-H3)>)9VdA^nWaVU zga;%BD6dJvsrTg?7w(JFe-%9!6%Cxp*}0)#6_^i50Yfu>n~?)_yhSRHUs9zzTVHp= zbG2_>?!M%eMm$j2kFf!2kM7`}OY32PF|k(a6|cbJCH_RXVv!1ef*UIfvp95=hoMn; z_?SRbv+B4G@f0)v6q(*3!-A!o<;WLqjqP7L?>P0xJDF5S-H7a^s*8t{KM#c>O7`R) z+VuI}pfB)QmHSv{gP{4S)~v4m#3cv3R?_LzvU76w^pUh4VPIf>ej$VU(azqj+8orD z2BeRI5KeeP3HmP4hrX!d0>NK1B%nsKw#!-=d>h{%dW{8q)~2#&0o*ON~f`a%!y$!G7LYl-1??co=Q%>@K|pMSQ#B?ch3 zag#a`g|yBsqCM@)E5 zNW&hhlEK)_Mzmk8YK|2fhv-~ro=&+PmZqqoAv};+(+0hqeP0}w*17Q2+(G+D3IgFK z3XBjEVu55wQ8&Wr8{O&p)lO^~@d9;qfhYZR@S>=5S7FglyVVALQ$j+U`u8o_JH|z? z(=}3pd?phOzZHeFFu63V25R)ZlJYGIAjFwKQgdo~*@}-U93!|R^UiBN3et&YjR6o- zx`UV)bONJZAZ|~aX^co+`)zv{Tpr|N=8eq9#)kNyt&*%SmK1+n_ z>JEsB#@Dmv6^@~I3aAine-8r#ErMw@Dcm}ew`n1;``&7F#s6HncKh=gM)37GrzIgq zq}Wbd^xPWtjdFu9E|;sJTeAbjs5Sm0els*KHfIOqlLUIcOqVM}sKaH0%ip+i$uukQyH!ANP{hnULd`6-PH_xVA*p`AegD~rylqWnu zyS5Y9zBR|D>YXbjf_0K`-;wk{DM61a_@($mW%_&MWXNts=BWimW#x!?pXUvEklV@k zM|2Df%TfY|SS5HiHD%?lRXvsHM1->$REyf^yNb_%g_UPfK@PAyBsc4YHs3FOSo=12 zJeUkQz^XdhdB50JE4YSVr#t1%_7SBmKS;IDD(w%#j?;AFDqP%Z$UpAUyd>iVWR)u4 zRfY5HX;J#=aK@v|t&|nQ=$Dn%-A9JGWR-(7w6k2IkxnK5qawF8XU&iuaE1#Y7H7@I zHZ$950ayK9{}5EG19vK?3M!}pC*L0;{~#&=waC)}C6*C_PgGm+#$4(Z1bVO9gATd( zYX|%DXp_((6maJ@9g%E!P=3b=F>jBN+jVj;co3W=ragZ9k!<3d9-V_;$6j_R>T;72k6(Dv`iH?Pe zLr~!4eS7+{vEWnG}+H8MO&VthOq1;xwxcMfQnm?3$mr*O!~GoJ=#ga^1A-PF&I z-KT4laxInLmLZ^X3bzaJqhn#YburUUM`7?WGBS3qQxsA&(!8~FWJ_W*i|_?G3GStt zT?W{>b|U~~$QFb&Al}jN@ooxej~&rNjrKXKtzZZVeD!&e?cIP4Z7fy?tJRGSPw< zhgAb7SCE-&m&_Vob=nTixgqqVpU8WuCMQLYd(XimT5s2gIv)$M`SKQF5Wx<}1k@8N zFMA@LD*EO@RY%kqs6*Ru@G{aq}u&cd;7h=@(qqDoxeyd79`#&iEq%_4?Dj9)n#|Rmr7KqS8@rl|h z6jVVJ4ZaIDv|ZBRs_$hFL5R4V8Tw%d6eVH66$Yqg=f>h}%5OLJqXg<{XK{m5n`V!u z=XvfD8yDLfU=XOXR_vBKl58eMb7Qv(d-FKvvd~SKC*-Iu^dg8ds#DC0ikxSlIXtS- z^KAnKw5M_h!4cHq_&4DWk84W9)hB=23$6IOcr^RP997eahDvOSgv*J#k`ir1Iuc2l z?zGnLnzL0a3kG|1g)($(QX#X#y$}#j3vZ0lKYvy<`uNdswCzz7PU9}-(n_;lR53Y$ zqkD8FYHNQVC|sN%xU={Y?vX?^<_mn9)I#Doi70W|Vu09Oe0D_=Ja}9NW+k-mC7x*- z@`j*M>Nv{gfufNqmcGU0Mn%t)>&}IV`K1LlFnQ(;{eD`>$K~Oa3;RG%(@TV?&4JRF zzI*XYBT-xe-)0@!*?;PxQ+h%VgflV0FJ3dcjakJ<2N#^2(g|P)V6y?K#?x-a?{Sg; z+lvxo0R2`zJib`lq!-*zgE!EtM6R$JlxDOCT4mo~+(Bo${6I^YJ<}{btJI^wg0oYC zmV3;Nu~R9qlc3x@Mr{dqnx~W3RLEjKSKA0dHV?Bi*Y;0J$qiKAGuOVeJL3oJo)fUk zYU?QTN9sH`huihr8-wfp0cswDG*17APve~4xQy1k@Wb7U1tpTpqshU_lty^7?Pfy? ziV7vE0Y8#ugfVRGnvUjbXh3bbe>e2%!y&d1ZVc*(-u zRWiE$z3k%2stjlt_@6LT3c1)Bh|J9J2AHVXU_%dy`Z2XpP!YvEJzuJ5aHG8Kd`nGF zFMQ@FqN$f>C@H8??ss+gd8|szVA^vA^qvgxk;h7#n;dd5F~$WzyXyuh)SKc=4}Op3 zon0b;9N>*Q>IE=pW}X2qTw*s(+aShyeH0!7`4qakoQg zllF#s{>YH19PC`=UGzaV`DCP_VER=}^g)!bxSu$Nsh3LN4Qm zI+KVmya;hzjAn0X`^C>hwUy2Wj#TgYzE$0R_jnJ=;cR(HA9W*z zgCb>Vs9}4t`g$$pmb0L}M)gr_Dn3msh_jp1q`fE&Cfv^0h1u6Lp8gEKI1$ng)DvQzi}g#MvIx5u9!sbI&SY z>{dy!+Gc!6EV9;)P}L_If7PH-%bZG+)53MB^+WK6%zmh9Sik9O23N|eJtPbpvEPSh zdH=GgOY1u8BgAB3O~@sRTIEww~40aO}-XA~-1d1tj0 z+#pnmH3CMRTR;8y$!29z=tzi#>wmr|+fk5!)9keJ#qel!F;j(8Hf-0EUYfq$xN&bC zd9tPPqyy*X18ZYY}1wGqU`#6*S1we@hW)BcQvw6r6x z`u5z^lrn?#T&@(3s8}OY;?_yVTnwZ&_Q|GKMypcXiCtxpX^Zo+cqx8mYhB(+MJvaM zwL{J*vkLodj_xu#P{)zFziR>70&CNkL7=LXr~q?H?ftUeNr+8gOv3iGi-x+mpb6e? zi|@Yox`T>BuYw@UF;~yz`dg(t%F60hX?3%Tg^$)~vE94l{i0Hb3uLGP6-A2)4*iF6 zB?WEW%i>tVONV#O3xL~@KI12!4rUFHYBCIIXdCKnC|{N7e?m>z3m%{q2m|+tldGIn zS3it3ugEm5b;nkFF?!PHkAkY+l0Z8DOQyL99*~rSmV1?xpy~*xNAflJx#~%oY^^AL z1G*qAsnsxO?TkYSjR5l)8@6ywLp?3{7^Tg>_M1<^Cq-i}8fR*8DqU~-0PR+JIaNt~ zfq71x{VKJBbbU3I?zp|Is!?bL8&OXQhx&jVPV1$R(3e!gZ8J66UYFCZYksgP2#eEG zRQ168nF<(pDKWCx5YzDa$~m{?AS5!dk0!H_T!s?_S@5jpZdbghN0Qqf{#3>1*>=zF zbU>*Ycmr{ozrHl1rd4X1qTu=B*vbRjVj@wEz~uR6y`iPMR07WGSAyGlcCkvgdWz(lvf6YE;z)Gt{6Gwy1ct8 z9OA&>u}+>skhIdA-qPo{rw0(0(RBhK^3N|`kR14g`c;Fqvgx%rs^#?8I>6iZE zB8{!_du*Yl%iRj3VAQ zp!Nm~JA1FN)w%S0(5ano-$lf`x}76!CK!F&89woqkltrU)G@qovRP5qNQ*BFKj}-L z0y;wl$UL;v*e{!w!o6jJ$OZ&+7D5MF8Y%bne(3seo(&b9v9Q>P7kRyQN%qr~fhn%U z=d~FGwLP3koiE)2GS@%b{65`hd^~JbzZ}%)uwyQxTCN-U^mxB$adc{>h^O~dg3IsD z27`pVc6w?HYNJ^zycc>`Q)jgpC=wj)>I7MsJRGaA>bZPcMVjfzlbS+pA@G1 z#-D6jlp*oGa)t!-(Tb}6uS*TOTCZ1(41&!>@vbx@vMs`o&T<idD(idTp*4Wk*t;ow`M-+n{FEA^~5R+w0tX~Wg1>WEoAy5NfL& zdfa{Kf^dOqtz6`VFobwggdin_wP}y_fnzv%r>+rUV?n!^_-Bay=80^rnFNFpyjuI& zAf4+`zIQUMcZ9F6kmKGQ z3cSq5o;S$JQxtFsFUqYz+#Fo^@cMS(nqQ0pbdjFm`S`&6F3IX-%#(DgE3L1#vTDS* zplEEc@?LGu-aOU75ViatXe2eMd3ljLTN3Q zFaUnv`|_={&u_2KOZ_K^Uf?G2R#I5Y>adiP#h1Q67Ra;Pmx5A0dwK*rxh+noj`m;b zFm>fnqBb#jE>V>ctSH4tQ+RTD(suw8zYlLV{-x736$@^36|PB&pX#?X?!zApEN46( z$j}kgK)F+q2-m& z&51tNCwL)k?MKv(Ingy3ga!rhfc>ewbF(bn`%WnWlAf9DePvv^ZAQV%3UN5={aZ|T zPP_mBcsgIZ7-y@p>jnn5FR-Et9z4qrCsX!EElUtNz?JQ}!X^dRSMt~-s3aKZ^y#_U zb$jiRMP(J;szT>9i(dDY@)N)Fl*pnJscM!JfhXPB+{}S z(XY8GH_LGz9Wk-&N`Bi+?^;Wqglx5rxy*T|=+sy<}Yb&ahY1g|{#j%%pKxO%RAh%liB zYHwfJ>iyp^5!@2}JyCkDd}1Uu((dZjpAD`hL&xMM*($o?ER7q#7JlqfcGCCh=6)sW zSz(K+t48*7Dho;zT7lcTLazW@fEa`G{o}_mAqMplL02(jZUj1nldhRxbII+O>X+l< zA#fpmIZ@FW7Rq{$jEwE+99H<-!^!!F&j;0`20wd38LxYZfLW^r@ObRP^{yr=LAC07 z;N>-0J=-E5I3b9-zyF~!9o?-0H^+az{nV2BwffYXka4bjyX`%@Ag5yI4s(Rs`o?;w zq18z87K=^7&c^pzr3zk?IJcEAVdpLv?g;z_uuU-fCgnjGLb|Q)>@X-LXK{i|)(z`0 zytKfdj4eW@HKEqi@Szd#HsQn69ULW%;HIYZDZ2T+Nwy-52Ca{G+yk~Z|5^MUw^1XuGK%8;bNSYb zlz3OkOaJMgsm7q&^HIV6-SKRTajoexjGwo+JL#uS_s51$54YP-?$<|=$-sX-fura7 z=F_K7KlT~)ELU3aF!m7P;l~%m#l*~GqiALTr3<`ZjY(>>4NKgY$@di6ySA>zetDJEB%n3!x#tLdpgASVW}Mx?cNRVq!itR5C}c zuDtbPoz=~5cJxUXB9r=2P%OnebCrs%h5OrEmBo*@AJ@AA)tj9e@HwqZYH^AMpC4YX zdR-H(c%I8RC^d>FYTLszHXpFCS!}D<9z8$Zqn5W`;R`(77&-`|qoaQn@Zu?JIeRbR zWbHB3=?{DQc)e>4rOTJapCEVo2oWRaMYrwp&+ZU^c3*;>KyS zT8Bkc3uuQ~Y`p9CvFIh9USLQh44%HF#j!VQPJUB2?3#Sv)YO>@u?d8K;cdFxm2?*4 zFb=&3fUcOLOBRyBC8}^w-KXQ{CsZ{(FQ>@#V<=dZwc_%&uKaZGu=c0BAiwhDSi|8U19UY>>_K)%H zPP(!NNC1V5Z@>Mu(~F}g`t~hE&gVAe1-*(75C#TCIMH!#Tm2+HJz6%cxx);3ZwIfd zxFpi+o*tNM8R+Qzf6xpiGR;1uS{QJu4Dv46Q>~tTs z?wLu_kJG#@K%i51c&r~I+@cb=^|lA=SG}7TZbk*}Ev+65jH_5L4R2NWwjQ=d4Zms0 zNR{ih+Ma!U+GLdYFv)eez+YT~9zOSFU$ali2U<%E9G4K;c zqv^M{wlu#simIqMJHsQxi-%)}nif9Ak4CnRMpb)xICy~L4^J&B={tkdXMqXGs&JHt zP)R9bHcQ8D4A?bbOiWb{fBGq?>m|e{Cx=&9{%o5rU35O|a-YTomAcD zo|kfK-%N_U9ZrEh!PU2kag?~^(*eh*zU!Jsb=>!?T;|< zFEtr4LgFmwvC0k^Fd`DxwDxC8OF390#rl{!x!i2<3~K7)UZjokUu#<=*EnHddTz$P zBh|gazSWknm2a0&mmb-#>?fYI;aP9>JOa?UgYepEKoGHRCQzMYPnoUb3)`YWEE-Pc zbZ#W+#^`UbT6y5~;ucsqB?pEsfjll?ETN&{@fDJ}J238TY4K(_c}U5-tEE&Nx;D3{}FcH@ofL^yEm&SS}mREa&RRtaJ>h~0tKjJ;QDCPIza zqNTMr5nI(3d&fNQe!jnR&Ohh-IsbTg5b}_?->>VwuIGKfjgoNmWghNz}T&L-fVw*It61-*XJZ{q7E9{ChWU_EUUpZ+?-K7n)0mO z>yt$vR6ua07HHf{ArtmzcjSB?F3iz)t1dxI90)L74UHeQ?(`H{gNeJ4l z3VpthH$<62Tg=NK^HE#!P>z+zkOve|d2G%x))?2RHV z+&s`mxDG66R8LU!M#-5#C^R@E8IQ zOU;M=I^sr-`KffA&-?vZ)OX-is4C~eb*Ac^iPGi_X3=bSYv>0lcU`*MjaO^Y^MfAo=c`fh1_oFkyub2em z%6<8LL_NDV#!?&f$S1l+bivGAcOO#Kc=^(AaMu@mw_OMtyl++065DD0ar8~}JlTfp zF{cv9bd$x8O4u=g`U{B-nkc&o&kKTkFS@j8O>Tu5kSAtOpGZ+Dg>|r}%s``?EHWn! zhjkSl-&v1qkdy=U+0gsSNSjTIVFD;#21my=2b*?A%J^SxZOVu}P2+x#SfWIQr}v2k zix(b5kbU9Vw;Rtk5VWju&195e6MqAjezT-rYtVvzDX-5sZqz5w$*JTA`8npjF=0n5 zuJ!AMv|{n7v*~l2WX)U;XFqJH_GwR+JPUnX<)|U1IS)~^_=OI1n}K1jajy@_cq<9- z-%29|n4+xo#-m}Mj7p4&i(i*mZDLMc8!t{i|BA|M-kEO)gY;1c4jVE6U=o>ho@ZL* zc!OJ??`+z8RsuDO(Zm`N7|!+%^BYQyM|7R7jRozVi9^0&X`@ zyX+0Nk=izxK7wAUP2jhhX)l(%FZEu=K~U8?HZhPrRDjv6Uf+ld5ps>q0PXyr_L z#JVIMJ*H2U0+dKM{|#~9Qg6=qYMmcW=gmabnhfxA(Jvbnl10*Tc3Y`$T1Zn{ts^cdKInfK zl92pDZ-1s8)i$T>m8BH?F>T|PLl>)7B z&P?Ez^!m*+Kx#Ms8KzScs)f($zOLzPVzc{1pa8~by`QnUUy0qH2gp{xvF z&hU(`v+(k&_Ih4dTG0WGedrl~U%Tq)CEMigN%Q`Y)`Y{rE&k+Ze}tacQr^ zg8{N`-Ke8#hIzQDkN>74tz65CSG4jC+CWs>wp7 z#|2>-oQPd)B6AKpKQP)~AJ?C8ir5$6a?t0o(|=)lsq}8u-_A1bw>!{0^?HWCy+=3R zA)S_VG#kVr>TN2Vv#Na~G4m*a$l&bwFfa7O`>T9j4{5X-#;j7rEEfW~eJ?Rg``8L!46X%1t7P!{9 z-Wllx+yVe7(VsGABtd~}@2Ig+HmUf%=b1Fsw6q3Hlh=4|&wSXO!79!|-QN7OTIFA8 zV7k9Fa28e86lTeMA-UMf4|Ngy5U_oCr^YV0#AzI@jnpR`lJn+gOYGne-A+HTui$(h zlQ5H;qKNo6hQkf=TNYr)BB%XMAi1!gQEee8S753qVcN#jHGyca(IUnga^c0GB#a~R zpCgV<8Q!Akwnqn|%I*rVY4Vs*MrnQ*;}S*5(&zE>bC8lH=0*_r)rLwkLp1KtqnXG%cws#erq!+ivGF+zN8X?j+aWp zJ(P1+B|la6Y7|L0X842jW3|UY%F4Ew08*x_o*MvKv_!gER265# z0bl(ZlZ&!3s{%VgZsJ+iaWaJ(?F*pBRt2(uBsT|PQs&7^z)3y-zeGh+;an{4rN&9`4P6B9UAD`J zPd7+u%+I(;nzJ0A8XX{Fy1rk(rJEWSUfqPp!gg%`HGcoQ<>a3jMwF0UsaL}9tU1uz ztVbmC^zb`$WAll>n`b&Nr;C<>#5|80ru|HXqlnXt34rGxitf;7q~`Er5N;WEs=AI= zhI-*aqRGEM$oCfqfWDD|7?Qb306~Y7R=?_4OiplSH>lx49bcarKfmU+sd7_I#HB(zH9koS zhyOKDXt{G8i{W6QW5GEyeV?s0WZ5WxOj_Ts8K3?6n!gXm0KHf*gV4eG$YIk*N+Be{ zl$zAcREB;4ea%yA_GRxxMMXJqu$mT)?PdtJ{-BSxthA?j{rYu}_B{hvDn2vhM;F&3 z%d`Dq-P-kv?kZ4{i%<*~&hlh^rm11ERDoa$7*%WcN=-bd!VO|ohW}BYuA7pil!&x% zDAftZ4ET#pM6d@`ojL?yzm6mw4RT=&2>n!In0J`0DLWj`(N zNpI)Js*$(-o(tTA7m@UfLS*Y%^+4%X({iMf6*!=Yg$KWA^q$~|_L_5(?ao1VywnyFZw$4=>u1( zoGqaDa2cPbEE8(CjQ=X;qWgHDoWZQx`ALoIbd~qZT+5RxbHRS2^+m3*u`%QB`%Ac& z&kfG5FC-}V6A?6;`|`Xx z1Yx>a?e}I}^ak6cQCXEs0~GXYE3@H{lb{sdWWN@z3xXTXwvwJ6jq<0Zx7pWwmp4?# zKx~P|zf-T20$88B)~Js8N%saYn*7lAr#y>yOM^qt+Xw4LM#Kx~)pYc4^wjs-dh>tq z&{AKjHmpLe)dsm7lhTF%vTp5BnF(6)vyHs@nCmTjn&Ln)o3$w%z?!;Ja?KLjZ?0*y zaTg31?Ue=0H`rt$dMt5sHqA}=8@pe8*HBe!pL=8!-9;2%+4&3HnmLlVerJ7=dvW{U zOX;EJUtHc``)4ANM+nsqyCl{h$){HBX(jm+x~b>C3*Watxs&}?_C!j-0lDhMk4`P}-W9<+T(z zZ~g5DdR0|bO%F^dJ38+&ga{!G48bKc#-X~4xIW!X8SKzndO;=l`2lO1iUaNMA||B$pWAcCaN4go%7lPVt;R>I%E}-)8`ve z_D=(=^WI-tkFT)kda0I$nOqKPW(tT+OXx%y|2iN?Kx3#>Vc?bs4w{DI=I~|Me$E)7t)`gj8QpA*9S(M$;fts z2F?h)^+`408fUiOX5H~pI^_4(79?JY9rF-GTJ0<{%M19wPU{7#mRhQ>)tYq$N$VuY zKLUUBu1V=?KWVCf?GzqYh6}CnT-K?AKpOZK-jh>5wC}ltLZP?6t+H+epiA6xVwLXNVMW#QLPDf0Qjp=%&Ta1zC@( zPuB|{_ZDwk8670^)v$Mj$%-_sSSHXmw}kZvs}%l=hywz3roY&<{*U-cTt>uMh53R0 zyymgQuG;?*a^)7C`tRRL=bIew{600#lC(nRJy;gT%Fchd=^jGG?2;Sv~q7 zHvM>7QkNWZkCms{%d(~ZAfQixa-CIY%^7yCVl3?g8#sC0h!UCnrCHC<{PdHiwli|3ai7Z$ds?@`Fj#(0Ei*+4h$JX6 zz6>wN1`N?Ufnx2V1yOuIL=dLC%MF%;{JiN)y|jAM?nYbVpA10o#j!rYFzUER-ovD0 znU$)&lYq2i&;}0n?a}RDeQ)Pqm^ri*p3r6%2d}FSjEWi{%O(UoD{(t@Z*n`g8 zT`<*0-#=A(FUbKlw=sbpW>5GgMb~9M2qZooazYUXQ^`AHCwr~pM;d0}IcpP~Wv+lyzNj{}Nd+`ww)Y{T=oq;JA;n7~y zk9wMbp9OYdy~BoDp{(0T2}qu`5$c20_ppN|xV(DDR8-jTF1Dvdj+I z$Zg6vz7Is}Z&ikS!ZWbFg#k-SVG;UP?LX=9{>@ zvdiBe7cZd<<)M8c72O_$4NWXq0%cw0-0IV410s1&b@*$+cl0-WxF*oRRL+aX{hf0#;=3QM~RhY{Yya*~vp~{&_$+G_K zgOmMLn@SNsfQ_33Ohh|c&dK$kT~`8#Ows^p$THs^BW3ildTJw5tS>myZ~OO;rEe*V zUJ!rO->jl-(lAoR$r|f_-&418z_7OA$diA5V6+d;j~>_pM&7qq`;6Q;gK7XAAWTB0 zeZLJDTzk^Kk~QHVp8tx&9+e*68q&E06BFbl!Fge*Rnjw2Au*YmQoy8Y@o3?Lv$H?& zt@X%Bw06?Fp){Z{xgXzDO6uB^nsWPqiE!Fl^y@RwFa{)G=u4AhAR81nVy>QojTGtq zWgy+U9uyj%E4cqtsiQ4TN$rU^`m5}Z-EyRZOJ-fSnt*fOz%6Jo(Wu80({yf^j;3nw z%P2#-8~`sx#1yyu@$U~lJHKu(x}a4{i~ZZ$qFBOma&nv|{a2#^TE&G)gXd4vDP2*& z^*crx!+wFHx=us<8eW@t!BV~g6{kK-V&z|zt0c*EPkQ*O!&IQ)sQpuWaJ;65+>ohE$y@leaDpPCv$QgvY?@q}c^lgL1ziQqukHNlP=33bp18-EFj@T=Ea9r*pHB&t757hqVGl5U!% zV@!}0mbbHElpM`|ZO@-lNFN!*PE-H>`Rr1=`})}gN@smgDZTA}&hJY`iGlcK$A8^) z$o$WEfAR0m9-$g*ht2yyAZT6v={p~TQXu^X$fx$k`fUyV7m4vWTcOtXDjeLXV>n}4 z{D21B>gq`wZEMPs(OsEupBY~!X?DJ(GzovGp=uE5}=TLlJDpu+pQ zFxE#S-%(%Ul^?MS<<0H`liF`<%SV4Pf@hI;tP7720~H3D7eKFt_VN|@O44zXQ_1SQ z&=Kp^Za=|yWj5%tiOMP@-7vLTGiM7`Gt&Y@%_B%)e z$94a)PDp~4VPagf{+|73*vvYMH&yATxVF4=Y|aw->0V{vwU_T;YJFE2lrT5zc+`6L z3dph@_R|X?miVK-kGcmGp7((hu(qy%sABbaH~0s*tSJ;QhWo3!&JHp>`+kIR1b#|M zS+mx3=o=Odb{3ifD~y%jrl4h2LK?Osow}E;-VaC!y~G-``@?_;zBee)dFT4c=u4Ru%^G;tW^BPl!w8KV=8FNZRv^DyiLBuqCEp{yihgyTFyIY-PN%5SA&@ z^p_wO`g%F)qFjIoUhjHM#mS3y3<1W;d$U{9PU61rU;-$h;oO#YXExhBW z+r_5nYyqIk*vltwle_KZ4`Jgw#3O$a&p4PNMO!hzAZKy;Z7Vv?Zpux$dfi@;VfP|V zblV;j{p0Us5n+UB?UGMsM0Ow0HGF59=_Qasgvq$R}a4;nJK7S3W~WA~c!f)N0;YFe%4aIIEfa^(8YSggO2 z*gR@nt$V|s_OUE(nG1OjguHl=EUR$u#_j5iPnP8>*GpQu`UE|C!n-^qmQ;^lZFxFP z@i-klbDDbR)Z_4HqWb9ZaHh3OK4PKiXa;$}`vjXR=HT>>B>+A7mz_BQZ>?~e({O6# zlmuN~OjrX9PgU3V+}zv=BmG)v2b>Ge2~|=GhCO~3J)H>!y)YIwQE)88_+U~^O;8{Pc0{R`H~6+izFd4V~c?Ylc@H`;tyNtnScSd=Ne6urx@5|AJZ2Sb2gjL`+v>{> z8x`LY+?xX+CWvW%z{W^%yrK5g?&;4|I0|qQ1KdmxV_tGuJ0xdhux|WF?oCG`y29V} z#HxhRhMbwas_Xc`D`aNKpuXQmRN+`6%G+)3hey>oCC+H$?V`u39QDz^s~yv8g8m{d zLdnfWW!Q^#&#JX@31zuP54eIetPFG5iE0^u z$)1t7^}>+mig}pN`hu**%4=hj~{1>en-R{s;O=6 zXIxF!uYR=5JGy_BkDs4$-9oVNE-$~KPX7$B$=~lt&;jC*YkcFDfv=jct}^}5P1mf? zEK(|7m3CfYl>{0NbuaIw%%gKmda~Zdo*>Cp&S0Yd=Z9FvZ&y~=1blX}q23FvXc2Ws zyU!*!#7gxVS*K2(N@M1I#3Id&7;I^(7ZVpd+VPf2+0|$L*Q!@Ncb>^Q?nL!U?snIt zV`H!eqz|~w*tyhdI2;VrTwOyC-j|QAwKL0Hyy~Ui?JYR!d04?HqZzK1G%pjGJm`WX zf&8d)Y{ysy93*DE9n!GZPqy?ep7O<`mX2nAfC640u8)7Q?tfAJg0v$sG4ab2QJUU0 zN!YF}lcaOX-_CxwgB!%~)yjY8*V={OiM_)tHf zI4UZtrz(2@rsa3Q1w2UzlX^*D%ez@)T<^)+pF*T%a*dH3Pd>x1rTSw0^cUeZ6T#Y}*+l)1-FC>rZi`q7GQX$wN|%CILP4)+IKcVK!WK>X_aXMK^J zeAULXhPmM9G;1#fFHvy#bMj{SygtwZ5__WqnkQJ@`rqj%^|bq{d+iy73L)7ls*Wtl z`ADz=>itw_(fgA0LeYw4Xg>}C_XHixD@LugC*~GpT{=BP!V0c2kM$4xKM&vm1{B^t z6ALbx&dP3j+Qys+_te~VW>P&W$XsX+QxMjUV?K2e86viohZQBlkkIY zemKY5EAW>I6F5^;SR1w!TtYj*6pFuVg31|{0__G*J-W+c2yC7YMY6^YUetMSA)_uO zUQLD5e_uKzs<^V%pYD~}({0K8{Y~rS;)1JM$2528wX)cU(a~1hAMPnat?vklN2+*B zg1J>|0jFd-MxUb~5 zl-Ig30U$_waGQ;LI+d?&_%f*_f=iZ%f=5jpGVQVsC%|P4sE0DIe_s7d%=Rj6L^6rx zsYaw-E|vWdZa85tCfZ%YBJ+bTn-%Tl;SbC2`j|N#*Ot01j1=oHj@iUWoKMt1M3~{j znjKlafHhoQm}^5*j`v#04ND8yGwL0mdh}CKyr{4l>bI2YuuwHjB5;TC&uWW8&jaEG zn6%j9oHR}obA$e{B;6u?KOTQY@qY2n>JrTzC{1;XaknOa_(JKdNGt=4y7!wqNW5+- zw%)Z`1J76Joz3T0HMLdtT-6O!l4%>YPNb;U^{2pxJ(t{D z-&`Jo93|Y=DXC8phU;w3*mN4;<|f>|X%c(mTqyOR11t!;1E$8F$ZeP1cCA}vOci&G zBdjDESw6z4_CJ~lD3=W`0dJ=~viYkH#B^_~qaAdc8=HNP^hn2mfibbmz}=bly{1yd zzilSRsQu!!p~XB6boLcVM^@lp!1qt_N?9TjutKG?ZT4B`tI7_bY%AT?gm6%W(}Ag# z2*rNmmFW1$t`j!ds>H*M$u!T`G+g*ob4Y?|gX@P9i-sqf-CfG1f$OUVh0`+XHKmzy zbT(@O#I`JjViUx+8z&1;#m_Z4|O!O<5#v z)reeJ$`$NA+1*tXCu>_Z72DdU&7Axz8iS7GhXg8-v+sVsB!W$x zFnL_mNHKZut+q3TG}AyNURWv~KN)oDf9L8-%L#eVl~h?^&J*F0L?JWv?FiX_-Qz1; zU7T;j4#zyXv~>)35=+s#oKm<*P1zS8L9<7a|D|MrT6+EDJ98eg?008%T-5H_uB@%& zg}In|q4mtdv4M2isrFFw>O*ez3M&x1 zcRnO(&2?sw?Y5gav|2Ekmt&q8_5^49*JUc)wqY4+^4;CIxt6J#*6j0f85y`C^=xo^6u^Qj-t%$01h%i$gDaA8*_P37Sze) zU;vWGV!%rM%v3`K>uY}ZNIFKl`Yzh6?MwgyY#%VYPF4X2TE`3Mr`FnMX5Xk9qOKx9 zDo~`*Q&$HfSZ5rM=-ZWnHQ`1;VR~%;pfFOb-ecMNEl0fY-LB>q1m3V(cn!=-i(~t&5G3t9AFoY zH^M3jX@<8I_j<&<$NOh*0_KhT0nOD>qTPlqjDYE!NeysVy!Z>FXKTa4D!|l7qh2}Q zr%;ec>4r~0Ujt3%&8FNh)v%7v&PTW`1_8qqZS1HT#E+L8eqhh63v!@&f%nsfka!Fm zTH)SdBCB1ylj`;uQ$_GlouYImWgX3grC!l|RYS48D~)-1_bTg#hF%W3L#C6s$H%3g z9go$%6YBAFY$ZK8lI+9EjR?!0JSORo)X@zfgQHJ%d;Rn`PtT<%pLytH$1m2)3vZ8G zij#Es?(!~S?$e#^eCZDyIZ)PAuJHFi7W(Cvgtt! z6Po+lG>Kra87Jwz^lnvwKtEC}e@Ta2KA zbS1OQTp;-iQgY|t^*-wuw7>-~jSZEXRi z-{==>ab+8>?<~#~PAZK$y>e>+3A-|wQh6gwAnvx&l#r)KLHY*x-m^)Cs*ML8K9fP} zfOt9h24@Ga>=&fF#_4^1milhGr>Dnsa?mY3)cY^=u!ajdSuJD+!KkUJ7lTP@;i?gc z_j1h2qe^3NF0>JNlru5(Fj{))j)sm-sjE~5QH7)jU}mI)xR5Mocor0^w7<^=!;6i7 zD$3OEWcKo+MmiiYHaY>)pTD@ccyx~7?+;v5yH)7qZ84?T$mZie)J)=UUPPTogoi(E zoyc;l+m!NLdOnCi&ZGnF7>$*M`!5EGrM1OmtEBlDMa(F?HuMUwZk8Y*2eaQO=}84# z{)PN100Lh{^$MCR%h6{MWP|gh|@f? z>Ba;UM-oKMDELso4J={PFBx>EEHUl_{pIs zMaZtLU!yiX6pnWFb23HTW0{-(_z}T!qpLegbNkuVx}p~lKC#lhma80oCn+iLS5s~h zKT8_dVZuomdZlW2NxVRCiAwEmVZ&k*!y)o?=8oXd%f9jjJW_xC)L z#_y&l!S6!Ycj4E1*4WGWN&>Z##2jm^E}(eD73U^ZDtPc8P`F5 zuI*$zR zb&v8l!tJ{vOSe!zCIM(FJy#6%EhRCLhneaW7+G4_sF^JtObE>?ZP=`5?q4OP@sDDc zuW#F9-W=*mWfq;Oa*ThoXhu`-l=zzFL4TTrR^x~Mxhrtst<^ifagY@aj6#oJz0fGOd zJIJ|^rxD*n*sdY~QZtoHzTc+bNS3r?q5#8j2v8Nw%cDm>0WRfrC~pm9Rv2lBqNnj$ zJ6kE>veo4qJUvHlSp;OS8o8*bV1fA{aMV%piKCk(>8Q?33En>70Nr9Nwd|ZOta~SS z=4>cq4XD%LTL0exLxtn;oKbCy{=lhYMS>3&SyB83B`rw9!P}nSaibygJ}*>SByYQ1 zG7rDhk}QGYm$W;ot^^!S8#SY5_Cv`w$}Y~!-RGZqviWVGaXp?+9B(c3DW*#jqYmnTUaqBt zBs(RA&y*Or6qex%!Ol9AocN3;VEn9LHRQJCn;E`bn-QvZ=HpQ`P~9dJIsJ}UaE;49 zQdT1<@V1DFFpH$?49}f)!cQ_;l2%OL))vfa8Mi!%cHxotdy6~>WeaktUz7k2-#&wY zEAR*b&B*I>C{ft7ZgrIUhX&@~XxBk1PCTrY=I#BTzq;`hihQkRplJykwuqy7-HQyt z%ab{;twM9cd0l``EcocLVh*NVnFuzufLv^#5hG=WSjh4)doRg1ZXI|WyPo3EU{qPy zX(0BQmEtk+ctbDTbh75O^FUUzyKcBtN_c&P5)wAttY6RZzcAG+l(E6uoJm_maqv8V@Rv3%GnG>{s&7%IeWqt28@*{|hdGyA%u4CfR%(Z6n zsT^FibiUbwB9c8`(IZF{DTLSh?5a zy>_;ag6!PEdqX(8Vqhaq3>xIu&gR|0lWhLdMvZ1?E#u8fL#cLaL}7-9CaM8ulsp<< z^nrq|6sj07B+F_(Dd$H!@?s8%>-j4k`VZw6kB}0Fhz10K^kdub9gS@X#nvKKMPtWAR-+7ugXSoH`10koNu^iQ ztviYW?$2taq#u~X#odfrYte|aH4yFV>rJF#ktBdy4sjFJE<(Lgy7>bv(VE?nvpjas z7#8WjGN0?r-%oqHI)=$Czn?c2Xjv$(PBh+@S_JHJp|w$&WBjW;?Nn!&&7S2azP
&ctUFu{j??)%F(5nCk4JtB(D z0e%TB1yKY?jSl$6i>)bkC5+#p*zWrK8WLtOr>q6~6y_0lIZQH+9u1hfr8Hw+r7e7X zSm2BDcUEPc^@}uD+*igA-w4Whd?2B5w(cGq_vKS|Hx2LDxQEmOHcynnzWbpXQ{9g^ zg}eX7gS^W5Tk`KAsPKW8he35$>(GGkYJ)n?tR9;eDTaX9-?QzC-ROtwp`yi<&D@`a zjO=!M+F_%ARiJIZ=Cu`S;o1Ut1d5^R4B-;%HJ%Rn&!^9F{i`>j+`luxWZL|_f%f;& z@OjzDWb0nFR8Z1}KgXM~=K}P2NKpEfn9H4*AoW6>%(D%9jNywHoRG$y&^N!#ttLNG z-h7HQa|*H2O;nsd0wANfcpaHexpjcaiXGOWzL+)34!R($NcJgKTGw>@*WRcVL37T~1bV-|j1S_vnH3IdDZtnaSl6S;J?#@B=Y-)v$8R`XL6Gi9^?g4hi%}NSs&I@e zu#u;F1^lDrgKy^cZnsGH&(Ajlpsm+@W0=I+N>bL(kHXkZpJa`6~|PjLHS zTxsSwrgYG>>10ri1GRGm_l6SyFDJI#rhRiLY58-E;zg}*=IC0FLxy|ka=rz|DJ1CJ zPge>hD*t96XDxtH*!)fODIhRVfqf@YhoGRNHEj1u9GD%q4AgMmpFi{uL`0-C3#HGscW7o+z8 zd*;%iv(V$bhoVGQ)2egB7)h>8P=^dq_Z(793E%6e1xOldpGVV zMtrIJg~}44)VGZP$fFps;GniQ5-pv4B}U*1E2kYrwven?nrwm9Te5%AuwQsz(F|c7 zwx6mvnrTUP1mWZaDm^h$Dy;muTnjp@O$&L^H}lM%DQdh)xbqNx<)eUCQp8T-PFaV0 zTRG*EupK#GfmxIL-FwR{=YDP1B>Y<1nM0X|obv{o_wrOdCgCl;S)RwI2(H^GQzWrD z&0IoaVroNSUS7&OahgW52FFDO)L5~V#8pJD!8zhb!;1;(!?U^dttAXj!WH$gWN)2d zOkfl;9bpPBL25Tx;=((Cp6E-!P#J(w+RyF>tUv%JNwht0>yhkC!$lv%Dh?2gdHu^} z=TtV+Q?JQFX3Y@WGHgO_JEa3(koXXL;#s1|0z`*&McVz$Wr`wM**9tS!ObKV@dsz% z(UM2A)So|pUaCz4c4Q0?K8$PhS2_;gA57=ncThepu{tn+w-3VA0Y9H!IP%Ee&MwvP z$9}HDA+|XJJu6e=l#?!lXT_pvN7aHp$U6jBQk>wC7Xd4T@%^*umGj5mep!OXwLg6n z4SPQ~SGT}~q@^`Z4mYjO%q0#cIdo@Rq?6-g{#y9!kGX>@L$HLpQTC5`gl4Mj;X^p$XD0b{mWctk$ro@=aGzUYJ8SzZX_0O0Q?{qS_O9pWv862u!Cg^MBN;r5l z`OMp}?B>Ffb#lsvDxku6E$Yv8rO$?Uu-=LxqTgggt%M5??W5pE(I6Bn_~TFNE~=(5`rRW7QJD^Wm>i$WaLeT}V<82Q3{|Hy z3@tAUQjZImQaJG};KM9mok6~=oW*>36N%J|-qEwHVHIv$7W(L4A8zTV(fO-C)L)L` zzv~V_kX(?JJdxog)7|azScr#;bnm0AwDeT5?T+|nu3s$J2(@Y%#{3NI^`-D)`DmDsuq4 zkw3mWo7mrV#G;T4^yHOVOZ802oD|ivhS6(p3#y(wvS6W}T02(=Z?RxeyK}XddM2(V zX&}74sj>~z_~BLQ;%?ZGcxO}gh!)W}<(B`+tD4}OrKBos`WU^$6P!uV9qWY`X4^p- zOHpB)kJLpYb;IARumD-XEU^yIU43&+*~w|F+rK&atcXFQ{ZK|{jXSvHL+$1=#RAGM zJ5(-f>4CQ0?xQlM+k#Bc>himgs3~dugVZ_#-Q@dHXqI>++m)IX?n~)~xg3Gx`Uk;s z8?{pTwO@>NPIl={;u=J+p_=Jj(ngFeWsiwhXB(GibwhVD<4HS!?IX(xNV~r3U)GTi z>%+2!mu>5OJILl0egAy%`*Sr@$hFl&qi#9x8%akZ;I;qJ%8GbF=g9ak2Mu#QP+-d+ ze}BFbh+`;)d*kGUw04(9uAWKiyt&(2NgH==#%5!v94*xXjpcXyYAsFE>$o@%kqQzN ztI;XCcOJKQG1)9l=! zk%zZ`Uv7WY$13Qsf1Lc*dCG#GdHg`*`(QRXNynhna%Ajnw-)HDZ(m2&+Uw8joT5t3 zJhi`tQJ{m8``Ge53!|4FMHK}Dx2BRkz3yg8RM%4*d`IzsnPA;2$RSU==}1G2kvO?Q z5QCu1rO&f|(^jva*WWmqYUrI9%eMGGy8yZ?FE~nP%S~trJ|*r(U~K!t0^zs=YUAMO+Myu03QsF6+6 z)sVquC0zxq*bm~KpUp`U>^EYb#8g(3(nnE`w?CT^{3^R?HrdT3zdS;;ThM|M?Yqh$ z(r0mFsCI2HN56rCr-rt9+Rp zu|*VCw`1uKw2gQ9;{0R+&fRBl{&f3Lhgm2=#T=M4gK%+t|wEEx)R zYGLzRP_akC8lhEVMznYz#Qr0a@3H1mx0#7oE>SQod&v2dE`BW}!=ET^b9m>Vzv}AvLEOY)~!V`%{Ij5=t{}y-M8|}f1&LK z%%wAoiwWyBAn}2>19q;1+Q^4zd%h-;F1)9Ev2&0Q#3WgWLBk9#q0`R4N>SE9@c}F! z!~wIL=ACMH*q0l<#uYZH6TqQMREKd0-sAqS-CMAd1<5F9ras_d2Go{RJY90RRGqOn z&vO~#9x z5*+bH6$Nf}Hxz^=d<{U>A{f2*wmda)j~Xoa&eLh*f7UL*FE%7I0zCkvWh6ToXm*;j zM&v3>_41#+YgUZBzKhplk3;dKBOnaIc#`;9$UIbt3vY)qcx?-MViZ7H(< z3JumTCH;V%sunU^>NB&oEQayl#bHAW-@89N1+V)kUCzWMVjD}BY)+tm!=|#Eq#ZJi zc9TY*ub9^)FHJt4*iNGYvUuyR4~h!<`{1I7TNmR4u6Q~TYmTs16+ z{Hy`s_7zPk#+R)#r7q58^9yac$#*#XZq0;Lq7`+hIr06SwVg&?Q|mmVr4ze8ZV{N> zDPnK+y@cmL?58Z<{n#i^x#My@AnuXF?eU?l6Q_?v9s!-6mj9w$t{VI=_TDlq>aJ@W zr&OdA5s?N#5D<`-20>Clq+6u~WQOik0qF*5Bm_z6E>Re|I|gLPp}YC-(fhvN=Xl=x z^78%m|8RZrn30*^>{x5;Cp4LAv zea$-k+=M-6Sb&3*Xe$CF_v<*Xw9&39ML-lz;*cMF!*Yi!8;2Eo;y+sy7YuY%^u!j9 zoQ>Rz+V?}m&JSzy@m%!X$;?meUvncJ-WIb>a){TucjgSTNAsYpmG7GS=~nA}THs_7 z6#KiE;Y+1Pvk`A^Y@|!6Ro{)VN;3RieApoa}Dc-b7W>!@JP-xiQ;`yHP78W^7rS_IX^f%xqbxgV9C%IrH6xXyVdu+i(O zJ?YH~yBvL+M($8@+=_Nu>dO^Y7Tw=g-{>@Rv1(VSv&-?22ZGx3=t& zkFuluqr@|65Icdg&s<#kb5eMp`bP0hYmrek)!-por4f4k~g4FBN}K7Y4(Bhy`5W7$MiVz|&!#WAw<9m5Ui={DA5?(AnTPMPobMB+crHP)NO(SoQ7 z4;Ri$$rMgv(+3h34Jb%-lf?`?*I#U@GqOvF%+!c%QWfE~Kg9I*WkP9q&Qo1wdR!Zi z=pOY3+K!!Dw~40%&B4#?u}))CAiIcbjCaGR6pqQAqt^RH>H;&6)n=2EAEU$V2cBB{ zSgW)U7*6R{7-r_NX)?%z&0IOnTu`7TmZBL`F&-;{FtldLRe-1*Hl-L_-{mV8u=N2S z9V?M_W)Rs}J$UQB?wtf)4K=Z0WbHU_9l`2QNkXaRz_{kb`E>K-#Gzqxi$bwe+xE)y zZMdtd`(jnd>!}={-L-*%W1F`wPcDI)n~7y~Bg&OBQ8+u4{iL%+*>7025*+~@>EUJ; zFtE_a^BKkrA0hA%+c)E)A8c+Gfp{y&?SEkJzUGWK=aO`f55MMNo(FdZnhmPn#(gQh zzrh)C%bgJv>ySWVO;P>!54iu>HX2w+DF%o(t?TOi0l%(Q<`Y*6-wQ z1qo_RvsiPVg6(AGU*8W7zFvG#t@Zp}C~gN%Py%1+BR92~(UIyg&dhwgb~0KJ4(SV+ z?!KI|TS<85LHnH0YQ;V^GoeQ4J{wc`(GH2czK6H7aMsA1ueR>5r)3Dzl$e)#{db!-q|_ZEPZNqdn?Ze-tR(%TP@H8 zB4`m@E>tWi57<^f1MqXK2AHKq{8r_1V+$||-h>ez-|A8@A zq|R25Nn2(%|)IZL|*u}to&Kc{vRgBj_A*Q>T*{G%`bgWoG{j^FOkffSph4I)4*}>4v zCM$~y89Ennac~eLW44+7*mSPEbso^_@{z0s^L3W*|A@;-#SEQEeXZ6mcCirk@A%%$@-zJA{nuoz=hKJ55Dax%VCt5UB$qL8(lTi~%&UG@1@@cs5PJrDSP z<_zwfS31_UT;(@9r!wu$TU~Vc z+z%2ou8XCzp;zc$8RjKW`fhkuZLd?FXHcPRQ?V%f@@1Oc#`I%t(%BbNIglq4WtV!k z5`wSq6dSW-=H)#pHMcq0x1?vub>6eC4}q6`A9V*E5Q1%yfE1s=S%3cqzs0s%gvzs$ zCzZhz9tp(&ePH}>c$UAtob%bEXMW?mN0%#XBAuE;g!9f298z9iUiMHr1@m4-IaP}C~qpe%?nBp8+nxG$h z7Dee_&~`X&h&cX8B9&oTLk>X7ihFCce;vbkO`&2Koi~goU5a#1G_^B}zfBxILUP6g3cjVXyAO?5OH}6UJ$;Zu9%NK~qluS8_B3qVa!M7}==FjFTI=F( z&sIf+^wSqr(SN^7>P-|p!m}#pNX1uw$II)z{ghpxe?dYu17Mw&ftZ!QzIUo}%czHw zsI^rI-4V{P)HZE< zV$SAo-L^2^UcDUSc==3n28!Ch^C`pn+-v9{2Fa;m0;ue{P1k|V*fmEP>&O1VINm(Q z8faR%^;8GnkJ3I)Kjo{*xq8Lr+|@*srRV;kQfkdcF+9mtpDkW1C#P(Biw zz@|0eGJ3P6%(_*U3};fhA?DEjq!*kR|Fwb|<(O{X1zChD4yPYi=}6RWl3m==zegUZ z(I!BrSuyleM6u)J@G>vP!4!@_|PsACNs*7u8smcdQ7}pZWu;+NxT0`nx z%`MC0K_sxh7cvV>(3gS)$jz;H;eqXrGRofxv>N7=v{b%KY6@zQH6eziteaV-)Q*Ih zE-a>=JQ(h3@mI(Ik)l~-c|s}QaOV`6W2D1!Qm{Rj-ZP^9tCTfc!D1I!s&5}Dv&%$g zw3OAFZ>Y%IXtZ-kJ+CfJOUHuU_>!oM#EsG9U9{Ww?S(RHy#OVo*Od6v}xPAM;T^a4!xw$0iK zG;||q@Ph_NLlE$|A=yJaIs)Oiw!2M~ptP00uv9GMcvV-c#?a6zX>4WQFfLxmrxW5N`I9~_Z`$`AL1gD(X9X`$() zV%@A=vDT4=QT!9Pq>Y}uEp{OvO5ce7BuiReb^(ehZPrVXcWylr$?9oq>DhXhtyW8L z%NNb&%gfc!-}ps+sJkxM$&#*@A5w#8L;*x2)%h2@BtJ#3(LR-(H2L5bjn`^E;lcp~ zpC(pA{lmvb;N#(`&}=rZ;n5(q40xFNm2gTTY)cTIT3Qz+*-&?UXpW41yy>*|CxvrE zQMJ@Drp>Om1JM!RDkYum5coE)TF<^VU!7fgbqQ7fg4iu&kA#=A;eCv?r@rC8S+tlJ zPC$F%IwLy&!`o0e%XUx$0~QibAn^7#GbuxPcvwp2;y;+cwl>OxnYh$_t3d5n?xjis zyS?4V`8xom&v39n)4Ez5XgiN6WM~hl<>3uDgtV`t*?jMo<6qyo3dAXHBeME1TB=`W z@U>(@Q+ddpTbMA7b&mqw-V5q-flK3>ptLTu$61Xkapzg;6pnd=ew^NXe&4kT?W56g zbbMNiy#*_bqhVg*&^^=n=(p>U?i1^?&g~oqS7`)In3u5s>#d_-?$6=%pZjs>^}`Iz zVul^$HLij%k>)xJhVGS?_9s#f6kra!_O@tRq%oETcMa=nHOpgfjb=Y{RROhSd-qcc z;_nbOH019SRiBR4X>YKh%JW(T9)IA|^Rv56sk)Xg$QXhU94Krv-)U`tW2Us$+!m1ZPXXz}r1mjHQ-p^(Zq zjNa`6!HE1&)c$qT`7nB$mR-XvO)7 z+`hjNCBk2uAc+>oKqyA@2@51XpWufy0TlM_tr>wY;!2*4ZyCKP9;i(Twmd@9l0IsQ z2%T?<+t--byA`C0<_y_?$$uV*OGlNuPbHtxKs~T#Rb~23jgVg<4=c=-d+k0n*h3Q( zUIxEcNez~w^E%z6W^YTkHNXcGSmV2wTT%O9r6AikRG4z$`u4KHg$_=|_Fg9D zM)=tTenlp04H>Q1>sb1=-$BM1s5H(S#_)(wdRW)r6N8N)Wtn?PffBS4@7gOEgfw0h z@1J>{1f3ft-k+#vZme^h$~Svv7-zFeF7>{+t$ud!QO~382wd!^K72zt^%4I!)?4g32?!ZNX4=>!g}lK|528*y z9(@ElP^FodzkDx1)pGP{tWfGrhuM|4C z5Q26LzziPy*k_q)M@Ym{Pfz5V;;+5r*06BX11dT`yt)T3>#BZL;2K<>@^DLkc(e*z z%rrHL^$HO-U9smhp4#==$2Z9WCPiOliHda0LGyv%V7MVJs6s#1})>_YI z*{_Xd_c~jAv6`&Gel*iYs?ZQQ&T3wGQE6SCc+@rjB5A{xZgi?fi!a5}?N_|Qn^Jh? z_)R1zHx|+G2`l7z1anT#dUPCrGX;1GduevU<%<*6U-J)!w>NN<3wz9rkpw0~7lYT>$cL2R9z%(>wpc5nj-s5q7*{%w>l88xL z;UwNLFyG#^_|DCZo?viui^)Lmj&r8qYm0i6r-DmI@!>iNR3~BBm-iMVdanMV0WXPV zNj)OI^@7YQ=G3CM^8Nlnrq4z6gvliXg))PZ_3c^0p7-jH2#j1E$4G4UdJZlZTQr^| z4$s}IGVIy>T92M`zmaleZIu3shn;VfTFezE$*w8wOp~^e*4jIy9yzHNJ{xaEs92%} zSuCh1zNL$6)y?~#LBk!)^4~mU7N|KldRNJQvPFQ31h%jGm98>g@IV%5o~pm<_?)Iz zw*Qvcplx1s%2+-neM$!0ckDzn2EHMoaM|Uu(9>0l^dGOSHpaHF^MiLV{RFdn4P`&;{;JLJZWuw85^9zCBQp-np37N46>LpMDXcF0MeVQ$psb!;LP&0V4(*TKMA#vwpLR{ZYl6r8aN|(C+jTN$X zN7i}sNqBKYYK;cR;Zr95lls)qIkewsnHbH}pEgJ~)dq#?oDz}3zacYu$%z8ahm4c%qkuf7I_2#jVB|9%6 zk?jSmc{JP}B`Mbq5u4av`4~<);rKV}59R=<&PdPiB>)0GXd$8OJ9G3GDYki?| zC%ePw)aioVb?Q`a;z zd0>~*RLfTogD?8nf3q&{(SI!q-VZkJH@fEN+yjP-d2>B{6{LrXb!U)U9mcO3I>Tc>fay{Dgbj-vtsCSSF^AkSg0J<1E7vp zsthjAMrP$}Cj%wwI8 z+^BbzkEnMRr#Dqu)3X?qVRprf?Vl?QYbWsb8?b-|nf~UsGMabwuhq3rD7pex_cdyD zzwq1^1{N&><+gGsgp=cUbV6W^1-jhA$Q8Kh$Vv?zk($rpOr?F9SE3nxFK@ z!cyDfexrx~dHIsm(pKOQysam}gO53CK~CKHW0ZQ7tZw>4;Ak*twZ++poe0k()}`eV zN^j97HHW-K9TiBAdV^wlo8S*G=>+3T>w=StRel5+NIQx=Js(@7pP0B-DxN=i^5g48 zd(Npnu$=d_w;pz6e-JEQd%$1Qb6aO|>jb}{-8066nPo>^9%5Gi>aL0VMn(&xyosF3 za(tgS!AfPtDjcFTXUag=OZ(8gAuZsgv+J_y_Evjaag|fT>OB_DmQk7h8_zQJTv+%& zBWG>gM*7nD=-yQ?S8q236e60V4LaiA;4jpEPLH=Y>+f?DT^lfw$?g*T@v!GMTxUyE ztHIDVm}4KddVg_OSPN8H&%Cd{JmD|p<9y>{V&sM>G@hFocI$KAO<9?Ub_d}Mw^8M1 zWA+En6O4Wrl8ez8{jwaeD2n&Mph}_)YS;^|CjfCr1K|;`mu&fq_do;0GOqr{{`|)+ znq>QVhFPBk^@E>%UkXy^LAytO^^Cch#zwxyHbx{7yF<>dZ zevwHCp6~+YZ#PRAzrv>JZN#c1c>SD+>W9@;8b9pT7k}_DAa=h1h!~UDA`p4dqoNS{ zZt(>0T`_lTD@sl3m32WzbfbeVQemmT4#)oE@-#a9Ts;4^Z`@$|+Oi_JQAfG*Y>IZ^$|@GjH;lsq%B$eyRbeAA;ufd8#+gPb`IOiTr0&&v#8Qy*ge0U~J$c-%!EJ*8~hOnoV{fCubX7xhR+26=<1VkM5AE5&$W(L>B)@ zD`0Izm-3Jc1+JSY2xmqSL=sc{(7tsZbi}JbTaiBzJc@h2Y}5>W-(9fyQNTvosV*-4 zgoJ#-PP~}mNd;{f`BK|Vvj07Xf0?8I`u6a~FMKKD2S90!F{K82pUyd))gBUvA|0UuhO&*+Hv0glhHl;^}KfrFl8`0E0jHMCgrDljOMLL0z`P& zbToMjM9rVKlLR%O2gWoSTl5tslRl#1bGA#Q?Q6H^6(9E4MXRCzP==6JDbNvQaA5bO|(XUwUAUCF0k5TjkLB?F2(mO80k9q%rx09dU4#;ejal z4n0saIy6z-SC2A((ArswoW0Mm81PBW- z$yYkB@If$OP0mFCC;WSh!ol=YEBxEcOaL{&bClqf7MaCA0;5||^FlVd%sY0qU8Sip z$yvJhC(jH2wY8Gn@iAa8cu`yXIw(LHHIO^HSGL)(CB4vWXyjIZhd=*&*kVDrKaJ;0 zx38pB7})PnCA7_uu*;|=_XFqlQkcJ$6Cc?cH?QA8`1)_MZ-1%AUJ_W?G=fHVmM;Iv z-2OeTe?1Oz9iaKXT4|yG>;M1c?L)8(e{A!?+WpUG&RhoPBjm%~W8i%J&;S2lAN#Lw z|C#XLtHl3V(|>mO|3Sk35$XR2ZTv@v|Bsga?W=!`);~t;H-_jREB%|r`QOU*kCpz% zO8>Pr`R7>r-}>^`YvuLNvGkk8`M*rkKUVtxT9Ut(wSTPiKUVs$mFxc(R$2@TYa1t! zu9sN>bpd{zk8|+{7=H_hp?P1v`xH>&fD07Q^!3?5N7E?Ke?_3R@Px;FFuVKg z<%=tnrnU`0Q3V_vImjH%i ztG`72_c9}<;0?$sP^+e4zNn>!1S_Ugr_JY`!%7clvG@U9 zWLF_*{PX_2pV-|#OcPq2Q$)Z)E$GmB+8-UYH)5LNervPr;=fyd|nyelq8cdBrXF4sxYk z;9V{YOBQmtZxKFe54iolq4-I67P`3BP-NDizv`<3!zJV%rVF4klhx9SbMA>@)j@!M zTiEWWhA)!-%>^Jzg3?F-8#G>t_hiS#(Y)=5z)J{AyW8JNuJ_=LUjAmV!*KBwn|7wO zhKMS6K=qo|P@6y?0$RzJd>@Lb1I&VRU<L3ya`8G=zX9M!JPq>X?E`3&%{dQ?Tl z#KfOj!t3?est^%hkl*cr42yjQn#vdy;d@<-rVG5x8hgV@`L~vd#s}-o*H*n6hv>Y# zJYL)jDt?=9c;eK;E`ymPRko%_UrFkFP3ElZr+u$bx}U$uzDmP#7X$W!DtgW~n2qk@ z;v9Yv8OUC*$yU4hb&d<$Xm_{t2$BtA9w*`xL9`j5O}@2vZINK zNqn?l`t+-}L}g`V&kPJUR%A6EiL8|lWXQ*|73?fK_4X}NTPT2`P-4J}sKVz?rgflo zcS&@uymj68hQN(dsXl7m*Ff%X1M%~>&LGCRE+YzFE?0c&#QtsiA{7&7b&TfHwY=z{ zfyX&??#AtOL>W-m9=UPD?l71%Vbwm#fbo(Bm%z-A$41T2_2|25r2P^(nLQ0p!e#mP z*RB%`4GnFBHup6P<8`i%{Ck5cdW+-7Gm%On;h0wlDyxNoI)iJ|LwuT7Mg@*f-^P4E zD~_P`qS$q!xY)_nD2$nH_Up)2PB&Wa&rIv6D53Qddx_fD7F1q{<_xv3@OVzT-|nlo z-HrD$Z8^@xPCGRbeFq6PBZorEYmt4ywN;XwCsX|ow}i%&8y?xX6<8>7u5$$5tW#$< zWQQ!iRm6EN8H3jqr4v9-Mt%GwuJ%E_!7~?grQr3c8jTPt;T5uHuGrK%nA^Cs4#;7J z;^N{w`TpY}=s9DGTk-BvA6@<;rG*VvSTq4TLNgS$)U z!{<{ExKa9Ig4=Ef=JW#CCL$?WiT`effu8;R!)FGoJlz)iHTE5Cf%Wjf%=4;*yK&)T zFys#X4svdl@UoA})Qf2$CKYsqM;pZl;k1~I%GSvyOjtUosCIs9oQy+LD6@lRqo`D%w`pWzBG;2FthX3)AZ}@yKR7Z{*%D3w;dO=e>J5I55h4UU{}QK!ytLu8f!ECR(?U7TB)MH|l&odPk%f#_q8d z*#B82YoGI5Mo4;k58PiKP0I{aB8c2rGc}04-_zC>4s@AN3?ka`RiCt8TGUk<>F|tR{}5ua=?Z8Hg^1f|nF!#J zu1<9N;g1^G3@n^(8*s!``PzaeYwyojuyv$U8f=4sa^hpax~0?3RvSQ5I#kd31WYm> z^QilJ)v5xH>ysXrVKUcctbtZC)qCNAs+kA|a1Yn4lpEy~{Po$~JAJ7Z9pSBFbaqPE zzoS{{eejS``Z$?tef*YzeV%sAB%e6M`Bf$YFYeCHEyY-h6p^bm6`GZllcUyPjmb>T z0A;~rPyP!1Iv4)}-^rhwZGjrCzbZBj@>=}yv5PG@%a9D96LZmUugBS<=mk?@-F|%S z(L#cW>^`8k?sO|O?MdFwWOtVZ?JL<)X2;0LX!M}eLHc6BhX5xwDhdWJ#G9U*NSK&> z8e0X&=Ia=B6t(+&?M^q*S$uRfafSTU0#K^?iiWd%Az%^~_FN_>$}PD%O38g^Ct3gz zD4Ax9o({!BtH#=mj7Y_8p6tB5sD_KPjc3ZrFV6R2fQU~LK2qZdJ=%_KxR2`e@~UIu zb#*`qM5)k!AGi;x&NYz5N!y<2)z#NWD;f=C57!rV=WEqH8{GjpFfldz0GL{3)^x_QG~cVc>vi2Mu*0-BU+G`gVPfIjv^IcB=3O8mJl|izp(% zoE&CbyxH?%iU>78LXMrnyVxuqJZ%Oq29@klP zq1$)v-4hQyuEIHYe00QI9mX!WU9_eK#MD)fwB@%Y!!%)b=uk9g#7mCk8vf-ehIC8} zSld&}TwXy%v@xAC%_~m!yiCO9@$qDWt(mP8;W;$OBZu813-B=)WnOP z>2rDO7a#qoI8&~GHX-2mx)y1J=13Y2A3KAdAx5KLUa;cWAsdg5_mJ~VSE%vUOcfq` z`nqkn!nqpQ^U><}^j$p^D$s1E1Pj}9H-_X2p>8^CK^HXyYtCl3$uTV1Hm5@rwx_+5 zIcE|u=~<2)6UW_zT5BYLC+T`=303k2($jzO&rIc2Crp^cE%~$YguB-B1QQSwtgwl0 zfh}Qsz+2z##?PmR{fy+Ef{y~pTwZQ&iQjmY?V>vIw^DMs@FZZ0>z-hR5kCTE$@Ag_ z-T}-_7nGH9u&b+!m~yuk#fvUhd?dwnu{dU$QYO*$0y?B-X)k6A4xSg#tF;i&A!56k z`n=c8z>{kwr?xu4R=$E9TC1#{uRX8RqIczuJ+X0JR~(l#!;=rs*OAxvKn&4&rg@Rx zoGC>Q;+pe&K04;cZsiv|^|-CFSOT?TlDG87RJP@>bS${%e%o79sn9v!-i90n z;Ou*5VqQ7{ghq!@oZps(c!#irt)gvngrA+{W|}KSuZ9lhcoK@J%->gK6FUoBcW)S1 zaKKdT>~fD8zmgr|+H7_WXuCkh(So0+(>FMpIUzrB8_ylazoSFK3N4SP?OzdmbYv;H7y(%u;4YV zGc9L2n6>|M&vaBC?AU*fNGiTE6@U^l4A{!7Ea(DS zkS7S()l0^6_#VWiq(Ie6hG>UXl!Vpn)J6{Ao^ZT!5x`)q3}(>80j&;mMfvWSh#jN)-C*`tbLQI)cS70*v&|+Sv?`F3cF_iun{|LPy^Dw6YQ}2` zu6r~`eQ|G^r;kmi{541OXgBZ6HPQ3Kx$Oba7klN#S&**h*`CQ}wd2Ngf0>1btzLUa zhcR$KmA#EA_lGQxjvn(AC_co5UF?Wn7Sv?*b=y}JMbkRZ%h2gT-J{L_HRzMNFpRSsUmJm#wS)Aa}NN3pX zVK{I4Id%k!zZrXLyt2f>xjj6)P2B3~w5sdkr^^fR?wr}CY@aQ*gmYH)Zmk(!Iw=9HK?{PH?QXLIvKW)kalbG2@zS7?MMtb?@WOs9CP%&T zQ+IK-qr6sEBZIR+&T{5bsaSLE&b*C;iKo_t6YsqYB*D&ttkxOM^5UU$c1@pe`dMMF zr~mmd649q|Iz6;#lVLS46lbTR*n6pOk#49M;az0YAu;?uot^Zg@nzh3M?&Vo`rZEJ zQ=L`ZHwz{Py@^Sf8|@KVmux!Ri-uEQcn}Sq{&*^TG)bOu5lX(mJ^!6K&chu#cCm2T zdAlB?%F$VN2Da_-dEq#PPhM1df$sRn4BEDDihTsqglCFFdR~%2_Xg72tXe&!j^&bG zPqg%!%0TAI(#>V}#7D5{&7AJMz57 zhA?0k`_KypfzcYkkh(*z>Sr6vs$=4-V1JM6)d0E{<#A~afzAj&3x>|(ss2cTo`tVh z{(+t5K8lkc>amkxa(hr<l7M|N9NHbi5(i0Ly9stU8Iqu;o2LX!&lllAnq_c{feo{7yd9oy98q z7!!2RqOwto8lK$({LuWs^TXV*tp_*msmH|EH#`n%o&iJ-6-|?lJLoS?jWn545;&+Q zl{1sN7VZf;Tn?+-Kt4b5JZ<&-mUp|(dB@~v`k;Ps#lX)S#OZW=Q+D8@7NDZ;GG$QT zTlPGiqh2UkPL#K{F2bV{8ilk%7nl0dO|0|}EGz}yoo`&6Z}ev=Q6p7nEI_zXd%E4h z3A&GPZRVv|>s{hkE8iy(D~R-|*pE4FX;@rX=!xp9(tv3w_JqOCnVmO+leS|?V%xux z81VRyxNEY<8uOSDi9w2GGV7{~6}HV|DXJDQT3>$Z$LfEX*MyEZNUo76hU(B%*~%Fm zS(4l}Di`ECRYs7%o&V}kivR&v@gO&LnZobcI4par_DwcU-$Mk;biq7KYQ2oqV}DIg%vn zrMyWbg20>3Z;o;jwn4mKI*l*Od`WC-vC8Va*KM#!-i+wh?$>aw^+PMxj#kB`5u~Q4 z%ovK+Odv`eY8n8ZvMJYgJ4+!9Fox?cCSDP!b=w=#NEiy*bDr7&K|!ZnQ#bPKDiSI{ zdAbU0cV|Zu`UvnQ`tX$eKEFbaWP`4Im=o2VHN@)p8dY*)}I%c_2%V?kYCNOmm7RZjL3YzPy&5MjbzMZZXu=&6Y>)x|2 z&u1}OocB4A(9`%Z+!Ij|Q8AQEkc9GuDhLegSIXd)@9mM( z{KUVu{1H`f&WcWU&Y~g?0quqsOH#d^#2}tci&8k@RLA^Oka+)`WrITk?w`!JB_`X%3QvFBezt~dWBfE`jH43&;&bwMzxd?u z-{+Z^Ji{o;jpp;9mBa_PO2*$KF)&eLlz9nPm_mFr6JQi$49HmzRs#(N?g#f>*f$ znnCx7QZwJSP--ul!=n*Y>@W-!Hc=n3PqtXEACQ8(f=)3VTs=Z`U03CiaHBXO=VDag zQB+fyogD_g3Kvlv4k_s`U7ri)n+^j_Y+Bd4t3-ysvtG4D%6$htXUpQh80hp5r(B$x za=m-aa|6mY*Ag7*yhG+egalEBkI?C6^Kd@pk226&Ikb-HNQ=MtX&XuOU^@&q{vuWo zMBay^IWtHFVdKR6Vex8k=#b}^Pd`>CdOp0xgk7aJM5tBmm9j{xKAtxvQdQ=kHB`mF z@u#Ac@E)yLt%%q3)GqFPPUvXi`&ot`lN?s+91z;L&X&Yv!?Y0WwEbw?78ghYNiEQCc3sd1i3rSQaPq8o*;@EpjcyioYK zQY7yn+js4xrTl#q?0u(r|KT;;K)m~^wh0Kqic$Q#3sdeV`~GY==9bl|COO2Sr7Z=x ze8VFnI({~wc|iHSfmeKCF9j)`&#}UWn&WfO5#V$iBfbM!KbRs?5~3wyR4j!~RM}?f zS~XqTFS2bVof#s22X|hiEZQw!mXiK#F2jAQ^QtAa;)m~G<>(+j%P?)d~6 zpl1-$#D3Z7KmZ;pdB>)UXJmA!EWg|irYCCAHD;&tZ!EjwJ1&P{!@)#*4gZepe%Ttc z7lpHm&kb86`*oFPRpvoPWzVu{KQX+U1aHZHz*cSX%kw9DD&#X|3rk#NHq z_2Z1z2Er=1IY6#z`cp;ZqqtU9>7~6T20s{E~P!(qov5^X%dXZ_?&E<-J%}rDb-7KK<~oYh|3v5lh}Dm%?!QRNFE47Wu%A-$c)wy(jPScyVH5za=>;d{;L-wtU+RFKjUg6K;fcCz(VI zU#fv5r?);Fy*I8;{?ONQhmkBoxJ6TgbW(AkdWb9#XYgSOBl*Ps_xk!zc5&gXm_c8I zYtoO|^aQkmEsFW~<0D=g=D;V1J_NX}TawAwDOX#^DTnbjwkiZoPB4%^?%*Sh9?yDq zv=FL1XLeXJqMI@~+wx_yNvhzuKV-r@e!(!Md9QJy&1iU*%p(OBaPSkCPCc} zyM3eZCDM+dfZIq_6|I-|+2hTEx`UJD9j3VrgI!t@cghd;Y*UZ#X%++_+k?|S|{~yo(=7vO~i;A;{}q3z>c!kN!-3Jr39TfuH6S;K%0#o`o*mQ%@snB;|6e zJlEPejYIAQVKs}J1cRa}kW;d%QP9xq8)=|4uU^*IrD@-wSSl;>+!?1q9tFn9HGjly zq{MyMfir(Na9TM<4ree=k+rt#ImboT2pA#!q@$xFLF90V8m+MYIA_D&UuYSxl0m@BZAeX{OrSA;@fe_k z6Ko(mT)wr{N?j4qh|J4DtH`PQ!dIwW)}Aa~+gmX7$<}?>07si^7<_Da-9Sy4mzjkn z9}<7Il86EpNp{XbTsE-oxH?*tk5kpUnw?Z1mp7vyI6kHE5|8V`hQCphh}nspl5J8w zL*g^@^E{03eFIgsR}RN`lwlOFgB&g!?!0XdnTS!es5Y3=cwiXA;oAL#4({wZeP78- z?b1VA^79`$syA*bvhr<{UtlB&8%9!!*}JNd`vkAuhZ74+ACw)ReVWNOKpSy(S7^hq z)vvNm!yLtTzzkYeteNC!8T^_RH0C4lequNFc#`ycy?7sw3grtuN|7W1l`$oik1BO+ z3I_>0Irn)-1a*AMyAJG}Cblwr_$9`NM@>mc642qkuD-b2}9$!yP}77G}vrh1N%V6ao`^`qdMf`n?Z5hu~jM&CG*Jf<7OG%$!)_rsX3Y$W?^r5(Ff)l#=q2 zty}AupXw6|L{02cIKN$uaUZlT$sHvY8b;q)Hm6X*Wyqm%9&nNOC_2j1xY?t+?~+6g zx6N~GwoM&wW|V|X_$CMT#Fx)ZI~*5vefgWiN2VV5-N;jC=;_(VmJm(S-pcfYcaoTI z3Vlt3#A&A~E)3RpPXMu~H}jq*86-`fi1k zT3>nBS};lMc!`YdDRPF)4+nWnA6tixNQLE zuzdVi0u6n`06g$3vNN7bomm9g{2<_?PK+=xHzFwl9Z^n;9h&p^fCmlMbClsHni@vK z1j7aeKYaA298aj7Q$i&#b)C6d2-G-P4;Tb}?QX6Tsn*^Bl?(A?uNRU_SkEZR8DML# zBhKy?GR`FD`jh7QK?U z%Y?VH;;!~0R$2SRX9IW!RyUSU)0S{bqbD?YF3H&H4_scg)-fve@<>Qs(i-D3!Gg zAJ*oY_aq2^Jc*A`bI^1y&(e1I-rsV)3`Y+-O?-woGBiXs5fDonc*=ZBFle%+sVCfc z!yOXC=h3i`)Bc^@>=+Gr7P$zwOkYn2#u{ zX7i<1mmoiRVLIwCQ=FSM`iNxZ@;<5H!f;tT3z}LBQxF}gyTha!7d}_Vk6Gh#0b(K1X$f=d3zyaIBe%m@KUN3}F?1ESvynma z#9hX2X^m0z$iFjLc!K*Wx>4MN7mxadRI4nj0Gg9oS~|FD_^;H`x3!IfhKsr&3jY3D zMIYhEY6--|k|C}JwYVanv0fFx7y!vXvJI?u0v)y`)tt&VrhxB`9Q8;i6{L3G4R>3!Fo^U#-$_}}Lyi>2S`^lm zld>KfjK}n(^SrT~D39yO6d4}Q3HXv|_4VrTM15iR9w|t`0v!w-X&sBfvF`xYFPR|c zP=D4UsHLlW9|U?l?12Z9P9sm@8H?wI7srKL)v|#HqWm|_40c8j97&Jnp&fz2>C7Kg z?u$|#SuPI=Pd;#DtCL_OuMpD{(i~PRi0DwCK` zOF()zqB+S70J#%dFqQed>S2x;#&9{9-CL%s%Ng;sRHOj4oAdn zt@PT3@dAiM-WHCVs%09HI(whwR9l92#9qu(wIvm)#a!5Vxm#{3O2)v)Ra){X*e3Q_ zBXOs?svv=?r;0A~L4?GoQKrxu*q(mm6q;6vMXoLp_nxIv?$%WPdeXg2d#-sFJ+kkVX-Z7LbOaq*IZWj-f+hfB}XYdf?r2pZj^Q>v`^Tj^}yf zzu!Mz7fyZm-fOMB;B0~Pl(YoV(cCNVX%6t>w zFPc`?%%x{dKDkrCGh$#ulNZI@$VW4VX8Npm_e-kmg*|->1=X4UWQA#crg*HKr46TA z=c<;HB+|4kZ*dy#Z4x+~>O&`~+}i1bj9?9 z%tAreVtVNqvA%T!4NMkxd*^vvG*7Fd!#-IXL}ibd$#0Hp$LSPx!lP}oeI(#M3gRxG zZ>oJc8FLu${fhbW#(u`rXsG5B^j-Uhr}2(m+kyD!sWgjfwT>193TJmI@=ZE1^@Tco z4I6Q+L3Fn{-DeyVM5jqqLzOpf0;E0UMs> z9_hhYt_$598v)a!rwXbI^eTHAraiJ6kEhVoi;IgT?E}B+E8zF2^BNOwKs^khrlYOB zpC(T%TerLKDum~y)8t>x4=Ex>x7NY!W<~|c*rTucebW^MxkWWo z3jV@N-&$)(#i5WGhaHUP*kBmHwOK-M67hh*)P#1tivbj-Pi7P0(Q8i&BMM+gcodQ5 zndBFht$q0{q}o{Cx;7bziEk*e4C9}m_~i5~Z9`~Zv6iohV4D)EmxOG}^Pxox7msj@ zZX}6A1?mG6cQBf)@G^D=QbB=Z$ay<`qZ26h z$py3lYKfjmQt`Am9EQb%hG%;?)iq!zoPO5!-!l~L@R8({ScoV5yCgM02XS8C)Ii5D zzE#kH6h6iHKytWd2)<$O&u9V0j*Lx{EF4;K3>g`IEWHUE6mF0!&uv3{-PRMepPK#_Kokx#LR6rr*_tBm88%hx zN|VR*m8uvLQxy)Tk5l%F? zobjnm3s_pIxhvX)NZ4an5ukc|{;G6W7C)8oV@@^!wsQnIn(rzsJZ;ym6_DNNzI@RI zK1O%!Ll;#rX0?!T#yCfk0FM`G@`}w8`CdJqX4b{A#q7DzG3e6#&}~pHtrL}br7;O zWBV=^1U5;NBX!b39E9MszjR>YP-&Kb`zs?0f~P^QdnV8wIOWdfF8xpnV%d#88-%Wqc!+v<@gdG+B*M{N6zKlq~h|M7|+(#qIJ381}1#p&Qms*+5vSjVwl=! zXo9G(!KFh02yyo27CrN;N5N~uo+JuT1(DDZixSSDlAK6r?qF<{lAQye71gY=%>(p> zbX=eWnl_dHOgi8~{0kepcDs(ah8ZiB#tM_^qjM+VaRfK2=1F9UGLqNdj*(7eJDo;~ z?`c~IHeOD)eY-wWMCaX8J<@H70zg)Q9`SvBBd+xW5USFk>-P=SEAP9Xx)GhoV2reE zZP*RX76dh?Y~2EbXso@yXKLo~vfWy}BsC7PGGKhl?ss2d^0<4i05$b(rZfENaCkig zhPcH?7=5|huLxE|+z~56kQNh8W^XX>Scgtl40AXbYbEvxtQhpxl{QnuOxvmy8W)_B zw#+F!bx=0ep1hq(RvON0?zxsCvF^f=ShF4YXmE9>%;MNC!x3SJiJ#rc?2RKA)c77T z>}pW>ROhLk%|yfSXq|h0iQPO4w7c~s)aBH8r;KS;=aO)$`n10-Nc9wK7LgPnbMwZn z;7`e8m28;zV_-KSnE)A)79vDK?}Pc&y#)e*oQ5ni=}&w zT_PyDAS1j{vO6TY?D^7d`KSg$!l>{{&8lq)T#9A6u=A50d4RRosm8U5dff<>2{!~T zzzb$m8gCust{sHB_9#+xt|{p$rbyzOV7>?n`b{L*N63LPB;5zQl@oS$_VAAAWPe^1 z7x9xK9H6EIc%|g;@3Mas0W%gd_{m%fJA~S@WfwUw9k*U46f_4nrX9as%?b;GK4)uu z-&4}Y0wH`hA`#tF@qN#}Fkrtt6W?Si0)DZ<1GC!1P`Y=t;o4{oKJ|c+(FHv^aa0BK zZ~1W^`#mDV(X)hS{8VM`Q%*=@noP3D!ZOX;SAtLH!uVreESVXgFWHR8yl15$)66u> zmyEZtu@*Cjl)yA&3bh9}-9y6(E0?1%>)du7q~o0b+z zP3|sjE$VBJ%WYo1^`r9^srO2yAq$~1lVpD4OMd7*GKMTo4apnT2d*hkt?}c@-obfL z+12i~?K0=r9H>|lZn}3*-|V9g<@a74v4r<-H$Vb}P{e`Uj8cXk-!rZ_U|GAw{ z>xW{M4XDWrh;j^)2mALpPli4_Lb18&rfaVz@e$Ncf!dP2Hg4UAi+l zi*YKJmbqg=d43#m`i{zzr#_$_`Y&u4YN;og9TcZRJ=I1p>x!O@kLw-+{1*dT7{}QO zQqsE?BCU%X>Avv&GS{y64El>x58FpJ5K%jCOpc)ks*pHjUiIwj%Rf=N6S2ebPF^F` za*eAcaNY7pszP&bnzCkmj%}%UUcSLTJ~YTlO$Kwy)l@~-`8wL$qrf<8WsSFHJCIcN zd-twkIaWCfBArePu?-FtWEH-R?yFA0x+ok{09X1yT(|c{O~mXCqF2n1f812ttXb zZhQYBv14z`s)tNn_UrfOHA$ji^mZ{_rRf{nNyTvbKZ2t5je;GfP`1^@)-pLJ(Ue$2 ztr7)!zSXSH?KFIEk;RO3w(qQ65XX9u7M|A4 zZyIK|KHU;siQ!ey05NL)Iuqi2+WL@zrl{k@!`wvP$>9i?`hHLT_OFD@?H?c8GUwDp zF+H|rCVF$eLIp#@Gv&p)mLBCtyELAIkchpZjor-r1sUOjQ?8y7tW5RRI7{TdrdsqG zy~L#3AYMo65xrx#pwj|-z1oMcn-A|~C}!Cl4-0Q+9NxedyiHQOhgP?hU#O?kGsQSX zcGZ`iS*SVhhP^!OR%@I(u$jn)t`SNqrmZo=fEP&&`9dNWX!V!L#MTSe}qm5)9X49*`C|!*oB*hXwW4; zsIS#-nKUe^$S0 zxDqYc+)$MxM@8y97i?Y7?WU@~A3RgDY&T_{LC_9@E=fEu9c@mz(l;DEY(a{+w)Dt`wig6*iEp`t?HG5IKyu6tJ z@x13ygLYm%th`s6Y$jO#mEe^M<&CHKhkFzDYD(vgtWSay8Xw#R1-~MiMu3hpXbjGf zkXoC^)eQp$E|!(YTVG(L?6R%)j*qI(xk3*%=PKS0>S{HdPRyJxxmwpsy4JCU zR#eP%{<2)sHBsXfNV0tk|Ao?nX+iwDZ4U}U@~lvLw)|Bu*D4O7KexgSb?qYTpM1mH zsd}YS2(5d9<($dP?~kQ9Tryvj%NWW_TAQ#x=qy*Isi)81wy_Wu&-!qF$x8!ol7}8$ zMIDK<3h!1iPe2HI%{+GM?RDi$p9tZ1L5Qsrx97>Yl+n^07jOua(wzNd)2`vqdssTG zWjRl+D9+A^yxA#gqBrts)yjn?)QnHeb6lj>7&3dX?zv{pao|p3J2R^JM=j~C z`K~U5US+3=(A(C#JMY7+$FW30=YB)J#h^owvihA9?ssx}IUZ;4`XodJ0lP+`yV>_AG5xINY9$TCkgQ+|G%H|$%ykq5a#W5qp_1I~lT|P^H7%I%n%U`*$GU{0VLj13o&&;uYe_qBgW4;| z{m@0Ykye3)k*~5tgs6oiRa(7(Wtp@8;aYykcepV$M?ITF`2wM+U@xUjg=l%z_%Ixu zwDuYG3c4eq#!&iFr+I(LHeW-ucHOu{@S0wYbGrM~@?mXwO(*2){sPKVY`sN{gd{?t z9C|(oDMu7!E2^b5?n^sT<>WmcygEpI9Hd7>_v2GT{~S#*`LxUTAWhClT!4;kL)%Wc z*A?c>QCzL-joqQHxA(LKKCD*zA>p*W`wAk;*1b)$I&d{L1SUWWLexu=)b-YoLC& zNgW~X@9o)2d28V6O{u*=XH(;}keLb}y|XS_gucxA#Qc%kjehr!pR3%2OhMzb$YLPQ-g;6C^SzZEAIOb&s#k zEL=WvN|?gnM;Wv29~u8>A7rxYIQ_IpQ~b{-*;62J)vs+#7Ih6=?V;Lxtl_8Wx^`8r zQb1`nIqZ}>UedQg+=#t67x`+}VokFDhA`5EFp7f9?nw3#QQ^dPrMkq~i4*k4yXy}S zlGqhB!_&St&JvgD!Et2kn5K0q+N7YI;@Q3f7K5lg!IagTc9Ekq*N=q8@Ec6ZjY`ZC zEYVkk1Bqd+7hN>%QihAOs?}NwY4yg0E_CS4I<4DfG@X#?+a0rz1jN;J-o7Wi9`>57%@1kTK;rY`~EoD9T$Unl5}0CoXJu3 zOV!5J&lklw9!e;8jDw{y&lTs z;*fFchkWLo0j;A+J3UAxJ&B{`jP7dj)p1BZb$(G^#rF$-$*948f_7^4peAHbvbE$n z54v403R)58d!3c_DHbRxBblS;F+qy#*6YdWE2Vj#(?Km;GZPaCV*4W4;uDAm6e6v; zj}(kx%+cLW$UQeiNkmy)eN;Y|Y7v~`TgWqUWk(lrm3u@(K$4?ctT8Pzx8!>liD08K z+>|w)O$0$0ndUfO&}#0J&aOc%Ub!s57ON(JrW0?hyKiC(`LL(afvGSL()9j5D2)io zVQcT+ofI&y5^g=ojNtJ|p|`&6VK8BhH|D_-@<^O4LEOo*R7D1_x`+6e8eh_IV`2Hv zl$zWX;fu6dyG}!VOA8GML&-`iir-|?lqud3lN@U`hKojI)P^aCOX?vcjfRb6eXB=v zw#{^`U8zFpH{X~P9>4zH3$S>QOC;bD>1EC%E*AzAHX$|p7FM7**CG@a^Yr%)bpoun8+!afNWiP6`VI{^{ zjYFDb6=C8+++NrtlW>`~)|fCnN4;@(9`2tGw>E#PiEX`Y`^;J!5(T^H-oNMPg31fGJ&JbiKvSn+3bpY*;y zA9PzCq9$Kl=`Eg9$RTdeYyp*cQw2-YU8k3OW%iX%hbY71P9PgFPJ_M!+WYgQ$xsWU zXN%(({4rPeq0A)ZyA!8a}JV-w4n522dw#*T1xm}Fe{^SmHtvxAc--+6{!p4yP z*2ceLQ~>BJFn?C@!?(bLR#-NWT9!y5a+r3$of6*`@?`YNeNp6>eIgS6?T_C^x1iV= zSABZE%7dc__SbCZNPqIOOo4WiaDM#_m$T@wQZ>4DHq3rp7v)b%D-)wKd;*T z9Ml(5CxK}knNaq|0>HUFm8d3mBYJ$-OXECLc<#+j-J$IL>MN*ueR?vfSP)Hr&GGe) zE-Ng?62W4_%1KsLK&ku>lwPm2HRnrA%<{g3@GWKMXiht>XM10FYj*8+PS+;qK6oC+ z4Ag4H?zXpoJW7}<-EbW=f#nXLywZ7I@)+QXMeN+Bs&`4MZ6*og>oYYK%+0H2oNvod zf7Da!dOz%b`ODH6I&{C&_6!!SFS!_b)pbGj%PfRy3`Okzv_9TIodd+H6=>5^`)Cty_jiYedtpyX53}QrjVN|(k~!*fD;H2b zLjncHu~%wOXgfqSSu?pFL=zzef8G^!^%L=dXuQ(`QEPf&D9u^rH@F-zanJkjt-`A= z3I@}POhio2>Y?$IqP1zs08CPPl0D-xN&o(>*51dHRt#0Fqz=5gICXb9n$qjxe{lh@ zJUdG>U;ikd+?KwZ3xep^ffYOEKR;adzg;2TIXQU>5i{YbM9JQ$HUWB+Lie0@5jB%x2L-jzr6Bk)>YN&RcXN14RuVid#Xs! z>no@w-yPGTS`{vMkK9NwgJ+wlMf3BP4w<8;fJ^YOrg8p~NLETA2gYVm;x2!FtDLyr z2;RE+uxBI8-v{HV%Dh@FQaD%rY|g5Kt4iiU)iP~|2L0J^?W2WiBKo-2G?i}&Qx7rY zhCSraHO2qCVa9#tVTtfAH}!gQ?~^Y!{zpFb8EN7etnOx^eV4q|)KEy5XVK}?+euRg z-c09A+*>p|VBSR{sd3*P*1xLSmEe4yH*+uUvf>PLHBwj%8YVPmpX}jyOsQCkR6hQj z1_WH^x7;PUPE$G1Qe#=qV^T6yR4=@VOdT;jExN9ASoWBTr|ZlBJ=Rh*tYR1!^I;4f z8(0~5E4QIdVc+|4c!~8OB}7T9)sPm;+t8kPe0>&G#H+{Va=s){`VXFhy;fOjBVO`&&^U6w0S++-I_ff4q)Wc$1>n zGZkvO&Mc^ce&AEcpTzF#lC(=dB~)f6#tJ_ks`;1;TcId_@b3tJx=(AG*A!R(oc*Sa z&Oy2+dH5JipF=9yb`Y+-Fc|DHgv==;-hp=dFM5JxHA?>L07scloIB1uJk~H>4{`}B z4dAA;hubqfo6MaKB>q5MLtR3^)41Cp5w~m$%1JKtHANT{B532gj;-d*@hB9q%L^{c z7%Ywmqv=m(i4;C{R!XnG6)yUoR`CsV-&p@R3MWD)fzjQ=c_nu<2uf4XvH&I7%Q`k( z#%V-GDbN~51>K*}r9mbvo2!60TnBgkX@POiA3#@JQCkQZdqJkveo+Z~dW8f3Gl-7c zk!|xjTlEOC{L~Py~eY$2hdY^ElOpQ}=oDhBN^VaRDiC5?|Lvjar#iRuwd%Q2K(JBuzEOKopsEi&(mCUTbg`wWY6djpG#^<%!B07 zS7$E0*dFU)53=Qw+LS?Es6qc@=qL0M-@)QiFW<;{h>}YMdR(g)WqWkmvBYb97+(~= zcc?;#0zl1s2_ihL`zSnS-&TSQzMSt4Pl9=-3aTc#&8(lKvpuS9&6%9oteW!meL04Q_9=$~k1FZ20%PTvX*| z`i0ZlVx_tCWSuUNMf{42sBpS`B&B-~1_SQ`d4!O4NSeoey@wSm=BRn7#_PSW71o($ zUAXgJ$@W39vjL=Q zMQRdD8#}bGb8f7|fgfk7newr1v!AA#-}}AfCI+%R9Ki3%VI( z3K~?kBuDmL*T?xsY*ctJ03kQ%@N6h({8f=>RNwX7t#gF4KXx!Rp06~ z8&`?j4QhTIlv688PEVOYT87Cojxp9p>j|JMxf3)8*G;jW9Dx4(4>)9`jh193;3Tni zfGvA&R4d;0Ie6h2_JaMIXlloZCKiUv`g%5{B%2hLXVV<3dq;#2qr04X#m!T!3*Sz? z0)>Wb;&%8-UfuwVh*V`kTkheIJ*-0lllW|^?2ZZ~-4?~^_*oU3rTL{~;!4LeNIb9Z z9?y_~td*eHB11gnN_Rq11 z;g#~6<%UeK<6Y{#XV7=986HMD2tHl&J8t!;yvuZdA#XgLe>#uo zHJFm-PaPZ|8&8~Jg{8l_t0Eqqu;CW=)Hjk=B8UD~`D`agx|iol3+a~kji;!W52|Yf zm>0^Ze*MQ{HPv@nwuX1K6(yt8GD%N6!>-eXY z0;$d8baNq+qUf=V?A_(GR@yVgEqHYz(W?3Cus!=Z4A*t@&1fkpp55SmEa3XCyJq@O>?=zcTz1Xq>w5@NvuMp?i)m~T^QX0_}t$DS+YCfBlX!k+#WR7&no$dm{e?en(+!jxmY;(XS zOcPHB@;Rm-`y4CDGGOEIsmB4#cl6R9UHQ9V+<%nHEs~oQX-xX45X!;Bol{)zwno)a zIa3WA6P0SfdtIYW?deGVH(Lk;M0PNE8@0USDguTVTPzdTiYQswitHXC8c!iTl4o8h zjZi}hPTf0|(;oTWXo!}<-9!OfD@}eQbE!cqrAW0P1JC^p+hk(w5y%|tW<8F7X*4sA zmpi2%mi#Vn*_5?qP7e6-i07p0`DQ7B-`f z1VuiS#W{zUl#>=~4?xT3cJMlK_JM%W|HfL~Y zQIZeUBN29M2DXyU7K26_E*q1Un)fQXEZRf?uff)@uUmZ=87g^%rpi45xyiauFeSrp z0&g&(;;y=c>zm!Ptw+ZvNgs6Mxr>9mCkmHBiw~qC$hDRN5cX0`d4%wXN!w9ZQo*k;K%rrLYlxPPT2-;6`Ad{RTrWEUv+irV4 zW_gleVnkkaqlARyY@!jH_&7=EDZJ_zF+eAldE1XB1M@5g=o1)3!fb7Q54(&OR`ZK0 zNHPpD;#!98nFcYsM9;P0`eOyN6~h*#vbi84iUvI!Gpju(Qp1cd>|rmCUki!Wx}sw_ zFlwWqw{~#96O`?$L66Z-b7`Z`si6SM(yn8kyy#iKzYutpW}yZJ-$@aOY`)-EX#Q;G zV+g*90eJ37%)Xb(S@E98DpDsEH6V|rp}JpuT}sto-YSFfhLjz%MU65Qj&G(+T5!p59Vw3;@m6RZsm%I7d~5aV(xVS5T=g2x!?P+6s^vU(-(mHx)B7BxodDeD!+`Lf zCD?(smc(s7i>Mvv9B=c{9gsEWm#yAe;`i2X&{FduF_GQq zuv6=2g~%hku|x69b9*yqr~BQHMz+{O=tZ2{3tnN3&M-zxWwu;?F;kW=!61`fy1sEGpJMebE zt-y}ZcM8{mX$MJQ_5esr#ofJ{DsPx9q&|`4^J+-r3-%!ov}@p9n6U;C3oh+6*5F+W zs1YRS#N3K^*C!AsPtIWz&y$gnZG&o+rpx;HVvS}b7VUdhyNg2f!lpex`*oK1D;LiWn~ARl2cW9-~b`(xk{$!WQ}*nvbX2_uSB zOI#8=K@Th)k2lQC1vF~(bai7*h@xPuN7eoQ^DBedikPB8n3Rs5UT+vlX~X`s=QACh z`?wz&65q-r#t{i#d5u!9bsAhpnQH}gM$!tu6d@8n2ekT&@B?fjm56>(>iY;vslB6c zYW_!n=uL*VuPBwbe#Niq)CUks#P2wI`gSMqZ~LC1&u}{*gy+as@N6QipO}HdE;nXt zti-qEi>-nj*F{<*pnq+M)al^ZzJWOTqT!GU;mH&wunuDRZebA3I>$;Z>>J|MZ{%`Stw zc7j0|q3g=!k44@XX=~r3F!FK;-H=QXye=h?a7}M6KK!DOh~A6)$MDs- zNuT5O?RvDg+G+3Ep`=U8M4#ZX{_+(I57`QI!!evgze+vpN#c@I_VLHtaU^&~?u#)S zf-FcXB0-xp$N?yw6xD>K=2u{8V&`XLp&X8zD-lpEocn=d#6d<3&h8-td^(_?hxaM^QE0K2(7XbL|X3%#a8urSU zCP(1#yMB}K*Z|z%Z&6^%CL_oL(thI<1J9Vmf7`rG`KW0_GTKStRy&zY9nHNlJ}POK($$K<_&lP`^1{oS(a?Nz?6%!aKo*(Ow9A*hy;fjo(v;eqdE^_$qZY zb7G-EtQ9ZG8(&au7fd=u%&ezWTzoUvkga! zNfC|bsGU3SW$+0o;%%lWFbg~65+K|wIS;J@oh@d7;&37?A>wbKrGEfV{g*D&hAJ)i z9f^#*vJPa^jqlGq?Ebnh>MY#?Jfhm!Os6`Li<5v@vdk@e$IE&jwy8s5Hr%2Mt|K}W zLE4IXRllepstOPTI$k^m^STO#92z3PBN^h=C^B5d5p&L^KLnHDlyK7!-*69H{HE0jV67w_l*-nS3_mcOZ0;}E%@bqD|wB|U$q zb=(x?v-q;fO*X=fvz3k32x~sGI$4 zuN>S8RF@U;gsJkBEx=LTP`A9{Px1h8%mzr}JqGk;1Ym231~&h}M64!<8wV#ly_ppi znjpBD1T#>-nbM7~=S&kPJbbvFe?qBv%5lr#3Qw;s4eog5nxcDqfqaL5b zC%gfESa|LWZjR<}(w_`b4EP4+2f!nHqI<2HnJ5z00&qPw9XKN1nj>C48}Owi-s9c1 zK)kx2abF`GPykyx&T;o9V0VDM1S*TfXuC1n~ z)Mx!&V#>ZUYx14=`1mC)MLvs_B*3Mp0S`wr`%SjaItNJ+foWiq_~h~T!5sKdKuuct zEIpDOkW2CM82P*_NI0zVnBqkML66MK5UNA+; z;3Uzagp!Tm;@4cD4g!l=yuZCbacZh0jSC`5Ex^Z3(kNL7?%x6D`IbC14eUZ9?vb9` ziOBw;&wq<1$Me4h2(OcvLKXf$d!!z`ZNU7&;yUB)8WNWD;y0zXf8}BR`#)cz!A{)L z>HhWWr8`h`T)pX``?g8-YF_>`lZ7ic|9(M#@+w0zjLJBH+S~t5Blv*>>}*F9 zA0UbRou>TvWq{)r!P(#JVUq{{+fU;3;h$Tk|9Q@Udl#IkYJP|QKTw4K`4**8u={t; z4T}A*my1WRf|J5z&FJdiyBPnmBT*(mqLnXX;f8wt&jtO-nf|x84B#l$MG9G*aK!Qd z%a1d303D3J@_6Szp6Gub=YI;oza-UJ_sP=V(^&oK7fF2p_MVmM)6#FlkpEng5-ZrN zm9Ggu&;RFZzuP?jJ2;#Ckh}Xgt+0Rg&{3*juLdpo<1ha|5DsN>Ae1J?3IAk#@BcW) z|D(YFi*x=z3jEK7^ZzLDpQ-s@{NMlI3Vd)j=1H@8FR$$EEEIFM#OkJz)ie1k@{iQ{ zXy)#Jsd)67S^&c1p7TlnNS#3QJehKc@w1c@ZibiFG}JHu*lv&UTTFdd9;|V9T=QlD zUmDXJV*byggz{x<3G%ro=&`A>g5)eAORR7#VqZuA3*r$Z@ghm(0wTtXZM^Z_l?o45-_% z{P`mP;V<_c6W*HJ0?GYw9OKJ=_>0Rg6=uQIkCx0h!%i6!QU`K|wgQxc^q*|wKl}yo zHYu^22gfsK5x|8+K;8n*xSO(pSH1}&lLByznd)Lo+u3K=)WvjtK@ZNs!F;3x$R~J# z0T%GitMn4IfX~bQEZ5>4{|kJ_ce6rN|F71|{pzAcOPfGqxcD4NQkLtm#+KLA$jFk2 z+4YA_1Pk~s=U&0$|3Ym3(R%%7FW&n#2#6A@Z{TKZ;BXN%`WI+xjjjnfFJHqoaBCT~ zM$n0VmR|;PLt&7>{_QX2^q>5oTxb*Emxu(1N4$0@r2A%`)oA$UHYg>BfYLLg&y~pH zOd#vr>OB#EF6*1DoAL9!&Zo6E0gC>2hx2yA`rn^}V-9SrC{2oNH(l0pYnMX$0Zy?V|4#9sdZ z^rYZOl4w^&-khT&(q~D6?dcR7*rBdERXzS2Yx7^H_?h%N4sEvu7#QagtlrU*ykZ-QPz=3geXo&PKsNfEbkU6!eEM zKnU7;eAnc9wZx6p+8z2$Z0`KoXaC!t`{&#kt#V+FpqGpQe52PvDl^1NC&}IGn)*>Q z02ClsNuOsu4kpcDwz+#biuuaNGU%V1IKN)n)VV^z8OOAPB8M|F!C%nw^;_4sXLL`O zMCf+rc@7K*_J>qXx(Pq|1vP;xb%bv;VpFY_Zh6I_#>dNC2-ucgQi4vEuRneeCdDVc zq3_!`KXYv8#lf^nzgtcI=cY%>=uR=<*^kpXJUsO77pusPyNDaN@u&feRPgM0Jq^EsP!a#(zjv$E8Vf$IVG!K&Y!W#nqSMmrj=*V(Gk_wzmJa2DKh*R zxEuEP3pdi24sGXMPIU}^EPd`97~orGlZdv#y9 zATl=A?OMMI>15#+Vt1X>ZN2Y4v^Tg_)gNu$w{t8Ly@=;;em(IMiN+Zd)u7;EoaV`6 z_L1qAJB>|@U|n)Sc#;$u%`r~vm4xGnTgD5vujA3HQx>1zPurt<$bd{Sh!J!b3C`zp zHOh#2NNQTcJ)|Wtwb@Ll5DxxNjqy!>teZ=F0?xiJghY`k{#YX~qO;QzJ+HYFftUKR zWG4(S-5nIb54};H9W8;r5=lPTZolpY=re=>%3*W9|AaQUP5g@+TKD6 z@d+Kjp9BlDo`@2c$C8$J@}4|jg1V~F4IIC7K~!gx2d~Iy#fF^Q=|7UEv&jyI?uN2E z3`JmHSDM~U%1MoW_j)n*I_&ydWO@1=yy5IubBQWaMY=5L{)m-2K3bu4&o^FDAy^OrH*JM<6(7qrMZ$`PuVkHSBx73U^I$^D zJLWF$EKmliwD73D6rzPlvUc>MICyvIiZOw$Jz548)V7J(Cz|UjVrCT?VKT)pjlDq6 z>)#+f3u+0Z5~s_|NzMbo#ReV@Gu$DCf9eqd8zpt+QZb%zVDWs;J#vOJJmG^4YQgWr z4>+hlhHM*K3uWN9X-xz?A@kju&!U?rwY^6!YH09gVePXg`>KRc#L15AeVz(Skreip zz7x~$GS=fAsDpPBrH;}Tca4k*wp9I6L${`1+xVid8RI*mUm>5xOZhTvcBUFSK%n2t zZ~m$g!Dilen7U}=mCE>PIYVu8E%B_?X#b2gPoM-(IL}SkiRBu(e{&G&eBDPUhmHMS zVs?7fpMP<6`nxfM%iPVnWONirJ2?Z<%-}D%D(bw?WqFx2ccIa*kvHt`GxbNbB`u4r zNqrBto6Cs?OKbb3I8zz2Z0ft@ayZ%L4h$utY&|1Q9nu50ey9>E7!JJGsS;+IVu2c`TiRGf{|6< zecjtVvLlnN4136gHhLm#GJ%-f`uIBC4x^<+Jp@f9=DnYE(HDW z)^i=V9*g4pNjc@L>C5s@MMSNp^AzTmZ_QH9Iy9{tXL&T#_`TV-4N7-U z-11(Sge_uYO?vAthZIRxna~WQ!^XY$LKMZlMbenpGGFcy7_`h!ox1Rym6KTtk~h1! zaNot4>9bO!du65rJigVu?C;D{{Yk5~&*TfjgLh0o7Zt8QFrVrL(qEk__^J*PiJWy9 zeupbz{ny^)o2&*WaHb87B*J@}`d4A3)% zjf+5~HWD~kE|lTLpKt%>`t{Y@{BLoTGQ>A@v9Af+6Msg>4mAel(G33NBKg?IJ<&6duMsyPd5NZ`ejc9Zwmt8KMIlO$R5K+Ro$R|B4{OJ<6 z|HT{N{0Lt-YMu)N=SQR+u)npsO(ReRa)S` z!uxv0Nr=xcw|R`Njwwr&b=gy40nkCGB^BxJWv=L8`R@I8#nRU&9Z=?cZK7GK>= z6>_oZk)V&@hN6#0-)MS3o@3oAmmX?RwtV{fQv-9cZC03R` z!Kjaq_HN{Vz13M;0{>wB)!zy8G^ig(3=*G$eB6lg2Lv~gT zD{D3r=7jG{65VchW;sI@v`i#N_}#ed$5xKh>(q*Swdg0Nv<}ZCrDSdl3_N@E2OC1I09N8h(E6Z4B;1L6~l+q%mdDZF0^!SJ9a%a8VK z;?O|Lln(rf+x5uwmoh`g+D#a~;2g1=d(TCM`FaVpMDOp=tjcC%p3y(#8Gd+A7c0Bo zsCzC98teGPNzDprZ8mmo$*G-26*Q1%wSdP#A-|I~pXy#J#MA;vQFYl4l} ze&T~D)yLcFT^h)9!Mi8VH`0tZdf#1+GFTr~OzBn#bcQFR-6rBkYnDj(HnNhQ^lIE3 zVbM7}A0I*HEXfAdTYZ}*!G03LQ(08BYjo4;97#wEt(XG#`9$xpBYU>c*3j}-T8HlQ zn8vz@{ZmXzs_D#OkLxSQ9z@7@^Uw!TK=9Ill-={fcg!YX`{5laIJi_kiaaVf->xV* z9_pRETZ!l0AZc@}=g{sI*|A%%3!h-)+j=zpv(xm?YBwHqQigZ=3S4OJ5o>u^mT_D; zKNjx$<5<;o^0Lo~(!Aa)DMgt*{A2Xb* zr-ervKED%1e25)(rz|6{g0>~P?fjjb6%Y68&x-Ev_Xf&rYoQgUuISWr%9)CKs(S?o zSFy?Am(C|Ee2nOnEzd3AZp!gc%sL&~mZ8f-6v$vgZ5?Ho^K2b2J+i<58f%rPK}j`S z!RoI#5juRY(MQt{+o{Ew?=$C?eQ8*&DBW}1E7y;UmFCg%ZH|<*$%%$OC3@w0F||8f zz2QrSDH8|^Q1I_U;R~~(|1!hAJo|A_j%X7F}&m{p;)6{TSqH@`2;OA0WGws@5*Z3J&PEi zM6tIA?`ff)Vok_mmB&0m1uer-7k};Mda=&M?{uCyXK<1)XKe1z=?%579K&2p3}n(< zugNao-nJWBARTtSrizId-)8M;(Q?QqY%=n zz0<68De8E zH7_17^Ci1~zxmX6IUlQ~eI0eVKP8|o-B$r-Xd7Ov_40>qmFMQHw2ilAelZ-x`~)oe zqW*Gcx!;A%D1g@S(p=CVy-qD^WDziEV)Yp+9hw#$!N-`beth}KU6IE7vX4F@TSP=J z^eJK+5RMvNJdKcj1G`Ts*3gwWiDsy*BZ-`Hc&q;SgeOK) z_j!Y0z#35r)^+ezL~*2dpgEi>V#clWbbU{@{i@yQ7I_QN`pQU=fTJFktP^Kol=vlR?$ovzdA7t2EcUF15%7i#}(jCH=H|FV{7t#Et zvHpW)+unTcahx&HLvH)6^{T#``+cd1IbSV%+19UTK@(1|XRhynnSHGw9k`lzjLQ>( zsiVTiBpgy^_z!Cg4HbSN2K+>yO!cVV5wlgCcI0JLH6~bqua_4`-v2=S^zqdM?ck|$ z(<~WfbBf>`idz}Z;qeAp)l>vnTYKO5A8Clk6mFgZcLc@DU)Vlp4r%LZ;beNB`5`l= zZ)jk`=?h`|F2PrqEsk5_l%Irpt|)#bY-ikOjeCE(4kuKsTvw*VOtRfV#$E6wb!#F% zZsEC6&{Lk#zI(cRhujM?f>sy{zk#33V8HP08UD7(4TdwrJ5njC1SY=U^c>bb@9e3_ z&YyE{*SjW{nxy@9s*y{&Mw8ZD7oSykM2iVEBA=xtOFVR`P@ceqrov}3WUZ{Db|XU9 zWa7vCmtxW=2gaG3A9ytN%v&m6mUbIa!^7{2_Oy+Vu1489H@Q|_4c+)DSMB*UhU45^ zd0w2zQ^#_zpJXht2I?D}9<6UgE{t39C@L0S`k*L}D8L_l+A&gf! zPtLj~mGCEN2$HqptzQ38qK!esJIAw4au)q4jj;WQBKcL(a;5)^uy+ctJM6lC8#ZXe zX2rH`+qN6qTyfIaHX1u=+&GPG+eWiu@73r1zJ0Ra=h{c>a2?I-Kj#>~F>XBd{TO@S z??a1|u%@&vMw;jdDlS1-w6MWQ^Dy5tV`xiShKG!rjfGFALU%GlpG$v*!$a~N*rb}*53@U@X|<#dSjexM9~Gm z<;UF{HdN?@h5k7(_q++Gnnb<@O08gK6vJd~{c4)-=u>Svy;`Dsf1dkl>wptuk^kF&O? zYy`P2(ctxrhi#H$#Bc(vGzj7S8!|jjf~?8^{jv-eBLYF1Qo8fCLz;Y)_Ri;)$Jq`h zt~t9+3g)zPkeq(&dRO|MJRk4WChwb{?hm_?7 zCi8JXy`XCWh^LN-fzK#PYWSE#mFgJ-fg{-!7BKrea1Uh_%@g3q9K)#lMxq5Hrx$fO zXq-2st@v8j%n$4xCsj;0y3=5tS|-z=74#+RZEKf;Ui$v+k2dp{?KZUlI#fpZtC$g5 zW!9324yRC(^~QTRb8^6!pQG=}t|B(qzGrCDIa|TPcO#u!C#$YMT8I&!SorLO% zed*wb5^Nku&F1NJ0S%UtA>9x5`6-Z^ir`pdCR{JKXY{j$+R;L$*Zn}B7QDyS+fh5$ zTl8FKZp_EZyP~bl3WXTBnd}|9j{%3G!@dKh(hF&%#$u6aw9LY z+tp~(AAU1|VC~16;#dz48qpOI1PHG7(~~ctHZaMW(LME3R_v*51GR?Bk{Q0?Nx^)D1$%Oag78DM zgJym&C5t!pCUNp)TQeBl)RMh%>Gl)eJR4P%`KsGdo~-dYZeP_&UY{FJ z${@rsgyvW#)lq3WeRoQtldeqQXaFGz{wh3l=S7owt%L5lkoM(jU?sM^aykPx1u5F20ciF@rlNG^2?pmZ&tLVKU zk>4*@$R9D923|1#u9|p$V%%~;DYpgC2LDw-aqB?iVA=|UXefQ(ZKn2jx>F+!hA?eZ zrb+oxOJ&vKj{*u&j#!UOrMFv}WQHZi!$x_!!Es*mf@7Ynd6VG!EX568Br=K^QTPjz zcp=@rrcRx>HhFffMu~=Tj=oqlonf`tF_EGgoh$ZK5=geKyrRezlkpW6ebgb1qz0)z0?_7 z3PGB#Mi>ttTgkXCl_vKOcwqMrjD{>yMmd@s&|XTV$6XLk4sz$RZnN^aOgO#{lC#zH zOd?>Y-BD2)uA?MP+9+)x@t$8V)&}UW-`$-!6cU7m^8e z0aM7gsDFo;rnj@*fAO_#AW<=h2v>uGiIdht0CazvC8dPCYb4=3_fa?)-Y`lSHg?+t z+Alw)?&qBGT*g7}i|W!ckvT-vLX_AA-@qf|8kW6KAwZgn`&5O;Hxd5l2kPn9Cm{HL zvxeIp6w(WzJ`@faH9&*J$ceyxVU-u05pQ{y?|Ef#3OqB9##t2eAJfMxls<}aWN4Sf z3BM%ftCDf36`G$KJD-i;tRb2-h!J)5u!ms+MP_Q%ei>OxTJQqT@vTcI!F-igi@>V-0YbO?13K#EDx2?Y6HuL9(jknWZGI&9px3#;o={PnN zW^~NOqIa&VL%>{bEI|(k^z2bd4a*w~U$aE`%!8X$-q2KZ@lQnNGM)D)ssTyqdZC%R z^+pY5ByT?SN>9GDlhYmpSDUdQtTP&J5lBTrW^8y^nUNPK&oOu@KEn@!#Z4^jeBrS^ z;BcmmlfzTyz^&A&KD%)N9d5IGGl?!Kbo8SOGr)H|`8!b{QWc5Q-zt32Z;mBAC`<2| z0(n-Af_A%-?({bzAU59l4a>1%rh)Bdml2O$1Oox-c>iM?U*WP~$AQ!l)TS1*Ac~i8 zY-(o#M`>mlkK)-igr{6OMx%?VK+QFjV^6W1dL;ts?O7jZ1r_V=kJ#JkO8=aPZ z`X4_MoQ-;KuK6T~ROp>REm4E_s(7v&HpbV@*mR{E>VaKX4pHI{Ll4A6)7Tx(b`VT@L!ixARGp~=yu|P!kS#rx?Wn7 z4n+OU6LlkP7JArw6XC|tF(_gLe0Uv=`r``h_T)n8*K{O*sDwrfCDz%Fj-9wF`ALtK zct0bj9Px<=mu8#~9=Y}kTO}onL40tW_74`2$yLt*lA;7X>;~hSSV-@jgJFijPfSr= zwqFUbdu%*_TNQ%;1w$~+-FqST18Ibil*H8TwZ4J|i}R0uY?SG9;V%Gs33`b17H)Ye z)7A&T%liWUij;~&4=H|`z7i3T+x#!hxh3U{GjFylI%W29M8{dFjm#1ufU#QmJ)Dfo zN=ZpjArX6}b}qTrfC=t0@~Bqq{Z4xrFEzA?49D`DH%6QwV~xn+9U8GDEb!2l^hh1+PJGKZo6b#A^oZU#M6sP3=fdTC{52`)^%JsO>0=-E&vR*r)|tvd znIZFxDWB6h5$+b*c_V^SYnn46n5iL;(No==uFqJo^nMTqN_x2sAJ?|7df_l@UY z^Rb$vj=L^xMJMo_2-VNNdpSrAgxm(bMK$^5j;}4sNgmoALiQy-E2wRx7XZqiQny+% z!+S*w-;@bWM$lTz=m@`(O-@ocHQVT^QD}svywt!~rcR1C4%vY{v z1lqD9{D=`hZ7!jla-nq?kpx66&Pg@aD9GjL+iAIZP{?p%tG-ND>a;1dEPCXT_D&6G z-7*{61@Ss3ZZj)WcxKlD+S33p9fvb6)n=mP_4XKJn{S=i?RM6>szMJPisvSc^Jl0_ z!o2ciWA2$$e=Z#=;%g?oqp^XLg^PmoprRWH_QaQVP)7AIVbUp%g{B$iAD{iXQspTS z=Hky}KAKro(=|5c zvT;EDf*Tc3xK)vSIHSLWR> zx@^*Pbf$IH=8y@?w+XJB-!fD&X$Os!VSf3=Uk7e3ZXZ~Hebt8hS+(BI%v-1;_a0vk zJQxqs=!WC?Rxy!SnG^blqAdOLy%^mGhQa$a)@XR{&VtSDR5%*QUeD~-z9SA0p#21K7_5kdn#LcA&RMimiQy% zIMv8m%*_G)j4kvqT8;ka&+tEei}8BV(B#@x-cCNz z)bOQ|!2EsMXOHG*#N>?+oM>M(@;8Dt|M+3+<&K=&wj=WKg@j6Iv)fgHp6&kUc z+l!iJ4(hm$F0Gbg{}IV7y)+gT?LyzIgN7`g*O)aOeybz=pS1i~?BHHTI~@wzqV z6EUMdFU3C>i6F~1iWGMiqb|5u$G3JNg`_t`drg{JJss!y=Vl#g^=~&1KnA?V&hS4 z9XMGitpRfVmeF>UI|ot;e`gD7d61g(FC)}@?$oIkBTdUQCp{_>xUAc1d)r98YJ5~F zzgh9%<6Ca3#Yk8{R9x1dsDyfxRM#dx_0ycc`@+x0RPG!n?h(;Pt|-N1c4n06>RTS? z!Hywu@o2&07arK#_Sd^t5uXTBG;+Ti?kA>XnMJp4|sZoZDM!i@` zeD#91o4ym_R;gW*b?Shbvh2BDh}`nr3tJ83D~`&&Cz=7?49OoGWJmMO?4pf2(_bJc z;SJY(nzI~Y>b3(SU<2@jh=CrT3Tn;M!Ohqhh$jSPelbkxR5{*=-G zr<-KwFF`2VB_xFrO%Cg=VJcW&D{#0hgFT$>ktb*Zxn5d??{7 z`%+5ZND`&V+w)zh(i=6{W-t1*B2s3uQ>}anF{2l7zN}Et#e7&GAk?kj+7&gMG5%va zng{Lk!3#MtH}1GWWI1X~uIR$wU)|Es%0dPq;~{m2w#h7JB%cy~4OrNOyQLs-^f%w* z=o*F?HQD`^ORpKBs1GA%IHT;>5JzGMLiQvNm*C{*-Ic9Sb$_W6yOm_BR!Y5hxryRA>IU*u(*?YKOC- z2Ug-pKE*Cz(LMyoZIV|vYb@ea^HV7HfuRx0`B1Ca3q)Kc(an_(0ucLBfrsS*@w{9- zD!mxk#W^?`qU;-EZwu>#%H$F);mp#jL}tXlEVagJZ9Rm>_Q{vt8<4TK(vmk(Z_zD6oPFd!2G;C#h;SyXm^U%q{CMH1%xDOQn$@KU zILCaALER@@W-ElxS|9A?n%lxVF?(Ik&+Z?tE7BJ@qg!fSJoh<;mT(>^c}xbt6O7lF zK7U!-itzZ_(Jq7^j9BN94=1I0yW^}=$t9@z(GvV(W=_A^A@*FPUp*ozYx^2$`?$OG zv1Lv@=0xoO6tL?&CUa|{FI`ID9P^`|F zbQq;Xs>J*c#4>Mo`&6l`%qhxPa<#e{-ln-`)!pIxO|F@A;H9rVOf`8VA+ z2++INm!}c@OFag^c(IBdluRPv#)BN4LSr>%60(L=SbJ9BvWIy}!{+*Y%C$8C>+Mjt`MbPxT zT#wOe`JSljFVdc1Z@`72n%WjJjNyOU+d-SMRfey1z4r~QDEHss3}-pT>IR;#H=#0kVMHZ-)l6GbsDA{|F=)N zW*OImoB1RxG#K?85w0`RQ!>mjlyZQrr_jj~rv0%C zhL;_ici@4{>4%D3R$+O7FfQ@FNye{%>=>2gYnXy&Pa6T^MRl5Gl(kh%=wZ7!Orjfm zmy8xY&mwZ%lfCIxgE|s5rt&irqT{woaK zoa2}D8J@ML^j_EktNc#Wn)({C!#AyTF<|*0Ix6PC-?)s=HW( zl)d$<`rQIm*CYU!xL){6zD~Yh+I-UQ4~e?phB25Y4l9sf8U!wA4L6Ufa--@_O$5B5 z1f4I5kXM^e4&jFppROfZF@ZTu5@}KR6B}Q#EZo;r`JNi2(h_#W8kzo}&nh}3=2fKB*NNYIL}qq@Ta-k9w^svk-&>FJAkX z3hKGmgM>6mVT%ueq%a`PAMe~6A(wmPUZ}q~IUfS;W0RCaCY#YF8rGQr@cv2HrWLp@ zuXzn^N1*aR{;cmR~Rr>dv;y%>M8T_*JW?a(xW?U_KZSNFr zCjxlLzEY>lTL~G&VtRV$@|6# zq8?M+kQ+2>&+peq*y^^zL=*1;b3M!8F zmNo+_$2+YHai(cu@(;tWo!l>#I$qb+&H^EXK~pdcX5&b&nX0OJp{M%$+W%Pf5L zCUUAa23%?YL3YZ5$rvoT=sx9Ex(oc>*{&`q!G33P9GE_6i&KeC=G&k3z)XoYr64-G za%sTO-D11^>_l5Xbzc%Y4zV)bWC$E|ElA4c+z4ymaip38Q1Y9sPvH&yaaVI-d0?UZKCWTmskuCOM~D8RSjm(T^)R^L9?Xu2wn@~ZyAmXJ-Zk<&h~EPI9!RH-7o&E@Yt26-0i0P z;I#TAiuo?yMj)&nKxzYr$6g*0u!S2%xKvsnfWO)UR*#eXH2yZP0p9EeKrCsDCcHa9dbzSQUkffxq7H~5RX zoa3Pbn`}tuOAvbp?L&}wq@0UU!jhP7O;1tomm!c=}J!WU{Sk)hn{al zX9l0J*MbZfq?;w&hZeiZW{R-aONuyseq3I)^JL zi1i;LDzeL($&I~G-u%sUkdI zsOKLk0R@{u+vRmyb)TBLrNm|^d@W5UUx%tw!*1f)m-If-(lmG)eU-VS5^EFtb>``Y zo!9`CLewr>FJB|J5R@_8MK;oSe9sQV0_tuzuM*gZpXujTXBR&JfNpQ09c|W>z!Cs7 zVEIk~{WRAgM0-p;cLQo{s8P{7Y4m?4=8T@C2e$e$0o$ z7&2(8d__15BvzW+{2_8z%U$RM*o*5>4CVT$`?XXtfgOia5sfD zQMq7!pK>LI;IZ|x>AjlB zzsCD~CZ>82pZL}!;Q-QI-(V1!C%|ZiYQFNyrsHGL8=?`@B=}pZVR?-znnN1B_~&m_ zA`3>!9Y-T2f_U5!D9}J|6T$>7#r9#?$PZ=-BmFg6tPfw#=|c?hZ|{+3`*jy#@oP_H zp@y0}Jl(%vF>E`$7$wRL(y3ivrzp1<1l#s#69_DQFk1}n`89ps$PF@n;AeV4E2?qd$Y;=(i{TJ8(C2y|3ld$? zZ`+=%NOd)Bn1P$)e4mYVV;GrYsG*E$>DST=oonjAN^`0)?5)T`6`a1-`Kkdm2OdQI zxJhk|3~~0Om;y+^JhiEgFjz-2;}{XJnUB$Kdg6OGH{Vm>f55mAnQ3U@%`eQ0%#m;D zh$L1&^J?KC86Qx1ePt( zzTJcV6o5%8&w8YSHnO@!r)rmX>>1naIr(6FZ5wS%5yUzOzr7Cp1(VWZW;7E8A%;X0 zx#;(C3=**Duy8vu*%)#S(amF<91+_DZNJ30O$H=KQ9^BS9L&m%4cmAZ&)c+f0LP!h z23WNxg*I!e05Bt$%0~XFtGEFk&Q@MG9LS54%Y0c)o#f#rtC_yj;xIwb1M`wgu0uIQxtbntPkox=%7D9-V0gq##@3W zytVfWjShI?GQVGD^5g!NVtxcWbiZ+wMViG<_Ls>@!lVq+ITxK8rE-SBNC_RKq|c6T zMeapeQBse^K`k`?Sa6;4nft9Y&&ECRFlLqZ`HmCsZEN|tZq6Azcm9KQ@_A|H^u1uD zAS<6+X6k9j;QGq;{MAulk}0Yz6n`zMRkWt3q2`8!$uL)N4tvq25OVf~J;Sx2Vd z|Fct00>*8QdpjCNN(iUifh-*8;+4%--C&7#XH*f_+{@>|oGb0{nL%7Bz-NrU<@+2( zYs>$YM7luov04E>ua8dX3~xNcPYUd4lJc1IGmj#}e3@F|Mv0royyiD(kYCxUr&843 zNyb3r*axVQX^O22B)SJA-1(n|bhX0W7CPZ>%@4W3N7xypY1I2SsWluM8@@QRHCnSU zno0H9=32&{VO?>MCb`5hq2X5219Jmf^aYAF{(#BX6rMs@{z}9*3UnRs|IAGZTyQzQ zne2&~zXdvgJ`K3U?u9s)N@{_V&dI9i2Y3i>p5KmxF@cCcvj(Gy$HLlgFvao)QI}ho zbAWG$dCgxBhUwG}kPe;3MWutM^*?7(m}tLb9pqo2&wA5-x^CBgZ)1`~WJzj3kzT1< z^wZa_K?mlsZZ@>tcFqjB!VW9!-z64*+0XnpB}ez_Qh2OmJiKT%gkTNWjgMS{?&aS} zhUk5t_<7%m!aumxn&hY!lkQ1V-#rd2hRkn%atFni#6^G7=J9(pfuj){ChyTJnliZv zs{M2`Cz13K0|Cwr#M(|^Rm)cr$X<{_I3MYfdtKcCE>~tnmOPGe&dLj zJfMq{G;@F!_zvkL^-o@0wzOsWFB}pea2P&5$Ma?-#`2{<0TFzZP^|4Qybyr)VK+}7OW-jTS$Cvb8y|SZ%{tF=6bxi zXC*Ora{}D%cKsKKoT@6IQJ?e<7S#>?JUE2-hpVkPaG~qBe@;E6%i9vTjw>4ch%zpw zfoJ}E&`va1-%twp0t(2MCWxO9R}94z2}LT*jf5ekIB{dlp2s7(vy-$@gtGN(!+Mit zHnB=&96{nRp5Ep&VVQGz**9JeEuL-?Bcpuy=~^SjWzjpBRG3cr^sX;Ypk|Q{R8pUS zudA7LNBz&()$2BgG^H#{7gM~(I<3*VOAT-UL?rh(I(ofA9RJ*F(dt~)Qv(X_F(arF z8NFswzIP0XR2SZEqIhB6XOPGZJW}rh3!*a$OfdA!si5MIe#W8r#CS)PR{54iTZm^T5aA< znK_9bDCfOw;r*tiaRgDVQ2c>CJE{C5J!4}QFZWdAgl&WQRfpjag}!5#&gG%kGovs0 zUK{7o5%5^q~j7kX`@qGA`h$er}CmRMet!m-8gPb!Avgj zv`oV#Gux47@2@Psa5uuhi?SW1N8-npGKtJkdxi9DE-ybaQc~m`@nRBiZ}t}@)9O#+ z9kSyIiO13a7mL7(Mbad}8R3xbC0V^$;Tk~Z@aRc9DdqexxXXCJ_hG{V=K%cbbT9wI zx`~%OE;x}GNF}t``Dxbu^8r`99bHZtWu0PR`SQ@Ci1di+hl(`(j4y!W=Utmx8?#$J zL=G3V{Iex)Vk6WK+Tsqm$~05?2MdxTVV8(z+Lvgw`RWXKZwVZ%bdyHjWHU2IyuJSY-CCoc=+ z>{vi(YY+OsBSp5cSd-GLE@w!J z{h5qw^wgseG)P5<$3(B{r$|I&QniUP)WtE+ryrp$3>S*a6W7NuYf-tv%QOAE3kT>C z1#mAz_1#)!{^|P_2-i*Th}ximb>UN*>W)YSGOOYxL0#vBMa{l!8;DRVI#SRDX+fE9 zX2&!(qm`@Qh!f7C{N+uKK^G#|@kpfP$C(X!YCl@~6psgfW`TYbhTFg9$jHLl5OWaIqW%XAIXtH^@ z-K5X;3w;#_;~(4WutvFtZrMidp|tu}TlaZN6U>~wtIovr8jN4jlKE@BbrBkwD? zH`YzLV7UQr=hFZEhS1h(J*bb65UGM^WMpJ`Vl1SdhF>Mm@f4LB7uHr_5cub{nyV|_ z-30!zkdU|0#mopGxvJ#oMX}ysxu;bzH3fcsZcLL?A#1<*iMOHXogWN`l*n#kDn2)U z0xI%{9T0-8UYetj#Hylw?${d-1Z(h)JtgI^ok`+&Aa$|GUS z@e^!JrnYws%rH)~57yGZ=UDeXMe(878cp6b7}rvHJsiIshA=sJQzn#T@P^5){Ke}MeeD-eCzRHn3exmQa9H;`&cS2pag}`e`t}0rnjd8RiVdWr zxazxk-|s5&;&jiW{vhm43??p9g8Bk^K<^^G{F?4HBeq^;z~Xa788=4yEpANWYOu{y z!In;@cb*5K!yO-QO3}$%I`-EmZE6-?UfhX^iMH8>`ugel`65L0955nCgb+_}5KwD( zChQa{{I}>#_!(27O}0drb8I(>ExaQ*6}~h0)CKuf&Y7@9GS;Hf5jrQTS#pYkw)!o>XBZ|(_qrtP{`4<>AMIz)8TuUj7GGxGPu|%1ECPBNi zw0!&Sq*otZe=jdIC8ic=j!ew5Jf$g3LIUd-IX|0qih!_)8u<*SaYr3uz zpniwH&#l!-^K^M4yvit}oW67U+Zlod{-jM>s`O+pG5d`{8<>~elraO9%i&_T(X?}E z0u)SW3FE6CH}K~rAtXW1T$3uA!%3E+bbQI?t+0wtC-8)1Km1Qh%+vci{Q>!;L6L({ ziH7XopqVj$paRR&R%LHSDKa%<)A*i{7L&reh3vlewX{lcEL%kQy#9pwg6hSA8;yKE zzk3xhnrfdM^VP|*VVD;Md7B>jh}fp)dr_PPgtL~5VUtx~`&LJ5zvZPR`F-5t|NBLI zY2o|`z1P2h&^(&I%8l&EI}(11-KSjl5}Qp8Oi8=$LjF#i1W&Z#GQN8yOAh=GbZwyj z$?}$>wq@j0yOt2~^$5d`?b4!R@4Y{zF>6Fll@XI-;k4;z7oE`H3>ev)hG&SwBC74z z9ihEu>MH=^|DJ^Xg3UjHt|oPzHnvw8A?Stgt_$H#ee^%>^7a>=`N(KlLr+W(Ge1Rn z2&&Bl|6PD&!>5(7kht9}usXlj{Yh3E$r!DA|UViVG_1pBJst=z?5AHq%OCK!H45(eDCwqkoqw zAA`dmPOESx8nZ6{AMh4DRmCLQJKyLMU8$>+Sc^G2aoBv?x8& zpS zU5zHVWQlFtQYfj;eZJXP2p*ru3%6EM*^(w$B_olP)~@%9h_IQN)1vdC7@Zxxiun7i zcb>P077!{68h|8UmY)i~Rmz1Ab#^TUxKQisC81}as4fmFpAZsHeNK)HS*kU4!??F7 z?=+qLg63J93fHleWO1u2-oRHlJi6g2yta~-H$fJx@2Wy0m+N>rs`J-H67B8kKTf(h zFNK!Z#kt7SPqnf{P7~_;g=))mqq)zrFF$MrDoy7Q-!vV3<1L)Mp}^_F3jh1r4j!p8 z(eT@T+_^KH|oCkisgkfq3-0G##e}-YrPhvm(X-tU`8rJmYGc``% zZdPVaqizp*koeJUHdX0SFb}}S1I{TepD-%8o3jk|WYFrvY2~-&kTY>YX6?#D0z>1~ z6)c(xIH=SPfPLq(eyB!3)mP0#tJ=CxD^Q8uySe|ys0+UJzcp3FLzB=5X^c`> zxYqJFK(>0ciFZi2mYFbe zX?Myu2yeGI;~5`o-`MLHmQRi<#nJd~JsDyhaJlvrS32wsvPBph0MNY9T-aa@*`z0n z?6|s(7`8FJbVEMcJr5(v@p#*Qx015ui|ZexrTPGV{j8KAim-3;q6{7@x<6{?j(jj~ zF59AC$wC=^DkXWH(U5Vqf~({I9v8;7)og-`jy#X^!=RbperN~qp}-6S7}tbBZHt#Y zIS(p!O9|eGH~#rWMQ*l~3Fql3V)d&*KX?|qzp+xJbdk+<60w#fBl3h4h--3y2Tb-t zh51X9Byv;O$%`;z{^tYws>;S(W8Lb095er8u>-gK2#{VnWWN;Sm^}@sVK%#8|`rqjV_D%1&SJ{im{yVeIRU@&d^VBL)af8G7js9 zS`#;$JUUymhT{QY)s(LF8^oT{0j8J`Ic%cW+;uhgh(_Ic>fxe8y8~ zGf|KeTK(m!^Q}<9QLpLYUDJP!=v&z+nM2tX5fL$M$`Z)>v#sWu>qBvLN~2xbV~wWO zwPLenaAC-I2RD;L%Ra)3+4t$sFSW=naFU=G`oI6;R;7)01)Q}=5VmSb!8Ge{dxY=d zHqN#1TETpl(?roz*l~X_zr@P;id0LgMPpNC;2d!p(W5}znsk44(E857aCW1bsJ_@za4yjogs$kPu}P>abJ2UJ1|(m7KEIrUzsZZk|+FUKZBwwS4#{{G9#2QLPt{ ze5JwAtaQQeF1kh$V=S>T$%lCp&)A-^YXMMzPw{ppqxV0YO8lSRv7l#5_g@Y+2uM^+ zqDqbg);7`4_l3HspQ-YKP4&3;^~fwkhAwGQpSE@!iHM0I6ueq8lT9D1`AEq74JjgB zvcVF>yxAi-=X>ERi6JGg6~IRXGaTtzncS}{@&t32!*YIEBi6PJjKw`YEk8l*=(+#UP>T_4U*|T&(1sv93{D+AvYumXO}3)&Cbf z@P|tb4n%|E~f5wmg}YfC%H=v z=|#~F#d56!&|FKbSlCj|^2y=Xnb49S**(2r`KO2}wR}fo!0aRkHWm9w&XpRe)4Z#E z_#sn(T`_xIahS8iSu$JUm+D%L(*fjMJPaqXxf1LB4GEExFCgpn!y9WlLsym1Ne7yQ zT~33_75 zNcM>VX#OR{wn=i{cqIjm6O1;H zrA{5z*eyumA8k=aX>yueeEHCqZ!=(^Wc*;`fEVPLZ)DGB>N7RCENbl?a|3rP@Js+N z8l`H4yQL^A(*N(nHBW5GQdY$rlLSl|NY{x_(3?y z^Fo&c_XN%k8&6&Gmn_Ck;6xF|JSLnpNkNC|#7QOdE8SQY4UhmsyYK9<8{6k&d%~0F zyCvJ*ik?Vtq1#4bUS3nES_KeCZhxP9R-&e~q@1~bF!?i_9wql~;m#+z?KOTkFlxJz z5~#?fF4!tU+jev-_ z$R?yBrZ=MN0|_ooUO8EQ9LXjTqlFEPa@PnIEXzITA4Kv<3e5T6HzS5xKR|}73Au@4 z1%#zG#esb@F_S<3MKI7$j~GA*K7|yGB!Q9cW6CC9F|O=r4M`FXA6=JZ5Gn0$R$kX- z_Sb39ovB*GR~|d*ZWxoHZ3oJg&FT@v z=)1q2m2CCDd%(A3hw;|ER8!FDs3Lc#{j_!x_Mekg^lRbnTrH zcW+F>AGI%bx>e&q%;E-D<`Q`BAon#Qy=>!Xdcib=9Cqm_%o_3c zWi>8j-eX`BuKfN$g8{Dqc1Hz*_+>7i9qVF&IWs)NH)4*BO8uA2I%kDgo0;Get!~jL zepJ7_C~-nnnuU8$0+uU{AyQHH|B01t1tIL+Z-lB{&W)rjd-*fhe^VTl5iEW$ivBT* zS6E$*?be7jyk;NDadT*Kf~|W-JuSTni(Z^-KGCca2mF9D5fJ*O{DSC3fGF14_OgyR z<3WV$5b~yNUCZcjFzoA)_!t>{P)T4*tbqup5n=B4(lQAYl z2rwpul5MKKM9X~BmyD7hUUNG7qtG~~=ab=4^HYp9kCAPXcxK(%furQ}fUJ$ujGBv}XIU*xO zFfM5zO%L`cMeK=Do!bq9eMZV;9iP(23bhc4=Doxg%KUO#eS8p#PR*y3kGdpG^^;4{ zv7$~DYAP$Qzib4fW-sch zLUgZ#)^*9vOf{F6dWuz#xp6a<^8du9MODB->HmL&0_^#Ph170Qn1dtC7(}XR_9RY1 zu_0VUkGYJ%8AV8lljbF1fcd@1L|VvuaXRC=FPXnIg`&+k?OzvoTrX-)ekZbi0b3}> z0W4LmB_?RxMS{i{jo(uTcILSf->grxRg$MsYL4a*?G*2^#B+Gip-_obgOt|9G*chM zW;HvVf_UMYVp;O#iQcG_Z&h@ER5X*&Rf-YQYyABfe#z`Id@kkq8u14Umz!gsy&vV8@#(J>V62joua*05X-uI5Uhj<|pebRV1Ho_=RkT(gWF9WRa zIJspC0~0Eu=B;j&Zclxitu3qKYwBlEe3KAe@-4bFPbN6^Ns9XXZSE4z=B}Nzzs+Cj zO0e=s*z=7hnOTQ{tI1kx-xd!U*kImaif!=r7{8 zTVzD#MnjHN2-iFx(T4~PuHur2miNk4{9TVS-_i3Y6l;USlB_$Jr^oNPibVP5W-y60 z9=qTLQ60SMEU=)0wh>`Xd?r1=;IL6uV0>vJP-d^lv)JUKOai!Q(SO1eMPYa^9)OVV zu9PVMvsRaxer-p~H@1u4~s`+E-W z7grVMHsS>{^})>RzM$5knfcPRlcLv4x|A#Jbb|MOs4p7ZAXZ5G8fvfIoQ!-KcT_7i znAW$#fl2MHt^_JsM+-MwR1;&A&+G6^bJS%$#^Wegy!a1kf=6;Zmf~71eq~ME>ht-o zs|ELy?L0&qLy=mPsJ)p(QGIp!1S5YmQ9f~8 z7Ej{|PwNQCfzR!YNW>3Y+_cTZ%f9jyGtodk*mGu{rRX*cQ52 zo9uDunodC{9w+YB#i}?|HfoNs-)p5pEs~;N`G<;vA>c!9gvg^Yk&wq{>YTUP#TygA z0xaY?*X51acmkR5f$@oS{3i~0ZozwC0Zgk!c5EPgN=LK&?+feW-p0epNnS@ z#r{bZmG04>jjdUlPCfCF?(==?jk?4_km5ut(@Bg1fRz6FfInBne zs({sj`YYLtQ{SRr$hp_;MfDl{w9C!ljG(1!blZFQu>m4$x|`C%^0+QstToR(yzv)J ze*zpRmC87UWH>DqU-dku?yCAY(3-U%>1ARB!tc=OAb9h=kevR>5%sGsL~_j{uyUuh zimdc!7^{rq5|clfwfK!`Cr3JlUqZ7t^Rn>7d$u*?WFDhe;#~C>o(>F;2P>Cz@-rv7 zQ#l1z>pfQ|MZaJ|ZV$A9EHPiccapyC%>do|au9}hyjdxFDE7?tiq zO+<}@%S~r<3FIeO{ejy>^#_e{WH*xMkw< z?{_l?eEYo^%r@wf2bY4L*z`J&8?r^7002P0;}j0M^L;s$^DKHSqZ z^6`#mu3FoN%czo}o-pgZ7NN_ZZ;NrP^^%8cpAzQyT5(S4*lTc9=a{+?se`#*6m(N; z$OIG%!oJ<0kwPr52xIKaDCHc4lW`#_R*bhi<@)|S4e~9*?Z39OPIg`myZul}+Hq+{ zSk=!@;5O}@ISr_&Ls_Vr)AZhx%!y~N!!Sfz%;@N4tUOMQqx@IRi*w)iU&Q&r6&TB? zvJrPa-VVM#=|>!(Xhq&<1eO2j)(O_$H&>l3EZoo)esW--xNWk2m$YKW)L84e(<4iV z#uD75$#cTRWHL?@ot3*AYy zC)~agQ#&2~67sw<|G7B-X|9mD<3D!+lvpEWx^>c9cycdadS2=F8OoJto)hZbG3B{Z z{mO2>6mo9_=($YZu)p^F9|Z>)z`6Q4rrZH;VP@hTrYdar+ieon1wNb@J2VSH?GiBEHB<95g zhV$A6^)xmP%EuKgpnGZb9f^355PhiRh_oCB8|j~1CPu8%EvBX|(|7(Z?%U<9maqDu z#!#s)6D{Z6P4go7v%6@U+fVldt|&-8`Q`iG3}aH7QDuL{#pZ-qltQQ4-oIJKSrjS# zw3v}3LU$GCw#%2@MaGr>!%{E$ZqyO2EcWTkz6Ujck+izsN~OpzYUc+bmoXv>(IM5+ zUrtVZOdRj2lsKlgMrFWN?TR4#WLdO4u9q;t{=(-wjtq!2%cCDZLapwCh*gc+q&Ud_ z){_fm^uCR1~d;9ArxZBRkt+aavUxK|0ZI7$y9VI z1^D;uXGTL;b6w%X4Hfssvz+f)qG00~nbpWIr`e*DFd%C(5gL~c{HkudKX8I_blK$>ph$6&eHxq zr&JQy3$|2QxSSC4b&J$fpH$NCQNpHV67yFQoUg7&jTCwAoNDHp4%~BQNR1&lVEjG1 z#punI{O`B4ZIJ(liy+_fX;S^YWqEpB9(d%PZ=@Fn46QOMi+;84RTG0ej1%L&qen~s zYyc3Y(Ub)YtmxP3W*Dl@nn*GJ za!9Q>%O~j~estxVOMG6fmDph!S}LVi&;Z0Hsf~HO&S(&v`{M)7)UYpLidJ*xN4w0o zH@hI;hz@BsRe3#P1M1}ksN6LN*q`r4PRpqw`X1@^%@|et)LEij$-La2cRsZADkI@X z*?hB&-<25ud5}7#>g_%B<=5sXRKrX|J0rh%Qk zMpLxe{Z$ zeN|D+@qwQ9=>XM1Cywr2dSNT~6{esq|1x)enHk)NJB*pqJ0V2#^0?T+3f$O{1 zi&e$K6hk;(x6`iS+XeBJ=>&1IZ%B8%rFrm^QIV8DM*(MA=OFxPC1u#!O;L>YoW|Un z8hbbGD>!z4bt-xD%nP$VQC#PSDb`nMU|BGto`@~?K7Pe*%slWcuVUt9&DvY=+$=o!`aI{3X7wlm#b)+M2C% z>@GC{Ys9W1oU<%h573Pxm+5r3m1aIy=`(b9GNX2M>6~uGQORo(@bo1aJ2{ zpdoT#b9|9%KQv-5>k5jNa|r4<9<8mu8f3*9)V)l{Z~ZYwmR;pUD_ZslI|nC|^WE+RR{rd4c!ru`;^ z6?ok_Cle+cnM!dZYvAT)Ij%E2h0Obg^&9`YT~*0EL4^N;!St9}3UB3g_r$R;(q9qJ z^olA~jN3xFi3wwHk17wuI|!ER`EFARL$P{_ES=P_Axc+H_xA>pJk&cApcGcaQAXXp zjGQK&-6u}VX0x)LueMfHtLabOUDsGkdqpv6lf(LawgV5iIG0zxhG}=V-=0a8+=n)} z?QsfwI8{bm^}BX9Qi!h|lCehR2NRp0be^U+ayh`AI;y*|3OR5SKCXt*ckbvtCCFe7 zv@BWAleU*U+1{knCOLA{rT*Jag!Bwd<>hfU1bI=PTspXMn$n|T?L03Wsy}Aj5W)Q; zyJ)d67QRZoI6_74ji>;}sa$Oz@))V4hqvXOZ9s=b$`^zo>v;~{(Y`xHMQ46LI%j83 z_Jl#f<$IGOPn8{-*bw{z1?v+K@tRbdZ({o;AeYZB8((J$?Y7(`5SkN#Vm!)Ca+R5RH%NpT1`1RREh z=Nye-NsHISDeqq0yx*XWxBh|Ws$&$5M$2N79>29}y4yur zgPO?pis*fa%X0z%L!CxWEz;%{jfHDn<;kZiKr&Y4#{tH@N z3`GVmk42yoAg!)a)o{wb-|&yg3iO?O?+qhSkinFya^Irk|0z~cucLTBL zkp}{HLWEv>k#G4Pa0e+n!bexTejE5*Pl^IAvRI80=X1~#X7foF*zMAl5`ApT%&CrP zY{Qvf6DQiFQU7V=@8kWws|oIndk=&In&-}ImNbQDeLK-hu9{yv{hG0drK_tjBPg-= zFWfzh2-Z+sCg3TPs#ZWhcLRguN%s{yO2SSw3%6V;7=jN}yYv0_X-1BQcdN+gU;G;& zL(S)J*9YJQ?$N=7l({oRUmfM{sx9Lvi%yjo)~m0##W5>bi&Z8P%;Vi(1V5>;Ir{YH zjDk4p#65lwuB;#u94+B=2@a(ff!=2xr7$N>q*_FLH(&?>MPMpz-~fQGO9>aWj%zo< zCRY#&4tEfu`+r#Y<@V5Z;ji~m4E|C?_!k>^l5xiiUSRWCftL~&i^P*sA8!-?_zj*; zB__nC9aXC?ap{%L<&9?>AoYRZ;v}-79C@0qC8h<4jLupZ@?9%dwwVa3ZWEWQVNPs zzdW$uL7vI)AvApJ1#pvCHLuRwub>(Z@HiVu_hQ9*E4{QT-3X~=LIdo0>B^vyx5nM3 zQ=?Z*3V17@_R3vuyr%eGXBTL&n@OD5K(WIgfd>!B*9%FG4@*es)g;z|G9?#F6welGrJ`Qe9h~ zWA-~A@K`+xGn?nE|6@yjJHr0ty>^;_y8CjeDqT-P!Scb4w6f3LWhLDi9eaywJ;&CBBg3?`a%|cPM6nJx_3`>O$%Pa2uirvb zuLWuAxiQ3W+9fN&2tc$I94t=xf$+BwH7dTl;oz>mB;J&24G~Zb>X$V0$KPsHbz|V_ z65NeO`vI*E#}>)6Ud-#`k$O{O1uFLru0MdFBY^2xQv}S62$`eob6THO%hNez^AkGk zPAH1;mh$?tpU@ex^X_GMgs%Z5y9|9H=P%b6O_*ll9!cy0CAsiHQz`$t90_@=X&!!p zn*TtjS-YwBe-|TqRTxga2L=j2ho`H>pm+{@Xe>PrmYVcZc- z@@Z8i5LkofZvDu>;pEpgK&$`*z$7WbXt5xka=RrP#VU_z7oZY#FY?|2FtKW-bfYd% z;43{YgYWdayiUT069r?`WD+9JXC%k%byIZl=^anCo8v5e530p{HtZlwSOv({NOJ;F z@ZB!6EK^zhgh#(-3;mWq5zF`H`!Si6*v3AQILM4U>g@QJtNTke5`NF37u`MSvyfo2 zv$H#-W&QyUk`kkZ{bq6jXA0!N1P>6QSE*9Azs(F^c*|*e16OGiwk}n8KdQk6+mI^i zq4p>#Vdbe*?@8gxS@+o$4PrG{#eka(={C!ecWV~_T#hCEegVBWy}FEP80S&*zKnp| z?4PLg)*XhM&dLQxF8_9F!Z&7PV_b^VUBXK)r>c0+xmN!NS^Fk7692QR>fyi;|=jkPEZUG5GGIu{de$Hz!&~j3sFfw z**|jn^O(D*8H;M3&{UM%2_Wv;cp}>?E3rpXySZ7I?Pg%36dc|1UkCU%{ItV=FUlZ_ zz8%k^6t{3zyb$-yq~qi0d`oi&iQ`Pgycb6NblneYA?&uP`4!$927*VAS^>VVLwGWb z;9o4<{|_PHTWIREP!V`oTFTA)U0vR$3!9saYf02LVlUH)h%F5z1H_@q)t!{${}Nj_ zpYVDf(;jj(Z*^z<8JOaZrL6fGwii(-sTNo`0}r;Oh4_33MitpAs% z{&S}wLcmMRhA{st1OL^u{C6h2#Rtsuf9U>?*!~|r|Ia1tKXUay5~=^_@Bdt+{zQ8J zk*oj6)xQb({~y*PK0~~ftHW83JAos<^H|K4kCo_Kn}3EG89g|3P31p5+QCif2bXJj zIQSo9RD=kDeB1v*qrp(zUfy%kBxgw(u zXO^`P)jxbsioV$&V%XFC%B1Ky-U{hx?A?T+9ib9csZzNT(KZ3Zup`qxj{iX0Gb~C#@V(1!&Pc77n|E zL&Wgb2u97QPQnP#!k4Sn%EWc%0zn!6@d2ecZ-2fC268Xs$0WJ26!hs4uD2a8JSpg} z##}bZY28Qa9eJz&mRkbWC^9a_W|1meBy7_Ds8m_`Y3R&AX*+@Fhel>E?H%1geC&KPTo(xOUtf@>-ekgVam>&yzVJA2oyIfXE9+ zz2wb?f2u;L*8XU(mEfsven)Kx0VKf#7vgnoVG9o1jXjD7Lf z-O0gq=FBC1M-9x%cgy8n>nsI&g(~8CMvL!Q8wmwX2>*(rr9B{u{cvnMZNQ5g-;M5n z`C0deSU(FuY+60_gi-bUH?gCa25I*Ik&~7MN?iC|Yyae-+x3cHK*s--^*UY=?)5!+ z&?D04MY;f~eio%yI5M8vL5c7`oC1tF56*7ym!fN&%|p9cLtvD8Zf$8_8L zl}9}Id_jQJTYr>$_3;KMhKYVv4~XY$U3EhKiboaOTMBQ0vEc>MpJnv?y?I91TXs>p zfZPujXuqG5$NcD@!uebGOV;<_({Ra?ER)T+2XHaivW)8wv5Mcss_(Nl;g2-|#J*nM zgRus=N^uSUN5%f5V*gL7*!nvq7E{ZejE8>9*#-#|hLFmLw4uiulFyV_e7wsmMJi_f zVDZl08!>l4ZWC_UoJqJV+B8YTEV(j@Ts}>Lg>~RlM4STSq#~?4*Qj7pP$5uwdut5y1A3l1q0Z6AIW z`+4|9Xy;R^7g2&>xJEHnYj-m0^~EPOMoO;k>?v2PLj%e}I_jv8*Kn%X024!@5&V># z*^z|8gQqT!5A6oxU!dG`6SE)l9)T`JP7Qg_el`4nKpGL_wG- z{XMtGs@)eR%(XEw8j_OiVT5f8RZd^se!RCDwb-Db&MPuqP1OxM7?#ucO561w#SW3IDh3IV$rJNk+`m@H z+8~2;HBTzR%Hnp+SZ~CN&E<%D?`yE5Nn_|rOAoRMa=5d6aum#CG9KQPaYQS|3XXs* z{MhGQ3uRF4Mg^bFj*rB#8XnZejVZ4r`6<)5M@qP8FU{IyHzdioQKwBcTjlm49LLCh z@H;aOGuiQb4nS~vfPR9eT1N7*yhEjR0d|;%D;K3n-=v}^>6^#BV~ERYwrptE1i8p3 zzP?|lNtekbp77iLeJcXR#5+yz>qO5UzxA`sHwMAWZBNB{u8xF9a+wx(i2q*c9-Af* zeLxFw_kfPs>#g~INFcA_8aJ5DgIk~8qwh0x(=pxxmxAdjBhE@Z$-DIoB1YAM3zNN6 z>RHa{V{s0jK~I|O3mZ2MJthx7r?9^B%6S*d?7ig#q;~D7s2+q-Y^Sl*GBhM*k1sXU z!Kj)!Ok1$mt>OY6+z;=honggmaxUybQs%hzyl^SI@|aW>-a&rg>1DIwL}2R<=ESF) zxtjm!wR3Ow82awLg1WQN$%6+HYE>*>J?s`hkzy6QF;yu647sDF(gzvx+&{s%ma-wJt=9X zMZ?|McQ`=YPtp$YFx?D3*N<;qiTMJZ02e|{jD(d-ZsTa~j|RpYmAHExXn(Plxk?+@ zBZ2MvH~LWO@Ei3jZ+|=1ALVXR6CJs_GgB+|87sF_ED}-;3d`>Nlj~1`2*ROO zgdXwOz2D^A&!Z=eEV^gQMy4q~M$#bivX|=JZW0|_!3~=>=2YrB+iu})%dRX@R`8TK zz!E31M=~jkHL541mN!Rm54TcIk!Fi{?A-?+mH~b-we1702C>D?g2=l>M;+>Za<8gE z!mQzWm2!@ztS(BihYO-i;e$flUWextJk%k7+D*U1nz3N1+Fq3;xzT}y%>4B*navf; zCx}TINTcsS%xgpLK&uL=TZ7vP1@FcyyG_bnU(}1OXBMtT?Y5qT1;M>OsED(K4%)PH zMZ)faZrEDOy|H3iRZ`)Z*vP(2@|0@6Hulc<`i8T?t?I3W{VbWVO2znk*g&k7kyPoh zE3*!M0yx9-xZC?(UL$Y1DlZpzP6UG?wAoxs;qkO!~(C(9Fc=Rv@<(T zW-En3rQgieF-{UjK7VSrH#WSzYHrW)_1SQlE+sys9V=xFzPpNEfP#Te-WASx zy^2g(j|+EXIpKuW!vLI~2hNN6u2ua9i4~s2sj=Miw)2P7p?R?;#y~P5Tr&S1sFW6} zwYv(7(5Kv7R(xvgl7p(ySRLE-*_$=Ou$obBSU9?e_}yZyz-9TXuh#-Het(7OyImrW zSI;O{T4sb>{dw{(a2&)qi^~SKd?^nVygS7UhGQytlbnGtIu#H9J~v=pmV+!YGsERm z=l$9$Peq}n(5b1QJ3h_eBTre`?ID{vt`axeujR^6(Z*=WDrw2lhWf6j%CG>k&_E_e z^4gj&f)#uN;c1}+;=~`WY(X*Fy+d9prs|Gnv8FGUEaGSEbhFXP0^5rMOl$v0id2_z zR=FgFhjZWs9b}FEzxdTzJKwTS?x*`72x#>oP zfPI*NYb2Ztl>U%=9gfp{K3Lx*I(S+5PSWix_58_UjoGZURmxkVXYtO~8~JyzqbTaN z;V%r6Dmj)y62gYYW!;&P)?uTps|}-j&@(|jmbsxdY|M#GsM!wPpd3o})e@%qbtj`l zeO&9iKaqWg)o(kvDngG^&~WmxvMy4$fiRYU0|ohlhuO`qhHm)p4m0oU78WBx7wFqwQ{LKsW|Q8 zE8C(^*#%jn^2AozIs0`cdvBC{FIO>lDfS16cuGg1a0|{$bE=eBl+rljCG6YZy$^0- zofj48{sm>`QC1rL$?o-;Y}ds3ptF;ic9I8fa>6jYmq=?7x9=AoOp_skMcAHZ5Aoey zp%JH4PZw+`I(54W-#gArwICTLy?lRK!@DNkTj<&J=+J;h%v)1AO-Zu1D^xFAX%JZ; zs00&O*CX8RpHQI+dTH}QKSe?(01$Zct$dB%%*%Wi0shMMh;yR>VsJln2K+6#%&IyqVD z9zh#U>rCp0l1hRGY1J?boaVL6^?dw^;?3fd<6)jx*cHvB`}weE0&D+l?PyA8Y^|~q zF{2gj)ycIdN%g8H=b$-os}rhs8z6w9WgO?)o zc$;G*PFBO!N?=2O%&FyjxR~2JWYy+zbK-X+A?nu30$_lPXAIe~AjaP5w>Bov!jH*L z?~#cfUSC>BDj3{ag-V31P@ zHi}ozRrcB0amkzjE5dW#Rx~c$ZYUekiFj%%7wE6)#bSgf$UYjQ)?c(4I*Nxi=`2@X z*<99nxw(j#-rSr~LE%qmlr!mws_95NN<)?DNGh{!8g?WF?%67eiO6R@9ge7O zjq@?SNrCWX2O%^3by})MI71ag?eZR+GX;|l6cZ?Z&*Xd_F+=(nrQb_hybSu-H%=1e zK`!y5%&7gAKoOL@5j)T~&o+SBhRq)y%cUH@ST4$lgoLy99q>gJ$JQ*MNT@vZv}Pxe zNu{WgdB(E-!uEZ!TwYN#wz4-YN$2CtFZC^Ying;v5-%sqRzKe1NQWko_#Im5^7jfU zn-}nwNmYZUIKmx{B&DocR>Ke-3NY5EUcSC+=DljuPd#!EJlDbxy26epELp9w|L`wE zvp{L8CJq#XcUVZI(dcG=MwRq)CZG$^*}*P*Cv9#M>>v~tk_M4B=fn`GJVm>@|9S@6 z<;l)uKJAdWT$zDm?<#E1i_j)!+PP#Oi(IYaUZz`BM7|a>?6nTXF{}FZG4kjzwT%*d zG#p9Rxw0GD%rfW0UH7aEi&m{E;a=db$lK_gQ=v=bEHv-ACD~vm>i3zf6dmtiowwU0 zhTufaKQ3&VVb>5RGKaz^$BWFnS%2m@eY-QC0}>Nd_A#We$!SKrI#D~i7r|4k`0!Kj zSVX^G(8h)rc}-l+{xTedKy{DDy^7YSchQ80IRmz7Is%UBO~P+z9vTxCFFG9|8qqOD z$4v)F+Ml;PR7?yqaM%x>n zEc9g8klgLH)GyDMTxY{}PoCwVp^4KVw?_IfB^T3;Bw9{=u{e0C#=P=o)WY(WPlfGN zT4U~smb;&8QLK2QjoA@VT40pcJZ51xzfXU4p}9Wn*Z~s|&vSmkr7Oq{_N5F%TKE%h zSoo`m*Jv3Z+aGPqT&zO3zI;zxnDg|Ngu%^{HWS2ItAR9tBm8sl-y#_~S-$is`_y!l zd+uADC`HlHA(s@hiAI|bt-F0;oSvFk&w7c;jf(K%c#}z}A&)qgvfTJXW5mpGqegWx z_#W0IHR#gjh2jhoZEiNXco*8PzY0!=&#Y8??ZEiuuC4}Ell zEw^$c@+^*Y{m6dXs@tuV><)Mj2cx zwWs*AuDS>8uyyB%%yE*vz;}Rj+ZZL!af@-@6O}E2KvnT;*S9*R&aPVteky1-i?YaW zB2e~eT_)}o^HGynZ;nz%qVza>?FWytx`21mB$mzrB#kOsWsMcz&*p!*CAmLT31OE# zovIM^D9`5!(Ty$^<;8#}1iqq)FNldhz85KA2L!>KzVCK{Qu=4b_R~b9KgUSb9+ENI$;Pk zbXLx-Cm`J+@pH{h{-Mu;+Go{%Mzmn8)GuRxKg7G*^U#_z35%tz>G_Quhv=x`8riv* zd01tbxC33>bQ@952ZVMHsPN3kCg}2W^J)x`(#}-~P2tZq7K6Ephkn#r6pxvvb;!H8 z`TnC0J(U03tb7H}NQkM|{)oc9 z^6OFL+z5rf@dAD4Y?JmtcX`Te%Tyc9hEDN0p_VP;$+p7dbAvy*@g1nki>1*V_)|gm z)cBlYG)Zq*+SBxT&SH%(=R^$nCDoZz6;p!w21&P<-eO%~D_EKn1IuTSEv~^Z@RCbXvCF&ncP6q$3T_#3 z5iMj`D?E<#DMy;X*jj_4hSl=KAh!ob90#KC;?`;+-* zivr&!e&f?NVd(M0JFcGYxMU}yh7-pFi9~a!qK`#W>Lwo}s<<2_kY^wCVO^lPdR*D6 z{`byu`$I(4%zvg^f&3=mHG$@r3)3g8Lj$HNtzWBnt>z|{dk+;TV|$>5ZZYXf1T3&lAD}mUWRG_|MD>wakAN6{?Htr1^GeAI)+|4XzgEPX;;EalF3DkuF z>NY&|n|k_a|IYX{=CuL$!@##Q?>BGQ$v`c5j)i~Lcv5Y;_Nze8j~q^i`FHAU8*IuQ ztN{#^Jv*N4>Sh>feP}_SDUNnlq1PQh%TEueX7yYWGLsSFGRb3wGHEZBkUq>kij(V;*iZI8N zHTfhi3;(ETTRVAY1WRU`U`3+!!=! zW?8!Wyv;VhLQF{SZbI^^!A7;>6%G2)w~3n9Mdvq#cOr$GAkIrxR^x(P-dAFjBkfq( zl{!%`@9dnSqy&2rJ7%tiOqfnA8 zjj=LyLLWOMv+oP&^gJ!AJ%a>O&W(%t^@nB!9YiLvp~P&Y;e0eN0?ml_b&%qCbl5;t zqTW%MWV2Q-$Na-*j|qWX`hRHxV4{Nt2X5zzV257PN(u+d;B;WiT?)a$1DLOpUSVZ zJx7gr9Gf2h;yUAQ_94P3$XxA)&k z{B2PsXajXo)|n(vjxfG*wBmWQgx=brUZ7dhD(57ndKACMcp>+O-|%suZ`fc#0d5ec zO{{4jA*!R+w1>hva3(;AlMlT`J`NLr+AU9BjgF*^+A$QBLVi0SoYqRJ?E`U^_Vva# z9+dUvmk5ip>1Q3fnx62I?d+Db*sxFM;v$6!pA45c{GG=yNQJl)n z`M5qDcY-)=W$1l=Xqf_+l;g+52Lyx_O(yKscu;^BZ0eyhqE?oj&r)Ymwa*Y2x&wfB z87NP*>syBHiB8Sm$KJVDOJ~e}{p+$_KS~`Wo0E|-dcBsu!gsTKuii~UGGkOBaTt3`e z31$PVhg|JuZUv{rgTKV3d_$AGkG=T!au8Q$K%0D58ou$TLd*TMHd&v7H_%M zIAL$mVfzkWbD!U_YU|_3dY5|~%v64`*6oZ`f1!Li$}oMd=(kz1o7D5>vH|f6%M|B* zY?YMfz;%wbO4{v~U3-mMJ($gofa+T;d`;g{>{_l-O0Wm(AuVR2H}bG0w9GJ4*42&Z zs!>GS6AdKN&R`GS9OcL7E5XhjX?JQYR7PnRCl0=Bh&Z2SI2~C^Y!x%t9NW68YqA}p z@t)4`LJ*d}J$oI7jGhjHsVS$P}G<`d^#OSIb ztO6=HNSW9fLi}dWMR(~N$3#a%<8%fppD()SSIu^!Q+IZg7er=%FMO~4E3F~xdAYyG zp@{Br_j*f+$}9X}le7Lg>!d!5o?E~94TVQvLP2~<+{81+Jfm$GRrn-z z{cePGaeB!7RU2>JMfL%be+ZTy>9zemYW`2t>`9^z(xFY9z18VFPs|1`%{83H~fq!+od zPvZ{_Xs){Fo=8}YlYGFvGKQCoslc4f|l=j38Q(=dUztA)UaYW`9^8m&9$bBk`K zNxJzpnfLsHyL7WMPY&}-?H(6Tb5=JowOCZJ=hR59D$BliMU4lgRvs#()u-T#2_%}M z-m9cNR~cG8p%(YvCEazQ{OL}P;BkXwX*{DPVuvomKMXC!!`!a%s2INH;rj5QwAaOBp6W#X?IaXFl6lEAV)fZ4 z&Hanf>3iz2HZ*ORHr;5z9PJKg>cV-Tt*(fM%;jcWs)(EPUB7dy;+ic=hdhskTNl8r zMxoTl-TE2i?VJ^N9;m1$V+l<0nM*L9~V`dX0#UURVno|mM8_j8&G#6{#ZNF;8zW$)mn zMu|$(fS+ZatpOGS3e%-Kf#a1dE+a%J&li40^oBf(|9KU7ym=t!T}Q0nnK9)FdIdp0 z1owp=jAmANr{6u~+t#I%3K5)4Sqn&04l|?WDSvki@&{hX{1!I8B%r=rY=F07`3-y5 zQ2FKwX;Rsbg==NlVBQgN{U>*MuMRT3GTmbikG6JQrOUNgHrqxKqTAh3LR5Rm&$ecj zE>97-b$R8yWVHG}8~qxc6MT*wMq=LyG;9cejmkI~Bhf95RGIhdu5ha5%T-EU(qBur zJGjR$pD(`yHaN3S;XrwVV%B@&OAmS*QW}sM#F=@^Je$eYAvEG;yZiF&R<^yAo)m8A zgp=Hx(=N|tk3Z*Rd7UUTp>Mz-TJp4sIb`Oys3R}HV#9a+1|=EGeu`s9`Hu3V0=@lM zBoR-*xxM~PCqqsz1(>!BMKvTn-jCIAJ6NnO?SJlXC(}OuSew>s3%X@2&U3OvowV8S ze)d9E%vXMzYb=bY`vSt|7;$ue&iGqV|Ha=ptq%ca3Xljr>M z`6YjU$lW4&9}(e1YESgskZ0De0moAP@wCXKNd4wKGq;aP39AaSt3d<$Agn>AnQ@5M zyFq=gstkeStHs!e8(KpJ***_AbdxFRSd3Hw#hIP`Wb${Z{O2x!{4t*qjltMy6&?nH z#vdo!S#5-PZjb6ky~#l?hjrDxU_28-hYfLU)4{L9&I?CX6`8#S0YrBPKtUG68-rmd!=pMe_K8I5mGrlDwVuBqlFYRNl`ZIGgRj5Gf}du z?Jbu{1GNQ1BHUZez>+kL^5Cj(&bBp8AM1UwD}C~i&Dtu`dJmU159=>~T6mx|?T~fN zJR{r1_qvP4exr>ZVwEblfbQhgl*rqb-S^>&ZZj((SJOSEh>(HqEsc~SFnXuvS+0lr zg-adHr!%a60V zbszWFpmn0lPo+)we_g@~(=xpwqh8X8N>0qC=h>@oWO!N@B@AJ${mygif$$j7%3`0E z(Fs~x3(DOb!|BcSA3qGG#pT;YPEUBxs#;dDs9)7gB6a)s!)#Y9RiEVv}KQ# zr>lJfu96H;j7ylvxN3swIz zrwcY%8JZcfSg)NozzoVTd)4eDR}AyjK;_Ia#@NNsSP*92i5;UfnTen@xxj@_4Zv>; zQI%OGqysGrwWUOET32B2SAqouXmE;#3YQR}c>6*QTXwZktbu}N5+oemCNq``+YXf; z)CJ8h&58%MqMM&QOqa*eO*Pki5}#IgJe%`Pieek56!GI~Nf8>b_5|Jc6v)FRJ^UH3w!tliPScFH*yH|WVWM+)y zcd7D^#Sj7_e~(9^^rZ_~iETAN3ru;#_V@_7w-P%yQ`V`mEAV<{XC|zC3ZdHx@fXQY z{5Ik9aZ19_+~(e%whZFOGDc@BXy%l%XzHj`JE}a|jt-fHvP|)6VgXfD@g`!-st!iR z{Ond6hX(Yi9TaditR)MEg#hvGOR-N|=Ib)mSc(5KItAt4g7h6ho(e`!i>&tU!Q-aN zTZF=GnI=5JuPaw2i#5s`W9~$UM!T=!ZHk@Q+e@837-t-Vhws4uaTrck{vs*PL6+|l>qA5S#{ z9^-44Ur39_H|2{jp%tNf@HB0;-pnIs+vwEy4v`ZO2-Z;OD=u;WfuCEOeiTQi%U3(P zkpf&IyTpQbhbn3Gw|YzAdn;+ed!73tk+8&9fo?%a5cy^5Hi4|Tiq@tliDJr+#D+um z)q>Hgpy%KRN=>jBg)_7KmDO-Pl&Id47X~J()wrQQEw};YD*HKjzO`a&+iQarI=%bO z5S;z70l84T3cI9^yZo`U!!qId2>tND1(eNkPV3JN`NY{bf_W=wa^7iaV{n`fp!uCTfqrVgbPL*r=9jKY@K#%#@A(^4Tac-lpUVC`VZ=h*H^$@^aikLclY?)T(Zg%8G0@s zE)u+{P)eT6F%Odj24xhH!0UD8o2y%DkPFn+tGXJxei9xK99a}KuyW8^#&5kkHBysr zQrPa{mMeokaJZP_ifJ{OS~sO5wWCx8 zA-CEYkl#C+I9>kHlD2dQrvF5N$F!7PEl>OyKpmEKM?IVQ>}&2n$`gqL$rA>Q?1 z4ZutZ6gQ2LV;xEkB*vK()>Rz3U`^DL>6Xks!+@JKnO?t!5nlG?85QM@?^NE9<3+>g zUtvjf#1w8dSE+8lA6odHFdbcD(F?AQjkkpW`{PaYw+UpdN0K{jPkU#dZh5TLDjI4d z4?E6{gKL#SeOYWSad|N2;EIaciH}!6L|*phvF9k4b++AlE|u|168mBKzWFWOxzwERtzS)QlFe~&D5*=@l4&|{HK)99q)-k{()%Wj{` z;Lu$MLy?SGvZR(9tRi)^iHC-8krRL20y+bjFz^lo=taP=Kj2gjsbWN1nfR zHjJ*YfIVAh;vWfGFNa>pnB1K2}3<;o2av6>dTZQbi6$$ z3+H|c41&bc|}b>Adn zz}PFl7s{Ion(CoGlF9njmhRWMm*7)bzF13}-Rsu?CAh8VdZn<4+3%rp15`?6ENI)?1cCt zQyQYWV5#BtO8QA}^aiV^mv*V=4z8fhW|#rl9Ag z=k{;+)6%O^6^9V9o@e3xllGQ`SNcH88T7+EVV~CAubT}coJCZjQ1uR24tLFY(6Q7e zsp|IaQf9-KOHho#OtbtThN$E8GB?VXyrIZEu;<2K`PT$zJYHpuq(Cdyjtc09R3vm} zC%Cf|!|Ie!IUx<5lb!|A-;8?dLqtKVwft4~O*|IDX&Rj8ACWLsVsDcun%Pvq%W5NT zfzEDbT`&G{`&@g>#dB(4)7CeqgtE0#m!7+Ej+?hbs48=^`sZPRON%=Ns^0GS2!2H3yM9-?|t?z}kX)$c9WFnjL3_FjAKwZ7|fJ13;RK3(^%0c6bBTW`YwumJPxz!Hsu zdtKXmWOkczE)}59c7}CH5)N9kI;jhnZLy6G&F~j=co@S-(&!nZ#YyB11Y3Gl=I^a` zhkEX@wW*==;u4z&e6u%&eGmVr5ry5R@+k)%fs9E1HH0E7Ag<&<;c3qndh5!Vnk)98 ziJgoq%32dw-{l1x%Y5fmoNX8(Woz__;8!7kC!;1*#H?JSg`R$3mshcQVGSGyH=mlp zR!t&)n;~%zTbJ0e*{$i`3+2{p+FZ2hN3Og*9UNjgY3ogCk(>#AWIvkREO#xmPwM+c z(<(9rvy*-lkIqJ9C`0!H^BnLn^93xtM(x|1Kb?E}jDY)Z+=i*xZ(WL)>oFyc?O2S? zl;epI8h?DhN!wwm7;I0^fpXG*RxV5JZCN>8k;!(%u_^JwXImsXE8wMdqh)W|yNil& zHRc;?XZ3sZlMPa!b}X{n=FN)n9&y2>o|^#93WThFwN~tF>0UQqdrG=r2?R(jT_`i% zZ|5g8g4Y9qd@17BrN$FjpP|&t9$P8_xLNJ}iAu|=X-eMPnDeC~lb&iWom`J6yY;Ir zN4ej3b%q2MFH(1O%s8yv;ZjQx9K(OpBF`PKtFudZWXgcz2wVBI>s?uOXT~gjk{pJ2 z5#i~QTCB{8Mu59V?4?>xb^aR>lI{QI)WrzYX?QA~_%}y;Yo4Y!-H^x&rpxbN*1U>; zXt9+hK?uiY%!aD@vCWZ(d?TVjZ9+T4Ai@>;{zLYlBJ8;tS+iC~m!n|8)6Xui# zv$|bC0WP)JxhuZbPrvKg_GXt!&>V4QF~e3mr9dCohQ~&h4f2}p;y#Y6g?+Yk-K8E_ z_bB%VG`1p)l+R3y!E5)r3R*4LW=m_5E|j_|6dmV(TUu0#@`p5kbovzR%6T!$!d$hC zR2iBSneMWjQQk%-HF!4g#_sQFZ=10pGWdY;Po%7hAU^ee7Za@>=sty4A-TUjixZ-ng(YW?xZa@H!eeh;{{=nc5D-OM!ZXj;8%bk z;W5@9iMB%!{_J>emf?X^-oO}n(MS0z2yzb|R5!kz^W%s`n?7fvH4)_Ghs$?$-P-^z zUWJhstuFT`885w4ty%OtE-`oQ0<-F!`+axk}jl z>-PC{s`!$aJ^*__9;38TlPL~=%iX!m;iQvDd75fD6MWCM%F5k7%fHYssKk36+=`Wl zJ7@C@xqUf#rBw0=BRtc%A(CD?a>VovP%BN`Op8GjgBQ}){N{)l>Pd$KUf9At=r1ZC`>B{PsJonLjwpFURA56C>|*qclg=K9Hb!EegAYqqcchFt ztXAq2y&Z)tt99!|)>yTf17&azdC`{wyQQ8^Lrq!pd2x8g@j7kP(j#4Lz8n~H$xD}yRR zR-nCjIPy-guYyLeSBu>e)%i3v5E&KpXUY%@ih?HyQ)B95ce89|15d|+=1ZGq`}$KMe>Q}kp2G}2A;9L58Wr< zQkYnz!ML(=&1$dbjKS@tWvY5F7s=`$rIhtr=yKl>&tr}19wOT6@V`C?Ca4y>BU>zU z6Wj!z_dD}QGV|tA%=YK8Uh+~xrjxmdsfTU^;*$Z+|G@et(oq}(!mWFNEz?Smymhl& zI>pi(jC@>&c`U1`!6QJ7PXRaVRI@Uea+PwO262(w?0j+Yp*#N=3_AVX2yHKffEeY0 zY!WB3=CRH3&jX}FhB+3xWi~~M>lu9@Z*y|1ZCH%u_2v3+d@KW)q-BnfH`~DMkt1I%L)(jL-kyBq1Zl;aY zWw7BusI{A0x2*ONi@yur1Dm5{V z_i&Rnsd{==a^2_sL=p3So?~J}_UHRDcD3p#&#rnxZx3{hb@E zcNqmFxPdqyVqlb}rC@AcXC!y5s*#?cv;!Gqmlx$r?Oua!CBS3a1+|}jj*dv{UgGW90pn@XDtCee}&XiXdrnGVwGyT;w`9~J0o2->h!?M zq-VY_X?87CU~;gub8?WIT7uOpUE~Sh_D;NPt4r9Msl={g^+p^vq$K9&&QZ3E@fb_D zph0|2MWA%v+*6>Vj*bMzh!0MRL&G&5-1A;Kn6x;{zjQZE%D!uop^7{~oaE?JOpA+w z)`Pv&xR6|9f^M)TfD-mN;q*;t`X-ws&qjX`oVUVn1N?5EPu}=g(I!cSVdhOY(4XQN zc6oyzK;Sq#DiLrH^#)&BF2!X($mpoyts~#M0hIwOIV0BJD3`=*bDR-Jjq>Jaq@^W` zAjyW@rlhpZoJ})k8jjgcq`o|B}ASm_na_oAf4;h*Ii=k7FNa@|Hb5{WFv zJI9nJpE~tI^~t^IZ@Y3HNy`V@p%`5J_^DhEVE&Vf`zh; z5Z)A%%eGNyE6kLwY5_Yc-RU+Hcp#9@({C>Cr7y%vyKSCma4dlF|Wt#b2XJ?*Ucwr!x(mmX`2p)-y$Sh59^ zYly$`S++RqY`t;BXK5sLdp(w0nYlp~&byo6i*;yht9@|H6uZ`8_cyovRPX!w5*wHD zK>wm_NQ|A?ZE?8p&lC=Pne^Cu%AIvz#w@nb1MFqJ+lkGM!%Nj&OXIgp`iC-9xlGjA zp3$Wk+jm+ftv9EZAq^dTKEie&)x5Z_W`z|AD~vjbklX1l|M^B0J;EIQ;NV8XhxFmJ z?_*f_KA2~S>1S1i1k&`Jb0uYBt#(mF-)d&bl6uH9TeiUS32{Ve%=Y8j#f6ITgM;xG0UfQ^iW}T(h8UnEg$Hs{f zSH0*2YDjmk8om_Ppw5!_^sc2!DgvmhBI6x{%Mfo{dmlO%&WvQ)vRX;cTDP8&P_9@Z z^2E5yD&_RGEoH%YYRafz(kl*cVsKU*zs(ZYrwS%3a{7FPdb!KJ3t3?Hz9(7G!^*SJ zVL;iRr_^)7AjYCBnzB8z;1|~F__4}BQjE}q>`%{40P9sV^5}+t@opY?gfg1q=7$zR z-T;lSlQfK}5e?Ox2NTLQvinW0oL;IRh!`$JG;y8L)VqgwQAo)MdB%0ec%+-sM89nC zm4}ep1vE$_#L{e;+SJU{Y$kFPx>v~s2+n1^(|m*7vi$ye*!mMWl7ouWITpT%4>EZx zGEIljl&dC$(s96+TT^lK)PMZ8IzmHpMMq+e#bV3nMEEbScq0C&aa=H63)ne+;5R zrKbzfK3a~GVHsjJwl^y}Op?SeYuE3j`b-VGsQ1gEJ*&N!G&eNgIWugWq{eSg4fBLR z4pVK3U3~gDFOQh$E&;7p1{aq!P^{`W&JzZM-5 zs~{FCiOc$=+jfAYpxIN&-mjvb_mZ6aE%zb9$*VFeC{e&pC#15{8s#j1rZv=dc6D+d zK2yf&wb@%q9pouj`LHzqd&C?Q??}U4}~Tu9T3>|)A_sv&%TiP z6nA*$sSVEdv#Bi}AJ{2PzG%$fEu%PdYvCbCmNAstiF>>iy=1d9vhjFJsDOOZYv);k zw^q=;1NxCh0I&3gR~~tx`HAv|r>U5OKkRGdnD2KPtnp`>sd5ejeLnhQcePU$2FCLYM->6zAYzf zv(oj8V+{i>o^VLN_;$_tA95X#d?T&=tvhft@q zy{@suMJRS(IS_8Y3@-Ea6#xVy{88@1bptjt&b2hdHYHv3twj^!pt4_n zLRuGJixMWg;j_f{Xt*go$69^wu>ypHU^!p3eyn64Dz}uO#_xQ1rY+(L+nV6xPhLLQ z3Cx04+2mF`d5w$zli^U4)(F{X{u5uydsY78d06h~IYz887nBn*W5n7ca$<((hmT76=a-eNpw*d-P$GZtULpe!!+K^0qI+ovYd&%P zcSNcDUEg+87G^pSkI>0wGoGmxlcVDD%MBeuBj3Kx%4yJ=4|m_mbn*oEr=-g4m64I3 zj!laYA_do9x-a{&oY^Vb@K3osh#ilE=w92(#DGefJ4#8&wVwj(R!W#M%C%F%VOFHD zo$zeaN=cE9W!m=lF@1DQ-u93fIqfk_>wD?kW);h#SZsrZ z94YVsR5J;+0C2#coC4jFaz+UD>j%`fS98sl;C;T!aI*Qe?Jn2tI)t@f<4vWWj>g05 zT@nQMyEvW?opkpAdMnSF{jn2@h7yD#D3T)vqiauRi9uYQJWA#^7PcG<+G7VZJi{+| zaKcQ?<7(u<`qXAp2A~b94M59OMx9NQ^IKc7tv}LgYh{^O=LfO8bugK2t!iPN@K0AA zz^c4PBNO6QM)fUUcBUNzXbe1lD{h^}7KJ~O;M@=wXWLE6DL2B%fGX((vCpY$NS6QV z2z#$|gp+j9O8_W=c%h>O24DE$!@HZH%O^|Du$g#yTAx4)N?PlRH*+!WQJ9lDWn&DWw+q^adYi_3sIga)62LzY6Qzo5ey1!~<4sGf`jA z+JZenw~$g5+iCl0cAWPQtPh&^wztP1i8fgr9<=&${YE-JRS%uC_wytDMfrsGBWWMc z&elU$w)Aw^(Oz9Ewu&a0}%KfuVM$Hm2Ho5n&X9(cE9S=W`e=wP3S&_#6 z7~e{QhvUoqN%#cNS6cl=Pggj{;Y1lg)3_`!BoqHs}{1AEO%g5Qd160rWNO(rHpsBRQ^OjVyWdov*7S zAw@~39O>{ZE+v4#Tkzm{+2Oq|Pa+{Nh2tF@?ZjTM4lZ84>!(rLQ0;{;5c1*;(` z>8d#5v&k^9rI}xEx3b1SrytdGMkvBEX6ko4>WtH}$a?yvvl7MZ?`^@e1NYr;MMnme z>`rCu;$YotO#OvQo(yrNW3C>*XjyULmfnbec16e#@7~Rbd>uFw&AP>6;H5H#n|tlS z6iu=sx6{&EfQ4bG*KNwoJx!$th9z}q+*zu8pRjvrL?mKsyqGAVw&ijDAv=|k>H0#b zADs-_F)oiyg2poi_6Jb((G!9KzZIt!TK*;ptDpXxGEtJF)I`l&Q*)Y~bcMFjSX7R! z3F%5*Qu?{nTAvS*$zyn7QJ5KBlbJ-2Ng?(hixJ1-F^{AE^9I$<^h|h^TN_#7SLW5%;uz`PBRn4;4fdZUxXJ|=I9yl(eJ*UK^+vA=7pKKN z5+MMrd55t(`w3b;B(Wf_ z(v<0pV0&59>l?;5>)=!i^r&{XrY|a zcFGamOW{j8!5>^MJ_>#LotF<%%fh0JM~53vzf)A1yxxhkoly{5f=fQBZn`hwqZG@P zHJnzRcK(V^-anN3Z^~Tt`#g|?XamHwURw(Nd@|=VPC7ZfA~VP8?_e6j$^)M=RK-5p z_w=kF!Mz=CGvK#vI}bN`hK%dehneY$T{Q|%k1~f;Mx8lolu+1IgNTMMwY0Jz!K0`Z z))<}q435R~5i4CitaSEz*-Xvnr!KLhk$Fy0W7t=PH!V-StqM*=@?Q^yx{yAtl+;JF zg~0^ZT?4B}2P4Tb&Kz$rLZ}Lw+;EkTd3r%dRlQBzqpIWbL>$06;luCe#wH(Guiw%F;8t4i|2E0BlmpZ*y}au{Rsw)aN#|K zv|sWDCnGF{0~X5l-!+mOpyxQhIrf*Vyk!qFhs3j{|1nSdE&Gh#9BGi!6=3Z>`xSwu zU}0nucrSzAr>_G521N4Z6-fC?b6hDl|P(B6O1)dv8Imhi0W_!fWEHB{KLtktJ~k?M6<(`#C_uz1BJ zOCSR@7zrXuC0hV%jV1RMU}^$mr@yCsegh!L1!f)2L+nYC9>>$6<9%>C=zTT07Pduo z$sC0J+hkBB?%HK-=?jbWD%VePo`Ra5rK>T z$>c_sctY)4Xvi5e7UiO|H?=`B+t}ui6qm(Hk}e>R%v@6c(nx#w7GQqX0##C$|1TE6 ztm(GDo{RTAEkR&T8f2ec*ZF*XF@r`S{`Sq#!%{}>MnFCAXSD=90LXjM-E!IY^Fsh* zd@YBn{`vb&U?wIQiDdcjn==BdZA4N9L4AdbTkM7dbZAV3)_;`;OL<_k0rOKc6g)5z zbPbdJawy>aNZvI}p7?Od`1?3?dr!q5UfY$9x(HzJnJRkBM@Y_H*Wf~@~zTQW2MIZZ`**IHDpbOCbd)Y_X>OI?8AIJKs_JrILl zqA>CMtAH6;y&{*21%@(QUm^#Xo8t1ve_p~c;C@9eAOGLS7kS73kCqDntQ_qYHpC~2 z_M>_Ff>|o?Fw(#6+28T~{bl_3;|M>?0;whTmLn!Mk~@FSmSjDDtZ`h%H7SMw8sO?I zFF@7ym7u@^#0W}m5C5{c<-NK2`CeD#^~*o;1HcYV2d=UJ{Bwi-=$2JAKrI@LT^5RX zDtTeirbZk^zD8%;O7_<{k}a%~nC{$Pq6GKLiR@wJ0KMy9?_PE7M7Ey*`1t}?(`_|Z zq~@O7fDiqw^N!89@}Qzp40!q*f8i1Sl43x}d_`g*i*rCG4c??Y%z_)?C| zSa-$940ss_==S;5+cvI36;CptR042Y^G2A9N68p7)Z~*F_%nf{gH%;OR4Lo7j#&Qh zWL(2bxwgcXa{J&u@T@IIzy3VyRh%^h7*&`Yn60s^Xsjf#?8Dp-{QdIHOC%b5P1Yfm zsCl*>b0aI7S^CTQr|4?7k5&xtzBbZli80SncDlOOJ(7@ZA9@YFnp&ad4`R^>sL$Z-2+#m5eLVCww|aH zbr($y4VR;g#%p-D z_`gbO?X_R4SIH(4>?3%}W&xphuoD2Hu_Bg%=@aIi<^5%w|2~_YaqUd?%;eo|#sSXj zBb0qieO^~zA;}m)V9qxDRAByYz%lFn(!@znweR|K$zyG)?Js)$r{jBH@t`-Nx zhj%Ofv80d6&3jRQhWx%jG@#__O>ylS0htV=9uEumKg3_}-|Tu^E{J}qnv0XJ1>Q)! zSFvylfAPMg@9TfRi!s{$`p0%k{KdAg@LM(h*Oszx40xDK0e+$?;%SlGt^Ly5D5+ z@ROxoFq~nJ-~A5$A|r|KtN+IK{&(y}L^##U3}9?buZI!#YV0V^B3YvS(jYS1|9foZ zYq)N+pAQKb-=|+Ydg~!B8hB-{fPPj<(8R<(+tK}ZOab<=_%@-JOiEOYsCN(X7isY3 z>Hf?w@VQ*_TO7?)jDq?EP0w!tR%O3WrlPM^(OMi=?3^%LFfT3X$```>U+ z$o>q+rXtr?FbWJ;0=c%M%m)mYoI@$G-31co^Zsj2#(@dIpdz{#+4R>PZoLP${Rq_k z^FvnouUEyTu{sRh30Ne*g_7@%a`5>Sg6A0V=!Ik{DI@yN+yhf-E)q~aABN{R{I=ze zs-(YT?DfZ_?QLY=&!1@U6Nggm+uqW+{%5YPOcg=&U81_eUY3SnUBUk>vtN?v-k+a5 z`SseCv2JKwo8)({TVFPEYTl_m3~jkqfBW51s-eGLt&{YXk}G%8Qw{@C58K1c-o^rs zNVDnO5WqR#`*oIozoT>gKEkDe1m8Qe#Ne(dvo-cFN98kGPW5I5<^=}Tp+I6k3 z7q(^yoz-+5!FZ26?Yswyc-94Nztx;EH6MI)|*F1zq{o(PAYZaVBOgPqCO@`oXyX7^EsLnQZ*NwnTNA9&+53oLN&p6H-)%q zSCmViQKV-WkGxQSOD!Wn_D&b1ZRDuCGBaFHjj%|&>+WQE70`INQQ^6wY|y?Y6LdQ0&&gFqT0WUIpMTPG9?-r&khq-);`^Bd zneJwgLsprz8^}#3!7*GOt{!%wd0X~Vc4dS$Yb{-{xG=H=S|2%2)8a8K40w!OmMQ4^1(p3{*ixl+RC*;V-7r(CZZi5stDN4^jwYH+k1e$9!6+G5d6b zKkIUcsKaSB9pxbygSCwmRyVX)#&n}Sl0?4y=@I z7Z$#y!%Ea8EqhJ%?ITXtm{Q6vTDZ4LZf!GfczBvy<uWt}19cd&+@Lzlb~}vCMdR*nP+qmqSt#8@!BuVxdL`@-##hD^5?STab1C1r!`l)!w z1RaDj!CB>*l;=MDZ~@xL*%I`mn$vdx* zm^qGM!XIfELAnOr;F+?q`-xEkmwy5U#v=lSl^?I=C~RVxQ#8BPkQDPcRE}5AuiNRH zoyuL~Wz9ol9p;3BGe7Vp?7}$xRG=x8aKpy%ho16@&v zDN7GQJQpK_7p{^G5@KxkU8Vgd$d40PY4OuH4w>B?YdJA9M$kRBH@wwfKIUTq_?@LG zRxi)E#_TynL5}UYY{SfT;mn&|F_>PtJD8#>esZi7*0XgIHD&nrdDg?}eEpwC1(9_{ z-6EOX?_`!8ev^CVAoGB$|RYfHmJPffd#;d9Gd3n0%m`dabxg(~*-+ z$-R#2O-orELMV3ZBo5JDTA2~Jk)!k@0EjtbOB3;+UWea95zM^FbkCeM`V?Wi9LZ1E z{ao+X|Le~lke7>)*rm>J50{NWR*WoNem^2AX;hV*thfD-1<-T|9_wnbLAU&HwRIuv z2sit3{!vM{;Fk=}I7*aTHIEIm37jrr($}xk#jRp2Dt9(x*p`AC$IJ^M zYroeazxSd(woc{Gyo%tIije3>NT$^`+~sKIdLij*TdtGTd>2wZy{ppa5=CjPh zvR>L9*)ZaFI3haz(Mt~fQ3eXT&%SKAsr*lUi0>TZW*VL@`AVEptT0G0vDXhdCV^86 zZ+>EPs{_%2FOHTZ7iX9iW9ance~qdLn7x z?|Q#H2DzyzGbPtIG{xu{Wl65SB{;vRZgiSmX<%6iXVCBO>4tkMzC4uR^hn_TWS#T0 zSQ@>%pk3yXVK;HJSF#6eKg7h-*{?e)P zGT^RI0u-P}W-erAMOhtj{N2-wCSCo7JdRmYNAd9BJFy!Hb1=VW^4o`#K6GXyyk5q$ zBuiZqV8+jZ#6qz{QGGHE7yEL$FKZU$aW=!|OVt@XMFNuCfO4(sbf-A6RJBi+qn=$I z98X*ObSZDB@x#G%RY4ARxbK~O?3o7OJd64=MjNbxiu*uhu_p@NlV`um;^JnMZLJ=U z#Mjxw)Km@G_rrk|{mU{O4?1Zj<|^sxi#vY5dHyvwd;jF4MhBGgPKT&ww*czoom-ov zQh)U^``vw^I9)R(1ffXT%&1S=v^xx?(hnC0phd!$90D?fKjE^1)0{I8!#kimFpiZw zPKzi#zsf^`&v$Y{GydcXqN%Q{JJWaE6VC~1FFH`Ei2~han_nc!@tWkdsGj>Iq@##U z!xbF*IYK}x8qSAUFU!=#itq#Dnx;L3erZfnXhtW`dXfYGMHq0d^WrbslNEM-u1VB$ zRp@W>d*NsGOR9daBmKOsX6s#9+QYpQg+{RS=s0#!sgu#*hz92@eDk=5G=uN4?_&-I zZ})B=-##{0S+^J_^+56EGo_#K+fB$#ZRVtQWy{xcv^(uX*!Z0!)w~1po(6{PZ1%XB zEK0ie(U^Cdi2##RB%~k`b&NR2_XD!4(6zoOOriSow0QEQ~i-?$S5!f7p`n6 zk!5}^!iH@YkUtBah0MLlTY9XoNS9>R8Dr2i^16j*N7v}I+{z5sO;yhI z)qy6m=CL;20_OMUb9V)lfYPP-YYE4xuCix&=3@B^ z+eVYzE50RX?~zZcPj-6%VJEh*(BU@nGo;gU(nl3M&gQ31Rr}nxu*B%LkG37>WLPF{ zYdu^CndoHHXt!Ez;U#~RC*K77kYeGb%9_6Q-q%`k$*+X#()g%kC|fh-++xKd#b>U8 z#?4`6`5Dqjhm;znrPPeJpK>NHESlVt6NHKlzw4|9eSoBKf*n?CCK4EZUlYtDHVJX5y$4J74g0=0PXjolK90=A$hHAcL4^+v0Y zKNy!A6So9|N+;Y55_d}JVq<*lD08|dEI#32unQmc-ZPii78#|Ienu{d-bVec0nFlW zBhp+Wx1&Kz{`We#{LbfFFv4-Mu#wsH9TeSU&6=@n7K!)6BzQ!L7UKCTWc zq7S$w{>|mJ6BKUNrMs^I7bfpU+KCkLpw zWM|iWilPWC(#Z5TQT<8l)^_R8$JVEFtqZBRZx){8_v#mohBj591M(MLzXK{C>>J@Xa>D_4my2R7gsdOi&Kt%`MqP%bw0 zyziKMQQmexrYkiNIb*o2h5%R7N#2u52?J2k&7QdZP6r-8m5!G@w+=}=?oqfRQTZUB zAGF}4rzh6-LltsvakCGm712Gk2QWO7P7C1Q>WeI);`O4s+P+QR-#j+`Mct+IHyl*S+`)B7~=^iPpY+H?BeG8<4jR!02A3i?pyMCg*Yki`0e0} zH4VDy&EttkO4Q@)0_(1{E($zywUaei3+?9LkA1Y)-dbSC^jL7r>rzu?o0TW^q+w&1 z&Ye4HCy4Y56A`plu~7qkH<&w!|MFlmulEe!(Y$X=Hrb3^OP_hg4=11Ds;hewRZzH%o zoNDd5IFiXT(LdpuSL1n$l#jd-j_Ta9D$M?jZ=%H>vNjnFrmT z?SEEyhp@K!DXPgCUOXJG@vNyXdP>{xt03#Q1fN-Kq_q~-*nxV>OX{8t-EAuV^zoYa zltN9VXA$%Qm-ZivOQf)c$y7TVhK6b%dvRSE7t%IGeaHFHJmVQaiCAXdBv^-<_0Hj;hk9 zR8|^%wxmUo6_adynh#<-$1fh!aX56SR$V6hybuznbDWCLVC`o)8~*W54Q1+?E;m}) ze_$|C=T>`HK@3vYto~t2HmVS3vu{Rxv#Vlx`BR_IvXMw>MXE!%rihbBiWg9;#1sqI z)p;ix3nFc?$7B8EgDBs$M+HXe>uj1JSG^pAg|()Bs)H7RGDOqEk297@>B|_YFWaoV zuJ(<^YF=&cI*oL&CARLO4#sb}>q%NJd3TN@1$O3jrv2hvzH7C{z12+i&^ zxUkB-Qaav1>(c=bkJXyjo#RhgediPJ*~Zc?0qr>VTn0dS&2uKiTE#B;jL{tGa(S;AuQN z2$CNde^QE06w4$hb6aA2k{W3Hx%E=IRK!X0W%#(KnKR6Yc7b-`rzHJqLcmd2j!b`d z%#3mmy-cu1tItBsO>e+c3S<|=7~qTqy-ao{Y8U%SoY~HMq0xBIV_G!k2Tj|W4~}3m zdULA5>735iuQk4&WEK*T4%%Px*%j#a^@405sf&*(Jl@TcH@siqu&w77RX9qtkifT* zS$o2gV20?4DnO+Y?aD))zb+STdpAF;HZSC#S(GSn9cUP2w@7NDO)I|{40l^n-*0)j z!lJ%SVY>D^vJ4|~?39%XiLo*8YIs(z)jGl!x$vu#8k^)eDlAawKGbLu&eh*^mR&sM zpyiV5?QVN&IgpBbA0?d8D0_27>7}pEgm}t3dliM2k$^$ZgtCJmXV56dGnb2RPI%#~ zsv>%*yd%iiN!j4?IGiWkXyx_P2Fs+u&Y-+q)AN!uFr)rCm0$p0gSoJ(R#lUFXEe6t z#p0@@6V$Cw%A=)%cU0MQkQZ})Bmz)!XTsk~z z%O)k6^PFYsJo&n#agP|{xM{jDzR4&d<1 z#^B3gqG2q-{M^i=PB+kovNYk^FkQ6UjHWN?cNU}WUP!==%Ee@o)V+UD2Wq3`2gTfE ztK82cNBk7i46FSDM2G4eK0Aao!MnGm_LmT7Gx){4?AEmz*a&Y8&4t@?ub z3qi-o5jreO*23-JG>01{akr%rkv~R<0s?uLlEWa|#bGO*&U@Y;2QxzbzF!*rFgPG1 zT>upv1x_5k>YSUm{yv9j|NPx3Fsd)Ms9)CvOqm(A{`!zsV!1xFfI|qXS8#LH)=$3G zem$|dz|j=!yEy>vqUS0j=P4N^*4p>U{h8Kj0vo1W_xEgHv{(nyk=3hH$i(zH8)qrG zy2^DuBv@O2!eudd2}7F3HZks28NPL}BKzcdR1Wu%K3ea`LfMc|-~xJht7CXu6L6%p zkrPE>7Bhe*BeYCBvDb5y9o6d?J24p*QyY)VvgS1SUt`vX1zYnt@i4j-D)GO2BKSJsm^m?{b3Ahen z0Xg?U<5F^&g|BY@#+Tkl_Ic}jzBA+#msRUSEeAr-kRPZA2!*9gr>*{PdwiyPIx9Dn z*P0BYc(nL@H_=~*PMlxtj#K!(Ay$QBKB`&5uR9<(qkm#e^OZ2Ao7~~V1Y4Z*>v6uK z^9Desr|x2SogN58Sv0};#_A7J6I9L4vnKi$8)=ce4 zRx-f;XzDV%^frPvmEalteB+elPhne@$#61Qj!qLUcDss4Lnr)~W}jigQdt@|>|wyR ztq7%Bfa|hcr9?tfMrux+W?{(XhlhJ4)qNR`aPjhQw8CmsO=Wl*T6>Cdc>Aj-6g|Dw z{Zb>=9@}P9Cg>70f4q@(lh&D_5c2lT=o>g`GzZn|^)LRl%)0l%8uzw^Sp|K4A=9fj z^6o|ElVZd^i;$9bb^2Z?!)%TAldBiv2&Ipj%^=DUJh3y8rnoRODR3HEFc*YY>fdpn zs+E;?E38m^rQ8d1lY|&AQ!)E9Q>u}0k3U$iVEWP7= zzSx0I;N#WKrLbv_CVA0+*#?Od3N?r5T9tn?T(OuCLQOo(HSB%xR04A==?0BXgJtMYBM~<04M%EPgw`auQdu$JTJm(X&>7issqI4GD`2-sw~+W6#mmIgyw_ zl!+Rl^4KL>)3|$H`z@RA=co{brO zp>gjpVE@&c-+tn&nB_b2g3hsnd5t+Ge&#=nZJ{E%8fT7K%CgAtre?wYxM8TX=PU9N zeIMyFyY8sBR$yBNHpWCYC>@CD;ckMKEw7|+V7&yKfTb&yq2ck3r1M-7R?YxggWUm;q#y$oTVGqSC)Vc zC>}Xwc|uW&OdZim*r#5~>ub^I{*;CkRM-4#aW#e`8bWj6qQ1(gW1H1!_z(4V+fUTe z{t@4Gm$vbkJmVgHCD?sEe)59LWRaf?x>jR#ub#8eog&K1-oKQq=EcBO@A%@!gH?eIxcPW?S`PYYtq5fE|J_)!=3&| z;-i9sFIf}Iw%B`fuxq=EF3akp!PtYm&b!tiR@xodM1(Ti2nVaOs$V0o-He0;_~zNh zTheE9{e@0Ns03VjD$07=OYi1(x;1*0b_r`!a`1c`aHDypTfS|PZ4Mh$eyS1Qo7dV# z4ZdqkN7ivCUn08%pN7Sf7S!}rQOp(3dg{B4=4EHuQqEJ+40yS2A*y}!fu zXPaRyoX`5w)Fg)YeXp~bC7tyVWj0i#lQ(>~Z{U6!uH!E1y00HYYy0xRqM|c>pPd?Y zX%FKsmHencVWf*t7CwZPH;i@moDh^qVAhox0YMd^|d z6#)V1lrBM}L`n&f?rsqf=>}y0>F%C^k&u?|8XAUy0cNP7<~@41M4;ex_s$V4xHMCM#R-ULSJb!M89GWNORuo zmC?(dgcW00>0fQYigIZX+>Yl7{&3G%hg>WW40Uyh0rf=y!feU=*8pMET^* zt8Uim=&ju81T}7};n}2v2Nm5$t(G^YW2|~Fd;%4jbBO4k+}#m$Dr)F=Th!l&CTUC} zWV)Uk^=$b;1c!ILt(&6gZ7NBU5lI0+a}?!vYr)C2QtyH15-}`=XKih8LKZ_&Br|l8 z+3Hkiw-4kYS`23QiwXHN_xT?&4q?VL$M-g#s5YX}DkOe&B-<;Pmq6hSyhIpD_l!g; zMvgjN9@1fu`!*)z+bK~O9Z)Q6K@dxU;&wgoW%rWxqU9Om5}>qv#KY(zfq5C|A|pDy zfb-OebGB?E;uGe0LA2QsMu5HBkmt>}+~aJ*bAVPmp9HcC!jyj7Awl_#rwV)Jx=z9+|z2-hSS@4G-?gs<{MFcSNM>o4q3U^!5nZ1CK~|XnUjlg=kl% z)|+DDR|*>%f+J}6@AqcdECcHLsE25X${L@}`?Xk#k9@Y}Cq8m$yy7H-4fz~dBfh{i zFG0`X6aH7F+9ZNU0{n@uSyIc=+J=2GV5SnKhgRAtbr!T8FMeusL zJNZ*xn=7)SD?M)aU!<9$ENCD6lo6M)(B&QKws>1z;n5U`aDYt1jgV5;SIaEWHnLeK zjAl&U;JdsA*@Ll}N_Cq;L8*;uGv|#O{B1WNK$FALcnotkJ5{+?8F z8@Sn=#rg_?+su(Llj&7}X@59FFTUZokbCMPRegEAoO!c23~OJD2(Jjf;R>-Im&>;0 z!lm~~7L>)7JX6Z^GZ)}_1kVDc8VJQ&tD$k8b-Xk$s+-3o8){G7n$4xzIVfJTuh2SA=sy( zzvs*M3;WxPK085Lb~P<#Dndxl7xtO1Nt2{0hABpGOd@x&eqKLjK)R%{Evqq?-kuSR z0j&c&uT}~6c%C*yD+)C~cLMKVY~0Rweg^Md$5rsZJ(O;s*$hJRO|98a@PKgWns z5RqJ!9&a`!G)EMw%jr#GAx1C1plLAu*BlZe(zl<2*Wqy%s7ROW3`}XY`WpIN56$GG zNhm4QJMNHuWH5!9(jlUKm6=>_g=%&i`cy{smFHY%$ac;@9W*&^a*m2o@3W-~E!OdxAIn+BHrr+zAD;ll-^ztVKvBhfy**CA;E1QWM@5O7BR|$;| z#g6AH$@_{vEB;wXMr_$af&eJ`OvHgP9&93~j0V04Zdcliex3kf8s%gsv5J1sf6Qs-qd#b<#2{({(~9gDM>vg;3+oS(Bt+Gn|+oT$5U_r-gOk=c#xa2 z{_!uS^9S~z>fK-lUTE3FISL3h{+qnq8{;tJEj zS}Cp}D-m%-)DDBd_Ak!T)BK;;W~QRD^-e|82b`pmky?+WHWtO0VGM6rJ1Pp7)z`WO zqxaDPK%?OB>)N;cfs?+oUnT2ZB?8q@NgkL6 zE9$%->NA6?E%z{Qut}os9=1ard=>}CzIQo~?k&Q&7POEec z8I9gY)Lt{;>UV~86PdKIb1&Pc)P3l6s6rO<)*AFU<^WQ_XK&86g)gpxt01#I`dBFg zv2KBSr^OU6H4nT??+QkOGKK81WS!dt0$t6O{Sx~9r;n2MSSeG_cO43iju+Ddk7puo z!fxY7`gVPvOX}m8v>8BZBv)1Ikf^Na^5;ENF>@C!2TIpp#`X z`;(8~o&L({lRdhp=O;VjW?>uMHO8ygc1xvbGScpQtr8LEB69i#)lLfG8IM{p%I_9- zy*E9k3g2xav*-{hzvgW`aL*jVMZeRm66!t^LyuNAkc?(4B|2K7R31sNshCXccMCBU zi=i1rdGH$G_FKBXq2!r*W}XgVhw1e5Rmzjw`ReNT?jBX4Gs2+)ghi~nRT|Y%-Z6eW zX-6TM>JC@4(JoDh9%oyxhu-$R{mztL@a>xo8OcFND`e_-qX0SY%C&XzA#+z-{SXJ& z=-2}H3O%)q{3|l$))}cXl+N_@15rZu`7}N)nTl{f0~u*;_j%aL4nRjf{x-hkmqM98$t0`TLa$Y9Ts<4P5;# z9DSI7;8=d&(xX(0(HGNAXToLtdcm5uYyJ#B0jpw*T*sigOl(^^(1@l-7`tCJoxpNt z==GrIHqL4R04i_ToE+EZ?hN2TBY*C3e3Mo&1bAU}>70E7T3=&y9aba=pVv*XhM zpa3Li(R7jO-Z3dl_R$rkSaVN%Siu>xny>}SA23jy z|L`el8DhMr&8m2!R3{^|vhCO9SJZ}2LG-PP5$e(@hI&bgu7ezUuCwF2+8zc%4%-u| z?Q`GuWDRYSBe>bg&lTB1A=;PxRqMIicb_eO_b`t`=LdBQ_6p=P4YQ|63Nv?<8@}&f zIujfJX^v@WJAb0TVGjGMKPrWCzn|@$I~l@NK4Q46u!I=MxW9|u>g5j6h-<4k$pS&k zw4A@3TlcQa9HP)8R{DCc*R&*wKS0kC87U^U7Iofac)OKKP%nIG6f#;YQ!>|r6;Vij zqwI%}s?XJ{9Cf`Ib?M`mMkXyY$Rcqg4dv3g1IF1s20`nLLVD_0Cy0V1&j`0qg^COS zKtlcikk#Q`6}a`WO{wyXugOo?ZP&L2NET5clO}IBEkitWR0=8BuVQE?z>p6eI*;Fs z+3NC$iW~k>iPRR<8M+o(xWpa6#agbE{xcO+rW(^ z7ej*SBg=Xa~MZYqrcN;Jvs?l7|wAcE6|Y8?0$&i?RnxY z*IMtHtacftJi6d!OjsZyhCrkySddWPlPb%LYzqN-?7IGJQMdMc2XJB)VruU&=tuWU zG@vwenq?X)473@6)`x}sa~{IOh}MR`&Rr%5noTg+6 zd!nSm`DptUc;sA+xg^tUyIUk&h$V*LG|}fuQ&)k!m752C!;m$4)c7>@gH1}0uV-U6HIOZBxEejNLW+%!~Jao>{s!U zgj27YHQ)BGabd47X6d$iOZkrSk23r%HXg+avS>BEUQY9AcKJEIT!FvnaK29aR~Jq_ z%l3S!dx2zDG{Q`U`XIHw&6?-pmgrWWbvJ*S@xt@xq`QPB2|Epz1kBX(5QqAmxlQVC zpCS|S%5AW>|Eyt3y`BY>PT9_!_ZvAEG&~OvF?a31vA4{AQ;9Rc1OoyE=HQ z4Us_y(nhL;E$91SHviC3~!DB?bzm%G-v72#acN!llEy zT*Fqg&DOrG+RpCWIrCgY$2SL2_^ZbcOHvgiiiJumV{~%n?BZ*}^prn&+kN!lhWu1S zD$}@VsGbynjzvCXX=-BmiQgm?UVM z%13!RiK}cJeH`oAyz?Ro8ZVWU_G~O^H z;YmMs+)dM~_7+4gw(7x>6I44&}2&Pv$?dEFbtUp*>uaEQR(B+Aa z1k-ls&#lQ~AM-ly*Fu^bMcp#5B*<<*jV_991<(fOkw22ZOkHn(p#mFD8$+eHJvrywfHxNnm$@gP(j*A= zsrG9RTfgr(V}GRLnnA`k1DwNUG?2UK0TGFime4u8!|-iF)bq!P#tsEOXI(_x&}H@8 z2JjUpYle-mQ`e)fNe*8Sx1{b3>J)8W^}00Qx@fnaaVd*tEk5r%QhIt3iv5ykGH#&r z-pTIsmyf-@;g@q3KOq-`*^7^iqCOzL7&ELYyqfDRWJ~M|c-NqbRAVq&pHJ6|QA%>j zT&3*~*C!W-KZ8HyHKuvLd}j6I!erbh-i0T7kV~%IT*`~S`g%b_qOqBI@(de?+fF6N z4zFp(RDZ`}c622b?~iTbnRXXJotQIMt5Aa-D=}s&#HX1Yjb2iIJ@CaO)cp-%%dX7o zwqNpjp;5~(QxTt&$2J}<`(y(OlW|n~G_Bt8wokiA;-ZUN^<6|Tj%o@T8Ob*mg!;$7 zmD23QxGo_<6wdlDeEHIPgHC@phY~Cgd&iBNMo@Pg6SJ5s6#^bxx`v6`d=+K_$GG)Q zBgNKm3M$_-#p4EEwCSSrPChJb*Jp=o26MEi1oQXP^0z!v z8oJQ}uhWXNGo@IaH}n$XeaGdSUMZS6gL!wquWWXB{OTu zdBZUDMk0I&$QJTZc%de762%4D1BN-Pk+RiC=mLwMv%A)Lx3|I5XPFuKynAPFAGTI~ z$qSB$evF;Pr1Ujo6KYW1wv_Ho2a(O4Y9u<>UOuP*OR{F3pS8b|K)RbB{JLk{zPfR1 zfBlsdGR3D!-U6t)|!pz zMvzHpKaEYay?)_00!X^wp;muwhI^%%iGjynP5N!Xf3&T@&$yKtqG+v_Eb(ov{m{LU{ z*(~D4ING!MV-i)ZKaJ0E>xvU6TGGUL5$SU^t=glsaC*a}R-@$(sGtLWL@HbajhGon z45p8#3K&`!x{06QK6TR#cjrYlnNVgU%0F+?Mtj6R7g)V(JX0yN`&3z`wrbWsZI7QzF4KMAsr@UvsosN7r9cO_TBN&@_1?0 zxr1H;^ioJq^l(?-yL*USdCP#k9`r;(fApH<&NIHuH)dQ(cGbQ#Iua*VAy~sYGZ9_{ z4hLwWUf|t>uM`MTtRB68Jn|I9S)9;+n6NtDo2O+kFw>(ZkyPUGvzVW?`>HhMYe@U7 zlyG(d_Jy0fx!{p*`f>lw@z#ND`ZW%ah!S*S%aR%`B#Q zsK>X)x}*2(YPI6tmBcJWY$tfImtcy*YV z$DgRO-KhtpqU?FZp`fE(&KdP)RTAp78&%@p+FA-ME*B(7@$UTvCFCH{4S1HTi)MU| z9`9C!g&qu%s3+rCE+^4$61Wr9y7L0P5#!{=$z5S*sjJ6JFZj+9bewbEdu_UyVzu~; z^xQY4+${?LpWBa(<|!Fq8ez!$C>Clh+7eDzGFDjkQADL$v}H&NHJSE7)YUz~{HB<; zg`!9Q-asQvK&CDVG6bnrAbRcgT^2@3GgnvY8NcLL7DKjej)sWkZmtppJv!JC16%yG z-1CT{S)t)pj3}vh&Q8B6Mk4%u4o{Gyo+}Z~2?`gA%d@r>;|r+v*>x>H2N&Fn79dvd zTW84KfeO8?dnle(DmF6MvnOYx@shU5hR+VeFjM;yIkU81y{*Ax+alJeh3IdO+k3=% zmu6vvL8EWT=Y213_v^W#MLze#uxjUxYTv7u`B(UF_`D`{{aHp5Tdj1biTdBf5!pD} z=hPG6=^DIT6J!^H2v+S?;h}c)yw_3d{ohkHV(rCPLoy~2mRjpZ6-o`F^krzp$;*&K ze>hBOuYg0fVJZX8lEe>KWXUK5We-YslHp)308_+T)7N1FOAVaCt|GxTXT9+3lmsH! zohH8^D@#uJ>d4R~Z+_l4SbW@i>vL#Pfx*1wrq%#f>37e%y4hxu&133GLD_=Wjz*q? z%5%Lzi}lXl2tEP+nE+7T(h!(t+OEIF3K0-fcvV1=q<}sDUYe@e13Qz{AYu>jdN#Lg z5K{@ORjwYR>I1cC<#k(y-E`AAZprLBVM=B1KsL6=re933A_qnCB}dmR3G4e^5Xb~N z3B3ID8qdAJNI%=q`826LkNJdG`Fjl?BGMP?pFp3MGsG5%lKNvuGxzo>%p3eN-ld|) zh2D=l1%X7lpPp<$I0_ghFSdLArFC^OC3*v9*jk2ZT&+5Mr#8%}$@3;>JqjmZ|rdB(O# znn-z2A$smT5)Q@5`CfQj0hDspFGMfR=xqA3Io5{v`Fao6EFKl-Am>EcE(brdUk*$$ zyw7ZDcxim(kq3EoF+ZhKl0ohUd$K|&a@YQo+Z&r5$4g^C!U@^y6*l9s4o@00-%q;G z5Zk-gJ>;a-YTO@oXD=WgK@84t?=ov>J!VKdY5In~OpHkk-A*toP*+8s8K=D&CSvWc z3SrxBdRK-l9=Z1yGvK1p9%cqMNA%6)8}+oFl>6?7em1^8~lNT73JlszuzJ+)qn_8 zS-tCKb5aK!dgM}hrVxl9Jr zx26S+`aQiwd6Gee_xAX@y>tbk=HAa?Ok&kW`SVAW=bbQiqX28Mjm*bY%F*KBz9-r> zm-y~yLPy`EjJNV;E~7mq>#&Bm zye$QjBEOe-<=lil3gP3*Zs)?hV)pJh6X)*o{LL?7Xib{HOU-(GepBIF2fJMg174;c z`TeaGz83FqT9|y;e^}B@;l~#su6dtD-h_@E!Rx(ITASTH|3{o7NSEU2t}N#BA*p@J zFT`E~V+9`VGQ`~H_HzBMLlna>$QdQ(qvH9rhi#FG#8EWbXQ)-@fLe3ajh+g?c*+1v z)C}CWCD+_HArwE{X-U~L3cKU={#yYt-2Q>}4++l(viQ^(_jET)!_A)3ivm3;P*YHp zC_id>2T@$_ys}BLnOFZVTF7&4o?OirVLlbecmm&PU!|Q(-ll3CN&uJ=5^UtK*UY}= z)xXq8UscB_rPNTI7-4SY>=*m<2X2g~71R#aM);x*5hC*VKalH=jAbX_tZb#s;+ zZZKeWNcYpsr+R>l@2jatY2j*w&*e+mo_MJ?N;GafJ}ETPFTb4ml^1ni#ZzN`mqHAg z0_VIq=6U?_nAv zVj4#At&Z5|R3%*SgH0j6h~!?&HHbL+OAYlXR<3(2z<5^&s7bX(-~K9lv!jagx@b&# zv*{=sXm-{TA=}pUv_i^`E=V+CPF1^NcJ;{{uEU&f0`|AmUlm+2E@ZnT2Ctv9t26DC z9=A1fDJ7x4VCSdwf_LTbp}#Ml%V5ep(P8_ZIiY2j2b#MvbD6Ebx?OQPej&M}{N0T! zv@2%5>v(_;&)OwKq{_F4phj5|oAr>=#~iLqf7#m-XSkj4(kuHa`mJ`D!3^tF;|KVX zE?nVB^Kw{&=a3Wi2shz{;&z{ZM$Dv}ibM>rx@LuMPIx$DLyyC&<%#<^Ms2uD66907 zQsCbK6 zsrK~;^S>vO@>E-pZf>?^SG7eB;xUefz%yFHi(nW2prgJYxO5dTONY}$ zxB+wKh}N`!`7!R|sg@_vzUP_w(r%SM(EfUzp|wN(o5rI@g=g;Y0VYqGNr|(2Y1T2^p5&On_&w&g_Gfbn zr?;|ZfB2pBw_FmlX-&tm^`$j!?yAo`Ae4MywA#GyQ9wVupe{6+Nl(*vW8uiHxdu@p zQA7!^KK}Nvq{nLdn1LyeLqh!gQ>hWA5iZxL4YalvyO}2L&ECG*4bV~+pdfZu;|f^` z&tNOdV<~p>E&J|C*4`(xYz9I+2?;hFy?9u&1ow}+Y3jqR0v<}(o;mOFNU}yX<>_nM z={xWGAeI*fJ2RPbC=$7w_NLo@O$kJ6-=HO8)C9~@EDjfMqjxZ+eLv@L_NqPDYTTc8 z8e2f{wkE1HGSkU$Tvy#S@CP5HlB3Zsxb4TM6tb%g z(tS{m0v$S%m8J~Mm#;_?eH*Q z(nxq|XS5Q~VDP2hfHHnB784{B4c(bU5^p%E@T4zH36&e|(v2IyANIj+Z0H+cs_qya zjPlq7p|smGc_UM9?yB9uDuX5JEtT@0_(N=KA@${@IkZfI8jAu7&y*M4h|)lG{wBI4 zd(oeDDo9AA9^>Plg0B2)sw^!q(zf*&4)`34;2i0f=`f7pON~}R@RMCtV-;uBV{#xTlmz9pLidhbxd*blyvE?IKRP4-p{l#?s%+U)E@9J|W^$&{mWpO^b z*3h~0Pn7*$4H$dIAeBqR&d9EF#{i^FPr72H-W4_mi@SQRnqgl{)w7tuvu)q3ORIKS zctTn9eW`|>GTX1vZTYLk8>&`2FL!m{d9H@c02z;$-hAGJoz6zP76u57Jp}#eU6AbK z?&fQcPcowKiQi)6e9b&`IVF|!NXnzDH=2Ml-5Wg3Jppo6gn(RiS}_=I)ozE;#^-e? zB)-SY$kaL*_U0jL(9eyp&Sf19lI37#M7g>Yxx8JV@y(rg zmMk~19HK$BdlIt+H_b^gUwpBw*ww6N86)FG0h0thKEmX73D=ceLNQa ze9S(`XngOr@T#~2MseN1{(c6XR8H_u8-7I-Z*gacvg_h*lS2ttd;_ruj?61yU-So# z7T?vVbwXGDz3)f6bs=#`(}7<<{mA>h$SR*4bN*rq zI4iP3m*GG!CGY%=KrEj^!+pHXVH=i!ZLkY%G^<9^S634w6Hv{Db2i0_r8+2~+=fGS zs4i%Pn#M;X#%HHlJ>S^m=^gZ)RE7kKJ(EP`%*oY{AC1MSd_8XBNZ5;eG{r&zxi{n_ zBtBbG=hu3H*4q37xZI+^%~$}iz64&-e!eJ}5meE&w{b3h6#4Q`= zq&@vbCB<|V?&!!#2@3yRZO5bDu%J${qw-_c+SLNlhWDtu@Yg}E`>Yz$=rn!~(+!rD zT77nEZ@VllhZip;Ad7aT=r@N2%)Vo~A7=K-gGpX&1$h^$Nc4Mdn2O`iqjGdg&z-hs zy!*zYUw+>aGM5~m2un|~x}bO}oKSq$ZevDlXOq+QdUgAzK10mmnYuuKqW4ekaG6Vn zA0v%SLDfl-%|#EZc)K2LCpn0NxQ-j;HP>3`nwNi)EbNQlUq2%e0gJEh5MKG8s^j(-#;2bPfNvHXtPl_wOCH z&td_t)b1!+e{(Hr2Gzym(R)ZcH6-}77~k%87O3{Eiaak@uE0GsawssUv}g+R}+zqAUav*5t^cnEu5P~q?#UVj_76SqW%YbPJ*o?q6f z&&%5bW?`ZKTWIcD&^4UHf@@^IJM9*L(p+Lt2kYggXOGDqz(tJmtNG(u)mcPrGKyoUdbr{%erEAKueJ8(fn^&z|YD{ zIb+rDHn^%CUR6XQeZWg;3o&M|Y@1wWdy^vquh)v;m<2+9tHbn@^-O#gGvv`(Ent`j zR3~!o{@1E_61bv04dv&Q3;J*C>6Au_q-BRMf*^Y4Si+T-s#3Sac0)B3|yP)DDUq0XnGZ$bp=ZhO(bN5%e zJd^>kKK7A)z?%2>7s>O)YSh?jUITmz3#Q#=Tp+)#|5ot3c0l&0+;}Tc zdhEuhdnP2Y-?(v&KT!0nv-#-fg2nU~bo;`&*vjwUiUH&`87peR3X4`L%m@E5>%S!f zzrIL6dCuGd2o#QTikSj8%nkgZ$kJq}%iWI;zw)f!;CLm?b6YbPr1pvWv)ng|9zP`s z8pY0K??=(FXW-v%1b+vJRZ0Kl>(VUOA*b`e0dVu!AFoatJfNCTJRZ9oCPpD1<)f9& z5Iuy)A5~1<>{ACt+{6U;#K%_FltJ%PG7sv(zg9H&PT06wfW~5r*B!>c<^OJd5CqKl zo?_GQmJ$zO#>2ko)IWhG{adS2FoV|tnEsX9K-u8Hw_pk&p$qhp0VeueweimLw~){$ z8PEgT=?5$aq@O=^|0MQ?_(B}TvBsWt{$aoEX2bpk>&_-EVx?FVpa1^$2Y1ZDtSXP6 zF&MtUb2R6YS?|DOWDHTw8*F39YfFpqq7M6FDEb+7ck7->){U{Bm>h{m2IWe z8S5cidFSEZ2C-8E^bn&$R7aU#S^_D-jZnq$Pdp6k0uP&0NoOO(wR;XIXx7PR7c1ct z_UK4I-o(dSb9VJ4{M%pd{N*nR57}47t%1ksss^4EqydlnH5$R>vBr=|Bl)*d_weChq-cG2P8}j_gu~`Y%FBW*Z z?||k54tg`>x?_6&mNx!BYR!Kq<3IK5zmvGnZ9rPLWlh=o->w3{5BM|A%Nu|38UF3s zzkc~I)b|%SeWjYUN)nst>0)mbQg`N3F)1L98~kto5w8ePIM;eVQU5Q;g#ZwwA*;{7 zqr2bZ$PK(k*z;R58342YZ;nnE?N(v^wx< zWBK2_82}if08Mg1F`_&ungyMP~v z5Xi86`LAE+KU-?}8DNU3&%eRR-_Yq_mme_$*1P#h?(W~X_P;dGpC4pd0j4Ow{Tqnk zc8dLHbG(uUtoIw){QbTE9~^w_k0V+C<4FJ6i2r%cek0F+9O>U8^#5g^KhZ4xk0brh z$>bkL`tQ@)pXB_HBmLt@|9sm1dms1*BmK7!^8e=;De9TDBo=LkiinYGX5&CrDf8{} zXFg_{BOmO)l09Fa9tybMq?)pp?F~jI5A|kWHKB@Z`h3dH;EGH=Rak#RXC_2^dCVa} zW}|%m<@>ZB6TdJXG5sS@Np9%rxeMw!H;0kYRF9hw>;eCKwFC{n?2>IgDv|LL8xHo$HK}v=HO?BU{vJ~T-eD$9mdAFSN}4~VsO4Zy)3fw9W}OC+!T0syten(|_{kvJ$KRA0bp zweNvg#TyA7IHEWG?LSst0S(;u%~T`fVO%oI}R>phl( zzvKfh%)G9?c_?<3LNj@|o>-k0IT5h}8px-J=CPE*uO4R2pub)h3 zBK+8fN~6Xk73#inMC7vGuffFWzp<##CUrHpxsHTI#+%;Y`RinXKPxMS-|HPR3gOsaaLd7fdAcnY zj2imP>f~xz^L)S6EP%nApm7Yl=3&rHs z=K83r$xYg`jlq8MR(DXTXR~P{icA;!B;^X7{g&DSvT?OR(6numBq%9p%yb!Ncn00n zWhg(`H0(_3Q0%tY4*=_^d<#7P9 z#88hUTBekPHOa3Jq|WAqEVvbVlB5slaY4_eJyKy%i`RtE<5ZKqfQ{!~{{0G=QHBK3 z;O7*tynOe_*DxK>*b>Pj0{!#h$On)(y-t>;#9)wAELDb|vA-iyRNr+$1QX&9yUgS1 z5AKJuHTbgVeh@Ba4O;cV%1vH&16-Yvl+C^_%gJ7$-L=@gg;0Vl%kwi;^q<$_;nNZQ<*rX&JRL5jjH zEWmMAW;GFtW+#coIzi_F0n&O0W?eyvv9)fjqc$?y>ZyzGlxUNi<_)}Q5$nJU>)~sd zi^b|h#e@N6ARRjan9Oh}LF3cC!T4gk2@JI4W7b++3sc(3waLuC>Q^Mr{Y2ru#07g;Z0J zH3XCx`oh~n;e6E0VL?J?9yaR>TjK&!7wSthH>_;^2bZI66{-bR>!sc1?$QXn(D|~! z<4)RFKy|Ongtg036+=9a?KZ1MX3PyJP`hAv7%(HU4fyGeQjasvl27<{WBi{ulvkkS zL>YWev!f*-*~Sgqjr+m3SKBvFB=gM%LY#hyd|RK-sAx{etSH7oQ2{OfmnNboLQ=yo zICa-pwUAiL*82{vf`+48P3cp$;{BJG@AQTCTu^{E&#%v^-Sc-eHq&B}Ogj6;KG*n}Oz!*@tA_#?eoZ@)hWqwNJp8lmdYBe`{Vhj;^1o zg!x^eO@1}K8iIN+`)nrF={?&_#2C1)gH(Sy_-uv{MO=uV4rorj(@u@Z@G20FedTcl zUr9<~0_ooMXU=fRfZn-X#wm4`lLd9~#jbPiT`V+lQel_JlTxrBG&NHru1fnn83I~+ zD#Q;jk|MCK>wQ0={+KVwOFG|0CI;v$4#>UEtHk`8to7iM$w*|qeq^(p-p`_Df_tb1^}cY1EVQG-o5FK* z=m~@KU>Bz%c5;LZ)`Ysqaq;teSZX%Gd&d$c6~Nvb;HGBH^3l2uLV@!=I&SMvIuw0> zz}=)1^$Z+@4UAW%TjUGt1{VhseL-xycH9? zT9Q)gv|0xXxavdmcm^0$*c#d$vCp3nb{w|b$Lzh$bVqJ41M@Z`hMY!=g_#J>gAT4s z6jd~{nTT3P1!#b)y@p0EULV6+T-Mj6>NhwfYxEUC#7s$567R2~r2Mb?Mt~2q({|st z3X*fwgeT;pVbQaGv#C=ElaEhr?*pVa@jJdk@z*e=ajpqe$G|y=mt9>>3t@{`-f)LJ zNh_usZW$_8ehzEhRz|m_tPZPARjNw;>Yd} zS-2nnluJK*aQ)?=AWl_{$9)h8@=IgkJs}hLd^U0jweCnz$dtN9G_GK@L_F9T2({O~ zHFg+2>+7#Emt%=msi3 zV(3sGEY5@oP>>zJV5F}d@qK7qQC^v8SbZnYviepWa$V)8m(!!#%Q$6d_HmbM7N73? zwGSoj3r#6CxZnG{c6DZ{C~aVInFI`i;3uFwTS^LSon z-}gv$In`rmgvzZgPmTRn&yXJW1Kai@=&fGqs0t3^XK{U}wj0}dD^n{>uWTUl7e%G< zv;MY&Vw>T48Z-m%>VS^l$$YxGtMh))1B zETNDTrU4aP&E{3DxIrb&tl3}h?Uq;i_9hm6mp1ZSp3O}d*=$(-MCw8T0lDIP$85S1?wDBz@p;har^ z8IL7pBA*+yC&tA*=}9mtcir1W*6C6OoVa0#=97x0QlP^e-B&*|rCjfGjBy;g>!NG8 zQ)=ecr^!o`)YT$fo|iQKva~ZM^pLb_vJ&!FosEJ8l3MDLkqLbzM^uaKVy-6SUC5;(%yV7}wBE^h2| zRJ}7W-A$R+y4*9&I_u{v*AVk&0eptLByuCe$NALx#IAgvR_Sktka z#dfH12V;?;!IYi_d}5A;{5@L^deWY|_rg>iWrJv*5S&4G`ity)LTyV7sit6taTq49 zp4|qwrmF^Y-1A<>c@8mC?g^U;#8r9PC7jV?Ct2e1lJE3Gz>Xj&)eH@zPUL{L<|?~@ z*+I!I5d{_vKAB~1JiDC~@S|r7>2a+w$@f2!-C6o|U_tL_lg!FO7EJ}=2O z#$#!*Q}ZTZewcr~IDL1Ht6*V)i9Y2bslZ~{p`m}7$~A^6xz4{{>g0T-9} z^KLx1$;qEiLplz|No`?dI@|7bjNmMzR^)Z0y`P(W^5W|RJMv>2hELGpikzrIMIo@K zR^|!gW2wD7jF7WNb$)Y`6D%`rPV(=11H_ za2Amk{N8K7_0k>5m&NyE4=@n%%MpSZWAFFn2Zm*aB^6w~yB_jhu6kCwQ@xrJTl|Z21=nk$mWW_Vz=hvS(;l+AM#^NEGp-hGO{LMD53V~o1V!A3W=I&k1 zO#?3CxpHbopQ4?_j}>eg|;E1@M|=0V{vPx>gzc8%^E+NyE0Ov z)q!nWY9$Kp{Yu8F!g#EMYfX*1mvukSWZDi49+8^N@lBi*cqD_WKHFq9Q8srJpBuaO ziJ9BCrHKl`pFp+Lqo-ts6_9xh&I%G~BqixF#^E0jbJlr9;64+N%}Eryi`@w2@XjJL zWbFT8@4cgffZ zqhuOra%!M|$M?>i;hk^h-dStzTHinON3)vlK2>#gJ$vtG@2c9Tyu=v43beMJv2&Z9 zcAR0Vl34grv%t2gu#xN^fYl^sXe1$_OPl>HK$7xlO(tcLsI9-#k*Hs4h@-ENpydwM zCSLZwJyaae+9nFLQb;~zN9N{akQ~#fzVY+hphY)K$U+Z6(i1jxKA*L{cCnc?o}|up z@?mZ472_p`-Ds@GQHE=ATnq!E_l0P9UH+RU)s0J2+6fP+Au0K*2)n5C^rKDf#-$`P zW^#TVn#E~zN?XCK&86|D0%|o4e&w=t`Q;XYoGspMHAY3wm@yS&lP zt52R`bn6cU#qoFGF!?1yV|AiQLAPBROeZf#-2~vBnQF-L@-Qh(H zj|k67=m%I}vEHp9xT5f|R&Gie(Xp6uZ`r&_pO{5S$S+fsP$6}m;r}T_*Egw86#kYdQu@2FK0mLVhK|fw1}uXYJf~kfR>uy~;#)5uvZ0R#DkY7*3 zQS`_1J{}16MeFIa+I4#5@*X{ql{pf-D&qga_e+8%$!zDn(L`c{=(eKaLr3nhi^2F} z;SVs!v1)A#MHBp7zA>X;Gv9b#e-e0@RyH@u4}M!T{R#kdcz3vx!X1oGw99}c;}iE` z@Z(B4G+{rMp@!i?)>xN@j>e&jg+_N`#wfs@8mVGs8*mLA)!&u+qsEAvrKYlF(~|M1 z7|gkU=`qHA=Ts}ScL}>mJ1rZ*U1IfU!b+%3gvl1${n%rUnPk6zCMVcYQ=)nF$Jc1b zfZhI3A(JU?^BrYD`8VpX-;~-_=PFLL-D9G`{a)B#*d^b?ctyr2ECF$D2OeD>kNtVD znBtboWOKV!O~KsPg(_3}U6Wung&n3XgvMB6mBH&ekuGgcP@{F$=-12LmE8y>r>wWF zb;Qn%hiao|baT%2t)7-^>Dq+ZTm$=Yf@Ju<>7w=$yw=uw`UY3^tnnAt5hJIbdsn&7 zA-#9c4Jygj6hQmtPZ%dpuc0U6NKeRmgBT&cQJRjP zOB@u1CNW3@%M@3d!{a?sg~#icLO&TKjNIr8#?v4Af3NxkzN~cL^E8+8)ZcA}bhhp- zpFul16KN7RUE{xL#?nPUtNUbXoXfgk*i&6T=i9LEjM1$PU3Jng|tdF2+X{_IrK_*^;?Z2jDn{=NI)bzQIm#nw*mBpF_lPS}MXJyGtno+S2w#i=Qw@hw8M zAA*-}UVKdcR0_|unkfjlJ(h0X=&3i#A4@iOay8)YN&VD0Z&gq_Q+T9y>2TTWa__8k zZTOT>0B@WH-}ZHEKw03v#IDrTxu2)LW4Dt2*Ta(knqAsP;K6u~-P$_fdatx)SI>Ql zwPQiYm<-Sg$9n4n%qGB|P!W@wjUAu^O^rlT>$65MYm3OO^ zcI)fo&+ia^njz;^)tu}VI%~YBhxiS8&g12FF0s60P|*m9a>yc&U(-{8DT-ldohKzW z_8R?+eYcuF5=94|8Xu?3Kh7U#5AG@q9s_0dbCQN{gs&OnVBS8A@^x#Z#a|jjdGN2C^uDLB~XL4n8oGDD#EPyJiwuAhk@JaVg`$tPA`b4C6 zybBJC5*_>{j)p+XLt<>_B1x01(pdbAM%`J}rfOLXuaF|p%GIlevdRjLH9Xa(2GOB7 z;K0S&m)^RC2**Z??c6kGZv?&bw_&Cpc4~_vVP$odWTB@UGx9pnccV8Fwi`36v-MaL zCSfHX`lk<`%#v0pA7`N9JHJN7`a3@w;VGrLszfZOI z|B$vUqzD`3Gt zYOa$f1p<@aq7|7Et2NZtA_y+KQ6qm=R4gB7Afw5GIs3V_z_|$XmHi0pUc%)^7LTlI zPPRz_Tq4oJ)**qYv6sn>B$%<;J9V$MLP=BPkmI~7CK^zaV=c(K;i+Q%l6~b*3P(-6 z`{tMX?=Ob3c__bSjFPtC*v0+K3D(T2;+B9q{S?vJu-Sn1Dq zkLMTh?1;bT^}yR`QQY6j#{p<sS?23IWo-doxbBL78W`(sw4*fNt7F#z!FPSHFP(ewwAAta|sMUPMg# z(++d6@}hD-8B{U8ndwuskkGcPW!`*QH#~H3ez4bo>~ZN+KiAte%)(?^Q3Q)V7T@efvicLT=cG+jy3TZS@Nvi2 z{GWB*VzRy&AwsT-tZAVfOps4C6^u#tkYYCI_on-qINz?Gmr`{Pc7x!BPYn~%d%Fl8 zSsYv^%Q_fOVcE097DD!I8vUfbP<~87Pdc}D#Yd5^X?OLgP#gy6Ko;kr!K2$(`@Lk% z7%xQd=THp;j+gr@@=y^?FUjK{Zg4&|bKPu*6!2JboiYe4aEta9%S<=tqiws>na2q9 z;yFecevO?`tT$4|h~qSq!oSMOl6N3AX|mn+>{NMcmZbsDdaC(VVtk=S?4Z?sf?DcC zX02cy5qVLaZ7uXqTOWoswqCdpUI?DDon_t3ew&D+a%oQ3Im&@Z$a4r@GbEIruy4o+ z0|E-86G0lKteV1 z4r%<rNUPiszF7cLk?H_F>!g6bmQXr2?I5JiV?jz0W(?3}cHlH3godl)jT-FEa;Il1XntZ5^kT~BUP;ypOSE|Ji{sJ zMh`4&cg0@6lSa{BbqxuIF1h`8JdYkR@+*cb3Z4biP>hQ)Ypx3de5S*!E0;bPw9G*$ zNl@cULC|@`F~cZ0YJ0EbQwVtU>apGJTvM4_G=w5}uZj(m!Zz>Z6>GA{3y|AtJW_?) z>0IshYq9cZVOoy}Nxd%v+?3(W*8qgS?#H~tn-ub{Go0T3y5|Dsj_Oot`2-&dtQaPj zLz8xcjiuhkh_m7asysV23lq-@~D|Y!NCHWdK1o@lBM7MM?lS!)xYj&(*I)xtZIr*1 z4~QuC*!a>D7Dp&1RLJq9-cz5n1zE@CXqTz;+|%+$H=-3JcE!z=Dj=imX z-@b!8)3~ccT=8>7@~1)mKK}zFoj2O=b2$`+qe*isC(qA`A#-6Zddntuw+CB0viiZ# za~wtu1Lj_mnCJ2;MfZ<{9&u}Ev9akC6KD=C)C6V1k70*;bTp^%{WTu0x4w zP{YMd!_!_RcH!ERP0HRo+n?X>q>SPlGxRO`)~)=UR7+yyR1)bi@U2c$S$`od*fJy5 zyZ>%qTGr6Ah-Q_bZ8+l(9tHl zbOmY+6}5{H9Y1KL+2SuJ8hb(O2ZDIwM7}X=!;FD`UAk=PA8BKJNFYFIq=Wux^i{Ev z{Nrt`2OYMQq%R8)YtYliq33*YcTd>#Yj!fDNQO0v?u5#Yd;iF(L#zh*M^q7S<9mM= zf_AhHx;Jw?sfB*!vD_?cbEfoLSPJEteQxroYBS=AKr5x((u0#Q-c=72JP|zRb5Jb$ z_-vNi`+8dN_Cr5Y_~_B*y-jwNhrTxVbM{Pz;fb|^b3Np7cGPP9^+G4Vh5?5Ye~VTY z`%Aav7};Q4q>N%tx`vP#_~++|;CGJ%C?8UA2m^7-q(!aN;4H1g8g`(&A2jwTh`>Cx zS2A}qokGyI-oCIvZ#=^ine}W`dUaxsYw1oZrE|M-k`XNtTTxqd#aynPHNJ}ip54?Y z_RKk{cm+IRLCCup_Fnr&F0@yu&RWP~#|;08IM4m1h2CiB$bJNo?qs6TE^(Cmtu^)#1*zt=diZNV%-Q(5sMV73Rf@ zDJR@q2(}TCY#1FYB&(?zg(@s*4)csVMo|Cq1l<|Q3EF&TooaZ(4!D>WZ_eCb zR@$wWzn56ooMfGmjhe&}-4^fnI6@!i;)ki*k^hpP?bbY-DDVgXO6}}@V7A!kcHW1H zorO7irU=Qa`hrOhjd1-w|BiGn`jalUh7eA{a?ssVpI+Z_9Vz+UzsZeTnWc>In<^^5hG0vDSW|61x^ z0f$LI@k36-hxwm2h%m_p6y z`F1pG${5li*dx65zUkwHAtE%}t917+^c&-ngK%uM#RYg)XK!Ij6yanS954aA<40rV zf%-g*xwqM-rkZbYd4J3m$D2&VyB)3DX#lvy=eN=lFWXqjKNbCVEr6oT14rdDu>KpL z$tz`wVSf~33L!>kvhPF-N40P>#Y-!#qNLwG#zgA@|NTT^jH_d{_!V0*<8CcmJES(O zz(*YsQXI&P>HJXxc8G{u@_5KX!-P;=KRDY@^*<4t@mA)X=@N=|$-3)+QLwnA!+DW~ z8A(-4^ss7EE3X6vH*X2&$=c_04x|m7#4fN=yCTh1jv| zQ-{U31Q3x2H*K+TuB6Nif!7WDwU5)>mwJ?FX)k7qqH8>aoO)UkH0BuNS=^7pX=1j< z6fBO&cE&z?UZ@K5+Rr$-cYXV)QkS38#!bA?^z7-oARtJh>P~gM1E9yc%gv|1n~ z;XZ4Ingv=Bs`l_BKC7YDqMt7ii~#!(Skc_Cyze`c zkI^}v*RW6kUU(OlyIf^9|CH5;O?contHHLB9y{GfYobh(V0F&O!h#pG!5Pfxw~N5) zZ60%NgWe?N9UoSE0rGQVg~3D-6P?97J8k0q>#?eZ2_HXh(k=?e{u;$-d3t7~;WK4< zJCugfF|N2<`@q5qQpbmwX1~X2c&vNK)3X#vcW;)B#J*Ri=7){OuaFO6N}Ioz$TqQd zIG$JX+Ur~2;;n^a-Oze}f$%xxE1v^*Sk2CP?mgUV3s)R%EP>H*|1wC*E$MZh!3i=L zt3OfLZhTaT#yl~sfz1ufOLe5m!x>&SGwE+}a>sI#40akke0OzR&5JF#n*Bc4T3Eu{6jWZ5_Z$RrvVDjc z6B!QUeVM75c(58&<)i(LML@@%Xh)kXtC1@ZVY!ud_W4tfl8_3c;sUrhC1Yk}$XHv> z7j+XmlM0|7E>B$hpLPP7ee7$QeSo53bPBQF7JRoPAtEzQH=;{T<=f!(XlBWKy|GBV zc`U>NFE=`0nRpjr|J6jHd!s}ve3KoBmPF7vk~;$+Q(4wGJbvA3%~5>ik?#;O6`7ip zimL4cay3Uy!Ns^j(62QOB`#mI@}dMGKdp!dlngcSD2|nwo1(_E`>2z~K0B^m#$nH{ zOgat{fA7(1mzG&sG7AqC99HQQUa7Ce>s{NAEt7b_Z0usqs5q-S&-p+f_%Ibs&6nL{^ZmqO!CnH zZk4P40FB3rl{e|shadNS8*qa0k#7A@)C?ZP@<<}O+HDaY849iXpc zMhzMOhBUieR(*c24&hzHQ2q$sh-aQ5=8#1P5cbl=XDwxzvmV{KIxtt|-=uPPFzY81 zyH7lv4Uf9TcXLZ8wL5I#QNpGvU__YK`U8i@*6i|$#q!U*JfF2a7ua(IqeqoyrWv=a zyp=TP4M@*?cMvzGO*_J=%KNAyP&0<{(*pKA^)}J75nErVs>Z^mW${*_(7Cv2>!bq0 zoj5T_J>Avqq^qh?K5fn%&t#k7gV{26A7|ID%|2r08PdtRLPM9)3Fqy`*PQwgt>L|r zDdYshG%t_zrVjsuD!C zwH-O1(lpBo-K+B=Z?4ZE%#C|*Af6gyJ1|m>6ORT3sHLvs&Q6uHJ{0nG-0oz_;H1_i zmi-ihz@G73^T^qXZPpz<`#N||?|`Kx+3Z@pS(WMZ@w|m#^2i8ru+k4{7#%z&^gfLc z5%yMMu*2Jj zzdZjRum7WUziJ$y5qdt1P9@Cp>jTlJl>}0GruXHZ|1ZM;nt7KD0Uc{0V}pxrjFNsUoYtkWMew%qk{ii5B{bR zfB$ZP9|O2Pn-OS8l3(_30?NR{x-GfmulV@W_2K?Kw>a`0%l4 z?OB*aq^~gpI&6R$blN<6^)E03UHZ~R&~o<1cBP~lW@Pj#CF0RF=HPpe7Bu;i>t7(n zl9C@l%Zv&b?6d+novYV6b^^-#b?QgT(ck-@`Tg&2Gi)*02_?gYql;~b6GM^a<}gJ84xdc3>FIYxc@OzHi4j%u0B;$8ek;2e!EBc#2xF|-gZ`?a__f& zSVRI9#i@bc_5i44ncKU~bzN!+G_X@VzBb2_uD6{$K>NScaiV25U_fR$y|dHAd*uFUb%k#T@qT55Zia&zc-rKfAe2`NG4&Q@65tT zfh9ctb%Cy9xv{5-L!I^J$vV=Qk=7ffcdmoyE5Lli)r_hCg=TfI3jkD0(c|1HsZnlR zVPuyZ=Ru5<-}lv12r|1qjJpg#02qUN@V~~P7+6Cr11HJz7mNd#VD?~ozZM6?k3QE3 zE$hV8v~0xW^oI@{NrDiru z7Jyui>t8Kl(aPp?5nh+G70~qG%jus$!jfp6l_bQEBvRj({#ny21brf@0h6dLH?5t| z(29BEZX{^A^!D&|fvc(j%IqP<_E*LHCjtQm^fFp<9tycc6o5=gjp#61j`@$>My@v5 zBc|F@EyNeM`z|~Hlpt`*D6fzHI}oS^y-1Mxvtjs0f#u5zpnadC!cLHBzLPJmzan&nwq`#VXNkDyOG#o(eqB(Tzo+@{H1{9% z1AJzAe_dBs*KrejH!yyB_|;O?YNDC>`rBj&p31e!L}N}B?sw~(ZeIyp_M+E<(b-^ZH|igWcTCJv07NKSFca6(+Hr6Pl#8qJ9$ZVV0QlA#{T0z zX>BpR&%DH6fy$|7tlPJZhxX_Zb%{n$3zg(M+&z6xBfzsTc$7iqUyS~g*^mPWi89Mi zkLx#g4IY033V^V?>!>q0!~j>)MTMVo#9AeJ?^~uAr|8^zrCiWtzv6V;Zmo!|__2$5 znixH3a?I#YIv;iWu5ZfoPtN~%^naGv;{n&T{#5*1w8=(>t`DgN4#*RcUz4|c-9`p} z&q-5{`U+aMuOc2mvo%-v^)bo;)?E4P58;31cJ8gCP9SJkPSB*-#(NMnF`RtrV8-D9 zzSW`FfuA*2v6lGz{@_#sG$(JW#Q$CMKHKCCTLhUBEnD9rf%zUgWi2gkZ(H)%5zacC zm<*|9P(Xu~kQq0Ltw%)k`6i@X;QwacB&JhP~NI=sWhu^?#YGs3@kIW@df zi*l&pq45-L=q)k<{4fPh;Pv^Bd=1#^Y_+04DB(ZB_FsMC^WXRM+a_25Nci_UKmz3g3_xI3nfjz1JO(z$3i&kQ5tvb42gE{@SD*m8`+NIh|3ND+tx}`;kU0_1SuiDI1 zOLMCK3t15oc!_d@Cb7tqGbz|81$N8>VKWyz!^d2r)O_3hbf8I%-&;BVHnuRpcFqKo zAg(*^>)-$Fm$wh=C3|i}@}#@5-SxHc51q{vqb88#Z*6}iEucPg_J7yIE%B>&Z5W-5 zTtY0Tf|PDHxwE0=9a*`v?pU-iT(9eJ%(w^Om16L%{=Y!R3`l=ZGZQr`qyV)19?`+L zFmY#A@~!7gDnA-<`Vq;B;I--W-AY&}$W%Aj;d+ZN9|IowKEv3vKe>|Y1NrM0FGGII zNaAXJPK~P!=ZQFNYgf7z4z}iGaYK*i}kq(cZ^P#mNGKe8z1^=0giMqV>}}PEPk53 zY8&e9M)wMv1DgKtst9Bdz2*lp5t*2vb_E`1Qc30-%OPNv4!8lTaf`ls~P-<{C*wg@BG912E?j%YZFPuZC%As z(*J_km&M9iQ`Vl^>55EG``v1du$Z;fnj)EkBXZI<& zLz~gEggs2+by_aff&_^`q*B-Uuh5}nhJk8;p6J;GF8Z1Zs7|o)EHQRYq}sR7W}==B zo6k_!FRhx42@KCZ@NGEXjGAfUELR$PAr3qn;f80g<#WPuO|vW6gYv^oTWwB~oQ&k{ zoq0}a+46D=*+WKrcw;l8f`s;$BSM>K+mj;@;jzN%7jlttXH7%HFEdBPb(iJ_V`JlH z)74bvD3gG4dqbIH(c0og`scQ#E{<}VbDD*O!9|7I=q0kr%q5D;qQ-nn12wb&Z=W@y zyva6s>wMUU%B$d$3AV_k%aC4wibSN_b1+g%7r=zx4Sx9<|Mvo{(JsFPmUK=wPqF41R*~Q<$~#!T3CJ##V3oKiNjcx*d7J*i zt#~WZGVy#Wa^$u#fxQ}EqyWn8BH@)XvfLzd}r--(vk;W>KH6^!PYwYa)}cTZvb4 zkdH}0N+F_Xbpg zj%V&Tl)-9^~IjL{j})`$#%EiVNG>@P~V8SZ0^Xjf?6h^%30M!a|3 z{>AH-yGRME21V_rkpR^e@+w?=R5*@S6c9S35JAogPNklqs%fx>XCG15OHI#4kz;`l z)AixYFbJWK=L-%rlsU29OLHFk>vB0ju(_sfkkxS%x@-t!Z0J~rPT9fd8Zy z?VT=qW-F#yYvAGhsy{7#G^lQ1IOW);rfvHRlFrjq1#NUWw@oe>rfhh0tWwh5yF!)- zVOWb#CJI{F$O~jZx!v)QW~$=gnRk=P-FaZTCf&xpS5;(4vb0ZUg`U!#Ps>yXA3ET( zK#wwiZ=p+Mh&)FHnzg<|0Q+Z)E4F`#MFXcfh_7$PW`6Ky*ds9B+;r9RAgX80Ob$Ug zV{y4PFU}74dddppZx%~^@Yu0iN(gZ#HQ)eHp9#U4&9X!!!EA&`Wk+AbkQ4%9PQ`iF zIKE=vFgmpYFggo4Q=?`fRP*GHukYva8lAqQ!)Pn>n_6iUp!B_14LuZd5@fL~I|$@p z?>US=@9EKvBP;~h+t<9_AiUExV0U?cH{kt#WzLo>@am5Dt^%d0PT;h)^ugfk>$4X;IB=HFhuceFaWzOJ(vYVka|M~O=D&o zp75T9L1Aal8zx}H)VHlNa`|tu@im6Rtb}OiVsCRZ4hhyk@XU*Vi zrpL&wK)#D5H&mFewFhAzw{EC>wqnFeMeh|jla(aJ-Uvl4Wa=VazjyeRI?sy zH7lL^I4OC^iaZUyg`T=ESTi~=h@@H!G+F6JX@@h3|G;IfPMXNe28gM7=BosN4Bldc z!+4cMD!H#7PiKu2<{(BV>-_LoM8r+qZK|f2=q^sP$2Wp*JgeYW9I3tevd>Gb{-d$| zk?PN{i4y3rXYTum*cO&lA+V25phUBwi#@AVVN%}m?)dDc8JfrGS%ACBYk&94$uA~V zH>!G)e`x5*?v!#n9tG*-Uurk+i+O^jl+iUshv*IEy31}?v-h2bno~c7PjU~8fjxcW zW6m|xrsEuiIYAouT=P_SxM*PIY+327y2V$gU$^E+i{6~T^>rn#{HuK~I9n^ybXYnE zF}@@=k2mnO+Q({K*al2Z8Ua(dV$Y9x%E;~WtcXt*Cq0whKy`ov z?&HLP_+j>3BMRcZ;m69FIe1BZ+Ur=-F(PROLqzrQheL9q>Z#2FcKB`ZhPdAt$l%m)z`$ zuRiuT$7nY8|Kg|)KII{sJXla>E?PC+L3ii`PCG_z}Bko2nygNJyd+bNXsU$V3(3!P^^3Xm+Hc?T)% z>?DTw&P46O?Tb2|%GxMo$FkGPt(GjU%90I7=gp)i z0*$JYx*i1i&GwbA<5MXxx)Z;=?1;RuQxRX9p|%LW{~%)qTP#67(^p*jL?bQpMLD;R z`}1;@t=QCQsiPa*UmM#ZZg~W$WRm1Hyu#?7lv$~_g8^I^pu%XRnxuo^f*@tE4Q6Pc z7mqE##Vc8DR$qh#IkxDJUpc)6?RTH>Cj9!QkFl9IaoGnE3Kd`hxhpj#Pcp+_vuw!g zeq=c}Puq-c<2*%0tFDw)(esj1HIVDb=_Y-%!>DWMPtxn%iCJ>TCpcUDX4-&j=xX`A zUZwx@K`~ab`us@pf@}|Q*J7n9?>CqHxA!z0s0<{mJmhZZ-b~kt-$1ByAFhYDuqdFN zUfyiBs&Nxzso`CJ2fy{WKhMwW4Mc;rgJ(==viM|nBrZ|Hs;0MSWnr!o;@I3wA3%8L zrcTRozqjoxg6$bjm(Mr+=5&lbJ48oabZ!Y6MiQksNxI z!X?DK_uMrN<>L(RY=j8Q8jhSPkSWlXo`1f2w=B6UOPA9pbrOmNdmCH)z)cGYg{U?) z6Ciq~y26@@X1g8N+f8&ilU5dLm!aWUCC?7#1+yi59Gj1L?;Z|hNFy*KS#i!<(9DqI zJ(X@c7^Jy1CRPiX4_YSZMBVQ)+xH#4u27S_g56K({c(DQTn=Hm8LU4?Yw<& zO2sFea~)-BVhp4$5?B&?=LmOZOWdy9A1~}F+5%tl6|;Kxj>K+;^nYzyzr#2zTr078 zi8FP1Ap`&tVJZ||k51=qVL!$6U9YUr&oxf*lW=E%^ zl0>0M2IWyV&M&5h3g~R-JwxaDkkEHxD7Q<^24(@dH^Z=S4e{!NIoifk;CN`a_GfNg zl~@49K7T@SvG4To;KXL6o)-tJh*TK+q}ZGy8}Z799~R+ie(drOYaG>ntBu3{@@i}# zf%wzmStsNA1a*?H36YIWuD%BkrgtClI^L<#DLr0VtEviCH!mY7?l!Tu8(IJCl36|Ol$py~%WfR*W%?|wGI=2a zUvdn82hlvB)J?gzPkN5Yen6n#X^Gc~gK2n_qGEaCcLR+eB`n#T4*w!#-a}eLl2?7^xqvfS1l zk?jSuS<~}CI_Zeu3C;(-Ldj<4^_vr`DZRMBN(`+ACM)MA;oGJy1Bb7MW0T{t`4s10 z_rG)pw4WDTftIT~1IW788>*5OxSJEAy>iS>#8kH8Z$zB*RCkLRU-l6vq6htF#x%`e zpr_9|GfWA0qN$$3+5b|?%yLOc#HAo%pU>4qa%XZ=EQeL*38aE?W9}9*)GYRpKfL;hU;RsiZUsn< zmQbSnBrb@^9$tL#T1USt5?cmVH+DW;l)QRSZ}*B^bohO^zSi!`_bgba(+V&6?I-2b znxY0#N3mU)k(Z>wWcXbDu{T1urQIbIt2ZNy&%4Ub{6l?&C*B3X&Nda!y-?$JDo+QG zaE>3zFOA`$C24n)waj)ir40fo>-=v%3nHj#s(-9tU({873spt%-EbW^=r@v;jMb1I zCMNp2B#4l5oK2-`0FQTmf$(d5QHnvG)%H77RWmo|%h!mG6L2!=ErZ?annJZkjF- z&FL?KLJS}6sbZ-N%%F1K&wu7?ESirM;C7a>Xf!&PSPx8Ob$vBkMH{Q8U93ih>UDRW z#&d&pbz9wPM{s4#?87wK>XWrG9y2QW#ku$O)@D{;4A!9J^o1YS!IpGzwp}MJ_;Kbz zeHUSbbUGjS*XB&cUt?ofKfXM?1r(Ippb?i~m8H>(Vv2~HrhaQ$f!NIqSQ2RkWg;XDq`MH>d*h?g&iK;{3Wpx~mRg{4 zxegj1H>l_r_cuQ9-fuixIiO|WG_3H9ewE-KN0|zw@+4C9$03UbedG2V-9OPn>%;=y};%B9jqjxmn-uIj;1!VzCaluvN)RCI{HY`s$0!XTv_eh%Nz^e)gMJU{+Qc{Ok)FMVf+(A8qacUn?< zy<-3Sqe)aub&V(&^UoaPr&TjobuR#PdlwmudaOw2Fe7WtwLb^;jmS>4l4p@eiXXq? z^M0vYWLIiu0(3IHP+8_8 z_*1c%FPN|3hB?IJe?%(~4Z7-nmCmUOc<^+D+9}UgdxCd8Z3lJ1VZsBQM~+|}k|w@o zv0+$%qU+92$;s)e^~-ec+wIeAl0w!zZU}<$V<3t4tkZ6w)DnLZ>!B>ZJ_*l! zXi)yl%5ff00&SMJq{&6sMNG%8xDU$3mk%uwEH>yM&?~mFxGYN&<9l7Vc}2dG`x3G; z&SbEXJ*gc)9I|8XgBNMeH1!LrX<(7X0=?A0G_e-YdM^Hz-LSsc(hBcKN0o*tDtBx^ z=;kq{SlMy6_M|(lTNXuQ)OcL5t6as|dz5ETm6;hV%%l(DIqW0gH)S@rm>S@x8JVTN zaq~pUquBrTipFciIMgt%$!9nx6E?mHCh=xl1y0o=aZX!3_t@djp+wG9lmJac9o36N zRue>_gtUwB-9))A0-N~Q`1X}Uyxc~JZCMu?@qv%S70vmfEY}Kq1ylR-M61si*Mst+ zW)D%6zvryt#0!hl1uE`s{XBv9oZFG=FZH=K4F)v7r-OS8WL9y7gjxt~r!{YiqR3Dj zqb~G;f@Gf9FWp&zV>7Arh)V7--A1G&)Pu?VDCo!Jx!h3TBLZ7a^tU0~Vz-_450u|7 zRLzb$NX<@~mR7vqNGKkspB)Lk42a9}_uuB|CK~P0aUN4=4L>f;Zk)5^e7|CVV;diPza779(Xk*YgiTv@$o_$w~z}t7snd^)RW+ zC|-i;oGCPKFeLKeMWLpe>Vr6nCF|r?V}`1tW{9GSqSeHeMKUF$xMNIHKLnXnv6H-v zikBOk{58CO+Q#%$v0S+${Rz(26QC>`OP4T}vl{(PKP8ekkfX0Q@EF8xe+k~|H0Hji z5ux29q$eRWDe)$TN2m&c5Hq7UjLk{0sZ*yD6Y6=ajntn)n~I)lrRP7t*-(uC%BRyd zc4v*aFb$XQYEyN1@?&|}~8vpyt7m6zgGGcjP^i&gFWp6UXLJBtWW zJzPc~G-@7+O+1b#K~PZNsTR5hjZ=Lu0E|&0B#o#nGO!x|)@`c%>{W zy=nI~Fq31YrJ?@gz4qB}U)9tV&+duoZHB|QB!l36pAI5!6_MeG+wB8K-7a%oE>B(! zAEj$=x>`?oi5K+@De!=gMyIE|Mmf5C_7Y4LU9nc*PknwluiR+d;Uhy2vDb5{!-`G=b*P4A0apF<5` zjUgErzf=nR6=iZBq z3+a-rFGYHnq&39PzLc@{aD(4R6nP;l@Aym>@8Vx|7FOOzOJ`X6IbCk^_5CCue~{s& z;kUuFyE#3Tm_K$&Jm16~GEW0QLI9uqopq~gRn@|+!s^c{WyjIT?tZ4UL6Q&7WhhK! z?+4S*S}Te6aY#Dwd%b-vnF|k@!Y0~X@W7Pk1sgXf4xQ&N3g^!M>wD~a+*S#@U* zIUPL4xK1E+2RPvt`ll0a zk}iE52pbT7ccr7~>qzn0UY=^I7*73MEMG>;?J3mx53(7jm znixfAN_oe6zMM`MfoyVV6BL`!t>UE>J^ElF=hi5>zf*R`w+t#Y$X3F)ixC z3jNiuO9yOja?#Qp+3DU|cvYy@zh!kE=n{JpoM>gUuCbfcNB-@N9;!^!4msSt-6CsG z{c~>>(}1qOERhx=xsR!jK2vA_38iYJY9*%!IDTqRve?U(Iy(g$%`a_z-S zwf;a_;VD8??fkl6KDrp4(rcuq=g9ljfhJK?e;^Sk9fzk}Xc4{c`l85h|6G4_{bsYm z5u2)lN^kSAsWld^8$^AlXV){@$NqkDOtlLZEqV~xpm0b0JblFvKf8_;NGx+V3q)d5 z)yr92Tvn1W;jg{JI?}89buvL1Xqw5zjygn4ZO5mL)0~|bQ%6|R4t^tjS;;X!dXzqR z2<*GVfz*Y#Pay2OV52hNdh=(>o$TGsZ-VfIVa8gJi-XcCGy>NobWaaMV(G zT6u;C0HWUY8t5M-t9(ypibDz@!CPqju9n&daWekSx9xnv`2^Fm_J=58r~@}bXb3`B z=sfRQwKHAd`c3(fqsKF#!T-nJdqy?YZEeGVG(kW`inO4pC?KHpj-p^eP-#*l(u?#S zARq!NO?{lB~KF>Fv=RIS5KfW>E?>#><#vaMq zYiF%F_ng<7Yp!cD)~#lqqU=Ppg|$~pQcN^tYQlhupLs(gdESbc~pDG?pjfQAhRM2EaEQ z=|81i$@{{<%+7u9yR%`-lUM4*^K` zu^{XNSCAw5Q`^fIEEfc;Amh%74c-Uvt3SujLhBwZDRs(MH~BB;E6X_=X(`{n<_-qI zPQ@IJgX0UFc>VArZ}CG;N&^`WYDg`!3<&Idcg%bV9QcESaTsb;Q8$<(Li zC(lL4bT)&Pg`kzOor~QMb7Uy$qzFwZRyGd!(Th-(VyOqMa$I-ZON`1e$scC*514}@pBH@ey7KB*6hkD)+4IDwL##mD+W&aH*DRZEsvYs zbdD!~*MmnGcyD#my#BKG7IilsX)P90+`X4F>sAnlWs-XS^ zz)SK>Y1Q5W;?q|E8wU`a(}GgDLnohxcsPqZz{TcK$W&;xnBQx&NK|Vv^)1YwcJ*YW z1I3utUA4%ZUM$wsGqmiRN!z*flvkIGgX$}ZJrYwl9ZTwsUtr|< zY6FoCmvhN4owF0Kp2|$zc`V?z@lM(0ZM4PMD(s85_7eb`!ra$KJ*LE_H(?om2mT7! z#{DUaz?-j4AuVhBCpkr1L9G}`iP<=crPm5*FGB0K! zvk1nw!kX2of773x16A8;1?}n$V-Yy}YA<7U1oT;kf5D7s*_Ea-y7gNUx8+oBwr0)= z09%?41NPcSzp3xCUGy-Z;{C@pY4s8_|aKv$dBrvz`n5N&us;WV}4 zA z1XTvwU3C3K0KJQxO&*m^dl%Y!_j9yrsd?8rEptyQ1~tf0nWP+m;HfVyqU;QG=bT5U zNB{)yMs<|;iG%-O=Ih350WcvaBdhT~?niB;BBUsn>qf=RAz3Xs%uf^Y2@jK$@dM&IE&PYi6Yo!eQ~duzru@MJGjf#5&qiz%*2Yw*U(BM;le((Zow zRa9Iohdf4$rF)|S#tEbFK=kp^IMVAw+t&&NVyh9z|L=DW+~Z!EYl37$@mQ31AaNSy zM-Id{pyY5Wg8PIqB(I0`9@rM2Ds5VD8{&o|O;&ZUS5?HlhO?wLm+rG6c37*SaBU9aTYHxPv>55miO3izPuuBCdvyGe( zIZ)G`A3HL_AZzU@E7cC|w~bhI`umVCp3w>8`TfL8f_Sa%3otPznmrx$G-Lc5%s+Nn zuFJ+JV!8&i(aG_m@;Vyb<2(>vvLCA}d`OAV6JCh5+KMg0*d81-tcoBN(PvoRmU#M^ zW+cbdiFSNL3|m9+Bl19m?XmaKkd90H69PA<_Zw8@P;Qx?O_~Cj(Epr}!I}t=Oai=s z&!(@YzC(zQMD?l1s*rvFzw)hU$uR)1A?;86Iv9m6@d+3rit|j7@C5*+aj8zfGh9 z8={8QD(p@KpFbcJf^JhPm4~I$|LL5;SD5ry=E9qx%pq7zYcYeinQ-U!qE{+tto>#W z9XUyD*|t@}H|5y>bJXelf3gbh^6mHJC@Q`Dbf$O?S`HJ^wEs=v<9zyX{B5uMk;4yY z(TUX88Dw$ss**{)y7d7^R7E0KlGf;A0YH7KiGhrHHjW)kzb>{tLT17iQTq+v=|(rY zf5xO>jJ(nBytSpqH@6-I+CO(d*&NU`Mh0B-0ckP)V9x~7LBfG_kXdD=g+SMvxA$~2 zdAy7zhGCT-ri`Yo!55_qX_i#{ZQ+VLJK@;`>6nm|A%&a#5gvB~={y@CLVqY=!-W!* zNkRlFHPPR-VI$BHoNx1v*GV`AU?YTPH)-hB>x(%{T&`=WwS2{Avq`!gt(rw;N1S#T z2|q|>{p^2r-xwVCeKTaCnww{K_hS_ZlcHRos_Q)~<*QtwqqWv_#og(S8+g)YlRwa7 zO(EQJ+YoOUpbKztTN>mY%op5TT&JwmgCl^-75d{DQ*$XW&Af)uTAMXLPu6Qp5h&R! zMC4YE=RHhUhm47~6K;G`4PX|%@tQCZpfxnmiMF~(epTyPuv@-Lb})@yOTXe5+F6&f z*Aqu<*mfOTdgYbNGtNGFJ}G{C?uLx{xtyDnTioolSvOgM>MW7f0^XVctT6s3WvW$O z15)U*iV^H!b2>zj^^*{LP1jsNN(uJ9w1<&q^$Y%q!lp4nWY$5~7aLcV(}9|IJe2M= zp|=!1FCO)46SLq4(Z?sBM4E2j%vFIjj!ZvaI~2_M<}<&VgCy?_M3w0?Jnc8iZ#W|D3uc(zo2&9Ru%f zIcR+6)!Ib<^>IIms5+liVCtTZz9{65%n9QuY-CZ%=GWZ^#*&F^Vush| z!Xo*DRJo{O2=^CYPJOE5$|s)-#Cv3H_V53iKi_uv>W;dy9>Qh>(q-UW_hNi!0#lPn z`DfaaAmqFK>v6j*fCqZnY|3u!iH+ZJxFsIFe=|U?DR(Yn-{Wr8aS=&%JF*w;?#AyQ zT>j<;*Xab?EAxG{{3_ew(95T^Etk})kowYb-2E(Fb-Ch#_I?!Nyc35fef*gxuw z06BJa_y^>yhP;ojsbf63&jWcumqhiQo&sj|tY&5|i%O}%jG!+uyd~Dyp>)@rN#ARn zH(jiAA~$P2cwFj%2So0H8#ia{Un6K2LOdR^uO( zn~$hOp@^mkN=Wq!A?&bYOiVV z%%a{N(Xoq4|Gk2;jA)PP^Ct!IoLH~rj>iqR58jp0r{jK|gR3&LQ`Oh&%>^>4#vOR*sitkgmYlNrNNcP-ehN z4U$xh$9f})=@w+h8Y)sTRAJR|8M%ET<1mH2-S3fjcDR`2Ioy)4a*_}P!0`J0ksRh0Ej&-?+bg%LY zZQks613N7xIlvP!M*i7#{r9=Wyv6RI3WnY?v8$_EXj1v{8>3f4!51Mk< zhKhSQ*y}sKeeX%Z^)UIu>kSYFQpgO0=*6fGEG^L(zQKb{azZ)#NJZuPVe_A0v+X3! zaSoHy-W84b6my)hQu@sz9>Ero&4zU!vKLw6XI@9Fsqo~=dopRX)xQ#o?1Y}g$m}7J zKS}suXcvm~>*Sr4#%%i*8kZkvB&K}_noCoy{d(oQJKt2TwhSbt`5yK0)|0mZPSW;d zuKYroz`!yYFCP*~3)#EEO_(AU5{@(yS9Y}m4|Kg}4q6^TC)b;PAx3y5&IB*73#)B; z?;0nT&7hxkunUu>_X(ta2lQds%KU(>`jZ3A}W3i`7Bw0LP zq^;uem5rdnRTyrJ&c7Z)wZ3jAFs!)R8;$2t;ToQ0i^wcer8l6x56z2y?T;P@%H&ph zSF{pL@sOjls!lIFkmGy)6TShh-Ch~%0pJG7SG?gRU5u<}OEaHP1W={+GE4ZI6d6+x zUN%jE#5b84!h@XlnoY>ROldX4QKAQLitiW8W6d_1o+er07{~YL=)1S=)okrw^4FL+ zy`4_~z8rO;>I3gp4v9--d1s~YiMC`uvGM$HN-o6#V}&9x+=qF{W8q?_p?G{B3^Eb z?V@EOws*AmpriqoUGhb_+C~Lk#Up7D-}6GjnyH6){E|_itZ@e2fUoW1{08sXBYv%B ztXW#-5QMRpbi&rI7_rlx?NGB@1u?(<=5pmE=?qYgA`^8nIr;O^RTIwKB2CR_yuv*6 zI5Wd88KD)qbUFtD`cYk~H=WMc)J%i^J~cgQ<;Hk1z4o*0@S?5RFQW#+i*-?pwdR_? zURf34^sUO@|Dj;vq5g!{SG!?R{sNi{Pc?(w$gNe!V~O7%@{1x3m~0G$la5G(J+|<>EiDf2!(`n7Hs(GM?_Lt-80_8+GOX1l;D%gTTjY@NRA&AYP5#W%sIcgWevM+sr}8BYaMWl-^Q_%8o&n+Dc^(9#$)E+-gWQwD zgHdrTh7&5GAxT|VUI=}T%<+WALdg4WxO5d^(UEbIUF`)h+07e$H)}TR`|`#N$kEDK z1PIBA55gkm<5rTw!Mpy#CidH1>5rLU##4p{$l~b%6+bZr_uXvA&mE#gmIUn<l-G&mo+|K)?(Ts?SZXOgkdCiw*2Jt+Q!+@BlM#pEg7W2 zCf-k9E*c+=njb2)X~{M()aVG+G4!gzos^!N0~L6#joTk#nHn57_Q(CT><@ctDu9Yn zlTI5g*`tn|8c<0=rp#q)IdKM$xJBFUgSTbo4# zL)^ZzjUd!w>GDrTWnvWkKHQ>SUwrZ;Lo~v5#F|fWRwb1lvBR+RC`Q2~`Z z0xFfpVc=PSha<cUorG@s6Q`hV3C8iU@+#z+fKQucC|wvF zwOJ?Qul-b%xW$4@CGFtQZmn|Dx$|k8YrBaZja4YcYZHp1$}3pzy$Lj{T?NVU@&@a4 z-icFqhPy(4_3i5~k=*;+wsX{5O&80-@M!;K&Ru(l$rjv0D0#+}Uu^W$4E8|8K^~68 zFQ+`s47OB#vG}sv4ykAiXV}t=0<_=0eqmeq746b6LHh*ri`>pbkA-i2fAktROR}ci zS`w}@M^US zQJx}5z^WV)4W(Pit_s3wRsOliw{A$q1CEAl)=$s8^}1~#sr zP3Ntgd76B6-<9}fFA#s*Gut3J@vAbq-8wmVY1tv9!b2D1wl!4j9{@*SidGB;@M5MD zVhv}lpBdr|?pl%SuByJ&;OCJL^%hGXQZakGxC2-|tyVA_E`}H)v5A*e5wfYjxNF89 z{T+SPjM#w{$Lv-`RN-6Pq^HDBjU>8k6!eaaOzYqE-a?s8rBLS0H%Wf6?se3|B1bnf z9WNn=_vP%Zjg>cA|V!nRV^Qy6|vw{!umkTvW;-X8H0hJ6)q)iJ5#?z+7(I@NxpS*>sv zr;bT|TAB^-5I(-XcvUiF@Y2fQsg>wa>|tx21-?Mxv9nYpi26q&qr&936TO`xy z-UMx)0j)IISYCMV^E!tn@N26~|Ko?rs9!#~1CERyt&OUUl9q7%kFi$ma&5j)Bc+3b zjXGyog?FS4ghd6BhO@+)UHyR5nlIi5p#%%f@3bL`8VkF5(6^OU~!jW6Uw1B{Ld$sqAoi9)lXRkkk zT^fv5<=mU-qJ7)Pw#a6_VgCGLs27)`FzdO}%&2rz3b{Csb*j$T&1Y#8z)>TGzTs2241cYpo(FBf~l{6RdEc;NP+53Ij${NuL=s;U%n!CKGn|FgS)x#Q0V z{PB(L6QEt35ry3Or@+bZe>|Cz>NGt)zu@4*f(QTR*~O>n`8A$1@@r5DY5modpOTVt ziCX?4+vz{X@jpD6U-h#T(C&df@KJ61yXh5v{-88f!Tihr<9+{lP~|mX*bi?8@tn?+ z{i|s(H8u4|*3~O|SN=H&h+AO4z$|Ndg| z6VUF8ry~WSJ&OC3l+VGaK@BKr0MeT^acOD_)SX^7gYE8c`eRJZiu4KC8Y|--eCsaZ zXz|DmZBbKkgFi?yl~kbj-*^Al|8WrqCMcxt;L&M*MtTl~*3y^HmGUGvV|sWSifjlI z06PWHK{8$NE~(Mcfe`pY84NW6m-ugZNz+h&w5b4BefZyN4mC3{hyLOQC&df|6i(Z6`;PK7yj11^MDYwKF90E{u_NUVg-c#jr~8urlO|*KgLe|N7%o; z+W#d^=|95$kFfv$Y{q*{De8vTD#IMq{`6kKb{AxQcb8PF{FS+WZ3i`1tCH}RQ>Qw$ zl?bVR(aj_DBT#7Lfaa5No=5lh@n1@fZu|p$h__NHtMs|7*mDKnVw5$Dyg0J{TXSCK zP&aD#>w4Rt2~Ihm2g$M-S=lI=Gq*^m^N%lf<2t{z~ zS>QR$7Tm*?{dJ7|NJPD?KABOhNonlB@Zvv#65yAI1;sZhmu!$bRcmTG0zeo4g4X^* zjQ_kyHUyAkX9?T?iJp3c0Z2;2p7i6|$&2Yw6oNE{Mb-uoYX_2U9^x1WY&2r{`l5Li zssoH?oc&Cc!83evZr^GgU7-`mSKMd^H10#kXy(!4xB*9@m<9?!rq?Q|{+=!!F#vlX zn0|Znzn?(3Hj1!NxHzd9FHb+c5j+E+ZPlAeZxoBMQW3@mu|8;walWux0(xUe&&fffb4 zoKf~R!^G!uIHQml^S4*&iRG%sHyX6M8s#sM9MvA_dtHZbe%uke9lJp6zv^qVHIs5F zoTuL<(4Y467Tg`HwBjDU+^@8k?oNlm9XMaPgg@%Q5>OmT2*MAjVHyHI?tN2hyk1#h ziCBUZHF0fYo9`Beo22FJRlzC_);wOm{G1@24#y{D2u#D$#Z3E=A9}#@5(%i8{bN&z zwsgQ5x_?=qeXgJpJzi~#?*G*QJxJ$GS4sKPhW$^bCV1{VCqRv563U?J)ITuy_ZwAz z2VjGe8HrQ;ck90fYJj}t#?9X)92)+PU93`30?f!yAC~{S@WX4?-$hHR0Dfi4&A;Oh z00s5$x+hn={%r^Wh<&)lkNhtFP^s{jsSOrA3-n5pcqQWR0sXf#02HA3UG9WY)#?1; z*57UGfyj#+hi;t6zZ?AY@4-L(&*1;xNj{H3b#7Gxi9N!!uo;+~D{0*AZnKjIJIEPl zYSGcsKC&Ao_(AQ=DuDXl!|3C}+T&~qHA3H$0YF@z1}Xm*s7E8fPZ$lqeDU9fjHDR= z4(9X5fW`!Q{T(v`itJE*Z1@~!`R~@wQ`i2eH1fN^&Q$te>ugmH`rpM$9>x9JI9)36 zH?QT>09-$|-haC@Q+}XVMxlr7e+SV1TU-DThy!Z=4LIs@<@4;{Z9Rg4UPbe+82-D# zSDyw34}=N-Gx&c(tl#C8{v-MSsQurD|8JY}&sXpt@BBKD)ek=2vXq6&y}fCE>1~ZE zH?23;M6Sl2qje1_$9oM4Q3eW-hfmf{N1H-gw~N)xSE>`eU;ALtb>f8dwbJeCo8~=e zpEnL(q2DnEvOb#bJ8Ns=J0l*l!+Fi6dqo^s zLS&f3lt7bg)lJ2>fyCgtmE6`8=k(L@Dz%);7Q}aY=e$V3o->&>q;Shv5oYzLEmB1S z7GkT0%fRe!o;W+R5Xr}uqI7EJuTJi97P0Cn5GH2L z2WG6RwHFo%);wo~_B__O&Qo+pL&|~*Y z;14qy5fy6qsPHlsUS{F9;vC+m&7I`^35bT)6-4DiZ0n(ph56wr2YI)7lXM-HVU+(B zqq(xL=r0zm^S^Rw8Li$$B#DJtkgc!JoFsOwzm9MSYt6UmXhC2wk|pvG!zX{nz*hwU z&ri~w?tb*op!i@HmAlwL=Hkm1up00iHjM3r(eZcu znu0)A!d#%ro!+-%TFvbP6*mgb3CNQsc;~|g6wB=&GAjp)@*Mp*dh>Aw;jOqq{B`n_ zt;G-XBAHw`Ep+N5hiI6_iLFNMqHv+L-Hq?2i{>X0t%)6Z6__?>mGfRR9vbPzqlF!r z=`5|7(?y$~{b~>UAg$3cD6nZQmqQpRgMN{2_f99{{6xC3#kOnI54J+u*7r68Z@(P8 z(BtW#qNGx~bXKE5g#=;=Zy>Lp>=IA5V#RSFme6Tszt`Fq%2*k0k)kwOCMNgHG5y9Z z-%rVS-i0k)Vn_?vIB{8^yX5#<)k1mWj5o?XRq(Xr%c|IiImjKf3zkEfBRWZ0j3rbp zW{z83B|t|lQ*b<$gR&Eo=-`CxE5I(h%>wCuAvP)rW$wnwX$KWSWC+QGSS$uX)xaml z{cx$dt?!*9!@C3r!sB=HeJ`B}`*JwaFik$#G(YtADkiya_YBWZfTKgpEb!qeyshRP zn*J>_(Mt0;Z4|q@)2soW&t_|Fcs@29$3aG?F-%)oRD^ z6IYofFu)ySD`QrW)2dG8Ez-9s>YP4eU-4n6`H}we8-&D|#8W@?MFw8V9t_=^sDbtW z@@ZUy&vH9)matMl+|Q^g8(s|Z-{JNS=S3PoC6|p1c_8-6Gq_-`pQD5yNdw^xs6f*f z!?6*(KM9MYDcB;vTFx!riE{<}-YntsydAAONKy97(Fr6Yo*TsV>;rdHy^15s+xgbB zbabn^^hMKY+Y!%bODRe!Q<2iMQ2Gj~le0Nm=L(>!PX)h>9?-lB!j}zT8Ec?+1REup zj@;8}MI_1KBf7F|DJsVK*zd*j(a&FE>}?DQr`ZZOUlWaJ*ju`w4Kg#kD|#yLjpYZ6 zHCi{oQI#7NK)Ls-F@uUVnHofDU%<*HiY0^ew7uWK(Cr?-I*rr%fguyX=!>j@hl&$M z=~^?U_1C7S1Fok*c3)0R{<3XeLApX~xA6M%%THyc+%Ink|H#z}L`Rpd^dE)1d5W3H1!;N~+~oAY7{c{3s*N3LpU^=$2FItay{ z<|>Inhp;F~p3^!u4}2NLWi#qz|M`X9jX~^q)FYm5hX%U)cyCM~jnZ)?DyW zL=J@#ca0JSHxIcdzD~pI=H{X%X~yp^PM$Aml9m}#D{H*f_N61Y<-4|s;V9R+`WZWr zhRR8Z?9mQXG)XL-J2j1|W|MjT5Y$oM_XY)vPrw(?beyN8B3(XOSo#OK59o-Gm0ZtwrL~7`l+t<8La$0VIF5$djdh^1xKa!nFPiNRjv@(sb(BvY~_K z7=_tkm|I#n2q1nC_%TDo?KV?qu|$TFkP4h$W)(`kW@+>m;M#1DOl2QbzW7cqlRvXr za%3oUmQuft-Q|2OW$k?M?rG&Xkq`Cn#FwB5I@h}{BgWsYm@89@~$x7-g81S`k+bN zV0F3<4+kBYJk$ zla_a~T&b57KHb{Xb7u%R-Wc#C^F=oNVZ&M|?bOiieUfKZc0F^(XDABada?UU z41j~y$EZ{DYeS`Ib!K2#ikmh<0o-7Q#bUM~MGk~wt&+b}UA&Vk{H_LSM}e;81fCGX z!I0ijcQbTy>U&}6JmbQ>ui)*yu{=oc*cpm0x z#Jt^%&wPVZF$AFCV`U0OAdVy5~yPCur(%bbU`E=Rc%aew&qMK0KxbML55uy(Y?7X}e9 z4~vg0Au)ZS(_|M}6JxfHi^LZeWXuXXRAlCb>gzz=sj{`hd-Zq&p!YJ_i8h;|(qHr9 zw^aCOhx_cHs%PGsaY+zf%5p&88s3_6^S_I_xpO)oBH&}x3BR}jG8@s0##L@NO&A<~ zFM@kWGK;$U>^vSs_jwAU#VXZbk=K5@k?pEAL^{f#6#_Ge83Qv#XIPP7j(hxkG)nG5 z7zlFZOaQ<7hZXQo#E75?=Y9E1M>L^s`{l9O!WJ7M>4h&jyEq)P7_cX-3FoWfUN=Vewzob=-OPOr_7ciI$q42?2q&xiu+njw$xqg&d<3A1}U z93Ml>#Y<8lPPfyP70y}1G`vv0i*uz|frb_s+M%UoZ+Lzmm3De%@p{GD!1Wq1Qt-^I zzs`g{p~>dG+t!*-qhQ5i+jsZsO?n0IO$LZ^Y2lV~cDjOX&ap?(zH9a3d{_lOjCak` zE8D@24h`0aQTMm!DsGticdH#kZ-bB{CBsg>uZvWb>A&cIzSkMGB<&_b8wRyc&+;k$ z_!?jV{pGlwqm_qc5*^CnEBV7lr%t^~OH<{gB;(hcUo>5!nliA6Tv-IlVjKI*n^{nH zu2?{^o)M&`kXy|@uWmHULJOXw>`QkA+bT)3@{&WfFV_*rgM?**V24< zk9SwQr&}{nybLl;NPiXZvr{{3JMmB*WwRsQbl&l;GYz!(9~NVixeFBR@=sJ1FqK?( z&jSC5dlw%QPw>c0O>J$#0mVJd-5K|Rt3ZjG$AQ}+per1rCJ)Sf=0h#5t*`m+v~k2I znfcxDMJF1>O-@c)Iys5@0{L0-<6x+g?_!ipoD9leA|*3Zo1L9KF7sqRw`(8}SFtpd z{Wt=eBnH;{eKI-eWX=y$e1)8J!3=y1a0N#l3-bidMo4J$JbJ|@IA2m`DXr99Vezp3GxfPd{J~sA-dPtb?!h^Q^}+g%&B#4?Bn;oyl@E?AiGsPb%HX({HleF z&FjyKyuPdV+}0=DQoD@j{3~@qd&6zgl5v`*1qn*t{*^9U$=4J-t)4%orr&RD_P_0g z*(LS{?@VP!ji+yr6vzlA^2pC@eB5kS*H5}IMy&88Wc5( z>Lcb+9~P5GNROEUjM-+Icjwfk%sdYQEvE?D?7eS5wHDM zzhn=n2iTN8q{;A;gg9R;K2oem$ew{r6k`tkr&Q}sRv0DCO$3 zRq?^8T`Vk+pPO!TiYpjDuCR#{z(-yapi__g35mX9lTjR-XD=p9U!?t6jEpUg={Cch z9Yk=crTSbarkTuQ4KVcRla}vSn1h}k2;te5kLcY=Ba0jbUWP`uAUPiJk--4J5^%!^ z%h6EE^Gr1!1_3!e0q9y+4xibU!G!4+-IMX89(~}YdGZlqt(9;j@@U0$YRG^rJq)@< z)~y>L{8~GF(jJONOW|H?DkdDTFkNNsAzdldf8$jl^h`z2Wp;IC${9RaRe>|~Zb=#O zhS&%HE6hMrWs@1}WV1%4mgBP;k`ThY0jm%6dW~>OCl4ZTr8c<~j2L_@9>@vtj!Jr! zTJEmJ3qN-%F(%ypCmuRUcw#K@IlZdAYB-w9=%Rlb9}sa~)KlIYse8WQ7H-F0t2gUv zlzt6VTkoG|l52ufN96R6KCb8**?;w5e}VFGdi-SSF_!}Sa7bFc^Nl>Y9&LH0XYf70 zI!>l1X7Y(YZY4ZU?~Ld`VszCSmRYMB`1*N!5Z60*`7rXJ>x#y_rRg=o1G(P=&~dt> zdc`j{3i#3MUi!*k<*2Crj6d@x@j<*_*~ND@(%CWR+o&qNtz*R3U5*qrRo^ zDN;ol#v}g`d5!1ME=nw;UJwEXsIi09x+ZpZEH{1%bbUWHNnEyd6D0>43XZ4O*Y7Jg zMLXE#!t%%Wqz+uhaJ2C{bq-GOqz2Y*gL3c}_b;)MeF@p|Au+>^2SbIi^^RAbh^0vC zz|@Pl9u8~r88tZz5S*_(Dcq~O)sd;KrIbLN-`twF+~~@V80uYXO~kkM;5)(x>TO>~ zHf3F);UYjsAADMHy~+B3hRaSN>f4%CA7O2#nUzjUQh!8N{2nf=Th_?cO$e`+m{QTB zBB})k)q$=hVF`-?Pfv1`pzS6g54C`Sx_yh`9aUG~$`QCia^%WxqRJC_aD9^K40pnw zp$aEa^Ttbs5wXWRZ?s93lmENw5t z#=|Z|!&P@pGA?H~4@R%cAUPDq^-#xG_i?(=-~&_XxE!6H@f!sDAEmL9>CgEHtIWab zQ@R3n^;wl}4?iQCN6NATm%kHXiv>g2*$QNR1A6O51@X|Br5(GY{Uf;c!zq4I=r|H` zMb6Jr@gnr_>3z-d?}BdWXKu|E@@R`E@O&tvUA#5+tMe3H{5;wxBz6&|8*2 zoSLg;?|Vim^}G*R?<@}tAo8DjFTB|46-=1Q;x=Hf z^H;l-48fN8i(M=}ymhbf>s1T7atA|s-bY#&5D!FRCN5~K4XE$NU@?(XwK{drh*w<%t`qwf`xyu9u2P6#(qtFg|a4_g{s)ag3T_Q@pJ zj?Ehr1mL?rd(YXbe@32Qr39={2lTdJJ^LL#pXHX`g<9bc(7=v&@`w`Zh1 zh+fJFtehGqKFTCA;%U){_lIw@D|EU>bkIl%?Z~Ti&V8mb#KZT}gnF(3MZA@>-c>z# zX9g^p7H$*Jc@=**Ko@Ij79T)J#<`Dky>Cb>7tfu&peh2RF_GzJUp5j1%u#0$IIO-%Q)-y0OW$mejpB%Tl`)>yH2Fbmy(mrU z)YzEM#&bIR8v{|)Z=5}pE~wWEp|64lIpRV>86kS6Y&@m1xd~luv;8o=RdA!@S>*5K%sj#AKeWv9$Evj}vh+%4TZ z-hV%n*S!C$+#Y4ciTCaq7&?h?vb*G+6h!?fE3svY=kvwm%lyE3&gjKDxS9>u`Sc=LB8iF*1= z`0q#(=f6gh$P7OKuLn9c-VnoAkG*F_;i_!*5BQ0NaZ)bo?t+^{^8Q=4*nY7r3mVwCbL_7+kUwh{$H1 zE6TdzlBcXrkAeL$9*Om`}#o5^K6*oTY{X^ClTuZWRDA)<$f+@6_dp~6VK zBs-8vFDFP*mu2trI%O^L$jmrHLC*6Js8b;gOO!&DDa4=2#ryXN=;|uVT&Cq0n`0R} ziG=ZvCNv*Wm*Y5zm${CDpE{HbV0s#wJi-W}{s zv8)u@uALc|^%#FKns>J%mqkx8{q+(et7{@lBR+(#;8fNg{-Dh*0p?Dk$ab>~NN$K3 zIi#wnw0RDk?MC6xda+zplSv}eR#=E>Yk*34zU2Gwn`NXvWL{YhcoLHE<6J=)Y?Bt0 zcO2`})$|<^l`_M6o|{2`z~H@C{J1#y(y#hw-_5_=r^03-~ar^ z=UF|!7wZnegp{R`MZq`;ZLKyz(Y|XH@IJu`iIq5=4(25FyIR;ujhM`yTZv>Art!ua zQD-<_clZvi%n{FEYcp%??a)~V>`^nTYMIIFtRMEs+ZW3F zEat^UfYq1f4GV{gzI;y*rJmg30!%}CFZg$O3PgrQXyW+&@b|)E)?_LMleQQXpVYwy+VoW7c@Y~#WIeZ}77jP~XriJzW#hX( zd6>PTg#NW27C7;=Hc1q(bT5KS<$)$VRl_ZyD~nB=DKF`#nITy2UB`E+#HM3{z>lBB z1%X`3O*438OOuhI>ovKA1DkPM3$%yla%HN#xPFIsTlA{TQ`RQY&*=w#Oa?IR00X~D z`}gjJmb~6qgGFC^a|{U%oY6lXyiLyPaSRln%S`w2%HEw;|9mI-P;F$0)k7%oIuDuU zCjKFdiisRg`%rApG#$23$;EPw*w_+48Y%Nv>3HtgJQ&=nB=f*9L~0P!RauddZ$sHR z3#^!b&R6d*8=v`b!@JQs*!Ys+@G5O+j#>TL1bK#zZm<*kP)@|2_9%mLv;YWhr5nxF z@#GbUPw}tCFY+9vpTcclT2+Cg`j6SiTHiNxA5>4|LqGrG)v#2Iqgk@_ET5S)7RIuM zg6W?q$)^$7p81vhghg^rP*h!^rgyAwc69R~kSq^>8p$x)(e}ukAxNU}sa)9DHM7a2 zX9sVn+_71sVBLN}9l&=B)IIYn7n6%gD><5S7-k!f3m%fHa&fPMSv;6#4xZe-{!9vV zbtGC*R%6XoQ`kS>^hl-Z?kDRjK%PieO?8067sNOWP@>sCm8ft0I2dc|X6^U&xV5-a z2e*;G^wJCN^HOnoHlaC;VSkw1#1!gY8b)0S4@-`l6zmD%kUX#Jx1Lc1zqOfpGs8kz z?m)E;zWs|;YO8L=CjR}fVBF5);tuwnn^1I|WGXEYrY`hBMX{vJct`VL3F!0wg`CGL z-Q(pG1HMaLlLfOwY}o^(P{^7as`b$+k=}%XXA{WfF27e+R@*zBSq|JJ-}MRGe6r7y zPZ2gH#d5i27o3*q=kM#WF&iG2?_qrAT4wQH*3NOz#qj>I5)@lkRVthBQ9u?(9a$5E zO8_f4#JK0C-4CeAy(U}JF=;47Q(rdQXP}g*&`?vD0oy7Qig^9L`4dgIw&?)MW@Uj! z|Fmj<2kVly85W`ZL_$R(F>+Ssc|A+t0#!?~MqCP)igZ6{+~51RDKd0!Ghy-H#GoFK z7ppf85EwY4fr;z=+TCtpj@&i>Vzgs`JTE8b_3S4r7*cjhf3+3OgQPw9!fsOkkMPjf zzc3|Df->8-XtkS)0V0mGo)F*roXk3Vi{|67nF3(5a;pY)man(?LzdcGRwyS(sOI=n z;6}7ds|{Zl`=ZAcO;dR;ucn(d_DmIe9Sy!By_tZ*O7&Zdv*AMCUimnoAAyaHg_FQX}f=Pq0a!ftc! zLYl`70i$h={>ovD3>S^qbc(8#eqbhfcl=;x#jhybI0>pa zWxbTpx)s6JLujqc%+3nh0XwnpU%N@F8aCLP^?eL@SR7*3*DxXL`bT6xkUib{1y$V0 ztY#n6yl+8Vw3%Amu?%nN%?_EL;>xs&LCKxPgBy|@HYYUA+NlX;vmKJ@h(aRD}L+R*h!W$N=EVqLt%onts3Vibxy1Ssz#}j)RYfVSr4}D2b`vx#< z#1Rag&xs|c5B_G)!|>K04vXg7>mQWVnjmX>L_QdcJ8l37yCOd>drIQsL1x}6zE&mj zp84gVfc*(w+2ee+sRw$uUV(o;-N-z_6fg;waQfQ<@-W{~bf1s?vN<2!W+649^}*(+ z(}&A2cd8O@xib|ve{U75Psh^z-YRDQ2Y3rEar6d~9=ebz42;G#`s_KSk}AlnGcLm~ zYpWHI@;4LO7pxh316F#>iBWbU&l^=@cI-nUHVb%ko;HA9Rc(IR3JAFG3*D{bw{$8}(%o!AN~Cks-QAno z@5#(HGhW_vJu`DZ?{U2EhwBq_AhXW3{vGT8ThCC)0uSVHLQKEdZu%nc6reJ45IzBN z$CH{o_%4n;Q<$aVHoJU%Lb-a8q0<8t2P>UB>))yf5#`p>L`W4na2SvDEhb!tUre0& z#)4yS1Ao*40xng-^K-ofx1ARgs_R^R*s4h#7~K$?6igMiPHmlXPE1b&XwOJH(t*KA zXX)^fY}QB!Czf+spL{^f93O!R;nNAP>sj_I!S?WhZ%c84Mdc@zep^X}0UI{yn5Jn- z==wdUC1u#L#CmC~<`+yHT~~eDk*<%{v#spZFo9bV4D8Uovrab5c*Lv41Tj_pxPHnA5YjG)`D~%QT>m&zc0BaZ-FWA$ zYqW}#kK-*eAp;;iL5%(EqFXT*0Hu|0S2YX6VBHCrJ&5K&S;7TN!f-EYavGQqDdlINcugVN){CZi!j-_yO@r=F=I!@FY zm+$;uhqA`0%{#I*uHpIA6wq!tak{p4+NdZ-v7kaR+Kmuhm)~1H61`hg>x`*3OX(Lo zT!E_C|6Uxdl27UK042y;=MKKru`YLd0P5mAvG-6j9Nr0nwBanP7f_O4I@<*?J`HQZ z-<**xo;)iFwco};i9_+2@Z|e07p`{Z$(*xwBmLm~+yztQW?A#nlc@DTu$uLH;0+cP z4aWfV^@9QaIU-?upoL&$xJD9Qlk&1&qh5n@XQ6ITDz-7`*=QdRo;QI)Vbhdf-wy#M z^$SJ43nn|;48dXDcUNNZD|-rB08Nb_EY>mgt zfMqYHEiW(co}Sh|+{`bgzkLq-5CE~HwP}KyJQfvAX9l31ZV{|v(yzBoyR&5D31O_D zrj)CzHBq+f#*;BE>6>D{$k6TqhZl{%$0+Hc zs31sib7A^maS2f}I&Vb^RZfWgrRwYgYDY}oc|twpeBGA-C!W$bo*&0#CCop;t>S9p z>(FU(K#U&_natv=dDTu4rIYn`xz-PGzFxRp;I&aVhplrRh`a3#2h)Ml!(m8eZeOK& z><(0_xC1Ye^b^<0#e~2^#tT6g|cXAs3WJX6Xf4SdE&dRM~5Hsk9W9y`xFF#|O)aMw^i7IwKx_vP&7FOSC-!C57blkloB4 z&-WY|{NSvMrnU-DMjF- zQk{NnnJ%_))TM%6*7mq1uU$Yzaore5TUgN5Ay0nBgR81!#bKjj@gC)%mN`SI*BD0e z%*$NOhiJ=_ohB!wckPWziI6MGbqhu>jFsn3ta$7(*1|>{3M7#$>Ls&2Z<+dz(|ZXQ5rLrRv7zMJzh{ob*xe>6|YWM8}g^Z z&@HrklDpp3JH*YdvuT<3$oXCTX}18~)(7q_KDMm>?{PUA6reA7#EmjiZvdJ3?m7CT zLxbwvjhRW{VvQks!Hu>31hpe%)G86qw}~J@K74srB_c%^d$*A*ImM0Y%lej;(hx%2UJOYzva_Jjhqh{DkrfZ|tV zlQzSU(dz(8?Y6T)I|qQHPA2lQ)-O-*f$u6_o=8%X$kJyo=^>d7tR9-qLm_Xv^MZZR z4?(T%A|unyccD!Ha>y*I0xf6lWeNm?p!?&rmlOk2ro0_5FV34*J%K;Er-i+}!m-YxFCA`$?k&p@TO z4*)@wU35NB$?0TV3}y7%PYF?)>VjKNWLTsMM#W~xNfRJKeaJH2c_r6Wyr}m$rXBM` zOv08C{7ylPg{k-vPb3O@=lpP7&hZmYH?*sp<)gqB4Sp>hDRfq zYZy{h0JmX(qpE!~l*qTch0?S;>28l0p(gV3Cdx?GB47)Lj*^n!6Bah^?+(_Q1-n_Z zhl;w>V}ih06=u7FAnYldD{V9W)F5B&g?)zL{t8xxL@#FSQdpux;Pr}nnAAZmrE@%; zxh08Ua$6TFVQV}PUiGVfSkd!XhJHNnIy!uD6GmPd+4<|e2k~cNGmg}>pn^I2NhO>Z zZ#y9Df(C2*^WobOyNxT~|gyC!Ku#6_N3t`<;F@Glar|3Cz2vkd`&-bKgU~bBdB0e}9doumaXl8muNOX(ovgfb?0Wgd4y3KP-vxo}Ln5rTX0;&!B#1$6UArqH z3obBEsRo!At#d}pjM?0Jckt!T`MXLNoQmR=icaJ(9w7JxRbqlhFJqf;} z9Py9SN7}QMtJ=FRSzbN{t<%Dg#U%r*rZ>kz=G7u2 zcYer!q%1-(dIasfV4(nabfIJ^;V>Siv&rs2OHJdwIvyXqu>R2N5_-6P-+z#lMEFJr z($!SnJvjZ4!tBOy&BO7*k;UW-oN`50(QH;GMY7mW3HeYygziCiMyZXiP2SY-Y2G-w z!k5lK;eG+pulDrAXp0`%Gvn#vcZa}>I&i*x5;rgHUqc5ULC=ytx_3lFNWhHD;63&5 z3eYDH9@35MzDj1`6>H!bXC4HP??A8kqo2Qp{^{&JDIYhgCg&ANbH>#C5R*P~N*y;) zksZsPNrRAq{0h_%yyNTFeIC1w&YpQF-v}9kRP#~ZHtXZFDV<@YTkq+FP zMJZO#U2}f;6m6sHgUu9vmDLns)v{z>fxzyHzwJ%!k)4Mhi+<;cU|Ut}klN04-8~GV z{(z%59O~+OXo7RGVY8(iYxU>T4hfB9t)~{w{uaEa11p$Cl@z*Q;_USFFvlw4?YgEL zw2=p6<3Pk(P;8|?6~{-J?=~vHy2i--)pJc3WKO9SH`QsN)t$v53xJNu=`E~;=ei&h0Q_)g?A-fLXYQ9Wmq^1RjmJ%V zjiR&omnhYR`}fZewYQH_(Y1;p8nAMEp|Ph9Iv9%09hoem7obdq@0Szmgsu!tK z1I#G~en7XDm()WhfM(#auNT<50&~ol2_W;G@HEg1fPn@-GH?!^nfdG9;u7do=W6l# z=FSWv3v#e0g={JO0kfI+vu*c@0%HHTxN;nvqSOl%<2EOe%k-t`sO@vwGLFAKg`ZJ6x>cI7Lwfmt8rZU+rd@Z zy8n*D{&yDm7xDS;AoTyu6u8HeM_#{S0sQTWaNpb4voG9X5w`93)L&ld0QV5@^|bHY zCQLiG3De6*Q*pgSD?>Zb@%TQ>6{6%cBA;olkBEPGm~|Jx=a7S*J^st#_q(s%;SSAP zI?dSaNw`vw=}h4}0PIkeDv@Ni$*id(Hux@AtfL?72p2UlVSql_yN04>=uy#{_9^M0vuP0O(8~x z_;zZ*+4J-wL=3Mm@AD;_Yz>k0j2Rz6%>>dLha7%q9oS;8J3C?l?vLH0IaC3*y03_` z_OER9=^Y1cID0~)6!~(or7L@x4~6}!N5c*xz)V&jt=u0I+PJTZZynD!NW^da`4j5i z{*#+h#tM8_z1MZ)11t*N9uOcBIDCEmrts|uk?y7Zj0C?k&A0C^;3pDKsMUYi_#XoJ z2O~@P5t4yx4Zu}eH6%LIC!HE4c09dfrtqB`T%N`~5D%}UKGR}m&#K$eddT*Bxji8D z7Y|>e`e9jzqFZ_tlJfs0Juq(NgV;6&g?J4%B(`A5pWLrF4BcikX6!TF3Vvr+cO?sF zuiGZ{`!V1V!hqR%YYAzRzi{2_M7LTww|{dMix5%{w-lRg)@)lREZX}vtlUhKza46+ zQ@RMSH6Cuc;l1k*i;>^~bP9~-`r$l(My3Ha1mH32n=l=4lR2C{32h3FOyAp(aaIKAeMm#XnNQ~>AwQ_yrv$&gYVMFup@kzf`VnbRVKEy z$W@rZTvNl>tFBwcqQwBmAHz=fhqh%X-7YL6E%hHnpft3^rc-yyoF9Dab^o@ZDx5wpB%Z>8z&SW?6UF%7bOb*Ffzn4#|K7 zMgFfPX!iOe&P!yf9N(5ogotvuWxzg?5apPy7`3!RxWKIW4Odl`sc_4;rT5>Jz*iC( z01;uNBmez3fBqlGequd{k*MBBeiqnbtSDqe@x#I0fRLJb>8RO3tsnyMU5W4h1&#HK zAcftgG%sZYeo%+s#O6nJ03vEYxAq{{AA{kRxgOSxt#?8$95hoDnWzCAj`EeO3O)dm zLkEyh)qUzeBowGw-FC0&euXgo!{Yq$7r%-wFntMZTU6*gIm>5}YoCu&TU)!&rU#YG z^vKNk^AVFg5ict&Cabp?;O#iO;ve!ZMgx3+R4MxXAEf$I!dyJNwVITWa(BD0OI*Y? zfB|AztIj%Ny3V>6W8JS9auhCQdlQ)uqnHU!^i z@GwO#B!n%ZeVFOB(@agy#cqdYjOnk`)8j<;@S2qKT%#Y*L6~K$%WqnayWQ6$)4Tvg z*T$4aEW^%s@ls{U-O2RZt*JU+X!+8-#Kq2sA<~zvF<@uMZ`@mD4By^v7MJ}BS)=aC z4W8$B-!3M4=dS4fg~v!lp;)3i!9L80`@t0Y2(Xi!CV4h%rMbpe`QIddB~68L^IDGD zrT`BB-LvmCsCAO}i*YL{MJS3P-P(8!+)qgnJGeGm3ZG7tG6ytQwDF)V3vSWF)~*ri zQDWyMveFaB`Hi{x)+v^oHJ(76RQ^IjerE0%{jJf7xQU7QfDoXLA<$Qq^X&QBu)4^4 z4Iel`k6)fAJ^jv4mhun2{zrBWG&DDljJ%8{r>88@O6iXqHly*@V7H5Ns$5~#u}fNI z(TeX~%V~#d_G}2S{lhIM5fQsw0MFQv`=q3aU|{!Uw~H-}j^#{+T;7dH1}OlWuLGTa z170vNHv7?Y|9tX4)1TM6dh>~R7rHg|35bT|54EC+7Qh@DQu;grw9mc1Lri*}6077qgTzu>oYf-;iT226lE{-gu*y<`Zny=`>IgH+ZPdQj15vKe5+z_^Qq$?Qn`z zBVEz(f5SJ=lhI(j$Sq`Ob`GO;58HTBaV4vF%4pSENW5Y)C|y+7uJNDBFOQnu{K+_| z7)`9m@m#Y7-0lcn2}|lfj26|cVoffpV39Ta9q{Du&{WK)xdRQe;h=+*2?b!)K1&hE zj33M*nojrtoRZ!jtZt$6zagt-N^^6vO_K&EoNHF|-0^W`)!O*Vnnf1K%DvEY$PtoX z<6SlTPi1xt9rJsCzdBID#h=ztrlvP0LJ6L^LeBXYU`2BXHUphYjU6_%7%$ z4?bptW)iTiH484CxPQ(DG#~=zCEcFtx(WN-9b6w*0TKD9YF8ntH-EU&!$JzrpT2T} zgkNl$e#QTL;P$85|1-gHseq6OQ4|L4AHV0*pvjYjPGM~_H+pFN2Tb7Kv4lW*glJ*_ zZrKDeAbH078uRooVAg(KGXu}p7kKzCpANVaZhy!Xma+8LDc4VHlt2-Zfs*yQ%Mp_< z_TN1Fzo=0lbsHPM4I5WsIeqXyDfEB%%|Id$eG8WBF8|d71pmGvF{wL%?}T)9kZYtr z{%4_1Miv61v`6JJCiWk--@g;g_=xr20`Mh%d5QbaoKPVVP#bVFH2oWH;0FyK-~6&&Um>9W zn>RQ?8fsqhJ`eClyS>QUNIQ0x(X6Vjb5G>>BM!QRZjlyzm+(Z_y`Z0U>_7Xw2^U{5 z>=KLv;8T2G^qo5hcYb%)uqM2q?zN)c%68St_Ris}cJVCUbEyh10EVJfmaXxw*LfS| zdrH`OXNbT1+~q8h$khVQnZlEC4SWCx?_D|RPvZQaKTb6uiU6HoYH4{w1Hjvjvc++c zL*4A{?d^1N?a>e-FSkW~7XLv$WI^!UPZ4~*W5c$4+H690qWv4vS>XOtoW@Uo`J1>6Dy-r*iY8xtG2ETR5v z+e6W1t#S`j9pvd)vlz@Iz}RWic%tTVeKOt_0&qoC2-eo#aDB)PCPNVwnoxp%xc{H_ z6ovqTU5vK@Nz{Fjn}Y~8FU5f{mQJL>EX+_eWrtFB81qh!CT@rUp9wr#1n< zFYGw|M&)@lt;bV=HGEpD(BbW7c%Eei{$TYOc)Uv9yY3@quDA8>a4@j`2E*sVnV3pwE^8jm!`(+QOo9c)&roK)Q!$ zjVPw~v8Eir-*stU%j2bAL~ZYKb}H7`<22E<4W}PA@UTlq!~OA$x$mC*wYNS!3gsF| zlBFByXAR6CY^-xa$HR%=UHOuF34_1=*rNMIX7uE5tNmX`d4rIth};)1vNw|-uD3c& zfKT3++^yFY>U)upAc}_~_{isM5n{UstK^-Ajkh<9fhc~(l~iDqxNazNm#rRMs>7I+ z7i4|c-HGiloL&n)ked@AT!n2`k%*$czQWy+<|m?n`T@gFFm2DOe*qM#*_6D8^BqI0 zVXf*IRdQDYW=AgDu$;%B%a{8v`Rw%6`{Q(4fTP>^a(cVdH$Xd*Kaxs`_L;MiB16A` zY8bb#3mYNkDhQrz`*UE<`zGFpZZ5z*Vq&lT$=C&{;--7LS}qoC+7#2Ud{QT7RNz_T zYXksE2pazHKcW$gw z^1fc#ujk?QAQ;4w}(%xp*~Ew{@DtUkJA6lWX9iKq)Rt|HM$`pd@_y z?(B>IE3{6Si^T*iOO-&4me}nzb;@~LA8b+Yw`l) z0QgANts6FJ*c-V;l$Yn7Jck3}&oV5K>0t|(`iuTO3pO`vVlGRjq(lxWsCd6LXEHdE zZo!oT;%~-bcYxc*Q?2s>UYVSa>4<(dEb6yV!e2JcwM>wyFvN7-4Y!h-M?)5Fe90GP zE93T?gCd25D#jY?*gVHa49^CO7&?E25UpMvBk5qH)j!wS;x}|Z`xiha&Y1AVgaeu5 z)iwEHkAGclg|ApOMh&ZzJJvVYDv#1}5{`nRI^dd}9M{;6Qb_ z`;*GG%1}pecF!V9ozYw_(n7jP2Yb?o$~Qp{w*h2N{!#+m z*D~|HfROHa&pFDIxApzZ3fL_xzyda(zuxYgcSwP8*ivHNd<9Rd%;8sDIB)x~P6}+5 z_>Q(BFSLvqAGegN5MllPH3p{82)Vw1{#~AEE97tH7;jA5Sf zI)6R&-xI;F!k$%PV53=>&dSs`6}0uijj6t zW%x<*IL*)s=xzI9{j--o>Z&QwCCaPhiq|o5W1sJF5VF7zPT#GLtW?E+R-?f}FWbI6 zXk6R;B?CbkPky%mN_5tpj__k>Dv=>Pai^z}!g_$AhqM^n zyq50ye(*lck|qjb3Crs5kJJewDczYVUwzQNC-c$h2=9sG5374b_sS^--SaaNWT13+zKm zZu~LsurXd|!yBW`kSl#8VqZS$<|6~L7UMxvJ_I>2kv7tV{7y7>1ZAYYyNkPt$~b1? z2N;r6m`K)IbK%}8*fiqrq!WF}9@wUY;XTJin2hVnwbA*IF;qkRXNSI}1fL479>QVb zP;_Y_DnTUh|292)CaaAF{)%RgJGdz&AvR0jr#WPc7F%r+2*Qq?csMl(wZ5lZtbzNE zkRZ~Jsx;KraqIzq`K#!ncMXW@X&ke@si;!}ZWZJ5SDpNM#O`5OW^Ht;Yp;QC1wKF! zV(Y+_Bjo;i`%zpA+agw)X0&s>b;ZTqs5YsAsi_bQ)*84>$*@-bHAycW8Sk++oK;+m z8U=@pr4ptxO@^#CCpyX(VVFW&+MH=-)e3k0?#hXU!v`|I#S7#_i1#=mwPW>d=R^pF z0~Tig`A2i&dpLr~{tCh{dCvr&??}u0ERSRs&Cih~qs8SbzU-`v4<3L-a0A00yj_8q?0A@@?cC@Btq>;4qp`zoHYvqXVpogKHZEK5E-R zGeG%OXGf6>47n!tI9`zQ@`wR{2;C|IV-saPTg@vK-2{@4KokL@M?k)vzWW zR2WJ)rf`q8oLJSnKmv9IaTGuraT2pvgCGBVhF=fHA?}0T#o>1tivJbKh@OfRYjQBE-J2Mnz56tK4sCQyIKefcP9(%)MACJ-u$B!MWovzy}*LK#; zU)2zK<}~E7K7V!*=wPIs^8PdX3cUFzRYxs0GL1(RYz1yvPi?<^-k6lHJB?cl+K2fze(va0zvbqzaGZxTh>XDd>+$ z-b_nM3O^3vjO3x-?#mjdYADIY7C|pNjaA)j`z(*@bMn#2vA5=P( zrVOWy)=>g04x!KuJxJ`x`*624`obf4RLppcKc!AdM?j!H1FJWWsAk$JHO)-iMDz6y z(Iv;&xb3VB+v()=f<5~FN4sg!fP^weO7t@d^Wmb*k$BGEzf|MRRdA-RXhM9_+dqLLLT3gv7Q%k28YeTE|KY<3A5iuERH@G@O z$9lUTY*Bz+l~f+=@(|h!BcoUHFR)j}sPHn>Oi63aMPgy?F_7Ztn%}?2cDWBJ)`dSx z0Pg&sNMF0L_-)TLp5m9L3L#Ta5Y7t9Pm#J;)z2BEB;9JOoOvLiC>WQ*Kekf3U}5;3gajOMk%Jv|oOdw1!` zm~utU4Ye+^qWbPVX%9RheR#_Bf_F2Quh4VG4ZZV4SwOJ`co;y~dOZG2N1rhAArij) z^yrOH`K5Zj-Fl|@6IG$h?Q%QM-IE%Z<@P6g1=RRDI82`JTQ76bx`x+rtqCYw!{SqE zlYFiYT0GB(=PD*?^^a?M?7a9a0#(u%=H0=PJyU!0IGv(z#G^kr;Ia1C62^deDTvZ+ z!iEONP_B;G_FA%7pgNBdY%TDzb**+zPE>|2a~1dUrERu8@gdW&uiqM!42#EV3IEf! z-M3Hup_kOn?Ay0g2)+^C4sT`Ul_hAU3?By-Ym^~i)x`% z`WY?pk?=$ExbVuSDj0q~9^Zmit+;bFRf69;ePs9kY$bVLhKMNhwL!M10^z`>vbdv0 zMs5h74ZLQMkQKpxq?^E51~gW3gjM4a?F>p!d1hG=S@`{!r_>|I4NdqPD&PFtU&yt* zN6byn|5A;dX9=PtQ@_J_?*Tjn>O~;axt1xJTPX0jXf~=l?X*ETA}LHY*R@i<5UsJY z_u-Qb^7fLs*DCllOOvM(@66mQQC6y%(FThUM$5`D)-HQF5DLz z^-#7Vp6}9qYJI7dltVk1naD?uDLaT26c2^eZA;`tP51?0RNJux$0J2N^NoAp?p;TA z1Z#x5--cLfdy?TQizTxb%XArPC@;*o%i^3!A6sw`%4)I>sT6GOcFXk`(4G z386~);F|{F`$`ZvN01A?Pc7d0VD34lVY=`>**ZfUV`GTx6H!o6!1I8QglnI;-?RzN z#07N6^hx`^QKSf_9DQ&+uaKe}n;$Z-$Bg%!3?6Fn+I81@T6b_=6^6n^{-wPJH?bjo z*QWXVBWFYKr^A)xxt3{Cwy5ma8tS1_l-@M!*UN`)mQ9zF87|&m=T2L^+OcNKLP{>X zVu-unq)<{|r|_e(!$ZHD$rhpinJ0#$0nEsvq!|6p$ikfS;`y9VI9i`5jH%{W(D18A z(UOh925jn%Ha|iBUag3ds-hf!PD6X{4Tb9_dz$xa?#U?sto+^9tl5grxyewNO`EP! z?~Qj26WbLjoha<;jke>csx|Vg`<`$LFnID{90=&-#3cK-EP}2yNy-LC_A=!^%R4QL zKB8WHCn>h;T8({b5gaRV_v6!HM%#=cx#u4oPH=@ab108y= zmusk=J$(8lZK1whF;YU~7X#ZD=BBRf2QZo;zFO4%cqCA$_Fxu#IR2Q53Wg_z! zI?@^A;{%ezApjq9~LqikH|`bp3?IwAU?JYb11(qk_Z;+LG)J+vHG>(z%h@(&Flr z5I~vSV3*E>vZK5D6l$o3^G8UAf3{NMj(SMmg}bk|#KCp}7hD|%{T8&IJcgJxTvp11 zgrB9 zQvo2)4Yy`r@tpjq8!z(cPNK^gE!6D^$V{MiA?YbsCc7|OXld*F$tsh(X4NmdM3g;! zzd2vLc-#_HdFt??iIG4rl+DGBVRMgL-$o7rqWzgpC9K_x1JS|ybYr|KiwqLg=ls65 zmw{t{=3q!Bl;t6g#5*$kjM7Yer+jfjWq0C?Q&RiuQFIy#zZrve3lJ!%?-b?k)SZ=O zPf%-y4Jo6yZb)?UQh6LEV>k`|TQP53XF(i?#hpeQ*{z%z31#+7xV1F*BCas#Gw+eM z0z}asyxipYFay|}9hpPEn&U*Zd3V+kDJKH@1F8tpAX)WrF=I}4YrrPTs-#8mogj$Rc@5hT zkh`j0d3s_hTuPq5CeO{+Vz)CF{9&&T!Fm#Nt%q}Cw~}+|XtfN$KFS<5CY)3hiQssQ zUzSh6sZv%#K3qCpdrw0bPGHLfAL=3qL_^^_<(==az9HfW`Q)UzeM{ZDx!mhCj1VR) z!vvySI|TcFR%*(%_X;9aRm>;vtKz^*S@zV_65^XQ20cpDRSAI>N;(G{MXySBZ_xHBzY-`zzMOj-3P za`?o~QJ1jN8v!kRj_XJF-~}~<3e1MzU@AI(yqfO$R0b++KG{1qxIt>v^C$V(Bq056 z3?p!W#N6$Pz(-w<7Gsu>U-JvdxM}NLO zbkL=qG`sYLExbu54rvyj?BWyt{Z)=feWwfRN*tZ)W22w49!9sJ81oJ2geD!A;+-T* z9@^XR79Kqv9KX@y-ey?UYmxNcj6^^t)!e8;ua$CDox)f%^vpwavCht9&DBbg35Yws z6F^iI!+Rt7k=KhTiQ?OnrnfGXGSXXT0|_EZ9N9QLmsnXtgl3DCr=!6;F8*FQGx)tS z_$8t~_h#WK#xQ)9??MonGkZ?X z*FkGIQKC<^TiO{?B8W>34;=}3^>|bBY6P@Kx_?}?l5jQCW48cFUs!6pEIEO#)OYu$ z(JmbrOp$hR*anHVDel!E$p*q;>^6 zJI~R(oblij4T5|cxaAP+Wo0q!--IdDCnYCG#l#T2Mtv5D-X)&s5c$dqw@_|)NP~u%YSVh-2QrHOD)mTX34!3nx7%+UnBvltDY#u#n0gLc z;a|>0J!0fptVtk z?n2e@XFo0Rcen*dZdob0w^>A0tB>-%?ke!emDtQN|JM_+0>npx3>`iP&|Cn_)y) zz51kOK`<^iWc=+x1&+58M?%b1nZdn;slZ{M1 zlMCv-$oag0%V^UZSXPzdNktWjwzvzsIq*K{u&|lmF7KDz#j1S{%kIEO5?Q~3bJsjY z)32Fy;x4n)Xm$S7B{3rYlC@KVO7AB5!!mokQZNR2J;{qBZMrdQ3(khJ+n~^$ti%+Z zp59xAfrO&?X+S>CBaQZiVpl6sh~KLErc!kl3U@Jz(PZ|$jPr11J`=geF5~+lckaCA zB_GW&&s4%LyYr&fMTD$+?b`~Oh2%|_(B1=MK@!n|0MClE;*KXP5=3~S2#2=Qpbx$l zV5cgrCt*IJc1uCN+Xu9mKu~mZKDv^?zQ%7u_iWie{34=ATFiH6Gyr zZwldR^IRUi@xde32I50k+e#vfod-bndJZ1w^D5(tL}sXZKw-i{eTrZ)at8f-kiuM{6*BN>Hx6huXy zQ2z2m9146DjUY0)yWU3k!)HG|8Vq_S=x`)zx5pus*~-bNh&)Y-L#A}~!BYH3jES*| zjFV3IJ{C9DPFJ z-lNN%sEaYx~fp-)bt<;1BR@R#N5 zIvP$j?&|I_$kt93k_r z(w@2-zA5JLsZwW|yY6nTo1&9y0kBo%O^P;z#>krw5rcXoE#!#l{&ua5d>Vo#zX!O%jR zx^&U2dGU&Eo|_g~ce}O^r2B;-;1vaeZ{7z*QV#`eNjMQ!=fpSXR(Gd`9hkbg>SDi| zH}Y1K$oC7pwMMn;$(UR8Kd#0)6Bcj~?|o1=v|D!Yr7|_HC;TGZ?QR0Lcijr~W((ps zbW9d9$B8@v)n~Cs{<;{>;!o^uI`2ezwC4%pC_N7+f`=$M+{^abVFm}cS?dOPs`{U& z2e7s<^M2&Li|`oFr~A!;=PcN4POXyEA{(?DZ-z!@{WaG+Z6}PewNG5ppdy~>O2d@A zs7q_vOZ{R|Wct$2=DggiDt%V|pg~IdvG)!fnq#^X2 zG4c74PbUm(U^kaocArpzI8YVAJ}~*avEn$jw=&8_IEC0uFn@08 z#5z3S)KW(^qS(n4_as(k1R~fO>R(hBL>BpDyJQRoWoC5emz4WG?;*EUVo(ssA%#|d z=b#@K<{ujwT2;EE&GqnHgcWd+He<1S?)ucz{1n;|Z?)_rg#{2FJ>nX8jfm0>R8a0f zsvicDX)Gs}%Wo%gDjS4IJv-`1RkZ7O#+4pC)0CcIuUvY>;EH5UKNmq#byru7dFGfv ze~UFbqpzkEt_n{C`O_t~|J~QgO1}1Gd7;Z94xSVKV<29=6-n}q(B}&|bf0ajo$M?x ziy9>mcC)us&B``sV*~ih+Tb+ka&?|K<;m-Lb#-ZSZg-uynpbT1V{dQgO0Ys2_J%8~ zvHfF$vm};Z*|>D1`)rHt^plt9C|uXoV^xN%@NBk;P4IqLev0b)xETA;Xtv4@yKF58 z{XHGl%rZQCulna*tr;6f^sFc4H+GbU(gfUj1#n>!eSLKHRqom&glY^GUgM!(xG@Ii zlSP3LxwuY8`l7IN2s$eCGLi3IWNbn1(Ok`@B+>o0Rn3|Fa zbYezxQ*<3E)Po`YM1mHqqOIlap8QNR)WTs-Oti0eY__3t^KLkf6Kv+nhF^OYoYCTM(n1VJ0{ZSit`NaZ3JO zc^$nCNw?qgv~4)14Vl@H@^1Ii8#eW-``AVnqjpuFI$-YYD#aOX33shdZP|1{E)o(a z-VJD7H3oNi<~{_o#W;aH-0%YwZ^+mD(Ar^7-YtS&GX{u>-AsvmuUkZ^UNi7%pmc8V zO~Ei8y+&e_t3|+ZZ=@1EoJ6g8Gp#-yBue96yI5C0vyd}K&DJ4e^0<9{?ml`~dZhXa z)0J*4Z*`ROGMtS@Hc}@if*c-K>t?Z#gJAl@0{Rs(@5m^Ej%SLYR~ z0nx07(}Qf*SxXt5?`{UDV>53Wy+J+DsnO?`E%q|iccm0qJD&;6RL#Y_OH5uLl}}!v zMR3UYu=Gm)otbkHh@$0iONb)*QP#!L8ZXCzmdao_v*jH4en3cB$-eXFVMW1%D;zeg zK2mXn!-cj0yHQnjD0zDVhTvYq(LPYiS{RZ=c3a2igojjzWFZ>JeBg3%D|Um&}52lk~f(bg=Fb34)wp(%vS5qvfs7F{5%?9 zE~t?CI#fiG+}g{8uC8N3NeHs~U`#qXznC>HW(h?I9`bUojuK0}^c@lrYZd+AN8!53 zE(@iqPKzj7srG)H47qxR(W{RHjO6Y~FUo5OAzGVC4#s+n>orWA-Ox>rmjQ6;Da&&QY+%dLz7E}?T3mT`|6r(9Ewyv<1~r zh{=OpOHnE*O)|awkl{m~W30d+ey!d);v_`*9iJ%*DzY*gbhIfi-y^tSVB@83J{e`%c%}DblMd*~WFaCx%RZ<|YzSF< z)DR*Y#QSkw)@t_JGOGLNW60PC{vqxxHAM(tagwRA+n2-Rv*~R&aCnDycU{}eyu*p0 zt6K$zkZ@g!@N3sfLW}VM_+(*;3|=gav9g|lNiFzfI})GrM(jMEScPau>4&Fc79Zga z!D-m{ZeW1%+HCZ_!<{M85OJ{|n=L8$B<(p^A?>-pt56hBVYew73`V*#Z>GUzTP#{V zcy;7a;3`Jw*(b2Y%!>|Pj3TNBc>~SS^WNP#F&fILvNq6Odp-sA3_mLp(t0FFWX5D! zl%ye-A}9Uf3nNTjcU4}>w}y|&jSf85BNx+%dcp#F2nRKH(T6n^_-rPWE)}qX>DRGG zUmxDYEcarB+Ap?ct%?gfJS@+AzdF#Iu(56VmWESw{|uwW_j{VUOq7>w1~V$TQ6V9P z(TOVG;a&}1q;!^rH#k-u87H|5zYZ8_PaolP3DczSEHS*o7A+FtA7>eYL6nAY$S$f2&VOKBJlWP@NV1e z({ z48Qs(8tm09VOvhoKY()^?n~f61l}~~Sm6?R4Db3JKawR-fN+*%l%fo1La)_JY}QN4 zZT>%W{bO|BTk}5-H)_<_wr$(C&Bjg|+qP}nXd2sgW81zzIp_OZ|NFtYo}?=)YxS)? zd(X@Z0}{EEge8-ht&9tLI4ipFeMU5?J=%0CPryVJQy@blXirA$tWPE~N;NUOkdUYu zR5`M?x;Kg~N4c$9wST15;8ZE3aWdeW71om$XR?V=V0SP?#s+-%VsZt4`t%SXRGJzB zuSz8paIg^)4WsM-X=OW3%qZ}Q8RL!K`xeK;M2Tq`pc$0jVP2NW#{RU?qoEm1T5S;F z<;)iKYEYbIQ#r4qAiY>BZxgRP{F9xb;@BN5$b9>mEp`*vFfKjColI`pZcsz^kjm*c@Bs>?W=bwTIz4E_6Mp@#BySa+}hx4xcz6AI`yU73f? zY&Nq)b(Ubpp++C;giG^Cln*ATwj|g_@(I*jlC_v z_J7(G9_Z`o^y;9^^~uqaI+B(TpRyHMw_4!=*d%1MMoE+Y1RH zgvGYpXWg&RR_@o~a{E@$@fNE|Gyo_j=GYMfq&yaOH5$IS|g;!xT z?(gGRt}nlQ8>H{%WuvNhv%+rX4yq z*`&YOL4=248YP_{fsl;(y+oOir{>;@A9#?x7GH~dyY{7w1dj$|vYRpS5(pbZ19vQg zq{}Tmc~yiO5@x`fYeS^G3}4ex3BA*9w3hpP8}z(_dLb%?uuzUS+u`@OXDcONs#FM{ zs!(DpPKIu_Ed1WEF_$6w16n&;Oz6C~o?l}rs{y3@3{M>APB z!+VE9IgMjE<(c)U`jPr1|K#!3;HGRTZ6|i-6(4qH@-FkuT1_@|8w&(i+QrYRa(yAH zlS53%(T{LN9?S!hSKH(I_BP^Jx`#YJ021`H6%qT(C#z#tDQ7h*=k0V~^4r~J<{}6m>=Tur!wHdq{+w-fvch!VpIsV`6y*oBw1`>QF6Kx+)BNskZL13@k(4f@wS9@gY;NEP+WGN z@rn%y_GdcrxkjMto7px$&YYyRrTh0txc+L|^9;yiyOCwPPPzP2f3-a+?^^!NKKB0h zP=4HMGXQH`o&5qj(mh19MHd1&>`ne% zQXl;~Mh*_y1hF_|fTd%xQ0V4Fbdz^L%_btWVi2a_uREvw8h_wVwJWSl;P}a7L4&xd zwJ46LRC2@3LdL^-Ld~?f*X$rM<|M4&@{J+JAe)of;jfQwBTlMVvcM9EVZ#yoWk zV(qtuvOQC>{SeLB!C z)Nr+1l#QvvNrp)Dhg zehAg_%~=;em=#r?eJ{2=$5N2;)FO^HPP7l75-Oaa_>U&G1G|Xvh~pfAR-SlxBRf06 zn8@{YJ>0&#uV%{ye7S834!QhV@IofQhaWqVrW`?4(_#wsrQA9#Trt{c$GOOY7V)?Y zmk(kNePTlJZzUm(H@GtMBO(IzfMobnSCCZ^nNE!`35F{Fn|~0`58_vxR7*W)JXE(= zX13omuO-h_t#WBf*SCK}@E7|xye`j$PCKd$RGu;&r+T_4pVW4~S$NA3z4o``#+moD z{k0PEws84-N#azXg12E-q&<@{`1}Q=NOa=8!n3*xuzoHwk2C<{-Fqk<&LquvA)#d- z7%Zjzu!zIyXrkc)0k`~G1%GlYAlSDv7-D!J4k32t{ky2l)mxMa-6y;bM`dgVx`l7(SuxEWcG_Ty0u&1-~tYbO5PJ0eflNG-X;a<(NiP3}nc{@8iZ$(rdu+!&PtAP3!vHX| zd``?8(VR1cJ3lE_u7s23qX-m3ak9Du`7T+gB=ID54G2K=N19 zj)Bx*3bDVciYk(Xits)5mQ9s&9acQ|bkhit*XtPYj1GgUE6$Hq8#hnyHH*)*_7?7; zZ%)ef_8?gxXzCB&P3LXPd;Q5wvNwbhh#Jj(RGYF&4@I1HeGm}9{H>|A87L7gTkFS< z7h2ULw@eN0u%mxE>OHisg*fOyl!ozItjVt#2cF_VdsVHDhu2b$;yq~RWAk~^V6C*E z6elavTv>8Usx6Gc(rQ4ejjC!()g-Ll8&c3xA-WNl2KcrFXWytwRDArRR?5d>pXWe1aB`@dLcSXmwJz0+7IVry^|$V@MG>r`wr~bppm$~ z8{o7wpAW(}FuR=ru(_&KaJd$k7~UST1zHX1PA#Swdu6sA5XmN-*jBh}KNE8!59DW7 z+|Q@iM#Y?OGmhk=RP}**1A=_H-6pVvv2kmJ`~L!Qq;TWgUc2&t{|Nl~n*}%NVjXU0 zgO9dAturj zME9gr?P}G3=-22SgZ7hXZKckVa3mxU8gf= zo1lyf;pdBd&kTXhuut*LuqhubBr)v}7q(+p)aLdsWRI;ZnakOuEZ%OtR^q>8h?bXO z`0r=bmw2fOf8Qo_)O9aMS}v@~F4{Fq8u+%H2u*G8ks1O{&PTFiKd~^mwNut?yLkxq zVHyR4NrBS1yZ3!~=>9qnPE+O~`0c6HLEj|&n!a(Q3s^2G&AWoY1>J8eDrK7!*^B?% ztFzo-LgR4pW2wcUmRK%QdIXQWF0ZE z3f9!5e~@6gcWXSnQa1xI-o?b3Tzo;S=%I3+4fJwv^lk6n zT@OGI#RN~VyO$ncKWj*&?}lTY7RV5kD4q`0i62K5R*v5gD`X&Q?8#T&v!1B}Mriz* zI}HjD<7NY8dFFvudC}ZKnd?*~B4A#xt66^Fx)E5wfdbSFB^4hqH)tITdUa~$#wBjjJ^iLE>$70T*?LW#J4WkB ze_*9uCh4d9{4h$ksk~46`NH}Z&GPx-)Rafhq4lCQO+5N!mTcmQwN%n0$S-Qo6J6P+ z8W!Z|`}R++8RIKG7QebOtTlTy$!Bxn_%y<^JM(h3(P~?eBK@{2irqFBq_Ep{nr|<+ z6Hsh<{ZwjMJCj9)M|Zv!cvb`a`ssmi_PEq$G=ZCx1a%`Ns_#qm2Xqf;lfM%8ziU7G zZwTU`Kr4FZN+EUCc0ZCo;tk)jgTstOjJJ`as6CMoV)e3*4=3LHD*0fS$Sh zVWa?5j3@iGONpLwnLUtaHJ;Xp(qVHx_3*Na2gBDL>P9{;93-^MKeL0l)Hnj1UbcB_ z33Z{!=W{Zj=WpknE!F_=vC$C7FMZomit z8WdhHP2VvLoPGE1?<2d1;wNTZKm{g=NDQFQG}T7QMnKak|96;ldl(U3_if|h|k3WUROAAat}vI zm)=M8ZeY}d65C(;8c(b=JabSdoj7xEgA!k(f$we-Nwo8FoP&a~Yb+Pm_?5rGK6r|& zWyPSrK{%dP4{n8bmYx(SdZ?aY^~&ImzSR-nQw_msWQ3s84UqJ|jXtwW+BThRq5qlO zoEu(Dcyx<+z@~q&%=<}?+Wx#`_yg7?6Ds*KsxDTixdaUbi3U?f zgN+dX7aJiPXmp;knDyq4Oc(ERH&pzUFP?FkZID?wL;v}(~KmBHZKCS`s zki-N8d{}F&c>jl9)i(CQskx|&d$!L6_NX?nrr7=*=Ne!%+K-TlpVB;_C0`T%6^%*dE3*YQv)`_$H(Hv zS87)B;U|d;%R!JN2O!H8_IKM-^c9NDv&ZAp@-SQ@GKEc>t$PGK* zpy*DG>?u4$xG6uZB+B!OF#-pGe1R#^E`~J!15EJ?OX|$-(wUC~80<$27xF175o#}h_W}-~l3p(#vl5Ji%YNiqJYAi*< zDRs-ocEr7(LnellnQ=<8w^j08ue9({l6@@5UM?BOf;AUZh96*|!4=i@AfdaT(QsiW zU5gdH)pl^8e0fMREZX~)uItkUA;%7taVmxdT^+&^e8LjbdE>F3n5HNC-ub%_Bgeh3sq8l=vo|Vg&D+OEVFf@yo=()+n%#?bM}2QY=0{oCZWhOn5`S{ zW1$Yv2neR>ZPB6LEm;-_Wc=9s(2ZECJ#GLPPl3?mfUbeb5r9;e9z$&rTY_Z?CSs`& z>^AbYwoZK-@e*s>9*dk3dn6#luPX$)w?hswjG3PE4n)VzjRm*l-i2#v-v(!Rcni(Y zo-sVQ*Y-m(|~6nx*= z0Hj;o_4A?C|Dj2H_xp+@S?Aa$nSstPL|Wog|9EY$+O@-Nq zciZ!xX<&#mCRwj*&n*cBMjd*!_M>(wQ#q72R-?Mu0hkV+GA>Tb?anP%&8C$(4~1mu z6=P}%ya6N`Mu-~^n$N*9G7W+UGO}|XCc2VqPqI`_9;U_X;X_J$c~*f@!}qKD{HbeU zf6=}ZEJ?2_os^XtIe8HYI%Ir@c6+L78;a(@LfQ2N{#_4{;k2^AW{(A#l)nml4yqRr zP6k+)ZYcYK8Ndf)b;$KqXKl!PW$Ku%Dh9m08iRBBGo23kMn~;Uxa%GfoANNMifhxS z2obl^NfWa>A}%z<7aoqN-#8H+Y-LA8A{0YDtK;ZUoD(UdL&qVqZj8*k5N1&c4rf4M zF)hwN6=IV4LN#6xT{l#Zw$raOVA#6r5~+RqfD>^HSZo}Z%BZ2R7j z7dM=rY}8QsgQPhRL80SFf5D_aKqbEqZ$ z(Cygax)U^N-iGBs0_--z&zGOMe*@s9^4S+%jKh9?9adW&pPn9G_N=r~a?&?iDvm9~ zgKYS$0s+DPt4i3yrj5^JWvWBLzF{Hen~%d>C(f$&jzx)9x0NHe;J9Om!DekbnRNHU zM7NfVk;nVY9C@pH$?G>5SS#QgE5dJ<#CkVB5&gl9vFGDLCvan(pL`x#>uD-PZ~+@f}Khk7hWty_Whted~qae=4(Q3SajW#^KzkUo|<$h zi3;>Rd%dMmD`aH%27O|;ex;+1APZV6LW#a2o6zMBZIyCN?u08`h379AF~}2Q{7}4O?L^A6d&0+CP_*U`4S0Tguigazz}6f67im zn#codT|-esOqs^UA=6Y#ERjtbUq~TG9AmAunEz25@#d-J^YRie-&zRDs)_c*`|lx# z8|hUfDsFRY`m0H8X7JwMw-#RT0lY$?ZP{-eK{af_h5Ecju+Bo`8p9|k{F^Yk&9Y)p z?`!3IPq506l5As_V#JL<*k(l{$-Yu!_Kzda7T6>hojnfq?9I>O8aNC-N)d(RA-e^y zh+(*{y%~j{yWSiGpp~5k<*SvaMT*+0_=9SCkNPb0F8MZa&bmpzd))hZMMaofcv_LF zDjbaT$R(I#wR$NG6o_Q`2)Z4(wjc5`UzJaRs%F1B9x8!Gjf#5tnQU|I4)ulyT#Nj~ zAA%AQVPP`clOiYA0kHJ_W;V&nf;iUKT)F<8PANfui?q~3gU;l+eJ|a(@i?T?19uEa z1U+CFhu(B1q{3CsN;TQ3~(2lHddidlmiXA`@VrU@4(x^gcv3s1-+mC=cpiLjMUa6eYwZJyXSh-vvNzU4Cx1VB*l%_D zt%~Zw51ZSY*AorUR)c#$*MI!C_?mwQA(RA2;O#T`Cm%n*eN?TB5*zF z#{^li(TNbQU_)tZS%r%}VD58(ZdaEDXSLS$NK5SpgzBN*o}8oSp#uOSKlh&0tOxN> z)4uc}gFEWv%Yc|T;GS$zB|0zON6rd57ke-)S8e=~q#S7w(Io)ji-CrQXo&R&iiZ^! zt1O;DYRTuyxEL11`j3LIe;mm1{sGhK< zTEo|CuZvSkgZA4sDH}{ZX>nkqSSjm-< zRRT8g`O$+^D52enOH@@*ZW~ztjBWmry`)CyCHY4w1uw-MY@SQ|=;Y!-w1~*V0oH-+ zknr&}Ar_U9fF+z^v_={~_KAU2zM0;sJ^~g4*>Ez!VX78PHH1poe}u^T)+d?BHape# zbP^GvPC#B=j;Vg`7QaG3LWqshRwWi2jL=JgvZKGz;*N!*&@rE~rd>|>rz6PZpr`(9 z%S$akBOQB}8{ijBTSNBpS?;XoZX8%|KB%ppmdt6Spu_eY z?0UV0@D+D14s(1i9`)bWx`YLJrwueh949%3&Yzzw^RQqF|BK}d=a-5Y+hh^T)Xt`-9#Zz`D&BdJPUC6Fg*uTD9&z{j?z0|UXgdW8H9}=q zwM11*Yjh}gDY)2eJy9mC*)7H=(b6{?5q5Gt#*Jt*fXO-;Fn^!%~oS5_v8o0Qq6vP!*oDua^ zSJ1KBP(RNT`eZn~fQ8f`m&4mD9azuKxZ&v_WUA5@4X~Np|0f4~Klwj77^x&_q!I9q zJTbnORkP*Z+~THtz@uWoBp6PMgw%r3wh(ZnVNh@^DG3xT73E3}g-2o#vv-DypPH>tvm{fHlpM#4 zBz}S-$aT}=XVaFK^nC;4Je~n9Kra9tAoY$!Atwm6(9DeTgoNZMwA=t=Y$~lz86APH zP0dGTifKs(or4dnnuKM>lNPxMWcIOEcA>btI-Zi~7a%+w2@N>mMaY`C4~gQ4an3zW zO;DxbSCstDI8+!Gwlc{xEH@E{9m(iE@F0X?lKZc;d1g)^y9H~e13+9|GXWbJVS;Rd z+g~rygfnxFn5EE(2UNb4rp2uVbdgH=*17lukO!6+S0r;e|2twl|;CY zb4U!MXGw$@dO~CWI)DFU8OI71ggYI?D}gIrZ2xdl-ptm~sogMRx|2dt9c?D);psTK zlB>1~EC|pyMNBJ>oW=c~`~Cv-gATr>iLNY9yI{tnD8*wXeMF0=h)w<{+$yX~k8}9o zQz5c(txMB;cu79fVRP54=eMG zHORx7V_g1gK-;q^%y#BaRMhQTUsC*CIoAWNU4`SSwK=X&U%cpz&|}$Z!T;L=X;2E1J=+8Y`wEyHvn=@ctM4B zMUG*JAJShDO}`e@Wcc5_{qKyx3}pDPlv0yN(Rdt@y4F%+uf#<=vkGVg5|6)>0aCBG zOD9fqA4*8tRV^6_hW9!SR*@f^6zPs>71iydRgWH*U58t{kVS-mj4>Xdf9WLY?%gnA zZ_Jy+>dc$FcSoVksOLA(iig4OBaI>Nz=^_Xs*S0;n3r7@uHN{|?`TSMayTkptN?H5 z&l(%~A_>_%lpe>&C@1Nw=!U}Te#ekp!n1<9kpCP;I5(&PcXA;iR_D*3zaPZ|gdvYu zQ(PtXYtFOKJm{29n3lhiG&q~|ht$-P6dY8_LR0>ZOF{}a4T_AW&LvyH0RdrfTnKM~ z*r~UfhYShHwNT?onaQkIyKZK{Sh$4~!(gtL2$2O|GuHV~YX7a%Y*@2Slij-DleolX ze&nJ(AgvTJj*p*nIuVZVK1^~b+#3#rjI18L;Djgy=4L42X{pg)s4jl+Lc8WkCQ^^5e-Eg8k271^>#N1 z(99-QS@t!TFDJLARbVYXmciAuyr?sp6lLmJ@=Lz3kcLXvFSWUiPr5bu;?ka(uA~!u zOFjif7}P6t@nFf|RyeIbg(W7488h}_4SP2~4()e;`6*)eTT3LQ2HCP$WUuToOkb`G z5b`E#l8esX-1!X^;)7VhsRDv8lxYj30AV8+=iL^Dirj*e5C zn1yms%@RYwsLE4W$jVdMOXk@bgsF#b6xOBImZEW?-23@Wy{Gr&-6pVAZs$(o)ibW* zlMYd&W>}PJs^Hy{vFmmW%V%uzc~^qTt-uIXUMw`FwuuR9R!Jh2TXRv*NHPJoQ@G<2 zQ+}RcQ1d>nm|z6~741KFvG>NICpBdD*~j-?of9XZxnfk6^x$Yg$X4aujaV0(Gd3r3 zw3Ay^30wh(oQv~sK(39CVPR@;aA0wEy?*WH$ zx0*sn_j)jz!?xh8Kp4y2W#|tfTUYakdf9#8d=$Q+s@V9TmJ(aJ;TMq_{ zC~W#ES}z;RUd9}vCpVsNF9oUemRYaobEJZfV<%X4uS~B;I`kYXS$>~@0UiWj-J-y# zLCXKtEsEq{hZug>rlZ{q0H6oi6L$dYAP@`^DK>;02!m`y>o1sttsgE`ecnzG6yb{* z7VF-=l@ZuzOWFv(sYinC-%>~xTn;cQ3x$tM7vtihST>fF*FwL!m52)?9kX|5Cd}l@ zJ0#Ct(Z>4qz!rmdOX1l}X)K*ag>BB2faH`#qD$F@<}Ot}4pvErVz?b@aEm4O*tG1x zO)naCt;RnwL3Ck9T)3ddw+HI-ZRyoxXErge)kqucSF%j1Hdg$~x-mb3;I~I)jhR+Z zwthFxNrt*6L^xd*Z~4K_?n)40%=*glHFg!3*T0iwWd5dX@1_Zz%WecKwI-cCVoCqS zaiSyK?}D)1s+REZD&$cZ2}3uUI5*4D3I^^a;&P;Bq?NT_OLm#&$3k1vtr3tF zXcJfYm6>;$X6>3Dz+Jc!C-jj1<)#!&<|f-bbKDU9h$ZhWQ#aX=RtND#^-jcvUy38X`+jQ=u5ypqgWC!ECAsk1Io{E30|Hw(5Bq zaJvvfYBvn<2b}(06C}NZjgn0~2{C7{p1W~n=^CdqYpi@n{6VMhoP-hJlhWj_&Z0Z`9W0&0Y_(&ESr*FJzE7Ixh-Pb2x01)dTq859x}1Q5;tw8 z@&m8%o^`8jAZ=qKyMNF;&gd8Arl~6a>j|gjz)qZBc&DP^RRc>eOHi7WbzaPXF7xK4 zmty}`G)ogX;jFrY9-F3K8Gva(;mD=&qHrLWERg;=rP&f$30;5;jNf{c-}*6(hKpm8F^dKNY>jB z^gGGd4v;u8DEYs3fN(&S{fhDdq{R*hdP<-)>H4%`AUD)K-zyrmx*54Zg#D%^15{Fy z;?{j(A#(Xc7$q4U2Qbz~NLDhp%GrQaS$TDVnZYbA-}pZT(@BgWf{O4IWj0I-ux^>@ zo%mBfy^Z=y@K&>t8LceRQIxG5P7*{{N!>C0YTMsIjs@XFG>1aP^*EadM{4F($ksSZ z5ymLxg+oyM`7E@UR!!_|45WbvmzNEMbh|_K_a3n;v10<8l0*j|+718hLD16BHliJP zuWN)Dq@fzGOcP@%mJKbVFKYu^NfVuyOSm}Xi}!UJNY>W?QCEOFX1L8=x)I}XjO_`J z;Kvs>V62q60cg@&N$EXXV#Yri^FMlwohOP#<^|;Tj=wuBI0dc8@O< z9-mMJCou*sZXOCds<|qq1tla`G{i$KJi=#4MwplTo$H-{D}OY_xO}!$MVY&_7&(8C7h3&aIYHn7>nURzp}`j0_Fa z`GkMwWuQ}9cHzcvQ26s;fHR&5ayl>!@`QWUOrXYw^7TL~RsZRG<$10WY6M(@VDSknSIKwfe zqBQX!6#=2ENYGv$eZS$ZL}U2E_wG7M3oAju-0wuRRi!J^-)wr!fiM*^USSp|tO>^P zqDUBi+)}8viKGz6K^Qq7W*#JEN`n5-)!J59SHmi67IrI(3~`GLinA$l1)(L>?<}CFUh!FJ7+mArkLh3&?CctM_RE&+7n{L|}EPnEx00S3%;=spc zU%Wx4X28w*1&^VCV-o9{vB1U7;CUykgL~Yf4l`uc)y2>A%;fr zq%HmSmXV#d?W-9&XffysR-K<}dKNha(VG~L z9zv=pM-ot=c9MRHmYBQjGsi7-|LrpIk_@v(E!vm&f@4uO80U`oIN3S18fbAG*_MIn zD%w?RhWeO>29S+a8IeQdKdhpRmm`cJ2wORzd&L0%nu|C2#P=Uu$%ngqtnQsCV~*>- zXloX6Mh?c`IMOL zs>=#rjkt7e`DR`RLD~BLPCU7MLafquvbL?iTh&c6ZSv5Z?ji&)5>Wfl)E6oox^bK% zx+&tl1=|}nU6724~-_Vmn+zs zHy|&`(VqFmJ)~~J6`qJN2r1q>dM!>a3~w&9JEOWxhuRs=SpHKDWg-chFop1FsM>|F zVf7%8E&<}aitQJHmfgEkZPxL?(B#36xzQqSERDF4upsT{hkB*e(h`qo*7;1B=fw9?^A~7`EHdT2sqynEBP8NzE9N+j*2mhQr)wR!rhmh z9RjqiE7CY{d(q-@J`Ycm6RQ2LuK?t~Q%xFl0hZ`s&Oo?L&en&780g+T&q#`55Xy&6 zydN^ZVvFGB8Wapt${Y@4+8fOI2Nfl)<(BXFI(FlHLOe?n4L5#RLL@Es!4`wVp{ijV zgi>&7I4RXxzqt5Z5F$=U>^s7*?G*rr^ruM-=lFbZ06_fCKz$r@9>jcXv|b2ebbtX` zEJ*(r;TiWGv1o)_w;(d?M>%Ya8g(yhjhLZV{+jn2_C=N!zi!-pUHp}vOP{Pyh*Lyb z2P7VRn?}*#P?dA4T|-!4W(PJ`PB&J85QSX+cQGbl5ST9lL?fz!*Z;7K^^5sxc6(#p zhXe!G<_@Uw#F4u$8R88x3XQ03x`~sDE0~VodT_5}!%VKvKCG7Yod**;mwZzpIy9@O z?4{#84*&hR`=z?ONj_13D@okX)+R6`FkwS4j+a`PChG}uLO5$3x=Dg5U6z*=WLO|9 zHMH`J&L7ak!ng_ij|E0T(B+4+@iqriBYeu;y?b^3tn>ZlkR-S~nE>;ih#fK^TOq7C zeN7W$^q6Ugk6(Gm*M@s^kj;bgfeZiCV=@#->kpEOC262P6;ht8o} zia0TuBixz!)S|Lbh5Pd$E9H!pT$39jt~W9^T9FSGMmTT61xUuw_Aaah?u>hmq?!|O z4fj=%c`Z>{0ur#i$!=e31)B66eA`vT-mG@H{^f%mVTK@>mM*!k(!AIZ|X>}HLcdeEv%REP(g z!d^|7f3cQ1Ar>jfw(wp&(OVmqC{`R4QHnoWW`g$>P>#K%$Q_A8#oiUw{Ozsr20Nr$ z#ABeipC@B?e?q#^e8;f+V54Vzr(!@D6GZp(3;bG{ik7vs{|&?Z`OE)>i56rbR*`%e z{+=~+sL5ejEGp~wBrqbD;3PTk+l{9NB46S?KXMBiXPTHYMh8HQE)3r>xKLBCy4AwS z&@JRUjI73TN39lf$a{JKoy|GKaR{n}zLe`8-=70}t?8Bvy7d5q+4ly=v+Sq(`~qV1 zTzcYs#OGrfN+ff#;tc(!VI$y6?P|v(`4i1()+|Pi9V4u%xd2YYNLW2iOccw_7&)F= zXlX%aah#;S_*(}*vO%LEZ}?{yIx7{S1iq3w!BQP7bEkUDDhZWLD|El{ib7p0Xtb7N z+<_&NKz(3S*U5|1%EB?Q7mPwlrkO_*WRsRfol8br4yK|zo|PRnrKrF^MvQgc?W!WN zit`H2K^-sf{w11}zz%lagm>JD0dJ)|;t^Lc51^~kMrOLx=qDpomo0`X^~Qtcg52;X4=rRRdC#2<~~-d`JdMhF2LbOwH(U$zVDvwPwt719Y56 zk-zrOal{QIov`)h3ZNz|p;NVoHWc!~S0!R=8ABL!S$z7_ec8GqpI%;Kd{EZ&)*Vl^!J zTVZoEa40hyaw8W$xl!j$bjo?kFIxDqBdk@R zMXTus^)&tW{?Irc=AJ(Jz*H?G9`UOFtTvpcXw$A}gvIE_4_LkoC-U5jzuk*6vpj}L zDeL|!M5yqt^u4tOF}r;CCOg>&4cR}XIrjTD&?(y|W7X)Eg2WTjG2?|Oo+qPmD1oL(JIODa95EK_)!aD%ySz;t3la7neF!qxMWa>dqSCoL(q+E`ao0w=OYAB*X^;jUV7H zY$+<-p4T)UVh>rhcBO36fLd{JeYq1`8$w1tk(xxBukjf6-tY>ix3^%;6jm=JWC4~o zEZ_QuP<&%o<_1<{lNytGjUi5QdwiSj?x4tc&FL}Y)d)?~fmN%Ywti?T;z;L~7x}49 z8KAU9XUIC(KHQvXthKs)G|=x{j^?$Rnj~qoH!%Nceg^wmuu{oNmU%?dMx1(vioCS8 z6tV}cXudvS_qb0CM!|T-*f)`TEbf@xaZzICDUttEktOIwg)+*6g2G@@V-nYC`t7vv zg>=TXs3$ExUKYJLZrm>EH0Q3axvu(GMqNq4kWN}*;*Y&`c1S4Lj`rErmxI*i-!rjA z51d1Dx)Q7G;+Bzj2+TFG#+g&!Ugg>3(QT_BhP?pWYg3U2jq|vK<+mw!d~^2u3Mp{@ z?(q9{&wP-HZW|%Es%;jmsa8_7gh64(kJ*=;GZ`&_OJWTco3$O$+qzMFGw#whmgtyU zeEf8_kuwHDvUixp3LQwKb747 zP_gUy|J?s$&mR7DQ+_=mUq_i< zM%^IbLiA<;ulj$&_j?sV-3|!USB6%4pl^ci=lxZczC-b$P5!sm@Q36V;zFK5b0Nv} zO*Ljpq;%b8r{U^;pFFvLo?RWOdT9@ptx7l`ezoUIQ(8m$k zecAHvG$O=7|IPgG7Y2AZ;xCa%td+~yzjv4{+6(ZN2V94J4#BQVPY5^m5TZikMv#i~ zvKDgdn8;(ZD&Rfckl-1eoc~ns)Bvk`s>k5pRpD0)_^%w6W9`5H^E;u4{-GsT-unpg ztSv8Q`bxmX+>DORM^4jV9; z8J_*K)6sq=bl$H3-twQt^j|WT0ARl=t(Nvj7#qOoqsOfc@SxdBV{L@#hd5pLW0Dr0 z@k|b;Y7-dc?LLUWIS>_&#jiaV@PPON5bR%R0k};4j%i}v$A#ctlw z1<6Zzz`XBwN^dSxw%1?m8IGlcyAUXCQX=|X_@|thkH`fXvE6DUq}W|p2EgYM4*H`; z`^4Dj^EG?nKW$_Hw~P&{>-}u<_I~Lzlt`gO@5%1*7aF{SiRFAGf$VzKvSwRK?*;K| zhFEslg7RVntm#s{@U60qUeOxNp+;#+_!(qczLhxkxfa8Uop@Q#1KR4^_u z=8DthX4ls!sPNO8Zto+YKP<3)ij0B4&ZW@SbD*gzpgZMX?fZzbF2UDr1&y@~5e2QwWp4)DX)969+;vxf5 zOf6nN8ajQqX7{*0h$xUqoC;P&P#*_=RUUE&=^D&L zgh%k<@QPDmNmm+}*ak)rG4iig!Pz*Fp>f}r1%x(I1)BV%?L&TEq^M-6q|xcAny9L% z{#5aT)XGZo*?R5tq|^KT$cO|4xJr!8MKO5FLX<{yl}w`HI7*v}iiPl7mC+*j3~zmEwKq+P=KLBP;G*ZHMgg1!Mm z;QRi6KlnqSIv-XoZ%*|-(_8R=nZ0-vod14*0?c-6t<>#W?IZ#OTWBoX93Rh;9(-+(|ZP}uJylpOZe)Sxn^-tV-J)8>f2=Ip*T_&iKmY?u(P zz3=jU6liz2$keAaIBeU}B1bd4{`xtVPe(1e=X!?hr;674oUt`b<>RfO%j>4FIrhQ! zd>{2$W1wL8&7qHc1p(L@l6~pq^CCG$Vkz=d*VL<1%I0}_=wuZSi|GIF`Ty@tTxiAO zgwc5&O943NAd=uv#tjAZ|@5?~?-~NB>y=PdH>+>#3QLq6j3er(jM4E!q zA=p5qEd@oSM5IX#9Rh@a2#81%2p}b>6p<2Y=s|if(gFksEwn%)fe=UtoVb?jfA-n? zzt6S5?(6z}fG=;7dGloEnS1WJ=XpKY?U=rNV7&VN`Q2X#Y!VPfD>g^%`;vS`g07h$ zEP1<@uK+4Ti!p$U@XWl!!>LO(v~oC1`GZQ#qaJ_8l54uKC?0AZtUv=E9ppO2?6&i% z+HP$?MODLvKVlp)@@5x*-<9!cH|$$;tE3TW>d4_Q2~$5x^GH|})8E(r$Di%Le!#(Q zmd4#S*~O_E&#-G!FDf2t&{qwsJiLwt=rL3JI{NLlmIsn$1LscOqzqaX$TQV63?+>J zFQ25z!cxQK$@nh&8T&1O{ZR8mviDvdl$v)W<_S#(imwXNwF?T&-R~#v#{|wNz~cy* zS|==@*`@z=CI9s<&2PcJr^|+A0KNqCy#_2zJ@vK|OlgC>?Scr>k|Ji(SLc;f7bc`+{6CkSO1Iq{Li8HAHVwFuE_uX!hihgKYsOJf%8AP$^V`E zvydXw9-#4nH8cwa2hvRrzoUdoZvVT{4%&oZ5B!pe?+!Q6U@Ry|G&uO!-rI7fkjbN+ zfJ#i|JS^K+GMC><>mN`OvU)D-;8q4zP#|RNY*zj2qU}o+e=kzs`B{|-b5Kk;6U*q) zUXOe#&qgU5YaCurn@tpbymRT#N)CE4m(TYwE#`_dvpX|0lXOmAK6^*6h-pu}QYYcz zkB7wj&nG1Q+*?H{6FE=8!2C8?!6o@prPMk1$M0UpjyB z>?zHdU}J~#Y@#MZR(yXxAp7x;!d*Eg<>>tTDY<6BfpXIlKQ_%wgZGEK^LYX5*}j4D z$Uk5!q@O42U}R#|aQ)0XF-`Cp?I>?XDZzY1MW10SFGp$ffhe8Dt|sx|wBpsbr!%H#lAqmN%?{90Z%Odc7*&M|*1>GS?= z$<_a?+Yg@8qVNjMOJ`a~PQ*c!h%eY&Tr}-ZNu@dbkEOKCBZ4JIk93MlGx}RM zD_IudBUkk=F^e^DTiNFQ>#yxBBk)Nj_eg#g4jzWT-?&zH?{_4;mSiqYa7jwP&lZ9_ zeWND_`Of(5!y8P>EKhQtUI;eViLm|i0dZRYIQ*^LvsRy6nMqwWS-@I zNy5x#-#E)3ysu&wOf|C41C(lu#xUU?2uhDV_-$+D7Q;JOQDkxdr9+7I=E*V^;N0HyY3Y+1b$=}d*=2gEmQO(yw>*4E z*?O5iW8Men(HXRSaM{a)yQ`?Dm!Yd4((5kC-E)06^;7bsU7f(z-(k;)krxjbkyDU8 zaw|;U*D~gCzP?i$w}4f!kGEO!O}4M-G$u3*dr*f)Jzj&}ZwFe{NWE_OmbfsuDA64? z`GZ@TGIcD)I`7RD(~9(qk$jO6e}^!AlwjO37@%*YOtbBU0{Li61l2#!-0VT63X zX-^viL&MMI`Te5h|K<&^>R{7Nmqn(P6@c{m$3Q-)3&Ip|4 zaV}g!bLhG}iTFWhfLD?BCXG*7LR^7DU8-!3EoUF=oR8tro`TgDASVW@QbfWv zKjOl`*wN9aS1c;byYQl+RoZ{`Or9 z=rzVho@aHBU39tJW3k2xypFN{{JDFZ+!G!h+xZCjhI5JS?t=X9<#>D z)}t)s@H@uG4G@Ks)mp-gb14bH`jQ*7x!r71S}$KPa=>tN{~gSI(foaDl6i`sex?ZI zg%*(P^KcKn7VtVvZGZP`8HsEA(>?Jdk-R&N{24Pp*SP0GMD}VpUsu;X>HzO9ahQFi z;e=~E^PwdrHCw$#9gD4sg!47qxn2W6Ynh!xVWrFB2eZNMd=DTkTf#CQ&{0{4$$&?kuI4Lg=o5f`RD~%Ih=1#-w=o_s@Z>Kb z<>>V`z{l&dZzvX$i>*m5XH^vTm%tN0>B@ZM=j7=0kDGm~YO)DRlt~GY|Hqp-31B`T zw9eUoRHU9)oXk8`x4*T^pjtDe2kY_KeW?cqX(zTEPY*J8>UuMgvVDg`T0UYLnpGoK zdCo9W9M5r|>89WK;4OzhaAAhNZe@9wNtW@6v}I}Kq-WOuf-cdQCsNL1wKz19x7R;) z>>Lu3#g;RZY<=|(MK40DCuzxB;cX@d`;Jz>C{rl!AzwxKW@(PnUTbc%+L15EFDF4C zX%A$;G9+Q04;KYq$A9n{hre#(q&-PDQv12G9Rq~_TFAE63~eYM5qT0%&nxbp+_N|v zSe{Um+c{_`(=*xA-(qQv3ajU6>1g8m2QR$1oAr~N_auAO{`%tz(tTA9kBZTa;m1Hw zhWzDx(xnuI0^9lSi>9Z?^wI!gczfB8Xmu|K;R_-k;19=Z6gP($r|3rTmkLzr!cj+@ z?>sbeP-PtVESKvw6lADg3}jl9Z)Eb4ms|+o>WYwOsK})gBha$RuELsz4z*{cj_}Je zme;1TWEg9z|BX8tZPXDLqUgm$A{p2??J1?JrtPXNoE z^*PMvG`ew)=RM5qnW;}w% z>wd{~&3Fj@eDheYev-nAh7P{LfK6VtQcx6gr!r(=R=fu!xGtca5Ar6ETg%iY48Y}r z1=|MtYXT$5{@ARUDnl7z0y^OJVdK=>Ajpa&4#5>&p96ew0+Lh(H4C~JtcgE)i>Sia z_Px9ER=3RaJjjt(BR3Z(9r#vE=L_tk)2pRovDTL4$%woR>sK({4M7vo)P>;n(Qj6@ zXISI<-n&a&NIft23wP9GZv7^h{*97QRzQ|lif9Ie8ci~D{|VP%&A%9c-+;(u1ChiH z3V6JtkzQ)14*P{rEMWvaD7cX;T4!fgEUfBcvb`McSe&5}*XeH-jNN77?aIndYS|dA z&&2QsO~Ey(w@5j4e>Fvrj1sCb?5S-@^cMaeZlIvjFo4?r7L>bJ$=@>YxdguwD-t&okU*Fmp5F#pZZibwNTN*w0IKX4C`$# z9a64zJd{wbcC}iq^8J!Q%2l*<$n0M(`&j2=u?WNDBkm$iq2^{&b~ zEyG@Gql+4bD0>*(y}V}P!B#P`-}BIMT-LmH?cnKE$ZY~;bScF5HqcRN2-oIB z(pk=byhKQn5vU1_t&&UMmi#&2Ea?TF+f?ZEwm3FOQ!9pldz3BQ!Qz$2ytHzGcM|?Z zRcb0)rFk7(HoFyd*%NIHX&cWW<{2gLc^37o?0muW6bfUJ2eofKtrZ8L*1X?(dJ{8i zRAxK&6VtdmPG(XQ$LtF6Nh~I2(|Hv&3O@`oHLlo`!$;`o(P=Ty<-UX(_|5qnm3L>k ziI6(mSH!O#X`grsjCO7;m)S3F%l1D~DDYP4_+|ZtEUDgazI@1YQc+WSziODIGj)q| zQ9zyd1YEH`e~-MIM&jj74>}4>a&61jt>eL0P4aH|q2B%E)^3=ZG|@T#e-* z#5aj8+pZMgXsx6dZ4w>+^RoS&Pt~>4x1QN~JDJx0CFhHWd@~&jP}o^!9ccKr6k48; zw>Sl~zjBy14^}iJI`Lx5Z`eT36FMNvpFLyn>K??irh&eGfm5RGeQ1J@`=Nqb1L(!w zIDj;sEPZ-rfc|L7v}SjVd&s4jn49WOCk)}AN#M9Sbb=gS8kZB6Pukm%Fj-z9)3#39xMo?jkEg)@#SZT@TkwYbkEp3r z+24zbu2i@p>RcWIhDX$!7bmvb4iNdYm`uaIgqgjQIT+7IC!s~9+t)xe<1Vp73MF?{Gy1(SUzY|b*n3CWYZ&>7vm*ce z!cYz*4TWUF(tnPqJe_QQ?^H>ECR~#hjD9(J`36%BvrFv+WuRxG(R=dp)+gWhzP9rA ztB_5i?9YImU+i+Bo8{>N{;~>XUYYCZQg9K-y$D-k`-6|Zv>)nptj+*2<3TL>)a@86AjfjQ-JuPslUuIqEH$bbgdztse5N5+ZYJsuZKM-Nc`F2*jYL zhx+*9&cAkQ%m$TY0)s*;xx+qh8kM0aK0-g9ssZaM!ygB7VYSy^j zS2-}h9$+BUT%)B$w7=$TIjnTwzNepN57W)K^n<}v7}YXp7&7;zs0R4y`1928g_cdM zTVdGvZhujkLn|O0Y@9p^Ix^pyVflnj3o{ORQGChNy{`0yvt@1#d=lzfhefGy&T>oVHejWxx zq{FG1Ifzh@`h`qgwYM2tW4c7VAdn|~)7=&hZOFg;DGjiR>=FHBVVz7-tBj=u&DFyznPBGXE~ zTA5I)nVb?eSAZLj)$kVBrE-@!qk^XBLk<&lwvp@GEoR8A2xUtD&Am)cevzWG>F_2< z87_@p_G8$}ZUU^^x0V?A#EhREKg+7}!xR0+*S1K3iZS5LV_lxzIiF(?`lHJYSMece z0oxN}LZ@)dkkbQFg|LCG{+Su-C0ZhDQp=GX3(L5GlNBu&%iH;d?HfaBhTU%8|HyRxg! zaQ0x3i=Rv1gEj{m<*%v(r_5)5{t#fmd-JP6zOmXidEA}~PAHqOt9}UI>Fj64$+cCL z(Y}Jx1oXx*Nn$p zDR+(aRh&muCGy&m_k~BcXk?O9k8z`*a+M)$+RC(5>JN$cP){_HYUEZTMAvINlAalq z+l8id4tZljn>Ks9)V2%vSD70SKLdC%q8%X(5jl#qjxvY5hL}l3zlS?qMVyU*!Yz%; z)5g;s@$p5Z=i}<##(~e&$>DX?@7u76Mx7E=x>6?`^SHF0ge+|I1SiE@QG7!8m=A?~ z+}z1xQ`vgfxe|it+7f`DI`^z#r%{^gaNQESte38iQEk{>{b@?w{uZ#(jI~tu*vytn zTf3H_RANfN$}O3Rt#^EH5Xa57TMo>>6yKgbxLH%GBe|Sec_QJdig@4XUi3epweEKb znaim;*50y7t`f*NG5I-*HA#LZK%n6>*lIzI@0gdyxRLF4tL=naY?a4X{YqlPRrOTu z4FTg6Rq9qj*_^B5jh$a?Y|roqZ#XbJ;k4Q{4aI?;7{b6&yz<3OzQH>wb=2Z+D&fHy zd}QVgpuc|YvNlBkdRV(%`7^;%DBjS~z}gITO!;_2x#HT(riNI?F#K|m@>O3M@~N}i zuG}e>(tujOhdhSUy46vkdjl3v_CT|qpDPzj+115^GAOplrm(r2}&^BMw+=WLt z%mGgQ=*O{q=CbkI3S8FmYr}Flw-P;fMGh}ceDEB-fK=w7TT<%XXh}mGSkPh%(F0Xl zg;1pqQf6q#odMUEEYJYk*EV76f`uA?O-zhP7dYEm%mxmT#dp-NQ@Bt(O5a`DqY^$v z5Xz*jg#WZME?KRok`ba2OzZjV(Vw5GIo zea86!40=lbm2~sp37kcv#W+{NX4V$Ww0Q-4fz!yFCXcG#QZ< zBli=a%eIg-mqtKlW`OSDo9@Qup7~!Ja`zZ4+D?GF0yXTGMl zvzq4KLGG(2G)`_+)6CM&ZuQ_WyC2YEIRE5wD`hHo^$jrF}C9WIbA$cmJR>zZ! zFgA;rpKPLap!$*|Z&Zm>U>QIdwkP>@1Fg(k?k`gtYZ110L*x(H!Y|2)g~*^>E8R=_ zAi(e@u{SYE4EEC04vZ(euazzpYi%>rJ0M&uXfXVRlIE^P?}BP$gRJEDXHfM6`t33j z#!eNEYF$Z3wZ2}vGfX86yIgcG0yC=a7|k0lxonVu6PtT0E~Zo+`j-#(rOG$jO^u;x z#e~atw1;zZQ-z$*8!H8?U+#B@nlDUM=_DzNCdWPpUr$k#ECOl=+{>Bvhi#zQAERe* zsXya(YE+sxY7jEv-AIIoS=}DbLqk251Ona5>Q4E>D$>l{-w3!}di6B2gfC?KxLN$( zF;P(l^~z?cXCrOIkHwk>1R#o}qJ4%2W382Ha5XnE`xBii;idy+qb|J*=q=T8?71MW z(_q0@>dcOFE`1*PVPDTmt}q&}ZRgEv7+&AzZ*^V7sl~{e+WKl&)5d8zA9a=98HF7( z3{ink1(~5JAXv{kO7UO504fYMJpdWaDw0PC9>E%K>ieUmLD)3@#V2dQ=*>H{vCg48 z(1oUAxH&AO&48=1;RpYq;Z)G@USbKSOr{{V2=PWyr9UvE_omDzHR%;yZARakkvhDJ z8Fae72NUUd)h5NxQbtcWAs%2ZCVRpA>`lbavD(Lo4=DGC3QF*iI#|-CMFA`P;})u^ zUFEMn9TLh)nItXL8hDTr7_i_2{8|&BwaZQ#U*pHM8~6$=gMKXym?I8q2eN&7rEaU( zY0W5I!4p%(6n}HdLUlAY9YX|@x%|{37^aTM|_J9pilH@L1ETBjpwcC4Q6=j;9 zmYnKAEDInfWGI6VP|9*Ex{`D~ngo3WD{kKzJq1>#pA_2O*+{QS#vUzJ+Y^zfHeXcHaOxi*8rt^drk9j*eN zOxIzRUB$RO>yzx`T524+#HaEryl|h6!EGc**uHFqg60cxeOtG2rTOlaw_Dh0&$rXCy@z8!$nJM75%2L$)cY5C9 zY;70{JPIA}dG&aht{r~G6Z2G=y3ShGLW0R1roEC}WQE`d4-`>38E_L^5+G32O_tyl zL**}&oQ?%#ql-YrFiep56QAO#bpRl}lS(pH->a=PALrM}_MLsMAO@UbHG2-Q5Hc@N z>IjT#WT=ce?$K;quxCwgP`HQGbr+jsJ8U*5H`-m*KwriT?};2v*jfZxYE_=v#@R1? z3c#dea4kJ14_v#tyV4*JXR885G6D5S zhI!m?MBOe1KKg}fn-)32U={y?C3jgON8p7n61Zc710#z;xr|Q5m?9hdfi2bcP@XPl zQrw*i09<8Njp9lTz<*6*6GiazCxD7yTua6V>5RQVty^&#f1_zU6+68XY-YFM3U+Mq zhzDlGM~VnvuXvy=%cqpb)lvssE1fQ=qs%6-3y&g(ju0sn_z)tYmw5f>s3+WVQs<=M zqFc)5=FWdKyvIeW%tF@`Tg#LbLLguqxUxX&I#IEjbW1*74x`;7r`a zRqcb7$E#EfAc2NXrR3u1Hf)(mhr1wR0vB{Ay--L{Qa0t2+;H*D4bSt%_Y{;p{T+QnDxBSHUSeXa!mB)`PVbvPcVnMIgRC+J2NM6a&)DGEeXP| z%HdchFuK4x1?^}yo$EJyUhX@c|By7cMcOwJPU2Pjys59U(HAh*H3e+Qf%qD-(FlPH zzwYz9i_ED8u`?d(m17X8@>`&?`kQlS@IT)`-%Oou1z)hj{2H;EsC>Zw&W~+(63bL* z$POII3vGa3LFHyls2}vNYd{hyx{;A>8FNzf={?jXJ70WOe{e zsYw~-OOc1n#G*FE%~cI&)=;^7R36+$59B6%#4tjJ3{hd^QTqnw)Jb#MPvYUUD@L_l z*CM8Unf}?zL8!QsY`?T^H?Kn3TL%S_ZQW881YrlO`V@X4QM}N^ z0^d6u7rl|RyeM`NiAHz1#o?Q{_SefVkpf^r$4v9 zgrq!S#i6cB90}FP7ms$?yF2hDM+V^ezY9Z!~qXWgJIvA zz=AGFx4Y*jQ7XBzeb$d?*0qjiC!=qrsg)M}T3x*B_*YT%}MlM&2}D? zWjxO*A=4*jD2TziI~-rAi!qQ+A5@%}COWM=|BRcof(m?)uK$cSj~6qu>$YZpq%9kG z7VQH;;#ffqZ9zc@m>5yyqpf--9dENU#kWfBz56w~tC6$u-$pE7NcNiHw*2{FNe;T6 zy|>%OD^E8UY`KT)e&o>X)ZNz^>^s5`0UayM5*S}HKsWpI34PLuP@2bH_xB_kwV3I=~@le$I~8WV?2ytsv3nrG?|jm z)!=T4iRszvmB!(VS9dxy zfX6xS5{6Mb?uNjC61YWcvJZz7{Nzbrj*ZJ_FpK4g6*P+?wWo=mx4qH7C0(r3F|2IU zIer8qT8wJCR|b7ud6;RAxl|_77neDKL+a`3r7(IA!XXtF;t&@Ue?OI`igzG#NF=Xz z#OtGyV_VldHq)V>6F9zE?-q}SdFlWM%N%-@vXQ!th>aoF^PM{%1?*3L<%~zOTl;@t zx89dkDa}wluEbaBkPNr08Ijri&cnsfm2rPBt7r6*Gg{I|W5{iG9saYsW@PTBI$iiN z*goGz1#ppA;j5Al{q?qY(^+)^)|g-cH(v}mF^E29jTdCFhbsa(S}ilzyt{_>ly}1y zQFZlhHkjz=OZf>N^8yWFIAqku?5@NfHCf|vP}w$&kLtBl!m0FYM$J!^;(QcNu*7~y znx;Lh`HFPAe-Qe2N@8M(VIZE2e&)`5+7<4*1%!-vZWT;rgNdaY`4i{*=B@g^)8GJ_ zpebIcaA8WbAt$@Knxv?OXv4_^s7>*<(3pmAI*ag^d&@$pS8C8 zH~n)T`B(_}IgrieXcz!U$O+0@emdg+twC5-YFUHf=a!jJv;jUU0=C;&J6EKwFt0I+ z}jMQTpp4fOptunGwNQa#rk|ir431EN8QKgs}?F286sLS;^>qJ8}7EM2X z_px8bZD_ObmO_(Ham^h65aLG>)U5_JhskIG9y$F^EG`#s!#JK-lGka4m@Sg$_Q(%m zaU0F$;*ELHj()1Fq0ViaoIN8uEIAA8m1icC5;qznCOAguja#OrOy zTXEwI1qTMheHO~lf~F2d3kI7X>rNUb?fV`yoDx>DxM)N5$(5w~T(v(HQ)E=o3`0GD z&@Km5H!3|u*TP+>`Pp+r35h6|lK_v&J>`xSKS@QkagC@&$b82$O}1DoxDiUH;(Qi0 zx7<@ahsa4o_WrG#)6DuU^doMc(zKLb032Gc%FpCFfeK?jy&{N8nbAeZHCNY1eT+wURC#OHWx=u?U-&3y!OsAJ8&|)&)c`=vuT; z2IK)ecQm55`LHN1J~`Z${(S}+xKcphic}avr?(^3o}svYWy%x83g)J}UDR-+FOy6Uu|V+xK%U?$9+CZP;e?i~GorXq^p0RtwgCwJ4jR?}ve zFM!@qV0dI;$z4F3?{m2vMG0Ptohks*QIP@gw=^H2c^j5z5qf>}Kq+foXk1E1#-mFO ztX3ubtDzkcEh1{jrRDqqINJ^}?K8Zaw&_IbUMZLJuXuvd12dvZrQA9U{jvBWdf9RL zNhJ<V}cj{JLJ6ZwoVoZ>Z&DL;0g&h1j9y{Ns2?ZOxOY1B37N?>;Fc zjqg(ykz1&tu^C&}G*__Yv&PrnzYKr#)(6Ne690h&^!fV6eViI_YRtzqm9{C|h78gN z57!ytEBc;9mqqMvaE$FcIOuk+ww!=(0}5xO>{}+6o#%>6GcMnyMclJjjqUT2IU~+L za2OmgV4o4>QTJDL<#e`R zGJBOwZz*KR2_0D==VoZ&)BkDtu(xnC)dpjqaF>%i#R3H`IiIx?W%p9N_aD7;*1g}6 zQNaMd0|u6A`)_ZSbnBePEWiD7b;Q`dUz&;>A%M$<>ryqE{0VPS677DfQ5(6%<^yg% zFAJQ;Rioc1LJ!FNMwFlJ;phn4O_f7?wuZ;vdD@2NFb;}ec=5zqzn zvdP2@*ZP2dx5Jszxv^Qbv86M2HEZlvOs4ErN>O}H=s^I#V(bLr3L7~Zc@N0JSe_W#?OTOHU8ncWy?Aj-&1w_3TvMRpI(&kF-;twYt6G4lF$64SNYFY zIW7-vPWuNDZ}k%?c8;w!A~#2xL;` z_NqDxsf&BF@nq)q)ao@#QJ8nZsIq`N+;Ku%tMRS>d|l7*^_E&L?3)oB`uUS`F4X}piF;JrDbI2@mQ=+Uz88MVh0j{`I@$Pt{F`#XRt;% zv2!;WGl4P3&LdwuVU3$!z|E*$Rh8p90{`JA4<)!j9NlXUxpfKcqX%}|9G#%2eyn8y zA0E+a?Dkp{6waBOrzNS%(^1lW1Cx_8ua+=b&9U)S#oY^h%Z>t-OhqN~JpUx@|0Z1*^Ypj~_ z?2L(-Exe~}RU&Z&_j>jc9JqY0+Z5m<>@)%~y;uTH^>c`wYILanCAkjZYapsT{v4{{ zTxZv7$ml1`7>nKHr%(AA5(13b+h_w_zk&RQMcA0R?`^u1>Okea)%QV;e&6S+b`%$r z8CWSezQ^7yWgpG2$g;^GO>OrZBeSdcK6Gl~IKD1XNIaLck-do>cW3UR92cIY9_Gsw z4XbhQntNr{N1nITtqnJa7bJNjYr`qJ#xvD&|Ip4%EW_f1iPQvf|805j4Yh~H9AAyFSyBJQJDM>@LqYiC)XXR>j@^D@4bfEj-jl6^9J0vX0#A>E zz=eIXc+%j;;4^vxvjaY;())-?V48H8HQHWwVO`yrlTUZH%j2E@rTPR z@}xIEeb%{j6Pb(s(TI&x>QPikha6?W;sO{F^)yjooKz}BdG|^O{;i|5a5>t3VRHFW zxS1Hg+TjNV6iU+@%%TQ$e;+C@NTbz-+*?_SfHh|V8*31kFEZfG3N9ywgi7{x1 zC2tRZs%p>A80?Hd9%HA^V>}E3Cj{gzd#|eMkzwT+dJV5#xAZ{Yv&VmC=QTz>SfIuc zYOVAX^Rz%lu_xzQwDy#nJd<*9N@>s#Yuw3*;X5c+b>02YIQcr9t!K?E3eIwTr$g(sP?(@mq={7_8=w`^!BGHfBHO1X=RFr>1nR z-DCJGMjZQjq9!ysB*Q&b{yx>o!h%&c)?lG`{2&~9Z1sr(@7KZ?+srd)-!=R!0}&ll`Q*4v(31oeJsQMn?@ot+mTz4 zu>Fl_bv#Y`$pmQukRh%bl&UnF=$uL_1y0S_kL=0 ztd`xv%TB&gyHIW&ko<-C=x%}b zKH^!DUBqv#NDgSuSm3SCyT&g<^Hd%WVxuOQTe2SJMON7L=QQ3hFOxyDS1YER7ah>} zFUjN5$y+%GHd;|ZSB>s}#M_sR5G!0H*XU-8{>}`b;|=a*Jh(?=8>bbKXX$$GFY-Xi zs3G0S54xHhvweq(`gOB2EJ+NT7vMYHJgk$%+f-4C9e}M!Ex&2x=m?tWa2l>`d{6^g zDOo>kKjB_i(Ke(p%cc94<`(^Yv0fqU^lw-H#4f5GldNLw3NMGVHu-E{Tjh2EHf>c; z5uU5~F607P7aYPrZ>uIJEg)jLx}{rkOi{-*fW(Dac9x_gxj2=Hk%Ru1>tCxVlig3K z?rgQZdmS^QawwS;DU`B%aZ!Kx-y3>)PEApaz3Bi(*rlkawLbP&q}Lc%x%pb+IAd(T zKhd?7X|YQLB_U6+kU42*$iaqu>kvrSn^>ezec;qYePfNQbKwJihc1b^9m53GAJuyq zO8W3mVOXQqqHx>oxksJJE^J(7qj|<}2{TA(d2++?Ud)DFdllawrTWTC#zYM!k-2lt zh1Q$;PQ#cSuVMW35my5e#2`BOKq6Dnwc5fA;EVk3w*>2G!ooLb<>MZv^e%|gwtfnu ze%j``R5p5hn@zodRT@NghM^I6do5oDCN%@a9rUIH&}IkgVa#ed9af561wox+z73|MVS`*x!5pi{VCp@uH2-u}bjH zod<~wO7?FyJT67^ELohI+TC@VPS<F_7!0!P+vqQ2p{qNIbGLh{Gzk%x(b=2a!%o;E)&T$rjdVefKXm(J1NiNM$% zOseN#+ag_523^Nh24&#tV%nA}5>fD#F(XJW#A$rmK;X zTR2d7lZ`{$Vg1}{z#0eNVLNI5pz^cZz5sCe&Tt;RLmq#b;~UL-?W z=Y*f)J)Ov17P1HslgC4`0~^=s{o{jawdMH;JwYs`mmAs zL)O=)G-Xze(~l{fO;J4T>lO#+t4F(dyNOR0;NEGZuZ)d~11F_)6{Got&1~-iRO_8SG`YsCBj=LDa>hMI*iYe)kUYWv3pd~UygfjV4i6Sv*8FminX!vVUx!^(+k z0=7Gyo62UmEHk@huUVRSbO^Eb?A27) zeP6a;q-{EO6p90RTVC`)6CQzp&wmH%cNn(Ei6@Wb?}EQs>{9mg5WKoygJx)bV)?mP zpLeG{pR3GvdKjQr>Dk549-X)tIdBk@LEu2Y-|eV8lI`1e%nX-!d- z<^taE1)QPsNH{%=9XMAH^?Xxxx81PeG9)v^UD;*W-^IRhKX4-DgNAt_;z4nT);G^F zDBLl>K;`i&Mw*+ws+)x}7udkwv&M@53Y?N@$css0J2b^3RFvF8t+VE^pEsUsQF2qb z1{rND!ja0+!`rC(YwwQ?w+8{tNag9Er7UbM#;eFB+06C{CVq)$GXB=B+I|C}bD$la zG^^w7vVK^*2B;kH+fzr$(R=vNZU(Z`z1;s6Jk@+RDya&HtzyMKv<(^BMKocTM{C7swU{Y`v|KAFIzbF8)&Oi#21ywDIH=xO1SmW^eWkUqB|pSntv zw_+;Oj?g)B{iGh&`(sdg|3*iCpn-~R!Z&Nb(eMh(3%?Glo6wA1N}%VzQXrSVkow5O~~IZ8~VtGZZiI&3bP{&%I$(&La!R z)4Td{3RjqZSYS=+?tEVQwfCCZd_zVD$AdjY(Ho%Ucf-83A24CcQc3*}Qa)_H`Dy4t zH&qrdZm`8r_AAMD9PVEM&yCJ!2_G5>!ruIR5$w;|efbZ(lVQNSG({%UIoXDMF43an z*}=rVBa_!0@xg8i{3Er!$pEa_9+&sa37SgDI?jHP+{|=y!3cJ-!(AmHe5aTpBEcpK ziM2D~^8eby^G}L?4^8Dw3r)@NrXjnFWqrFgL4XB;ZPiKvI=Ax$&Y;}lYM+tXfr;c> zQfcq!2$<@pRFoIIm;T(+b!sw)qsp+SKcD(hAp9vx-0|Lw@Y;x~$R}~n#qhDJnZ$XF zL(T|zb=|4uM~M_Ibms1~vliN0nY6w1Lm-ZFXpWU}r;HqPQ)FU@&lzOe*jIIs&HLnb zq>7(%sR@U3LQQgJ{9~Y)wmaBvg+sX%0(QXtV$PwJUZ^mW_x``87)-bNV{ zrM^qXjs^g8GhRDYau@BMZaTqtf%<7GZSUB zD7waiPl+q(8y4W2_VO8xR3MkiZvxY{T(r%F-uH^h8E5cE+z&Xm25LdQ$y{jK_gA-}G*F zrO?=!rZ8nY2|b~-p2E1N@C-2z7d=bBiy$Yzdt13-)oMM@a?OT1K3*LQ zQ0wu}HL?DuEPJ62`LZFI2WmkL`w1WyQhr9zmZxuOli1rAzb!Y-+jR`<8)0j{QkL#P zdalTu^q|wIqI6Y6S8j$i;d@&nSKFcEXDIvr-7L=|xnvc-A+Cw>0|RNU)eedD!5JqL z3vvtFNNmAU$&s}SqlgTHZ(l3`MflW>);_oICni2gGN!AY+Ajrt;|mtV_EtUcV2y)B z+zeXj>raB@R8f>qilZ9u6ApJAtQ$@M`ra4dmRkH1&LVYP^i01;OSGT-a>9wmrkjQ_ z8SghArEj>@m+*XmHE9r#`~MKqOw4B(&~=2l^Ai)&FgXqWyjKYOHA4VneK~pJm{VQX zd!#DV;$9WluyHaDd~32DRoQ!EwOIwPffUfgUW^u5ST5GZ3gJ>ad}ZU4R3*`TQJZMy z&asHaZW_rj4B)l|M0f{PLNy}OwCf!Nea#f7UEmHyRzQKuGc$hHdD5UGq%yV^^eo`K z6trd3PG}LZ#8$lql#dH^jYAPi*7g|k`SK>j=@Q3|3TdvWczJ9ZLbAvNZ2Dz&Ls+FO zzU~fr-_mk8W2m2C>S+@}lW)iVsi(?wp>I8PTGHv8@^Vm|Tg6}+SZwlH;lDJp_laAm z1Dkw9V-7L8p1>on$C&+fZ`$|5%=0l&ZOqGF#GW54K)ivHGfFVi#XKnV9P?(Vu%3rS zOg##bF!aN>KP85F$>U9Wx2^WXi10*P^&J(rz1K|=TN>)sT26fqf#AmtEYQ!~{4HV4@6U2IRYv7w$CLzXoIi{|6$M@xa{ks2OCp8Zk zGipymR#665u~@#UDH4*>K0StGD0-8w(W9rsCwEn}$WD3OFU&q+*8E`PKy=TmUVLNh zwc|b`Z%t*qA1yLQU>O#Tv4^~%R(UkIz$6TASURjo(zeC^ff zLXFDi_>N3yI9W@)Z1#1P$jW^t3#hmz9WEz)r4=730d zcY{)gPU$>!$l=iS->AQ<=YR2z@s9W69pkz30%7g7*IaXc=Uj7r_DtHLBG9Mry%!$g zu^dFCLQ|N1=y=va;7#ZVwQKNyD~NhheT9@U@@u(c-9{s#{T{vVu&ScH*~dW(33rc> zaBkb+dJDT$(laByJkjZnqi(9R_~0Go?`LAJ*i6_Gi9QN05)Cv1Xe6Aoa^ z`mZiA#Yjc0mhSoZ$GuCYyk9Nz=*?9-8~*N~d!2ek50x6 zedpxZBLis!ne6nKwRF}g&clMd|4tVOL;@xhN z9*xTMw$Q7&H`&2M@>4f}FhBV@bT~5Ld!3Qs7@Qd`BMM+*{c=&95<6-PXt0ltCfS31 z(z~P&T3zHVg%y4zEwVu@SP#f<=yJ>bfHI@@QGI}9OghvVK#e-m&$fjzEE}iVDlwM#zxo%4dHyx(bk^@Q&_!QE zlYK~rtekY-2w$yKT=Z0KRy)8ugl2g!1y*G-AAo@M+J>cn_cZK8v;lAJU(b_NGOPJ|5@X%?iH)*t8 zQ8PC;Ehf4gX%4qdzC2FeC-zp*=OLI@o@RKeC`h-*Eku4LeqMJy^XziNYRKHmJUzP9 zVNJLF=I6vMyIlv5*;U;@__DW(x+y&;cni9JJY#%Red{r-rI1g5-M35gY3o|(+5E$e z)vKjP`oApI+ZVnE{1&ViT=TBBrhp|orq3Nh92{;s9NDjEx*aA7MOcD;kep`X=1saq z&#w+cTZ(f&@c|cQ!{>+6%LU3!KSAR?&;_cr)ddTPr|a02&+WZ*>z8vj+rW6f zaC89%QN=Uayj~wXl2iT3>0b@Lu%ePy$f7O$`gnz{ez(@tbw^v(6S%G>mOhmZ7ovE& z7`}mMn+$(jG}~I-Juk&*`<`I39tHh_d$`genA@bcU5A1N0k-=5^=scIyH;*t(boH| z)Qnv2ZF4dv;ufqqq1Yq}9h;gb1Y#0E!6h=)(}l=mvo;z>M9jdk-t1WBXX}Z`f*tGg$d0QT@ zEG@!LPoY9BedoIbTeVjSA5Pi^-BGteBW*gaI?3F)rCeY!_f>p^Bc`r-dsNdz&-4%1 ziv69=iD#N-0UmQsj%LR2`CAVbqZ*bS8{`Z=#^sxy=R3pZ*TXcB1AbG@FI)N-t*S1- z2?s3UuH$k`EZcTnX!iQ{&QL2_X~_v>bQi7$ghnwgq;>++W?|0Of!^|RZ)TN-(~nd0 z(pJ!__S;b(9`K4|rz-ob^W zWd7Gx$G-XDfiNx7WR<>@XHB)wxWZ4?+7Vyi?8)0uotGLQbnL4-n^Pc>U1P+K$R1{= zZ)c9TmmS*dv`rl(GY*vr*sGp9ik~|=TGZ+^k>=w6 z&^~(LVT!k>-r3_azjblL1~K6zy1JV>)Z*Ugv90l$BCgKZTn107ohwHHP!Ks%`40qO zzRc;ACNs(Mw?MNVm8)v~*vgg@_o9L~1Q%yZQ(Jh57e{T2XINOTQgSBB*kIv1^lo1H zlG24hhkyny&xqY98u%{SeW%T=r4pp+_t2lMTZ8I4I;W)>UnA@oj)+#Al``2L;WmA3FHPhE>iumbGuwYVsmR|9r zcEfWck25^;D&_N?7>vY>1S}SoSWr=(PN{X%(ly+)MjUs}i?b!rcY!-JC(E08__EMM zN4;0#)m-^vTL7(f><}p5F>-qET^6FnuGgN$DOUl{&W|PlSoMvnJg!!s(7D;o+Znzt z2BbYo!eve+b%jQh`)d6a35h9C6^6jpj0ym|L?XCYw+b|lqGA3Almd`v2tXZ87BDQ_ zLV_fqC$X_dv{EblS+pWOm8Mkp6b`YU72ywka}7pIS%CbcLv8svN9st40QYY#6)32x z13)WvTvKvCKXE@;*O#t;m*nyQpp`lw&USBMPB%M3EEdqUngfcfy9GuVeg)vO{wJ%8 zM6;QZ}wTkg&FD}b?<8=tpY6pH~7>k|e$<3=xm6PAA9{=4F^i}&qLt^JLs z$Tw94S{6R4+)$c_uqMLvM3;u4a4bso0cAx=1@tCJ6Vq5n+2t{x2Z&&Maxed{3^_If0@g>fy+IJrLuh zp8>g_O0V?1&x5`W1MV;@h;T{%<5}bZ7i$cV$f7RCKW>y3!`$*9+)<=p8WEww_|3YY zVjPFHflqJt)ExHGO*S%zr7dala$L=Fxhwx=eg0Pfg>A~VkK_fg90TDB(&lS_FuY3P z4^Lq6|MUr#K_q@R11?%E$H~U*s{O2Hf&0QdjHou&9#wW7@qdg>N*`opz#Mg}_G5?- z2Bm=_HF3 z%!4KbQueRt_>Bp8549#$Sab+jFTb@&{YQ_h2?gE*m$cM(e-XlmWgrwUHBHjM|5=7<7-B#;x?t5Q0VJM$r@V$R7N*HQ(&N5~ z6apgt(kB~nHF;>O7Kjh5#2l6NE-4T0;aI`{x^c}=lzew1oTw8~INk$sBm@2ZrbAg&4Z8B!-BK-R4rY8uA-gNoQE;Ii|0-45;0)kTr^% z?E3SC|G!plCbB;du<#^Q;zb&>h>$rSFR~Q{FndBO)2{{5OE04}5&wm>7r%ko!#=VC zVFU+2qte4FUi_JSH!yjZi)SM6mr_{|Tu;`JP=rDwWHSEL+LmXt{1?Awk)K8rBLX$3 zzc-o~p8W}I^(wnBr%izfl1epXKc@@;QbC0TBsAmv3qe%>*2d3I-tQ_-KF}Swl7s!N zrJ|7a9|7X~qZ#R81cVn-X%7Q3c}WN6X9EKk*dx733y1Q}%N z9jF0?G6z86=&V;|=>>>|AIDgh8~5zLu}KH^)I%FbWn@j_CHX_UQ|3&(*LFQA3;gkZ;#UK$rF?udBB{; zaocjb08SF!tV}?3Hxem-8o-w=RE@j+Pu-~eHDPJ#>SX}Qnh79TU!DPw)_VZb%5i>? z!w zqf;7EWT27a+ZO;Zib(XgRnDmeh>0L!#781z&JU2=rbpDT$dJegD;$rs=);Ak^pbU~ ze^*vxJ&i^e@%e9}yMH07s+qoXbt3N^d~k9Kf;uC#`6*NLD`VS zpcq;J%BE00RqTm`2Tj+2!hgyp@%Cw1mq>y z(L?_|>dxPh}&yj2-`t^ttKpNE2~>PwV^uvp~cOCCgLyyNR32k*55Z z<4Rt#|3~%%HaVvW&_W4mn3YApbpjayI+BU&ALFv7>Ts?qjg9Lg8^s0o!6a@>*o$XK zWRfC9HNe+77d2X z>?k#XfVtO-=a7qidEEChn!XgsO6 zS}+(6vhBhBw+lySfi2C)e;X?J#2)ZnYo9Bb|BRInjJ03$ilz-E$Kb(TlCJf9jRv+B z-~Vo{|KD$|bjm)+#TC#UTTITPpr4T7>ilyy*;z*l2;+V~ns{rYbO#BxE`upS2J$vRP29o!X`q$cR&M}*zvDGJ(2n#NLI1U@P-Bl&|cScISMPt9U)v1>o z83kR>WkyO>ukFeisyT1nWjlMB5TXIeJnb~)M~q7b<} z=#*N|Ny8I6yT1WS%kzB=6R(WxTkzd>^k!=<^mCLN=5w+mLSGrH7pZ=mDvNWLaJ}Mk z-CL-E${7&YZ6rS6Qxl)LfgeAVPyEmUNrXF1kl2>R4PXsn(Ms<0zWFsUZeikt_UI0F z!aquG3PE5d`{Ssm$y5iQ`^~ZtJ%s%(Bk`s&Dc4Nd*DfxaxA-h0K7i0uG_kIGA9m`o z;>Q&sAi(mX@Mgnt+;KUMuU(^OS(wh-XT0kQPk)&?#o1E~2}9QAJgh@#H{}z65Cxt^ zADLuu+8;`LDwKIMrIv;INe+`iX{bO61iM0V9ik3H! z2NG~E0NcW3=1BZqeS*-n*Ot%)9=lcCL&JwsA^-FWzRjHYrK1v3${~2#zHSm z#k-Cdz5@fz)neQybqV4vWj}=Q3DxjuXEg{b5);O*H~T^T`ouqctKI}$6eBZVaytB_ zvP?ge6JYCT_XQmCYFw#eF;B!|RALs8!+@PC&6 z`gQ5OL_^JEqLr$F-ELfCcYm=a)5y?ijqNALbBr@mO9-;z0fwdF=vZXoj}Ude5pY68 z5GmvRw5}2T$q|0B4-%@f;;5mSG@c3N=Z{F9JB>Km0{;y9K6mkG8sYUGKJpUW;vM1L z`sw3gGh5BEB9WOY19rrl;KozPlh7yo)>COY`^a6t*2I5&D~bP7`YQ5_pSdv?V!}o- zcUx>W5s_d!8a6YcWR`=Yas|$fb(VSONPF;8=_a1M3zV99(h&)2TQWQZa3CqcG<|Ni{PVSM?35iFwdhfM`JnVJ^Fe zX#$N+F?bnAL@z@l=UjOmFQ2zd;h4p-tL>L@cDG}wkFnyxH(p<#_@?FE?`%RrS<}T4 zXGO8Mj-jzyX`T4)YndH9{Vvtptb}BqiEk;GXbtWfU(eGBOz*8$F3C`Qp|e>*8bm4! zH2HCWllaoze|+FN<2%3pTtu8zL`&geE{OqNm?Sshl#>{H5#1|~XfwWy+|;B(lS{gg z$2vt@)_lJ&8pwVV+r&SvDzsJgmhkua`SQ6>e1xCj$VqA-?hYZU7-|!P)(?8@XmdY- z4x~PAoo3q^15f+2+I+gHX{cX@Oys&xrt|u4_vzbi2U4_XoERScZ?_=XvTc`~iZ;n+ z%TKMNiBd?nd?h@!6Fwg0?>$h3h3)$n`;L{oZ4)9zj5z9KVs(jYypWvn8U+HMbh0r!2GKD%4gFiX*UoFEt+D}sSqu?G#mMYZbpv3T#}&X2ky)F z+#L2;cZ2wA1P_)aLe_~8(b=80b!FaV*06QSp+g)(k>&0hrg3LO$7H~Q6D-gGCB|1B zN4b%@FmjKK*x0F)UeZC%>odZE$988gMRLXkiB3 z<=Z-rvgy_-UwrpL{{^A1?l%yYt@949SFxcVBP<=Fu8u==cY8eVBuu!5_WSu9x8k{K z806cf`GwUR2K#w><-hTUu%JfojiC(gSr zSXA}6Fk^J}!!7Aak&o+H;*P7;u5`+{M%_o@xz2DElIc#3#+&UB%8jr+6B~Pa!VvJB z)q#`Of$I!WOg)ITmYR#W-sm*D>6Av4&@?Isw1_30fCFPEFu4GQvo|$e>LFF&JXc|n zN|W(M&d9GjcERk0DPO_a<{Iru7f&@5E!>;m9}{SDr%^j&oN%Mnt}B<`HNMA>y-fYu z=aRFwV@n$ZOBf`lH7Y%cDsa4=haXJaPm&qqW$8#|X5I3;DxH<}HY~e|>tpfMd2P4d5-s%e z5}`CE9h-&NH7B9Y!RVsO#}#dc_wC@UwENHOi;QW}k8WjnWhM23OMl_9iD2w9o3pyt z-}?thhT2%=O_o-POlx??5N~g(-jUQh+7O-YUwNiFmhYcyjr2L6{XWbbU%h7!=Q}{> zSz`wci8sM76KV{tdhibFrL$9KnskvkMVR-QrL^JvvQ&Er?v`xaJ_q7&S_3mP4Uc37 z9jEfIqVgGH5_uv^V<|O|nKIukejqQO;x|+|Q}eR8dSBmvOhPl`L@g$h-mDk)O7n|A z_ak0I(}dnfDF?Oc2iZ)^O%NRZ#nFrBz8dWD!@5LSa465Mg1JoTIiQIrcY7#xK%Xq0Ys3vOYBN*J?3brK@oAutjH&|Zzxq<#7lSl1 zD>*bT8uDiVf$ayLr*Or*WRR(Y1cvfh>sJ z2laW0{qrb(WA_Rl$2@HbhC`=cCc!^8YPFIU4`bmvQxHF-b2g~f)YUrIm#v$l1?M1j zxynfXI5m>6ADqks+eMqMFC~t>ORnp2$_-YsRl4aEO72*!&wXdANqS|EyQ~Yd(TA$q zwzE$X4})(us4D}8PKUhSBeEdHp<*HaXmL^RZ6CjN^g7`{VpH`FITte~n*~LRvgmGr zQct`tPAN2TZ3a&()iZTEH09uuU7w>(1cDhisqV)-8!ynfcJz)@T-?QbO9+TfbJbrj2 zmsgizH0ij4#=iPO`rGXz&xp0=K_W`t z3eQ`-Ek>3+Jks-Dl((Ipjd!t`{g;tUj%C$zRPAn>j{`4MA+R|1kCy261Q_RUUQZwE zwxv(>a-iV>RQ$`nT}!J`2QKkxCn|6iM*G6u-M4uj-A0}0|8@U&lQ_g$# zd1M=X)JGgwmBQ2|4S-)4wX!PS(SNU3^7&H7cBZMm``zT#kgcrghD%#C;e@wV`G@5_ z?u;{c&q|>Qc#mApfsz7u$E9zp^^G{ge=LBM`(pwfD(NzH=mg^gwdXZoNOOgw#BrNw(A{hwY5R6KwAu30;q**JS3f2XFzYiyrE3;x^|!7?fZQ5JtQ}Q z9e!JU^^D2#XHHO?q$lo0k0l>OS|}jW>RcLkxAXPZqsAlLyG8?OM?Ur|bu=TFrL5bI zVkSB(9~~OG(_!(;m$=!bw~c(!B2=V3*u>ekWj6mtlP7q{vljR3mpP=vv?=MVlHG;t zU{a{G7}Qo@c>R(>;M)Bx+Z%o$oF+jyxDLOV9sDrA6KE?xM4H~*_4A*LqQ^$zu@k%; zSm*ep-;Ohzq@b7kntQWXhpu=b$m~+V5{_}y0BL4%fvF2RYK@Iu_gT|}9afTeHAOM? zcj{ddTnHuTdaPJIZTJZX>6ddG?NHl7----pWTETH7G$5J<3-y~USB~t&X<&T@9vHk z+|-)X-;_59%(i;=jA#I+wZ7f({UYi1ufm(!s+toEbAWq*7uKW zzkw}m>dQ`#=U#Iuk)-g0JeMHx`uq?!38|xc*O9G)@XFDld5O_m25~;z6B}4DxVfLu z#3)aV7Bye`zRv^ibCpn=K(UsuF|SVpl5S-3sq}D$c1dm_upUD zE>*RMZkT;{2TqZg6u+{I;Ib=ibx&p~P*twaG^Jvc>&O|Q1vKy5FGcPT_ZH@EIbWTf zUT@#IpYb)GxUlhY7|hWmk*i)b7++si1|ndw`X?pB$!*XZ8dw7wBFfT=+=M=j`ZoIb#sB? zOnf&es<{GIw1H$8xH6}< z&PQZ$p_ctg z#pVU|jr_3c5w|&<(2w4E@Qs<_u&wn1&l!wed`Au!qvD3MxY(l0(g8DsryEL+j#-;R zj%>uS%w{N8GHm(PE(>f|6a10x-R|>17HBbaUT>Q6yKUOKDnH_bRXUNHE0I!J414(~ zn=6`cfGMLLME$@kb&CLVHj=irJrlQ5@O!ar)?|w_Tt$(8(dvv&bhq6NWXu9NdaLPk z?#JsmwFh6TrzTXqnd8M=j9X>c&u!Lwz9(FG_{oomZA-?)FMa;fhz(uWE6ioN7fE({ zWx91Q!B^DL;q4J)B^kGrWlDYW;q5reTziS^hpLRHc%N6@JU^BoV1q9j!NohKd}0iq zx=#gNVlDLKFz=L~2A|hFFHh^@vPu3tFI$rk;&Goj@oY_sG8k*HU7i6hP5|liDzvy(dAxnbPMWayZnRcL}WbklpNKSA3DKV?KWuyDV5gWKeMcJoZn)rGWl zpA)KZMsSCW9cgnyxa!Yi1{yG)?JYgQ?!ca$%Jf|>S|Fkk~{qsy? z{mv4k1>2`+(Zp|XJ!oCnB!H)FgjA9=mbZt$ciB3UTMgXo5W$yvI6QSeJVSS~*q?#9XzJn@grgSgYZu5CKwYo`nEOw#2*1bsWZ^}&DK|3u=y4^ACHAJ7vKk;PM;&>diJtma<0AQFr?}AZiWZumdRrZazzlm< zz%{Be~4V24C-iz35H@r4#On zcDkb8VDmu26IIW?LxrZ_)W7C4J`$;}vD`uNP}59-(M-)L7_`OE#CTjMFkew|p{2d) zv02L=@HouB*yCl^_5I>ON+b^NB%BMd;r3 z3X3S`EiaAK;c);R*Bi+t6ZZP1Dp2hoqNc#x)1+l9LwRXO!YO8CZJuBneRmhFv|DcX` z9=P#ghjH7hfRRP)uyI;f>S>G7J>^nmrb>wh4<-Eh0`;r}q-)f|rq_x<@Fw;R|H;}V z2TMjh-fiIpf6tNl9A`?%i)DLjmdQNKl3>(o|Da*KXa3HC#ncndco9t_sAI@(Z?1+i z6K&oPJSS(tt9;zVxwOVAc0JA>G<-O`gK_%a<>-d*azJItkBZxLcfsL{dPt=baScO} zT=s1uV!6z6ldep+&QZuk!`nICo$_xbR=ne%q=kQ+P%bjnD|^&u(7fptz-``e?QeX) zTArNoz9Fehp*?6pl}zH@wcN|E z{mf>h9AC!ohY1;HJ@S`ClRh7so&B`2!kO_IXV9TETEuj3B#$++a3y@BEmH+bvcVo-Yrt^CXj0SzE+v1rUNI0@?@>oDl|7)}* z>?GnOaBD7b*ezgO_M~OSJOj^a{B<$BcbbXCJqqt>{>%=noBraDx-fXSPI=v45>8obQ9YjW zs9(i(KN4Zs57D4czj{;dQ;i(B(>ekxsz~n)%|3>-V*INsu8E19V*W%bYZ7*Vvq)&i zci@R>nOqd-$~KaZ&dG0)qmCMuahzbtU)>mIv>3j-nPChuSQYYxci(h;EQ4i*z=WPK z)~}>dKHcyq9nO=6{1BT|^VnJRNwsfI55nr{iBg)EIUeNltAP?;b#Q&%c=ouFA`ROh z=D^(o%okLd?q5)LRxH$iTB6-u$u3{yZe@n_Fn?TU!ijG6$%sxzVbG@{YBMK~j>4}SPYa{Y`nkhcpVHBfn3{AmPkGS~ zAL>;E{GC>$0aYnH3-@$Nlo(5HDaChq6Ld*9?}0`AGQq);mVvJ>J?n7CPy>HHxnJ4W z;iU>HM*~Saz~$n|Ql4RuDa}(2#;sO%KaAsr2^R{sc;1{6BvAapm%SzYOn#yXKO^H~VzWcuuZ9gj zR_4O2C>3qISEGsWxnh*=lo392ihVy`GCoAzad)bxpqaEjVh9)dO ze_5Of1uJew44>w2{`gAaB}DvjC9oG>hGoUtl#VXp$;&Yj#kE^~s%p_?&>Mg_S9CUF zDra{<&PoZ8j7}?BfUx23{58LsmI_L1FJ^d^>b!BWI^}v&h|sGW&fs`7!~b4dH0BA6 zG-)PKS3j__$_OnUHSGSo7u_rAHdbTNmD^^J_FN=3v9;LM?-PzIp)qD2ydk%N_9FSwrdpXD^mMwyZi6uIn5NZrg#;Xb=7JXb z1tc&gCob+rCQn*kLP`1V>IxrM=C{L?Y_Yy+kY{jt#COl$Egv0j-gI6szNBb_K`xP> z%VW#iE<;Y1fp32ZA6v0F@rA!uZj58vt88F#$@N^-ISWO+;qMNgwr#4`6L6@)pkqjG ze%q{gI+QozbZ|xO$*h+zx;ZmDqe)@|0h3Hr-qAV>yQSe|dVJPUOOd#?hPt2LZ9DAX zmv4#p^@7JXk&+UeHP<*7n-!FLj#yIbrn3!e zNJX85UB85gL+=Z2fF#aV?8{k74|zIH^RUv^D<%W%J*44`CK37iC>2!58b@82neYyn zqRK0e?|MfP)9xM?8q7cav-Jer%tXjyM#%aqt%TJvQ*;9Q)f!pNz=%rFS3m>vwp6mL z*=C1}can$q>md)CnPf(7mEekpHD)ptaoJI&+VP}?xFvLSx4*HbLQrgei$>>M70fbm ze|gAQTfpHNcFVDK!=o^)a*&2Xo?Ny?$wHgnf%?1^mn2`YRnlp~+Cqq_=8!Ha_RXzx zy{zbSO8<RjgcG_Go@!RJKrHEfnk-P3sKIL=Q z_BWIikfugYl8t~cT~PNt(n?UyAgYKY0)OUERJ|-s4q}QD=p60CMgvi31(QYbuH$DL zAdL*S9l%ZMkoz3q>}FA8j$l2DBpNNB(&XTT>q+JTvCWqUv0sGFrn487j~oB zQipCoMY@_T*sAtnnr5MP+%hArv!I34& z$L&s*Aw)V6ThU2!V+%6*k}m*;5;v(B1~ZFlWY1&km#ohDzjuSHjnZeoGg~g!r(`Z# z5awU|LaOjYH0A(Jt28R|_neJ0QlSr>t8T`R_cA7uMZG~5*oe?+#k+M1E2eDFMZYh7 zYeR?v*)4{%mwgpqW6$$wJhjs@w=j|obPj?DL<|+zbnVXYz(kN^+kEj58-!00RL)A% zJ6lh}^7~6pglmu zM=0|Qui0?B1g};n>T7=YH`zCRLP`f777eG9ocKtPTzX+3_cee0)s^UgNV1#K?fQD| zC*xvs4udOs!d}WzttaP3)ZJQ6W?U?Uf8L^dauvq$L9+q zzxbYby218OgR>wZ!JR3+{2Szms(58`Yf zg6HYowY{f#!!+q7-_{fBb&4atUQOEsGA=kMXRdK2DN^r)^PyOJrWW;j$|k9J>)&qG z19P6^HR<9`pa0Qf)g=92x2yJ<82Gufs=e)#8^PgPuAX7e_3v5CTWAV0-uJw@=ND@? z5VL*R7CGi9sB;rh=3HwE5;p1`#-XhxP;clAikyn*X=5@{Q= zXYTGEZ29GlLhOcxo=`yU$QV*VrTsIjs+LWm;O`J+s6FkK40*X~ofF}Q=3DFIg&Ain z+Vu@GYj)x--Z*|oN9v!OTD4vs?AN^0&-9Pv-lgK%HlBJlm3a1h3SgFU#j4q|CMnEO(i!tC+9H_9pB6XikP6R}?kqW6LzLIXZogjoWvN z`0W%hq2OI!e*)sukfwe9Gk>+(i}EU`f4a=of}H#uZkcQmlSuGg7g$!6ZxB{z-Et}*odNTxp-)$*{& zM;qQ(61(q_j>>kD@{5!S7Hb1NSsb= zcN**9^@EmFkD>{!$eRJL-z0jU@jIKpaaGwXJdG+H=cqV0X}XWeZG2U9oE5W@d|V=P z%Z4U;b&-5lmzF|IVe!ISQq|_2(%lo?fKN|YatA*S;7mzLe1J6*JY$;SFV8W*FZ0>e z8%>yJdf(QomhOE7wm}F5jR{LGH6v!<%roDa!0lppwSF|)$#jGc$c2vBa`HUSeRQ=xL>Fe93TlIbL zWqfaUFPNU8hn#PsJio<)2Zf!qsA~mrDEMu$c|_|Y34&Li);}m+JmfM3MR%gg?Ue^% z4KVs#1Mfs!c*`n}pjhv6bUviQ{++-)>Y@+k)T3G3Va>WlkM!bY969yTLue4GM5Vo+ zMLltG({^SOl*>4|zo(alprVafS3 zJj-g%K18LO&0lTq&?L`X@wOWgWtp;-%CCsk5BV)I*-QDzqU5+z3V4zuX8oH+WaKlF z(=8R`U`F-}H}#hnhv=r7OyN7ZII^FE8jW%;1vZ?m_N4oq;-@afxyYL6Tq9zQ@~w_l z8p$)~h1-o>C-_P8$D-g{-!-jDeve^T5Z&4hGZ7*Y4O?ko2cHe4-jClRX2u#3x~GJK zutzK=NvH18lon>b3!hnpFC1dQbn5!^*qaEH%O!j?D8LDBW>*(NSI1T6iItIV1{OF+ zNLQuyUavR^fdVaZ$P+>%y#*U^N$$->f@c)sX4Ad%DFimeww-CB_WR(S2z2CyF@L** zVT;7UoiRQG#HEkJCn*k1I{rRlW3B23Le-8Dd|=sG8JW;li&P7w*2r}C-UKb{=9Ojf z;1(wbhyg_Zj@hX#hi`h6yEm$0&Bscf|1|7put4XIzF77Zca(UE`?Dk?tnLcU>lviM zs|+pE!BHmx*<9oTlS}DiIp?u7;S_Q7Ox?Giv?b-aBT16dUTrRx)!%%iBXl{mYhv?B z88m5MkM{MR`zo`I9`Sj4E7#B#KgT`hw|)LVSSHaLRk_23Xc{IIe2D?HT^zR%HoeTu z5XJk2uYVYwk$an_F~PnxDb4XtpR{_v@Pd#}YFaZ;sDFA-aI@8|4v!D)a5op>m}NQQ zVdd86X|s{EI(RZ3i(?}!N*pX>O(%O-#QuOZ;>7_ zEG3{I>ze}DR&`?%oa&S%Z{f|Y40qddkAQ4)<4D%FL(n(|t*{S_l%{0*T4%XM z71N0rRaimY|3Y`0i*OO`(a#}*r3}>J3^KxxRz5Nnv1)h zP58ddJr`E=<+2VH^|AeQ+Z6_Kky-rAtxIo3%GhHq%sXnQ0v}&w#yM4@z<9_=C?Mv3 zjNhp>Ji^vPT*22g172p7f=&AB3%Vw}&2dq4UK_KzGAaj?)yBAs&hzLT`)|9q!IEi( z-73@O0iOgL&WakE*iNumKdc*~6?`!3WysRk=1d6cKZqi>(&~rLvQ0W1S%aD{9zP*_ z^n~mM#S@te*e+>=TTy~l(Au;cBXjE&YEs=y z)1CVaAmAX!v5~erYLdA31zqYIq#AqMKbFVb&(`1)l!bU&iz4|5RR_D$x$Ba~Y{RfF z%m7!h@+y8gOQ1@srO;@~f}pJDF}l+!OlY?fWcyZGgK*p@3Nme!an?CZ#`2^=ml@iw!up($owlqh@t#<)MRgWm=;>&- zfAiV1vF&>^`pB1(-bGc1M544786%dTiSn_uQStZ;t~8Oysh!Ejx1-}e*RhcQEV_4y zn7Gx%KX^r2xHu$f0RSB_yuZsFvpNf$K<(OH@!AZ4ipW~OclffQS~$kc6x53Hmt}V9 zY-7--mkD{~%>pZdiwUWGgKg;P4`b$Q{NS5Ctu4-bhh22I&MsW$KPuQn;-%m?u#RE)Y2cdc;w_o|2c zS&`sjr1dHTD_xAurcGV?y|t}M%~HrQ6p><{)9dd?B4OB4>Ypd8#O)VjhFK_{d+k)8 zWE>O#EeRj;#(en0MSuG4IGES*UXB4iZdZ=Z#N?KFwyqG?#l`3kf2Eeay;WjUs!8O z(=LEtUV34odo9iK;^#myK=gq^R0SlR!a|Gcp4oZ*DTgvE)!1467d!L-ol(QUtbfX5cPgH3!4$T;4`Ow82Vsy`X+)3i zPnQDMgX(U^JSXe6wY*yb@dt-V-k~;N)t0z{^*5w%(zP6zKbdnWkT6BW4I$}%U}ou5 zP`NvDkTwNXC-aZ7!tFU9S6EIVR3QQXI)zBUZ^L z$FSkgxxdN|aPA*w_#3GV4zi?*nDhNCuK^zqRdUA?xr`M#YAMj{Z03fF$)^nqnkR9+~P zJQ0vMToD%~)Xc1aPR_UdQjRKb!qi;@)1B}g-?&{QI?oqwIo^`6fL-ro?ef_XZcfBs z*M)Lzk`waxea}K8(PFU!oj&QJZS9bJtsin{2Qd~(v4}VMz58pb59LID`v0)^)BZ{@X+`h$_?g8+#Rkm~EcafMp5!ri9AR*YFoOzBy|DdDIoS;7)i+muHDY9J zY?s5Q*BHZL;SJ0)spepO$io5I5qy4L_ecUyvU(vH-kh>~i^%})PP&-<#Yb9}2Pvi% zHy5~@cl)W2*w^0a&EcsNEx(Co`6h+}6)3Asc?wn>Y3((sL)9VBFV`NX1l`vH#gi3R zs`j5YF2oIzh~X1O59ruv!Uk#?`X-5L7cUj%ePxHV1!s$3NtO1Ab4!HuS;HcU5ZXI4IjQeh)}TFJS~+qJMWr%Y=!=daRx;6t2gzJPOUc!|BOPp*$w0l*g*CW1H?y4YDatJdWNTt z2$%Ow=`s8M?+fL_z%65g9Y^Y+m*N%YKQ}XF(`;miJkmviVUC4UD&?x4i8@M!S{~DD zXIosuYy*{g6U%3BKl>O>r#`h=3>SqMep@EN0=)t0AU?k26DUJbgX!3WY9|!sPhS^m zkN)FNKkm2p|8+Qy0gf(xa`*8i3EKl;lK<#z)bGoh!)^>X*Nm}9&P{T--?oaT$SL9F zmsS*9aL4(4Fa$6@GAhqqG8)3cPx=E8&@c{Pe5eHVzH>7=R!gm2(%ucL80l3Jy^a9p z*PB$$G@sa;hN&Q1xCfyUQJJIps}t=q{UuDhi!WQ8@ml)0B$UVHGuiiyX$m?Fm$_d3 z*eDm5Y$l4XrYSmlKeVvKuH7ew)xFywAtX_JOC57;-tjATbGtxJf!&YIKwK)r89Gww zoVARqHRw>MH8kJcKdnF9{Gg`aW;g=>)W?Fc>|-~6W;DiPq@GH7p7qiMImIN95@nl7 zZodmA_2^L<yS=(isH+-D0}Y) zc*RqJ(uHuuh7UhzSWVgH_ALwgg3KA$8hPVgaKEBxsGasHzuo1epvq!XGYhPyscdl~IM@q)W<$E8a>awE^JWRo#*O1ZZD zG>L#iJ>r=m1)?p#cN;iaYFySVyX4Rx$N@{M_G-WSF~=x<#Y?ctc(PM2&r`cnliqA* zL*@5%Hxb88`^RxEJ+`yZ`S-aTY9vzc(4I2yCaMf?>KG&s^emi-IqSwIEjgLvZ29!r z1Wg1p60t-+?Do=Rq;2*GtQ7wm%z>Yh6q(XMjA2`IPGixmJo9;W8`KMyO$8svVRU0U zj_41}1Pm$`Gr2>f1DXqvF;;`Bb zc{8Nm`cd!5HEeGLSfPD}@_*m(k<{$zj6Pqm%PuKSv^X|3pGJy(-Y>V93H zQa8hWqh14>a$mX<6yVuOQ6bijUrI5>dOz=?U*5~?VSKHqDR{$Eb8p>bO_8PCo5n_c zfiP>y9gw2x)~MQNI##`+XoF^WC8|qJsm;Gq*i>C=RAIPD3fysiTmRrihU7Jc013y} zml^j1MB>UGu6OHoeGj|)jAza6CpKI(Ji9X=)j`c_Q!<;xSMxuAe*-2WJl+PG{*3-r zyzpooL>`cuM4lOR14|B?Fuiv?$|Kjhu`I@<+LleM*AStH0zJ^u51L-eJugeLMg*%io<9LhjhS?p)iVjsY9d4o{;?!3GausaS9wMFE#svaC4otU_E^HQ<~J z8xUgta!!i7B~loa>=Eybc;3GqPa@Er9jp7$E#B-+qYAAj+pAQ0j zUx{>OeiX!>&uAuA2PTjS*Oum3h^z(pv=`8*5iHyvDJ~K!((T?)qjPS?wtk$A!shTUwiq^!Ndx_tS<& zm7m>IUL7mflDGgyQ%T}k7ll$R?x+n!(-4L%K=S=U{4}Jy{qotE*paAlut+YT@>2Us zd)zGbWn`V(VZljk)>w|*e&bQQ;wh$%h^I`6c&62jLow;uP*dV&`-dSn7sC@0wi941N zeXH={x@c>}ETqUIlYdKd-!xSEUY!k(Qmo*Rl|CB`Hk0RISpKC*qq8u zVlm#l+WjGJD{QZx^|&2yGM^h))HBBBI$8wIs&yYy-G9s^{(Dq~^EK#;eIk~kb`{Wp zHeXyc7BQG{4p@_8;XAX@m))F%Y(DG$jd3JhC<*2~^$AmsnK_s1d~^7blBe3h2ygdc z!D8Yu|# zm%np)U4oTKR0mhgi=x`2v`?8Fp)Q~90??_DC%7bgf(^7L6f@?W#RsdCXvLQc9HEJL zFXtBpA!HVS*C$oJ6`(AOc^6&#^dsDHBTsJMD|~YYDp^xo&ygA$%J;BLw#hw?FQqZm zz|7QF8z)V#OX}4ZbBc-$d;i$%@8<2!IzY%9HSPzkD%1=5*!$rtk!N$vv7efFBW*(@ zrxK;~C%#p0Mrgswr*F@Bi|nj9oC!tg7ms$x2F-wC=jC{_Y3D9A1k446%-XHP`=#@j zGi4Cs!_&`FuELMR1;!a}p3VmM;n(D#M5$Jom}3Cqmg-Q3X=u38IBH@fTj=2~Pfabz zS9~`CNF|UukSZF=P%kuFSDhh1VSMY;;|>?JE4zL zke=fcc-EL7O($f2cLF_q{*qS-m>1D({lJWeT5?UU2P$>v2vMMKW||cGb8^#{!;eWI z?u*;ma5Ax&|MjTeK$;@tvHs+l8p1_U#tDaKvyQ}fLIrRM z6uey~y(XKgdR(jF>{@AT4GA+Y($J`O7^-Ll@qXjDrwn5{{`IloTtmfG=rJcB zflJ=e`*{yVpJOvkY}#`c_vNZcyW8%ElgAhLs+WjWUdpXNQ(J)uxX3xTQY8~&rJqOV z_ON}`MK>yJkgEbbcdJlQ6Fr;nDUzwb>wv$!D(VhVvG+@U#XfSIrHQHZGH>cwZN9|J zFX=@~6;9CgQvL3FPMlsODzgfA-U;}1?xvV+KGJRp~+p123c z#VD4RJM5ywd;pEWFePVwUhESTH2Jmb6HUPPes@}!WSm+}hL<$yh2Z3;7Nr7Vm2=UK zSdBF{PM=un3zmWD{hdU}4U_rEMK6f8qv4B$zqzm}eJ0NPT9o%G?WxmG(H<7I8{N~* zmG7ID1o`5A>=40G=H1LDS5viqpK_0+;byvo7Zfwq8TCE_0$&lAI`iy2=%QF}HUTFJ z>&mV^J@fQwWKyNJR5lsWc?&xwG?`&qR=j!}gaIAD6UQ}+x;fE8$K?c83v5V&TQ&it5qpKu7h&-|D>WvkttDB1tOLsAL7O|rU2=Ch$ zV%OY%8lkc8iwtlRk)6>7>b>YT+63ZHT1l{KXq>pbt`NSCKs)|^Wf>i$E@%g z_YQ+ORmtJLeu1dTO0kMntLXEDC5?^B$%rd#NV0&*GJ*KoisYJL5kx}I*7v69 z1HZI#vn$>}2ZMgK<0ACe>KPRnl@zxES4kCmIgn*|8E@~q5R#lWKp32HjbAblTSYKR zSeazvORxrP|6MVd@XNQm&*V-d`%iF9g5}Zaja}Vi&FC>KK6jhVJFARbap$CVkp-jh zO?0Az4p(c3oLK?Uavp27UQO1I7nw6`kAidu zgR;9m6W4lgFHB5&M}kw0Lk6~zS+YBx5`EgtKXhoZ6#dFbAZ;r^zutn%TtQ{+Y*I&3 z#bo6PfViXF;eD4cJldeIz-Alh7FXsyMxVN(6WH0vZeO0-4rEDhZOtfC;}sUe)cisn zAD3lT2DZI{yl`Ka#wyLX*Yuw6aMFJ72k^T;l5#gae|ReRoy_F? z6k)DVE7=?y4LhPX%^ckU$8O~$HI)nP#DT@lpR2sPBB#A~f@Z*H-sRGIHW}5L8ETHG z{tQbPKz?}~73Tq$v>51b&3h;c5HaD47WT@_i598>7J|-A;oDmYmfMuaO;pYijtQuc zeYQ-ma2<+wDYXUt6L)Uxiw3Ol99_u(yDGe>7PsWwvoUsfE8$++h7C3#fW`(0} zYI8&*+%vpVJjVIPvS(#mrustzIj`8Ip&fS1WA65NVDikauVBDdIi3v=JKwT-QxShk zlG8@V@9N8DjLb2W8vP{yk3H;CHsC}VTk<>3+s?)Dtt?#88P%RZ^~Q*OJ-8f16OlJ? znU;p+HoJMWO%S-@A=)s250ezX7_!}QW9Q$DccFxz^CAO(LBFm0hB8)!rW5fQu+C9d zrEQ@bU^@aupal^;6jqjjbimU{n%*&Jk5-63nQ8vi)*t^NfQ*<7_-G)Wc1@5xQk0B#|cy7Pmd-y_i z_W9%5H3^YKK@Y1c)8$B@!70(E!}k!N#!Wo_v+`jo;JUSnFUcWnPGQkpm$4BKLO{=9 zTEch|S3Un;zg#LYfhfvhhRmx8k4u2e9ic8wU&+zK#YX|7X0~#8^#V=E;KNe=j{}if zq+m)^(u3`2DaS-%GpE_Ua#^5#hB=%1n#!QAlyAw*vo|W>!I?gn&fzk>RDrCy(PLp> z@9!lq_+&k(Sw=#W1-0;4Q<+oDxNe=K*q@+PR3 zupdC%7~6M1j|Y2eG;Mid_3*B|zbCq<(zvsfftG@@;k-yguNVW3^Wk47ZL|O&2`VSA z3YDK7p+vQQ?i5;nDBvqR&2>D354GHEH2o1t=KP$TP{HRYlYGc=`vtKYV!*(xJIk2- zaMfl4C`$RBC092opk|jZQ~Yv4n^1O*X_JD_ub`IOa?PuQWCfKoTo}45t2%y4XosIK zzO+h1X`js{Fe_ui9e@fdy4iXXb@PIjZ0+QQ{u0yx=fG)o#>V|}kG;(+8&W1(}&%6M>u0?QDLS{`!l04CZr4H ziu~~bJ=VM?+_XgcH13feF2|nFr&YSvsoj;5jIsljMkS!y+BU#nSy6uyqkM_~WP9>Sl!Nz*_diynJIk8#AYXB#a>%&jBt=7zjKd#*}EI^FQnG4^a4{vzZwJ_743% zH>sz?xDwzur|zl5PPew?x#8Ia7+XvP&l@lUxQX8o#Ejee>jgGH>L(rmKHRoXS|NoV zbzx!kKA!176M7*5#QvN2QL!z8=#VA62W#P$=myNVZD`ux+5~VWo}!=d@FirtBMG|U z2*)A(`xx}6ZIeVhihF?VhsyhUiW*f88kGnJ>aPOS9`{n^u4lETdA$QtSEyT@uBnAY zI`%7~-I}GKGh8$=p*>hTc-OYT5kf?tBKF5wzldrc)4_sJbo%S_G2LJHAOzjHs|JlT z9M!*2*AyyoB>di@Dm4=0$fNDQ z`=I8C{m1Z5kL%+cs-aAw0F{l-4Or;09iF}wWb7&i$ck&9vP)ooPWR`Qu>VsvWg1=R zy*qR+pU&@dI{^xZZM;A=7{MO@>LDQfk92q=Q4V~z6!Hy??Glxyxt{T`U@RbFj)gS0 z#`}Yc*{fwr%nlNXTijvxKCzfZxgpV?)PI%vKoKmP0+UYsQ;;wm7o(5S|LjG|WvCWv z&W!$OSwn(_s6Z}iZht&qQ}B! zabKG`l_K1W8o;wCv+>%OOB_^#w)`Jmtzgava^lCZWj+Lcm!nI||HYTn-3=trRaN<= z*ujSr%;0}T60JF=&(Io|8T3W`-)x$XE8$nn>jWdh{HA~+qVq8!7m7dLqXnpZsh+{t z&o!R7m;nx|F!~#?=X~+wem3L(enK!{kF++UZSYk=oyy$HwVRMpME)*#kJJ3htd#|MeVd4gJ9|C;a&;edW3sYX5<=ltALX%h zyLn9WFKVLUd`v~{TzQh7YYDnW%n<`d0VJ`@-*EegL_%EK4|O{%N;U{$pt6wCk!ww% zD4~J68OvGP|A6qXz>+_k-wDIMoeZm&bQlBn1|9Q*%99wmFDACQ*>^wrQ59vm);zQ; zUwrsCk5arsyDSRjA(ML$@PtIdTh$~Rhwv{3%r3ym&MGb1lQxmaeuaaIi%Wg~(OWsdOzIb9MK_i9eVyT5sHh zC;M)Lh6TEW{k~BB8OZ<9N5bwg%D-v1&ZPF>UyA9kum-vhSQu|4I39e&#Qm?o|NZp8 zZDX`B+${ZJ8%rnOEGEBs8?adeaq#~IlK!%?OVIgYqA+2rh-Bn{DEz;l{LgK%EZQGX ziz;08pF!=PnFnAJqXv(`jjQ^15cl8I_}|+f&(Tr2D$)f16<7V$`x6ONN4UL=(vSb^ zp#SHgNo1S+na|@tAml#*%D-0UJsPSbCb~G{cmLAi|8>#+n_&io|5*&_iT{kT{%<5bl3sy?;3F&*uDRtNw4|o z_K#Nm2afzNFzK&H|G*Ix8UDd>{|)Z_H#+(M102y;ez1lo4v?qydpjYaoudNI+W^?J zP|XdHSs??OT~91&)y{T4HT{I!Kldi8t5+)24JA9HxY%Y&+TLo-%-$=c{IN{p*S^`U zcAWGGbI6_p<`EcubA#!7QF81ml$IYFy6oC%w`#re)1qnJg&@E%V>4#ed8JKKxc9Iz zrde9k1-GDL$j|@Pvv73-i4ce2!LU6CvAiH`!qKlFaTSIZ#|Qc=uHcKeJbWq?DyFR; z{68&Q5pxX?f!t#VsYNBJUO4r-iU9&sk+ubgAd$pS)UC5+o~%wn8kMG92P|4aEH3-oVmB!d;GD^+54K# ztkcyvyxMJ$VqrzABkz5RTVcW(tTnd4r;m-y7q-OzALr@`a?}ZLN;{OH@!w`r)R(H4 zj+X*S))$VG%w#h$^!2zBKa1a@trxIPAFBO#Dl~xNkK^PExt=qMI80WTzL0U&@!qL$ zQ#R_>ri5;<=`Wc;C-eoebEbFd)wY|~JDFU(3~K|e(=zIJa}VMzJ7()+%Uh243cov? zVcf2z35*1ih0CyP8ue*3T|vr*-aG;h-kFf-pD*4-ffJ?*4f0Fwy}gzk6U3b!^V3fE zdR!tGBuc0PE^e*zQ9;@Xsp7lm^Pcw|X#?A#iT?EW7dUqMRuuG>*5ihHJ>5M+Z;nBH z<0VMiyzMt{hh&2QbRWQ&z_82aU9TU$UhGy(}8b-($e}73d zw_*Q)fo~)dmq%|?^X=HkM!O9Savp=;WKEXiWIrHHd+GyveaJk)CNb4qGI5ZPy@gvb zNEoaznQ@or!Qcx#6~5XLNE-cFS&RYT=!v)>^K3mFF<)7|v+BRsvbW2wJg*RYXQg=I+$wLs$ro9&6JlS-&4h-u=^_tySdt^vlch$FvtP=Rkz`W*KHiR^0s~SnZw(6_Zd#A6`)RA`Jx7T8l|HDsAqj6~7RUm^(IkXQa5ko4 zn3wt~rD&V|j@`QHm>&@7A_pZcxO#V8HYd4C*xNg9knxsjZ zC&FhaYXMJoJXUXuOp6AUFMbTDCaL@WPO~;ZtNny`Jo8@gt$GKd1?nrb0N*i114I$T z7`jl<8BYI}6Zmzq7&XHdP6_f$XgLd${Fq5*^}EnMd)*)aIKK<`{+hTz_V#O^G5$;1 zo5*0@IUVb{L_1Hew7dDoUUi+kPlsGg7L7VBlpSbp0Xjvep?0>!>t{Ux^Lr*_yd9;0 zp`Q(DRPvK}4I+ICpBE?g6Nu+a0w@Pd2d0Xm;5BbR`h%M?!GJ}ooQJI-qDu~BYJK7m@&*eFPCA^--h9@I_+H_+ zSPnp(LrzEYH8+x!5(ChyDS?e3O@Y>djHdoDLn4t~`ltj>As_?JQzri=&Gg55_!(&Z zNwiQRh{qV2uH9`(nBU~M;Tf~dgwo3 {#Xf!G{A0L`h~i3EXOy zso`Q_Xl!&4B(>VAAlcAqba?o99Kf_?QG;gPvlZahR=%a8f$G3!a$)T+e z^*w0a$!HrL9Pp%Kd5sBFe+Q?l5&D9w*&HNwCG}WB2rq<9I~sd;?-+8=ZC4q8uMmQ~ zs5cMNbAEK=KrQ0OcW>7tFgSe71L}M{@Le;xj52x?d&OfDl7s~j`<+hK!jL)6Pv|9W z<2ZbtewPWf-(5O1%%p{#&=z7t{3`f3e@)V2M^1f>^7OM_?rv9TrKWky18NIn&@{(Z3#^AJZ>V=@5`*FVkhhd_#*REXygZn%A?Z=zL$M*_DKQb2Mk_r$R zslP9!e1}e)ue7Zl!kpY3P1AOpZ+uo&4+)3nUJi*o*`Dyr7;WQ3*%Q6!+xEM87wi@9 z;gjv-_wD=R*Vx!exU2vcRG+3)@pJ`s?B`*+=xkxOxUWpnDSHSCq?){3g!J8~7N ze%AVVD=JA8;^esc>ax|L()%k{VkLYRUp-WxWHEhsAd+jJWZ0HU1bA|>Kh0O1ZH?UNhtHVM;{i-W zH^rtHBBArimVh-ovQItnF(*Gz@8&#-YzBq<;wwuuP($Ap0SEDdg&~RnW_b@9q0L zs!6JDx>-ZH=Mai;o!BWoLi~{HB?s^tIWt@SeSQ$(yK-Pf=SUi9y*)$2_V8Ndl<4y6 zE0ko~CjlBlWXH3d$Th1!OqX3zW&SAfrFf~beA#>%Ap^TYd~1D<9{R%3&jYgKowU#U zN@f4U8MAhtry~*TTju&$DoT<;-ZG{Ng4ttH76#{*wZ6<)c&SLw%!Ss^vH~%#UWWt4 z=jib%!RF6%ba^m8oPU1BW|~4A&zWVr{4nmbt^ICD5Cz?Juob-Js+|93;iBbmjn$#j z$llfHr{wkvg3WiFQ8#YatyeB(X>?v4F6x982X*L2K81H5g`dUghnCOZ8f=%oYMFW8 z97Z;tDR8nOtY4a@8S(1@g^8gsx8Qv=>h2E^;=9!*?4$68wQuyGd@zmKemz69H!Dpk z)IQ-DpQanppW%tB0y@@Km*%f3R-7;3D2v-_6NA>TOB}4T#?89k z@8*khGE-5$5@DS^S^JlBu@ge(0mA*!1S;Et4o>2e^DA&cXGO0KeXJjrXRnW#^!=_K ztbYDfKGh8-aV@za@rhsDKVlXq4Djg4W0IlHtN2w1J}3G9On3!J;)ievo-4o>e`mP( z0;AVg2jml6&#{ImU1Cy5D=?Hb1T8q$I-eQp-;37btUb%V}0xQaS*RBBlZn0 zt?Y$&<0_81?acG=Cd;)WEhjmfX1~(w$nLc>xuZB9SeI zlMXyYw;%Y4{^NN2!r|Jgw1hwamH&V=%&+k6v)8R5+u9lyW4zMi;X7^~xc7@cqY-|) z$!RH6iq*6}?oDO*{X%ktqYhFq;&=H5A z?HD}uI?#h#APMz|Oyz~wrQ#ej$w%C`O2;@mH{{rhf8%AE(YdU} zy?mA1JIzwsanx}^H)+0OHHY)t$dej+&cS=Bb+s$zn?d2>ho#3)XFrDB8#c?V-Y=EZ z+b5k)CtdVTEe~b?foP*VNkz*prrOxwX)P94xjMDDEDlC;2k89jqQp+Ig+yVi%}1UY zKA;9qbl*dpKryg4XkgVK>5hpVE1%LMDeVP%pHSdN;n_&+y=eXy8^1_r^>kHgs6?x3 zPl{oCUT*p)Vt0IlkehPFSN<;Mf~&8UF_=A+X)ZpsVsgOh!tIl*=P^cV&P9AzTWRuk zOSxPEocN$E2NAg^%cMCQ(6plExB=IbvS!z{=3|rDtezdnh-h5F$Ta7)7lxnTiXqWh zyN7sfW{o*oR4YhW38nB-H<}hR(1(?hp(LxE3xKV$rS2@~ zyr8e3-@Yd+#05!0=?qxSgugM|e`M7)Fx@w`Tr~nNkv&0Rxx=Ud$5&T_iwQH$;|EI) zD!bHVX490>*P&Z}Z}NPWB+>yc(@^jMA$0}KEYEbAdwk5fbxc&w?-HWojHgkXtl)In z`SpGbf*}y%ce`lX31QTc7&%mNOJCfq;Svg3Lp~q0cb)i1<%BBn@_`65lHYw<1BvO< z%HUDRHMd_P4)Hi^Uj5qMVtM0!x=FpusZTKhjqk6Q^Ap%SSGo6`uOawkM*}(byv_9Z zW$Jv6nwjMl7Wm$hL%7F0OE|uT_Z3TVvz6ZOLW-w?8Il>jm5#aR%F1=v1v@OlEt2)G zVGmM0DT2dOMne-Eu?0y*42`hO;$%E4R$~^|m5j}$DzGz8W4d8#op#Hgz*Td<&xr`j zeRsaLU*c^Ni5*VNwg(}-1^e;v1tg5DFn6jE1O%i$1OaIMnqs`__YJn3Na@Vxt!Kc|5ll+{1>h!$b$(Y(A``OfHPbrn_8Nb)p1>_k4o*)b8eNXsDz08Rnsw^9%_?O(@eN0w%@n>6J)GC+ zA?)9vy7Q^$g8l@sA3yv4naWT7Aut`2s7HekzQo%bW} z`%AjY1`0Yn*G*74_;Qi}Y8!b>T6k$cUHOT;d^W|HdELx3bF<(>%kA0N(jke?a%ue6 z>R8&qK=0vmXPH56v6buJhR?!-K{^HZ({_5c&$FhTc%#-ZU@u+8df$L=v{>!UGaFm> zm6JWZ6Aem{<7xAEf)z@g6k;pN6gMfqjw(W&vIvDaD}J~geDOwH27Bgx|Ki{$G)}+r z2qlH)2_Fa&eFVa~QdQ_;KTmiW@6jm`*Q1!VE)l=M%9&EJGmL=Wh}* z)g(Wa2HT9OktAxgY-9uq%?5JaFGZexOJklNjhmy(B^Hs|q>`Uv@8rF45NQ_}JW)Mf zn#91fn$Vi%;~#0l1?A2L^&ceq5Tu(wwK=`s!8Pst7E+N&m*Pc5Jsp$0=;brV{SqQl zH8_Dq`sGQ#61pJpX`Tws3KpYeHgN!*IrEpax5&1d3u2rw0n}>$$Q4N_NRz=1+{1M6G(-7<3rAb9V)(v&D&ewzUPJ7OSsvzWhZHkrq%$c7bDptuAn6wY*2@w)wscR1L9j`j zCt+={X8}rVccuor4_~d~gz^W-?PhU_hKhLM+ju=-^SY6JKOBTB8i@MoaSc5Kw5N25 zur!;=fovyZ&UbgS%=;RyyTAuQ-0}jvLBETHH(iFxnl>jO%3XMJsRs>L%H^CFaAl5t z6WB8og8H|m?N`5l1B=KUDt!PEMQOE>W6ePH{k^WKcI`C@v?EaC^C?_;u?YF?a-Qps zm+hLjfQw@DGp`!fg3Eq_{+ED@uUH}8Y>L>xxS)>Y2lL>?eynG4H_}oVK4Z?VSs&x` zLHyBoK?@D&y_a?x(z1{(X5Tx9elh6;@Vg8;hRhl71*5Hvf1om_9#>t=U8|)Y z_!YD%63=C0H-rBg?{KVZ?`?UPfLD!VXv>vOa>mg?(8w?>1^#1nf%lSU4(Azzz|*LCr(-Xtz%PDduvO5l0J@(#NvLH zlnw@R99xJp>rVD@Na zA+*megop0ek?@HqTwPeTdiu7YIJzl9WVe0aj2(KV{3Bzea4)^RvDF7I>L4Qlu<35x zF2j+?EJ9oBx+AxD338TeLr&)QrD+SdQ4&6t-DM*)+Ai_h`O8l{d(>jR$}+DPOL1QLfjFCQ z<-Jz8$^2oiz5;!1ilPPA+g#E4JP+UGhX?_gpjw|BU8e%=C2r3W*xPKw`L zKxoX_>T!zLwkL-#w}tObLo&@OR@sZ&1w&Sk9WJ9i-kBjaYkap6cZ=oQTgt{eoA#GC z{DM)GjKL8zHHQb1WPzc`V}Gcr8|NEpHp12a9}7LJT`_NfX`Iu>166|%~- zxSAWte~U3Yb22r`DD>2SegkbyPh#p2ZRaiQHg5u-6>I$!#ZyEXKlPFl7P|{}@K_=q zC!jHf_**+XSNmDIrBV5TxaBVYJTGDeE?2ux_fTQ()w~l_R^J09HA~8nOsrZUPpU#!PXS45! zWL&}(dg)ih{KhxJ;S?a6$|@iC;GO+B2c?qUZDV}BYoPf&?zCLZK24`vMA_6 zhocfWoyVk`1ctQ6=!*6AbmT`}IC)0LN-oU~(vc%Khwv`-bA-|}{1=%lEdfzB8jFJy zk2WpR?edwk7f3~6FJf@bZg)m8Vv<;|CucltNA#80u1~@I<5gdob-qm5BYt8dEj^EI z-7#xxW{L)U2kld?gCYQjGG2UxhxJ!Ua+4lMrl|dYr0~FlZ}y1owP-=KBYQ^2-mrV(+c{_=)OW;b4j>lI zsb>J5;ykyAZE8SCgxEylGtoYWviX)m*!Bq^0s7j_Gex*!&|gp1A-xvGLaS@Qrlbt) zVNYh$vHrK(-aUnNbKXvyeFlq%pO=p`+-)DVRz+V&{+ox|M10R*k$fwT_CIqgP1-+) zntt_7T6^WYPv06VTNIMPCg=FM0Sf=YbdGhpDm!E3k)n5nNM0Yx4H6W`?R<|OoZsTg ze?}bbO-jb-4o=(MRvf0sX>>4&P~}-1TMz78_6DzJP|oOsn$8#&Gb%sqDPN`K%^4!H z81pI}54*6#oHj=dV22j=?i;FemG0`bC#+0M4Y8dEC%;gu&y$B=OTQSxy&mm^yovCZ-H2^GOMIW(3jVcldKRH+GG)%Z>zFj4mIV zv18ACzuUVqAJFLqY;PsshDSh78*W0AWn)>Ry^9euN9C{g+z|l3+;Hfeva6mUJHI$a z_%Bt?;3$9I*bbn>#bKi+?%yV&Wt6m>IRjgWWm>t1>`5eGVw@7lV8=PPo%ZkdtlLK2 zG%Z$`eBi&CRyc|iu@_^ei6TOrVLwSqD(as&TZica{fc0~0KfXlue=tN9tBS2UbG;b03(G zi-Sqhi8sv-6gd?A$>z6x@kiJc$@{tS7_I= zl5XWj2VYX`;5>5;Y+BA9DDtI3lZ!lJRUb=%S^%vRudPGzy+)&1v@ zZS%Nh*TDgj3Cm_i&hy&8+?cC<&F{sk2Y_RnxtR@nLmD5G>6!L+clTBeT}cajCd^uI zb9l_Ib8&;A3XBkmOelGc42f`Desx5_Bo^VDyjGHdRw5M^S&SGJT<755ic-Gdn88VQ zZlcWN58XaN0H0dQ3PbHE%|*S4DTn=^8F}EvW^d`mce-qc25vVRehHZ*$?uKeE#4&b za=cakXQWqKeIbmEPD5sqjw7obr^Rugpb}%G7eC&<`+eo=QgEZhNL-H~n+6ZFuW?Qo z@q0ZkhU4s(ldq;k&9-|6a{Vwhn{-&t$9>OTM@|Bfip;9dA5`BSINAI7txp2?%V3i? z4QKE7-$PkQyfR1}=X;HTUKS_-kus{h9{$^d=XXaVxuq`4quT0)kgwZkh`pas509|B zxyBj+5|7x|lgXM&xRH|;Lne=kuj80}X*e2MX7Jw7xJTavDZ|c(WW1Emtf=xtj7`8mXvhrr4Igei(ZjXcNX4GK11^7Wt>rK5x#fZfPvHtPy z!7`vY!3aWp^aJ4=l(b@_Fn52K(FT6a>8yWhx zisD+8`Z3>wI%pq!Z4GVJ)=-B!TjVpE^SAt=pfX&Q_?I@x(SKmgl9n)aV|+xlgpR{9 zzlLwm^-+gGR;q-%i5ES*XjXEaBSx!1xcir#>DmXhqvu+DWGInRt{q$?FZLJTI8pp= z4{FXOdF)L@*pXj(hl2tKNchZ*j?0!MT*bo5*Qxd1z*dy1d;6h#pWq%2cwiMXIJ9c@ zMA>s`($vWf38!m@b(`LNBVy1jxL&9(5vsAK$NcJ;k%KRM!*YtA2&nxQ^cYNiuH~ zmAm`$S8%Nwmx7FOK}$Hfvr4KQ_aAr)Q+UuUYjIdaY!p16|1 z)bqO0!BG^Sw-9t0aL7nB`WEKu$!7pf|78%1i5J#0FlRj`h*=OHk>;bn;8b#hpTh>Xe-QV`CiD+pp?Y&P`Y(TXqR%s zY1>)UosJ|JCsD~FOga^Re(P^6Kag@YVhP(D?JhL^f(cOy1seu!9uA1KwiFC2 z!yedzHlpM%1Ohl0h*oKPNkYi@f3f$TVNGRg7$_YP0Tn4qRTNZ8P?X**fCz$$^e#&8 zy@h~?j3A&QO`3{;NRt|R5QNZ?UPI^|LJ0|^-i^+TbLPyMIp^N{;}(DLJo^cI?Y+vk zzVH3kTJO6hrhRnk_^jboP%e~Gn;7qUT`GAD78j-NtjM|jGR}mkiN@m}qve)bo6d^G zAeomnY^+#DhVAQW5DQ^N=!nVrt*sKAEZ=PEt@R@}&@h zuRhM_mv(n{6drj(Dp6>?QZ(0F(p?{5YXb3Aw)Ve7xS ze3Kxpgz0IAhI<1MX6<9)9S`AewqQAYiK*cx)opqub{FBH%08uJS3hOw`14-MiPO8# zQ??()pC^k*HOy>U>|7z|)gpq&$2oUNQJJ1}U7sH+FjpV~Uuo=`saT*Hs5^m~&M=uT z`!!mJzIMl?jVhyLjC5w~m+8}o1CO@noAG1sAi|OoVn;-@iX)m+m)?&{*9a84Dqa&820;Z|ct6e)H^_Q2sf>I`mEHDvD z`Dfb96U#ioLW-+v92jIPIg3X;6o2m6O^U5^{Lw`b9HvOC2W4!LUHfYrMQl;G1Q)dS z$NghX50!&?V`X2RFLKwKGq>ZG<{eI9O}(V*&>OF4#D&tMwi4wmA?%bbZk((Jol!yy z)bHtcGIe6aHyiaT7?l?$`4tbuN^?Jk!>86MlJ!f1SJtJMjMlrfGLBVVZhu_06ir`f zf_#SMr3+u*@GV4n4*PMVjtQ2wq}TBDJ2&9>s+rA9SVGqDnBTD@;0o zOqUbCBh#N~vz+D8CXJ!#RQi~iMw7&$ zsn2FL@zHL1&GhOW!RH>4+q~IF{ByVO5eUAYsyGSWDb8h{Z0(jc9%qum zN-ClW-g?OMoe{^a&zp5Hned4QG)!7UC^mxqeIZI_=L!QR0X;PkNB=9bTk@=u66+=a zlgSTvEaO4CNSAa^e97Ek##elA!}w5W_&nD=1xXoveb3cs7w&u7Hz zt8R0qw9^@uEVnB#mgqPqSi9YzV^0t(ga_#QsI0uQfh+h)!U&V-9vt3!xP|Xk@#l`y zphn) z;OK^D{K7*}+#`nA>44M97Fx6oidJh;B=GKZaCzz$< z!&q;$s&Ka++L*eSBtElhKNnP2O*XDPfibO&l<9RUTWp;ft7X(YADt*1}JN!ELTD1*Pb!5K@}{oGzIXqZsoC^0onCSPzM_HpJbA zqmAaX*2O&Wb#l~qFVa;FCmY(4^<17^8t)W^C|=q*i=J_};^JVRi4%WPg*}~a?<+aB zw`5rpusu3?VOgBF#=rKXi`*N;Y_sFbDo#w|gyrUjTaDkthm#dro|fm#V6_RI&*Tr5 zdrL&TeAtjU4Fs5AC2asQ$`5#BO~QybSub~0GCUkR%V_KK@JQi;$>e(voSOVw)G(Kh zL8b2NW5sYNcu!jL+!|lJL2lOzKE?5;`p6Fvb_a>L$dh!dX2?lZyL_|q{pHVFx>2z` zF`gXE)T$oa*i?jg`t&)HDXC#ByP{mjU|`#(r;kq|=3UGaFEHA~lSJ5CG{Nq@fw82k zp-7X6ML$n5|2c_5)rD|TIa?l^4bpZtN)@HZSc&^0+>;A)4ccJ8N=jD%vnwdIVJjC+ z&Z71_LOD=DTWETgjIQuI=-&216%dQz&PLfGGI}p2U8OsSd-*NaXPxz=c{=CIB0i-k zUeYJl<<-o^vhJFc(<_kGc&y=Bmwr(jUtUSK`#cMSTk`J}+VnSMhaC9SoX$X>Wz!ru ze1j&9yl97BZCtO*tyT(>S%tsUehm)f#bkFkl0XOX>+9w|FdL+o;}qFO=&M3JYOwLe zZ(0CK+RSqc4K5!o;hQDxPcE|@J+QNV3HZ_j<~E-KUoD~aB&>uk->L(fPG~ZZPI@=e zq(sa~ckm9q<-A7Q?-SeP5NP~umDRCkYM4Ld2;g#5m5W<|b<`nWPd-IPt2+7~xYC}z z04xsPo|4JMx)^=N2mYaY<{ZK;&cjmEZ+LRguq^p&rB-uWdU#C=Bhdl8+HCZh;N0S7 z6|_><`qIJXmOX6ODF=ue!GDYzzAvcWqWrnJ4qxn9Yv*k;s%<$mg3&x^Ym;r3Pxaj4 zrIsm$d*{{-tzZgDDxi<}m4lUG!4$JWtf>9#-+%n~i+aMr1Ih)4Sl}U4H-8j=LrVpu zthd#RZ~R?h;Biq5Kyh_Zib}yZv)^C5{|+O5eu_%kxYLn8e)?9aKfnKLB2dZK{r~@c zxfk_wm+^`_EuW?8Hls3zTJdJvi;}-&jb7{JjP*{a!F=!j`78V~6M_$KMTfWI=Z5Cy zUJmiv=l~mKj)S>(kNm^-LSf1><}-*zJ1io zA2&*hJ#-F-&JHU0oIi5x9~^c^^?ukE1sv?3T&@M0VwQYl zt(I83xTGC)5jS8?-dXHhP#V0kM8hxD;3)7wq&c? zsr*Byia!D#d*t~O(Nh$DiP7CZfLO_{0z%YNyU;pzY6RK8WH{?I;< zG)($;C}_hGJT6R7Bio~eVVIR38?(Kfr2VPw+(pN>atX;FR92*Hf&aq*xqjS#r2D~tv-(Rs!Q8|+ z@?{*d4h_vnKkjzw0cDG*?e%{^FqRrmW+p_0LwQ~Ig%A9w{5 zvN;}1h+TkOsM>%kaS%IBzkt_{9u3YL(TY{x!_P=d+$!_H`Q1TgyVys4AC7uQ#$Dp2 zv7KB`8ZDiA()6Xv`H}k;Z+)xY&3(}Rp5K9vXk|b0CE)utVy)w}{16+TBBT2aJ|M`{ z8iUSF)gO^j*_fv5G{xSyMh~)PgR94!oRpr|xv`{8G+Fa9p#0tL{=)^QE&!lE+yzb- z1l>4v)XyOoacHE;FF`vTN`CfN0Y4Je8}auRs%$|6%uWG*CgbZATjD(F zKQe?wrjWja%A_UW8YN?MeMp#z`El>VTwIRll-{<>^#18+(+Pf`qj?}1r)O{azuV)nQzLdSn2s8 z=t5Q47Oqe&eQzXPwy&5`Sy9JK_&3x0t7!??Ovp>X&mC>40MYWt2wVI8sO1_frx3;7 z#27MiA`)`Se^1{mMvSo4-lKi#wh3hm6aN^^e;AtI=D>Ske(FTDrU4mI$E`mkL{3LJ z6)0pPWa%NiD(S%bNoLGt{i~EMorYsa|KW+(UjY6i|1Sb)3dJnP9d61N&{c%w--iov z*f&R1`)`g2=mqwBFGY_2R{Ov1E@i9z;&&PU&FLHfqUo8|Q~%I_OM*a#FIe{T<-fWC z+mN5#{?p)oPPKoHBR`$YPxt!WB7hw3XJGjONq(Tb9~0*P0U>qAkd9x8NFpvGSTYt( z(DD(AIQLT5se!3VFy>O#b~@@h7DjeP6E?(`A3rFp!Gzf^MKuA8&c@hi!cutmJ3M*E z5>3chc;~_Qgeh>V%yvrRnjUYwAI^p)qZZf}@`3msRtO-;%lfPbqT7(Z3OK?7$2)x` zKj+z7EXErnEbD44kYjm@CsevaM;u^9hf`U)wP#$${e4MjOV0&uZ{P{X0vnK(+aQ%f z((*zEC~$osgK#S)+hT7W>yuH9=l1~+b_5Xcj&vsH z7OI%{WV8N|)3#)y=LQHT8vNIFj10}E9 zWVnEpusvZ>iyI{O125Of0lT%xn7Ta{lHV(kieFBXuyM~k%q-%`WATJobZyYC8Zuh3 z8lB&OU%|3uAS-Xjf@XELaT{suWEfDIf!y7PCA z{BEAsS0_he(o`0@!;j4AybiuEc>CD&b;`B*>!%q1E$TJ19}bq6G`#RRhn`<4fD^oe z0!!k&64E>_5jBC};fnxs8St z=3TzV9{=n@Prgf_JPjX>{+dNQi3}tQ* zElDOCp$A~wTY;RHZnuR)2ngHl_39qDInlk;e`%Y^u}84^=wc8HX`{LaMV_+u#4CA0 z97L{1x&&UpjVhT&*Ws{cTn@VIil!kzX?zbf2%D}3?L)Rl_KbGAs0fqs3qrdJGX4`Z z{4vg6uQlpE;1oMAYW7uqKPYv}>89C%(^Pcq&La3>dyvt_Q>CqJl-$a@F#zm-~(vGO_9s`U+Jv-kQs)M)8Ey;LVZI z&d4gBbrLioAJwb>4!PItUb@RQz_hXG9D)pxtJ;S9ypxMzZa{EdQxp?QTn3h049{gB50)2i!Jdtw29_^8h5U&&uvfIdFo||w zE#00lLpNzNn|?qwhC|T#;*A@@6vL6g3G21{6kB~tBx`h=68D*7Qe*wr2RKQ~(v*$V z)Q@9^423BCUiw#%U0~d`Bv5$gPD)&v+}CQ4!^>~|H6>vdzJN6ks+m2-p+O=l8inJ` zly@?lGQ@Q-c+0F+ZEhHORlAO-7Tq+x`gQKu$cn=qA+wyzTwdj3z~Y^4e*L!V$qsm9 zm^k&puaLKm!L+ps2K*_DwL73|{3||HLgWTyldDt+G#4f4S`$o`65GhA?iqq$7<=m5 ztHlb`=v|0f=;D#`69umqddA4hj6Dg$Vv2HYEnHl87L>%&M_i5rS+Twk`uYHf&owLhPcY%8bJD*w|jEG zMg^qW?n$X05@hn*y~!D{_~Zi12{;%BM>1P=)Vg(=@U5;L4kpYwQ@H1Vhy-mI7nq>zH0Mc+P0r&y&mo0r?Yig`P2(8$|LVjibzX-kReH;XWBI#6gaC zNDUBG{#j?gmoJ<@ZG5e!KJ25s(OrKblBawc?Q?+vR8c{gxtVPw z!l&R^U%m-40-MhLB^ApHH`b5G0e4%W1HE`1n=GS|bzZaEY;*#H{gAKw#ON!8VYVdYo%s2S9dGL;Waa zi0-_rVHye-XELlhxCY?8eaMQ-(Sl!}0?a+zCHq~bZC9lU7z{Ys-4>n7sPC<2oSLb1 z%Yv-BE;ZX!=8L+6h0X=l?9JcD1biTHt@M}k!pX$$bgdnjj>z)8yk(Uk>^=UJ`-0z% zDdJYc#{(&^ffK$tcZ}|Y1!D$OTBA^=CQpZ49KWm#4Kb1nOig336S)+5fesBpt zg2x)hY<$Uc8tx-C(_})n3+SJE#DbZbGpqWz+0upBS(PG%mF-T3=7|T?77b?RHf;_x zh9}#-9#~1_)7ij4fI5$^gu`{9Kk}!x%wRj!t zBZ%5r*PKq1I(F1J;|inI2;K+U>%SW9@>q`ia7AudYb8T2D`;)dy9T@A)&igLMde3b ztv0OIIl+V`JZ_v>iDXe zYp~E9I4REqPw&iremDI|u($V#h(1`fEw043N=CkOa%R0sYsQ7F=SOjgQL~N8Ntnv~ z+TkT!nB&Mt{;YhB%x+L#_`M9m939kyI$mw81;%?gc$~=C z<3>2kbwh07;Ypi2mtDcVbb|Tejr2sn(F*fJ!4tKw8K22)8AoFSs29Sq8cWFGmgU7B zJ?A&&#tCnEX6eRfSTH!MSAE4k-i*|hriEAE_;7v_rT;8ywlg#J-h0}EN<#Gc7+lOu zlve)HV&W(RgB}J-!j7Hd$cscOsPEMwlp@*w+dh4@xF0^t>7r-Yc zHdQ#|%1G{&terhg4q*J7RAGR@bQ>fUZ@|d^;BvJdDO+^&+nK-YeA8Bz zkb+=Tnzw5_z+=>w;>zHWx#3|@t2vBY~80S38!7YyGu%!;1FMr?!t!7s&-| zZiTHs=3=v9ziOIg)xjZkFgDH;er535Cx0(V?~*s(Yguce&azwSV}&&z+(MUvpGQit z0e>HTpK|H9e%>PGuG0c<1H(drrj zNq}v5uazl~OU3|1fxlUv=87*#g<##$ouD9vWkiZXVEM5%K4+D})OPkrcPO{U1QYP# z;2}~^ZfpDE2pJ#HqmfRw##L3P)qY9~Blx?g&!;OAGF(*CO>wnAAY-*I-HNR4NeGe) z0992Scjh7wEE~TEbG~G*2ph|X5MC@gkhQCTiQjBi>UHk1aXOl#jnL^DP$xnk*)xc6 z9jobvoWo8`8e^G^iSKtd2;I(MxOQZ`h0G|~Lcm|t9Ao42Zpa*Ww?Hw&c6-VaKuT_6 zRd^sEf~U;c$L=JGo;C`UnZ-1^$~DCBAfv@w0}eci7z|peh)xHS_0YXngU0TZ?wpN| zS7demYT!2ZdA8(%DR@i_Q6+BJ1?=T)pWN7BsXGeBK&z#c^M_-?e75m%oobeRn52o% zvwMAuBrG!OownF@#;IBxr3yYoWi}N8jouiR7Woit9c#Zx>!Kti$YYY?yH+TAy%O?IQ2^qcf3f zydxYLsiFCcB|b2=+Fpe&X1RDRt1H&>+9OyC(d90#0R?UjQiIb2*iMoDJC|^&1eY~6 zF7j+y1Kcbns(xFE2?hv#;^p;(!{)N?xX#-PBqx1i@d-pVsUCQC4v5TxiB0gMU+er$`0BWDd@#>` z@&^Kse7ya!hs0Dj9I-pYn7lg!x2kk`Tr^1@R$?b?C_UbM?BWS$)oZ9&ESs*d)#YtW zTo?lWd>U;|9+oyDnYbuVh6DSU5L|ohg?{m91jEemLZtAwgp3SRi0lGB_$N;H0-PAt zqxURBD0g>iZBZaykvAOVD76=;#fv017OKI}0|h~g*r3C>+C8^bhC{rh&qIyAcMXui zmxN6DSz+eVNJ~J{%BR-TfHeH23%n~*MHT{{s3f#ULv8#6-LI?Ii2*14!}1S96cYi{^5IqK9s;${bQE{AGM-+IUT z3^R3)N|VssanB6j?JIUk_aho|Q>9{DF4wtl`&y5~r4srKDPy)SyVA`z*hheFLRVJ` zvc&;ajU|%4C0)2xY~0L9oG`aw>gW3}{adVuZdfN5BtEpd!Hc(1i=GxCHyMxfB*;Z1 z6uQ9WpvA{e#9}kXMOZUtS2ow;?t@iNqB5jnNL8E6lvJYZE!MgbVotgV0;}!u{_tc% z5Psu|i#3uF;2jTKDZzo@0aKW~5s}PRMF~HXMJ2_3@@Zzt*6DUOK74e*fK2*JAGyu> zfhb=xab|T@2;Q$AovCy8-AH@0Wy*xY{T9S=%uB=PASb=<*-HW9pqlG=saUW^BBdxq z>X%D4mEd768y%3fvQ|+yq4iQfHi@J7Gt)N;b5UXIWAK!v3UX}&Kq931n>B%UGG=}r z3KQUaMYoY{HCHSyhEx*PZ>gRcpaGmb%bNH~cmk?IQqf^uYFnB}8aGg`7%p@#*>h`g zG%0cKnUV6a%3Rt)%~^kmVyB;QvnH#e)`d7CO4h9XK2*h8fI#$PO9r-8h?65J12LEa zA!2R>V2=kCMs}O0HhGR!&uC^~rb?3;>}`TxN;`LGo5EUN+S`Ec!uFhill&brQZtUi zDwJyli&F!HgYS`HCMi9wC*FdFsvWl4c6NL#Ipm%e% zM(b$cQM&1N`m&-ngHiPG&g}}(NjI>QqDa9dCP%ID2CJi&u)BH}CzEqm-a8@&9vhFJ zp@jIAkQNY=b&l0wFE-JpfH{xurF+;)r-X!7y`|%n`(Zux7n7<=r8n;f+VAni=oPv& zk3pqo;>_sZ*K`}z6(4b_EjwOl+Q!G)kgw!nJmDuXBBio9omu9)jnS(ChSRL})vA>K zG<=WvP|S%d4bVDZh|Y96Yc98)Shgun-B*9=J(N$+hdN3NA4=q^MG>EW4!aYd6APkj z@j^Fi$lWxJF7EI(PDNy@6`gpPWXFEu3^_wYqVr+LmNzHLq}!B}+c~_>4^<)H>$+ex zXR%&ZT^W79{8aaWes<2efXi(c%Ovj8N}LnFId=SE(%{T{t7^v0u7Jv3&3=w9oSfAT z-Xm81^h{D^3bzu^!=%7>r6!0Ay&G42YhOkui+wS^CiX@h-Mhf_6!j-G{N#j4x70VY z5;<|7dL8R8G1Q$nLm@+xh_Tky+>Qf`?-6X7W+98ZruB+tM}0EfZq~qy>Z%? z;qk~4;{~ykotXrZ{e=m!)Egbv6Rm4pO1>#+fhKjjM-GFBpYrLifg+EmE$c4@`FB_? z-Q%#QyO_XyUZp8`H_vveZ9>Z5smilK&bYaxkF5ox(DNLnflFN;G+pxPv71$+*s?nt zT^zmi0d>cHH2UGUL?yAT+_OB`_M}-=qG?OnuBwY<%hw^300$*S0zX>9MUc8KG}>;& zUqL{;u09ZqZN|QMmllkP!-cuQ39Xgu6_X8N6C@>*$L?$MT9WG5Ufb5k0%>x1Wh)0= zwD3Z+4WrOu`Uja@t|^*li~L+bX59$l;`?fBCJe6u4s~=qHEy}I9#li-$3yX5)-^cQ z^$I`Yt}`UGSV{sFUKATDM8Em@^A*DGXXhHfGnH?u$FiA9G#5fgg+$Qbby&ts{DghB zq@i`|oPIB3h}C18Mg?N;7*{f|$kODLkJ&1e@F;+sVk7V-H8pCbv_Kaur6ZA&>{cH4 zF4$WiypjtdYwfx79CcNeuE=xGsAl_(YcEVK4$tg`53$UeA(#gpdMo#&i1Sf0 z2%y4lfU8)5Xk%WdvYEC>`zTveh{YHb>Fd3=|g#M zO?U$gIM+AQM&@>Je1>1k`3wm^vTgjF;aYmU{0U{c?kl%Ri``(|L;iAH6M?Fpu1H57;zDsP>3jb%KT9c#mX=KNZHxEDhT#b zqQ_Lt8Itg?axD6t1q70rKR(VAnFwfYRMp8{r5uIcs7mLZF&M48TMmNLqaJWDiz3f@ zzph4xtO*+i4@sBEm1*C9?Vhq0z#dKmgn=B_lf!isvvwcrFKh#HEDF|H*}j{88!6!z z1#gMG+BvK2aBgCaXc9osa~qr~yE@rz33`(|?JV7TUg2n>fkhg?gceYj2AI%sU+3^+ zt;5b_D{@$!I<8^nF_9#~V!2u=zo$|hGF~N&C$_q`S~>6C_hav~GAXv*y8vji00hT9 z&1Sb;zJ!}rALe$tdsn_`vRG=$5F|M-p(U7=r@9`8iqSA37btz;%Vrj`dXlBdZuT}^ z@m}MJB?lo_ng+Ve4igwh^Ki~|X@B4ybQUV_ip`4AiD5cRNa*P}VA;z}(QLAzEJD#V zsCHmsrMI=!orr@2N9Z{5ieZrt7ocX@`LlbN=ViI>0et{qnrQ9@#Ec~A`4_0FqG2hF zo0!Z|rdq%yhQOP9j^ z#^za{m8vgU%NL}EW$hJ?70~4v*{s(#<&LaPmmKGgP4y-7yXx*?mgycZP$~#1zfqv7 z1TW!;SL7b$>F}C%Irk;4X?zSdF7D2#a7QMLd6TyD2_3C2d11LC+B0u1DCoZA)lrj= z*V68?Q2-{D(faTSU^PO@*}0i(id`vk4_n#U5r z?spGB)~Ua$?`Yp0B-F28sp(e`+_C;}c0%eD4L=`G^+!m?8Hb%40GxTR@FYo7wMu!> zF}gc;&h+CF$Je?oFHcv9&_s}p)C7dn8V{^-G-4ZhLK*^w#OAEeAM{a^+mv!GKq+X! zlveumHG^I}xCC9lQZgwR$*V9Q-`yM$V3la8I&OI-CluFfs8|heYVzH@k13RoMBhX< zWrdA*c0|t7ILkVC*J*P(hg9pVbls)jEE_k#ep1&i7vqBtgpF^h*Mdw&f8k>}@#Or_ zV{aYyO<6YA@f+vlWv&6zT!-AUT?YV0+s&yzFxossT{+hmNx(u#fQ!<&Og5{}gwiuP zfWMe(Jk*=?yc!IR8;kMK9PzQuDRxN(D=y00KZKEbtevm6hxv+*Z!TGURry*u?mJ3F zxt2#8cTXu2;GA#+pG<>}aU6(c8JD%^wbX0Ph<#D{xvB19v#r`bO&)n5L@E`(N3G(* zFEcLY{Y}0_=)tG^lSNv`w~d7lnefH=0q1INc<$N?)p}W641O(dR$X}n#6f4!$S`?? zIX)aKY#qfMT1+3ZzR~Jj^RoZi`h_HLsRvY=RqxnNx@Q;i6iT{~*gmTuFQjbogw`E; zpGV&KPC?^s8EW?(#fxJJV)u{}5>P(SDh!E?(f7bZXNdjNJ)+jt_|N6!OnCnh0Nj8a zR<`&?C(0;&qzo!*cni(fJ5PDJWq1y_tlS)Zc_b zAYH`Xhm@T0EyRWPRJE!1HtU0h0;a>azmcS;D)im1+{ac_rd5CSd#}9YUN=UNP2{fQ z&^nE5S;zI2rRSmg)giH-aC<#Q9}8*9rBK(a_}|1?P7-SxMoW{a!a4kapi=W>!R8DQ zRN_`W3-p1Y0{R|Qlr_c>v1^C9N^e(uy$I=fxD|MEdE#WY!TrJmny0^xv`?oWD`pZKoWE)mL#;TniWSU&5-nPZ=K{k;~PTD_? z)JfSAMhTrsMd66kgu^5C4o7#nni{PIq;no-(?2@RpXaH3Hd`t1Hd`RKwPL~L>Z^9b zY|LR4<-OB0HLF-TzuTC}DYKdY8=;BXYAzH486$_FL}7gn>K}-btpJqZbDJc;bbw{imtNEluW^b7yb+%VnJu%IZV)KYzGMIAbe^p;8 z{y(L@vd4HWW=7V1^Q8K!7V5&96rlnq$jM$FA6$k24P;>W z95%mjI{10%m*vTsIbUq;gQq(F9Zd3q^ywsu^49V=CKDm0$&aBcPYM;dEj&sbJh!D6 zZ>CTC7gKxOEtnf4e)a~JoEGxBTcL6VWPl1H(I}H~0@N-|=QkqiP5vmh(waWpfr%Ty zx5O&Oc;GiJ@u+o2m9XRP4J6OW)^7HGQ-94{m@(0o5)rzP@m6eQ@`V*z$>7y@Ib|W# zhm2cM`4X>_0AiB|lf{YU>PlcQCjL7rbvYLv<2|z@oV&T4?68T;Po0T0t7h~>@!qM} z)`Id?97XBEUFP(cWI~?O%&%2T9eH`371*)K==JJtW%y{r+xBg+o#$rD{&=ALU`o=ezjOkaSPg-6k6I`lZ-J*bVN1(tGd)p+25L0L-H z+CBj+<&^!pl=G|Piht~+mrw&2+GU|@q6bkLc?J_v|A187~xgpwZ+f5Uah5>9FikFu#h~&48qbK z?F$*Z8*H~Q1z=<=fr*Nu<5~GidwCD`wZP=~Z9mHH`d*&U-qLdnZ_=MqE)EEgn6(p_ zs7aMeGBPTGX;%Q_%{Z)OjwN7?`11p+W8X*FZ zK>R4&br0KlT3#??kT{wD>XCl+=bW%4+--CH_?&4U*bObj)_IzX*t{P#5outI!q1PEIXPR!OG}B5K*F zvXG-svFmG1a;V3_)55|7%$XtEaA-S}rGfOy8Ylqs^Od({^q^tGJAgE1p(<(@C`lHX9I?hKlKvE4q7iQ3Bey!2aXU zx64}@8UYBk?E+o)^Vbwjz2u~Oa$ck)mEeQ|xpW&YnY+4qz_1^!?ErB^`Ri_TsCu0i zAP><|=JsOKxsA-QE@Nx&{7ZQa__)w`tJs?UlcL&&igmoDcV0mCCMjcDH`b6W9|2#& z+Kd_gf^TNIW|}WJQ;~sj@z^om!GnbqDmk0xHpec3GMyeiY;V?UcPbZ;H#?Cb3X*Ft z+`clgf^~O#pj`d5@fG`CQp^xt=VJvyBfah&>Y?i7uEA`?GefqLB420N*1KjVYwEk_ zo&dvl&Ch!M8X&_Qh2?jlYSj>^^pT`SG2vO9Zfj zcCH|0^H-%EME%g|1Hue-JOqQ9e3ON)vfkBJBDKfd{43@S=HvIo4$TU-M{W4Z4+nl# za&S3D7sb*p(^}g_RMu=WyX?vX(?7xqZcz4+bWNq%(4!w}vMhhmbfk?ltoXgeJ#55t z1O_ys>fK=RU0tPT*`wsmX-R56kkj04g)_<)inI;+#vT&cg~%mZ>=R)|p8~Om@Mpcx z)JE!x{rUWQ7vd;eru423HK+&=H8?e~Ofb@iyq7p)9gnQ8ji1kSwY=4S9uW9rmvs^q z{*q@cRa(+WFy(4cA5LA_iwtUL?LkM=mPCky=l)t%1z5fKFH}_!vF>j{q-LWU4;Q6% zPk->thTN{WrsgNVGeg?2PiYf7tF|@LQWsP#^Tb6itHYGmSLd4*8?PUY@eeISp~C9| zB(p00vzNWkuyqPbr5Vdab2ZcSzL^)FuiE41;^ys7=xXL=pU!vX2=4lPCGfDIoAiO0 zm_`JpWFfmyh(UESV@-a`eFx;ha>PiKet}DK088k#gn}U-*;V;ypM$JMv)U6+whvWS zb&THfCEwM9_cZMs9HM~Jz#8Gi{F@fQ!SCA$x8Dr;m{c3Cm+&;>eI)y;=RId44{{XD z-|yG*pqmZ#X*eB`Pyh&c^1{PM4l8q#ha-o2>z3^Uzpfy=EThUwT1E}!R-7K002-Zx z6tnarYw&1l)o{%-eAXD#Z@MgrfG*1ei;AJ!ve>~sih|Rf>LDgziDf;STMt8PD??h3 zJo1R4PmT?mo=|jsZk3h=Jld zg}hrz&as#FlCEQ1=BU%2Bo~Y?!*&o;8EeZ)iHu(Ek2Y!KIMjjDA~}E-OBl0CvH49t z(BsLvUKYF~%)B;6era18%BPJ*vT=Bepm|nC5v`n_y``C=Hd)1~q=_X&*-0m|8oaB? zw;G*npLI}aAdCUV+IQv2N91+JC7#P&?>MQRcVG1ymNj<-v$Pw^DJ6f~ijp%(%~V$Vgi42s;8eC7*`-?F0d)vdBV8dj~DinxZj z)b;xr#2qbVFTBx`w6e@x?ArLSm*kbEH~Z?5&!IU%b%9pUnz9i;(+g>LSNp65SHk#L zDc7u17{soE#Y~WL#qxolUgW|YlZk$YCy0P0SbL8yCB=Plo9VF4mj>25=fvkHb8yaC zFaNlVKhE%M*vF*KZ5-YnSX?&)5aO^gkkdZaUAS1Grjmz#Xh(ZMWilrxqNM8=irI5a z%F&G!D_1RV%Wyr&cRXh4-L}>%!rW>x(L1-}TWG)aw9D*V%j)b1VGC*_X9Q_F)G%`h zBj~rP=!|*fhXE8>PzO*TGX+a!X&Q?Kn=jHvLyf)lxFbeF6K84jkI@?nKTyjL7vD|l z46ZTwP@UQCusMjB5P8Rzy!e|Q%eD)*w@sLDiL{2=g!5jTb&a`n&+XCMLLI8^Ib;eR z6-GZJ>zvu41J!?G$lwK5bCL0YIO*7+X1^zj8=U4wrM{$ zjG6Vr&<0|yVbSIf7#6C*Jm2+8PV}u{MmT25lB?N>XxEG4fIy3>jF`L`Ov#QimEJgW zb9SaEbijCy^`&|QWsD^^e`TD5B=c98qYvHt2O<`m&6{5s@lb!O_fyW!dq*Z69p6FZ zXKZa|oHY7feMad2V$KuOdqn$qf{za)5^ z0aiqwOYE8urZZiovef2UGR1B$%3;=DmbmB2GTY;~Hld1R9~ZjcWh?pfs_-$b z;1(+v347Z;mFwGAAbg536U5KeJ=?&U-8LJus4f;`@2|35lf(sWWYh$h-F@e&{yTlh z6d}iXYKetcH5EABo0(u9X{Okut3=)`S=@^WCGI6;c)aDU%34rzTdxq)I{!H)U6lng z%+OwUtQM1$Ko8Itg0kk9j zBfg}J?4A;q#-O}vHT;)$%k=ob-c>6fBu;*n{O%KKo#cfLz?j0>Nf2);HTcfg)o4=J zPV|xuRK|frQon0XaH5x3wdUno+skuZTWZl5sN2Ee7t(Qk%#z%I|+7a>9 zHD>F`QAHL%8II>_iY397go`3R9>Oj4NBWV-!OwFbT-A$~tfj>^L~p&+iUt#|j2b(N-gRJgA>mJ9F8xZqN&09w`D ziyu-L6d^$XqmL*!@dtH{AN0c?OuLXhwteE~`o9xDe=2GG{c-O9TZ9c(==hNpZW+%* zT>@vg)Cyy{r?^?r&C6f9KuM)?czJA5O0 zLESKR#&RoY&&#iJwhTUU3^;F56tl~bDEvZ`B7fiT*gI1au^%|hsdoA%uHCkrS0d9ufG}{9-f*c#fr165Na|1qH z4!6?2)8Ill&P`(bBKx6ERBJ~+!EE)xt)lxd@)96TGLi?)Kf*6wwXYE3-{vg_=nAFo z2oC)g^qfk}*5NvLel&@3my{y2dCv(*Ty(u!4t+xhh!)4j-VJBlhKGbeK|X<>`Oe`l09X_k{cJd4aSB zkUH4pI3R$k?UKi;`8Z{|@roNtL!a;Dvy@uCIi^|v_&_34fQgj+Z55hG8-(4->Fa!y zeO`|pPYdd44nOm}$hvLNz}DWk`Ch`{QPFWeHlsKB(yy+juO_N8=upru@rN9}cbaDL z_0^F)*GuKJOimQ$HPUQm%K50IRIty4A2!twIg)C)-WA0D$$DY|ObSZ#d7`qBx-aJW z-?RX@r~Wy^0e+T|Cq}?|*8jc~MaY$dK(V{}$p4`X@Pa3Rq@iDnWWW1=UB7Q#edsPw z?0FSV@V9{SUo}n~5NK?sS&2##kT$lf?L#_$(2g^U;vX}Yqdg8YZpgRW?yI~6c2fd{~ zwSe;?CFShNvD@wckpBOvZ^Ul^#jY$bC;#bje{YsQr`n&oQTgXo`_tU`Io19=qkc}c zKTVpSQSC>F`ED%#?}%y}b;(jLB>R@Z2mfPaJ8f(aR1$Si}M4;C_gX9|LJjmYgfVb z;`AVru#3o`8n18WNC+fPPIST z=g+D3rw;kQJk=~LsbULLqr*wqp&5*?kZN6^ATt8?Hb3Jd-YE_b-ZWd@7{Vd!a$&|* z<%5@M1U|WjU;9$3;Cx<> zpTO2p?&ST!GdF_xgH4LzeLArhf_4gLgj}@0e364C=DQi^jg_91B+fW(YD2)+@|GOl z*vmE}PsA*#R$L(F@3mwNmpb3te%B1i4)PZjw9c-yY`>AWX6f9gr0qcTQF^)wQR0P2 zKnH&rbH-cb;TP97d!mx3`7+7*c-MtJ&Dzvv2vnv=Yi42P%WJO-#eSwyah-ZeuYYln z%CZ(4bmo4_jgAhNo>34U zhzKkl<*~KA7r!ihF;004hZo}IP_j-?cE!gok+KJZN8|! z!VacUVrP8nW`6=pQzI4{ennvU8PY8K!q+5WDXRswDwZS!4CS6{S3Md6n0LV1xX%datXF21ue_zT~fhro|4! zfzyR`3efw%frk)(0F^OiFFp0eY?yBDZp)O4W)wlNUAwz2YF2A_owyuWlmmHQ&22Sl zzB1adlc;STaV@=zs>skTrqC%Q-+JstBgb^FfEQJApBpKXYo@2UHE*f#BBzYs8D>Ys zWiDoi@*Eas z@B~g= z4DM`KCYeG8Mm;nyBg+*7GM3OAB_7$~LyiR}Ld<9b=`rWC6hoq^9>IC+#{bILg6l=u z4qva!B+&gX0&Sp5l`9uan0Sy<199LE$gLDmtHax`;vbwmj5j+tOIq+G6CLgg`X`4m z>m1%A{2zsV30P8D_;*=Oi%qteT9(!{W#yJ>TDZ_MlT9U7=B{X(yJ#+m8;~_-WonI? zxga%~j4Q6VLz`M|ST3jtq^5?5gbN4=eAk(gn(yEL`+6Rp?t_%a@oZTU0uu0jKmvrW5ACnTkJj8t zQp_=zfn~k&8 zGD&*!{RQHZI@iyEzq;^{u-cSNgt`^ulA*{$ZYG+6U(AMElR~(!ZS??2Xd7#_Uu1Is!tyflAe>bg&urRa0{3 zQS-S*R+)4<25-%sLS~L~wR0Ey6@q8As1uWXwj~u>()oqf!_xGa4ce8tXBTqn?EMC~ zA%yrr$vk?@>pm*CKD-xYN8`{%Gejz<%F^Zdu1v%(jKkcYsGrLk2HK}>*EXc78H%n# za(tppHwH9lc6JOwF^t&b+k@6=pFObBfQ0ohIYD3PFRf8=tTIgl*i(s%EGA8;5*}tC_P9uV?hB zg5|5o=wJ`isAu|d$lyt)VslQi;i>|IeT*oBq#@GPKva`4{B$~n*r*x46BS8_9L!Pk zP4=4oxK&R*vECeukq)7NH*Wt~G8;WGJV(y2)@{a0SX{&Qx`p<%7O(MRg1)hZ_at+T z31V;{ul-}Q_8IpH74xmw=+6juQOnHL$xef;I@EE=NIhB^Fc>p%BI*nRX*#{w!PbxB z_}m}5gvWR0gw>}oSa*P6q)wI6(nhoOj!qavEnLn*=0<;M^dl8cBQjlP=~tX%gafKr ziDwbjNZA7$U>-e+$0T=?7k#tNUuC}6p^S`GpBd@#S8?aJ>`=Vaw|^w9Y>zrB0MSAg zETkrIZ*j5{Qpnz9cR!-1Ve@pOff4dLFE$JFX-+TC<8^1e2Y>3fA((%rnGNy?o0;5+ zO}2vye#@|)ZP{4n`E&E-`gjDoAO_69+;0QN7$vEjrblOoH$Qug=)|0G*%|G1j`@b~ zALM*r!)4*5Xwe({tR7rzMv#uv^k>TMd9-;`C{gbgqx6HS0vj?V162zN;Ap~^?Z0_X zp@z>klFz>W)THr7pds1K<`#M6j9#k^W%=BvBN0P_yXY;MeQ-fcuDPzn)pz3rB(KrO zFi?^>HK>CAQtweFn(ia*9cY}IA50)OCzn_?!8C@HMJTkW-Q3U|Pe!pagSE}Ha`;Ja z+I*oRh$J!~N>u!0(JiVERc3^=$hDrNYGf9*_4$K_B}2xYE!PT+yT{MxcdT)&_NME& zPYbelfI9^VK`4WyaV+P`)v2)E`?yd)?0`(3ri z$u~C5%nT?P$l4C}QL#2VPC)j&yLE7rC`OI}KNJ`f%6C2xv>3l;B-^61gZ<|1EsK$^ z5=(vYY`!WKGJXL|_8>V`|+j+B>; zopnb0y2e}Iq^`nxuKdKE;5VDCsW>s|L*c=_}UL) zr&x60)2=x}pNotRH0(qMhwgl`?(M|n^J*Nl{{4pC6VzXX8)#>-&)g4$O*-xrd7F$} z(|s~XcM|lTUGM3d@uTMi#VC9+AOL$zIoZ}!%|wy338(J+gQNGEv*eH2N-H|D`7@U? zp9{A3sexPjQ&EpD&96S{m}Hthz9^#I`UD#t7f)tPfNFS)@B4$VPpj!8aP#5Wr&+f5 zrC;oYP%?3Qi19hP`Fv|)L_}zC=-&PKtc2qFjgKndZlgv2OkeCH_8-Pa3OB|a5N8^M zZi!ew2Fbe11T!*GhaV#Ks)ec|u+($}Eujr;{k_}Dh!}b_X{fry=Gi9~Ne@@)9fUlQ zPM81&4*D@dKwUEu`??sd;e>GHKw|i(7H0$iPHdm}ZAIb*fC=W&e&$ucyNqm_!^O!hktI?|9<^%;lXY3M}YJ2b{n5* z#RSk)1wHu%Vw5xwHp)K7dL%Cm^cz2JK-voG0UKTV$n`7St` z`(y=K*WsC=1ar*q*=jLUAM^W>oV*2*l<|wRWES62Hi9w_KVU>7>Yg#@=Jyk8BPRn1 zgfo@ZNPf3>bz4Ol$LU~hlr-S%(YW_k=;>z>W`S0klLQ`7zp8m%e<+&MuoWShop49* z9U3GM2X^q2o+HnZse1cI23Zq>kVP}@heTEC5j{^6%6x;dK*Gu(hach7Konn)SfHSh z9AP}7NuIFUV72X>IiouW*F6m$FlC#w{`9Tgj|vVo)di#Vy)mzV7il&)EyOl|^4IiW z1yw^}L30(eFU!uxE4ApAWG5uRp3RE6UZ8d8(^S%CHY3)`tagt&I7{&g&RZ8#ht!$x zUf3vIP)oc%Gez%^WOg~2Fc9nG$;j!9LYKv%OmRCSzM0t_Khin3a6z(Q5nT5r#@K1y zZsT2xX(y^~dyC_$9Ls`EtI-52#b`>+Uf2{w+HuZqs2#$X;>`DW7Xq4HP_${A}bOsKHxr zh9u6Ur<^?hDy}0MDGWmCoxfGESulSsC&@hg5F{oNQPlQ)0}dU&F9}BN1+6n_y_pDX zDV?~Mhu3>fEZ;O1z1dpIbzGk#`Pm2=u6-uMffDdp(nvIZA0EO7k_hHYgrQ0gf#ULN zJn`KpWb2Z%8@oBkJ76bzxs^L?8ttx;G`ecRN}i1H5j#sFSF4+3fP#d;;Fg-;O^}lW_{q8a#z(i&GuEJT4F)5k)9H zg*Vd)=j{}m&PuLc*oFflI@cJQq|tzKS{&Y5Z<6&kd)__*HrqyHd1V*;0}89$X(o!; zM6l$QPfr0w%hBkJ%W*~hgdv!VR{j1^FYDd}@q^^Jf4i4o zh^b`qxyBn;yx_`CVZiXUiTtov;_>lyd;RN=y(eXwsj$U96$qmoj-_T7^upD?^TFdUZTqz~0!(K{=KJ|-wZA)T z<2b)4`AOThkL*khGf+8^6n5?lJ<(+R)$3r+-5TJ0wLJ?I^?*#3!`U&%!vkmrY7n(V zl@d%MTSGVV&8fCS%~+<9tER@;wlw2INqOBCQSiH*=!5z&!7Zrud#R{ z;wX-fnZrRV>{0}DmhI~B=>koCF(k%Rf2V>?tzu!)4%x6s+I9_}r^evO;1 z%M5n=6?XN#4p0a=FLEUNQ7eYT2A8WCHhe9Weu72EV9pv~40L5NYyOWdeDAD|=z_8Yw;ZdLP87eYbL zgwyIo(T>Cd$>3r}s#Zr1&Hra4L>Io0<$Ph!Xyd@a3D`>hBH}{SbjkDGLCFlXpfPdI z+0~K^AEbVCUf4VZ{pwA za;96&>fay4`-6*bFFTv3^)C+nxLf1w%1@#CQH#CDL~dFKA_V@?BeA0$n}+`_HjP#> zVDjy)H{;lF1v|lYsQHbo0?S6!5hH0|S?v!%ZnIs}yz%NZ2xGZ@f>fig-q@vmD9H>d zjsexqydMzSTrFkR%zS9$LO}Y}i$SoVNDhx+9aY#I#7n_?Tm_ENfIZ4G#VC4)D_k0% z7*f6s8}d=uH}209AOU&HKWIBmDR$UbAOAr@{GfesnzNwTU9tGKc3@J}eV5Ku8nPYT z7n8;qy(1v|g7S~Y{i5;Y$GhRwmcJ9?+Rp?tzn(zwy2eVRQ|2p!p@j|OyuTvkf{3J; zE`$`(eV2g^U=%M7?ucDfIQW31WAYBfc;7DK1t*ZtDHyfa60J$FnR<5!EJ z)z+6Qm_JTc>70eC7i1Grx^csb?T|fj&owXG*L|9!G*}G)DLdZTgR1`PBl*~g`S*Q! z3md9AuOF%e<#ufNaG@%VuDES4tDsbpO^~!RWQn&9$DJNCN7rXU?cc@6ko>69H+HdxreMg?deSbVWM$ zpF-Pkt)GH#HTD4=Ut2A`^Sqgq2xG`MkIe)Z}kyO;Z&zW<^u(Au?o5jQSf zSe9w&h`g=misK4niQ?ZtIx`i;-G^JSR=6AL0k>_>zlOS0M<0SPs*fiTZ8qEuhxIh1 zD^4s0{zGxQ9YwxG_DjO_%1=t_nP*>4{?Rqj{)^x02MJ<5;p$K6vE2u=6=6v&-c|xw zR>lD6Wu@d`iDkQC4xtNfn*mK5QTnt9?OVG$S)Hilt+D-`W%&YuDj_gf;&h#)sxPcX zZ(ML4JCmZ3q`1xM1B%0F_O3SHMDdD`{HJEsZWZf=C7-D(?+O6$rA;OK(wl*>L4i-N z?*t4s9)Cy=4Yx4;k~rRakD*m8sKnZuNGp0IMZn`8WGBLk$7ktP9JCGE^Kr4RwJS4z zV{)gs>ng9aL>xSh0B@zDL#>P0bB*sOb7$*~NKxYgWMEhWr%cRzZRT?1%=$4R@(6^C zMCWooF8rrr9enT{A`VbRABwu;=}Cq{4b`?A|73-BwPIK*WtMZR7Ybm7Q}c4 ziw2Hd{-d}*QygVqYMpk2|M0;3R&$f}f!RH+ zrx}eqL|}(qn=+~6wGXbZCnsU=K2&U{<)cy*15)K5SSzOJ?Mf&nAwo*0N8Nv1=l7K;1c{WUAJy4o=7df{c0LdTg| zj&bWO9JKnw{%+H1!ua;utyZ%q-%RgmZMIJd4iWbq>x-Z+Q2%(<=xaIPTHGC2(W(&H z!SPI75i+0O6j|?HV@8WUFhKr6uMIeW^o}~U!FYR%Q9xo}w?hST&*Ai{fd`^09liY%)~;v!haJxvTM?*87m$%9o#7 z3Pr6eLbRUrs>=l^Yz~Y(R6?4&-qSJoPi(c_%c}#IKz81Phwdrc5&cLp0KOrjYEAzK zK}PVfaG;++XpDh=(PbbqS{p<*-Gu?J`jQJ$0SL3oS5SH_$07VwAhE%$#~3}se%4f} zVyxJt7ozE;Vr7@jc>UA)!G>1KU|ZDSYigWWYc)EWPW@H)sK2>*)Z1fJT>K!)7Anp# zd(A#t7*jA^&9@D)@kk!8DhRMPZ8CBH8Kb`VMXUkr;*QqTMbC1Nr9mvn5+0J(aV$i7 zdn#nQs=8_nY!~P4L1>{1GhuVH+?s{g8gD3y*esLcsKA@dj)$Cv9inNL^0iJ%Hqw=8 zOtO?*VK&nqMq7;X1ij;_4JmShc=|E597KElHtQhQyQG+Dt5L4Em(`Dfh2;jF#PCCB zz>iT8`XalZbja~eUQHCfT%YPnJ>5KjaL?(So1ZP?(k;9T zRbIcFMOT)0)mjn5j}RohDJu|2B6^fLFUJE>2A$-z&baMclVmqDWY@mR{ZE;ZesiH+ z`=V4nA|7UTUUEY9!Eyw4`)&1-m!@al$x)lW*X)qXKKbGmvsN+tjxkm>;l}~rW{#!B z=xwgdM9pfumPHKm--%K1%ezSH z*t;2MiXxEt+f}D_oY2ksbFt?dqR`*dW^-166wFRf1bCj*CYm!i9Gck%VS@&=~)h;YW-^*aDHu z4?*;TGK*Q^U)^3&KS3l`h^DgI2?SKnK%OSo&{$lIlun?H_C~SrhZ*Ud`nKTdh3sSL zMCuG0K=o!kh6{gUd%ou`(&7rHctKI|jajmxl}CyB!G^Ay$&jc+C5^nCW4!1!BB-=1QCF^W?Pl)zn`euf0$`Q2D)zk?Q5x)SaJQ-i2y>Xn9vI zyTeP~)_cWq9mzkftwhypAbEi>T{XSqgXQyXXJZve=q_57!3gbcgdo+c-~ZFQ^TABM z)1J}AgX!KSL-#QnOs=4H4WSP3;nn|?+!=Qu#?mC`njKWUG@(DZbbFVM;-2ZmXs=Zb z%$@HehW*y}7q>z|HGiGE$}@wvIY|HybLpNc!h3JkC+oOF(yJU7+f;IFGBeN~lN{KYHY zcI!d=C`v%7A;u;Xl26wVIM@lU&^U(!3Tv9xs}7Ngg}r%5@R{($Cf;1*5&ijug^w2I z>QoM0JqJ6a>|bvhz9jVq0k-4UA0C9RO#z#0teHkvZtG)ne_xOX`aPOy6E~}CedmYS zVa}pqibu;{%?V*^e54a@%s7w?_KYaGG?qEpIN9IyY0RE9A3H#;!0||Epc_-8nZcd9 zQ;tRmkMapAk6BaE#pH7>y>%zu9M)^|PjEu8jPju?Dc@V^<<_fE^yVVxT-Iy>x@*O9 zW^~(msYT-vWy%X|(9|_DTA*(Y7T1=&?VQbuV!4|}G3d7aC0{n(S4SW1G_T2b5dITn zJNOD_4#pb&1wirF$|-OoNZDfJnVn|z`+ug!ZOYlSB{A#|@3DiA2Qp?u&wI{_@LP-8 zC# z3Pjw2ArP^zKPM9AU-=GPEh5eP?W{xdOx&T~7=tBTY$k(Mr>hQ&e;N@8OpGf&=T~V$Z=Uj$=dexET8)ApI*aNNO%48UB1T}nN zD8k*FCG{8Z^F{{M^jgL!QlQvJg#|m+RZQoojf^4!lOLLRt@2@BYi$HR>6=19yJmau z?wwy1DVR8*(OJ0lr;atR2)RjgKe+9NP%lJD49sE*M8ChW^O0G^PbKEZm05LJ%^+(% zaP^hLBq{Iu(4r_2Is^Ax{o&ufCN6I(iv)#v zw2nynMrr6H9u@DzWbvFb(8<(59hq=GViCbs+-FON)(ZtC{S!|Hl@v~DA|nM zZnXFcXoKEmhi)yJ$*%)bF5!%i@_eA(twzl4Xde$#;kk;jxVxEU#hPti_4K~SQs-2T zc!BSP!={;YW|aq@e{8%PHaYE5ft%(nAnllTM*@Wp-^R}EeK_@q@$i=3o9AFZGtGTE z%Fwy)S>~sCi%ho01*!5*vP8$nI0-1SOr94FLZ(WLeWJmQCnbs2!{Y7-k3g<6FxRC*oQOjtBwDW$h#-OwC+yt^F;yQ9VUVV%a z%bmV)y{trq9D+%7HBiQRPQeb-sLpu?<&Xn-KCdbHEMZg zpD*>iEo*AmG|3f$ZVZ)@*GNX_r-PXbL{-6An?uG`(d>bmiE3}Frx$Q@*^MCw&w$Hc z(Awi?CxIMkw)01-e*fcUpu?1X3{yxw=CY8_Sqxt6lpg+YJR;*&W3+Wm_4aaIh2wqe z`o>scYjdkQ3WM*B3;H8C0lN<)@Y*+G^y3`(URV1dxY$mfzU1|)VDesvT>X)DHDC?T zuHu!Q=wPI2)Si0v1mo_5c(tf?e~j~wv{EwAW)CYI2@j6}6l=6Z)p)V~E=XTQ}Z!jp?zA;te@?+@G(xybk@$qu`=MWh{0pOu ze%kM9vfT-7l5mG}0k>Ag>W83>X7i&7+?-6c5o@5eIJnUjJ*uak5N!^gt+=7&gtY+eS3OlR|DtIX3|!4IrxmZsonGWyv?7b{It8wQ?)kBqfyb9ZhnO{sZ1iTu zoqr zDie@h>URzBE_W~*ZJI?}~_m>7S*v%+IVZE!Tu$?I?MnEvJc zqIQeA$rh?K*pZXLd?FF(jbfB+cacy!oi0ANXUglAW6Qc+PmBr_9|N-jRn;OF-Q5tA zt<3(0!fhn8(0%gv>VJ4iwPM2*FB7nH+nKrKOc#hy`$BbOI-{-pi%UT-=YcO*=~MGB zz=gLB3yi-_}HpeFe13)CfSn7Y-+3DGf8b|&+#Qdgsv!e`qH?$;>Kj)i;~ z?w6GDo<;=ux1mc~Uom~RfUR(-8uBM)8x?1FQM)JWe}#sP-VTInRB@ zoAYLYBw`&CFHTt- zb1o};xPp{P^cdmb&`y&5lBs0HPZF2*JVWX1QE|91_?>1bSob&Zj#{oW{g6K^^+oYk z`;E^SV~69Ns#l%)?q<;!Gn?%@Pcp_#tH&yCdC5*;`Fod<11+DW*Fw>tZpBe=1~SJV zKU8fL^CBiv({i>4`NLW|TOdsj_1H;2?t&P=dW#~`UPVTCGv64zuNqwWsb|7UuUTj{ z1!KjaPSmi&L0dwPbRy@U9s6=2_-I_zE?q2e>auCW^KFIacQp(20<%nx*2FBvVAM~Q za4d7JGdX@HRkb=dvLNzib!G5^(C9CvujMWWbFXxj;an}RwuU(}0d

U{y}+T>=v@ z_R9C2jh*y&9MAX@L6R#J!u+G~>}uAgBbMwuI!FWC$ax=0_9<&K${}3z$?;N*Hh}Nr z1<;SG44I}v{-7f*f-9#fk@5W@KV$x?4;uf47898cxWeh2ym}b!U7vHPO=j2(yDBZI zDQW0nS?cWBZAmd4zp46YnsYC`&z3WAK;fy^DlhWuh1uxKD{9TAu)XR0s34Gdp;jFN z4h*|EW*qdu`Q&<1w&9Rw z+!a{;B%y6Nq02bJ+-h$l(^w6UN7XZA4et|DV3Ddq zUP_Qll12=NJo4F~LeoKc+Twn*M6+eY0IQy8snNM6c*3U0^})@j7S<~w_xI0#%&!TK zK}>&YpQb5U1?ieJRuskOSL2)7(ombw!cWY}uE`Q)Fkh2%pG}>iy=;*Zi{j4nY~ zeV#c(+hpDmWEMvE?Gk`IxRY=0_V@Hz5J^0KQ#W!}bL{VSW~aP4za?{Py!+`66i^Pd z0?L8f*K5Hgc?69MFKhbVWzAYm2VfoIfyEZh#LB+Cvwfh4<4DR>!^A7{t~!4u*BE!? z6f)1@*${%jt=}3fNl)Q^=7v_t$EE3b1Wy78af<#&TtWB2K^E`{?Y+Eq!OLK^sa?-- zM^7>~v4an$H`G5k;g{nH!XT_bnCe=EoTcK5&!@(v!Uy6>NMVgmKXf*7s&9XsfAaI) zz?(TXpK)glmn|#^6`!YgOsuzF%jb+};xP%`Dl;bsk<41NBm5y=9U+R`9Of*LP&_DU zjt1>sRkK#mL<6klun3#nBH&~tfX(Ovk=rLalDh^ySKHrM9G{Y05nCtlgdc)x;cgA!rZ!vI;7VMRNDG10oVmH;>{Au!g<8g47~<28#~Td9 z6xRa+8!F8yl1eZ=16{|+@BVskLr7nXJ znUF3TQu^RaPLnROxG#pwRcCy5MhY)ZiRR8;kbF52fXwBZU6~P_14H{Cq8c6`*Pq#l z>+aS#s0cV#){n9Kw$!8!Gn|g|ws3d+F98(#uTt7B-gc6y?TP0%R)lE&skAdIBjdg+ zM0!N5H$pgC4J>F{a4T}5;<|!y!9gblbM@BTg#2a@`nW-qNAW`m|K(ACcT1sb&xRV> z&3r!m?OmmedjI`~X?4gcU?FoV8_7n$1D(flA(EE63%|x34wSChjOJtan$HcxF9|fl2{8NPneU0g)Z;~GTGfKigUOa znxHlt?LC93VZW{>|6VsL*0`sLx(*YT6ns8djGhErw&*cnNJ>+NViQ|>xQabrYlY2x zhuzn9w7MmpjuoEAmQg_ww(Wk*Ail?RC_|sgxN}x&lvjmk4X-)g4aVN#zMCta#Zun9 zeJsCvFb&#qr|`r_TlpJ7y)}hy=XD;+c>V3gs;%}(v5c`}xLDYYBw3C6aU!sJtbAbo z*4kb<6~(-i+Z8EUuD@v>4=OolNT1xUCVi}s+no%oCP>blc+R#5bZ^s_V%5<3>C#l$GScPDd#R%0c3rLw=$T}VA2}9m zCc8sh6Ij|jR;e}~!dm@rDXlwkd%*E66xTr&{~%hx{f5h{>1xTV)TZx-8q8XfJ32t* zj&`lf^@BcuotJEmOYvT@d7 zW2imGD#vD-5?dU=jmaTIq3-&{#gHP6NVmK&2BHLL>h*2&ui1at^(lMxr{$WIpm$~; zP|!)JH%EsMeEvzNQ97=#qnDCb`}MKUH_&v)>@ic1U+)BUSRP*nkl)H=wQx`A(5vcd zKl5t8A=K0}b6M5N_Ax+7>!4o6uG|-MVHa=`3a~Wd?WH-hD{}uXgRL(AHL+9a>z+P%}IYeWDp%HTgs=}08sQXF%dXhW0S%K64KlVHS<1FYiBLO&?v^u z@&d_ZvmPk~Mig8_gbp8weZGD|xA$0j_vPfYL{{p5IIuipt>4^^ zuMSCz+IZfKelAMAU3QlnS5EG2f^pBPm2!p7ZbDqzC@Ws$P71!~Mh(I>OL(iSAIZ<# zk!rIbU%v6hm$krtKr+;E z-SRglPP!euS$Rv{!6%T;Pa7wXkKf#Mu zl}#t0f@mLk84vc!o!?x#t4CElRgFca9@hF^;q1nX@-3h3x(Ke~o|g^oI} zLo(dP6xQy>FPc@#$%-^vVo$CKTJs(a7EW1c?900Mea?@p7H+O#TWG*PK6cM~uA0;7 z*!xwvHUb`CxZk2smc74Sw*mA!l_OE1GTf;XpZ}L7EEm^n8^zT3^WYcbJ@143ZT??W zX1#d&x<)*W))(vK!IIj)*(W9A&g!*Ahhm#nBUQQy8)u%1g4(YhZ2qgl7A~8REn&$l z>EH_4rh+9pA5h5>6=1W^;CRhAomWq)O=^_QOg16l0@yq&-1eu74_E5~ zq&i>^m3iaa)&N92#_ugyeqbTQt!vL9ibv`qDi7*P56|T!$DrxU?rQn2zv*{7zE<1l zVtp467~Iq7FVyU)Zj-8j+aRMXn`nIZTEZ&g?1oSr+NC z5-#cQ?K5urF9+iYEhD` zZni(GalSWCMFB3G;o4E&FixNY;4@`C-8g$SL7 zPX!|3_0<4NGH*r87@&0;&=Jq66bISPpr2!*r|S|!w0-Z zL1c~9vZpGI0o-dEhyG;y@~mGJozS~VYkI2Vl?5H_D|V`;yZ06SFWd7UDfIj}%&UhA z0vw;iTl}j&i)okdzZVr%%B;&CA}9B@&DXd+Zkd~I*)J~teqF`n42>r)F;?{7EDxU` z+}UIJ-LQ9pvHJ0m-A;%i6oqx$22m7u*ZBRE@+$!6)ZNpV=1#3-#@g%gXhwuAg|C1kmHjx_=1=@i2q4Y>FFQ#g7sV-V)oI zt4Il=bd)8e6`pA+o)onsi=negqMjaz6?C5F)$nxTt8pi&!Y*$ zlb5-tEZz1guo`dMC)p( zEorJs1F0n1^$WI1-&y7hi!LmgTy2oo@+nZNjzCy)SD~UYJR5kyG{3I4agK7H2Ay~& zlj(nE7x)}d$N}i2ZE=199$3X7g|j^8+n}QN7DNV$pT?p74eXXQE;dzX_l<^fK6z@H z=+pZSf4=_DvhJM)D{3$vu_^N7X%iy3g^x( z^ZW2lK(AkyCEK3-_Zxez+^vnRx&$eRT{wA#hOfVCBL@C6N%}6*-K6?MY{4cNK+%S} z`Cc{@b-!+Y26m4FOsdcOzfUTi0W8!`qVBkI*^M_TYycgu@0YMD@deg!Qs;i#`Acw; z-~A>6ev zIrsiA>!Xx9@n5nnZik(h7+8h1T|O<%{u1EeZ@9Fp!Ut`8^XpuzuF?h(^^|-D5J-B` zLY9eKc2j>pQ(F@VB;~Y8M7C&Xcqt39!++H@u8r54%`Rtf#dJi>x&Z zsS)fd6tS2u`|Y3=HY5-%eF zUfKW>=Y-=s_rv`d`KAnSz$pmftT7QU`#&;UHtjZ-r;v-``tZq0_O&a$1gbcY4@$Jt zb`8)-fVpNR`+sFAu!Fr}hTpY*`IlM{w}Wz}3EOj=sB!ed!CZ(q{1BOMXM>wW=^@8h zQL=#ZEm)3yuKbtU@5KexPee8_lk_W9tZ)*w5i+{1O{KfVeNcH~IAfViw_{6(!g**E z-~9KR(mw$Y^hWpE)dVK#?`Jxm#-U77y~Xf4V5a_QXh57q%=Z~xmv8>|!v3HfT&^558Fq-=M`xmNGes^q3WN zV0_~HUevbygpEC+TMQZdF#*B{rP>MLew6$M>du1ZRtBdJO@wmAr>NUR!OL!X_xH4l zCRdT*@b;9b*pISAf5Fj5Ra#nYeCu#hQPKN6>qsJLL=;zfkoQ$^%XI%O_w#$Y{5KJt z#O2YRo&tC(O;4+>nmI?bu7|dn%)8ps^Eu^pg7P>*8-Lhr+0g$-2IkhZcEh2mx-L|G z6)OyH9of78Zz6=uFnm!%kv0oARYehcA`k5SR@G#q6)OQT(#aN}w=54bhM9&JGCKZR zBA`C;QUfKQRr2E=b_BnhOh6) zx2Jr?2G@b)PLVHhTn4AWGK-#dZ9EV+ZqA`MZ%M4Qap%4~VEQ>zP+ECWaCF6n~3M?gB-48kOe7|0d74;l#_14JV+U#IauKs-POD&AG)gDbF1 zhHsLJ7<^JL^z=;REfE2#B9jY?@QY#)Qi)YBv#W1C`w5b~^45T2KPnUD5J@W!5I6Rb z2giW%EF3apu(TyE0O4QwRyZRI|D_>Ic(4DoZzf53<+S+7?$- zL^W-jOiMi~JfMYl>dQw~&onnq;RCX!vh9|==(j4dR@)-Bpo?{ilUAkmcpHA!yeYbg z6+& z!=HsGa8$aDScMwMYsg3$YPa9M!1 zOBicnooOsDFQ2KKFE49@n#^CawUfc*|M2Cp<5S8Ff1J>B44A|GwzdR{Cp_w)e~*r+ z&;(KjbEtR6l(UvxS8uZUj5tyj@Jbt&GAzF2iOh5l$P2fHv8%8JLd-PckRCP5oi+mR z%d>|z1ok-jI5^Y?42}5f!4qIEG7$Z((Eyg)^J7DJft@xm1Anc@DtNVdW$VX@)-gIf zhX&ogAZJQ`H#xkCs0>1tX;5SVsLk~w(pZAUO8h!t(%u31f+U`*XG7`pYC~&Ihd@D4;!*KFZ z>NaX$es{7_llcyc!uI+i4bT5jBOOoFA_+h5(r}O%96h~k7O~GZeYRVG?-7RqO?x1y zm3JKI(}5Zf_8er{VMcbg33d9u2B~j-d~B-rMa>mXMb>Zt1@>yu@l@SHJD%fIMT85^ z(g9Om4ni(j*L)$?o%D4wkJDa=BvVdkZs9Jzl;7rW>$QwXcOR~l6R&^C8?>?!my0|- zF-Cdz)e#tA2s;KrZ8+-)meMz8$(HRN+8LVw^ zOr#S{dSG;G3Re{L4L>YCB9p~0V_lJBuIl#Y21mAj<;S)IKlrNDb;Zqf7hB?hV39Bj zObl0KkBgwG;_PkVn2ut5JuQ5cjz0x2%?a)8pZ>1mJY~qyB%I8qXdBAFP{HIjj`84< z)EpQ~p$C-e%`Tkwo}a-h_@)G5(F`(iM*J1FmBy^5SF=ftEV~wIFX>)~lQ|*A%X7bM z&ZiGvR1S1`dn%fZD?lwls)SJ8J}s#6q)J;siOOJJkxNd|B>otn^WUfKqwPBFpN9tX zEz24vK~AC7QBBeC!E5kVXqylK7}dpfSbS!q>)FgA7`F?k$^WKLd~bl zPkb$q3)VGoG{oazVJ}%aDpiXoE&gJ9m=G=K=(;aMhquo>b=pLj{s{;+)kXjsIi%NF zVULfX{pG6N<~qUfMyj+;LcQnj;T=cTQ#+u8(I@#hbJx05RyV&+68zrLJB=?ZUfK`rBZE0jm2VF1Mvd>65h)2yJzmaqU zAZd6@pR1*qePxK(CIv~-R=FlggC~;4j-IYqE>dn<3cB)6fV`c=ar8E$+0j0cPoH@zx@jNrR0>`&Hn>NuDU1y literal 0 HcmV?d00001 diff --git a/examples/ingress-resources/mo-example/README.md b/examples/ingress-resources/mo-example/README.md new file mode 100644 index 0000000000..895537d3bb --- /dev/null +++ b/examples/ingress-resources/mo-example/README.md @@ -0,0 +1,80 @@ +# Example + +In this example we deploy the NGINX or NGINX Plus Ingress Controller, a simple web application and then configure load +balancing for that application using the Ingress resource. + +## Running the Example + +## 1. Deploy the Ingress Controller + +1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) + instructions to deploy the Ingress Controller. + +2. Save the public IP address of the Ingress Controller into a shell variable: + + ```console + IC_IP=XXX.YYY.ZZZ.III + ``` + +3. Save the HTTPS port of the Ingress Controller into a shell variable: + + ```console + IC_HTTPS_PORT= + ``` + +## 2. Deploy the Cafe Application + +Create the coffee and the tea deployments and services: + +```console +kubectl create -f cafe.yaml +``` + +## 3. Configure Load Balancing + +1. Create a secret with an SSL certificate and a key: + + ```console + kubectl create -f cafe-secret.yaml + ``` + +2. Create an Ingress resource: + + ```console + kubectl create -f cafe-ingress.yaml + ``` + +## 4. Test the Application + +1. To access the application, curl the coffee and the tea services. We'll use ```curl```'s --insecure option to turn off +certificate verification of our self-signed certificate and the --resolve option to set the Host header of a request +with ```cafe.example.com``` + + To get coffee: + + ```console + curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure + ``` + + ```text + Server address: 10.12.0.18:80 + Server name: coffee-7586895968-r26zn + ... + ``` + + If your prefer tea: + + ```console + $ curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea --insecure + + ```text + Server address: 10.12.0.19:80 + Server name: tea-7cd44fcb4d-xfw2x + ... + ``` + +1. You can view an NGINX status page, either stub_status for NGINX, or the Live Activity Monitoring Dashboard for NGINX + Plus: + 1. Follow the [instructions](https://docs.nginx.com/nginx-ingress-controller/logging-and-monitoring/status-page/) to + access the status page. + 1. For NGINX Plus, If you go to the Upstream tab, you'll see: ![dashboard](dashboard.png) diff --git a/examples/ingress-resources/mo-example/cafe-ingress.yaml b/examples/ingress-resources/mo-example/cafe-ingress.yaml new file mode 100644 index 0000000000..ecb487f661 --- /dev/null +++ b/examples/ingress-resources/mo-example/cafe-ingress.yaml @@ -0,0 +1,35 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: mo-ingress +spec: + ingressClassName: nginx + tls: + - hosts: + - mo.example.com + secretName: mo-secret + rules: + - host: mo.example.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: mo-webserver-svc + port: + number: 80 + - path: /about + pathType: Prefix + backend: + service: + name: mo-webserver-svc + port: + number: 80 + - path: /projects + pathType: Prefix + backend: + service: + name: mo-webserver-svc + port: + number: 80 \ No newline at end of file diff --git a/examples/ingress-resources/mo-example/cafe-secret.yaml b/examples/ingress-resources/mo-example/cafe-secret.yaml new file mode 120000 index 0000000000..efa8919b4b --- /dev/null +++ b/examples/ingress-resources/mo-example/cafe-secret.yaml @@ -0,0 +1 @@ +../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/mo-example/cafe.yaml b/examples/ingress-resources/mo-example/cafe.yaml new file mode 100644 index 0000000000..d19c0d3385 --- /dev/null +++ b/examples/ingress-resources/mo-example/cafe.yaml @@ -0,0 +1,36 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mo-webserver +spec: + replicas: 2 + selector: + matchLabels: + app: mo-webserver + template: + metadata: + labels: + app: mo-webserver + spec: + containers: + - name: mo-webserver + image: mohamadaldawamneh/http-echo:latest + ports: + - containerPort: 3333 + env: + - name: TEXT + value: "Welcome to Mo's Website!" +--- +apiVersion: v1 +kind: Service +metadata: + name: mo-webserver-svc +spec: + ports: + - port: 80 + targetPort: 3333 + protocol: TCP + name: http + selector: + app: mo-webserver +--- \ No newline at end of file diff --git a/examples/ingress-resources/mo-example/dashboard.png b/examples/ingress-resources/mo-example/dashboard.png new file mode 100644 index 0000000000000000000000000000000000000000..aaa4ebe16192e2f4968ea569e5e824ca5e191a76 GIT binary patch literal 354834 zcma&O1yogCw?BLU=|;Lkq(izvN|5dbDe3M8=>`!{y1To(1nF*&ldi zK97tc=j?O#T6@kl>o)^K*(L+k7;$GzNhrLgUq7m6arM($o~;B&q%2B;Z>q#F{P`;Ur)Q$lzan!NvF# zMx>!^%TSFN0!b6X~fO_AcGiXqdCS(6;>)|@Z?RY5FkDUJn95bY22E@`FVJI~z2M2->p8K=Ticav1eA(QP z!K1@ddl*b2)jG(xM>wT3-u8@C01i~vjUI{!BCUDb`l|*q7U}wJ31!d=2-2S{DY+dy zEGd~C&i2Ux4WuED5Tr`;mUh@6M?4!S?{`{1BG$iJI?phxZj$5JR|t_08js!x4xP4BGO6*@1i=$3w{h{wCa{() zmZcQNvPcIuh+k=U4`uc+;UT+LHh1T?9CL`Et0Y4q%fA+5{sNlHA#$mEf-K^n}N?RJuT z3s-%jaxapP!9;#T^bKrJ~GaZ!~e!AkBd!K-~ZR9WYAd`A(!Q? zW(5xOGo-h0Ll=(Jx};)O5SOi6Cm8|?ZX%VmvVHdl7wA43FDbFc%J&|YFPS*$Wfe>; z({q@;2d?cQESbfKDuU+^Dk}$TS3(gCUSclUVv72aq9LgZA-se6icsa3(OO@L^Q8DA z0FndEpS}a?>iuxcyDCp{xb)KuxCeN2REeNR$gOHVdALixpxUr}{(&!}*n|A`9WO)9 zZTXjQuKTjrCP`3CmY}W)&kPHZOWz}r!MyAa%@p0&Cng-=!9jV0_CTQX%Jck#GYex^ zCShAI1s|Cs1~En%dJ|l|5QZy#bXH9gIW_ikM+$VGA0sY<@;9Bn>-lx;m|8mGkb9x0 z7~YYdOJ9Bg{EryE_nk}HnO7b`6Z+Px=C>Q}EHkS+*;A8NyJhdO@w%U-$10|y6+X2U zqvNzu_|)`Z>%&%5&%qz?&3s~q#CArq=vt_tVBuSWkKRgUuF*_M(L#x!z^$??aXPSj zc<5fR+`6lBmqc)#L^L818B-odsw559>p<{reiMyFw#hYDnL?Dx2Z}j73@hD0R%$b$ z_<^|Uc-s$gLhnCVV#8BM0}4(Db+}&3nB3vl-P?nr9Bp%c3J1#85kWy_fY@(Tb|FPR zAe4L%80kQEh4Mjz?E8cp15)fXQnwQr@K4G2)A%4j4ZZb&TOE1EfA|Bz9Q4(v#|-ou z-06;X_Je1(Wk zu4sf^1)_OJ8*@3Jnger-#T}6%G(wR&z_1B1;ol-Ikcs|R0Ye`$x37CqXTxVC?);|k@C(EdrVBAhw#MG<}&6Ul%lcS`ox!0|Dp9I<=(|8!tLud2gm_8nRCh;s zNqgD7$2oP+j*Bmg{|4U;Uy9AyB4yS!PjaGW3~7ARJi*j@lCSVK#P5wX-diLTLkL6O z4Yq8p@B-sPtjzdQm9kp3Vx3|+EhUc{=g(J;hqQ+j3p&yfW}OiqwpkM2T(g$53Pv*H zqBDQuG&l`uLQj0xGK*KZQQkdCGg&y>n0GFjm`jkAoZT#3uW+44TxOEZscVz8^15}> zy_KR?+&y|Tf}Wt!XVc0{c~x9c)+g_Yb{)igvw*ou)<)o zykE4Fs*?h&6xDVgtACgeTPGKP_4s-|Jo`1B-N#1XEY`AeENlGdx7;Y>0OMHW(k&gj zr1*4|HkI0G6^pFeV5g`{@qHA6slMqT8zp0h@7T3Y)mU@ZHHS46b8ZXphee0hb4rI$ z2Z)Cjha_CgL|KGkMEFFyQ7i=U9Ok_R)!A)4O+4E?)-Ej@IltIu3g-&vf7Mn;vi3I) z-WDMaQ%)I|NyQBnkJn|pWphTh{Tj3-+G!fAoxTiDZcd&n9VzW!{=vWO<$sTi$`Gv{ zO-a1N2cPDb=D@GTC+ObjhUI#AeK)kY!rSjre_j11!O+#PF4}F=@Mrhc{NCi&(3#Bj z^3TOBlY{=N;wz6`o4wJ?)%9n#4jxk84{{wtLj6K^YndI_Z*|{R`$xeVcItN;cOH@@ zk%f}&iyQ?f1$+#g3Azew3>rq_C6^=pF z_`GOnc2a-lMqiW`_mOptTMcv58<-x^o|1@091FZ;lKVy1pEq--DjVrN+`YqLyab~m z=@{+2PddUMx~c+rLsdg3dS+hL=7dVJOCHDh$I*RmRus?uA=~)1D3Mme>ODm+W$vNG zemWY9{$;>XXxU3CD&2G=ZnL|b^SH~`JF)^SVpa$qgMN;}?)G;_7o!Kb&g{*C6y$~? z;v`fd)j{W<_D6Mk57%!`XkF!4y;$g2(v5G8N`LIF-=EUmwtgb*bnh%aI5`-eKXx#% zciu+Ye!VlZ6MH^!j)KS@$lax+gq$y%zCcrj6(81g)_SJ4a~(?2%lj(C=yOh?5F)X| zLXPT0dJZar7h*AjptMwy^M|HB$MuUkJPuauQCCe&&5I#v&(|g&_vtq@&Q18g5;1%1 z6B^0(rOY(uIY@0gk0K`5TL>6?k36h~6NS@-tujjJj%gdnvy^X+%jpYFCrn87=5k`Y zGcC2i>Ag~)YMV1YZR*tHRz1e+m?>s)6j2+{*OH255wV4Z9P4)zKTI+RGi*a@7kG&g- zNks0vgD#%)G)wcfbk?(l_}58E%XiI*(^<6>3u*i>uN@DNR~D5`^y+KVH1yg~58{qI zo-FRlXRqHK+3>H~WgKPPb|MGk1`p!L1mPijMLzVEwGxXP!FYzGF1_y*R%w-CU5!?QZGY7%SB%ObWmA z$d2}qTlsk~ldHCA%dT@}=5X!d*l}4qiMfk~O~a;lVPSW5cB6yz&iIgbqMSB-oBg(V z&vf`~R=Ja|T#NU4Uk`x}XCr6&@?h)bp7Z*lAMg1Q#!zT_3%i2_G;Z#|JABb;EQc6Z=78*T_#!LmwjOC1JVR| zTL}#Z5D1$R{0~A>@zn_k1d(p0tnR2TBh6!IW5uX%WMg2==xSvP+zkTpx$*#St&AP@ zNnNchtsQt=`N@CZ!2`Spf6PQq`ui3~3x0BS8F^9>8+&6?c1AWvW^w@pQc_Yrd!vs$ zilXBGSq@zBlbbp^+VU_lxwyD6y09|Z*qboD;pXOMVrF4tVPOF7U~q7=cGP!euy&yM zv&sLrkEpSOp}m={qnV90DR^If0~;qtesXf~gZ}&ThfZTxv;TRLwZnhd0vKchf5Y^K zk(uegdjm`Pz@PHSo4FcWs*9Rg8CyF5&k$hYV&mfbz2N`%)&D&5e=XJcpQUfunK}OV z(*O07yL zyaMkb_XBTzM2kQmA&{i#TV+>>gJswcn9~a|Yl#=Sq+|j3?y!Z5qM~AG3T3VOVsFLh zGv=^-ctgVGDz8`2(c|+nNXc7gL4J-C9#7{obH=O(*3O*O^UIq=6VT3YAG&6Nmr%uD`cgONG26CGw|QaZBZ*MUe0CcyV!_cO4NykqOWw z&kL~vJ2O(Ac`yvJ7ipZ}llv=jF*AILAiQFtI$!dtFNp#y3c>I0$Yg;zEntFdK`miY zn`qtX1XX!>&GY^<=l?yL4yqRyZ+T$kJbzZ%#Q+b0g$C$^4ekpIICM zn6FPvpc4PPbH%jP79zEJuh`T$(JOX^E?*N)QtN`{M39MT8zCvueJ8`?Q{FlLhQG?k( zyJ|aZ>H?c~qmPXyBk%lh%L6XFaMrv&c(r%+rI0`k^l??;{H>7W5O@6@k#j zg#38WfK8ojC5S%(x+9bd2kpei|C4wR(7)cp@7z5){cYoV2G2a$kk`as^fRX?SYjfOyCnic?p zvMf+rX*~Z3n&)P!%llhOrT#;y+c!5wfKoqT)5(sqc`Pua(SS~kWj_cw*uunkZ7bSk z{H^q_;eSi2VKj*!(DzFb!1QOLtAA>MWdd>~8Ibd%fJ7qY&FbO!%N_mP8UILWl!;3& z8eqN_Q2i38-~+H4`X&OhACqDXNJRCAFk)&KA|(DhG0A5z{!!CC;naSxThagsy*q2P zJphwM5A8}~TG%;T_X1a_jGur<7JmfQ)CS21u(xIb7SwFt=&2&Gx`MLfUPy~Y+lHnC zRFw;(2X-<52mh+8_yxZ;N)qak^rQyR&0w&X>gKH?121I)>@*`$kCX|I7-~S*o{S6W z?k=VAS}Dwv!$3V`#~M%6Sz8mNJ^shvu&h5gNe>XQGK(oag9pl*PS7F9q>?uSC$ z%;43sV8xfLfLTa^*o1LkcU$Tx@Ehpr55`ea=fumD7J|V0Kz-b0HI6y(`LM_Atq&il*75y!# zT7Lp*T~0$9pe#c10I50P5bt+K-f`b?XHU88L5xJ&Je%11x7y?>{3kk5F%rN^LLj)x zgOAjfnvV_4s0i4as7+cABY;TaVdiG=w{-UZ;hwPGPzqpI9{~tYL4_UF!1?ZFgB|IH z3j0$Et`Nt{7k;oQ{EbR^%KjmAhmj0c8gR&!U}v(?eQpb0z4RK;sQU4l;wU_!GPT4w zD)2G?&BnGee|BYmcO(YH4niQ1%-fEnn7jv`-~t9F*L0RYZr}J?Mo@Tw(aPTl|EA`T z%a_xWMFGTA00oXtu)&*T;MG&1VEzNsX@9w?e8$xu+1GL!qXMFT#0CQC z<-MhwGjJh-0Yqn!riHR}I;erNMZ3R+P(rQfW3az)`3gA!JR=N&(D2*s{bD{y0Bct& zA`qQNzI&bd0?~QXcq8L)&9o2UcO=2xA6fycCKX`%`>S|o5x_+dEug1C?pvw6HZU=% z=LP@@`WrE22(@DVp)@h^8xRi!KcsENB4kJz#Q?1J0S^z2)EPQ^C$3DP2B%I==w;)dV9m zO_u=_u{$m>|2N9N_s2?e7^mC-hu)D0cKJ-{i2bqvqaBI> zr3v_+R#LtYMp`T|rGnZqQN6HFT~%LH=HjbKZgZheEH;DtI>${(mht^x-Wiyldz%u^ zOl45G=OsJgX`M`$1>SIau~vmgoBM|#hW65gLfJ|NSC8{#HJZTWMY)qcGfyC}#(Pji zM|Q?SsVS?H^O0hv8Z7WkEHPM3gjb!MUL9B7tm#QG{1B?}VQykS@*U!d>ZKXJ!*l*I z5yoxdbwTiR%cJ7&Pcd4KU-W=qxBFQ@J4sfapV(VNYr=;L2(i* zK+l-=b+799U z)KIx^+|WFV9CWoWVRCGFi&1WUr;g~NX(8C4LBhxC%A*;?SzR~3?lh$I)Ty-RVQ4YK zn0(KMY7?gAp`8nzZpCrdg$#Qhy>=;+Ua)p*elW_byaCtDeiZVZzpP`vRIa$Pv=%0C zOU(7=7>C*C83QvOOUvR@Kn0if>K6IZ+@WIeVyl<2u9*Pw{f_ZN#kC7VfwfgjsQ&4~ ztutjpKL#q24>B+1MTEiw3DOLA2F5N;}z-PoGVKGIfWUB_he^Gy2%HILs;0ygd z;C=Us!9Kry=leMT%ka|xVltoMa_pmk zvKC2iu%@!UsA6AK-dZ5QUPXo1;i59C~4nV9P)WqZNOf3yiJ=FX{_nyb~PWoH!gg>E@`V{;Q*8O=08fy#A``P=ZTw`s_jg0z5uNr^o zS=@+Y3BT6A`3;;u@mD)w(;9H({=YN1?H;!*;Gz|r$+fok1f`Hd4FoY09~;>mL1?$w zBCv#2MVC9C#Vd=p?dK3E-<)|;U6(X(+k0>Lq{6_H@m8lyetfZw;xYG4N89>-CV}as zCrM3vWi^gBZK8x^h2QY?tB8XmW4A$b?ej&)U{qH6O2HMvQ%uN5NWztO`0tsY2gQ`E zR4Z$zzrBc|3^^zbe{piG#f|7gsH;>=rn`76%*VH;8hjTs*gsojQOD!tFLEdosSVGQ zd{w$%jv>%ycM3K4xpuNpL~h@U|MhjtV4>GuliiqHIr)dq;t?Vaa%?fB6;ZMCsFB0| znSZun`40HsM*NcMWbO-)iN%1^vbW?XIY5f)P6LD}cQ*}WK^mACKevh1a3>PSQ~BDDh<+@ev`H-su$uBP9@*AO-SafXDW?lu=Z6l^G1xldlv}9b zbZQlf()-tX|;Ns=%Wek`&>G z!wdel5u4}N0etz86I;fz(YY-&#<0OU}HP2&Ut z;`0kv67}b@Lf(-O2qP#JwcN7)t@b6q_m|NMLnWQpYh72_k$WRC-avG)yL#A<)o`53 zeQN5d>yI{Ev9)ko#Vg)fd$d|@ViT~Lry-+9S&j0>I-AxRV*2j0mY0jlz1$kWyQ+kh zM5N6@6MndlT?-#=~Ar*Q`yITa%WTp!OnkKS*vg$*{i3(Oe%! z_Su>bVK7Wv;DGWFNUz^c)>M=Yr8bzoE2QSP`|dBRCQwH>@{0kcn08rCv+OKs_N|^^ zxNmP6e~X{55T?vME*1l?$MCH!=|3yV6w@DPf9K@o2IRfIr{E0khN9vf7+|EK1J2%L z$?LEHiIl*#_eg{LrQU(&hY!(0%JN*>saKdVY=>s1?X|xw$NdD~NJ78R(dmK`KHYaa zZe~!Yn>OudXn^nCqAWuhx43F9ntVRl?O0sqNb7%ggSN4G?E3XYiTOCxcuda1yp-v6 ze7~>ZS?ACuVpYm+&v9Z|ib^s2T?FR3EXDZdx>@-+{y35&mcbIm<$Gqk-Q)4~!qU-h z5FJliv4EC~s|p-jb=iAORhF{kiBxa!xD$Zed=ciT)1-)oYA|Yo< zp0go)1zn9Ig&R%;QCFc?2A_V$pe;d$W=fi(Cj@*XvqJkx5+r|VLviWQBECn$2o}f% zaLh{W%Q!1TEgEF!A2r&Nc+c&qeV9IL&pv5 z>pV5ZUeJ6L->);p8Ydp^j+;usiyHH_Eu|*gk}#2E zFqi(?z+oE&%A;hDR-ooh8!kIeDMb>&N>*U(KGInltur+-@Cl$$GdR2PZ7m07-fSo8tfce)TN32~pwiUx z7jn{>8=u24Hotr<%CKXp+jw-PL1auDI(9M8MQo=aE(UD^LBTH)eG{jLxvCWvtzIDm0!Z&<^vIY4qonAJT@X67p_HSDhi%6srgVe6$m^m zEJhc#aXZp5YmdplwxstbqMv#TdtobCU7$FKbpj6?_myi$vNdf-9NSbHxs}{UYE++V z-CJb^Rc^V+nekJ}J+j|j2swrvgyt2!uPWIAayWS*aOI}FV4%e^Y7-q9i>)r@P3l+9>25+rCIJ>|Y#qb9wVc-?W0d0jJ?INzz*0|UE?ES1xSK(* zjNX{r2`HfIM-U>g7rbAwv8xLh%F6Utj{Nmp{b*&qUw$s)FJc6hAvVdZ;Ye3oF7)Z8 zb&nvhu8Ajf^ap`6-bp`y%_C05?f7%{(Hk{^xJV4dT|$E$=^^)66onQXwNoYz!2X|M zVlG)3B?CIa9Xr{&qR%&J9QWysSI8}Ozg{LU>df0p-oJ4*7-PHfSbL`CR*Z=%_Gw-` zX*{1^k2X*)R?=CwT@>)9X+}GXKp;&_Z1#)@lcmZw9pp>A-ii8W|1RH=2Bd&Hhn;a} zgDjf~M7;^w7AH2__6G`B(dSe5Rbdl`fjq^qJFj%98{AAEzzV*==| z(D87gzR5KLL8pyu?GWh0WU4>E`wpt|o1I&RFv8p0B;I&)m;(c^veSERyMhA>oEa9Y_>=|kb8azag*39$}$ z9j)9>#-#X)=}zqn1YW)${U z9qCI&o`L}!Cl3zKT5>CFHb=wDL93`<{!Vywv8rDT99F)#4a)_FbORv)8#j}BZEy2%XUc3>x-E~?u*aHDe##UN6B>sMg+ zf__ab+NY3-By z(nHy+v1`ARn<0Q20DvFhj!MV5E~x)Q9f=d% zgIU4nqbZ~As!OT8**e*oORh(z-18DM4iwuhExOB7Ua&-;K{-^}GPq5`UC<2tm9 zREY4pI3oq&M|`mlg7R0!Tw6gD?1Mf=6-kY@_qp<=v;}(_2}MF_B%dCH$2hVO#W|XB zQ?u_#)my=Sh)o(Od;Ka!5ZelzOSwedK7NL4w&%!JZ>>+^H13g*Hmx-T7!H*bp%WV*_X&_SJ#N&uHV$Fb1UQh7zsKdTS49~DVSF2?(&;+TaH0K^<$$0q;lN_U=8LV+ z)-ZqT$9;+K!TKV=S%&*td1Y&%wDg=PGvfKEqgB#@6h^$$op8 zF##0`4O!h*yLcW|MFl^A2MI6{q5|EUmP3Itd&{ymj=)H@a*g1Y7SHBoQPBWHq4pI` z0wwDCBNSvu3a9}X-J2!^(xI4_T|ZBzcN53?N(%i<*3{Kju!R_D>G~R=IraO;Tcc8a zQ&rD!geOG}^S?}EBY%?mfbXYtjJ?A}Y>nQ4toH?MK^SZTAWdYsfTEbOgR|34=cT=Oz(Xfj-JSL(-H3)>)9VdA^nWaVU zga;%BD6dJvsrTg?7w(JFe-%9!6%Cxp*}0)#6_^i50Yfu>n~?)_yhSRHUs9zzTVHp= zbG2_>?!M%eMm$j2kFf!2kM7`}OY32PF|k(a6|cbJCH_RXVv!1ef*UIfvp95=hoMn; z_?SRbv+B4G@f0)v6q(*3!-A!o<;WLqjqP7L?>P0xJDF5S-H7a^s*8t{KM#c>O7`R) z+VuI}pfB)QmHSv{gP{4S)~v4m#3cv3R?_LzvU76w^pUh4VPIf>ej$VU(azqj+8orD z2BeRI5KeeP3HmP4hrX!d0>NK1B%nsKw#!-=d>h{%dW{8q)~2#&0o*ON~f`a%!y$!G7LYl-1??co=Q%>@K|pMSQ#B?ch3 zag#a`g|yBsqCM@)E5 zNW&hhlEK)_Mzmk8YK|2fhv-~ro=&+PmZqqoAv};+(+0hqeP0}w*17Q2+(G+D3IgFK z3XBjEVu55wQ8&Wr8{O&p)lO^~@d9;qfhYZR@S>=5S7FglyVVALQ$j+U`u8o_JH|z? z(=}3pd?phOzZHeFFu63V25R)ZlJYGIAjFwKQgdo~*@}-U93!|R^UiBN3et&YjR6o- zx`UV)bONJZAZ|~aX^co+`)zv{Tpr|N=8eq9#)kNyt&*%SmK1+n_ z>JEsB#@Dmv6^@~I3aAine-8r#ErMw@Dcm}ew`n1;``&7F#s6HncKh=gM)37GrzIgq zq}Wbd^xPWtjdFu9E|;sJTeAbjs5Sm0els*KHfIOqlLUIcOqVM}sKaH0%ip+i$uukQyH!ANP{hnULd`6-PH_xVA*p`AegD~rylqWnu zyS5Y9zBR|D>YXbjf_0K`-;wk{DM61a_@($mW%_&MWXNts=BWimW#x!?pXUvEklV@k zM|2Df%TfY|SS5HiHD%?lRXvsHM1->$REyf^yNb_%g_UPfK@PAyBsc4YHs3FOSo=12 zJeUkQz^XdhdB50JE4YSVr#t1%_7SBmKS;IDD(w%#j?;AFDqP%Z$UpAUyd>iVWR)u4 zRfY5HX;J#=aK@v|t&|nQ=$Dn%-A9JGWR-(7w6k2IkxnK5qawF8XU&iuaE1#Y7H7@I zHZ$950ayK9{}5EG19vK?3M!}pC*L0;{~#&=waC)}C6*C_PgGm+#$4(Z1bVO9gATd( zYX|%DXp_((6maJ@9g%E!P=3b=F>jBN+jVj;co3W=ragZ9k!<3d9-V_;$6j_R>T;72k6(Dv`iH?Pe zLr~!4eS7+{vEWnG}+H8MO&VthOq1;xwxcMfQnm?3$mr*O!~GoJ=#ga^1A-PF&I z-KT4laxInLmLZ^X3bzaJqhn#YburUUM`7?WGBS3qQxsA&(!8~FWJ_W*i|_?G3GStt zT?W{>b|U~~$QFb&Al}jN@ooxej~&rNjrKXKtzZZVeD!&e?cIP4Z7fy?tJRGSPw< zhgAb7SCE-&m&_Vob=nTixgqqVpU8WuCMQLYd(XimT5s2gIv)$M`SKQF5Wx<}1k@8N zFMA@LD*EO@RY%kqs6*Ru@G{aq}u&cd;7h=@(qqDoxeyd79`#&iEq%_4?Dj9)n#|Rmr7KqS8@rl|h z6jVVJ4ZaIDv|ZBRs_$hFL5R4V8Tw%d6eVH66$Yqg=f>h}%5OLJqXg<{XK{m5n`V!u z=XvfD8yDLfU=XOXR_vBKl58eMb7Qv(d-FKvvd~SKC*-Iu^dg8ds#DC0ikxSlIXtS- z^KAnKw5M_h!4cHq_&4DWk84W9)hB=23$6IOcr^RP997eahDvOSgv*J#k`ir1Iuc2l z?zGnLnzL0a3kG|1g)($(QX#X#y$}#j3vZ0lKYvy<`uNdswCzz7PU9}-(n_;lR53Y$ zqkD8FYHNQVC|sN%xU={Y?vX?^<_mn9)I#Doi70W|Vu09Oe0D_=Ja}9NW+k-mC7x*- z@`j*M>Nv{gfufNqmcGU0Mn%t)>&}IV`K1LlFnQ(;{eD`>$K~Oa3;RG%(@TV?&4JRF zzI*XYBT-xe-)0@!*?;PxQ+h%VgflV0FJ3dcjakJ<2N#^2(g|P)V6y?K#?x-a?{Sg; z+lvxo0R2`zJib`lq!-*zgE!EtM6R$JlxDOCT4mo~+(Bo${6I^YJ<}{btJI^wg0oYC zmV3;Nu~R9qlc3x@Mr{dqnx~W3RLEjKSKA0dHV?Bi*Y;0J$qiKAGuOVeJL3oJo)fUk zYU?QTN9sH`huihr8-wfp0cswDG*17APve~4xQy1k@Wb7U1tpTpqshU_lty^7?Pfy? ziV7vE0Y8#ugfVRGnvUjbXh3bbe>e2%!y&d1ZVc*(-u zRWiE$z3k%2stjlt_@6LT3c1)Bh|J9J2AHVXU_%dy`Z2XpP!YvEJzuJ5aHG8Kd`nGF zFMQ@FqN$f>C@H8??ss+gd8|szVA^vA^qvgxk;h7#n;dd5F~$WzyXyuh)SKc=4}Op3 zon0b;9N>*Q>IE=pW}X2qTw*s(+aShyeH0!7`4qakoQg zllF#s{>YH19PC`=UGzaV`DCP_VER=}^g)!bxSu$Nsh3LN4Qm zI+KVmya;hzjAn0X`^C>hwUy2Wj#TgYzE$0R_jnJ=;cR(HA9W*z zgCb>Vs9}4t`g$$pmb0L}M)gr_Dn3msh_jp1q`fE&Cfv^0h1u6Lp8gEKI1$ng)DvQzi}g#MvIx5u9!sbI&SY z>{dy!+Gc!6EV9;)P}L_If7PH-%bZG+)53MB^+WK6%zmh9Sik9O23N|eJtPbpvEPSh zdH=GgOY1u8BgAB3O~@sRTIEww~40aO}-XA~-1d1tj0 z+#pnmH3CMRTR;8y$!29z=tzi#>wmr|+fk5!)9keJ#qel!F;j(8Hf-0EUYfq$xN&bC zd9tPPqyy*X18ZYY}1wGqU`#6*S1we@hW)BcQvw6r6x z`u5z^lrn?#T&@(3s8}OY;?_yVTnwZ&_Q|GKMypcXiCtxpX^Zo+cqx8mYhB(+MJvaM zwL{J*vkLodj_xu#P{)zFziR>70&CNkL7=LXr~q?H?ftUeNr+8gOv3iGi-x+mpb6e? zi|@Yox`T>BuYw@UF;~yz`dg(t%F60hX?3%Tg^$)~vE94l{i0Hb3uLGP6-A2)4*iF6 zB?WEW%i>tVONV#O3xL~@KI12!4rUFHYBCIIXdCKnC|{N7e?m>z3m%{q2m|+tldGIn zS3it3ugEm5b;nkFF?!PHkAkY+l0Z8DOQyL99*~rSmV1?xpy~*xNAflJx#~%oY^^AL z1G*qAsnsxO?TkYSjR5l)8@6ywLp?3{7^Tg>_M1<^Cq-i}8fR*8DqU~-0PR+JIaNt~ zfq71x{VKJBbbU3I?zp|Is!?bL8&OXQhx&jVPV1$R(3e!gZ8J66UYFCZYksgP2#eEG zRQ168nF<(pDKWCx5YzDa$~m{?AS5!dk0!H_T!s?_S@5jpZdbghN0Qqf{#3>1*>=zF zbU>*Ycmr{ozrHl1rd4X1qTu=B*vbRjVj@wEz~uR6y`iPMR07WGSAyGlcCkvgdWz(lvf6YE;z)Gt{6Gwy1ct8 z9OA&>u}+>skhIdA-qPo{rw0(0(RBhK^3N|`kR14g`c;Fqvgx%rs^#?8I>6iZE zB8{!_du*Yl%iRj3VAQ zp!Nm~JA1FN)w%S0(5ano-$lf`x}76!CK!F&89woqkltrU)G@qovRP5qNQ*BFKj}-L z0y;wl$UL;v*e{!w!o6jJ$OZ&+7D5MF8Y%bne(3seo(&b9v9Q>P7kRyQN%qr~fhn%U z=d~FGwLP3koiE)2GS@%b{65`hd^~JbzZ}%)uwyQxTCN-U^mxB$adc{>h^O~dg3IsD z27`pVc6w?HYNJ^zycc>`Q)jgpC=wj)>I7MsJRGaA>bZPcMVjfzlbS+pA@G1 z#-D6jlp*oGa)t!-(Tb}6uS*TOTCZ1(41&!>@vbx@vMs`o&T<idD(idTp*4Wk*t;ow`M-+n{FEA^~5R+w0tX~Wg1>WEoAy5NfL& zdfa{Kf^dOqtz6`VFobwggdin_wP}y_fnzv%r>+rUV?n!^_-Bay=80^rnFNFpyjuI& zAf4+`zIQUMcZ9F6kmKGQ z3cSq5o;S$JQxtFsFUqYz+#Fo^@cMS(nqQ0pbdjFm`S`&6F3IX-%#(DgE3L1#vTDS* zplEEc@?LGu-aOU75ViatXe2eMd3ljLTN3Q zFaUnv`|_={&u_2KOZ_K^Uf?G2R#I5Y>adiP#h1Q67Ra;Pmx5A0dwK*rxh+noj`m;b zFm>fnqBb#jE>V>ctSH4tQ+RTD(suw8zYlLV{-x736$@^36|PB&pX#?X?!zApEN46( z$j}kgK)F+q2-m& z&51tNCwL)k?MKv(Ingy3ga!rhfc>ewbF(bn`%WnWlAf9DePvv^ZAQV%3UN5={aZ|T zPP_mBcsgIZ7-y@p>jnn5FR-Et9z4qrCsX!EElUtNz?JQ}!X^dRSMt~-s3aKZ^y#_U zb$jiRMP(J;szT>9i(dDY@)N)Fl*pnJscM!JfhXPB+{}S z(XY8GH_LGz9Wk-&N`Bi+?^;Wqglx5rxy*T|=+sy<}Yb&ahY1g|{#j%%pKxO%RAh%liB zYHwfJ>iyp^5!@2}JyCkDd}1Uu((dZjpAD`hL&xMM*($o?ER7q#7JlqfcGCCh=6)sW zSz(K+t48*7Dho;zT7lcTLazW@fEa`G{o}_mAqMplL02(jZUj1nldhRxbII+O>X+l< zA#fpmIZ@FW7Rq{$jEwE+99H<-!^!!F&j;0`20wd38LxYZfLW^r@ObRP^{yr=LAC07 z;N>-0J=-E5I3b9-zyF~!9o?-0H^+az{nV2BwffYXka4bjyX`%@Ag5yI4s(Rs`o?;w zq18z87K=^7&c^pzr3zk?IJcEAVdpLv?g;z_uuU-fCgnjGLb|Q)>@X-LXK{i|)(z`0 zytKfdj4eW@HKEqi@Szd#HsQn69ULW%;HIYZDZ2T+Nwy-52Ca{G+yk~Z|5^MUw^1XuGK%8;bNSYb zlz3OkOaJMgsm7q&^HIV6-SKRTajoexjGwo+JL#uS_s51$54YP-?$<|=$-sX-fura7 z=F_K7KlT~)ELU3aF!m7P;l~%m#l*~GqiALTr3<`ZjY(>>4NKgY$@di6ySA>zetDJEB%n3!x#tLdpgASVW}Mx?cNRVq!itR5C}c zuDtbPoz=~5cJxUXB9r=2P%OnebCrs%h5OrEmBo*@AJ@AA)tj9e@HwqZYH^AMpC4YX zdR-H(c%I8RC^d>FYTLszHXpFCS!}D<9z8$Zqn5W`;R`(77&-`|qoaQn@Zu?JIeRbR zWbHB3=?{DQc)e>4rOTJapCEVo2oWRaMYrwp&+ZU^c3*;>KyS zT8Bkc3uuQ~Y`p9CvFIh9USLQh44%HF#j!VQPJUB2?3#Sv)YO>@u?d8K;cdFxm2?*4 zFb=&3fUcOLOBRyBC8}^w-KXQ{CsZ{(FQ>@#V<=dZwc_%&uKaZGu=c0BAiwhDSi|8U19UY>>_K)%H zPP(!NNC1V5Z@>Mu(~F}g`t~hE&gVAe1-*(75C#TCIMH!#Tm2+HJz6%cxx);3ZwIfd zxFpi+o*tNM8R+Qzf6xpiGR;1uS{QJu4Dv46Q>~tTs z?wLu_kJG#@K%i51c&r~I+@cb=^|lA=SG}7TZbk*}Ev+65jH_5L4R2NWwjQ=d4Zms0 zNR{ih+Ma!U+GLdYFv)eez+YT~9zOSFU$ali2U<%E9G4K;c zqv^M{wlu#simIqMJHsQxi-%)}nif9Ak4CnRMpb)xICy~L4^J&B={tkdXMqXGs&JHt zP)R9bHcQ8D4A?bbOiWb{fBGq?>m|e{Cx=&9{%o5rU35O|a-YTomAcD zo|kfK-%N_U9ZrEh!PU2kag?~^(*eh*zU!Jsb=>!?T;|< zFEtr4LgFmwvC0k^Fd`DxwDxC8OF390#rl{!x!i2<3~K7)UZjokUu#<=*EnHddTz$P zBh|gazSWknm2a0&mmb-#>?fYI;aP9>JOa?UgYepEKoGHRCQzMYPnoUb3)`YWEE-Pc zbZ#W+#^`UbT6y5~;ucsqB?pEsfjll?ETN&{@fDJ}J238TY4K(_c}U5-tEE&Nx;D3{}FcH@ofL^yEm&SS}mREa&RRtaJ>h~0tKjJ;QDCPIza zqNTMr5nI(3d&fNQe!jnR&Ohh-IsbTg5b}_?->>VwuIGKfjgoNmWghNz}T&L-fVw*It61-*XJZ{q7E9{ChWU_EUUpZ+?-K7n)0mO z>yt$vR6ua07HHf{ArtmzcjSB?F3iz)t1dxI90)L74UHeQ?(`H{gNeJ4l z3VpthH$<62Tg=NK^HE#!P>z+zkOve|d2G%x))?2RHV z+&s`mxDG66R8LU!M#-5#C^R@E8IQ zOU;M=I^sr-`KffA&-?vZ)OX-is4C~eb*Ac^iPGi_X3=bSYv>0lcU`*MjaO^Y^MfAo=c`fh1_oFkyub2em z%6<8LL_NDV#!?&f$S1l+bivGAcOO#Kc=^(AaMu@mw_OMtyl++065DD0ar8~}JlTfp zF{cv9bd$x8O4u=g`U{B-nkc&o&kKTkFS@j8O>Tu5kSAtOpGZ+Dg>|r}%s``?EHWn! zhjkSl-&v1qkdy=U+0gsSNSjTIVFD;#21my=2b*?A%J^SxZOVu}P2+x#SfWIQr}v2k zix(b5kbU9Vw;Rtk5VWju&195e6MqAjezT-rYtVvzDX-5sZqz5w$*JTA`8npjF=0n5 zuJ!AMv|{n7v*~l2WX)U;XFqJH_GwR+JPUnX<)|U1IS)~^_=OI1n}K1jajy@_cq<9- z-%29|n4+xo#-m}Mj7p4&i(i*mZDLMc8!t{i|BA|M-kEO)gY;1c4jVE6U=o>ho@ZL* zc!OJ??`+z8RsuDO(Zm`N7|!+%^BYQyM|7R7jRozVi9^0&X`@ zyX+0Nk=izxK7wAUP2jhhX)l(%FZEu=K~U8?HZhPrRDjv6Uf+ld5ps>q0PXyr_L z#JVIMJ*H2U0+dKM{|#~9Qg6=qYMmcW=gmabnhfxA(Jvbnl10*Tc3Y`$T1Zn{ts^cdKInfK zl92pDZ-1s8)i$T>m8BH?F>T|PLl>)7B z&P?Ez^!m*+Kx#Ms8KzScs)f($zOLzPVzc{1pa8~by`QnUUy0qH2gp{xvF z&hU(`v+(k&_Ih4dTG0WGedrl~U%Tq)CEMigN%Q`Y)`Y{rE&k+Ze}tacQr^ zg8{N`-Ke8#hIzQDkN>74tz65CSG4jC+CWs>wp7 z#|2>-oQPd)B6AKpKQP)~AJ?C8ir5$6a?t0o(|=)lsq}8u-_A1bw>!{0^?HWCy+=3R zA)S_VG#kVr>TN2Vv#Na~G4m*a$l&bwFfa7O`>T9j4{5X-#;j7rEEfW~eJ?Rg``8L!46X%1t7P!{9 z-Wllx+yVe7(VsGABtd~}@2Ig+HmUf%=b1Fsw6q3Hlh=4|&wSXO!79!|-QN7OTIFA8 zV7k9Fa28e86lTeMA-UMf4|Ngy5U_oCr^YV0#AzI@jnpR`lJn+gOYGne-A+HTui$(h zlQ5H;qKNo6hQkf=TNYr)BB%XMAi1!gQEee8S753qVcN#jHGyca(IUnga^c0GB#a~R zpCgV<8Q!Akwnqn|%I*rVY4Vs*MrnQ*;}S*5(&zE>bC8lH=0*_r)rLwkLp1KtqnXG%cws#erq!+ivGF+zN8X?j+aWp zJ(P1+B|la6Y7|L0X842jW3|UY%F4Ew08*x_o*MvKv_!gER265# z0bl(ZlZ&!3s{%VgZsJ+iaWaJ(?F*pBRt2(uBsT|PQs&7^z)3y-zeGh+;an{4rN&9`4P6B9UAD`J zPd7+u%+I(;nzJ0A8XX{Fy1rk(rJEWSUfqPp!gg%`HGcoQ<>a3jMwF0UsaL}9tU1uz ztVbmC^zb`$WAll>n`b&Nr;C<>#5|80ru|HXqlnXt34rGxitf;7q~`Er5N;WEs=AI= zhI-*aqRGEM$oCfqfWDD|7?Qb306~Y7R=?_4OiplSH>lx49bcarKfmU+sd7_I#HB(zH9koS zhyOKDXt{G8i{W6QW5GEyeV?s0WZ5WxOj_Ts8K3?6n!gXm0KHf*gV4eG$YIk*N+Be{ zl$zAcREB;4ea%yA_GRxxMMXJqu$mT)?PdtJ{-BSxthA?j{rYu}_B{hvDn2vhM;F&3 z%d`Dq-P-kv?kZ4{i%<*~&hlh^rm11ERDoa$7*%WcN=-bd!VO|ohW}BYuA7pil!&x% zDAftZ4ET#pM6d@`ojL?yzm6mw4RT=&2>n!In0J`0DLWj`(N zNpI)Js*$(-o(tTA7m@UfLS*Y%^+4%X({iMf6*!=Yg$KWA^q$~|_L_5(?ao1VywnyFZw$4=>u1( zoGqaDa2cPbEE8(CjQ=X;qWgHDoWZQx`ALoIbd~qZT+5RxbHRS2^+m3*u`%QB`%Ac& z&kfG5FC-}V6A?6;`|`Xx z1Yx>a?e}I}^ak6cQCXEs0~GXYE3@H{lb{sdWWN@z3xXTXwvwJ6jq<0Zx7pWwmp4?# zKx~P|zf-T20$88B)~Js8N%saYn*7lAr#y>yOM^qt+Xw4LM#Kx~)pYc4^wjs-dh>tq z&{AKjHmpLe)dsm7lhTF%vTp5BnF(6)vyHs@nCmTjn&Ln)o3$w%z?!;Ja?KLjZ?0*y zaTg31?Ue=0H`rt$dMt5sHqA}=8@pe8*HBe!pL=8!-9;2%+4&3HnmLlVerJ7=dvW{U zOX;EJUtHc``)4ANM+nsqyCl{h$){HBX(jm+x~b>C3*Watxs&}?_C!j-0lDhMk4`P}-W9<+T(z zZ~g5DdR0|bO%F^dJ38+&ga{!G48bKc#-X~4xIW!X8SKzndO;=l`2lO1iUaNMA||B$pWAcCaN4go%7lPVt;R>I%E}-)8`ve z_D=(=^WI-tkFT)kda0I$nOqKPW(tT+OXx%y|2iN?Kx3#>Vc?bs4w{DI=I~|Me$E)7t)`gj8QpA*9S(M$;fts z2F?h)^+`408fUiOX5H~pI^_4(79?JY9rF-GTJ0<{%M19wPU{7#mRhQ>)tYq$N$VuY zKLUUBu1V=?KWVCf?GzqYh6}CnT-K?AKpOZK-jh>5wC}ltLZP?6t+H+epiA6xVwLXNVMW#QLPDf0Qjp=%&Ta1zC@( zPuB|{_ZDwk8670^)v$Mj$%-_sSSHXmw}kZvs}%l=hywz3roY&<{*U-cTt>uMh53R0 zyymgQuG;?*a^)7C`tRRL=bIew{600#lC(nRJy;gT%Fchd=^jGG?2;Sv~q7 zHvM>7QkNWZkCms{%d(~ZAfQixa-CIY%^7yCVl3?g8#sC0h!UCnrCHC<{PdHiwli|3ai7Z$ds?@`Fj#(0Ei*+4h$JX6 zz6>wN1`N?Ufnx2V1yOuIL=dLC%MF%;{JiN)y|jAM?nYbVpA10o#j!rYFzUER-ovD0 znU$)&lYq2i&;}0n?a}RDeQ)Pqm^ri*p3r6%2d}FSjEWi{%O(UoD{(t@Z*n`g8 zT`<*0-#=A(FUbKlw=sbpW>5GgMb~9M2qZooazYUXQ^`AHCwr~pM;d0}IcpP~Wv+lyzNj{}Nd+`ww)Y{T=oq;JA;n7~y zk9wMbp9OYdy~BoDp{(0T2}qu`5$c20_ppN|xV(DDR8-jTF1Dvdj+I z$Zg6vz7Is}Z&ikS!ZWbFg#k-SVG;UP?LX=9{>@ zvdiBe7cZd<<)M8c72O_$4NWXq0%cw0-0IV410s1&b@*$+cl0-WxF*oRRL+aX{hf0#;=3QM~RhY{Yya*~vp~{&_$+G_K zgOmMLn@SNsfQ_33Ohh|c&dK$kT~`8#Ows^p$THs^BW3ildTJw5tS>myZ~OO;rEe*V zUJ!rO->jl-(lAoR$r|f_-&418z_7OA$diA5V6+d;j~>_pM&7qq`;6Q;gK7XAAWTB0 zeZLJDTzk^Kk~QHVp8tx&9+e*68q&E06BFbl!Fge*Rnjw2Au*YmQoy8Y@o3?Lv$H?& zt@X%Bw06?Fp){Z{xgXzDO6uB^nsWPqiE!Fl^y@RwFa{)G=u4AhAR81nVy>QojTGtq zWgy+U9uyj%E4cqtsiQ4TN$rU^`m5}Z-EyRZOJ-fSnt*fOz%6Jo(Wu80({yf^j;3nw z%P2#-8~`sx#1yyu@$U~lJHKu(x}a4{i~ZZ$qFBOma&nv|{a2#^TE&G)gXd4vDP2*& z^*crx!+wFHx=us<8eW@t!BV~g6{kK-V&z|zt0c*EPkQ*O!&IQ)sQpuWaJ;65+>ohE$y@leaDpPCv$QgvY?@q}c^lgL1ziQqukHNlP=33bp18-EFj@T=Ea9r*pHB&t757hqVGl5U!% zV@!}0mbbHElpM`|ZO@-lNFN!*PE-H>`Rr1=`})}gN@smgDZTA}&hJY`iGlcK$A8^) z$o$WEfAR0m9-$g*ht2yyAZT6v={p~TQXu^X$fx$k`fUyV7m4vWTcOtXDjeLXV>n}4 z{D21B>gq`wZEMPs(OsEupBY~!X?DJ(GzovGp=uE5}=TLlJDpu+pQ zFxE#S-%(%Ul^?MS<<0H`liF`<%SV4Pf@hI;tP7720~H3D7eKFt_VN|@O44zXQ_1SQ z&=Kp^Za=|yWj5%tiOMP@-7vLTGiM7`Gt&Y@%_B%)e z$94a)PDp~4VPagf{+|73*vvYMH&yATxVF4=Y|aw->0V{vwU_T;YJFE2lrT5zc+`6L z3dph@_R|X?miVK-kGcmGp7((hu(qy%sABbaH~0s*tSJ;QhWo3!&JHp>`+kIR1b#|M zS+mx3=o=Odb{3ifD~y%jrl4h2LK?Osow}E;-VaC!y~G-``@?_;zBee)dFT4c=u4Ru%^G;tW^BPl!w8KV=8FNZRv^DyiLBuqCEp{yihgyTFyIY-PN%5SA&@ z^p_wO`g%F)qFjIoUhjHM#mS3y3<1W;d$U{9PU61rU;-$h;oO#YXExhBW z+r_5nYyqIk*vltwle_KZ4`Jgw#3O$a&p4PNMO!hzAZKy;Z7Vv?Zpux$dfi@;VfP|V zblV;j{p0Us5n+UB?UGMsM0Ow0HGF59=_Qasgvq$R}a4;nJK7S3W~WA~c!f)N0;YFe%4aIIEfa^(8YSggO2 z*gR@nt$V|s_OUE(nG1OjguHl=EUR$u#_j5iPnP8>*GpQu`UE|C!n-^qmQ;^lZFxFP z@i-klbDDbR)Z_4HqWb9ZaHh3OK4PKiXa;$}`vjXR=HT>>B>+A7mz_BQZ>?~e({O6# zlmuN~OjrX9PgU3V+}zv=BmG)v2b>Ge2~|=GhCO~3J)H>!y)YIwQE)88_+U~^O;8{Pc0{R`H~6+izFd4V~c?Ylc@H`;tyNtnScSd=Ne6urx@5|AJZ2Sb2gjL`+v>{> z8x`LY+?xX+CWvW%z{W^%yrK5g?&;4|I0|qQ1KdmxV_tGuJ0xdhux|WF?oCG`y29V} z#HxhRhMbwas_Xc`D`aNKpuXQmRN+`6%G+)3hey>oCC+H$?V`u39QDz^s~yv8g8m{d zLdnfWW!Q^#&#JX@31zuP54eIetPFG5iE0^u z$)1t7^}>+mig}pN`hu**%4=hj~{1>en-R{s;O=6 zXIxF!uYR=5JGy_BkDs4$-9oVNE-$~KPX7$B$=~lt&;jC*YkcFDfv=jct}^}5P1mf? zEK(|7m3CfYl>{0NbuaIw%%gKmda~Zdo*>Cp&S0Yd=Z9FvZ&y~=1blX}q23FvXc2Ws zyU!*!#7gxVS*K2(N@M1I#3Id&7;I^(7ZVpd+VPf2+0|$L*Q!@Ncb>^Q?nL!U?snIt zV`H!eqz|~w*tyhdI2;VrTwOyC-j|QAwKL0Hyy~Ui?JYR!d04?HqZzK1G%pjGJm`WX zf&8d)Y{ysy93*DE9n!GZPqy?ep7O<`mX2nAfC640u8)7Q?tfAJg0v$sG4ab2QJUU0 zN!YF}lcaOX-_CxwgB!%~)yjY8*V={OiM_)tHf zI4UZtrz(2@rsa3Q1w2UzlX^*D%ez@)T<^)+pF*T%a*dH3Pd>x1rTSw0^cUeZ6T#Y}*+l)1-FC>rZi`q7GQX$wN|%CILP4)+IKcVK!WK>X_aXMK^J zeAULXhPmM9G;1#fFHvy#bMj{SygtwZ5__WqnkQJ@`rqj%^|bq{d+iy73L)7ls*Wtl z`ADz=>itw_(fgA0LeYw4Xg>}C_XHixD@LugC*~GpT{=BP!V0c2kM$4xKM&vm1{B^t z6ALbx&dP3j+Qys+_te~VW>P&W$XsX+QxMjUV?K2e86viohZQBlkkIY zemKY5EAW>I6F5^;SR1w!TtYj*6pFuVg31|{0__G*J-W+c2yC7YMY6^YUetMSA)_uO zUQLD5e_uKzs<^V%pYD~}({0K8{Y~rS;)1JM$2528wX)cU(a~1hAMPnat?vklN2+*B zg1J>|0jFd-MxUb~5 zl-Ig30U$_waGQ;LI+d?&_%f*_f=iZ%f=5jpGVQVsC%|P4sE0DIe_s7d%=Rj6L^6rx zsYaw-E|vWdZa85tCfZ%YBJ+bTn-%Tl;SbC2`j|N#*Ot01j1=oHj@iUWoKMt1M3~{j znjKlafHhoQm}^5*j`v#04ND8yGwL0mdh}CKyr{4l>bI2YuuwHjB5;TC&uWW8&jaEG zn6%j9oHR}obA$e{B;6u?KOTQY@qY2n>JrTzC{1;XaknOa_(JKdNGt=4y7!wqNW5+- zw%)Z`1J76Joz3T0HMLdtT-6O!l4%>YPNb;U^{2pxJ(t{D z-&`Jo93|Y=DXC8phU;w3*mN4;<|f>|X%c(mTqyOR11t!;1E$8F$ZeP1cCA}vOci&G zBdjDESw6z4_CJ~lD3=W`0dJ=~viYkH#B^_~qaAdc8=HNP^hn2mfibbmz}=bly{1yd zzilSRsQu!!p~XB6boLcVM^@lp!1qt_N?9TjutKG?ZT4B`tI7_bY%AT?gm6%W(}Ag# z2*rNmmFW1$t`j!ds>H*M$u!T`G+g*ob4Y?|gX@P9i-sqf-CfG1f$OUVh0`+XHKmzy zbT(@O#I`JjViUx+8z&1;#m_Z4|O!O<5#v z)reeJ$`$NA+1*tXCu>_Z72DdU&7Axz8iS7GhXg8-v+sVsB!W$x zFnL_mNHKZut+q3TG}AyNURWv~KN)oDf9L8-%L#eVl~h?^&J*F0L?JWv?FiX_-Qz1; zU7T;j4#zyXv~>)35=+s#oKm<*P1zS8L9<7a|D|MrT6+EDJ98eg?008%T-5H_uB@%& zg}In|q4mtdv4M2isrFFw>O*ez3M&x1 zcRnO(&2?sw?Y5gav|2Ekmt&q8_5^49*JUc)wqY4+^4;CIxt6J#*6j0f85y`C^=xo^6u^Qj-t%$01h%i$gDaA8*_P37Sze) zU;vWGV!%rM%v3`K>uY}ZNIFKl`Yzh6?MwgyY#%VYPF4X2TE`3Mr`FnMX5Xk9qOKx9 zDo~`*Q&$HfSZ5rM=-ZWnHQ`1;VR~%;pfFOb-ecMNEl0fY-LB>q1m3V(cn!=-i(~t&5G3t9AFoY zH^M3jX@<8I_j<&<$NOh*0_KhT0nOD>qTPlqjDYE!NeysVy!Z>FXKTa4D!|l7qh2}Q zr%;ec>4r~0Ujt3%&8FNh)v%7v&PTW`1_8qqZS1HT#E+L8eqhh63v!@&f%nsfka!Fm zTH)SdBCB1ylj`;uQ$_GlouYImWgX3grC!l|RYS48D~)-1_bTg#hF%W3L#C6s$H%3g z9go$%6YBAFY$ZK8lI+9EjR?!0JSORo)X@zfgQHJ%d;Rn`PtT<%pLytH$1m2)3vZ8G zij#Es?(!~S?$e#^eCZDyIZ)PAuJHFi7W(Cvgtt! z6Po+lG>Kra87Jwz^lnvwKtEC}e@Ta2KA zbS1OQTp;-iQgY|t^*-wuw7>-~jSZEXRi z-{==>ab+8>?<~#~PAZK$y>e>+3A-|wQh6gwAnvx&l#r)KLHY*x-m^)Cs*ML8K9fP} zfOt9h24@Ga>=&fF#_4^1milhGr>Dnsa?mY3)cY^=u!ajdSuJD+!KkUJ7lTP@;i?gc z_j1h2qe^3NF0>JNlru5(Fj{))j)sm-sjE~5QH7)jU}mI)xR5Mocor0^w7<^=!;6i7 zD$3OEWcKo+MmiiYHaY>)pTD@ccyx~7?+;v5yH)7qZ84?T$mZie)J)=UUPPTogoi(E zoyc;l+m!NLdOnCi&ZGnF7>$*M`!5EGrM1OmtEBlDMa(F?HuMUwZk8Y*2eaQO=}84# z{)PN100Lh{^$MCR%h6{MWP|gh|@f? z>Ba;UM-oKMDELso4J={PFBx>EEHUl_{pIs zMaZtLU!yiX6pnWFb23HTW0{-(_z}T!qpLegbNkuVx}p~lKC#lhma80oCn+iLS5s~h zKT8_dVZuomdZlW2NxVRCiAwEmVZ&k*!y)o?=8oXd%f9jjJW_xC)L z#_y&l!S6!Ycj4E1*4WGWN&>Z##2jm^E}(eD73U^ZDtPc8P`F5 zuI*$zR zb&v8l!tJ{vOSe!zCIM(FJy#6%EhRCLhneaW7+G4_sF^JtObE>?ZP=`5?q4OP@sDDc zuW#F9-W=*mWfq;Oa*ThoXhu`-l=zzFL4TTrR^x~Mxhrtst<^ifagY@aj6#oJz0fGOd zJIJ|^rxD*n*sdY~QZtoHzTc+bNS3r?q5#8j2v8Nw%cDm>0WRfrC~pm9Rv2lBqNnj$ zJ6kE>veo4qJUvHlSp;OS8o8*bV1fA{aMV%piKCk(>8Q?33En>70Nr9Nwd|ZOta~SS z=4>cq4XD%LTL0exLxtn;oKbCy{=lhYMS>3&SyB83B`rw9!P}nSaibygJ}*>SByYQ1 zG7rDhk}QGYm$W;ot^^!S8#SY5_Cv`w$}Y~!-RGZqviWVGaXp?+9B(c3DW*#jqYmnTUaqBt zBs(RA&y*Or6qex%!Ol9AocN3;VEn9LHRQJCn;E`bn-QvZ=HpQ`P~9dJIsJ}UaE;49 zQdT1<@V1DFFpH$?49}f)!cQ_;l2%OL))vfa8Mi!%cHxotdy6~>WeaktUz7k2-#&wY zEAR*b&B*I>C{ft7ZgrIUhX&@~XxBk1PCTrY=I#BTzq;`hihQkRplJykwuqy7-HQyt z%ab{;twM9cd0l``EcocLVh*NVnFuzufLv^#5hG=WSjh4)doRg1ZXI|WyPo3EU{qPy zX(0BQmEtk+ctbDTbh75O^FUUzyKcBtN_c&P5)wAttY6RZzcAG+l(E6uoJm_maqv8V@Rv3%GnG>{s&7%IeWqt28@*{|hdGyA%u4CfR%(Z6n zsT^FibiUbwB9c8`(IZF{DTLSh?5a zy>_;ag6!PEdqX(8Vqhaq3>xIu&gR|0lWhLdMvZ1?E#u8fL#cLaL}7-9CaM8ulsp<< z^nrq|6sj07B+F_(Dd$H!@?s8%>-j4k`VZw6kB}0Fhz10K^kdub9gS@X#nvKKMPtWAR-+7ugXSoH`10koNu^iQ ztviYW?$2taq#u~X#odfrYte|aH4yFV>rJF#ktBdy4sjFJE<(Lgy7>bv(VE?nvpjas z7#8WjGN0?r-%oqHI)=$Czn?c2Xjv$(PBh+@S_JHJp|w$&WBjW;?Nn!&&7S2azP

&ctUFu{j??)%F(5nCk4JtB(D z0e%TB1yKY?jSl$6i>)bkC5+#p*zWrK8WLtOr>q6~6y_0lIZQH+9u1hfr8Hw+r7e7X zSm2BDcUEPc^@}uD+*igA-w4Whd?2B5w(cGq_vKS|Hx2LDxQEmOHcynnzWbpXQ{9g^ zg}eX7gS^W5Tk`KAsPKW8he35$>(GGkYJ)n?tR9;eDTaX9-?QzC-ROtwp`yi<&D@`a zjO=!M+F_%ARiJIZ=Cu`S;o1Ut1d5^R4B-;%HJ%Rn&!^9F{i`>j+`luxWZL|_f%f;& z@OjzDWb0nFR8Z1}KgXM~=K}P2NKpEfn9H4*AoW6>%(D%9jNywHoRG$y&^N!#ttLNG z-h7HQa|*H2O;nsd0wANfcpaHexpjcaiXGOWzL+)34!R($NcJgKTGw>@*WRcVL37T~1bV-|j1S_vnH3IdDZtnaSl6S;J?#@B=Y-)v$8R`XL6Gi9^?g4hi%}NSs&I@e zu#u;F1^lDrgKy^cZnsGH&(Ajlpsm+@W0=I+N>bL(kHXkZpJa`6~|PjLHS zTxsSwrgYG>>10ri1GRGm_l6SyFDJI#rhRiLY58-E;zg}*=IC0FLxy|ka=rz|DJ1CJ zPge>hD*t96XDxtH*!)fODIhRVfqf@YhoGRNHEj1u9GD%q4AgMmpFi{uL`0-C3#HGscW7o+z8 zd*;%iv(V$bhoVGQ)2egB7)h>8P=^dq_Z(793E%6e1xOldpGVV zMtrIJg~}44)VGZP$fFps;GniQ5-pv4B}U*1E2kYrwven?nrwm9Te5%AuwQsz(F|c7 zwx6mvnrTUP1mWZaDm^h$Dy;muTnjp@O$&L^H}lM%DQdh)xbqNx<)eUCQp8T-PFaV0 zTRG*EupK#GfmxIL-FwR{=YDP1B>Y<1nM0X|obv{o_wrOdCgCl;S)RwI2(H^GQzWrD z&0IoaVroNSUS7&OahgW52FFDO)L5~V#8pJD!8zhb!;1;(!?U^dttAXj!WH$gWN)2d zOkfl;9bpPBL25Tx;=((Cp6E-!P#J(w+RyF>tUv%JNwht0>yhkC!$lv%Dh?2gdHu^} z=TtV+Q?JQFX3Y@WGHgO_JEa3(koXXL;#s1|0z`*&McVz$Wr`wM**9tS!ObKV@dsz% z(UM2A)So|pUaCz4c4Q0?K8$PhS2_;gA57=ncThepu{tn+w-3VA0Y9H!IP%Ee&MwvP z$9}HDA+|XJJu6e=l#?!lXT_pvN7aHp$U6jBQk>wC7Xd4T@%^*umGj5mep!OXwLg6n z4SPQ~SGT}~q@^`Z4mYjO%q0#cIdo@Rq?6-g{#y9!kGX>@L$HLpQTC5`gl4Mj;X^p$XD0b{mWctk$ro@=aGzUYJ8SzZX_0O0Q?{qS_O9pWv862u!Cg^MBN;r5l z`OMp}?B>Ffb#lsvDxku6E$Yv8rO$?Uu-=LxqTgggt%M5??W5pE(I6Bn_~TFNE~=(5`rRW7QJD^Wm>i$WaLeT}V<82Q3{|Hy z3@tAUQjZImQaJG};KM9mok6~=oW*>36N%J|-qEwHVHIv$7W(L4A8zTV(fO-C)L)L` zzv~V_kX(?JJdxog)7|azScr#;bnm0AwDeT5?T+|nu3s$J2(@Y%#{3NI^`-D)`DmDsuq4 zkw3mWo7mrV#G;T4^yHOVOZ802oD|ivhS6(p3#y(wvS6W}T02(=Z?RxeyK}XddM2(V zX&}74sj>~z_~BLQ;%?ZGcxO}gh!)W}<(B`+tD4}OrKBos`WU^$6P!uV9qWY`X4^p- zOHpB)kJLpYb;IARumD-XEU^yIU43&+*~w|F+rK&atcXFQ{ZK|{jXSvHL+$1=#RAGM zJ5(-f>4CQ0?xQlM+k#Bc>himgs3~dugVZ_#-Q@dHXqI>++m)IX?n~)~xg3Gx`Uk;s z8?{pTwO@>NPIl={;u=J+p_=Jj(ngFeWsiwhXB(GibwhVD<4HS!?IX(xNV~r3U)GTi z>%+2!mu>5OJILl0egAy%`*Sr@$hFl&qi#9x8%akZ;I;qJ%8GbF=g9ak2Mu#QP+-d+ ze}BFbh+`;)d*kGUw04(9uAWKiyt&(2NgH==#%5!v94*xXjpcXyYAsFE>$o@%kqQzN ztI;XCcOJKQG1)9l=! zk%zZ`Uv7WY$13Qsf1Lc*dCG#GdHg`*`(QRXNynhna%Ajnw-)HDZ(m2&+Uw8joT5t3 zJhi`tQJ{m8``Ge53!|4FMHK}Dx2BRkz3yg8RM%4*d`IzsnPA;2$RSU==}1G2kvO?Q z5QCu1rO&f|(^jva*WWmqYUrI9%eMGGy8yZ?FE~nP%S~trJ|*r(U~K!t0^zs=YUAMO+Myu03QsF6+6 z)sVquC0zxq*bm~KpUp`U>^EYb#8g(3(nnE`w?CT^{3^R?HrdT3zdS;;ThM|M?Yqh$ z(r0mFsCI2HN56rCr-rt9+Rp zu|*VCw`1uKw2gQ9;{0R+&fRBl{&f3Lhgm2=#T=M4gK%+t|wEEx)R zYGLzRP_akC8lhEVMznYz#Qr0a@3H1mx0#7oE>SQod&v2dE`BW}!=ET^b9m>Vzv}AvLEOY)~!V`%{Ij5=t{}y-M8|}f1&LK z%%wAoiwWyBAn}2>19q;1+Q^4zd%h-;F1)9Ev2&0Q#3WgWLBk9#q0`R4N>SE9@c}F! z!~wIL=ACMH*q0l<#uYZH6TqQMREKd0-sAqS-CMAd1<5F9ras_d2Go{RJY90RRGqOn z&vO~#9x z5*+bH6$Nf}Hxz^=d<{U>A{f2*wmda)j~Xoa&eLh*f7UL*FE%7I0zCkvWh6ToXm*;j zM&v3>_41#+YgUZBzKhplk3;dKBOnaIc#`;9$UIbt3vY)qcx?-MViZ7H(< z3JumTCH;V%sunU^>NB&oEQayl#bHAW-@89N1+V)kUCzWMVjD}BY)+tm!=|#Eq#ZJi zc9TY*ub9^)FHJt4*iNGYvUuyR4~h!<`{1I7TNmR4u6Q~TYmTs16+ z{Hy`s_7zPk#+R)#r7q58^9yac$#*#XZq0;Lq7`+hIr06SwVg&?Q|mmVr4ze8ZV{N> zDPnK+y@cmL?58Z<{n#i^x#My@AnuXF?eU?l6Q_?v9s!-6mj9w$t{VI=_TDlq>aJ@W zr&OdA5s?N#5D<`-20>Clq+6u~WQOik0qF*5Bm_z6E>Re|I|gLPp}YC-(fhvN=Xl=x z^78%m|8RZrn30*^>{x5;Cp4LAv zea$-k+=M-6Sb&3*Xe$CF_v<*Xw9&39ML-lz;*cMF!*Yi!8;2Eo;y+sy7YuY%^u!j9 zoQ>Rz+V?}m&JSzy@m%!X$;?meUvncJ-WIb>a){TucjgSTNAsYpmG7GS=~nA}THs_7 z6#KiE;Y+1Pvk`A^Y@|!6Ro{)VN;3RieApoa}Dc-b7W>!@JP-xiQ;`yHP78W^7rS_IX^f%xqbxgV9C%IrH6xXyVdu+i(O zJ?YH~yBvL+M($8@+=_Nu>dO^Y7Tw=g-{>@Rv1(VSv&-?22ZGx3=t& zkFuluqr@|65Icdg&s<#kb5eMp`bP0hYmrek)!-por4f4k~g4FBN}K7Y4(Bhy`5W7$MiVz|&!#WAw<9m5Ui={DA5?(AnTPMPobMB+crHP)NO(SoQ7 z4;Ri$$rMgv(+3h34Jb%-lf?`?*I#U@GqOvF%+!c%QWfE~Kg9I*WkP9q&Qo1wdR!Zi z=pOY3+K!!Dw~40%&B4#?u}))CAiIcbjCaGR6pqQAqt^RH>H;&6)n=2EAEU$V2cBB{ zSgW)U7*6R{7-r_NX)?%z&0IOnTu`7TmZBL`F&-;{FtldLRe-1*Hl-L_-{mV8u=N2S z9V?M_W)Rs}J$UQB?wtf)4K=Z0WbHU_9l`2QNkXaRz_{kb`E>K-#Gzqxi$bwe+xE)y zZMdtd`(jnd>!}={-L-*%W1F`wPcDI)n~7y~Bg&OBQ8+u4{iL%+*>7025*+~@>EUJ; zFtE_a^BKkrA0hA%+c)E)A8c+Gfp{y&?SEkJzUGWK=aO`f55MMNo(FdZnhmPn#(gQh zzrh)C%bgJv>ySWVO;P>!54iu>HX2w+DF%o(t?TOi0l%(Q<`Y*6-wQ z1qo_RvsiPVg6(AGU*8W7zFvG#t@Zp}C~gN%Py%1+BR92~(UIyg&dhwgb~0KJ4(SV+ z?!KI|TS<85LHnH0YQ;V^GoeQ4J{wc`(GH2czK6H7aMsA1ueR>5r)3Dzl$e)#{db!-q|_ZEPZNqdn?Ze-tR(%TP@H8 zB4`m@E>tWi57<^f1MqXK2AHKq{8r_1V+$||-h>ez-|A8@A zq|R25Nn2(%|)IZL|*u}to&Kc{vRgBj_A*Q>T*{G%`bgWoG{j^FOkffSph4I)4*}>4v zCM$~y89Ennac~eLW44+7*mSPEbso^_@{z0s^L3W*|A@;-#SEQEeXZ6mcCirk@A%%$@-zJA{nuoz=hKJ55Dax%VCt5UB$qL8(lTi~%&UG@1@@cs5PJrDSP z<_zwfS31_UT;(@9r!wu$TU~Vc z+z%2ou8XCzp;zc$8RjKW`fhkuZLd?FXHcPRQ?V%f@@1Oc#`I%t(%BbNIglq4WtV!k z5`wSq6dSW-=H)#pHMcq0x1?vub>6eC4}q6`A9V*E5Q1%yfE1s=S%3cqzs0s%gvzs$ zCzZhz9tp(&ePH}>c$UAtob%bEXMW?mN0%#XBAuE;g!9f298z9iUiMHr1@m4-IaP}C~qpe%?nBp8+nxG$h z7Dee_&~`X&h&cX8B9&oTLk>X7ihFCce;vbkO`&2Koi~goU5a#1G_^B}zfBxILUP6g3cjVXyAO?5OH}6UJ$;Zu9%NK~qluS8_B3qVa!M7}==FjFTI=F( z&sIf+^wSqr(SN^7>P-|p!m}#pNX1uw$II)z{ghpxe?dYu17Mw&ftZ!QzIUo}%czHw zsI^rI-4V{P)HZE< zV$SAo-L^2^UcDUSc==3n28!Ch^C`pn+-v9{2Fa;m0;ue{P1k|V*fmEP>&O1VINm(Q z8faR%^;8GnkJ3I)Kjo{*xq8Lr+|@*srRV;kQfkdcF+9mtpDkW1C#P(Biw zz@|0eGJ3P6%(_*U3};fhA?DEjq!*kR|Fwb|<(O{X1zChD4yPYi=}6RWl3m==zegUZ z(I!BrSuyleM6u)J@G>vP!4!@_|PsACNs*7u8smcdQ7}pZWu;+NxT0`nx z%`MC0K_sxh7cvV>(3gS)$jz;H;eqXrGRofxv>N7=v{b%KY6@zQH6eziteaV-)Q*Ih zE-a>=JQ(h3@mI(Ik)l~-c|s}QaOV`6W2D1!Qm{Rj-ZP^9tCTfc!D1I!s&5}Dv&%$g zw3OAFZ>Y%IXtZ-kJ+CfJOUHuU_>!oM#EsG9U9{Ww?S(RHy#OVo*Od6v}xPAM;T^a4!xw$0iK zG;||q@Ph_NLlE$|A=yJaIs)Oiw!2M~ptP00uv9GMcvV-c#?a6zX>4WQFfLxmrxW5N`I9~_Z`$`AL1gD(X9X`$() zV%@A=vDT4=QT!9Pq>Y}uEp{OvO5ce7BuiReb^(ehZPrVXcWylr$?9oq>DhXhtyW8L z%NNb&%gfc!-}ps+sJkxM$&#*@A5w#8L;*x2)%h2@BtJ#3(LR-(H2L5bjn`^E;lcp~ zpC(pA{lmvb;N#(`&}=rZ;n5(q40xFNm2gTTY)cTIT3Qz+*-&?UXpW41yy>*|CxvrE zQMJ@Drp>Om1JM!RDkYum5coE)TF<^VU!7fgbqQ7fg4iu&kA#=A;eCv?r@rC8S+tlJ zPC$F%IwLy&!`o0e%XUx$0~QibAn^7#GbuxPcvwp2;y;+cwl>OxnYh$_t3d5n?xjis zyS?4V`8xom&v39n)4Ez5XgiN6WM~hl<>3uDgtV`t*?jMo<6qyo3dAXHBeME1TB=`W z@U>(@Q+ddpTbMA7b&mqw-V5q-flK3>ptLTu$61Xkapzg;6pnd=ew^NXe&4kT?W56g zbbMNiy#*_bqhVg*&^^=n=(p>U?i1^?&g~oqS7`)In3u5s>#d_-?$6=%pZjs>^}`Iz zVul^$HLij%k>)xJhVGS?_9s#f6kra!_O@tRq%oETcMa=nHOpgfjb=Y{RROhSd-qcc z;_nbOH019SRiBR4X>YKh%JW(T9)IA|^Rv56sk)Xg$QXhU94Krv-)U`tW2Us$+!m1ZPXXz}r1mjHQ-p^(Zq zjNa`6!HE1&)c$qT`7nB$mR-XvO)7 z+`hjNCBk2uAc+>oKqyA@2@51XpWufy0TlM_tr>wY;!2*4ZyCKP9;i(Twmd@9l0IsQ z2%T?<+t--byA`C0<_y_?$$uV*OGlNuPbHtxKs~T#Rb~23jgVg<4=c=-d+k0n*h3Q( zUIxEcNez~w^E%z6W^YTkHNXcGSmV2wTT%O9r6AikRG4z$`u4KHg$_=|_Fg9D zM)=tTenlp04H>Q1>sb1=-$BM1s5H(S#_)(wdRW)r6N8N)Wtn?PffBS4@7gOEgfw0h z@1J>{1f3ft-k+#vZme^h$~Svv7-zFeF7>{+t$ud!QO~382wd!^K72zt^%4I!)?4g32?!ZNX4=>!g}lK|528*y z9(@ElP^FodzkDx1)pGP{tWfGrhuM|4C z5Q26LzziPy*k_q)M@Ym{Pfz5V;;+5r*06BX11dT`yt)T3>#BZL;2K<>@^DLkc(e*z z%rrHL^$HO-U9smhp4#==$2Z9WCPiOliHda0LGyv%V7MVJs6s#1})>_YI z*{_Xd_c~jAv6`&Gel*iYs?ZQQ&T3wGQE6SCc+@rjB5A{xZgi?fi!a5}?N_|Qn^Jh? z_)R1zHx|+G2`l7z1anT#dUPCrGX;1GduevU<%<*6U-J)!w>NN<3wz9rkpw0~7lYT>$cL2R9z%(>wpc5nj-s5q7*{%w>l88xL z;UwNLFyG#^_|DCZo?viui^)Lmj&r8qYm0i6r-DmI@!>iNR3~BBm-iMVdanMV0WXPV zNj)OI^@7YQ=G3CM^8Nlnrq4z6gvliXg))PZ_3c^0p7-jH2#j1E$4G4UdJZlZTQr^| z4$s}IGVIy>T92M`zmaleZIu3shn;VfTFezE$*w8wOp~^e*4jIy9yzHNJ{xaEs92%} zSuCh1zNL$6)y?~#LBk!)^4~mU7N|KldRNJQvPFQ31h%jGm98>g@IV%5o~pm<_?)Iz zw*Qvcplx1s%2+-neM$!0ckDzn2EHMoaM|Uu(9>0l^dGOSHpaHF^MiLV{RFdn4P`&;{;JLJZWuw85^9zCBQp-np37N46>LpMDXcF0MeVQ$psb!;LP&0V4(*TKMA#vwpLR{ZYl6r8aN|(C+jTN$X zN7i}sNqBKYYK;cR;Zr95lls)qIkewsnHbH}pEgJ~)dq#?oDz}3zacYu$%z8ahm4c%qkuf7I_2#jVB|9%6 zk?jSmc{JP}B`Mbq5u4av`4~<);rKV}59R=<&PdPiB>)0GXd$8OJ9G3GDYki?| zC%ePw)aioVb?Q`a;z zd0>~*RLfTogD?8nf3q&{(SI!q-VZkJH@fEN+yjP-d2>B{6{LrXb!U)U9mcO3I>Tc>fay{Dgbj-vtsCSSF^AkSg0J<1E7vp zsthjAMrP$}Cj%wwI8 z+^BbzkEnMRr#Dqu)3X?qVRprf?Vl?QYbWsb8?b-|nf~UsGMabwuhq3rD7pex_cdyD zzwq1^1{N&><+gGsgp=cUbV6W^1-jhA$Q8Kh$Vv?zk($rpOr?F9SE3nxFK@ z!cyDfexrx~dHIsm(pKOQysam}gO53CK~CKHW0ZQ7tZw>4;Ak*twZ++poe0k()}`eV zN^j97HHW-K9TiBAdV^wlo8S*G=>+3T>w=StRel5+NIQx=Js(@7pP0B-DxN=i^5g48 zd(Npnu$=d_w;pz6e-JEQd%$1Qb6aO|>jb}{-8066nPo>^9%5Gi>aL0VMn(&xyosF3 za(tgS!AfPtDjcFTXUag=OZ(8gAuZsgv+J_y_Evjaag|fT>OB_DmQk7h8_zQJTv+%& zBWG>gM*7nD=-yQ?S8q236e60V4LaiA;4jpEPLH=Y>+f?DT^lfw$?g*T@v!GMTxUyE ztHIDVm}4KddVg_OSPN8H&%Cd{JmD|p<9y>{V&sM>G@hFocI$KAO<9?Ub_d}Mw^8M1 zWA+En6O4Wrl8ez8{jwaeD2n&Mph}_)YS;^|CjfCr1K|;`mu&fq_do;0GOqr{{`|)+ znq>QVhFPBk^@E>%UkXy^LAytO^^Cch#zwxyHbx{7yF<>dZ zevwHCp6~+YZ#PRAzrv>JZN#c1c>SD+>W9@;8b9pT7k}_DAa=h1h!~UDA`p4dqoNS{ zZt(>0T`_lTD@sl3m32WzbfbeVQemmT4#)oE@-#a9Ts;4^Z`@$|+Oi_JQAfG*Y>IZ^$|@GjH;lsq%B$eyRbeAA;ufd8#+gPb`IOiTr0&&v#8Qy*ge0U~J$c-%!EJ*8~hOnoV{fCubX7xhR+26=<1VkM5AE5&$W(L>B)@ zD`0Izm-3Jc1+JSY2xmqSL=sc{(7tsZbi}JbTaiBzJc@h2Y}5>W-(9fyQNTvosV*-4 zgoJ#-PP~}mNd;{f`BK|Vvj07Xf0?8I`u6a~FMKKD2S90!F{K82pUyd))gBUvA|0UuhO&*+Hv0glhHl;^}KfrFl8`0E0jHMCgrDljOMLL0z`P& zbToMjM9rVKlLR%O2gWoSTl5tslRl#1bGA#Q?Q6H^6(9E4MXRCzP==6JDbNvQaA5bO|(XUwUAUCF0k5TjkLB?F2(mO80k9q%rx09dU4#;ejal z4n0saIy6z-SC2A((ArswoW0Mm81PBW- z$yYkB@If$OP0mFCC;WSh!ol=YEBxEcOaL{&bClqf7MaCA0;5||^FlVd%sY0qU8Sip z$yvJhC(jH2wY8Gn@iAa8cu`yXIw(LHHIO^HSGL)(CB4vWXyjIZhd=*&*kVDrKaJ;0 zx38pB7})PnCA7_uu*;|=_XFqlQkcJ$6Cc?cH?QA8`1)_MZ-1%AUJ_W?G=fHVmM;Iv z-2OeTe?1Oz9iaKXT4|yG>;M1c?L)8(e{A!?+WpUG&RhoPBjm%~W8i%J&;S2lAN#Lw z|C#XLtHl3V(|>mO|3Sk35$XR2ZTv@v|Bsga?W=!`);~t;H-_jREB%|r`QOU*kCpz% zO8>Pr`R7>r-}>^`YvuLNvGkk8`M*rkKUVtxT9Ut(wSTPiKUVs$mFxc(R$2@TYa1t! zu9sN>bpd{zk8|+{7=H_hp?P1v`xH>&fD07Q^!3?5N7E?Ke?_3R@Px;FFuVKg z<%=tnrnU`0Q3V_vImjH%i ztG`72_c9}<;0?$sP^+e4zNn>!1S_Ugr_JY`!%7clvG@U9 zWLF_*{PX_2pV-|#OcPq2Q$)Z)E$GmB+8-UYH)5LNervPr;=fyd|nyelq8cdBrXF4sxYk z;9V{YOBQmtZxKFe54iolq4-I67P`3BP-NDizv`<3!zJV%rVF4klhx9SbMA>@)j@!M zTiEWWhA)!-%>^Jzg3?F-8#G>t_hiS#(Y)=5z)J{AyW8JNuJ_=LUjAmV!*KBwn|7wO zhKMS6K=qo|P@6y?0$RzJd>@Lb1I&VRU<L3ya`8G=zX9M!JPq>X?E`3&%{dQ?Tl z#KfOj!t3?est^%hkl*cr42yjQn#vdy;d@<-rVG5x8hgV@`L~vd#s}-o*H*n6hv>Y# zJYL)jDt?=9c;eK;E`ymPRko%_UrFkFP3ElZr+u$bx}U$uzDmP#7X$W!DtgW~n2qk@ z;v9Yv8OUC*$yU4hb&d<$Xm_{t2$BtA9w*`xL9`j5O}@2vZINK zNqn?l`t+-}L}g`V&kPJUR%A6EiL8|lWXQ*|73?fK_4X}NTPT2`P-4J}sKVz?rgflo zcS&@uymj68hQN(dsXl7m*Ff%X1M%~>&LGCRE+YzFE?0c&#QtsiA{7&7b&TfHwY=z{ zfyX&??#AtOL>W-m9=UPD?l71%Vbwm#fbo(Bm%z-A$41T2_2|25r2P^(nLQ0p!e#mP z*RB%`4GnFBHup6P<8`i%{Ck5cdW+-7Gm%On;h0wlDyxNoI)iJ|LwuT7Mg@*f-^P4E zD~_P`qS$q!xY)_nD2$nH_Up)2PB&Wa&rIv6D53Qddx_fD7F1q{<_xv3@OVzT-|nlo z-HrD$Z8^@xPCGRbeFq6PBZorEYmt4ywN;XwCsX|ow}i%&8y?xX6<8>7u5$$5tW#$< zWQQ!iRm6EN8H3jqr4v9-Mt%GwuJ%E_!7~?grQr3c8jTPt;T5uHuGrK%nA^Cs4#;7J z;^N{w`TpY}=s9DGTk-BvA6@<;rG*VvSTq4TLNgS$)U z!{<{ExKa9Ig4=Ef=JW#CCL$?WiT`effu8;R!)FGoJlz)iHTE5Cf%Wjf%=4;*yK&)T zFys#X4svdl@UoA})Qf2$CKYsqM;pZl;k1~I%GSvyOjtUosCIs9oQy+LD6@lRqo`D%w`pWzBG;2FthX3)AZ}@yKR7Z{*%D3w;dO=e>J5I55h4UU{}QK!ytLu8f!ECR(?U7TB)MH|l&odPk%f#_q8d z*#B82YoGI5Mo4;k58PiKP0I{aB8c2rGc}04-_zC>4s@AN3?ka`RiCt8TGUk<>F|tR{}5ua=?Z8Hg^1f|nF!#J zu1<9N;g1^G3@n^(8*s!``PzaeYwyojuyv$U8f=4sa^hpax~0?3RvSQ5I#kd31WYm> z^QilJ)v5xH>ysXrVKUcctbtZC)qCNAs+kA|a1Yn4lpEy~{Po$~JAJ7Z9pSBFbaqPE zzoS{{eejS``Z$?tef*YzeV%sAB%e6M`Bf$YFYeCHEyY-h6p^bm6`GZllcUyPjmb>T z0A;~rPyP!1Iv4)}-^rhwZGjrCzbZBj@>=}yv5PG@%a9D96LZmUugBS<=mk?@-F|%S z(L#cW>^`8k?sO|O?MdFwWOtVZ?JL<)X2;0LX!M}eLHc6BhX5xwDhdWJ#G9U*NSK&> z8e0X&=Ia=B6t(+&?M^q*S$uRfafSTU0#K^?iiWd%Az%^~_FN_>$}PD%O38g^Ct3gz zD4Ax9o({!BtH#=mj7Y_8p6tB5sD_KPjc3ZrFV6R2fQU~LK2qZdJ=%_KxR2`e@~UIu zb#*`qM5)k!AGi;x&NYz5N!y<2)z#NWD;f=C57!rV=WEqH8{GjpFfldz0GL{3)^x_QG~cVc>vi2Mu*0-BU+G`gVPfIjv^IcB=3O8mJl|izp(% zoE&CbyxH?%iU>78LXMrnyVxuqJZ%Oq29@klP zq1$)v-4hQyuEIHYe00QI9mX!WU9_eK#MD)fwB@%Y!!%)b=uk9g#7mCk8vf-ehIC8} zSld&}TwXy%v@xAC%_~m!yiCO9@$qDWt(mP8;W;$OBZu813-B=)WnOP z>2rDO7a#qoI8&~GHX-2mx)y1J=13Y2A3KAdAx5KLUa;cWAsdg5_mJ~VSE%vUOcfq` z`nqkn!nqpQ^U><}^j$p^D$s1E1Pj}9H-_X2p>8^CK^HXyYtCl3$uTV1Hm5@rwx_+5 zIcE|u=~<2)6UW_zT5BYLC+T`=303k2($jzO&rIc2Crp^cE%~$YguB-B1QQSwtgwl0 zfh}Qsz+2z##?PmR{fy+Ef{y~pTwZQ&iQjmY?V>vIw^DMs@FZZ0>z-hR5kCTE$@Ag_ z-T}-_7nGH9u&b+!m~yuk#fvUhd?dwnu{dU$QYO*$0y?B-X)k6A4xSg#tF;i&A!56k z`n=c8z>{kwr?xu4R=$E9TC1#{uRX8RqIczuJ+X0JR~(l#!;=rs*OAxvKn&4&rg@Rx zoGC>Q;+pe&K04;cZsiv|^|-CFSOT?TlDG87RJP@>bS${%e%o79sn9v!-i90n z;Ou*5VqQ7{ghq!@oZps(c!#irt)gvngrA+{W|}KSuZ9lhcoK@J%->gK6FUoBcW)S1 zaKKdT>~fD8zmgr|+H7_WXuCkh(So0+(>FMpIUzrB8_ylazoSFK3N4SP?OzdmbYv;H7y(%u;4YV zGc9L2n6>|M&vaBC?AU*fNGiTE6@U^l4A{!7Ea(DS zkS7S()l0^6_#VWiq(Ie6hG>UXl!Vpn)J6{Ao^ZT!5x`)q3}(>80j&;mMfvWSh#jN)-C*`tbLQI)cS70*v&|+Sv?`F3cF_iun{|LPy^Dw6YQ}2` zu6r~`eQ|G^r;kmi{541OXgBZ6HPQ3Kx$Oba7klN#S&**h*`CQ}wd2Ngf0>1btzLUa zhcR$KmA#EA_lGQxjvn(AC_co5UF?Wn7Sv?*b=y}JMbkRZ%h2gT-J{L_HRzMNFpRSsUmJm#wS)Aa}NN3pX zVK{I4Id%k!zZrXLyt2f>xjj6)P2B3~w5sdkr^^fR?wr}CY@aQ*gmYH)Zmk(!Iw=9HK?{PH?QXLIvKW)kalbG2@zS7?MMtb?@WOs9CP%&T zQ+IK-qr6sEBZIR+&T{5bsaSLE&b*C;iKo_t6YsqYB*D&ttkxOM^5UU$c1@pe`dMMF zr~mmd649q|Iz6;#lVLS46lbTR*n6pOk#49M;az0YAu;?uot^Zg@nzh3M?&Vo`rZEJ zQ=L`ZHwz{Py@^Sf8|@KVmux!Ri-uEQcn}Sq{&*^TG)bOu5lX(mJ^!6K&chu#cCm2T zdAlB?%F$VN2Da_-dEq#PPhM1df$sRn4BEDDihTsqglCFFdR~%2_Xg72tXe&!j^&bG zPqg%!%0TAI(#>V}#7D5{&7AJMz57 zhA?0k`_KypfzcYkkh(*z>Sr6vs$=4-V1JM6)d0E{<#A~afzAj&3x>|(ss2cTo`tVh z{(+t5K8lkc>amkxa(hr<l7M|N9NHbi5(i0Ly9stU8Iqu;o2LX!&lllAnq_c{feo{7yd9oy98q z7!!2RqOwto8lK$({LuWs^TXV*tp_*msmH|EH#`n%o&iJ-6-|?lJLoS?jWn545;&+Q zl{1sN7VZf;Tn?+-Kt4b5JZ<&-mUp|(dB@~v`k;Ps#lX)S#OZW=Q+D8@7NDZ;GG$QT zTlPGiqh2UkPL#K{F2bV{8ilk%7nl0dO|0|}EGz}yoo`&6Z}ev=Q6p7nEI_zXd%E4h z3A&GPZRVv|>s{hkE8iy(D~R-|*pE4FX;@rX=!xp9(tv3w_JqOCnVmO+leS|?V%xux z81VRyxNEY<8uOSDi9w2GGV7{~6}HV|DXJDQT3>$Z$LfEX*MyEZNUo76hU(B%*~%Fm zS(4l}Di`ECRYs7%o&V}kivR&v@gO&LnZobcI4par_DwcU-$Mk;biq7KYQ2oqV}DIg%vn zrMyWbg20>3Z;o;jwn4mKI*l*Od`WC-vC8Va*KM#!-i+wh?$>aw^+PMxj#kB`5u~Q4 z%ovK+Odv`eY8n8ZvMJYgJ4+!9Fox?cCSDP!b=w=#NEiy*bDr7&K|!ZnQ#bPKDiSI{ zdAbU0cV|Zu`UvnQ`tX$eKEFbaWP`4Im=o2VHN@)p8dY*)}I%c_2%V?kYCNOmm7RZjL3YzPy&5MjbzMZZXu=&6Y>)x|2 z&u1}OocB4A(9`%Z+!Ij|Q8AQEkc9GuDhLegSIXd)@9mM( z{KUVu{1H`f&WcWU&Y~g?0quqsOH#d^#2}tci&8k@RLA^Oka+)`WrITk?w`!JB_`X%3QvFBezt~dWBfE`jH43&;&bwMzxd?u z-{+Z^Ji{o;jpp;9mBa_PO2*$KF)&eLlz9nPm_mFr6JQi$49HmzRs#(N?g#f>*f$ znnCx7QZwJSP--ul!=n*Y>@W-!Hc=n3PqtXEACQ8(f=)3VTs=Z`U03CiaHBXO=VDag zQB+fyogD_g3Kvlv4k_s`U7ri)n+^j_Y+Bd4t3-ysvtG4D%6$htXUpQh80hp5r(B$x za=m-aa|6mY*Ag7*yhG+egalEBkI?C6^Kd@pk226&Ikb-HNQ=MtX&XuOU^@&q{vuWo zMBay^IWtHFVdKR6Vex8k=#b}^Pd`>CdOp0xgk7aJM5tBmm9j{xKAtxvQdQ=kHB`mF z@u#Ac@E)yLt%%q3)GqFPPUvXi`&ot`lN?s+91z;L&X&Yv!?Y0WwEbw?78ghYNiEQCc3sd1i3rSQaPq8o*;@EpjcyioYK zQY7yn+js4xrTl#q?0u(r|KT;;K)m~^wh0Kqic$Q#3sdeV`~GY==9bl|COO2Sr7Z=x ze8VFnI({~wc|iHSfmeKCF9j)`&#}UWn&WfO5#V$iBfbM!KbRs?5~3wyR4j!~RM}?f zS~XqTFS2bVof#s22X|hiEZQw!mXiK#F2jAQ^QtAa;)m~G<>(+j%P?)d~6 zpl1-$#D3Z7KmZ;pdB>)UXJmA!EWg|irYCCAHD;&tZ!EjwJ1&P{!@)#*4gZepe%Ttc z7lpHm&kb86`*oFPRpvoPWzVu{KQX+U1aHZHz*cSX%kw9DD&#X|3rk#NHq z_2Z1z2Er=1IY6#z`cp;ZqqtU9>7~6T20s{E~P!(qov5^X%dXZ_?&E<-J%}rDb-7KK<~oYh|3v5lh}Dm%?!QRNFE47Wu%A-$c)wy(jPScyVH5za=>;d{;L-wtU+RFKjUg6K;fcCz(VI zU#fv5r?);Fy*I8;{?ONQhmkBoxJ6TgbW(AkdWb9#XYgSOBl*Ps_xk!zc5&gXm_c8I zYtoO|^aQkmEsFW~<0D=g=D;V1J_NX}TawAwDOX#^DTnbjwkiZoPB4%^?%*Sh9?yDq zv=FL1XLeXJqMI@~+wx_yNvhzuKV-r@e!(!Md9QJy&1iU*%p(OBaPSkCPCc} zyM3eZCDM+dfZIq_6|I-|+2hTEx`UJD9j3VrgI!t@cghd;Y*UZ#X%++_+k?|S|{~yo(=7vO~i;A;{}q3z>c!kN!-3Jr39TfuH6S;K%0#o`o*mQ%@snB;|6e zJlEPejYIAQVKs}J1cRa}kW;d%QP9xq8)=|4uU^*IrD@-wSSl;>+!?1q9tFn9HGjly zq{MyMfir(Na9TM<4ree=k+rt#ImboT2pA#!q@$xFLF90V8m+MYIA_D&UuYSxl0m@BZAeX{OrSA;@fe_k z6Ko(mT)wr{N?j4qh|J4DtH`PQ!dIwW)}Aa~+gmX7$<}?>07si^7<_Da-9Sy4mzjkn z9}<7Il86EpNp{XbTsE-oxH?*tk5kpUnw?Z1mp7vyI6kHE5|8V`hQCphh}nspl5J8w zL*g^@^E{03eFIgsR}RN`lwlOFgB&g!?!0XdnTS!es5Y3=cwiXA;oAL#4({wZeP78- z?b1VA^79`$syA*bvhr<{UtlB&8%9!!*}JNd`vkAuhZ74+ACw)ReVWNOKpSy(S7^hq z)vvNm!yLtTzzkYeteNC!8T^_RH0C4lequNFc#`ycy?7sw3grtuN|7W1l`$oik1BO+ z3I_>0Irn)-1a*AMyAJG}Cblwr_$9`NM@>mc642qkuD-b2}9$!yP}77G}vrh1N%V6ao`^`qdMf`n?Z5hu~jM&CG*Jf<7OG%$!)_rsX3Y$W?^r5(Ff)l#=q2 zty}AupXw6|L{02cIKN$uaUZlT$sHvY8b;q)Hm6X*Wyqm%9&nNOC_2j1xY?t+?~+6g zx6N~GwoM&wW|V|X_$CMT#Fx)ZI~*5vefgWiN2VV5-N;jC=;_(VmJm(S-pcfYcaoTI z3Vlt3#A&A~E)3RpPXMu~H}jq*86-`fi1k zT3>nBS};lMc!`YdDRPF)4+nWnA6tixNQLE zuzdVi0u6n`06g$3vNN7bomm9g{2<_?PK+=xHzFwl9Z^n;9h&p^fCmlMbClsHni@vK z1j7aeKYaA298aj7Q$i&#b)C6d2-G-P4;Tb}?QX6Tsn*^Bl?(A?uNRU_SkEZR8DML# zBhKy?GR`FD`jh7QK?U z%Y?VH;;!~0R$2SRX9IW!RyUSU)0S{bqbD?YF3H&H4_scg)-fve@<>Qs(i-D3!Gg zAJ*oY_aq2^Jc*A`bI^1y&(e1I-rsV)3`Y+-O?-woGBiXs5fDonc*=ZBFle%+sVCfc z!yOXC=h3i`)Bc^@>=+Gr7P$zwOkYn2#u{ zX7i<1mmoiRVLIwCQ=FSM`iNxZ@;<5H!f;tT3z}LBQxF}gyTha!7d}_Vk6Gh#0b(K1X$f=d3zyaIBe%m@KUN3}F?1ESvynma z#9hX2X^m0z$iFjLc!K*Wx>4MN7mxadRI4nj0Gg9oS~|FD_^;H`x3!IfhKsr&3jY3D zMIYhEY6--|k|C}JwYVanv0fFx7y!vXvJI?u0v)y`)tt&VrhxB`9Q8;i6{L3G4R>3!Fo^U#-$_}}Lyi>2S`^lm zld>KfjK}n(^SrT~D39yO6d4}Q3HXv|_4VrTM15iR9w|t`0v!w-X&sBfvF`xYFPR|c zP=D4UsHLlW9|U?l?12Z9P9sm@8H?wI7srKL)v|#HqWm|_40c8j97&Jnp&fz2>C7Kg z?u$|#SuPI=Pd;#DtCL_OuMpD{(i~PRi0DwCK` zOF()zqB+S70J#%dFqQed>S2x;#&9{9-CL%s%Ng;sRHOj4oAdn zt@PT3@dAiM-WHCVs%09HI(whwR9l92#9qu(wIvm)#a!5Vxm#{3O2)v)Ra){X*e3Q_ zBXOs?svv=?r;0A~L4?GoQKrxu*q(mm6q;6vMXoLp_nxIv?$%WPdeXg2d#-sFJ+kkVX-Z7LbOaq*IZWj-f+hfB}XYdf?r2pZj^Q>v`^Tj^}yf zzu!Mz7fyZm-fOMB;B0~Pl(YoV(cCNVX%6t>w zFPc`?%%x{dKDkrCGh$#ulNZI@$VW4VX8Npm_e-kmg*|->1=X4UWQA#crg*HKr46TA z=c<;HB+|4kZ*dy#Z4x+~>O&`~+}i1bj9?9 z%tAreVtVNqvA%T!4NMkxd*^vvG*7Fd!#-IXL}ibd$#0Hp$LSPx!lP}oeI(#M3gRxG zZ>oJc8FLu${fhbW#(u`rXsG5B^j-Uhr}2(m+kyD!sWgjfwT>193TJmI@=ZE1^@Tco z4I6Q+L3Fn{-DeyVM5jqqLzOpf0;E0UMs> z9_hhYt_$598v)a!rwXbI^eTHAraiJ6kEhVoi;IgT?E}B+E8zF2^BNOwKs^khrlYOB zpC(T%TerLKDum~y)8t>x4=Ex>x7NY!W<~|c*rTucebW^MxkWWo z3jV@N-&$)(#i5WGhaHUP*kBmHwOK-M67hh*)P#1tivbj-Pi7P0(Q8i&BMM+gcodQ5 zndBFht$q0{q}o{Cx;7bziEk*e4C9}m_~i5~Z9`~Zv6iohV4D)EmxOG}^Pxox7msj@ zZX}6A1?mG6cQBf)@G^D=QbB=Z$ay<`qZ26h z$py3lYKfjmQt`Am9EQb%hG%;?)iq!zoPO5!-!l~L@R8({ScoV5yCgM02XS8C)Ii5D zzE#kH6h6iHKytWd2)<$O&u9V0j*Lx{EF4;K3>g`IEWHUE6mF0!&uv3{-PRMepPK#_Kokx#LR6rr*_tBm88%hx zN|VR*m8uvLQxy)Tk5l%F? zobjnm3s_pIxhvX)NZ4an5ukc|{;G6W7C)8oV@@^!wsQnIn(rzsJZ;ym6_DNNzI@RI zK1O%!Ll;#rX0?!T#yCfk0FM`G@`}w8`CdJqX4b{A#q7DzG3e6#&}~pHtrL}br7;O zWBV=^1U5;NBX!b39E9MszjR>YP-&Kb`zs?0f~P^QdnV8wIOWdfF8xpnV%d#88-%Wqc!+v<@gdG+B*M{N6zKlq~h|M7|+(#qIJ381}1#p&Qms*+5vSjVwl=! zXo9G(!KFh02yyo27CrN;N5N~uo+JuT1(DDZixSSDlAK6r?qF<{lAQye71gY=%>(p> zbX=eWnl_dHOgi8~{0kepcDs(ah8ZiB#tM_^qjM+VaRfK2=1F9UGLqNdj*(7eJDo;~ z?`c~IHeOD)eY-wWMCaX8J<@H70zg)Q9`SvBBd+xW5USFk>-P=SEAP9Xx)GhoV2reE zZP*RX76dh?Y~2EbXso@yXKLo~vfWy}BsC7PGGKhl?ss2d^0<4i05$b(rZfENaCkig zhPcH?7=5|huLxE|+z~56kQNh8W^XX>Scgtl40AXbYbEvxtQhpxl{QnuOxvmy8W)_B zw#+F!bx=0ep1hq(RvON0?zxsCvF^f=ShF4YXmE9>%;MNC!x3SJiJ#rc?2RKA)c77T z>}pW>ROhLk%|yfSXq|h0iQPO4w7c~s)aBH8r;KS;=aO)$`n10-Nc9wK7LgPnbMwZn z;7`e8m28;zV_-KSnE)A)79vDK?}Pc&y#)e*oQ5ni=}&w zT_PyDAS1j{vO6TY?D^7d`KSg$!l>{{&8lq)T#9A6u=A50d4RRosm8U5dff<>2{!~T zzzb$m8gCust{sHB_9#+xt|{p$rbyzOV7>?n`b{L*N63LPB;5zQl@oS$_VAAAWPe^1 z7x9xK9H6EIc%|g;@3Mas0W%gd_{m%fJA~S@WfwUw9k*U46f_4nrX9as%?b;GK4)uu z-&4}Y0wH`hA`#tF@qN#}Fkrtt6W?Si0)DZ<1GC!1P`Y=t;o4{oKJ|c+(FHv^aa0BK zZ~1W^`#mDV(X)hS{8VM`Q%*=@noP3D!ZOX;SAtLH!uVreESVXgFWHR8yl15$)66u> zmyEZtu@*Cjl)yA&3bh9}-9y6(E0?1%>)du7q~o0b+z zP3|sjE$VBJ%WYo1^`r9^srO2yAq$~1lVpD4OMd7*GKMTo4apnT2d*hkt?}c@-obfL z+12i~?K0=r9H>|lZn}3*-|V9g<@a74v4r<-H$Vb}P{e`Uj8cXk-!rZ_U|GAw{ z>xW{M4XDWrh;j^)2mALpPli4_Lb18&rfaVz@e$Ncf!dP2Hg4UAi+l zi*YKJmbqg=d43#m`i{zzr#_$_`Y&u4YN;og9TcZRJ=I1p>x!O@kLw-+{1*dT7{}QO zQqsE?BCU%X>Avv&GS{y64El>x58FpJ5K%jCOpc)ks*pHjUiIwj%Rf=N6S2ebPF^F` za*eAcaNY7pszP&bnzCkmj%}%UUcSLTJ~YTlO$Kwy)l@~-`8wL$qrf<8WsSFHJCIcN zd-twkIaWCfBArePu?-FtWEH-R?yFA0x+ok{09X1yT(|c{O~mXCqF2n1f812ttXb zZhQYBv14z`s)tNn_UrfOHA$ji^mZ{_rRf{nNyTvbKZ2t5je;GfP`1^@)-pLJ(Ue$2 ztr7)!zSXSH?KFIEk;RO3w(qQ65XX9u7M|A4 zZyIK|KHU;siQ!ey05NL)Iuqi2+WL@zrl{k@!`wvP$>9i?`hHLT_OFD@?H?c8GUwDp zF+H|rCVF$eLIp#@Gv&p)mLBCtyELAIkchpZjor-r1sUOjQ?8y7tW5RRI7{TdrdsqG zy~L#3AYMo65xrx#pwj|-z1oMcn-A|~C}!Cl4-0Q+9NxedyiHQOhgP?hU#O?kGsQSX zcGZ`iS*SVhhP^!OR%@I(u$jn)t`SNqrmZo=fEP&&`9dNWX!V!L#MTSe}qm5)9X49*`C|!*oB*hXwW4; zsIS#-nKUe^$S0 zxDqYc+)$MxM@8y97i?Y7?WU@~A3RgDY&T_{LC_9@E=fEu9c@mz(l;DEY(a{+w)Dt`wig6*iEp`t?HG5IKyu6tJ z@x13ygLYm%th`s6Y$jO#mEe^M<&CHKhkFzDYD(vgtWSay8Xw#R1-~MiMu3hpXbjGf zkXoC^)eQp$E|!(YTVG(L?6R%)j*qI(xk3*%=PKS0>S{HdPRyJxxmwpsy4JCU zR#eP%{<2)sHBsXfNV0tk|Ao?nX+iwDZ4U}U@~lvLw)|Bu*D4O7KexgSb?qYTpM1mH zsd}YS2(5d9<($dP?~kQ9Tryvj%NWW_TAQ#x=qy*Isi)81wy_Wu&-!qF$x8!ol7}8$ zMIDK<3h!1iPe2HI%{+GM?RDi$p9tZ1L5Qsrx97>Yl+n^07jOua(wzNd)2`vqdssTG zWjRl+D9+A^yxA#gqBrts)yjn?)QnHeb6lj>7&3dX?zv{pao|p3J2R^JM=j~C z`K~U5US+3=(A(C#JMY7+$FW30=YB)J#h^owvihA9?ssx}IUZ;4`XodJ0lP+`yV>_AG5xINY9$TCkgQ+|G%H|$%ykq5a#W5qp_1I~lT|P^H7%I%n%U`*$GU{0VLj13o&&;uYe_qBgW4;| z{m@0Ykye3)k*~5tgs6oiRa(7(Wtp@8;aYykcepV$M?ITF`2wM+U@xUjg=l%z_%Ixu zwDuYG3c4eq#!&iFr+I(LHeW-ucHOu{@S0wYbGrM~@?mXwO(*2){sPKVY`sN{gd{?t z9C|(oDMu7!E2^b5?n^sT<>WmcygEpI9Hd7>_v2GT{~S#*`LxUTAWhClT!4;kL)%Wc z*A?c>QCzL-joqQHxA(LKKCD*zA>p*W`wAk;*1b)$I&d{L1SUWWLexu=)b-YoLC& zNgW~X@9o)2d28V6O{u*=XH(;}keLb}y|XS_gucxA#Qc%kjehr!pR3%2OhMzb$YLPQ-g;6C^SzZEAIOb&s#k zEL=WvN|?gnM;Wv29~u8>A7rxYIQ_IpQ~b{-*;62J)vs+#7Ih6=?V;Lxtl_8Wx^`8r zQb1`nIqZ}>UedQg+=#t67x`+}VokFDhA`5EFp7f9?nw3#QQ^dPrMkq~i4*k4yXy}S zlGqhB!_&St&JvgD!Et2kn5K0q+N7YI;@Q3f7K5lg!IagTc9Ekq*N=q8@Ec6ZjY`ZC zEYVkk1Bqd+7hN>%QihAOs?}NwY4yg0E_CS4I<4DfG@X#?+a0rz1jN;J-o7Wi9`>57%@1kTK;rY`~EoD9T$Unl5}0CoXJu3 zOV!5J&lklw9!e;8jDw{y&lTs z;*fFchkWLo0j;A+J3UAxJ&B{`jP7dj)p1BZb$(G^#rF$-$*948f_7^4peAHbvbE$n z54v403R)58d!3c_DHbRxBblS;F+qy#*6YdWE2Vj#(?Km;GZPaCV*4W4;uDAm6e6v; zj}(kx%+cLW$UQeiNkmy)eN;Y|Y7v~`TgWqUWk(lrm3u@(K$4?ctT8Pzx8!>liD08K z+>|w)O$0$0ndUfO&}#0J&aOc%Ub!s57ON(JrW0?hyKiC(`LL(afvGSL()9j5D2)io zVQcT+ofI&y5^g=ojNtJ|p|`&6VK8BhH|D_-@<^O4LEOo*R7D1_x`+6e8eh_IV`2Hv zl$zWX;fu6dyG}!VOA8GML&-`iir-|?lqud3lN@U`hKojI)P^aCOX?vcjfRb6eXB=v zw#{^`U8zFpH{X~P9>4zH3$S>QOC;bD>1EC%E*AzAHX$|p7FM7**CG@a^Yr%)bpoun8+!afNWiP6`VI{^{ zjYFDb6=C8+++NrtlW>`~)|fCnN4;@(9`2tGw>E#PiEX`Y`^;J!5(T^H-oNMPg31fGJ&JbiKvSn+3bpY*;y zA9PzCq9$Kl=`Eg9$RTdeYyp*cQw2-YU8k3OW%iX%hbY71P9PgFPJ_M!+WYgQ$xsWU zXN%(({4rPeq0A)ZyA!8a}JV-w4n522dw#*T1xm}Fe{^SmHtvxAc--+6{!p4yP z*2ceLQ~>BJFn?C@!?(bLR#-NWT9!y5a+r3$of6*`@?`YNeNp6>eIgS6?T_C^x1iV= zSABZE%7dc__SbCZNPqIOOo4WiaDM#_m$T@wQZ>4DHq3rp7v)b%D-)wKd;*T z9Ml(5CxK}knNaq|0>HUFm8d3mBYJ$-OXECLc<#+j-J$IL>MN*ueR?vfSP)Hr&GGe) zE-Ng?62W4_%1KsLK&ku>lwPm2HRnrA%<{g3@GWKMXiht>XM10FYj*8+PS+;qK6oC+ z4Ag4H?zXpoJW7}<-EbW=f#nXLywZ7I@)+QXMeN+Bs&`4MZ6*og>oYYK%+0H2oNvod zf7Da!dOz%b`ODH6I&{C&_6!!SFS!_b)pbGj%PfRy3`Okzv_9TIodd+H6=>5^`)Cty_jiYedtpyX53}QrjVN|(k~!*fD;H2b zLjncHu~%wOXgfqSSu?pFL=zzef8G^!^%L=dXuQ(`QEPf&D9u^rH@F-zanJkjt-`A= z3I@}POhio2>Y?$IqP1zs08CPPl0D-xN&o(>*51dHRt#0Fqz=5gICXb9n$qjxe{lh@ zJUdG>U;ikd+?KwZ3xep^ffYOEKR;adzg;2TIXQU>5i{YbM9JQ$HUWB+Lie0@5jB%x2L-jzr6Bk)>YN&RcXN14RuVid#Xs! z>no@w-yPGTS`{vMkK9NwgJ+wlMf3BP4w<8;fJ^YOrg8p~NLETA2gYVm;x2!FtDLyr z2;RE+uxBI8-v{HV%Dh@FQaD%rY|g5Kt4iiU)iP~|2L0J^?W2WiBKo-2G?i}&Qx7rY zhCSraHO2qCVa9#tVTtfAH}!gQ?~^Y!{zpFb8EN7etnOx^eV4q|)KEy5XVK}?+euRg z-c09A+*>p|VBSR{sd3*P*1xLSmEe4yH*+uUvf>PLHBwj%8YVPmpX}jyOsQCkR6hQj z1_WH^x7;PUPE$G1Qe#=qV^T6yR4=@VOdT;jExN9ASoWBTr|ZlBJ=Rh*tYR1!^I;4f z8(0~5E4QIdVc+|4c!~8OB}7T9)sPm;+t8kPe0>&G#H+{Va=s){`VXFhy;fOjBVO`&&^U6w0S++-I_ff4q)Wc$1>n zGZkvO&Mc^ce&AEcpTzF#lC(=dB~)f6#tJ_ks`;1;TcId_@b3tJx=(AG*A!R(oc*Sa z&Oy2+dH5JipF=9yb`Y+-Fc|DHgv==;-hp=dFM5JxHA?>L07scloIB1uJk~H>4{`}B z4dAA;hubqfo6MaKB>q5MLtR3^)41Cp5w~m$%1JKtHANT{B532gj;-d*@hB9q%L^{c z7%Ywmqv=m(i4;C{R!XnG6)yUoR`CsV-&p@R3MWD)fzjQ=c_nu<2uf4XvH&I7%Q`k( z#%V-GDbN~51>K*}r9mbvo2!60TnBgkX@POiA3#@JQCkQZdqJkveo+Z~dW8f3Gl-7c zk!|xjTlEOC{L~Py~eY$2hdY^ElOpQ}=oDhBN^VaRDiC5?|Lvjar#iRuwd%Q2K(JBuzEOKopsEi&(mCUTbg`wWY6djpG#^<%!B07 zS7$E0*dFU)53=Qw+LS?Es6qc@=qL0M-@)QiFW<;{h>}YMdR(g)WqWkmvBYb97+(~= zcc?;#0zl1s2_ihL`zSnS-&TSQzMSt4Pl9=-3aTc#&8(lKvpuS9&6%9oteW!meL04Q_9=$~k1FZ20%PTvX*| z`i0ZlVx_tCWSuUNMf{42sBpS`B&B-~1_SQ`d4!O4NSeoey@wSm=BRn7#_PSW71o($ zUAXgJ$@W39vjL=Q zMQRdD8#}bGb8f7|fgfk7newr1v!AA#-}}AfCI+%R9Ki3%VI( z3K~?kBuDmL*T?xsY*ctJ03kQ%@N6h({8f=>RNwX7t#gF4KXx!Rp06~ z8&`?j4QhTIlv688PEVOYT87Cojxp9p>j|JMxf3)8*G;jW9Dx4(4>)9`jh193;3Tni zfGvA&R4d;0Ie6h2_JaMIXlloZCKiUv`g%5{B%2hLXVV<3dq;#2qr04X#m!T!3*Sz? z0)>Wb;&%8-UfuwVh*V`kTkheIJ*-0lllW|^?2ZZ~-4?~^_*oU3rTL{~;!4LeNIb9Z z9?y_~td*eHB11gnN_Rq11 z;g#~6<%UeK<6Y{#XV7=986HMD2tHl&J8t!;yvuZdA#XgLe>#uo zHJFm-PaPZ|8&8~Jg{8l_t0Eqqu;CW=)Hjk=B8UD~`D`agx|iol3+a~kji;!W52|Yf zm>0^Ze*MQ{HPv@nwuX1K6(yt8GD%N6!>-eXY z0;$d8baNq+qUf=V?A_(GR@yVgEqHYz(W?3Cus!=Z4A*t@&1fkpp55SmEa3XCyJq@O>?=zcTz1Xq>w5@NvuMp?i)m~T^QX0_}t$DS+YCfBlX!k+#WR7&no$dm{e?en(+!jxmY;(XS zOcPHB@;Rm-`y4CDGGOEIsmB4#cl6R9UHQ9V+<%nHEs~oQX-xX45X!;Bol{)zwno)a zIa3WA6P0SfdtIYW?deGVH(Lk;M0PNE8@0USDguTVTPzdTiYQswitHXC8c!iTl4o8h zjZi}hPTf0|(;oTWXo!}<-9!OfD@}eQbE!cqrAW0P1JC^p+hk(w5y%|tW<8F7X*4sA zmpi2%mi#Vn*_5?qP7e6-i07p0`DQ7B-`f z1VuiS#W{zUl#>=~4?xT3cJMlK_JM%W|HfL~Y zQIZeUBN29M2DXyU7K26_E*q1Un)fQXEZRf?uff)@uUmZ=87g^%rpi45xyiauFeSrp z0&g&(;;y=c>zm!Ptw+ZvNgs6Mxr>9mCkmHBiw~qC$hDRN5cX0`d4%wXN!w9ZQo*k;K%rrLYlxPPT2-;6`Ad{RTrWEUv+irV4 zW_gleVnkkaqlARyY@!jH_&7=EDZJ_zF+eAldE1XB1M@5g=o1)3!fb7Q54(&OR`ZK0 zNHPpD;#!98nFcYsM9;P0`eOyN6~h*#vbi84iUvI!Gpju(Qp1cd>|rmCUki!Wx}sw_ zFlwWqw{~#96O`?$L66Z-b7`Z`si6SM(yn8kyy#iKzYutpW}yZJ-$@aOY`)-EX#Q;G zV+g*90eJ37%)Xb(S@E98DpDsEH6V|rp}JpuT}sto-YSFfhLjz%MU65Qj&G(+T5!p59Vw3;@m6RZsm%I7d~5aV(xVS5T=g2x!?P+6s^vU(-(mHx)B7BxodDeD!+`Lf zCD?(smc(s7i>Mvv9B=c{9gsEWm#yAe;`i2X&{FduF_GQq zuv6=2g~%hku|x69b9*yqr~BQHMz+{O=tZ2{3tnN3&M-zxWwu;?F;kW=!61`fy1sEGpJMebE zt-y}ZcM8{mX$MJQ_5esr#ofJ{DsPx9q&|`4^J+-r3-%!ov}@p9n6U;C3oh+6*5F+W zs1YRS#N3K^*C!AsPtIWz&y$gnZG&o+rpx;HVvS}b7VUdhyNg2f!lpex`*oK1D;LiWn~ARl2cW9-~b`(xk{$!WQ}*nvbX2_uSB zOI#8=K@Th)k2lQC1vF~(bai7*h@xPuN7eoQ^DBedikPB8n3Rs5UT+vlX~X`s=QACh z`?wz&65q-r#t{i#d5u!9bsAhpnQH}gM$!tu6d@8n2ekT&@B?fjm56>(>iY;vslB6c zYW_!n=uL*VuPBwbe#Niq)CUks#P2wI`gSMqZ~LC1&u}{*gy+as@N6QipO}HdE;nXt zti-qEi>-nj*F{<*pnq+M)al^ZzJWOTqT!GU;mH&wunuDRZebA3I>$;Z>>J|MZ{%`Stw zc7j0|q3g=!k44@XX=~r3F!FK;-H=QXye=h?a7}M6KK!DOh~A6)$MDs- zNuT5O?RvDg+G+3Ep`=U8M4#ZX{_+(I57`QI!!evgze+vpN#c@I_VLHtaU^&~?u#)S zf-FcXB0-xp$N?yw6xD>K=2u{8V&`XLp&X8zD-lpEocn=d#6d<3&h8-td^(_?hxaM^QE0K2(7XbL|X3%#a8urSU zCP(1#yMB}K*Z|z%Z&6^%CL_oL(thI<1J9Vmf7`rG`KW0_GTKStRy&zY9nHNlJ}POK($$K<_&lP`^1{oS(a?Nz?6%!aKo*(Ow9A*hy;fjo(v;eqdE^_$qZY zb7G-EtQ9ZG8(&au7fd=u%&ezWTzoUvkga! zNfC|bsGU3SW$+0o;%%lWFbg~65+K|wIS;J@oh@d7;&37?A>wbKrGEfV{g*D&hAJ)i z9f^#*vJPa^jqlGq?Ebnh>MY#?Jfhm!Os6`Li<5v@vdk@e$IE&jwy8s5Hr%2Mt|K}W zLE4IXRllepstOPTI$k^m^STO#92z3PBN^h=C^B5d5p&L^KLnHDlyK7!-*69H{HE0jV67w_l*-nS3_mcOZ0;}E%@bqD|wB|U$q zb=(x?v-q;fO*X=fvz3k32x~sGI$4 zuN>S8RF@U;gsJkBEx=LTP`A9{Px1h8%mzr}JqGk;1Ym231~&h}M64!<8wV#ly_ppi znjpBD1T#>-nbM7~=S&kPJbbvFe?qBv%5lr#3Qw;s4eog5nxcDqfqaL5b zC%gfESa|LWZjR<}(w_`b4EP4+2f!nHqI<2HnJ5z00&qPw9XKN1nj>C48}Owi-s9c1 zK)kx2abF`GPykyx&T;o9V0VDM1S*TfXuC1n~ z)Mx!&V#>ZUYx14=`1mC)MLvs_B*3Mp0S`wr`%SjaItNJ+foWiq_~h~T!5sKdKuuct zEIpDOkW2CM82P*_NI0zVnBqkML66MK5UNA+; z;3Uzagp!Tm;@4cD4g!l=yuZCbacZh0jSC`5Ex^Z3(kNL7?%x6D`IbC14eUZ9?vb9` ziOBw;&wq<1$Me4h2(OcvLKXf$d!!z`ZNU7&;yUB)8WNWD;y0zXf8}BR`#)cz!A{)L z>HhWWr8`h`T)pX``?g8-YF_>`lZ7ic|9(M#@+w0zjLJBH+S~t5Blv*>>}*F9 zA0UbRou>TvWq{)r!P(#JVUq{{+fU;3;h$Tk|9Q@Udl#IkYJP|QKTw4K`4**8u={t; z4T}A*my1WRf|J5z&FJdiyBPnmBT*(mqLnXX;f8wt&jtO-nf|x84B#l$MG9G*aK!Qd z%a1d303D3J@_6Szp6Gub=YI;oza-UJ_sP=V(^&oK7fF2p_MVmM)6#FlkpEng5-ZrN zm9Ggu&;RFZzuP?jJ2;#Ckh}Xgt+0Rg&{3*juLdpo<1ha|5DsN>Ae1J?3IAk#@BcW) z|D(YFi*x=z3jEK7^ZzLDpQ-s@{NMlI3Vd)j=1H@8FR$$EEEIFM#OkJz)ie1k@{iQ{ zXy)#Jsd)67S^&c1p7TlnNS#3QJehKc@w1c@ZibiFG}JHu*lv&UTTFdd9;|V9T=QlD zUmDXJV*byggz{x<3G%ro=&`A>g5)eAORR7#VqZuA3*r$Z@ghm(0wTtXZM^Z_l?o45-_% z{P`mP;V<_c6W*HJ0?GYw9OKJ=_>0Rg6=uQIkCx0h!%i6!QU`K|wgQxc^q*|wKl}yo zHYu^22gfsK5x|8+K;8n*xSO(pSH1}&lLByznd)Lo+u3K=)WvjtK@ZNs!F;3x$R~J# z0T%GitMn4IfX~bQEZ5>4{|kJ_ce6rN|F71|{pzAcOPfGqxcD4NQkLtm#+KLA$jFk2 z+4YA_1Pk~s=U&0$|3Ym3(R%%7FW&n#2#6A@Z{TKZ;BXN%`WI+xjjjnfFJHqoaBCT~ zM$n0VmR|;PLt&7>{_QX2^q>5oTxb*Emxu(1N4$0@r2A%`)oA$UHYg>BfYLLg&y~pH zOd#vr>OB#EF6*1DoAL9!&Zo6E0gC>2hx2yA`rn^}V-9SrC{2oNH(l0pYnMX$0Zy?V|4#9sdZ z^rYZOl4w^&-khT&(q~D6?dcR7*rBdERXzS2Yx7^H_?h%N4sEvu7#QagtlrU*ykZ-QPz=3geXo&PKsNfEbkU6!eEM zKnU7;eAnc9wZx6p+8z2$Z0`KoXaC!t`{&#kt#V+FpqGpQe52PvDl^1NC&}IGn)*>Q z02ClsNuOsu4kpcDwz+#biuuaNGU%V1IKN)n)VV^z8OOAPB8M|F!C%nw^;_4sXLL`O zMCf+rc@7K*_J>qXx(Pq|1vP;xb%bv;VpFY_Zh6I_#>dNC2-ucgQi4vEuRneeCdDVc zq3_!`KXYv8#lf^nzgtcI=cY%>=uR=<*^kpXJUsO77pusPyNDaN@u&feRPgM0Jq^EsP!a#(zjv$E8Vf$IVG!K&Y!W#nqSMmrj=*V(Gk_wzmJa2DKh*R zxEuEP3pdi24sGXMPIU}^EPd`97~orGlZdv#y9 zATl=A?OMMI>15#+Vt1X>ZN2Y4v^Tg_)gNu$w{t8Ly@=;;em(IMiN+Zd)u7;EoaV`6 z_L1qAJB>|@U|n)Sc#;$u%`r~vm4xGnTgD5vujA3HQx>1zPurt<$bd{Sh!J!b3C`zp zHOh#2NNQTcJ)|Wtwb@Ll5DxxNjqy!>teZ=F0?xiJghY`k{#YX~qO;QzJ+HYFftUKR zWG4(S-5nIb54};H9W8;r5=lPTZolpY=re=>%3*W9|AaQUP5g@+TKD6 z@d+Kjp9BlDo`@2c$C8$J@}4|jg1V~F4IIC7K~!gx2d~Iy#fF^Q=|7UEv&jyI?uN2E z3`JmHSDM~U%1MoW_j)n*I_&ydWO@1=yy5IubBQWaMY=5L{)m-2K3bu4&o^FDAy^OrH*JM<6(7qrMZ$`PuVkHSBx73U^I$^D zJLWF$EKmliwD73D6rzPlvUc>MICyvIiZOw$Jz548)V7J(Cz|UjVrCT?VKT)pjlDq6 z>)#+f3u+0Z5~s_|NzMbo#ReV@Gu$DCf9eqd8zpt+QZb%zVDWs;J#vOJJmG^4YQgWr z4>+hlhHM*K3uWN9X-xz?A@kju&!U?rwY^6!YH09gVePXg`>KRc#L15AeVz(Skreip zz7x~$GS=fAsDpPBrH;}Tca4k*wp9I6L${`1+xVid8RI*mUm>5xOZhTvcBUFSK%n2t zZ~m$g!Dilen7U}=mCE>PIYVu8E%B_?X#b2gPoM-(IL}SkiRBu(e{&G&eBDPUhmHMS zVs?7fpMP<6`nxfM%iPVnWONirJ2?Z<%-}D%D(bw?WqFx2ccIa*kvHt`GxbNbB`u4r zNqrBto6Cs?OKbb3I8zz2Z0ft@ayZ%L4h$utY&|1Q9nu50ey9>E7!JJGsS;+IVu2c`TiRGf{|6< zecjtVvLlnN4136gHhLm#GJ%-f`uIBC4x^<+Jp@f9=DnYE(HDW z)^i=V9*g4pNjc@L>C5s@MMSNp^AzTmZ_QH9Iy9{tXL&T#_`TV-4N7-U z-11(Sge_uYO?vAthZIRxna~WQ!^XY$LKMZlMbenpGGFcy7_`h!ox1Rym6KTtk~h1! zaNot4>9bO!du65rJigVu?C;D{{Yk5~&*TfjgLh0o7Zt8QFrVrL(qEk__^J*PiJWy9 zeupbz{ny^)o2&*WaHb87B*J@}`d4A3)% zjf+5~HWD~kE|lTLpKt%>`t{Y@{BLoTGQ>A@v9Af+6Msg>4mAel(G33NBKg?IJ<&6duMsyPd5NZ`ejc9Zwmt8KMIlO$R5K+Ro$R|B4{OJ<6 z|HT{N{0Lt-YMu)N=SQR+u)npsO(ReRa)S` z!uxv0Nr=xcw|R`Njwwr&b=gy40nkCGB^BxJWv=L8`R@I8#nRU&9Z=?cZK7GK>= z6>_oZk)V&@hN6#0-)MS3o@3oAmmX?RwtV{fQv-9cZC03R` z!Kjaq_HN{Vz13M;0{>wB)!zy8G^ig(3=*G$eB6lg2Lv~gT zD{D3r=7jG{65VchW;sI@v`i#N_}#ed$5xKh>(q*Swdg0Nv<}ZCrDSdl3_N@E2OC1I09N8h(E6Z4B;1L6~l+q%mdDZF0^!SJ9a%a8VK z;?O|Lln(rf+x5uwmoh`g+D#a~;2g1=d(TCM`FaVpMDOp=tjcC%p3y(#8Gd+A7c0Bo zsCzC98teGPNzDprZ8mmo$*G-26*Q1%wSdP#A-|I~pXy#J#MA;vQFYl4l} ze&T~D)yLcFT^h)9!Mi8VH`0tZdf#1+GFTr~OzBn#bcQFR-6rBkYnDj(HnNhQ^lIE3 zVbM7}A0I*HEXfAdTYZ}*!G03LQ(08BYjo4;97#wEt(XG#`9$xpBYU>c*3j}-T8HlQ zn8vz@{ZmXzs_D#OkLxSQ9z@7@^Uw!TK=9Ill-={fcg!YX`{5laIJi_kiaaVf->xV* z9_pRETZ!l0AZc@}=g{sI*|A%%3!h-)+j=zpv(xm?YBwHqQigZ=3S4OJ5o>u^mT_D; zKNjx$<5<;o^0Lo~(!Aa)DMgt*{A2Xb* zr-ervKED%1e25)(rz|6{g0>~P?fjjb6%Y68&x-Ev_Xf&rYoQgUuISWr%9)CKs(S?o zSFy?Am(C|Ee2nOnEzd3AZp!gc%sL&~mZ8f-6v$vgZ5?Ho^K2b2J+i<58f%rPK}j`S z!RoI#5juRY(MQt{+o{Ew?=$C?eQ8*&DBW}1E7y;UmFCg%ZH|<*$%%$OC3@w0F||8f zz2QrSDH8|^Q1I_U;R~~(|1!hAJo|A_j%X7F}&m{p;)6{TSqH@`2;OA0WGws@5*Z3J&PEi zM6tIA?`ff)Vok_mmB&0m1uer-7k};Mda=&M?{uCyXK<1)XKe1z=?%579K&2p3}n(< zugNao-nJWBARTtSrizId-)8M;(Q?QqY%=n zz0<68De8E zH7_17^Ci1~zxmX6IUlQ~eI0eVKP8|o-B$r-Xd7Ov_40>qmFMQHw2ilAelZ-x`~)oe zqW*Gcx!;A%D1g@S(p=CVy-qD^WDziEV)Yp+9hw#$!N-`beth}KU6IE7vX4F@TSP=J z^eJK+5RMvNJdKcj1G`Ts*3gwWiDsy*BZ-`Hc&q;SgeOK) z_j!Y0z#35r)^+ezL~*2dpgEi>V#clWbbU{@{i@yQ7I_QN`pQU=fTJFktP^Kol=vlR?$ovzdA7t2EcUF15%7i#}(jCH=H|FV{7t#Et zvHpW)+unTcahx&HLvH)6^{T#``+cd1IbSV%+19UTK@(1|XRhynnSHGw9k`lzjLQ>( zsiVTiBpgy^_z!Cg4HbSN2K+>yO!cVV5wlgCcI0JLH6~bqua_4`-v2=S^zqdM?ck|$ z(<~WfbBf>`idz}Z;qeAp)l>vnTYKO5A8Clk6mFgZcLc@DU)Vlp4r%LZ;beNB`5`l= zZ)jk`=?h`|F2PrqEsk5_l%Irpt|)#bY-ikOjeCE(4kuKsTvw*VOtRfV#$E6wb!#F% zZsEC6&{Lk#zI(cRhujM?f>sy{zk#33V8HP08UD7(4TdwrJ5njC1SY=U^c>bb@9e3_ z&YyE{*SjW{nxy@9s*y{&Mw8ZD7oSykM2iVEBA=xtOFVR`P@ceqrov}3WUZ{Db|XU9 zWa7vCmtxW=2gaG3A9ytN%v&m6mUbIa!^7{2_Oy+Vu1489H@Q|_4c+)DSMB*UhU45^ zd0w2zQ^#_zpJXht2I?D}9<6UgE{t39C@L0S`k*L}D8L_l+A&gf! zPtLj~mGCEN2$HqptzQ38qK!esJIAw4au)q4jj;WQBKcL(a;5)^uy+ctJM6lC8#ZXe zX2rH`+qN6qTyfIaHX1u=+&GPG+eWiu@73r1zJ0Ra=h{c>a2?I-Kj#>~F>XBd{TO@S z??a1|u%@&vMw;jdDlS1-w6MWQ^Dy5tV`xiShKG!rjfGFALU%GlpG$v*!$a~N*rb}*53@U@X|<#dSjexM9~Gm z<;UF{HdN?@h5k7(_q++Gnnb<@O08gK6vJd~{c4)-=u>Svy;`Dsf1dkl>wptuk^kF&O? zYy`P2(ctxrhi#H$#Bc(vGzj7S8!|jjf~?8^{jv-eBLYF1Qo8fCLz;Y)_Ri;)$Jq`h zt~t9+3g)zPkeq(&dRO|MJRk4WChwb{?hm_?7 zCi8JXy`XCWh^LN-fzK#PYWSE#mFgJ-fg{-!7BKrea1Uh_%@g3q9K)#lMxq5Hrx$fO zXq-2st@v8j%n$4xCsj;0y3=5tS|-z=74#+RZEKf;Ui$v+k2dp{?KZUlI#fpZtC$g5 zW!9324yRC(^~QTRb8^6!pQG=}t|B(qzGrCDIa|TPcO#u!C#$YMT8I&!SorLO% zed*wb5^Nku&F1NJ0S%UtA>9x5`6-Z^ir`pdCR{JKXY{j$+R;L$*Zn}B7QDyS+fh5$ zTl8FKZp_EZyP~bl3WXTBnd}|9j{%3G!@dKh(hF&%#$u6aw9LY z+tp~(AAU1|VC~16;#dz48qpOI1PHG7(~~ctHZaMW(LME3R_v*51GR?Bk{Q0?Nx^)D1$%Oag78DM zgJym&C5t!pCUNp)TQeBl)RMh%>Gl)eJR4P%`KsGdo~-dYZeP_&UY{FJ z${@rsgyvW#)lq3WeRoQtldeqQXaFGz{wh3l=S7owt%L5lkoM(jU?sM^aykPx1u5F20ciF@rlNG^2?pmZ&tLVKU zk>4*@$R9D923|1#u9|p$V%%~;DYpgC2LDw-aqB?iVA=|UXefQ(ZKn2jx>F+!hA?eZ zrb+oxOJ&vKj{*u&j#!UOrMFv}WQHZi!$x_!!Es*mf@7Ynd6VG!EX568Br=K^QTPjz zcp=@rrcRx>HhFffMu~=Tj=oqlonf`tF_EGgoh$ZK5=geKyrRezlkpW6ebgb1qz0)z0?_7 z3PGB#Mi>ttTgkXCl_vKOcwqMrjD{>yMmd@s&|XTV$6XLk4sz$RZnN^aOgO#{lC#zH zOd?>Y-BD2)uA?MP+9+)x@t$8V)&}UW-`$-!6cU7m^8e z0aM7gsDFo;rnj@*fAO_#AW<=h2v>uGiIdht0CazvC8dPCYb4=3_fa?)-Y`lSHg?+t z+Alw)?&qBGT*g7}i|W!ckvT-vLX_AA-@qf|8kW6KAwZgn`&5O;Hxd5l2kPn9Cm{HL zvxeIp6w(WzJ`@faH9&*J$ceyxVU-u05pQ{y?|Ef#3OqB9##t2eAJfMxls<}aWN4Sf z3BM%ftCDf36`G$KJD-i;tRb2-h!J)5u!ms+MP_Q%ei>OxTJQqT@vTcI!F-igi@>V-0YbO?13K#EDx2?Y6HuL9(jknWZGI&9px3#;o={PnN zW^~NOqIa&VL%>{bEI|(k^z2bd4a*w~U$aE`%!8X$-q2KZ@lQnNGM)D)ssTyqdZC%R z^+pY5ByT?SN>9GDlhYmpSDUdQtTP&J5lBTrW^8y^nUNPK&oOu@KEn@!#Z4^jeBrS^ z;BcmmlfzTyz^&A&KD%)N9d5IGGl?!Kbo8SOGr)H|`8!b{QWc5Q-zt32Z;mBAC`<2| z0(n-Af_A%-?({bzAU59l4a>1%rh)Bdml2O$1Oox-c>iM?U*WP~$AQ!l)TS1*Ac~i8 zY-(o#M`>mlkK)-igr{6OMx%?VK+QFjV^6W1dL;ts?O7jZ1r_V=kJ#JkO8=aPZ z`X4_MoQ-;KuK6T~ROp>REm4E_s(7v&HpbV@*mR{E>VaKX4pHI{Ll4A6)7Tx(b`VT@L!ixARGp~=yu|P!kS#rx?Wn7 z4n+OU6LlkP7JArw6XC|tF(_gLe0Uv=`r``h_T)n8*K{O*sDwrfCDz%Fj-9wF`ALtK zct0bj9Px<=mu8#~9=Y}kTO}onL40tW_74`2$yLt*lA;7X>;~hSSV-@jgJFijPfSr= zwqFUbdu%*_TNQ%;1w$~+-FqST18Ibil*H8TwZ4J|i}R0uY?SG9;V%Gs33`b17H)Ye z)7A&T%liWUij;~&4=H|`z7i3T+x#!hxh3U{GjFylI%W29M8{dFjm#1ufU#QmJ)Dfo zN=ZpjArX6}b}qTrfC=t0@~Bqq{Z4xrFEzA?49D`DH%6QwV~xn+9U8GDEb!2l^hh1+PJGKZo6b#A^oZU#M6sP3=fdTC{52`)^%JsO>0=-E&vR*r)|tvd znIZFxDWB6h5$+b*c_V^SYnn46n5iL;(No==uFqJo^nMTqN_x2sAJ?|7df_l@UY z^Rb$vj=L^xMJMo_2-VNNdpSrAgxm(bMK$^5j;}4sNgmoALiQy-E2wRx7XZqiQny+% z!+S*w-;@bWM$lTz=m@`(O-@ocHQVT^QD}svywt!~rcR1C4%vY{v z1lqD9{D=`hZ7!jla-nq?kpx66&Pg@aD9GjL+iAIZP{?p%tG-ND>a;1dEPCXT_D&6G z-7*{61@Ss3ZZj)WcxKlD+S33p9fvb6)n=mP_4XKJn{S=i?RM6>szMJPisvSc^Jl0_ z!o2ciWA2$$e=Z#=;%g?oqp^XLg^PmoprRWH_QaQVP)7AIVbUp%g{B$iAD{iXQspTS z=Hky}KAKro(=|5c zvT;EDf*Tc3xK)vSIHSLWR> zx@^*Pbf$IH=8y@?w+XJB-!fD&X$Os!VSf3=Uk7e3ZXZ~Hebt8hS+(BI%v-1;_a0vk zJQxqs=!WC?Rxy!SnG^blqAdOLy%^mGhQa$a)@XR{&VtSDR5%*QUeD~-z9SA0p#21K7_5kdn#LcA&RMimiQy% zIMv8m%*_G)j4kvqT8;ka&+tEei}8BV(B#@x-cCNz z)bOQ|!2EsMXOHG*#N>?+oM>M(@;8Dt|M+3+<&K=&wj=WKg@j6Iv)fgHp6&kUc z+l!iJ4(hm$F0Gbg{}IV7y)+gT?LyzIgN7`g*O)aOeybz=pS1i~?BHHTI~@wzqV z6EUMdFU3C>i6F~1iWGMiqb|5u$G3JNg`_t`drg{JJss!y=Vl#g^=~&1KnA?V&hS4 z9XMGitpRfVmeF>UI|ot;e`gD7d61g(FC)}@?$oIkBTdUQCp{_>xUAc1d)r98YJ5~F zzgh9%<6Ca3#Yk8{R9x1dsDyfxRM#dx_0ycc`@+x0RPG!n?h(;Pt|-N1c4n06>RTS? z!Hywu@o2&07arK#_Sd^t5uXTBG;+Ti?kA>XnMJp4|sZoZDM!i@` zeD#91o4ym_R;gW*b?Shbvh2BDh}`nr3tJ83D~`&&Cz=7?49OoGWJmMO?4pf2(_bJc z;SJY(nzI~Y>b3(SU<2@jh=CrT3Tn;M!Ohqhh$jSPelbkxR5{*=-G zr<-KwFF`2VB_xFrO%Cg=VJcW&D{#0hgFT$>ktb*Zxn5d??{7 z`%+5ZND`&V+w)zh(i=6{W-t1*B2s3uQ>}anF{2l7zN}Et#e7&GAk?kj+7&gMG5%va zng{Lk!3#MtH}1GWWI1X~uIR$wU)|Es%0dPq;~{m2w#h7JB%cy~4OrNOyQLs-^f%w* z=o*F?HQD`^ORpKBs1GA%IHT;>5JzGMLiQvNm*C{*-Ic9Sb$_W6yOm_BR!Y5hxryRA>IU*u(*?YKOC- z2Ug-pKE*Cz(LMyoZIV|vYb@ea^HV7HfuRx0`B1Ca3q)Kc(an_(0ucLBfrsS*@w{9- zD!mxk#W^?`qU;-EZwu>#%H$F);mp#jL}tXlEVagJZ9Rm>_Q{vt8<4TK(vmk(Z_zD6oPFd!2G;C#h;SyXm^U%q{CMH1%xDOQn$@KU zILCaALER@@W-ElxS|9A?n%lxVF?(Ik&+Z?tE7BJ@qg!fSJoh<;mT(>^c}xbt6O7lF zK7U!-itzZ_(Jq7^j9BN94=1I0yW^}=$t9@z(GvV(W=_A^A@*FPUp*ozYx^2$`?$OG zv1Lv@=0xoO6tL?&CUa|{FI`ID9P^`|F zbQq;Xs>J*c#4>Mo`&6l`%qhxPa<#e{-ln-`)!pIxO|F@A;H9rVOf`8VA+ z2++INm!}c@OFag^c(IBdluRPv#)BN4LSr>%60(L=SbJ9BvWIy}!{+*Y%C$8C>+Mjt`MbPxT zT#wOe`JSljFVdc1Z@`72n%WjJjNyOU+d-SMRfey1z4r~QDEHss3}-pT>IR;#H=#0kVMHZ-)l6GbsDA{|F=)N zW*OImoB1RxG#K?85w0`RQ!>mjlyZQrr_jj~rv0%C zhL;_ici@4{>4%D3R$+O7FfQ@FNye{%>=>2gYnXy&Pa6T^MRl5Gl(kh%=wZ7!Orjfm zmy8xY&mwZ%lfCIxgE|s5rt&irqT{woaK zoa2}D8J@ML^j_EktNc#Wn)({C!#AyTF<|*0Ix6PC-?)s=HW( zl)d$<`rQIm*CYU!xL){6zD~Yh+I-UQ4~e?phB25Y4l9sf8U!wA4L6Ufa--@_O$5B5 z1f4I5kXM^e4&jFppROfZF@ZTu5@}KR6B}Q#EZo;r`JNi2(h_#W8kzo}&nh}3=2fKB*NNYIL}qq@Ta-k9w^svk-&>FJAkX z3hKGmgM>6mVT%ueq%a`PAMe~6A(wmPUZ}q~IUfS;W0RCaCY#YF8rGQr@cv2HrWLp@ zuXzn^N1*aR{;cmR~Rr>dv;y%>M8T_*JW?a(xW?U_KZSNFr zCjxlLzEY>lTL~G&VtRV$@|6# zq8?M+kQ+2>&+peq*y^^zL=*1;b3M!8F zmNo+_$2+YHai(cu@(;tWo!l>#I$qb+&H^EXK~pdcX5&b&nX0OJp{M%$+W%Pf5L zCUUAa23%?YL3YZ5$rvoT=sx9Ex(oc>*{&`q!G33P9GE_6i&KeC=G&k3z)XoYr64-G za%sTO-D11^>_l5Xbzc%Y4zV)bWC$E|ElA4c+z4ymaip38Q1Y9sPvH&yaaVI-d0?UZKCWTmskuCOM~D8RSjm(T^)R^L9?Xu2wn@~ZyAmXJ-Zk<&h~EPI9!RH-7o&E@Yt26-0i0P z;I#TAiuo?yMj)&nKxzYr$6g*0u!S2%xKvsnfWO)UR*#eXH2yZP0p9EeKrCsDCcHa9dbzSQUkffxq7H~5RX zoa3Pbn`}tuOAvbp?L&}wq@0UU!jhP7O;1tomm!c=}J!WU{Sk)hn{al zX9l0J*MbZfq?;w&hZeiZW{R-aONuyseq3I)^JL zi1i;LDzeL($&I~G-u%sUkdI zsOKLk0R@{u+vRmyb)TBLrNm|^d@W5UUx%tw!*1f)m-If-(lmG)eU-VS5^EFtb>``Y zo!9`CLewr>FJB|J5R@_8MK;oSe9sQV0_tuzuM*gZpXujTXBR&JfNpQ09c|W>z!Cs7 zVEIk~{WRAgM0-p;cLQo{s8P{7Y4m?4=8T@C2e$e$0o$ z7&2(8d__15BvzW+{2_8z%U$RM*o*5>4CVT$`?XXtfgOia5sfD zQMq7!pK>LI;IZ|x>AjlB zzsCD~CZ>82pZL}!;Q-QI-(V1!C%|ZiYQFNyrsHGL8=?`@B=}pZVR?-znnN1B_~&m_ zA`3>!9Y-T2f_U5!D9}J|6T$>7#r9#?$PZ=-BmFg6tPfw#=|c?hZ|{+3`*jy#@oP_H zp@y0}Jl(%vF>E`$7$wRL(y3ivrzp1<1l#s#69_DQFk1}n`89ps$PF@n;AeV4E2?qd$Y;=(i{TJ8(C2y|3ld$? zZ`+=%NOd)Bn1P$)e4mYVV;GrYsG*E$>DST=oonjAN^`0)?5)T`6`a1-`Kkdm2OdQI zxJhk|3~~0Om;y+^JhiEgFjz-2;}{XJnUB$Kdg6OGH{Vm>f55mAnQ3U@%`eQ0%#m;D zh$L1&^J?KC86Qx1ePt( zzTJcV6o5%8&w8YSHnO@!r)rmX>>1naIr(6FZ5wS%5yUzOzr7Cp1(VWZW;7E8A%;X0 zx#;(C3=**Duy8vu*%)#S(amF<91+_DZNJ30O$H=KQ9^BS9L&m%4cmAZ&)c+f0LP!h z23WNxg*I!e05Bt$%0~XFtGEFk&Q@MG9LS54%Y0c)o#f#rtC_yj;xIwb1M`wgu0uIQxtbntPkox=%7D9-V0gq##@3W zytVfWjShI?GQVGD^5g!NVtxcWbiZ+wMViG<_Ls>@!lVq+ITxK8rE-SBNC_RKq|c6T zMeapeQBse^K`k`?Sa6;4nft9Y&&ECRFlLqZ`HmCsZEN|tZq6Azcm9KQ@_A|H^u1uD zAS<6+X6k9j;QGq;{MAulk}0Yz6n`zMRkWt3q2`8!$uL)N4tvq25OVf~J;Sx2Vd z|Fct00>*8QdpjCNN(iUifh-*8;+4%--C&7#XH*f_+{@>|oGb0{nL%7Bz-NrU<@+2( zYs>$YM7luov04E>ua8dX3~xNcPYUd4lJc1IGmj#}e3@F|Mv0royyiD(kYCxUr&843 zNyb3r*axVQX^O22B)SJA-1(n|bhX0W7CPZ>%@4W3N7xypY1I2SsWluM8@@QRHCnSU zno0H9=32&{VO?>MCb`5hq2X5219Jmf^aYAF{(#BX6rMs@{z}9*3UnRs|IAGZTyQzQ zne2&~zXdvgJ`K3U?u9s)N@{_V&dI9i2Y3i>p5KmxF@cCcvj(Gy$HLlgFvao)QI}ho zbAWG$dCgxBhUwG}kPe;3MWutM^*?7(m}tLb9pqo2&wA5-x^CBgZ)1`~WJzj3kzT1< z^wZa_K?mlsZZ@>tcFqjB!VW9!-z64*+0XnpB}ez_Qh2OmJiKT%gkTNWjgMS{?&aS} zhUk5t_<7%m!aumxn&hY!lkQ1V-#rd2hRkn%atFni#6^G7=J9(pfuj){ChyTJnliZv zs{M2`Cz13K0|Cwr#M(|^Rm)cr$X<{_I3MYfdtKcCE>~tnmOPGe&dLj zJfMq{G;@F!_zvkL^-o@0wzOsWFB}pea2P&5$Ma?-#`2{<0TFzZP^|4Qybyr)VK+}7OW-jTS$Cvb8y|SZ%{tF=6bxi zXC*Ora{}D%cKsKKoT@6IQJ?e<7S#>?JUE2-hpVkPaG~qBe@;E6%i9vTjw>4ch%zpw zfoJ}E&`va1-%twp0t(2MCWxO9R}94z2}LT*jf5ekIB{dlp2s7(vy-$@gtGN(!+Mit zHnB=&96{nRp5Ep&VVQGz**9JeEuL-?Bcpuy=~^SjWzjpBRG3cr^sX;Ypk|Q{R8pUS zudA7LNBz&()$2BgG^H#{7gM~(I<3*VOAT-UL?rh(I(ofA9RJ*F(dt~)Qv(X_F(arF z8NFswzIP0XR2SZEqIhB6XOPGZJW}rh3!*a$OfdA!si5MIe#W8r#CS)PR{54iTZm^T5aA< znK_9bDCfOw;r*tiaRgDVQ2c>CJE{C5J!4}QFZWdAgl&WQRfpjag}!5#&gG%kGovs0 zUK{7o5%5^q~j7kX`@qGA`h$er}CmRMet!m-8gPb!Avgj zv`oV#Gux47@2@Psa5uuhi?SW1N8-npGKtJkdxi9DE-ybaQc~m`@nRBiZ}t}@)9O#+ z9kSyIiO13a7mL7(Mbad}8R3xbC0V^$;Tk~Z@aRc9DdqexxXXCJ_hG{V=K%cbbT9wI zx`~%OE;x}GNF}t``Dxbu^8r`99bHZtWu0PR`SQ@Ci1di+hl(`(j4y!W=Utmx8?#$J zL=G3V{Iex)Vk6WK+Tsqm$~05?2MdxTVV8(z+Lvgw`RWXKZwVZ%bdyHjWHU2IyuJSY-CCoc=+ z>{vi(YY+OsBSp5cSd-GLE@w!J z{h5qw^wgseG)P5<$3(B{r$|I&QniUP)WtE+ryrp$3>S*a6W7NuYf-tv%QOAE3kT>C z1#mAz_1#)!{^|P_2-i*Th}ximb>UN*>W)YSGOOYxL0#vBMa{l!8;DRVI#SRDX+fE9 zX2&!(qm`@Qh!f7C{N+uKK^G#|@kpfP$C(X!YCl@~6psgfW`TYbhTFg9$jHLl5OWaIqW%XAIXtH^@ z-K5X;3w;#_;~(4WutvFtZrMidp|tu}TlaZN6U>~wtIovr8jN4jlKE@BbrBkwD? zH`YzLV7UQr=hFZEhS1h(J*bb65UGM^WMpJ`Vl1SdhF>Mm@f4LB7uHr_5cub{nyV|_ z-30!zkdU|0#mopGxvJ#oMX}ysxu;bzH3fcsZcLL?A#1<*iMOHXogWN`l*n#kDn2)U z0xI%{9T0-8UYetj#Hylw?${d-1Z(h)JtgI^ok`+&Aa$|GUS z@e^!JrnYws%rH)~57yGZ=UDeXMe(878cp6b7}rvHJsiIshA=sJQzn#T@P^5){Ke}MeeD-eCzRHn3exmQa9H;`&cS2pag}`e`t}0rnjd8RiVdWr zxazxk-|s5&;&jiW{vhm43??p9g8Bk^K<^^G{F?4HBeq^;z~Xa788=4yEpANWYOu{y z!In;@cb*5K!yO-QO3}$%I`-EmZE6-?UfhX^iMH8>`ugel`65L0955nCgb+_}5KwD( zChQa{{I}>#_!(27O}0drb8I(>ExaQ*6}~h0)CKuf&Y7@9GS;Hf5jrQTS#pYkw)!o>XBZ|(_qrtP{`4<>AMIz)8TuUj7GGxGPu|%1ECPBNi zw0!&Sq*otZe=jdIC8ic=j!ew5Jf$g3LIUd-IX|0qih!_)8u<*SaYr3uz zpniwH&#l!-^K^M4yvit}oW67U+Zlod{-jM>s`O+pG5d`{8<>~elraO9%i&_T(X?}E z0u)SW3FE6CH}K~rAtXW1T$3uA!%3E+bbQI?t+0wtC-8)1Km1Qh%+vci{Q>!;L6L({ ziH7XopqVj$paRR&R%LHSDKa%<)A*i{7L&reh3vlewX{lcEL%kQy#9pwg6hSA8;yKE zzk3xhnrfdM^VP|*VVD;Md7B>jh}fp)dr_PPgtL~5VUtx~`&LJ5zvZPR`F-5t|NBLI zY2o|`z1P2h&^(&I%8l&EI}(11-KSjl5}Qp8Oi8=$LjF#i1W&Z#GQN8yOAh=GbZwyj z$?}$>wq@j0yOt2~^$5d`?b4!R@4Y{zF>6Fll@XI-;k4;z7oE`H3>ev)hG&SwBC74z z9ihEu>MH=^|DJ^Xg3UjHt|oPzHnvw8A?Stgt_$H#ee^%>^7a>=`N(KlLr+W(Ge1Rn z2&&Bl|6PD&!>5(7kht9}usXlj{Yh3E$r!DA|UViVG_1pBJst=z?5AHq%OCK!H45(eDCwqkoqw zAA`dmPOESx8nZ6{AMh4DRmCLQJKyLMU8$>+Sc^G2aoBv?x8& zpS zU5zHVWQlFtQYfj;eZJXP2p*ru3%6EM*^(w$B_olP)~@%9h_IQN)1vdC7@Zxxiun7i zcb>P077!{68h|8UmY)i~Rmz1Ab#^TUxKQisC81}as4fmFpAZsHeNK)HS*kU4!??F7 z?=+qLg63J93fHleWO1u2-oRHlJi6g2yta~-H$fJx@2Wy0m+N>rs`J-H67B8kKTf(h zFNK!Z#kt7SPqnf{P7~_;g=))mqq)zrFF$MrDoy7Q-!vV3<1L)Mp}^_F3jh1r4j!p8 z(eT@T+_^KH|oCkisgkfq3-0G##e}-YrPhvm(X-tU`8rJmYGc``% zZdPVaqizp*koeJUHdX0SFb}}S1I{TepD-%8o3jk|WYFrvY2~-&kTY>YX6?#D0z>1~ z6)c(xIH=SPfPLq(eyB!3)mP0#tJ=CxD^Q8uySe|ys0+UJzcp3FLzB=5X^c`> zxYqJFK(>0ciFZi2mYFbe zX?Myu2yeGI;~5`o-`MLHmQRi<#nJd~JsDyhaJlvrS32wsvPBph0MNY9T-aa@*`z0n z?6|s(7`8FJbVEMcJr5(v@p#*Qx015ui|ZexrTPGV{j8KAim-3;q6{7@x<6{?j(jj~ zF59AC$wC=^DkXWH(U5Vqf~({I9v8;7)og-`jy#X^!=RbperN~qp}-6S7}tbBZHt#Y zIS(p!O9|eGH~#rWMQ*l~3Fql3V)d&*KX?|qzp+xJbdk+<60w#fBl3h4h--3y2Tb-t zh51X9Byv;O$%`;z{^tYws>;S(W8Lb095er8u>-gK2#{VnWWN;Sm^}@sVK%#8|`rqjV_D%1&SJ{im{yVeIRU@&d^VBL)af8G7js9 zS`#;$JUUymhT{QY)s(LF8^oT{0j8J`Ic%cW+;uhgh(_Ic>fxe8y8~ zGf|KeTK(m!^Q}<9QLpLYUDJP!=v&z+nM2tX5fL$M$`Z)>v#sWu>qBvLN~2xbV~wWO zwPLenaAC-I2RD;L%Ra)3+4t$sFSW=naFU=G`oI6;R;7)01)Q}=5VmSb!8Ge{dxY=d zHqN#1TETpl(?roz*l~X_zr@P;id0LgMPpNC;2d!p(W5}znsk44(E857aCW1bsJ_@za4yjogs$kPu}P>abJ2UJ1|(m7KEIrUzsZZk|+FUKZBwwS4#{{G9#2QLPt{ ze5JwAtaQQeF1kh$V=S>T$%lCp&)A-^YXMMzPw{ppqxV0YO8lSRv7l#5_g@Y+2uM^+ zqDqbg);7`4_l3HspQ-YKP4&3;^~fwkhAwGQpSE@!iHM0I6ueq8lT9D1`AEq74JjgB zvcVF>yxAi-=X>ERi6JGg6~IRXGaTtzncS}{@&t32!*YIEBi6PJjKw`YEk8l*=(+#UP>T_4U*|T&(1sv93{D+AvYumXO}3)&Cbf z@P|tb4n%|E~f5wmg}YfC%H=v z=|#~F#d56!&|FKbSlCj|^2y=Xnb49S**(2r`KO2}wR}fo!0aRkHWm9w&XpRe)4Z#E z_#sn(T`_xIahS8iSu$JUm+D%L(*fjMJPaqXxf1LB4GEExFCgpn!y9WlLsym1Ne7yQ zT~33_75 zNcM>VX#OR{wn=i{cqIjm6O1;H zrA{5z*eyumA8k=aX>yueeEHCqZ!=(^Wc*;`fEVPLZ)DGB>N7RCENbl?a|3rP@Js+N z8l`H4yQL^A(*N(nHBW5GQdY$rlLSl|NY{x_(3?y z^Fo&c_XN%k8&6&Gmn_Ck;6xF|JSLnpNkNC|#7QOdE8SQY4UhmsyYK9<8{6k&d%~0F zyCvJ*ik?Vtq1#4bUS3nES_KeCZhxP9R-&e~q@1~bF!?i_9wql~;m#+z?KOTkFlxJz z5~#?fF4!tU+jev-_ z$R?yBrZ=MN0|_ooUO8EQ9LXjTqlFEPa@PnIEXzITA4Kv<3e5T6HzS5xKR|}73Au@4 z1%#zG#esb@F_S<3MKI7$j~GA*K7|yGB!Q9cW6CC9F|O=r4M`FXA6=JZ5Gn0$R$kX- z_Sb39ovB*GR~|d*ZWxoHZ3oJg&FT@v z=)1q2m2CCDd%(A3hw;|ER8!FDs3Lc#{j_!x_Mekg^lRbnTrH zcW+F>AGI%bx>e&q%;E-D<`Q`BAon#Qy=>!Xdcib=9Cqm_%o_3c zWi>8j-eX`BuKfN$g8{Dqc1Hz*_+>7i9qVF&IWs)NH)4*BO8uA2I%kDgo0;Get!~jL zepJ7_C~-nnnuU8$0+uU{AyQHH|B01t1tIL+Z-lB{&W)rjd-*fhe^VTl5iEW$ivBT* zS6E$*?be7jyk;NDadT*Kf~|W-JuSTni(Z^-KGCca2mF9D5fJ*O{DSC3fGF14_OgyR z<3WV$5b~yNUCZcjFzoA)_!t>{P)T4*tbqup5n=B4(lQAYl z2rwpul5MKKM9X~BmyD7hUUNG7qtG~~=ab=4^HYp9kCAPXcxK(%furQ}fUJ$ujGBv}XIU*xO zFfM5zO%L`cMeK=Do!bq9eMZV;9iP(23bhc4=Doxg%KUO#eS8p#PR*y3kGdpG^^;4{ zv7$~DYAP$Qzib4fW-sch zLUgZ#)^*9vOf{F6dWuz#xp6a<^8du9MODB->HmL&0_^#Ph170Qn1dtC7(}XR_9RY1 zu_0VUkGYJ%8AV8lljbF1fcd@1L|VvuaXRC=FPXnIg`&+k?OzvoTrX-)ekZbi0b3}> z0W4LmB_?RxMS{i{jo(uTcILSf->grxRg$MsYL4a*?G*2^#B+Gip-_obgOt|9G*chM zW;HvVf_UMYVp;O#iQcG_Z&h@ER5X*&Rf-YQYyABfe#z`Id@kkq8u14Umz!gsy&vV8@#(J>V62joua*05X-uI5Uhj<|pebRV1Ho_=RkT(gWF9WRa zIJspC0~0Eu=B;j&Zclxitu3qKYwBlEe3KAe@-4bFPbN6^Ns9XXZSE4z=B}Nzzs+Cj zO0e=s*z=7hnOTQ{tI1kx-xd!U*kImaif!=r7{8 zTVzD#MnjHN2-iFx(T4~PuHur2miNk4{9TVS-_i3Y6l;USlB_$Jr^oNPibVP5W-y60 z9=qTLQ60SMEU=)0wh>`Xd?r1=;IL6uV0>vJP-d^lv)JUKOai!Q(SO1eMPYa^9)OVV zu9PVMvsRaxer-p~H@1u4~s`+E-W z7grVMHsS>{^})>RzM$5knfcPRlcLv4x|A#Jbb|MOs4p7ZAXZ5G8fvfIoQ!-KcT_7i znAW$#fl2MHt^_JsM+-MwR1;&A&+G6^bJS%$#^Wegy!a1kf=6;Zmf~71eq~ME>ht-o zs|ELy?L0&qLy=mPsJ)p(QGIp!1S5YmQ9f~8 z7Ej{|PwNQCfzR!YNW>3Y+_cTZ%f9jyGtodk*mGu{rRX*cQ52 zo9uDunodC{9w+YB#i}?|HfoNs-)p5pEs~;N`G<;vA>c!9gvg^Yk&wq{>YTUP#TygA z0xaY?*X51acmkR5f$@oS{3i~0ZozwC0Zgk!c5EPgN=LK&?+feW-p0epNnS@ z#r{bZmG04>jjdUlPCfCF?(==?jk?4_km5ut(@Bg1fRz6FfInBne zs({sj`YYLtQ{SRr$hp_;MfDl{w9C!ljG(1!blZFQu>m4$x|`C%^0+QstToR(yzv)J ze*zpRmC87UWH>DqU-dku?yCAY(3-U%>1ARB!tc=OAb9h=kevR>5%sGsL~_j{uyUuh zimdc!7^{rq5|clfwfK!`Cr3JlUqZ7t^Rn>7d$u*?WFDhe;#~C>o(>F;2P>Cz@-rv7 zQ#l1z>pfQ|MZaJ|ZV$A9EHPiccapyC%>do|au9}hyjdxFDE7?tiq zO+<}@%S~r<3FIeO{ejy>^#_e{WH*xMkw< z?{_l?eEYo^%r@wf2bY4L*z`J&8?r^7002P0;}j0M^L;s$^DKHSqZ z^6`#mu3FoN%czo}o-pgZ7NN_ZZ;NrP^^%8cpAzQyT5(S4*lTc9=a{+?se`#*6m(N; z$OIG%!oJ<0kwPr52xIKaDCHc4lW`#_R*bhi<@)|S4e~9*?Z39OPIg`myZul}+Hq+{ zSk=!@;5O}@ISr_&Ls_Vr)AZhx%!y~N!!Sfz%;@N4tUOMQqx@IRi*w)iU&Q&r6&TB? zvJrPa-VVM#=|>!(Xhq&<1eO2j)(O_$H&>l3EZoo)esW--xNWk2m$YKW)L84e(<4iV z#uD75$#cTRWHL?@ot3*AYy zC)~agQ#&2~67sw<|G7B-X|9mD<3D!+lvpEWx^>c9cycdadS2=F8OoJto)hZbG3B{Z z{mO2>6mo9_=($YZu)p^F9|Z>)z`6Q4rrZH;VP@hTrYdar+ieon1wNb@J2VSH?GiBEHB<95g zhV$A6^)xmP%EuKgpnGZb9f^355PhiRh_oCB8|j~1CPu8%EvBX|(|7(Z?%U<9maqDu z#!#s)6D{Z6P4go7v%6@U+fVldt|&-8`Q`iG3}aH7QDuL{#pZ-qltQQ4-oIJKSrjS# zw3v}3LU$GCw#%2@MaGr>!%{E$ZqyO2EcWTkz6Ujck+izsN~OpzYUc+bmoXv>(IM5+ zUrtVZOdRj2lsKlgMrFWN?TR4#WLdO4u9q;t{=(-wjtq!2%cCDZLapwCh*gc+q&Ud_ z){_fm^uCR1~d;9ArxZBRkt+aavUxK|0ZI7$y9VI z1^D;uXGTL;b6w%X4Hfssvz+f)qG00~nbpWIr`e*DFd%C(5gL~c{HkudKX8I_blK$>ph$6&eHxq zr&JQy3$|2QxSSC4b&J$fpH$NCQNpHV67yFQoUg7&jTCwAoNDHp4%~BQNR1&lVEjG1 z#punI{O`B4ZIJ(liy+_fX;S^YWqEpB9(d%PZ=@Fn46QOMi+;84RTG0ej1%L&qen~s zYyc3Y(Ub)YtmxP3W*Dl@nn*GJ za!9Q>%O~j~estxVOMG6fmDph!S}LVi&;Z0Hsf~HO&S(&v`{M)7)UYpLidJ*xN4w0o zH@hI;hz@BsRe3#P1M1}ksN6LN*q`r4PRpqw`X1@^%@|et)LEij$-La2cRsZADkI@X z*?hB&-<25ud5}7#>g_%B<=5sXRKrX|J0rh%Qk zMpLxe{Z$ zeN|D+@qwQ9=>XM1Cywr2dSNT~6{esq|1x)enHk)NJB*pqJ0V2#^0?T+3f$O{1 zi&e$K6hk;(x6`iS+XeBJ=>&1IZ%B8%rFrm^QIV8DM*(MA=OFxPC1u#!O;L>YoW|Un z8hbbGD>!z4bt-xD%nP$VQC#PSDb`nMU|BGto`@~?K7Pe*%slWcuVUt9&DvY=+$=o!`aI{3X7wlm#b)+M2C% z>@GC{Ys9W1oU<%h573Pxm+5r3m1aIy=`(b9GNX2M>6~uGQORo(@bo1aJ2{ zpdoT#b9|9%KQv-5>k5jNa|r4<9<8mu8f3*9)V)l{Z~ZYwmR;pUD_ZslI|nC|^WE+RR{rd4c!ru`;^ z6?ok_Cle+cnM!dZYvAT)Ij%E2h0Obg^&9`YT~*0EL4^N;!St9}3UB3g_r$R;(q9qJ z^olA~jN3xFi3wwHk17wuI|!ER`EFARL$P{_ES=P_Axc+H_xA>pJk&cApcGcaQAXXp zjGQK&-6u}VX0x)LueMfHtLabOUDsGkdqpv6lf(LawgV5iIG0zxhG}=V-=0a8+=n)} z?QsfwI8{bm^}BX9Qi!h|lCehR2NRp0be^U+ayh`AI;y*|3OR5SKCXt*ckbvtCCFe7 zv@BWAleU*U+1{knCOLA{rT*Jag!Bwd<>hfU1bI=PTspXMn$n|T?L03Wsy}Aj5W)Q; zyJ)d67QRZoI6_74ji>;}sa$Oz@))V4hqvXOZ9s=b$`^zo>v;~{(Y`xHMQ46LI%j83 z_Jl#f<$IGOPn8{-*bw{z1?v+K@tRbdZ({o;AeYZB8((J$?Y7(`5SkN#Vm!)Ca+R5RH%NpT1`1RREh z=Nye-NsHISDeqq0yx*XWxBh|Ws$&$5M$2N79>29}y4yur zgPO?pis*fa%X0z%L!CxWEz;%{jfHDn<;kZiKr&Y4#{tH@N z3`GVmk42yoAg!)a)o{wb-|&yg3iO?O?+qhSkinFya^Irk|0z~cucLTBL zkp}{HLWEv>k#G4Pa0e+n!bexTejE5*Pl^IAvRI80=X1~#X7foF*zMAl5`ApT%&CrP zY{Qvf6DQiFQU7V=@8kWws|oIndk=&In&-}ImNbQDeLK-hu9{yv{hG0drK_tjBPg-= zFWfzh2-Z+sCg3TPs#ZWhcLRguN%s{yO2SSw3%6V;7=jN}yYv0_X-1BQcdN+gU;G;& zL(S)J*9YJQ?$N=7l({oRUmfM{sx9Lvi%yjo)~m0##W5>bi&Z8P%;Vi(1V5>;Ir{YH zjDk4p#65lwuB;#u94+B=2@a(ff!=2xr7$N>q*_FLH(&?>MPMpz-~fQGO9>aWj%zo< zCRY#&4tEfu`+r#Y<@V5Z;ji~m4E|C?_!k>^l5xiiUSRWCftL~&i^P*sA8!-?_zj*; zB__nC9aXC?ap{%L<&9?>AoYRZ;v}-79C@0qC8h<4jLupZ@?9%dwwVa3ZWEWQVNPs zzdW$uL7vI)AvApJ1#pvCHLuRwub>(Z@HiVu_hQ9*E4{QT-3X~=LIdo0>B^vyx5nM3 zQ=?Z*3V17@_R3vuyr%eGXBTL&n@OD5K(WIgfd>!B*9%FG4@*es)g;z|G9?#F6welGrJ`Qe9h~ zWA-~A@K`+xGn?nE|6@yjJHr0ty>^;_y8CjeDqT-P!Scb4w6f3LWhLDi9eaywJ;&CBBg3?`a%|cPM6nJx_3`>O$%Pa2uirvb zuLWuAxiQ3W+9fN&2tc$I94t=xf$+BwH7dTl;oz>mB;J&24G~Zb>X$V0$KPsHbz|V_ z65NeO`vI*E#}>)6Ud-#`k$O{O1uFLru0MdFBY^2xQv}S62$`eob6THO%hNez^AkGk zPAH1;mh$?tpU@ex^X_GMgs%Z5y9|9H=P%b6O_*ll9!cy0CAsiHQz`$t90_@=X&!!p zn*TtjS-YwBe-|TqRTxga2L=j2ho`H>pm+{@Xe>PrmYVcZc- z@@Z8i5LkofZvDu>;pEpgK&$`*z$7WbXt5xka=RrP#VU_z7oZY#FY?|2FtKW-bfYd% z;43{YgYWdayiUT069r?`WD+9JXC%k%byIZl=^anCo8v5e530p{HtZlwSOv({NOJ;F z@ZB!6EK^zhgh#(-3;mWq5zF`H`!Si6*v3AQILM4U>g@QJtNTke5`NF37u`MSvyfo2 zv$H#-W&QyUk`kkZ{bq6jXA0!N1P>6QSE*9Azs(F^c*|*e16OGiwk}n8KdQk6+mI^i zq4p>#Vdbe*?@8gxS@+o$4PrG{#eka(={C!ecWV~_T#hCEegVBWy}FEP80S&*zKnp| z?4PLg)*XhM&dLQxF8_9F!Z&7PV_b^VUBXK)r>c0+xmN!NS^Fk7692QR>fyi;|=jkPEZUG5GGIu{de$Hz!&~j3sFfw z**|jn^O(D*8H;M3&{UM%2_Wv;cp}>?E3rpXySZ7I?Pg%36dc|1UkCU%{ItV=FUlZ_ zz8%k^6t{3zyb$-yq~qi0d`oi&iQ`Pgycb6NblneYA?&uP`4!$927*VAS^>VVLwGWb z;9o4<{|_PHTWIREP!V`oTFTA)U0vR$3!9saYf02LVlUH)h%F5z1H_@q)t!{${}Nj_ zpYVDf(;jj(Z*^z<8JOaZrL6fGwii(-sTNo`0}r;Oh4_33MitpAs% z{&S}wLcmMRhA{st1OL^u{C6h2#Rtsuf9U>?*!~|r|Ia1tKXUay5~=^_@Bdt+{zQ8J zk*oj6)xQb({~y*PK0~~ftHW83JAos<^H|K4kCo_Kn}3EG89g|3P31p5+QCif2bXJj zIQSo9RD=kDeB1v*qrp(zUfy%kBxgw(u zXO^`P)jxbsioV$&V%XFC%B1Ky-U{hx?A?T+9ib9csZzNT(KZ3Zup`qxj{iX0Gb~C#@V(1!&Pc77n|E zL&Wgb2u97QPQnP#!k4Sn%EWc%0zn!6@d2ecZ-2fC268Xs$0WJ26!hs4uD2a8JSpg} z##}bZY28Qa9eJz&mRkbWC^9a_W|1meBy7_Ds8m_`Y3R&AX*+@Fhel>E?H%1geC&KPTo(xOUtf@>-ekgVam>&yzVJA2oyIfXE9+ zz2wb?f2u;L*8XU(mEfsven)Kx0VKf#7vgnoVG9o1jXjD7Lf z-O0gq=FBC1M-9x%cgy8n>nsI&g(~8CMvL!Q8wmwX2>*(rr9B{u{cvnMZNQ5g-;M5n z`C0deSU(FuY+60_gi-bUH?gCa25I*Ik&~7MN?iC|Yyae-+x3cHK*s--^*UY=?)5!+ z&?D04MY;f~eio%yI5M8vL5c7`oC1tF56*7ym!fN&%|p9cLtvD8Zf$8_8L zl}9}Id_jQJTYr>$_3;KMhKYVv4~XY$U3EhKiboaOTMBQ0vEc>MpJnv?y?I91TXs>p zfZPujXuqG5$NcD@!uebGOV;<_({Ra?ER)T+2XHaivW)8wv5Mcss_(Nl;g2-|#J*nM zgRus=N^uSUN5%f5V*gL7*!nvq7E{ZejE8>9*#-#|hLFmLw4uiulFyV_e7wsmMJi_f zVDZl08!>l4ZWC_UoJqJV+B8YTEV(j@Ts}>Lg>~RlM4STSq#~?4*Qj7pP$5uwdut5y1A3l1q0Z6AIW z`+4|9Xy;R^7g2&>xJEHnYj-m0^~EPOMoO;k>?v2PLj%e}I_jv8*Kn%X024!@5&V># z*^z|8gQqT!5A6oxU!dG`6SE)l9)T`JP7Qg_el`4nKpGL_wG- z{XMtGs@)eR%(XEw8j_OiVT5f8RZd^se!RCDwb-Db&MPuqP1OxM7?#ucO561w#SW3IDh3IV$rJNk+`m@H z+8~2;HBTzR%Hnp+SZ~CN&E<%D?`yE5Nn_|rOAoRMa=5d6aum#CG9KQPaYQS|3XXs* z{MhGQ3uRF4Mg^bFj*rB#8XnZejVZ4r`6<)5M@qP8FU{IyHzdioQKwBcTjlm49LLCh z@H;aOGuiQb4nS~vfPR9eT1N7*yhEjR0d|;%D;K3n-=v}^>6^#BV~ERYwrptE1i8p3 zzP?|lNtekbp77iLeJcXR#5+yz>qO5UzxA`sHwMAWZBNB{u8xF9a+wx(i2q*c9-Af* zeLxFw_kfPs>#g~INFcA_8aJ5DgIk~8qwh0x(=pxxmxAdjBhE@Z$-DIoB1YAM3zNN6 z>RHa{V{s0jK~I|O3mZ2MJthx7r?9^B%6S*d?7ig#q;~D7s2+q-Y^Sl*GBhM*k1sXU z!Kj)!Ok1$mt>OY6+z;=honggmaxUybQs%hzyl^SI@|aW>-a&rg>1DIwL}2R<=ESF) zxtjm!wR3Ow82awLg1WQN$%6+HYE>*>J?s`hkzy6QF;yu647sDF(gzvx+&{s%ma-wJt=9X zMZ?|McQ`=YPtp$YFx?D3*N<;qiTMJZ02e|{jD(d-ZsTa~j|RpYmAHExXn(Plxk?+@ zBZ2MvH~LWO@Ei3jZ+|=1ALVXR6CJs_GgB+|87sF_ED}-;3d`>Nlj~1`2*ROO zgdXwOz2D^A&!Z=eEV^gQMy4q~M$#bivX|=JZW0|_!3~=>=2YrB+iu})%dRX@R`8TK zz!E31M=~jkHL541mN!Rm54TcIk!Fi{?A-?+mH~b-we1702C>D?g2=l>M;+>Za<8gE z!mQzWm2!@ztS(BihYO-i;e$flUWextJk%k7+D*U1nz3N1+Fq3;xzT}y%>4B*navf; zCx}TINTcsS%xgpLK&uL=TZ7vP1@FcyyG_bnU(}1OXBMtT?Y5qT1;M>OsED(K4%)PH zMZ)faZrEDOy|H3iRZ`)Z*vP(2@|0@6Hulc<`i8T?t?I3W{VbWVO2znk*g&k7kyPoh zE3*!M0yx9-xZC?(UL$Y1DlZpzP6UG?wAoxs;qkO!~(C(9Fc=Rv@<(T zW-En3rQgieF-{UjK7VSrH#WSzYHrW)_1SQlE+sys9V=xFzPpNEfP#Te-WASx zy^2g(j|+EXIpKuW!vLI~2hNN6u2ua9i4~s2sj=Miw)2P7p?R?;#y~P5Tr&S1sFW6} zwYv(7(5Kv7R(xvgl7p(ySRLE-*_$=Ou$obBSU9?e_}yZyz-9TXuh#-Het(7OyImrW zSI;O{T4sb>{dw{(a2&)qi^~SKd?^nVygS7UhGQytlbnGtIu#H9J~v=pmV+!YGsERm z=l$9$Peq}n(5b1QJ3h_eBTre`?ID{vt`axeujR^6(Z*=WDrw2lhWf6j%CG>k&_E_e z^4gj&f)#uN;c1}+;=~`WY(X*Fy+d9prs|Gnv8FGUEaGSEbhFXP0^5rMOl$v0id2_z zR=FgFhjZWs9b}FEzxdTzJKwTS?x*`72x#>oP zfPI*NYb2Ztl>U%=9gfp{K3Lx*I(S+5PSWix_58_UjoGZURmxkVXYtO~8~JyzqbTaN z;V%r6Dmj)y62gYYW!;&P)?uTps|}-j&@(|jmbsxdY|M#GsM!wPpd3o})e@%qbtj`l zeO&9iKaqWg)o(kvDngG^&~WmxvMy4$fiRYU0|ohlhuO`qhHm)p4m0oU78WBx7wFqwQ{LKsW|Q8 zE8C(^*#%jn^2AozIs0`cdvBC{FIO>lDfS16cuGg1a0|{$bE=eBl+rljCG6YZy$^0- zofj48{sm>`QC1rL$?o-;Y}ds3ptF;ic9I8fa>6jYmq=?7x9=AoOp_skMcAHZ5Aoey zp%JH4PZw+`I(54W-#gArwICTLy?lRK!@DNkTj<&J=+J;h%v)1AO-Zu1D^xFAX%JZ; zs00&O*CX8RpHQI+dTH}QKSe?(01$Zct$dB%%*%Wi0shMMh;yR>VsJln2K+6#%&IyqVD z9zh#U>rCp0l1hRGY1J?boaVL6^?dw^;?3fd<6)jx*cHvB`}weE0&D+l?PyA8Y^|~q zF{2gj)ycIdN%g8H=b$-os}rhs8z6w9WgO?)o zc$;G*PFBO!N?=2O%&FyjxR~2JWYy+zbK-X+A?nu30$_lPXAIe~AjaP5w>Bov!jH*L z?~#cfUSC>BDj3{ag-V31P@ zHi}ozRrcB0amkzjE5dW#Rx~c$ZYUekiFj%%7wE6)#bSgf$UYjQ)?c(4I*Nxi=`2@X z*<99nxw(j#-rSr~LE%qmlr!mws_95NN<)?DNGh{!8g?WF?%67eiO6R@9ge7O zjq@?SNrCWX2O%^3by})MI71ag?eZR+GX;|l6cZ?Z&*Xd_F+=(nrQb_hybSu-H%=1e zK`!y5%&7gAKoOL@5j)T~&o+SBhRq)y%cUH@ST4$lgoLy99q>gJ$JQ*MNT@vZv}Pxe zNu{WgdB(E-!uEZ!TwYN#wz4-YN$2CtFZC^Ying;v5-%sqRzKe1NQWko_#Im5^7jfU zn-}nwNmYZUIKmx{B&DocR>Ke-3NY5EUcSC+=DljuPd#!EJlDbxy26epELp9w|L`wE zvp{L8CJq#XcUVZI(dcG=MwRq)CZG$^*}*P*Cv9#M>>v~tk_M4B=fn`GJVm>@|9S@6 z<;l)uKJAdWT$zDm?<#E1i_j)!+PP#Oi(IYaUZz`BM7|a>?6nTXF{}FZG4kjzwT%*d zG#p9Rxw0GD%rfW0UH7aEi&m{E;a=db$lK_gQ=v=bEHv-ACD~vm>i3zf6dmtiowwU0 zhTufaKQ3&VVb>5RGKaz^$BWFnS%2m@eY-QC0}>Nd_A#We$!SKrI#D~i7r|4k`0!Kj zSVX^G(8h)rc}-l+{xTedKy{DDy^7YSchQ80IRmz7Is%UBO~P+z9vTxCFFG9|8qqOD z$4v)F+Ml;PR7?yqaM%x>n zEc9g8klgLH)GyDMTxY{}PoCwVp^4KVw?_IfB^T3;Bw9{=u{e0C#=P=o)WY(WPlfGN zT4U~smb;&8QLK2QjoA@VT40pcJZ51xzfXU4p}9Wn*Z~s|&vSmkr7Oq{_N5F%TKE%h zSoo`m*Jv3Z+aGPqT&zO3zI;zxnDg|Ngu%^{HWS2ItAR9tBm8sl-y#_~S-$is`_y!l zd+uADC`HlHA(s@hiAI|bt-F0;oSvFk&w7c;jf(K%c#}z}A&)qgvfTJXW5mpGqegWx z_#W0IHR#gjh2jhoZEiNXco*8PzY0!=&#Y8??ZEiuuC4}Ell zEw^$c@+^*Y{m6dXs@tuV><)Mj2cx zwWs*AuDS>8uyyB%%yE*vz;}Rj+ZZL!af@-@6O}E2KvnT;*S9*R&aPVteky1-i?YaW zB2e~eT_)}o^HGynZ;nz%qVza>?FWytx`21mB$mzrB#kOsWsMcz&*p!*CAmLT31OE# zovIM^D9`5!(Ty$^<;8#}1iqq)FNldhz85KA2L!>KzVCK{Qu=4b_R~b9KgUSb9+ENI$;Pk zbXLx-Cm`J+@pH{h{-Mu;+Go{%Mzmn8)GuRxKg7G*^U#_z35%tz>G_Quhv=x`8riv* zd01tbxC33>bQ@952ZVMHsPN3kCg}2W^J)x`(#}-~P2tZq7K6Ephkn#r6pxvvb;!H8 z`TnC0J(U03tb7H}NQkM|{)oc9 z^6OFL+z5rf@dAD4Y?JmtcX`Te%Tyc9hEDN0p_VP;$+p7dbAvy*@g1nki>1*V_)|gm z)cBlYG)Zq*+SBxT&SH%(=R^$nCDoZz6;p!w21&P<-eO%~D_EKn1IuTSEv~^Z@RCbXvCF&ncP6q$3T_#3 z5iMj`D?E<#DMy;X*jj_4hSl=KAh!ob90#KC;?`;+-* zivr&!e&f?NVd(M0JFcGYxMU}yh7-pFi9~a!qK`#W>Lwo}s<<2_kY^wCVO^lPdR*D6 z{`byu`$I(4%zvg^f&3=mHG$@r3)3g8Lj$HNtzWBnt>z|{dk+;TV|$>5ZZYXf1T3&lAD}mUWRG_|MD>wakAN6{?Htr1^GeAI)+|4XzgEPX;;EalF3DkuF z>NY&|n|k_a|IYX{=CuL$!@##Q?>BGQ$v`c5j)i~Lcv5Y;_Nze8j~q^i`FHAU8*IuQ ztN{#^Jv*N4>Sh>feP}_SDUNnlq1PQh%TEueX7yYWGLsSFGRb3wGHEZBkUq>kij(V;*iZI8N zHTfhi3;(ETTRVAY1WRU`U`3+!!=! zW?8!Wyv;VhLQF{SZbI^^!A7;>6%G2)w~3n9Mdvq#cOr$GAkIrxR^x(P-dAFjBkfq( zl{!%`@9dnSqy&2rJ7%tiOqfnA8 zjj=LyLLWOMv+oP&^gJ!AJ%a>O&W(%t^@nB!9YiLvp~P&Y;e0eN0?ml_b&%qCbl5;t zqTW%MWV2Q-$Na-*j|qWX`hRHxV4{Nt2X5zzV257PN(u+d;B;WiT?)a$1DLOpUSVZ zJx7gr9Gf2h;yUAQ_94P3$XxA)&k z{B2PsXajXo)|n(vjxfG*wBmWQgx=brUZ7dhD(57ndKACMcp>+O-|%suZ`fc#0d5ec zO{{4jA*!R+w1>hva3(;AlMlT`J`NLr+AU9BjgF*^+A$QBLVi0SoYqRJ?E`U^_Vva# z9+dUvmk5ip>1Q3fnx62I?d+Db*sxFM;v$6!pA45c{GG=yNQJl)n z`M5qDcY-)=W$1l=Xqf_+l;g+52Lyx_O(yKscu;^BZ0eyhqE?oj&r)Ymwa*Y2x&wfB z87NP*>syBHiB8Sm$KJVDOJ~e}{p+$_KS~`Wo0E|-dcBsu!gsTKuii~UGGkOBaTt3`e z31$PVhg|JuZUv{rgTKV3d_$AGkG=T!au8Q$K%0D58ou$TLd*TMHd&v7H_%M zIAL$mVfzkWbD!U_YU|_3dY5|~%v64`*6oZ`f1!Li$}oMd=(kz1o7D5>vH|f6%M|B* zY?YMfz;%wbO4{v~U3-mMJ($gofa+T;d`;g{>{_l-O0Wm(AuVR2H}bG0w9GJ4*42&Z zs!>GS6AdKN&R`GS9OcL7E5XhjX?JQYR7PnRCl0=Bh&Z2SI2~C^Y!x%t9NW68YqA}p z@t)4`LJ*d}J$oI7jGhjHsVS$P}G<`d^#OSIb ztO6=HNSW9fLi}dWMR(~N$3#a%<8%fppD()SSIu^!Q+IZg7er=%FMO~4E3F~xdAYyG zp@{Br_j*f+$}9X}le7Lg>!d!5o?E~94TVQvLP2~<+{81+Jfm$GRrn-z z{cePGaeB!7RU2>JMfL%be+ZTy>9zemYW`2t>`9^z(xFY9z18VFPs|1`%{83H~fq!+od zPvZ{_Xs){Fo=8}YlYGFvGKQCoslc4f|l=j38Q(=dUztA)UaYW`9^8m&9$bBk`K zNxJzpnfLsHyL7WMPY&}-?H(6Tb5=JowOCZJ=hR59D$BliMU4lgRvs#()u-T#2_%}M z-m9cNR~cG8p%(YvCEazQ{OL}P;BkXwX*{DPVuvomKMXC!!`!a%s2INH;rj5QwAaOBp6W#X?IaXFl6lEAV)fZ4 z&Hanf>3iz2HZ*ORHr;5z9PJKg>cV-Tt*(fM%;jcWs)(EPUB7dy;+ic=hdhskTNl8r zMxoTl-TE2i?VJ^N9;m1$V+l<0nM*L9~V`dX0#UURVno|mM8_j8&G#6{#ZNF;8zW$)mn zMu|$(fS+ZatpOGS3e%-Kf#a1dE+a%J&li40^oBf(|9KU7ym=t!T}Q0nnK9)FdIdp0 z1owp=jAmANr{6u~+t#I%3K5)4Sqn&04l|?WDSvki@&{hX{1!I8B%r=rY=F07`3-y5 zQ2FKwX;Rsbg==NlVBQgN{U>*MuMRT3GTmbikG6JQrOUNgHrqxKqTAh3LR5Rm&$ecj zE>97-b$R8yWVHG}8~qxc6MT*wMq=LyG;9cejmkI~Bhf95RGIhdu5ha5%T-EU(qBur zJGjR$pD(`yHaN3S;XrwVV%B@&OAmS*QW}sM#F=@^Je$eYAvEG;yZiF&R<^yAo)m8A zgp=Hx(=N|tk3Z*Rd7UUTp>Mz-TJp4sIb`Oys3R}HV#9a+1|=EGeu`s9`Hu3V0=@lM zBoR-*xxM~PCqqsz1(>!BMKvTn-jCIAJ6NnO?SJlXC(}OuSew>s3%X@2&U3OvowV8S ze)d9E%vXMzYb=bY`vSt|7;$ue&iGqV|Ha=ptq%ca3Xljr>M z`6YjU$lW4&9}(e1YESgskZ0De0moAP@wCXKNd4wKGq;aP39AaSt3d<$Agn>AnQ@5M zyFq=gstkeStHs!e8(KpJ***_AbdxFRSd3Hw#hIP`Wb${Z{O2x!{4t*qjltMy6&?nH z#vdo!S#5-PZjb6ky~#l?hjrDxU_28-hYfLU)4{L9&I?CX6`8#S0YrBPKtUG68-rmd!=pMe_K8I5mGrlDwVuBqlFYRNl`ZIGgRj5Gf}du z?Jbu{1GNQ1BHUZez>+kL^5Cj(&bBp8AM1UwD}C~i&Dtu`dJmU159=>~T6mx|?T~fN zJR{r1_qvP4exr>ZVwEblfbQhgl*rqb-S^>&ZZj((SJOSEh>(HqEsc~SFnXuvS+0lr zg-adHr!%a60V zbszWFpmn0lPo+)we_g@~(=xpwqh8X8N>0qC=h>@oWO!N@B@AJ${mygif$$j7%3`0E z(Fs~x3(DOb!|BcSA3qGG#pT;YPEUBxs#;dDs9)7gB6a)s!)#Y9RiEVv}KQ# zr>lJfu96H;j7ylvxN3swIz zrwcY%8JZcfSg)NozzoVTd)4eDR}AyjK;_Ia#@NNsSP*92i5;UfnTen@xxj@_4Zv>; zQI%OGqysGrwWUOET32B2SAqouXmE;#3YQR}c>6*QTXwZktbu}N5+oemCNq``+YXf; z)CJ8h&58%MqMM&QOqa*eO*Pki5}#IgJe%`Pieek56!GI~Nf8>b_5|Jc6v)FRJ^UH3w!tliPScFH*yH|WVWM+)y zcd7D^#Sj7_e~(9^^rZ_~iETAN3ru;#_V@_7w-P%yQ`V`mEAV<{XC|zC3ZdHx@fXQY z{5Ik9aZ19_+~(e%whZFOGDc@BXy%l%XzHj`JE}a|jt-fHvP|)6VgXfD@g`!-st!iR z{Ond6hX(Yi9TaditR)MEg#hvGOR-N|=Ib)mSc(5KItAt4g7h6ho(e`!i>&tU!Q-aN zTZF=GnI=5JuPaw2i#5s`W9~$UM!T=!ZHk@Q+e@837-t-Vhws4uaTrck{vs*PL6+|l>qA5S#{ z9^-44Ur39_H|2{jp%tNf@HB0;-pnIs+vwEy4v`ZO2-Z;OD=u;WfuCEOeiTQi%U3(P zkpf&IyTpQbhbn3Gw|YzAdn;+ed!73tk+8&9fo?%a5cy^5Hi4|Tiq@tliDJr+#D+um z)q>Hgpy%KRN=>jBg)_7KmDO-Pl&Id47X~J()wrQQEw};YD*HKjzO`a&+iQarI=%bO z5S;z70l84T3cI9^yZo`U!!qId2>tND1(eNkPV3JN`NY{bf_W=wa^7iaV{n`fp!uCTfqrVgbPL*r=9jKY@K#%#@A(^4Tac-lpUVC`VZ=h*H^$@^aikLclY?)T(Zg%8G0@s zE)u+{P)eT6F%Odj24xhH!0UD8o2y%DkPFn+tGXJxei9xK99a}KuyW8^#&5kkHBysr zQrPa{mMeokaJZP_ifJ{OS~sO5wWCx8 zA-CEYkl#C+I9>kHlD2dQrvF5N$F!7PEl>OyKpmEKM?IVQ>}&2n$`gqL$rA>Q?1 z4ZutZ6gQ2LV;xEkB*vK()>Rz3U`^DL>6Xks!+@JKnO?t!5nlG?85QM@?^NE9<3+>g zUtvjf#1w8dSE+8lA6odHFdbcD(F?AQjkkpW`{PaYw+UpdN0K{jPkU#dZh5TLDjI4d z4?E6{gKL#SeOYWSad|N2;EIaciH}!6L|*phvF9k4b++AlE|u|168mBKzWFWOxzwERtzS)QlFe~&D5*=@l4&|{HK)99q)-k{()%Wj{` z;Lu$MLy?SGvZR(9tRi)^iHC-8krRL20y+bjFz^lo=taP=Kj2gjsbWN1nfR zHjJ*YfIVAh;vWfGFNa>pnB1K2}3<;o2av6>dTZQbi6$$ z3+H|c41&bc|}b>Adn zz}PFl7s{Ion(CoGlF9njmhRWMm*7)bzF13}-Rsu?CAh8VdZn<4+3%rp15`?6ENI)?1cCt zQyQYWV5#BtO8QA}^aiV^mv*V=4z8fhW|#rl9Ag z=k{;+)6%O^6^9V9o@e3xllGQ`SNcH88T7+EVV~CAubT}coJCZjQ1uR24tLFY(6Q7e zsp|IaQf9-KOHho#OtbtThN$E8GB?VXyrIZEu;<2K`PT$zJYHpuq(Cdyjtc09R3vm} zC%Cf|!|Ie!IUx<5lb!|A-;8?dLqtKVwft4~O*|IDX&Rj8ACWLsVsDcun%Pvq%W5NT zfzEDbT`&G{`&@g>#dB(4)7CeqgtE0#m!7+Ej+?hbs48=^`sZPRON%=Ns^0GS2!2H3yM9-?|t?z}kX)$c9WFnjL3_FjAKwZ7|fJ13;RK3(^%0c6bBTW`YwumJPxz!Hsu zdtKXmWOkczE)}59c7}CH5)N9kI;jhnZLy6G&F~j=co@S-(&!nZ#YyB11Y3Gl=I^a` zhkEX@wW*==;u4z&e6u%&eGmVr5ry5R@+k)%fs9E1HH0E7Ag<&<;c3qndh5!Vnk)98 ziJgoq%32dw-{l1x%Y5fmoNX8(Woz__;8!7kC!;1*#H?JSg`R$3mshcQVGSGyH=mlp zR!t&)n;~%zTbJ0e*{$i`3+2{p+FZ2hN3Og*9UNjgY3ogCk(>#AWIvkREO#xmPwM+c z(<(9rvy*-lkIqJ9C`0!H^BnLn^93xtM(x|1Kb?E}jDY)Z+=i*xZ(WL)>oFyc?O2S? zl;epI8h?DhN!wwm7;I0^fpXG*RxV5JZCN>8k;!(%u_^JwXImsXE8wMdqh)W|yNil& zHRc;?XZ3sZlMPa!b}X{n=FN)n9&y2>o|^#93WThFwN~tF>0UQqdrG=r2?R(jT_`i% zZ|5g8g4Y9qd@17BrN$FjpP|&t9$P8_xLNJ}iAu|=X-eMPnDeC~lb&iWom`J6yY;Ir zN4ej3b%q2MFH(1O%s8yv;ZjQx9K(OpBF`PKtFudZWXgcz2wVBI>s?uOXT~gjk{pJ2 z5#i~QTCB{8Mu59V?4?>xb^aR>lI{QI)WrzYX?QA~_%}y;Yo4Y!-H^x&rpxbN*1U>; zXt9+hK?uiY%!aD@vCWZ(d?TVjZ9+T4Ai@>;{zLYlBJ8;tS+iC~m!n|8)6Xui# zv$|bC0WP)JxhuZbPrvKg_GXt!&>V4QF~e3mr9dCohQ~&h4f2}p;y#Y6g?+Yk-K8E_ z_bB%VG`1p)l+R3y!E5)r3R*4LW=m_5E|j_|6dmV(TUu0#@`p5kbovzR%6T!$!d$hC zR2iBSneMWjQQk%-HF!4g#_sQFZ=10pGWdY;Po%7hAU^ee7Za@>=sty4A-TUjixZ-ng(YW?xZa@H!eeh;{{=nc5D-OM!ZXj;8%bk z;W5@9iMB%!{_J>emf?X^-oO}n(MS0z2yzb|R5!kz^W%s`n?7fvH4)_Ghs$?$-P-^z zUWJhstuFT`885w4ty%OtE-`oQ0<-F!`+axk}jl z>-PC{s`!$aJ^*__9;38TlPL~=%iX!m;iQvDd75fD6MWCM%F5k7%fHYssKk36+=`Wl zJ7@C@xqUf#rBw0=BRtc%A(CD?a>VovP%BN`Op8GjgBQ}){N{)l>Pd$KUf9At=r1ZC`>B{PsJonLjwpFURA56C>|*qclg=K9Hb!EegAYqqcchFt ztXAq2y&Z)tt99!|)>yTf17&azdC`{wyQQ8^Lrq!pd2x8g@j7kP(j#4Lz8n~H$xD}yRR zR-nCjIPy-guYyLeSBu>e)%i3v5E&KpXUY%@ih?HyQ)B95ce89|15d|+=1ZGq`}$KMe>Q}kp2G}2A;9L58Wr< zQkYnz!ML(=&1$dbjKS@tWvY5F7s=`$rIhtr=yKl>&tr}19wOT6@V`C?Ca4y>BU>zU z6Wj!z_dD}QGV|tA%=YK8Uh+~xrjxmdsfTU^;*$Z+|G@et(oq}(!mWFNEz?Smymhl& zI>pi(jC@>&c`U1`!6QJ7PXRaVRI@Uea+PwO262(w?0j+Yp*#N=3_AVX2yHKffEeY0 zY!WB3=CRH3&jX}FhB+3xWi~~M>lu9@Z*y|1ZCH%u_2v3+d@KW)q-BnfH`~DMkt1I%L)(jL-kyBq1Zl;aY zWw7BusI{A0x2*ONi@yur1Dm5{V z_i&Rnsd{==a^2_sL=p3So?~J}_UHRDcD3p#&#rnxZx3{hb@E zcNqmFxPdqyVqlb}rC@AcXC!y5s*#?cv;!Gqmlx$r?Oua!CBS3a1+|}jj*dv{UgGW90pn@XDtCee}&XiXdrnGVwGyT;w`9~J0o2->h!?M zq-VY_X?87CU~;gub8?WIT7uOpUE~Sh_D;NPt4r9Msl={g^+p^vq$K9&&QZ3E@fb_D zph0|2MWA%v+*6>Vj*bMzh!0MRL&G&5-1A;Kn6x;{zjQZE%D!uop^7{~oaE?JOpA+w z)`Pv&xR6|9f^M)TfD-mN;q*;t`X-ws&qjX`oVUVn1N?5EPu}=g(I!cSVdhOY(4XQN zc6oyzK;Sq#DiLrH^#)&BF2!X($mpoyts~#M0hIwOIV0BJD3`=*bDR-Jjq>Jaq@^W` zAjyW@rlhpZoJ})k8jjgcq`o|B}ASm_na_oAf4;h*Ii=k7FNa@|Hb5{WFv zJI9nJpE~tI^~t^IZ@Y3HNy`V@p%`5J_^DhEVE&Vf`zh; z5Z)A%%eGNyE6kLwY5_Yc-RU+Hcp#9@({C>Cr7y%vyKSCma4dlF|Wt#b2XJ?*Ucwr!x(mmX`2p)-y$Sh59^ zYly$`S++RqY`t;BXK5sLdp(w0nYlp~&byo6i*;yht9@|H6uZ`8_cyovRPX!w5*wHD zK>wm_NQ|A?ZE?8p&lC=Pne^Cu%AIvz#w@nb1MFqJ+lkGM!%Nj&OXIgp`iC-9xlGjA zp3$Wk+jm+ftv9EZAq^dTKEie&)x5Z_W`z|AD~vjbklX1l|M^B0J;EIQ;NV8XhxFmJ z?_*f_KA2~S>1S1i1k&`Jb0uYBt#(mF-)d&bl6uH9TeiUS32{Ve%=Y8j#f6ITgM;xG0UfQ^iW}T(h8UnEg$Hs{f zSH0*2YDjmk8om_Ppw5!_^sc2!DgvmhBI6x{%Mfo{dmlO%&WvQ)vRX;cTDP8&P_9@Z z^2E5yD&_RGEoH%YYRafz(kl*cVsKU*zs(ZYrwS%3a{7FPdb!KJ3t3?Hz9(7G!^*SJ zVL;iRr_^)7AjYCBnzB8z;1|~F__4}BQjE}q>`%{40P9sV^5}+t@opY?gfg1q=7$zR z-T;lSlQfK}5e?Ox2NTLQvinW0oL;IRh!`$JG;y8L)VqgwQAo)MdB%0ec%+-sM89nC zm4}ep1vE$_#L{e;+SJU{Y$kFPx>v~s2+n1^(|m*7vi$ye*!mMWl7ouWITpT%4>EZx zGEIljl&dC$(s96+TT^lK)PMZ8IzmHpMMq+e#bV3nMEEbScq0C&aa=H63)ne+;5R zrKbzfK3a~GVHsjJwl^y}Op?SeYuE3j`b-VGsQ1gEJ*&N!G&eNgIWugWq{eSg4fBLR z4pVK3U3~gDFOQh$E&;7p1{aq!P^{`W&JzZM-5 zs~{FCiOc$=+jfAYpxIN&-mjvb_mZ6aE%zb9$*VFeC{e&pC#15{8s#j1rZv=dc6D+d zK2yf&wb@%q9pouj`LHzqd&C?Q??}U4}~Tu9T3>|)A_sv&%TiP z6nA*$sSVEdv#Bi}AJ{2PzG%$fEu%PdYvCbCmNAstiF>>iy=1d9vhjFJsDOOZYv);k zw^q=;1NxCh0I&3gR~~tx`HAv|r>U5OKkRGdnD2KPtnp`>sd5ejeLnhQcePU$2FCLYM->6zAYzf zv(oj8V+{i>o^VLN_;$_tA95X#d?T&=tvhft@q zy{@suMJRS(IS_8Y3@-Ea6#xVy{88@1bptjt&b2hdHYHv3twj^!pt4_n zLRuGJixMWg;j_f{Xt*go$69^wu>ypHU^!p3eyn64Dz}uO#_xQ1rY+(L+nV6xPhLLQ z3Cx04+2mF`d5w$zli^U4)(F{X{u5uydsY78d06h~IYz887nBn*W5n7ca$<((hmT76=a-eNpw*d-P$GZtULpe!!+K^0qI+ovYd&%P zcSNcDUEg+87G^pSkI>0wGoGmxlcVDD%MBeuBj3Kx%4yJ=4|m_mbn*oEr=-g4m64I3 zj!laYA_do9x-a{&oY^Vb@K3osh#ilE=w92(#DGefJ4#8&wVwj(R!W#M%C%F%VOFHD zo$zeaN=cE9W!m=lF@1DQ-u93fIqfk_>wD?kW);h#SZsrZ z94YVsR5J;+0C2#coC4jFaz+UD>j%`fS98sl;C;T!aI*Qe?Jn2tI)t@f<4vWWj>g05 zT@nQMyEvW?opkpAdMnSF{jn2@h7yD#D3T)vqiauRi9uYQJWA#^7PcG<+G7VZJi{+| zaKcQ?<7(u<`qXAp2A~b94M59OMx9NQ^IKc7tv}LgYh{^O=LfO8bugK2t!iPN@K0AA zz^c4PBNO6QM)fUUcBUNzXbe1lD{h^}7KJ~O;M@=wXWLE6DL2B%fGX((vCpY$NS6QV z2z#$|gp+j9O8_W=c%h>O24DE$!@HZH%O^|Du$g#yTAx4)N?PlRH*+!WQJ9lDWn&DWw+q^adYi_3sIga)62LzY6Qzo5ey1!~<4sGf`jA z+JZenw~$g5+iCl0cAWPQtPh&^wztP1i8fgr9<=&${YE-JRS%uC_wytDMfrsGBWWMc z&elU$w)Aw^(Oz9Ewu&a0}%KfuVM$Hm2Ho5n&X9(cE9S=W`e=wP3S&_#6 z7~e{QhvUoqN%#cNS6cl=Pggj{;Y1lg)3_`!BoqHs}{1AEO%g5Qd160rWNO(rHpsBRQ^OjVyWdov*7S zAw@~39O>{ZE+v4#Tkzm{+2Oq|Pa+{Nh2tF@?ZjTM4lZ84>!(rLQ0;{;5c1*;(` z>8d#5v&k^9rI}xEx3b1SrytdGMkvBEX6ko4>WtH}$a?yvvl7MZ?`^@e1NYr;MMnme z>`rCu;$YotO#OvQo(yrNW3C>*XjyULmfnbec16e#@7~Rbd>uFw&AP>6;H5H#n|tlS z6iu=sx6{&EfQ4bG*KNwoJx!$th9z}q+*zu8pRjvrL?mKsyqGAVw&ijDAv=|k>H0#b zADs-_F)oiyg2poi_6Jb((G!9KzZIt!TK*;ptDpXxGEtJF)I`l&Q*)Y~bcMFjSX7R! z3F%5*Qu?{nTAvS*$zyn7QJ5KBlbJ-2Ng?(hixJ1-F^{AE^9I$<^h|h^TN_#7SLW5%;uz`PBRn4;4fdZUxXJ|=I9yl(eJ*UK^+vA=7pKKN z5+MMrd55t(`w3b;B(Wf_ z(v<0pV0&59>l?;5>)=!i^r&{XrY|a zcFGamOW{j8!5>^MJ_>#LotF<%%fh0JM~53vzf)A1yxxhkoly{5f=fQBZn`hwqZG@P zHJnzRcK(V^-anN3Z^~Tt`#g|?XamHwURw(Nd@|=VPC7ZfA~VP8?_e6j$^)M=RK-5p z_w=kF!Mz=CGvK#vI}bN`hK%dehneY$T{Q|%k1~f;Mx8lolu+1IgNTMMwY0Jz!K0`Z z))<}q435R~5i4CitaSEz*-Xvnr!KLhk$Fy0W7t=PH!V-StqM*=@?Q^yx{yAtl+;JF zg~0^ZT?4B}2P4Tb&Kz$rLZ}Lw+;EkTd3r%dRlQBzqpIWbL>$06;luCe#wH(Guiw%F;8t4i|2E0BlmpZ*y}au{Rsw)aN#|K zv|sWDCnGF{0~X5l-!+mOpyxQhIrf*Vyk!qFhs3j{|1nSdE&Gh#9BGi!6=3Z>`xSwu zU}0nucrSzAr>_G521N4Z6-fC?b6hDl|P(B6O1)dv8Imhi0W_!fWEHB{KLtktJ~k?M6<(`#C_uz1BJ zOCSR@7zrXuC0hV%jV1RMU}^$mr@yCsegh!L1!f)2L+nYC9>>$6<9%>C=zTT07Pduo z$sC0J+hkBB?%HK-=?jbWD%VePo`Ra5rK>T z$>c_sctY)4Xvi5e7UiO|H?=`B+t}ui6qm(Hk}e>R%v@6c(nx#w7GQqX0##C$|1TE6 ztm(GDo{RTAEkR&T8f2ec*ZF*XF@r`S{`Sq#!%{}>MnFCAXSD=90LXjM-E!IY^Fsh* zd@YBn{`vb&U?wIQiDdcjn==BdZA4N9L4AdbTkM7dbZAV3)_;`;OL<_k0rOKc6g)5z zbPbdJawy>aNZvI}p7?Od`1?3?dr!q5UfY$9x(HzJnJRkBM@Y_H*Wf~@~zTQW2MIZZ`**IHDpbOCbd)Y_X>OI?8AIJKs_JrILl zqA>CMtAH6;y&{*21%@(QUm^#Xo8t1ve_p~c;C@9eAOGLS7kS73kCqDntQ_qYHpC~2 z_M>_Ff>|o?Fw(#6+28T~{bl_3;|M>?0;whTmLn!Mk~@FSmSjDDtZ`h%H7SMw8sO?I zFF@7ym7u@^#0W}m5C5{c<-NK2`CeD#^~*o;1HcYV2d=UJ{Bwi-=$2JAKrI@LT^5RX zDtTeirbZk^zD8%;O7_<{k}a%~nC{$Pq6GKLiR@wJ0KMy9?_PE7M7Ey*`1t}?(`_|Z zq~@O7fDiqw^N!89@}Qzp40!q*f8i1Sl43x}d_`g*i*rCG4c??Y%z_)?C| zSa-$940ss_==S;5+cvI36;CptR042Y^G2A9N68p7)Z~*F_%nf{gH%;OR4Lo7j#&Qh zWL(2bxwgcXa{J&u@T@IIzy3VyRh%^h7*&`Yn60s^Xsjf#?8Dp-{QdIHOC%b5P1Yfm zsCl*>b0aI7S^CTQr|4?7k5&xtzBbZli80SncDlOOJ(7@ZA9@YFnp&ad4`R^>sL$Z-2+#m5eLVCww|aH zbr($y4VR;g#%p-D z_`gbO?X_R4SIH(4>?3%}W&xphuoD2Hu_Bg%=@aIi<^5%w|2~_YaqUd?%;eo|#sSXj zBb0qieO^~zA;}m)V9qxDRAByYz%lFn(!@znweR|K$zyG)?Js)$r{jBH@t`-Nx zhj%Ofv80d6&3jRQhWx%jG@#__O>ylS0htV=9uEumKg3_}-|Tu^E{J}qnv0XJ1>Q)! zSFvylfAPMg@9TfRi!s{$`p0%k{KdAg@LM(h*Oszx40xDK0e+$?;%SlGt^Ly5D5+ z@ROxoFq~nJ-~A5$A|r|KtN+IK{&(y}L^##U3}9?buZI!#YV0V^B3YvS(jYS1|9foZ zYq)N+pAQKb-=|+Ydg~!B8hB-{fPPj<(8R<(+tK}ZOab<=_%@-JOiEOYsCN(X7isY3 z>Hf?w@VQ*_TO7?)jDq?EP0w!tR%O3WrlPM^(OMi=?3^%LFfT3X$```>U+ z$o>q+rXtr?FbWJ;0=c%M%m)mYoI@$G-31co^Zsj2#(@dIpdz{#+4R>PZoLP${Rq_k z^FvnouUEyTu{sRh30Ne*g_7@%a`5>Sg6A0V=!Ik{DI@yN+yhf-E)q~aABN{R{I=ze zs-(YT?DfZ_?QLY=&!1@U6Nggm+uqW+{%5YPOcg=&U81_eUY3SnUBUk>vtN?v-k+a5 z`SseCv2JKwo8)({TVFPEYTl_m3~jkqfBW51s-eGLt&{YXk}G%8Qw{@C58K1c-o^rs zNVDnO5WqR#`*oIozoT>gKEkDe1m8Qe#Ne(dvo-cFN98kGPW5I5<^=}Tp+I6k3 z7q(^yoz-+5!FZ26?Yswyc-94Nztx;EH6MI)|*F1zq{o(PAYZaVBOgPqCO@`oXyX7^EsLnQZ*NwnTNA9&+53oLN&p6H-)%q zSCmViQKV-WkGxQSOD!Wn_D&b1ZRDuCGBaFHjj%|&>+WQE70`INQQ^6wY|y?Y6LdQ0&&gFqT0WUIpMTPG9?-r&khq-);`^Bd zneJwgLsprz8^}#3!7*GOt{!%wd0X~Vc4dS$Yb{-{xG=H=S|2%2)8a8K40w!OmMQ4^1(p3{*ixl+RC*;V-7r(CZZi5stDN4^jwYH+k1e$9!6+G5d6b zKkIUcsKaSB9pxbygSCwmRyVX)#&n}Sl0?4y=@I z7Z$#y!%Ea8EqhJ%?ITXtm{Q6vTDZ4LZf!GfczBvy<uWt}19cd&+@Lzlb~}vCMdR*nP+qmqSt#8@!BuVxdL`@-##hD^5?STab1C1r!`l)!w z1RaDj!CB>*l;=MDZ~@xL*%I`mn$vdx* zm^qGM!XIfELAnOr;F+?q`-xEkmwy5U#v=lSl^?I=C~RVxQ#8BPkQDPcRE}5AuiNRH zoyuL~Wz9ol9p;3BGe7Vp?7}$xRG=x8aKpy%ho16@&v zDN7GQJQpK_7p{^G5@KxkU8Vgd$d40PY4OuH4w>B?YdJA9M$kRBH@wwfKIUTq_?@LG zRxi)E#_TynL5}UYY{SfT;mn&|F_>PtJD8#>esZi7*0XgIHD&nrdDg?}eEpwC1(9_{ z-6EOX?_`!8ev^CVAoGB$|RYfHmJPffd#;d9Gd3n0%m`dabxg(~*-+ z$-R#2O-orELMV3ZBo5JDTA2~Jk)!k@0EjtbOB3;+UWea95zM^FbkCeM`V?Wi9LZ1E z{ao+X|Le~lke7>)*rm>J50{NWR*WoNem^2AX;hV*thfD-1<-T|9_wnbLAU&HwRIuv z2sit3{!vM{;Fk=}I7*aTHIEIm37jrr($}xk#jRp2Dt9(x*p`AC$IJ^M zYroeazxSd(woc{Gyo%tIije3>NT$^`+~sKIdLij*TdtGTd>2wZy{ppa5=CjPh zvR>L9*)ZaFI3haz(Mt~fQ3eXT&%SKAsr*lUi0>TZW*VL@`AVEptT0G0vDXhdCV^86 zZ+>EPs{_%2FOHTZ7iX9iW9ance~qdLn7x z?|Q#H2DzyzGbPtIG{xu{Wl65SB{;vRZgiSmX<%6iXVCBO>4tkMzC4uR^hn_TWS#T0 zSQ@>%pk3yXVK;HJSF#6eKg7h-*{?e)P zGT^RI0u-P}W-erAMOhtj{N2-wCSCo7JdRmYNAd9BJFy!Hb1=VW^4o`#K6GXyyk5q$ zBuiZqV8+jZ#6qz{QGGHE7yEL$FKZU$aW=!|OVt@XMFNuCfO4(sbf-A6RJBi+qn=$I z98X*ObSZDB@x#G%RY4ARxbK~O?3o7OJd64=MjNbxiu*uhu_p@NlV`um;^JnMZLJ=U z#Mjxw)Km@G_rrk|{mU{O4?1Zj<|^sxi#vY5dHyvwd;jF4MhBGgPKT&ww*czoom-ov zQh)U^``vw^I9)R(1ffXT%&1S=v^xx?(hnC0phd!$90D?fKjE^1)0{I8!#kimFpiZw zPKzi#zsf^`&v$Y{GydcXqN%Q{JJWaE6VC~1FFH`Ei2~han_nc!@tWkdsGj>Iq@##U z!xbF*IYK}x8qSAUFU!=#itq#Dnx;L3erZfnXhtW`dXfYGMHq0d^WrbslNEM-u1VB$ zRp@W>d*NsGOR9daBmKOsX6s#9+QYpQg+{RS=s0#!sgu#*hz92@eDk=5G=uN4?_&-I zZ})B=-##{0S+^J_^+56EGo_#K+fB$#ZRVtQWy{xcv^(uX*!Z0!)w~1po(6{PZ1%XB zEK0ie(U^Cdi2##RB%~k`b&NR2_XD!4(6zoOOriSow0QEQ~i-?$S5!f7p`n6 zk!5}^!iH@YkUtBah0MLlTY9XoNS9>R8Dr2i^16j*N7v}I+{z5sO;yhI z)qy6m=CL;20_OMUb9V)lfYPP-YYE4xuCix&=3@B^ z+eVYzE50RX?~zZcPj-6%VJEh*(BU@nGo;gU(nl3M&gQ31Rr}nxu*B%LkG37>WLPF{ zYdu^CndoHHXt!Ez;U#~RC*K77kYeGb%9_6Q-q%`k$*+X#()g%kC|fh-++xKd#b>U8 z#?4`6`5Dqjhm;znrPPeJpK>NHESlVt6NHKlzw4|9eSoBKf*n?CCK4EZUlYtDHVJX5y$4J74g0=0PXjolK90=A$hHAcL4^+v0Y zKNy!A6So9|N+;Y55_d}JVq<*lD08|dEI#32unQmc-ZPii78#|Ienu{d-bVec0nFlW zBhp+Wx1&Kz{`We#{LbfFFv4-Mu#wsH9TeSU&6=@n7K!)6BzQ!L7UKCTWc zq7S$w{>|mJ6BKUNrMs^I7bfpU+KCkLpw zWM|iWilPWC(#Z5TQT<8l)^_R8$JVEFtqZBRZx){8_v#mohBj591M(MLzXK{C>>J@Xa>D_4my2R7gsdOi&Kt%`MqP%bw0 zyziKMQQmexrYkiNIb*o2h5%R7N#2u52?J2k&7QdZP6r-8m5!G@w+=}=?oqfRQTZUB zAGF}4rzh6-LltsvakCGm712Gk2QWO7P7C1Q>WeI);`O4s+P+QR-#j+`Mct+IHyl*S+`)B7~=^iPpY+H?BeG8<4jR!02A3i?pyMCg*Yki`0e0} zH4VDy&EttkO4Q@)0_(1{E($zywUaei3+?9LkA1Y)-dbSC^jL7r>rzu?o0TW^q+w&1 z&Ye4HCy4Y56A`plu~7qkH<&w!|MFlmulEe!(Y$X=Hrb3^OP_hg4=11Ds;hewRZzH%o zoNDd5IFiXT(LdpuSL1n$l#jd-j_Ta9D$M?jZ=%H>vNjnFrmT z?SEEyhp@K!DXPgCUOXJG@vNyXdP>{xt03#Q1fN-Kq_q~-*nxV>OX{8t-EAuV^zoYa zltN9VXA$%Qm-ZivOQf)c$y7TVhK6b%dvRSE7t%IGeaHFHJmVQaiCAXdBv^-<_0Hj;hk9 zR8|^%wxmUo6_adynh#<-$1fh!aX56SR$V6hybuznbDWCLVC`o)8~*W54Q1+?E;m}) ze_$|C=T>`HK@3vYto~t2HmVS3vu{Rxv#Vlx`BR_IvXMw>MXE!%rihbBiWg9;#1sqI z)p;ix3nFc?$7B8EgDBs$M+HXe>uj1JSG^pAg|()Bs)H7RGDOqEk297@>B|_YFWaoV zuJ(<^YF=&cI*oL&CARLO4#sb}>q%NJd3TN@1$O3jrv2hvzH7C{z12+i&^ zxUkB-Qaav1>(c=bkJXyjo#RhgediPJ*~Zc?0qr>VTn0dS&2uKiTE#B;jL{tGa(S;AuQN z2$CNde^QE06w4$hb6aA2k{W3Hx%E=IRK!X0W%#(KnKR6Yc7b-`rzHJqLcmd2j!b`d z%#3mmy-cu1tItBsO>e+c3S<|=7~qTqy-ao{Y8U%SoY~HMq0xBIV_G!k2Tj|W4~}3m zdULA5>735iuQk4&WEK*T4%%Px*%j#a^@405sf&*(Jl@TcH@siqu&w77RX9qtkifT* zS$o2gV20?4DnO+Y?aD))zb+STdpAF;HZSC#S(GSn9cUP2w@7NDO)I|{40l^n-*0)j z!lJ%SVY>D^vJ4|~?39%XiLo*8YIs(z)jGl!x$vu#8k^)eDlAawKGbLu&eh*^mR&sM zpyiV5?QVN&IgpBbA0?d8D0_27>7}pEgm}t3dliM2k$^$ZgtCJmXV56dGnb2RPI%#~ zsv>%*yd%iiN!j4?IGiWkXyx_P2Fs+u&Y-+q)AN!uFr)rCm0$p0gSoJ(R#lUFXEe6t z#p0@@6V$Cw%A=)%cU0MQkQZ})Bmz)!XTsk~z z%O)k6^PFYsJo&n#agP|{xM{jDzR4&d<1 z#^B3gqG2q-{M^i=PB+kovNYk^FkQ6UjHWN?cNU}WUP!==%Ee@o)V+UD2Wq3`2gTfE ztK82cNBk7i46FSDM2G4eK0Aao!MnGm_LmT7Gx){4?AEmz*a&Y8&4t@?ub z3qi-o5jreO*23-JG>01{akr%rkv~R<0s?uLlEWa|#bGO*&U@Y;2QxzbzF!*rFgPG1 zT>upv1x_5k>YSUm{yv9j|NPx3Fsd)Ms9)CvOqm(A{`!zsV!1xFfI|qXS8#LH)=$3G zem$|dz|j=!yEy>vqUS0j=P4N^*4p>U{h8Kj0vo1W_xEgHv{(nyk=3hH$i(zH8)qrG zy2^DuBv@O2!eudd2}7F3HZks28NPL}BKzcdR1Wu%K3ea`LfMc|-~xJht7CXu6L6%p zkrPE>7Bhe*BeYCBvDb5y9o6d?J24p*QyY)VvgS1SUt`vX1zYnt@i4j-D)GO2BKSJsm^m?{b3Ahen z0Xg?U<5F^&g|BY@#+Tkl_Ic}jzBA+#msRUSEeAr-kRPZA2!*9gr>*{PdwiyPIx9Dn z*P0BYc(nL@H_=~*PMlxtj#K!(Ay$QBKB`&5uR9<(qkm#e^OZ2Ao7~~V1Y4Z*>v6uK z^9Desr|x2SogN58Sv0};#_A7J6I9L4vnKi$8)=ce4 zRx-f;XzDV%^frPvmEalteB+elPhne@$#61Qj!qLUcDss4Lnr)~W}jigQdt@|>|wyR ztq7%Bfa|hcr9?tfMrux+W?{(XhlhJ4)qNR`aPjhQw8CmsO=Wl*T6>Cdc>Aj-6g|Dw z{Zb>=9@}P9Cg>70f4q@(lh&D_5c2lT=o>g`GzZn|^)LRl%)0l%8uzw^Sp|K4A=9fj z^6o|ElVZd^i;$9bb^2Z?!)%TAldBiv2&Ipj%^=DUJh3y8rnoRODR3HEFc*YY>fdpn zs+E;?E38m^rQ8d1lY|&AQ!)E9Q>u}0k3U$iVEWP7= zzSx0I;N#WKrLbv_CVA0+*#?Od3N?r5T9tn?T(OuCLQOo(HSB%xR04A==?0BXgJtMYBM~<04M%EPgw`auQdu$JTJm(X&>7issqI4GD`2-sw~+W6#mmIgyw_ zl!+Rl^4KL>)3|$H`z@RA=co{brO zp>gjpVE@&c-+tn&nB_b2g3hsnd5t+Ge&#=nZJ{E%8fT7K%CgAtre?wYxM8TX=PU9N zeIMyFyY8sBR$yBNHpWCYC>@CD;ckMKEw7|+V7&yKfTb&yq2ck3r1M-7R?YxggWUm;q#y$oTVGqSC)Vc zC>}Xwc|uW&OdZim*r#5~>ub^I{*;CkRM-4#aW#e`8bWj6qQ1(gW1H1!_z(4V+fUTe z{t@4Gm$vbkJmVgHCD?sEe)59LWRaf?x>jR#ub#8eog&K1-oKQq=EcBO@A%@!gH?eIxcPW?S`PYYtq5fE|J_)!=3&| z;-i9sFIf}Iw%B`fuxq=EF3akp!PtYm&b!tiR@xodM1(Ti2nVaOs$V0o-He0;_~zNh zTheE9{e@0Ns03VjD$07=OYi1(x;1*0b_r`!a`1c`aHDypTfS|PZ4Mh$eyS1Qo7dV# z4ZdqkN7ivCUn08%pN7Sf7S!}rQOp(3dg{B4=4EHuQqEJ+40yS2A*y}!fu zXPaRyoX`5w)Fg)YeXp~bC7tyVWj0i#lQ(>~Z{U6!uH!E1y00HYYy0xRqM|c>pPd?Y zX%FKsmHencVWf*t7CwZPH;i@moDh^qVAhox0YMd^|d z6#)V1lrBM}L`n&f?rsqf=>}y0>F%C^k&u?|8XAUy0cNP7<~@41M4;ex_s$V4xHMCM#R-ULSJb!M89GWNORuo zmC?(dgcW00>0fQYigIZX+>Yl7{&3G%hg>WW40Uyh0rf=y!feU=*8pMET^* zt8Uim=&ju81T}7};n}2v2Nm5$t(G^YW2|~Fd;%4jbBO4k+}#m$Dr)F=Th!l&CTUC} zWV)Uk^=$b;1c!ILt(&6gZ7NBU5lI0+a}?!vYr)C2QtyH15-}`=XKih8LKZ_&Br|l8 z+3Hkiw-4kYS`23QiwXHN_xT?&4q?VL$M-g#s5YX}DkOe&B-<;Pmq6hSyhIpD_l!g; zMvgjN9@1fu`!*)z+bK~O9Z)Q6K@dxU;&wgoW%rWxqU9Om5}>qv#KY(zfq5C|A|pDy zfb-OebGB?E;uGe0LA2QsMu5HBkmt>}+~aJ*bAVPmp9HcC!jyj7Awl_#rwV)Jx=z9+|z2-hSS@4G-?gs<{MFcSNM>o4q3U^!5nZ1CK~|XnUjlg=kl% z)|+DDR|*>%f+J}6@AqcdECcHLsE25X${L@}`?Xk#k9@Y}Cq8m$yy7H-4fz~dBfh{i zFG0`X6aH7F+9ZNU0{n@uSyIc=+J=2GV5SnKhgRAtbr!T8FMeusL zJNZ*xn=7)SD?M)aU!<9$ENCD6lo6M)(B&QKws>1z;n5U`aDYt1jgV5;SIaEWHnLeK zjAl&U;JdsA*@Ll}N_Cq;L8*;uGv|#O{B1WNK$FALcnotkJ5{+?8F z8@Sn=#rg_?+su(Llj&7}X@59FFTUZokbCMPRegEAoO!c23~OJD2(Jjf;R>-Im&>;0 z!lm~~7L>)7JX6Z^GZ)}_1kVDc8VJQ&tD$k8b-Xk$s+-3o8){G7n$4xzIVfJTuh2SA=sy( zzvs*M3;WxPK085Lb~P<#Dndxl7xtO1Nt2{0hABpGOd@x&eqKLjK)R%{Evqq?-kuSR z0j&c&uT}~6c%C*yD+)C~cLMKVY~0Rweg^Md$5rsZJ(O;s*$hJRO|98a@PKgWns z5RqJ!9&a`!G)EMw%jr#GAx1C1plLAu*BlZe(zl<2*Wqy%s7ROW3`}XY`WpIN56$GG zNhm4QJMNHuWH5!9(jlUKm6=>_g=%&i`cy{smFHY%$ac;@9W*&^a*m2o@3W-~E!OdxAIn+BHrr+zAD;ll-^ztVKvBhfy**CA;E1QWM@5O7BR|$;| z#g6AH$@_{vEB;wXMr_$af&eJ`OvHgP9&93~j0V04Zdcliex3kf8s%gsv5J1sf6Qs-qd#b<#2{({(~9gDM>vg;3+oS(Bt+Gn|+oT$5U_r-gOk=c#xa2 z{_!uS^9S~z>fK-lUTE3FISL3h{+qnq8{;tJEj zS}Cp}D-m%-)DDBd_Ak!T)BK;;W~QRD^-e|82b`pmky?+WHWtO0VGM6rJ1Pp7)z`WO zqxaDPK%?OB>)N;cfs?+oUnT2ZB?8q@NgkL6 zE9$%->NA6?E%z{Qut}os9=1ard=>}CzIQo~?k&Q&7POEec z8I9gY)Lt{;>UV~86PdKIb1&Pc)P3l6s6rO<)*AFU<^WQ_XK&86g)gpxt01#I`dBFg zv2KBSr^OU6H4nT??+QkOGKK81WS!dt0$t6O{Sx~9r;n2MSSeG_cO43iju+Ddk7puo z!fxY7`gVPvOX}m8v>8BZBv)1Ikf^Na^5;ENF>@C!2TIpp#`X z`;(8~o&L({lRdhp=O;VjW?>uMHO8ygc1xvbGScpQtr8LEB69i#)lLfG8IM{p%I_9- zy*E9k3g2xav*-{hzvgW`aL*jVMZeRm66!t^LyuNAkc?(4B|2K7R31sNshCXccMCBU zi=i1rdGH$G_FKBXq2!r*W}XgVhw1e5Rmzjw`ReNT?jBX4Gs2+)ghi~nRT|Y%-Z6eW zX-6TM>JC@4(JoDh9%oyxhu-$R{mztL@a>xo8OcFND`e_-qX0SY%C&XzA#+z-{SXJ& z=-2}H3O%)q{3|l$))}cXl+N_@15rZu`7}N)nTl{f0~u*;_j%aL4nRjf{x-hkmqM98$t0`TLa$Y9Ts<4P5;# z9DSI7;8=d&(xX(0(HGNAXToLtdcm5uYyJ#B0jpw*T*sigOl(^^(1@l-7`tCJoxpNt z==GrIHqL4R04i_ToE+EZ?hN2TBY*C3e3Mo&1bAU}>70E7T3=&y9aba=pVv*XhM zpa3Li(R7jO-Z3dl_R$rkSaVN%Siu>xny>}SA23jy z|L`el8DhMr&8m2!R3{^|vhCO9SJZ}2LG-PP5$e(@hI&bgu7ezUuCwF2+8zc%4%-u| z?Q`GuWDRYSBe>bg&lTB1A=;PxRqMIicb_eO_b`t`=LdBQ_6p=P4YQ|63Nv?<8@}&f zIujfJX^v@WJAb0TVGjGMKPrWCzn|@$I~l@NK4Q46u!I=MxW9|u>g5j6h-<4k$pS&k zw4A@3TlcQa9HP)8R{DCc*R&*wKS0kC87U^U7Iofac)OKKP%nIG6f#;YQ!>|r6;Vij zqwI%}s?XJ{9Cf`Ib?M`mMkXyY$Rcqg4dv3g1IF1s20`nLLVD_0Cy0V1&j`0qg^COS zKtlcikk#Q`6}a`WO{wyXugOo?ZP&L2NET5clO}IBEkitWR0=8BuVQE?z>p6eI*;Fs z+3NC$iW~k>iPRR<8M+o(xWpa6#agbE{xcO+rW(^ z7ej*SBg=Xa~MZYqrcN;Jvs?l7|wAcE6|Y8?0$&i?RnxY z*IMtHtacftJi6d!OjsZyhCrkySddWPlPb%LYzqN-?7IGJQMdMc2XJB)VruU&=tuWU zG@vwenq?X)473@6)`x}sa~{IOh}MR`&Rr%5noTg+6 zd!nSm`DptUc;sA+xg^tUyIUk&h$V*LG|}fuQ&)k!m752C!;m$4)c7>@gH1}0uV-U6HIOZBxEejNLW+%!~Jao>{s!U zgj27YHQ)BGabd47X6d$iOZkrSk23r%HXg+avS>BEUQY9AcKJEIT!FvnaK29aR~Jq_ z%l3S!dx2zDG{Q`U`XIHw&6?-pmgrWWbvJ*S@xt@xq`QPB2|Epz1kBX(5QqAmxlQVC zpCS|S%5AW>|Eyt3y`BY>PT9_!_ZvAEG&~OvF?a31vA4{AQ;9Rc1OoyE=HQ z4Us_y(nhL;E$91SHviC3~!DB?bzm%G-v72#acN!llEy zT*Fqg&DOrG+RpCWIrCgY$2SL2_^ZbcOHvgiiiJumV{~%n?BZ*}^prn&+kN!lhWu1S zD$}@VsGbynjzvCXX=-BmiQgm?UVM z%13!RiK}cJeH`oAyz?Ro8ZVWU_G~O^H z;YmMs+)dM~_7+4gw(7x>6I44&}2&Pv$?dEFbtUp*>uaEQR(B+Aa z1k-ls&#lQ~AM-ly*Fu^bMcp#5B*<<*jV_991<(fOkw22ZOkHn(p#mFD8$+eHJvrywfHxNnm$@gP(j*A= zsrG9RTfgr(V}GRLnnA`k1DwNUG?2UK0TGFime4u8!|-iF)bq!P#tsEOXI(_x&}H@8 z2JjUpYle-mQ`e)fNe*8Sx1{b3>J)8W^}00Qx@fnaaVd*tEk5r%QhIt3iv5ykGH#&r z-pTIsmyf-@;g@q3KOq-`*^7^iqCOzL7&ELYyqfDRWJ~M|c-NqbRAVq&pHJ6|QA%>j zT&3*~*C!W-KZ8HyHKuvLd}j6I!erbh-i0T7kV~%IT*`~S`g%b_qOqBI@(de?+fF6N z4zFp(RDZ`}c622b?~iTbnRXXJotQIMt5Aa-D=}s&#HX1Yjb2iIJ@CaO)cp-%%dX7o zwqNpjp;5~(QxTt&$2J}<`(y(OlW|n~G_Bt8wokiA;-ZUN^<6|Tj%o@T8Ob*mg!;$7 zmD23QxGo_<6wdlDeEHIPgHC@phY~Cgd&iBNMo@Pg6SJ5s6#^bxx`v6`d=+K_$GG)Q zBgNKm3M$_-#p4EEwCSSrPChJb*Jp=o26MEi1oQXP^0z!v z8oJQ}uhWXNGo@IaH}n$XeaGdSUMZS6gL!wquWWXB{OTu zdBZUDMk0I&$QJTZc%de762%4D1BN-Pk+RiC=mLwMv%A)Lx3|I5XPFuKynAPFAGTI~ z$qSB$evF;Pr1Ujo6KYW1wv_Ho2a(O4Y9u<>UOuP*OR{F3pS8b|K)RbB{JLk{zPfR1 zfBlsdGR3D!-U6t)|!pz zMvzHpKaEYay?)_00!X^wp;muwhI^%%iGjynP5N!Xf3&T@&$yKtqG+v_Eb(ov{m{LU{ z*(~D4ING!MV-i)ZKaJ0E>xvU6TGGUL5$SU^t=glsaC*a}R-@$(sGtLWL@HbajhGon z45p8#3K&`!x{06QK6TR#cjrYlnNVgU%0F+?Mtj6R7g)V(JX0yN`&3z`wrbWsZI7QzF4KMAsr@UvsosN7r9cO_TBN&@_1?0 zxr1H;^ioJq^l(?-yL*USdCP#k9`r;(fApH<&NIHuH)dQ(cGbQ#Iua*VAy~sYGZ9_{ z4hLwWUf|t>uM`MTtRB68Jn|I9S)9;+n6NtDo2O+kFw>(ZkyPUGvzVW?`>HhMYe@U7 zlyG(d_Jy0fx!{p*`f>lw@z#ND`ZW%ah!S*S%aR%`B#Q zsK>X)x}*2(YPI6tmBcJWY$tfImtcy*YV z$DgRO-KhtpqU?FZp`fE(&KdP)RTAp78&%@p+FA-ME*B(7@$UTvCFCH{4S1HTi)MU| z9`9C!g&qu%s3+rCE+^4$61Wr9y7L0P5#!{=$z5S*sjJ6JFZj+9bewbEdu_UyVzu~; z^xQY4+${?LpWBa(<|!Fq8ez!$C>Clh+7eDzGFDjkQADL$v}H&NHJSE7)YUz~{HB<; zg`!9Q-asQvK&CDVG6bnrAbRcgT^2@3GgnvY8NcLL7DKjej)sWkZmtppJv!JC16%yG z-1CT{S)t)pj3}vh&Q8B6Mk4%u4o{Gyo+}Z~2?`gA%d@r>;|r+v*>x>H2N&Fn79dvd zTW84KfeO8?dnle(DmF6MvnOYx@shU5hR+VeFjM;yIkU81y{*Ax+alJeh3IdO+k3=% zmu6vvL8EWT=Y213_v^W#MLze#uxjUxYTv7u`B(UF_`D`{{aHp5Tdj1biTdBf5!pD} z=hPG6=^DIT6J!^H2v+S?;h}c)yw_3d{ohkHV(rCPLoy~2mRjpZ6-o`F^krzp$;*&K ze>hBOuYg0fVJZX8lEe>KWXUK5We-YslHp)308_+T)7N1FOAVaCt|GxTXT9+3lmsH! zohH8^D@#uJ>d4R~Z+_l4SbW@i>vL#Pfx*1wrq%#f>37e%y4hxu&133GLD_=Wjz*q? z%5%Lzi}lXl2tEP+nE+7T(h!(t+OEIF3K0-fcvV1=q<}sDUYe@e13Qz{AYu>jdN#Lg z5K{@ORjwYR>I1cC<#k(y-E`AAZprLBVM=B1KsL6=re933A_qnCB}dmR3G4e^5Xb~N z3B3ID8qdAJNI%=q`826LkNJdG`Fjl?BGMP?pFp3MGsG5%lKNvuGxzo>%p3eN-ld|) zh2D=l1%X7lpPp<$I0_ghFSdLArFC^OC3*v9*jk2ZT&+5Mr#8%}$@3;>JqjmZ|rdB(O# znn-z2A$smT5)Q@5`CfQj0hDspFGMfR=xqA3Io5{v`Fao6EFKl-Am>EcE(brdUk*$$ zyw7ZDcxim(kq3EoF+ZhKl0ohUd$K|&a@YQo+Z&r5$4g^C!U@^y6*l9s4o@00-%q;G z5Zk-gJ>;a-YTO@oXD=WgK@84t?=ov>J!VKdY5In~OpHkk-A*toP*+8s8K=D&CSvWc z3SrxBdRK-l9=Z1yGvK1p9%cqMNA%6)8}+oFl>6?7em1^8~lNT73JlszuzJ+)qn_8 zS-tCKb5aK!dgM}hrVxl9Jr zx26S+`aQiwd6Gee_xAX@y>tbk=HAa?Ok&kW`SVAW=bbQiqX28Mjm*bY%F*KBz9-r> zm-y~yLPy`EjJNV;E~7mq>#&Bm zye$QjBEOe-<=lil3gP3*Zs)?hV)pJh6X)*o{LL?7Xib{HOU-(GepBIF2fJMg174;c z`TeaGz83FqT9|y;e^}B@;l~#su6dtD-h_@E!Rx(ITASTH|3{o7NSEU2t}N#BA*p@J zFT`E~V+9`VGQ`~H_HzBMLlna>$QdQ(qvH9rhi#FG#8EWbXQ)-@fLe3ajh+g?c*+1v z)C}CWCD+_HArwE{X-U~L3cKU={#yYt-2Q>}4++l(viQ^(_jET)!_A)3ivm3;P*YHp zC_id>2T@$_ys}BLnOFZVTF7&4o?OirVLlbecmm&PU!|Q(-ll3CN&uJ=5^UtK*UY}= z)xXq8UscB_rPNTI7-4SY>=*m<2X2g~71R#aM);x*5hC*VKalH=jAbX_tZb#s;+ zZZKeWNcYpsr+R>l@2jatY2j*w&*e+mo_MJ?N;GafJ}ETPFTb4ml^1ni#ZzN`mqHAg z0_VIq=6U?_nAv zVj4#At&Z5|R3%*SgH0j6h~!?&HHbL+OAYlXR<3(2z<5^&s7bX(-~K9lv!jagx@b&# zv*{=sXm-{TA=}pUv_i^`E=V+CPF1^NcJ;{{uEU&f0`|AmUlm+2E@ZnT2Ctv9t26DC z9=A1fDJ7x4VCSdwf_LTbp}#Ml%V5ep(P8_ZIiY2j2b#MvbD6Ebx?OQPej&M}{N0T! zv@2%5>v(_;&)OwKq{_F4phj5|oAr>=#~iLqf7#m-XSkj4(kuHa`mJ`D!3^tF;|KVX zE?nVB^Kw{&=a3Wi2shz{;&z{ZM$Dv}ibM>rx@LuMPIx$DLyyC&<%#<^Ms2uD66907 zQsCbK6 zsrK~;^S>vO@>E-pZf>?^SG7eB;xUefz%yFHi(nW2prgJYxO5dTONY}$ zxB+wKh}N`!`7!R|sg@_vzUP_w(r%SM(EfUzp|wN(o5rI@g=g;Y0VYqGNr|(2Y1T2^p5&On_&w&g_Gfbn zr?;|ZfB2pBw_FmlX-&tm^`$j!?yAo`Ae4MywA#GyQ9wVupe{6+Nl(*vW8uiHxdu@p zQA7!^KK}Nvq{nLdn1LyeLqh!gQ>hWA5iZxL4YalvyO}2L&ECG*4bV~+pdfZu;|f^` z&tNOdV<~p>E&J|C*4`(xYz9I+2?;hFy?9u&1ow}+Y3jqR0v<}(o;mOFNU}yX<>_nM z={xWGAeI*fJ2RPbC=$7w_NLo@O$kJ6-=HO8)C9~@EDjfMqjxZ+eLv@L_NqPDYTTc8 z8e2f{wkE1HGSkU$Tvy#S@CP5HlB3Zsxb4TM6tb%g z(tS{m0v$S%m8J~Mm#;_?eH*Q z(nxq|XS5Q~VDP2hfHHnB784{B4c(bU5^p%E@T4zH36&e|(v2IyANIj+Z0H+cs_qya zjPlq7p|smGc_UM9?yB9uDuX5JEtT@0_(N=KA@${@IkZfI8jAu7&y*M4h|)lG{wBI4 zd(oeDDo9AA9^>Plg0B2)sw^!q(zf*&4)`34;2i0f=`f7pON~}R@RMCtV-;uBV{#xTlmz9pLidhbxd*blyvE?IKRP4-p{l#?s%+U)E@9J|W^$&{mWpO^b z*3h~0Pn7*$4H$dIAeBqR&d9EF#{i^FPr72H-W4_mi@SQRnqgl{)w7tuvu)q3ORIKS zctTn9eW`|>GTX1vZTYLk8>&`2FL!m{d9H@c02z;$-hAGJoz6zP76u57Jp}#eU6AbK z?&fQcPcowKiQi)6e9b&`IVF|!NXnzDH=2Ml-5Wg3Jppo6gn(RiS}_=I)ozE;#^-e? zB)-SY$kaL*_U0jL(9eyp&Sf19lI37#M7g>Yxx8JV@y(rg zmMk~19HK$BdlIt+H_b^gUwpBw*ww6N86)FG0h0thKEmX73D=ceLNQa ze9S(`XngOr@T#~2MseN1{(c6XR8H_u8-7I-Z*gacvg_h*lS2ttd;_ruj?61yU-So# z7T?vVbwXGDz3)f6bs=#`(}7<<{mA>h$SR*4bN*rq zI4iP3m*GG!CGY%=KrEj^!+pHXVH=i!ZLkY%G^<9^S634w6Hv{Db2i0_r8+2~+=fGS zs4i%Pn#M;X#%HHlJ>S^m=^gZ)RE7kKJ(EP`%*oY{AC1MSd_8XBNZ5;eG{r&zxi{n_ zBtBbG=hu3H*4q37xZI+^%~$}iz64&-e!eJ}5meE&w{b3h6#4Q`= zq&@vbCB<|V?&!!#2@3yRZO5bDu%J${qw-_c+SLNlhWDtu@Yg}E`>Yz$=rn!~(+!rD zT77nEZ@VllhZip;Ad7aT=r@N2%)Vo~A7=K-gGpX&1$h^$Nc4Mdn2O`iqjGdg&z-hs zy!*zYUw+>aGM5~m2un|~x}bO}oKSq$ZevDlXOq+QdUgAzK10mmnYuuKqW4ekaG6Vn zA0v%SLDfl-%|#EZc)K2LCpn0NxQ-j;HP>3`nwNi)EbNQlUq2%e0gJEh5MKG8s^j(-#;2bPfNvHXtPl_wOCH z&td_t)b1!+e{(Hr2Gzym(R)ZcH6-}77~k%87O3{Eiaak@uE0GsawssUv}g+R}+zqAUav*5t^cnEu5P~q?#UVj_76SqW%YbPJ*o?q6f z&&%5bW?`ZKTWIcD&^4UHf@@^IJM9*L(p+Lt2kYggXOGDqz(tJmtNG(u)mcPrGKyoUdbr{%erEAKueJ8(fn^&z|YD{ zIb+rDHn^%CUR6XQeZWg;3o&M|Y@1wWdy^vquh)v;m<2+9tHbn@^-O#gGvv`(Ent`j zR3~!o{@1E_61bv04dv&Q3;J*C>6Au_q-BRMf*^Y4Si+T-s#3Sac0)B3|yP)DDUq0XnGZ$bp=ZhO(bN5%e zJd^>kKK7A)z?%2>7s>O)YSh?jUITmz3#Q#=Tp+)#|5ot3c0l&0+;}Tc zdhEuhdnP2Y-?(v&KT!0nv-#-fg2nU~bo;`&*vjwUiUH&`87peR3X4`L%m@E5>%S!f zzrIL6dCuGd2o#QTikSj8%nkgZ$kJq}%iWI;zw)f!;CLm?b6YbPr1pvWv)ng|9zP`s z8pY0K??=(FXW-v%1b+vJRZ0Kl>(VUOA*b`e0dVu!AFoatJfNCTJRZ9oCPpD1<)f9& z5Iuy)A5~1<>{ACt+{6U;#K%_FltJ%PG7sv(zg9H&PT06wfW~5r*B!>c<^OJd5CqKl zo?_GQmJ$zO#>2ko)IWhG{adS2FoV|tnEsX9K-u8Hw_pk&p$qhp0VeueweimLw~){$ z8PEgT=?5$aq@O=^|0MQ?_(B}TvBsWt{$aoEX2bpk>&_-EVx?FVpa1^$2Y1ZDtSXP6 zF&MtUb2R6YS?|DOWDHTw8*F39YfFpqq7M6FDEb+7ck7->){U{Bm>h{m2IWe z8S5cidFSEZ2C-8E^bn&$R7aU#S^_D-jZnq$Pdp6k0uP&0NoOO(wR;XIXx7PR7c1ct z_UK4I-o(dSb9VJ4{M%pd{N*nR57}47t%1ksss^4EqydlnH5$R>vBr=|Bl)*d_weChq-cG2P8}j_gu~`Y%FBW*Z z?||k54tg`>x?_6&mNx!BYR!Kq<3IK5zmvGnZ9rPLWlh=o->w3{5BM|A%Nu|38UF3s zzkc~I)b|%SeWjYUN)nst>0)mbQg`N3F)1L98~kto5w8ePIM;eVQU5Q;g#ZwwA*;{7 zqr2bZ$PK(k*z;R58342YZ;nnE?N(v^wx< zWBK2_82}if08Mg1F`_&ungyMP~v z5Xi86`LAE+KU-?}8DNU3&%eRR-_Yq_mme_$*1P#h?(W~X_P;dGpC4pd0j4Ow{Tqnk zc8dLHbG(uUtoIw){QbTE9~^w_k0V+C<4FJ6i2r%cek0F+9O>U8^#5g^KhZ4xk0brh z$>bkL`tQ@)pXB_HBmLt@|9sm1dms1*BmK7!^8e=;De9TDBo=LkiinYGX5&CrDf8{} zXFg_{BOmO)l09Fa9tybMq?)pp?F~jI5A|kWHKB@Z`h3dH;EGH=Rak#RXC_2^dCVa} zW}|%m<@>ZB6TdJXG5sS@Np9%rxeMw!H;0kYRF9hw>;eCKwFC{n?2>IgDv|LL8xHo$HK}v=HO?BU{vJ~T-eD$9mdAFSN}4~VsO4Zy)3fw9W}OC+!T0syten(|_{kvJ$KRA0bp zweNvg#TyA7IHEWG?LSst0S(;u%~T`fVO%oI}R>phl( zzvKfh%)G9?c_?<3LNj@|o>-k0IT5h}8px-J=CPE*uO4R2pub)h3 zBK+8fN~6Xk73#inMC7vGuffFWzp<##CUrHpxsHTI#+%;Y`RinXKPxMS-|HPR3gOsaaLd7fdAcnY zj2imP>f~xz^L)S6EP%nApm7Yl=3&rHs z=K83r$xYg`jlq8MR(DXTXR~P{icA;!B;^X7{g&DSvT?OR(6numBq%9p%yb!Ncn00n zWhg(`H0(_3Q0%tY4*=_^d<#7P9 z#88hUTBekPHOa3Jq|WAqEVvbVlB5slaY4_eJyKy%i`RtE<5ZKqfQ{!~{{0G=QHBK3 z;O7*tynOe_*DxK>*b>Pj0{!#h$On)(y-t>;#9)wAELDb|vA-iyRNr+$1QX&9yUgS1 z5AKJuHTbgVeh@Ba4O;cV%1vH&16-Yvl+C^_%gJ7$-L=@gg;0Vl%kwi;^q<$_;nNZQ<*rX&JRL5jjH zEWmMAW;GFtW+#coIzi_F0n&O0W?eyvv9)fjqc$?y>ZyzGlxUNi<_)}Q5$nJU>)~sd zi^b|h#e@N6ARRjan9Oh}LF3cC!T4gk2@JI4W7b++3sc(3waLuC>Q^Mr{Y2ru#07g;Z0J zH3XCx`oh~n;e6E0VL?J?9yaR>TjK&!7wSthH>_;^2bZI66{-bR>!sc1?$QXn(D|~! z<4)RFKy|Ongtg036+=9a?KZ1MX3PyJP`hAv7%(HU4fyGeQjasvl27<{WBi{ulvkkS zL>YWev!f*-*~Sgqjr+m3SKBvFB=gM%LY#hyd|RK-sAx{etSH7oQ2{OfmnNboLQ=yo zICa-pwUAiL*82{vf`+48P3cp$;{BJG@AQTCTu^{E&#%v^-Sc-eHq&B}Ogj6;KG*n}Oz!*@tA_#?eoZ@)hWqwNJp8lmdYBe`{Vhj;^1o zg!x^eO@1}K8iIN+`)nrF={?&_#2C1)gH(Sy_-uv{MO=uV4rorj(@u@Z@G20FedTcl zUr9<~0_ooMXU=fRfZn-X#wm4`lLd9~#jbPiT`V+lQel_JlTxrBG&NHru1fnn83I~+ zD#Q;jk|MCK>wQ0={+KVwOFG|0CI;v$4#>UEtHk`8to7iM$w*|qeq^(p-p`_Df_tb1^}cY1EVQG-o5FK* z=m~@KU>Bz%c5;LZ)`Ysqaq;teSZX%Gd&d$c6~Nvb;HGBH^3l2uLV@!=I&SMvIuw0> zz}=)1^$Z+@4UAW%TjUGt1{VhseL-xycH9? zT9Q)gv|0xXxavdmcm^0$*c#d$vCp3nb{w|b$Lzh$bVqJ41M@Z`hMY!=g_#J>gAT4s z6jd~{nTT3P1!#b)y@p0EULV6+T-Mj6>NhwfYxEUC#7s$567R2~r2Mb?Mt~2q({|st z3X*fwgeT;pVbQaGv#C=ElaEhr?*pVa@jJdk@z*e=ajpqe$G|y=mt9>>3t@{`-f)LJ zNh_usZW$_8ehzEhRz|m_tPZPARjNw;>Yd} zS-2nnluJK*aQ)?=AWl_{$9)h8@=IgkJs}hLd^U0jweCnz$dtN9G_GK@L_F9T2({O~ zHFg+2>+7#Emt%=msi3 zV(3sGEY5@oP>>zJV5F}d@qK7qQC^v8SbZnYviepWa$V)8m(!!#%Q$6d_HmbM7N73? zwGSoj3r#6CxZnG{c6DZ{C~aVInFI`i;3uFwTS^LSon z-}gv$In`rmgvzZgPmTRn&yXJW1Kai@=&fGqs0t3^XK{U}wj0}dD^n{>uWTUl7e%G< zv;MY&Vw>T48Z-m%>VS^l$$YxGtMh))1B zETNDTrU4aP&E{3DxIrb&tl3}h?Uq;i_9hm6mp1ZSp3O}d*=$(-MCw8T0lDIP$85S1?wDBz@p;har^ z8IL7pBA*+yC&tA*=}9mtcir1W*6C6OoVa0#=97x0QlP^e-B&*|rCjfGjBy;g>!NG8 zQ)=ecr^!o`)YT$fo|iQKva~ZM^pLb_vJ&!FosEJ8l3MDLkqLbzM^uaKVy-6SUC5;(%yV7}wBE^h2| zRJ}7W-A$R+y4*9&I_u{v*AVk&0eptLByuCe$NALx#IAgvR_Sktka z#dfH12V;?;!IYi_d}5A;{5@L^deWY|_rg>iWrJv*5S&4G`ity)LTyV7sit6taTq49 zp4|qwrmF^Y-1A<>c@8mC?g^U;#8r9PC7jV?Ct2e1lJE3Gz>Xj&)eH@zPUL{L<|?~@ z*+I!I5d{_vKAB~1JiDC~@S|r7>2a+w$@f2!-C6o|U_tL_lg!FO7EJ}=2O z#$#!*Q}ZTZewcr~IDL1Ht6*V)i9Y2bslZ~{p`m}7$~A^6xz4{{>g0T-9} z^KLx1$;qEiLplz|No`?dI@|7bjNmMzR^)Z0y`P(W^5W|RJMv>2hELGpikzrIMIo@K zR^|!gW2wD7jF7WNb$)Y`6D%`rPV(=11H_ za2Amk{N8K7_0k>5m&NyE4=@n%%MpSZWAFFn2Zm*aB^6w~yB_jhu6kCwQ@xrJTl|Z21=nk$mWW_Vz=hvS(;l+AM#^NEGp-hGO{LMD53V~o1V!A3W=I&k1 zO#?3CxpHbopQ4?_j}>eg|;E1@M|=0V{vPx>gzc8%^E+NyE0Ov z)q!nWY9$Kp{Yu8F!g#EMYfX*1mvukSWZDi49+8^N@lBi*cqD_WKHFq9Q8srJpBuaO ziJ9BCrHKl`pFp+Lqo-ts6_9xh&I%G~BqixF#^E0jbJlr9;64+N%}Eryi`@w2@XjJL zWbFT8@4cgffZ zqhuOra%!M|$M?>i;hk^h-dStzTHinON3)vlK2>#gJ$vtG@2c9Tyu=v43beMJv2&Z9 zcAR0Vl34grv%t2gu#xN^fYl^sXe1$_OPl>HK$7xlO(tcLsI9-#k*Hs4h@-ENpydwM zCSLZwJyaae+9nFLQb;~zN9N{akQ~#fzVY+hphY)K$U+Z6(i1jxKA*L{cCnc?o}|up z@?mZ472_p`-Ds@GQHE=ATnq!E_l0P9UH+RU)s0J2+6fP+Au0K*2)n5C^rKDf#-$`P zW^#TVn#E~zN?XCK&86|D0%|o4e&w=t`Q;XYoGspMHAY3wm@yS&lP zt52R`bn6cU#qoFGF!?1yV|AiQLAPBROeZf#-2~vBnQF-L@-Qh(H zj|k67=m%I}vEHp9xT5f|R&Gie(Xp6uZ`r&_pO{5S$S+fsP$6}m;r}T_*Egw86#kYdQu@2FK0mLVhK|fw1}uXYJf~kfR>uy~;#)5uvZ0R#DkY7*3 zQS`_1J{}16MeFIa+I4#5@*X{ql{pf-D&qga_e+8%$!zDn(L`c{=(eKaLr3nhi^2F} z;SVs!v1)A#MHBp7zA>X;Gv9b#e-e0@RyH@u4}M!T{R#kdcz3vx!X1oGw99}c;}iE` z@Z(B4G+{rMp@!i?)>xN@j>e&jg+_N`#wfs@8mVGs8*mLA)!&u+qsEAvrKYlF(~|M1 z7|gkU=`qHA=Ts}ScL}>mJ1rZ*U1IfU!b+%3gvl1${n%rUnPk6zCMVcYQ=)nF$Jc1b zfZhI3A(JU?^BrYD`8VpX-;~-_=PFLL-D9G`{a)B#*d^b?ctyr2ECF$D2OeD>kNtVD znBtboWOKV!O~KsPg(_3}U6Wung&n3XgvMB6mBH&ekuGgcP@{F$=-12LmE8y>r>wWF zb;Qn%hiao|baT%2t)7-^>Dq+ZTm$=Yf@Ju<>7w=$yw=uw`UY3^tnnAt5hJIbdsn&7 zA-#9c4Jygj6hQmtPZ%dpuc0U6NKeRmgBT&cQJRjP zOB@u1CNW3@%M@3d!{a?sg~#icLO&TKjNIr8#?v4Af3NxkzN~cL^E8+8)ZcA}bhhp- zpFul16KN7RUE{xL#?nPUtNUbXoXfgk*i&6T=i9LEjM1$PU3Jng|tdF2+X{_IrK_*^;?Z2jDn{=NI)bzQIm#nw*mBpF_lPS}MXJyGtno+S2w#i=Qw@hw8M zAA*-}UVKdcR0_|unkfjlJ(h0X=&3i#A4@iOay8)YN&VD0Z&gq_Q+T9y>2TTWa__8k zZTOT>0B@WH-}ZHEKw03v#IDrTxu2)LW4Dt2*Ta(knqAsP;K6u~-P$_fdatx)SI>Ql zwPQiYm<-Sg$9n4n%qGB|P!W@wjUAu^O^rlT>$65MYm3OO^ zcI)fo&+ia^njz;^)tu}VI%~YBhxiS8&g12FF0s60P|*m9a>yc&U(-{8DT-ldohKzW z_8R?+eYcuF5=94|8Xu?3Kh7U#5AG@q9s_0dbCQN{gs&OnVBS8A@^x#Z#a|jjdGN2C^uDLB~XL4n8oGDD#EPyJiwuAhk@JaVg`$tPA`b4C6 zybBJC5*_>{j)p+XLt<>_B1x01(pdbAM%`J}rfOLXuaF|p%GIlevdRjLH9Xa(2GOB7 z;K0S&m)^RC2**Z??c6kGZv?&bw_&Cpc4~_vVP$odWTB@UGx9pnccV8Fwi`36v-MaL zCSfHX`lk<`%#v0pA7`N9JHJN7`a3@w;VGrLszfZOI z|B$vUqzD`3Gt zYOa$f1p<@aq7|7Et2NZtA_y+KQ6qm=R4gB7Afw5GIs3V_z_|$XmHi0pUc%)^7LTlI zPPRz_Tq4oJ)**qYv6sn>B$%<;J9V$MLP=BPkmI~7CK^zaV=c(K;i+Q%l6~b*3P(-6 z`{tMX?=Ob3c__bSjFPtC*v0+K3D(T2;+B9q{S?vJu-Sn1Dq zkLMTh?1;bT^}yR`QQY6j#{p<sS?23IWo-doxbBL78W`(sw4*fNt7F#z!FPSHFP(ewwAAta|sMUPMg# z(++d6@}hD-8B{U8ndwuskkGcPW!`*QH#~H3ez4bo>~ZN+KiAte%)(?^Q3Q)V7T@efvicLT=cG+jy3TZS@Nvi2 z{GWB*VzRy&AwsT-tZAVfOps4C6^u#tkYYCI_on-qINz?Gmr`{Pc7x!BPYn~%d%Fl8 zSsYv^%Q_fOVcE097DD!I8vUfbP<~87Pdc}D#Yd5^X?OLgP#gy6Ko;kr!K2$(`@Lk% z7%xQd=THp;j+gr@@=y^?FUjK{Zg4&|bKPu*6!2JboiYe4aEta9%S<=tqiws>na2q9 z;yFecevO?`tT$4|h~qSq!oSMOl6N3AX|mn+>{NMcmZbsDdaC(VVtk=S?4Z?sf?DcC zX02cy5qVLaZ7uXqTOWoswqCdpUI?DDon_t3ew&D+a%oQ3Im&@Z$a4r@GbEIruy4o+ z0|E-86G0lKteV1 z4r%<rNUPiszF7cLk?H_F>!g6bmQXr2?I5JiV?jz0W(?3}cHlH3godl)jT-FEa;Il1XntZ5^kT~BUP;ypOSE|Ji{sJ zMh`4&cg0@6lSa{BbqxuIF1h`8JdYkR@+*cb3Z4biP>hQ)Ypx3de5S*!E0;bPw9G*$ zNl@cULC|@`F~cZ0YJ0EbQwVtU>apGJTvM4_G=w5}uZj(m!Zz>Z6>GA{3y|AtJW_?) z>0IshYq9cZVOoy}Nxd%v+?3(W*8qgS?#H~tn-ub{Go0T3y5|Dsj_Oot`2-&dtQaPj zLz8xcjiuhkh_m7asysV23lq-@~D|Y!NCHWdK1o@lBM7MM?lS!)xYj&(*I)xtZIr*1 z4~QuC*!a>D7Dp&1RLJq9-cz5n1zE@CXqTz;+|%+$H=-3JcE!z=Dj=imX z-@b!8)3~ccT=8>7@~1)mKK}zFoj2O=b2$`+qe*isC(qA`A#-6Zddntuw+CB0viiZ# za~wtu1Lj_mnCJ2;MfZ<{9&u}Ev9akC6KD=C)C6V1k70*;bTp^%{WTu0x4w zP{YMd!_!_RcH!ERP0HRo+n?X>q>SPlGxRO`)~)=UR7+yyR1)bi@U2c$S$`od*fJy5 zyZ>%qTGr6Ah-Q_bZ8+l(9tHl zbOmY+6}5{H9Y1KL+2SuJ8hb(O2ZDIwM7}X=!;FD`UAk=PA8BKJNFYFIq=Wux^i{Ev z{Nrt`2OYMQq%R8)YtYliq33*YcTd>#Yj!fDNQO0v?u5#Yd;iF(L#zh*M^q7S<9mM= zf_AhHx;Jw?sfB*!vD_?cbEfoLSPJEteQxroYBS=AKr5x((u0#Q-c=72JP|zRb5Jb$ z_-vNi`+8dN_Cr5Y_~_B*y-jwNhrTxVbM{Pz;fb|^b3Np7cGPP9^+G4Vh5?5Ye~VTY z`%Aav7};Q4q>N%tx`vP#_~++|;CGJ%C?8UA2m^7-q(!aN;4H1g8g`(&A2jwTh`>Cx zS2A}qokGyI-oCIvZ#=^ine}W`dUaxsYw1oZrE|M-k`XNtTTxqd#aynPHNJ}ip54?Y z_RKk{cm+IRLCCup_Fnr&F0@yu&RWP~#|;08IM4m1h2CiB$bJNo?qs6TE^(Cmtu^)#1*zt=diZNV%-Q(5sMV73Rf@ zDJR@q2(}TCY#1FYB&(?zg(@s*4)csVMo|Cq1l<|Q3EF&TooaZ(4!D>WZ_eCb zR@$wWzn56ooMfGmjhe&}-4^fnI6@!i;)ki*k^hpP?bbY-DDVgXO6}}@V7A!kcHW1H zorO7irU=Qa`hrOhjd1-w|BiGn`jalUh7eA{a?ssVpI+Z_9Vz+UzsZeTnWc>In<^^5hG0vDSW|61x^ z0f$LI@k36-hxwm2h%m_p6y z`F1pG${5li*dx65zUkwHAtE%}t917+^c&-ngK%uM#RYg)XK!Ij6yanS954aA<40rV zf%-g*xwqM-rkZbYd4J3m$D2&VyB)3DX#lvy=eN=lFWXqjKNbCVEr6oT14rdDu>KpL z$tz`wVSf~33L!>kvhPF-N40P>#Y-!#qNLwG#zgA@|NTT^jH_d{_!V0*<8CcmJES(O zz(*YsQXI&P>HJXxc8G{u@_5KX!-P;=KRDY@^*<4t@mA)X=@N=|$-3)+QLwnA!+DW~ z8A(-4^ss7EE3X6vH*X2&$=c_04x|m7#4fN=yCTh1jv| zQ-{U31Q3x2H*K+TuB6Nif!7WDwU5)>mwJ?FX)k7qqH8>aoO)UkH0BuNS=^7pX=1j< z6fBO&cE&z?UZ@K5+Rr$-cYXV)QkS38#!bA?^z7-oARtJh>P~gM1E9yc%gv|1n~ z;XZ4Ingv=Bs`l_BKC7YDqMt7ii~#!(Skc_Cyze`c zkI^}v*RW6kUU(OlyIf^9|CH5;O?contHHLB9y{GfYobh(V0F&O!h#pG!5Pfxw~N5) zZ60%NgWe?N9UoSE0rGQVg~3D-6P?97J8k0q>#?eZ2_HXh(k=?e{u;$-d3t7~;WK4< zJCugfF|N2<`@q5qQpbmwX1~X2c&vNK)3X#vcW;)B#J*Ri=7){OuaFO6N}Ioz$TqQd zIG$JX+Ur~2;;n^a-Oze}f$%xxE1v^*Sk2CP?mgUV3s)R%EP>H*|1wC*E$MZh!3i=L zt3OfLZhTaT#yl~sfz1ufOLe5m!x>&SGwE+}a>sI#40akke0OzR&5JF#n*Bc4T3Eu{6jWZ5_Z$RrvVDjc z6B!QUeVM75c(58&<)i(LML@@%Xh)kXtC1@ZVY!ud_W4tfl8_3c;sUrhC1Yk}$XHv> z7j+XmlM0|7E>B$hpLPP7ee7$QeSo53bPBQF7JRoPAtEzQH=;{T<=f!(XlBWKy|GBV zc`U>NFE=`0nRpjr|J6jHd!s}ve3KoBmPF7vk~;$+Q(4wGJbvA3%~5>ik?#;O6`7ip zimL4cay3Uy!Ns^j(62QOB`#mI@}dMGKdp!dlngcSD2|nwo1(_E`>2z~K0B^m#$nH{ zOgat{fA7(1mzG&sG7AqC99HQQUa7Ce>s{NAEt7b_Z0usqs5q-S&-p+f_%Ibs&6nL{^ZmqO!CnH zZk4P40FB3rl{e|shadNS8*qa0k#7A@)C?ZP@<<}O+HDaY849iXpc zMhzMOhBUieR(*c24&hzHQ2q$sh-aQ5=8#1P5cbl=XDwxzvmV{KIxtt|-=uPPFzY81 zyH7lv4Uf9TcXLZ8wL5I#QNpGvU__YK`U8i@*6i|$#q!U*JfF2a7ua(IqeqoyrWv=a zyp=TP4M@*?cMvzGO*_J=%KNAyP&0<{(*pKA^)}J75nErVs>Z^mW${*_(7Cv2>!bq0 zoj5T_J>Avqq^qh?K5fn%&t#k7gV{26A7|ID%|2r08PdtRLPM9)3Fqy`*PQwgt>L|r zDdYshG%t_zrVjsuD!C zwH-O1(lpBo-K+B=Z?4ZE%#C|*Af6gyJ1|m>6ORT3sHLvs&Q6uHJ{0nG-0oz_;H1_i zmi-ihz@G73^T^qXZPpz<`#N||?|`Kx+3Z@pS(WMZ@w|m#^2i8ru+k4{7#%z&^gfLc z5%yMMu*2Jj zzdZjRum7WUziJ$y5qdt1P9@Cp>jTlJl>}0GruXHZ|1ZM;nt7KD0Uc{0V}pxrjFNsUoYtkWMew%qk{ii5B{bR zfB$ZP9|O2Pn-OS8l3(_30?NR{x-GfmulV@W_2K?Kw>a`0%l4 z?OB*aq^~gpI&6R$blN<6^)E03UHZ~R&~o<1cBP~lW@Pj#CF0RF=HPpe7Bu;i>t7(n zl9C@l%Zv&b?6d+novYV6b^^-#b?QgT(ck-@`Tg&2Gi)*02_?gYql;~b6GM^a<}gJ84xdc3>FIYxc@OzHi4j%u0B;$8ek;2e!EBc#2xF|-gZ`?a__f& zSVRI9#i@bc_5i44ncKU~bzN!+G_X@VzBb2_uD6{$K>NScaiV25U_fR$y|dHAd*uFUb%k#T@qT55Zia&zc-rKfAe2`NG4&Q@65tT zfh9ctb%Cy9xv{5-L!I^J$vV=Qk=7ffcdmoyE5Lli)r_hCg=TfI3jkD0(c|1HsZnlR zVPuyZ=Ru5<-}lv12r|1qjJpg#02qUN@V~~P7+6Cr11HJz7mNd#VD?~ozZM6?k3QE3 zE$hV8v~0xW^oI@{NrDiru z7Jyui>t8Kl(aPp?5nh+G70~qG%jus$!jfp6l_bQEBvRj({#ny21brf@0h6dLH?5t| z(29BEZX{^A^!D&|fvc(j%IqP<_E*LHCjtQm^fFp<9tycc6o5=gjp#61j`@$>My@v5 zBc|F@EyNeM`z|~Hlpt`*D6fzHI}oS^y-1Mxvtjs0f#u5zpnadC!cLHBzLPJmzan&nwq`#VXNkDyOG#o(eqB(Tzo+@{H1{9% z1AJzAe_dBs*KrejH!yyB_|;O?YNDC>`rBj&p31e!L}N}B?sw~(ZeIyp_M+E<(b-^ZH|igWcTCJv07NKSFca6(+Hr6Pl#8qJ9$ZVV0QlA#{T0z zX>BpR&%DH6fy$|7tlPJZhxX_Zb%{n$3zg(M+&z6xBfzsTc$7iqUyS~g*^mPWi89Mi zkLx#g4IY033V^V?>!>q0!~j>)MTMVo#9AeJ?^~uAr|8^zrCiWtzv6V;Zmo!|__2$5 znixH3a?I#YIv;iWu5ZfoPtN~%^naGv;{n&T{#5*1w8=(>t`DgN4#*RcUz4|c-9`p} z&q-5{`U+aMuOc2mvo%-v^)bo;)?E4P58;31cJ8gCP9SJkPSB*-#(NMnF`RtrV8-D9 zzSW`FfuA*2v6lGz{@_#sG$(JW#Q$CMKHKCCTLhUBEnD9rf%zUgWi2gkZ(H)%5zacC zm<*|9P(Xu~kQq0Ltw%)k`6i@X;QwacB&JhP~NI=sWhu^?#YGs3@kIW@df zi*l&pq45-L=q)k<{4fPh;Pv^Bd=1#^Y_+04DB(ZB_FsMC^WXRM+a_25Nci_UKmz3g3_xI3nfjz1JO(z$3i&kQ5tvb42gE{@SD*m8`+NIh|3ND+tx}`;kU0_1SuiDI1 zOLMCK3t15oc!_d@Cb7tqGbz|81$N8>VKWyz!^d2r)O_3hbf8I%-&;BVHnuRpcFqKo zAg(*^>)-$Fm$wh=C3|i}@}#@5-SxHc51q{vqb88#Z*6}iEucPg_J7yIE%B>&Z5W-5 zTtY0Tf|PDHxwE0=9a*`v?pU-iT(9eJ%(w^Om16L%{=Y!R3`l=ZGZQr`qyV)19?`+L zFmY#A@~!7gDnA-<`Vq;B;I--W-AY&}$W%Aj;d+ZN9|IowKEv3vKe>|Y1NrM0FGGII zNaAXJPK~P!=ZQFNYgf7z4z}iGaYK*i}kq(cZ^P#mNGKe8z1^=0giMqV>}}PEPk53 zY8&e9M)wMv1DgKtst9Bdz2*lp5t*2vb_E`1Qc30-%OPNv4!8lTaf`ls~P-<{C*wg@BG912E?j%YZFPuZC%As z(*J_km&M9iQ`Vl^>55EG``v1du$Z;fnj)EkBXZI<& zLz~gEggs2+by_aff&_^`q*B-Uuh5}nhJk8;p6J;GF8Z1Zs7|o)EHQRYq}sR7W}==B zo6k_!FRhx42@KCZ@NGEXjGAfUELR$PAr3qn;f80g<#WPuO|vW6gYv^oTWwB~oQ&k{ zoq0}a+46D=*+WKrcw;l8f`s;$BSM>K+mj;@;jzN%7jlttXH7%HFEdBPb(iJ_V`JlH z)74bvD3gG4dqbIH(c0og`scQ#E{<}VbDD*O!9|7I=q0kr%q5D;qQ-nn12wb&Z=W@y zyva6s>wMUU%B$d$3AV_k%aC4wibSN_b1+g%7r=zx4Sx9<|Mvo{(JsFPmUK=wPqF41R*~Q<$~#!T3CJ##V3oKiNjcx*d7J*i zt#~WZGVy#Wa^$u#fxQ}EqyWn8BH@)XvfLzd}r--(vk;W>KH6^!PYwYa)}cTZvb4 zkdH}0N+F_Xbpg zj%V&Tl)-9^~IjL{j})`$#%EiVNG>@P~V8SZ0^Xjf?6h^%30M!a|3 z{>AH-yGRME21V_rkpR^e@+w?=R5*@S6c9S35JAogPNklqs%fx>XCG15OHI#4kz;`l z)AixYFbJWK=L-%rlsU29OLHFk>vB0ju(_sfkkxS%x@-t!Z0J~rPT9fd8Zy z?VT=qW-F#yYvAGhsy{7#G^lQ1IOW);rfvHRlFrjq1#NUWw@oe>rfhh0tWwh5yF!)- zVOWb#CJI{F$O~jZx!v)QW~$=gnRk=P-FaZTCf&xpS5;(4vb0ZUg`U!#Ps>yXA3ET( zK#wwiZ=p+Mh&)FHnzg<|0Q+Z)E4F`#MFXcfh_7$PW`6Ky*ds9B+;r9RAgX80Ob$Ug zV{y4PFU}74dddppZx%~^@Yu0iN(gZ#HQ)eHp9#U4&9X!!!EA&`Wk+AbkQ4%9PQ`iF zIKE=vFgmpYFggo4Q=?`fRP*GHukYva8lAqQ!)Pn>n_6iUp!B_14LuZd5@fL~I|$@p z?>US=@9EKvBP;~h+t<9_AiUExV0U?cH{kt#WzLo>@am5Dt^%d0PT;h)^ugfk>$4X;IB=HFhuceFaWzOJ(vYVka|M~O=D&o zp75T9L1Aal8zx}H)VHlNa`|tu@im6Rtb}OiVsCRZ4hhyk@XU*Vi zrpL&wK)#D5H&mFewFhAzw{EC>wqnFeMeh|jla(aJ-Uvl4Wa=VazjyeRI?sy zH7lL^I4OC^iaZUyg`T=ESTi~=h@@H!G+F6JX@@h3|G;IfPMXNe28gM7=BosN4Bldc z!+4cMD!H#7PiKu2<{(BV>-_LoM8r+qZK|f2=q^sP$2Wp*JgeYW9I3tevd>Gb{-d$| zk?PN{i4y3rXYTum*cO&lA+V25phUBwi#@AVVN%}m?)dDc8JfrGS%ACBYk&94$uA~V zH>!G)e`x5*?v!#n9tG*-Uurk+i+O^jl+iUshv*IEy31}?v-h2bno~c7PjU~8fjxcW zW6m|xrsEuiIYAouT=P_SxM*PIY+327y2V$gU$^E+i{6~T^>rn#{HuK~I9n^ybXYnE zF}@@=k2mnO+Q({K*al2Z8Ua(dV$Y9x%E;~WtcXt*Cq0whKy`ov z?&HLP_+j>3BMRcZ;m69FIe1BZ+Ur=-F(PROLqzrQheL9q>Z#2FcKB`ZhPdAt$l%m)z`$ zuRiuT$7nY8|Kg|)KII{sJXla>E?PC+L3ii`PCG_z}Bko2nygNJyd+bNXsU$V3(3!P^^3Xm+Hc?T)% z>?DTw&P46O?Tb2|%GxMo$FkGPt(GjU%90I7=gp)i z0*$JYx*i1i&GwbA<5MXxx)Z;=?1;RuQxRX9p|%LW{~%)qTP#67(^p*jL?bQpMLD;R z`}1;@t=QCQsiPa*UmM#ZZg~W$WRm1Hyu#?7lv$~_g8^I^pu%XRnxuo^f*@tE4Q6Pc z7mqE##Vc8DR$qh#IkxDJUpc)6?RTH>Cj9!QkFl9IaoGnE3Kd`hxhpj#Pcp+_vuw!g zeq=c}Puq-c<2*%0tFDw)(esj1HIVDb=_Y-%!>DWMPtxn%iCJ>TCpcUDX4-&j=xX`A zUZwx@K`~ab`us@pf@}|Q*J7n9?>CqHxA!z0s0<{mJmhZZ-b~kt-$1ByAFhYDuqdFN zUfyiBs&Nxzso`CJ2fy{WKhMwW4Mc;rgJ(==viM|nBrZ|Hs;0MSWnr!o;@I3wA3%8L zrcTRozqjoxg6$bjm(Mr+=5&lbJ48oabZ!Y6MiQksNxI z!X?DK_uMrN<>L(RY=j8Q8jhSPkSWlXo`1f2w=B6UOPA9pbrOmNdmCH)z)cGYg{U?) z6Ciq~y26@@X1g8N+f8&ilU5dLm!aWUCC?7#1+yi59Gj1L?;Z|hNFy*KS#i!<(9DqI zJ(X@c7^Jy1CRPiX4_YSZMBVQ)+xH#4u27S_g56K({c(DQTn=Hm8LU4?Yw<& zO2sFea~)-BVhp4$5?B&?=LmOZOWdy9A1~}F+5%tl6|;Kxj>K+;^nYzyzr#2zTr078 zi8FP1Ap`&tVJZ||k51=qVL!$6U9YUr&oxf*lW=E%^ zl0>0M2IWyV&M&5h3g~R-JwxaDkkEHxD7Q<^24(@dH^Z=S4e{!NIoifk;CN`a_GfNg zl~@49K7T@SvG4To;KXL6o)-tJh*TK+q}ZGy8}Z799~R+ie(drOYaG>ntBu3{@@i}# zf%wzmStsNA1a*?H36YIWuD%BkrgtClI^L<#DLr0VtEviCH!mY7?l!Tu8(IJCl36|Ol$py~%WfR*W%?|wGI=2a zUvdn82hlvB)J?gzPkN5Yen6n#X^Gc~gK2n_qGEaCcLR+eB`n#T4*w!#-a}eLl2?7^xqvfS1l zk?jSuS<~}CI_Zeu3C;(-Ldj<4^_vr`DZRMBN(`+ACM)MA;oGJy1Bb7MW0T{t`4s10 z_rG)pw4WDTftIT~1IW788>*5OxSJEAy>iS>#8kH8Z$zB*RCkLRU-l6vq6htF#x%`e zpr_9|GfWA0qN$$3+5b|?%yLOc#HAo%pU>4qa%XZ=EQeL*38aE?W9}9*)GYRpKfL;hU;RsiZUsn< zmQbSnBrb@^9$tL#T1USt5?cmVH+DW;l)QRSZ}*B^bohO^zSi!`_bgba(+V&6?I-2b znxY0#N3mU)k(Z>wWcXbDu{T1urQIbIt2ZNy&%4Ub{6l?&C*B3X&Nda!y-?$JDo+QG zaE>3zFOA`$C24n)waj)ir40fo>-=v%3nHj#s(-9tU({873spt%-EbW^=r@v;jMb1I zCMNp2B#4l5oK2-`0FQTmf$(d5QHnvG)%H77RWmo|%h!mG6L2!=ErZ?annJZkjF- z&FL?KLJS}6sbZ-N%%F1K&wu7?ESirM;C7a>Xf!&PSPx8Ob$vBkMH{Q8U93ih>UDRW z#&d&pbz9wPM{s4#?87wK>XWrG9y2QW#ku$O)@D{;4A!9J^o1YS!IpGzwp}MJ_;Kbz zeHUSbbUGjS*XB&cUt?ofKfXM?1r(Ippb?i~m8H>(Vv2~HrhaQ$f!NIqSQ2RkWg;XDq`MH>d*h?g&iK;{3Wpx~mRg{4 zxegj1H>l_r_cuQ9-fuixIiO|WG_3H9ewE-KN0|zw@+4C9$03UbedG2V-9OPn>%;=y};%B9jqjxmn-uIj;1!VzCaluvN)RCI{HY`s$0!XTv_eh%Nz^e)gMJU{+Qc{Ok)FMVf+(A8qacUn?< zy<-3Sqe)aub&V(&^UoaPr&TjobuR#PdlwmudaOw2Fe7WtwLb^;jmS>4l4p@eiXXq? z^M0vYWLIiu0(3IHP+8_8 z_*1c%FPN|3hB?IJe?%(~4Z7-nmCmUOc<^+D+9}UgdxCd8Z3lJ1VZsBQM~+|}k|w@o zv0+$%qU+92$;s)e^~-ec+wIeAl0w!zZU}<$V<3t4tkZ6w)DnLZ>!B>ZJ_*l! zXi)yl%5ff00&SMJq{&6sMNG%8xDU$3mk%uwEH>yM&?~mFxGYN&<9l7Vc}2dG`x3G; z&SbEXJ*gc)9I|8XgBNMeH1!LrX<(7X0=?A0G_e-YdM^Hz-LSsc(hBcKN0o*tDtBx^ z=;kq{SlMy6_M|(lTNXuQ)OcL5t6as|dz5ETm6;hV%%l(DIqW0gH)S@rm>S@x8JVTN zaq~pUquBrTipFciIMgt%$!9nx6E?mHCh=xl1y0o=aZX!3_t@djp+wG9lmJac9o36N zRue>_gtUwB-9))A0-N~Q`1X}Uyxc~JZCMu?@qv%S70vmfEY}Kq1ylR-M61si*Mst+ zW)D%6zvryt#0!hl1uE`s{XBv9oZFG=FZH=K4F)v7r-OS8WL9y7gjxt~r!{YiqR3Dj zqb~G;f@Gf9FWp&zV>7Arh)V7--A1G&)Pu?VDCo!Jx!h3TBLZ7a^tU0~Vz-_450u|7 zRLzb$NX<@~mR7vqNGKkspB)Lk42a9}_uuB|CK~P0aUN4=4L>f;Zk)5^e7|CVV;diPza779(Xk*YgiTv@$o_$w~z}t7snd^)RW+ zC|-i;oGCPKFeLKeMWLpe>Vr6nCF|r?V}`1tW{9GSqSeHeMKUF$xMNIHKLnXnv6H-v zikBOk{58CO+Q#%$v0S+${Rz(26QC>`OP4T}vl{(PKP8ekkfX0Q@EF8xe+k~|H0Hji z5ux29q$eRWDe)$TN2m&c5Hq7UjLk{0sZ*yD6Y6=ajntn)n~I)lrRP7t*-(uC%BRyd zc4v*aFb$XQYEyN1@?&|}~8vpyt7m6zgGGcjP^i&gFWp6UXLJBtWW zJzPc~G-@7+O+1b#K~PZNsTR5hjZ=Lu0E|&0B#o#nGO!x|)@`c%>{W zy=nI~Fq31YrJ?@gz4qB}U)9tV&+duoZHB|QB!l36pAI5!6_MeG+wB8K-7a%oE>B(! zAEj$=x>`?oi5K+@De!=gMyIE|Mmf5C_7Y4LU9nc*PknwluiR+d;Uhy2vDb5{!-`G=b*P4A0apF<5` zjUgErzf=nR6=iZBq z3+a-rFGYHnq&39PzLc@{aD(4R6nP;l@Aym>@8Vx|7FOOzOJ`X6IbCk^_5CCue~{s& z;kUuFyE#3Tm_K$&Jm16~GEW0QLI9uqopq~gRn@|+!s^c{WyjIT?tZ4UL6Q&7WhhK! z?+4S*S}Te6aY#Dwd%b-vnF|k@!Y0~X@W7Pk1sgXf4xQ&N3g^!M>wD~a+*S#@U* zIUPL4xK1E+2RPvt`ll0a zk}iE52pbT7ccr7~>qzn0UY=^I7*73MEMG>;?J3mx53(7jm znixfAN_oe6zMM`MfoyVV6BL`!t>UE>J^ElF=hi5>zf*R`w+t#Y$X3F)ixC z3jNiuO9yOja?#Qp+3DU|cvYy@zh!kE=n{JpoM>gUuCbfcNB-@N9;!^!4msSt-6CsG z{c~>>(}1qOERhx=xsR!jK2vA_38iYJY9*%!IDTqRve?U(Iy(g$%`a_z-S zwf;a_;VD8??fkl6KDrp4(rcuq=g9ljfhJK?e;^Sk9fzk}Xc4{c`l85h|6G4_{bsYm z5u2)lN^kSAsWld^8$^AlXV){@$NqkDOtlLZEqV~xpm0b0JblFvKf8_;NGx+V3q)d5 z)yr92Tvn1W;jg{JI?}89buvL1Xqw5zjygn4ZO5mL)0~|bQ%6|R4t^tjS;;X!dXzqR z2<*GVfz*Y#Pay2OV52hNdh=(>o$TGsZ-VfIVa8gJi-XcCGy>NobWaaMV(G zT6u;C0HWUY8t5M-t9(ypibDz@!CPqju9n&daWekSx9xnv`2^Fm_J=58r~@}bXb3`B z=sfRQwKHAd`c3(fqsKF#!T-nJdqy?YZEeGVG(kW`inO4pC?KHpj-p^eP-#*l(u?#S zARq!NO?{lB~KF>Fv=RIS5KfW>E?>#><#vaMq zYiF%F_ng<7Yp!cD)~#lqqU=Ppg|$~pQcN^tYQlhupLs(gdESbc~pDG?pjfQAhRM2EaEQ z=|81i$@{{<%+7u9yR%`-lUM4*^K` zu^{XNSCAw5Q`^fIEEfc;Amh%74c-Uvt3SujLhBwZDRs(MH~BB;E6X_=X(`{n<_-qI zPQ@IJgX0UFc>VArZ}CG;N&^`WYDg`!3<&Idcg%bV9QcESaTsb;Q8$<(Li zC(lL4bT)&Pg`kzOor~QMb7Uy$qzFwZRyGd!(Th-(VyOqMa$I-ZON`1e$scC*514}@pBH@ey7KB*6hkD)+4IDwL##mD+W&aH*DRZEsvYs zbdD!~*MmnGcyD#my#BKG7IilsX)P90+`X4F>sAnlWs-XS^ zz)SK>Y1Q5W;?q|E8wU`a(}GgDLnohxcsPqZz{TcK$W&;xnBQx&NK|Vv^)1YwcJ*YW z1I3utUA4%ZUM$wsGqmiRN!z*flvkIGgX$}ZJrYwl9ZTwsUtr|< zY6FoCmvhN4owF0Kp2|$zc`V?z@lM(0ZM4PMD(s85_7eb`!ra$KJ*LE_H(?om2mT7! z#{DUaz?-j4AuVhBCpkr1L9G}`iP<=crPm5*FGB0K! zvk1nw!kX2of773x16A8;1?}n$V-Yy}YA<7U1oT;kf5D7s*_Ea-y7gNUx8+oBwr0)= z09%?41NPcSzp3xCUGy-Z;{C@pY4s8_|aKv$dBrvz`n5N&us;WV}4 zA z1XTvwU3C3K0KJQxO&*m^dl%Y!_j9yrsd?8rEptyQ1~tf0nWP+m;HfVyqU;QG=bT5U zNB{)yMs<|;iG%-O=Ih350WcvaBdhT~?niB;BBUsn>qf=RAz3Xs%uf^Y2@jK$@dM&IE&PYi6Yo!eQ~duzru@MJGjf#5&qiz%*2Yw*U(BM;le((Zow zRa9Iohdf4$rF)|S#tEbFK=kp^IMVAw+t&&NVyh9z|L=DW+~Z!EYl37$@mQ31AaNSy zM-Id{pyY5Wg8PIqB(I0`9@rM2Ds5VD8{&o|O;&ZUS5?HlhO?wLm+rG6c37*SaBU9aTYHxPv>55miO3izPuuBCdvyGe( zIZ)G`A3HL_AZzU@E7cC|w~bhI`umVCp3w>8`TfL8f_Sa%3otPznmrx$G-Lc5%s+Nn zuFJ+JV!8&i(aG_m@;Vyb<2(>vvLCA}d`OAV6JCh5+KMg0*d81-tcoBN(PvoRmU#M^ zW+cbdiFSNL3|m9+Bl19m?XmaKkd90H69PA<_Zw8@P;Qx?O_~Cj(Epr}!I}t=Oai=s z&!(@YzC(zQMD?l1s*rvFzw)hU$uR)1A?;86Iv9m6@d+3rit|j7@C5*+aj8zfGh9 z8={8QD(p@KpFbcJf^JhPm4~I$|LL5;SD5ry=E9qx%pq7zYcYeinQ-U!qE{+tto>#W z9XUyD*|t@}H|5y>bJXelf3gbh^6mHJC@Q`Dbf$O?S`HJ^wEs=v<9zyX{B5uMk;4yY z(TUX88Dw$ss**{)y7d7^R7E0KlGf;A0YH7KiGhrHHjW)kzb>{tLT17iQTq+v=|(rY zf5xO>jJ(nBytSpqH@6-I+CO(d*&NU`Mh0B-0ckP)V9x~7LBfG_kXdD=g+SMvxA$~2 zdAy7zhGCT-ri`Yo!55_qX_i#{ZQ+VLJK@;`>6nm|A%&a#5gvB~={y@CLVqY=!-W!* zNkRlFHPPR-VI$BHoNx1v*GV`AU?YTPH)-hB>x(%{T&`=WwS2{Avq`!gt(rw;N1S#T z2|q|>{p^2r-xwVCeKTaCnww{K_hS_ZlcHRos_Q)~<*QtwqqWv_#og(S8+g)YlRwa7 zO(EQJ+YoOUpbKztTN>mY%op5TT&JwmgCl^-75d{DQ*$XW&Af)uTAMXLPu6Qp5h&R! zMC4YE=RHhUhm47~6K;G`4PX|%@tQCZpfxnmiMF~(epTyPuv@-Lb})@yOTXe5+F6&f z*Aqu<*mfOTdgYbNGtNGFJ}G{C?uLx{xtyDnTioolSvOgM>MW7f0^XVctT6s3WvW$O z15)U*iV^H!b2>zj^^*{LP1jsNN(uJ9w1<&q^$Y%q!lp4nWY$5~7aLcV(}9|IJe2M= zp|=!1FCO)46SLq4(Z?sBM4E2j%vFIjj!ZvaI~2_M<}<&VgCy?_M3w0?Jnc8iZ#W|D3uc(zo2&9Ru%f zIcR+6)!Ib<^>IIms5+liVCtTZz9{65%n9QuY-CZ%=GWZ^#*&F^Vush| z!Xo*DRJo{O2=^CYPJOE5$|s)-#Cv3H_V53iKi_uv>W;dy9>Qh>(q-UW_hNi!0#lPn z`DfaaAmqFK>v6j*fCqZnY|3u!iH+ZJxFsIFe=|U?DR(Yn-{Wr8aS=&%JF*w;?#AyQ zT>j<;*Xab?EAxG{{3_ew(95T^Etk})kowYb-2E(Fb-Ch#_I?!Nyc35fef*gxuw z06BJa_y^>yhP;ojsbf63&jWcumqhiQo&sj|tY&5|i%O}%jG!+uyd~Dyp>)@rN#ARn zH(jiAA~$P2cwFj%2So0H8#ia{Un6K2LOdR^uO( zn~$hOp@^mkN=Wq!A?&bYOiVV z%%a{N(Xoq4|Gk2;jA)PP^Ct!IoLH~rj>iqR58jp0r{jK|gR3&LQ`Oh&%>^>4#vOR*sitkgmYlNrNNcP-ehN z4U$xh$9f})=@w+h8Y)sTRAJR|8M%ET<1mH2-S3fjcDR`2Ioy)4a*_}P!0`J0ksRh0Ej&-?+bg%LY zZQks613N7xIlvP!M*i7#{r9=Wyv6RI3WnY?v8$_EXj1v{8>3f4!51Mk< zhKhSQ*y}sKeeX%Z^)UIu>kSYFQpgO0=*6fGEG^L(zQKb{azZ)#NJZuPVe_A0v+X3! zaSoHy-W84b6my)hQu@sz9>Ero&4zU!vKLw6XI@9Fsqo~=dopRX)xQ#o?1Y}g$m}7J zKS}suXcvm~>*Sr4#%%i*8kZkvB&K}_noCoy{d(oQJKt2TwhSbt`5yK0)|0mZPSW;d zuKYroz`!yYFCP*~3)#EEO_(AU5{@(yS9Y}m4|Kg}4q6^TC)b;PAx3y5&IB*73#)B; z?;0nT&7hxkunUu>_X(ta2lQds%KU(>`jZ3A}W3i`7Bw0LP zq^;uem5rdnRTyrJ&c7Z)wZ3jAFs!)R8;$2t;ToQ0i^wcer8l6x56z2y?T;P@%H&ph zSF{pL@sOjls!lIFkmGy)6TShh-Ch~%0pJG7SG?gRU5u<}OEaHP1W={+GE4ZI6d6+x zUN%jE#5b84!h@XlnoY>ROldX4QKAQLitiW8W6d_1o+er07{~YL=)1S=)okrw^4FL+ zy`4_~z8rO;>I3gp4v9--d1s~YiMC`uvGM$HN-o6#V}&9x+=qF{W8q?_p?G{B3^Eb z?V@EOws*AmpriqoUGhb_+C~Lk#Up7D-}6GjnyH6){E|_itZ@e2fUoW1{08sXBYv%B ztXW#-5QMRpbi&rI7_rlx?NGB@1u?(<=5pmE=?qYgA`^8nIr;O^RTIwKB2CR_yuv*6 zI5Wd88KD)qbUFtD`cYk~H=WMc)J%i^J~cgQ<;Hk1z4o*0@S?5RFQW#+i*-?pwdR_? zURf34^sUO@|Dj;vq5g!{SG!?R{sNi{Pc?(w$gNe!V~O7%@{1x3m~0G$la5G(J+|<>EiDf2!(`n7Hs(GM?_Lt-80_8+GOX1l;D%gTTjY@NRA&AYP5#W%sIcgWevM+sr}8BYaMWl-^Q_%8o&n+Dc^(9#$)E+-gWQwD zgHdrTh7&5GAxT|VUI=}T%<+WALdg4WxO5d^(UEbIUF`)h+07e$H)}TR`|`#N$kEDK z1PIBA55gkm<5rTw!Mpy#CidH1>5rLU##4p{$l~b%6+bZr_uXvA&mE#gmIUn<l-G&mo+|K)?(Ts?SZXOgkdCiw*2Jt+Q!+@BlM#pEg7W2 zCf-k9E*c+=njb2)X~{M()aVG+G4!gzos^!N0~L6#joTk#nHn57_Q(CT><@ctDu9Yn zlTI5g*`tn|8c<0=rp#q)IdKM$xJBFUgSTbo4# zL)^ZzjUd!w>GDrTWnvWkKHQ>SUwrZ;Lo~v5#F|fWRwb1lvBR+RC`Q2~`Z z0xFfpVc=PSha<cUorG@s6Q`hV3C8iU@+#z+fKQucC|wvF zwOJ?Qul-b%xW$4@CGFtQZmn|Dx$|k8YrBaZja4YcYZHp1$}3pzy$Lj{T?NVU@&@a4 z-icFqhPy(4_3i5~k=*;+wsX{5O&80-@M!;K&Ru(l$rjv0D0#+}Uu^W$4E8|8K^~68 zFQ+`s47OB#vG}sv4ykAiXV}t=0<_=0eqmeq746b6LHh*ri`>pbkA-i2fAktROR}ci zS`w}@M^US zQJx}5z^WV)4W(Pit_s3wRsOliw{A$q1CEAl)=$s8^}1~#sr zP3Ntgd76B6-<9}fFA#s*Gut3J@vAbq-8wmVY1tv9!b2D1wl!4j9{@*SidGB;@M5MD zVhv}lpBdr|?pl%SuByJ&;OCJL^%hGXQZakGxC2-|tyVA_E`}H)v5A*e5wfYjxNF89 z{T+SPjM#w{$Lv-`RN-6Pq^HDBjU>8k6!eaaOzYqE-a?s8rBLS0H%Wf6?se3|B1bnf z9WNn=_vP%Zjg>cA|V!nRV^Qy6|vw{!umkTvW;-X8H0hJ6)q)iJ5#?z+7(I@NxpS*>sv zr;bT|TAB^-5I(-XcvUiF@Y2fQsg>wa>|tx21-?Mxv9nYpi26q&qr&936TO`xy z-UMx)0j)IISYCMV^E!tn@N26~|Ko?rs9!#~1CERyt&OUUl9q7%kFi$ma&5j)Bc+3b zjXGyog?FS4ghd6BhO@+)UHyR5nlIi5p#%%f@3bL`8VkF5(6^OU~!jW6Uw1B{Ld$sqAoi9)lXRkkk zT^fv5<=mU-qJ7)Pw#a6_VgCGLs27)`FzdO}%&2rz3b{Csb*j$T&1Y#8z)>TGzTs2241cYpo(FBf~l{6RdEc;NP+53Ij${NuL=s;U%n!CKGn|FgS)x#Q0V z{PB(L6QEt35ry3Or@+bZe>|Cz>NGt)zu@4*f(QTR*~O>n`8A$1@@r5DY5modpOTVt ziCX?4+vz{X@jpD6U-h#T(C&df@KJ61yXh5v{-88f!Tihr<9+{lP~|mX*bi?8@tn?+ z{i|s(H8u4|*3~O|SN=H&h+AO4z$|Ndg| z6VUF8ry~WSJ&OC3l+VGaK@BKr0MeT^acOD_)SX^7gYE8c`eRJZiu4KC8Y|--eCsaZ zXz|DmZBbKkgFi?yl~kbj-*^Al|8WrqCMcxt;L&M*MtTl~*3y^HmGUGvV|sWSifjlI z06PWHK{8$NE~(Mcfe`pY84NW6m-ugZNz+h&w5b4BefZyN4mC3{hyLOQC&df|6i(Z6`;PK7yj11^MDYwKF90E{u_NUVg-c#jr~8urlO|*KgLe|N7%o; z+W#d^=|95$kFfv$Y{q*{De8vTD#IMq{`6kKb{AxQcb8PF{FS+WZ3i`1tCH}RQ>Qw$ zl?bVR(aj_DBT#7Lfaa5No=5lh@n1@fZu|p$h__NHtMs|7*mDKnVw5$Dyg0J{TXSCK zP&aD#>w4Rt2~Ihm2g$M-S=lI=Gq*^m^N%lf<2t{z~ zS>QR$7Tm*?{dJ7|NJPD?KABOhNonlB@Zvv#65yAI1;sZhmu!$bRcmTG0zeo4g4X^* zjQ_kyHUyAkX9?T?iJp3c0Z2;2p7i6|$&2Yw6oNE{Mb-uoYX_2U9^x1WY&2r{`l5Li zssoH?oc&Cc!83evZr^GgU7-`mSKMd^H10#kXy(!4xB*9@m<9?!rq?Q|{+=!!F#vlX zn0|Znzn?(3Hj1!NxHzd9FHb+c5j+E+ZPlAeZxoBMQW3@mu|8;walWux0(xUe&&fffb4 zoKf~R!^G!uIHQml^S4*&iRG%sHyX6M8s#sM9MvA_dtHZbe%uke9lJp6zv^qVHIs5F zoTuL<(4Y467Tg`HwBjDU+^@8k?oNlm9XMaPgg@%Q5>OmT2*MAjVHyHI?tN2hyk1#h ziCBUZHF0fYo9`Beo22FJRlzC_);wOm{G1@24#y{D2u#D$#Z3E=A9}#@5(%i8{bN&z zwsgQ5x_?=qeXgJpJzi~#?*G*QJxJ$GS4sKPhW$^bCV1{VCqRv563U?J)ITuy_ZwAz z2VjGe8HrQ;ck90fYJj}t#?9X)92)+PU93`30?f!yAC~{S@WX4?-$hHR0Dfi4&A;Oh z00s5$x+hn={%r^Wh<&)lkNhtFP^s{jsSOrA3-n5pcqQWR0sXf#02HA3UG9WY)#?1; z*57UGfyj#+hi;t6zZ?AY@4-L(&*1;xNj{H3b#7Gxi9N!!uo;+~D{0*AZnKjIJIEPl zYSGcsKC&Ao_(AQ=DuDXl!|3C}+T&~qHA3H$0YF@z1}Xm*s7E8fPZ$lqeDU9fjHDR= z4(9X5fW`!Q{T(v`itJE*Z1@~!`R~@wQ`i2eH1fN^&Q$te>ugmH`rpM$9>x9JI9)36 zH?QT>09-$|-haC@Q+}XVMxlr7e+SV1TU-DThy!Z=4LIs@<@4;{Z9Rg4UPbe+82-D# zSDyw34}=N-Gx&c(tl#C8{v-MSsQurD|8JY}&sXpt@BBKD)ek=2vXq6&y}fCE>1~ZE zH?23;M6Sl2qje1_$9oM4Q3eW-hfmf{N1H-gw~N)xSE>`eU;ALtb>f8dwbJeCo8~=e zpEnL(q2DnEvOb#bJ8Ns=J0l*l!+Fi6dqo^s zLS&f3lt7bg)lJ2>fyCgtmE6`8=k(L@Dz%);7Q}aY=e$V3o->&>q;Shv5oYzLEmB1S z7GkT0%fRe!o;W+R5Xr}uqI7EJuTJi97P0Cn5GH2L z2WG6RwHFo%);wo~_B__O&Qo+pL&|~*Y z;14qy5fy6qsPHlsUS{F9;vC+m&7I`^35bT)6-4DiZ0n(ph56wr2YI)7lXM-HVU+(B zqq(xL=r0zm^S^Rw8Li$$B#DJtkgc!JoFsOwzm9MSYt6UmXhC2wk|pvG!zX{nz*hwU z&ri~w?tb*op!i@HmAlwL=Hkm1up00iHjM3r(eZcu znu0)A!d#%ro!+-%TFvbP6*mgb3CNQsc;~|g6wB=&GAjp)@*Mp*dh>Aw;jOqq{B`n_ zt;G-XBAHw`Ep+N5hiI6_iLFNMqHv+L-Hq?2i{>X0t%)6Z6__?>mGfRR9vbPzqlF!r z=`5|7(?y$~{b~>UAg$3cD6nZQmqQpRgMN{2_f99{{6xC3#kOnI54J+u*7r68Z@(P8 z(BtW#qNGx~bXKE5g#=;=Zy>Lp>=IA5V#RSFme6Tszt`Fq%2*k0k)kwOCMNgHG5y9Z z-%rVS-i0k)Vn_?vIB{8^yX5#<)k1mWj5o?XRq(Xr%c|IiImjKf3zkEfBRWZ0j3rbp zW{z83B|t|lQ*b<$gR&Eo=-`CxE5I(h%>wCuAvP)rW$wnwX$KWSWC+QGSS$uX)xaml z{cx$dt?!*9!@C3r!sB=HeJ`B}`*JwaFik$#G(YtADkiya_YBWZfTKgpEb!qeyshRP zn*J>_(Mt0;Z4|q@)2soW&t_|Fcs@29$3aG?F-%)oRD^ z6IYofFu)ySD`QrW)2dG8Ez-9s>YP4eU-4n6`H}we8-&D|#8W@?MFw8V9t_=^sDbtW z@@ZUy&vH9)matMl+|Q^g8(s|Z-{JNS=S3PoC6|p1c_8-6Gq_-`pQD5yNdw^xs6f*f z!?6*(KM9MYDcB;vTFx!riE{<}-YntsydAAONKy97(Fr6Yo*TsV>;rdHy^15s+xgbB zbabn^^hMKY+Y!%bODRe!Q<2iMQ2Gj~le0Nm=L(>!PX)h>9?-lB!j}zT8Ec?+1REup zj@;8}MI_1KBf7F|DJsVK*zd*j(a&FE>}?DQr`ZZOUlWaJ*ju`w4Kg#kD|#yLjpYZ6 zHCi{oQI#7NK)Ls-F@uUVnHofDU%<*HiY0^ew7uWK(Cr?-I*rr%fguyX=!>j@hl&$M z=~^?U_1C7S1Fok*c3)0R{<3XeLApX~xA6M%%THyc+%Ink|H#z}L`Rpd^dE)1d5W3H1!;N~+~oAY7{c{3s*N3LpU^=$2FItay{ z<|>Inhp;F~p3^!u4}2NLWi#qz|M`X9jX~^q)FYm5hX%U)cyCM~jnZ)?DyW zL=J@#ca0JSHxIcdzD~pI=H{X%X~yp^PM$Aml9m}#D{H*f_N61Y<-4|s;V9R+`WZWr zhRR8Z?9mQXG)XL-J2j1|W|MjT5Y$oM_XY)vPrw(?beyN8B3(XOSo#OK59o-Gm0ZtwrL~7`l+t<8La$0VIF5$djdh^1xKa!nFPiNRjv@(sb(BvY~_K z7=_tkm|I#n2q1nC_%TDo?KV?qu|$TFkP4h$W)(`kW@+>m;M#1DOl2QbzW7cqlRvXr za%3oUmQuft-Q|2OW$k?M?rG&Xkq`Cn#FwB5I@h}{BgWsYm@89@~$x7-g81S`k+bN zV0F3<4+kBYJk$ zla_a~T&b57KHb{Xb7u%R-Wc#C^F=oNVZ&M|?bOiieUfKZc0F^(XDABada?UU z41j~y$EZ{DYeS`Ib!K2#ikmh<0o-7Q#bUM~MGk~wt&+b}UA&Vk{H_LSM}e;81fCGX z!I0ijcQbTy>U&}6JmbQ>ui)*yu{=oc*cpm0x z#Jt^%&wPVZF$AFCV`U0OAdVy5~yPCur(%bbU`E=Rc%aew&qMK0KxbML55uy(Y?7X}e9 z4~vg0Au)ZS(_|M}6JxfHi^LZeWXuXXRAlCb>gzz=sj{`hd-Zq&p!YJ_i8h;|(qHr9 zw^aCOhx_cHs%PGsaY+zf%5p&88s3_6^S_I_xpO)oBH&}x3BR}jG8@s0##L@NO&A<~ zFM@kWGK;$U>^vSs_jwAU#VXZbk=K5@k?pEAL^{f#6#_Ge83Qv#XIPP7j(hxkG)nG5 z7zlFZOaQ<7hZXQo#E75?=Y9E1M>L^s`{l9O!WJ7M>4h&jyEq)P7_cX-3FoWfUN=Vewzob=-OPOr_7ciI$q42?2q&xiu+njw$xqg&d<3A1}U z93Ml>#Y<8lPPfyP70y}1G`vv0i*uz|frb_s+M%UoZ+Lzmm3De%@p{GD!1Wq1Qt-^I zzs`g{p~>dG+t!*-qhQ5i+jsZsO?n0IO$LZ^Y2lV~cDjOX&ap?(zH9a3d{_lOjCak` zE8D@24h`0aQTMm!DsGticdH#kZ-bB{CBsg>uZvWb>A&cIzSkMGB<&_b8wRyc&+;k$ z_!?jV{pGlwqm_qc5*^CnEBV7lr%t^~OH<{gB;(hcUo>5!nliA6Tv-IlVjKI*n^{nH zu2?{^o)M&`kXy|@uWmHULJOXw>`QkA+bT)3@{&WfFV_*rgM?**V24< zk9SwQr&}{nybLl;NPiXZvr{{3JMmB*WwRsQbl&l;GYz!(9~NVixeFBR@=sJ1FqK?( z&jSC5dlw%QPw>c0O>J$#0mVJd-5K|Rt3ZjG$AQ}+per1rCJ)Sf=0h#5t*`m+v~k2I znfcxDMJF1>O-@c)Iys5@0{L0-<6x+g?_!ipoD9leA|*3Zo1L9KF7sqRw`(8}SFtpd z{Wt=eBnH;{eKI-eWX=y$e1)8J!3=y1a0N#l3-bidMo4J$JbJ|@IA2m`DXr99Vezp3GxfPd{J~sA-dPtb?!h^Q^}+g%&B#4?Bn;oyl@E?AiGsPb%HX({HleF z&FjyKyuPdV+}0=DQoD@j{3~@qd&6zgl5v`*1qn*t{*^9U$=4J-t)4%orr&RD_P_0g z*(LS{?@VP!ji+yr6vzlA^2pC@eB5kS*H5}IMy&88Wc5( z>Lcb+9~P5GNROEUjM-+Icjwfk%sdYQEvE?D?7eS5wHDM zzhn=n2iTN8q{;A;gg9R;K2oem$ew{r6k`tkr&Q}sRv0DCO$3 zRq?^8T`Vk+pPO!TiYpjDuCR#{z(-yapi__g35mX9lTjR-XD=p9U!?t6jEpUg={Cch z9Yk=crTSbarkTuQ4KVcRla}vSn1h}k2;te5kLcY=Ba0jbUWP`uAUPiJk--4J5^%!^ z%h6EE^Gr1!1_3!e0q9y+4xibU!G!4+-IMX89(~}YdGZlqt(9;j@@U0$YRG^rJq)@< z)~y>L{8~GF(jJONOW|H?DkdDTFkNNsAzdldf8$jl^h`z2Wp;IC${9RaRe>|~Zb=#O zhS&%HE6hMrWs@1}WV1%4mgBP;k`ThY0jm%6dW~>OCl4ZTr8c<~j2L_@9>@vtj!Jr! zTJEmJ3qN-%F(%ypCmuRUcw#K@IlZdAYB-w9=%Rlb9}sa~)KlIYse8WQ7H-F0t2gUv zlzt6VTkoG|l52ufN96R6KCb8**?;w5e}VFGdi-SSF_!}Sa7bFc^Nl>Y9&LH0XYf70 zI!>l1X7Y(YZY4ZU?~Ld`VszCSmRYMB`1*N!5Z60*`7rXJ>x#y_rRg=o1G(P=&~dt> zdc`j{3i#3MUi!*k<*2Crj6d@x@j<*_*~ND@(%CWR+o&qNtz*R3U5*qrRo^ zDN;ol#v}g`d5!1ME=nw;UJwEXsIi09x+ZpZEH{1%bbUWHNnEyd6D0>43XZ4O*Y7Jg zMLXE#!t%%Wqz+uhaJ2C{bq-GOqz2Y*gL3c}_b;)MeF@p|Au+>^2SbIi^^RAbh^0vC zz|@Pl9u8~r88tZz5S*_(Dcq~O)sd;KrIbLN-`twF+~~@V80uYXO~kkM;5)(x>TO>~ zHf3F);UYjsAADMHy~+B3hRaSN>f4%CA7O2#nUzjUQh!8N{2nf=Th_?cO$e`+m{QTB zBB})k)q$=hVF`-?Pfv1`pzS6g54C`Sx_yh`9aUG~$`QCia^%WxqRJC_aD9^K40pnw zp$aEa^Ttbs5wXWRZ?s93lmENw5t z#=|Z|!&P@pGA?H~4@R%cAUPDq^-#xG_i?(=-~&_XxE!6H@f!sDAEmL9>CgEHtIWab zQ@R3n^;wl}4?iQCN6NATm%kHXiv>g2*$QNR1A6O51@X|Br5(GY{Uf;c!zq4I=r|H` zMb6Jr@gnr_>3z-d?}BdWXKu|E@@R`E@O&tvUA#5+tMe3H{5;wxBz6&|8*2 zoSLg;?|Vim^}G*R?<@}tAo8DjFTB|46-=1Q;x=Hf z^H;l-48fN8i(M=}ymhbf>s1T7atA|s-bY#&5D!FRCN5~K4XE$NU@?(XwK{drh*w<%t`qwf`xyu9u2P6#(qtFg|a4_g{s)ag3T_Q@pJ zj?Ehr1mL?rd(YXbe@32Qr39={2lTdJJ^LL#pXHX`g<9bc(7=v&@`w`Zh1 zh+fJFtehGqKFTCA;%U){_lIw@D|EU>bkIl%?Z~Ti&V8mb#KZT}gnF(3MZA@>-c>z# zX9g^p7H$*Jc@=**Ko@Ij79T)J#<`Dky>Cb>7tfu&peh2RF_GzJUp5j1%u#0$IIO-%Q)-y0OW$mejpB%Tl`)>yH2Fbmy(mrU z)YzEM#&bIR8v{|)Z=5}pE~wWEp|64lIpRV>86kS6Y&@m1xd~luv;8o=RdA!@S>*5K%sj#AKeWv9$Evj}vh+%4TZ z-hV%n*S!C$+#Y4ciTCaq7&?h?vb*G+6h!?fE3svY=kvwm%lyE3&gjKDxS9>u`Sc=LB8iF*1= z`0q#(=f6gh$P7OKuLn9c-VnoAkG*F_;i_!*5BQ0NaZ)bo?t+^{^8Q=4*nY7r3mVwCbL_7+kUwh{$H1 zE6TdzlBcXrkAeL$9*Om`}#o5^K6*oTY{X^ClTuZWRDA)<$f+@6_dp~6VK zBs-8vFDFP*mu2trI%O^L$jmrHLC*6Js8b;gOO!&DDa4=2#ryXN=;|uVT&Cq0n`0R} ziG=ZvCNv*Wm*Y5zm${CDpE{HbV0s#wJi-W}{s zv8)u@uALc|^%#FKns>J%mqkx8{q+(et7{@lBR+(#;8fNg{-Dh*0p?Dk$ab>~NN$K3 zIi#wnw0RDk?MC6xda+zplSv}eR#=E>Yk*34zU2Gwn`NXvWL{YhcoLHE<6J=)Y?Bt0 zcO2`})$|<^l`_M6o|{2`z~H@C{J1#y(y#hw-_5_=r^03-~ar^ z=UF|!7wZnegp{R`MZq`;ZLKyz(Y|XH@IJu`iIq5=4(25FyIR;ujhM`yTZv>Art!ua zQD-<_clZvi%n{FEYcp%??a)~V>`^nTYMIIFtRMEs+ZW3F zEat^UfYq1f4GV{gzI;y*rJmg30!%}CFZg$O3PgrQXyW+&@b|)E)?_LMleQQXpVYwy+VoW7c@Y~#WIeZ}77jP~XriJzW#hX( zd6>PTg#NW27C7;=Hc1q(bT5KS<$)$VRl_ZyD~nB=DKF`#nITy2UB`E+#HM3{z>lBB z1%X`3O*438OOuhI>ovKA1DkPM3$%yla%HN#xPFIsTlA{TQ`RQY&*=w#Oa?IR00X~D z`}gjJmb~6qgGFC^a|{U%oY6lXyiLyPaSRln%S`w2%HEw;|9mI-P;F$0)k7%oIuDuU zCjKFdiisRg`%rApG#$23$;EPw*w_+48Y%Nv>3HtgJQ&=nB=f*9L~0P!RauddZ$sHR z3#^!b&R6d*8=v`b!@JQs*!Ys+@G5O+j#>TL1bK#zZm<*kP)@|2_9%mLv;YWhr5nxF z@#GbUPw}tCFY+9vpTcclT2+Cg`j6SiTHiNxA5>4|LqGrG)v#2Iqgk@_ET5S)7RIuM zg6W?q$)^$7p81vhghg^rP*h!^rgyAwc69R~kSq^>8p$x)(e}ukAxNU}sa)9DHM7a2 zX9sVn+_71sVBLN}9l&=B)IIYn7n6%gD><5S7-k!f3m%fHa&fPMSv;6#4xZe-{!9vV zbtGC*R%6XoQ`kS>^hl-Z?kDRjK%PieO?8067sNOWP@>sCm8ft0I2dc|X6^U&xV5-a z2e*;G^wJCN^HOnoHlaC;VSkw1#1!gY8b)0S4@-`l6zmD%kUX#Jx1Lc1zqOfpGs8kz z?m)E;zWs|;YO8L=CjR}fVBF5);tuwnn^1I|WGXEYrY`hBMX{vJct`VL3F!0wg`CGL z-Q(pG1HMaLlLfOwY}o^(P{^7as`b$+k=}%XXA{WfF27e+R@*zBSq|JJ-}MRGe6r7y zPZ2gH#d5i27o3*q=kM#WF&iG2?_qrAT4wQH*3NOz#qj>I5)@lkRVthBQ9u?(9a$5E zO8_f4#JK0C-4CeAy(U}JF=;47Q(rdQXP}g*&`?vD0oy7Qig^9L`4dgIw&?)MW@Uj! z|Fmj<2kVly85W`ZL_$R(F>+Ssc|A+t0#!?~MqCP)igZ6{+~51RDKd0!Ghy-H#GoFK z7ppf85EwY4fr;z=+TCtpj@&i>Vzgs`JTE8b_3S4r7*cjhf3+3OgQPw9!fsOkkMPjf zzc3|Df->8-XtkS)0V0mGo)F*roXk3Vi{|67nF3(5a;pY)man(?LzdcGRwyS(sOI=n z;6}7ds|{Zl`=ZAcO;dR;ucn(d_DmIe9Sy!By_tZ*O7&Zdv*AMCUimnoAAyaHg_FQX}f=Pq0a!ftc! zLYl`70i$h={>ovD3>S^qbc(8#eqbhfcl=;x#jhybI0>pa zWxbTpx)s6JLujqc%+3nh0XwnpU%N@F8aCLP^?eL@SR7*3*DxXL`bT6xkUib{1y$V0 ztY#n6yl+8Vw3%Amu?%nN%?_EL;>xs&LCKxPgBy|@HYYUA+NlX;vmKJ@h(aRD}L+R*h!W$N=EVqLt%onts3Vibxy1Ssz#}j)RYfVSr4}D2b`vx#< z#1Rag&xs|c5B_G)!|>K04vXg7>mQWVnjmX>L_QdcJ8l37yCOd>drIQsL1x}6zE&mj zp84gVfc*(w+2ee+sRw$uUV(o;-N-z_6fg;waQfQ<@-W{~bf1s?vN<2!W+649^}*(+ z(}&A2cd8O@xib|ve{U75Psh^z-YRDQ2Y3rEar6d~9=ebz42;G#`s_KSk}AlnGcLm~ zYpWHI@;4LO7pxh316F#>iBWbU&l^=@cI-nUHVb%ko;HA9Rc(IR3JAFG3*D{bw{$8}(%o!AN~Cks-QAno z@5#(HGhW_vJu`DZ?{U2EhwBq_AhXW3{vGT8ThCC)0uSVHLQKEdZu%nc6reJ45IzBN z$CH{o_%4n;Q<$aVHoJU%Lb-a8q0<8t2P>UB>))yf5#`p>L`W4na2SvDEhb!tUre0& z#)4yS1Ao*40xng-^K-ofx1ARgs_R^R*s4h#7~K$?6igMiPHmlXPE1b&XwOJH(t*KA zXX)^fY}QB!Czf+spL{^f93O!R;nNAP>sj_I!S?WhZ%c84Mdc@zep^X}0UI{yn5Jn- z==wdUC1u#L#CmC~<`+yHT~~eDk*<%{v#spZFo9bV4D8Uovrab5c*Lv41Tj_pxPHnA5YjG)`D~%QT>m&zc0BaZ-FWA$ zYqW}#kK-*eAp;;iL5%(EqFXT*0Hu|0S2YX6VBHCrJ&5K&S;7TN!f-EYavGQqDdlINcugVN){CZi!j-_yO@r=F=I!@FY zm+$;uhqA`0%{#I*uHpIA6wq!tak{p4+NdZ-v7kaR+Kmuhm)~1H61`hg>x`*3OX(Lo zT!E_C|6Uxdl27UK042y;=MKKru`YLd0P5mAvG-6j9Nr0nwBanP7f_O4I@<*?J`HQZ z-<**xo;)iFwco};i9_+2@Z|e07p`{Z$(*xwBmLm~+yztQW?A#nlc@DTu$uLH;0+cP z4aWfV^@9QaIU-?upoL&$xJD9Qlk&1&qh5n@XQ6ITDz-7`*=QdRo;QI)Vbhdf-wy#M z^$SJ43nn|;48dXDcUNNZD|-rB08Nb_EY>mgt zfMqYHEiW(co}Sh|+{`bgzkLq-5CE~HwP}KyJQfvAX9l31ZV{|v(yzBoyR&5D31O_D zrj)CzHBq+f#*;BE>6>D{$k6TqhZl{%$0+Hc zs31sib7A^maS2f}I&Vb^RZfWgrRwYgYDY}oc|twpeBGA-C!W$bo*&0#CCop;t>S9p z>(FU(K#U&_natv=dDTu4rIYn`xz-PGzFxRp;I&aVhplrRh`a3#2h)Ml!(m8eZeOK& z><(0_xC1Ye^b^<0#e~2^#tT6g|cXAs3WJX6Xf4SdE&dRM~5Hsk9W9y`xFF#|O)aMw^i7IwKx_vP&7FOSC-!C57blkloB4 z&-WY|{NSvMrnU-DMjF- zQk{NnnJ%_))TM%6*7mq1uU$Yzaore5TUgN5Ay0nBgR81!#bKjj@gC)%mN`SI*BD0e z%*$NOhiJ=_ohB!wckPWziI6MGbqhu>jFsn3ta$7(*1|>{3M7#$>Ls&2Z<+dz(|ZXQ5rLrRv7zMJzh{ob*xe>6|YWM8}g^Z z&@HrklDpp3JH*YdvuT<3$oXCTX}18~)(7q_KDMm>?{PUA6reA7#EmjiZvdJ3?m7CT zLxbwvjhRW{VvQks!Hu>31hpe%)G86qw}~J@K74srB_c%^d$*A*ImM0Y%lej;(hx%2UJOYzva_Jjhqh{DkrfZ|tV zlQzSU(dz(8?Y6T)I|qQHPA2lQ)-O-*f$u6_o=8%X$kJyo=^>d7tR9-qLm_Xv^MZZR z4?(T%A|unyccD!Ha>y*I0xf6lWeNm?p!?&rmlOk2ro0_5FV34*J%K;Er-i+}!m-YxFCA`$?k&p@TO z4*)@wU35NB$?0TV3}y7%PYF?)>VjKNWLTsMM#W~xNfRJKeaJH2c_r6Wyr}m$rXBM` zOv08C{7ylPg{k-vPb3O@=lpP7&hZmYH?*sp<)gqB4Sp>hDRfq zYZy{h0JmX(qpE!~l*qTch0?S;>28l0p(gV3Cdx?GB47)Lj*^n!6Bah^?+(_Q1-n_Z zhl;w>V}ih06=u7FAnYldD{V9W)F5B&g?)zL{t8xxL@#FSQdpux;Pr}nnAAZmrE@%; zxh08Ua$6TFVQV}PUiGVfSkd!XhJHNnIy!uD6GmPd+4<|e2k~cNGmg}>pn^I2NhO>Z zZ#y9Df(C2*^WobOyNxT~|gyC!Ku#6_N3t`<;F@Glar|3Cz2vkd`&-bKgU~bBdB0e}9doumaXl8muNOX(ovgfb?0Wgd4y3KP-vxo}Ln5rTX0;&!B#1$6UArqH z3obBEsRo!At#d}pjM?0Jckt!T`MXLNoQmR=icaJ(9w7JxRbqlhFJqf;} z9Py9SN7}QMtJ=FRSzbN{t<%Dg#U%r*rZ>kz=G7u2 zcYer!q%1-(dIasfV4(nabfIJ^;V>Siv&rs2OHJdwIvyXqu>R2N5_-6P-+z#lMEFJr z($!SnJvjZ4!tBOy&BO7*k;UW-oN`50(QH;GMY7mW3HeYygziCiMyZXiP2SY-Y2G-w z!k5lK;eG+pulDrAXp0`%Gvn#vcZa}>I&i*x5;rgHUqc5ULC=ytx_3lFNWhHD;63&5 z3eYDH9@35MzDj1`6>H!bXC4HP??A8kqo2Qp{^{&JDIYhgCg&ANbH>#C5R*P~N*y;) zksZsPNrRAq{0h_%yyNTFeIC1w&YpQF-v}9kRP#~ZHtXZFDV<@YTkq+FP zMJZO#U2}f;6m6sHgUu9vmDLns)v{z>fxzyHzwJ%!k)4Mhi+<;cU|Ut}klN04-8~GV z{(z%59O~+OXo7RGVY8(iYxU>T4hfB9t)~{w{uaEa11p$Cl@z*Q;_USFFvlw4?YgEL zw2=p6<3Pk(P;8|?6~{-J?=~vHy2i--)pJc3WKO9SH`QsN)t$v53xJNu=`E~;=ei&h0Q_)g?A-fLXYQ9Wmq^1RjmJ%V zjiR&omnhYR`}fZewYQH_(Y1;p8nAMEp|Ph9Iv9%09hoem7obdq@0Szmgsu!tK z1I#G~en7XDm()WhfM(#auNT<50&~ol2_W;G@HEg1fPn@-GH?!^nfdG9;u7do=W6l# z=FSWv3v#e0g={JO0kfI+vu*c@0%HHTxN;nvqSOl%<2EOe%k-t`sO@vwGLFAKg`ZJ6x>cI7Lwfmt8rZU+rd@Z zy8n*D{&yDm7xDS;AoTyu6u8HeM_#{S0sQTWaNpb4voG9X5w`93)L&ld0QV5@^|bHY zCQLiG3De6*Q*pgSD?>Zb@%TQ>6{6%cBA;olkBEPGm~|Jx=a7S*J^st#_q(s%;SSAP zI?dSaNw`vw=}h4}0PIkeDv@Ni$*id(Hux@AtfL?72p2UlVSql_yN04>=uy#{_9^M0vuP0O(8~x z_;zZ*+4J-wL=3Mm@AD;_Yz>k0j2Rz6%>>dLha7%q9oS;8J3C?l?vLH0IaC3*y03_` z_OER9=^Y1cID0~)6!~(or7L@x4~6}!N5c*xz)V&jt=u0I+PJTZZynD!NW^da`4j5i z{*#+h#tM8_z1MZ)11t*N9uOcBIDCEmrts|uk?y7Zj0C?k&A0C^;3pDKsMUYi_#XoJ z2O~@P5t4yx4Zu}eH6%LIC!HE4c09dfrtqB`T%N`~5D%}UKGR}m&#K$eddT*Bxji8D z7Y|>e`e9jzqFZ_tlJfs0Juq(NgV;6&g?J4%B(`A5pWLrF4BcikX6!TF3Vvr+cO?sF zuiGZ{`!V1V!hqR%YYAzRzi{2_M7LTww|{dMix5%{w-lRg)@)lREZX}vtlUhKza46+ zQ@RMSH6Cuc;l1k*i;>^~bP9~-`r$l(My3Ha1mH32n=l=4lR2C{32h3FOyAp(aaIKAeMm#XnNQ~>AwQ_yrv$&gYVMFup@kzf`VnbRVKEy z$W@rZTvNl>tFBwcqQwBmAHz=fhqh%X-7YL6E%hHnpft3^rc-yyoF9Dab^o@ZDx5wpB%Z>8z&SW?6UF%7bOb*Ffzn4#|K7 zMgFfPX!iOe&P!yf9N(5ogotvuWxzg?5apPy7`3!RxWKIW4Odl`sc_4;rT5>Jz*iC( z01;uNBmez3fBqlGequd{k*MBBeiqnbtSDqe@x#I0fRLJb>8RO3tsnyMU5W4h1&#HK zAcftgG%sZYeo%+s#O6nJ03vEYxAq{{AA{kRxgOSxt#?8$95hoDnWzCAj`EeO3O)dm zLkEyh)qUzeBowGw-FC0&euXgo!{Yq$7r%-wFntMZTU6*gIm>5}YoCu&TU)!&rU#YG z^vKNk^AVFg5ict&Cabp?;O#iO;ve!ZMgx3+R4MxXAEf$I!dyJNwVITWa(BD0OI*Y? zfB|AztIj%Ny3V>6W8JS9auhCQdlQ)uqnHU!^i z@GwO#B!n%ZeVFOB(@agy#cqdYjOnk`)8j<;@S2qKT%#Y*L6~K$%WqnayWQ6$)4Tvg z*T$4aEW^%s@ls{U-O2RZt*JU+X!+8-#Kq2sA<~zvF<@uMZ`@mD4By^v7MJ}BS)=aC z4W8$B-!3M4=dS4fg~v!lp;)3i!9L80`@t0Y2(Xi!CV4h%rMbpe`QIddB~68L^IDGD zrT`BB-LvmCsCAO}i*YL{MJS3P-P(8!+)qgnJGeGm3ZG7tG6ytQwDF)V3vSWF)~*ri zQDWyMveFaB`Hi{x)+v^oHJ(76RQ^IjerE0%{jJf7xQU7QfDoXLA<$Qq^X&QBu)4^4 z4Iel`k6)fAJ^jv4mhun2{zrBWG&DDljJ%8{r>88@O6iXqHly*@V7H5Ns$5~#u}fNI z(TeX~%V~#d_G}2S{lhIM5fQsw0MFQv`=q3aU|{!Uw~H-}j^#{+T;7dH1}OlWuLGTa z170vNHv7?Y|9tX4)1TM6dh>~R7rHg|35bT|54EC+7Qh@DQu;grw9mc1Lri*}6077qgTzu>oYf-;iT226lE{-gu*y<`Zny=`>IgH+ZPdQj15vKe5+z_^Qq$?Qn`z zBVEz(f5SJ=lhI(j$Sq`Ob`GO;58HTBaV4vF%4pSENW5Y)C|y+7uJNDBFOQnu{K+_| z7)`9m@m#Y7-0lcn2}|lfj26|cVoffpV39Ta9q{Du&{WK)xdRQe;h=+*2?b!)K1&hE zj33M*nojrtoRZ!jtZt$6zagt-N^^6vO_K&EoNHF|-0^W`)!O*Vnnf1K%DvEY$PtoX z<6SlTPi1xt9rJsCzdBID#h=ztrlvP0LJ6L^LeBXYU`2BXHUphYjU6_%7%$ z4?bptW)iTiH484CxPQ(DG#~=zCEcFtx(WN-9b6w*0TKD9YF8ntH-EU&!$JzrpT2T} zgkNl$e#QTL;P$85|1-gHseq6OQ4|L4AHV0*pvjYjPGM~_H+pFN2Tb7Kv4lW*glJ*_ zZrKDeAbH078uRooVAg(KGXu}p7kKzCpANVaZhy!Xma+8LDc4VHlt2-Zfs*yQ%Mp_< z_TN1Fzo=0lbsHPM4I5WsIeqXyDfEB%%|Id$eG8WBF8|d71pmGvF{wL%?}T)9kZYtr z{%4_1Miv61v`6JJCiWk--@g;g_=xr20`Mh%d5QbaoKPVVP#bVFH2oWH;0FyK-~6&&Um>9W zn>RQ?8fsqhJ`eClyS>QUNIQ0x(X6Vjb5G>>BM!QRZjlyzm+(Z_y`Z0U>_7Xw2^U{5 z>=KLv;8T2G^qo5hcYb%)uqM2q?zN)c%68St_Ris}cJVCUbEyh10EVJfmaXxw*LfS| zdrH`OXNbT1+~q8h$khVQnZlEC4SWCx?_D|RPvZQaKTb6uiU6HoYH4{w1Hjvjvc++c zL*4A{?d^1N?a>e-FSkW~7XLv$WI^!UPZ4~*W5c$4+H690qWv4vS>XOtoW@Uo`J1>6Dy-r*iY8xtG2ETR5v z+e6W1t#S`j9pvd)vlz@Iz}RWic%tTVeKOt_0&qoC2-eo#aDB)PCPNVwnoxp%xc{H_ z6ovqTU5vK@Nz{Fjn}Y~8FU5f{mQJL>EX+_eWrtFB81qh!CT@rUp9wr#1n< zFYGw|M&)@lt;bV=HGEpD(BbW7c%Eei{$TYOc)Uv9yY3@quDA8>a4@j`2E*sVnV3pwE^8jm!`(+QOo9c)&roK)Q!$ zjVPw~v8Eir-*stU%j2bAL~ZYKb}H7`<22E<4W}PA@UTlq!~OA$x$mC*wYNS!3gsF| zlBFByXAR6CY^-xa$HR%=UHOuF34_1=*rNMIX7uE5tNmX`d4rIth};)1vNw|-uD3c& zfKT3++^yFY>U)upAc}_~_{isM5n{UstK^-Ajkh<9fhc~(l~iDqxNazNm#rRMs>7I+ z7i4|c-HGiloL&n)ked@AT!n2`k%*$czQWy+<|m?n`T@gFFm2DOe*qM#*_6D8^BqI0 zVXf*IRdQDYW=AgDu$;%B%a{8v`Rw%6`{Q(4fTP>^a(cVdH$Xd*Kaxs`_L;MiB16A` zY8bb#3mYNkDhQrz`*UE<`zGFpZZ5z*Vq&lT$=C&{;--7LS}qoC+7#2Ud{QT7RNz_T zYXksE2pazHKcW$gw z^1fc#ujk?QAQ;4w}(%xp*~Ew{@DtUkJA6lWX9iKq)Rt|HM$`pd@_y z?(B>IE3{6Si^T*iOO-&4me}nzb;@~LA8b+Yw`l) z0QgANts6FJ*c-V;l$Yn7Jck3}&oV5K>0t|(`iuTO3pO`vVlGRjq(lxWsCd6LXEHdE zZo!oT;%~-bcYxc*Q?2s>UYVSa>4<(dEb6yV!e2JcwM>wyFvN7-4Y!h-M?)5Fe90GP zE93T?gCd25D#jY?*gVHa49^CO7&?E25UpMvBk5qH)j!wS;x}|Z`xiha&Y1AVgaeu5 z)iwEHkAGclg|ApOMh&ZzJJvVYDv#1}5{`nRI^dd}9M{;6Qb_ z`;*GG%1}pecF!V9ozYw_(n7jP2Yb?o$~Qp{w*h2N{!#+m z*D~|HfROHa&pFDIxApzZ3fL_xzyda(zuxYgcSwP8*ivHNd<9Rd%;8sDIB)x~P6}+5 z_>Q(BFSLvqAGegN5MllPH3p{82)Vw1{#~AEE97tH7;jA5Sf zI)6R&-xI;F!k$%PV53=>&dSs`6}0uijj6t zW%x<*IL*)s=xzI9{j--o>Z&QwCCaPhiq|o5W1sJF5VF7zPT#GLtW?E+R-?f}FWbI6 zXk6R;B?CbkPky%mN_5tpj__k>Dv=>Pai^z}!g_$AhqM^n zyq50ye(*lck|qjb3Crs5kJJewDczYVUwzQNC-c$h2=9sG5374b_sS^--SaaNWT13+zKm zZu~LsurXd|!yBW`kSl#8VqZS$<|6~L7UMxvJ_I>2kv7tV{7y7>1ZAYYyNkPt$~b1? z2N;r6m`K)IbK%}8*fiqrq!WF}9@wUY;XTJin2hVnwbA*IF;qkRXNSI}1fL479>QVb zP;_Y_DnTUh|292)CaaAF{)%RgJGdz&AvR0jr#WPc7F%r+2*Qq?csMl(wZ5lZtbzNE zkRZ~Jsx;KraqIzq`K#!ncMXW@X&ke@si;!}ZWZJ5SDpNM#O`5OW^Ht;Yp;QC1wKF! zV(Y+_Bjo;i`%zpA+agw)X0&s>b;ZTqs5YsAsi_bQ)*84>$*@-bHAycW8Sk++oK;+m z8U=@pr4ptxO@^#CCpyX(VVFW&+MH=-)e3k0?#hXU!v`|I#S7#_i1#=mwPW>d=R^pF z0~Tig`A2i&dpLr~{tCh{dCvr&??}u0ERSRs&Cih~qs8SbzU-`v4<3L-a0A00yj_8q?0A@@?cC@Btq>;4qp`zoHYvqXVpogKHZEK5E-R zGeG%OXGf6>47n!tI9`zQ@`wR{2;C|IV-saPTg@vK-2{@4KokL@M?k)vzWW zR2WJ)rf`q8oLJSnKmv9IaTGuraT2pvgCGBVhF=fHA?}0T#o>1tivJbKh@OfRYjQBE-J2Mnz56tK4sCQyIKefcP9(%)MACJ-u$B!MWovzy}*LK#; zU)2zK<}~E7K7V!*=wPIs^8PdX3cUFzRYxs0GL1(RYz1yvPi?<^-k6lHJB?cl+K2fze(va0zvbqzaGZxTh>XDd>+$ z-b_nM3O^3vjO3x-?#mjdYADIY7C|pNjaA)j`z(*@bMn#2vA5=P( zrVOWy)=>g04x!KuJxJ`x`*624`obf4RLppcKc!AdM?j!H1FJWWsAk$JHO)-iMDz6y z(Iv;&xb3VB+v()=f<5~FN4sg!fP^weO7t@d^Wmb*k$BGEzf|MRRdA-RXhM9_+dqLLLT3gv7Q%k28YeTE|KY<3A5iuERH@G@O z$9lUTY*Bz+l~f+=@(|h!BcoUHFR)j}sPHn>Oi63aMPgy?F_7Ztn%}?2cDWBJ)`dSx z0Pg&sNMF0L_-)TLp5m9L3L#Ta5Y7t9Pm#J;)z2BEB;9JOoOvLiC>WQ*Kekf3U}5;3gajOMk%Jv|oOdw1!` zm~utU4Ye+^qWbPVX%9RheR#_Bf_F2Quh4VG4ZZV4SwOJ`co;y~dOZG2N1rhAArij) z^yrOH`K5Zj-Fl|@6IG$h?Q%QM-IE%Z<@P6g1=RRDI82`JTQ76bx`x+rtqCYw!{SqE zlYFiYT0GB(=PD*?^^a?M?7a9a0#(u%=H0=PJyU!0IGv(z#G^kr;Ia1C62^deDTvZ+ z!iEONP_B;G_FA%7pgNBdY%TDzb**+zPE>|2a~1dUrERu8@gdW&uiqM!42#EV3IEf! z-M3Hup_kOn?Ay0g2)+^C4sT`Ul_hAU3?By-Ym^~i)x`% z`WY?pk?=$ExbVuSDj0q~9^Zmit+;bFRf69;ePs9kY$bVLhKMNhwL!M10^z`>vbdv0 zMs5h74ZLQMkQKpxq?^E51~gW3gjM4a?F>p!d1hG=S@`{!r_>|I4NdqPD&PFtU&yt* zN6byn|5A;dX9=PtQ@_J_?*Tjn>O~;axt1xJTPX0jXf~=l?X*ETA}LHY*R@i<5UsJY z_u-Qb^7fLs*DCllOOvM(@66mQQC6y%(FThUM$5`D)-HQF5DLz z^-#7Vp6}9qYJI7dltVk1naD?uDLaT26c2^eZA;`tP51?0RNJux$0J2N^NoAp?p;TA z1Z#x5--cLfdy?TQizTxb%XArPC@;*o%i^3!A6sw`%4)I>sT6GOcFXk`(4G z386~);F|{F`$`ZvN01A?Pc7d0VD34lVY=`>**ZfUV`GTx6H!o6!1I8QglnI;-?RzN z#07N6^hx`^QKSf_9DQ&+uaKe}n;$Z-$Bg%!3?6Fn+I81@T6b_=6^6n^{-wPJH?bjo z*QWXVBWFYKr^A)xxt3{Cwy5ma8tS1_l-@M!*UN`)mQ9zF87|&m=T2L^+OcNKLP{>X zVu-unq)<{|r|_e(!$ZHD$rhpinJ0#$0nEsvq!|6p$ikfS;`y9VI9i`5jH%{W(D18A z(UOh925jn%Ha|iBUag3ds-hf!PD6X{4Tb9_dz$xa?#U?sto+^9tl5grxyewNO`EP! z?~Qj26WbLjoha<;jke>csx|Vg`<`$LFnID{90=&-#3cK-EP}2yNy-LC_A=!^%R4QL zKB8WHCn>h;T8({b5gaRV_v6!HM%#=cx#u4oPH=@ab108y= zmusk=J$(8lZK1whF;YU~7X#ZD=BBRf2QZo;zFO4%cqCA$_Fxu#IR2Q53Wg_z! zI?@^A;{%ezApjq9~LqikH|`bp3?IwAU?JYb11(qk_Z;+LG)J+vHG>(z%h@(&Flr z5I~vSV3*E>vZK5D6l$o3^G8UAf3{NMj(SMmg}bk|#KCp}7hD|%{T8&IJcgJxTvp11 zgrB9 zQvo2)4Yy`r@tpjq8!z(cPNK^gE!6D^$V{MiA?YbsCc7|OXld*F$tsh(X4NmdM3g;! zzd2vLc-#_HdFt??iIG4rl+DGBVRMgL-$o7rqWzgpC9K_x1JS|ybYr|KiwqLg=ls65 zmw{t{=3q!Bl;t6g#5*$kjM7Yer+jfjWq0C?Q&RiuQFIy#zZrve3lJ!%?-b?k)SZ=O zPf%-y4Jo6yZb)?UQh6LEV>k`|TQP53XF(i?#hpeQ*{z%z31#+7xV1F*BCas#Gw+eM z0z}asyxipYFay|}9hpPEn&U*Zd3V+kDJKH@1F8tpAX)WrF=I}4YrrPTs-#8mogj$Rc@5hT zkh`j0d3s_hTuPq5CeO{+Vz)CF{9&&T!Fm#Nt%q}Cw~}+|XtfN$KFS<5CY)3hiQssQ zUzSh6sZv%#K3qCpdrw0bPGHLfAL=3qL_^^_<(==az9HfW`Q)UzeM{ZDx!mhCj1VR) z!vvySI|TcFR%*(%_X;9aRm>;vtKz^*S@zV_65^XQ20cpDRSAI>N;(G{MXySBZ_xHBzY-`zzMOj-3P za`?o~QJ1jN8v!kRj_XJF-~}~<3e1MzU@AI(yqfO$R0b++KG{1qxIt>v^C$V(Bq056 z3?p!W#N6$Pz(-w<7Gsu>U-JvdxM}NLO zbkL=qG`sYLExbu54rvyj?BWyt{Z)=feWwfRN*tZ)W22w49!9sJ81oJ2geD!A;+-T* z9@^XR79Kqv9KX@y-ey?UYmxNcj6^^t)!e8;ua$CDox)f%^vpwavCht9&DBbg35Yws z6F^iI!+Rt7k=KhTiQ?OnrnfGXGSXXT0|_EZ9N9QLmsnXtgl3DCr=!6;F8*FQGx)tS z_$8t~_h#WK#xQ)9??MonGkZ?X z*FkGIQKC<^TiO{?B8W>34;=}3^>|bBY6P@Kx_?}?l5jQCW48cFUs!6pEIEO#)OYu$ z(JmbrOp$hR*anHVDel!E$p*q;>^6 zJI~R(oblij4T5|cxaAP+Wo0q!--IdDCnYCG#l#T2Mtv5D-X)&s5c$dqw@_|)NP~u%YSVh-2QrHOD)mTX34!3nx7%+UnBvltDY#u#n0gLc z;a|>0J!0fptVtk z?n2e@XFo0Rcen*dZdob0w^>A0tB>-%?ke!emDtQN|JM_+0>npx3>`iP&|Cn_)y) zz51kOK`<^iWc=+x1&+58M?%b1nZdn;slZ{M1 zlMCv-$oag0%V^UZSXPzdNktWjwzvzsIq*K{u&|lmF7KDz#j1S{%kIEO5?Q~3bJsjY z)32Fy;x4n)Xm$S7B{3rYlC@KVO7AB5!!mokQZNR2J;{qBZMrdQ3(khJ+n~^$ti%+Z zp59xAfrO&?X+S>CBaQZiVpl6sh~KLErc!kl3U@Jz(PZ|$jPr11J`=geF5~+lckaCA zB_GW&&s4%LyYr&fMTD$+?b`~Oh2%|_(B1=MK@!n|0MClE;*KXP5=3~S2#2=Qpbx$l zV5cgrCt*IJc1uCN+Xu9mKu~mZKDv^?zQ%7u_iWie{34=ATFiH6Gyr zZwldR^IRUi@xde32I50k+e#vfod-bndJZ1w^D5(tL}sXZKw-i{eTrZ)at8f-kiuM{6*BN>Hx6huXy zQ2z2m9146DjUY0)yWU3k!)HG|8Vq_S=x`)zx5pus*~-bNh&)Y-L#A}~!BYH3jES*| zjFV3IJ{C9DPFJ z-lNN%sEaYx~fp-)bt<;1BR@R#N5 zIvP$j?&|I_$kt93k_r z(w@2-zA5JLsZwW|yY6nTo1&9y0kBo%O^P;z#>krw5rcXoE#!#l{&ua5d>Vo#zX!O%jR zx^&U2dGU&Eo|_g~ce}O^r2B;-;1vaeZ{7z*QV#`eNjMQ!=fpSXR(Gd`9hkbg>SDi| zH}Y1K$oC7pwMMn;$(UR8Kd#0)6Bcj~?|o1=v|D!Yr7|_HC;TGZ?QR0Lcijr~W((ps zbW9d9$B8@v)n~Cs{<;{>;!o^uI`2ezwC4%pC_N7+f`=$M+{^abVFm}cS?dOPs`{U& z2e7s<^M2&Li|`oFr~A!;=PcN4POXyEA{(?DZ-z!@{WaG+Z6}PewNG5ppdy~>O2d@A zs7q_vOZ{R|Wct$2=DggiDt%V|pg~IdvG)!fnq#^X2 zG4c74PbUm(U^kaocArpzI8YVAJ}~*avEn$jw=&8_IEC0uFn@08 z#5z3S)KW(^qS(n4_as(k1R~fO>R(hBL>BpDyJQRoWoC5emz4WG?;*EUVo(ssA%#|d z=b#@K<{ujwT2;EE&GqnHgcWd+He<1S?)ucz{1n;|Z?)_rg#{2FJ>nX8jfm0>R8a0f zsvicDX)Gs}%Wo%gDjS4IJv-`1RkZ7O#+4pC)0CcIuUvY>;EH5UKNmq#byru7dFGfv ze~UFbqpzkEt_n{C`O_t~|J~QgO1}1Gd7;Z94xSVKV<29=6-n}q(B}&|bf0ajo$M?x ziy9>mcC)us&B``sV*~ih+Tb+ka&?|K<;m-Lb#-ZSZg-uynpbT1V{dQgO0Ys2_J%8~ zvHfF$vm};Z*|>D1`)rHt^plt9C|uXoV^xN%@NBk;P4IqLev0b)xETA;Xtv4@yKF58 z{XHGl%rZQCulna*tr;6f^sFc4H+GbU(gfUj1#n>!eSLKHRqom&glY^GUgM!(xG@Ii zlSP3LxwuY8`l7IN2s$eCGLi3IWNbn1(Ok`@B+>o0Rn3|Fa zbYezxQ*<3E)Po`YM1mHqqOIlap8QNR)WTs-Oti0eY__3t^KLkf6Kv+nhF^OYoYCTM(n1VJ0{ZSit`NaZ3JO zc^$nCNw?qgv~4)14Vl@H@^1Ii8#eW-``AVnqjpuFI$-YYD#aOX33shdZP|1{E)o(a z-VJD7H3oNi<~{_o#W;aH-0%YwZ^+mD(Ar^7-YtS&GX{u>-AsvmuUkZ^UNi7%pmc8V zO~Ei8y+&e_t3|+ZZ=@1EoJ6g8Gp#-yBue96yI5C0vyd}K&DJ4e^0<9{?ml`~dZhXa z)0J*4Z*`ROGMtS@Hc}@if*c-K>t?Z#gJAl@0{Rs(@5m^Ej%SLYR~ z0nx07(}Qf*SxXt5?`{UDV>53Wy+J+DsnO?`E%q|iccm0qJD&;6RL#Y_OH5uLl}}!v zMR3UYu=Gm)otbkHh@$0iONb)*QP#!L8ZXCzmdao_v*jH4en3cB$-eXFVMW1%D;zeg zK2mXn!-cj0yHQnjD0zDVhTvYq(LPYiS{RZ=c3a2igojjzWFZ>JeBg3%D|Um&}52lk~f(bg=Fb34)wp(%vS5qvfs7F{5%?9 zE~t?CI#fiG+}g{8uC8N3NeHs~U`#qXznC>HW(h?I9`bUojuK0}^c@lrYZd+AN8!53 zE(@iqPKzj7srG)H47qxR(W{RHjO6Y~FUo5OAzGVC4#s+n>orWA-Ox>rmjQ6;Da&&QY+%dLz7E}?T3mT`|6r(9Ewyv<1~r zh{=OpOHnE*O)|awkl{m~W30d+ey!d);v_`*9iJ%*DzY*gbhIfi-y^tSVB@83J{e`%c%}DblMd*~WFaCx%RZ<|YzSF< z)DR*Y#QSkw)@t_JGOGLNW60PC{vqxxHAM(tagwRA+n2-Rv*~R&aCnDycU{}eyu*p0 zt6K$zkZ@g!@N3sfLW}VM_+(*;3|=gav9g|lNiFzfI})GrM(jMEScPau>4&Fc79Zga z!D-m{ZeW1%+HCZ_!<{M85OJ{|n=L8$B<(p^A?>-pt56hBVYew73`V*#Z>GUzTP#{V zcy;7a;3`Jw*(b2Y%!>|Pj3TNBc>~SS^WNP#F&fILvNq6Odp-sA3_mLp(t0FFWX5D! zl%ye-A}9Uf3nNTjcU4}>w}y|&jSf85BNx+%dcp#F2nRKH(T6n^_-rPWE)}qX>DRGG zUmxDYEcarB+Ap?ct%?gfJS@+AzdF#Iu(56VmWESw{|uwW_j{VUOq7>w1~V$TQ6V9P z(TOVG;a&}1q;!^rH#k-u87H|5zYZ8_PaolP3DczSEHS*o7A+FtA7>eYL6nAY$S$f2&VOKBJlWP@NV1e z({ z48Qs(8tm09VOvhoKY()^?n~f61l}~~Sm6?R4Db3JKawR-fN+*%l%fo1La)_JY}QN4 zZT>%W{bO|BTk}5-H)_<_wr$(C&Bjg|+qP}nXd2sgW81zzIp_OZ|NFtYo}?=)YxS)? zd(X@Z0}{EEge8-ht&9tLI4ipFeMU5?J=%0CPryVJQy@blXirA$tWPE~N;NUOkdUYu zR5`M?x;Kg~N4c$9wST15;8ZE3aWdeW71om$XR?V=V0SP?#s+-%VsZt4`t%SXRGJzB zuSz8paIg^)4WsM-X=OW3%qZ}Q8RL!K`xeK;M2Tq`pc$0jVP2NW#{RU?qoEm1T5S;F z<;)iKYEYbIQ#r4qAiY>BZxgRP{F9xb;@BN5$b9>mEp`*vFfKjColI`pZcsz^kjm*c@Bs>?W=bwTIz4E_6Mp@#BySa+}hx4xcz6AI`yU73f? zY&Nq)b(Ubpp++C;giG^Cln*ATwj|g_@(I*jlC_v z_J7(G9_Z`o^y;9^^~uqaI+B(TpRyHMw_4!=*d%1MMoE+Y1RH zgvGYpXWg&RR_@o~a{E@$@fNE|Gyo_j=GYMfq&yaOH5$IS|g;!xT z?(gGRt}nlQ8>H{%WuvNhv%+rX4yq z*`&YOL4=248YP_{fsl;(y+oOir{>;@A9#?x7GH~dyY{7w1dj$|vYRpS5(pbZ19vQg zq{}Tmc~yiO5@x`fYeS^G3}4ex3BA*9w3hpP8}z(_dLb%?uuzUS+u`@OXDcONs#FM{ zs!(DpPKIu_Ed1WEF_$6w16n&;Oz6C~o?l}rs{y3@3{M>APB z!+VE9IgMjE<(c)U`jPr1|K#!3;HGRTZ6|i-6(4qH@-FkuT1_@|8w&(i+QrYRa(yAH zlS53%(T{LN9?S!hSKH(I_BP^Jx`#YJ021`H6%qT(C#z#tDQ7h*=k0V~^4r~J<{}6m>=Tur!wHdq{+w-fvch!VpIsV`6y*oBw1`>QF6Kx+)BNskZL13@k(4f@wS9@gY;NEP+WGN z@rn%y_GdcrxkjMto7px$&YYyRrTh0txc+L|^9;yiyOCwPPPzP2f3-a+?^^!NKKB0h zP=4HMGXQH`o&5qj(mh19MHd1&>`ne% zQXl;~Mh*_y1hF_|fTd%xQ0V4Fbdz^L%_btWVi2a_uREvw8h_wVwJWSl;P}a7L4&xd zwJ46LRC2@3LdL^-Ld~?f*X$rM<|M4&@{J+JAe)of;jfQwBTlMVvcM9EVZ#yoWk zV(qtuvOQC>{SeLB!C z)Nr+1l#QvvNrp)Dhg zehAg_%~=;em=#r?eJ{2=$5N2;)FO^HPP7l75-Oaa_>U&G1G|Xvh~pfAR-SlxBRf06 zn8@{YJ>0&#uV%{ye7S834!QhV@IofQhaWqVrW`?4(_#wsrQA9#Trt{c$GOOY7V)?Y zmk(kNePTlJZzUm(H@GtMBO(IzfMobnSCCZ^nNE!`35F{Fn|~0`58_vxR7*W)JXE(= zX13omuO-h_t#WBf*SCK}@E7|xye`j$PCKd$RGu;&r+T_4pVW4~S$NA3z4o``#+moD z{k0PEws84-N#azXg12E-q&<@{`1}Q=NOa=8!n3*xuzoHwk2C<{-Fqk<&LquvA)#d- z7%Zjzu!zIyXrkc)0k`~G1%GlYAlSDv7-D!J4k32t{ky2l)mxMa-6y;bM`dgVx`l7(SuxEWcG_Ty0u&1-~tYbO5PJ0eflNG-X;a<(NiP3}nc{@8iZ$(rdu+!&PtAP3!vHX| zd``?8(VR1cJ3lE_u7s23qX-m3ak9Du`7T+gB=ID54G2K=N19 zj)Bx*3bDVciYk(Xits)5mQ9s&9acQ|bkhit*XtPYj1GgUE6$Hq8#hnyHH*)*_7?7; zZ%)ef_8?gxXzCB&P3LXPd;Q5wvNwbhh#Jj(RGYF&4@I1HeGm}9{H>|A87L7gTkFS< z7h2ULw@eN0u%mxE>OHisg*fOyl!ozItjVt#2cF_VdsVHDhu2b$;yq~RWAk~^V6C*E z6elavTv>8Usx6Gc(rQ4ejjC!()g-Ll8&c3xA-WNl2KcrFXWytwRDArRR?5d>pXWe1aB`@dLcSXmwJz0+7IVry^|$V@MG>r`wr~bppm$~ z8{o7wpAW(}FuR=ru(_&KaJd$k7~UST1zHX1PA#Swdu6sA5XmN-*jBh}KNE8!59DW7 z+|Q@iM#Y?OGmhk=RP}**1A=_H-6pVvv2kmJ`~L!Qq;TWgUc2&t{|Nl~n*}%NVjXU0 zgO9dAturj zME9gr?P}G3=-22SgZ7hXZKckVa3mxU8gf= zo1lyf;pdBd&kTXhuut*LuqhubBr)v}7q(+p)aLdsWRI;ZnakOuEZ%OtR^q>8h?bXO z`0r=bmw2fOf8Qo_)O9aMS}v@~F4{Fq8u+%H2u*G8ks1O{&PTFiKd~^mwNut?yLkxq zVHyR4NrBS1yZ3!~=>9qnPE+O~`0c6HLEj|&n!a(Q3s^2G&AWoY1>J8eDrK7!*^B?% ztFzo-LgR4pW2wcUmRK%QdIXQWF0ZE z3f9!5e~@6gcWXSnQa1xI-o?b3Tzo;S=%I3+4fJwv^lk6n zT@OGI#RN~VyO$ncKWj*&?}lTY7RV5kD4q`0i62K5R*v5gD`X&Q?8#T&v!1B}Mriz* zI}HjD<7NY8dFFvudC}ZKnd?*~B4A#xt66^Fx)E5wfdbSFB^4hqH)tITdUa~$#wBjjJ^iLE>$70T*?LW#J4WkB ze_*9uCh4d9{4h$ksk~46`NH}Z&GPx-)Rafhq4lCQO+5N!mTcmQwN%n0$S-Qo6J6P+ z8W!Z|`}R++8RIKG7QebOtTlTy$!Bxn_%y<^JM(h3(P~?eBK@{2irqFBq_Ep{nr|<+ z6Hsh<{ZwjMJCj9)M|Zv!cvb`a`ssmi_PEq$G=ZCx1a%`Ns_#qm2Xqf;lfM%8ziU7G zZwTU`Kr4FZN+EUCc0ZCo;tk)jgTstOjJJ`as6CMoV)e3*4=3LHD*0fS$Sh zVWa?5j3@iGONpLwnLUtaHJ;Xp(qVHx_3*Na2gBDL>P9{;93-^MKeL0l)Hnj1UbcB_ z33Z{!=W{Zj=WpknE!F_=vC$C7FMZomit z8WdhHP2VvLoPGE1?<2d1;wNTZKm{g=NDQFQG}T7QMnKak|96;ldl(U3_if|h|k3WUROAAat}vI zm)=M8ZeY}d65C(;8c(b=JabSdoj7xEgA!k(f$we-Nwo8FoP&a~Yb+Pm_?5rGK6r|& zWyPSrK{%dP4{n8bmYx(SdZ?aY^~&ImzSR-nQw_msWQ3s84UqJ|jXtwW+BThRq5qlO zoEu(Dcyx<+z@~q&%=<}?+Wx#`_yg7?6Ds*KsxDTixdaUbi3U?f zgN+dX7aJiPXmp;knDyq4Oc(ERH&pzUFP?FkZID?wL;v}(~KmBHZKCS`s zki-N8d{}F&c>jl9)i(CQskx|&d$!L6_NX?nrr7=*=Ne!%+K-TlpVB;_C0`T%6^%*dE3*YQv)`_$H(Hv zS87)B;U|d;%R!JN2O!H8_IKM-^c9NDv&ZAp@-SQ@GKEc>t$PGK* zpy*DG>?u4$xG6uZB+B!OF#-pGe1R#^E`~J!15EJ?OX|$-(wUC~80<$27xF175o#}h_W}-~l3p(#vl5Ji%YNiqJYAi*< zDRs-ocEr7(LnellnQ=<8w^j08ue9({l6@@5UM?BOf;AUZh96*|!4=i@AfdaT(QsiW zU5gdH)pl^8e0fMREZX~)uItkUA;%7taVmxdT^+&^e8LjbdE>F3n5HNC-ub%_Bgeh3sq8l=vo|Vg&D+OEVFf@yo=()+n%#?bM}2QY=0{oCZWhOn5`S{ zW1$Yv2neR>ZPB6LEm;-_Wc=9s(2ZECJ#GLPPl3?mfUbeb5r9;e9z$&rTY_Z?CSs`& z>^AbYwoZK-@e*s>9*dk3dn6#luPX$)w?hswjG3PE4n)VzjRm*l-i2#v-v(!Rcni(Y zo-sVQ*Y-m(|~6nx*= z0Hj;o_4A?C|Dj2H_xp+@S?Aa$nSstPL|Wog|9EY$+O@-Nq zciZ!xX<&#mCRwj*&n*cBMjd*!_M>(wQ#q72R-?Mu0hkV+GA>Tb?anP%&8C$(4~1mu z6=P}%ya6N`Mu-~^n$N*9G7W+UGO}|XCc2VqPqI`_9;U_X;X_J$c~*f@!}qKD{HbeU zf6=}ZEJ?2_os^XtIe8HYI%Ir@c6+L78;a(@LfQ2N{#_4{;k2^AW{(A#l)nml4yqRr zP6k+)ZYcYK8Ndf)b;$KqXKl!PW$Ku%Dh9m08iRBBGo23kMn~;Uxa%GfoANNMifhxS z2obl^NfWa>A}%z<7aoqN-#8H+Y-LA8A{0YDtK;ZUoD(UdL&qVqZj8*k5N1&c4rf4M zF)hwN6=IV4LN#6xT{l#Zw$raOVA#6r5~+RqfD>^HSZo}Z%BZ2R7j z7dM=rY}8QsgQPhRL80SFf5D_aKqbEqZ$ z(Cygax)U^N-iGBs0_--z&zGOMe*@s9^4S+%jKh9?9adW&pPn9G_N=r~a?&?iDvm9~ zgKYS$0s+DPt4i3yrj5^JWvWBLzF{Hen~%d>C(f$&jzx)9x0NHe;J9Om!DekbnRNHU zM7NfVk;nVY9C@pH$?G>5SS#QgE5dJ<#CkVB5&gl9vFGDLCvan(pL`x#>uD-PZ~+@f}Khk7hWty_Whted~qae=4(Q3SajW#^KzkUo|<$h zi3;>Rd%dMmD`aH%27O|;ex;+1APZV6LW#a2o6zMBZIyCN?u08`h379AF~}2Q{7}4O?L^A6d&0+CP_*U`4S0Tguigazz}6f67im zn#codT|-esOqs^UA=6Y#ERjtbUq~TG9AmAunEz25@#d-J^YRie-&zRDs)_c*`|lx# z8|hUfDsFRY`m0H8X7JwMw-#RT0lY$?ZP{-eK{af_h5Ecju+Bo`8p9|k{F^Yk&9Y)p z?`!3IPq506l5As_V#JL<*k(l{$-Yu!_Kzda7T6>hojnfq?9I>O8aNC-N)d(RA-e^y zh+(*{y%~j{yWSiGpp~5k<*SvaMT*+0_=9SCkNPb0F8MZa&bmpzd))hZMMaofcv_LF zDjbaT$R(I#wR$NG6o_Q`2)Z4(wjc5`UzJaRs%F1B9x8!Gjf#5tnQU|I4)ulyT#Nj~ zAA%AQVPP`clOiYA0kHJ_W;V&nf;iUKT)F<8PANfui?q~3gU;l+eJ|a(@i?T?19uEa z1U+CFhu(B1q{3CsN;TQ3~(2lHddidlmiXA`@VrU@4(x^gcv3s1-+mC=cpiLjMUa6eYwZJyXSh-vvNzU4Cx1VB*l%_D zt%~Zw51ZSY*AorUR)c#$*MI!C_?mwQA(RA2;O#T`Cm%n*eN?TB5*zF z#{^li(TNbQU_)tZS%r%}VD58(ZdaEDXSLS$NK5SpgzBN*o}8oSp#uOSKlh&0tOxN> z)4uc}gFEWv%Yc|T;GS$zB|0zON6rd57ke-)S8e=~q#S7w(Io)ji-CrQXo&R&iiZ^! zt1O;DYRTuyxEL11`j3LIe;mm1{sGhK< zTEo|CuZvSkgZA4sDH}{ZX>nkqSSjm-< zRRT8g`O$+^D52enOH@@*ZW~ztjBWmry`)CyCHY4w1uw-MY@SQ|=;Y!-w1~*V0oH-+ zknr&}Ar_U9fF+z^v_={~_KAU2zM0;sJ^~g4*>Ez!VX78PHH1poe}u^T)+d?BHape# zbP^GvPC#B=j;Vg`7QaG3LWqshRwWi2jL=JgvZKGz;*N!*&@rE~rd>|>rz6PZpr`(9 z%S$akBOQB}8{ijBTSNBpS?;XoZX8%|KB%ppmdt6Spu_eY z?0UV0@D+D14s(1i9`)bWx`YLJrwueh949%3&Yzzw^RQqF|BK}d=a-5Y+hh^T)Xt`-9#Zz`D&BdJPUC6Fg*uTD9&z{j?z0|UXgdW8H9}=q zwM11*Yjh}gDY)2eJy9mC*)7H=(b6{?5q5Gt#*Jt*fXO-;Fn^!%~oS5_v8o0Qq6vP!*oDua^ zSJ1KBP(RNT`eZn~fQ8f`m&4mD9azuKxZ&v_WUA5@4X~Np|0f4~Klwj77^x&_q!I9q zJTbnORkP*Z+~THtz@uWoBp6PMgw%r3wh(ZnVNh@^DG3xT73E3}g-2o#vv-DypPH>tvm{fHlpM#4 zBz}S-$aT}=XVaFK^nC;4Je~n9Kra9tAoY$!Atwm6(9DeTgoNZMwA=t=Y$~lz86APH zP0dGTifKs(or4dnnuKM>lNPxMWcIOEcA>btI-Zi~7a%+w2@N>mMaY`C4~gQ4an3zW zO;DxbSCstDI8+!Gwlc{xEH@E{9m(iE@F0X?lKZc;d1g)^y9H~e13+9|GXWbJVS;Rd z+g~rygfnxFn5EE(2UNb4rp2uVbdgH=*17lukO!6+S0r;e|2twl|;CY zb4U!MXGw$@dO~CWI)DFU8OI71ggYI?D}gIrZ2xdl-ptm~sogMRx|2dt9c?D);psTK zlB>1~EC|pyMNBJ>oW=c~`~Cv-gATr>iLNY9yI{tnD8*wXeMF0=h)w<{+$yX~k8}9o zQz5c(txMB;cu79fVRP54=eMG zHORx7V_g1gK-;q^%y#BaRMhQTUsC*CIoAWNU4`SSwK=X&U%cpz&|}$Z!T;L=X;2E1J=+8Y`wEyHvn=@ctM4B zMUG*JAJShDO}`e@Wcc5_{qKyx3}pDPlv0yN(Rdt@y4F%+uf#<=vkGVg5|6)>0aCBG zOD9fqA4*8tRV^6_hW9!SR*@f^6zPs>71iydRgWH*U58t{kVS-mj4>Xdf9WLY?%gnA zZ_Jy+>dc$FcSoVksOLA(iig4OBaI>Nz=^_Xs*S0;n3r7@uHN{|?`TSMayTkptN?H5 z&l(%~A_>_%lpe>&C@1Nw=!U}Te#ekp!n1<9kpCP;I5(&PcXA;iR_D*3zaPZ|gdvYu zQ(PtXYtFOKJm{29n3lhiG&q~|ht$-P6dY8_LR0>ZOF{}a4T_AW&LvyH0RdrfTnKM~ z*r~UfhYShHwNT?onaQkIyKZK{Sh$4~!(gtL2$2O|GuHV~YX7a%Y*@2Slij-DleolX ze&nJ(AgvTJj*p*nIuVZVK1^~b+#3#rjI18L;Djgy=4L42X{pg)s4jl+Lc8WkCQ^^5e-Eg8k271^>#N1 z(99-QS@t!TFDJLARbVYXmciAuyr?sp6lLmJ@=Lz3kcLXvFSWUiPr5bu;?ka(uA~!u zOFjif7}P6t@nFf|RyeIbg(W7488h}_4SP2~4()e;`6*)eTT3LQ2HCP$WUuToOkb`G z5b`E#l8esX-1!X^;)7VhsRDv8lxYj30AV8+=iL^Dirj*e5C zn1yms%@RYwsLE4W$jVdMOXk@bgsF#b6xOBImZEW?-23@Wy{Gr&-6pVAZs$(o)ibW* zlMYd&W>}PJs^Hy{vFmmW%V%uzc~^qTt-uIXUMw`FwuuR9R!Jh2TXRv*NHPJoQ@G<2 zQ+}RcQ1d>nm|z6~741KFvG>NICpBdD*~j-?of9XZxnfk6^x$Yg$X4aujaV0(Gd3r3 zw3Ay^30wh(oQv~sK(39CVPR@;aA0wEy?*WH$ zx0*sn_j)jz!?xh8Kp4y2W#|tfTUYakdf9#8d=$Q+s@V9TmJ(aJ;TMq_{ zC~W#ES}z;RUd9}vCpVsNF9oUemRYaobEJZfV<%X4uS~B;I`kYXS$>~@0UiWj-J-y# zLCXKtEsEq{hZug>rlZ{q0H6oi6L$dYAP@`^DK>;02!m`y>o1sttsgE`ecnzG6yb{* z7VF-=l@ZuzOWFv(sYinC-%>~xTn;cQ3x$tM7vtihST>fF*FwL!m52)?9kX|5Cd}l@ zJ0#Ct(Z>4qz!rmdOX1l}X)K*ag>BB2faH`#qD$F@<}Ot}4pvErVz?b@aEm4O*tG1x zO)naCt;RnwL3Ck9T)3ddw+HI-ZRyoxXErge)kqucSF%j1Hdg$~x-mb3;I~I)jhR+Z zwthFxNrt*6L^xd*Z~4K_?n)40%=*glHFg!3*T0iwWd5dX@1_Zz%WecKwI-cCVoCqS zaiSyK?}D)1s+REZD&$cZ2}3uUI5*4D3I^^a;&P;Bq?NT_OLm#&$3k1vtr3tF zXcJfYm6>;$X6>3Dz+Jc!C-jj1<)#!&<|f-bbKDU9h$ZhWQ#aX=RtND#^-jcvUy38X`+jQ=u5ypqgWC!ECAsk1Io{E30|Hw(5Bq zaJvvfYBvn<2b}(06C}NZjgn0~2{C7{p1W~n=^CdqYpi@n{6VMhoP-hJlhWj_&Z0Z`9W0&0Y_(&ESr*FJzE7Ixh-Pb2x01)dTq859x}1Q5;tw8 z@&m8%o^`8jAZ=qKyMNF;&gd8Arl~6a>j|gjz)qZBc&DP^RRc>eOHi7WbzaPXF7xK4 zmty}`G)ogX;jFrY9-F3K8Gva(;mD=&qHrLWERg;=rP&f$30;5;jNf{c-}*6(hKpm8F^dKNY>jB z^gGGd4v;u8DEYs3fN(&S{fhDdq{R*hdP<-)>H4%`AUD)K-zyrmx*54Zg#D%^15{Fy z;?{j(A#(Xc7$q4U2Qbz~NLDhp%GrQaS$TDVnZYbA-}pZT(@BgWf{O4IWj0I-ux^>@ zo%mBfy^Z=y@K&>t8LceRQIxG5P7*{{N!>C0YTMsIjs@XFG>1aP^*EadM{4F($ksSZ z5ymLxg+oyM`7E@UR!!_|45WbvmzNEMbh|_K_a3n;v10<8l0*j|+718hLD16BHliJP zuWN)Dq@fzGOcP@%mJKbVFKYu^NfVuyOSm}Xi}!UJNY>W?QCEOFX1L8=x)I}XjO_`J z;Kvs>V62q60cg@&N$EXXV#Yri^FMlwohOP#<^|;Tj=wuBI0dc8@O< z9-mMJCou*sZXOCds<|qq1tla`G{i$KJi=#4MwplTo$H-{D}OY_xO}!$MVY&_7&(8C7h3&aIYHn7>nURzp}`j0_Fa z`GkMwWuQ}9cHzcvQ26s;fHR&5ayl>!@`QWUOrXYw^7TL~RsZRG<$10WY6M(@VDSknSIKwfe zqBQX!6#=2ENYGv$eZS$ZL}U2E_wG7M3oAju-0wuRRi!J^-)wr!fiM*^USSp|tO>^P zqDUBi+)}8viKGz6K^Qq7W*#JEN`n5-)!J59SHmi67IrI(3~`GLinA$l1)(L>?<}CFUh!FJ7+mArkLh3&?CctM_RE&+7n{L|}EPnEx00S3%;=spc zU%Wx4X28w*1&^VCV-o9{vB1U7;CUykgL~Yf4l`uc)y2>A%;fr zq%HmSmXV#d?W-9&XffysR-K<}dKNha(VG~L z9zv=pM-ot=c9MRHmYBQjGsi7-|LrpIk_@v(E!vm&f@4uO80U`oIN3S18fbAG*_MIn zD%w?RhWeO>29S+a8IeQdKdhpRmm`cJ2wORzd&L0%nu|C2#P=Uu$%ngqtnQsCV~*>- zXloX6Mh?c`IMOL zs>=#rjkt7e`DR`RLD~BLPCU7MLafquvbL?iTh&c6ZSv5Z?ji&)5>Wfl)E6oox^bK% zx+&tl1=|}nU6724~-_Vmn+zs zHy|&`(VqFmJ)~~J6`qJN2r1q>dM!>a3~w&9JEOWxhuRs=SpHKDWg-chFop1FsM>|F zVf7%8E&<}aitQJHmfgEkZPxL?(B#36xzQqSERDF4upsT{hkB*e(h`qo*7;1B=fw9?^A~7`EHdT2sqynEBP8NzE9N+j*2mhQr)wR!rhmh z9RjqiE7CY{d(q-@J`Ycm6RQ2LuK?t~Q%xFl0hZ`s&Oo?L&en&780g+T&q#`55Xy&6 zydN^ZVvFGB8Wapt${Y@4+8fOI2Nfl)<(BXFI(FlHLOe?n4L5#RLL@Es!4`wVp{ijV zgi>&7I4RXxzqt5Z5F$=U>^s7*?G*rr^ruM-=lFbZ06_fCKz$r@9>jcXv|b2ebbtX` zEJ*(r;TiWGv1o)_w;(d?M>%Ya8g(yhjhLZV{+jn2_C=N!zi!-pUHp}vOP{Pyh*Lyb z2P7VRn?}*#P?dA4T|-!4W(PJ`PB&J85QSX+cQGbl5ST9lL?fz!*Z;7K^^5sxc6(#p zhXe!G<_@Uw#F4u$8R88x3XQ03x`~sDE0~VodT_5}!%VKvKCG7Yod**;mwZzpIy9@O z?4{#84*&hR`=z?ONj_13D@okX)+R6`FkwS4j+a`PChG}uLO5$3x=Dg5U6z*=WLO|9 zHMH`J&L7ak!ng_ij|E0T(B+4+@iqriBYeu;y?b^3tn>ZlkR-S~nE>;ih#fK^TOq7C zeN7W$^q6Ugk6(Gm*M@s^kj;bgfeZiCV=@#->kpEOC262P6;ht8o} zia0TuBixz!)S|Lbh5Pd$E9H!pT$39jt~W9^T9FSGMmTT61xUuw_Aaah?u>hmq?!|O z4fj=%c`Z>{0ur#i$!=e31)B66eA`vT-mG@H{^f%mVTK@>mM*!k(!AIZ|X>}HLcdeEv%REP(g z!d^|7f3cQ1Ar>jfw(wp&(OVmqC{`R4QHnoWW`g$>P>#K%$Q_A8#oiUw{Ozsr20Nr$ z#ABeipC@B?e?q#^e8;f+V54Vzr(!@D6GZp(3;bG{ik7vs{|&?Z`OE)>i56rbR*`%e z{+=~+sL5ejEGp~wBrqbD;3PTk+l{9NB46S?KXMBiXPTHYMh8HQE)3r>xKLBCy4AwS z&@JRUjI73TN39lf$a{JKoy|GKaR{n}zLe`8-=70}t?8Bvy7d5q+4ly=v+Sq(`~qV1 zTzcYs#OGrfN+ff#;tc(!VI$y6?P|v(`4i1()+|Pi9V4u%xd2YYNLW2iOccw_7&)F= zXlX%aah#;S_*(}*vO%LEZ}?{yIx7{S1iq3w!BQP7bEkUDDhZWLD|El{ib7p0Xtb7N z+<_&NKz(3S*U5|1%EB?Q7mPwlrkO_*WRsRfol8br4yK|zo|PRnrKrF^MvQgc?W!WN zit`H2K^-sf{w11}zz%lagm>JD0dJ)|;t^Lc51^~kMrOLx=qDpomo0`X^~Qtcg52;X4=rRRdC#2<~~-d`JdMhF2LbOwH(U$zVDvwPwt719Y56 zk-zrOal{QIov`)h3ZNz|p;NVoHWc!~S0!R=8ABL!S$z7_ec8GqpI%;Kd{EZ&)*Vl^!J zTVZoEa40hyaw8W$xl!j$bjo?kFIxDqBdk@R zMXTus^)&tW{?Irc=AJ(Jz*H?G9`UOFtTvpcXw$A}gvIE_4_LkoC-U5jzuk*6vpj}L zDeL|!M5yqt^u4tOF}r;CCOg>&4cR}XIrjTD&?(y|W7X)Eg2WTjG2?|Oo+qPmD1oL(JIODa95EK_)!aD%ySz;t3la7neF!qxMWa>dqSCoL(q+E`ao0w=OYAB*X^;jUV7H zY$+<-p4T)UVh>rhcBO36fLd{JeYq1`8$w1tk(xxBukjf6-tY>ix3^%;6jm=JWC4~o zEZ_QuP<&%o<_1<{lNytGjUi5QdwiSj?x4tc&FL}Y)d)?~fmN%Ywti?T;z;L~7x}49 z8KAU9XUIC(KHQvXthKs)G|=x{j^?$Rnj~qoH!%Nceg^wmuu{oNmU%?dMx1(vioCS8 z6tV}cXudvS_qb0CM!|T-*f)`TEbf@xaZzICDUttEktOIwg)+*6g2G@@V-nYC`t7vv zg>=TXs3$ExUKYJLZrm>EH0Q3axvu(GMqNq4kWN}*;*Y&`c1S4Lj`rErmxI*i-!rjA z51d1Dx)Q7G;+Bzj2+TFG#+g&!Ugg>3(QT_BhP?pWYg3U2jq|vK<+mw!d~^2u3Mp{@ z?(q9{&wP-HZW|%Es%;jmsa8_7gh64(kJ*=;GZ`&_OJWTco3$O$+qzMFGw#whmgtyU zeEf8_kuwHDvUixp3LQwKb747 zP_gUy|J?s$&mR7DQ+_=mUq_i< zM%^IbLiA<;ulj$&_j?sV-3|!USB6%4pl^ci=lxZczC-b$P5!sm@Q36V;zFK5b0Nv} zO*Ljpq;%b8r{U^;pFFvLo?RWOdT9@ptx7l`ezoUIQ(8m$k zecAHvG$O=7|IPgG7Y2AZ;xCa%td+~yzjv4{+6(ZN2V94J4#BQVPY5^m5TZikMv#i~ zvKDgdn8;(ZD&Rfckl-1eoc~ns)Bvk`s>k5pRpD0)_^%w6W9`5H^E;u4{-GsT-unpg ztSv8Q`bxmX+>DORM^4jV9; z8J_*K)6sq=bl$H3-twQt^j|WT0ARl=t(Nvj7#qOoqsOfc@SxdBV{L@#hd5pLW0Dr0 z@k|b;Y7-dc?LLUWIS>_&#jiaV@PPON5bR%R0k};4j%i}v$A#ctlw z1<6Zzz`XBwN^dSxw%1?m8IGlcyAUXCQX=|X_@|thkH`fXvE6DUq}W|p2EgYM4*H`; z`^4Dj^EG?nKW$_Hw~P&{>-}u<_I~Lzlt`gO@5%1*7aF{SiRFAGf$VzKvSwRK?*;K| zhFEslg7RVntm#s{@U60qUeOxNp+;#+_!(qczLhxkxfa8Uop@Q#1KR4^_u z=8DthX4ls!sPNO8Zto+YKP<3)ij0B4&ZW@SbD*gzpgZMX?fZzbF2UDr1&y@~5e2QwWp4)DX)969+;vxf5 zOf6nN8ajQqX7{*0h$xUqoC;P&P#*_=RUUE&=^D&L zgh%k<@QPDmNmm+}*ak)rG4iig!Pz*Fp>f}r1%x(I1)BV%?L&TEq^M-6q|xcAny9L% z{#5aT)XGZo*?R5tq|^KT$cO|4xJr!8MKO5FLX<{yl}w`HI7*v}iiPl7mC+*j3~zmEwKq+P=KLBP;G*ZHMgg1!Mm z;QRi6KlnqSIv-XoZ%*|-(_8R=nZ0-vod14*0?c-6t<>#W?IZ#OTWBoX93Rh;9(-+(|ZP}uJylpOZe)Sxn^-tV-J)8>f2=Ip*T_&iKmY?u(P zz3=jU6liz2$keAaIBeU}B1bd4{`xtVPe(1e=X!?hr;674oUt`b<>RfO%j>4FIrhQ! zd>{2$W1wL8&7qHc1p(L@l6~pq^CCG$Vkz=d*VL<1%I0}_=wuZSi|GIF`Ty@tTxiAO zgwc5&O943NAd=uv#tjAZ|@5?~?-~NB>y=PdH>+>#3QLq6j3er(jM4E!q zA=p5qEd@oSM5IX#9Rh@a2#81%2p}b>6p<2Y=s|if(gFksEwn%)fe=UtoVb?jfA-n? zzt6S5?(6z}fG=;7dGloEnS1WJ=XpKY?U=rNV7&VN`Q2X#Y!VPfD>g^%`;vS`g07h$ zEP1<@uK+4Ti!p$U@XWl!!>LO(v~oC1`GZQ#qaJ_8l54uKC?0AZtUv=E9ppO2?6&i% z+HP$?MODLvKVlp)@@5x*-<9!cH|$$;tE3TW>d4_Q2~$5x^GH|})8E(r$Di%Le!#(Q zmd4#S*~O_E&#-G!FDf2t&{qwsJiLwt=rL3JI{NLlmIsn$1LscOqzqaX$TQV63?+>J zFQ25z!cxQK$@nh&8T&1O{ZR8mviDvdl$v)W<_S#(imwXNwF?T&-R~#v#{|wNz~cy* zS|==@*`@z=CI9s<&2PcJr^|+A0KNqCy#_2zJ@vK|OlgC>?Scr>k|Ji(SLc;f7bc`+{6CkSO1Iq{Li8HAHVwFuE_uX!hihgKYsOJf%8AP$^V`E zvydXw9-#4nH8cwa2hvRrzoUdoZvVT{4%&oZ5B!pe?+!Q6U@Ry|G&uO!-rI7fkjbN+ zfJ#i|JS^K+GMC><>mN`OvU)D-;8q4zP#|RNY*zj2qU}o+e=kzs`B{|-b5Kk;6U*q) zUXOe#&qgU5YaCurn@tpbymRT#N)CE4m(TYwE#`_dvpX|0lXOmAK6^*6h-pu}QYYcz zkB7wj&nG1Q+*?H{6FE=8!2C8?!6o@prPMk1$M0UpjyB z>?zHdU}J~#Y@#MZR(yXxAp7x;!d*Eg<>>tTDY<6BfpXIlKQ_%wgZGEK^LYX5*}j4D z$Uk5!q@O42U}R#|aQ)0XF-`Cp?I>?XDZzY1MW10SFGp$ffhe8Dt|sx|wBpsbr!%H#lAqmN%?{90Z%Odc7*&M|*1>GS?= z$<_a?+Yg@8qVNjMOJ`a~PQ*c!h%eY&Tr}-ZNu@dbkEOKCBZ4JIk93MlGx}RM zD_IudBUkk=F^e^DTiNFQ>#yxBBk)Nj_eg#g4jzWT-?&zH?{_4;mSiqYa7jwP&lZ9_ zeWND_`Of(5!y8P>EKhQtUI;eViLm|i0dZRYIQ*^LvsRy6nMqwWS-@I zNy5x#-#E)3ysu&wOf|C41C(lu#xUU?2uhDV_-$+D7Q;JOQDkxdr9+7I=E*V^;N0HyY3Y+1b$=}d*=2gEmQO(yw>*4E z*?O5iW8Men(HXRSaM{a)yQ`?Dm!Yd4((5kC-E)06^;7bsU7f(z-(k;)krxjbkyDU8 zaw|;U*D~gCzP?i$w}4f!kGEO!O}4M-G$u3*dr*f)Jzj&}ZwFe{NWE_OmbfsuDA64? z`GZ@TGIcD)I`7RD(~9(qk$jO6e}^!AlwjO37@%*YOtbBU0{Li61l2#!-0VT63X zX-^viL&MMI`Te5h|K<&^>R{7Nmqn(P6@c{m$3Q-)3&Ip|4 zaV}g!bLhG}iTFWhfLD?BCXG*7LR^7DU8-!3EoUF=oR8tro`TgDASVW@QbfWv zKjOl`*wN9aS1c;byYQl+RoZ{`Or9 z=rzVho@aHBU39tJW3k2xypFN{{JDFZ+!G!h+xZCjhI5JS?t=X9<#>D z)}t)s@H@uG4G@Ks)mp-gb14bH`jQ*7x!r71S}$KPa=>tN{~gSI(foaDl6i`sex?ZI zg%*(P^KcKn7VtVvZGZP`8HsEA(>?Jdk-R&N{24Pp*SP0GMD}VpUsu;X>HzO9ahQFi z;e=~E^PwdrHCw$#9gD4sg!47qxn2W6Ynh!xVWrFB2eZNMd=DTkTf#CQ&{0{4$$&?kuI4Lg=o5f`RD~%Ih=1#-w=o_s@Z>Kb z<>>V`z{l&dZzvX$i>*m5XH^vTm%tN0>B@ZM=j7=0kDGm~YO)DRlt~GY|Hqp-31B`T zw9eUoRHU9)oXk8`x4*T^pjtDe2kY_KeW?cqX(zTEPY*J8>UuMgvVDg`T0UYLnpGoK zdCo9W9M5r|>89WK;4OzhaAAhNZe@9wNtW@6v}I}Kq-WOuf-cdQCsNL1wKz19x7R;) z>>Lu3#g;RZY<=|(MK40DCuzxB;cX@d`;Jz>C{rl!AzwxKW@(PnUTbc%+L15EFDF4C zX%A$;G9+Q04;KYq$A9n{hre#(q&-PDQv12G9Rq~_TFAE63~eYM5qT0%&nxbp+_N|v zSe{Um+c{_`(=*xA-(qQv3ajU6>1g8m2QR$1oAr~N_auAO{`%tz(tTA9kBZTa;m1Hw zhWzDx(xnuI0^9lSi>9Z?^wI!gczfB8Xmu|K;R_-k;19=Z6gP($r|3rTmkLzr!cj+@ z?>sbeP-PtVESKvw6lADg3}jl9Z)Eb4ms|+o>WYwOsK})gBha$RuELsz4z*{cj_}Je zme;1TWEg9z|BX8tZPXDLqUgm$A{p2??J1?JrtPXNoE z^*PMvG`ew)=RM5qnW;}w% z>wd{~&3Fj@eDheYev-nAh7P{LfK6VtQcx6gr!r(=R=fu!xGtca5Ar6ETg%iY48Y}r z1=|MtYXT$5{@ARUDnl7z0y^OJVdK=>Ajpa&4#5>&p96ew0+Lh(H4C~JtcgE)i>Sia z_Px9ER=3RaJjjt(BR3Z(9r#vE=L_tk)2pRovDTL4$%woR>sK({4M7vo)P>;n(Qj6@ zXISI<-n&a&NIft23wP9GZv7^h{*97QRzQ|lif9Ie8ci~D{|VP%&A%9c-+;(u1ChiH z3V6JtkzQ)14*P{rEMWvaD7cX;T4!fgEUfBcvb`McSe&5}*XeH-jNN77?aIndYS|dA z&&2QsO~Ey(w@5j4e>Fvrj1sCb?5S-@^cMaeZlIvjFo4?r7L>bJ$=@>YxdguwD-t&okU*Fmp5F#pZZibwNTN*w0IKX4C`$# z9a64zJd{wbcC}iq^8J!Q%2l*<$n0M(`&j2=u?WNDBkm$iq2^{&b~ zEyG@Gql+4bD0>*(y}V}P!B#P`-}BIMT-LmH?cnKE$ZY~;bScF5HqcRN2-oIB z(pk=byhKQn5vU1_t&&UMmi#&2Ea?TF+f?ZEwm3FOQ!9pldz3BQ!Qz$2ytHzGcM|?Z zRcb0)rFk7(HoFyd*%NIHX&cWW<{2gLc^37o?0muW6bfUJ2eofKtrZ8L*1X?(dJ{8i zRAxK&6VtdmPG(XQ$LtF6Nh~I2(|Hv&3O@`oHLlo`!$;`o(P=Ty<-UX(_|5qnm3L>k ziI6(mSH!O#X`grsjCO7;m)S3F%l1D~DDYP4_+|ZtEUDgazI@1YQc+WSziODIGj)q| zQ9zyd1YEH`e~-MIM&jj74>}4>a&61jt>eL0P4aH|q2B%E)^3=ZG|@T#e-* z#5aj8+pZMgXsx6dZ4w>+^RoS&Pt~>4x1QN~JDJx0CFhHWd@~&jP}o^!9ccKr6k48; zw>Sl~zjBy14^}iJI`Lx5Z`eT36FMNvpFLyn>K??irh&eGfm5RGeQ1J@`=Nqb1L(!w zIDj;sEPZ-rfc|L7v}SjVd&s4jn49WOCk)}AN#M9Sbb=gS8kZB6Pukm%Fj-z9)3#39xMo?jkEg)@#SZT@TkwYbkEp3r z+24zbu2i@p>RcWIhDX$!7bmvb4iNdYm`uaIgqgjQIT+7IC!s~9+t)xe<1Vp73MF?{Gy1(SUzY|b*n3CWYZ&>7vm*ce z!cYz*4TWUF(tnPqJe_QQ?^H>ECR~#hjD9(J`36%BvrFv+WuRxG(R=dp)+gWhzP9rA ztB_5i?9YImU+i+Bo8{>N{;~>XUYYCZQg9K-y$D-k`-6|Zv>)nptj+*2<3TL>)a@86AjfjQ-JuPslUuIqEH$bbgdztse5N5+ZYJsuZKM-Nc`F2*jYL zhx+*9&cAkQ%m$TY0)s*;xx+qh8kM0aK0-g9ssZaM!ygB7VYSy^j zS2-}h9$+BUT%)B$w7=$TIjnTwzNepN57W)K^n<}v7}YXp7&7;zs0R4y`1928g_cdM zTVdGvZhujkLn|O0Y@9p^Ix^pyVflnj3o{ORQGChNy{`0yvt@1#d=lzfhefGy&T>oVHejWxx zq{FG1Ifzh@`h`qgwYM2tW4c7VAdn|~)7=&hZOFg;DGjiR>=FHBVVz7-tBj=u&DFyznPBGXE~ zTA5I)nVb?eSAZLj)$kVBrE-@!qk^XBLk<&lwvp@GEoR8A2xUtD&Am)cevzWG>F_2< z87_@p_G8$}ZUU^^x0V?A#EhREKg+7}!xR0+*S1K3iZS5LV_lxzIiF(?`lHJYSMece z0oxN}LZ@)dkkbQFg|LCG{+Su-C0ZhDQp=GX3(L5GlNBu&%iH;d?HfaBhTU%8|HyRxg! zaQ0x3i=Rv1gEj{m<*%v(r_5)5{t#fmd-JP6zOmXidEA}~PAHqOt9}UI>Fj64$+cCL z(Y}Jx1oXx*Nn$p zDR+(aRh&muCGy&m_k~BcXk?O9k8z`*a+M)$+RC(5>JN$cP){_HYUEZTMAvINlAalq z+l8id4tZljn>Ks9)V2%vSD70SKLdC%q8%X(5jl#qjxvY5hL}l3zlS?qMVyU*!Yz%; z)5g;s@$p5Z=i}<##(~e&$>DX?@7u76Mx7E=x>6?`^SHF0ge+|I1SiE@QG7!8m=A?~ z+}z1xQ`vgfxe|it+7f`DI`^z#r%{^gaNQESte38iQEk{>{b@?w{uZ#(jI~tu*vytn zTf3H_RANfN$}O3Rt#^EH5Xa57TMo>>6yKgbxLH%GBe|Sec_QJdig@4XUi3epweEKb znaim;*50y7t`f*NG5I-*HA#LZK%n6>*lIzI@0gdyxRLF4tL=naY?a4X{YqlPRrOTu z4FTg6Rq9qj*_^B5jh$a?Y|roqZ#XbJ;k4Q{4aI?;7{b6&yz<3OzQH>wb=2Z+D&fHy zd}QVgpuc|YvNlBkdRV(%`7^;%DBjS~z}gITO!;_2x#HT(riNI?F#K|m@>O3M@~N}i zuG}e>(tujOhdhSUy46vkdjl3v_CT|qpDPzj+115^GAOplrm(r2}&^BMw+=WLt z%mGgQ=*O{q=CbkI3S8FmYr}Flw-P;fMGh}ceDEB-fK=w7TT<%XXh}mGSkPh%(F0Xl zg;1pqQf6q#odMUEEYJYk*EV76f`uA?O-zhP7dYEm%mxmT#dp-NQ@Bt(O5a`DqY^$v z5Xz*jg#WZME?KRok`ba2OzZjV(Vw5GIo zea86!40=lbm2~sp37kcv#W+{NX4V$Ww0Q-4fz!yFCXcG#QZ< zBli=a%eIg-mqtKlW`OSDo9@Qup7~!Ja`zZ4+D?GF0yXTGMl zvzq4KLGG(2G)`_+)6CM&ZuQ_WyC2YEIRE5wD`hHo^$jrF}C9WIbA$cmJR>zZ! zFgA;rpKPLap!$*|Z&Zm>U>QIdwkP>@1Fg(k?k`gtYZ110L*x(H!Y|2)g~*^>E8R=_ zAi(e@u{SYE4EEC04vZ(euazzpYi%>rJ0M&uXfXVRlIE^P?}BP$gRJEDXHfM6`t33j z#!eNEYF$Z3wZ2}vGfX86yIgcG0yC=a7|k0lxonVu6PtT0E~Zo+`j-#(rOG$jO^u;x z#e~atw1;zZQ-z$*8!H8?U+#B@nlDUM=_DzNCdWPpUr$k#ECOl=+{>Bvhi#zQAERe* zsXya(YE+sxY7jEv-AIIoS=}DbLqk251Ona5>Q4E>D$>l{-w3!}di6B2gfC?KxLN$( zF;P(l^~z?cXCrOIkHwk>1R#o}qJ4%2W382Ha5XnE`xBii;idy+qb|J*=q=T8?71MW z(_q0@>dcOFE`1*PVPDTmt}q&}ZRgEv7+&AzZ*^V7sl~{e+WKl&)5d8zA9a=98HF7( z3{ink1(~5JAXv{kO7UO504fYMJpdWaDw0PC9>E%K>ieUmLD)3@#V2dQ=*>H{vCg48 z(1oUAxH&AO&48=1;RpYq;Z)G@USbKSOr{{V2=PWyr9UvE_omDzHR%;yZARakkvhDJ z8Fae72NUUd)h5NxQbtcWAs%2ZCVRpA>`lbavD(Lo4=DGC3QF*iI#|-CMFA`P;})u^ zUFEMn9TLh)nItXL8hDTr7_i_2{8|&BwaZQ#U*pHM8~6$=gMKXym?I8q2eN&7rEaU( zY0W5I!4p%(6n}HdLUlAY9YX|@x%|{37^aTM|_J9pilH@L1ETBjpwcC4Q6=j;9 zmYnKAEDInfWGI6VP|9*Ex{`D~ngo3WD{kKzJq1>#pA_2O*+{QS#vUzJ+Y^zfHeXcHaOxi*8rt^drk9j*eN zOxIzRUB$RO>yzx`T524+#HaEryl|h6!EGc**uHFqg60cxeOtG2rTOlaw_Dh0&$rXCy@z8!$nJM75%2L$)cY5C9 zY;70{JPIA}dG&aht{r~G6Z2G=y3ShGLW0R1roEC}WQE`d4-`>38E_L^5+G32O_tyl zL**}&oQ?%#ql-YrFiep56QAO#bpRl}lS(pH->a=PALrM}_MLsMAO@UbHG2-Q5Hc@N z>IjT#WT=ce?$K;quxCwgP`HQGbr+jsJ8U*5H`-m*KwriT?};2v*jfZxYE_=v#@R1? z3c#dea4kJ14_v#tyV4*JXR885G6D5S zhI!m?MBOe1KKg}fn-)32U={y?C3jgON8p7n61Zc710#z;xr|Q5m?9hdfi2bcP@XPl zQrw*i09<8Njp9lTz<*6*6GiazCxD7yTua6V>5RQVty^&#f1_zU6+68XY-YFM3U+Mq zhzDlGM~VnvuXvy=%cqpb)lvssE1fQ=qs%6-3y&g(ju0sn_z)tYmw5f>s3+WVQs<=M zqFc)5=FWdKyvIeW%tF@`Tg#LbLLguqxUxX&I#IEjbW1*74x`;7r`a zRqcb7$E#EfAc2NXrR3u1Hf)(mhr1wR0vB{Ay--L{Qa0t2+;H*D4bSt%_Y{;p{T+QnDxBSHUSeXa!mB)`PVbvPcVnMIgRC+J2NM6a&)DGEeXP| z%HdchFuK4x1?^}yo$EJyUhX@c|By7cMcOwJPU2Pjys59U(HAh*H3e+Qf%qD-(FlPH zzwYz9i_ED8u`?d(m17X8@>`&?`kQlS@IT)`-%Oou1z)hj{2H;EsC>Zw&W~+(63bL* z$POII3vGa3LFHyls2}vNYd{hyx{;A>8FNzf={?jXJ70WOe{e zsYw~-OOc1n#G*FE%~cI&)=;^7R36+$59B6%#4tjJ3{hd^QTqnw)Jb#MPvYUUD@L_l z*CM8Unf}?zL8!QsY`?T^H?Kn3TL%S_ZQW881YrlO`V@X4QM}N^ z0^d6u7rl|RyeM`NiAHz1#o?Q{_SefVkpf^r$4v9 zgrq!S#i6cB90}FP7ms$?yF2hDM+V^ezY9Z!~qXWgJIvA zz=AGFx4Y*jQ7XBzeb$d?*0qjiC!=qrsg)M}T3x*B_*YT%}MlM&2}D? zWjxO*A=4*jD2TziI~-rAi!qQ+A5@%}COWM=|BRcof(m?)uK$cSj~6qu>$YZpq%9kG z7VQH;;#ffqZ9zc@m>5yyqpf--9dENU#kWfBz56w~tC6$u-$pE7NcNiHw*2{FNe;T6 zy|>%OD^E8UY`KT)e&o>X)ZNz^>^s5`0UayM5*S}HKsWpI34PLuP@2bH_xB_kwV3I=~@le$I~8WV?2ytsv3nrG?|jm z)!=T4iRszvmB!(VS9dxy zfX6xS5{6Mb?uNjC61YWcvJZz7{Nzbrj*ZJ_FpK4g6*P+?wWo=mx4qH7C0(r3F|2IU zIer8qT8wJCR|b7ud6;RAxl|_77neDKL+a`3r7(IA!XXtF;t&@Ue?OI`igzG#NF=Xz z#OtGyV_VldHq)V>6F9zE?-q}SdFlWM%N%-@vXQ!th>aoF^PM{%1?*3L<%~zOTl;@t zx89dkDa}wluEbaBkPNr08Ijri&cnsfm2rPBt7r6*Gg{I|W5{iG9saYsW@PTBI$iiN z*goGz1#ppA;j5Al{q?qY(^+)^)|g-cH(v}mF^E29jTdCFhbsa(S}ilzyt{_>ly}1y zQFZlhHkjz=OZf>N^8yWFIAqku?5@NfHCf|vP}w$&kLtBl!m0FYM$J!^;(QcNu*7~y znx;Lh`HFPAe-Qe2N@8M(VIZE2e&)`5+7<4*1%!-vZWT;rgNdaY`4i{*=B@g^)8GJ_ zpebIcaA8WbAt$@Knxv?OXv4_^s7>*<(3pmAI*ag^d&@$pS8C8 zH~n)T`B(_}IgrieXcz!U$O+0@emdg+twC5-YFUHf=a!jJv;jUU0=C;&J6EKwFt0I+ z}jMQTpp4fOptunGwNQa#rk|ir431EN8QKgs}?F286sLS;^>qJ8}7EM2X z_px8bZD_ObmO_(Ham^h65aLG>)U5_JhskIG9y$F^EG`#s!#JK-lGka4m@Sg$_Q(%m zaU0F$;*ELHj()1Fq0ViaoIN8uEIAA8m1icC5;qznCOAguja#OrOy zTXEwI1qTMheHO~lf~F2d3kI7X>rNUb?fV`yoDx>DxM)N5$(5w~T(v(HQ)E=o3`0GD z&@Km5H!3|u*TP+>`Pp+r35h6|lK_v&J>`xSKS@QkagC@&$b82$O}1DoxDiUH;(Qi0 zx7<@ahsa4o_WrG#)6DuU^doMc(zKLb032Gc%FpCFfeK?jy&{N8nbAeZHCNY1eT+wURC#OHWx=u?U-&3y!OsAJ8&|)&)c`=vuT; z2IK)ecQm55`LHN1J~`Z${(S}+xKcphic}avr?(^3o}svYWy%x83g)J}UDR-+FOy6Uu|V+xK%U?$9+CZP;e?i~GorXq^p0RtwgCwJ4jR?}ve zFM!@qV0dI;$z4F3?{m2vMG0Ptohks*QIP@gw=^H2c^j5z5qf>}Kq+foXk1E1#-mFO ztX3ubtDzkcEh1{jrRDqqINJ^}?K8Zaw&_IbUMZLJuXuvd12dvZrQA9U{jvBWdf9RL zNhJ<V}cj{JLJ6ZwoVoZ>Z&DL;0g&h1j9y{Ns2?ZOxOY1B37N?>;Fc zjqg(ykz1&tu^C&}G*__Yv&PrnzYKr#)(6Ne690h&^!fV6eViI_YRtzqm9{C|h78gN z57!ytEBc;9mqqMvaE$FcIOuk+ww!=(0}5xO>{}+6o#%>6GcMnyMclJjjqUT2IU~+L za2OmgV4o4>QTJDL<#e`R zGJBOwZz*KR2_0D==VoZ&)BkDtu(xnC)dpjqaF>%i#R3H`IiIx?W%p9N_aD7;*1g}6 zQNaMd0|u6A`)_ZSbnBePEWiD7b;Q`dUz&;>A%M$<>ryqE{0VPS677DfQ5(6%<^yg% zFAJQ;Rioc1LJ!FNMwFlJ;phn4O_f7?wuZ;vdD@2NFb;}ec=5zqzn zvdP2@*ZP2dx5Jszxv^Qbv86M2HEZlvOs4ErN>O}H=s^I#V(bLr3L7~Zc@N0JSe_W#?OTOHU8ncWy?Aj-&1w_3TvMRpI(&kF-;twYt6G4lF$64SNYFY zIW7-vPWuNDZ}k%?c8;w!A~#2xL;` z_NqDxsf&BF@nq)q)ao@#QJ8nZsIq`N+;Ku%tMRS>d|l7*^_E&L?3)oB`uUS`F4X}piF;JrDbI2@mQ=+Uz88MVh0j{`I@$Pt{F`#XRt;% zv2!;WGl4P3&LdwuVU3$!z|E*$Rh8p90{`JA4<)!j9NlXUxpfKcqX%}|9G#%2eyn8y zA0E+a?Dkp{6waBOrzNS%(^1lW1Cx_8ua+=b&9U)S#oY^h%Z>t-OhqN~JpUx@|0Z1*^Ypj~_ z?2L(-Exe~}RU&Z&_j>jc9JqY0+Z5m<>@)%~y;uTH^>c`wYILanCAkjZYapsT{v4{{ zTxZv7$ml1`7>nKHr%(AA5(13b+h_w_zk&RQMcA0R?`^u1>Okea)%QV;e&6S+b`%$r z8CWSezQ^7yWgpG2$g;^GO>OrZBeSdcK6Gl~IKD1XNIaLck-do>cW3UR92cIY9_Gsw z4XbhQntNr{N1nITtqnJa7bJNjYr`qJ#xvD&|Ip4%EW_f1iPQvf|805j4Yh~H9AAyFSyBJQJDM>@LqYiC)XXR>j@^D@4bfEj-jl6^9J0vX0#A>E zz=eIXc+%j;;4^vxvjaY;())-?V48H8HQHWwVO`yrlTUZH%j2E@rTPR z@}xIEeb%{j6Pb(s(TI&x>QPikha6?W;sO{F^)yjooKz}BdG|^O{;i|5a5>t3VRHFW zxS1Hg+TjNV6iU+@%%TQ$e;+C@NTbz-+*?_SfHh|V8*31kFEZfG3N9ywgi7{x1 zC2tRZs%p>A80?Hd9%HA^V>}E3Cj{gzd#|eMkzwT+dJV5#xAZ{Yv&VmC=QTz>SfIuc zYOVAX^Rz%lu_xzQwDy#nJd<*9N@>s#Yuw3*;X5c+b>02YIQcr9t!K?E3eIwTr$g(sP?(@mq={7_8=w`^!BGHfBHO1X=RFr>1nR z-DCJGMjZQjq9!ysB*Q&b{yx>o!h%&c)?lG`{2&~9Z1sr(@7KZ?+srd)-!=R!0}&ll`Q*4v(31oeJsQMn?@ot+mTz4 zu>Fl_bv#Y`$pmQukRh%bl&UnF=$uL_1y0S_kL=0 ztd`xv%TB&gyHIW&ko<-C=x%}b zKH^!DUBqv#NDgSuSm3SCyT&g<^Hd%WVxuOQTe2SJMON7L=QQ3hFOxyDS1YER7ah>} zFUjN5$y+%GHd;|ZSB>s}#M_sR5G!0H*XU-8{>}`b;|=a*Jh(?=8>bbKXX$$GFY-Xi zs3G0S54xHhvweq(`gOB2EJ+NT7vMYHJgk$%+f-4C9e}M!Ex&2x=m?tWa2l>`d{6^g zDOo>kKjB_i(Ke(p%cc94<`(^Yv0fqU^lw-H#4f5GldNLw3NMGVHu-E{Tjh2EHf>c; z5uU5~F607P7aYPrZ>uIJEg)jLx}{rkOi{-*fW(Dac9x_gxj2=Hk%Ru1>tCxVlig3K z?rgQZdmS^QawwS;DU`B%aZ!Kx-y3>)PEApaz3Bi(*rlkawLbP&q}Lc%x%pb+IAd(T zKhd?7X|YQLB_U6+kU42*$iaqu>kvrSn^>ezec;qYePfNQbKwJihc1b^9m53GAJuyq zO8W3mVOXQqqHx>oxksJJE^J(7qj|<}2{TA(d2++?Ud)DFdllawrTWTC#zYM!k-2lt zh1Q$;PQ#cSuVMW35my5e#2`BOKq6Dnwc5fA;EVk3w*>2G!ooLb<>MZv^e%|gwtfnu ze%j``R5p5hn@zodRT@NghM^I6do5oDCN%@a9rUIH&}IkgVa#ed9af561wox+z73|MVS`*x!5pi{VCp@uH2-u}bjH zod<~wO7?FyJT67^ELohI+TC@VPS<F_7!0!P+vqQ2p{qNIbGLh{Gzk%x(b=2a!%o;E)&T$rjdVefKXm(J1NiNM$% zOseN#+ag_523^Nh24&#tV%nA}5>fD#F(XJW#A$rmK;X zTR2d7lZ`{$Vg1}{z#0eNVLNI5pz^cZz5sCe&Tt;RLmq#b;~UL-?W z=Y*f)J)Ov17P1HslgC4`0~^=s{o{jawdMH;JwYs`mmAs zL)O=)G-Xze(~l{fO;J4T>lO#+t4F(dyNOR0;NEGZuZ)d~11F_)6{Got&1~-iRO_8SG`YsCBj=LDa>hMI*iYe)kUYWv3pd~UygfjV4i6Sv*8FminX!vVUx!^(+k z0=7Gyo62UmEHk@huUVRSbO^Eb?A27) zeP6a;q-{EO6p90RTVC`)6CQzp&wmH%cNn(Ei6@Wb?}EQs>{9mg5WKoygJx)bV)?mP zpLeG{pR3GvdKjQr>Dk549-X)tIdBk@LEu2Y-|eV8lI`1e%nX-!d- z<^taE1)QPsNH{%=9XMAH^?Xxxx81PeG9)v^UD;*W-^IRhKX4-DgNAt_;z4nT);G^F zDBLl>K;`i&Mw*+ws+)x}7udkwv&M@53Y?N@$css0J2b^3RFvF8t+VE^pEsUsQF2qb z1{rND!ja0+!`rC(YwwQ?w+8{tNag9Er7UbM#;eFB+06C{CVq)$GXB=B+I|C}bD$la zG^^w7vVK^*2B;kH+fzr$(R=vNZU(Z`z1;s6Jk@+RDya&HtzyMKv<(^BMKocTM{C7swU{Y`v|KAFIzbF8)&Oi#21ywDIH=xO1SmW^eWkUqB|pSntv zw_+;Oj?g)B{iGh&`(sdg|3*iCpn-~R!Z&Nb(eMh(3%?Glo6wA1N}%VzQXrSVkow5O~~IZ8~VtGZZiI&3bP{&%I$(&La!R z)4Td{3RjqZSYS=+?tEVQwfCCZd_zVD$AdjY(Ho%Ucf-83A24CcQc3*}Qa)_H`Dy4t zH&qrdZm`8r_AAMD9PVEM&yCJ!2_G5>!ruIR5$w;|efbZ(lVQNSG({%UIoXDMF43an z*}=rVBa_!0@xg8i{3Er!$pEa_9+&sa37SgDI?jHP+{|=y!3cJ-!(AmHe5aTpBEcpK ziM2D~^8eby^G}L?4^8Dw3r)@NrXjnFWqrFgL4XB;ZPiKvI=Ax$&Y;}lYM+tXfr;c> zQfcq!2$<@pRFoIIm;T(+b!sw)qsp+SKcD(hAp9vx-0|Lw@Y;x~$R}~n#qhDJnZ$XF zL(T|zb=|4uM~M_Ibms1~vliN0nY6w1Lm-ZFXpWU}r;HqPQ)FU@&lzOe*jIIs&HLnb zq>7(%sR@U3LQQgJ{9~Y)wmaBvg+sX%0(QXtV$PwJUZ^mW_x``87)-bNV{ zrM^qXjs^g8GhRDYau@BMZaTqtf%<7GZSUB zD7waiPl+q(8y4W2_VO8xR3MkiZvxY{T(r%F-uH^h8E5cE+z&Xm25LdQ$y{jK_gA-}G*F zrO?=!rZ8nY2|b~-p2E1N@C-2z7d=bBiy$Yzdt13-)oMM@a?OT1K3*LQ zQ0wu}HL?DuEPJ62`LZFI2WmkL`w1WyQhr9zmZxuOli1rAzb!Y-+jR`<8)0j{QkL#P zdalTu^q|wIqI6Y6S8j$i;d@&nSKFcEXDIvr-7L=|xnvc-A+Cw>0|RNU)eedD!5JqL z3vvtFNNmAU$&s}SqlgTHZ(l3`MflW>);_oICni2gGN!AY+Ajrt;|mtV_EtUcV2y)B z+zeXj>raB@R8f>qilZ9u6ApJAtQ$@M`ra4dmRkH1&LVYP^i01;OSGT-a>9wmrkjQ_ z8SghArEj>@m+*XmHE9r#`~MKqOw4B(&~=2l^Ai)&FgXqWyjKYOHA4VneK~pJm{VQX zd!#DV;$9WluyHaDd~32DRoQ!EwOIwPffUfgUW^u5ST5GZ3gJ>ad}ZU4R3*`TQJZMy z&asHaZW_rj4B)l|M0f{PLNy}OwCf!Nea#f7UEmHyRzQKuGc$hHdD5UGq%yV^^eo`K z6trd3PG}LZ#8$lql#dH^jYAPi*7g|k`SK>j=@Q3|3TdvWczJ9ZLbAvNZ2Dz&Ls+FO zzU~fr-_mk8W2m2C>S+@}lW)iVsi(?wp>I8PTGHv8@^Vm|Tg6}+SZwlH;lDJp_laAm z1Dkw9V-7L8p1>on$C&+fZ`$|5%=0l&ZOqGF#GW54K)ivHGfFVi#XKnV9P?(Vu%3rS zOg##bF!aN>KP85F$>U9Wx2^WXi10*P^&J(rz1K|=TN>)sT26fqf#AmtEYQ!~{4HV4@6U2IRYv7w$CLzXoIi{|6$M@xa{ks2OCp8Zk zGipymR#665u~@#UDH4*>K0StGD0-8w(W9rsCwEn}$WD3OFU&q+*8E`PKy=TmUVLNh zwc|b`Z%t*qA1yLQU>O#Tv4^~%R(UkIz$6TASURjo(zeC^ff zLXFDi_>N3yI9W@)Z1#1P$jW^t3#hmz9WEz)r4=730d zcY{)gPU$>!$l=iS->AQ<=YR2z@s9W69pkz30%7g7*IaXc=Uj7r_DtHLBG9Mry%!$g zu^dFCLQ|N1=y=va;7#ZVwQKNyD~NhheT9@U@@u(c-9{s#{T{vVu&ScH*~dW(33rc> zaBkb+dJDT$(laByJkjZnqi(9R_~0Go?`LAJ*i6_Gi9QN05)Cv1Xe6Aoa^ z`mZiA#Yjc0mhSoZ$GuCYyk9Nz=*?9-8~*N~d!2ek50x6 zedpxZBLis!ne6nKwRF}g&clMd|4tVOL;@xhN z9*xTMw$Q7&H`&2M@>4f}FhBV@bT~5Ld!3Qs7@Qd`BMM+*{c=&95<6-PXt0ltCfS31 z(z~P&T3zHVg%y4zEwVu@SP#f<=yJ>bfHI@@QGI}9OghvVK#e-m&$fjzEE}iVDlwM#zxo%4dHyx(bk^@Q&_!QE zlYK~rtekY-2w$yKT=Z0KRy)8ugl2g!1y*G-AAo@M+J>cn_cZK8v;lAJU(b_NGOPJ|5@X%?iH)*t8 zQ8PC;Ehf4gX%4qdzC2FeC-zp*=OLI@o@RKeC`h-*Eku4LeqMJy^XziNYRKHmJUzP9 zVNJLF=I6vMyIlv5*;U;@__DW(x+y&;cni9JJY#%Red{r-rI1g5-M35gY3o|(+5E$e z)vKjP`oApI+ZVnE{1&ViT=TBBrhp|orq3Nh92{;s9NDjEx*aA7MOcD;kep`X=1saq z&#w+cTZ(f&@c|cQ!{>+6%LU3!KSAR?&;_cr)ddTPr|a02&+WZ*>z8vj+rW6f zaC89%QN=Uayj~wXl2iT3>0b@Lu%ePy$f7O$`gnz{ez(@tbw^v(6S%G>mOhmZ7ovE& z7`}mMn+$(jG}~I-Juk&*`<`I39tHh_d$`genA@bcU5A1N0k-=5^=scIyH;*t(boH| z)Qnv2ZF4dv;ufqqq1Yq}9h;gb1Y#0E!6h=)(}l=mvo;z>M9jdk-t1WBXX}Z`f*tGg$d0QT@ zEG@!LPoY9BedoIbTeVjSA5Pi^-BGteBW*gaI?3F)rCeY!_f>p^Bc`r-dsNdz&-4%1 ziv69=iD#N-0UmQsj%LR2`CAVbqZ*bS8{`Z=#^sxy=R3pZ*TXcB1AbG@FI)N-t*S1- z2?s3UuH$k`EZcTnX!iQ{&QL2_X~_v>bQi7$ghnwgq;>++W?|0Of!^|RZ)TN-(~nd0 z(pJ!__S;b(9`K4|rz-ob^W zWd7Gx$G-XDfiNx7WR<>@XHB)wxWZ4?+7Vyi?8)0uotGLQbnL4-n^Pc>U1P+K$R1{= zZ)c9TmmS*dv`rl(GY*vr*sGp9ik~|=TGZ+^k>=w6 z&^~(LVT!k>-r3_azjblL1~K6zy1JV>)Z*Ugv90l$BCgKZTn107ohwHHP!Ks%`40qO zzRc;ACNs(Mw?MNVm8)v~*vgg@_o9L~1Q%yZQ(Jh57e{T2XINOTQgSBB*kIv1^lo1H zlG24hhkyny&xqY98u%{SeW%T=r4pp+_t2lMTZ8I4I;W)>UnA@oj)+#Al``2L;WmA3FHPhE>iumbGuwYVsmR|9r zcEfWck25^;D&_N?7>vY>1S}SoSWr=(PN{X%(ly+)MjUs}i?b!rcY!-JC(E08__EMM zN4;0#)m-^vTL7(f><}p5F>-qET^6FnuGgN$DOUl{&W|PlSoMvnJg!!s(7D;o+Znzt z2BbYo!eve+b%jQh`)d6a35h9C6^6jpj0ym|L?XCYw+b|lqGA3Almd`v2tXZ87BDQ_ zLV_fqC$X_dv{EblS+pWOm8Mkp6b`YU72ywka}7pIS%CbcLv8svN9st40QYY#6)32x z13)WvTvKvCKXE@;*O#t;m*nyQpp`lw&USBMPB%M3EEdqUngfcfy9GuVeg)vO{wJ%8 zM6;QZ}wTkg&FD}b?<8=tpY6pH~7>k|e$<3=xm6PAA9{=4F^i}&qLt^JLs z$Tw94S{6R4+)$c_uqMLvM3;u4a4bso0cAx=1@tCJ6Vq5n+2t{x2Z&&Maxed{3^_If0@g>fy+IJrLuh zp8>g_O0V?1&x5`W1MV;@h;T{%<5}bZ7i$cV$f7RCKW>y3!`$*9+)<=p8WEww_|3YY zVjPFHflqJt)ExHGO*S%zr7dala$L=Fxhwx=eg0Pfg>A~VkK_fg90TDB(&lS_FuY3P z4^Lq6|MUr#K_q@R11?%E$H~U*s{O2Hf&0QdjHou&9#wW7@qdg>N*`opz#Mg}_G5?- z2Bm=_HF3 z%!4KbQueRt_>Bp8549#$Sab+jFTb@&{YQ_h2?gE*m$cM(e-XlmWgrwUHBHjM|5=7<7-B#;x?t5Q0VJM$r@V$R7N*HQ(&N5~ z6apgt(kB~nHF;>O7Kjh5#2l6NE-4T0;aI`{x^c}=lzew1oTw8~INk$sBm@2ZrbAg&4Z8B!-BK-R4rY8uA-gNoQE;Ii|0-45;0)kTr^% z?E3SC|G!plCbB;du<#^Q;zb&>h>$rSFR~Q{FndBO)2{{5OE04}5&wm>7r%ko!#=VC zVFU+2qte4FUi_JSH!yjZi)SM6mr_{|Tu;`JP=rDwWHSEL+LmXt{1?Awk)K8rBLX$3 zzc-o~p8W}I^(wnBr%izfl1epXKc@@;QbC0TBsAmv3qe%>*2d3I-tQ_-KF}Swl7s!N zrJ|7a9|7X~qZ#R81cVn-X%7Q3c}WN6X9EKk*dx733y1Q}%N z9jF0?G6z86=&V;|=>>>|AIDgh8~5zLu}KH^)I%FbWn@j_CHX_UQ|3&(*LFQA3;gkZ;#UK$rF?udBB{; zaocjb08SF!tV}?3Hxem-8o-w=RE@j+Pu-~eHDPJ#>SX}Qnh79TU!DPw)_VZb%5i>? z!w zqf;7EWT27a+ZO;Zib(XgRnDmeh>0L!#781z&JU2=rbpDT$dJegD;$rs=);Ak^pbU~ ze^*vxJ&i^e@%e9}yMH07s+qoXbt3N^d~k9Kf;uC#`6*NLD`VS zpcq;J%BE00RqTm`2Tj+2!hgyp@%Cw1mq>y z(L?_|>dxPh}&yj2-`t^ttKpNE2~>PwV^uvp~cOCCgLyyNR32k*55Z z<4Rt#|3~%%HaVvW&_W4mn3YApbpjayI+BU&ALFv7>Ts?qjg9Lg8^s0o!6a@>*o$XK zWRfC9HNe+77d2X z>?k#XfVtO-=a7qidEEChn!XgsO6 zS}+(6vhBhBw+lySfi2C)e;X?J#2)ZnYo9Bb|BRInjJ03$ilz-E$Kb(TlCJf9jRv+B z-~Vo{|KD$|bjm)+#TC#UTTITPpr4T7>ilyy*;z*l2;+V~ns{rYbO#BxE`upS2J$vRP29o!X`q$cR&M}*zvDGJ(2n#NLI1U@P-Bl&|cScISMPt9U)v1>o z83kR>WkyO>ukFeisyT1nWjlMB5TXIeJnb~)M~q7b<} z=#*N|Ny8I6yT1WS%kzB=6R(WxTkzd>^k!=<^mCLN=5w+mLSGrH7pZ=mDvNWLaJ}Mk z-CL-E${7&YZ6rS6Qxl)LfgeAVPyEmUNrXF1kl2>R4PXsn(Ms<0zWFsUZeikt_UI0F z!aquG3PE5d`{Ssm$y5iQ`^~ZtJ%s%(Bk`s&Dc4Nd*DfxaxA-h0K7i0uG_kIGA9m`o z;>Q&sAi(mX@Mgnt+;KUMuU(^OS(wh-XT0kQPk)&?#o1E~2}9QAJgh@#H{}z65Cxt^ zADLuu+8;`LDwKIMrIv;INe+`iX{bO61iM0V9ik3H! z2NG~E0NcW3=1BZqeS*-n*Ot%)9=lcCL&JwsA^-FWzRjHYrK1v3${~2#zHSm z#k-Cdz5@fz)neQybqV4vWj}=Q3DxjuXEg{b5);O*H~T^T`ouqctKI}$6eBZVaytB_ zvP?ge6JYCT_XQmCYFw#eF;B!|RALs8!+@PC&6 z`gQ5OL_^JEqLr$F-ELfCcYm=a)5y?ijqNALbBr@mO9-;z0fwdF=vZXoj}Ude5pY68 z5GmvRw5}2T$q|0B4-%@f;;5mSG@c3N=Z{F9JB>Km0{;y9K6mkG8sYUGKJpUW;vM1L z`sw3gGh5BEB9WOY19rrl;KozPlh7yo)>COY`^a6t*2I5&D~bP7`YQ5_pSdv?V!}o- zcUx>W5s_d!8a6YcWR`=Yas|$fb(VSONPF;8=_a1M3zV99(h&)2TQWQZa3CqcG<|Ni{PVSM?35iFwdhfM`JnVJ^Fe zX#$N+F?bnAL@z@l=UjOmFQ2zd;h4p-tL>L@cDG}wkFnyxH(p<#_@?FE?`%RrS<}T4 zXGO8Mj-jzyX`T4)YndH9{Vvtptb}BqiEk;GXbtWfU(eGBOz*8$F3C`Qp|e>*8bm4! zH2HCWllaoze|+FN<2%3pTtu8zL`&geE{OqNm?Sshl#>{H5#1|~XfwWy+|;B(lS{gg z$2vt@)_lJ&8pwVV+r&SvDzsJgmhkua`SQ6>e1xCj$VqA-?hYZU7-|!P)(?8@XmdY- z4x~PAoo3q^15f+2+I+gHX{cX@Oys&xrt|u4_vzbi2U4_XoERScZ?_=XvTc`~iZ;n+ z%TKMNiBd?nd?h@!6Fwg0?>$h3h3)$n`;L{oZ4)9zj5z9KVs(jYypWvn8U+HMbh0r!2GKD%4gFiX*UoFEt+D}sSqu?G#mMYZbpv3T#}&X2ky)F z+#L2;cZ2wA1P_)aLe_~8(b=80b!FaV*06QSp+g)(k>&0hrg3LO$7H~Q6D-gGCB|1B zN4b%@FmjKK*x0F)UeZC%>odZE$988gMRLXkiB3 z<=Z-rvgy_-UwrpL{{^A1?l%yYt@949SFxcVBP<=Fu8u==cY8eVBuu!5_WSu9x8k{K z806cf`GwUR2K#w><-hTUu%JfojiC(gSr zSXA}6Fk^J}!!7Aak&o+H;*P7;u5`+{M%_o@xz2DElIc#3#+&UB%8jr+6B~Pa!VvJB z)q#`Of$I!WOg)ITmYR#W-sm*D>6Av4&@?Isw1_30fCFPEFu4GQvo|$e>LFF&JXc|n zN|W(M&d9GjcERk0DPO_a<{Iru7f&@5E!>;m9}{SDr%^j&oN%Mnt}B<`HNMA>y-fYu z=aRFwV@n$ZOBf`lH7Y%cDsa4=haXJaPm&qqW$8#|X5I3;DxH<}HY~e|>tpfMd2P4d5-s%e z5}`CE9h-&NH7B9Y!RVsO#}#dc_wC@UwENHOi;QW}k8WjnWhM23OMl_9iD2w9o3pyt z-}?thhT2%=O_o-POlx??5N~g(-jUQh+7O-YUwNiFmhYcyjr2L6{XWbbU%h7!=Q}{> zSz`wci8sM76KV{tdhibFrL$9KnskvkMVR-QrL^JvvQ&Er?v`xaJ_q7&S_3mP4Uc37 z9jEfIqVgGH5_uv^V<|O|nKIukejqQO;x|+|Q}eR8dSBmvOhPl`L@g$h-mDk)O7n|A z_ak0I(}dnfDF?Oc2iZ)^O%NRZ#nFrBz8dWD!@5LSa465Mg1JoTIiQIrcY7#xK%Xq0Ys3vOYBN*J?3brK@oAutjH&|Zzxq<#7lSl1 zD>*bT8uDiVf$ayLr*Or*WRR(Y1cvfh>sJ z2laW0{qrb(WA_Rl$2@HbhC`=cCc!^8YPFIU4`bmvQxHF-b2g~f)YUrIm#v$l1?M1j zxynfXI5m>6ADqks+eMqMFC~t>ORnp2$_-YsRl4aEO72*!&wXdANqS|EyQ~Yd(TA$q zwzE$X4})(us4D}8PKUhSBeEdHp<*HaXmL^RZ6CjN^g7`{VpH`FITte~n*~LRvgmGr zQct`tPAN2TZ3a&()iZTEH09uuU7w>(1cDhisqV)-8!ynfcJz)@T-?QbO9+TfbJbrj2 zmsgizH0ij4#=iPO`rGXz&xp0=K_W`t z3eQ`-Ek>3+Jks-Dl((Ipjd!t`{g;tUj%C$zRPAn>j{`4MA+R|1kCy261Q_RUUQZwE zwxv(>a-iV>RQ$`nT}!J`2QKkxCn|6iM*G6u-M4uj-A0}0|8@U&lQ_g$# zd1M=X)JGgwmBQ2|4S-)4wX!PS(SNU3^7&H7cBZMm``zT#kgcrghD%#C;e@wV`G@5_ z?u;{c&q|>Qc#mApfsz7u$E9zp^^G{ge=LBM`(pwfD(NzH=mg^gwdXZoNOOgw#BrNw(A{hwY5R6KwAu30;q**JS3f2XFzYiyrE3;x^|!7?fZQ5JtQ}Q z9e!JU^^D2#XHHO?q$lo0k0l>OS|}jW>RcLkxAXPZqsAlLyG8?OM?Ur|bu=TFrL5bI zVkSB(9~~OG(_!(;m$=!bw~c(!B2=V3*u>ekWj6mtlP7q{vljR3mpP=vv?=MVlHG;t zU{a{G7}Qo@c>R(>;M)Bx+Z%o$oF+jyxDLOV9sDrA6KE?xM4H~*_4A*LqQ^$zu@k%; zSm*ep-;Ohzq@b7kntQWXhpu=b$m~+V5{_}y0BL4%fvF2RYK@Iu_gT|}9afTeHAOM? zcj{ddTnHuTdaPJIZTJZX>6ddG?NHl7----pWTETH7G$5J<3-y~USB~t&X<&T@9vHk z+|-)X-;_59%(i;=jA#I+wZ7f({UYi1ufm(!s+toEbAWq*7uKW zzkw}m>dQ`#=U#Iuk)-g0JeMHx`uq?!38|xc*O9G)@XFDld5O_m25~;z6B}4DxVfLu z#3)aV7Bye`zRv^ibCpn=K(UsuF|SVpl5S-3sq}D$c1dm_upUD zE>*RMZkT;{2TqZg6u+{I;Ib=ibx&p~P*twaG^Jvc>&O|Q1vKy5FGcPT_ZH@EIbWTf zUT@#IpYb)GxUlhY7|hWmk*i)b7++si1|ndw`X?pB$!*XZ8dw7wBFfT=+=M=j`ZoIb#sB? zOnf&es<{GIw1H$8xH6}< z&PQZ$p_ctg z#pVU|jr_3c5w|&<(2w4E@Qs<_u&wn1&l!wed`Au!qvD3MxY(l0(g8DsryEL+j#-;R zj%>uS%w{N8GHm(PE(>f|6a10x-R|>17HBbaUT>Q6yKUOKDnH_bRXUNHE0I!J414(~ zn=6`cfGMLLME$@kb&CLVHj=irJrlQ5@O!ar)?|w_Tt$(8(dvv&bhq6NWXu9NdaLPk z?#JsmwFh6TrzTXqnd8M=j9X>c&u!Lwz9(FG_{oomZA-?)FMa;fhz(uWE6ioN7fE({ zWx91Q!B^DL;q4J)B^kGrWlDYW;q5reTziS^hpLRHc%N6@JU^BoV1q9j!NohKd}0iq zx=#gNVlDLKFz=L~2A|hFFHh^@vPu3tFI$rk;&Goj@oY_sG8k*HU7i6hP5|liDzvy(dAxnbPMWayZnRcL}WbklpNKSA3DKV?KWuyDV5gWKeMcJoZn)rGWl zpA)KZMsSCW9cgnyxa!Yi1{yG)?JYgQ?!ca$%Jf|>S|Fkk~{qsy? z{mv4k1>2`+(Zp|XJ!oCnB!H)FgjA9=mbZt$ciB3UTMgXo5W$yvI6QSeJVSS~*q?#9XzJn@grgSgYZu5CKwYo`nEOw#2*1bsWZ^}&DK|3u=y4^ACHAJ7vKk;PM;&>diJtma<0AQFr?}AZiWZumdRrZazzlm< zz%{Be~4V24C-iz35H@r4#On zcDkb8VDmu26IIW?LxrZ_)W7C4J`$;}vD`uNP}59-(M-)L7_`OE#CTjMFkew|p{2d) zv02L=@HouB*yCl^_5I>ON+b^NB%BMd;r3 z3X3S`EiaAK;c);R*Bi+t6ZZP1Dp2hoqNc#x)1+l9LwRXO!YO8CZJuBneRmhFv|DcX` z9=P#ghjH7hfRRP)uyI;f>S>G7J>^nmrb>wh4<-Eh0`;r}q-)f|rq_x<@Fw;R|H;}V z2TMjh-fiIpf6tNl9A`?%i)DLjmdQNKl3>(o|Da*KXa3HC#ncndco9t_sAI@(Z?1+i z6K&oPJSS(tt9;zVxwOVAc0JA>G<-O`gK_%a<>-d*azJItkBZxLcfsL{dPt=baScO} zT=s1uV!6z6ldep+&QZuk!`nICo$_xbR=ne%q=kQ+P%bjnD|^&u(7fptz-``e?QeX) zTArNoz9Fehp*?6pl}zH@wcN|E z{mf>h9AC!ohY1;HJ@S`ClRh7so&B`2!kO_IXV9TETEuj3B#$++a3y@BEmH+bvcVo-Yrt^CXj0SzE+v1rUNI0@?@>oDl|7)}* z>?GnOaBD7b*ezgO_M~OSJOj^a{B<$BcbbXCJqqt>{>%=noBraDx-fXSPI=v45>8obQ9YjW zs9(i(KN4Zs57D4czj{;dQ;i(B(>ekxsz~n)%|3>-V*INsu8E19V*W%bYZ7*Vvq)&i zci@R>nOqd-$~KaZ&dG0)qmCMuahzbtU)>mIv>3j-nPChuSQYYxci(h;EQ4i*z=WPK z)~}>dKHcyq9nO=6{1BT|^VnJRNwsfI55nr{iBg)EIUeNltAP?;b#Q&%c=ouFA`ROh z=D^(o%okLd?q5)LRxH$iTB6-u$u3{yZe@n_Fn?TU!ijG6$%sxzVbG@{YBMK~j>4}SPYa{Y`nkhcpVHBfn3{AmPkGS~ zAL>;E{GC>$0aYnH3-@$Nlo(5HDaChq6Ld*9?}0`AGQq);mVvJ>J?n7CPy>HHxnJ4W z;iU>HM*~Saz~$n|Ql4RuDa}(2#;sO%KaAsr2^R{sc;1{6BvAapm%SzYOn#yXKO^H~VzWcuuZ9gj zR_4O2C>3qISEGsWxnh*=lo392ihVy`GCoAzad)bxpqaEjVh9)dO ze_5Of1uJew44>w2{`gAaB}DvjC9oG>hGoUtl#VXp$;&Yj#kE^~s%p_?&>Mg_S9CUF zDra{<&PoZ8j7}?BfUx23{58LsmI_L1FJ^d^>b!BWI^}v&h|sGW&fs`7!~b4dH0BA6 zG-)PKS3j__$_OnUHSGSo7u_rAHdbTNmD^^J_FN=3v9;LM?-PzIp)qD2ydk%N_9FSwrdpXD^mMwyZi6uIn5NZrg#;Xb=7JXb z1tc&gCob+rCQn*kLP`1V>IxrM=C{L?Y_Yy+kY{jt#COl$Egv0j-gI6szNBb_K`xP> z%VW#iE<;Y1fp32ZA6v0F@rA!uZj58vt88F#$@N^-ISWO+;qMNgwr#4`6L6@)pkqjG ze%q{gI+QozbZ|xO$*h+zx;ZmDqe)@|0h3Hr-qAV>yQSe|dVJPUOOd#?hPt2LZ9DAX zmv4#p^@7JXk&+UeHP<*7n-!FLj#yIbrn3!e zNJX85UB85gL+=Z2fF#aV?8{k74|zIH^RUv^D<%W%J*44`CK37iC>2!58b@82neYyn zqRK0e?|MfP)9xM?8q7cav-Jer%tXjyM#%aqt%TJvQ*;9Q)f!pNz=%rFS3m>vwp6mL z*=C1}can$q>md)CnPf(7mEekpHD)ptaoJI&+VP}?xFvLSx4*HbLQrgei$>>M70fbm ze|gAQTfpHNcFVDK!=o^)a*&2Xo?Ny?$wHgnf%?1^mn2`YRnlp~+Cqq_=8!Ha_RXzx zy{zbSO8<RjgcG_Go@!RJKrHEfnk-P3sKIL=Q z_BWIikfugYl8t~cT~PNt(n?UyAgYKY0)OUERJ|-s4q}QD=p60CMgvi31(QYbuH$DL zAdL*S9l%ZMkoz3q>}FA8j$l2DBpNNB(&XTT>q+JTvCWqUv0sGFrn487j~oB zQipCoMY@_T*sAtnnr5MP+%hArv!I34& z$L&s*Aw)V6ThU2!V+%6*k}m*;5;v(B1~ZFlWY1&km#ohDzjuSHjnZeoGg~g!r(`Z# z5awU|LaOjYH0A(Jt28R|_neJ0QlSr>t8T`R_cA7uMZG~5*oe?+#k+M1E2eDFMZYh7 zYeR?v*)4{%mwgpqW6$$wJhjs@w=j|obPj?DL<|+zbnVXYz(kN^+kEj58-!00RL)A% zJ6lh}^7~6pglmu zM=0|Qui0?B1g};n>T7=YH`zCRLP`f777eG9ocKtPTzX+3_cee0)s^UgNV1#K?fQD| zC*xvs4udOs!d}WzttaP3)ZJQ6W?U?Uf8L^dauvq$L9+q zzxbYby218OgR>wZ!JR3+{2Szms(58`Yf zg6HYowY{f#!!+q7-_{fBb&4atUQOEsGA=kMXRdK2DN^r)^PyOJrWW;j$|k9J>)&qG z19P6^HR<9`pa0Qf)g=92x2yJ<82Gufs=e)#8^PgPuAX7e_3v5CTWAV0-uJw@=ND@? z5VL*R7CGi9sB;rh=3HwE5;p1`#-XhxP;clAikyn*X=5@{Q= zXYTGEZ29GlLhOcxo=`yU$QV*VrTsIjs+LWm;O`J+s6FkK40*X~ofF}Q=3DFIg&Ain z+Vu@GYj)x--Z*|oN9v!OTD4vs?AN^0&-9Pv-lgK%HlBJlm3a1h3SgFU#j4q|CMnEO(i!tC+9H_9pB6XikP6R}?kqW6LzLIXZogjoWvN z`0W%hq2OI!e*)sukfwe9Gk>+(i}EU`f4a=of}H#uZkcQmlSuGg7g$!6ZxB{z-Et}*odNTxp-)$*{& zM;qQ(61(q_j>>kD@{5!S7Hb1NSsb= zcN**9^@EmFkD>{!$eRJL-z0jU@jIKpaaGwXJdG+H=cqV0X}XWeZG2U9oE5W@d|V=P z%Z4U;b&-5lmzF|IVe!ISQq|_2(%lo?fKN|YatA*S;7mzLe1J6*JY$;SFV8W*FZ0>e z8%>yJdf(QomhOE7wm}F5jR{LGH6v!<%roDa!0lppwSF|)$#jGc$c2vBa`HUSeRQ=xL>Fe93TlIbL zWqfaUFPNU8hn#PsJio<)2Zf!qsA~mrDEMu$c|_|Y34&Li);}m+JmfM3MR%gg?Ue^% z4KVs#1Mfs!c*`n}pjhv6bUviQ{++-)>Y@+k)T3G3Va>WlkM!bY969yTLue4GM5Vo+ zMLltG({^SOl*>4|zo(alprVafS3 zJj-g%K18LO&0lTq&?L`X@wOWgWtp;-%CCsk5BV)I*-QDzqU5+z3V4zuX8oH+WaKlF z(=8R`U`F-}H}#hnhv=r7OyN7ZII^FE8jW%;1vZ?m_N4oq;-@afxyYL6Tq9zQ@~w_l z8p$)~h1-o>C-_P8$D-g{-!-jDeve^T5Z&4hGZ7*Y4O?ko2cHe4-jClRX2u#3x~GJK zutzK=NvH18lon>b3!hnpFC1dQbn5!^*qaEH%O!j?D8LDBW>*(NSI1T6iItIV1{OF+ zNLQuyUavR^fdVaZ$P+>%y#*U^N$$->f@c)sX4Ad%DFimeww-CB_WR(S2z2CyF@L** zVT;7UoiRQG#HEkJCn*k1I{rRlW3B23Le-8Dd|=sG8JW;li&P7w*2r}C-UKb{=9Ojf z;1(wbhyg_Zj@hX#hi`h6yEm$0&Bscf|1|7put4XIzF77Zca(UE`?Dk?tnLcU>lviM zs|+pE!BHmx*<9oTlS}DiIp?u7;S_Q7Ox?Giv?b-aBT16dUTrRx)!%%iBXl{mYhv?B z88m5MkM{MR`zo`I9`Sj4E7#B#KgT`hw|)LVSSHaLRk_23Xc{IIe2D?HT^zR%HoeTu z5XJk2uYVYwk$an_F~PnxDb4XtpR{_v@Pd#}YFaZ;sDFA-aI@8|4v!D)a5op>m}NQQ zVdd86X|s{EI(RZ3i(?}!N*pX>O(%O-#QuOZ;>7_ zEG3{I>ze}DR&`?%oa&S%Z{f|Y40qddkAQ4)<4D%FL(n(|t*{S_l%{0*T4%XM z71N0rRaimY|3Y`0i*OO`(a#}*r3}>J3^KxxRz5Nnv1)h zP58ddJr`E=<+2VH^|AeQ+Z6_Kky-rAtxIo3%GhHq%sXnQ0v}&w#yM4@z<9_=C?Mv3 zjNhp>Ji^vPT*22g172p7f=&AB3%Vw}&2dq4UK_KzGAaj?)yBAs&hzLT`)|9q!IEi( z-73@O0iOgL&WakE*iNumKdc*~6?`!3WysRk=1d6cKZqi>(&~rLvQ0W1S%aD{9zP*_ z^n~mM#S@te*e+>=TTy~l(Au;cBXjE&YEs=y z)1CVaAmAX!v5~erYLdA31zqYIq#AqMKbFVb&(`1)l!bU&iz4|5RR_D$x$Ba~Y{RfF z%m7!h@+y8gOQ1@srO;@~f}pJDF}l+!OlY?fWcyZGgK*p@3Nme!an?CZ#`2^=ml@iw!up($owlqh@t#<)MRgWm=;>&- zfAiV1vF&>^`pB1(-bGc1M544786%dTiSn_uQStZ;t~8Oysh!Ejx1-}e*RhcQEV_4y zn7Gx%KX^r2xHu$f0RSB_yuZsFvpNf$K<(OH@!AZ4ipW~OclffQS~$kc6x53Hmt}V9 zY-7--mkD{~%>pZdiwUWGgKg;P4`b$Q{NS5Ctu4-bhh22I&MsW$KPuQn;-%m?u#RE)Y2cdc;w_o|2c zS&`sjr1dHTD_xAurcGV?y|t}M%~HrQ6p><{)9dd?B4OB4>Ypd8#O)VjhFK_{d+k)8 zWE>O#EeRj;#(en0MSuG4IGES*UXB4iZdZ=Z#N?KFwyqG?#l`3kf2Eeay;WjUs!8O z(=LEtUV34odo9iK;^#myK=gq^R0SlR!a|Gcp4oZ*DTgvE)!1467d!L-ol(QUtbfX5cPgH3!4$T;4`Ow82Vsy`X+)3i zPnQDMgX(U^JSXe6wY*yb@dt-V-k~;N)t0z{^*5w%(zP6zKbdnWkT6BW4I$}%U}ou5 zP`NvDkTwNXC-aZ7!tFU9S6EIVR3QQXI)zBUZ^L z$FSkgxxdN|aPA*w_#3GV4zi?*nDhNCuK^zqRdUA?xr`M#YAMj{Z03fF$)^nqnkR9+~P zJQ0vMToD%~)Xc1aPR_UdQjRKb!qi;@)1B}g-?&{QI?oqwIo^`6fL-ro?ef_XZcfBs z*M)Lzk`waxea}K8(PFU!oj&QJZS9bJtsin{2Qd~(v4}VMz58pb59LID`v0)^)BZ{@X+`h$_?g8+#Rkm~EcafMp5!ri9AR*YFoOzBy|DdDIoS;7)i+muHDY9J zY?s5Q*BHZL;SJ0)spepO$io5I5qy4L_ecUyvU(vH-kh>~i^%})PP&-<#Yb9}2Pvi% zHy5~@cl)W2*w^0a&EcsNEx(Co`6h+}6)3Asc?wn>Y3((sL)9VBFV`NX1l`vH#gi3R zs`j5YF2oIzh~X1O59ruv!Uk#?`X-5L7cUj%ePxHV1!s$3NtO1Ab4!HuS;HcU5ZXI4IjQeh)}TFJS~+qJMWr%Y=!=daRx;6t2gzJPOUc!|BOPp*$w0l*g*CW1H?y4YDatJdWNTt z2$%Ow=`s8M?+fL_z%65g9Y^Y+m*N%YKQ}XF(`;miJkmviVUC4UD&?x4i8@M!S{~DD zXIosuYy*{g6U%3BKl>O>r#`h=3>SqMep@EN0=)t0AU?k26DUJbgX!3WY9|!sPhS^m zkN)FNKkm2p|8+Qy0gf(xa`*8i3EKl;lK<#z)bGoh!)^>X*Nm}9&P{T--?oaT$SL9F zmsS*9aL4(4Fa$6@GAhqqG8)3cPx=E8&@c{Pe5eHVzH>7=R!gm2(%ucL80l3Jy^a9p z*PB$$G@sa;hN&Q1xCfyUQJJIps}t=q{UuDhi!WQ8@ml)0B$UVHGuiiyX$m?Fm$_d3 z*eDm5Y$l4XrYSmlKeVvKuH7ew)xFywAtX_JOC57;-tjATbGtxJf!&YIKwK)r89Gww zoVARqHRw>MH8kJcKdnF9{Gg`aW;g=>)W?Fc>|-~6W;DiPq@GH7p7qiMImIN95@nl7 zZodmA_2^L<yS=(isH+-D0}Y) zc*RqJ(uHuuh7UhzSWVgH_ALwgg3KA$8hPVgaKEBxsGasHzuo1epvq!XGYhPyscdl~IM@q)W<$E8a>awE^JWRo#*O1ZZD zG>L#iJ>r=m1)?p#cN;iaYFySVyX4Rx$N@{M_G-WSF~=x<#Y?ctc(PM2&r`cnliqA* zL*@5%Hxb88`^RxEJ+`yZ`S-aTY9vzc(4I2yCaMf?>KG&s^emi-IqSwIEjgLvZ29!r z1Wg1p60t-+?Do=Rq;2*GtQ7wm%z>Yh6q(XMjA2`IPGixmJo9;W8`KMyO$8svVRU0U zj_41}1Pm$`Gr2>f1DXqvF;;`Bb zc{8Nm`cd!5HEeGLSfPD}@_*m(k<{$zj6Pqm%PuKSv^X|3pGJy(-Y>V93H zQa8hWqh14>a$mX<6yVuOQ6bijUrI5>dOz=?U*5~?VSKHqDR{$Eb8p>bO_8PCo5n_c zfiP>y9gw2x)~MQNI##`+XoF^WC8|qJsm;Gq*i>C=RAIPD3fysiTmRrihU7Jc013y} zml^j1MB>UGu6OHoeGj|)jAza6CpKI(Ji9X=)j`c_Q!<;xSMxuAe*-2WJl+PG{*3-r zyzpooL>`cuM4lOR14|B?Fuiv?$|Kjhu`I@<+LleM*AStH0zJ^u51L-eJugeLMg*%io<9LhjhS?p)iVjsY9d4o{;?!3GausaS9wMFE#svaC4otU_E^HQ<~J z8xUgta!!i7B~loa>=Eybc;3GqPa@Er9jp7$E#B-+qYAAj+pAQ0j zUx{>OeiX!>&uAuA2PTjS*Oum3h^z(pv=`8*5iHyvDJ~K!((T?)qjPS?wtk$A!shTUwiq^!Ndx_tS<& zm7m>IUL7mflDGgyQ%T}k7ll$R?x+n!(-4L%K=S=U{4}Jy{qotE*paAlut+YT@>2Us zd)zGbWn`V(VZljk)>w|*e&bQQ;wh$%h^I`6c&62jLow;uP*dV&`-dSn7sC@0wi941N zeXH={x@c>}ETqUIlYdKd-!xSEUY!k(Qmo*Rl|CB`Hk0RISpKC*qq8u zVlm#l+WjGJD{QZx^|&2yGM^h))HBBBI$8wIs&yYy-G9s^{(Dq~^EK#;eIk~kb`{Wp zHeXyc7BQG{4p@_8;XAX@m))F%Y(DG$jd3JhC<*2~^$AmsnK_s1d~^7blBe3h2ygdc z!D8Yu|# zm%np)U4oTKR0mhgi=x`2v`?8Fp)Q~90??_DC%7bgf(^7L6f@?W#RsdCXvLQc9HEJL zFXtBpA!HVS*C$oJ6`(AOc^6&#^dsDHBTsJMD|~YYDp^xo&ygA$%J;BLw#hw?FQqZm zz|7QF8z)V#OX}4ZbBc-$d;i$%@8<2!IzY%9HSPzkD%1=5*!$rtk!N$vv7efFBW*(@ zrxK;~C%#p0Mrgswr*F@Bi|nj9oC!tg7ms$x2F-wC=jC{_Y3D9A1k446%-XHP`=#@j zGi4Cs!_&`FuELMR1;!a}p3VmM;n(D#M5$Jom}3Cqmg-Q3X=u38IBH@fTj=2~Pfabz zS9~`CNF|UukSZF=P%kuFSDhh1VSMY;;|>?JE4zL zke=fcc-EL7O($f2cLF_q{*qS-m>1D({lJWeT5?UU2P$>v2vMMKW||cGb8^#{!;eWI z?u*;ma5Ax&|MjTeK$;@tvHs+l8p1_U#tDaKvyQ}fLIrRM z6uey~y(XKgdR(jF>{@AT4GA+Y($J`O7^-Ll@qXjDrwn5{{`IloTtmfG=rJcB zflJ=e`*{yVpJOvkY}#`c_vNZcyW8%ElgAhLs+WjWUdpXNQ(J)uxX3xTQY8~&rJqOV z_ON}`MK>yJkgEbbcdJlQ6Fr;nDUzwb>wv$!D(VhVvG+@U#XfSIrHQHZGH>cwZN9|J zFX=@~6;9CgQvL3FPMlsODzgfA-U;}1?xvV+KGJRp~+p123c z#VD4RJM5ywd;pEWFePVwUhESTH2Jmb6HUPPes@}!WSm+}hL<$yh2Z3;7Nr7Vm2=UK zSdBF{PM=un3zmWD{hdU}4U_rEMK6f8qv4B$zqzm}eJ0NPT9o%G?WxmG(H<7I8{N~* zmG7ID1o`5A>=40G=H1LDS5viqpK_0+;byvo7Zfwq8TCE_0$&lAI`iy2=%QF}HUTFJ z>&mV^J@fQwWKyNJR5lsWc?&xwG?`&qR=j!}gaIAD6UQ}+x;fE8$K?c83v5V&TQ&it5qpKu7h&-|D>WvkttDB1tOLsAL7O|rU2=Ch$ zV%OY%8lkc8iwtlRk)6>7>b>YT+63ZHT1l{KXq>pbt`NSCKs)|^Wf>i$E@%g z_YQ+ORmtJLeu1dTO0kMntLXEDC5?^B$%rd#NV0&*GJ*KoisYJL5kx}I*7v69 z1HZI#vn$>}2ZMgK<0ACe>KPRnl@zxES4kCmIgn*|8E@~q5R#lWKp32HjbAblTSYKR zSeazvORxrP|6MVd@XNQm&*V-d`%iF9g5}Zaja}Vi&FC>KK6jhVJFARbap$CVkp-jh zO?0Az4p(c3oLK?Uavp27UQO1I7nw6`kAidu zgR;9m6W4lgFHB5&M}kw0Lk6~zS+YBx5`EgtKXhoZ6#dFbAZ;r^zutn%TtQ{+Y*I&3 z#bo6PfViXF;eD4cJldeIz-Alh7FXsyMxVN(6WH0vZeO0-4rEDhZOtfC;}sUe)cisn zAD3lT2DZI{yl`Ka#wyLX*Yuw6aMFJ72k^T;l5#gae|ReRoy_F? z6k)DVE7=?y4LhPX%^ckU$8O~$HI)nP#DT@lpR2sPBB#A~f@Z*H-sRGIHW}5L8ETHG z{tQbPKz?}~73Tq$v>51b&3h;c5HaD47WT@_i598>7J|-A;oDmYmfMuaO;pYijtQuc zeYQ-ma2<+wDYXUt6L)Uxiw3Ol99_u(yDGe>7PsWwvoUsfE8$++h7C3#fW`(0} zYI8&*+%vpVJjVIPvS(#mrustzIj`8Ip&fS1WA65NVDikauVBDdIi3v=JKwT-QxShk zlG8@V@9N8DjLb2W8vP{yk3H;CHsC}VTk<>3+s?)Dtt?#88P%RZ^~Q*OJ-8f16OlJ? znU;p+HoJMWO%S-@A=)s250ezX7_!}QW9Q$DccFxz^CAO(LBFm0hB8)!rW5fQu+C9d zrEQ@bU^@aupal^;6jqjjbimU{n%*&Jk5-63nQ8vi)*t^NfQ*<7_-G)Wc1@5xQk0B#|cy7Pmd-y_i z_W9%5H3^YKK@Y1c)8$B@!70(E!}k!N#!Wo_v+`jo;JUSnFUcWnPGQkpm$4BKLO{=9 zTEch|S3Un;zg#LYfhfvhhRmx8k4u2e9ic8wU&+zK#YX|7X0~#8^#V=E;KNe=j{}if zq+m)^(u3`2DaS-%GpE_Ua#^5#hB=%1n#!QAlyAw*vo|W>!I?gn&fzk>RDrCy(PLp> z@9!lq_+&k(Sw=#W1-0;4Q<+oDxNe=K*q@+PR3 zupdC%7~6M1j|Y2eG;Mid_3*B|zbCq<(zvsfftG@@;k-yguNVW3^Wk47ZL|O&2`VSA z3YDK7p+vQQ?i5;nDBvqR&2>D354GHEH2o1t=KP$TP{HRYlYGc=`vtKYV!*(xJIk2- zaMfl4C`$RBC092opk|jZQ~Yv4n^1O*X_JD_ub`IOa?PuQWCfKoTo}45t2%y4XosIK zzO+h1X`js{Fe_ui9e@fdy4iXXb@PIjZ0+QQ{u0yx=fG)o#>V|}kG;(+8&W1(}&%6M>u0?QDLS{`!l04CZr4H ziu~~bJ=VM?+_XgcH13feF2|nFr&YSvsoj;5jIsljMkS!y+BU#nSy6uyqkM_~WP9>Sl!Nz*_diynJIk8#AYXB#a>%&jBt=7zjKd#*}EI^FQnG4^a4{vzZwJ_743% zH>sz?xDwzur|zl5PPew?x#8Ia7+XvP&l@lUxQX8o#Ejee>jgGH>L(rmKHRoXS|NoV zbzx!kKA!176M7*5#QvN2QL!z8=#VA62W#P$=myNVZD`ux+5~VWo}!=d@FirtBMG|U z2*)A(`xx}6ZIeVhihF?VhsyhUiW*f88kGnJ>aPOS9`{n^u4lETdA$QtSEyT@uBnAY zI`%7~-I}GKGh8$=p*>hTc-OYT5kf?tBKF5wzldrc)4_sJbo%S_G2LJHAOzjHs|JlT z9M!*2*AyyoB>di@Dm4=0$fNDQ z`=I8C{m1Z5kL%+cs-aAw0F{l-4Or;09iF}wWb7&i$ck&9vP)ooPWR`Qu>VsvWg1=R zy*qR+pU&@dI{^xZZM;A=7{MO@>LDQfk92q=Q4V~z6!Hy??Glxyxt{T`U@RbFj)gS0 z#`}Yc*{fwr%nlNXTijvxKCzfZxgpV?)PI%vKoKmP0+UYsQ;;wm7o(5S|LjG|WvCWv z&W!$OSwn(_s6Z}iZht&qQ}B! zabKG`l_K1W8o;wCv+>%OOB_^#w)`Jmtzgava^lCZWj+Lcm!nI||HYTn-3=trRaN<= z*ujSr%;0}T60JF=&(Io|8T3W`-)x$XE8$nn>jWdh{HA~+qVq8!7m7dLqXnpZsh+{t z&o!R7m;nx|F!~#?=X~+wem3L(enK!{kF++UZSYk=oyy$HwVRMpME)*#kJJ3htd#|MeVd4gJ9|C;a&;edW3sYX5<=ltALX%h zyLn9WFKVLUd`v~{TzQh7YYDnW%n<`d0VJ`@-*EegL_%EK4|O{%N;U{$pt6wCk!ww% zD4~J68OvGP|A6qXz>+_k-wDIMoeZm&bQlBn1|9Q*%99wmFDACQ*>^wrQ59vm);zQ; zUwrsCk5arsyDSRjA(ML$@PtIdTh$~Rhwv{3%r3ym&MGb1lQxmaeuaaIi%Wg~(OWsdOzIb9MK_i9eVyT5sHh zC;M)Lh6TEW{k~BB8OZ<9N5bwg%D-v1&ZPF>UyA9kum-vhSQu|4I39e&#Qm?o|NZp8 zZDX`B+${ZJ8%rnOEGEBs8?adeaq#~IlK!%?OVIgYqA+2rh-Bn{DEz;l{LgK%EZQGX ziz;08pF!=PnFnAJqXv(`jjQ^15cl8I_}|+f&(Tr2D$)f16<7V$`x6ONN4UL=(vSb^ zp#SHgNo1S+na|@tAml#*%D-0UJsPSbCb~G{cmLAi|8>#+n_&io|5*&_iT{kT{%<5bl3sy?;3F&*uDRtNw4|o z_K#Nm2afzNFzK&H|G*Ix8UDd>{|)Z_H#+(M102y;ez1lo4v?qydpjYaoudNI+W^?J zP|XdHSs??OT~91&)y{T4HT{I!Kldi8t5+)24JA9HxY%Y&+TLo-%-$=c{IN{p*S^`U zcAWGGbI6_p<`EcubA#!7QF81ml$IYFy6oC%w`#re)1qnJg&@E%V>4#ed8JKKxc9Iz zrde9k1-GDL$j|@Pvv73-i4ce2!LU6CvAiH`!qKlFaTSIZ#|Qc=uHcKeJbWq?DyFR; z{68&Q5pxX?f!t#VsYNBJUO4r-iU9&sk+ubgAd$pS)UC5+o~%wn8kMG92P|4aEH3-oVmB!d;GD^+54K# ztkcyvyxMJ$VqrzABkz5RTVcW(tTnd4r;m-y7q-OzALr@`a?}ZLN;{OH@!w`r)R(H4 zj+X*S))$VG%w#h$^!2zBKa1a@trxIPAFBO#Dl~xNkK^PExt=qMI80WTzL0U&@!qL$ zQ#R_>ri5;<=`Wc;C-eoebEbFd)wY|~JDFU(3~K|e(=zIJa}VMzJ7()+%Uh243cov? zVcf2z35*1ih0CyP8ue*3T|vr*-aG;h-kFf-pD*4-ffJ?*4f0Fwy}gzk6U3b!^V3fE zdR!tGBuc0PE^e*zQ9;@Xsp7lm^Pcw|X#?A#iT?EW7dUqMRuuG>*5ihHJ>5M+Z;nBH z<0VMiyzMt{hh&2QbRWQ&z_82aU9TU$UhGy(}8b-($e}73d zw_*Q)fo~)dmq%|?^X=HkM!O9Savp=;WKEXiWIrHHd+GyveaJk)CNb4qGI5ZPy@gvb zNEoaznQ@or!Qcx#6~5XLNE-cFS&RYT=!v)>^K3mFF<)7|v+BRsvbW2wJg*RYXQg=I+$wLs$ro9&6JlS-&4h-u=^_tySdt^vlch$FvtP=Rkz`W*KHiR^0s~SnZw(6_Zd#A6`)RA`Jx7T8l|HDsAqj6~7RUm^(IkXQa5ko4 zn3wt~rD&V|j@`QHm>&@7A_pZcxO#V8HYd4C*xNg9knxsjZ zC&FhaYXMJoJXUXuOp6AUFMbTDCaL@WPO~;ZtNny`Jo8@gt$GKd1?nrb0N*i114I$T z7`jl<8BYI}6Zmzq7&XHdP6_f$XgLd${Fq5*^}EnMd)*)aIKK<`{+hTz_V#O^G5$;1 zo5*0@IUVb{L_1Hew7dDoUUi+kPlsGg7L7VBlpSbp0Xjvep?0>!>t{Ux^Lr*_yd9;0 zp`Q(DRPvK}4I+ICpBE?g6Nu+a0w@Pd2d0Xm;5BbR`h%M?!GJ}ooQJI-qDu~BYJK7m@&*eFPCA^--h9@I_+H_+ zSPnp(LrzEYH8+x!5(ChyDS?e3O@Y>djHdoDLn4t~`ltj>As_?JQzri=&Gg55_!(&Z zNwiQRh{qV2uH9`(nBU~M;Tf~dgwo3 {#Xf!G{A0L`h~i3EXOy zso`Q_Xl!&4B(>VAAlcAqba?o99Kf_?QG;gPvlZahR=%a8f$G3!a$)T+e z^*w0a$!HrL9Pp%Kd5sBFe+Q?l5&D9w*&HNwCG}WB2rq<9I~sd;?-+8=ZC4q8uMmQ~ zs5cMNbAEK=KrQ0OcW>7tFgSe71L}M{@Le;xj52x?d&OfDl7s~j`<+hK!jL)6Pv|9W z<2ZbtewPWf-(5O1%%p{#&=z7t{3`f3e@)V2M^1f>^7OM_?rv9TrKWky18NIn&@{(Z3#^AJZ>V=@5`*FVkhhd_#*REXygZn%A?Z=zL$M*_DKQb2Mk_r$R zslP9!e1}e)ue7Zl!kpY3P1AOpZ+uo&4+)3nUJi*o*`Dyr7;WQ3*%Q6!+xEM87wi@9 z;gjv-_wD=R*Vx!exU2vcRG+3)@pJ`s?B`*+=xkxOxUWpnDSHSCq?){3g!J8~7N ze%AVVD=JA8;^esc>ax|L()%k{VkLYRUp-WxWHEhsAd+jJWZ0HU1bA|>Kh0O1ZH?UNhtHVM;{i-W zH^rtHBBArimVh-ovQItnF(*Gz@8&#-YzBq<;wwuuP($Ap0SEDdg&~RnW_b@9q0L zs!6JDx>-ZH=Mai;o!BWoLi~{HB?s^tIWt@SeSQ$(yK-Pf=SUi9y*)$2_V8Ndl<4y6 zE0ko~CjlBlWXH3d$Th1!OqX3zW&SAfrFf~beA#>%Ap^TYd~1D<9{R%3&jYgKowU#U zN@f4U8MAhtry~*TTju&$DoT<;-ZG{Ng4ttH76#{*wZ6<)c&SLw%!Ss^vH~%#UWWt4 z=jib%!RF6%ba^m8oPU1BW|~4A&zWVr{4nmbt^ICD5Cz?Juob-Js+|93;iBbmjn$#j z$llfHr{wkvg3WiFQ8#YatyeB(X>?v4F6x982X*L2K81H5g`dUghnCOZ8f=%oYMFW8 z97Z;tDR8nOtY4a@8S(1@g^8gsx8Qv=>h2E^;=9!*?4$68wQuyGd@zmKemz69H!Dpk z)IQ-DpQanppW%tB0y@@Km*%f3R-7;3D2v-_6NA>TOB}4T#?89k z@8*khGE-5$5@DS^S^JlBu@ge(0mA*!1S;Et4o>2e^DA&cXGO0KeXJjrXRnW#^!=_K ztbYDfKGh8-aV@za@rhsDKVlXq4Djg4W0IlHtN2w1J}3G9On3!J;)ievo-4o>e`mP( z0;AVg2jml6&#{ImU1Cy5D=?Hb1T8q$I-eQp-;37btUb%V}0xQaS*RBBlZn0 zt?Y$&<0_81?acG=Cd;)WEhjmfX1~(w$nLc>xuZB9SeI zlMXyYw;%Y4{^NN2!r|Jgw1hwamH&V=%&+k6v)8R5+u9lyW4zMi;X7^~xc7@cqY-|) z$!RH6iq*6}?oDO*{X%ktqYhFq;&=H5A z?HD}uI?#h#APMz|Oyz~wrQ#ej$w%C`O2;@mH{{rhf8%AE(YdU} zy?mA1JIzwsanx}^H)+0OHHY)t$dej+&cS=Bb+s$zn?d2>ho#3)XFrDB8#c?V-Y=EZ z+b5k)CtdVTEe~b?foP*VNkz*prrOxwX)P94xjMDDEDlC;2k89jqQp+Ig+yVi%}1UY zKA;9qbl*dpKryg4XkgVK>5hpVE1%LMDeVP%pHSdN;n_&+y=eXy8^1_r^>kHgs6?x3 zPl{oCUT*p)Vt0IlkehPFSN<;Mf~&8UF_=A+X)ZpsVsgOh!tIl*=P^cV&P9AzTWRuk zOSxPEocN$E2NAg^%cMCQ(6plExB=IbvS!z{=3|rDtezdnh-h5F$Ta7)7lxnTiXqWh zyN7sfW{o*oR4YhW38nB-H<}hR(1(?hp(LxE3xKV$rS2@~ zyr8e3-@Yd+#05!0=?qxSgugM|e`M7)Fx@w`Tr~nNkv&0Rxx=Ud$5&T_iwQH$;|EI) zD!bHVX490>*P&Z}Z}NPWB+>yc(@^jMA$0}KEYEbAdwk5fbxc&w?-HWojHgkXtl)In z`SpGbf*}y%ce`lX31QTc7&%mNOJCfq;Svg3Lp~q0cb)i1<%BBn@_`65lHYw<1BvO< z%HUDRHMd_P4)Hi^Uj5qMVtM0!x=FpusZTKhjqk6Q^Ap%SSGo6`uOawkM*}(byv_9Z zW$Jv6nwjMl7Wm$hL%7F0OE|uT_Z3TVvz6ZOLW-w?8Il>jm5#aR%F1=v1v@OlEt2)G zVGmM0DT2dOMne-Eu?0y*42`hO;$%E4R$~^|m5j}$DzGz8W4d8#op#Hgz*Td<&xr`j zeRsaLU*c^Ni5*VNwg(}-1^e;v1tg5DFn6jE1O%i$1OaIMnqs`__YJn3Na@Vxt!Kc|5ll+{1>h!$b$(Y(A``OfHPbrn_8Nb)p1>_k4o*)b8eNXsDz08Rnsw^9%_?O(@eN0w%@n>6J)GC+ zA?)9vy7Q^$g8l@sA3yv4naWT7Aut`2s7HekzQo%bW} z`%AjY1`0Yn*G*74_;Qi}Y8!b>T6k$cUHOT;d^W|HdELx3bF<(>%kA0N(jke?a%ue6 z>R8&qK=0vmXPH56v6buJhR?!-K{^HZ({_5c&$FhTc%#-ZU@u+8df$L=v{>!UGaFm> zm6JWZ6Aem{<7xAEf)z@g6k;pN6gMfqjw(W&vIvDaD}J~geDOwH27Bgx|Ki{$G)}+r z2qlH)2_Fa&eFVa~QdQ_;KTmiW@6jm`*Q1!VE)l=M%9&EJGmL=Wh}* z)g(Wa2HT9OktAxgY-9uq%?5JaFGZexOJklNjhmy(B^Hs|q>`Uv@8rF45NQ_}JW)Mf zn#91fn$Vi%;~#0l1?A2L^&ceq5Tu(wwK=`s!8Pst7E+N&m*Pc5Jsp$0=;brV{SqQl zH8_Dq`sGQ#61pJpX`Tws3KpYeHgN!*IrEpax5&1d3u2rw0n}>$$Q4N_NRz=1+{1M6G(-7<3rAb9V)(v&D&ewzUPJ7OSsvzWhZHkrq%$c7bDptuAn6wY*2@w)wscR1L9j`j zCt+={X8}rVccuor4_~d~gz^W-?PhU_hKhLM+ju=-^SY6JKOBTB8i@MoaSc5Kw5N25 zur!;=fovyZ&UbgS%=;RyyTAuQ-0}jvLBETHH(iFxnl>jO%3XMJsRs>L%H^CFaAl5t z6WB8og8H|m?N`5l1B=KUDt!PEMQOE>W6ePH{k^WKcI`C@v?EaC^C?_;u?YF?a-Qps zm+hLjfQw@DGp`!fg3Eq_{+ED@uUH}8Y>L>xxS)>Y2lL>?eynG4H_}oVK4Z?VSs&x` zLHyBoK?@D&y_a?x(z1{(X5Tx9elh6;@Vg8;hRhl71*5Hvf1om_9#>t=U8|)Y z_!YD%63=C0H-rBg?{KVZ?`?UPfLD!VXv>vOa>mg?(8w?>1^#1nf%lSU4(Azzz|*LCr(-Xtz%PDduvO5l0J@(#NvLH zlnw@R99xJp>rVD@Na zA+*megop0ek?@HqTwPeTdiu7YIJzl9WVe0aj2(KV{3Bzea4)^RvDF7I>L4Qlu<35x zF2j+?EJ9oBx+AxD338TeLr&)QrD+SdQ4&6t-DM*)+Ai_h`O8l{d(>jR$}+DPOL1QLfjFCQ z<-Jz8$^2oiz5;!1ilPPA+g#E4JP+UGhX?_gpjw|BU8e%=C2r3W*xPKw`L zKxoX_>T!zLwkL-#w}tObLo&@OR@sZ&1w&Sk9WJ9i-kBjaYkap6cZ=oQTgt{eoA#GC z{DM)GjKL8zHHQb1WPzc`V}Gcr8|NEpHp12a9}7LJT`_NfX`Iu>166|%~- zxSAWte~U3Yb22r`DD>2SegkbyPh#p2ZRaiQHg5u-6>I$!#ZyEXKlPFl7P|{}@K_=q zC!jHf_**+XSNmDIrBV5TxaBVYJTGDeE?2ux_fTQ()w~l_R^J09HA~8nOsrZUPpU#!PXS45! zWL&}(dg)ih{KhxJ;S?a6$|@iC;GO+B2c?qUZDV}BYoPf&?zCLZK24`vMA_6 zhocfWoyVk`1ctQ6=!*6AbmT`}IC)0LN-oU~(vc%Khwv`-bA-|}{1=%lEdfzB8jFJy zk2WpR?edwk7f3~6FJf@bZg)m8Vv<;|CucltNA#80u1~@I<5gdob-qm5BYt8dEj^EI z-7#xxW{L)U2kld?gCYQjGG2UxhxJ!Ua+4lMrl|dYr0~FlZ}y1owP-=KBYQ^2-mrV(+c{_=)OW;b4j>lI zsb>J5;ykyAZE8SCgxEylGtoYWviX)m*!Bq^0s7j_Gex*!&|gp1A-xvGLaS@Qrlbt) zVNYh$vHrK(-aUnNbKXvyeFlq%pO=p`+-)DVRz+V&{+ox|M10R*k$fwT_CIqgP1-+) zntt_7T6^WYPv06VTNIMPCg=FM0Sf=YbdGhpDm!E3k)n5nNM0Yx4H6W`?R<|OoZsTg ze?}bbO-jb-4o=(MRvf0sX>>4&P~}-1TMz78_6DzJP|oOsn$8#&Gb%sqDPN`K%^4!H z81pI}54*6#oHj=dV22j=?i;FemG0`bC#+0M4Y8dEC%;gu&y$B=OTQSxy&mm^yovCZ-H2^GOMIW(3jVcldKRH+GG)%Z>zFj4mIV zv18ACzuUVqAJFLqY;PsshDSh78*W0AWn)>Ry^9euN9C{g+z|l3+;Hfeva6mUJHI$a z_%Bt?;3$9I*bbn>#bKi+?%yV&Wt6m>IRjgWWm>t1>`5eGVw@7lV8=PPo%ZkdtlLK2 zG%Z$`eBi&CRyc|iu@_^ei6TOrVLwSqD(as&TZica{fc0~0KfXlue=tN9tBS2UbG;b03(G zi-Sqhi8sv-6gd?A$>z6x@kiJc$@{tS7_I= zl5XWj2VYX`;5>5;Y+BA9DDtI3lZ!lJRUb=%S^%vRudPGzy+)&1v@ zZS%Nh*TDgj3Cm_i&hy&8+?cC<&F{sk2Y_RnxtR@nLmD5G>6!L+clTBeT}cajCd^uI zb9l_Ib8&;A3XBkmOelGc42f`Desx5_Bo^VDyjGHdRw5M^S&SGJT<755ic-Gdn88VQ zZlcWN58XaN0H0dQ3PbHE%|*S4DTn=^8F}EvW^d`mce-qc25vVRehHZ*$?uKeE#4&b za=cakXQWqKeIbmEPD5sqjw7obr^Rugpb}%G7eC&<`+eo=QgEZhNL-H~n+6ZFuW?Qo z@q0ZkhU4s(ldq;k&9-|6a{Vwhn{-&t$9>OTM@|Bfip;9dA5`BSINAI7txp2?%V3i? z4QKE7-$PkQyfR1}=X;HTUKS_-kus{h9{$^d=XXaVxuq`4quT0)kgwZkh`pas509|B zxyBj+5|7x|lgXM&xRH|;Lne=kuj80}X*e2MX7Jw7xJTavDZ|c(WW1Emtf=xtj7`8mXvhrr4Igei(ZjXcNX4GK11^7Wt>rK5x#fZfPvHtPy z!7`vY!3aWp^aJ4=l(b@_Fn52K(FT6a>8yWhx zisD+8`Z3>wI%pq!Z4GVJ)=-B!TjVpE^SAt=pfX&Q_?I@x(SKmgl9n)aV|+xlgpR{9 zzlLwm^-+gGR;q-%i5ES*XjXEaBSx!1xcir#>DmXhqvu+DWGInRt{q$?FZLJTI8pp= z4{FXOdF)L@*pXj(hl2tKNchZ*j?0!MT*bo5*Qxd1z*dy1d;6h#pWq%2cwiMXIJ9c@ zMA>s`($vWf38!m@b(`LNBVy1jxL&9(5vsAK$NcJ;k%KRM!*YtA2&nxQ^cYNiuH~ zmAm`$S8%Nwmx7FOK}$Hfvr4KQ_aAr)Q+UuUYjIdaY!p16|1 z)bqO0!BG^Sw-9t0aL7nB`WEKu$!7pf|78%1i5J#0FlRj`h*=OHk>;bn;8b#hpTh>Xe-QV`CiD+pp?Y&P`Y(TXqR%s zY1>)UosJ|JCsD~FOga^Re(P^6Kag@YVhP(D?JhL^f(cOy1seu!9uA1KwiFC2 z!yedzHlpM%1Ohl0h*oKPNkYi@f3f$TVNGRg7$_YP0Tn4qRTNZ8P?X**fCz$$^e#&8 zy@h~?j3A&QO`3{;NRt|R5QNZ?UPI^|LJ0|^-i^+TbLPyMIp^N{;}(DLJo^cI?Y+vk zzVH3kTJO6hrhRnk_^jboP%e~Gn;7qUT`GAD78j-NtjM|jGR}mkiN@m}qve)bo6d^G zAeomnY^+#DhVAQW5DQ^N=!nVrt*sKAEZ=PEt@R@}&@h zuRhM_mv(n{6drj(Dp6>?QZ(0F(p?{5YXb3Aw)Ve7xS ze3Kxpgz0IAhI<1MX6<9)9S`AewqQAYiK*cx)opqub{FBH%08uJS3hOw`14-MiPO8# zQ??()pC^k*HOy>U>|7z|)gpq&$2oUNQJJ1}U7sH+FjpV~Uuo=`saT*Hs5^m~&M=uT z`!!mJzIMl?jVhyLjC5w~m+8}o1CO@noAG1sAi|OoVn;-@iX)m+m)?&{*9a84Dqa&820;Z|ct6e)H^_Q2sf>I`mEHDvD z`Dfb96U#ioLW-+v92jIPIg3X;6o2m6O^U5^{Lw`b9HvOC2W4!LUHfYrMQl;G1Q)dS z$NghX50!&?V`X2RFLKwKGq>ZG<{eI9O}(V*&>OF4#D&tMwi4wmA?%bbZk((Jol!yy z)bHtcGIe6aHyiaT7?l?$`4tbuN^?Jk!>86MlJ!f1SJtJMjMlrfGLBVVZhu_06ir`f zf_#SMr3+u*@GV4n4*PMVjtQ2wq}TBDJ2&9>s+rA9SVGqDnBTD@;0o zOqUbCBh#N~vz+D8CXJ!#RQi~iMw7&$ zsn2FL@zHL1&GhOW!RH>4+q~IF{ByVO5eUAYsyGSWDb8h{Z0(jc9%qum zN-ClW-g?OMoe{^a&zp5Hned4QG)!7UC^mxqeIZI_=L!QR0X;PkNB=9bTk@=u66+=a zlgSTvEaO4CNSAa^e97Ek##elA!}w5W_&nD=1xXoveb3cs7w&u7Hz zt8R0qw9^@uEVnB#mgqPqSi9YzV^0t(ga_#QsI0uQfh+h)!U&V-9vt3!xP|Xk@#l`y zphn) z;OK^D{K7*}+#`nA>44M97Fx6oidJh;B=GKZaCzz$< z!&q;$s&Ka++L*eSBtElhKNnP2O*XDPfibO&l<9RUTWp;ft7X(YADt*1}JN!ELTD1*Pb!5K@}{oGzIXqZsoC^0onCSPzM_HpJbA zqmAaX*2O&Wb#l~qFVa;FCmY(4^<17^8t)W^C|=q*i=J_};^JVRi4%WPg*}~a?<+aB zw`5rpusu3?VOgBF#=rKXi`*N;Y_sFbDo#w|gyrUjTaDkthm#dro|fm#V6_RI&*Tr5 zdrL&TeAtjU4Fs5AC2asQ$`5#BO~QybSub~0GCUkR%V_KK@JQi;$>e(voSOVw)G(Kh zL8b2NW5sYNcu!jL+!|lJL2lOzKE?5;`p6Fvb_a>L$dh!dX2?lZyL_|q{pHVFx>2z` zF`gXE)T$oa*i?jg`t&)HDXC#ByP{mjU|`#(r;kq|=3UGaFEHA~lSJ5CG{Nq@fw82k zp-7X6ML$n5|2c_5)rD|TIa?l^4bpZtN)@HZSc&^0+>;A)4ccJ8N=jD%vnwdIVJjC+ z&Z71_LOD=DTWETgjIQuI=-&216%dQz&PLfGGI}p2U8OsSd-*NaXPxz=c{=CIB0i-k zUeYJl<<-o^vhJFc(<_kGc&y=Bmwr(jUtUSK`#cMSTk`J}+VnSMhaC9SoX$X>Wz!ru ze1j&9yl97BZCtO*tyT(>S%tsUehm)f#bkFkl0XOX>+9w|FdL+o;}qFO=&M3JYOwLe zZ(0CK+RSqc4K5!o;hQDxPcE|@J+QNV3HZ_j<~E-KUoD~aB&>uk->L(fPG~ZZPI@=e zq(sa~ckm9q<-A7Q?-SeP5NP~umDRCkYM4Ld2;g#5m5W<|b<`nWPd-IPt2+7~xYC}z z04xsPo|4JMx)^=N2mYaY<{ZK;&cjmEZ+LRguq^p&rB-uWdU#C=Bhdl8+HCZh;N0S7 z6|_><`qIJXmOX6ODF=ue!GDYzzAvcWqWrnJ4qxn9Yv*k;s%<$mg3&x^Ym;r3Pxaj4 zrIsm$d*{{-tzZgDDxi<}m4lUG!4$JWtf>9#-+%n~i+aMr1Ih)4Sl}U4H-8j=LrVpu zthd#RZ~R?h;Biq5Kyh_Zib}yZv)^C5{|+O5eu_%kxYLn8e)?9aKfnKLB2dZK{r~@c zxfk_wm+^`_EuW?8Hls3zTJdJvi;}-&jb7{JjP*{a!F=!j`78V~6M_$KMTfWI=Z5Cy zUJmiv=l~mKj)S>(kNm^-LSf1><}-*zJ1io zA2&*hJ#-F-&JHU0oIi5x9~^c^^?ukE1sv?3T&@M0VwQYl zt(I83xTGC)5jS8?-dXHhP#V0kM8hxD;3)7wq&c? zsr*Byia!D#d*t~O(Nh$DiP7CZfLO_{0z%YNyU;pzY6RK8WH{?I;< zG)($;C}_hGJT6R7Bio~eVVIR38?(Kfr2VPw+(pN>atX;FR92*Hf&aq*xqjS#r2D~tv-(Rs!Q8|+ z@?{*d4h_vnKkjzw0cDG*?e%{^FqRrmW+p_0LwQ~Ig%A9w{5 zvN;}1h+TkOsM>%kaS%IBzkt_{9u3YL(TY{x!_P=d+$!_H`Q1TgyVys4AC7uQ#$Dp2 zv7KB`8ZDiA()6Xv`H}k;Z+)xY&3(}Rp5K9vXk|b0CE)utVy)w}{16+TBBT2aJ|M`{ z8iUSF)gO^j*_fv5G{xSyMh~)PgR94!oRpr|xv`{8G+Fa9p#0tL{=)^QE&!lE+yzb- z1l>4v)XyOoacHE;FF`vTN`CfN0Y4Je8}auRs%$|6%uWG*CgbZATjD(F zKQe?wrjWja%A_UW8YN?MeMp#z`El>VTwIRll-{<>^#18+(+Pf`qj?}1r)O{azuV)nQzLdSn2s8 z=t5Q47Oqe&eQzXPwy&5`Sy9JK_&3x0t7!??Ovp>X&mC>40MYWt2wVI8sO1_frx3;7 z#27MiA`)`Se^1{mMvSo4-lKi#wh3hm6aN^^e;AtI=D>Ske(FTDrU4mI$E`mkL{3LJ z6)0pPWa%NiD(S%bNoLGt{i~EMorYsa|KW+(UjY6i|1Sb)3dJnP9d61N&{c%w--iov z*f&R1`)`g2=mqwBFGY_2R{Ov1E@i9z;&&PU&FLHfqUo8|Q~%I_OM*a#FIe{T<-fWC z+mN5#{?p)oPPKoHBR`$YPxt!WB7hw3XJGjONq(Tb9~0*P0U>qAkd9x8NFpvGSTYt( z(DD(AIQLT5se!3VFy>O#b~@@h7DjeP6E?(`A3rFp!Gzf^MKuA8&c@hi!cutmJ3M*E z5>3chc;~_Qgeh>V%yvrRnjUYwAI^p)qZZf}@`3msRtO-;%lfPbqT7(Z3OK?7$2)x` zKj+z7EXErnEbD44kYjm@CsevaM;u^9hf`U)wP#$${e4MjOV0&uZ{P{X0vnK(+aQ%f z((*zEC~$osgK#S)+hT7W>yuH9=l1~+b_5Xcj&vsH z7OI%{WV8N|)3#)y=LQHT8vNIFj10}E9 zWVnEpusvZ>iyI{O125Of0lT%xn7Ta{lHV(kieFBXuyM~k%q-%`WATJobZyYC8Zuh3 z8lB&OU%|3uAS-Xjf@XELaT{suWEfDIf!y7PCA z{BEAsS0_he(o`0@!;j4AybiuEc>CD&b;`B*>!%q1E$TJ19}bq6G`#RRhn`<4fD^oe z0!!k&64E>_5jBC};fnxs8St z=3TzV9{=n@Prgf_JPjX>{+dNQi3}tQ* zElDOCp$A~wTY;RHZnuR)2ngHl_39qDInlk;e`%Y^u}84^=wc8HX`{LaMV_+u#4CA0 z97L{1x&&UpjVhT&*Ws{cTn@VIil!kzX?zbf2%D}3?L)Rl_KbGAs0fqs3qrdJGX4`Z z{4vg6uQlpE;1oMAYW7uqKPYv}>89C%(^Pcq&La3>dyvt_Q>CqJl-$a@F#zm-~(vGO_9s`U+Jv-kQs)M)8Ey;LVZI z&d4gBbrLioAJwb>4!PItUb@RQz_hXG9D)pxtJ;S9ypxMzZa{EdQxp?QTn3h049{gB50)2i!Jdtw29_^8h5U&&uvfIdFo||w zE#00lLpNzNn|?qwhC|T#;*A@@6vL6g3G21{6kB~tBx`h=68D*7Qe*wr2RKQ~(v*$V z)Q@9^423BCUiw#%U0~d`Bv5$gPD)&v+}CQ4!^>~|H6>vdzJN6ks+m2-p+O=l8inJ` zly@?lGQ@Q-c+0F+ZEhHORlAO-7Tq+x`gQKu$cn=qA+wyzTwdj3z~Y^4e*L!V$qsm9 zm^k&puaLKm!L+ps2K*_DwL73|{3||HLgWTyldDt+G#4f4S`$o`65GhA?iqq$7<=m5 ztHlb`=v|0f=;D#`69umqddA4hj6Dg$Vv2HYEnHl87L>%&M_i5rS+Twk`uYHf&owLhPcY%8bJD*w|jEG zMg^qW?n$X05@hn*y~!D{_~Zi12{;%BM>1P=)Vg(=@U5;L4kpYwQ@H1Vhy-mI7nq>zH0Mc+P0r&y&mo0r?Yig`P2(8$|LVjibzX-kReH;XWBI#6gaC zNDUBG{#j?gmoJ<@ZG5e!KJ25s(OrKblBawc?Q?+vR8c{gxtVPw z!l&R^U%m-40-MhLB^ApHH`b5G0e4%W1HE`1n=GS|bzZaEY;*#H{gAKw#ON!8VYVdYo%s2S9dGL;Waa zi0-_rVHye-XELlhxCY?8eaMQ-(Sl!}0?a+zCHq~bZC9lU7z{Ys-4>n7sPC<2oSLb1 z%Yv-BE;ZX!=8L+6h0X=l?9JcD1biTHt@M}k!pX$$bgdnjj>z)8yk(Uk>^=UJ`-0z% zDdJYc#{(&^ffK$tcZ}|Y1!D$OTBA^=CQpZ49KWm#4Kb1nOig336S)+5fesBpt zg2x)hY<$Uc8tx-C(_})n3+SJE#DbZbGpqWz+0upBS(PG%mF-T3=7|T?77b?RHf;_x zh9}#-9#~1_)7ij4fI5$^gu`{9Kk}!x%wRj!t zBZ%5r*PKq1I(F1J;|inI2;K+U>%SW9@>q`ia7AudYb8T2D`;)dy9T@A)&igLMde3b ztv0OIIl+V`JZ_v>iDXe zYp~E9I4REqPw&iremDI|u($V#h(1`fEw043N=CkOa%R0sYsQ7F=SOjgQL~N8Ntnv~ z+TkT!nB&Mt{;YhB%x+L#_`M9m939kyI$mw81;%?gc$~=C z<3>2kbwh07;Ypi2mtDcVbb|Tejr2sn(F*fJ!4tKw8K22)8AoFSs29Sq8cWFGmgU7B zJ?A&&#tCnEX6eRfSTH!MSAE4k-i*|hriEAE_;7v_rT;8ywlg#J-h0}EN<#Gc7+lOu zlve)HV&W(RgB}J-!j7Hd$cscOsPEMwlp@*w+dh4@xF0^t>7r-Yc zHdQ#|%1G{&terhg4q*J7RAGR@bQ>fUZ@|d^;BvJdDO+^&+nK-YeA8Bz zkb+=Tnzw5_z+=>w;>zHWx#3|@t2vBY~80S38!7YyGu%!;1FMr?!t!7s&-| zZiTHs=3=v9ziOIg)xjZkFgDH;er535Cx0(V?~*s(Yguce&azwSV}&&z+(MUvpGQit z0e>HTpK|H9e%>PGuG0c<1H(drrj zNq}v5uazl~OU3|1fxlUv=87*#g<##$ouD9vWkiZXVEM5%K4+D})OPkrcPO{U1QYP# z;2}~^ZfpDE2pJ#HqmfRw##L3P)qY9~Blx?g&!;OAGF(*CO>wnAAY-*I-HNR4NeGe) z0992Scjh7wEE~TEbG~G*2ph|X5MC@gkhQCTiQjBi>UHk1aXOl#jnL^DP$xnk*)xc6 z9jobvoWo8`8e^G^iSKtd2;I(MxOQZ`h0G|~Lcm|t9Ao42Zpa*Ww?Hw&c6-VaKuT_6 zRd^sEf~U;c$L=JGo;C`UnZ-1^$~DCBAfv@w0}eci7z|peh)xHS_0YXngU0TZ?wpN| zS7demYT!2ZdA8(%DR@i_Q6+BJ1?=T)pWN7BsXGeBK&z#c^M_-?e75m%oobeRn52o% zvwMAuBrG!OownF@#;IBxr3yYoWi}N8jouiR7Woit9c#Zx>!Kti$YYY?yH+TAy%O?IQ2^qcf3f zydxYLsiFCcB|b2=+Fpe&X1RDRt1H&>+9OyC(d90#0R?UjQiIb2*iMoDJC|^&1eY~6 zF7j+y1Kcbns(xFE2?hv#;^p;(!{)N?xX#-PBqx1i@d-pVsUCQC4v5TxiB0gMU+er$`0BWDd@#>` z@&^Kse7ya!hs0Dj9I-pYn7lg!x2kk`Tr^1@R$?b?C_UbM?BWS$)oZ9&ESs*d)#YtW zTo?lWd>U;|9+oyDnYbuVh6DSU5L|ohg?{m91jEemLZtAwgp3SRi0lGB_$N;H0-PAt zqxURBD0g>iZBZaykvAOVD76=;#fv017OKI}0|h~g*r3C>+C8^bhC{rh&qIyAcMXui zmxN6DSz+eVNJ~J{%BR-TfHeH23%n~*MHT{{s3f#ULv8#6-LI?Ii2*14!}1S96cYi{^5IqK9s;${bQE{AGM-+IUT z3^R3)N|VssanB6j?JIUk_aho|Q>9{DF4wtl`&y5~r4srKDPy)SyVA`z*hheFLRVJ` zvc&;ajU|%4C0)2xY~0L9oG`aw>gW3}{adVuZdfN5BtEpd!Hc(1i=GxCHyMxfB*;Z1 z6uQ9WpvA{e#9}kXMOZUtS2ow;?t@iNqB5jnNL8E6lvJYZE!MgbVotgV0;}!u{_tc% z5Psu|i#3uF;2jTKDZzo@0aKW~5s}PRMF~HXMJ2_3@@Zzt*6DUOK74e*fK2*JAGyu> zfhb=xab|T@2;Q$AovCy8-AH@0Wy*xY{T9S=%uB=PASb=<*-HW9pqlG=saUW^BBdxq z>X%D4mEd768y%3fvQ|+yq4iQfHi@J7Gt)N;b5UXIWAK!v3UX}&Kq931n>B%UGG=}r z3KQUaMYoY{HCHSyhEx*PZ>gRcpaGmb%bNH~cmk?IQqf^uYFnB}8aGg`7%p@#*>h`g zG%0cKnUV6a%3Rt)%~^kmVyB;QvnH#e)`d7CO4h9XK2*h8fI#$PO9r-8h?65J12LEa zA!2R>V2=kCMs}O0HhGR!&uC^~rb?3;>}`TxN;`LGo5EUN+S`Ec!uFhill&brQZtUi zDwJyli&F!HgYS`HCMi9wC*FdFsvWl4c6NL#Ipm%e% zM(b$cQM&1N`m&-ngHiPG&g}}(NjI>QqDa9dCP%ID2CJi&u)BH}CzEqm-a8@&9vhFJ zp@jIAkQNY=b&l0wFE-JpfH{xurF+;)r-X!7y`|%n`(Zux7n7<=r8n;f+VAni=oPv& zk3pqo;>_sZ*K`}z6(4b_EjwOl+Q!G)kgw!nJmDuXBBio9omu9)jnS(ChSRL})vA>K zG<=WvP|S%d4bVDZh|Y96Yc98)Shgun-B*9=J(N$+hdN3NA4=q^MG>EW4!aYd6APkj z@j^Fi$lWxJF7EI(PDNy@6`gpPWXFEu3^_wYqVr+LmNzHLq}!B}+c~_>4^<)H>$+ex zXR%&ZT^W79{8aaWes<2efXi(c%Ovj8N}LnFId=SE(%{T{t7^v0u7Jv3&3=w9oSfAT z-Xm81^h{D^3bzu^!=%7>r6!0Ay&G42YhOkui+wS^CiX@h-Mhf_6!j-G{N#j4x70VY z5;<|7dL8R8G1Q$nLm@+xh_Tky+>Qf`?-6X7W+98ZruB+tM}0EfZq~qy>Z%? z;qk~4;{~ykotXrZ{e=m!)Egbv6Rm4pO1>#+fhKjjM-GFBpYrLifg+EmE$c4@`FB_? z-Q%#QyO_XyUZp8`H_vveZ9>Z5smilK&bYaxkF5ox(DNLnflFN;G+pxPv71$+*s?nt zT^zmi0d>cHH2UGUL?yAT+_OB`_M}-=qG?OnuBwY<%hw^300$*S0zX>9MUc8KG}>;& zUqL{;u09ZqZN|QMmllkP!-cuQ39Xgu6_X8N6C@>*$L?$MT9WG5Ufb5k0%>x1Wh)0= zwD3Z+4WrOu`Uja@t|^*li~L+bX59$l;`?fBCJe6u4s~=qHEy}I9#li-$3yX5)-^cQ z^$I`Yt}`UGSV{sFUKATDM8Em@^A*DGXXhHfGnH?u$FiA9G#5fgg+$Qbby&ts{DghB zq@i`|oPIB3h}C18Mg?N;7*{f|$kODLkJ&1e@F;+sVk7V-H8pCbv_Kaur6ZA&>{cH4 zF4$WiypjtdYwfx79CcNeuE=xGsAl_(YcEVK4$tg`53$UeA(#gpdMo#&i1Sf0 z2%y4lfU8)5Xk%WdvYEC>`zTveh{YHb>Fd3=|g#M zO?U$gIM+AQM&@>Je1>1k`3wm^vTgjF;aYmU{0U{c?kl%Ri``(|L;iAH6M?Fpu1H57;zDsP>3jb%KT9c#mX=KNZHxEDhT#b zqQ_Lt8Itg?axD6t1q70rKR(VAnFwfYRMp8{r5uIcs7mLZF&M48TMmNLqaJWDiz3f@ zzph4xtO*+i4@sBEm1*C9?Vhq0z#dKmgn=B_lf!isvvwcrFKh#HEDF|H*}j{88!6!z z1#gMG+BvK2aBgCaXc9osa~qr~yE@rz33`(|?JV7TUg2n>fkhg?gceYj2AI%sU+3^+ zt;5b_D{@$!I<8^nF_9#~V!2u=zo$|hGF~N&C$_q`S~>6C_hav~GAXv*y8vji00hT9 z&1Sb;zJ!}rALe$tdsn_`vRG=$5F|M-p(U7=r@9`8iqSA37btz;%Vrj`dXlBdZuT}^ z@m}MJB?lo_ng+Ve4igwh^Ki~|X@B4ybQUV_ip`4AiD5cRNa*P}VA;z}(QLAzEJD#V zsCHmsrMI=!orr@2N9Z{5ieZrt7ocX@`LlbN=ViI>0et{qnrQ9@#Ec~A`4_0FqG2hF zo0!Z|rdq%yhQOP9j^ z#^za{m8vgU%NL}EW$hJ?70~4v*{s(#<&LaPmmKGgP4y-7yXx*?mgycZP$~#1zfqv7 z1TW!;SL7b$>F}C%Irk;4X?zSdF7D2#a7QMLd6TyD2_3C2d11LC+B0u1DCoZA)lrj= z*V68?Q2-{D(faTSU^PO@*}0i(id`vk4_n#U5r z?spGB)~Ua$?`Yp0B-F28sp(e`+_C;}c0%eD4L=`G^+!m?8Hb%40GxTR@FYo7wMu!> zF}gc;&h+CF$Je?oFHcv9&_s}p)C7dn8V{^-G-4ZhLK*^w#OAEeAM{a^+mv!GKq+X! zlveumHG^I}xCC9lQZgwR$*V9Q-`yM$V3la8I&OI-CluFfs8|heYVzH@k13RoMBhX< zWrdA*c0|t7ILkVC*J*P(hg9pVbls)jEE_k#ep1&i7vqBtgpF^h*Mdw&f8k>}@#Or_ zV{aYyO<6YA@f+vlWv&6zT!-AUT?YV0+s&yzFxossT{+hmNx(u#fQ!<&Og5{}gwiuP zfWMe(Jk*=?yc!IR8;kMK9PzQuDRxN(D=y00KZKEbtevm6hxv+*Z!TGURry*u?mJ3F zxt2#8cTXu2;GA#+pG<>}aU6(c8JD%^wbX0Ph<#D{xvB19v#r`bO&)n5L@E`(N3G(* zFEcLY{Y}0_=)tG^lSNv`w~d7lnefH=0q1INc<$N?)p}W641O(dR$X}n#6f4!$S`?? zIX)aKY#qfMT1+3ZzR~Jj^RoZi`h_HLsRvY=RqxnNx@Q;i6iT{~*gmTuFQjbogw`E; zpGV&KPC?^s8EW?(#fxJJV)u{}5>P(SDh!E?(f7bZXNdjNJ)+jt_|N6!OnCnh0Nj8a zR<`&?C(0;&qzo!*cni(fJ5PDJWq1y_tlS)Zc_b zAYH`Xhm@T0EyRWPRJE!1HtU0h0;a>azmcS;D)im1+{ac_rd5CSd#}9YUN=UNP2{fQ z&^nE5S;zI2rRSmg)giH-aC<#Q9}8*9rBK(a_}|1?P7-SxMoW{a!a4kapi=W>!R8DQ zRN_`W3-p1Y0{R|Qlr_c>v1^C9N^e(uy$I=fxD|MEdE#WY!TrJmny0^xv`?oWD`pZKoWE)mL#;TniWSU&5-nPZ=K{k;~PTD_? z)JfSAMhTrsMd66kgu^5C4o7#nni{PIq;no-(?2@RpXaH3Hd`t1Hd`RKwPL~L>Z^9b zY|LR4<-OB0HLF-TzuTC}DYKdY8=;BXYAzH486$_FL}7gn>K}-btpJqZbDJc;bbw{imtNEluW^b7yb+%VnJu%IZV)KYzGMIAbe^p;8 z{y(L@vd4HWW=7V1^Q8K!7V5&96rlnq$jM$FA6$k24P;>W z95%mjI{10%m*vTsIbUq;gQq(F9Zd3q^ywsu^49V=CKDm0$&aBcPYM;dEj&sbJh!D6 zZ>CTC7gKxOEtnf4e)a~JoEGxBTcL6VWPl1H(I}H~0@N-|=QkqiP5vmh(waWpfr%Ty zx5O&Oc;GiJ@u+o2m9XRP4J6OW)^7HGQ-94{m@(0o5)rzP@m6eQ@`V*z$>7y@Ib|W# zhm2cM`4X>_0AiB|lf{YU>PlcQCjL7rbvYLv<2|z@oV&T4?68T;Po0T0t7h~>@!qM} z)`Id?97XBEUFP(cWI~?O%&%2T9eH`371*)K==JJtW%y{r+xBg+o#$rD{&=ALU`o=ezjOkaSPg-6k6I`lZ-J*bVN1(tGd)p+25L0L-H z+CBj+<&^!pl=G|Piht~+mrw&2+GU|@q6bkLc?J_v|A187~xgpwZ+f5Uah5>9FikFu#h~&48qbK z?F$*Z8*H~Q1z=<=fr*Nu<5~GidwCD`wZP=~Z9mHH`d*&U-qLdnZ_=MqE)EEgn6(p_ zs7aMeGBPTGX;%Q_%{Z)OjwN7?`11p+W8X*FZ zK>R4&br0KlT3#??kT{wD>XCl+=bW%4+--CH_?&4U*bObj)_IzX*t{P#5outI!q1PEIXPR!OG}B5K*F zvXG-svFmG1a;V3_)55|7%$XtEaA-S}rGfOy8Ylqs^Od({^q^tGJAgE1p(<(@C`lHX9I?hKlKvE4q7iQ3Bey!2aXU zx64}@8UYBk?E+o)^Vbwjz2u~Oa$ck)mEeQ|xpW&YnY+4qz_1^!?ErB^`Ri_TsCu0i zAP><|=JsOKxsA-QE@Nx&{7ZQa__)w`tJs?UlcL&&igmoDcV0mCCMjcDH`b6W9|2#& z+Kd_gf^TNIW|}WJQ;~sj@z^om!GnbqDmk0xHpec3GMyeiY;V?UcPbZ;H#?Cb3X*Ft z+`clgf^~O#pj`d5@fG`CQp^xt=VJvyBfah&>Y?i7uEA`?GefqLB420N*1KjVYwEk_ zo&dvl&Ch!M8X&_Qh2?jlYSj>^^pT`SG2vO9Zfj zcCH|0^H-%EME%g|1Hue-JOqQ9e3ON)vfkBJBDKfd{43@S=HvIo4$TU-M{W4Z4+nl# za&S3D7sb*p(^}g_RMu=WyX?vX(?7xqZcz4+bWNq%(4!w}vMhhmbfk?ltoXgeJ#55t z1O_ys>fK=RU0tPT*`wsmX-R56kkj04g)_<)inI;+#vT&cg~%mZ>=R)|p8~Om@Mpcx z)JE!x{rUWQ7vd;eru423HK+&=H8?e~Ofb@iyq7p)9gnQ8ji1kSwY=4S9uW9rmvs^q z{*q@cRa(+WFy(4cA5LA_iwtUL?LkM=mPCky=l)t%1z5fKFH}_!vF>j{q-LWU4;Q6% zPk->thTN{WrsgNVGeg?2PiYf7tF|@LQWsP#^Tb6itHYGmSLd4*8?PUY@eeISp~C9| zB(p00vzNWkuyqPbr5Vdab2ZcSzL^)FuiE41;^ys7=xXL=pU!vX2=4lPCGfDIoAiO0 zm_`JpWFfmyh(UESV@-a`eFx;ha>PiKet}DK088k#gn}U-*;V;ypM$JMv)U6+whvWS zb&THfCEwM9_cZMs9HM~Jz#8Gi{F@fQ!SCA$x8Dr;m{c3Cm+&;>eI)y;=RId44{{XD z-|yG*pqmZ#X*eB`Pyh&c^1{PM4l8q#ha-o2>z3^Uzpfy=EThUwT1E}!R-7K002-Zx z6tnarYw&1l)o{%-eAXD#Z@MgrfG*1ei;AJ!ve>~sih|Rf>LDgziDf;STMt8PD??h3 zJo1R4PmT?mo=|jsZk3h=Jld zg}hrz&as#FlCEQ1=BU%2Bo~Y?!*&o;8EeZ)iHu(Ek2Y!KIMjjDA~}E-OBl0CvH49t z(BsLvUKYF~%)B;6era18%BPJ*vT=Bepm|nC5v`n_y``C=Hd)1~q=_X&*-0m|8oaB? zw;G*npLI}aAdCUV+IQv2N91+JC7#P&?>MQRcVG1ymNj<-v$Pw^DJ6f~ijp%(%~V$Vgi42s;8eC7*`-?F0d)vdBV8dj~DinxZj z)b;xr#2qbVFTBx`w6e@x?ArLSm*kbEH~Z?5&!IU%b%9pUnz9i;(+g>LSNp65SHk#L zDc7u17{soE#Y~WL#qxolUgW|YlZk$YCy0P0SbL8yCB=Plo9VF4mj>25=fvkHb8yaC zFaNlVKhE%M*vF*KZ5-YnSX?&)5aO^gkkdZaUAS1Grjmz#Xh(ZMWilrxqNM8=irI5a z%F&G!D_1RV%Wyr&cRXh4-L}>%!rW>x(L1-}TWG)aw9D*V%j)b1VGC*_X9Q_F)G%`h zBj~rP=!|*fhXE8>PzO*TGX+a!X&Q?Kn=jHvLyf)lxFbeF6K84jkI@?nKTyjL7vD|l z46ZTwP@UQCusMjB5P8Rzy!e|Q%eD)*w@sLDiL{2=g!5jTb&a`n&+XCMLLI8^Ib;eR z6-GZJ>zvu41J!?G$lwK5bCL0YIO*7+X1^zj8=U4wrM{$ zjG6Vr&<0|yVbSIf7#6C*Jm2+8PV}u{MmT25lB?N>XxEG4fIy3>jF`L`Ov#QimEJgW zb9SaEbijCy^`&|QWsD^^e`TD5B=c98qYvHt2O<`m&6{5s@lb!O_fyW!dq*Z69p6FZ zXKZa|oHY7feMad2V$KuOdqn$qf{za)5^ z0aiqwOYE8urZZiovef2UGR1B$%3;=DmbmB2GTY;~Hld1R9~ZjcWh?pfs_-$b z;1(+v347Z;mFwGAAbg536U5KeJ=?&U-8LJus4f;`@2|35lf(sWWYh$h-F@e&{yTlh z6d}iXYKetcH5EABo0(u9X{Okut3=)`S=@^WCGI6;c)aDU%34rzTdxq)I{!H)U6lng z%+OwUtQM1$Ko8Itg0kk9j zBfg}J?4A;q#-O}vHT;)$%k=ob-c>6fBu;*n{O%KKo#cfLz?j0>Nf2);HTcfg)o4=J zPV|xuRK|frQon0XaH5x3wdUno+skuZTWZl5sN2Ee7t(Qk%#z%I|+7a>9 zHD>F`QAHL%8II>_iY397go`3R9>Oj4NBWV-!OwFbT-A$~tfj>^L~p&+iUt#|j2b(N-gRJgA>mJ9F8xZqN&09w`D ziyu-L6d^$XqmL*!@dtH{AN0c?OuLXhwteE~`o9xDe=2GG{c-O9TZ9c(==hNpZW+%* zT>@vg)Cyy{r?^?r&C6f9KuM)?czJA5O0 zLESKR#&RoY&&#iJwhTUU3^;F56tl~bDEvZ`B7fiT*gI1au^%|hsdoA%uHCkrS0d9ufG}{9-f*c#fr165Na|1qH z4!6?2)8Ill&P`(bBKx6ERBJ~+!EE)xt)lxd@)96TGLi?)Kf*6wwXYE3-{vg_=nAFo z2oC)g^qfk}*5NvLel&@3my{y2dCv(*Ty(u!4t+xhh!)4j-VJBlhKGbeK|X<>`Oe`l09X_k{cJd4aSB zkUH4pI3R$k?UKi;`8Z{|@roNtL!a;Dvy@uCIi^|v_&_34fQgj+Z55hG8-(4->Fa!y zeO`|pPYdd44nOm}$hvLNz}DWk`Ch`{QPFWeHlsKB(yy+juO_N8=upru@rN9}cbaDL z_0^F)*GuKJOimQ$HPUQm%K50IRIty4A2!twIg)C)-WA0D$$DY|ObSZ#d7`qBx-aJW z-?RX@r~Wy^0e+T|Cq}?|*8jc~MaY$dK(V{}$p4`X@Pa3Rq@iDnWWW1=UB7Q#edsPw z?0FSV@V9{SUo}n~5NK?sS&2##kT$lf?L#_$(2g^U;vX}Yqdg8YZpgRW?yI~6c2fd{~ zwSe;?CFShNvD@wckpBOvZ^Ul^#jY$bC;#bje{YsQr`n&oQTgXo`_tU`Io19=qkc}c zKTVpSQSC>F`ED%#?}%y}b;(jLB>R@Z2mfPaJ8f(aR1$Si}M4;C_gX9|LJjmYgfVb z;`AVru#3o`8n18WNC+fPPIST z=g+D3rw;kQJk=~LsbULLqr*wqp&5*?kZN6^ATt8?Hb3Jd-YE_b-ZWd@7{Vd!a$&|* z<%5@M1U|WjU;9$3;Cx<> zpTO2p?&ST!GdF_xgH4LzeLArhf_4gLgj}@0e364C=DQi^jg_91B+fW(YD2)+@|GOl z*vmE}PsA*#R$L(F@3mwNmpb3te%B1i4)PZjw9c-yY`>AWX6f9gr0qcTQF^)wQR0P2 zKnH&rbH-cb;TP97d!mx3`7+7*c-MtJ&Dzvv2vnv=Yi42P%WJO-#eSwyah-ZeuYYln z%CZ(4bmo4_jgAhNo>34U zhzKkl<*~KA7r!ihF;004hZo}IP_j-?cE!gok+KJZN8|! z!VacUVrP8nW`6=pQzI4{ennvU8PY8K!q+5WDXRswDwZS!4CS6{S3Md6n0LV1xX%datXF21ue_zT~fhro|4! zfzyR`3efw%frk)(0F^OiFFp0eY?yBDZp)O4W)wlNUAwz2YF2A_owyuWlmmHQ&22Sl zzB1adlc;STaV@=zs>skTrqC%Q-+JstBgb^FfEQJApBpKXYo@2UHE*f#BBzYs8D>Ys zWiDoi@*Eas z@B~g= z4DM`KCYeG8Mm;nyBg+*7GM3OAB_7$~LyiR}Ld<9b=`rWC6hoq^9>IC+#{bILg6l=u z4qva!B+&gX0&Sp5l`9uan0Sy<199LE$gLDmtHax`;vbwmj5j+tOIq+G6CLgg`X`4m z>m1%A{2zsV30P8D_;*=Oi%qteT9(!{W#yJ>TDZ_MlT9U7=B{X(yJ#+m8;~_-WonI? zxga%~j4Q6VLz`M|ST3jtq^5?5gbN4=eAk(gn(yEL`+6Rp?t_%a@oZTU0uu0jKmvrW5ACnTkJj8t zQp_=zfn~k&8 zGD&*!{RQHZI@iyEzq;^{u-cSNgt`^ulA*{$ZYG+6U(AMElR~(!ZS??2Xd7#_Uu1Is!tyflAe>bg&urRa0{3 zQS-S*R+)4<25-%sLS~L~wR0Ey6@q8As1uWXwj~u>()oqf!_xGa4ce8tXBTqn?EMC~ zA%yrr$vk?@>pm*CKD-xYN8`{%Gejz<%F^Zdu1v%(jKkcYsGrLk2HK}>*EXc78H%n# za(tppHwH9lc6JOwF^t&b+k@6=pFObBfQ0ohIYD3PFRf8=tTIgl*i(s%EGA8;5*}tC_P9uV?hB zg5|5o=wJ`isAu|d$lyt)VslQi;i>|IeT*oBq#@GPKva`4{B$~n*r*x46BS8_9L!Pk zP4=4oxK&R*vECeukq)7NH*Wt~G8;WGJV(y2)@{a0SX{&Qx`p<%7O(MRg1)hZ_at+T z31V;{ul-}Q_8IpH74xmw=+6juQOnHL$xef;I@EE=NIhB^Fc>p%BI*nRX*#{w!PbxB z_}m}5gvWR0gw>}oSa*P6q)wI6(nhoOj!qavEnLn*=0<;M^dl8cBQjlP=~tX%gafKr ziDwbjNZA7$U>-e+$0T=?7k#tNUuC}6p^S`GpBd@#S8?aJ>`=Vaw|^w9Y>zrB0MSAg zETkrIZ*j5{Qpnz9cR!-1Ve@pOff4dLFE$JFX-+TC<8^1e2Y>3fA((%rnGNy?o0;5+ zO}2vye#@|)ZP{4n`E&E-`gjDoAO_69+;0QN7$vEjrblOoH$Qug=)|0G*%|G1j`@b~ zALM*r!)4*5Xwe({tR7rzMv#uv^k>TMd9-;`C{gbgqx6HS0vj?V162zN;Ap~^?Z0_X zp@z>klFz>W)THr7pds1K<`#M6j9#k^W%=BvBN0P_yXY;MeQ-fcuDPzn)pz3rB(KrO zFi?^>HK>CAQtweFn(ia*9cY}IA50)OCzn_?!8C@HMJTkW-Q3U|Pe!pagSE}Ha`;Ja z+I*oRh$J!~N>u!0(JiVERc3^=$hDrNYGf9*_4$K_B}2xYE!PT+yT{MxcdT)&_NME& zPYbelfI9^VK`4WyaV+P`)v2)E`?yd)?0`(3ri z$u~C5%nT?P$l4C}QL#2VPC)j&yLE7rC`OI}KNJ`f%6C2xv>3l;B-^61gZ<|1EsK$^ z5=(vYY`!WKGJXL|_8>V`|+j+B>; zopnb0y2e}Iq^`nxuKdKE;5VDCsW>s|L*c=_}UL) zr&x60)2=x}pNotRH0(qMhwgl`?(M|n^J*Nl{{4pC6VzXX8)#>-&)g4$O*-xrd7F$} z(|s~XcM|lTUGM3d@uTMi#VC9+AOL$zIoZ}!%|wy338(J+gQNGEv*eH2N-H|D`7@U? zp9{A3sexPjQ&EpD&96S{m}Hthz9^#I`UD#t7f)tPfNFS)@B4$VPpj!8aP#5Wr&+f5 zrC;oYP%?3Qi19hP`Fv|)L_}zC=-&PKtc2qFjgKndZlgv2OkeCH_8-Pa3OB|a5N8^M zZi!ew2Fbe11T!*GhaV#Ks)ec|u+($}Eujr;{k_}Dh!}b_X{fry=Gi9~Ne@@)9fUlQ zPM81&4*D@dKwUEu`??sd;e>GHKw|i(7H0$iPHdm}ZAIb*fC=W&e&$ucyNqm_!^O!hktI?|9<^%;lXY3M}YJ2b{n5* z#RSk)1wHu%Vw5xwHp)K7dL%Cm^cz2JK-voG0UKTV$n`7St` z`(y=K*WsC=1ar*q*=jLUAM^W>oV*2*l<|wRWES62Hi9w_KVU>7>Yg#@=Jyk8BPRn1 zgfo@ZNPf3>bz4Ol$LU~hlr-S%(YW_k=;>z>W`S0klLQ`7zp8m%e<+&MuoWShop49* z9U3GM2X^q2o+HnZse1cI23Zq>kVP}@heTEC5j{^6%6x;dK*Gu(hach7Konn)SfHSh z9AP}7NuIFUV72X>IiouW*F6m$FlC#w{`9Tgj|vVo)di#Vy)mzV7il&)EyOl|^4IiW z1yw^}L30(eFU!uxE4ApAWG5uRp3RE6UZ8d8(^S%CHY3)`tagt&I7{&g&RZ8#ht!$x zUf3vIP)oc%Gez%^WOg~2Fc9nG$;j!9LYKv%OmRCSzM0t_Khin3a6z(Q5nT5r#@K1y zZsT2xX(y^~dyC_$9Ls`EtI-52#b`>+Uf2{w+HuZqs2#$X;>`DW7Xq4HP_${A}bOsKHxr zh9u6Ur<^?hDy}0MDGWmCoxfGESulSsC&@hg5F{oNQPlQ)0}dU&F9}BN1+6n_y_pDX zDV?~Mhu3>fEZ;O1z1dpIbzGk#`Pm2=u6-uMffDdp(nvIZA0EO7k_hHYgrQ0gf#ULN zJn`KpWb2Z%8@oBkJ76bzxs^L?8ttx;G`ecRN}i1H5j#sFSF4+3fP#d;;Fg-;O^}lW_{q8a#z(i&GuEJT4F)5k)9H zg*Vd)=j{}m&PuLc*oFflI@cJQq|tzKS{&Y5Z<6&kd)__*HrqyHd1V*;0}89$X(o!; zM6l$QPfr0w%hBkJ%W*~hgdv!VR{j1^FYDd}@q^^Jf4i4o zh^b`qxyBn;yx_`CVZiXUiTtov;_>lyd;RN=y(eXwsj$U96$qmoj-_T7^upD?^TFdUZTqz~0!(K{=KJ|-wZA)T z<2b)4`AOThkL*khGf+8^6n5?lJ<(+R)$3r+-5TJ0wLJ?I^?*#3!`U&%!vkmrY7n(V zl@d%MTSGVV&8fCS%~+<9tER@;wlw2INqOBCQSiH*=!5z&!7Zrud#R{ z;wX-fnZrRV>{0}DmhI~B=>koCF(k%Rf2V>?tzu!)4%x6s+I9_}r^evO;1 z%M5n=6?XN#4p0a=FLEUNQ7eYT2A8WCHhe9Weu72EV9pv~40L5NYyOWdeDAD|=z_8Yw;ZdLP87eYbL zgwyIo(T>Cd$>3r}s#Zr1&Hra4L>Io0<$Ph!Xyd@a3D`>hBH}{SbjkDGLCFlXpfPdI z+0~K^AEbVCUf4VZ{pwA za;96&>fay4`-6*bFFTv3^)C+nxLf1w%1@#CQH#CDL~dFKA_V@?BeA0$n}+`_HjP#> zVDjy)H{;lF1v|lYsQHbo0?S6!5hH0|S?v!%ZnIs}yz%NZ2xGZ@f>fig-q@vmD9H>d zjsexqydMzSTrFkR%zS9$LO}Y}i$SoVNDhx+9aY#I#7n_?Tm_ENfIZ4G#VC4)D_k0% z7*f6s8}d=uH}209AOU&HKWIBmDR$UbAOAr@{GfesnzNwTU9tGKc3@J}eV5Ku8nPYT z7n8;qy(1v|g7S~Y{i5;Y$GhRwmcJ9?+Rp?tzn(zwy2eVRQ|2p!p@j|OyuTvkf{3J; zE`$`(eV2g^U=%M7?ucDfIQW31WAYBfc;7DK1t*ZtDHyfa60J$FnR<5!EJ z)z+6Qm_JTc>70eC7i1Grx^csb?T|fj&owXG*L|9!G*}G)DLdZTgR1`PBl*~g`S*Q! z3md9AuOF%e<#ufNaG@%VuDES4tDsbpO^~!RWQn&9$DJNCN7rXU?cc@6ko>69H+HdxreMg?deSbVWM$ zpF-Pkt)GH#HTD4=Ut2A`^Sqgq2xG`MkIe)Z}kyO;Z&zW<^u(Au?o5jQSf zSe9w&h`g=misK4niQ?ZtIx`i;-G^JSR=6AL0k>_>zlOS0M<0SPs*fiTZ8qEuhxIh1 zD^4s0{zGxQ9YwxG_DjO_%1=t_nP*>4{?Rqj{)^x02MJ<5;p$K6vE2u=6=6v&-c|xw zR>lD6Wu@d`iDkQC4xtNfn*mK5QTnt9?OVG$S)Hilt+D-`W%&YuDj_gf;&h#)sxPcX zZ(ML4JCmZ3q`1xM1B%0F_O3SHMDdD`{HJEsZWZf=C7-D(?+O6$rA;OK(wl*>L4i-N z?*t4s9)Cy=4Yx4;k~rRakD*m8sKnZuNGp0IMZn`8WGBLk$7ktP9JCGE^Kr4RwJS4z zV{)gs>ng9aL>xSh0B@zDL#>P0bB*sOb7$*~NKxYgWMEhWr%cRzZRT?1%=$4R@(6^C zMCWooF8rrr9enT{A`VbRABwu;=}Cq{4b`?A|73-BwPIK*WtMZR7Ybm7Q}c4 ziw2Hd{-d}*QygVqYMpk2|M0;3R&$f}f!RH+ zrx}eqL|}(qn=+~6wGXbZCnsU=K2&U{<)cy*15)K5SSzOJ?Mf&nAwo*0N8Nv1=l7K;1c{WUAJy4o=7df{c0LdTg| zj&bWO9JKnw{%+H1!ua;utyZ%q-%RgmZMIJd4iWbq>x-Z+Q2%(<=xaIPTHGC2(W(&H z!SPI75i+0O6j|?HV@8WUFhKr6uMIeW^o}~U!FYR%Q9xo}w?hST&*Ai{fd`^09liY%)~;v!haJxvTM?*87m$%9o#7 z3Pr6eLbRUrs>=l^Yz~Y(R6?4&-qSJoPi(c_%c}#IKz81Phwdrc5&cLp0KOrjYEAzK zK}PVfaG;++XpDh=(PbbqS{p<*-Gu?J`jQJ$0SL3oS5SH_$07VwAhE%$#~3}se%4f} zVyxJt7ozE;Vr7@jc>UA)!G>1KU|ZDSYigWWYc)EWPW@H)sK2>*)Z1fJT>K!)7Anp# zd(A#t7*jA^&9@D)@kk!8DhRMPZ8CBH8Kb`VMXUkr;*QqTMbC1Nr9mvn5+0J(aV$i7 zdn#nQs=8_nY!~P4L1>{1GhuVH+?s{g8gD3y*esLcsKA@dj)$Cv9inNL^0iJ%Hqw=8 zOtO?*VK&nqMq7;X1ij;_4JmShc=|E597KElHtQhQyQG+Dt5L4Em(`Dfh2;jF#PCCB zz>iT8`XalZbja~eUQHCfT%YPnJ>5KjaL?(So1ZP?(k;9T zRbIcFMOT)0)mjn5j}RohDJu|2B6^fLFUJE>2A$-z&baMclVmqDWY@mR{ZE;ZesiH+ z`=V4nA|7UTUUEY9!Eyw4`)&1-m!@al$x)lW*X)qXKKbGmvsN+tjxkm>;l}~rW{#!B z=xwgdM9pfumPHKm--%K1%ezSH z*t;2MiXxEt+f}D_oY2ksbFt?dqR`*dW^-166wFRf1bCj*CYm!i9Gck%VS@&=~)h;YW-^*aDHu z4?*;TGK*Q^U)^3&KS3l`h^DgI2?SKnK%OSo&{$lIlun?H_C~SrhZ*Ud`nKTdh3sSL zMCuG0K=o!kh6{gUd%ou`(&7rHctKI|jajmxl}CyB!G^Ay$&jc+C5^nCW4!1!BB-=1QCF^W?Pl)zn`euf0$`Q2D)zk?Q5x)SaJQ-i2y>Xn9vI zyTeP~)_cWq9mzkftwhypAbEi>T{XSqgXQyXXJZve=q_57!3gbcgdo+c-~ZFQ^TABM z)1J}AgX!KSL-#QnOs=4H4WSP3;nn|?+!=Qu#?mC`njKWUG@(DZbbFVM;-2ZmXs=Zb z%$@HehW*y}7q>z|HGiGE$}@wvIY|HybLpNc!h3JkC+oOF(yJU7+f;IFGBeN~lN{KYHY zcI!d=C`v%7A;u;Xl26wVIM@lU&^U(!3Tv9xs}7Ngg}r%5@R{($Cf;1*5&ijug^w2I z>QoM0JqJ6a>|bvhz9jVq0k-4UA0C9RO#z#0teHkvZtG)ne_xOX`aPOy6E~}CedmYS zVa}pqibu;{%?V*^e54a@%s7w?_KYaGG?qEpIN9IyY0RE9A3H#;!0||Epc_-8nZcd9 zQ;tRmkMapAk6BaE#pH7>y>%zu9M)^|PjEu8jPju?Dc@V^<<_fE^yVVxT-Iy>x@*O9 zW^~(msYT-vWy%X|(9|_DTA*(Y7T1=&?VQbuV!4|}G3d7aC0{n(S4SW1G_T2b5dITn zJNOD_4#pb&1wirF$|-OoNZDfJnVn|z`+ug!ZOYlSB{A#|@3DiA2Qp?u&wI{_@LP-8 zC# z3Pjw2ArP^zKPM9AU-=GPEh5eP?W{xdOx&T~7=tBTY$k(Mr>hQ&e;N@8OpGf&=T~V$Z=Uj$=dexET8)ApI*aNNO%48UB1T}nN zD8k*FCG{8Z^F{{M^jgL!QlQvJg#|m+RZQoojf^4!lOLLRt@2@BYi$HR>6=19yJmau z?wwy1DVR8*(OJ0lr;atR2)RjgKe+9NP%lJD49sE*M8ChW^O0G^PbKEZm05LJ%^+(% zaP^hLBq{Iu(4r_2Is^Ax{o&ufCN6I(iv)#v zw2nynMrr6H9u@DzWbvFb(8<(59hq=GViCbs+-FON)(ZtC{S!|Hl@v~DA|nM zZnXFcXoKEmhi)yJ$*%)bF5!%i@_eA(twzl4Xde$#;kk;jxVxEU#hPti_4K~SQs-2T zc!BSP!={;YW|aq@e{8%PHaYE5ft%(nAnllTM*@Wp-^R}EeK_@q@$i=3o9AFZGtGTE z%Fwy)S>~sCi%ho01*!5*vP8$nI0-1SOr94FLZ(WLeWJmQCnbs2!{Y7-k3g<6FxRC*oQOjtBwDW$h#-OwC+yt^F;yQ9VUVV%a z%bmV)y{trq9D+%7HBiQRPQeb-sLpu?<&Xn-KCdbHEMZg zpD*>iEo*AmG|3f$ZVZ)@*GNX_r-PXbL{-6An?uG`(d>bmiE3}Frx$Q@*^MCw&w$Hc z(Awi?CxIMkw)01-e*fcUpu?1X3{yxw=CY8_Sqxt6lpg+YJR;*&W3+Wm_4aaIh2wqe z`o>scYjdkQ3WM*B3;H8C0lN<)@Y*+G^y3`(URV1dxY$mfzU1|)VDesvT>X)DHDC?T zuHu!Q=wPI2)Si0v1mo_5c(tf?e~j~wv{EwAW)CYI2@j6}6l=6Z)p)V~E=XTQ}Z!jp?zA;te@?+@G(xybk@$qu`=MWh{0pOu ze%kM9vfT-7l5mG}0k>Ag>W83>X7i&7+?-6c5o@5eIJnUjJ*uak5N!^gt+=7&gtY+eS3OlR|DtIX3|!4IrxmZsonGWyv?7b{It8wQ?)kBqfyb9ZhnO{sZ1iTu zoqr zDie@h>URzBE_W~*ZJI?}~_m>7S*v%+IVZE!Tu$?I?MnEvJc zqIQeA$rh?K*pZXLd?FF(jbfB+cacy!oi0ANXUglAW6Qc+PmBr_9|N-jRn;OF-Q5tA zt<3(0!fhn8(0%gv>VJ4iwPM2*FB7nH+nKrKOc#hy`$BbOI-{-pi%UT-=YcO*=~MGB zz=gLB3yi-_}HpeFe13)CfSn7Y-+3DGf8b|&+#Qdgsv!e`qH?$;>Kj)i;~ z?w6GDo<;=ux1mc~Uom~RfUR(-8uBM)8x?1FQM)JWe}#sP-VTInRB@ zoAYLYBw`&CFHTt- zb1o};xPp{P^cdmb&`y&5lBs0HPZF2*JVWX1QE|91_?>1bSob&Zj#{oW{g6K^^+oYk z`;E^SV~69Ns#l%)?q<;!Gn?%@Pcp_#tH&yCdC5*;`Fod<11+DW*Fw>tZpBe=1~SJV zKU8fL^CBiv({i>4`NLW|TOdsj_1H;2?t&P=dW#~`UPVTCGv64zuNqwWsb|7UuUTj{ z1!KjaPSmi&L0dwPbRy@U9s6=2_-I_zE?q2e>auCW^KFIacQp(20<%nx*2FBvVAM~Q za4d7JGdX@HRkb=dvLNzib!G5^(C9CvujMWWbFXxj;an}RwuU(}0d

U{y}+T>=v@ z_R9C2jh*y&9MAX@L6R#J!u+G~>}uAgBbMwuI!FWC$ax=0_9<&K${}3z$?;N*Hh}Nr z1<;SG44I}v{-7f*f-9#fk@5W@KV$x?4;uf47898cxWeh2ym}b!U7vHPO=j2(yDBZI zDQW0nS?cWBZAmd4zp46YnsYC`&z3WAK;fy^DlhWuh1uxKD{9TAu)XR0s34Gdp;jFN z4h*|EW*qdu`Q&<1w&9Rw z+!a{;B%y6Nq02bJ+-h$l(^w6UN7XZA4et|DV3Ddq zUP_Qll12=NJo4F~LeoKc+Twn*M6+eY0IQy8snNM6c*3U0^})@j7S<~w_xI0#%&!TK zK}>&YpQb5U1?ieJRuskOSL2)7(ombw!cWY}uE`Q)Fkh2%pG}>iy=;*Zi{j4nY~ zeV#c(+hpDmWEMvE?Gk`IxRY=0_V@Hz5J^0KQ#W!}bL{VSW~aP4za?{Py!+`66i^Pd z0?L8f*K5Hgc?69MFKhbVWzAYm2VfoIfyEZh#LB+Cvwfh4<4DR>!^A7{t~!4u*BE!? z6f)1@*${%jt=}3fNl)Q^=7v_t$EE3b1Wy78af<#&TtWB2K^E`{?Y+Eq!OLK^sa?-- zM^7>~v4an$H`G5k;g{nH!XT_bnCe=EoTcK5&!@(v!Uy6>NMVgmKXf*7s&9XsfAaI) zz?(TXpK)glmn|#^6`!YgOsuzF%jb+};xP%`Dl;bsk<41NBm5y=9U+R`9Of*LP&_DU zjt1>sRkK#mL<6klun3#nBH&~tfX(Ovk=rLalDh^ySKHrM9G{Y05nCtlgdc)x;cgA!rZ!vI;7VMRNDG10oVmH;>{Au!g<8g47~<28#~Td9 z6xRa+8!F8yl1eZ=16{|+@BVskLr7nXJ znUF3TQu^RaPLnROxG#pwRcCy5MhY)ZiRR8;kbF52fXwBZU6~P_14H{Cq8c6`*Pq#l z>+aS#s0cV#){n9Kw$!8!Gn|g|ws3d+F98(#uTt7B-gc6y?TP0%R)lE&skAdIBjdg+ zM0!N5H$pgC4J>F{a4T}5;<|!y!9gblbM@BTg#2a@`nW-qNAW`m|K(ACcT1sb&xRV> z&3r!m?OmmedjI`~X?4gcU?FoV8_7n$1D(flA(EE63%|x34wSChjOJtan$HcxF9|fl2{8NPneU0g)Z;~GTGfKigUOa znxHlt?LC93VZW{>|6VsL*0`sLx(*YT6ns8djGhErw&*cnNJ>+NViQ|>xQabrYlY2x zhuzn9w7MmpjuoEAmQg_ww(Wk*Ail?RC_|sgxN}x&lvjmk4X-)g4aVN#zMCta#Zun9 zeJsCvFb&#qr|`r_TlpJ7y)}hy=XD;+c>V3gs;%}(v5c`}xLDYYBw3C6aU!sJtbAbo z*4kb<6~(-i+Z8EUuD@v>4=OolNT1xUCVi}s+no%oCP>blc+R#5bZ^s_V%5<3>C#l$GScPDd#R%0c3rLw=$T}VA2}9m zCc8sh6Ij|jR;e}~!dm@rDXlwkd%*E66xTr&{~%hx{f5h{>1xTV)TZx-8q8XfJ32t* zj&`lf^@BcuotJEmOYvT@d7 zW2imGD#vD-5?dU=jmaTIq3-&{#gHP6NVmK&2BHLL>h*2&ui1at^(lMxr{$WIpm$~; zP|!)JH%EsMeEvzNQ97=#qnDCb`}MKUH_&v)>@ic1U+)BUSRP*nkl)H=wQx`A(5vcd zKl5t8A=K0}b6M5N_Ax+7>!4o6uG|-MVHa=`3a~Wd?WH-hD{}uXgRL(AHL+9a>z+P%}IYeWDp%HTgs=}08sQXF%dXhW0S%K64KlVHS<1FYiBLO&?v^u z@&d_ZvmPk~Mig8_gbp8weZGD|xA$0j_vPfYL{{p5IIuipt>4^^ zuMSCz+IZfKelAMAU3QlnS5EG2f^pBPm2!p7ZbDqzC@Ws$P71!~Mh(I>OL(iSAIZ<# zk!rIbU%v6hm$krtKr+;E z-SRglPP!euS$Rv{!6%T;Pa7wXkKf#Mu zl}#t0f@mLk84vc!o!?x#t4CElRgFca9@hF^;q1nX@-3h3x(Ke~o|g^oI} zLo(dP6xQy>FPc@#$%-^vVo$CKTJs(a7EW1c?900Mea?@p7H+O#TWG*PK6cM~uA0;7 z*!xwvHUb`CxZk2smc74Sw*mA!l_OE1GTf;XpZ}L7EEm^n8^zT3^WYcbJ@143ZT??W zX1#d&x<)*W))(vK!IIj)*(W9A&g!*Ahhm#nBUQQy8)u%1g4(YhZ2qgl7A~8REn&$l z>EH_4rh+9pA5h5>6=1W^;CRhAomWq)O=^_QOg16l0@yq&-1eu74_E5~ zq&i>^m3iaa)&N92#_ugyeqbTQt!vL9ibv`qDi7*P56|T!$DrxU?rQn2zv*{7zE<1l zVtp467~Iq7FVyU)Zj-8j+aRMXn`nIZTEZ&g?1oSr+NC z5-#cQ?K5urF9+iYEhD` zZni(GalSWCMFB3G;o4E&FixNY;4@`C-8g$SL7 zPX!|3_0<4NGH*r87@&0;&=Jq66bISPpr2!*r|S|!w0-Z zL1c~9vZpGI0o-dEhyG;y@~mGJozS~VYkI2Vl?5H_D|V`;yZ06SFWd7UDfIj}%&UhA z0vw;iTl}j&i)okdzZVr%%B;&CA}9B@&DXd+Zkd~I*)J~teqF`n42>r)F;?{7EDxU` z+}UIJ-LQ9pvHJ0m-A;%i6oqx$22m7u*ZBRE@+$!6)ZNpV=1#3-#@g%gXhwuAg|C1kmHjx_=1=@i2q4Y>FFQ#g7sV-V)oI zt4Il=bd)8e6`pA+o)onsi=negqMjaz6?C5F)$nxTt8pi&!Y*$ zlb5-tEZz1guo`dMC)p( zEorJs1F0n1^$WI1-&y7hi!LmgTy2oo@+nZNjzCy)SD~UYJR5kyG{3I4agK7H2Ay~& zlj(nE7x)}d$N}i2ZE=199$3X7g|j^8+n}QN7DNV$pT?p74eXXQE;dzX_l<^fK6z@H z=+pZSf4=_DvhJM)D{3$vu_^N7X%iy3g^x( z^ZW2lK(AkyCEK3-_Zxez+^vnRx&$eRT{wA#hOfVCBL@C6N%}6*-K6?MY{4cNK+%S} z`Cc{@b-!+Y26m4FOsdcOzfUTi0W8!`qVBkI*^M_TYycgu@0YMD@deg!Qs;i#`Acw; z-~A>6ev zIrsiA>!Xx9@n5nnZik(h7+8h1T|O<%{u1EeZ@9Fp!Ut`8^XpuzuF?h(^^|-D5J-B` zLY9eKc2j>pQ(F@VB;~Y8M7C&Xcqt39!++H@u8r54%`Rtf#dJi>x&Z zsS)fd6tS2u`|Y3=HY5-%eF zUfKW>=Y-=s_rv`d`KAnSz$pmftT7QU`#&;UHtjZ-r;v-``tZq0_O&a$1gbcY4@$Jt zb`8)-fVpNR`+sFAu!Fr}hTpY*`IlM{w}Wz}3EOj=sB!ed!CZ(q{1BOMXM>wW=^@8h zQL=#ZEm)3yuKbtU@5KexPee8_lk_W9tZ)*w5i+{1O{KfVeNcH~IAfViw_{6(!g**E z-~9KR(mw$Y^hWpE)dVK#?`Jxm#-U77y~Xf4V5a_QXh57q%=Z~xmv8>|!v3HfT&^558Fq-=M`xmNGes^q3WN zV0_~HUevbygpEC+TMQZdF#*B{rP>MLew6$M>du1ZRtBdJO@wmAr>NUR!OL!X_xH4l zCRdT*@b;9b*pISAf5Fj5Ra#nYeCu#hQPKN6>qsJLL=;zfkoQ$^%XI%O_w#$Y{5KJt z#O2YRo&tC(O;4+>nmI?bu7|dn%)8ps^Eu^pg7P>*8-Lhr+0g$-2IkhZcEh2mx-L|G z6)OyH9of78Zz6=uFnm!%kv0oARYehcA`k5SR@G#q6)OQT(#aN}w=54bhM9&JGCKZR zBA`C;QUfKQRr2E=b_BnhOh6) zx2Jr?2G@b)PLVHhTn4AWGK-#dZ9EV+ZqA`MZ%M4Qap%4~VEQ>zP+ECWaCF6n~3M?gB-48kOe7|0d74;l#_14JV+U#IauKs-POD&AG)gDbF1 zhHsLJ7<^JL^z=;REfE2#B9jY?@QY#)Qi)YBv#W1C`w5b~^45T2KPnUD5J@W!5I6Rb z2giW%EF3apu(TyE0O4QwRyZRI|D_>Ic(4DoZzf53<+S+7?$- zL^W-jOiMi~JfMYl>dQw~&onnq;RCX!vh9|==(j4dR@)-Bpo?{ilUAkmcpHA!yeYbg z6+& z!=HsGa8$aDScMwMYsg3$YPa9M!1 zOBicnooOsDFQ2KKFE49@n#^CawUfc*|M2Cp<5S8Ff1J>B44A|GwzdR{Cp_w)e~*r+ z&;(KjbEtR6l(UvxS8uZUj5tyj@Jbt&GAzF2iOh5l$P2fHv8%8JLd-PckRCP5oi+mR z%d>|z1ok-jI5^Y?42}5f!4qIEG7$Z((Eyg)^J7DJft@xm1Anc@DtNVdW$VX@)-gIf zhX&ogAZJQ`H#xkCs0>1tX;5SVsLk~w(pZAUO8h!t(%u31f+U`*XG7`pYC~&Ihd@D4;!*KFZ z>NaX$es{7_llcyc!uI+i4bT5jBOOoFA_+h5(r}O%96h~k7O~GZeYRVG?-7RqO?x1y zm3JKI(}5Zf_8er{VMcbg33d9u2B~j-d~B-rMa>mXMb>Zt1@>yu@l@SHJD%fIMT85^ z(g9Om4ni(j*L)$?o%D4wkJDa=BvVdkZs9Jzl;7rW>$QwXcOR~l6R&^C8?>?!my0|- zF-Cdz)e#tA2s;KrZ8+-)meMz8$(HRN+8LVw^ zOr#S{dSG;G3Re{L4L>YCB9p~0V_lJBuIl#Y21mAj<;S)IKlrNDb;Zqf7hB?hV39Bj zObl0KkBgwG;_PkVn2ut5JuQ5cjz0x2%?a)8pZ>1mJY~qyB%I8qXdBAFP{HIjj`84< z)EpQ~p$C-e%`Tkwo}a-h_@)G5(F`(iM*J1FmBy^5SF=ftEV~wIFX>)~lQ|*A%X7bM z&ZiGvR1S1`dn%fZD?lwls)SJ8J}s#6q)J;siOOJJkxNd|B>otn^WUfKqwPBFpN9tX zEz24vK~AC7QBBeC!E5kVXqylK7}dpfSbS!q>)FgA7`F?k$^WKLd~bl zPkb$q3)VGoG{oazVJ}%aDpiXoE&gJ9m=G=K=(;aMhquo>b=pLj{s{;+)kXjsIi%NF zVULfX{pG6N<~qUfMyj+;LcQnj;T=cTQ#+u8(I@#hbJx05RyV&+68zrLJB=?ZUfK`rBZE0jm2VF1Mvd>65h)2yJzmaqU zAZd6@pR1*qePxK(CIv~-R=FlggC~;4j-IYqE>dn<3cB)6fV`c=ar8E$+0j0cPoH@zx@jNrR0>`&Hn>NuDU1y literal 0 HcmV?d00001 diff --git a/hi.txt b/hi.txt new file mode 100644 index 0000000000..3f4676ab35 --- /dev/null +++ b/hi.txt @@ -0,0 +1,2342 @@ +NGINX Ingress Controller Version=5.0.0 Commit=5f85b44c19247eb0e99bbabd114274409e841fb2 Date=2025-04-15T16:27:08Z DirtyState=false Arch=linux/arm64 Go=go1.24.2 +I20250501 16:13:00.737858 1 flags.go:288] Starting with flags: ["-nginx-plus=false" "-nginx-reload-timeout=60000" "-enable-app-protect=false" "-enable-app-protect-dos=false" "-nginx-configmaps=default/nginx-ingress" "-ingress-class=nginx" "-health-status=false" "-health-status-uri=/nginx-health" "-nginx-debug=false" "-log-level=info" "-log-format=glog" "-nginx-status=true" "-nginx-status-port=8080" "-nginx-status-allow-cidrs=127.0.0.1" "-report-ingress-status" "-enable-leader-election=true" "-leader-election-lock-name=nginx-ingress-leader-election" "-enable-prometheus-metrics=true" "-prometheus-metrics-listen-port=9113" "-prometheus-tls-secret=" "-enable-service-insight=false" "-service-insight-listen-port=9114" "-service-insight-tls-secret=" "-enable-custom-resources=true" "-enable-snippets=false" "-disable-ipv6=false" "-enable-tls-passthrough=false" "-enable-cert-manager=false" "-enable-oidc=false" "-enable-external-dns=false" "-default-http-listener-port=80" "-default-https-listener-port=443" "-ready-status=true" "-ready-status-port=8081" "-enable-latency-metrics=false" "-ssl-dynamic-reload=true" "-enable-telemetry-reporting=true" "-weight-changes-dynamic-reload=false"] +I20250501 16:13:00.743252 1 main.go:424] Kubernetes version: 1.32.0 +I20250501 16:13:00.749664 1 main.go:579] Using nginx version: nginx/1.27.4 + +I20250501 16:13:00.757557 1 main.go:1074] Pod label updated: nginx-ingress-controller-5cfb8c9f87-4rvh4 +I20250501 16:13:00.757811 1 main.go:107] Event(v1.ObjectReference{Kind:"Pod", Namespace:"default", Name:"nginx-ingress-controller-5cfb8c9f87-4rvh4", UID:"b48df7db-be51-415e-9575-f6017829292c", APIVersion:"v1", ResourceVersion:"411", FieldPath:""}): type: 'Normal' reason: 'UpdatePodLabel' Successfully added version labels, app.kubernetes.io/version="5.0.0", app.kubernetes.io/instance="nginx-ingress", app.kubernetes.io/name="nginx-ingress", pod-template-hash="5cfb8c9f87", app.nginx.org/version="1.27.4" +2025/05/01 16:13:00 [notice] 17#17: js vm init njs: 0000AAAACEE7F900 +2025/05/01 16:13:00 [notice] 17#17: using the "epoll" event method +2025/05/01 16:13:00 [notice] 17#17: nginx/1.27.4 +2025/05/01 16:13:00 [notice] 17#17: built by gcc 12.2.0 (Debian 12.2.0-14) +2025/05/01 16:13:00 [notice] 17#17: OS: Linux 6.10.14-linuxkit +2025/05/01 16:13:00 [notice] 17#17: getrlimit(RLIMIT_NOFILE): 1048576:1048576 +2025/05/01 16:13:00 [notice] 17#17: start worker processes +2025/05/01 16:13:00 [notice] 17#17: start worker process 18 +2025/05/01 16:13:00 [notice] 17#17: start worker process 19 +2025/05/01 16:13:00 [notice] 17#17: start worker process 20 +2025/05/01 16:13:00 [notice] 17#17: start worker process 21 +2025/05/01 16:13:00 [notice] 17#17: start worker process 22 +2025/05/01 16:13:00 [notice] 17#17: start worker process 23 +2025/05/01 16:13:00 [notice] 17#17: start worker process 24 +2025/05/01 16:13:00 [notice] 17#17: start worker process 25 +I0501 16:13:00.770865 1 leaderelection.go:257] attempting to acquire leader lease default/nginx-ingress-leader-election... +I20250501 16:13:00.770822 1 listener.go:47] Starting prometheus listener on: :9113/metrics +2025/05/01 16:13:00 [notice] 17#17: start worker process 27 +2025/05/01 16:13:00 [notice] 17#17: start worker process 29 +I20250501 16:13:00.773471 1 service.go:32] Adding service: kubernetes +I20250501 16:13:00.773495 1 service.go:32] Adding service: nginx-ingress-controller +I20250501 16:13:00.773508 1 service.go:32] Adding service: kube-dns +I0501 16:13:00.778516 1 leaderelection.go:271] successfully acquired lease default/nginx-ingress-leader-election +2025/05/01 16:13:00 [notice] 17#17: signal 1 (SIGHUP) received from 33, reconfiguring +2025/05/01 16:13:00 [notice] 17#17: reconfiguring +2025/05/01 16:13:00 [notice] 17#17: js vm init njs: 0000AAAACEEF0E00 +2025/05/01 16:13:00 [notice] 17#17: using the "epoll" event method +2025/05/01 16:13:00 [notice] 17#17: start worker processes +2025/05/01 16:13:00 [notice] 17#17: start worker process 34 +2025/05/01 16:13:00 [notice] 17#17: start worker process 35 +2025/05/01 16:13:00 [notice] 17#17: start worker process 36 +2025/05/01 16:13:00 [notice] 17#17: start worker process 37 +2025/05/01 16:13:00 [notice] 17#17: start worker process 38 +2025/05/01 16:13:00 [notice] 17#17: start worker process 39 +2025/05/01 16:13:00 [notice] 17#17: start worker process 40 +2025/05/01 16:13:00 [notice] 17#17: start worker process 41 +2025/05/01 16:13:00 [notice] 17#17: start worker process 42 +2025/05/01 16:13:00 [notice] 17#17: start worker process 43 +2025/05/01 16:13:00 [notice] 18#18: gracefully shutting down +2025/05/01 16:13:00 [notice] 19#19: gracefully shutting down +2025/05/01 16:13:00 [notice] 20#20: gracefully shutting down +2025/05/01 16:13:00 [notice] 19#19: exiting +2025/05/01 16:13:00 [notice] 20#20: exiting +2025/05/01 16:13:00 [notice] 23#23: gracefully shutting down +2025/05/01 16:13:00 [notice] 23#23: exiting +2025/05/01 16:13:00 [notice] 21#21: gracefully shutting down +2025/05/01 16:13:00 [notice] 22#22: gracefully shutting down +2025/05/01 16:13:00 [notice] 24#24: gracefully shutting down +2025/05/01 16:13:00 [notice] 25#25: gracefully shutting down +2025/05/01 16:13:00 [notice] 22#22: exiting +2025/05/01 16:13:00 [notice] 21#21: exiting +2025/05/01 16:13:00 [notice] 24#24: exiting +2025/05/01 16:13:00 [notice] 25#25: exiting +2025/05/01 16:13:00 [notice] 18#18: exiting +2025/05/01 16:13:00 [notice] 29#29: gracefully shutting down +2025/05/01 16:13:00 [notice] 29#29: exiting +2025/05/01 16:13:00 [notice] 20#20: exit +2025/05/01 16:13:00 [notice] 24#24: exit +2025/05/01 16:13:00 [notice] 19#19: exit +2025/05/01 16:13:00 [notice] 25#25: exit +2025/05/01 16:13:00 [notice] 21#21: exit +2025/05/01 16:13:00 [notice] 23#23: exit +2025/05/01 16:13:00 [notice] 22#22: exit +2025/05/01 16:13:00 [notice] 18#18: exit +2025/05/01 16:13:00 [notice] 29#29: exit +2025/05/01 16:13:00 [notice] 27#27: gracefully shutting down +2025/05/01 16:13:00 [notice] 27#27: exiting +2025/05/01 16:13:00 [notice] 27#27: exit +I20250501 16:13:00.991260 1 main.go:107] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"default", Name:"nginx-ingress", UID:"9f7e7add-dfe2-4e2f-9381-2e6025ae4168", APIVersion:"v1", ResourceVersion:"364", FieldPath:""}): type: 'Normal' reason: 'Updated' ConfigMap default/nginx-ingress updated without error +2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 20 +2025/05/01 16:13:01 [notice] 17#17: worker process 19 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: worker process 20 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: worker process 22 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: worker process 23 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: worker process 24 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: worker process 29 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: signal 29 (SIGIO) received +2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 19 +2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 25 +2025/05/01 16:13:01 [notice] 17#17: worker process 21 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: worker process 25 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: worker process 27 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: signal 29 (SIGIO) received +2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 27 +2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 18 +2025/05/01 16:13:01 [notice] 17#17: worker process 18 exited with code 0 +2025/05/01 16:13:01 [notice] 17#17: signal 29 (SIGIO) received +I20250501 16:15:40.671873 1 service.go:32] Adding service: coffee-svc +I20250501 16:15:40.753379 1 service.go:32] Adding service: tea-svc +2025/05/01 16:16:46 [notice] 17#17: signal 1 (SIGHUP) received from 47, reconfiguring +2025/05/01 16:16:46 [notice] 17#17: reconfiguring +2025/05/01 16:16:46 [notice] 17#17: js vm init njs: 0000AAAACEE84880 +2025/05/01 16:16:46 [notice] 17#17: using the "epoll" event method +2025/05/01 16:16:46 [notice] 17#17: start worker processes +2025/05/01 16:16:46 [notice] 17#17: start worker process 48 +2025/05/01 16:16:46 [notice] 17#17: start worker process 49 +2025/05/01 16:16:46 [notice] 17#17: start worker process 50 +2025/05/01 16:16:46 [notice] 17#17: start worker process 51 +2025/05/01 16:16:46 [notice] 17#17: start worker process 52 +2025/05/01 16:16:46 [notice] 17#17: start worker process 53 +2025/05/01 16:16:46 [notice] 17#17: start worker process 54 +2025/05/01 16:16:46 [notice] 17#17: start worker process 55 +2025/05/01 16:16:46 [notice] 17#17: start worker process 56 +2025/05/01 16:16:46 [notice] 17#17: start worker process 57 +2025/05/01 16:16:46 [notice] 36#36: gracefully shutting down +2025/05/01 16:16:46 [notice] 35#35: gracefully shutting down +2025/05/01 16:16:46 [notice] 34#34: gracefully shutting down +2025/05/01 16:16:46 [notice] 38#38: gracefully shutting down +2025/05/01 16:16:46 [notice] 40#40: gracefully shutting down +2025/05/01 16:16:46 [notice] 39#39: gracefully shutting down +2025/05/01 16:16:46 [notice] 37#37: gracefully shutting down +2025/05/01 16:16:46 [notice] 41#41: gracefully shutting down +2025/05/01 16:16:46 [notice] 43#43: gracefully shutting down +2025/05/01 16:16:46 [notice] 38#38: exiting +2025/05/01 16:16:46 [notice] 35#35: exiting +2025/05/01 16:16:46 [notice] 34#34: exiting +2025/05/01 16:16:46 [notice] 40#40: exiting +2025/05/01 16:16:46 [notice] 36#36: exiting +2025/05/01 16:16:46 [notice] 39#39: exiting +2025/05/01 16:16:46 [notice] 41#41: exiting +2025/05/01 16:16:46 [notice] 37#37: exiting +2025/05/01 16:16:46 [notice] 43#43: exiting +2025/05/01 16:16:46 [notice] 42#42: gracefully shutting down +2025/05/01 16:16:46 [notice] 36#36: exit +2025/05/01 16:16:46 [notice] 38#38: exit +2025/05/01 16:16:46 [notice] 42#42: exiting +2025/05/01 16:16:46 [notice] 43#43: exit +2025/05/01 16:16:46 [notice] 34#34: exit +2025/05/01 16:16:46 [notice] 39#39: exit +2025/05/01 16:16:46 [notice] 37#37: exit +2025/05/01 16:16:46 [notice] 41#41: exit +2025/05/01 16:16:46 [notice] 35#35: exit +2025/05/01 16:16:46 [notice] 42#42: exit +2025/05/01 16:16:46 [notice] 40#40: exit +I20250501 16:16:46.224592 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"95d571e9-f2c0-483b-b427-8d914611affa", APIVersion:"networking.k8s.io/v1", ResourceVersion:"773", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated +2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 34 +2025/05/01 16:16:46 [notice] 17#17: worker process 34 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: worker process 36 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: signal 29 (SIGIO) received +2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 36 +2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 40 +2025/05/01 16:16:46 [notice] 17#17: worker process 40 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: worker process 38 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: worker process 35 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: worker process 39 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: worker process 41 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: worker process 42 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: signal 29 (SIGIO) received +2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 42 +2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 43 +2025/05/01 16:16:46 [notice] 17#17: worker process 43 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: worker process 37 exited with code 0 +2025/05/01 16:16:46 [notice] 17#17: signal 29 (SIGIO) received +2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 37 +10.244.0.1 - - [01/May/2025:16:54:09 +0000] "GET / HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [01/May/2025:16:54:09 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://127.0.0.1:51678/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [01/May/2025:16:54:13 +0000] "GET / HTTP/1.1" 400 657 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [01/May/2025:16:54:13 +0000] "GET /favicon.ico HTTP/1.1" 400 657 "http://127.0.0.1:51679/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [02/May/2025:08:41:19 +0000] "GET / HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [02/May/2025:08:41:20 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://127.0.0.1:55912/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [02/May/2025:08:41:25 +0000] "GET / HTTP/1.1" 400 657 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [02/May/2025:08:41:25 +0000] "GET /favicon.ico HTTP/1.1" 400 657 "http://127.0.0.1:55913/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [02/May/2025:08:43:45 +0000] "GET / HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [02/May/2025:08:43:45 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://127.0.0.1:56272/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [02/May/2025:08:44:32 +0000] "GET / HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [02/May/2025:08:44:50 +0000] "GET / HTTP/1.1" 400 657 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +10.244.0.1 - - [02/May/2025:08:44:50 +0000] "GET /favicon.ico HTTP/1.1" 400 657 "http://127.0.0.1:56273/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" +I20250502 08:53:54.506422 1 manager.go:195] Deleting config from /etc/nginx/conf.d/default-cafe-ingress.conf +2025/05/02 08:53:54 [notice] 17#17: signal 1 (SIGHUP) received from 66, reconfiguring +2025/05/02 08:53:54 [notice] 17#17: reconfiguring +I20250502 08:53:54.524603 1 service.go:50] Removing service: coffee-svc +2025/05/02 08:53:54 [notice] 17#17: js vm init njs: 0000AAAACEEF5480 +2025/05/02 08:53:54 [notice] 17#17: using the "epoll" event method +2025/05/02 08:53:54 [notice] 17#17: start worker processes +2025/05/02 08:53:54 [notice] 17#17: start worker process 67 +2025/05/02 08:53:54 [notice] 17#17: start worker process 68 +2025/05/02 08:53:54 [notice] 17#17: start worker process 69 +2025/05/02 08:53:54 [notice] 17#17: start worker process 70 +2025/05/02 08:53:54 [notice] 17#17: start worker process 71 +2025/05/02 08:53:54 [notice] 17#17: start worker process 72 +2025/05/02 08:53:54 [notice] 17#17: start worker process 73 +2025/05/02 08:53:54 [notice] 17#17: start worker process 74 +2025/05/02 08:53:54 [notice] 17#17: start worker process 75 +2025/05/02 08:53:54 [notice] 17#17: start worker process 76 +I20250502 08:53:54.560556 1 service.go:50] Removing service: tea-svc +2025/05/02 08:53:54 [notice] 49#49: gracefully shutting down +2025/05/02 08:53:54 [notice] 50#50: gracefully shutting down +2025/05/02 08:53:54 [notice] 50#50: exiting +2025/05/02 08:53:54 [notice] 48#48: gracefully shutting down +2025/05/02 08:53:54 [notice] 48#48: exiting +2025/05/02 08:53:54 [notice] 52#52: gracefully shutting down +2025/05/02 08:53:54 [notice] 53#53: gracefully shutting down +2025/05/02 08:53:54 [notice] 51#51: gracefully shutting down +2025/05/02 08:53:54 [notice] 53#53: exiting +2025/05/02 08:53:54 [notice] 51#51: exiting +2025/05/02 08:53:54 [notice] 49#49: exiting +2025/05/02 08:53:54 [notice] 56#56: gracefully shutting down +2025/05/02 08:53:54 [notice] 54#54: gracefully shutting down +2025/05/02 08:53:54 [notice] 54#54: exiting +2025/05/02 08:53:54 [notice] 55#55: gracefully shutting down +2025/05/02 08:53:54 [notice] 52#52: exiting +2025/05/02 08:53:54 [notice] 55#55: exiting +2025/05/02 08:53:54 [notice] 48#48: exit +2025/05/02 08:53:54 [notice] 54#54: exit +2025/05/02 08:53:54 [notice] 52#52: exit +2025/05/02 08:53:54 [notice] 56#56: exiting +2025/05/02 08:53:54 [notice] 53#53: exit +2025/05/02 08:53:54 [notice] 51#51: exit +2025/05/02 08:53:54 [notice] 50#50: exit +2025/05/02 08:53:54 [notice] 56#56: exit +2025/05/02 08:53:54 [notice] 57#57: gracefully shutting down +2025/05/02 08:53:54 [notice] 55#55: exit +2025/05/02 08:53:54 [notice] 57#57: exiting +2025/05/02 08:53:54 [notice] 57#57: exit +2025/05/02 08:53:54 [notice] 49#49: exit +2025/05/02 08:53:54 [notice] 17#17: signal 1 (SIGHUP) received from 78, reconfiguring +2025/05/02 08:53:54 [notice] 17#17: reconfiguring +2025/05/02 08:53:54 [notice] 17#17: js vm init njs: 0000AAAACEF3BA80 +2025/05/02 08:53:54 [notice] 17#17: using the "epoll" event method +2025/05/02 08:53:54 [notice] 17#17: start worker processes +2025/05/02 08:53:54 [notice] 17#17: start worker process 79 +2025/05/02 08:53:54 [notice] 17#17: start worker process 80 +2025/05/02 08:53:54 [notice] 17#17: start worker process 81 +2025/05/02 08:53:54 [notice] 17#17: start worker process 82 +2025/05/02 08:53:54 [notice] 17#17: start worker process 83 +2025/05/02 08:53:54 [notice] 17#17: start worker process 84 +2025/05/02 08:53:54 [notice] 17#17: start worker process 85 +2025/05/02 08:53:54 [notice] 17#17: start worker process 86 +2025/05/02 08:53:54 [notice] 17#17: start worker process 87 +2025/05/02 08:53:54 [notice] 17#17: start worker process 88 +2025/05/02 08:53:54 [notice] 68#68: gracefully shutting down +2025/05/02 08:53:54 [notice] 68#68: exiting +2025/05/02 08:53:54 [notice] 67#67: gracefully shutting down +2025/05/02 08:53:54 [notice] 67#67: exiting +2025/05/02 08:53:54 [notice] 67#67: exit +2025/05/02 08:53:54 [notice] 68#68: exit +2025/05/02 08:53:54 [notice] 69#69: gracefully shutting down +2025/05/02 08:53:54 [notice] 72#72: gracefully shutting down +2025/05/02 08:53:54 [notice] 70#70: gracefully shutting down +2025/05/02 08:53:54 [notice] 71#71: gracefully shutting down +2025/05/02 08:53:54 [notice] 72#72: exiting +2025/05/02 08:53:54 [notice] 69#69: exiting +2025/05/02 08:53:54 [notice] 70#70: exiting +2025/05/02 08:53:54 [notice] 71#71: exiting +2025/05/02 08:53:54 [notice] 71#71: exit +2025/05/02 08:53:54 [notice] 69#69: exit +2025/05/02 08:53:54 [notice] 72#72: exit +2025/05/02 08:53:54 [notice] 70#70: exit +2025/05/02 08:53:54 [notice] 73#73: gracefully shutting down +2025/05/02 08:53:54 [notice] 73#73: exiting +2025/05/02 08:53:54 [notice] 73#73: exit +2025/05/02 08:53:54 [notice] 74#74: gracefully shutting down +2025/05/02 08:53:54 [notice] 75#75: gracefully shutting down +2025/05/02 08:53:54 [notice] 74#74: exiting +2025/05/02 08:53:54 [notice] 75#75: exiting +2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 56 +2025/05/02 08:53:54 [notice] 76#76: gracefully shutting down +2025/05/02 08:53:54 [notice] 76#76: exiting +2025/05/02 08:53:54 [notice] 17#17: worker process 48 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 49 exited with code 0 +2025/05/02 08:53:54 [notice] 74#74: exit +2025/05/02 08:53:54 [notice] 17#17: worker process 50 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 51 exited with code 0 +2025/05/02 08:53:54 [notice] 76#76: exit +2025/05/02 08:53:54 [notice] 75#75: exit +2025/05/02 08:53:54 [notice] 17#17: worker process 52 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 53 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 54 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 55 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 56 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 57 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 69 +2025/05/02 08:53:54 [notice] 17#17: worker process 69 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 70 +2025/05/02 08:53:54 [notice] 17#17: worker process 70 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 67 +2025/05/02 08:53:54 [notice] 17#17: worker process 67 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 68 +2025/05/02 08:53:54 [notice] 17#17: worker process 68 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 73 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 75 +2025/05/02 08:53:54 [notice] 17#17: worker process 72 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 75 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 71 +2025/05/02 08:53:54 [notice] 17#17: worker process 71 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: worker process 74 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 74 +2025/05/02 08:53:54 [notice] 17#17: worker process 76 exited with code 0 +2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received +W20250502 08:54:22.915598 1 controller.go:2158] Error trying to get the secret cafe-secret for Ingress cafe-ingress: secret doesn't exist or of an unsupported type +W20250502 08:54:22.915663 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist +W20250502 08:54:22.915671 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: service default/coffee-svc doesn't exist +2025/05/02 08:54:22 [notice] 17#17: signal 1 (SIGHUP) received from 90, reconfiguring +2025/05/02 08:54:22 [notice] 17#17: reconfiguring +2025/05/02 08:54:22 [notice] 17#17: js vm init njs: 0000AAAACEEF5480 +2025/05/02 08:54:22 [notice] 17#17: using the "epoll" event method +2025/05/02 08:54:22 [notice] 17#17: start worker processes +2025/05/02 08:54:22 [notice] 17#17: start worker process 91 +2025/05/02 08:54:22 [notice] 17#17: start worker process 92 +2025/05/02 08:54:22 [notice] 17#17: start worker process 93 +2025/05/02 08:54:22 [notice] 17#17: start worker process 94 +2025/05/02 08:54:22 [notice] 17#17: start worker process 95 +2025/05/02 08:54:22 [notice] 17#17: start worker process 96 +2025/05/02 08:54:22 [notice] 17#17: start worker process 97 +2025/05/02 08:54:22 [notice] 17#17: start worker process 98 +2025/05/02 08:54:22 [notice] 17#17: start worker process 99 +2025/05/02 08:54:22 [notice] 17#17: start worker process 100 +I20250502 08:54:22.958461 1 service.go:32] Adding service: coffee-svc +2025/05/02 08:54:23 [notice] 87#87: gracefully shutting down +2025/05/02 08:54:23 [notice] 80#80: gracefully shutting down +2025/05/02 08:54:23 [notice] 80#80: exiting +2025/05/02 08:54:23 [notice] 87#87: exiting +2025/05/02 08:54:23 [notice] 87#87: exit +2025/05/02 08:54:23 [notice] 82#82: gracefully shutting down +2025/05/02 08:54:23 [notice] 82#82: exiting +2025/05/02 08:54:23 [notice] 85#85: gracefully shutting down +2025/05/02 08:54:23 [notice] 85#85: exiting +2025/05/02 08:54:23 [notice] 80#80: exit +2025/05/02 08:54:23 [notice] 85#85: exit +2025/05/02 08:54:23 [notice] 86#86: gracefully shutting down +2025/05/02 08:54:23 [notice] 86#86: exiting +2025/05/02 08:54:23 [notice] 79#79: gracefully shutting down +2025/05/02 08:54:23 [notice] 79#79: exiting +2025/05/02 08:54:23 [notice] 88#88: gracefully shutting down +2025/05/02 08:54:23 [notice] 88#88: exiting +2025/05/02 08:54:23 [notice] 88#88: exit +2025/05/02 08:54:23 [notice] 82#82: exit +2025/05/02 08:54:23 [notice] 79#79: exit +2025/05/02 08:54:23 [notice] 84#84: gracefully shutting down +2025/05/02 08:54:23 [notice] 83#83: gracefully shutting down +2025/05/02 08:54:23 [notice] 83#83: exiting +2025/05/02 08:54:23 [notice] 83#83: exit +2025/05/02 08:54:23 [notice] 86#86: exit +2025/05/02 08:54:23 [notice] 81#81: gracefully shutting down +2025/05/02 08:54:23 [notice] 81#81: exiting +2025/05/02 08:54:23 [notice] 81#81: exit +2025/05/02 08:54:23 [notice] 84#84: exiting +2025/05/02 08:54:23 [notice] 84#84: exit +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 80 +2025/05/02 08:54:23 [notice] 17#17: worker process 80 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 79 +2025/05/02 08:54:23 [notice] 17#17: worker process 79 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 83 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 85 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 82 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 86 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 87 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 82 +2025/05/02 08:54:23 [notice] 17#17: worker process 81 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 81 +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 88 +2025/05/02 08:54:23 [notice] 17#17: worker process 88 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +W20250502 08:54:23.154245 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist +I20250502 08:54:23.154225 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Warning' reason: 'AddedOrUpdatedWithWarning' Configuration for default/cafe-ingress was added or updated ; with warning(s): TLS secret cafe-secret is invalid: secret doesn't exist or of an unsupported type +W20250502 08:54:23.154346 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc +I20250502 08:54:23.154598 1 service.go:258] Syncing service default/coffee-svc +I20250502 08:54:23.154623 1 service.go:260] Updating 1 resources +W20250502 08:54:23.154628 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist +W20250502 08:54:23.154633 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc +I20250502 08:54:23.154755 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated +W20250502 08:54:23.155433 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist +W20250502 08:54:23.155448 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc +I20250502 08:54:23.155717 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated +I20250502 08:54:23.157472 1 service.go:32] Adding service: tea-svc +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 84 +2025/05/02 08:54:23 [notice] 17#17: worker process 84 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 1 (SIGHUP) received from 102, reconfiguring +2025/05/02 08:54:23 [notice] 17#17: reconfiguring +2025/05/02 08:54:23 [notice] 17#17: js vm init njs: 0000AAAACEEAA380 +2025/05/02 08:54:23 [notice] 17#17: using the "epoll" event method +2025/05/02 08:54:23 [notice] 17#17: start worker processes +2025/05/02 08:54:23 [notice] 17#17: start worker process 103 +2025/05/02 08:54:23 [notice] 17#17: start worker process 104 +2025/05/02 08:54:23 [notice] 17#17: start worker process 105 +2025/05/02 08:54:23 [notice] 17#17: start worker process 106 +2025/05/02 08:54:23 [notice] 17#17: start worker process 107 +2025/05/02 08:54:23 [notice] 17#17: start worker process 108 +2025/05/02 08:54:23 [notice] 17#17: start worker process 109 +2025/05/02 08:54:23 [notice] 17#17: start worker process 110 +2025/05/02 08:54:23 [notice] 17#17: start worker process 111 +2025/05/02 08:54:23 [notice] 17#17: start worker process 112 +2025/05/02 08:54:23 [notice] 92#92: gracefully shutting down +2025/05/02 08:54:23 [notice] 93#93: gracefully shutting down +2025/05/02 08:54:23 [notice] 91#91: gracefully shutting down +2025/05/02 08:54:23 [notice] 94#94: gracefully shutting down +2025/05/02 08:54:23 [notice] 95#95: gracefully shutting down +2025/05/02 08:54:23 [notice] 94#94: exiting +2025/05/02 08:54:23 [notice] 91#91: exiting +2025/05/02 08:54:23 [notice] 92#92: exiting +2025/05/02 08:54:23 [notice] 93#93: exiting +2025/05/02 08:54:23 [notice] 95#95: exiting +2025/05/02 08:54:23 [notice] 96#96: gracefully shutting down +2025/05/02 08:54:23 [notice] 97#97: gracefully shutting down +2025/05/02 08:54:23 [notice] 97#97: exiting +2025/05/02 08:54:23 [notice] 96#96: exiting +2025/05/02 08:54:23 [notice] 99#99: gracefully shutting down +2025/05/02 08:54:23 [notice] 99#99: exiting +2025/05/02 08:54:23 [notice] 95#95: exit +2025/05/02 08:54:23 [notice] 92#92: exit +2025/05/02 08:54:23 [notice] 91#91: exit +2025/05/02 08:54:23 [notice] 93#93: exit +2025/05/02 08:54:23 [notice] 94#94: exit +2025/05/02 08:54:23 [notice] 100#100: gracefully shutting down +2025/05/02 08:54:23 [notice] 100#100: exiting +2025/05/02 08:54:23 [notice] 97#97: exit +2025/05/02 08:54:23 [notice] 96#96: exit +2025/05/02 08:54:23 [notice] 98#98: gracefully shutting down +2025/05/02 08:54:23 [notice] 98#98: exiting +2025/05/02 08:54:23 [notice] 100#100: exit +2025/05/02 08:54:23 [notice] 98#98: exit +2025/05/02 08:54:23 [notice] 99#99: exit +I20250502 08:54:23.302569 1 service.go:258] Syncing service default/tea-svc +I20250502 08:54:23.302587 1 service.go:260] Updating 1 resources +W20250502 08:54:23.302614 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: no endpointslices for target port 8080 in service tea-svc +W20250502 08:54:23.302624 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 99 +2025/05/02 08:54:23 [notice] 17#17: worker process 93 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 94 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 95 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 97 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 99 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 95 +2025/05/02 08:54:23 [notice] 17#17: worker process 91 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 100 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 98 +2025/05/02 08:54:23 [notice] 17#17: worker process 98 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 92 +2025/05/02 08:54:23 [notice] 17#17: worker process 92 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 1 (SIGHUP) received from 114, reconfiguring +2025/05/02 08:54:23 [notice] 17#17: reconfiguring +2025/05/02 08:54:23 [notice] 17#17: js vm init njs: 0000AAAACEEFE200 +2025/05/02 08:54:23 [notice] 17#17: using the "epoll" event method +2025/05/02 08:54:23 [notice] 17#17: start worker processes +2025/05/02 08:54:23 [notice] 17#17: start worker process 115 +2025/05/02 08:54:23 [notice] 17#17: start worker process 116 +2025/05/02 08:54:23 [notice] 17#17: start worker process 117 +2025/05/02 08:54:23 [notice] 17#17: start worker process 118 +2025/05/02 08:54:23 [notice] 17#17: start worker process 119 +2025/05/02 08:54:23 [notice] 17#17: start worker process 120 +2025/05/02 08:54:23 [notice] 17#17: start worker process 121 +2025/05/02 08:54:23 [notice] 17#17: start worker process 122 +2025/05/02 08:54:23 [notice] 17#17: start worker process 123 +2025/05/02 08:54:23 [notice] 17#17: start worker process 124 +2025/05/02 08:54:23 [notice] 103#103: gracefully shutting down +2025/05/02 08:54:23 [notice] 104#104: gracefully shutting down +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 96 +2025/05/02 08:54:23 [notice] 17#17: worker process 96 exited with code 0 +2025/05/02 08:54:23 [notice] 103#103: exiting +2025/05/02 08:54:23 [notice] 104#104: exiting +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 105#105: gracefully shutting down +2025/05/02 08:54:23 [notice] 105#105: exiting +2025/05/02 08:54:23 [notice] 106#106: gracefully shutting down +2025/05/02 08:54:23 [notice] 106#106: exiting +2025/05/02 08:54:23 [notice] 103#103: exit +2025/05/02 08:54:23 [notice] 104#104: exit +2025/05/02 08:54:23 [notice] 107#107: gracefully shutting down +2025/05/02 08:54:23 [notice] 107#107: exiting +2025/05/02 08:54:23 [notice] 106#106: exit +2025/05/02 08:54:23 [notice] 107#107: exit +2025/05/02 08:54:23 [notice] 108#108: gracefully shutting down +2025/05/02 08:54:23 [notice] 108#108: exiting +2025/05/02 08:54:23 [notice] 112#112: gracefully shutting down +2025/05/02 08:54:23 [notice] 112#112: exiting +2025/05/02 08:54:23 [notice] 105#105: exit +2025/05/02 08:54:23 [notice] 109#109: gracefully shutting down +2025/05/02 08:54:23 [notice] 109#109: exiting +2025/05/02 08:54:23 [notice] 108#108: exit +2025/05/02 08:54:23 [notice] 109#109: exit +2025/05/02 08:54:23 [notice] 110#110: gracefully shutting down +2025/05/02 08:54:23 [notice] 111#111: gracefully shutting down +2025/05/02 08:54:23 [notice] 110#110: exiting +2025/05/02 08:54:23 [notice] 111#111: exiting +2025/05/02 08:54:23 [notice] 112#112: exit +2025/05/02 08:54:23 [notice] 110#110: exit +2025/05/02 08:54:23 [notice] 111#111: exit +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 104 +2025/05/02 08:54:23 [notice] 17#17: worker process 104 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 110 exited with code 0 +W20250502 08:54:23.449757 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: no endpointslices for target port 8080 in service tea-svc +W20250502 08:54:23.449780 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc +I20250502 08:54:23.450600 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 110 +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 108 +2025/05/02 08:54:23 [notice] 17#17: worker process 108 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 106 +2025/05/02 08:54:23 [notice] 17#17: worker process 106 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 112 +2025/05/02 08:54:23 [notice] 17#17: worker process 112 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 103 +2025/05/02 08:54:23 [notice] 17#17: worker process 103 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 111 +2025/05/02 08:54:23 [notice] 17#17: worker process 105 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 111 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 107 +2025/05/02 08:54:23 [notice] 17#17: worker process 107 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 109 +2025/05/02 08:54:23 [notice] 17#17: worker process 109 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 1 (SIGHUP) received from 126, reconfiguring +2025/05/02 08:54:23 [notice] 17#17: reconfiguring +2025/05/02 08:54:23 [notice] 17#17: js vm init njs: 0000AAAACEEF5480 +2025/05/02 08:54:23 [notice] 17#17: using the "epoll" event method +2025/05/02 08:54:23 [notice] 17#17: start worker processes +2025/05/02 08:54:23 [notice] 17#17: start worker process 127 +2025/05/02 08:54:23 [notice] 17#17: start worker process 128 +2025/05/02 08:54:23 [notice] 17#17: start worker process 129 +2025/05/02 08:54:23 [notice] 17#17: start worker process 130 +2025/05/02 08:54:23 [notice] 17#17: start worker process 131 +2025/05/02 08:54:23 [notice] 17#17: start worker process 132 +2025/05/02 08:54:23 [notice] 17#17: start worker process 133 +2025/05/02 08:54:23 [notice] 17#17: start worker process 134 +2025/05/02 08:54:23 [notice] 17#17: start worker process 135 +2025/05/02 08:54:23 [notice] 17#17: start worker process 136 +2025/05/02 08:54:23 [notice] 123#123: gracefully shutting down +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 117#117: gracefully shutting down +2025/05/02 08:54:23 [notice] 124#124: gracefully shutting down +2025/05/02 08:54:23 [notice] 123#123: exiting +2025/05/02 08:54:23 [notice] 124#124: exiting +2025/05/02 08:54:23 [notice] 116#116: gracefully shutting down +2025/05/02 08:54:23 [notice] 117#117: exiting +2025/05/02 08:54:23 [notice] 122#122: gracefully shutting down +2025/05/02 08:54:23 [notice] 116#116: exiting +2025/05/02 08:54:23 [notice] 122#122: exiting +2025/05/02 08:54:23 [notice] 118#118: gracefully shutting down +2025/05/02 08:54:23 [notice] 118#118: exiting +2025/05/02 08:54:23 [notice] 116#116: exit +2025/05/02 08:54:23 [notice] 123#123: exit +2025/05/02 08:54:23 [notice] 122#122: exit +2025/05/02 08:54:23 [notice] 119#119: gracefully shutting down +2025/05/02 08:54:23 [notice] 124#124: exit +2025/05/02 08:54:23 [notice] 119#119: exiting +2025/05/02 08:54:23 [notice] 118#118: exit +2025/05/02 08:54:23 [notice] 119#119: exit +2025/05/02 08:54:23 [notice] 120#120: gracefully shutting down +2025/05/02 08:54:23 [notice] 121#121: gracefully shutting down +2025/05/02 08:54:23 [notice] 120#120: exiting +2025/05/02 08:54:23 [notice] 121#121: exiting +2025/05/02 08:54:23 [notice] 117#117: exit +2025/05/02 08:54:23 [notice] 120#120: exit +2025/05/02 08:54:23 [notice] 121#121: exit +2025/05/02 08:54:23 [notice] 115#115: gracefully shutting down +2025/05/02 08:54:23 [notice] 115#115: exiting +2025/05/02 08:54:23 [notice] 115#115: exit +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 116 +2025/05/02 08:54:23 [notice] 17#17: worker process 116 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 118 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 119 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 120 +2025/05/02 08:54:23 [notice] 17#17: worker process 120 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 124 +2025/05/02 08:54:23 [notice] 17#17: worker process 124 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 115 +2025/05/02 08:54:23 [notice] 17#17: worker process 115 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 121 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 122 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: worker process 123 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 122 +2025/05/02 08:54:23 [notice] 17#17: worker process 117 exited with code 0 +2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received +W20250502 08:54:23.901594 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: no endpointslices for target port 8080 in service tea-svc +2025/05/02 08:54:23 [notice] 17#17: signal 1 (SIGHUP) received from 138, reconfiguring +2025/05/02 08:54:23 [notice] 17#17: reconfiguring +2025/05/02 08:54:23 [notice] 17#17: js vm init njs: 0000AAAACEE94880 +2025/05/02 08:54:23 [notice] 17#17: using the "epoll" event method +2025/05/02 08:54:23 [notice] 17#17: start worker processes +2025/05/02 08:54:23 [notice] 17#17: start worker process 139 +2025/05/02 08:54:23 [notice] 17#17: start worker process 140 +2025/05/02 08:54:23 [notice] 17#17: start worker process 141 +2025/05/02 08:54:23 [notice] 17#17: start worker process 142 +2025/05/02 08:54:23 [notice] 17#17: start worker process 143 +2025/05/02 08:54:23 [notice] 17#17: start worker process 144 +2025/05/02 08:54:23 [notice] 17#17: start worker process 145 +2025/05/02 08:54:23 [notice] 17#17: start worker process 146 +2025/05/02 08:54:23 [notice] 17#17: start worker process 147 +2025/05/02 08:54:23 [notice] 17#17: start worker process 148 +2025/05/02 08:54:24 [notice] 127#127: gracefully shutting down +2025/05/02 08:54:24 [notice] 129#129: gracefully shutting down +2025/05/02 08:54:24 [notice] 127#127: exiting +2025/05/02 08:54:24 [notice] 128#128: gracefully shutting down +2025/05/02 08:54:24 [notice] 129#129: exiting +2025/05/02 08:54:24 [notice] 128#128: exiting +2025/05/02 08:54:24 [notice] 129#129: exit +2025/05/02 08:54:24 [notice] 128#128: exit +2025/05/02 08:54:24 [notice] 127#127: exit +2025/05/02 08:54:24 [notice] 134#134: gracefully shutting down +2025/05/02 08:54:24 [notice] 134#134: exiting +2025/05/02 08:54:24 [notice] 131#131: gracefully shutting down +2025/05/02 08:54:24 [notice] 132#132: gracefully shutting down +2025/05/02 08:54:24 [notice] 130#130: gracefully shutting down +2025/05/02 08:54:24 [notice] 131#131: exiting +2025/05/02 08:54:24 [notice] 132#132: exiting +2025/05/02 08:54:24 [notice] 130#130: exiting +2025/05/02 08:54:24 [notice] 134#134: exit +2025/05/02 08:54:24 [notice] 131#131: exit +2025/05/02 08:54:24 [notice] 130#130: exit +2025/05/02 08:54:24 [notice] 136#136: gracefully shutting down +2025/05/02 08:54:24 [notice] 136#136: exiting +2025/05/02 08:54:24 [notice] 135#135: gracefully shutting down +2025/05/02 08:54:24 [notice] 133#133: gracefully shutting down +2025/05/02 08:54:24 [notice] 135#135: exiting +2025/05/02 08:54:24 [notice] 136#136: exit +2025/05/02 08:54:24 [notice] 133#133: exiting +2025/05/02 08:54:24 [notice] 135#135: exit +2025/05/02 08:54:24 [notice] 133#133: exit +2025/05/02 08:54:24 [notice] 132#132: exit +W20250502 08:54:24.077181 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: no endpointslices for target port 8080 in service tea-svc +2025/05/02 08:54:24 [notice] 17#17: signal 1 (SIGHUP) received from 150, reconfiguring +2025/05/02 08:54:24 [notice] 17#17: reconfiguring +2025/05/02 08:54:24 [notice] 17#17: js vm init njs: 0000AAAACEF07300 +2025/05/02 08:54:24 [notice] 17#17: using the "epoll" event method +2025/05/02 08:54:24 [notice] 17#17: start worker processes +2025/05/02 08:54:24 [notice] 17#17: start worker process 151 +2025/05/02 08:54:24 [notice] 17#17: start worker process 152 +2025/05/02 08:54:24 [notice] 17#17: start worker process 153 +2025/05/02 08:54:24 [notice] 17#17: start worker process 154 +2025/05/02 08:54:24 [notice] 17#17: start worker process 155 +2025/05/02 08:54:24 [notice] 17#17: start worker process 156 +2025/05/02 08:54:24 [notice] 17#17: start worker process 157 +2025/05/02 08:54:24 [notice] 17#17: start worker process 158 +2025/05/02 08:54:24 [notice] 17#17: start worker process 159 +2025/05/02 08:54:24 [notice] 17#17: start worker process 160 +2025/05/02 08:54:24 [notice] 139#139: gracefully shutting down +2025/05/02 08:54:24 [notice] 139#139: exiting +2025/05/02 08:54:24 [notice] 139#139: exit +2025/05/02 08:54:24 [notice] 142#142: gracefully shutting down +2025/05/02 08:54:24 [notice] 140#140: gracefully shutting down +2025/05/02 08:54:24 [notice] 142#142: exiting +2025/05/02 08:54:24 [notice] 141#141: gracefully shutting down +2025/05/02 08:54:24 [notice] 140#140: exiting +2025/05/02 08:54:24 [notice] 141#141: exiting +2025/05/02 08:54:24 [notice] 142#142: exit +2025/05/02 08:54:24 [notice] 141#141: exit +2025/05/02 08:54:24 [notice] 140#140: exit +2025/05/02 08:54:24 [notice] 145#145: gracefully shutting down +2025/05/02 08:54:24 [notice] 144#144: gracefully shutting down +2025/05/02 08:54:24 [notice] 143#143: gracefully shutting down +2025/05/02 08:54:24 [notice] 145#145: exiting +2025/05/02 08:54:24 [notice] 144#144: exiting +2025/05/02 08:54:24 [notice] 143#143: exiting +2025/05/02 08:54:24 [notice] 145#145: exit +2025/05/02 08:54:24 [notice] 144#144: exit +2025/05/02 08:54:24 [notice] 143#143: exit +2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 131 +2025/05/02 08:54:24 [notice] 17#17: worker process 127 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 128 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 129 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 130 exited with code 0 +2025/05/02 08:54:24 [notice] 148#148: gracefully shutting down +2025/05/02 08:54:24 [notice] 17#17: worker process 131 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 132 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 133 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 134 exited with code 0 +2025/05/02 08:54:24 [notice] 146#146: gracefully shutting down +2025/05/02 08:54:24 [notice] 17#17: worker process 135 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 136 exited with code 0 +2025/05/02 08:54:24 [notice] 148#148: exiting +2025/05/02 08:54:24 [notice] 146#146: exiting +2025/05/02 08:54:24 [notice] 147#147: gracefully shutting down +2025/05/02 08:54:24 [notice] 147#147: exiting +2025/05/02 08:54:24 [notice] 146#146: exit +2025/05/02 08:54:24 [notice] 148#148: exit +2025/05/02 08:54:24 [notice] 147#147: exit +2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 141 +2025/05/02 08:54:24 [notice] 17#17: worker process 141 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 144 +2025/05/02 08:54:24 [notice] 17#17: worker process 144 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 148 +2025/05/02 08:54:24 [notice] 17#17: worker process 139 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 142 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 143 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 146 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 147 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: worker process 148 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 139 +2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 145 +2025/05/02 08:54:24 [notice] 17#17: worker process 145 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 140 +2025/05/02 08:54:24 [notice] 17#17: worker process 140 exited with code 0 +2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:24 [notice] 17#17: signal 1 (SIGHUP) received from 162, reconfiguring +2025/05/02 08:54:24 [notice] 17#17: reconfiguring +2025/05/02 08:54:24 [notice] 17#17: js vm init njs: 0000AAAACEF27F80 +2025/05/02 08:54:24 [notice] 17#17: using the "epoll" event method +2025/05/02 08:54:24 [notice] 17#17: start worker processes +2025/05/02 08:54:24 [notice] 17#17: start worker process 163 +2025/05/02 08:54:24 [notice] 17#17: start worker process 164 +2025/05/02 08:54:24 [notice] 17#17: start worker process 165 +2025/05/02 08:54:24 [notice] 17#17: start worker process 166 +2025/05/02 08:54:24 [notice] 17#17: start worker process 167 +2025/05/02 08:54:24 [notice] 17#17: start worker process 168 +2025/05/02 08:54:24 [notice] 17#17: start worker process 169 +2025/05/02 08:54:24 [notice] 17#17: start worker process 170 +2025/05/02 08:54:24 [notice] 17#17: start worker process 171 +2025/05/02 08:54:24 [notice] 17#17: start worker process 172 +2025/05/02 08:54:25 [notice] 151#151: gracefully shutting down +2025/05/02 08:54:25 [notice] 153#153: gracefully shutting down +2025/05/02 08:54:25 [notice] 152#152: gracefully shutting down +2025/05/02 08:54:25 [notice] 160#160: gracefully shutting down +2025/05/02 08:54:25 [notice] 154#154: gracefully shutting down +2025/05/02 08:54:25 [notice] 153#153: exiting +2025/05/02 08:54:25 [notice] 159#159: gracefully shutting down +2025/05/02 08:54:25 [notice] 151#151: exiting +2025/05/02 08:54:25 [notice] 152#152: exiting +2025/05/02 08:54:25 [notice] 160#160: exiting +2025/05/02 08:54:25 [notice] 155#155: gracefully shutting down +2025/05/02 08:54:25 [notice] 156#156: gracefully shutting down +2025/05/02 08:54:25 [notice] 154#154: exiting +2025/05/02 08:54:25 [notice] 159#159: exiting +2025/05/02 08:54:25 [notice] 156#156: exiting +2025/05/02 08:54:25 [notice] 155#155: exiting +2025/05/02 08:54:25 [notice] 158#158: gracefully shutting down +2025/05/02 08:54:25 [notice] 157#157: gracefully shutting down +2025/05/02 08:54:25 [notice] 157#157: exiting +2025/05/02 08:54:25 [notice] 158#158: exiting +2025/05/02 08:54:25 [notice] 156#156: exit +2025/05/02 08:54:25 [notice] 153#153: exit +2025/05/02 08:54:25 [notice] 154#154: exit +2025/05/02 08:54:25 [notice] 155#155: exit +2025/05/02 08:54:25 [notice] 152#152: exit +2025/05/02 08:54:25 [notice] 151#151: exit +2025/05/02 08:54:25 [notice] 160#160: exit +2025/05/02 08:54:25 [notice] 159#159: exit +2025/05/02 08:54:25 [notice] 157#157: exit +2025/05/02 08:54:25 [notice] 158#158: exit +2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 154 +2025/05/02 08:54:25 [notice] 17#17: worker process 154 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 158 +2025/05/02 08:54:25 [notice] 17#17: worker process 157 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 158 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 160 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 160 +2025/05/02 08:54:25 [notice] 17#17: worker process 151 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 153 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 152 +2025/05/02 08:54:25 [notice] 17#17: worker process 152 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 155 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 156 +2025/05/02 08:54:25 [notice] 17#17: worker process 156 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 159 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:25 [notice] 17#17: signal 1 (SIGHUP) received from 174, reconfiguring +2025/05/02 08:54:25 [notice] 17#17: reconfiguring +2025/05/02 08:54:25 [notice] 17#17: js vm init njs: 0000AAAACEE0E900 +2025/05/02 08:54:25 [notice] 17#17: using the "epoll" event method +2025/05/02 08:54:25 [notice] 17#17: start worker processes +2025/05/02 08:54:25 [notice] 17#17: start worker process 175 +2025/05/02 08:54:25 [notice] 17#17: start worker process 176 +2025/05/02 08:54:25 [notice] 17#17: start worker process 177 +2025/05/02 08:54:25 [notice] 17#17: start worker process 178 +2025/05/02 08:54:25 [notice] 17#17: start worker process 179 +2025/05/02 08:54:25 [notice] 17#17: start worker process 180 +2025/05/02 08:54:25 [notice] 17#17: start worker process 181 +2025/05/02 08:54:25 [notice] 17#17: start worker process 182 +2025/05/02 08:54:25 [notice] 17#17: start worker process 183 +2025/05/02 08:54:25 [notice] 17#17: start worker process 184 +2025/05/02 08:54:25 [notice] 163#163: gracefully shutting down +2025/05/02 08:54:25 [notice] 164#164: gracefully shutting down +2025/05/02 08:54:25 [notice] 164#164: exiting +2025/05/02 08:54:25 [notice] 172#172: gracefully shutting down +2025/05/02 08:54:25 [notice] 163#163: exiting +2025/05/02 08:54:25 [notice] 172#172: exiting +2025/05/02 08:54:25 [notice] 166#166: gracefully shutting down +2025/05/02 08:54:25 [notice] 170#170: gracefully shutting down +2025/05/02 08:54:25 [notice] 165#165: gracefully shutting down +2025/05/02 08:54:25 [notice] 167#167: gracefully shutting down +2025/05/02 08:54:25 [notice] 167#167: exiting +2025/05/02 08:54:25 [notice] 166#166: exiting +2025/05/02 08:54:25 [notice] 170#170: exiting +2025/05/02 08:54:25 [notice] 165#165: exiting +2025/05/02 08:54:25 [notice] 168#168: gracefully shutting down +2025/05/02 08:54:25 [notice] 169#169: gracefully shutting down +2025/05/02 08:54:25 [notice] 168#168: exiting +2025/05/02 08:54:25 [notice] 164#164: exit +2025/05/02 08:54:25 [notice] 163#163: exit +2025/05/02 08:54:25 [notice] 170#170: exit +2025/05/02 08:54:25 [notice] 165#165: exit +2025/05/02 08:54:25 [notice] 167#167: exit +2025/05/02 08:54:25 [notice] 166#166: exit +2025/05/02 08:54:25 [notice] 172#172: exit +2025/05/02 08:54:25 [notice] 168#168: exit +2025/05/02 08:54:25 [notice] 169#169: exiting +2025/05/02 08:54:25 [notice] 171#171: gracefully shutting down +2025/05/02 08:54:25 [notice] 171#171: exiting +2025/05/02 08:54:25 [notice] 169#169: exit +2025/05/02 08:54:25 [notice] 171#171: exit +2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 163 +2025/05/02 08:54:25 [notice] 17#17: worker process 163 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 170 +2025/05/02 08:54:25 [notice] 17#17: worker process 164 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 165 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 166 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 167 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 170 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 169 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 171 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 168 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: worker process 172 exited with code 0 +2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received +2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 169 +10.244.0.1 - - [02/May/2025:08:56:11 +0000] "GET /coffee HTTP/1.1" 400 255 "-" "curl/8.7.1" "-" +10.244.0.1 - - [02/May/2025:08:58:41 +0000] "GET /coffee HTTP/1.1" 200 161 "-" "curl/8.7.1" "-" +10.244.0.1 - - [02/May/2025:10:36:23 +0000] "GET /coffee HTTP/1.1" 200 161 "-" "curl/8.7.1" "-" +E0502 10:43:45.064589 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:43:46.124787 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:43:46.124876 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:43:49.065132 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:43:49.065398 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:43:55.419280 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:43:55.419359 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:44:02.677045 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:44:02.677223 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:44:18.286690 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:44:18.286830 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:44:44.821958 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:44:44.822259 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:45:23.892200 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:45:23.892394 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +E0502 10:46:15.403613 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:46:16.697432 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:46:16.697578 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:46:16.729418 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:46:16.729532 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:46:18.946618 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:46:18.946720 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:46:22.727144 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:46:22.727256 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:46:34.919894 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:46:34.920005 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:46:47.933050 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:46:47.933230 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:47:07.155683 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:47:07.155845 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +E0502 10:47:09.567159 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:47:10.575523 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:47:10.575555 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:47:12.414696 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:47:12.414757 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:47:15.731966 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:47:15.732029 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +E0502 10:47:23.888434 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:47:24.952229 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:47:24.952323 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:47:26.025671 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:47:26.025714 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +E0502 10:47:27.210913 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:47:28.137366 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:47:28.137473 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:47:28.723085 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:47:28.723251 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:47:30.862520 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:47:30.862632 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:47:34.065191 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:47:34.065276 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:47:37.000051 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:47:37.000150 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:47:38.144915 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:47:38.145142 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:47:40.593173 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:47:40.593269 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:47:45.971296 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:47:45.971346 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:47:48.164560 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:47:48.164602 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:48:00.576892 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:48:00.576966 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:48:04.747277 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:48:04.747327 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:48:10.630104 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:48:10.630166 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:48:17.164043 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:48:17.164139 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +E0502 10:48:22.748616 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:48:23.991249 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:48:23.991299 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:48:26.628773 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:48:26.628969 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:48:30.134976 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:48:30.135060 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:48:33.326637 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:48:33.326773 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:48:37.454711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:48:37.454754 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:48:40.419179 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:48:40.419273 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:48:41.768785 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:48:41.768842 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +E0502 10:48:46.867998 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:48:48.254676 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:48:48.254827 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:48:49.957062 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:48:49.957158 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:48:52.412125 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:48:52.412238 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:48:53.188107 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:48:53.188180 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:48:55.794122 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:48:55.794219 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:48:56.089622 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:48:56.089661 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:49:01.312657 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:49:01.312764 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:49:16.512840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:49:16.512946 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:49:26.000096 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:49:26.000130 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:49:28.851737 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:49:28.851840 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:49:30.998265 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:49:30.998318 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:49:36.001377 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:49:36.001424 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:49:43.363715 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:49:43.363819 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +E0502 10:49:52.197516 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:49:53.173938 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:49:53.174032 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:49:53.923612 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:49:53.923707 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:49:54.988636 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:49:54.988673 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:49:55.092349 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:49:55.092401 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:50:00.579847 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:50:00.579944 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:50:06.836417 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:50:06.836534 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:50:08.100010 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:50:08.100109 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:50:18.107195 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:50:18.107281 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:50:21.231226 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:50:21.231282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:50:25.073311 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:50:25.073363 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:50:29.814298 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:50:29.814404 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:50:35.550501 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:50:35.550620 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:50:42.480688 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:50:42.480761 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:50:48.562543 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:50:48.562629 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +E0502 10:50:53.804129 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:50:55.154414 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:50:55.154463 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:50:57.165913 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:50:57.166007 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:50:58.119001 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:50:58.119106 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:51:00.449916 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:51:00.450041 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:51:01.246804 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:51:01.246850 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:51:02.707010 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:51:02.707159 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:51:09.045801 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:51:09.045954 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:51:10.946872 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:51:10.946980 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:51:26.666787 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:51:26.666906 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:51:26.956291 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:51:26.956353 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:51:29.523481 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:51:29.523536 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:51:30.477904 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:51:30.477991 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:51:32.055614 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:51:32.055695 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:51:33.548308 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:51:33.548342 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:51:49.556609 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:51:49.556659 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:51:56.925764 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:51:56.925863 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:52:08.227763 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:52:08.227848 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:52:13.301158 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:52:13.301229 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:52:14.915056 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:52:14.915136 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:52:24.854879 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:52:24.854977 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:52:25.603227 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:52:25.603316 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:52:29.282246 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:52:29.282338 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:52:31.469377 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:52:31.469417 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:52:38.431450 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:52:38.431552 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:52:41.854951 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:52:41.854993 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:52:46.807614 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:52:46.807700 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:52:51.709176 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:52:51.709205 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:53:00.280790 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:53:00.280920 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:53:05.818105 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:53:05.818199 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:53:10.517744 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:53:10.518005 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:53:16.036538 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:53:16.036621 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:53:16.058202 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:53:16.058236 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:53:20.180692 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:53:20.180781 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:53:27.261665 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:53:27.261768 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:53:28.657273 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:53:28.657387 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:53:48.271454 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:53:48.271558 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:53:52.976303 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:53:52.976419 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:53:58.901956 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:53:58.902055 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:53:59.110533 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:53:59.110729 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:53:59.692224 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:53:59.692346 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:54:01.161860 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:54:01.161924 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:54:01.992858 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:54:01.992926 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:54:04.980830 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:54:04.980871 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:54:13.808892 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:54:13.808990 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:54:22.480105 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:54:22.480144 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:54:38.789063 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:54:38.789225 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:54:43.780494 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:54:43.780636 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:54:45.283721 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:54:45.283794 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:54:49.913812 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:54:49.913991 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:54:52.091310 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:54:52.091419 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:54:52.579356 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:54:52.579435 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:54:52.645216 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:54:52.645324 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:55:00.522611 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:55:00.522701 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:55:09.901201 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:55:09.901282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:55:15.796262 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:55:15.796301 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:55:16.763862 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:55:16.763978 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:55:26.709760 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:55:26.709852 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:55:33.035629 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:55:33.035703 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:55:36.992670 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:55:36.992733 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:55:44.597515 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:55:44.597665 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:55:46.815729 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:55:46.815815 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:55:50.441393 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:55:50.441456 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:55:52.556756 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:55:52.556885 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:55:53.066048 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:55:53.066207 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:55:57.057443 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:55:57.057533 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:56:16.367623 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:56:16.367707 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:56:18.104315 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:56:18.104415 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:56:29.327082 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:56:29.327146 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:56:35.959046 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:56:35.959116 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:56:36.192187 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:56:36.192320 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:56:42.237335 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:56:42.237456 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:56:48.314114 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:56:48.314159 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:56:48.639416 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:56:48.639503 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:56:53.091830 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:56:53.092063 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:57:04.704801 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:57:04.704855 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:57:10.441071 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:57:10.441257 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:57:12.365810 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:57:12.365925 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:57:13.060638 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:57:13.060709 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:57:29.312178 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:57:29.312278 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:57:29.981237 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:57:29.981366 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:57:30.436887 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:57:30.437002 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:57:34.039426 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:57:34.039523 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:57:38.319690 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:57:38.319802 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:57:43.545726 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:57:43.545836 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:57:47.233015 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:57:47.233077 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:57:53.035510 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:57:53.035595 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:58:00.147571 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:58:00.147670 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:58:12.091782 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:58:12.091825 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:58:15.490635 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:58:15.490712 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:58:16.755984 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:58:16.756085 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:58:23.092408 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:58:23.092487 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:58:23.316390 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:58:23.316428 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:58:26.432637 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:58:26.432673 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:58:28.611149 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:58:28.611344 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:58:33.523199 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:58:33.523259 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:58:55.444014 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:58:55.444125 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:58:56.877256 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:58:56.877382 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:59:06.386190 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 10:59:06.386285 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:59:08.318666 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:59:08.318796 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:59:10.120072 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:59:10.120223 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:59:10.977667 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:59:10.977730 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:59:14.180932 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 10:59:14.180985 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:59:15.342459 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 10:59:15.342568 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:59:23.298346 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 10:59:23.298465 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:59:31.117451 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 10:59:31.117571 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 10:59:42.774208 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 10:59:42.774273 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 10:59:43.247980 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 10:59:43.248134 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 10:59:52.242577 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 10:59:52.242632 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:00:01.024755 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:00:01.024857 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:00:02.267334 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:00:02.267385 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:00:02.739168 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:00:02.739262 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:00:07.364595 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:00:07.364706 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:00:12.223716 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:00:12.223755 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:00:13.650055 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:00:13.650153 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:00:14.589368 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:00:14.589473 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:00:20.589862 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:00:20.589962 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:00:42.844051 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:00:42.844164 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:00:43.627121 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:00:43.627663 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:00:43.820563 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:00:43.820618 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:00:49.894018 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:00:49.894095 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:00:56.206247 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:00:56.206310 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:00:56.723847 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:00:56.723982 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:01:01.028295 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:01:01.028448 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:01:12.619949 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:01:12.619989 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:01:13.085904 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:01:13.086011 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:01:16.464542 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:01:16.464585 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:01:25.788399 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:01:25.788642 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:01:27.439420 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:01:27.439461 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:01:31.483378 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:01:31.483410 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:01:34.620137 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:01:34.620232 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:01:35.881583 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:01:35.881669 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:01:38.535188 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:01:38.535238 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:01:46.703173 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:01:46.703300 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:01:49.422503 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:01:49.422774 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:02:01.813445 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:02:01.813576 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:02:02.339549 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:02:02.339612 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:02:03.858858 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:02:03.858902 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:02:10.213522 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:02:10.213605 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:02:12.156258 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:02:12.156305 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:02:15.495001 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:02:15.495043 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:02:19.514554 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:02:19.514614 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:02:22.844375 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:02:22.844492 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:02:27.600705 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:02:27.600845 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:02:33.760002 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:02:33.760116 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:02:53.284072 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:02:53.284191 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:02:56.816442 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:02:56.816551 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:02:58.177325 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:02:58.177447 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:02:59.408905 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:02:59.408993 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:03:00.161569 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:03:00.161613 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:03:01.311080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:03:01.311157 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:03:03.748154 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:03:03.748313 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:03:07.555373 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:03:07.555489 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:03:09.148984 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:03:09.149082 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:03:30.549495 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:03:30.549787 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:03:35.998482 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:03:35.998534 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:03:41.406059 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:03:41.406129 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:03:41.563711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:03:41.563765 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:03:46.170906 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:03:46.171073 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:03:48.321355 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:03:48.321557 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:03:53.853674 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:03:53.853766 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:03:55.467164 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:03:55.467284 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:03:58.039000 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:03:58.039044 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:04:07.824808 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:04:07.824939 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:04:18.253571 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:04:18.253806 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:04:23.733455 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:04:23.733557 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:04:27.304894 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:04:27.305122 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:04:29.225140 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:04:29.225210 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:04:30.640736 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:04:30.640819 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:04:33.923491 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:04:33.923597 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:04:37.300488 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:04:37.300536 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:04:38.319376 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:04:38.319418 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:04:50.612991 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:04:50.613093 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:04:59.459218 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:04:59.459255 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:05:05.820216 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:05:05.820291 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:05:08.620297 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:05:08.620386 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:05:13.726571 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:05:13.726664 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:05:16.500087 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:05:16.500129 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:05:19.761009 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:05:19.761123 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:05:22.191119 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:05:22.191155 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:05:25.313863 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:05:25.314006 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:05:30.285810 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:05:30.285925 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:05:51.592172 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:05:51.592232 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:05:59.027833 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:05:59.027943 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:05:59.301055 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:05:59.301214 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:05:59.366574 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:05:59.366691 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:06:00.999237 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:06:00.999366 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:06:05.572668 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:06:05.572748 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:06:08.275927 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:06:08.276082 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:06:11.770584 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:06:11.770723 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:06:15.348705 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:06:15.348984 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:06:39.320220 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:06:39.320343 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:06:39.873954 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:06:39.874066 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:06:46.058080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:06:46.058205 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:06:49.683849 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:06:49.683906 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:06:49.749739 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:06:49.749828 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:06:52.330231 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:06:52.330288 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:06:57.375583 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:06:57.375684 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:06:57.415550 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:06:57.415680 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:07:02.695933 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:07:02.696122 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:07:17.806327 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:07:17.806417 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:07:25.461321 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:07:25.461389 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:07:27.105176 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:07:27.105282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:07:33.562731 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:07:33.562790 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:07:34.995624 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:07:34.995754 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:07:39.137895 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:07:39.137984 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:07:41.415685 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:07:41.415778 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:07:51.827975 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:07:51.828043 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:07:55.753635 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:07:55.753673 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:07:56.186294 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:07:56.186383 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:08:06.727805 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:08:06.727869 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:08:09.632844 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:08:09.632965 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:08:11.455221 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:08:11.455345 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:08:13.033393 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:08:13.033489 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:08:14.801709 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:08:14.801778 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:08:16.395564 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:08:16.395660 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:08:31.198204 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:08:31.198436 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:08:37.355914 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:08:37.355996 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:08:45.558000 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:08:45.558104 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:08:59.374276 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:08:59.374446 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:09:02.803232 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:09:02.803403 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:09:05.220801 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:09:05.220915 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:09:06.559575 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:09:06.559645 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:09:06.941743 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:09:06.941782 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:09:07.759824 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:09:07.759930 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:09:08.613067 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:09:08.613201 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:09:25.052257 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:09:25.052352 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:09:25.139256 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:09:25.139333 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:09:36.996590 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:09:36.996633 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:09:37.216855 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:09:37.216909 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:09:39.587710 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:09:39.587896 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:09:47.185235 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:09:47.185457 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:09:48.186466 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:09:48.186555 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:09:59.242026 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:09:59.242124 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:10:02.591974 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:10:02.592072 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:10:03.250204 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:10:03.250410 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:10:08.222515 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:10:08.222555 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:10:17.142080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:10:17.142282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:10:19.051920 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:10:19.052022 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:10:34.396024 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:10:34.396177 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:10:34.910098 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:10:34.910143 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:10:36.952478 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:10:36.952523 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:10:45.928335 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:10:45.928516 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:10:46.046337 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:10:46.046459 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:10:46.466069 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:10:46.466208 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:10:48.604339 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:10:48.604470 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:11:05.564521 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:11:05.564603 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:11:11.783516 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:11:11.783705 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:11:20.527718 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:11:20.527796 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:11:22.297732 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:11:22.297782 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:11:26.191336 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:11:26.191491 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:11:30.760903 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:11:30.761083 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:11:31.534631 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:11:31.534683 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:11:31.641501 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:11:31.641558 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:11:32.810315 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:11:32.810369 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:11:46.623238 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:11:46.623485 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:11:53.649031 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:11:53.649082 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:11:54.574430 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:11:54.574547 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:12:01.106792 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:12:01.106889 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:12:04.169001 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:12:04.169061 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:12:04.861394 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:12:04.861442 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:12:15.812521 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:12:15.812559 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:12:18.343157 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:12:18.343215 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:12:27.592135 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:12:27.592282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:12:27.741619 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:12:27.741803 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:12:38.608957 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:12:38.609030 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:12:41.230864 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:12:41.230920 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:12:47.442444 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:12:47.442482 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:12:53.831963 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:12:53.832043 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:12:54.075812 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:12:54.075873 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:12:55.503594 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:12:55.503642 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:13:06.613981 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:13:06.614129 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:13:14.318023 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:13:14.318338 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:13:17.613767 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:13:17.613932 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:13:20.280392 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:13:20.280469 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:13:25.302955 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:13:25.303021 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:13:28.848170 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:13:28.848307 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:13:36.001754 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:13:36.001803 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:13:38.107309 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:13:38.107341 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:13:38.682148 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:13:38.682209 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:13:51.136730 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:13:51.137103 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:13:54.581762 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:13:54.581893 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:14:06.286056 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:14:06.286220 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:14:09.244533 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:14:09.244630 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:14:09.975842 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:14:09.975965 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:14:17.010688 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:14:17.010820 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:14:22.701961 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:14:22.702012 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:14:23.893009 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:14:23.893168 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:14:27.909989 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:14:27.910042 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:14:31.718127 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:14:31.718277 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:14:43.241553 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:14:43.241712 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:14:45.117833 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:14:45.118063 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:14:57.743796 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:14:57.743891 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:14:59.869135 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:14:59.869170 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:15:00.134513 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:15:00.134595 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:15:02.675343 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:15:02.675384 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:15:16.564826 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:15:16.564893 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:15:21.255146 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:15:21.255334 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:15:22.290327 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:15:22.290481 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:15:24.305102 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:15:24.305238 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:15:25.726583 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:15:25.726764 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:15:36.755757 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:15:36.755827 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:15:41.803330 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:15:41.803421 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:15:42.953253 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:15:42.953388 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:15:51.066466 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:15:51.066613 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:15:57.318497 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:15:57.318558 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:15:59.023158 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:15:59.023290 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:16:07.471676 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:16:07.471724 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:16:10.415308 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:16:10.415466 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:16:13.293698 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:16:13.293792 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:16:18.200614 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:16:18.200742 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:16:31.362273 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:16:31.362385 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:16:32.821981 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:16:32.822023 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:16:34.524963 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:16:34.525085 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:16:35.451053 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:16:35.451094 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:16:47.160021 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:16:47.160287 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:16:48.653489 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:16:48.653655 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:16:55.824140 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:16:55.824266 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:17:04.652527 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:17:04.652816 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:17:05.463341 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:17:05.463407 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:17:08.675845 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:17:08.675986 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:17:11.706495 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:17:11.706708 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:17:17.902139 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:17:17.902210 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:17:23.462765 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:17:23.462820 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:17:25.736265 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:17:25.736379 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:17:26.625748 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:17:26.625807 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:17:26.647760 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:17:26.647827 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:17:44.684553 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:17:44.684660 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:17:49.378237 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:17:49.378396 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:17:57.385715 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:17:57.385777 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:17:57.849009 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:17:57.849117 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:18:07.155668 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:18:07.155782 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:18:12.778080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:18:12.778118 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:18:14.597196 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:18:14.597320 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:18:15.220126 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:18:15.220195 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:18:16.414731 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:18:16.414825 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:18:31.165930 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:18:31.166049 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:18:31.245263 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:18:31.245379 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:18:31.990625 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:18:31.990744 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:18:36.652906 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:18:36.652965 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:18:47.376075 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:18:47.376220 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:18:53.154034 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:18:53.154160 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:19:00.070656 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:19:00.070750 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:19:01.509545 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:19:01.509593 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:19:06.336606 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:19:06.336736 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:19:06.850944 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:19:06.851025 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:19:15.572886 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:19:15.572967 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:19:20.157037 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:19:20.157229 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:19:21.052080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:19:21.052201 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:19:24.811505 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:19:24.811648 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:19:33.925392 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:19:33.925491 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:19:39.480556 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:19:39.480598 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:19:42.589617 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:19:42.589666 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:19:51.232996 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:19:51.233131 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:19:59.420776 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:19:59.420819 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:20:05.176584 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:20:05.176743 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:20:09.842957 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:20:09.843075 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:20:13.730177 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:20:13.730299 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:20:17.430820 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:20:17.430919 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:20:20.819984 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:20:20.820031 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:20:22.029854 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:20:22.029970 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:20:22.716650 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:20:22.716685 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:20:40.767031 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:20:40.767286 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:20:46.294529 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:20:46.294691 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:20:49.074449 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:20:49.074558 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:20:50.355690 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:20:50.355886 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:20:52.407081 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:20:52.407241 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:20:57.461635 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:20:57.461680 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:21:00.972373 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:21:00.972481 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:21:01.960202 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:21:01.960408 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:21:21.173655 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:21:21.173817 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:21:23.004316 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:21:23.004374 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:21:32.470654 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:21:32.470821 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:21:34.344491 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:21:34.344633 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:21:36.950509 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:21:36.950649 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:21:41.006110 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:21:41.006310 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:21:44.037160 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:21:44.037377 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:21:44.795252 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:21:44.795309 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:21:46.104300 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:21:46.104428 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:21:53.204458 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:21:53.204560 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:22:09.853622 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:22:09.853792 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:22:12.369167 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:22:12.369320 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:22:13.595072 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:22:13.595200 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:22:18.910326 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:22:18.910393 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:22:20.707871 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:22:20.708089 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:22:25.250079 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:22:25.250297 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:22:28.200839 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:22:28.200913 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:22:29.010027 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:22:29.010123 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:22:29.979617 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:22:29.979690 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:22:46.521747 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:22:46.521965 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:22:51.547493 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:22:51.547605 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:23:06.638998 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:23:06.639229 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:23:07.585676 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:23:07.585773 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:23:07.719292 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:23:07.719448 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:23:09.867752 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:23:09.867879 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:23:11.588609 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:23:11.588674 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:23:23.711500 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:23:23.711693 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:23:25.145804 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:23:25.145972 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:23:33.406037 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:23:33.406207 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:23:43.821775 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:23:43.821911 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:23:44.675951 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:23:44.676021 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:23:46.384109 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:23:46.384280 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:23:59.734978 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:23:59.735283 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:24:00.856700 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:24:00.856853 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:24:06.608975 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:24:06.609209 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:24:08.311351 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:24:08.311463 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:24:10.440161 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:24:10.440217 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:24:16.766643 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:24:16.766739 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:24:18.844067 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:24:18.844298 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:24:23.040272 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:24:23.040323 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:24:24.251853 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:24:24.251951 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:24:44.822454 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:24:44.822717 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:24:48.460559 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:24:48.460739 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:24:48.853889 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:24:48.854106 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:24:56.939191 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:24:56.939510 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:24:59.628323 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:24:59.628421 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:25:01.411408 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:25:01.411514 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:25:03.454208 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:25:03.454455 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:25:15.111030 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:25:15.111314 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:25:22.458828 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:25:22.458980 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:25:33.934994 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:25:33.935161 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:25:35.352373 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:25:35.352574 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:25:35.353560 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:25:35.353669 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:25:42.565396 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:25:42.565690 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:25:42.617179 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:25:42.617254 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:25:42.989899 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:25:42.990042 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:25:49.913324 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:25:49.914302 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:25:53.105156 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:25:53.105261 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:25:58.611759 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:25:58.611928 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:26:18.718249 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:26:18.718369 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:26:19.094367 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:26:19.094427 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:26:22.499147 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:26:22.499242 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:26:26.628227 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:26:26.628396 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:26:29.434548 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:26:29.434637 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:26:40.412536 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:26:40.412721 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:26:40.729570 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:26:40.729738 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:26:45.055623 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:26:45.055871 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:26:51.982634 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:26:51.982689 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:26:58.109460 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:26:58.109515 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:27:07.799958 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:27:07.800069 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:27:08.957191 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:27:08.957335 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:27:10.535490 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:27:10.535605 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:27:14.415210 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:27:14.415318 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:27:17.410682 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:27:17.410769 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:27:19.655905 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:27:19.656084 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:27:36.311743 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:27:36.311815 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:27:40.726479 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:27:40.726608 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:27:43.800855 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:27:43.800974 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:27:46.666681 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:27:46.666731 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:27:49.406641 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:27:49.406760 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:27:51.298850 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:27:51.298967 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:27:57.117187 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:27:57.117225 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:27:59.543491 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:27:59.543548 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:28:09.933536 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:28:09.933696 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:28:19.655838 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:28:19.655888 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:28:20.981156 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:28:20.981252 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:28:22.020167 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:28:22.020257 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:28:34.220440 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:28:34.220501 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:28:40.638474 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:28:40.638584 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:28:41.601610 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:28:41.601702 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:28:42.615840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:28:42.615943 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:28:46.360773 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:28:46.360946 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:28:54.438454 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:28:54.438613 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:28:55.897988 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:28:55.898092 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:28:56.558082 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:28:56.558177 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:29:11.435828 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:29:11.435891 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:29:19.667236 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:29:19.667369 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:29:20.017418 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:29:20.017565 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:29:20.814244 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:29:20.814408 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:29:34.666704 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:29:34.666786 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:29:41.281418 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:29:41.281513 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:29:42.195119 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:29:42.195200 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:29:43.714682 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:29:43.714924 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:29:43.821120 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:29:43.821172 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:29:53.606531 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:29:53.606730 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:29:55.443929 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:29:55.443976 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:30:12.663332 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:30:12.663584 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:30:16.804852 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:30:16.804987 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:30:19.078856 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:30:19.078957 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:30:20.165811 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:30:20.165877 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:30:23.489562 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:30:23.489630 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:30:28.216445 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:30:28.216586 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:30:33.057110 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:30:33.057214 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:30:34.574741 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:30:34.574874 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:30:42.681477 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:30:42.681600 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:30:48.972125 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:30:48.972212 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:30:59.151077 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:30:59.151174 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:30:59.207160 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:30:59.207208 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:31:06.844731 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:31:06.844910 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:31:10.970266 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:31:10.970412 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:31:14.312994 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:31:14.313154 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:31:16.944179 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:31:16.944222 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:31:17.397530 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:31:17.397599 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:31:19.569323 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:31:19.569394 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:31:31.329701 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:31:31.329801 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:31:34.370711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:31:34.370905 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:31:47.079147 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:31:47.079296 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:31:50.154498 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:31:50.154612 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:31:52.171401 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:31:52.171515 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:31:56.116343 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:31:56.116401 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:32:02.845169 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:32:02.845248 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:32:06.014998 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:32:06.015133 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:32:12.042466 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:32:12.042540 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:32:18.979724 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:32:18.979791 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:32:26.381649 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:32:26.381718 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:32:31.464461 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:32:31.464523 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:32:32.347274 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:32:32.347357 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:32:40.443090 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:32:40.443231 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:32:43.288732 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:32:43.288768 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:32:44.770090 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:32:44.770217 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:32:51.843434 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:32:51.843475 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:32:59.425401 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:32:59.425531 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:32:59.908562 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:32:59.908683 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:33:05.810707 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:33:05.810811 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:33:09.880856 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:33:09.880968 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:33:21.651285 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:33:21.651396 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:33:25.275711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:33:25.275853 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:33:32.478130 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:33:32.478226 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:33:37.473489 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:33:37.473529 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:33:45.334828 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:33:45.334924 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:33:49.751843 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:33:49.751943 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:33:51.180701 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:33:51.180758 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:33:57.790879 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:33:57.791156 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:34:01.906220 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:34:01.906346 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:34:10.463253 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:34:10.463459 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:34:20.088416 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:34:20.088514 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:34:23.982372 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:34:23.982528 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:34:30.423742 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:34:30.423891 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:34:33.219572 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:34:33.219751 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:34:38.315838 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:34:38.315938 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:34:39.727372 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:34:39.727472 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:34:41.532949 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:34:41.533000 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:34:50.742218 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:34:50.742393 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:34:54.098361 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:34:54.098463 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:35:02.482027 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:35:02.482138 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:35:03.135401 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:35:03.135476 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:35:14.965122 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:35:14.965260 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:35:16.621733 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:35:16.621776 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:35:17.473784 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:35:17.473823 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:35:21.600301 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:35:21.600354 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:35:22.044384 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:35:22.044498 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:35:29.263425 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:35:29.263583 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:35:38.772233 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:35:38.772412 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:35:42.574892 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:35:42.575005 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:35:48.633121 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:35:48.633252 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:35:49.865758 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:35:49.865916 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:36:05.010840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:36:05.010973 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:36:06.775890 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:36:06.776012 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:36:15.189263 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:36:15.189324 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:36:16.921515 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:36:16.921684 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:36:20.311383 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:36:20.311515 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:36:20.796721 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:36:20.796791 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:36:23.319439 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:36:23.319537 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:36:25.601022 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:36:25.601067 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:36:25.765008 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:36:25.765176 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:36:50.676870 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:36:50.676977 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:36:51.427840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:36:51.427890 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:36:53.846982 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:36:53.847033 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:36:58.555452 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:36:58.555643 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:36:58.599946 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:36:58.599994 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:36:58.604460 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:36:58.604492 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:36:59.821163 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:36:59.821258 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:37:05.303430 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:37:05.303532 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:37:06.499164 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:37:06.499323 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:37:30.215738 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:37:30.215878 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:37:40.299556 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:37:40.299861 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:37:41.566601 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:37:41.566855 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:37:44.542555 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:37:44.542670 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:37:47.842864 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:37:47.842941 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:37:48.850516 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:37:48.850569 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:37:49.712680 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:37:49.712850 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:37:50.299840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:37:50.299886 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:37:57.050573 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:37:57.050699 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:38:14.134702 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:38:14.135028 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:38:18.606500 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:38:18.606534 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:38:25.082529 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:38:25.082691 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:38:25.475486 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:38:25.475544 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:38:25.858627 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:38:25.858746 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:38:25.868865 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:38:25.868915 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:38:31.002586 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:38:31.002696 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:38:31.044027 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:38:31.044086 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:38:33.257033 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:38:33.257132 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:38:53.072255 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:38:53.072307 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:38:54.113122 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:38:54.113163 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:39:00.558707 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:39:00.558929 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:39:02.301196 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:39:02.301353 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:39:02.524272 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:39:02.524798 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:39:02.789080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:39:02.789169 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:39:02.967341 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:39:02.967397 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:39:12.821367 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:39:12.821412 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:39:17.581328 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:39:17.581399 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:39:31.492256 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:39:31.492366 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:39:36.306129 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:39:36.306304 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:39:44.344691 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:39:44.344882 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:39:48.732421 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:39:48.732588 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:39:53.341136 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:39:53.341304 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:39:54.642227 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:39:54.642317 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:40:00.126248 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:40:00.126294 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:40:00.819369 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:40:00.819493 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:40:02.120085 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:40:02.120173 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:40:30.370229 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:40:30.370356 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:40:35.801097 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:40:35.801379 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:40:37.139276 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:40:37.139424 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:40:39.055355 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:40:39.055427 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:40:43.656964 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:40:43.657022 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:40:45.404654 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:40:45.404822 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:40:48.632377 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:40:48.632449 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:40:51.488619 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:40:51.488697 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:41:01.318100 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:41:01.318194 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:41:05.879653 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:41:05.879821 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:41:16.535794 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:41:16.535928 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:41:20.817324 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:41:20.817463 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:41:23.174394 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:41:23.174679 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:41:27.150756 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:41:27.150884 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:41:29.024714 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:41:29.024787 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:41:30.201947 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:41:30.202006 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:41:39.314521 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:41:39.314608 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:41:47.868133 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:41:47.868562 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:41:48.845661 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:41:48.845741 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:42:04.631479 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:42:04.631823 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:42:09.532668 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:42:09.532921 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:42:11.650911 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:42:11.651032 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:42:14.198155 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:42:14.198255 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:42:18.686068 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:42:18.686253 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:42:19.161904 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:42:19.162014 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:42:22.483087 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:42:22.483169 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:42:32.751119 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:42:32.751294 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:42:42.631401 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:42:42.631670 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:42:46.490925 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:42:46.491128 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:42:51.113040 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:42:51.113204 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:42:51.286883 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:42:51.287009 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:42:56.515081 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:42:56.515159 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:42:58.709477 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:42:58.709542 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:43:01.259248 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:43:01.259444 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:43:03.943600 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:43:03.943645 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:43:05.031915 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:43:05.032088 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:43:17.194042 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:43:17.194124 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:43:29.581923 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:43:29.581961 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:43:30.305232 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:43:30.305304 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:43:33.783653 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:43:33.783721 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:43:38.233320 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:43:38.233410 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:43:45.227629 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:43:45.227805 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:43:47.105361 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:43:47.105465 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:43:57.716210 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:43:57.716347 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:44:03.396664 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:44:03.397056 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:44:06.245618 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:44:06.245754 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:44:13.384137 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:44:13.384366 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:44:22.852526 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:44:22.852650 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:44:27.528867 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:44:27.528940 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:44:28.156164 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:44:28.156261 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:44:35.797057 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:44:35.797180 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:44:41.632989 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:44:41.633126 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:44:44.811962 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:44:44.812015 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:44:47.377746 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:44:47.377859 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:44:48.371953 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:44:48.372076 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:44:51.725755 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:44:51.725859 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:44:55.717522 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:44:55.717669 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:45:02.274737 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:45:02.274870 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:45:06.826555 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:45:06.826647 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:45:09.288422 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:45:09.288516 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:45:17.424697 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:45:17.425042 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:45:42.738316 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:45:42.738553 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:45:43.925634 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:45:43.925728 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:45:44.135789 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:45:44.135892 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:45:46.846191 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:45:46.846231 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:45:47.467369 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:45:47.467485 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:45:48.970005 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:45:48.970095 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:45:56.644849 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:45:56.645080 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:45:59.139592 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:45:59.139681 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:46:03.043717 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope +E0502 11:46:03.043866 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:46:26.490960 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:46:26.491038 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:46:30.767624 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope +E0502 11:46:30.767734 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:46:31.076482 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope +E0502 11:46:31.076660 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:46:36.824477 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope +E0502 11:46:36.824591 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" +W0502 11:46:41.567069 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope +E0502 11:46:41.567207 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" +W0502 11:46:43.075711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope +E0502 11:46:43.075806 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:46:50.602327 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope +E0502 11:46:50.602716 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" +W0502 11:46:50.976617 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope +E0502 11:46:50.976687 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" diff --git a/internal/certmanager/cm_controller_test.go b/internal/certmanager/cm_controller_test.go index 2d0cde941d..bdf4beb90d 100644 --- a/internal/certmanager/cm_controller_test.go +++ b/internal/certmanager/cm_controller_test.go @@ -140,8 +140,8 @@ func Test_controller_Register(t *testing.T) { ig := make(map[string]*namespacedInformer) nsi := &namespacedInformer{ - cmSharedInformerFactory: b.Context.SharedInformerFactory, - kubeSharedInformerFactory: b.Context.KubeSharedInformerFactory, + cmSharedInformerFactory: b.SharedInformerFactory, + kubeSharedInformerFactory: b.KubeSharedInformerFactory, vsSharedInformerFactory: b.VsSharedInformerFactory, } diff --git a/internal/certmanager/helper.go b/internal/certmanager/helper.go index 7f076cd254..39a30c29b8 100644 --- a/internal/certmanager/helper.go +++ b/internal/certmanager/helper.go @@ -118,10 +118,10 @@ func translateVsSpec(crt *cmapi.Certificate, vsCmSpec *vsapi.CertManager) error } if vsCmSpec.IssueTempCert { - if crt.ObjectMeta.Annotations == nil { - crt.ObjectMeta.Annotations = make(map[string]string) + if crt.Annotations == nil { + crt.Annotations = make(map[string]string) } - crt.ObjectMeta.Annotations[certMgrTempCertAnnotation] = "true" + crt.Annotations[certMgrTempCertAnnotation] = "true" } if len(errs) > 0 { diff --git a/internal/certmanager/helper_test.go b/internal/certmanager/helper_test.go index 4824e28852..3880a3afeb 100644 --- a/internal/certmanager/helper_test.go +++ b/internal/certmanager/helper_test.go @@ -87,7 +87,7 @@ func Test_translateVsSpec(t *testing.T) { a.Equal(&metav1.Duration{Duration: time.Hour * 24 * 7}, crt.Spec.Duration) a.Equal(&metav1.Duration{Duration: time.Hour * 24}, crt.Spec.RenewBefore) a.Equal([]cmapi.KeyUsage{cmapi.UsageServerAuth, cmapi.UsageSigning}, crt.Spec.Usages) - a.Equal("true", crt.ObjectMeta.Annotations[certMgrTempCertAnnotation]) + a.Equal("true", crt.Annotations[certMgrTempCertAnnotation]) }, }, "nil cm spec": { diff --git a/internal/certmanager/sync.go b/internal/certmanager/sync.go index 5b362a7b83..a8a0d0a566 100644 --- a/internal/certmanager/sync.go +++ b/internal/certmanager/sync.go @@ -33,7 +33,6 @@ import ( apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" - "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/client-go/tools/record" nl "github.com/nginx/kubernetes-ingress/internal/logger" @@ -138,7 +137,7 @@ func buildCertificates( return nil, nil, err } - var controllerGVK schema.GroupVersionKind = vsGVK + controllerGVK := vsGVK hosts := []string{vs.Spec.Host} crt := &cmapi.Certificate{ diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go index d7ebe63c4b..e7c85acee2 100644 --- a/internal/configs/configurator.go +++ b/internal/configs/configurator.go @@ -1275,7 +1275,7 @@ func (cnf *Configurator) updatePlusEndpoints(ingEx *IngressEx) error { } for _, rule := range ingEx.Ingress.Spec.Rules { - if rule.IngressRuleValue.HTTP == nil { + if rule.HTTP == nil { continue } @@ -1540,7 +1540,7 @@ func (cnf *Configurator) BatchDeleteIngresses(deletedKeys []string) []error { } func keyToFileName(key string) string { - return strings.Replace(key, "/", "-", -1) + return strings.ReplaceAll(key, "/", "-") } func objectMetaToFileName(meta *meta_v1.ObjectMeta) string { @@ -1560,12 +1560,12 @@ func getFileNameForTransportServer(transportServer *conf_v1.TransportServer) str } func getFileNameForVirtualServerFromKey(key string) string { - replaced := strings.Replace(key, "/", "_", -1) + replaced := strings.ReplaceAll(key, "/", "_") return fmt.Sprintf("vs_%s", replaced) } func getFileNameForTransportServerFromKey(key string) string { - replaced := strings.Replace(key, "/", "_", -1) + replaced := strings.ReplaceAll(key, "/", "_") return fmt.Sprintf("ts_%s", replaced) } diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index 9cc56a1942..93fc8bf4b6 100644 --- a/internal/configs/virtualserver.go +++ b/internal/configs/virtualserver.go @@ -403,11 +403,7 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig( vsc.clearWarnings() var maps []version2.Map - useCustomListeners := false - - if vsEx.VirtualServer.Spec.Listener != nil { - useCustomListeners = true - } + useCustomListeners := vsEx.VirtualServer.Spec.Listener != nil sslConfig := vsc.generateSSLConfig(vsEx.VirtualServer, vsEx.VirtualServer.Spec.TLS, vsEx.VirtualServer.Namespace, vsEx.SecretRefs, vsc.cfgParams) tlsRedirectConfig := generateTLSRedirectConfig(vsEx.VirtualServer.Spec.TLS) @@ -1505,7 +1501,7 @@ func (p *policiesCfg) addAPIKeyConfig( } func rfc1123ToSnake(rfc1123String string) string { - return strings.Replace(rfc1123String, "-", "_", -1) + return strings.ReplaceAll(rfc1123String, "-", "_") } func generateAPIKeyClients(secretData map[string][]byte) []apiKeyClient { @@ -2196,9 +2192,10 @@ func GenerateExternalNameSvcKey(namespace string, service string) string { } func generateLBMethod(method string, defaultMethod string) string { - if method == "" { + switch method { + case "": return defaultMethod - } else if method == "round_robin" { + case "round_robin": return "" } return method @@ -2230,10 +2227,7 @@ func generateRewrites(path string, proxy *conf_v1.ActionProxy, internal bool, or path = originalPath } - isRegex := false - if strings.HasPrefix(path, "~") { - isRegex = true - } + isRegex := strings.HasPrefix(path, "~") trimmedPath := strings.TrimPrefix(strings.TrimPrefix(path, "~"), "*") trimmedPath = strings.TrimSpace(trimmedPath) diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index 106e4162e2..f9d61d42b3 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -2899,8 +2899,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpAndHttpsListeners(t *testing.T Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.ObjectMeta.Namespace, - VSName: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.ObjectMeta.Name, + VSNamespace: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.Namespace, + VSName: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.Name, DisableIPV6: true, HTTPPort: virtualServerExWithCustomHTTPAndHTTPSListeners.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPAndHTTPSListeners.HTTPSPort, @@ -2948,8 +2948,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPListener.VirtualServer.ObjectMeta.Namespace, - VSName: virtualServerExWithCustomHTTPListener.VirtualServer.ObjectMeta.Name, + VSNamespace: virtualServerExWithCustomHTTPListener.VirtualServer.Namespace, + VSName: virtualServerExWithCustomHTTPListener.VirtualServer.Name, DisableIPV6: true, HTTPPort: virtualServerExWithCustomHTTPListener.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPListener.HTTPSPort, @@ -2997,8 +2997,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpsListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPSListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPSListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPSListener.VirtualServer.ObjectMeta.Namespace, - VSName: virtualServerExWithCustomHTTPSListener.VirtualServer.ObjectMeta.Name, + VSNamespace: virtualServerExWithCustomHTTPSListener.VirtualServer.Namespace, + VSName: virtualServerExWithCustomHTTPSListener.VirtualServer.Name, DisableIPV6: true, HTTPPort: virtualServerExWithCustomHTTPSListener.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPSListener.HTTPSPort, @@ -3046,8 +3046,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpAndHttpsIPListeners(t *testing Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.ObjectMeta.Namespace, - VSName: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.ObjectMeta.Name, + VSNamespace: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Namespace, + VSName: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Name, DisableIPV6: false, HTTPPort: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPSPort, @@ -3099,8 +3099,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpIPListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPIPListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPIPListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPIPListener.VirtualServer.ObjectMeta.Namespace, - VSName: virtualServerExWithCustomHTTPIPListener.VirtualServer.ObjectMeta.Name, + VSNamespace: virtualServerExWithCustomHTTPIPListener.VirtualServer.Namespace, + VSName: virtualServerExWithCustomHTTPIPListener.VirtualServer.Name, DisableIPV6: false, HTTPPort: virtualServerExWithCustomHTTPIPListener.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPIPListener.HTTPSPort, @@ -3152,8 +3152,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpsIPListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPSIPListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPSIPListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPSIPListener.VirtualServer.ObjectMeta.Namespace, - VSName: virtualServerExWithCustomHTTPSIPListener.VirtualServer.ObjectMeta.Name, + VSNamespace: virtualServerExWithCustomHTTPSIPListener.VirtualServer.Namespace, + VSName: virtualServerExWithCustomHTTPSIPListener.VirtualServer.Name, DisableIPV6: false, HTTPPort: virtualServerExWithCustomHTTPSIPListener.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPSIPListener.HTTPSPort, @@ -3205,8 +3205,8 @@ func TestGenerateVirtualServerConfigWithNilListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithNilListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithNilListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithNilListener.VirtualServer.ObjectMeta.Namespace, - VSName: virtualServerExWithNilListener.VirtualServer.ObjectMeta.Name, + VSNamespace: virtualServerExWithNilListener.VirtualServer.Namespace, + VSName: virtualServerExWithNilListener.VirtualServer.Name, DisableIPV6: true, HTTPPort: virtualServerExWithNilListener.HTTPPort, HTTPSPort: virtualServerExWithNilListener.HTTPSPort, diff --git a/internal/externaldns/sync.go b/internal/externaldns/sync.go index 0cc6448deb..7c717364b0 100644 --- a/internal/externaldns/sync.go +++ b/internal/externaldns/sync.go @@ -12,7 +12,6 @@ import ( clientset "github.com/nginx/kubernetes-ingress/pkg/client/clientset/versioned" extdnslisters "github.com/nginx/kubernetes-ingress/pkg/client/listers/externaldns/v1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/runtime/schema" validators "k8s.io/apimachinery/pkg/util/validation" "k8s.io/apimachinery/pkg/util/validation/field" @@ -150,19 +149,19 @@ func buildDNSEndpoint(ctx context.Context, extdnsLister extdnslisters.DNSEndpoin var err error l := nl.LoggerFromContext(ctx) - existingDNSEndpoint, err = extdnsLister.DNSEndpoints(vs.Namespace).Get(vs.ObjectMeta.Name) + existingDNSEndpoint, err = extdnsLister.DNSEndpoints(vs.Namespace).Get(vs.Name) if !apierrors.IsNotFound(err) && err != nil { return nil, nil, err } - var controllerGVK schema.GroupVersionKind = vsGVK + controllerGVK := vsGVK ownerRef := *metav1.NewControllerRef(vs, controllerGVK) blockOwnerDeletion := false ownerRef.BlockOwnerDeletion = &blockOwnerDeletion dnsEndpoint := &extdnsapi.DNSEndpoint{ ObjectMeta: metav1.ObjectMeta{ - Name: vs.ObjectMeta.Name, + Name: vs.Name, Namespace: vs.Namespace, Labels: vs.Labels, OwnerReferences: []metav1.OwnerReference{ownerRef}, @@ -246,7 +245,7 @@ func buildProviderSpecificProperties(extdnsSpec vsapi.ExternalDNS) extdnsapi.Pro } func extdnsendpointNeedsUpdate(dnsA, dnsB *extdnsapi.DNSEndpoint) bool { - if !cmp.Equal(dnsA.ObjectMeta.Name, dnsB.ObjectMeta.Name) { + if !cmp.Equal(dnsA.Name, dnsB.Name) { return true } if !cmp.Equal(dnsA.Labels, dnsB.Labels) { diff --git a/internal/k8s/appprotect_dos.go b/internal/k8s/appprotect_dos.go index babfcd2425..a85ce22411 100644 --- a/internal/k8s/appprotect_dos.go +++ b/internal/k8s/appprotect_dos.go @@ -207,7 +207,8 @@ func (lbc *LoadBalancerController) processAppProtectDosChanges(changes []appprot nl.Debugf(lbc.Logger, "Processing %v App Protect Dos changes", len(changes)) for _, c := range changes { - if c.Op == appprotectdos.AddOrUpdate { + switch c.Op { + case appprotectdos.AddOrUpdate: switch impl := c.Resource.(type) { case *appprotectdos.DosProtectedResourceEx: nl.Debugf(lbc.Logger, "handling change UPDATE OR ADD for DOS protected %s/%s", impl.Obj.Namespace, impl.Obj.Name) @@ -231,7 +232,7 @@ func (lbc *LoadBalancerController) processAppProtectDosChanges(changes []appprot } lbc.recorder.Event(impl.Obj, eventType, eventTitle, msg) } - } else if c.Op == appprotectdos.Delete { + case appprotectdos.Delete: switch impl := c.Resource.(type) { case *appprotectdos.DosPolicyEx: lbc.configurator.DeleteAppProtectDosPolicy(impl.Obj) diff --git a/internal/k8s/appprotect_waf.go b/internal/k8s/appprotect_waf.go index 8ed8748f23..600018efb1 100644 --- a/internal/k8s/appprotect_waf.go +++ b/internal/k8s/appprotect_waf.go @@ -356,7 +356,8 @@ func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect nl.Debugf(lbc.Logger, "Processing %v App Protect changes", len(changes)) for _, c := range changes { - if c.Op == appprotect.AddOrUpdate { + switch c.Op { + case appprotect.AddOrUpdate: switch impl := c.Resource.(type) { case *appprotect.PolicyEx: namespace := impl.Obj.GetNamespace() @@ -387,7 +388,7 @@ func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr) lbc.recorder.Eventf(impl.Obj, api_v1.EventTypeNormal, nl.EventReasonAddedOrUpdated, "AppProtectLogConfig %v was added or updated", namespace+"/"+name) } - } else if c.Op == appprotect.Delete { + case appprotect.Delete: switch impl := c.Resource.(type) { case *appprotect.PolicyEx: namespace := impl.Obj.GetNamespace() diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index dcdca18b94..62a9e0efe5 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -1276,7 +1276,8 @@ func (lbc *LoadBalancerController) processChanges(changes []ResourceChange) { nl.Debugf(lbc.Logger, "Processing %v changes", len(changes)) for _, c := range changes { - if c.Op == AddOrUpdate { + switch c.Op { + case AddOrUpdate: switch impl := c.Resource.(type) { case *VirtualServerConfiguration: vsEx := lbc.createVirtualServerEx(impl.VirtualServer, impl.VirtualServerRoutes) @@ -1301,7 +1302,7 @@ func (lbc *LoadBalancerController) processChanges(changes []ResourceChange) { warnings, addOrUpdateErr := lbc.configurator.AddOrUpdateTransportServer(tsEx) lbc.updateTransportServerStatusAndEvents(impl, warnings, addOrUpdateErr) } - } else if c.Op == Delete { + case Delete: switch impl := c.Resource.(type) { case *VirtualServerConfiguration: key := getResourceKey(&impl.VirtualServer.ObjectMeta) @@ -2293,7 +2294,7 @@ func (lbc *LoadBalancerController) createIngressEx(ing *networking.Ingress, vali } // check if rule has any paths - if rule.IngressRuleValue.HTTP == nil { + if rule.HTTP == nil { continue } @@ -3080,7 +3081,7 @@ func findProbeForPods(pods []*api_v1.Pod, svcPort *api_v1.ServicePort) *api_v1.P for _, port := range container.Ports { if compareContainerPortAndServicePort(port, *svcPort) { // only http ReadinessProbes are useful for us - if container.ReadinessProbe != nil && container.ReadinessProbe.ProbeHandler.HTTPGet != nil && container.ReadinessProbe.PeriodSeconds > 0 { + if container.ReadinessProbe != nil && container.ReadinessProbe.HTTPGet != nil && container.ReadinessProbe.PeriodSeconds > 0 { return container.ReadinessProbe } } @@ -3555,12 +3556,13 @@ func (lbc *LoadBalancerController) haltIfVSConfigInvalid(vsNew *conf_v1.VirtualS } for _, c := range changes { - if c.Op == AddOrUpdate { + switch c.Op { + case AddOrUpdate: switch impl := c.Resource.(type) { case *VirtualServerConfiguration: lbc.updateVirtualServerStatusAndEvents(impl, configs.Warnings{}, nil) } - } else if c.Op == Delete { + case Delete: switch impl := c.Resource.(type) { case *VirtualServerConfiguration: key := getResourceKey(&impl.VirtualServer.ObjectMeta) @@ -3646,7 +3648,7 @@ func (lbc *LoadBalancerController) vsrHasWeightChanges(vsrOld *conf_v1.VirtualSe } func (lbc *LoadBalancerController) createCombinedDeploymentHeadlessServiceName() string { - owner := lbc.metadata.pod.ObjectMeta.OwnerReferences[0] + owner := lbc.metadata.pod.OwnerReferences[0] name := owner.Name if strings.ToLower(owner.Kind) == "replicaset" { if dash := strings.LastIndex(name, "-"); dash != -1 { diff --git a/internal/k8s/global_configuration.go b/internal/k8s/global_configuration.go index 4e87ca1d70..8869f121e9 100644 --- a/internal/k8s/global_configuration.go +++ b/internal/k8s/global_configuration.go @@ -123,23 +123,25 @@ func (lbc *LoadBalancerController) processChangesFromGlobalConfiguration(changes for _, c := range changes { switch impl := c.Resource.(type) { case *VirtualServerConfiguration: - if c.Op == AddOrUpdate { + switch c.Op { + case AddOrUpdate: vsEx := lbc.createVirtualServerEx(impl.VirtualServer, impl.VirtualServerRoutes) updatedVSExes = append(updatedVSExes, vsEx) updatedResources = append(updatedResources, impl) - } else if c.Op == Delete { + case Delete: key := getResourceKey(&impl.VirtualServer.ObjectMeta) deletedVSKeys = append(deletedVSKeys, key) } case *TransportServerConfiguration: - if c.Op == AddOrUpdate { + switch c.Op { + case AddOrUpdate: tsEx := lbc.createTransportServerEx(impl.TransportServer, impl.ListenerPort, impl.IPv4, impl.IPv6) updatedTSExes = append(updatedTSExes, tsEx) updatedResources = append(updatedResources, impl) - } else if c.Op == Delete { + case Delete: key := getResourceKey(&impl.TransportServer.ObjectMeta) deletedTSKeys = append(deletedTSKeys, key) diff --git a/internal/k8s/reference_checkers.go b/internal/k8s/reference_checkers.go index 97c522691a..4855a9522d 100644 --- a/internal/k8s/reference_checkers.go +++ b/internal/k8s/reference_checkers.go @@ -121,10 +121,10 @@ func (rc *serviceReferenceChecker) IsReferencedByIngress(svcNamespace string, sv } } for _, rules := range ing.Spec.Rules { - if rules.IngressRuleValue.HTTP == nil { + if rules.HTTP == nil { continue } - for _, p := range rules.IngressRuleValue.HTTP.Paths { + for _, p := range rules.HTTP.Paths { if p.Backend.Service.Name == svcName { return true } diff --git a/internal/k8s/status.go b/internal/k8s/status.go index a9c8c49b1b..0352d8d8c3 100644 --- a/internal/k8s/status.go +++ b/internal/k8s/status.go @@ -230,13 +230,14 @@ var ( ) func isRequiredPort(port intstr.IntOrString) bool { - if port.Type == intstr.Int { + switch port.Type { + case intstr.Int: for _, p := range intPorts { if p == port.IntVal { return true } } - } else if port.Type == intstr.String { + case intstr.String: for _, p := range stringPorts { if p == port.StrVal { return true diff --git a/internal/k8s/status_test.go b/internal/k8s/status_test.go index a3911a6b85..4513ed4dd9 100644 --- a/internal/k8s/status_test.go +++ b/internal/k8s/status_test.go @@ -238,7 +238,7 @@ func TestStatusUpdateWithExternalStatusAndExternalService(t *testing.T) { }, ) - err := ingLister.Store.Add(&ing) + err := ingLister.Add(&ing) if err != nil { t.Errorf("Error adding Ingress to the ingress lister: %v", err) } @@ -357,7 +357,7 @@ func TestStatusUpdateWithExternalStatusAndIngressLink(t *testing.T) { }, ) - err := ingLister.Store.Add(&ing) + err := ingLister.Add(&ing) if err != nil { t.Errorf("Error adding Ingress to the ingress lister: %v", err) } diff --git a/internal/k8s/utils.go b/internal/k8s/utils.go index 3b8618054b..a7ebd97087 100644 --- a/internal/k8s/utils.go +++ b/internal/k8s/utils.go @@ -42,7 +42,7 @@ type storeToIngressLister struct { // GetByKeySafe calls Store.GetByKeySafe and returns a copy of the ingress, so it is // safe to modify. func (s *storeToIngressLister) GetByKeySafe(key string) (ing *networking.Ingress, exists bool, err error) { - item, exists, err := s.Store.GetByKey(key) + item, exists, err := s.GetByKey(key) if !exists || err != nil { return nil, exists, err } @@ -91,7 +91,7 @@ type storeToEndpointSliceLister struct { // GetServiceEndpointSlices returns the endpoints of a service, matched on service name. func (s *storeToEndpointSliceLister) GetServiceEndpointSlices(svc *v1.Service) (endpointSlices []discovery_v1.EndpointSlice, err error) { - for _, epStore := range s.Store.List() { + for _, epStore := range s.List() { ep := *epStore.(*discovery_v1.EndpointSlice) if svc.Name == ep.Labels["kubernetes.io/service-name"] && svc.Namespace == ep.Namespace { endpointSlices = append(endpointSlices, ep) diff --git a/internal/metrics/collectors/processes.go b/internal/metrics/collectors/processes.go index 21763f0fe8..67ae70ce46 100644 --- a/internal/metrics/collectors/processes.go +++ b/internal/metrics/collectors/processes.go @@ -72,9 +72,10 @@ func getWorkerProcesses() (int, int, error) { } text := string(bytes.TrimRight(content, "\x00")) - if text == "nginx: worker process" { + switch text { + case "nginx: worker process": workerProcesses++ - } else if text == "nginx: worker process is shutting down" { + case "nginx: worker process is shutting down": prevWorkerProcesses++ } } diff --git a/nginx-ingress/.helmignore b/nginx-ingress/.helmignore new file mode 100644 index 0000000000..c1347c2c27 --- /dev/null +++ b/nginx-ingress/.helmignore @@ -0,0 +1,2 @@ +# Patterns to ignore when building packages. +*.png diff --git a/nginx-ingress/Chart.yaml b/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..98e0157a33 --- /dev/null +++ b/nginx-ingress/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: NGINX Ingress Controller +home: https://github.com/nginx/kubernetes-ingress +icon: https://raw.githubusercontent.com/nginx/kubernetes-ingress/v5.0.0/charts/nginx-ingress/chart-icon.png +keywords: +- ingress +- nginx +kubeVersion: '>= 1.23.0-0' +maintainers: +- email: kubernetes@nginx.com + name: nginx +name: nginx-ingress +sources: +- https://github.com/nginx/kubernetes-ingress/tree/v5.0.0/charts/nginx-ingress +type: application +version: 2.1.0 diff --git a/nginx-ingress/README.md b/nginx-ingress/README.md new file mode 100644 index 0000000000..ff68d539d2 --- /dev/null +++ b/nginx-ingress/README.md @@ -0,0 +1,3 @@ +# Helm Documentation + +Please refer to the [Installation with Helm](https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/) guide in the NGINX Ingress Controller documentation site. diff --git a/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml b/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml new file mode 100644 index 0000000000..8aacce99c3 --- /dev/null +++ b/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml @@ -0,0 +1,83 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|[1-9][0-9]{3}|10[0-2][0-9][0-9]|[1-9]k|10k|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml b/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml new file mode 100644 index 0000000000..4929c96247 --- /dev/null +++ b/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml @@ -0,0 +1,2172 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - VIOL_ACCESS_INVALID + - VIOL_ACCESS_MALFORMED + - VIOL_ACCESS_MISSING + - VIOL_ACCESS_UNAUTHORIZED + - VIOL_ASM_COOKIE_HIJACKING + - VIOL_ASM_COOKIE_MODIFIED + - VIOL_BLACKLISTED_IP + - VIOL_COOKIE_EXPIRED + - VIOL_COOKIE_LENGTH + - VIOL_COOKIE_MALFORMED + - VIOL_COOKIE_MODIFIED + - VIOL_CSRF + - VIOL_DATA_GUARD + - VIOL_ENCODING + - VIOL_EVASION + - VIOL_FILE_UPLOAD + - VIOL_FILE_UPLOAD_IN_BODY + - VIOL_FILETYPE + - VIOL_GRAPHQL_ERROR_RESPONSE + - VIOL_GRAPHQL_FORMAT + - VIOL_GRAPHQL_INTROSPECTION_QUERY + - VIOL_GRAPHQL_MALFORMED + - VIOL_GRPC_FORMAT + - VIOL_GRPC_MALFORMED + - VIOL_GRPC_METHOD + - VIOL_HEADER_LENGTH + - VIOL_HEADER_METACHAR + - VIOL_HEADER_REPEATED + - VIOL_HTTP_PROTOCOL + - VIOL_HTTP_RESPONSE_STATUS + - VIOL_JSON_FORMAT + - VIOL_JSON_MALFORMED + - VIOL_JSON_SCHEMA + - VIOL_MANDATORY_HEADER + - VIOL_MANDATORY_PARAMETER + - VIOL_MANDATORY_REQUEST_BODY + - VIOL_METHOD + - VIOL_PARAMETER + - VIOL_PARAMETER_ARRAY_VALUE + - VIOL_PARAMETER_DATA_TYPE + - VIOL_PARAMETER_EMPTY_VALUE + - VIOL_PARAMETER_LOCATION + - VIOL_PARAMETER_MULTIPART_NULL_VALUE + - VIOL_PARAMETER_NAME_METACHAR + - VIOL_PARAMETER_NUMERIC_VALUE + - VIOL_PARAMETER_REPEATED + - VIOL_PARAMETER_STATIC_VALUE + - VIOL_PARAMETER_VALUE_BASE64 + - VIOL_PARAMETER_VALUE_LENGTH + - VIOL_PARAMETER_VALUE_METACHAR + - VIOL_PARAMETER_VALUE_REGEXP + - VIOL_POST_DATA_LENGTH + - VIOL_QUERY_STRING_LENGTH + - VIOL_RATING_NEED_EXAMINATION + - VIOL_RATING_THREAT + - VIOL_REQUEST_LENGTH + - VIOL_REQUEST_MAX_LENGTH + - VIOL_THREAT_CAMPAIGN + - VIOL_URL + - VIOL_URL_CONTENT_TYPE + - VIOL_URL_LENGTH + - VIOL_URL_METACHAR + - VIOL_XML_FORMAT + - VIOL_XML_MALFORMED + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + customPatterns: + type: boolean + customPatternsList: + items: + type: string + type: array + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + firstCustomCharactersToExpose: + type: integer + lastCcnDigitsToExpose: + type: integer + lastCustomCharactersToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensitiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharCheck: + type: boolean + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml b/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml new file mode 100644 index 0000000000..6d71ed6336 --- /dev/null +++ b/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml @@ -0,0 +1,98 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + softwareVersion: + type: string + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml new file mode 100644 index 0000000000..e23e87184b --- /dev/null +++ b/nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + traffic-mitigation-stats: + enum: + - none + - all + default: all + type: string + bad-actors: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + attack-signatures: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml b/nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml new file mode 100644 index 0000000000..a16399a1a2 --- /dev/null +++ b/nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + mitigation_mode: + enum: + - "standard" + - "conservative" + - "none" + default: "standard" + type: string + signatures: + enum: + - "on" + - "off" + default: "on" + type: string + bad_actors: + enum: + - "on" + - "off" + default: "on" + type: string + automation_tools_detection: + enum: + - "on" + - "off" + default: "on" + type: string + tls_fingerprint: + enum: + - "on" + - "off" + default: "on" + type: string + served: true + storage: true diff --git a/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml new file mode 100644 index 0000000000..9c3ce82174 --- /dev/null +++ b/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -0,0 +1,113 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + allowList: + description: AllowList is a list of allowed IPs and subnet masks + items: + description: AllowListEntry represents an IP address and a subnet + mask. + properties: + ipWithMask: + type: string + type: object + type: array + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml b/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..bca4965c46 --- /dev/null +++ b/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -0,0 +1,97 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/nginx-ingress/templates/NOTES.txt b/nginx-ingress/templates/NOTES.txt new file mode 100644 index 0000000000..1fcca30c24 --- /dev/null +++ b/nginx-ingress/templates/NOTES.txt @@ -0,0 +1,13 @@ +NGINX Ingress Controller {{ .Chart.AppVersion }} has been installed. + +For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/ + +Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/ + +{{ if .Release.IsUpgrade -}} +If you are upgrading from a version of the chart that uses older Custom Resource Definitions (CRD) it is necessary to manually upgrade the CRDs as this is not managed by Helm. +To update to the latest version of the CRDs: + $ kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{ .Chart.AppVersion }}/deploy/crds.yaml + +More details on upgrading the CRDs: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/#upgrading-the-crds +{{- end -}} diff --git a/nginx-ingress/templates/_helpers.tpl b/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..d3dc468085 --- /dev/null +++ b/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,516 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nginx-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Pod labels +*/}} +{{- define "nginx-ingress.podLabels" -}} +{{- include "nginx-ingress.selectorLabels" . }} +{{- if .Values.nginxServiceMesh.enable }} +nsm.nginx.com/enable-ingress: "true" +nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" +nsm.nginx.com/{{ .Values.controller.kind }}: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +agent-configuration-revision-hash: {{ include "nginx-ingress.agentConfiguration" . | sha1sum | trunc 8 | quote }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap. +*/}} +{{- define "nginx-ingress.configName" -}} +{{- if .Values.controller.customConfigMap -}} +{{ .Values.controller.customConfigMap }} +{{- else -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap used for NGINX Agent. +*/}} +{{- define "nginx-ingress.agentConfigName" -}} +{{- if ne (.Values.nginxAgent.customConfigMap | default "") "" -}} +{{ .Values.nginxAgent.customConfigMap }} +{{- else -}} +{{- printf "%s-agent-config" (include "nginx-ingress.fullname" . | trunc 49 | trimSuffix "-") -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the mgmt configmap. +*/}} +{{- define "nginx-ingress.mgmtConfigName" -}} +{{- if .Values.controller.mgmt.configMapName -}} +{{ .Values.controller.mgmt.configMapName }} +{{- else -}} +{{- default (printf "%s-mgmt" (include "nginx-ingress.fullname" .)) -}} +{{- end -}} +{{- end -}} + +{{/* +Expand license token secret name. +*/}} +{{- define "nginx-ingress.licenseTokenSecretName" -}} +{{- if hasKey .Values.controller.mgmt "licenseTokenSecretName" -}} +{{- .Values.controller.mgmt.licenseTokenSecretName -}} +{{- else }} +{{- fail "Error: When using Nginx Plus, 'controller.mgmt.licenseTokenSecretName' must be set." }} +{{- end -}} +{{- end -}} + +{{/* +Expand leader election lock name. +*/}} +{{- define "nginx-ingress.leaderElectionName" -}} +{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} +{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} +{{- else -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand service account name. +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} +{{- end -}} + +{{/* +Expand default TLS name. +*/}} +{{- define "nginx-ingress.defaultTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} +{{- end -}} + +{{/* +Expand wildcard TLS name. +*/}} +{{- define "nginx-ingress.wildcardTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} +{{- end -}} + +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + +{{/* +Expand image name. +*/}} +{{- define "nginx-ingress.image" -}} +{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion ) }} +{{- end -}} + +{{- define "nap-enforcer.image" -}} +{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.enforcer.image "default" .Chart.AppVersion ) }} +{{- end -}} + +{{- define "nap-config-manager.image" -}} +{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.configManager.image "default" .Chart.AppVersion ) }} +{{- end -}} + +{{/* +Accepts an image struct like .Values.controller.image along with a default value to use +if the digest or tag is not set. Can be called like: +include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion +*/}} +{{- define "nginx-ingress.image-digest-or-tag" -}} +{{- if .image.digest -}} +{{- printf "%s@%s" .image.repository .image.digest -}} +{{- else -}} +{{- printf "%s:%s" .image.repository (default .default .image.tag) -}} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.prometheus.serviceName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} +{{- end -}} + +{{/* +return if readOnlyRootFilesystem is enabled or not. +*/}} +{{- define "nginx-ingress.readOnlyRootFilesystem" -}} +{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +{{- if and .Values.controller.debug .Values.controller.debug.enable }} +- --listen=:2345 +- --headless=true +- --log=true +- --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc,dap,fncall,minidump,stack +- --accept-multiclient +- --api-version=2 +- exec +- ./nginx-ingress +{{- if .Values.controller.debug.continue }} +- --continue +{{- end }} +- -- +{{- end }} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.v5 }} +- -app-protect-enforcer-address="{{ .Values.controller.appprotect.enforcer.host | default "127.0.0.1" }}:{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" +{{- end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.nginxplus }} +- -mgmt-configmap=$(POD_NAMESPACE)/{{ include "nginx-ingress.mgmtConfigName" . }} +{{- end }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -log-level={{ .Values.controller.logLevel }} +- -log-format={{ .Values.controller.logFormat }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} +- -enable-telemetry-reporting={{ .Values.controller.telemetryReporting.enable}} +- -weight-changes-dynamic-reload={{ .Values.controller.enableWeightChangesDynamicReload}} +{{- if .Values.nginxAgent.enable }} +- -agent=true +- -agent-instance-group={{ default (include "nginx-ingress.controller.fullname" .) .Values.nginxAgent.instanceGroup }} +{{- end }} +{{- end -}} + +{{/* +Volumes for controller. +*/}} +{{- define "nginx-ingress.volumes" -}} +{{- $volumesSet := "false" }} +volumes: +{{- if eq (include "nginx-ingress.volumeEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeEntries" . }} +{{- end -}} +{{- end -}} + +{{/* +List of volumes for controller. +*/}} +{{- define "nginx-ingress.volumeEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- name: nginx-etc + emptyDir: {} +- name: nginx-cache + emptyDir: {} +- name: nginx-lib + emptyDir: {} +- name: nginx-state + emptyDir: {} +- name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.appprotect.v5 }} +{{ toYaml .Values.controller.appprotect.volumes }} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + configMap: + name: {{ include "nginx-ingress.agentConfigName" . }} +- name: agent-dynamic + emptyDir: {} +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + projected: + sources: +{{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.secret }} +{{- end }} +{{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.caSecret }} +{{- end }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Volume mounts for controller. +*/}} +{{- define "nginx-ingress.volumeMounts" -}} +{{- $volumesSet := "false" }} +volumeMounts: +{{- if eq (include "nginx-ingress.volumeMountEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeMountEntries" . }} +{{- end -}} +{{- end -}} +{{- define "nginx-ingress.volumeMountEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- mountPath: /etc/nginx + name: nginx-etc +- mountPath: /var/cache/nginx + name: nginx-cache +- mountPath: /var/lib/nginx + name: nginx-lib +- mountPath: /var/lib/nginx/state + name: nginx-state +- mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.appprotect.v5 }} +- name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config +- name: app-protect-config + mountPath: /opt/app_protect/config + # app-protect-bundles is mounted so that Ingress Controller + # can verify that referenced bundles are present +- name: app-protect-bundles + mountPath: /etc/app_protect/bundles +{{- end }} +{{- if .Values.controller.volumeMounts }} +{{ toYaml .Values.controller.volumeMounts }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf +- name: agent-dynamic + mountPath: /var/lib/nginx-agent +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + mountPath: /etc/ssl/nms + readOnly: true +{{- end }} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.appprotect.v5" -}} +{{- if .Values.controller.appprotect.v5}} +- name: waf-enforcer + image: {{ include "nap-enforcer.image" . }} + imagePullPolicy: "{{ .Values.controller.appprotect.enforcer.image.pullPolicy }}" +{{- if .Values.controller.appprotect.enforcer.securityContext }} + securityContext: +{{ toYaml .Values.controller.appprotect.enforcer.securityContext | nindent 6 }} +{{- end }} + env: + - name: ENFORCER_PORT + value: "{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" + - name: ENFORCER_CONFIG_TIMEOUT + value: "0" + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config +- name: waf-config-mgr + image: {{ include "nap-config-manager.image" . }} + imagePullPolicy: "{{ .Values.controller.appprotect.configManager.image.pullPolicy }}" +{{- if .Values.controller.appprotect.configManager.securityContext }} + securityContext: +{{ toYaml .Values.controller.appprotect.configManager.securityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles +{{- end}} +{{- end -}} + +{{- define "nginx-ingress.agentConfiguration" -}} +log: + level: {{ .Values.nginxAgent.logLevel }} + path: "" +server: + host: {{ required ".Values.nginxAgent.instanceManager.host is required when setting .Values.nginxAgent.enable to true" .Values.nginxAgent.instanceManager.host }} + grpcPort: {{ .Values.nginxAgent.instanceManager.grpcPort }} +{{- if ne (.Values.nginxAgent.instanceManager.sni | default "") "" }} + metrics: {{ .Values.nginxAgent.instanceManager.sni }} + command: {{ .Values.nginxAgent.instanceManager.sni }} +{{- end }} +{{- if .Values.nginxAgent.instanceManager.tls }} +tls: + enable: {{ .Values.nginxAgent.instanceManager.tls.enable | default true }} + skip_verify: {{ .Values.nginxAgent.instanceManager.tls.skipVerify | default false }} + {{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + ca: "/etc/ssl/nms/ca.crt" + {{- end }} + {{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + cert: "/etc/ssl/nms/tls.crt" + key: "/etc/ssl/nms/tls.key" + {{- end }} +{{- end }} +features: + - registration + - nginx-counting + - metrics-sender + - dataplane-status +extensions: + - nginx-app-protect + - nap-monitoring +nginx_app_protect: + report_interval: 15s + precompiled_publication: true +nap_monitoring: + collector_buffer_size: {{ .Values.nginxAgent.napMonitoring.collectorBufferSize }} + processor_buffer_size: {{ .Values.nginxAgent.napMonitoring.processorBufferSize }} + syslog_ip: {{ .Values.nginxAgent.syslog.host }} + syslog_port: {{ .Values.nginxAgent.syslog.port }} + +{{ end -}} diff --git a/nginx-ingress/templates/clusterrole.yaml b/nginx-ingress/templates/clusterrole.yaml new file mode 100644 index 0000000000..7c3a5c89f3 --- /dev/null +++ b/nginx-ingress/templates/clusterrole.yaml @@ -0,0 +1,180 @@ +{{- if and .Values.rbac.create .Values.rbac.clusterrole.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "apps" + resources: + - replicasets + - daemonsets + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} +{{- if .Values.controller.appprotect.enable }} +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.appprotectdos.enable }} +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.enableCustomResources }} +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +{{- end }} +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- apiGroups: + - cis.f5.com + resources: + - ingresslinks + verbs: + - list + - watch + - get +{{- end }} +{{- if .Values.controller.enableCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - list + - watch + - get + - update + - create + - delete +{{- end }} +{{- if .Values.controller.enableExternalDNS }} +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +{{- end }} +{{- end}} diff --git a/nginx-ingress/templates/clusterrolebinding.yaml b/nginx-ingress/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ed06c48ccb --- /dev/null +++ b/nginx-ingress/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "nginx-ingress.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/nginx-ingress/templates/controller-configmap.yaml b/nginx-ingress/templates/controller-configmap.yaml new file mode 100644 index 0000000000..a341ec084c --- /dev/null +++ b/nginx-ingress/templates/controller-configmap.yaml @@ -0,0 +1,82 @@ +{{- if not .Values.controller.customConfigMap -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.configName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: +{{ toYaml (default dict .Values.controller.config.entries) | indent 2 }} +{{- end }} +--- +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.agentConfigName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: + nginx-agent.conf: |- +{{ include "nginx-ingress.agentConfiguration" . | indent 4 }} +{{- end }} +--- +{{- if .Values.controller.nginxplus }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.mgmtConfigName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: + license-token-secret-name: {{ required "When using Nginx Plus, 'controller.mgmt.licenseTokenSecretName' cannot be empty " (include "nginx-ingress.licenseTokenSecretName" . ) }} +{{- if hasKey .Values.controller.mgmt "sslVerify" }} + ssl-verify: {{ quote .Values.controller.mgmt.sslVerify }} +{{- end }} +{{- if hasKey .Values.controller.mgmt "enforceInitialReport" }} + enforce-initial-report: {{ quote .Values.controller.mgmt.enforceInitialReport }} +{{- end }} +{{- if hasKey .Values.controller.mgmt "usageReport" }} +{{- if hasKey .Values.controller.mgmt.usageReport "endpoint" }} + usage-report-endpoint: {{ quote .Values.controller.mgmt.usageReport.endpoint }} +{{- end }} +{{- if hasKey .Values.controller.mgmt.usageReport "interval" }} + usage-report-interval: {{ quote .Values.controller.mgmt.usageReport.interval }} +{{- end }} +{{- if hasKey .Values.controller.mgmt.usageReport "proxyHost" }} + usage-report-proxy-host: {{ quote .Values.controller.mgmt.usageReport.proxyHost }} +{{- end }} +{{- end }} +{{- if hasKey .Values.controller.mgmt "sslTrustedCertificateSecretName" }} + ssl-trusted-certificate-secret-name: {{ quote .Values.controller.mgmt.sslTrustedCertificateSecretName }} +{{- end }} +{{- if hasKey .Values.controller.mgmt "sslCertificateSecretName" }} + ssl-certificate-secret-name: {{ quote .Values.controller.mgmt.sslCertificateSecretName}} +{{- end }} +{{- if hasKey .Values.controller.mgmt "resolver" }} +{{- if hasKey .Values.controller.mgmt.resolver "addresses" }} + resolver-addresses: {{ join "," .Values.controller.mgmt.resolver.addresses | quote }} +{{- end }} +{{- if hasKey .Values.controller.mgmt.resolver "ipv6" }} + resolver-ipv6: {{ quote .Values.controller.mgmt.resolver.ipv6 }} +{{- end }} +{{- if hasKey .Values.controller.mgmt.resolver "valid" }} + resolver-valid: {{ quote .Values.controller.mgmt.resolver.valid }} +{{- end }} +{{- end }} +{{- end }} diff --git a/nginx-ingress/templates/controller-daemonset.yaml b/nginx-ingress/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..653ef4eb9e --- /dev/null +++ b/nginx-ingress/templates/controller-daemonset.yaml @@ -0,0 +1,196 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - name: {{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{ if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{ end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} +{{- if hasKey .Values.controller.mgmt "usageReport" -}} +{{- if hasKey .Values.controller.mgmt.usageReport "proxyCredentialsSecretName" }} +{{- if not (hasKey .Values.controller.mgmt.usageReport "proxyHost") -}} +{{- fail "Error: 'controller.mgmt.usageReport.proxyHost' must be set when using 'controller.mgmt.usageReport.proxyCredentialsSecretName'." }} +{{- end }} + - name: PROXY_USER + valueFrom: + secretKeyRef: + name: {{ .Values.controller.mgmt.usageReport.proxyCredentialsSecretName }} + key: username + - name: PROXY_PASS + valueFrom: + secretKeyRef: + name: {{ .Values.controller.mgmt.usageReport.proxyCredentialsSecretName }} + key: password +{{- end }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} + +{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }} + +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + updateStrategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/nginx-ingress/templates/controller-deployment.yaml b/nginx-ingress/templates/controller-deployment.yaml new file mode 100644 index 0000000000..9f2c6bd1e3 --- /dev/null +++ b/nginx-ingress/templates/controller-deployment.yaml @@ -0,0 +1,203 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - image: {{ include "nginx-ingress.image" . }} + name: {{ include "nginx-ingress.name" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{- if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{- end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} +{{- if hasKey .Values.controller.mgmt "usageReport" -}} +{{- if hasKey .Values.controller.mgmt.usageReport "proxyCredentialsSecretName" }} +{{- if not (hasKey .Values.controller.mgmt.usageReport "proxyHost") -}} +{{- fail "Error: 'controller.mgmt.usageReport.proxyHost' must be set when using 'controller.mgmt.usageReport.proxyCredentialsSecretName'." }} +{{- end }} + - name: PROXY_USER + valueFrom: + secretKeyRef: + name: {{ .Values.controller.mgmt.usageReport.proxyCredentialsSecretName }} + key: username + - name: PROXY_PASS + valueFrom: + secretKeyRef: + name: {{ .Values.controller.mgmt.usageReport.proxyCredentialsSecretName }} + key: password +{{- end }} +{{- end }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} + +{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }} + +{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/nginx-ingress/templates/controller-globalconfiguration.yaml b/nginx-ingress/templates/controller-globalconfiguration.yaml new file mode 100644 index 0000000000..939923f2e0 --- /dev/null +++ b/nginx-ingress/templates/controller-globalconfiguration.yaml @@ -0,0 +1,11 @@ +{{ if .Values.controller.globalConfiguration.create }} +apiVersion: k8s.nginx.org/v1 +kind: GlobalConfiguration +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +spec: +{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} +{{- end }} diff --git a/nginx-ingress/templates/controller-hpa.yaml b/nginx-ingress/templates/controller-hpa.yaml new file mode 100644 index 0000000000..971aca90d3 --- /dev/null +++ b/nginx-ingress/templates/controller-hpa.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} +{{- if .Values.controller.autoscaling.behavior }} + behavior: +{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} +{{- end }} + metrics: + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/nginx-ingress/templates/controller-ingress-class.yaml b/nginx-ingress/templates/controller-ingress-class.yaml new file mode 100644 index 0000000000..a351d697c6 --- /dev/null +++ b/nginx-ingress/templates/controller-ingress-class.yaml @@ -0,0 +1,14 @@ +{{ if .Values.controller.ingressClass.create }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClass.name }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.ingressClass.setAsDefaultIngress }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: nginx.org/ingress-controller +{{ end }} diff --git a/nginx-ingress/templates/controller-leader-election-configmap.yaml b/nginx-ingress/templates/controller-leader-election-configmap.yaml new file mode 100644 index 0000000000..440914eb3e --- /dev/null +++ b/nginx-ingress/templates/controller-leader-election-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/nginx-ingress/templates/controller-lease.yaml b/nginx-ingress/templates/controller-lease.yaml new file mode 100644 index 0000000000..6a761acb51 --- /dev/null +++ b/nginx-ingress/templates/controller-lease.yaml @@ -0,0 +1,13 @@ +{{ if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/nginx-ingress/templates/controller-pdb.yaml b/nginx-ingress/templates/controller-pdb.yaml new file mode 100644 index 0000000000..1c3ddc8ae5 --- /dev/null +++ b/nginx-ingress/templates/controller-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.podDisruptionBudget.annotations }} + annotations: +{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} +{{- if .Values.controller.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/nginx-ingress/templates/controller-prometheus-service.yaml b/nginx-ingress/templates/controller-prometheus-service.yaml new file mode 100644 index 0000000000..d36514284b --- /dev/null +++ b/nginx-ingress/templates/controller-prometheus-service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.prometheus.create .Values.prometheus.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.prometheus.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.service.labels -}} + {{- toYaml .Values.prometheus.service.labels | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - name: prometheus + protocol: TCP + port: {{ .Values.prometheus.port }} + targetPort: {{ .Values.prometheus.port }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/nginx-ingress/templates/controller-role.yaml b/nginx-ingress/templates/controller-role.yaml new file mode 100644 index 0000000000..cb75d99cc3 --- /dev/null +++ b/nginx-ingress/templates/controller-role.yaml @@ -0,0 +1,56 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ include "nginx-ingress.leaderElectionName" . }} + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +{{- end }} diff --git a/nginx-ingress/templates/controller-rolebinding.yaml b/nginx-ingress/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..51ee528da3 --- /dev/null +++ b/nginx-ingress/templates/controller-rolebinding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "nginx-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/nginx-ingress/templates/controller-secret.yaml b/nginx-ingress/templates/controller-secret.yaml new file mode 100644 index 0000000000..f9941e8878 --- /dev/null +++ b/nginx-ingress/templates/controller-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.defaultTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.defaultTLS.cert }} + tls.key: {{ .Values.controller.defaultTLS.key }} +{{- end }} diff --git a/nginx-ingress/templates/controller-service.yaml b/nginx-ingress/templates/controller-service.yaml new file mode 100644 index 0000000000..0073813227 --- /dev/null +++ b/nginx-ingress/templates/controller-service.yaml @@ -0,0 +1,72 @@ +{{- if .Values.controller.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.controller.service.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.service.extraLabels }} +{{ toYaml .Values.controller.service.extraLabels | indent 4 }} +{{- end }} +{{- if .Values.controller.service.annotations }} + annotations: +{{ toYaml .Values.controller.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} + {{- end }} + {{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} +{{- end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ .Values.controller.service.ipFamilies }} + {{- end }} + ports: +{{- if .Values.controller.service.customPorts }} +{{ toYaml .Values.controller.service.customPorts | indent 2 }} +{{ end }} +{{- if .Values.controller.service.httpPort.enable }} + - port: {{ .Values.controller.service.httpPort.port }} + targetPort: {{ .Values.controller.service.httpPort.targetPort }} + protocol: TCP + name: {{ .Values.controller.service.httpPort.name }} + {{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + nodePort: {{ .Values.controller.service.httpPort.nodePort }} + {{- end }} +{{- end }} +{{- if .Values.controller.service.httpsPort.enable }} + - port: {{ .Values.controller.service.httpsPort.port }} + targetPort: {{ .Values.controller.service.httpsPort.targetPort }} + protocol: TCP + name: {{ .Values.controller.service.httpsPort.name }} + {{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + nodePort: {{ .Values.controller.service.httpsPort.nodePort }} + {{- end }} +{{- end }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} + {{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} + {{- end }} +{{- end }} diff --git a/nginx-ingress/templates/controller-serviceaccount.yaml b/nginx-ingress/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..8cde4f5b01 --- /dev/null +++ b/nginx-ingress/templates/controller-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} +{{- if .Values.controller.serviceAccount.annotations }} + annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} +imagePullSecrets: +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} +{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} +- name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/nginx-ingress/templates/controller-servicemonitor.yaml b/nginx-ingress/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..e1a4268f95 --- /dev/null +++ b/nginx-ingress/templates/controller-servicemonitor.yaml @@ -0,0 +1,21 @@ +{{- if .Values.prometheus.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.serviceMonitor.labels -}} + {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + endpoints: + {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} +{{- end }} diff --git a/nginx-ingress/templates/controller-wildcard-secret.yaml b/nginx-ingress/templates/controller-wildcard-secret.yaml new file mode 100644 index 0000000000..3abe16c4c3 --- /dev/null +++ b/nginx-ingress/templates/controller-wildcard-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.wildcardTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.wildcardTLS.cert }} + tls.key: {{ .Values.controller.wildcardTLS.key }} +{{- end }} diff --git a/nginx-ingress/values-icp.yaml b/nginx-ingress/values-icp.yaml new file mode 100644 index 0000000000..2ff124b245 --- /dev/null +++ b/nginx-ingress/values-icp.yaml @@ -0,0 +1,17 @@ +controller: + name: controller + kind: daemonset + nginxplus: true + image: + repository: mycluster.icp:8500/kube-system/nginx-plus-ingress + tag: "5.0.0" + nodeSelector: + beta.kubernetes.io/arch: "amd64" + proxy: true + terminationGracePeriodSeconds: 60 + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/nginx-ingress/values-nsm.yaml b/nginx-ingress/values-nsm.yaml new file mode 100644 index 0000000000..47d11e0571 --- /dev/null +++ b/nginx-ingress/values-nsm.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + enableLatencyMetrics: true +nginxServiceMesh: + enable: true + enableEgress: true diff --git a/nginx-ingress/values-plus.yaml b/nginx-ingress/values-plus.yaml new file mode 100644 index 0000000000..bf2d5bc56b --- /dev/null +++ b/nginx-ingress/values-plus.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + nginxplus: true + image: + repository: nginx-plus-ingress + tag: "5.0.0" diff --git a/nginx-ingress/values.schema.json b/nginx-ingress/values.schema.json new file mode 100644 index 0000000000..9357682e08 --- /dev/null +++ b/nginx-ingress/values.schema.json @@ -0,0 +1,2745 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "default": {}, + "title": "Root Schema", + "required": [ + "controller", + "rbac", + "prometheus", + "serviceInsight", + "nginxServiceMesh" + ], + "properties": { + "controller": { + "type": "object", + "default": {}, + "title": "The Ingress Controller Helm Schema", + "required": [ + "name", + "kind", + "image" + ], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name of the Ingress Controller", + "examples": [ + "controller" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "The kind of the Ingress Controller", + "enum": [ + "deployment", + "daemonset" + ], + "examples": [ + "deployment", + "daemonset" + ] + }, + "selectorLabels": { + "type": "object", + "default": {}, + "title": "The selectorLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "nginxplus": { + "type": "boolean", + "default": false, + "title": "Deploys the Ingress Controller for NGINX Plus", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "object", + "default": {}, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "examples": [ + false, + true + ] + }, + "continue": { + "type": "boolean", + "default": true, + "title": "Starts Delve with --continue which means that IC will not wait for a debugger attach to start", + "examples": [ + false, + true + ] + } + }, + "examples": [ + { + "enable": true, + "continue": "fatal" + } + ] + }, + "mgmt": { + "type": "object", + "default": {}, + "title": "The mgmt block Schema", + "properties": { + "licenseTokenSecretName": { + "type": "string", + "default": "", + "title": "The licenseTokenSecretName Schema", + "examples": [ + "nginx-plus-secret", + "license-token", + "license" + ] + }, + "sslCertificateSecretName": { + "type": "string", + "default": "", + "title": "The sslCertificateSecretName Schema", + "examples": [ + "ssl-certificate" + ] + }, + "usageReport": { + "type": "object", + "default": {}, + "title": "The usageReport Schema", + "properties": { + "endpoint": { + "type": "string", + "title": "The endpoint of the usageReport", + "default": "", + "examples": [ + "", + "product.connect.nginx.com", + "nginx-mgmt.local" + ] + }, + "interval": { + "type": "string", + "pattern": "^[0-9]+[mhd]$", + "default": "1h", + "title": "The usage report interval Schema", + "examples": [ + "1m", + "1h", + "24h" + ] + }, + "proxyHost": { + "type": "string", + "title": "The proxy hostname with optional port", + "default": "", + "examples": [ + "proxy.example.com", + "proxy.local", + "proxy", + "192.168.1.254", + "proxy.example.com:3128", + "proxy.local:3128", + "proxy:3128", + "192.168.1.254:3128" + ] + }, + "proxyCredentialsSecretName": { + "type": "string", + "default": "", + "title": "The secret containing the proxy username/password combination. Must contain a `username` and `password` field", + "examples": [ + "proxy-credentials" + ] + } + } + }, + "enforceInitialReport": { + "type": "boolean", + "default": false, + "title": "The enforceInitialReport Schema", + "examples": [ + true, + false + ] + }, + "sslVerify": { + "type": "boolean", + "default": true, + "title": "The sslVerify Schema", + "examples": [ + true, + false + ] + }, + "resolver": { + "type": "object", + "default": {}, + "title": "The resolver Schema", + "properties": { + "addresses": { + "type": "array", + "default": [], + "title": "List of resolver addresses/fqdns" + }, + "valid": { + "type": "string", + "pattern": "^[0-9]+[smhdwMy]$", + "title": "A valid nginx time", + "examples": [ + "1m", + "5d" + ] + }, + "ipv6": { + "type": "boolean", + "title": "turn on or off ipv6 support", + "default": false + } + } + }, + "sslTrustedCertificateSecretName": { + "type": "string", + "default": "ssl-trusted-cert", + "title": "The sslTrustedCertificateSecretName Schema", + "examples": [ + "ssl-trusted-cert", + "certificate-secret" + ] + }, + "configMapName": { + "type": "string", + "default": "", + "title": "The configMap Schema", + "examples": [ + "" + ] + } + }, + "examples": [ + { + "licenseTokenSecretName": "license-token" + } + ] + }, + "nginxReloadTimeout": { + "type": "integer", + "default": 0, + "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", + "examples": [ + 60000 + ] + }, + "appprotect": { + "type": "object", + "default": {}, + "title": "The App Protect WAF Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect WAF module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "v5": { + "type": "boolean", + "default": false, + "title": "Enables App Protect WAF v5.", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "", + "title": "The logLevel for App Protect WAF", + "enum": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ], + "examples": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ] + }, + "volumes": { + "type": "array", + "default": [ + { + "name": "app-protect-bd-config", + "emptyDir": {} + }, + { + "name": "app-protect-config", + "emptyDir": {} + }, + { + "name": "app-protect-bundles", + "emptyDir": {} + } + ], + "title": "Volumes for App Protect WAF v5", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "enforcer": { + "type": "object", + "properties": { + "host": { + "type": "string", + "default": "127.0.0.1", + "title": "Port which the App Protect WAF v5 Enforcer process runs on", + "examples": [ + "127.0.0.1" + ] + }, + "port": { + "type": "integer", + "default": 50000, + "title": "Port which the App Protect WAF v5 Enforcer process runs on", + "examples": [ + 50000 + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "private-registry.nginx.com/nap/waf-enforcer", + "title": "The repository of the App Protect WAF v5 Enforcer image", + "examples": [ + "private-registry.nginx.com/nap/waf-enforcer" + ] + }, + "tag": { + "type": "string", + "default": "5.6.0", + "title": "The tag of the App Protect WAF v5 Enforcer image", + "examples": [ + "5.6.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the App Protect WAF v5 Enforcer image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the App Protect WAF v5 Enforcer image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "private-registry.nginx.com/nap/waf-enforcer", + "tag": "5.6.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + } + } + }, + "configManager": { + "type": "object", + "properties": { + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "private-registry.nginx.com/nap/waf-config-mgr", + "title": "The repository of the App Protect WAF v5 Config Manager image", + "examples": [ + "private-registry.nginx.com/nap/waf-config-mgr" + ] + }, + "tag": { + "type": "string", + "default": "5.6.0", + "title": "The tag of the App Protect WAF v5 Config Manager image", + "examples": [ + "5.6.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the App Protect WAF v5 Config Manager image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the App Protect WAF v5 Config Manager image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "private-registry.nginx.com/nap/waf-config-mgr", + "tag": "5.6.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + "securityContext": { + "type": "object", + "default": { + "allowPrivilegeEscalation": false, + "runAsUser": 101, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "all" + ] + } + }, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + } + } + } + }, + "examples": [ + { + "enable": true, + "logLevel": "fatal" + } + ] + }, + "appprotectdos": { + "type": "object", + "default": {}, + "title": "The App Protect DoS Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect DoS module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "boolean", + "default": false, + "title": "debugging for App Protect DoS", + "examples": [ + false, + true + ] + }, + "maxWorkers": { + "type": "integer", + "default": 0, + "title": "Max number of nginx processes to support", + "examples": [ + 0 + ] + }, + "maxDaemons": { + "type": "integer", + "default": 0, + "title": "Max number of ADMD instances", + "examples": [ + 0 + ] + }, + "memory": { + "type": "integer", + "default": 0, + "title": "RAM memory size to consume in MB", + "examples": [ + 0 + ] + } + }, + "examples": [ + { + "enable": true, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + } + ] + }, + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "The hostNetwork Schema", + "examples": [ + false, + true + ] + }, + "hostPort": { + "type": "object", + "default": {}, + "title": "The hostPort Schema", + "patternProperties": { + "^.*$": { + "anyOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + }, + { + "type": "boolean" + } + ] + } + }, + "additionalProperties": false + }, + "containerPort": { + "type": "object", + "default": {}, + "title": "The containerPort Schema", + "patternProperties": { + "^.*$": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + } + }, + "additionalProperties": false + }, + "dnsPolicy": { + "type": "string", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + }, + { + "enum": [ + "ClusterFirstWithHostNet", + "ClusterFirst", + "Default", + "None" + ] + } + ] + }, + "nginxDebug": { + "type": "boolean", + "default": false, + "title": "Enables debugging for NGINX", + "examples": [ + false, + true + ] + }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "info", + "title": "The logLevel of the Ingress Controller", + "enum": [ + "trace", + "debug", + "info", + "warning", + "error", + "fatal" + ], + "examples": [ + "info" + ] + }, + "logFormat": { + "type": "string", + "default": "glog", + "title": "The logFormat of the Ingress Controller", + "enum": [ + "glog", + "json", + "text" + ], + "examples": [ + "json" + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts to expose on the NGINX Ingress Controller pod", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + }, + "examples": [ + [ + { + "name": "http", + "containerPort": 80, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 443, + "protocol": "TCP" + } + ] + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "nginx/nginx-ingress", + "title": "The repository of the Ingress Controller", + "examples": [ + "nginx/nginx-ingress" + ] + }, + "tag": { + "type": "string", + "default": "5.0.0", + "title": "The tag of the Ingress Controller image", + "examples": [ + "5.0.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the Ingress Controller image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the Ingress Controller image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "nginx/nginx-ingress", + "tag": "5.0.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + "lifecycle": { + "type": "object", + "default": {}, + "title": "The lifecycle Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + }, + "customConfigMap": { + "type": "string", + "default": "", + "title": "The customConfigMap Schema", + "examples": [ + "" + ] + }, + "config": { + "type": "object", + "default": {}, + "title": "The config Schema", + "required": [], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "entries": { + "type": "object", + "default": {}, + "title": "The entries Schema", + "required": [], + "properties": {}, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "name": "", + "annotations": {}, + "entries": {} + } + ] + }, + "defaultTLS": { + "type": "object", + "default": {}, + "title": "The defaultTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "wildcardTLS": { + "type": "object", + "default": {}, + "title": "The wildcardTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [ + "" + ] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [ + "" + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "nodeSelector": { + "type": "object", + "default": {}, + "title": "The nodeSelector Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "default": 30, + "title": "The terminationGracePeriodSeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + }, + "podSecurityContext": { + "type": "object", + "default": {}, + "title": "The podSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "initContainerSecurityContext": { + "type": "object", + "default": {}, + "title": "The initContainerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "resources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "initContainerResources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "tolerations": { + "type": "array", + "default": [], + "title": "The tolerations Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + } + }, + "affinity": { + "type": "object", + "default": {}, + "title": "The affinity Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + }, + "topologySpreadConstraints": { + "type": "object", + "default": {}, + "title": "The topologySpreadConstraints Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + }, + "env": { + "type": "array", + "default": [], + "title": "The env Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + } + }, + "volumes": { + "type": "array", + "default": [], + "title": "The volumes Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "volumeMounts": { + "type": "array", + "default": [], + "title": "The volumeMounts Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + } + }, + "initContainers": { + "type": "array", + "default": [], + "title": "The initContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "minReadySeconds": { + "type": "integer", + "default": 0, + "title": "The minReadySeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + }, + "strategy": { + "type": "object", + "default": {}, + "title": "The strategy Schema", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + }, + { + "properties": { + "type": { + "type": "string", + "enum": [ + "Recreate", + "RollingUpdate", + "OnDelete" + ] + } + } + } + ] + }, + "extraContainers": { + "type": "array", + "default": [], + "title": "The extraContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "replicaCount": { + "type": "integer", + "default": 1, + "title": "The replicaCount", + "examples": [ + 1 + ] + }, + "ingressClass": { + "type": "object", + "default": {}, + "title": "The ingressClass", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "The create", + "examples": [ + true + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The ingressClass name", + "examples": [ + "nginx" + ] + }, + "setAsDefaultIngress": { + "type": "boolean", + "default": false, + "title": "The setAsDefaultIngress", + "examples": [ + false + ] + } + } + }, + "watchNamespace": { + "type": "string", + "default": "", + "title": "The watchNamespace", + "examples": [ + "" + ] + }, + "watchSecretNamespace": { + "type": "string", + "default": "", + "title": "The watchSecretNamespace", + "examples": [ + "" + ] + }, + "enableCustomResources": { + "type": "boolean", + "default": false, + "title": "The enableCustomResources", + "examples": [ + true + ] + }, + "enableOIDC": { + "type": "boolean", + "default": false, + "title": "The enableOIDC", + "examples": [ + false + ] + }, + "enableTLSPassthrough": { + "type": "boolean", + "default": false, + "title": "The enableTLSPassthrough", + "examples": [ + false + ] + }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, + "enableCertManager": { + "type": "boolean", + "default": false, + "title": "The enableCertManager", + "examples": [ + false + ] + }, + "enableExternalDNS": { + "type": "boolean", + "default": false, + "title": "The enableExternalDNS", + "examples": [ + false + ] + }, + "globalConfiguration": { + "type": "object", + "default": {}, + "title": "The globalConfiguration Schema", + "required": [ + "create", + "spec" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + false + ] + }, + "spec": { + "type": "object", + "default": {}, + "title": "The spec Schema", + "required": [], + "properties": { + "listeners": { + "type": "array", + "default": [], + "title": "The listeners Schema", + "items": { + "type": "object", + "default": {}, + "properties": { + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 5353 + ] + }, + "protocol": { + "type": "string", + "default": "", + "title": "The protocol", + "examples": [ + "TCP" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The name", + "examples": [ + "dns-tcp" + ] + }, + "ipv4": { + "type": "string", + "default": "", + "title": "The ipv4 ip", + "examples": [ + "127.0.0.1" + ] + }, + "ipv6": { + "type": "string", + "default": "", + "title": "The ipv6 ip", + "examples": [ + "::1" + ] + } + } + } + } + }, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "create": false, + "spec": {} + } + ] + }, + "enableSnippets": { + "type": "boolean", + "default": false, + "title": "The enableSnippets", + "examples": [ + false + ] + }, + "healthStatus": { + "type": "boolean", + "default": false, + "title": "The healthStatus", + "examples": [ + false + ] + }, + "healthStatusURI": { + "type": "string", + "format": "uri-reference", + "default": "/nginx-health", + "title": "The healthStatusURI Schema", + "examples": [ + "/nginx-health" + ] + }, + "nginxStatus": { + "type": "object", + "default": {}, + "title": "The nginxStatus Schema", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 8080, + "title": "The port", + "examples": [ + 8080 + ] + }, + "allowCidrs": { + "type": "string", + "default": "127.0.0.1", + "title": "The allowCidrs", + "examples": [ + "127.0.0.1" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + } + ] + }, + "service": { + "type": "object", + "default": {}, + "title": "The service Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + }, + "externalTrafficPolicy": { + "type": "string", + "default": "", + "title": "The externalTrafficPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels", + "required": [], + "properties": {}, + "examples": [ + {} + ] + }, + "loadBalancerIP": { + "type": "string", + "default": "", + "title": "The loadBalancerIP", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + }, + "externalIPs": { + "type": "array", + "default": [], + "title": "The externalIPs", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + }, + "loadBalancerSourceRanges": { + "type": "array", + "default": [], + "title": "The loadBalancerSourceRanges", + "items": {}, + "examples": [ + [] + ] + }, + "allocateLoadBalancerNodePorts": { + "type": "boolean", + "default": false, + "title": "The allocateLoadBalancerNodePorts Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + }, + "ipFamilyPolicy": { + "type": "string", + "default": "", + "title": "The ipFamilyPolicy Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "examples": [ + "" + ] + }, + "ipFamilies": { + "type": "array", + "default": [], + "title": "The ipFamilies Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + }, + "httpPort": { + "type": "object", + "default": {}, + "title": "The httpPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 80 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 80 + ] + }, + "name": { + "type": "string", + "default": "http", + "title": "The httpPort name", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80, + "name": "http" + } + ] + }, + "httpsPort": { + "type": "object", + "default": {}, + "title": "The httpsPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 443 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 443 + ] + } + }, + "name": { + "type": "string", + "default": "https", + "title": "The httpsPort name", + "examples": [ + "https" + ] + }, + "examples": [ + { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443, + "name": "https" + } + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts", + "items": { + "type": "object", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + } + } + }, + "examples": [ + { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "name": "", + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80, + "name": "http" + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443, + "name": "https" + }, + "customPorts": [] + } + ] + }, + "serviceAccount": { + "type": "object", + "default": {}, + "title": "The serviceAccount Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "imagePullSecretName": { + "type": "string", + "default": "", + "title": "The imagePullSecretName", + "examples": [ + "" + ] + }, + "imagePullSecretsNames": { + "type": "array", + "default": [], + "title": "The imagePullSecretName list", + "examples": [ + [] + ] + } + }, + "oneOf": [ + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "minItems": 1 + } + }, + "required": [ + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "minLength": 1 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "not": { + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + } + } + ], + "examples": [ + { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + } + ] + }, + "reportIngressStatus": { + "type": "object", + "default": {}, + "title": "The reportIngressStatus Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "externalService": { + "type": "string", + "default": "", + "title": "The externalService", + "examples": [ + "" + ] + }, + "ingressLink": { + "type": "string", + "default": "", + "title": "The ingressLink", + "examples": [ + "" + ] + }, + "enableLeaderElection": { + "type": "boolean", + "default": false, + "title": "The enableLeaderElection", + "examples": [ + true + ] + }, + "leaderElectionLockName": { + "type": "string", + "default": "", + "title": "The leaderElectionLockName", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + } + }, + "examples": [ + { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + } + ] + }, + "pod": { + "type": "object", + "default": {}, + "title": "The pod Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + }, + "examples": [ + { + "annotations": {}, + "extraLabels": {} + } + ] + }, + "priorityClassName": { + "type": "string", + "default": "", + "title": "The priorityClassName", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + }, + "podDisruptionBudget": { + "type": "object", + "default": {}, + "title": "The podDisruptionBudget Schema", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "minAvailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + }, + "maxUnavailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + } + }, + "examples": [ + { + "enable": true, + "minAvailable": 1 + }, + { + "enable": true, + "maxUnavailable": 1 + } + ] + }, + "readyStatus": { + "type": "object", + "default": {}, + "title": "The readyStatus", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 8081 + ] + }, + "initialDelaySeconds": { + "type": "integer", + "default": 0, + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + } + }, + "examples": [ + { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + } + ] + }, + "enableLatencyMetrics": { + "type": "boolean", + "default": false, + "title": "The enableLatencyMetrics", + "examples": [ + false + ] + }, + "disableIPV6": { + "type": "boolean", + "default": false, + "title": "The disableIPV6", + "examples": [ + false + ] + }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, + "readOnlyRootFilesystem": { + "type": "boolean", + "default": false, + "title": "The readOnlyRootFilesystem", + "examples": [ + false + ] + }, + "enableSSLDynamicReload": { + "type": "boolean", + "default": true, + "title": "Enable dynamic certificate reloads for NGINX Plus", + "examples": [ + true + ] + }, + "telemetryReporting": { + "type": "object", + "default": {}, + "title": "Configure telemetry reporting options", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": true, + "title": "Enable telemetry reporting", + "examples": [ + true + ] + } + } + }, + "enableWeightChangesDynamicReload": { + "type": "boolean", + "default": false, + "title": "Enables weight changes without reloading for NGINX Plus", + "examples": [ + false + ] + } + }, + "examples": [ + { + "name": "controller", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "v5": false, + "logLevel": "fatal", + "volumes": [ + { + "name": "app-protect-bd-config", + "emptyDir": {} + }, + { + "name": "app-protect-config", + "emptyDir": {} + }, + { + "name": "app-protect-bundles", + "emptyDir": {} + } + ], + "enforcer": { + "host": "127.0.0.1", + "port": 50000, + "image": { + "repository": "private-registry.nginx.com/nap/waf-enforcer", + "tag": "5.6.0", + "pullPolicy": "IfNotPresent" + }, + "securityContext": {} + }, + "configManager": { + "image": { + "repository": "private-registry.nginx.com/nap/waf-config-mgr", + "tag": "5.6.0", + "pullPolicy": "IfNotPresent" + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "runAsUser": 101, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "all" + ] + } + } + } + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "hostPort": { + "enable": false, + "http": 80, + "https": 443 + }, + "containerPort": { + "http": 80, + "https": 443 + }, + "dnsPolicy": "ClusterFirst", + "nginxDebug": false, + "shareProcessNamespace": false, + "logLevel": "info", + "logFormat": "glog", + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "5.0.0", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "autoscaling": { + "enabled": false, + "annotations": {}, + "minReplicas": 1, + "maxReplicas": 3, + "targetCPUUtilizationPercentage": 50, + "targetMemoryUtilizationPercentage": 50, + "behavior": {} + }, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "podSecurityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "securityContext": {}, + "initContainerSecurityContext": {}, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 1, + "minUnavailable": 1 + }, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": { + "name": "nginx", + "create": true, + "setAsDefaultIngress": false + }, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "clusterIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": 8443, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": 8443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "annotations": {}, + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false, + "enableSSLDynamicReload": true, + "telemetryReporting": { + "enable": true + }, + "enableWeightChangesDynamicReload": false + } + ] + }, + "rbac": { + "type": "object", + "default": {}, + "title": "The rbac Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "create": true + } + ] + }, + "prometheus": { + "type": "object", + "default": {}, + "title": "The prometheus Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9113, + "title": "The port", + "examples": [ + 9113 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + }, + "service": { + "type": "object", + "default": {}, + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + } + }, + "serviceMonitor": { + "type": "object", + "default": {}, + "title": "The serviceMonitor Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + false + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + }, + "selectorMatchLabels": { + "type": "object", + "default": {}, + "title": "The selectorMatchLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "endpoints": { + "type": "array", + "default": [], + "title": "The endpoints", + "required": [], + "items": {} + } + }, + "examples": [ + { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": [] + } + ] + } + }, + "examples": [ + { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http" + } + ] + }, + "serviceInsight": { + "type": "object", + "default": {}, + "title": "The Service Insight Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9114, + "title": "The port", + "examples": [ + 9114 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + } + ] + }, + "nginxServiceMesh": { + "type": "object", + "default": {}, + "title": "The nginxServiceMesh Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + false + ] + }, + "enableEgress": { + "type": "boolean", + "default": false, + "title": "The enableEgress", + "examples": [ + false + ] + } + }, + "examples": [ + { + "enable": false, + "enableEgress": false + } + ] + }, + "nginxAgent": { + "type": "object", + "default": { + "enable": false + }, + "title": "Configuration for NGINX Agent.", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable NGINX Agent", + "examples": [ + false + ] + }, + "instanceGroup": { + "type": "string", + "default": "", + "title": "Set the --instance-group argument for NGINX Agent", + "examples": [ + "my-instance-group" + ] + }, + "logLevel": { + "type": "string", + "default": "info", + "title": "Log level for NGINX Agent", + "enum": [ + "panic", + "fatal", + "error", + "info", + "debug", + "trace" + ], + "examples": [ + "error" + ] + }, + "instanceManager": { + "type": "object", + "default": {}, + "title": "Configuration for the connection to NGINX Instance Manager", + "examples": [], + "required": [ + "host" + ], + "properties": { + "host": { + "type": "string", + "title": "FQDN or IP for connecting to NGINX Instance Manager", + "examples": [ + "nim.example.com" + ] + }, + "grpcPort": { + "type": "integer", + "title": "Port for connecting to NGINX Instance Manager", + "default": 443, + "examples": [ + 443 + ] + }, + "sni": { + "type": "string", + "title": "Server Name Indication for NGINX Instance Manager", + "default": "", + "examples": [ + "nim.example.com" + ] + }, + "tls": { + "type": "object", + "default": {}, + "title": "TLS configuration for connection between NGINX Agent and NGINX Instance Manager", + "properties": { + "enable": { + "type": "boolean", + "default": "true", + "title": "enable TLS for NGINX Instance Manager connection" + }, + "secret": { + "type": "string", + "default": "", + "title": "kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager" + }, + "caSecret": { + "type": "string", + "default": "", + "title": "nginx.org/ca secret for verification of Instance Manager TLS" + }, + "skipVerify": { + "type": "boolean", + "default": "false", + "title": "skip certificate verification" + } + } + } + } + }, + "syslog": { + "type": "object", + "default": { + "host": "127.0.0.1", + "port": 1514 + }, + "title": "Syslog listener which NGINX Agent uses to accept messages from App Protect WAF", + "properties": { + "host": { + "type": "string", + "title": "Address for NGINX Agent to run syslog listener", + "default": "127.0.0.1", + "examples": [ + "127.0.0.1" + ] + }, + "port": { + "type": "integer", + "title": "Port for NGINX Agent to run syslog listener", + "default": 1514, + "examples": [ + 1514 + ] + } + } + }, + "napMonitoring": { + "type": "object", + "default": {}, + "title": "NGINX App Protect Monitoring config", + "properties": { + "collectorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for collector. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + }, + "processorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for processor. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + } + } + }, + "customConfigMap": { + "type": "string", + "title": "The name of a custom ConfigMap to use instead of the one provided by default", + "default": "", + "examples": [ + "my-custom-configmap" + ] + } + } + } + }, + "examples": [ + { + "controller": { + "name": "controller", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "v5": false, + "logLevel": "fatal", + "volumes": [ + { + "name": "app-protect-bd-config", + "emptyDir": {} + }, + { + "name": "app-protect-config", + "emptyDir": {} + }, + { + "name": "app-protect-bundles", + "emptyDir": {} + } + ], + "enforcer": { + "host": "127.0.0.1", + "port": 50000, + "image": { + "repository": "private-registry.nginx.com/nap/waf-enforcer", + "tag": "5.6.0", + "pullPolicy": "IfNotPresent" + }, + "securityContext": {} + }, + "configManager": { + "image": { + "repository": "private-registry.nginx.com/nap/waf-config-mgr", + "tag": "5.6.0", + "pullPolicy": "IfNotPresent" + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "runAsUser": 101, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "all" + ] + } + } + } + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "hostPort": { + "enable": false, + "http": 80, + "https": 443 + }, + "containerPort": { + "http": 80, + "https": 443 + }, + "dnsPolicy": "ClusterFirst", + "nginxDebug": false, + "shareProcessNamespace": false, + "logLevel": "info", + "logFormat": "glog", + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "5.0.0", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "autoscaling": { + "enabled": false, + "annotations": {}, + "minReplicas": 1, + "maxReplicas": 3, + "targetCPUUtilizationPercentage": 50, + "targetMemoryUtilizationPercentage": 50, + "behavior": {} + }, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "podSecurityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "securityContext": {}, + "initContainerSecurityContext": {}, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 1, + "minUnavailable": 1 + }, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": { + "name": "nginx", + "create": true, + "setAsDefaultIngress": false + }, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "clusterIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": 8080, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": 8443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "annotations": {}, + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false, + "enableSSLDynamicReload": true, + "telemetryReporting": { + "enable": true + }, + "enableWeightChangesDynamicReload": false + }, + "rbac": { + "create": true, + "clusterrole": { + "create": true + } + }, + "prometheus": { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http", + "service": { + "create": false, + "labels": { + "service": "nginx-ingress-prometheus-service" + } + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": { + "service": "nginx-ingress-prometheus-service" + }, + "endpoints": [ + { + "port": "prometheus" + } + ] + } + }, + "serviceInsight": { + "create": false, + "port": 9114, + "secret": "", + "scheme": "http" + }, + "nginxServiceMesh": { + "enable": false, + "enableEgress": false + }, + "nginxAgent": { + "enable": false, + "instanceGroup": "", + "logLevel": "error", + "syslog": { + "host": "127.0.0.1", + "port": 1514 + }, + "napMonitoring": { + "collectorBufferSize": 50000, + "processorBufferSize": 50000 + }, + "instanceManager": { + "host": "", + "grpcPort": 443, + "sni": "", + "tls": { + "enabled": true, + "skipVerify": false, + "secret": "", + "caSecret": "" + } + }, + "customConfigMap": "" + } + } + ] +} diff --git a/nginx-ingress/values.yaml b/nginx-ingress/values.yaml new file mode 100644 index 0000000000..48bf04d894 --- /dev/null +++ b/nginx-ingress/values.yaml @@ -0,0 +1,691 @@ +controller: + ## The name of the Ingress Controller daemonset or deployment. + name: controller + + ## The kind of the Ingress Controller installation - deployment or daemonset. + kind: deployment + + ## The selectorLabels used to override the default values. + selectorLabels: {} + + ## Annotations for deployments and daemonsets + annotations: {} + + ## Deploys the Ingress Controller for NGINX Plus. + nginxplus: false + + ## Configures NGINX mgmt block for NGINX Plus + mgmt: + ## Secret name of license token for NGINX Plus + licenseTokenSecretName: "license-token" # required for NGINX Plus + + ## Enables the 180-day grace period for sending the initial usage report + # enforceInitialReport: false + + # usageReport: + # endpoint: "product.connect.nginx.com" # Endpoint for usage report + # interval: 1h + # proxyHost: "proxy.example.com:3138" # Proxy server for usage report, with optional port + # proxyCredentialsSecretName: "proxy-credentials" # Secret containing proxy credentials, must contain a `username` and `password` field + + ## Configures the ssl_verify directive in the mgmt block + # sslVerify: true + + ## Configures the resolver directive in the mgmt block + # resolver: + # ipv6: true + # valid: 1s + # addresses: + # - kube-dns.kube-system.svc.cluster.local + + ## Secret containing TLS client certificate + # sslCertificateSecretName: ssl-certificate # kubernetes.io/tls secret type + + ## Secret containing trusted CA certificate + # sslTrustedCertificateSecretName: ssl-trusted-cert + + # configMapName allows changing the name of the MGMT config map + # the name should not include a namespace + # configMapName: "" + + + ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + nginxReloadTimeout: 60000 + + ## Support for App Protect WAF + appprotect: + ## Enable the App Protect WAF module in the Ingress Controller. + enable: false + ## Enables App Protect WAF v5. + v5: false + ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace + # logLevel: fatal + + # Volumes for App Protect WAF v5 + # Required volumes are: app-protect-bd-config, app-protect-config, and app-protect-bundles + volumes: + - name: app-protect-bd-config + emptyDir: {} + - name: app-protect-config + emptyDir: {} + - name: app-protect-bundles + emptyDir: {} + + ## Configuration for App Protect WAF v5 Enforcer + enforcer: + # Host that the App Protect WAF v5 Enforcer runs on. + # This will normally be "127.0.0.1" as the Enforcer container + # will run in the same pod as the Ingress Controller container. + host: "127.0.0.1" + # Port that the App Protect WAF v5 Enforcer runs on. + port: 50000 + image: + ## The image repository of the App Protect WAF v5 Enforcer. + repository: private-registry.nginx.com/nap/waf-enforcer + + ## The tag of the App Protect WAF v5 Enforcer image. + tag: "5.6.0" + ## The digest of the App Protect WAF v5 Enforcer image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the App Protect WAF v5 Enforcer image. + pullPolicy: IfNotPresent + securityContext: {} + + ## Configuration for App Protect WAF v5 Configuration Manager + configManager: + image: + ## The image repository of the App Protect WAF v5 Configuration Manager. + repository: private-registry.nginx.com/nap/waf-config-mgr + + ## The tag of the App Protect WAF v5 Configuration Manager image. + tag: "5.6.0" + ## The digest of the App Protect WAF v5 Configuration Manager image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the App Protect WAF v5 Configuration Manager image. + pullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - all + + ## Support for App Protect DoS + appprotectdos: + ## Enable the App Protect DoS module in the Ingress Controller. + enable: false + ## Enable debugging for App Protect DoS. + debug: false + ## Max number of nginx processes to support. + maxWorkers: 0 + ## Max number of ADMD instances. + maxDaemons: 0 + ## RAM memory size to consume in MB. + memory: 0 + + ## Enables the Ingress Controller pods to use the host's network namespace. + hostNetwork: false + + ## The hostPort configuration for the Ingress Controller pods. + hostPort: + ## Enables hostPort for the Ingress Controller pods. + enable: false + + ## The HTTP hostPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS hostPort configuration for the Ingress Controller pods. + https: 443 + + containerPort: + ## The HTTP containerPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS containerPort configuration for the Ingress Controller pods. + https: 443 + + ## DNS policy for the Ingress Controller pods + dnsPolicy: ClusterFirst + + ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. + nginxDebug: false + + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false + + ## The log level of the Ingress Controller. Options include: trace, debug, info, warning, error, fatal + logLevel: info + + ## Sets the log format of Ingress Controller. Options include: glog, json, text + logFormat: glog + + ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + + image: + ## The image repository of the Ingress Controller. + repository: nginx/nginx-ingress + + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "5.0.0" + ## The digest of the Ingress Controller image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the Ingress Controller image. + pullPolicy: IfNotPresent + + ## The lifecycle of the Ingress Controller pods. + lifecycle: {} + + ## The custom ConfigMap to use instead of the one provided by default + customConfigMap: "" + + config: + ## The name of the ConfigMap used by the Ingress Controller. + ## Autogenerated if not set or set to "". + # name: nginx-config + + ## The annotations of the Ingress Controller configmap. + annotations: {} + + ## The entries of the ConfigMap for customizing NGINX configuration. + entries: {} + + ## It is recommended to use your own TLS certificates and keys + defaultTLS: + ## The base64-encoded TLS certificate for the default HTTPS server. + ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + cert: "" + + ## The base64-encoded TLS key for the default HTTPS server. + ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + key: "" + + ## The secret with a TLS certificate and key for the default HTTPS server. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. + ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + ## Format: / + secret: "" + + wildcardTLS: + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + cert: "" + + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + key: "" + + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. + ## Format: / + secret: "" + + ## The node selector for pod assignment for the Ingress Controller pods. + # nodeSelector: {} + + ## The termination grace period of the Ingress Controller pod. + terminationGracePeriodSeconds: 30 + + ## HorizontalPodAutoscaling (HPA) + autoscaling: + ## Enables HorizontalPodAutoscaling. + enabled: false + ## The annotations of the Ingress Controller HorizontalPodAutoscaler. + annotations: {} + ## Minimum number of replicas for the HPA. + minReplicas: 1 + ## Maximum number of replicas for the HPA. + maxReplicas: 3 + ## The target cpu utilization percentage. + targetCPUUtilizationPercentage: 50 + ## The target memory utilization percentage. + targetMemoryUtilizationPercentage: 50 + ## Custom behavior policies + behavior: {} + + ## The resources of the Ingress Controller pods. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The security context for the Ingress Controller pods. + podSecurityContext: + seccompProfile: + type: RuntimeDefault + + ## The security context for the Ingress Controller containers. + securityContext: + {} # Remove curly brackets before adding values + # allowPrivilegeEscalation: true + # readOnlyRootFilesystem: true + # runAsUser: 101 #nginx + # runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # add: + # - NET_BIND_SERVICE + + ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerSecurityContext: {} + + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerResources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The tolerations of the Ingress Controller pods. + tolerations: [] + + ## The affinity of the Ingress Controller pods. + affinity: {} + + ## The topology spread constraints of the Ingress controller pods. + # topologySpreadConstraints: {} + + ## The additional environment variables to be set on the Ingress Controller pods. + env: [] + # - name: MY_VAR + # value: myvalue + + ## The volumes of the Ingress Controller pods. + volumes: [] + # - name: extra-conf + # configMap: + # name: extra-conf + + ## The volumeMounts of the Ingress Controller pods. + volumeMounts: [] + # - name: extra-conf + # mountPath: /etc/nginx/conf.d/extra.conf + # subPath: extra.conf + + ## InitContainers for the Ingress Controller pods. + initContainers: [] + # - name: init-container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is initial setup!'] + + ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. + minReadySeconds: 0 + + ## Pod disruption budget for the Ingress Controller pods. + podDisruptionBudget: + ## Enables PodDisruptionBudget. + enabled: false + ## The annotations of the Ingress Controller pod disruption budget. + annotations: {} + ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". + # minAvailable: 1 + ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". + # maxUnavailable: 1 + + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + strategy: {} + + ## Extra containers for the Ingress Controller pods. + extraContainers: [] + # - name: container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is a sidecar!'] + + ## The number of replicas of the Ingress Controller deployment. + replicaCount: 1 + + ## Configures the ingress class the Ingress Controller uses. + ingressClass: + ## A class of the Ingress Controller. + + ## IngressClass resource with the name equal to the class must be deployed. Otherwise, + ## the Ingress Controller will fail to start. + ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. + + ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. + name: nginx + + ## Creates a new IngressClass object with the name "controller.ingressClass.name". To use an existing IngressClass with the same name, set this value to false. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. + create: true + + ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". + setAsDefaultIngress: false + + ## Comma separated list of namespaces to watch for Ingress resources. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + watchNamespace: "" + + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + watchNamespaceLabel: "" + + ## Comma separated list of namespaces to watch for Secret resources. By default, the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + + ## Enable the custom resources. + enableCustomResources: true + + ## Enable OIDC policies. + enableOIDC: false + + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. + enableTLSPassthrough: false + + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. + enableCertManager: false + + ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. + enableExternalDNS: false + + globalConfiguration: + ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. + create: false + + ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. + spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + # listeners: + # - name: dns-udp + # port: 5353 + # protocol: UDP + # - name: dns-tcp + # port: 5353 + # protocol: TCP + + ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. + enableSnippets: false + + ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. + ## Useful for external health-checking of the Ingress Controller. + healthStatus: false + + ## Sets the URI of health status location in the default server. Requires controller.healthStatus. + healthStatusURI: "/nginx-health" + + nginxStatus: + ## Enable the NGINX stub_status, or the NGINX Plus API. + enable: true + + ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. + port: 8080 + + ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. + allowCidrs: "127.0.0.1" + + service: + ## Creates a service to expose the Ingress Controller pods. + create: true + + ## The type of service to create for the Ingress Controller. + type: LoadBalancer + + ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. + externalTrafficPolicy: Local + + ## The annotations of the Ingress Controller service. + annotations: {} + + ## The extra labels of the service. + extraLabels: {} + + ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerIP: "" + + ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. + clusterIP: "" + + ## The list of external IPs for the Ingress Controller service. + externalIPs: [] + + ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerSourceRanges: [] + + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + ## Dual stack preference. + ## Valid values: SingleStack, PreferDualStack, RequireDualStack + # ipFamilyPolicy: SingleStack + + ## List of IP families assigned to this service. + ## Valid values: IPv4, IPv6 + # ipFamilies: + # - IPv6 + + httpPort: + ## Enables the HTTP port for the Ingress Controller service. + enable: true + + ## The HTTP port of the Ingress Controller service. + port: 80 + + ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort or LoadBalancer. + # nodePort: 80 + + ## The HTTP port on the POD where the Ingress Controller service is running. + targetPort: 80 + + ## The name of the HTTP port. + name: "http" + + httpsPort: + ## Enables the HTTPS port for the Ingress Controller service. + enable: true + + ## The HTTPS port of the Ingress Controller service. + port: 443 + + ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort or LoadBalancer. + # nodePort: 443 + + ## The HTTPS port on the POD where the Ingress Controller service is running. + targetPort: 443 + + ## The name of the HTTPS port. + name: "https" + + ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + + serviceAccount: + ## The annotations of the service account of the Ingress Controller pods. + annotations: {} + + ## The name of the service account of the Ingress Controller pods. Used for RBAC. + ## Autogenerated if not set or set to "". + # name: nginx-ingress + + ## The name of the secret containing docker registry credentials. + ## Secret must exist in the same namespace as the helm release. + imagePullSecretName: "" + + ## A list of secret names containing docker registry credentials. + ## Secrets must exist in the same namespace as the helm release. + imagePullSecretsNames: [] + + reportIngressStatus: + ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. + ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, + ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. + ## Note: controller.config.entries.external-status-address takes precedence over the others. + enable: true + + ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. + ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ## The default is autogenerated and matches the created service (see controller.service.create). + # externalService: nginx-ingress + + ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. + ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ingressLink: "" + + ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. + enableLeaderElection: true + + ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + ## The default is autogenerated. + leaderElectionLockName: "" + + ## The annotations of the leader election Lease. + annotations: {} + + pod: + ## The annotations of the Ingress Controller pod. + annotations: {} + + ## The additional extra labels of the Ingress Controller pod. + extraLabels: {} + + ## The PriorityClass of the Ingress Controller pods. + # priorityClassName: "" + + readyStatus: + ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. + enable: true + + ## Set the port where the readiness endpoint is exposed. + port: 8081 + + ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. + initialDelaySeconds: 0 + + ## Enable collection of latency metrics for upstreams. Requires prometheus.create. + enableLatencyMetrics: false + + ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. + disableIPV6: false + + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + + ## Configure root filesystem as read-only and add volumes for temporary data. + ## Three major releases after 3.5.x this argument will be moved to the `securityContext` section. + ## This value will not be used if `controller.securityContext` is set + readOnlyRootFilesystem: false + + ## Enable dynamic reloading of certificates + enableSSLDynamicReload: true + + ## Configure telemetry reporting options + telemetryReporting: + ## Enable telemetry reporting + enable: true + + ## Allows weight adjustments without reloading the NGINX Configuration for two-way splits in NGINX Plus. + ## May require increasing map_hash_bucket_size, map_hash_max_size, + ## variable_hash_bucket_size, and variable_hash_max_size in the ConfigMap based on the number of two-way splits. + enableWeightChangesDynamicReload: false + +rbac: + ## Configures RBAC. + create: true + + clusterrole: + ## Create ClusterRole + create: true + +prometheus: + ## Expose NGINX or NGINX Plus metrics in the Prometheus format. + create: true + + ## Configures the port to scrape the metrics. + port: 9113 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + + service: + ## Creates a ClusterIP Service to expose Prometheus metrics internally + ## Requires prometheus.create=true + create: false + + labels: + service: "nginx-ingress-prometheus-service" + + serviceMonitor: + ## Creates a serviceMonitor to expose statistics on the kubernetes pods. + create: false + + ## Kubernetes object labels to attach to the serviceMonitor object. + labels: {} + + ## A set of labels to allow the selection of endpoints for the ServiceMonitor. + selectorMatchLabels: + service: "nginx-ingress-prometheus-service" + + ## A list of endpoints allowed as part of this ServiceMonitor. + ## Matches on the name of a Service port. + endpoints: + - port: prometheus + +serviceInsight: + ## Expose NGINX Plus Service Insight endpoint. + create: false + + ## Configures the port to expose endpoint. + port: 9114 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + +nginxServiceMesh: + ## Enables integration with NGINX Service Mesh. + enable: false + + ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. + ## Requires nginxServiceMesh.enable + enableEgress: false + +nginxAgent: + ## Enables NGINX Agent. + enable: false + ## If nginxAgent.instanceGroup is not set the value of nginx-ingress.controller.fullname will be used + instanceGroup: "" + logLevel: "error" + ## Syslog listener which NGINX Agent uses to accept messages from App Protect WAF + syslog: + host: "127.0.0.1" + port: 1514 + napMonitoring: + collectorBufferSize: 50000 + processorBufferSize: 50000 + instanceManager: + # FQDN or IP for connecting to NGINX Instance Manager, e.g. nim.example.com + host: "" + grpcPort: 443 + sni: "" + tls: + enabled: true + skipVerify: false + ## kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager + secret: "" + ## nginx.org/ca secret for verification of Instance Manager TLS + caSecret: "" + ## The name of a custom ConfigMap to use instead of the one provided by default + customConfigMap: "" diff --git a/pkg/apis/configuration/validation/common.go b/pkg/apis/configuration/validation/common.go index 10ba10e399..ab0d3a59ef 100644 --- a/pkg/apis/configuration/validation/common.go +++ b/pkg/apis/configuration/validation/common.go @@ -38,7 +38,7 @@ func validateVariable(nVar string, validVars map[string]bool, fieldPath *field.P // isValidSpecialHeaderLikeVariable validates special variables $http_, $jwt_header_, $jwt_claim_ func isValidSpecialHeaderLikeVariable(value string) []string { // underscores in a header-like variable represent '-'. - errMsgs := validation.IsHTTPHeaderName(strings.Replace(value, "_", "-", -1)) + errMsgs := validation.IsHTTPHeaderName(strings.ReplaceAll(value, "_", "-")) if len(errMsgs) >= 1 || strings.Contains(value, "-") { return []string{"a valid special variable must consists of alphanumeric characters or '_'"} } diff --git a/pkg/apis/externaldns/validation/externaldns.go b/pkg/apis/externaldns/validation/externaldns.go index bcfd81556f..da27da6756 100644 --- a/pkg/apis/externaldns/validation/externaldns.go +++ b/pkg/apis/externaldns/validation/externaldns.go @@ -53,7 +53,7 @@ func validateTargets(targets v1.Targets) error { switch { case strings.Contains(target, ":"): if errMsg := validation.IsValidIPForLegacyField(field.NewPath(""), target, false, nil); len(errMsg) > 0 { - return fmt.Errorf("%w: target %q is invalid: %s", ErrTypeInvalid, target, errMsg[0]) + return fmt.Errorf("%w: target %q is invalid: %w", ErrTypeInvalid, target, errMsg[0]) } default: if err := isFullyQualifiedDomainName(target); err != nil { diff --git a/release_notes.json b/release_notes.json new file mode 100644 index 0000000000..89c5fcc2e7 --- /dev/null +++ b/release_notes.json @@ -0,0 +1,1623 @@ +{ + "Miscellaneous": [ + { + "title": "PR #1373", + "number": 1373, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1373" + }, + { + "title": "PR #1439", + "number": 1439, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1439" + }, + { + "title": "PR #1440", + "number": 1440, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1440" + }, + { + "title": "PR #1304", + "number": 1304, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1304" + }, + { + "title": "PR #1281", + "number": 1281, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1281" + }, + { + "title": "PR #1290", + "number": 1290, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1290" + }, + { + "title": "PR #1232", + "number": 1232, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1232" + }, + { + "title": "PR #1228", + "number": 1228, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1228" + }, + { + "title": "PR #1299", + "number": 1299, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1299" + }, + { + "title": "PR #1291", + "number": 1291, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1291" + }, + { + "title": "PR #1290", + "number": 1290, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1290" + }, + { + "title": "PR #1225", + "number": 1225, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1225" + }, + { + "title": "PR #1237", + "number": 1237, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1237" + }, + { + "title": "PR #1270", + "number": 1270, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1270" + }, + { + "title": "PR #1277", + "number": 1277, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1277" + }, + { + "title": "PR #1232", + "number": 1232, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1232" + }, + { + "title": "PR #1225", + "number": 1225, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1225" + }, + { + "title": "PR #1180", + "number": 1180, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1180" + }, + { + "title": "PR #1166", + "number": 1166, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1166" + }, + { + "title": "PR #1154", + "number": 1154, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1154" + }, + { + "title": "PR #1120", + "number": 1120, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1120" + }, + { + "title": "PR #1058", + "number": 1058, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1058" + }, + { + "title": "PR #1147", + "number": 1147, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1147" + }, + { + "title": "PR #1131", + "number": 1131, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1131" + }, + { + "title": "PR #1100", + "number": 1100, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1100" + }, + { + "title": "PR #1085", + "number": 1085, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1085" + }, + { + "title": "PR #1105", + "number": 1105, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1105" + }, + { + "title": "PR #1133", + "number": 1133, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1133" + }, + { + "title": "PR #1148", + "number": 1148, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1148" + }, + { + "title": "PR #1182", + "number": 1182, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1182" + }, + { + "title": "PR #1036", + "number": 1036, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1036" + }, + { + "title": "PR #1028", + "number": 1028, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1028" + }, + { + "title": "PR #1019", + "number": 1019, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1019" + }, + { + "title": "PR #1006", + "number": 1006, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1006" + }, + { + "title": "PR #994", + "number": 994, + "url": "https://github.com/nginx/kubernetes-ingress/pull/994" + }, + { + "title": "PR #973", + "number": 973, + "url": "https://github.com/nginx/kubernetes-ingress/pull/973" + }, + { + "title": "PR #1035", + "number": 1035, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1035" + }, + { + "title": "PR #1034", + "number": 1034, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1034" + }, + { + "title": "PR #1029", + "number": 1029, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" + }, + { + "title": "PR #1003", + "number": 1003, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1003" + }, + { + "title": "PR #1047", + "number": 1047, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1047" + }, + { + "title": "PR #1009", + "number": 1009, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1009" + }, + { + "title": "PR #1029", + "number": 1029, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" + }, + { + "title": "PR #980", + "number": 980, + "url": "https://github.com/nginx/kubernetes-ingress/pull/980" + }, + { + "title": "PR #868", + "number": 868, + "url": "https://github.com/nginx/kubernetes-ingress/pull/868" + }, + { + "title": "PR #847", + "number": 847, + "url": "https://github.com/nginx/kubernetes-ingress/pull/847" + }, + { + "title": "PR #921", + "number": 921, + "url": "https://github.com/nginx/kubernetes-ingress/pull/921" + }, + { + "title": "PR #878", + "number": 878, + "url": "https://github.com/nginx/kubernetes-ingress/pull/878" + }, + { + "title": "PR #807", + "number": 807, + "url": "https://github.com/nginx/kubernetes-ingress/pull/807" + }, + { + "title": "PR #854", + "number": 854, + "url": "https://github.com/nginx/kubernetes-ingress/pull/854" + }, + { + "title": "PR #852", + "number": 852, + "url": "https://github.com/nginx/kubernetes-ingress/pull/852" + }, + { + "title": "PR #847", + "number": 847, + "url": "https://github.com/nginx/kubernetes-ingress/pull/847" + }, + { + "title": "PR #827", + "number": 827, + "url": "https://github.com/nginx/kubernetes-ingress/pull/827" + }, + { + "title": "PR #825", + "number": 825, + "url": "https://github.com/nginx/kubernetes-ingress/pull/825" + }, + { + "title": "PR #780", + "number": 780, + "url": "https://github.com/nginx/kubernetes-ingress/pull/780" + }, + { + "title": "PR #778", + "number": 778, + "url": "https://github.com/nginx/kubernetes-ingress/pull/778" + }, + { + "title": "PR #766", + "number": 766, + "url": "https://github.com/nginx/kubernetes-ingress/pull/766" + }, + { + "title": "PR #748", + "number": 748, + "url": "https://github.com/nginx/kubernetes-ingress/pull/748" + }, + { + "title": "PR #745", + "number": 745, + "url": "https://github.com/nginx/kubernetes-ingress/pull/745" + }, + { + "title": "PR #728", + "number": 728, + "url": "https://github.com/nginx/kubernetes-ingress/pull/728" + }, + { + "title": "PR #724", + "number": 724, + "url": "https://github.com/nginx/kubernetes-ingress/pull/724" + }, + { + "title": "PR #712", + "number": 712, + "url": "https://github.com/nginx/kubernetes-ingress/pull/712" + }, + { + "title": "PR #707", + "number": 707, + "url": "https://github.com/nginx/kubernetes-ingress/pull/707" + }, + { + "title": "PR #701", + "number": 701, + "url": "https://github.com/nginx/kubernetes-ingress/pull/701" + }, + { + "title": "PR #693", + "number": 693, + "url": "https://github.com/nginx/kubernetes-ingress/pull/693" + }, + { + "title": "PR #670", + "number": 670, + "url": "https://github.com/nginx/kubernetes-ingress/pull/670" + }, + { + "title": "PR #660", + "number": 660, + "url": "https://github.com/nginx/kubernetes-ingress/pull/660" + }, + { + "title": "PR #659", + "number": 659, + "url": "https://github.com/nginx/kubernetes-ingress/pull/659" + }, + { + "title": "PR #655", + "number": 655, + "url": "https://github.com/nginx/kubernetes-ingress/pull/655" + }, + { + "title": "PR #653", + "number": 653, + "url": "https://github.com/nginx/kubernetes-ingress/pull/653" + }, + { + "title": "PR #641", + "number": 641, + "url": "https://github.com/nginx/kubernetes-ingress/pull/641" + }, + { + "title": "PR #635", + "number": 635, + "url": "https://github.com/nginx/kubernetes-ingress/pull/635" + }, + { + "title": "PR #634", + "number": 634, + "url": "https://github.com/nginx/kubernetes-ingress/pull/634" + }, + { + "title": "PR #628", + "number": 628, + "url": "https://github.com/nginx/kubernetes-ingress/pull/628" + }, + { + "title": "PR #621", + "number": 621, + "url": "https://github.com/nginx/kubernetes-ingress/pull/621" + }, + { + "title": "PR #617", + "number": 617, + "url": "https://github.com/nginx/kubernetes-ingress/pull/617" + }, + { + "title": "PR #612", + "number": 612, + "url": "https://github.com/nginx/kubernetes-ingress/pull/612" + }, + { + "title": "PR #607", + "number": 607, + "url": "https://github.com/nginx/kubernetes-ingress/pull/607" + }, + { + "title": "PR #596", + "number": 596, + "url": "https://github.com/nginx/kubernetes-ingress/pull/596" + }, + { + "title": "PR #750", + "number": 750, + "url": "https://github.com/nginx/kubernetes-ingress/pull/750" + }, + { + "title": "PR #636", + "number": 636, + "url": "https://github.com/nginx/kubernetes-ingress/pull/636" + }, + { + "title": "PR #600", + "number": 600, + "url": "https://github.com/nginx/kubernetes-ingress/pull/600" + }, + { + "title": "PR #581", + "number": 581, + "url": "https://github.com/nginx/kubernetes-ingress/pull/581" + }, + { + "title": "PR #722", + "number": 722, + "url": "https://github.com/nginx/kubernetes-ingress/pull/722" + }, + { + "title": "PR #573", + "number": 573, + "url": "https://github.com/nginx/kubernetes-ingress/pull/573" + }, + { + "title": "PR #799", + "number": 779, + "url": "https://github.com/nginx/kubernetes-ingress/pull/779" + }, + { + "title": "PR #772", + "number": 772, + "url": "https://github.com/nginx/kubernetes-ingress/pull/772" + }, + { + "title": "PR #748", + "number": 748, + "url": "https://github.com/nginx/kubernetes-ingress/pull/748" + }, + { + "title": "PR #745", + "number": 745, + "url": "https://github.com/nginx/kubernetes-ingress/pull/745" + }, + { + "title": "PR #710", + "number": 710, + "url": "https://github.com/nginx/kubernetes-ingress/pull/710" + }, + { + "title": "PR #603", + "number": 603, + "url": "https://github.com/nginx/kubernetes-ingress/pull/603" + }, + { + "title": "PR #593", + "number": 593, + "url": "https://github.com/nginx/kubernetes-ingress/pull/593" + }, + { + "title": "PR #593", + "number": 593, + "url": "https://github.com/nginx/kubernetes-ingress/pull/593" + }, + { + "title": "PR #562", + "number": 562, + "url": "https://github.com/nginx/kubernetes-ingress/pull/562" + }, + { + "title": "PR #561", + "number": 561, + "url": "https://github.com/nginx/kubernetes-ingress/pull/561" + }, + { + "title": "PR #553", + "number": 553, + "url": "https://github.com/nginx/kubernetes-ingress/pull/553" + }, + { + "title": "PR #534", + "number": 534, + "url": "https://github.com/nginx/kubernetes-ingress/pull/534" + }, + { + "title": "PR #479", + "number": 479, + "url": "https://github.com/nginx/kubernetes-ingress/pull/479" + }, + { + "title": "PR #468", + "number": 468, + "url": "https://github.com/nginx/kubernetes-ingress/pull/468" + }, + { + "title": "PR #456", + "number": 456, + "url": "https://github.com/nginx/kubernetes-ingress/pull/456" + }, + { + "title": "PR #546", + "number": 546, + "url": "https://github.com/nginx/kubernetes-ingress/pull/546" + }, + { + "title": "PR #542", + "number": 542, + "url": "https://github.com/nginx/kubernetes-ingress/pull/542" + }, + { + "title": "PR #430", + "number": 430, + "url": "https://github.com/nginx/kubernetes-ingress/pull/430" + }, + { + "title": "PR #420", + "number": 420, + "url": "https://github.com/nginx/kubernetes-ingress/pull/420" + }, + { + "title": "PR #398", + "number": 398, + "url": "https://github.com/nginx/kubernetes-ingress/pull/398" + }, + { + "title": "PR #393", + "number": 393, + "url": "https://github.com/nginx/kubernetes-ingress/pull/393" + }, + { + "title": "PR #390", + "number": 390, + "url": "https://github.com/nginx/kubernetes-ingress/pull/390" + }, + { + "title": "PR #377", + "number": 377, + "url": "https://github.com/nginx/kubernetes-ingress/pull/377" + }, + { + "title": "PR #335", + "number": 335, + "url": "https://github.com/nginx/kubernetes-ingress/pull/335" + }, + { + "title": "PR #430", + "number": 430, + "url": "https://github.com/nginx/kubernetes-ingress/pull/430" + }, + { + "title": "PR #399", + "number": 399, + "url": "https://github.com/nginx/kubernetes-ingress/pull/399" + }, + { + "title": "PR #357", + "number": 357, + "url": "https://github.com/nginx/kubernetes-ingress/pull/357" + }, + { + "title": "PR #347", + "number": 347, + "url": "https://github.com/nginx/kubernetes-ingress/pull/347" + }, + { + "title": "PR #391", + "number": 391, + "url": "https://github.com/nginx/kubernetes-ingress/pull/391" + }, + { + "title": "PR #344", + "number": 344, + "url": "https://github.com/nginx/kubernetes-ingress/pull/344" + }, + { + "title": "PR #435", + "number": 435, + "url": "https://github.com/nginx/kubernetes-ingress/pull/435" + }, + { + "title": "PR #433", + "number": 433, + "url": "https://github.com/nginx/kubernetes-ingress/pull/433" + }, + { + "title": "PR #432", + "number": 432, + "url": "https://github.com/nginx/kubernetes-ingress/pull/432" + }, + { + "title": "PR #418", + "number": 418, + "url": "https://github.com/nginx/kubernetes-ingress/pull/418" + }, + { + "title": "PR #406", + "number": 406, + "url": "https://github.com/nginx/kubernetes-ingress/pull/406" + }, + { + "title": "PR #381", + "number": 381, + "url": "https://github.com/nginx/kubernetes-ingress/pull/381" + }, + { + "title": "PR #349", + "number": 349, + "url": "https://github.com/nginx/kubernetes-ingress/pull/349" + }, + { + "title": "PR #343", + "number": 343, + "url": "https://github.com/nginx/kubernetes-ingress/pull/343" + }, + { + "title": "PR #330", + "number": 330, + "url": "https://github.com/nginx/kubernetes-ingress/pull/330" + }, + { + "title": "PR #329", + "number": 329, + "url": "https://github.com/nginx/kubernetes-ingress/pull/329" + }, + { + "title": "PR #279", + "number": 279, + "url": "https://github.com/nginx/kubernetes-ingress/pull/279" + }, + { + "title": "PR #278", + "number": 278, + "url": "https://github.com/nginx/kubernetes-ingress/pull/278" + }, + { + "title": "PR #277", + "number": 277, + "url": "https://github.com/nginx/kubernetes-ingress/pull/277" + }, + { + "title": "PR #276", + "number": 276, + "url": "https://github.com/nginx/kubernetes-ingress/pull/276" + }, + { + "title": "PR #274", + "number": 274, + "url": "https://github.com/nginx/kubernetes-ingress/pull/274" + }, + { + "title": "PR #272", + "number": 272, + "url": "https://github.com/nginx/kubernetes-ingress/pull/272" + }, + { + "title": "PR #268", + "number": 268, + "url": "https://github.com/nginx/kubernetes-ingress/pull/268" + }, + { + "title": "PR #266", + "number": 266, + "url": "https://github.com/nginx/kubernetes-ingress/pull/266" + }, + { + "title": "PR #261", + "number": 261, + "url": "https://github.com/nginx/kubernetes-ingress/pull/261" + }, + { + "title": "PR #258", + "number": 258, + "url": "https://github.com/nginx/kubernetes-ingress/pull/258" + }, + { + "title": "PR #256", + "number": 256, + "url": "https://github.com/nginx/kubernetes-ingress/pull/256" + }, + { + "title": "PR #249", + "number": 249, + "url": "https://github.com/nginx/kubernetes-ingress/pull/249" + }, + { + "title": "PR #241", + "number": 241, + "url": "https://github.com/nginx/kubernetes-ingress/pull/241" + }, + { + "title": "PR #240", + "number": 240, + "url": "https://github.com/nginx/kubernetes-ingress/pull/240" + }, + { + "title": "PR #239", + "number": 239, + "url": "https://github.com/nginx/kubernetes-ingress/pull/239" + }, + { + "title": "PR #238", + "number": 238, + "url": "https://github.com/nginx/kubernetes-ingress/pull/238" + }, + { + "title": "PR #237", + "number": 237, + "url": "https://github.com/nginx/kubernetes-ingress/pull/237" + }, + { + "title": "PR #236", + "number": 236, + "url": "https://github.com/nginx/kubernetes-ingress/pull/236" + }, + { + "title": "PR #235", + "number": 235, + "url": "https://github.com/nginx/kubernetes-ingress/pull/235" + }, + { + "title": "PR #234", + "number": 234, + "url": "https://github.com/nginx/kubernetes-ingress/pull/234" + }, + { + "title": "PR #233", + "number": 233, + "url": "https://github.com/nginx/kubernetes-ingress/pull/233" + }, + { + "title": "PR #231", + "number": 231, + "url": "https://github.com/nginx/kubernetes-ingress/pull/231" + }, + { + "title": "PR #248", + "number": 248, + "url": "https://github.com/nginx/kubernetes-ingress/pull/248" + }, + { + "title": "PR #252", + "number": 252, + "url": "https://github.com/nginx/kubernetes-ingress/pull/252" + }, + { + "title": "PR #270", + "number": 270, + "url": "https://github.com/nginx/kubernetes-ingress/pull/270" + }, + { + "title": "PR #228", + "number": 228, + "url": "https://github.com/nginx/kubernetes-ingress/pull/228" + }, + { + "title": "PR #223", + "number": 223, + "url": "https://github.com/nginx/kubernetes-ingress/pull/223" + }, + { + "title": "PR #221", + "number": 221, + "url": "https://github.com/nginx/kubernetes-ingress/pull/221" + }, + { + "title": "PR #220", + "number": 220, + "url": "https://github.com/nginx/kubernetes-ingress/pull/220" + }, + { + "title": "PR #213", + "number": 213, + "url": "https://github.com/nginx/kubernetes-ingress/pull/213" + }, + { + "title": "PR #211", + "number": 211, + "url": "https://github.com/nginx/kubernetes-ingress/pull/211" + }, + { + "title": "PR #208", + "number": 208, + "url": "https://github.com/nginx/kubernetes-ingress/pull/208" + }, + { + "title": "PR #199", + "number": 199, + "url": "https://github.com/nginx/kubernetes-ingress/pull/199" + }, + { + "title": "PR #194", + "number": 194, + "url": "https://github.com/nginx/kubernetes-ingress/pull/194" + }, + { + "title": "PR #193", + "number": 193, + "url": "https://github.com/nginx/kubernetes-ingress/pull/193" + }, + { + "title": "PR #192", + "number": 192, + "url": "https://github.com/nginx/kubernetes-ingress/pull/192" + }, + { + "title": "PR #186", + "number": 186, + "url": "https://github.com/nginx/kubernetes-ingress/pull/186" + }, + { + "title": "PR #184", + "number": 184, + "url": "https://github.com/nginx/kubernetes-ingress/pull/184" + }, + { + "title": "PR #175", + "number": 175, + "url": "https://github.com/nginx/kubernetes-ingress/pull/175" + }, + { + "title": "PR #171", + "number": 171, + "url": "https://github.com/nginx/kubernetes-ingress/pull/171" + }, + { + "title": "PR #170", + "number": 170, + "url": "https://github.com/nginx/kubernetes-ingress/pull/170" + }, + { + "title": "PR #169", + "number": 169, + "url": "https://github.com/nginx/kubernetes-ingress/pull/169" + }, + { + "title": "PR #168", + "number": 168, + "url": "https://github.com/nginx/kubernetes-ingress/pull/168" + }, + { + "title": "PR #166", + "number": 166, + "url": "https://github.com/nginx/kubernetes-ingress/pull/166" + }, + { + "title": "PR #160", + "number": 160, + "url": "https://github.com/nginx/kubernetes-ingress/pull/160" + }, + { + "title": "PR #157", + "number": 157, + "url": "https://github.com/nginx/kubernetes-ingress/pull/157" + }, + { + "title": "PR #156", + "number": 156, + "url": "https://github.com/nginx/kubernetes-ingress/pull/156" + }, + { + "title": "PR #155", + "number": 155, + "url": "https://github.com/nginx/kubernetes-ingress/pull/155" + }, + { + "title": "PR #154", + "number": 154, + "url": "https://github.com/nginx/kubernetes-ingress/pull/154" + }, + { + "title": "PR #151", + "number": 151, + "url": "https://github.com/nginx/kubernetes-ingress/pull/151" + }, + { + "title": "PR #146", + "number": 146, + "url": "https://github.com/nginx/kubernetes-ingress/pull/146" + }, + { + "title": "PR #141", + "number": 141, + "url": "https://github.com/nginx/kubernetes-ingress/pull/141" + }, + { + "title": "PR #140", + "number": 140, + "url": "https://github.com/nginx/kubernetes-ingress/pull/140" + }, + { + "title": "PR #117", + "number": 117, + "url": "https://github.com/nginx/kubernetes-ingress/pull/117" + }, + { + "title": "PR #116", + "number": 116, + "url": "https://github.com/nginx/kubernetes-ingress/pull/116" + }, + { + "title": "PR #113", + "number": 113, + "url": "https://github.com/nginx/kubernetes-ingress/pull/113" + }, + { + "title": "PR #108", + "number": 108, + "url": "https://github.com/nginx/kubernetes-ingress/pull/108" + }, + { + "title": "PR #103", + "number": 103, + "url": "https://github.com/nginx/kubernetes-ingress/pull/103" + }, + { + "title": "PR #100", + "number": 100, + "url": "https://github.com/nginx/kubernetes-ingress/pull/100" + }, + { + "title": "PR #95", + "number": 95, + "url": "https://github.com/nginx/kubernetes-ingress/pull/95" + }, + { + "title": "PR #93", + "number": 93, + "url": "https://github.com/nginx/kubernetes-ingress/pull/93" + }, + { + "title": "PR #91", + "number": 91, + "url": "https://github.com/nginx/kubernetes-ingress/pull/91" + }, + { + "title": "PR #88", + "number": 88, + "url": "https://github.com/nginx/kubernetes-ingress/pull/88" + }, + { + "title": "PR #85", + "number": 85, + "url": "https://github.com/nginx/kubernetes-ingress/pull/85" + }, + { + "title": "PR #84", + "number": 84, + "url": "https://github.com/nginx/kubernetes-ingress/pull/84" + }, + { + "title": "PR #81", + "number": 81, + "url": "https://github.com/nginx/kubernetes-ingress/pull/81" + }, + { + "title": "PR #75", + "number": 75, + "url": "https://github.com/nginx/kubernetes-ingress/pull/75" + }, + { + "title": "PR #74", + "number": 74, + "url": "https://github.com/nginx/kubernetes-ingress/pull/74" + }, + { + "title": "PR #70", + "number": 70, + "url": "https://github.com/nginx/kubernetes-ingress/pull/70" + }, + { + "title": "PR #68", + "number": 68, + "url": "https://github.com/nginx/kubernetes-ingress/pull/68" + }, + { + "title": "PR #66", + "number": 66, + "url": "https://github.com/nginx/kubernetes-ingress/pull/66" + }, + { + "title": "PR #65", + "number": 65, + "url": "https://github.com/nginx/kubernetes-ingress/pull/65" + }, + { + "title": "PR #64", + "number": 64, + "url": "https://github.com/nginx/kubernetes-ingress/pull/64" + }, + { + "title": "PR #62", + "number": 62, + "url": "https://github.com/nginx/kubernetes-ingress/pull/62" + }, + { + "title": "PR #54", + "number": 54, + "url": "https://github.com/nginx/kubernetes-ingress/pull/54" + }, + { + "title": "PR #55", + "number": 55, + "url": "https://github.com/nginx/kubernetes-ingress/pull/55" + }, + { + "title": "PR #58", + "number": 58, + "url": "https://github.com/nginx/kubernetes-ingress/pull/58" + } + ], + "Enhancements": [ + { + "title": "PR #1266", + "number": 1266, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1266" + }, + { + "title": "PR #1233", + "number": 1233, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1233" + }, + { + "title": "PR #1231", + "number": 1231, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1231" + }, + { + "title": "PR #1270", + "number": 1270, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1270" + }, + { + "title": "PR #1277", + "number": 1277, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1277" + }, + { + "title": "PR #1265", + "number": 1265, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1265" + }, + { + "title": "PR #1262", + "number": 1262, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1262" + }, + { + "title": "PR #1263", + "number": 1263, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1263" + }, + { + "title": "PR #1264", + "number": 1264, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1264" + }, + { + "title": "PR #1256", + "number": 1256, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1256" + }, + { + "title": "PR #1260", + "number": 1260, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1260" + }, + { + "title": "PR #1240", + "number": 1240, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1240" + }, + { + "title": "PR #1235", + "number": 1235, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1235" + }, + { + "title": "PR #1282", + "number": 1282, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1282" + }, + { + "title": "PR #1293", + "number": 1293, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1293" + }, + { + "title": "PR #1303", + "number": 1303, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1303" + }, + { + "title": "PR #1315", + "number": 1315, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1315" + }, + { + "title": "PR #1133", + "number": 1133, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1133" + }, + { + "title": "PR #1130", + "number": 1130, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1130" + }, + { + "title": "PR #1076", + "number": 1076, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1076" + }, + { + "title": "PR #1075", + "number": 1075, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1075" + }, + { + "title": "PR #1178", + "number": 1178, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1178" + }, + { + "title": "PR #1158", + "number": 1158, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1158" + }, + { + "title": "PR #1137", + "number": 1137, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1137" + }, + { + "title": "PR #1107", + "number": 1107, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1107" + }, + { + "title": "PR #1099", + "number": 1099, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1099" + }, + { + "title": "PR #1088", + "number": 1088, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1088" + }, + { + "title": "PR #1080", + "number": 1080, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1080" + }, + { + "title": "PR #1078", + "number": 1078, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1078" + }, + { + "title": "PR #1083", + "number": 1083, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1083" + }, + { + "title": "PR #1092", + "number": 1092, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1092" + }, + { + "title": "PR #1089", + "number": 1089, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1089" + }, + { + "title": "PR #1174", + "number": 1174, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1174" + }, + { + "title": "PR #1175", + "number": 1175, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1175" + }, + { + "title": "PR #1171", + "number": 1171, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1171" + }, + { + "title": "PR #1035", + "number": 1035, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1035" + }, + { + "title": "PR #1029", + "number": 1029, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" + }, + { + "title": "PR #995", + "number": 995, + "url": "https://github.com/nginx/kubernetes-ingress/pull/995" + }, + { + "title": "PR #946", + "number": 946, + "url": "https://github.com/nginx/kubernetes-ingress/pull/946" + }, + { + "title": "PR #948", + "number": 948, + "url": "https://github.com/nginx/kubernetes-ingress/pull/948" + }, + { + "title": "PR #972", + "number": 972, + "url": "https://github.com/nginx/kubernetes-ingress/pull/972" + }, + { + "title": "PR #965", + "number": 965, + "url": "https://github.com/nginx/kubernetes-ingress/pull/965" + }, + { + "title": "PR #902", + "number": 902, + "url": "https://github.com/nginx/kubernetes-ingress/pull/902" + }, + { + "title": "PR #894", + "number": 894, + "url": "https://github.com/nginx/kubernetes-ingress/pull/894" + }, + { + "title": "PR #857", + "number": 857, + "url": "https://github.com/nginx/kubernetes-ingress/pull/857" + }, + { + "title": "PR #852", + "number": 852, + "url": "https://github.com/nginx/kubernetes-ingress/pull/852" + }, + { + "title": "PR #845", + "number": 845, + "url": "https://github.com/nginx/kubernetes-ingress/pull/845" + }, + { + "title": "PR #827", + "number": 827, + "url": "https://github.com/nginx/kubernetes-ingress/pull/827" + }, + { + "title": "PR #850", + "number": 850, + "url": "https://github.com/nginx/kubernetes-ingress/pull/850" + }, + { + "title": "PR #832", + "number": 832, + "url": "https://github.com/nginx/kubernetes-ingress/pull/832" + }, + { + "title": "PR #825", + "number": 825, + "url": "https://github.com/nginx/kubernetes-ingress/pull/825" + }, + { + "title": "PR #750", + "number": 750, + "url": "https://github.com/nginx/kubernetes-ingress/pull/750" + }, + { + "title": "PR #691", + "number": 691, + "url": "https://github.com/nginx/kubernetes-ingress/pull/691" + }, + { + "title": "PR #631", + "number": 631, + "url": "https://github.com/nginx/kubernetes-ingress/pull/631" + }, + { + "title": "PR #629", + "number": 629, + "url": "https://github.com/nginx/kubernetes-ingress/pull/629" + }, + { + "title": "PR #616", + "number": 616, + "url": "https://github.com/nginx/kubernetes-ingress/pull/616" + }, + { + "title": "PR #615", + "number": 615, + "url": "https://github.com/nginx/kubernetes-ingress/pull/615" + }, + { + "title": "PR #614", + "number": 614, + "url": "https://github.com/nginx/kubernetes-ingress/pull/614" + }, + { + "title": "PR #678", + "number": 678, + "url": "https://github.com/nginx/kubernetes-ingress/pull/678" + }, + { + "title": "PR #694", + "number": 694, + "url": "https://github.com/nginx/kubernetes-ingress/pull/694" + }, + { + "title": "PR #713", + "number": 713, + "url": "https://github.com/nginx/kubernetes-ingress/pull/713" + }, + { + "title": "PR #560", + "number": 560, + "url": "https://github.com/nginx/kubernetes-ingress/pull/560" + }, + { + "title": "PR #554", + "number": 554, + "url": "https://github.com/nginx/kubernetes-ingress/pull/554" + }, + { + "title": "PR #496", + "number": 496, + "url": "https://github.com/nginx/kubernetes-ingress/pull/496" + }, + { + "title": "PR #485", + "number": 485, + "url": "https://github.com/nginx/kubernetes-ingress/pull/485" + }, + { + "title": "PR #565", + "number": 565, + "url": "https://github.com/nginx/kubernetes-ingress/pull/565" + }, + { + "title": "PR #511", + "number": 511, + "url": "https://github.com/nginx/kubernetes-ingress/pull/511" + }, + { + "title": "PR #504", + "number": 504, + "url": "https://github.com/nginx/kubernetes-ingress/pull/504" + }, + { + "title": "PR #401", + "number": 401, + "url": "https://github.com/nginx/kubernetes-ingress/pull/401" + }, + { + "title": "PR #387", + "number": 387, + "url": "https://github.com/nginx/kubernetes-ingress/pull/387" + }, + { + "title": "PR #376", + "number": 376, + "url": "https://github.com/nginx/kubernetes-ingress/pull/376" + }, + { + "title": "PR #375", + "number": 375, + "url": "https://github.com/nginx/kubernetes-ingress/pull/375" + }, + { + "title": "PR #346", + "number": 346, + "url": "https://github.com/nginx/kubernetes-ingress/pull/346" + }, + { + "title": "PR #344", + "number": 344, + "url": "https://github.com/nginx/kubernetes-ingress/pull/344" + }, + { + "title": "PR #342", + "number": 342, + "url": "https://github.com/nginx/kubernetes-ingress/pull/342" + }, + { + "title": "PR #320", + "number": 340, + "url": "https://github.com/nginx/kubernetes-ingress/pull/340" + }, + { + "title": "PR #434", + "number": 434, + "url": "https://github.com/nginx/kubernetes-ingress/pull/434" + }, + { + "title": "PR #432", + "number": 432, + "url": "https://github.com/nginx/kubernetes-ingress/pull/432" + }, + { + "title": "PR #419", + "number": 419, + "url": "https://github.com/nginx/kubernetes-ingress/pull/419" + }, + { + "title": "PR #403", + "number": 403, + "url": "https://github.com/nginx/kubernetes-ingress/pull/403" + }, + { + "title": "PR #400", + "number": 400, + "url": "https://github.com/nginx/kubernetes-ingress/pull/400" + }, + { + "title": "PR #399", + "number": 399, + "url": "https://github.com/nginx/kubernetes-ingress/pull/399" + }, + { + "title": "PR #391", + "number": 391, + "url": "https://github.com/nginx/kubernetes-ingress/pull/391" + }, + { + "title": "PR #389", + "number": 389, + "url": "https://github.com/nginx/kubernetes-ingress/pull/389" + }, + { + "title": "PR #380", + "number": 380, + "url": "https://github.com/nginx/kubernetes-ingress/pull/380" + }, + { + "title": "PR #362", + "number": 362, + "url": "https://github.com/nginx/kubernetes-ingress/pull/362" + }, + { + "title": "PR #357", + "number": 357, + "url": "https://github.com/nginx/kubernetes-ingress/pull/357" + }, + { + "title": "PR #351", + "number": 351, + "url": "https://github.com/nginx/kubernetes-ingress/pull/351" + }, + { + "title": "PR #325", + "number": 325, + "url": "https://github.com/nginx/kubernetes-ingress/pull/325" + }, + { + "title": "PR #311", + "number": 311, + "url": "https://github.com/nginx/kubernetes-ingress/pull/311" + }, + { + "title": "PR #310", + "number": 310, + "url": "https://github.com/nginx/kubernetes-ingress/pull/310" + }, + { + "title": "PR #308", + "number": 308, + "url": "https://github.com/nginx/kubernetes-ingress/pull/308" + }, + { + "title": "PR #303", + "number": 303, + "url": "https://github.com/nginx/kubernetes-ingress/pull/303" + }, + { + "title": "PR #301", + "number": 301, + "url": "https://github.com/nginx/kubernetes-ingress/pull/301" + }, + { + "title": "PR #298", + "number": 298, + "url": "https://github.com/nginx/kubernetes-ingress/pull/298" + }, + { + "title": "PR #296", + "number": 296, + "url": "https://github.com/nginx/kubernetes-ingress/pull/296" + }, + { + "title": "PR #295", + "number": 295, + "url": "https://github.com/nginx/kubernetes-ingress/pull/295" + }, + { + "title": "PR #294", + "number": 294, + "url": "https://github.com/nginx/kubernetes-ingress/pull/294" + }, + { + "title": "PR #287", + "number": 287, + "url": "https://github.com/nginx/kubernetes-ingress/pull/287" + }, + { + "title": "PR #286", + "number": 286, + "url": "https://github.com/nginx/kubernetes-ingress/pull/286" + } + ], + "Bug Fixes": [ + { + "title": "PR #1179", + "number": 1179, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1179" + }, + { + "title": "PR #1129", + "number": 1129, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1129" + }, + { + "title": "PR #1110", + "number": 1110, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1110" + }, + { + "title": "PR #1030", + "number": 1030, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1030" + }, + { + "title": "PR #953", + "number": 953, + "url": "https://github.com/nginx/kubernetes-ingress/pull/953" + }, + { + "title": "PR #828", + "number": 828, + "url": "https://github.com/nginx/kubernetes-ingress/pull/828" + }, + { + "title": "PR #788", + "number": 788, + "url": "https://github.com/nginx/kubernetes-ingress/pull/788" + }, + { + "title": "PR #736", + "number": 736, + "url": "https://github.com/nginx/kubernetes-ingress/pull/736" + }, + { + "title": "PR #686", + "number": 686, + "url": "https://github.com/nginx/kubernetes-ingress/pull/686" + }, + { + "title": "PR #664", + "number": 664, + "url": "https://github.com/nginx/kubernetes-ingress/pull/664" + }, + { + "title": "PR #632", + "number": 632, + "url": "https://github.com/nginx/kubernetes-ingress/pull/632" + }, + { + "title": "PR #520", + "number": 520, + "url": "https://github.com/nginx/kubernetes-ingress/pull/520" + }, + { + "title": "PR #481", + "number": 481, + "url": "https://github.com/nginx/kubernetes-ingress/pull/481" + }, + { + "title": "PR #439", + "number": 439, + "url": "https://github.com/nginx/kubernetes-ingress/pull/439" + }, + { + "title": "PR #429", + "number": 429, + "url": "https://github.com/nginx/kubernetes-ingress/pull/429" + }, + { + "title": "PR #386", + "number": 386, + "url": "https://github.com/nginx/kubernetes-ingress/pull/386" + }, + { + "title": "PR #379", + "number": 379, + "url": "https://github.com/nginx/kubernetes-ingress/pull/379" + }, + { + "title": "PR #365", + "number": 365, + "url": "https://github.com/nginx/kubernetes-ingress/pull/365" + }, + { + "title": "PR #348", + "number": 348, + "url": "https://github.com/nginx/kubernetes-ingress/pull/348" + }, + { + "title": "PR #326", + "number": 326, + "url": "https://github.com/nginx/kubernetes-ingress/pull/326" + }, + { + "title": "PR #284", + "number": 284, + "url": "https://github.com/nginx/kubernetes-ingress/pull/284" + } + ] +} \ No newline at end of file From 7a9b64b55a472848f82713df2ac4dd930f2d72e2 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 23 Jul 2025 09:20:10 +0000 Subject: [PATCH 28/33] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .../mo-example/cafe-ingress.yaml | 2 +- .../ingress-resources/mo-example/cafe.yaml | 2 +- hi.txt | 10 +- release_notes.json | 3244 ++++++++--------- 4 files changed, 1629 insertions(+), 1629 deletions(-) diff --git a/examples/ingress-resources/mo-example/cafe-ingress.yaml b/examples/ingress-resources/mo-example/cafe-ingress.yaml index ecb487f661..2edbeff3fe 100644 --- a/examples/ingress-resources/mo-example/cafe-ingress.yaml +++ b/examples/ingress-resources/mo-example/cafe-ingress.yaml @@ -32,4 +32,4 @@ spec: service: name: mo-webserver-svc port: - number: 80 \ No newline at end of file + number: 80 diff --git a/examples/ingress-resources/mo-example/cafe.yaml b/examples/ingress-resources/mo-example/cafe.yaml index d19c0d3385..b8e51dff3e 100644 --- a/examples/ingress-resources/mo-example/cafe.yaml +++ b/examples/ingress-resources/mo-example/cafe.yaml @@ -33,4 +33,4 @@ spec: name: http selector: app: mo-webserver ---- \ No newline at end of file +--- diff --git a/hi.txt b/hi.txt index 3f4676ab35..4a72ae8938 100644 --- a/hi.txt +++ b/hi.txt @@ -8,7 +8,7 @@ I20250501 16:13:00.757811 1 main.go:107] Event(v1.ObjectReference{Kind:"Pod", 2025/05/01 16:13:00 [notice] 17#17: js vm init njs: 0000AAAACEE7F900 2025/05/01 16:13:00 [notice] 17#17: using the "epoll" event method 2025/05/01 16:13:00 [notice] 17#17: nginx/1.27.4 -2025/05/01 16:13:00 [notice] 17#17: built by gcc 12.2.0 (Debian 12.2.0-14) +2025/05/01 16:13:00 [notice] 17#17: built by gcc 12.2.0 (Debian 12.2.0-14) 2025/05/01 16:13:00 [notice] 17#17: OS: Linux 6.10.14-linuxkit 2025/05/01 16:13:00 [notice] 17#17: getrlimit(RLIMIT_NOFILE): 1048576:1048576 2025/05/01 16:13:00 [notice] 17#17: start worker processes @@ -139,7 +139,7 @@ I20250501 16:15:40.753379 1 service.go:32] Adding service: tea-svc 2025/05/01 16:16:46 [notice] 35#35: exit 2025/05/01 16:16:46 [notice] 42#42: exit 2025/05/01 16:16:46 [notice] 40#40: exit -I20250501 16:16:46.224592 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"95d571e9-f2c0-483b-b427-8d914611affa", APIVersion:"networking.k8s.io/v1", ResourceVersion:"773", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated +I20250501 16:16:46.224592 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"95d571e9-f2c0-483b-b427-8d914611affa", APIVersion:"networking.k8s.io/v1", ResourceVersion:"773", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated 2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 34 2025/05/01 16:16:46 [notice] 17#17: worker process 34 exited with code 0 2025/05/01 16:16:46 [notice] 17#17: worker process 36 exited with code 0 @@ -375,10 +375,10 @@ I20250502 08:54:23.154598 1 service.go:258] Syncing service default/coffee-svc I20250502 08:54:23.154623 1 service.go:260] Updating 1 resources W20250502 08:54:23.154628 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist W20250502 08:54:23.154633 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc -I20250502 08:54:23.154755 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated +I20250502 08:54:23.154755 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated W20250502 08:54:23.155433 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist W20250502 08:54:23.155448 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc -I20250502 08:54:23.155717 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated +I20250502 08:54:23.155717 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated I20250502 08:54:23.157472 1 service.go:32] Adding service: tea-svc 2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 84 2025/05/02 08:54:23 [notice] 17#17: worker process 84 exited with code 0 @@ -502,7 +502,7 @@ W20250502 08:54:23.302624 1 controller.go:2313] Error retrieving endpoints for 2025/05/02 08:54:23 [notice] 17#17: worker process 110 exited with code 0 W20250502 08:54:23.449757 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: no endpointslices for target port 8080 in service tea-svc W20250502 08:54:23.449780 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc -I20250502 08:54:23.450600 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated +I20250502 08:54:23.450600 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated 2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received 2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 110 2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 108 diff --git a/release_notes.json b/release_notes.json index 89c5fcc2e7..affc9ca004 100644 --- a/release_notes.json +++ b/release_notes.json @@ -1,1623 +1,1623 @@ { - "Miscellaneous": [ - { - "title": "PR #1373", - "number": 1373, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1373" - }, - { - "title": "PR #1439", - "number": 1439, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1439" - }, - { - "title": "PR #1440", - "number": 1440, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1440" - }, - { - "title": "PR #1304", - "number": 1304, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1304" - }, - { - "title": "PR #1281", - "number": 1281, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1281" - }, - { - "title": "PR #1290", - "number": 1290, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1290" - }, - { - "title": "PR #1232", - "number": 1232, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1232" - }, - { - "title": "PR #1228", - "number": 1228, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1228" - }, - { - "title": "PR #1299", - "number": 1299, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1299" - }, - { - "title": "PR #1291", - "number": 1291, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1291" - }, - { - "title": "PR #1290", - "number": 1290, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1290" - }, - { - "title": "PR #1225", - "number": 1225, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1225" - }, - { - "title": "PR #1237", - "number": 1237, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1237" - }, - { - "title": "PR #1270", - "number": 1270, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1270" - }, - { - "title": "PR #1277", - "number": 1277, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1277" - }, - { - "title": "PR #1232", - "number": 1232, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1232" - }, - { - "title": "PR #1225", - "number": 1225, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1225" - }, - { - "title": "PR #1180", - "number": 1180, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1180" - }, - { - "title": "PR #1166", - "number": 1166, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1166" - }, - { - "title": "PR #1154", - "number": 1154, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1154" - }, - { - "title": "PR #1120", - "number": 1120, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1120" - }, - { - "title": "PR #1058", - "number": 1058, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1058" - }, - { - "title": "PR #1147", - "number": 1147, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1147" - }, - { - "title": "PR #1131", - "number": 1131, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1131" - }, - { - "title": "PR #1100", - "number": 1100, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1100" - }, - { - "title": "PR #1085", - "number": 1085, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1085" - }, - { - "title": "PR #1105", - "number": 1105, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1105" - }, - { - "title": "PR #1133", - "number": 1133, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1133" - }, - { - "title": "PR #1148", - "number": 1148, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1148" - }, - { - "title": "PR #1182", - "number": 1182, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1182" - }, - { - "title": "PR #1036", - "number": 1036, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1036" - }, - { - "title": "PR #1028", - "number": 1028, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1028" - }, - { - "title": "PR #1019", - "number": 1019, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1019" - }, - { - "title": "PR #1006", - "number": 1006, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1006" - }, - { - "title": "PR #994", - "number": 994, - "url": "https://github.com/nginx/kubernetes-ingress/pull/994" - }, - { - "title": "PR #973", - "number": 973, - "url": "https://github.com/nginx/kubernetes-ingress/pull/973" - }, - { - "title": "PR #1035", - "number": 1035, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1035" - }, - { - "title": "PR #1034", - "number": 1034, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1034" - }, - { - "title": "PR #1029", - "number": 1029, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" - }, - { - "title": "PR #1003", - "number": 1003, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1003" - }, - { - "title": "PR #1047", - "number": 1047, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1047" - }, - { - "title": "PR #1009", - "number": 1009, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1009" - }, - { - "title": "PR #1029", - "number": 1029, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" - }, - { - "title": "PR #980", - "number": 980, - "url": "https://github.com/nginx/kubernetes-ingress/pull/980" - }, - { - "title": "PR #868", - "number": 868, - "url": "https://github.com/nginx/kubernetes-ingress/pull/868" - }, - { - "title": "PR #847", - "number": 847, - "url": "https://github.com/nginx/kubernetes-ingress/pull/847" - }, - { - "title": "PR #921", - "number": 921, - "url": "https://github.com/nginx/kubernetes-ingress/pull/921" - }, - { - "title": "PR #878", - "number": 878, - "url": "https://github.com/nginx/kubernetes-ingress/pull/878" - }, - { - "title": "PR #807", - "number": 807, - "url": "https://github.com/nginx/kubernetes-ingress/pull/807" - }, - { - "title": "PR #854", - "number": 854, - "url": "https://github.com/nginx/kubernetes-ingress/pull/854" - }, - { - "title": "PR #852", - "number": 852, - "url": "https://github.com/nginx/kubernetes-ingress/pull/852" - }, - { - "title": "PR #847", - "number": 847, - "url": "https://github.com/nginx/kubernetes-ingress/pull/847" - }, - { - "title": "PR #827", - "number": 827, - "url": "https://github.com/nginx/kubernetes-ingress/pull/827" - }, - { - "title": "PR #825", - "number": 825, - "url": "https://github.com/nginx/kubernetes-ingress/pull/825" - }, - { - "title": "PR #780", - "number": 780, - "url": "https://github.com/nginx/kubernetes-ingress/pull/780" - }, - { - "title": "PR #778", - "number": 778, - "url": "https://github.com/nginx/kubernetes-ingress/pull/778" - }, - { - "title": "PR #766", - "number": 766, - "url": "https://github.com/nginx/kubernetes-ingress/pull/766" - }, - { - "title": "PR #748", - "number": 748, - "url": "https://github.com/nginx/kubernetes-ingress/pull/748" - }, - { - "title": "PR #745", - "number": 745, - "url": "https://github.com/nginx/kubernetes-ingress/pull/745" - }, - { - "title": "PR #728", - "number": 728, - "url": "https://github.com/nginx/kubernetes-ingress/pull/728" - }, - { - "title": "PR #724", - "number": 724, - "url": "https://github.com/nginx/kubernetes-ingress/pull/724" - }, - { - "title": "PR #712", - "number": 712, - "url": "https://github.com/nginx/kubernetes-ingress/pull/712" - }, - { - "title": "PR #707", - "number": 707, - "url": "https://github.com/nginx/kubernetes-ingress/pull/707" - }, - { - "title": "PR #701", - "number": 701, - "url": "https://github.com/nginx/kubernetes-ingress/pull/701" - }, - { - "title": "PR #693", - "number": 693, - "url": "https://github.com/nginx/kubernetes-ingress/pull/693" - }, - { - "title": "PR #670", - "number": 670, - "url": "https://github.com/nginx/kubernetes-ingress/pull/670" - }, - { - "title": "PR #660", - "number": 660, - "url": "https://github.com/nginx/kubernetes-ingress/pull/660" - }, - { - "title": "PR #659", - "number": 659, - "url": "https://github.com/nginx/kubernetes-ingress/pull/659" - }, - { - "title": "PR #655", - "number": 655, - "url": "https://github.com/nginx/kubernetes-ingress/pull/655" - }, - { - "title": "PR #653", - "number": 653, - "url": "https://github.com/nginx/kubernetes-ingress/pull/653" - }, - { - "title": "PR #641", - "number": 641, - "url": "https://github.com/nginx/kubernetes-ingress/pull/641" - }, - { - "title": "PR #635", - "number": 635, - "url": "https://github.com/nginx/kubernetes-ingress/pull/635" - }, - { - "title": "PR #634", - "number": 634, - "url": "https://github.com/nginx/kubernetes-ingress/pull/634" - }, - { - "title": "PR #628", - "number": 628, - "url": "https://github.com/nginx/kubernetes-ingress/pull/628" - }, - { - "title": "PR #621", - "number": 621, - "url": "https://github.com/nginx/kubernetes-ingress/pull/621" - }, - { - "title": "PR #617", - "number": 617, - "url": "https://github.com/nginx/kubernetes-ingress/pull/617" - }, - { - "title": "PR #612", - "number": 612, - "url": "https://github.com/nginx/kubernetes-ingress/pull/612" - }, - { - "title": "PR #607", - "number": 607, - "url": "https://github.com/nginx/kubernetes-ingress/pull/607" - }, - { - "title": "PR #596", - "number": 596, - "url": "https://github.com/nginx/kubernetes-ingress/pull/596" - }, - { - "title": "PR #750", - "number": 750, - "url": "https://github.com/nginx/kubernetes-ingress/pull/750" - }, - { - "title": "PR #636", - "number": 636, - "url": "https://github.com/nginx/kubernetes-ingress/pull/636" - }, - { - "title": "PR #600", - "number": 600, - "url": "https://github.com/nginx/kubernetes-ingress/pull/600" - }, - { - "title": "PR #581", - "number": 581, - "url": "https://github.com/nginx/kubernetes-ingress/pull/581" - }, - { - "title": "PR #722", - "number": 722, - "url": "https://github.com/nginx/kubernetes-ingress/pull/722" - }, - { - "title": "PR #573", - "number": 573, - "url": "https://github.com/nginx/kubernetes-ingress/pull/573" - }, - { - "title": "PR #799", - "number": 779, - "url": "https://github.com/nginx/kubernetes-ingress/pull/779" - }, - { - "title": "PR #772", - "number": 772, - "url": "https://github.com/nginx/kubernetes-ingress/pull/772" - }, - { - "title": "PR #748", - "number": 748, - "url": "https://github.com/nginx/kubernetes-ingress/pull/748" - }, - { - "title": "PR #745", - "number": 745, - "url": "https://github.com/nginx/kubernetes-ingress/pull/745" - }, - { - "title": "PR #710", - "number": 710, - "url": "https://github.com/nginx/kubernetes-ingress/pull/710" - }, - { - "title": "PR #603", - "number": 603, - "url": "https://github.com/nginx/kubernetes-ingress/pull/603" - }, - { - "title": "PR #593", - "number": 593, - "url": "https://github.com/nginx/kubernetes-ingress/pull/593" - }, - { - "title": "PR #593", - "number": 593, - "url": "https://github.com/nginx/kubernetes-ingress/pull/593" - }, - { - "title": "PR #562", - "number": 562, - "url": "https://github.com/nginx/kubernetes-ingress/pull/562" - }, - { - "title": "PR #561", - "number": 561, - "url": "https://github.com/nginx/kubernetes-ingress/pull/561" - }, - { - "title": "PR #553", - "number": 553, - "url": "https://github.com/nginx/kubernetes-ingress/pull/553" - }, - { - "title": "PR #534", - "number": 534, - "url": "https://github.com/nginx/kubernetes-ingress/pull/534" - }, - { - "title": "PR #479", - "number": 479, - "url": "https://github.com/nginx/kubernetes-ingress/pull/479" - }, - { - "title": "PR #468", - "number": 468, - "url": "https://github.com/nginx/kubernetes-ingress/pull/468" - }, - { - "title": "PR #456", - "number": 456, - "url": "https://github.com/nginx/kubernetes-ingress/pull/456" - }, - { - "title": "PR #546", - "number": 546, - "url": "https://github.com/nginx/kubernetes-ingress/pull/546" - }, - { - "title": "PR #542", - "number": 542, - "url": "https://github.com/nginx/kubernetes-ingress/pull/542" - }, - { - "title": "PR #430", - "number": 430, - "url": "https://github.com/nginx/kubernetes-ingress/pull/430" - }, - { - "title": "PR #420", - "number": 420, - "url": "https://github.com/nginx/kubernetes-ingress/pull/420" - }, - { - "title": "PR #398", - "number": 398, - "url": "https://github.com/nginx/kubernetes-ingress/pull/398" - }, - { - "title": "PR #393", - "number": 393, - "url": "https://github.com/nginx/kubernetes-ingress/pull/393" - }, - { - "title": "PR #390", - "number": 390, - "url": "https://github.com/nginx/kubernetes-ingress/pull/390" - }, - { - "title": "PR #377", - "number": 377, - "url": "https://github.com/nginx/kubernetes-ingress/pull/377" - }, - { - "title": "PR #335", - "number": 335, - "url": "https://github.com/nginx/kubernetes-ingress/pull/335" - }, - { - "title": "PR #430", - "number": 430, - "url": "https://github.com/nginx/kubernetes-ingress/pull/430" - }, - { - "title": "PR #399", - "number": 399, - "url": "https://github.com/nginx/kubernetes-ingress/pull/399" - }, - { - "title": "PR #357", - "number": 357, - "url": "https://github.com/nginx/kubernetes-ingress/pull/357" - }, - { - "title": "PR #347", - "number": 347, - "url": "https://github.com/nginx/kubernetes-ingress/pull/347" - }, - { - "title": "PR #391", - "number": 391, - "url": "https://github.com/nginx/kubernetes-ingress/pull/391" - }, - { - "title": "PR #344", - "number": 344, - "url": "https://github.com/nginx/kubernetes-ingress/pull/344" - }, - { - "title": "PR #435", - "number": 435, - "url": "https://github.com/nginx/kubernetes-ingress/pull/435" - }, - { - "title": "PR #433", - "number": 433, - "url": "https://github.com/nginx/kubernetes-ingress/pull/433" - }, - { - "title": "PR #432", - "number": 432, - "url": "https://github.com/nginx/kubernetes-ingress/pull/432" - }, - { - "title": "PR #418", - "number": 418, - "url": "https://github.com/nginx/kubernetes-ingress/pull/418" - }, - { - "title": "PR #406", - "number": 406, - "url": "https://github.com/nginx/kubernetes-ingress/pull/406" - }, - { - "title": "PR #381", - "number": 381, - "url": "https://github.com/nginx/kubernetes-ingress/pull/381" - }, - { - "title": "PR #349", - "number": 349, - "url": "https://github.com/nginx/kubernetes-ingress/pull/349" - }, - { - "title": "PR #343", - "number": 343, - "url": "https://github.com/nginx/kubernetes-ingress/pull/343" - }, - { - "title": "PR #330", - "number": 330, - "url": "https://github.com/nginx/kubernetes-ingress/pull/330" - }, - { - "title": "PR #329", - "number": 329, - "url": "https://github.com/nginx/kubernetes-ingress/pull/329" - }, - { - "title": "PR #279", - "number": 279, - "url": "https://github.com/nginx/kubernetes-ingress/pull/279" - }, - { - "title": "PR #278", - "number": 278, - "url": "https://github.com/nginx/kubernetes-ingress/pull/278" - }, - { - "title": "PR #277", - "number": 277, - "url": "https://github.com/nginx/kubernetes-ingress/pull/277" - }, - { - "title": "PR #276", - "number": 276, - "url": "https://github.com/nginx/kubernetes-ingress/pull/276" - }, - { - "title": "PR #274", - "number": 274, - "url": "https://github.com/nginx/kubernetes-ingress/pull/274" - }, - { - "title": "PR #272", - "number": 272, - "url": "https://github.com/nginx/kubernetes-ingress/pull/272" - }, - { - "title": "PR #268", - "number": 268, - "url": "https://github.com/nginx/kubernetes-ingress/pull/268" - }, - { - "title": "PR #266", - "number": 266, - "url": "https://github.com/nginx/kubernetes-ingress/pull/266" - }, - { - "title": "PR #261", - "number": 261, - "url": "https://github.com/nginx/kubernetes-ingress/pull/261" - }, - { - "title": "PR #258", - "number": 258, - "url": "https://github.com/nginx/kubernetes-ingress/pull/258" - }, - { - "title": "PR #256", - "number": 256, - "url": "https://github.com/nginx/kubernetes-ingress/pull/256" - }, - { - "title": "PR #249", - "number": 249, - "url": "https://github.com/nginx/kubernetes-ingress/pull/249" - }, - { - "title": "PR #241", - "number": 241, - "url": "https://github.com/nginx/kubernetes-ingress/pull/241" - }, - { - "title": "PR #240", - "number": 240, - "url": "https://github.com/nginx/kubernetes-ingress/pull/240" - }, - { - "title": "PR #239", - "number": 239, - "url": "https://github.com/nginx/kubernetes-ingress/pull/239" - }, - { - "title": "PR #238", - "number": 238, - "url": "https://github.com/nginx/kubernetes-ingress/pull/238" - }, - { - "title": "PR #237", - "number": 237, - "url": "https://github.com/nginx/kubernetes-ingress/pull/237" - }, - { - "title": "PR #236", - "number": 236, - "url": "https://github.com/nginx/kubernetes-ingress/pull/236" - }, - { - "title": "PR #235", - "number": 235, - "url": "https://github.com/nginx/kubernetes-ingress/pull/235" - }, - { - "title": "PR #234", - "number": 234, - "url": "https://github.com/nginx/kubernetes-ingress/pull/234" - }, - { - "title": "PR #233", - "number": 233, - "url": "https://github.com/nginx/kubernetes-ingress/pull/233" - }, - { - "title": "PR #231", - "number": 231, - "url": "https://github.com/nginx/kubernetes-ingress/pull/231" - }, - { - "title": "PR #248", - "number": 248, - "url": "https://github.com/nginx/kubernetes-ingress/pull/248" - }, - { - "title": "PR #252", - "number": 252, - "url": "https://github.com/nginx/kubernetes-ingress/pull/252" - }, - { - "title": "PR #270", - "number": 270, - "url": "https://github.com/nginx/kubernetes-ingress/pull/270" - }, - { - "title": "PR #228", - "number": 228, - "url": "https://github.com/nginx/kubernetes-ingress/pull/228" - }, - { - "title": "PR #223", - "number": 223, - "url": "https://github.com/nginx/kubernetes-ingress/pull/223" - }, - { - "title": "PR #221", - "number": 221, - "url": "https://github.com/nginx/kubernetes-ingress/pull/221" - }, - { - "title": "PR #220", - "number": 220, - "url": "https://github.com/nginx/kubernetes-ingress/pull/220" - }, - { - "title": "PR #213", - "number": 213, - "url": "https://github.com/nginx/kubernetes-ingress/pull/213" - }, - { - "title": "PR #211", - "number": 211, - "url": "https://github.com/nginx/kubernetes-ingress/pull/211" - }, - { - "title": "PR #208", - "number": 208, - "url": "https://github.com/nginx/kubernetes-ingress/pull/208" - }, - { - "title": "PR #199", - "number": 199, - "url": "https://github.com/nginx/kubernetes-ingress/pull/199" - }, - { - "title": "PR #194", - "number": 194, - "url": "https://github.com/nginx/kubernetes-ingress/pull/194" - }, - { - "title": "PR #193", - "number": 193, - "url": "https://github.com/nginx/kubernetes-ingress/pull/193" - }, - { - "title": "PR #192", - "number": 192, - "url": "https://github.com/nginx/kubernetes-ingress/pull/192" - }, - { - "title": "PR #186", - "number": 186, - "url": "https://github.com/nginx/kubernetes-ingress/pull/186" - }, - { - "title": "PR #184", - "number": 184, - "url": "https://github.com/nginx/kubernetes-ingress/pull/184" - }, - { - "title": "PR #175", - "number": 175, - "url": "https://github.com/nginx/kubernetes-ingress/pull/175" - }, - { - "title": "PR #171", - "number": 171, - "url": "https://github.com/nginx/kubernetes-ingress/pull/171" - }, - { - "title": "PR #170", - "number": 170, - "url": "https://github.com/nginx/kubernetes-ingress/pull/170" - }, - { - "title": "PR #169", - "number": 169, - "url": "https://github.com/nginx/kubernetes-ingress/pull/169" - }, - { - "title": "PR #168", - "number": 168, - "url": "https://github.com/nginx/kubernetes-ingress/pull/168" - }, - { - "title": "PR #166", - "number": 166, - "url": "https://github.com/nginx/kubernetes-ingress/pull/166" - }, - { - "title": "PR #160", - "number": 160, - "url": "https://github.com/nginx/kubernetes-ingress/pull/160" - }, - { - "title": "PR #157", - "number": 157, - "url": "https://github.com/nginx/kubernetes-ingress/pull/157" - }, - { - "title": "PR #156", - "number": 156, - "url": "https://github.com/nginx/kubernetes-ingress/pull/156" - }, - { - "title": "PR #155", - "number": 155, - "url": "https://github.com/nginx/kubernetes-ingress/pull/155" - }, - { - "title": "PR #154", - "number": 154, - "url": "https://github.com/nginx/kubernetes-ingress/pull/154" - }, - { - "title": "PR #151", - "number": 151, - "url": "https://github.com/nginx/kubernetes-ingress/pull/151" - }, - { - "title": "PR #146", - "number": 146, - "url": "https://github.com/nginx/kubernetes-ingress/pull/146" - }, - { - "title": "PR #141", - "number": 141, - "url": "https://github.com/nginx/kubernetes-ingress/pull/141" - }, - { - "title": "PR #140", - "number": 140, - "url": "https://github.com/nginx/kubernetes-ingress/pull/140" - }, - { - "title": "PR #117", - "number": 117, - "url": "https://github.com/nginx/kubernetes-ingress/pull/117" - }, - { - "title": "PR #116", - "number": 116, - "url": "https://github.com/nginx/kubernetes-ingress/pull/116" - }, - { - "title": "PR #113", - "number": 113, - "url": "https://github.com/nginx/kubernetes-ingress/pull/113" - }, - { - "title": "PR #108", - "number": 108, - "url": "https://github.com/nginx/kubernetes-ingress/pull/108" - }, - { - "title": "PR #103", - "number": 103, - "url": "https://github.com/nginx/kubernetes-ingress/pull/103" - }, - { - "title": "PR #100", - "number": 100, - "url": "https://github.com/nginx/kubernetes-ingress/pull/100" - }, - { - "title": "PR #95", - "number": 95, - "url": "https://github.com/nginx/kubernetes-ingress/pull/95" - }, - { - "title": "PR #93", - "number": 93, - "url": "https://github.com/nginx/kubernetes-ingress/pull/93" - }, - { - "title": "PR #91", - "number": 91, - "url": "https://github.com/nginx/kubernetes-ingress/pull/91" - }, - { - "title": "PR #88", - "number": 88, - "url": "https://github.com/nginx/kubernetes-ingress/pull/88" - }, - { - "title": "PR #85", - "number": 85, - "url": "https://github.com/nginx/kubernetes-ingress/pull/85" - }, - { - "title": "PR #84", - "number": 84, - "url": "https://github.com/nginx/kubernetes-ingress/pull/84" - }, - { - "title": "PR #81", - "number": 81, - "url": "https://github.com/nginx/kubernetes-ingress/pull/81" - }, - { - "title": "PR #75", - "number": 75, - "url": "https://github.com/nginx/kubernetes-ingress/pull/75" - }, - { - "title": "PR #74", - "number": 74, - "url": "https://github.com/nginx/kubernetes-ingress/pull/74" - }, - { - "title": "PR #70", - "number": 70, - "url": "https://github.com/nginx/kubernetes-ingress/pull/70" - }, - { - "title": "PR #68", - "number": 68, - "url": "https://github.com/nginx/kubernetes-ingress/pull/68" - }, - { - "title": "PR #66", - "number": 66, - "url": "https://github.com/nginx/kubernetes-ingress/pull/66" - }, - { - "title": "PR #65", - "number": 65, - "url": "https://github.com/nginx/kubernetes-ingress/pull/65" - }, - { - "title": "PR #64", - "number": 64, - "url": "https://github.com/nginx/kubernetes-ingress/pull/64" - }, - { - "title": "PR #62", - "number": 62, - "url": "https://github.com/nginx/kubernetes-ingress/pull/62" - }, - { - "title": "PR #54", - "number": 54, - "url": "https://github.com/nginx/kubernetes-ingress/pull/54" - }, - { - "title": "PR #55", - "number": 55, - "url": "https://github.com/nginx/kubernetes-ingress/pull/55" - }, - { - "title": "PR #58", - "number": 58, - "url": "https://github.com/nginx/kubernetes-ingress/pull/58" - } - ], - "Enhancements": [ - { - "title": "PR #1266", - "number": 1266, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1266" - }, - { - "title": "PR #1233", - "number": 1233, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1233" - }, - { - "title": "PR #1231", - "number": 1231, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1231" - }, - { - "title": "PR #1270", - "number": 1270, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1270" - }, - { - "title": "PR #1277", - "number": 1277, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1277" - }, - { - "title": "PR #1265", - "number": 1265, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1265" - }, - { - "title": "PR #1262", - "number": 1262, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1262" - }, - { - "title": "PR #1263", - "number": 1263, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1263" - }, - { - "title": "PR #1264", - "number": 1264, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1264" - }, - { - "title": "PR #1256", - "number": 1256, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1256" - }, - { - "title": "PR #1260", - "number": 1260, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1260" - }, - { - "title": "PR #1240", - "number": 1240, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1240" - }, - { - "title": "PR #1235", - "number": 1235, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1235" - }, - { - "title": "PR #1282", - "number": 1282, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1282" - }, - { - "title": "PR #1293", - "number": 1293, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1293" - }, - { - "title": "PR #1303", - "number": 1303, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1303" - }, - { - "title": "PR #1315", - "number": 1315, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1315" - }, - { - "title": "PR #1133", - "number": 1133, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1133" - }, - { - "title": "PR #1130", - "number": 1130, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1130" - }, - { - "title": "PR #1076", - "number": 1076, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1076" - }, - { - "title": "PR #1075", - "number": 1075, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1075" - }, - { - "title": "PR #1178", - "number": 1178, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1178" - }, - { - "title": "PR #1158", - "number": 1158, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1158" - }, - { - "title": "PR #1137", - "number": 1137, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1137" - }, - { - "title": "PR #1107", - "number": 1107, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1107" - }, - { - "title": "PR #1099", - "number": 1099, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1099" - }, - { - "title": "PR #1088", - "number": 1088, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1088" - }, - { - "title": "PR #1080", - "number": 1080, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1080" - }, - { - "title": "PR #1078", - "number": 1078, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1078" - }, - { - "title": "PR #1083", - "number": 1083, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1083" - }, - { - "title": "PR #1092", - "number": 1092, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1092" - }, - { - "title": "PR #1089", - "number": 1089, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1089" - }, - { - "title": "PR #1174", - "number": 1174, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1174" - }, - { - "title": "PR #1175", - "number": 1175, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1175" - }, - { - "title": "PR #1171", - "number": 1171, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1171" - }, - { - "title": "PR #1035", - "number": 1035, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1035" - }, - { - "title": "PR #1029", - "number": 1029, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" - }, - { - "title": "PR #995", - "number": 995, - "url": "https://github.com/nginx/kubernetes-ingress/pull/995" - }, - { - "title": "PR #946", - "number": 946, - "url": "https://github.com/nginx/kubernetes-ingress/pull/946" - }, - { - "title": "PR #948", - "number": 948, - "url": "https://github.com/nginx/kubernetes-ingress/pull/948" - }, - { - "title": "PR #972", - "number": 972, - "url": "https://github.com/nginx/kubernetes-ingress/pull/972" - }, - { - "title": "PR #965", - "number": 965, - "url": "https://github.com/nginx/kubernetes-ingress/pull/965" - }, - { - "title": "PR #902", - "number": 902, - "url": "https://github.com/nginx/kubernetes-ingress/pull/902" - }, - { - "title": "PR #894", - "number": 894, - "url": "https://github.com/nginx/kubernetes-ingress/pull/894" - }, - { - "title": "PR #857", - "number": 857, - "url": "https://github.com/nginx/kubernetes-ingress/pull/857" - }, - { - "title": "PR #852", - "number": 852, - "url": "https://github.com/nginx/kubernetes-ingress/pull/852" - }, - { - "title": "PR #845", - "number": 845, - "url": "https://github.com/nginx/kubernetes-ingress/pull/845" - }, - { - "title": "PR #827", - "number": 827, - "url": "https://github.com/nginx/kubernetes-ingress/pull/827" - }, - { - "title": "PR #850", - "number": 850, - "url": "https://github.com/nginx/kubernetes-ingress/pull/850" - }, - { - "title": "PR #832", - "number": 832, - "url": "https://github.com/nginx/kubernetes-ingress/pull/832" - }, - { - "title": "PR #825", - "number": 825, - "url": "https://github.com/nginx/kubernetes-ingress/pull/825" - }, - { - "title": "PR #750", - "number": 750, - "url": "https://github.com/nginx/kubernetes-ingress/pull/750" - }, - { - "title": "PR #691", - "number": 691, - "url": "https://github.com/nginx/kubernetes-ingress/pull/691" - }, - { - "title": "PR #631", - "number": 631, - "url": "https://github.com/nginx/kubernetes-ingress/pull/631" - }, - { - "title": "PR #629", - "number": 629, - "url": "https://github.com/nginx/kubernetes-ingress/pull/629" - }, - { - "title": "PR #616", - "number": 616, - "url": "https://github.com/nginx/kubernetes-ingress/pull/616" - }, - { - "title": "PR #615", - "number": 615, - "url": "https://github.com/nginx/kubernetes-ingress/pull/615" - }, - { - "title": "PR #614", - "number": 614, - "url": "https://github.com/nginx/kubernetes-ingress/pull/614" - }, - { - "title": "PR #678", - "number": 678, - "url": "https://github.com/nginx/kubernetes-ingress/pull/678" - }, - { - "title": "PR #694", - "number": 694, - "url": "https://github.com/nginx/kubernetes-ingress/pull/694" - }, - { - "title": "PR #713", - "number": 713, - "url": "https://github.com/nginx/kubernetes-ingress/pull/713" - }, - { - "title": "PR #560", - "number": 560, - "url": "https://github.com/nginx/kubernetes-ingress/pull/560" - }, - { - "title": "PR #554", - "number": 554, - "url": "https://github.com/nginx/kubernetes-ingress/pull/554" - }, - { - "title": "PR #496", - "number": 496, - "url": "https://github.com/nginx/kubernetes-ingress/pull/496" - }, - { - "title": "PR #485", - "number": 485, - "url": "https://github.com/nginx/kubernetes-ingress/pull/485" - }, - { - "title": "PR #565", - "number": 565, - "url": "https://github.com/nginx/kubernetes-ingress/pull/565" - }, - { - "title": "PR #511", - "number": 511, - "url": "https://github.com/nginx/kubernetes-ingress/pull/511" - }, - { - "title": "PR #504", - "number": 504, - "url": "https://github.com/nginx/kubernetes-ingress/pull/504" - }, - { - "title": "PR #401", - "number": 401, - "url": "https://github.com/nginx/kubernetes-ingress/pull/401" - }, - { - "title": "PR #387", - "number": 387, - "url": "https://github.com/nginx/kubernetes-ingress/pull/387" - }, - { - "title": "PR #376", - "number": 376, - "url": "https://github.com/nginx/kubernetes-ingress/pull/376" - }, - { - "title": "PR #375", - "number": 375, - "url": "https://github.com/nginx/kubernetes-ingress/pull/375" - }, - { - "title": "PR #346", - "number": 346, - "url": "https://github.com/nginx/kubernetes-ingress/pull/346" - }, - { - "title": "PR #344", - "number": 344, - "url": "https://github.com/nginx/kubernetes-ingress/pull/344" - }, - { - "title": "PR #342", - "number": 342, - "url": "https://github.com/nginx/kubernetes-ingress/pull/342" - }, - { - "title": "PR #320", - "number": 340, - "url": "https://github.com/nginx/kubernetes-ingress/pull/340" - }, - { - "title": "PR #434", - "number": 434, - "url": "https://github.com/nginx/kubernetes-ingress/pull/434" - }, - { - "title": "PR #432", - "number": 432, - "url": "https://github.com/nginx/kubernetes-ingress/pull/432" - }, - { - "title": "PR #419", - "number": 419, - "url": "https://github.com/nginx/kubernetes-ingress/pull/419" - }, - { - "title": "PR #403", - "number": 403, - "url": "https://github.com/nginx/kubernetes-ingress/pull/403" - }, - { - "title": "PR #400", - "number": 400, - "url": "https://github.com/nginx/kubernetes-ingress/pull/400" - }, - { - "title": "PR #399", - "number": 399, - "url": "https://github.com/nginx/kubernetes-ingress/pull/399" - }, - { - "title": "PR #391", - "number": 391, - "url": "https://github.com/nginx/kubernetes-ingress/pull/391" - }, - { - "title": "PR #389", - "number": 389, - "url": "https://github.com/nginx/kubernetes-ingress/pull/389" - }, - { - "title": "PR #380", - "number": 380, - "url": "https://github.com/nginx/kubernetes-ingress/pull/380" - }, - { - "title": "PR #362", - "number": 362, - "url": "https://github.com/nginx/kubernetes-ingress/pull/362" - }, - { - "title": "PR #357", - "number": 357, - "url": "https://github.com/nginx/kubernetes-ingress/pull/357" - }, - { - "title": "PR #351", - "number": 351, - "url": "https://github.com/nginx/kubernetes-ingress/pull/351" - }, - { - "title": "PR #325", - "number": 325, - "url": "https://github.com/nginx/kubernetes-ingress/pull/325" - }, - { - "title": "PR #311", - "number": 311, - "url": "https://github.com/nginx/kubernetes-ingress/pull/311" - }, - { - "title": "PR #310", - "number": 310, - "url": "https://github.com/nginx/kubernetes-ingress/pull/310" - }, - { - "title": "PR #308", - "number": 308, - "url": "https://github.com/nginx/kubernetes-ingress/pull/308" - }, - { - "title": "PR #303", - "number": 303, - "url": "https://github.com/nginx/kubernetes-ingress/pull/303" - }, - { - "title": "PR #301", - "number": 301, - "url": "https://github.com/nginx/kubernetes-ingress/pull/301" - }, - { - "title": "PR #298", - "number": 298, - "url": "https://github.com/nginx/kubernetes-ingress/pull/298" - }, - { - "title": "PR #296", - "number": 296, - "url": "https://github.com/nginx/kubernetes-ingress/pull/296" - }, - { - "title": "PR #295", - "number": 295, - "url": "https://github.com/nginx/kubernetes-ingress/pull/295" - }, - { - "title": "PR #294", - "number": 294, - "url": "https://github.com/nginx/kubernetes-ingress/pull/294" - }, - { - "title": "PR #287", - "number": 287, - "url": "https://github.com/nginx/kubernetes-ingress/pull/287" - }, - { - "title": "PR #286", - "number": 286, - "url": "https://github.com/nginx/kubernetes-ingress/pull/286" - } - ], - "Bug Fixes": [ - { - "title": "PR #1179", - "number": 1179, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1179" - }, - { - "title": "PR #1129", - "number": 1129, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1129" - }, - { - "title": "PR #1110", - "number": 1110, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1110" - }, - { - "title": "PR #1030", - "number": 1030, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1030" - }, - { - "title": "PR #953", - "number": 953, - "url": "https://github.com/nginx/kubernetes-ingress/pull/953" - }, - { - "title": "PR #828", - "number": 828, - "url": "https://github.com/nginx/kubernetes-ingress/pull/828" - }, - { - "title": "PR #788", - "number": 788, - "url": "https://github.com/nginx/kubernetes-ingress/pull/788" - }, - { - "title": "PR #736", - "number": 736, - "url": "https://github.com/nginx/kubernetes-ingress/pull/736" - }, - { - "title": "PR #686", - "number": 686, - "url": "https://github.com/nginx/kubernetes-ingress/pull/686" - }, - { - "title": "PR #664", - "number": 664, - "url": "https://github.com/nginx/kubernetes-ingress/pull/664" - }, - { - "title": "PR #632", - "number": 632, - "url": "https://github.com/nginx/kubernetes-ingress/pull/632" - }, - { - "title": "PR #520", - "number": 520, - "url": "https://github.com/nginx/kubernetes-ingress/pull/520" - }, - { - "title": "PR #481", - "number": 481, - "url": "https://github.com/nginx/kubernetes-ingress/pull/481" - }, - { - "title": "PR #439", - "number": 439, - "url": "https://github.com/nginx/kubernetes-ingress/pull/439" - }, - { - "title": "PR #429", - "number": 429, - "url": "https://github.com/nginx/kubernetes-ingress/pull/429" - }, - { - "title": "PR #386", - "number": 386, - "url": "https://github.com/nginx/kubernetes-ingress/pull/386" - }, - { - "title": "PR #379", - "number": 379, - "url": "https://github.com/nginx/kubernetes-ingress/pull/379" - }, - { - "title": "PR #365", - "number": 365, - "url": "https://github.com/nginx/kubernetes-ingress/pull/365" - }, - { - "title": "PR #348", - "number": 348, - "url": "https://github.com/nginx/kubernetes-ingress/pull/348" - }, - { - "title": "PR #326", - "number": 326, - "url": "https://github.com/nginx/kubernetes-ingress/pull/326" - }, - { - "title": "PR #284", - "number": 284, - "url": "https://github.com/nginx/kubernetes-ingress/pull/284" - } - ] -} \ No newline at end of file + "Miscellaneous": [ + { + "title": "PR #1373", + "number": 1373, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1373" + }, + { + "title": "PR #1439", + "number": 1439, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1439" + }, + { + "title": "PR #1440", + "number": 1440, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1440" + }, + { + "title": "PR #1304", + "number": 1304, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1304" + }, + { + "title": "PR #1281", + "number": 1281, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1281" + }, + { + "title": "PR #1290", + "number": 1290, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1290" + }, + { + "title": "PR #1232", + "number": 1232, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1232" + }, + { + "title": "PR #1228", + "number": 1228, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1228" + }, + { + "title": "PR #1299", + "number": 1299, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1299" + }, + { + "title": "PR #1291", + "number": 1291, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1291" + }, + { + "title": "PR #1290", + "number": 1290, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1290" + }, + { + "title": "PR #1225", + "number": 1225, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1225" + }, + { + "title": "PR #1237", + "number": 1237, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1237" + }, + { + "title": "PR #1270", + "number": 1270, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1270" + }, + { + "title": "PR #1277", + "number": 1277, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1277" + }, + { + "title": "PR #1232", + "number": 1232, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1232" + }, + { + "title": "PR #1225", + "number": 1225, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1225" + }, + { + "title": "PR #1180", + "number": 1180, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1180" + }, + { + "title": "PR #1166", + "number": 1166, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1166" + }, + { + "title": "PR #1154", + "number": 1154, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1154" + }, + { + "title": "PR #1120", + "number": 1120, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1120" + }, + { + "title": "PR #1058", + "number": 1058, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1058" + }, + { + "title": "PR #1147", + "number": 1147, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1147" + }, + { + "title": "PR #1131", + "number": 1131, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1131" + }, + { + "title": "PR #1100", + "number": 1100, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1100" + }, + { + "title": "PR #1085", + "number": 1085, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1085" + }, + { + "title": "PR #1105", + "number": 1105, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1105" + }, + { + "title": "PR #1133", + "number": 1133, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1133" + }, + { + "title": "PR #1148", + "number": 1148, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1148" + }, + { + "title": "PR #1182", + "number": 1182, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1182" + }, + { + "title": "PR #1036", + "number": 1036, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1036" + }, + { + "title": "PR #1028", + "number": 1028, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1028" + }, + { + "title": "PR #1019", + "number": 1019, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1019" + }, + { + "title": "PR #1006", + "number": 1006, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1006" + }, + { + "title": "PR #994", + "number": 994, + "url": "https://github.com/nginx/kubernetes-ingress/pull/994" + }, + { + "title": "PR #973", + "number": 973, + "url": "https://github.com/nginx/kubernetes-ingress/pull/973" + }, + { + "title": "PR #1035", + "number": 1035, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1035" + }, + { + "title": "PR #1034", + "number": 1034, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1034" + }, + { + "title": "PR #1029", + "number": 1029, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" + }, + { + "title": "PR #1003", + "number": 1003, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1003" + }, + { + "title": "PR #1047", + "number": 1047, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1047" + }, + { + "title": "PR #1009", + "number": 1009, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1009" + }, + { + "title": "PR #1029", + "number": 1029, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" + }, + { + "title": "PR #980", + "number": 980, + "url": "https://github.com/nginx/kubernetes-ingress/pull/980" + }, + { + "title": "PR #868", + "number": 868, + "url": "https://github.com/nginx/kubernetes-ingress/pull/868" + }, + { + "title": "PR #847", + "number": 847, + "url": "https://github.com/nginx/kubernetes-ingress/pull/847" + }, + { + "title": "PR #921", + "number": 921, + "url": "https://github.com/nginx/kubernetes-ingress/pull/921" + }, + { + "title": "PR #878", + "number": 878, + "url": "https://github.com/nginx/kubernetes-ingress/pull/878" + }, + { + "title": "PR #807", + "number": 807, + "url": "https://github.com/nginx/kubernetes-ingress/pull/807" + }, + { + "title": "PR #854", + "number": 854, + "url": "https://github.com/nginx/kubernetes-ingress/pull/854" + }, + { + "title": "PR #852", + "number": 852, + "url": "https://github.com/nginx/kubernetes-ingress/pull/852" + }, + { + "title": "PR #847", + "number": 847, + "url": "https://github.com/nginx/kubernetes-ingress/pull/847" + }, + { + "title": "PR #827", + "number": 827, + "url": "https://github.com/nginx/kubernetes-ingress/pull/827" + }, + { + "title": "PR #825", + "number": 825, + "url": "https://github.com/nginx/kubernetes-ingress/pull/825" + }, + { + "title": "PR #780", + "number": 780, + "url": "https://github.com/nginx/kubernetes-ingress/pull/780" + }, + { + "title": "PR #778", + "number": 778, + "url": "https://github.com/nginx/kubernetes-ingress/pull/778" + }, + { + "title": "PR #766", + "number": 766, + "url": "https://github.com/nginx/kubernetes-ingress/pull/766" + }, + { + "title": "PR #748", + "number": 748, + "url": "https://github.com/nginx/kubernetes-ingress/pull/748" + }, + { + "title": "PR #745", + "number": 745, + "url": "https://github.com/nginx/kubernetes-ingress/pull/745" + }, + { + "title": "PR #728", + "number": 728, + "url": "https://github.com/nginx/kubernetes-ingress/pull/728" + }, + { + "title": "PR #724", + "number": 724, + "url": "https://github.com/nginx/kubernetes-ingress/pull/724" + }, + { + "title": "PR #712", + "number": 712, + "url": "https://github.com/nginx/kubernetes-ingress/pull/712" + }, + { + "title": "PR #707", + "number": 707, + "url": "https://github.com/nginx/kubernetes-ingress/pull/707" + }, + { + "title": "PR #701", + "number": 701, + "url": "https://github.com/nginx/kubernetes-ingress/pull/701" + }, + { + "title": "PR #693", + "number": 693, + "url": "https://github.com/nginx/kubernetes-ingress/pull/693" + }, + { + "title": "PR #670", + "number": 670, + "url": "https://github.com/nginx/kubernetes-ingress/pull/670" + }, + { + "title": "PR #660", + "number": 660, + "url": "https://github.com/nginx/kubernetes-ingress/pull/660" + }, + { + "title": "PR #659", + "number": 659, + "url": "https://github.com/nginx/kubernetes-ingress/pull/659" + }, + { + "title": "PR #655", + "number": 655, + "url": "https://github.com/nginx/kubernetes-ingress/pull/655" + }, + { + "title": "PR #653", + "number": 653, + "url": "https://github.com/nginx/kubernetes-ingress/pull/653" + }, + { + "title": "PR #641", + "number": 641, + "url": "https://github.com/nginx/kubernetes-ingress/pull/641" + }, + { + "title": "PR #635", + "number": 635, + "url": "https://github.com/nginx/kubernetes-ingress/pull/635" + }, + { + "title": "PR #634", + "number": 634, + "url": "https://github.com/nginx/kubernetes-ingress/pull/634" + }, + { + "title": "PR #628", + "number": 628, + "url": "https://github.com/nginx/kubernetes-ingress/pull/628" + }, + { + "title": "PR #621", + "number": 621, + "url": "https://github.com/nginx/kubernetes-ingress/pull/621" + }, + { + "title": "PR #617", + "number": 617, + "url": "https://github.com/nginx/kubernetes-ingress/pull/617" + }, + { + "title": "PR #612", + "number": 612, + "url": "https://github.com/nginx/kubernetes-ingress/pull/612" + }, + { + "title": "PR #607", + "number": 607, + "url": "https://github.com/nginx/kubernetes-ingress/pull/607" + }, + { + "title": "PR #596", + "number": 596, + "url": "https://github.com/nginx/kubernetes-ingress/pull/596" + }, + { + "title": "PR #750", + "number": 750, + "url": "https://github.com/nginx/kubernetes-ingress/pull/750" + }, + { + "title": "PR #636", + "number": 636, + "url": "https://github.com/nginx/kubernetes-ingress/pull/636" + }, + { + "title": "PR #600", + "number": 600, + "url": "https://github.com/nginx/kubernetes-ingress/pull/600" + }, + { + "title": "PR #581", + "number": 581, + "url": "https://github.com/nginx/kubernetes-ingress/pull/581" + }, + { + "title": "PR #722", + "number": 722, + "url": "https://github.com/nginx/kubernetes-ingress/pull/722" + }, + { + "title": "PR #573", + "number": 573, + "url": "https://github.com/nginx/kubernetes-ingress/pull/573" + }, + { + "title": "PR #799", + "number": 779, + "url": "https://github.com/nginx/kubernetes-ingress/pull/779" + }, + { + "title": "PR #772", + "number": 772, + "url": "https://github.com/nginx/kubernetes-ingress/pull/772" + }, + { + "title": "PR #748", + "number": 748, + "url": "https://github.com/nginx/kubernetes-ingress/pull/748" + }, + { + "title": "PR #745", + "number": 745, + "url": "https://github.com/nginx/kubernetes-ingress/pull/745" + }, + { + "title": "PR #710", + "number": 710, + "url": "https://github.com/nginx/kubernetes-ingress/pull/710" + }, + { + "title": "PR #603", + "number": 603, + "url": "https://github.com/nginx/kubernetes-ingress/pull/603" + }, + { + "title": "PR #593", + "number": 593, + "url": "https://github.com/nginx/kubernetes-ingress/pull/593" + }, + { + "title": "PR #593", + "number": 593, + "url": "https://github.com/nginx/kubernetes-ingress/pull/593" + }, + { + "title": "PR #562", + "number": 562, + "url": "https://github.com/nginx/kubernetes-ingress/pull/562" + }, + { + "title": "PR #561", + "number": 561, + "url": "https://github.com/nginx/kubernetes-ingress/pull/561" + }, + { + "title": "PR #553", + "number": 553, + "url": "https://github.com/nginx/kubernetes-ingress/pull/553" + }, + { + "title": "PR #534", + "number": 534, + "url": "https://github.com/nginx/kubernetes-ingress/pull/534" + }, + { + "title": "PR #479", + "number": 479, + "url": "https://github.com/nginx/kubernetes-ingress/pull/479" + }, + { + "title": "PR #468", + "number": 468, + "url": "https://github.com/nginx/kubernetes-ingress/pull/468" + }, + { + "title": "PR #456", + "number": 456, + "url": "https://github.com/nginx/kubernetes-ingress/pull/456" + }, + { + "title": "PR #546", + "number": 546, + "url": "https://github.com/nginx/kubernetes-ingress/pull/546" + }, + { + "title": "PR #542", + "number": 542, + "url": "https://github.com/nginx/kubernetes-ingress/pull/542" + }, + { + "title": "PR #430", + "number": 430, + "url": "https://github.com/nginx/kubernetes-ingress/pull/430" + }, + { + "title": "PR #420", + "number": 420, + "url": "https://github.com/nginx/kubernetes-ingress/pull/420" + }, + { + "title": "PR #398", + "number": 398, + "url": "https://github.com/nginx/kubernetes-ingress/pull/398" + }, + { + "title": "PR #393", + "number": 393, + "url": "https://github.com/nginx/kubernetes-ingress/pull/393" + }, + { + "title": "PR #390", + "number": 390, + "url": "https://github.com/nginx/kubernetes-ingress/pull/390" + }, + { + "title": "PR #377", + "number": 377, + "url": "https://github.com/nginx/kubernetes-ingress/pull/377" + }, + { + "title": "PR #335", + "number": 335, + "url": "https://github.com/nginx/kubernetes-ingress/pull/335" + }, + { + "title": "PR #430", + "number": 430, + "url": "https://github.com/nginx/kubernetes-ingress/pull/430" + }, + { + "title": "PR #399", + "number": 399, + "url": "https://github.com/nginx/kubernetes-ingress/pull/399" + }, + { + "title": "PR #357", + "number": 357, + "url": "https://github.com/nginx/kubernetes-ingress/pull/357" + }, + { + "title": "PR #347", + "number": 347, + "url": "https://github.com/nginx/kubernetes-ingress/pull/347" + }, + { + "title": "PR #391", + "number": 391, + "url": "https://github.com/nginx/kubernetes-ingress/pull/391" + }, + { + "title": "PR #344", + "number": 344, + "url": "https://github.com/nginx/kubernetes-ingress/pull/344" + }, + { + "title": "PR #435", + "number": 435, + "url": "https://github.com/nginx/kubernetes-ingress/pull/435" + }, + { + "title": "PR #433", + "number": 433, + "url": "https://github.com/nginx/kubernetes-ingress/pull/433" + }, + { + "title": "PR #432", + "number": 432, + "url": "https://github.com/nginx/kubernetes-ingress/pull/432" + }, + { + "title": "PR #418", + "number": 418, + "url": "https://github.com/nginx/kubernetes-ingress/pull/418" + }, + { + "title": "PR #406", + "number": 406, + "url": "https://github.com/nginx/kubernetes-ingress/pull/406" + }, + { + "title": "PR #381", + "number": 381, + "url": "https://github.com/nginx/kubernetes-ingress/pull/381" + }, + { + "title": "PR #349", + "number": 349, + "url": "https://github.com/nginx/kubernetes-ingress/pull/349" + }, + { + "title": "PR #343", + "number": 343, + "url": "https://github.com/nginx/kubernetes-ingress/pull/343" + }, + { + "title": "PR #330", + "number": 330, + "url": "https://github.com/nginx/kubernetes-ingress/pull/330" + }, + { + "title": "PR #329", + "number": 329, + "url": "https://github.com/nginx/kubernetes-ingress/pull/329" + }, + { + "title": "PR #279", + "number": 279, + "url": "https://github.com/nginx/kubernetes-ingress/pull/279" + }, + { + "title": "PR #278", + "number": 278, + "url": "https://github.com/nginx/kubernetes-ingress/pull/278" + }, + { + "title": "PR #277", + "number": 277, + "url": "https://github.com/nginx/kubernetes-ingress/pull/277" + }, + { + "title": "PR #276", + "number": 276, + "url": "https://github.com/nginx/kubernetes-ingress/pull/276" + }, + { + "title": "PR #274", + "number": 274, + "url": "https://github.com/nginx/kubernetes-ingress/pull/274" + }, + { + "title": "PR #272", + "number": 272, + "url": "https://github.com/nginx/kubernetes-ingress/pull/272" + }, + { + "title": "PR #268", + "number": 268, + "url": "https://github.com/nginx/kubernetes-ingress/pull/268" + }, + { + "title": "PR #266", + "number": 266, + "url": "https://github.com/nginx/kubernetes-ingress/pull/266" + }, + { + "title": "PR #261", + "number": 261, + "url": "https://github.com/nginx/kubernetes-ingress/pull/261" + }, + { + "title": "PR #258", + "number": 258, + "url": "https://github.com/nginx/kubernetes-ingress/pull/258" + }, + { + "title": "PR #256", + "number": 256, + "url": "https://github.com/nginx/kubernetes-ingress/pull/256" + }, + { + "title": "PR #249", + "number": 249, + "url": "https://github.com/nginx/kubernetes-ingress/pull/249" + }, + { + "title": "PR #241", + "number": 241, + "url": "https://github.com/nginx/kubernetes-ingress/pull/241" + }, + { + "title": "PR #240", + "number": 240, + "url": "https://github.com/nginx/kubernetes-ingress/pull/240" + }, + { + "title": "PR #239", + "number": 239, + "url": "https://github.com/nginx/kubernetes-ingress/pull/239" + }, + { + "title": "PR #238", + "number": 238, + "url": "https://github.com/nginx/kubernetes-ingress/pull/238" + }, + { + "title": "PR #237", + "number": 237, + "url": "https://github.com/nginx/kubernetes-ingress/pull/237" + }, + { + "title": "PR #236", + "number": 236, + "url": "https://github.com/nginx/kubernetes-ingress/pull/236" + }, + { + "title": "PR #235", + "number": 235, + "url": "https://github.com/nginx/kubernetes-ingress/pull/235" + }, + { + "title": "PR #234", + "number": 234, + "url": "https://github.com/nginx/kubernetes-ingress/pull/234" + }, + { + "title": "PR #233", + "number": 233, + "url": "https://github.com/nginx/kubernetes-ingress/pull/233" + }, + { + "title": "PR #231", + "number": 231, + "url": "https://github.com/nginx/kubernetes-ingress/pull/231" + }, + { + "title": "PR #248", + "number": 248, + "url": "https://github.com/nginx/kubernetes-ingress/pull/248" + }, + { + "title": "PR #252", + "number": 252, + "url": "https://github.com/nginx/kubernetes-ingress/pull/252" + }, + { + "title": "PR #270", + "number": 270, + "url": "https://github.com/nginx/kubernetes-ingress/pull/270" + }, + { + "title": "PR #228", + "number": 228, + "url": "https://github.com/nginx/kubernetes-ingress/pull/228" + }, + { + "title": "PR #223", + "number": 223, + "url": "https://github.com/nginx/kubernetes-ingress/pull/223" + }, + { + "title": "PR #221", + "number": 221, + "url": "https://github.com/nginx/kubernetes-ingress/pull/221" + }, + { + "title": "PR #220", + "number": 220, + "url": "https://github.com/nginx/kubernetes-ingress/pull/220" + }, + { + "title": "PR #213", + "number": 213, + "url": "https://github.com/nginx/kubernetes-ingress/pull/213" + }, + { + "title": "PR #211", + "number": 211, + "url": "https://github.com/nginx/kubernetes-ingress/pull/211" + }, + { + "title": "PR #208", + "number": 208, + "url": "https://github.com/nginx/kubernetes-ingress/pull/208" + }, + { + "title": "PR #199", + "number": 199, + "url": "https://github.com/nginx/kubernetes-ingress/pull/199" + }, + { + "title": "PR #194", + "number": 194, + "url": "https://github.com/nginx/kubernetes-ingress/pull/194" + }, + { + "title": "PR #193", + "number": 193, + "url": "https://github.com/nginx/kubernetes-ingress/pull/193" + }, + { + "title": "PR #192", + "number": 192, + "url": "https://github.com/nginx/kubernetes-ingress/pull/192" + }, + { + "title": "PR #186", + "number": 186, + "url": "https://github.com/nginx/kubernetes-ingress/pull/186" + }, + { + "title": "PR #184", + "number": 184, + "url": "https://github.com/nginx/kubernetes-ingress/pull/184" + }, + { + "title": "PR #175", + "number": 175, + "url": "https://github.com/nginx/kubernetes-ingress/pull/175" + }, + { + "title": "PR #171", + "number": 171, + "url": "https://github.com/nginx/kubernetes-ingress/pull/171" + }, + { + "title": "PR #170", + "number": 170, + "url": "https://github.com/nginx/kubernetes-ingress/pull/170" + }, + { + "title": "PR #169", + "number": 169, + "url": "https://github.com/nginx/kubernetes-ingress/pull/169" + }, + { + "title": "PR #168", + "number": 168, + "url": "https://github.com/nginx/kubernetes-ingress/pull/168" + }, + { + "title": "PR #166", + "number": 166, + "url": "https://github.com/nginx/kubernetes-ingress/pull/166" + }, + { + "title": "PR #160", + "number": 160, + "url": "https://github.com/nginx/kubernetes-ingress/pull/160" + }, + { + "title": "PR #157", + "number": 157, + "url": "https://github.com/nginx/kubernetes-ingress/pull/157" + }, + { + "title": "PR #156", + "number": 156, + "url": "https://github.com/nginx/kubernetes-ingress/pull/156" + }, + { + "title": "PR #155", + "number": 155, + "url": "https://github.com/nginx/kubernetes-ingress/pull/155" + }, + { + "title": "PR #154", + "number": 154, + "url": "https://github.com/nginx/kubernetes-ingress/pull/154" + }, + { + "title": "PR #151", + "number": 151, + "url": "https://github.com/nginx/kubernetes-ingress/pull/151" + }, + { + "title": "PR #146", + "number": 146, + "url": "https://github.com/nginx/kubernetes-ingress/pull/146" + }, + { + "title": "PR #141", + "number": 141, + "url": "https://github.com/nginx/kubernetes-ingress/pull/141" + }, + { + "title": "PR #140", + "number": 140, + "url": "https://github.com/nginx/kubernetes-ingress/pull/140" + }, + { + "title": "PR #117", + "number": 117, + "url": "https://github.com/nginx/kubernetes-ingress/pull/117" + }, + { + "title": "PR #116", + "number": 116, + "url": "https://github.com/nginx/kubernetes-ingress/pull/116" + }, + { + "title": "PR #113", + "number": 113, + "url": "https://github.com/nginx/kubernetes-ingress/pull/113" + }, + { + "title": "PR #108", + "number": 108, + "url": "https://github.com/nginx/kubernetes-ingress/pull/108" + }, + { + "title": "PR #103", + "number": 103, + "url": "https://github.com/nginx/kubernetes-ingress/pull/103" + }, + { + "title": "PR #100", + "number": 100, + "url": "https://github.com/nginx/kubernetes-ingress/pull/100" + }, + { + "title": "PR #95", + "number": 95, + "url": "https://github.com/nginx/kubernetes-ingress/pull/95" + }, + { + "title": "PR #93", + "number": 93, + "url": "https://github.com/nginx/kubernetes-ingress/pull/93" + }, + { + "title": "PR #91", + "number": 91, + "url": "https://github.com/nginx/kubernetes-ingress/pull/91" + }, + { + "title": "PR #88", + "number": 88, + "url": "https://github.com/nginx/kubernetes-ingress/pull/88" + }, + { + "title": "PR #85", + "number": 85, + "url": "https://github.com/nginx/kubernetes-ingress/pull/85" + }, + { + "title": "PR #84", + "number": 84, + "url": "https://github.com/nginx/kubernetes-ingress/pull/84" + }, + { + "title": "PR #81", + "number": 81, + "url": "https://github.com/nginx/kubernetes-ingress/pull/81" + }, + { + "title": "PR #75", + "number": 75, + "url": "https://github.com/nginx/kubernetes-ingress/pull/75" + }, + { + "title": "PR #74", + "number": 74, + "url": "https://github.com/nginx/kubernetes-ingress/pull/74" + }, + { + "title": "PR #70", + "number": 70, + "url": "https://github.com/nginx/kubernetes-ingress/pull/70" + }, + { + "title": "PR #68", + "number": 68, + "url": "https://github.com/nginx/kubernetes-ingress/pull/68" + }, + { + "title": "PR #66", + "number": 66, + "url": "https://github.com/nginx/kubernetes-ingress/pull/66" + }, + { + "title": "PR #65", + "number": 65, + "url": "https://github.com/nginx/kubernetes-ingress/pull/65" + }, + { + "title": "PR #64", + "number": 64, + "url": "https://github.com/nginx/kubernetes-ingress/pull/64" + }, + { + "title": "PR #62", + "number": 62, + "url": "https://github.com/nginx/kubernetes-ingress/pull/62" + }, + { + "title": "PR #54", + "number": 54, + "url": "https://github.com/nginx/kubernetes-ingress/pull/54" + }, + { + "title": "PR #55", + "number": 55, + "url": "https://github.com/nginx/kubernetes-ingress/pull/55" + }, + { + "title": "PR #58", + "number": 58, + "url": "https://github.com/nginx/kubernetes-ingress/pull/58" + } + ], + "Enhancements": [ + { + "title": "PR #1266", + "number": 1266, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1266" + }, + { + "title": "PR #1233", + "number": 1233, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1233" + }, + { + "title": "PR #1231", + "number": 1231, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1231" + }, + { + "title": "PR #1270", + "number": 1270, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1270" + }, + { + "title": "PR #1277", + "number": 1277, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1277" + }, + { + "title": "PR #1265", + "number": 1265, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1265" + }, + { + "title": "PR #1262", + "number": 1262, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1262" + }, + { + "title": "PR #1263", + "number": 1263, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1263" + }, + { + "title": "PR #1264", + "number": 1264, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1264" + }, + { + "title": "PR #1256", + "number": 1256, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1256" + }, + { + "title": "PR #1260", + "number": 1260, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1260" + }, + { + "title": "PR #1240", + "number": 1240, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1240" + }, + { + "title": "PR #1235", + "number": 1235, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1235" + }, + { + "title": "PR #1282", + "number": 1282, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1282" + }, + { + "title": "PR #1293", + "number": 1293, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1293" + }, + { + "title": "PR #1303", + "number": 1303, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1303" + }, + { + "title": "PR #1315", + "number": 1315, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1315" + }, + { + "title": "PR #1133", + "number": 1133, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1133" + }, + { + "title": "PR #1130", + "number": 1130, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1130" + }, + { + "title": "PR #1076", + "number": 1076, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1076" + }, + { + "title": "PR #1075", + "number": 1075, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1075" + }, + { + "title": "PR #1178", + "number": 1178, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1178" + }, + { + "title": "PR #1158", + "number": 1158, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1158" + }, + { + "title": "PR #1137", + "number": 1137, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1137" + }, + { + "title": "PR #1107", + "number": 1107, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1107" + }, + { + "title": "PR #1099", + "number": 1099, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1099" + }, + { + "title": "PR #1088", + "number": 1088, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1088" + }, + { + "title": "PR #1080", + "number": 1080, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1080" + }, + { + "title": "PR #1078", + "number": 1078, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1078" + }, + { + "title": "PR #1083", + "number": 1083, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1083" + }, + { + "title": "PR #1092", + "number": 1092, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1092" + }, + { + "title": "PR #1089", + "number": 1089, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1089" + }, + { + "title": "PR #1174", + "number": 1174, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1174" + }, + { + "title": "PR #1175", + "number": 1175, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1175" + }, + { + "title": "PR #1171", + "number": 1171, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1171" + }, + { + "title": "PR #1035", + "number": 1035, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1035" + }, + { + "title": "PR #1029", + "number": 1029, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" + }, + { + "title": "PR #995", + "number": 995, + "url": "https://github.com/nginx/kubernetes-ingress/pull/995" + }, + { + "title": "PR #946", + "number": 946, + "url": "https://github.com/nginx/kubernetes-ingress/pull/946" + }, + { + "title": "PR #948", + "number": 948, + "url": "https://github.com/nginx/kubernetes-ingress/pull/948" + }, + { + "title": "PR #972", + "number": 972, + "url": "https://github.com/nginx/kubernetes-ingress/pull/972" + }, + { + "title": "PR #965", + "number": 965, + "url": "https://github.com/nginx/kubernetes-ingress/pull/965" + }, + { + "title": "PR #902", + "number": 902, + "url": "https://github.com/nginx/kubernetes-ingress/pull/902" + }, + { + "title": "PR #894", + "number": 894, + "url": "https://github.com/nginx/kubernetes-ingress/pull/894" + }, + { + "title": "PR #857", + "number": 857, + "url": "https://github.com/nginx/kubernetes-ingress/pull/857" + }, + { + "title": "PR #852", + "number": 852, + "url": "https://github.com/nginx/kubernetes-ingress/pull/852" + }, + { + "title": "PR #845", + "number": 845, + "url": "https://github.com/nginx/kubernetes-ingress/pull/845" + }, + { + "title": "PR #827", + "number": 827, + "url": "https://github.com/nginx/kubernetes-ingress/pull/827" + }, + { + "title": "PR #850", + "number": 850, + "url": "https://github.com/nginx/kubernetes-ingress/pull/850" + }, + { + "title": "PR #832", + "number": 832, + "url": "https://github.com/nginx/kubernetes-ingress/pull/832" + }, + { + "title": "PR #825", + "number": 825, + "url": "https://github.com/nginx/kubernetes-ingress/pull/825" + }, + { + "title": "PR #750", + "number": 750, + "url": "https://github.com/nginx/kubernetes-ingress/pull/750" + }, + { + "title": "PR #691", + "number": 691, + "url": "https://github.com/nginx/kubernetes-ingress/pull/691" + }, + { + "title": "PR #631", + "number": 631, + "url": "https://github.com/nginx/kubernetes-ingress/pull/631" + }, + { + "title": "PR #629", + "number": 629, + "url": "https://github.com/nginx/kubernetes-ingress/pull/629" + }, + { + "title": "PR #616", + "number": 616, + "url": "https://github.com/nginx/kubernetes-ingress/pull/616" + }, + { + "title": "PR #615", + "number": 615, + "url": "https://github.com/nginx/kubernetes-ingress/pull/615" + }, + { + "title": "PR #614", + "number": 614, + "url": "https://github.com/nginx/kubernetes-ingress/pull/614" + }, + { + "title": "PR #678", + "number": 678, + "url": "https://github.com/nginx/kubernetes-ingress/pull/678" + }, + { + "title": "PR #694", + "number": 694, + "url": "https://github.com/nginx/kubernetes-ingress/pull/694" + }, + { + "title": "PR #713", + "number": 713, + "url": "https://github.com/nginx/kubernetes-ingress/pull/713" + }, + { + "title": "PR #560", + "number": 560, + "url": "https://github.com/nginx/kubernetes-ingress/pull/560" + }, + { + "title": "PR #554", + "number": 554, + "url": "https://github.com/nginx/kubernetes-ingress/pull/554" + }, + { + "title": "PR #496", + "number": 496, + "url": "https://github.com/nginx/kubernetes-ingress/pull/496" + }, + { + "title": "PR #485", + "number": 485, + "url": "https://github.com/nginx/kubernetes-ingress/pull/485" + }, + { + "title": "PR #565", + "number": 565, + "url": "https://github.com/nginx/kubernetes-ingress/pull/565" + }, + { + "title": "PR #511", + "number": 511, + "url": "https://github.com/nginx/kubernetes-ingress/pull/511" + }, + { + "title": "PR #504", + "number": 504, + "url": "https://github.com/nginx/kubernetes-ingress/pull/504" + }, + { + "title": "PR #401", + "number": 401, + "url": "https://github.com/nginx/kubernetes-ingress/pull/401" + }, + { + "title": "PR #387", + "number": 387, + "url": "https://github.com/nginx/kubernetes-ingress/pull/387" + }, + { + "title": "PR #376", + "number": 376, + "url": "https://github.com/nginx/kubernetes-ingress/pull/376" + }, + { + "title": "PR #375", + "number": 375, + "url": "https://github.com/nginx/kubernetes-ingress/pull/375" + }, + { + "title": "PR #346", + "number": 346, + "url": "https://github.com/nginx/kubernetes-ingress/pull/346" + }, + { + "title": "PR #344", + "number": 344, + "url": "https://github.com/nginx/kubernetes-ingress/pull/344" + }, + { + "title": "PR #342", + "number": 342, + "url": "https://github.com/nginx/kubernetes-ingress/pull/342" + }, + { + "title": "PR #320", + "number": 340, + "url": "https://github.com/nginx/kubernetes-ingress/pull/340" + }, + { + "title": "PR #434", + "number": 434, + "url": "https://github.com/nginx/kubernetes-ingress/pull/434" + }, + { + "title": "PR #432", + "number": 432, + "url": "https://github.com/nginx/kubernetes-ingress/pull/432" + }, + { + "title": "PR #419", + "number": 419, + "url": "https://github.com/nginx/kubernetes-ingress/pull/419" + }, + { + "title": "PR #403", + "number": 403, + "url": "https://github.com/nginx/kubernetes-ingress/pull/403" + }, + { + "title": "PR #400", + "number": 400, + "url": "https://github.com/nginx/kubernetes-ingress/pull/400" + }, + { + "title": "PR #399", + "number": 399, + "url": "https://github.com/nginx/kubernetes-ingress/pull/399" + }, + { + "title": "PR #391", + "number": 391, + "url": "https://github.com/nginx/kubernetes-ingress/pull/391" + }, + { + "title": "PR #389", + "number": 389, + "url": "https://github.com/nginx/kubernetes-ingress/pull/389" + }, + { + "title": "PR #380", + "number": 380, + "url": "https://github.com/nginx/kubernetes-ingress/pull/380" + }, + { + "title": "PR #362", + "number": 362, + "url": "https://github.com/nginx/kubernetes-ingress/pull/362" + }, + { + "title": "PR #357", + "number": 357, + "url": "https://github.com/nginx/kubernetes-ingress/pull/357" + }, + { + "title": "PR #351", + "number": 351, + "url": "https://github.com/nginx/kubernetes-ingress/pull/351" + }, + { + "title": "PR #325", + "number": 325, + "url": "https://github.com/nginx/kubernetes-ingress/pull/325" + }, + { + "title": "PR #311", + "number": 311, + "url": "https://github.com/nginx/kubernetes-ingress/pull/311" + }, + { + "title": "PR #310", + "number": 310, + "url": "https://github.com/nginx/kubernetes-ingress/pull/310" + }, + { + "title": "PR #308", + "number": 308, + "url": "https://github.com/nginx/kubernetes-ingress/pull/308" + }, + { + "title": "PR #303", + "number": 303, + "url": "https://github.com/nginx/kubernetes-ingress/pull/303" + }, + { + "title": "PR #301", + "number": 301, + "url": "https://github.com/nginx/kubernetes-ingress/pull/301" + }, + { + "title": "PR #298", + "number": 298, + "url": "https://github.com/nginx/kubernetes-ingress/pull/298" + }, + { + "title": "PR #296", + "number": 296, + "url": "https://github.com/nginx/kubernetes-ingress/pull/296" + }, + { + "title": "PR #295", + "number": 295, + "url": "https://github.com/nginx/kubernetes-ingress/pull/295" + }, + { + "title": "PR #294", + "number": 294, + "url": "https://github.com/nginx/kubernetes-ingress/pull/294" + }, + { + "title": "PR #287", + "number": 287, + "url": "https://github.com/nginx/kubernetes-ingress/pull/287" + }, + { + "title": "PR #286", + "number": 286, + "url": "https://github.com/nginx/kubernetes-ingress/pull/286" + } + ], + "Bug Fixes": [ + { + "title": "PR #1179", + "number": 1179, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1179" + }, + { + "title": "PR #1129", + "number": 1129, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1129" + }, + { + "title": "PR #1110", + "number": 1110, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1110" + }, + { + "title": "PR #1030", + "number": 1030, + "url": "https://github.com/nginx/kubernetes-ingress/pull/1030" + }, + { + "title": "PR #953", + "number": 953, + "url": "https://github.com/nginx/kubernetes-ingress/pull/953" + }, + { + "title": "PR #828", + "number": 828, + "url": "https://github.com/nginx/kubernetes-ingress/pull/828" + }, + { + "title": "PR #788", + "number": 788, + "url": "https://github.com/nginx/kubernetes-ingress/pull/788" + }, + { + "title": "PR #736", + "number": 736, + "url": "https://github.com/nginx/kubernetes-ingress/pull/736" + }, + { + "title": "PR #686", + "number": 686, + "url": "https://github.com/nginx/kubernetes-ingress/pull/686" + }, + { + "title": "PR #664", + "number": 664, + "url": "https://github.com/nginx/kubernetes-ingress/pull/664" + }, + { + "title": "PR #632", + "number": 632, + "url": "https://github.com/nginx/kubernetes-ingress/pull/632" + }, + { + "title": "PR #520", + "number": 520, + "url": "https://github.com/nginx/kubernetes-ingress/pull/520" + }, + { + "title": "PR #481", + "number": 481, + "url": "https://github.com/nginx/kubernetes-ingress/pull/481" + }, + { + "title": "PR #439", + "number": 439, + "url": "https://github.com/nginx/kubernetes-ingress/pull/439" + }, + { + "title": "PR #429", + "number": 429, + "url": "https://github.com/nginx/kubernetes-ingress/pull/429" + }, + { + "title": "PR #386", + "number": 386, + "url": "https://github.com/nginx/kubernetes-ingress/pull/386" + }, + { + "title": "PR #379", + "number": 379, + "url": "https://github.com/nginx/kubernetes-ingress/pull/379" + }, + { + "title": "PR #365", + "number": 365, + "url": "https://github.com/nginx/kubernetes-ingress/pull/365" + }, + { + "title": "PR #348", + "number": 348, + "url": "https://github.com/nginx/kubernetes-ingress/pull/348" + }, + { + "title": "PR #326", + "number": 326, + "url": "https://github.com/nginx/kubernetes-ingress/pull/326" + }, + { + "title": "PR #284", + "number": 284, + "url": "https://github.com/nginx/kubernetes-ingress/pull/284" + } + ] +} From 3d4790f39941c310f0d12f3872b912083682e3cc Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 23 Jul 2025 11:27:56 +0100 Subject: [PATCH 29/33] testing precommit --- config/crd/bases/k8s.nginx.org_transportservers.yaml | 2 +- .../crd/bases/k8s.nginx.org_virtualserverroutes.yaml | 4 ++-- config/crd/bases/k8s.nginx.org_virtualservers.yaml | 6 +++--- deploy/crds.yaml | 12 ++++++------ docs/crd/k8s.nginx.org_policies.md | 2 ++ docs/crd/k8s.nginx.org_transportservers.md | 2 +- docs/crd/k8s.nginx.org_virtualserverroutes.md | 4 ++-- docs/crd/k8s.nginx.org_virtualservers.md | 6 +++--- 8 files changed, 20 insertions(+), 18 deletions(-) diff --git a/config/crd/bases/k8s.nginx.org_transportservers.yaml b/config/crd/bases/k8s.nginx.org_transportservers.yaml index 4536d6c432..4171b314ae 100644 --- a/config/crd/bases/k8s.nginx.org_transportservers.yaml +++ b/config/crd/bases/k8s.nginx.org_transportservers.yaml @@ -160,7 +160,7 @@ spec: description: Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. - The default 1. + The default is 1. type: string healthCheck: description: 'The health check configuration for the Upstream. diff --git a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml index cc04eb180d..6d5ccd8f8b 100644 --- a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml @@ -842,7 +842,7 @@ spec: backup: description: 'The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. - Note: The parameter cannot be used along with the random , + Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods.' type: string backupPort: @@ -1139,7 +1139,7 @@ spec: been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter - cannot be used along with the random , hash or ip_hash load + cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored.' type: string subselector: diff --git a/config/crd/bases/k8s.nginx.org_virtualservers.yaml b/config/crd/bases/k8s.nginx.org_virtualservers.yaml index dfce31b01b..6da1e18582 100644 --- a/config/crd/bases/k8s.nginx.org_virtualservers.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualservers.yaml @@ -1004,7 +1004,7 @@ spec: type: string code: description: 'The status code of a redirect. The allowed values - are: 301 , 302 , 307 , 308. The default is 301.' + are: 301, 302, 307 or 308. The default is 301.' type: integer enable: description: Enables a TLS redirect for a VirtualServer. The @@ -1031,7 +1031,7 @@ spec: backup: description: 'The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. - Note: The parameter cannot be used along with the random , + Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods.' type: string backupPort: @@ -1328,7 +1328,7 @@ spec: been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter - cannot be used along with the random , hash or ip_hash load + cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored.' type: string subselector: diff --git a/deploy/crds.yaml b/deploy/crds.yaml index 4744f3e859..c2097c5a58 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -814,7 +814,7 @@ spec: description: Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. - The default 1. + The default is 1. type: string healthCheck: description: 'The health check configuration for the Upstream. @@ -1775,7 +1775,7 @@ spec: backup: description: 'The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. - Note: The parameter cannot be used along with the random , + Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods.' type: string backupPort: @@ -2072,7 +2072,7 @@ spec: been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter - cannot be used along with the random , hash or ip_hash load + cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored.' type: string subselector: @@ -3161,7 +3161,7 @@ spec: type: string code: description: 'The status code of a redirect. The allowed values - are: 301 , 302 , 307 , 308. The default is 301.' + are: 301, 302, 307 or 308. The default is 301.' type: integer enable: description: Enables a TLS redirect for a VirtualServer. The @@ -3188,7 +3188,7 @@ spec: backup: description: 'The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. - Note: The parameter cannot be used along with the random , + Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods.' type: string backupPort: @@ -3485,7 +3485,7 @@ spec: been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter - cannot be used along with the random , hash or ip_hash load + cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored.' type: string subselector: diff --git a/docs/crd/k8s.nginx.org_policies.md b/docs/crd/k8s.nginx.org_policies.md index 51e9a57664..dd20548824 100644 --- a/docs/crd/k8s.nginx.org_policies.md +++ b/docs/crd/k8s.nginx.org_policies.md @@ -47,6 +47,8 @@ The `.spec` object supports the following fields: | `jwt.keyCache` | `string` | Enables in-memory caching of JWKS (JSON Web Key Sets) that are obtained from the jwksURI and sets a valid time for expiration. | | `jwt.realm` | `string` | The realm of the JWT. | | `jwt.secret` | `string` | The name of the Kubernetes secret that stores the Htpasswd configuration. It must be in the same namespace as the Policy resource. The secret must be of the type nginx.org/htpasswd, and the config must be stored in the secret under the key htpasswd, otherwise the secret will be rejected as invalid. | +| `jwt.sniEnabled` | `boolean` | Enables SNI (Server Name Indication) for the JWT policy. This is useful when the remote server requires SNI to serve the correct certificate. | +| `jwt.sniName` | `string` | The SNI name to use when connecting to the remote server. If not set, the hostname from the ``jwksURI`` will be used. | | `jwt.token` | `string` | The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the Authorization header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: $cookie_auth_token. Accepted variables are $http_, $arg_, $cookie_. | | `oidc` | `object` | The OpenID Connect policy configures NGINX to authenticate client requests by validating a JWT token against an OAuth2/OIDC token provider, such as Auth0 or Keycloak. | | `oidc.accessTokenEnable` | `boolean` | Option of whether Bearer token is used to authorize NGINX to access protected backend. | diff --git a/docs/crd/k8s.nginx.org_transportservers.md b/docs/crd/k8s.nginx.org_transportservers.md index d001a43de9..0a986b3ca9 100644 --- a/docs/crd/k8s.nginx.org_transportservers.md +++ b/docs/crd/k8s.nginx.org_transportservers.md @@ -38,7 +38,7 @@ The `.spec` object supports the following fields: | `upstreams` | `array` | A list of upstreams. | | `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. | | `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | -| `upstreams[].failTimeout` | `string` | Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. The default 1. | +| `upstreams[].failTimeout` | `string` | Sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the failTimeout parameter to consider the server unavailable. The default is 1. | | `upstreams[].healthCheck` | `object` | The health check configuration for the Upstream. Note: this feature is supported only in NGINX Plus. | | `upstreams[].healthCheck.enable` | `boolean` | Enables a health check for an upstream server. The default is false. | | `upstreams[].healthCheck.fails` | `integer` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is 1. | diff --git a/docs/crd/k8s.nginx.org_virtualserverroutes.md b/docs/crd/k8s.nginx.org_virtualserverroutes.md index 046c05d9aa..2fddbc2992 100644 --- a/docs/crd/k8s.nginx.org_virtualserverroutes.md +++ b/docs/crd/k8s.nginx.org_virtualserverroutes.md @@ -161,7 +161,7 @@ The `.spec` object supports the following fields: | `subroutes[].splits[].action.return.type` | `string` | The MIME type of the response. The default is text/plain. | | `subroutes[].splits[].weight` | `integer` | The weight of an action. Must fall into the range 0..100. The sum of the weights of all splits must be equal to 100. | | `upstreams` | `array` | A list of upstreams. | -| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. | +| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. | | `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | | `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. The default is set in the proxy-buffer-size ConfigMap key. | | `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. The default is set in the proxy-buffering ConfigMap key. | @@ -218,7 +218,7 @@ The `.spec` object supports the following fields: | `upstreams[].sessionCookie.path` | `string` | The path for which the cookie is set. | | `upstreams[].sessionCookie.samesite` | `string` | Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none | | `upstreams[].sessionCookie.secure` | `boolean` | Adds the Secure attribute to the cookie. | -| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. | +| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored. | | `upstreams[].subselector` | `object` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | | `upstreams[].tls` | `object` | The TLS configuration for the Upstream. | | `upstreams[].tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | diff --git a/docs/crd/k8s.nginx.org_virtualservers.md b/docs/crd/k8s.nginx.org_virtualservers.md index 6867f7103d..83eee730f8 100644 --- a/docs/crd/k8s.nginx.org_virtualservers.md +++ b/docs/crd/k8s.nginx.org_virtualservers.md @@ -192,11 +192,11 @@ The `.spec` object supports the following fields: | `tls.cert-manager.usages` | `string` | This field allows you to configure spec.usages field for the Certificate to be generated. Pass a string with comma-separated values i.e. key agreement,digital signature, server auth. An exhaustive list of supported key usages can be found in the the cert-manager api documentation. | | `tls.redirect` | `object` | The redirect configuration of the TLS for a VirtualServer. | | `tls.redirect.basedOn` | `string` | The attribute of a request that NGINX will evaluate to send a redirect. The allowed values are scheme (the scheme of the request) or x-forwarded-proto (the X-Forwarded-Proto header of the request). The default is scheme. | -| `tls.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | +| `tls.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | | `tls.redirect.enable` | `boolean` | Enables a TLS redirect for a VirtualServer. The default is False. | | `tls.secret` | `string` | The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must be of the type kubernetes.io/tls and contain keys named tls.crt and tls.key that contain the certificate and private key as described here. If the secret doesn’t exist or is invalid, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. If the secret is not specified but wildcard TLS secret is configured, NGINX will use the wildcard secret for TLS termination. | | `upstreams` | `array` | A list of upstreams. | -| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods. | +| `upstreams[].backup` | `string` | The name of the backup service of type ExternalName. This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods. | | `upstreams[].backupPort` | `integer` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range 1..65535. | | `upstreams[].buffer-size` | `string` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. The default is set in the proxy-buffer-size ConfigMap key. | | `upstreams[].buffering` | `boolean` | Enables buffering of responses from the upstream server. The default is set in the proxy-buffering ConfigMap key. | @@ -253,7 +253,7 @@ The `.spec` object supports the following fields: | `upstreams[].sessionCookie.path` | `string` | The path for which the cookie is set. | | `upstreams[].sessionCookie.samesite` | `string` | Adds the SameSite attribute to the cookie. The allowed values are: strict, lax, none | | `upstreams[].sessionCookie.secure` | `boolean` | Adds the Secure attribute to the cookie. | -| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random , hash or ip_hash load balancing methods and will be ignored. | +| `upstreams[].slow-start` | `string` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. Note: The parameter cannot be used along with the random, hash or ip_hash load balancing methods and will be ignored. | | `upstreams[].subselector` | `object` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | | `upstreams[].tls` | `object` | The TLS configuration for the Upstream. | | `upstreams[].tls.enable` | `boolean` | Enables HTTPS for requests to upstream servers. The default is False , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an EgressMTLS Policy. | From 0c95004edf0d0987fc895b4f9ea4e5ae2fbbfa3d Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 23 Jul 2025 11:48:58 +0100 Subject: [PATCH 30/33] Revert "Additional changes to types.go" This reverts commit 9fd3dde87be1c2da9d75434239a26bd4ccb37099. --- docs/crd/k8s.nginx.org_transportservers.md | 2 +- .../complete-example copy/README.md | 80 - .../complete-example copy/cafe-ingress.yaml | 28 - .../complete-example copy/cafe-secret.yaml | 1 - .../complete-example copy/cafe.yaml | 33 - .../complete-example copy/dashboard.png | Bin 354834 -> 0 bytes .../ingress-resources/mo-example/README.md | 80 - .../mo-example/cafe-ingress.yaml | 35 - .../mo-example/cafe-secret.yaml | 1 - .../ingress-resources/mo-example/cafe.yaml | 36 - .../mo-example/dashboard.png | Bin 354834 -> 0 bytes hi.txt | 2342 -------------- internal/certmanager/cm_controller_test.go | 4 +- internal/certmanager/helper.go | 6 +- internal/certmanager/helper_test.go | 2 +- internal/certmanager/sync.go | 3 +- internal/configs/configurator.go | 8 +- internal/configs/virtualserver.go | 18 +- internal/configs/virtualserver_test.go | 28 +- internal/externaldns/sync.go | 9 +- internal/k8s/appprotect_dos.go | 5 +- internal/k8s/appprotect_waf.go | 5 +- internal/k8s/controller.go | 16 +- internal/k8s/global_configuration.go | 10 +- internal/k8s/reference_checkers.go | 4 +- internal/k8s/status.go | 5 +- internal/k8s/status_test.go | 4 +- internal/k8s/utils.go | 4 +- internal/metrics/collectors/processes.go | 5 +- nginx-ingress/.helmignore | 2 - nginx-ingress/Chart.yaml | 17 - nginx-ingress/README.md | 3 - .../crds/appprotect.f5.com_aplogconfs.yaml | 83 - .../crds/appprotect.f5.com_appolicies.yaml | 2172 ------------- .../crds/appprotect.f5.com_apusersigs.yaml | 98 - .../appprotectdos.f5.com_apdoslogconfs.yaml | 68 - .../appprotectdos.f5.com_apdospolicy.yaml | 68 - ...otectdos.f5.com_dosprotectedresources.yaml | 113 - .../externaldns.nginx.org_dnsendpoints.yaml | 97 - nginx-ingress/templates/NOTES.txt | 13 - nginx-ingress/templates/_helpers.tpl | 516 ---- nginx-ingress/templates/clusterrole.yaml | 180 -- .../templates/clusterrolebinding.yaml | 16 - .../templates/controller-configmap.yaml | 82 - .../templates/controller-daemonset.yaml | 196 -- .../templates/controller-deployment.yaml | 203 -- .../controller-globalconfiguration.yaml | 11 - nginx-ingress/templates/controller-hpa.yaml | 41 - .../templates/controller-ingress-class.yaml | 14 - .../controller-leader-election-configmap.yaml | 13 - nginx-ingress/templates/controller-lease.yaml | 13 - nginx-ingress/templates/controller-pdb.yaml | 23 - .../controller-prometheus-service.yaml | 21 - nginx-ingress/templates/controller-role.yaml | 56 - .../templates/controller-rolebinding.yaml | 17 - .../templates/controller-secret.yaml | 13 - .../templates/controller-service.yaml | 72 - .../templates/controller-serviceaccount.yaml | 25 - .../templates/controller-servicemonitor.yaml | 21 - .../templates/controller-wildcard-secret.yaml | 13 - nginx-ingress/values-icp.yaml | 17 - nginx-ingress/values-nsm.yaml | 6 - nginx-ingress/values-plus.yaml | 6 - nginx-ingress/values.schema.json | 2745 ----------------- nginx-ingress/values.yaml | 691 ----- pkg/apis/configuration/validation/common.go | 2 +- .../externaldns/validation/externaldns.go | 2 +- release_notes.json | 1623 ---------- 68 files changed, 71 insertions(+), 12075 deletions(-) delete mode 100644 examples/ingress-resources/complete-example copy/README.md delete mode 100644 examples/ingress-resources/complete-example copy/cafe-ingress.yaml delete mode 120000 examples/ingress-resources/complete-example copy/cafe-secret.yaml delete mode 100644 examples/ingress-resources/complete-example copy/cafe.yaml delete mode 100644 examples/ingress-resources/complete-example copy/dashboard.png delete mode 100644 examples/ingress-resources/mo-example/README.md delete mode 100644 examples/ingress-resources/mo-example/cafe-ingress.yaml delete mode 120000 examples/ingress-resources/mo-example/cafe-secret.yaml delete mode 100644 examples/ingress-resources/mo-example/cafe.yaml delete mode 100644 examples/ingress-resources/mo-example/dashboard.png delete mode 100644 hi.txt delete mode 100644 nginx-ingress/.helmignore delete mode 100644 nginx-ingress/Chart.yaml delete mode 100644 nginx-ingress/README.md delete mode 100644 nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml delete mode 100644 nginx-ingress/crds/appprotect.f5.com_appolicies.yaml delete mode 100644 nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml delete mode 100644 nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml delete mode 100644 nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml delete mode 100644 nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml delete mode 100644 nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml delete mode 100644 nginx-ingress/templates/NOTES.txt delete mode 100644 nginx-ingress/templates/_helpers.tpl delete mode 100644 nginx-ingress/templates/clusterrole.yaml delete mode 100644 nginx-ingress/templates/clusterrolebinding.yaml delete mode 100644 nginx-ingress/templates/controller-configmap.yaml delete mode 100644 nginx-ingress/templates/controller-daemonset.yaml delete mode 100644 nginx-ingress/templates/controller-deployment.yaml delete mode 100644 nginx-ingress/templates/controller-globalconfiguration.yaml delete mode 100644 nginx-ingress/templates/controller-hpa.yaml delete mode 100644 nginx-ingress/templates/controller-ingress-class.yaml delete mode 100644 nginx-ingress/templates/controller-leader-election-configmap.yaml delete mode 100644 nginx-ingress/templates/controller-lease.yaml delete mode 100644 nginx-ingress/templates/controller-pdb.yaml delete mode 100644 nginx-ingress/templates/controller-prometheus-service.yaml delete mode 100644 nginx-ingress/templates/controller-role.yaml delete mode 100644 nginx-ingress/templates/controller-rolebinding.yaml delete mode 100644 nginx-ingress/templates/controller-secret.yaml delete mode 100644 nginx-ingress/templates/controller-service.yaml delete mode 100644 nginx-ingress/templates/controller-serviceaccount.yaml delete mode 100644 nginx-ingress/templates/controller-servicemonitor.yaml delete mode 100644 nginx-ingress/templates/controller-wildcard-secret.yaml delete mode 100644 nginx-ingress/values-icp.yaml delete mode 100644 nginx-ingress/values-nsm.yaml delete mode 100644 nginx-ingress/values-plus.yaml delete mode 100644 nginx-ingress/values.schema.json delete mode 100644 nginx-ingress/values.yaml delete mode 100644 release_notes.json diff --git a/docs/crd/k8s.nginx.org_transportservers.md b/docs/crd/k8s.nginx.org_transportservers.md index 0a986b3ca9..94ce901990 100644 --- a/docs/crd/k8s.nginx.org_transportservers.md +++ b/docs/crd/k8s.nginx.org_transportservers.md @@ -31,7 +31,7 @@ The `.spec` object supports the following fields: | `upstreamParameters` | `object` | UpstreamParameters defines parameters for an upstream. | | `upstreamParameters.connectTimeout` | `string` | The timeout for establishing a connection with a proxied server. The default is 60s. | | `upstreamParameters.nextUpstream` | `boolean` | If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. The default is true. | -| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. The default is 0. | +| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. The default us 0. | | `upstreamParameters.nextUpstreamTries` | `integer` | The number of tries for passing a connection to the next server. The default is 0. | | `upstreamParameters.udpRequests` | `integer` | The number of datagrams, after receiving which, the next datagram from the same client starts a new session. The default is 0. | | `upstreamParameters.udpResponses` | `integer` | The number of datagrams expected from the proxied server in response to a client datagram. By default, the number of datagrams is not limited. | diff --git a/examples/ingress-resources/complete-example copy/README.md b/examples/ingress-resources/complete-example copy/README.md deleted file mode 100644 index 895537d3bb..0000000000 --- a/examples/ingress-resources/complete-example copy/README.md +++ /dev/null @@ -1,80 +0,0 @@ -# Example - -In this example we deploy the NGINX or NGINX Plus Ingress Controller, a simple web application and then configure load -balancing for that application using the Ingress resource. - -## Running the Example - -## 1. Deploy the Ingress Controller - -1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) - instructions to deploy the Ingress Controller. - -2. Save the public IP address of the Ingress Controller into a shell variable: - - ```console - IC_IP=XXX.YYY.ZZZ.III - ``` - -3. Save the HTTPS port of the Ingress Controller into a shell variable: - - ```console - IC_HTTPS_PORT= - ``` - -## 2. Deploy the Cafe Application - -Create the coffee and the tea deployments and services: - -```console -kubectl create -f cafe.yaml -``` - -## 3. Configure Load Balancing - -1. Create a secret with an SSL certificate and a key: - - ```console - kubectl create -f cafe-secret.yaml - ``` - -2. Create an Ingress resource: - - ```console - kubectl create -f cafe-ingress.yaml - ``` - -## 4. Test the Application - -1. To access the application, curl the coffee and the tea services. We'll use ```curl```'s --insecure option to turn off -certificate verification of our self-signed certificate and the --resolve option to set the Host header of a request -with ```cafe.example.com``` - - To get coffee: - - ```console - curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure - ``` - - ```text - Server address: 10.12.0.18:80 - Server name: coffee-7586895968-r26zn - ... - ``` - - If your prefer tea: - - ```console - $ curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea --insecure - - ```text - Server address: 10.12.0.19:80 - Server name: tea-7cd44fcb4d-xfw2x - ... - ``` - -1. You can view an NGINX status page, either stub_status for NGINX, or the Live Activity Monitoring Dashboard for NGINX - Plus: - 1. Follow the [instructions](https://docs.nginx.com/nginx-ingress-controller/logging-and-monitoring/status-page/) to - access the status page. - 1. For NGINX Plus, If you go to the Upstream tab, you'll see: ![dashboard](dashboard.png) diff --git a/examples/ingress-resources/complete-example copy/cafe-ingress.yaml b/examples/ingress-resources/complete-example copy/cafe-ingress.yaml deleted file mode 100644 index 50a8893990..0000000000 --- a/examples/ingress-resources/complete-example copy/cafe-ingress.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress -spec: - ingressClassName: nginx - tls: - - hosts: - - cafe.example.com - secretName: cafe-secret - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 diff --git a/examples/ingress-resources/complete-example copy/cafe-secret.yaml b/examples/ingress-resources/complete-example copy/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/ingress-resources/complete-example copy/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/complete-example copy/cafe.yaml b/examples/ingress-resources/complete-example copy/cafe.yaml deleted file mode 100644 index ea16d9d0a6..0000000000 --- a/examples/ingress-resources/complete-example copy/cafe.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: coffee -spec: - replicas: 2 - selector: - matchLabels: - app: coffee - template: - metadata: - labels: - app: coffee - spec: - containers: - - name: coffee - image: mohamadaldawamneh/http-echo:latest - ports: - - containerPort: 3333 ---- -apiVersion: v1 -kind: Service -metadata: - name: coffee-svc -spec: - ports: - - port: 80 - targetPort: 3333 - protocol: TCP - name: http - selector: - app: coffee ---- diff --git a/examples/ingress-resources/complete-example copy/dashboard.png b/examples/ingress-resources/complete-example copy/dashboard.png deleted file mode 100644 index aaa4ebe16192e2f4968ea569e5e824ca5e191a76..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 354834 zcma&O1yogCw?BLU=|;Lkq(izvN|5dbDe3M8=>`!{y1To(1nF*&ldi zK97tc=j?O#T6@kl>o)^K*(L+k7;$GzNhrLgUq7m6arM($o~;B&q%2B;Z>q#F{P`;Ur)Q$lzan!NvF# zMx>!^%TSFN0!b6X~fO_AcGiXqdCS(6;>)|@Z?RY5FkDUJn95bY22E@`FVJI~z2M2->p8K=Ticav1eA(QP z!K1@ddl*b2)jG(xM>wT3-u8@C01i~vjUI{!BCUDb`l|*q7U}wJ31!d=2-2S{DY+dy zEGd~C&i2Ux4WuED5Tr`;mUh@6M?4!S?{`{1BG$iJI?phxZj$5JR|t_08js!x4xP4BGO6*@1i=$3w{h{wCa{() zmZcQNvPcIuh+k=U4`uc+;UT+LHh1T?9CL`Et0Y4q%fA+5{sNlHA#$mEf-K^n}N?RJuT z3s-%jaxapP!9;#T^bKrJ~GaZ!~e!AkBd!K-~ZR9WYAd`A(!Q? zW(5xOGo-h0Ll=(Jx};)O5SOi6Cm8|?ZX%VmvVHdl7wA43FDbFc%J&|YFPS*$Wfe>; z({q@;2d?cQESbfKDuU+^Dk}$TS3(gCUSclUVv72aq9LgZA-se6icsa3(OO@L^Q8DA z0FndEpS}a?>iuxcyDCp{xb)KuxCeN2REeNR$gOHVdALixpxUr}{(&!}*n|A`9WO)9 zZTXjQuKTjrCP`3CmY}W)&kPHZOWz}r!MyAa%@p0&Cng-=!9jV0_CTQX%Jck#GYex^ zCShAI1s|Cs1~En%dJ|l|5QZy#bXH9gIW_ikM+$VGA0sY<@;9Bn>-lx;m|8mGkb9x0 z7~YYdOJ9Bg{EryE_nk}HnO7b`6Z+Px=C>Q}EHkS+*;A8NyJhdO@w%U-$10|y6+X2U zqvNzu_|)`Z>%&%5&%qz?&3s~q#CArq=vt_tVBuSWkKRgUuF*_M(L#x!z^$??aXPSj zc<5fR+`6lBmqc)#L^L818B-odsw559>p<{reiMyFw#hYDnL?Dx2Z}j73@hD0R%$b$ z_<^|Uc-s$gLhnCVV#8BM0}4(Db+}&3nB3vl-P?nr9Bp%c3J1#85kWy_fY@(Tb|FPR zAe4L%80kQEh4Mjz?E8cp15)fXQnwQr@K4G2)A%4j4ZZb&TOE1EfA|Bz9Q4(v#|-ou z-06;X_Je1(Wk zu4sf^1)_OJ8*@3Jnger-#T}6%G(wR&z_1B1;ol-Ikcs|R0Ye`$x37CqXTxVC?);|k@C(EdrVBAhw#MG<}&6Ul%lcS`ox!0|Dp9I<=(|8!tLud2gm_8nRCh;s zNqgD7$2oP+j*Bmg{|4U;Uy9AyB4yS!PjaGW3~7ARJi*j@lCSVK#P5wX-diLTLkL6O z4Yq8p@B-sPtjzdQm9kp3Vx3|+EhUc{=g(J;hqQ+j3p&yfW}OiqwpkM2T(g$53Pv*H zqBDQuG&l`uLQj0xGK*KZQQkdCGg&y>n0GFjm`jkAoZT#3uW+44TxOEZscVz8^15}> zy_KR?+&y|Tf}Wt!XVc0{c~x9c)+g_Yb{)igvw*ou)<)o zykE4Fs*?h&6xDVgtACgeTPGKP_4s-|Jo`1B-N#1XEY`AeENlGdx7;Y>0OMHW(k&gj zr1*4|HkI0G6^pFeV5g`{@qHA6slMqT8zp0h@7T3Y)mU@ZHHS46b8ZXphee0hb4rI$ z2Z)Cjha_CgL|KGkMEFFyQ7i=U9Ok_R)!A)4O+4E?)-Ej@IltIu3g-&vf7Mn;vi3I) z-WDMaQ%)I|NyQBnkJn|pWphTh{Tj3-+G!fAoxTiDZcd&n9VzW!{=vWO<$sTi$`Gv{ zO-a1N2cPDb=D@GTC+ObjhUI#AeK)kY!rSjre_j11!O+#PF4}F=@Mrhc{NCi&(3#Bj z^3TOBlY{=N;wz6`o4wJ?)%9n#4jxk84{{wtLj6K^YndI_Z*|{R`$xeVcItN;cOH@@ zk%f}&iyQ?f1$+#g3Azew3>rq_C6^=pF z_`GOnc2a-lMqiW`_mOptTMcv58<-x^o|1@091FZ;lKVy1pEq--DjVrN+`YqLyab~m z=@{+2PddUMx~c+rLsdg3dS+hL=7dVJOCHDh$I*RmRus?uA=~)1D3Mme>ODm+W$vNG zemWY9{$;>XXxU3CD&2G=ZnL|b^SH~`JF)^SVpa$qgMN;}?)G;_7o!Kb&g{*C6y$~? z;v`fd)j{W<_D6Mk57%!`XkF!4y;$g2(v5G8N`LIF-=EUmwtgb*bnh%aI5`-eKXx#% zciu+Ye!VlZ6MH^!j)KS@$lax+gq$y%zCcrj6(81g)_SJ4a~(?2%lj(C=yOh?5F)X| zLXPT0dJZar7h*AjptMwy^M|HB$MuUkJPuauQCCe&&5I#v&(|g&_vtq@&Q18g5;1%1 z6B^0(rOY(uIY@0gk0K`5TL>6?k36h~6NS@-tujjJj%gdnvy^X+%jpYFCrn87=5k`Y zGcC2i>Ag~)YMV1YZR*tHRz1e+m?>s)6j2+{*OH255wV4Z9P4)zKTI+RGi*a@7kG&g- zNks0vgD#%)G)wcfbk?(l_}58E%XiI*(^<6>3u*i>uN@DNR~D5`^y+KVH1yg~58{qI zo-FRlXRqHK+3>H~WgKPPb|MGk1`p!L1mPijMLzVEwGxXP!FYzGF1_y*R%w-CU5!?QZGY7%SB%ObWmA z$d2}qTlsk~ldHCA%dT@}=5X!d*l}4qiMfk~O~a;lVPSW5cB6yz&iIgbqMSB-oBg(V z&vf`~R=Ja|T#NU4Uk`x}XCr6&@?h)bp7Z*lAMg1Q#!zT_3%i2_G;Z#|JABb;EQc6Z=78*T_#!LmwjOC1JVR| zTL}#Z5D1$R{0~A>@zn_k1d(p0tnR2TBh6!IW5uX%WMg2==xSvP+zkTpx$*#St&AP@ zNnNchtsQt=`N@CZ!2`Spf6PQq`ui3~3x0BS8F^9>8+&6?c1AWvW^w@pQc_Yrd!vs$ zilXBGSq@zBlbbp^+VU_lxwyD6y09|Z*qboD;pXOMVrF4tVPOF7U~q7=cGP!euy&yM zv&sLrkEpSOp}m={qnV90DR^If0~;qtesXf~gZ}&ThfZTxv;TRLwZnhd0vKchf5Y^K zk(uegdjm`Pz@PHSo4FcWs*9Rg8CyF5&k$hYV&mfbz2N`%)&D&5e=XJcpQUfunK}OV z(*O07yL zyaMkb_XBTzM2kQmA&{i#TV+>>gJswcn9~a|Yl#=Sq+|j3?y!Z5qM~AG3T3VOVsFLh zGv=^-ctgVGDz8`2(c|+nNXc7gL4J-C9#7{obH=O(*3O*O^UIq=6VT3YAG&6Nmr%uD`cgONG26CGw|QaZBZ*MUe0CcyV!_cO4NykqOWw z&kL~vJ2O(Ac`yvJ7ipZ}llv=jF*AILAiQFtI$!dtFNp#y3c>I0$Yg;zEntFdK`miY zn`qtX1XX!>&GY^<=l?yL4yqRyZ+T$kJbzZ%#Q+b0g$C$^4ekpIICM zn6FPvpc4PPbH%jP79zEJuh`T$(JOX^E?*N)QtN`{M39MT8zCvueJ8`?Q{FlLhQG?k( zyJ|aZ>H?c~qmPXyBk%lh%L6XFaMrv&c(r%+rI0`k^l??;{H>7W5O@6@k#j zg#38WfK8ojC5S%(x+9bd2kpei|C4wR(7)cp@7z5){cYoV2G2a$kk`as^fRX?SYjfOyCnic?p zvMf+rX*~Z3n&)P!%llhOrT#;y+c!5wfKoqT)5(sqc`Pua(SS~kWj_cw*uunkZ7bSk z{H^q_;eSi2VKj*!(DzFb!1QOLtAA>MWdd>~8Ibd%fJ7qY&FbO!%N_mP8UILWl!;3& z8eqN_Q2i38-~+H4`X&OhACqDXNJRCAFk)&KA|(DhG0A5z{!!CC;naSxThagsy*q2P zJphwM5A8}~TG%;T_X1a_jGur<7JmfQ)CS21u(xIb7SwFt=&2&Gx`MLfUPy~Y+lHnC zRFw;(2X-<52mh+8_yxZ;N)qak^rQyR&0w&X>gKH?121I)>@*`$kCX|I7-~S*o{S6W z?k=VAS}Dwv!$3V`#~M%6Sz8mNJ^shvu&h5gNe>XQGK(oag9pl*PS7F9q>?uSC$ z%;43sV8xfLfLTa^*o1LkcU$Tx@Ehpr55`ea=fumD7J|V0Kz-b0HI6y(`LM_Atq&il*75y!# zT7Lp*T~0$9pe#c10I50P5bt+K-f`b?XHU88L5xJ&Je%11x7y?>{3kk5F%rN^LLj)x zgOAjfnvV_4s0i4as7+cABY;TaVdiG=w{-UZ;hwPGPzqpI9{~tYL4_UF!1?ZFgB|IH z3j0$Et`Nt{7k;oQ{EbR^%KjmAhmj0c8gR&!U}v(?eQpb0z4RK;sQU4l;wU_!GPT4w zD)2G?&BnGee|BYmcO(YH4niQ1%-fEnn7jv`-~t9F*L0RYZr}J?Mo@Tw(aPTl|EA`T z%a_xWMFGTA00oXtu)&*T;MG&1VEzNsX@9w?e8$xu+1GL!qXMFT#0CQC z<-MhwGjJh-0Yqn!riHR}I;erNMZ3R+P(rQfW3az)`3gA!JR=N&(D2*s{bD{y0Bct& zA`qQNzI&bd0?~QXcq8L)&9o2UcO=2xA6fycCKX`%`>S|o5x_+dEug1C?pvw6HZU=% z=LP@@`WrE22(@DVp)@h^8xRi!KcsENB4kJz#Q?1J0S^z2)EPQ^C$3DP2B%I==w;)dV9m zO_u=_u{$m>|2N9N_s2?e7^mC-hu)D0cKJ-{i2bqvqaBI> zr3v_+R#LtYMp`T|rGnZqQN6HFT~%LH=HjbKZgZheEH;DtI>${(mht^x-Wiyldz%u^ zOl45G=OsJgX`M`$1>SIau~vmgoBM|#hW65gLfJ|NSC8{#HJZTWMY)qcGfyC}#(Pji zM|Q?SsVS?H^O0hv8Z7WkEHPM3gjb!MUL9B7tm#QG{1B?}VQykS@*U!d>ZKXJ!*l*I z5yoxdbwTiR%cJ7&Pcd4KU-W=qxBFQ@J4sfapV(VNYr=;L2(i* zK+l-=b+799U z)KIx^+|WFV9CWoWVRCGFi&1WUr;g~NX(8C4LBhxC%A*;?SzR~3?lh$I)Ty-RVQ4YK zn0(KMY7?gAp`8nzZpCrdg$#Qhy>=;+Ua)p*elW_byaCtDeiZVZzpP`vRIa$Pv=%0C zOU(7=7>C*C83QvOOUvR@Kn0if>K6IZ+@WIeVyl<2u9*Pw{f_ZN#kC7VfwfgjsQ&4~ ztutjpKL#q24>B+1MTEiw3DOLA2F5N;}z-PoGVKGIfWUB_he^Gy2%HILs;0ygd z;C=Us!9Kry=leMT%ka|xVltoMa_pmk zvKC2iu%@!UsA6AK-dZ5QUPXo1;i59C~4nV9P)WqZNOf3yiJ=FX{_nyb~PWoH!gg>E@`V{;Q*8O=08fy#A``P=ZTw`s_jg0z5uNr^o zS=@+Y3BT6A`3;;u@mD)w(;9H({=YN1?H;!*;Gz|r$+fok1f`Hd4FoY09~;>mL1?$w zBCv#2MVC9C#Vd=p?dK3E-<)|;U6(X(+k0>Lq{6_H@m8lyetfZw;xYG4N89>-CV}as zCrM3vWi^gBZK8x^h2QY?tB8XmW4A$b?ej&)U{qH6O2HMvQ%uN5NWztO`0tsY2gQ`E zR4Z$zzrBc|3^^zbe{piG#f|7gsH;>=rn`76%*VH;8hjTs*gsojQOD!tFLEdosSVGQ zd{w$%jv>%ycM3K4xpuNpL~h@U|MhjtV4>GuliiqHIr)dq;t?Vaa%?fB6;ZMCsFB0| znSZun`40HsM*NcMWbO-)iN%1^vbW?XIY5f)P6LD}cQ*}WK^mACKevh1a3>PSQ~BDDh<+@ev`H-su$uBP9@*AO-SafXDW?lu=Z6l^G1xldlv}9b zbZQlf()-tX|;Ns=%Wek`&>G z!wdel5u4}N0etz86I;fz(YY-&#<0OU}HP2&Ut z;`0kv67}b@Lf(-O2qP#JwcN7)t@b6q_m|NMLnWQpYh72_k$WRC-avG)yL#A<)o`53 zeQN5d>yI{Ev9)ko#Vg)fd$d|@ViT~Lry-+9S&j0>I-AxRV*2j0mY0jlz1$kWyQ+kh zM5N6@6MndlT?-#=~Ar*Q`yITa%WTp!OnkKS*vg$*{i3(Oe%! z_Su>bVK7Wv;DGWFNUz^c)>M=Yr8bzoE2QSP`|dBRCQwH>@{0kcn08rCv+OKs_N|^^ zxNmP6e~X{55T?vME*1l?$MCH!=|3yV6w@DPf9K@o2IRfIr{E0khN9vf7+|EK1J2%L z$?LEHiIl*#_eg{LrQU(&hY!(0%JN*>saKdVY=>s1?X|xw$NdD~NJ78R(dmK`KHYaa zZe~!Yn>OudXn^nCqAWuhx43F9ntVRl?O0sqNb7%ggSN4G?E3XYiTOCxcuda1yp-v6 ze7~>ZS?ACuVpYm+&v9Z|ib^s2T?FR3EXDZdx>@-+{y35&mcbIm<$Gqk-Q)4~!qU-h z5FJliv4EC~s|p-jb=iAORhF{kiBxa!xD$Zed=ciT)1-)oYA|Yo< zp0go)1zn9Ig&R%;QCFc?2A_V$pe;d$W=fi(Cj@*XvqJkx5+r|VLviWQBECn$2o}f% zaLh{W%Q!1TEgEF!A2r&Nc+c&qeV9IL&pv5 z>pV5ZUeJ6L->);p8Ydp^j+;usiyHH_Eu|*gk}#2E zFqi(?z+oE&%A;hDR-ooh8!kIeDMb>&N>*U(KGInltur+-@Cl$$GdR2PZ7m07-fSo8tfce)TN32~pwiUx z7jn{>8=u24Hotr<%CKXp+jw-PL1auDI(9M8MQo=aE(UD^LBTH)eG{jLxvCWvtzIDm0!Z&<^vIY4qonAJT@X67p_HSDhi%6srgVe6$m^m zEJhc#aXZp5YmdplwxstbqMv#TdtobCU7$FKbpj6?_myi$vNdf-9NSbHxs}{UYE++V z-CJb^Rc^V+nekJ}J+j|j2swrvgyt2!uPWIAayWS*aOI}FV4%e^Y7-q9i>)r@P3l+9>25+rCIJ>|Y#qb9wVc-?W0d0jJ?INzz*0|UE?ES1xSK(* zjNX{r2`HfIM-U>g7rbAwv8xLh%F6Utj{Nmp{b*&qUw$s)FJc6hAvVdZ;Ye3oF7)Z8 zb&nvhu8Ajf^ap`6-bp`y%_C05?f7%{(Hk{^xJV4dT|$E$=^^)66onQXwNoYz!2X|M zVlG)3B?CIa9Xr{&qR%&J9QWysSI8}Ozg{LU>df0p-oJ4*7-PHfSbL`CR*Z=%_Gw-` zX*{1^k2X*)R?=CwT@>)9X+}GXKp;&_Z1#)@lcmZw9pp>A-ii8W|1RH=2Bd&Hhn;a} zgDjf~M7;^w7AH2__6G`B(dSe5Rbdl`fjq^qJFj%98{AAEzzV*==| z(D87gzR5KLL8pyu?GWh0WU4>E`wpt|o1I&RFv8p0B;I&)m;(c^veSERyMhA>oEa9Y_>=|kb8azag*39$}$ z9j)9>#-#X)=}zqn1YW)${U z9qCI&o`L}!Cl3zKT5>CFHb=wDL93`<{!Vywv8rDT99F)#4a)_FbORv)8#j}BZEy2%XUc3>x-E~?u*aHDe##UN6B>sMg+ zf__ab+NY3-By z(nHy+v1`ARn<0Q20DvFhj!MV5E~x)Q9f=d% zgIU4nqbZ~As!OT8**e*oORh(z-18DM4iwuhExOB7Ua&-;K{-^}GPq5`UC<2tm9 zREY4pI3oq&M|`mlg7R0!Tw6gD?1Mf=6-kY@_qp<=v;}(_2}MF_B%dCH$2hVO#W|XB zQ?u_#)my=Sh)o(Od;Ka!5ZelzOSwedK7NL4w&%!JZ>>+^H13g*Hmx-T7!H*bp%WV*_X&_SJ#N&uHV$Fb1UQh7zsKdTS49~DVSF2?(&;+TaH0K^<$$0q;lN_U=8LV+ z)-ZqT$9;+K!TKV=S%&*td1Y&%wDg=PGvfKEqgB#@6h^$$op8 zF##0`4O!h*yLcW|MFl^A2MI6{q5|EUmP3Itd&{ymj=)H@a*g1Y7SHBoQPBWHq4pI` z0wwDCBNSvu3a9}X-J2!^(xI4_T|ZBzcN53?N(%i<*3{Kju!R_D>G~R=IraO;Tcc8a zQ&rD!geOG}^S?}EBY%?mfbXYtjJ?A}Y>nQ4toH?MK^SZTAWdYsfTEbOgR|34=cT=Oz(Xfj-JSL(-H3)>)9VdA^nWaVU zga;%BD6dJvsrTg?7w(JFe-%9!6%Cxp*}0)#6_^i50Yfu>n~?)_yhSRHUs9zzTVHp= zbG2_>?!M%eMm$j2kFf!2kM7`}OY32PF|k(a6|cbJCH_RXVv!1ef*UIfvp95=hoMn; z_?SRbv+B4G@f0)v6q(*3!-A!o<;WLqjqP7L?>P0xJDF5S-H7a^s*8t{KM#c>O7`R) z+VuI}pfB)QmHSv{gP{4S)~v4m#3cv3R?_LzvU76w^pUh4VPIf>ej$VU(azqj+8orD z2BeRI5KeeP3HmP4hrX!d0>NK1B%nsKw#!-=d>h{%dW{8q)~2#&0o*ON~f`a%!y$!G7LYl-1??co=Q%>@K|pMSQ#B?ch3 zag#a`g|yBsqCM@)E5 zNW&hhlEK)_Mzmk8YK|2fhv-~ro=&+PmZqqoAv};+(+0hqeP0}w*17Q2+(G+D3IgFK z3XBjEVu55wQ8&Wr8{O&p)lO^~@d9;qfhYZR@S>=5S7FglyVVALQ$j+U`u8o_JH|z? z(=}3pd?phOzZHeFFu63V25R)ZlJYGIAjFwKQgdo~*@}-U93!|R^UiBN3et&YjR6o- zx`UV)bONJZAZ|~aX^co+`)zv{Tpr|N=8eq9#)kNyt&*%SmK1+n_ z>JEsB#@Dmv6^@~I3aAine-8r#ErMw@Dcm}ew`n1;``&7F#s6HncKh=gM)37GrzIgq zq}Wbd^xPWtjdFu9E|;sJTeAbjs5Sm0els*KHfIOqlLUIcOqVM}sKaH0%ip+i$uukQyH!ANP{hnULd`6-PH_xVA*p`AegD~rylqWnu zyS5Y9zBR|D>YXbjf_0K`-;wk{DM61a_@($mW%_&MWXNts=BWimW#x!?pXUvEklV@k zM|2Df%TfY|SS5HiHD%?lRXvsHM1->$REyf^yNb_%g_UPfK@PAyBsc4YHs3FOSo=12 zJeUkQz^XdhdB50JE4YSVr#t1%_7SBmKS;IDD(w%#j?;AFDqP%Z$UpAUyd>iVWR)u4 zRfY5HX;J#=aK@v|t&|nQ=$Dn%-A9JGWR-(7w6k2IkxnK5qawF8XU&iuaE1#Y7H7@I zHZ$950ayK9{}5EG19vK?3M!}pC*L0;{~#&=waC)}C6*C_PgGm+#$4(Z1bVO9gATd( zYX|%DXp_((6maJ@9g%E!P=3b=F>jBN+jVj;co3W=ragZ9k!<3d9-V_;$6j_R>T;72k6(Dv`iH?Pe zLr~!4eS7+{vEWnG}+H8MO&VthOq1;xwxcMfQnm?3$mr*O!~GoJ=#ga^1A-PF&I z-KT4laxInLmLZ^X3bzaJqhn#YburUUM`7?WGBS3qQxsA&(!8~FWJ_W*i|_?G3GStt zT?W{>b|U~~$QFb&Al}jN@ooxej~&rNjrKXKtzZZVeD!&e?cIP4Z7fy?tJRGSPw< zhgAb7SCE-&m&_Vob=nTixgqqVpU8WuCMQLYd(XimT5s2gIv)$M`SKQF5Wx<}1k@8N zFMA@LD*EO@RY%kqs6*Ru@G{aq}u&cd;7h=@(qqDoxeyd79`#&iEq%_4?Dj9)n#|Rmr7KqS8@rl|h z6jVVJ4ZaIDv|ZBRs_$hFL5R4V8Tw%d6eVH66$Yqg=f>h}%5OLJqXg<{XK{m5n`V!u z=XvfD8yDLfU=XOXR_vBKl58eMb7Qv(d-FKvvd~SKC*-Iu^dg8ds#DC0ikxSlIXtS- z^KAnKw5M_h!4cHq_&4DWk84W9)hB=23$6IOcr^RP997eahDvOSgv*J#k`ir1Iuc2l z?zGnLnzL0a3kG|1g)($(QX#X#y$}#j3vZ0lKYvy<`uNdswCzz7PU9}-(n_;lR53Y$ zqkD8FYHNQVC|sN%xU={Y?vX?^<_mn9)I#Doi70W|Vu09Oe0D_=Ja}9NW+k-mC7x*- z@`j*M>Nv{gfufNqmcGU0Mn%t)>&}IV`K1LlFnQ(;{eD`>$K~Oa3;RG%(@TV?&4JRF zzI*XYBT-xe-)0@!*?;PxQ+h%VgflV0FJ3dcjakJ<2N#^2(g|P)V6y?K#?x-a?{Sg; z+lvxo0R2`zJib`lq!-*zgE!EtM6R$JlxDOCT4mo~+(Bo${6I^YJ<}{btJI^wg0oYC zmV3;Nu~R9qlc3x@Mr{dqnx~W3RLEjKSKA0dHV?Bi*Y;0J$qiKAGuOVeJL3oJo)fUk zYU?QTN9sH`huihr8-wfp0cswDG*17APve~4xQy1k@Wb7U1tpTpqshU_lty^7?Pfy? ziV7vE0Y8#ugfVRGnvUjbXh3bbe>e2%!y&d1ZVc*(-u zRWiE$z3k%2stjlt_@6LT3c1)Bh|J9J2AHVXU_%dy`Z2XpP!YvEJzuJ5aHG8Kd`nGF zFMQ@FqN$f>C@H8??ss+gd8|szVA^vA^qvgxk;h7#n;dd5F~$WzyXyuh)SKc=4}Op3 zon0b;9N>*Q>IE=pW}X2qTw*s(+aShyeH0!7`4qakoQg zllF#s{>YH19PC`=UGzaV`DCP_VER=}^g)!bxSu$Nsh3LN4Qm zI+KVmya;hzjAn0X`^C>hwUy2Wj#TgYzE$0R_jnJ=;cR(HA9W*z zgCb>Vs9}4t`g$$pmb0L}M)gr_Dn3msh_jp1q`fE&Cfv^0h1u6Lp8gEKI1$ng)DvQzi}g#MvIx5u9!sbI&SY z>{dy!+Gc!6EV9;)P}L_If7PH-%bZG+)53MB^+WK6%zmh9Sik9O23N|eJtPbpvEPSh zdH=GgOY1u8BgAB3O~@sRTIEww~40aO}-XA~-1d1tj0 z+#pnmH3CMRTR;8y$!29z=tzi#>wmr|+fk5!)9keJ#qel!F;j(8Hf-0EUYfq$xN&bC zd9tPPqyy*X18ZYY}1wGqU`#6*S1we@hW)BcQvw6r6x z`u5z^lrn?#T&@(3s8}OY;?_yVTnwZ&_Q|GKMypcXiCtxpX^Zo+cqx8mYhB(+MJvaM zwL{J*vkLodj_xu#P{)zFziR>70&CNkL7=LXr~q?H?ftUeNr+8gOv3iGi-x+mpb6e? zi|@Yox`T>BuYw@UF;~yz`dg(t%F60hX?3%Tg^$)~vE94l{i0Hb3uLGP6-A2)4*iF6 zB?WEW%i>tVONV#O3xL~@KI12!4rUFHYBCIIXdCKnC|{N7e?m>z3m%{q2m|+tldGIn zS3it3ugEm5b;nkFF?!PHkAkY+l0Z8DOQyL99*~rSmV1?xpy~*xNAflJx#~%oY^^AL z1G*qAsnsxO?TkYSjR5l)8@6ywLp?3{7^Tg>_M1<^Cq-i}8fR*8DqU~-0PR+JIaNt~ zfq71x{VKJBbbU3I?zp|Is!?bL8&OXQhx&jVPV1$R(3e!gZ8J66UYFCZYksgP2#eEG zRQ168nF<(pDKWCx5YzDa$~m{?AS5!dk0!H_T!s?_S@5jpZdbghN0Qqf{#3>1*>=zF zbU>*Ycmr{ozrHl1rd4X1qTu=B*vbRjVj@wEz~uR6y`iPMR07WGSAyGlcCkvgdWz(lvf6YE;z)Gt{6Gwy1ct8 z9OA&>u}+>skhIdA-qPo{rw0(0(RBhK^3N|`kR14g`c;Fqvgx%rs^#?8I>6iZE zB8{!_du*Yl%iRj3VAQ zp!Nm~JA1FN)w%S0(5ano-$lf`x}76!CK!F&89woqkltrU)G@qovRP5qNQ*BFKj}-L z0y;wl$UL;v*e{!w!o6jJ$OZ&+7D5MF8Y%bne(3seo(&b9v9Q>P7kRyQN%qr~fhn%U z=d~FGwLP3koiE)2GS@%b{65`hd^~JbzZ}%)uwyQxTCN-U^mxB$adc{>h^O~dg3IsD z27`pVc6w?HYNJ^zycc>`Q)jgpC=wj)>I7MsJRGaA>bZPcMVjfzlbS+pA@G1 z#-D6jlp*oGa)t!-(Tb}6uS*TOTCZ1(41&!>@vbx@vMs`o&T<idD(idTp*4Wk*t;ow`M-+n{FEA^~5R+w0tX~Wg1>WEoAy5NfL& zdfa{Kf^dOqtz6`VFobwggdin_wP}y_fnzv%r>+rUV?n!^_-Bay=80^rnFNFpyjuI& zAf4+`zIQUMcZ9F6kmKGQ z3cSq5o;S$JQxtFsFUqYz+#Fo^@cMS(nqQ0pbdjFm`S`&6F3IX-%#(DgE3L1#vTDS* zplEEc@?LGu-aOU75ViatXe2eMd3ljLTN3Q zFaUnv`|_={&u_2KOZ_K^Uf?G2R#I5Y>adiP#h1Q67Ra;Pmx5A0dwK*rxh+noj`m;b zFm>fnqBb#jE>V>ctSH4tQ+RTD(suw8zYlLV{-x736$@^36|PB&pX#?X?!zApEN46( z$j}kgK)F+q2-m& z&51tNCwL)k?MKv(Ingy3ga!rhfc>ewbF(bn`%WnWlAf9DePvv^ZAQV%3UN5={aZ|T zPP_mBcsgIZ7-y@p>jnn5FR-Et9z4qrCsX!EElUtNz?JQ}!X^dRSMt~-s3aKZ^y#_U zb$jiRMP(J;szT>9i(dDY@)N)Fl*pnJscM!JfhXPB+{}S z(XY8GH_LGz9Wk-&N`Bi+?^;Wqglx5rxy*T|=+sy<}Yb&ahY1g|{#j%%pKxO%RAh%liB zYHwfJ>iyp^5!@2}JyCkDd}1Uu((dZjpAD`hL&xMM*($o?ER7q#7JlqfcGCCh=6)sW zSz(K+t48*7Dho;zT7lcTLazW@fEa`G{o}_mAqMplL02(jZUj1nldhRxbII+O>X+l< zA#fpmIZ@FW7Rq{$jEwE+99H<-!^!!F&j;0`20wd38LxYZfLW^r@ObRP^{yr=LAC07 z;N>-0J=-E5I3b9-zyF~!9o?-0H^+az{nV2BwffYXka4bjyX`%@Ag5yI4s(Rs`o?;w zq18z87K=^7&c^pzr3zk?IJcEAVdpLv?g;z_uuU-fCgnjGLb|Q)>@X-LXK{i|)(z`0 zytKfdj4eW@HKEqi@Szd#HsQn69ULW%;HIYZDZ2T+Nwy-52Ca{G+yk~Z|5^MUw^1XuGK%8;bNSYb zlz3OkOaJMgsm7q&^HIV6-SKRTajoexjGwo+JL#uS_s51$54YP-?$<|=$-sX-fura7 z=F_K7KlT~)ELU3aF!m7P;l~%m#l*~GqiALTr3<`ZjY(>>4NKgY$@di6ySA>zetDJEB%n3!x#tLdpgASVW}Mx?cNRVq!itR5C}c zuDtbPoz=~5cJxUXB9r=2P%OnebCrs%h5OrEmBo*@AJ@AA)tj9e@HwqZYH^AMpC4YX zdR-H(c%I8RC^d>FYTLszHXpFCS!}D<9z8$Zqn5W`;R`(77&-`|qoaQn@Zu?JIeRbR zWbHB3=?{DQc)e>4rOTJapCEVo2oWRaMYrwp&+ZU^c3*;>KyS zT8Bkc3uuQ~Y`p9CvFIh9USLQh44%HF#j!VQPJUB2?3#Sv)YO>@u?d8K;cdFxm2?*4 zFb=&3fUcOLOBRyBC8}^w-KXQ{CsZ{(FQ>@#V<=dZwc_%&uKaZGu=c0BAiwhDSi|8U19UY>>_K)%H zPP(!NNC1V5Z@>Mu(~F}g`t~hE&gVAe1-*(75C#TCIMH!#Tm2+HJz6%cxx);3ZwIfd zxFpi+o*tNM8R+Qzf6xpiGR;1uS{QJu4Dv46Q>~tTs z?wLu_kJG#@K%i51c&r~I+@cb=^|lA=SG}7TZbk*}Ev+65jH_5L4R2NWwjQ=d4Zms0 zNR{ih+Ma!U+GLdYFv)eez+YT~9zOSFU$ali2U<%E9G4K;c zqv^M{wlu#simIqMJHsQxi-%)}nif9Ak4CnRMpb)xICy~L4^J&B={tkdXMqXGs&JHt zP)R9bHcQ8D4A?bbOiWb{fBGq?>m|e{Cx=&9{%o5rU35O|a-YTomAcD zo|kfK-%N_U9ZrEh!PU2kag?~^(*eh*zU!Jsb=>!?T;|< zFEtr4LgFmwvC0k^Fd`DxwDxC8OF390#rl{!x!i2<3~K7)UZjokUu#<=*EnHddTz$P zBh|gazSWknm2a0&mmb-#>?fYI;aP9>JOa?UgYepEKoGHRCQzMYPnoUb3)`YWEE-Pc zbZ#W+#^`UbT6y5~;ucsqB?pEsfjll?ETN&{@fDJ}J238TY4K(_c}U5-tEE&Nx;D3{}FcH@ofL^yEm&SS}mREa&RRtaJ>h~0tKjJ;QDCPIza zqNTMr5nI(3d&fNQe!jnR&Ohh-IsbTg5b}_?->>VwuIGKfjgoNmWghNz}T&L-fVw*It61-*XJZ{q7E9{ChWU_EUUpZ+?-K7n)0mO z>yt$vR6ua07HHf{ArtmzcjSB?F3iz)t1dxI90)L74UHeQ?(`H{gNeJ4l z3VpthH$<62Tg=NK^HE#!P>z+zkOve|d2G%x))?2RHV z+&s`mxDG66R8LU!M#-5#C^R@E8IQ zOU;M=I^sr-`KffA&-?vZ)OX-is4C~eb*Ac^iPGi_X3=bSYv>0lcU`*MjaO^Y^MfAo=c`fh1_oFkyub2em z%6<8LL_NDV#!?&f$S1l+bivGAcOO#Kc=^(AaMu@mw_OMtyl++065DD0ar8~}JlTfp zF{cv9bd$x8O4u=g`U{B-nkc&o&kKTkFS@j8O>Tu5kSAtOpGZ+Dg>|r}%s``?EHWn! zhjkSl-&v1qkdy=U+0gsSNSjTIVFD;#21my=2b*?A%J^SxZOVu}P2+x#SfWIQr}v2k zix(b5kbU9Vw;Rtk5VWju&195e6MqAjezT-rYtVvzDX-5sZqz5w$*JTA`8npjF=0n5 zuJ!AMv|{n7v*~l2WX)U;XFqJH_GwR+JPUnX<)|U1IS)~^_=OI1n}K1jajy@_cq<9- z-%29|n4+xo#-m}Mj7p4&i(i*mZDLMc8!t{i|BA|M-kEO)gY;1c4jVE6U=o>ho@ZL* zc!OJ??`+z8RsuDO(Zm`N7|!+%^BYQyM|7R7jRozVi9^0&X`@ zyX+0Nk=izxK7wAUP2jhhX)l(%FZEu=K~U8?HZhPrRDjv6Uf+ld5ps>q0PXyr_L z#JVIMJ*H2U0+dKM{|#~9Qg6=qYMmcW=gmabnhfxA(Jvbnl10*Tc3Y`$T1Zn{ts^cdKInfK zl92pDZ-1s8)i$T>m8BH?F>T|PLl>)7B z&P?Ez^!m*+Kx#Ms8KzScs)f($zOLzPVzc{1pa8~by`QnUUy0qH2gp{xvF z&hU(`v+(k&_Ih4dTG0WGedrl~U%Tq)CEMigN%Q`Y)`Y{rE&k+Ze}tacQr^ zg8{N`-Ke8#hIzQDkN>74tz65CSG4jC+CWs>wp7 z#|2>-oQPd)B6AKpKQP)~AJ?C8ir5$6a?t0o(|=)lsq}8u-_A1bw>!{0^?HWCy+=3R zA)S_VG#kVr>TN2Vv#Na~G4m*a$l&bwFfa7O`>T9j4{5X-#;j7rEEfW~eJ?Rg``8L!46X%1t7P!{9 z-Wllx+yVe7(VsGABtd~}@2Ig+HmUf%=b1Fsw6q3Hlh=4|&wSXO!79!|-QN7OTIFA8 zV7k9Fa28e86lTeMA-UMf4|Ngy5U_oCr^YV0#AzI@jnpR`lJn+gOYGne-A+HTui$(h zlQ5H;qKNo6hQkf=TNYr)BB%XMAi1!gQEee8S753qVcN#jHGyca(IUnga^c0GB#a~R zpCgV<8Q!Akwnqn|%I*rVY4Vs*MrnQ*;}S*5(&zE>bC8lH=0*_r)rLwkLp1KtqnXG%cws#erq!+ivGF+zN8X?j+aWp zJ(P1+B|la6Y7|L0X842jW3|UY%F4Ew08*x_o*MvKv_!gER265# z0bl(ZlZ&!3s{%VgZsJ+iaWaJ(?F*pBRt2(uBsT|PQs&7^z)3y-zeGh+;an{4rN&9`4P6B9UAD`J zPd7+u%+I(;nzJ0A8XX{Fy1rk(rJEWSUfqPp!gg%`HGcoQ<>a3jMwF0UsaL}9tU1uz ztVbmC^zb`$WAll>n`b&Nr;C<>#5|80ru|HXqlnXt34rGxitf;7q~`Er5N;WEs=AI= zhI-*aqRGEM$oCfqfWDD|7?Qb306~Y7R=?_4OiplSH>lx49bcarKfmU+sd7_I#HB(zH9koS zhyOKDXt{G8i{W6QW5GEyeV?s0WZ5WxOj_Ts8K3?6n!gXm0KHf*gV4eG$YIk*N+Be{ zl$zAcREB;4ea%yA_GRxxMMXJqu$mT)?PdtJ{-BSxthA?j{rYu}_B{hvDn2vhM;F&3 z%d`Dq-P-kv?kZ4{i%<*~&hlh^rm11ERDoa$7*%WcN=-bd!VO|ohW}BYuA7pil!&x% zDAftZ4ET#pM6d@`ojL?yzm6mw4RT=&2>n!In0J`0DLWj`(N zNpI)Js*$(-o(tTA7m@UfLS*Y%^+4%X({iMf6*!=Yg$KWA^q$~|_L_5(?ao1VywnyFZw$4=>u1( zoGqaDa2cPbEE8(CjQ=X;qWgHDoWZQx`ALoIbd~qZT+5RxbHRS2^+m3*u`%QB`%Ac& z&kfG5FC-}V6A?6;`|`Xx z1Yx>a?e}I}^ak6cQCXEs0~GXYE3@H{lb{sdWWN@z3xXTXwvwJ6jq<0Zx7pWwmp4?# zKx~P|zf-T20$88B)~Js8N%saYn*7lAr#y>yOM^qt+Xw4LM#Kx~)pYc4^wjs-dh>tq z&{AKjHmpLe)dsm7lhTF%vTp5BnF(6)vyHs@nCmTjn&Ln)o3$w%z?!;Ja?KLjZ?0*y zaTg31?Ue=0H`rt$dMt5sHqA}=8@pe8*HBe!pL=8!-9;2%+4&3HnmLlVerJ7=dvW{U zOX;EJUtHc``)4ANM+nsqyCl{h$){HBX(jm+x~b>C3*Watxs&}?_C!j-0lDhMk4`P}-W9<+T(z zZ~g5DdR0|bO%F^dJ38+&ga{!G48bKc#-X~4xIW!X8SKzndO;=l`2lO1iUaNMA||B$pWAcCaN4go%7lPVt;R>I%E}-)8`ve z_D=(=^WI-tkFT)kda0I$nOqKPW(tT+OXx%y|2iN?Kx3#>Vc?bs4w{DI=I~|Me$E)7t)`gj8QpA*9S(M$;fts z2F?h)^+`408fUiOX5H~pI^_4(79?JY9rF-GTJ0<{%M19wPU{7#mRhQ>)tYq$N$VuY zKLUUBu1V=?KWVCf?GzqYh6}CnT-K?AKpOZK-jh>5wC}ltLZP?6t+H+epiA6xVwLXNVMW#QLPDf0Qjp=%&Ta1zC@( zPuB|{_ZDwk8670^)v$Mj$%-_sSSHXmw}kZvs}%l=hywz3roY&<{*U-cTt>uMh53R0 zyymgQuG;?*a^)7C`tRRL=bIew{600#lC(nRJy;gT%Fchd=^jGG?2;Sv~q7 zHvM>7QkNWZkCms{%d(~ZAfQixa-CIY%^7yCVl3?g8#sC0h!UCnrCHC<{PdHiwli|3ai7Z$ds?@`Fj#(0Ei*+4h$JX6 zz6>wN1`N?Ufnx2V1yOuIL=dLC%MF%;{JiN)y|jAM?nYbVpA10o#j!rYFzUER-ovD0 znU$)&lYq2i&;}0n?a}RDeQ)Pqm^ri*p3r6%2d}FSjEWi{%O(UoD{(t@Z*n`g8 zT`<*0-#=A(FUbKlw=sbpW>5GgMb~9M2qZooazYUXQ^`AHCwr~pM;d0}IcpP~Wv+lyzNj{}Nd+`ww)Y{T=oq;JA;n7~y zk9wMbp9OYdy~BoDp{(0T2}qu`5$c20_ppN|xV(DDR8-jTF1Dvdj+I z$Zg6vz7Is}Z&ikS!ZWbFg#k-SVG;UP?LX=9{>@ zvdiBe7cZd<<)M8c72O_$4NWXq0%cw0-0IV410s1&b@*$+cl0-WxF*oRRL+aX{hf0#;=3QM~RhY{Yya*~vp~{&_$+G_K zgOmMLn@SNsfQ_33Ohh|c&dK$kT~`8#Ows^p$THs^BW3ildTJw5tS>myZ~OO;rEe*V zUJ!rO->jl-(lAoR$r|f_-&418z_7OA$diA5V6+d;j~>_pM&7qq`;6Q;gK7XAAWTB0 zeZLJDTzk^Kk~QHVp8tx&9+e*68q&E06BFbl!Fge*Rnjw2Au*YmQoy8Y@o3?Lv$H?& zt@X%Bw06?Fp){Z{xgXzDO6uB^nsWPqiE!Fl^y@RwFa{)G=u4AhAR81nVy>QojTGtq zWgy+U9uyj%E4cqtsiQ4TN$rU^`m5}Z-EyRZOJ-fSnt*fOz%6Jo(Wu80({yf^j;3nw z%P2#-8~`sx#1yyu@$U~lJHKu(x}a4{i~ZZ$qFBOma&nv|{a2#^TE&G)gXd4vDP2*& z^*crx!+wFHx=us<8eW@t!BV~g6{kK-V&z|zt0c*EPkQ*O!&IQ)sQpuWaJ;65+>ohE$y@leaDpPCv$QgvY?@q}c^lgL1ziQqukHNlP=33bp18-EFj@T=Ea9r*pHB&t757hqVGl5U!% zV@!}0mbbHElpM`|ZO@-lNFN!*PE-H>`Rr1=`})}gN@smgDZTA}&hJY`iGlcK$A8^) z$o$WEfAR0m9-$g*ht2yyAZT6v={p~TQXu^X$fx$k`fUyV7m4vWTcOtXDjeLXV>n}4 z{D21B>gq`wZEMPs(OsEupBY~!X?DJ(GzovGp=uE5}=TLlJDpu+pQ zFxE#S-%(%Ul^?MS<<0H`liF`<%SV4Pf@hI;tP7720~H3D7eKFt_VN|@O44zXQ_1SQ z&=Kp^Za=|yWj5%tiOMP@-7vLTGiM7`Gt&Y@%_B%)e z$94a)PDp~4VPagf{+|73*vvYMH&yATxVF4=Y|aw->0V{vwU_T;YJFE2lrT5zc+`6L z3dph@_R|X?miVK-kGcmGp7((hu(qy%sABbaH~0s*tSJ;QhWo3!&JHp>`+kIR1b#|M zS+mx3=o=Odb{3ifD~y%jrl4h2LK?Osow}E;-VaC!y~G-``@?_;zBee)dFT4c=u4Ru%^G;tW^BPl!w8KV=8FNZRv^DyiLBuqCEp{yihgyTFyIY-PN%5SA&@ z^p_wO`g%F)qFjIoUhjHM#mS3y3<1W;d$U{9PU61rU;-$h;oO#YXExhBW z+r_5nYyqIk*vltwle_KZ4`Jgw#3O$a&p4PNMO!hzAZKy;Z7Vv?Zpux$dfi@;VfP|V zblV;j{p0Us5n+UB?UGMsM0Ow0HGF59=_Qasgvq$R}a4;nJK7S3W~WA~c!f)N0;YFe%4aIIEfa^(8YSggO2 z*gR@nt$V|s_OUE(nG1OjguHl=EUR$u#_j5iPnP8>*GpQu`UE|C!n-^qmQ;^lZFxFP z@i-klbDDbR)Z_4HqWb9ZaHh3OK4PKiXa;$}`vjXR=HT>>B>+A7mz_BQZ>?~e({O6# zlmuN~OjrX9PgU3V+}zv=BmG)v2b>Ge2~|=GhCO~3J)H>!y)YIwQE)88_+U~^O;8{Pc0{R`H~6+izFd4V~c?Ylc@H`;tyNtnScSd=Ne6urx@5|AJZ2Sb2gjL`+v>{> z8x`LY+?xX+CWvW%z{W^%yrK5g?&;4|I0|qQ1KdmxV_tGuJ0xdhux|WF?oCG`y29V} z#HxhRhMbwas_Xc`D`aNKpuXQmRN+`6%G+)3hey>oCC+H$?V`u39QDz^s~yv8g8m{d zLdnfWW!Q^#&#JX@31zuP54eIetPFG5iE0^u z$)1t7^}>+mig}pN`hu**%4=hj~{1>en-R{s;O=6 zXIxF!uYR=5JGy_BkDs4$-9oVNE-$~KPX7$B$=~lt&;jC*YkcFDfv=jct}^}5P1mf? zEK(|7m3CfYl>{0NbuaIw%%gKmda~Zdo*>Cp&S0Yd=Z9FvZ&y~=1blX}q23FvXc2Ws zyU!*!#7gxVS*K2(N@M1I#3Id&7;I^(7ZVpd+VPf2+0|$L*Q!@Ncb>^Q?nL!U?snIt zV`H!eqz|~w*tyhdI2;VrTwOyC-j|QAwKL0Hyy~Ui?JYR!d04?HqZzK1G%pjGJm`WX zf&8d)Y{ysy93*DE9n!GZPqy?ep7O<`mX2nAfC640u8)7Q?tfAJg0v$sG4ab2QJUU0 zN!YF}lcaOX-_CxwgB!%~)yjY8*V={OiM_)tHf zI4UZtrz(2@rsa3Q1w2UzlX^*D%ez@)T<^)+pF*T%a*dH3Pd>x1rTSw0^cUeZ6T#Y}*+l)1-FC>rZi`q7GQX$wN|%CILP4)+IKcVK!WK>X_aXMK^J zeAULXhPmM9G;1#fFHvy#bMj{SygtwZ5__WqnkQJ@`rqj%^|bq{d+iy73L)7ls*Wtl z`ADz=>itw_(fgA0LeYw4Xg>}C_XHixD@LugC*~GpT{=BP!V0c2kM$4xKM&vm1{B^t z6ALbx&dP3j+Qys+_te~VW>P&W$XsX+QxMjUV?K2e86viohZQBlkkIY zemKY5EAW>I6F5^;SR1w!TtYj*6pFuVg31|{0__G*J-W+c2yC7YMY6^YUetMSA)_uO zUQLD5e_uKzs<^V%pYD~}({0K8{Y~rS;)1JM$2528wX)cU(a~1hAMPnat?vklN2+*B zg1J>|0jFd-MxUb~5 zl-Ig30U$_waGQ;LI+d?&_%f*_f=iZ%f=5jpGVQVsC%|P4sE0DIe_s7d%=Rj6L^6rx zsYaw-E|vWdZa85tCfZ%YBJ+bTn-%Tl;SbC2`j|N#*Ot01j1=oHj@iUWoKMt1M3~{j znjKlafHhoQm}^5*j`v#04ND8yGwL0mdh}CKyr{4l>bI2YuuwHjB5;TC&uWW8&jaEG zn6%j9oHR}obA$e{B;6u?KOTQY@qY2n>JrTzC{1;XaknOa_(JKdNGt=4y7!wqNW5+- zw%)Z`1J76Joz3T0HMLdtT-6O!l4%>YPNb;U^{2pxJ(t{D z-&`Jo93|Y=DXC8phU;w3*mN4;<|f>|X%c(mTqyOR11t!;1E$8F$ZeP1cCA}vOci&G zBdjDESw6z4_CJ~lD3=W`0dJ=~viYkH#B^_~qaAdc8=HNP^hn2mfibbmz}=bly{1yd zzilSRsQu!!p~XB6boLcVM^@lp!1qt_N?9TjutKG?ZT4B`tI7_bY%AT?gm6%W(}Ag# z2*rNmmFW1$t`j!ds>H*M$u!T`G+g*ob4Y?|gX@P9i-sqf-CfG1f$OUVh0`+XHKmzy zbT(@O#I`JjViUx+8z&1;#m_Z4|O!O<5#v z)reeJ$`$NA+1*tXCu>_Z72DdU&7Axz8iS7GhXg8-v+sVsB!W$x zFnL_mNHKZut+q3TG}AyNURWv~KN)oDf9L8-%L#eVl~h?^&J*F0L?JWv?FiX_-Qz1; zU7T;j4#zyXv~>)35=+s#oKm<*P1zS8L9<7a|D|MrT6+EDJ98eg?008%T-5H_uB@%& zg}In|q4mtdv4M2isrFFw>O*ez3M&x1 zcRnO(&2?sw?Y5gav|2Ekmt&q8_5^49*JUc)wqY4+^4;CIxt6J#*6j0f85y`C^=xo^6u^Qj-t%$01h%i$gDaA8*_P37Sze) zU;vWGV!%rM%v3`K>uY}ZNIFKl`Yzh6?MwgyY#%VYPF4X2TE`3Mr`FnMX5Xk9qOKx9 zDo~`*Q&$HfSZ5rM=-ZWnHQ`1;VR~%;pfFOb-ecMNEl0fY-LB>q1m3V(cn!=-i(~t&5G3t9AFoY zH^M3jX@<8I_j<&<$NOh*0_KhT0nOD>qTPlqjDYE!NeysVy!Z>FXKTa4D!|l7qh2}Q zr%;ec>4r~0Ujt3%&8FNh)v%7v&PTW`1_8qqZS1HT#E+L8eqhh63v!@&f%nsfka!Fm zTH)SdBCB1ylj`;uQ$_GlouYImWgX3grC!l|RYS48D~)-1_bTg#hF%W3L#C6s$H%3g z9go$%6YBAFY$ZK8lI+9EjR?!0JSORo)X@zfgQHJ%d;Rn`PtT<%pLytH$1m2)3vZ8G zij#Es?(!~S?$e#^eCZDyIZ)PAuJHFi7W(Cvgtt! z6Po+lG>Kra87Jwz^lnvwKtEC}e@Ta2KA zbS1OQTp;-iQgY|t^*-wuw7>-~jSZEXRi z-{==>ab+8>?<~#~PAZK$y>e>+3A-|wQh6gwAnvx&l#r)KLHY*x-m^)Cs*ML8K9fP} zfOt9h24@Ga>=&fF#_4^1milhGr>Dnsa?mY3)cY^=u!ajdSuJD+!KkUJ7lTP@;i?gc z_j1h2qe^3NF0>JNlru5(Fj{))j)sm-sjE~5QH7)jU}mI)xR5Mocor0^w7<^=!;6i7 zD$3OEWcKo+MmiiYHaY>)pTD@ccyx~7?+;v5yH)7qZ84?T$mZie)J)=UUPPTogoi(E zoyc;l+m!NLdOnCi&ZGnF7>$*M`!5EGrM1OmtEBlDMa(F?HuMUwZk8Y*2eaQO=}84# z{)PN100Lh{^$MCR%h6{MWP|gh|@f? z>Ba;UM-oKMDELso4J={PFBx>EEHUl_{pIs zMaZtLU!yiX6pnWFb23HTW0{-(_z}T!qpLegbNkuVx}p~lKC#lhma80oCn+iLS5s~h zKT8_dVZuomdZlW2NxVRCiAwEmVZ&k*!y)o?=8oXd%f9jjJW_xC)L z#_y&l!S6!Ycj4E1*4WGWN&>Z##2jm^E}(eD73U^ZDtPc8P`F5 zuI*$zR zb&v8l!tJ{vOSe!zCIM(FJy#6%EhRCLhneaW7+G4_sF^JtObE>?ZP=`5?q4OP@sDDc zuW#F9-W=*mWfq;Oa*ThoXhu`-l=zzFL4TTrR^x~Mxhrtst<^ifagY@aj6#oJz0fGOd zJIJ|^rxD*n*sdY~QZtoHzTc+bNS3r?q5#8j2v8Nw%cDm>0WRfrC~pm9Rv2lBqNnj$ zJ6kE>veo4qJUvHlSp;OS8o8*bV1fA{aMV%piKCk(>8Q?33En>70Nr9Nwd|ZOta~SS z=4>cq4XD%LTL0exLxtn;oKbCy{=lhYMS>3&SyB83B`rw9!P}nSaibygJ}*>SByYQ1 zG7rDhk}QGYm$W;ot^^!S8#SY5_Cv`w$}Y~!-RGZqviWVGaXp?+9B(c3DW*#jqYmnTUaqBt zBs(RA&y*Or6qex%!Ol9AocN3;VEn9LHRQJCn;E`bn-QvZ=HpQ`P~9dJIsJ}UaE;49 zQdT1<@V1DFFpH$?49}f)!cQ_;l2%OL))vfa8Mi!%cHxotdy6~>WeaktUz7k2-#&wY zEAR*b&B*I>C{ft7ZgrIUhX&@~XxBk1PCTrY=I#BTzq;`hihQkRplJykwuqy7-HQyt z%ab{;twM9cd0l``EcocLVh*NVnFuzufLv^#5hG=WSjh4)doRg1ZXI|WyPo3EU{qPy zX(0BQmEtk+ctbDTbh75O^FUUzyKcBtN_c&P5)wAttY6RZzcAG+l(E6uoJm_maqv8V@Rv3%GnG>{s&7%IeWqt28@*{|hdGyA%u4CfR%(Z6n zsT^FibiUbwB9c8`(IZF{DTLSh?5a zy>_;ag6!PEdqX(8Vqhaq3>xIu&gR|0lWhLdMvZ1?E#u8fL#cLaL}7-9CaM8ulsp<< z^nrq|6sj07B+F_(Dd$H!@?s8%>-j4k`VZw6kB}0Fhz10K^kdub9gS@X#nvKKMPtWAR-+7ugXSoH`10koNu^iQ ztviYW?$2taq#u~X#odfrYte|aH4yFV>rJF#ktBdy4sjFJE<(Lgy7>bv(VE?nvpjas z7#8WjGN0?r-%oqHI)=$Czn?c2Xjv$(PBh+@S_JHJp|w$&WBjW;?Nn!&&7S2azP

&ctUFu{j??)%F(5nCk4JtB(D z0e%TB1yKY?jSl$6i>)bkC5+#p*zWrK8WLtOr>q6~6y_0lIZQH+9u1hfr8Hw+r7e7X zSm2BDcUEPc^@}uD+*igA-w4Whd?2B5w(cGq_vKS|Hx2LDxQEmOHcynnzWbpXQ{9g^ zg}eX7gS^W5Tk`KAsPKW8he35$>(GGkYJ)n?tR9;eDTaX9-?QzC-ROtwp`yi<&D@`a zjO=!M+F_%ARiJIZ=Cu`S;o1Ut1d5^R4B-;%HJ%Rn&!^9F{i`>j+`luxWZL|_f%f;& z@OjzDWb0nFR8Z1}KgXM~=K}P2NKpEfn9H4*AoW6>%(D%9jNywHoRG$y&^N!#ttLNG z-h7HQa|*H2O;nsd0wANfcpaHexpjcaiXGOWzL+)34!R($NcJgKTGw>@*WRcVL37T~1bV-|j1S_vnH3IdDZtnaSl6S;J?#@B=Y-)v$8R`XL6Gi9^?g4hi%}NSs&I@e zu#u;F1^lDrgKy^cZnsGH&(Ajlpsm+@W0=I+N>bL(kHXkZpJa`6~|PjLHS zTxsSwrgYG>>10ri1GRGm_l6SyFDJI#rhRiLY58-E;zg}*=IC0FLxy|ka=rz|DJ1CJ zPge>hD*t96XDxtH*!)fODIhRVfqf@YhoGRNHEj1u9GD%q4AgMmpFi{uL`0-C3#HGscW7o+z8 zd*;%iv(V$bhoVGQ)2egB7)h>8P=^dq_Z(793E%6e1xOldpGVV zMtrIJg~}44)VGZP$fFps;GniQ5-pv4B}U*1E2kYrwven?nrwm9Te5%AuwQsz(F|c7 zwx6mvnrTUP1mWZaDm^h$Dy;muTnjp@O$&L^H}lM%DQdh)xbqNx<)eUCQp8T-PFaV0 zTRG*EupK#GfmxIL-FwR{=YDP1B>Y<1nM0X|obv{o_wrOdCgCl;S)RwI2(H^GQzWrD z&0IoaVroNSUS7&OahgW52FFDO)L5~V#8pJD!8zhb!;1;(!?U^dttAXj!WH$gWN)2d zOkfl;9bpPBL25Tx;=((Cp6E-!P#J(w+RyF>tUv%JNwht0>yhkC!$lv%Dh?2gdHu^} z=TtV+Q?JQFX3Y@WGHgO_JEa3(koXXL;#s1|0z`*&McVz$Wr`wM**9tS!ObKV@dsz% z(UM2A)So|pUaCz4c4Q0?K8$PhS2_;gA57=ncThepu{tn+w-3VA0Y9H!IP%Ee&MwvP z$9}HDA+|XJJu6e=l#?!lXT_pvN7aHp$U6jBQk>wC7Xd4T@%^*umGj5mep!OXwLg6n z4SPQ~SGT}~q@^`Z4mYjO%q0#cIdo@Rq?6-g{#y9!kGX>@L$HLpQTC5`gl4Mj;X^p$XD0b{mWctk$ro@=aGzUYJ8SzZX_0O0Q?{qS_O9pWv862u!Cg^MBN;r5l z`OMp}?B>Ffb#lsvDxku6E$Yv8rO$?Uu-=LxqTgggt%M5??W5pE(I6Bn_~TFNE~=(5`rRW7QJD^Wm>i$WaLeT}V<82Q3{|Hy z3@tAUQjZImQaJG};KM9mok6~=oW*>36N%J|-qEwHVHIv$7W(L4A8zTV(fO-C)L)L` zzv~V_kX(?JJdxog)7|azScr#;bnm0AwDeT5?T+|nu3s$J2(@Y%#{3NI^`-D)`DmDsuq4 zkw3mWo7mrV#G;T4^yHOVOZ802oD|ivhS6(p3#y(wvS6W}T02(=Z?RxeyK}XddM2(V zX&}74sj>~z_~BLQ;%?ZGcxO}gh!)W}<(B`+tD4}OrKBos`WU^$6P!uV9qWY`X4^p- zOHpB)kJLpYb;IARumD-XEU^yIU43&+*~w|F+rK&atcXFQ{ZK|{jXSvHL+$1=#RAGM zJ5(-f>4CQ0?xQlM+k#Bc>himgs3~dugVZ_#-Q@dHXqI>++m)IX?n~)~xg3Gx`Uk;s z8?{pTwO@>NPIl={;u=J+p_=Jj(ngFeWsiwhXB(GibwhVD<4HS!?IX(xNV~r3U)GTi z>%+2!mu>5OJILl0egAy%`*Sr@$hFl&qi#9x8%akZ;I;qJ%8GbF=g9ak2Mu#QP+-d+ ze}BFbh+`;)d*kGUw04(9uAWKiyt&(2NgH==#%5!v94*xXjpcXyYAsFE>$o@%kqQzN ztI;XCcOJKQG1)9l=! zk%zZ`Uv7WY$13Qsf1Lc*dCG#GdHg`*`(QRXNynhna%Ajnw-)HDZ(m2&+Uw8joT5t3 zJhi`tQJ{m8``Ge53!|4FMHK}Dx2BRkz3yg8RM%4*d`IzsnPA;2$RSU==}1G2kvO?Q z5QCu1rO&f|(^jva*WWmqYUrI9%eMGGy8yZ?FE~nP%S~trJ|*r(U~K!t0^zs=YUAMO+Myu03QsF6+6 z)sVquC0zxq*bm~KpUp`U>^EYb#8g(3(nnE`w?CT^{3^R?HrdT3zdS;;ThM|M?Yqh$ z(r0mFsCI2HN56rCr-rt9+Rp zu|*VCw`1uKw2gQ9;{0R+&fRBl{&f3Lhgm2=#T=M4gK%+t|wEEx)R zYGLzRP_akC8lhEVMznYz#Qr0a@3H1mx0#7oE>SQod&v2dE`BW}!=ET^b9m>Vzv}AvLEOY)~!V`%{Ij5=t{}y-M8|}f1&LK z%%wAoiwWyBAn}2>19q;1+Q^4zd%h-;F1)9Ev2&0Q#3WgWLBk9#q0`R4N>SE9@c}F! z!~wIL=ACMH*q0l<#uYZH6TqQMREKd0-sAqS-CMAd1<5F9ras_d2Go{RJY90RRGqOn z&vO~#9x z5*+bH6$Nf}Hxz^=d<{U>A{f2*wmda)j~Xoa&eLh*f7UL*FE%7I0zCkvWh6ToXm*;j zM&v3>_41#+YgUZBzKhplk3;dKBOnaIc#`;9$UIbt3vY)qcx?-MViZ7H(< z3JumTCH;V%sunU^>NB&oEQayl#bHAW-@89N1+V)kUCzWMVjD}BY)+tm!=|#Eq#ZJi zc9TY*ub9^)FHJt4*iNGYvUuyR4~h!<`{1I7TNmR4u6Q~TYmTs16+ z{Hy`s_7zPk#+R)#r7q58^9yac$#*#XZq0;Lq7`+hIr06SwVg&?Q|mmVr4ze8ZV{N> zDPnK+y@cmL?58Z<{n#i^x#My@AnuXF?eU?l6Q_?v9s!-6mj9w$t{VI=_TDlq>aJ@W zr&OdA5s?N#5D<`-20>Clq+6u~WQOik0qF*5Bm_z6E>Re|I|gLPp}YC-(fhvN=Xl=x z^78%m|8RZrn30*^>{x5;Cp4LAv zea$-k+=M-6Sb&3*Xe$CF_v<*Xw9&39ML-lz;*cMF!*Yi!8;2Eo;y+sy7YuY%^u!j9 zoQ>Rz+V?}m&JSzy@m%!X$;?meUvncJ-WIb>a){TucjgSTNAsYpmG7GS=~nA}THs_7 z6#KiE;Y+1Pvk`A^Y@|!6Ro{)VN;3RieApoa}Dc-b7W>!@JP-xiQ;`yHP78W^7rS_IX^f%xqbxgV9C%IrH6xXyVdu+i(O zJ?YH~yBvL+M($8@+=_Nu>dO^Y7Tw=g-{>@Rv1(VSv&-?22ZGx3=t& zkFuluqr@|65Icdg&s<#kb5eMp`bP0hYmrek)!-por4f4k~g4FBN}K7Y4(Bhy`5W7$MiVz|&!#WAw<9m5Ui={DA5?(AnTPMPobMB+crHP)NO(SoQ7 z4;Ri$$rMgv(+3h34Jb%-lf?`?*I#U@GqOvF%+!c%QWfE~Kg9I*WkP9q&Qo1wdR!Zi z=pOY3+K!!Dw~40%&B4#?u}))CAiIcbjCaGR6pqQAqt^RH>H;&6)n=2EAEU$V2cBB{ zSgW)U7*6R{7-r_NX)?%z&0IOnTu`7TmZBL`F&-;{FtldLRe-1*Hl-L_-{mV8u=N2S z9V?M_W)Rs}J$UQB?wtf)4K=Z0WbHU_9l`2QNkXaRz_{kb`E>K-#Gzqxi$bwe+xE)y zZMdtd`(jnd>!}={-L-*%W1F`wPcDI)n~7y~Bg&OBQ8+u4{iL%+*>7025*+~@>EUJ; zFtE_a^BKkrA0hA%+c)E)A8c+Gfp{y&?SEkJzUGWK=aO`f55MMNo(FdZnhmPn#(gQh zzrh)C%bgJv>ySWVO;P>!54iu>HX2w+DF%o(t?TOi0l%(Q<`Y*6-wQ z1qo_RvsiPVg6(AGU*8W7zFvG#t@Zp}C~gN%Py%1+BR92~(UIyg&dhwgb~0KJ4(SV+ z?!KI|TS<85LHnH0YQ;V^GoeQ4J{wc`(GH2czK6H7aMsA1ueR>5r)3Dzl$e)#{db!-q|_ZEPZNqdn?Ze-tR(%TP@H8 zB4`m@E>tWi57<^f1MqXK2AHKq{8r_1V+$||-h>ez-|A8@A zq|R25Nn2(%|)IZL|*u}to&Kc{vRgBj_A*Q>T*{G%`bgWoG{j^FOkffSph4I)4*}>4v zCM$~y89Ennac~eLW44+7*mSPEbso^_@{z0s^L3W*|A@;-#SEQEeXZ6mcCirk@A%%$@-zJA{nuoz=hKJ55Dax%VCt5UB$qL8(lTi~%&UG@1@@cs5PJrDSP z<_zwfS31_UT;(@9r!wu$TU~Vc z+z%2ou8XCzp;zc$8RjKW`fhkuZLd?FXHcPRQ?V%f@@1Oc#`I%t(%BbNIglq4WtV!k z5`wSq6dSW-=H)#pHMcq0x1?vub>6eC4}q6`A9V*E5Q1%yfE1s=S%3cqzs0s%gvzs$ zCzZhz9tp(&ePH}>c$UAtob%bEXMW?mN0%#XBAuE;g!9f298z9iUiMHr1@m4-IaP}C~qpe%?nBp8+nxG$h z7Dee_&~`X&h&cX8B9&oTLk>X7ihFCce;vbkO`&2Koi~goU5a#1G_^B}zfBxILUP6g3cjVXyAO?5OH}6UJ$;Zu9%NK~qluS8_B3qVa!M7}==FjFTI=F( z&sIf+^wSqr(SN^7>P-|p!m}#pNX1uw$II)z{ghpxe?dYu17Mw&ftZ!QzIUo}%czHw zsI^rI-4V{P)HZE< zV$SAo-L^2^UcDUSc==3n28!Ch^C`pn+-v9{2Fa;m0;ue{P1k|V*fmEP>&O1VINm(Q z8faR%^;8GnkJ3I)Kjo{*xq8Lr+|@*srRV;kQfkdcF+9mtpDkW1C#P(Biw zz@|0eGJ3P6%(_*U3};fhA?DEjq!*kR|Fwb|<(O{X1zChD4yPYi=}6RWl3m==zegUZ z(I!BrSuyleM6u)J@G>vP!4!@_|PsACNs*7u8smcdQ7}pZWu;+NxT0`nx z%`MC0K_sxh7cvV>(3gS)$jz;H;eqXrGRofxv>N7=v{b%KY6@zQH6eziteaV-)Q*Ih zE-a>=JQ(h3@mI(Ik)l~-c|s}QaOV`6W2D1!Qm{Rj-ZP^9tCTfc!D1I!s&5}Dv&%$g zw3OAFZ>Y%IXtZ-kJ+CfJOUHuU_>!oM#EsG9U9{Ww?S(RHy#OVo*Od6v}xPAM;T^a4!xw$0iK zG;||q@Ph_NLlE$|A=yJaIs)Oiw!2M~ptP00uv9GMcvV-c#?a6zX>4WQFfLxmrxW5N`I9~_Z`$`AL1gD(X9X`$() zV%@A=vDT4=QT!9Pq>Y}uEp{OvO5ce7BuiReb^(ehZPrVXcWylr$?9oq>DhXhtyW8L z%NNb&%gfc!-}ps+sJkxM$&#*@A5w#8L;*x2)%h2@BtJ#3(LR-(H2L5bjn`^E;lcp~ zpC(pA{lmvb;N#(`&}=rZ;n5(q40xFNm2gTTY)cTIT3Qz+*-&?UXpW41yy>*|CxvrE zQMJ@Drp>Om1JM!RDkYum5coE)TF<^VU!7fgbqQ7fg4iu&kA#=A;eCv?r@rC8S+tlJ zPC$F%IwLy&!`o0e%XUx$0~QibAn^7#GbuxPcvwp2;y;+cwl>OxnYh$_t3d5n?xjis zyS?4V`8xom&v39n)4Ez5XgiN6WM~hl<>3uDgtV`t*?jMo<6qyo3dAXHBeME1TB=`W z@U>(@Q+ddpTbMA7b&mqw-V5q-flK3>ptLTu$61Xkapzg;6pnd=ew^NXe&4kT?W56g zbbMNiy#*_bqhVg*&^^=n=(p>U?i1^?&g~oqS7`)In3u5s>#d_-?$6=%pZjs>^}`Iz zVul^$HLij%k>)xJhVGS?_9s#f6kra!_O@tRq%oETcMa=nHOpgfjb=Y{RROhSd-qcc z;_nbOH019SRiBR4X>YKh%JW(T9)IA|^Rv56sk)Xg$QXhU94Krv-)U`tW2Us$+!m1ZPXXz}r1mjHQ-p^(Zq zjNa`6!HE1&)c$qT`7nB$mR-XvO)7 z+`hjNCBk2uAc+>oKqyA@2@51XpWufy0TlM_tr>wY;!2*4ZyCKP9;i(Twmd@9l0IsQ z2%T?<+t--byA`C0<_y_?$$uV*OGlNuPbHtxKs~T#Rb~23jgVg<4=c=-d+k0n*h3Q( zUIxEcNez~w^E%z6W^YTkHNXcGSmV2wTT%O9r6AikRG4z$`u4KHg$_=|_Fg9D zM)=tTenlp04H>Q1>sb1=-$BM1s5H(S#_)(wdRW)r6N8N)Wtn?PffBS4@7gOEgfw0h z@1J>{1f3ft-k+#vZme^h$~Svv7-zFeF7>{+t$ud!QO~382wd!^K72zt^%4I!)?4g32?!ZNX4=>!g}lK|528*y z9(@ElP^FodzkDx1)pGP{tWfGrhuM|4C z5Q26LzziPy*k_q)M@Ym{Pfz5V;;+5r*06BX11dT`yt)T3>#BZL;2K<>@^DLkc(e*z z%rrHL^$HO-U9smhp4#==$2Z9WCPiOliHda0LGyv%V7MVJs6s#1})>_YI z*{_Xd_c~jAv6`&Gel*iYs?ZQQ&T3wGQE6SCc+@rjB5A{xZgi?fi!a5}?N_|Qn^Jh? z_)R1zHx|+G2`l7z1anT#dUPCrGX;1GduevU<%<*6U-J)!w>NN<3wz9rkpw0~7lYT>$cL2R9z%(>wpc5nj-s5q7*{%w>l88xL z;UwNLFyG#^_|DCZo?viui^)Lmj&r8qYm0i6r-DmI@!>iNR3~BBm-iMVdanMV0WXPV zNj)OI^@7YQ=G3CM^8Nlnrq4z6gvliXg))PZ_3c^0p7-jH2#j1E$4G4UdJZlZTQr^| z4$s}IGVIy>T92M`zmaleZIu3shn;VfTFezE$*w8wOp~^e*4jIy9yzHNJ{xaEs92%} zSuCh1zNL$6)y?~#LBk!)^4~mU7N|KldRNJQvPFQ31h%jGm98>g@IV%5o~pm<_?)Iz zw*Qvcplx1s%2+-neM$!0ckDzn2EHMoaM|Uu(9>0l^dGOSHpaHF^MiLV{RFdn4P`&;{;JLJZWuw85^9zCBQp-np37N46>LpMDXcF0MeVQ$psb!;LP&0V4(*TKMA#vwpLR{ZYl6r8aN|(C+jTN$X zN7i}sNqBKYYK;cR;Zr95lls)qIkewsnHbH}pEgJ~)dq#?oDz}3zacYu$%z8ahm4c%qkuf7I_2#jVB|9%6 zk?jSmc{JP}B`Mbq5u4av`4~<);rKV}59R=<&PdPiB>)0GXd$8OJ9G3GDYki?| zC%ePw)aioVb?Q`a;z zd0>~*RLfTogD?8nf3q&{(SI!q-VZkJH@fEN+yjP-d2>B{6{LrXb!U)U9mcO3I>Tc>fay{Dgbj-vtsCSSF^AkSg0J<1E7vp zsthjAMrP$}Cj%wwI8 z+^BbzkEnMRr#Dqu)3X?qVRprf?Vl?QYbWsb8?b-|nf~UsGMabwuhq3rD7pex_cdyD zzwq1^1{N&><+gGsgp=cUbV6W^1-jhA$Q8Kh$Vv?zk($rpOr?F9SE3nxFK@ z!cyDfexrx~dHIsm(pKOQysam}gO53CK~CKHW0ZQ7tZw>4;Ak*twZ++poe0k()}`eV zN^j97HHW-K9TiBAdV^wlo8S*G=>+3T>w=StRel5+NIQx=Js(@7pP0B-DxN=i^5g48 zd(Npnu$=d_w;pz6e-JEQd%$1Qb6aO|>jb}{-8066nPo>^9%5Gi>aL0VMn(&xyosF3 za(tgS!AfPtDjcFTXUag=OZ(8gAuZsgv+J_y_Evjaag|fT>OB_DmQk7h8_zQJTv+%& zBWG>gM*7nD=-yQ?S8q236e60V4LaiA;4jpEPLH=Y>+f?DT^lfw$?g*T@v!GMTxUyE ztHIDVm}4KddVg_OSPN8H&%Cd{JmD|p<9y>{V&sM>G@hFocI$KAO<9?Ub_d}Mw^8M1 zWA+En6O4Wrl8ez8{jwaeD2n&Mph}_)YS;^|CjfCr1K|;`mu&fq_do;0GOqr{{`|)+ znq>QVhFPBk^@E>%UkXy^LAytO^^Cch#zwxyHbx{7yF<>dZ zevwHCp6~+YZ#PRAzrv>JZN#c1c>SD+>W9@;8b9pT7k}_DAa=h1h!~UDA`p4dqoNS{ zZt(>0T`_lTD@sl3m32WzbfbeVQemmT4#)oE@-#a9Ts;4^Z`@$|+Oi_JQAfG*Y>IZ^$|@GjH;lsq%B$eyRbeAA;ufd8#+gPb`IOiTr0&&v#8Qy*ge0U~J$c-%!EJ*8~hOnoV{fCubX7xhR+26=<1VkM5AE5&$W(L>B)@ zD`0Izm-3Jc1+JSY2xmqSL=sc{(7tsZbi}JbTaiBzJc@h2Y}5>W-(9fyQNTvosV*-4 zgoJ#-PP~}mNd;{f`BK|Vvj07Xf0?8I`u6a~FMKKD2S90!F{K82pUyd))gBUvA|0UuhO&*+Hv0glhHl;^}KfrFl8`0E0jHMCgrDljOMLL0z`P& zbToMjM9rVKlLR%O2gWoSTl5tslRl#1bGA#Q?Q6H^6(9E4MXRCzP==6JDbNvQaA5bO|(XUwUAUCF0k5TjkLB?F2(mO80k9q%rx09dU4#;ejal z4n0saIy6z-SC2A((ArswoW0Mm81PBW- z$yYkB@If$OP0mFCC;WSh!ol=YEBxEcOaL{&bClqf7MaCA0;5||^FlVd%sY0qU8Sip z$yvJhC(jH2wY8Gn@iAa8cu`yXIw(LHHIO^HSGL)(CB4vWXyjIZhd=*&*kVDrKaJ;0 zx38pB7})PnCA7_uu*;|=_XFqlQkcJ$6Cc?cH?QA8`1)_MZ-1%AUJ_W?G=fHVmM;Iv z-2OeTe?1Oz9iaKXT4|yG>;M1c?L)8(e{A!?+WpUG&RhoPBjm%~W8i%J&;S2lAN#Lw z|C#XLtHl3V(|>mO|3Sk35$XR2ZTv@v|Bsga?W=!`);~t;H-_jREB%|r`QOU*kCpz% zO8>Pr`R7>r-}>^`YvuLNvGkk8`M*rkKUVtxT9Ut(wSTPiKUVs$mFxc(R$2@TYa1t! zu9sN>bpd{zk8|+{7=H_hp?P1v`xH>&fD07Q^!3?5N7E?Ke?_3R@Px;FFuVKg z<%=tnrnU`0Q3V_vImjH%i ztG`72_c9}<;0?$sP^+e4zNn>!1S_Ugr_JY`!%7clvG@U9 zWLF_*{PX_2pV-|#OcPq2Q$)Z)E$GmB+8-UYH)5LNervPr;=fyd|nyelq8cdBrXF4sxYk z;9V{YOBQmtZxKFe54iolq4-I67P`3BP-NDizv`<3!zJV%rVF4klhx9SbMA>@)j@!M zTiEWWhA)!-%>^Jzg3?F-8#G>t_hiS#(Y)=5z)J{AyW8JNuJ_=LUjAmV!*KBwn|7wO zhKMS6K=qo|P@6y?0$RzJd>@Lb1I&VRU<L3ya`8G=zX9M!JPq>X?E`3&%{dQ?Tl z#KfOj!t3?est^%hkl*cr42yjQn#vdy;d@<-rVG5x8hgV@`L~vd#s}-o*H*n6hv>Y# zJYL)jDt?=9c;eK;E`ymPRko%_UrFkFP3ElZr+u$bx}U$uzDmP#7X$W!DtgW~n2qk@ z;v9Yv8OUC*$yU4hb&d<$Xm_{t2$BtA9w*`xL9`j5O}@2vZINK zNqn?l`t+-}L}g`V&kPJUR%A6EiL8|lWXQ*|73?fK_4X}NTPT2`P-4J}sKVz?rgflo zcS&@uymj68hQN(dsXl7m*Ff%X1M%~>&LGCRE+YzFE?0c&#QtsiA{7&7b&TfHwY=z{ zfyX&??#AtOL>W-m9=UPD?l71%Vbwm#fbo(Bm%z-A$41T2_2|25r2P^(nLQ0p!e#mP z*RB%`4GnFBHup6P<8`i%{Ck5cdW+-7Gm%On;h0wlDyxNoI)iJ|LwuT7Mg@*f-^P4E zD~_P`qS$q!xY)_nD2$nH_Up)2PB&Wa&rIv6D53Qddx_fD7F1q{<_xv3@OVzT-|nlo z-HrD$Z8^@xPCGRbeFq6PBZorEYmt4ywN;XwCsX|ow}i%&8y?xX6<8>7u5$$5tW#$< zWQQ!iRm6EN8H3jqr4v9-Mt%GwuJ%E_!7~?grQr3c8jTPt;T5uHuGrK%nA^Cs4#;7J z;^N{w`TpY}=s9DGTk-BvA6@<;rG*VvSTq4TLNgS$)U z!{<{ExKa9Ig4=Ef=JW#CCL$?WiT`effu8;R!)FGoJlz)iHTE5Cf%Wjf%=4;*yK&)T zFys#X4svdl@UoA})Qf2$CKYsqM;pZl;k1~I%GSvyOjtUosCIs9oQy+LD6@lRqo`D%w`pWzBG;2FthX3)AZ}@yKR7Z{*%D3w;dO=e>J5I55h4UU{}QK!ytLu8f!ECR(?U7TB)MH|l&odPk%f#_q8d z*#B82YoGI5Mo4;k58PiKP0I{aB8c2rGc}04-_zC>4s@AN3?ka`RiCt8TGUk<>F|tR{}5ua=?Z8Hg^1f|nF!#J zu1<9N;g1^G3@n^(8*s!``PzaeYwyojuyv$U8f=4sa^hpax~0?3RvSQ5I#kd31WYm> z^QilJ)v5xH>ysXrVKUcctbtZC)qCNAs+kA|a1Yn4lpEy~{Po$~JAJ7Z9pSBFbaqPE zzoS{{eejS``Z$?tef*YzeV%sAB%e6M`Bf$YFYeCHEyY-h6p^bm6`GZllcUyPjmb>T z0A;~rPyP!1Iv4)}-^rhwZGjrCzbZBj@>=}yv5PG@%a9D96LZmUugBS<=mk?@-F|%S z(L#cW>^`8k?sO|O?MdFwWOtVZ?JL<)X2;0LX!M}eLHc6BhX5xwDhdWJ#G9U*NSK&> z8e0X&=Ia=B6t(+&?M^q*S$uRfafSTU0#K^?iiWd%Az%^~_FN_>$}PD%O38g^Ct3gz zD4Ax9o({!BtH#=mj7Y_8p6tB5sD_KPjc3ZrFV6R2fQU~LK2qZdJ=%_KxR2`e@~UIu zb#*`qM5)k!AGi;x&NYz5N!y<2)z#NWD;f=C57!rV=WEqH8{GjpFfldz0GL{3)^x_QG~cVc>vi2Mu*0-BU+G`gVPfIjv^IcB=3O8mJl|izp(% zoE&CbyxH?%iU>78LXMrnyVxuqJZ%Oq29@klP zq1$)v-4hQyuEIHYe00QI9mX!WU9_eK#MD)fwB@%Y!!%)b=uk9g#7mCk8vf-ehIC8} zSld&}TwXy%v@xAC%_~m!yiCO9@$qDWt(mP8;W;$OBZu813-B=)WnOP z>2rDO7a#qoI8&~GHX-2mx)y1J=13Y2A3KAdAx5KLUa;cWAsdg5_mJ~VSE%vUOcfq` z`nqkn!nqpQ^U><}^j$p^D$s1E1Pj}9H-_X2p>8^CK^HXyYtCl3$uTV1Hm5@rwx_+5 zIcE|u=~<2)6UW_zT5BYLC+T`=303k2($jzO&rIc2Crp^cE%~$YguB-B1QQSwtgwl0 zfh}Qsz+2z##?PmR{fy+Ef{y~pTwZQ&iQjmY?V>vIw^DMs@FZZ0>z-hR5kCTE$@Ag_ z-T}-_7nGH9u&b+!m~yuk#fvUhd?dwnu{dU$QYO*$0y?B-X)k6A4xSg#tF;i&A!56k z`n=c8z>{kwr?xu4R=$E9TC1#{uRX8RqIczuJ+X0JR~(l#!;=rs*OAxvKn&4&rg@Rx zoGC>Q;+pe&K04;cZsiv|^|-CFSOT?TlDG87RJP@>bS${%e%o79sn9v!-i90n z;Ou*5VqQ7{ghq!@oZps(c!#irt)gvngrA+{W|}KSuZ9lhcoK@J%->gK6FUoBcW)S1 zaKKdT>~fD8zmgr|+H7_WXuCkh(So0+(>FMpIUzrB8_ylazoSFK3N4SP?OzdmbYv;H7y(%u;4YV zGc9L2n6>|M&vaBC?AU*fNGiTE6@U^l4A{!7Ea(DS zkS7S()l0^6_#VWiq(Ie6hG>UXl!Vpn)J6{Ao^ZT!5x`)q3}(>80j&;mMfvWSh#jN)-C*`tbLQI)cS70*v&|+Sv?`F3cF_iun{|LPy^Dw6YQ}2` zu6r~`eQ|G^r;kmi{541OXgBZ6HPQ3Kx$Oba7klN#S&**h*`CQ}wd2Ngf0>1btzLUa zhcR$KmA#EA_lGQxjvn(AC_co5UF?Wn7Sv?*b=y}JMbkRZ%h2gT-J{L_HRzMNFpRSsUmJm#wS)Aa}NN3pX zVK{I4Id%k!zZrXLyt2f>xjj6)P2B3~w5sdkr^^fR?wr}CY@aQ*gmYH)Zmk(!Iw=9HK?{PH?QXLIvKW)kalbG2@zS7?MMtb?@WOs9CP%&T zQ+IK-qr6sEBZIR+&T{5bsaSLE&b*C;iKo_t6YsqYB*D&ttkxOM^5UU$c1@pe`dMMF zr~mmd649q|Iz6;#lVLS46lbTR*n6pOk#49M;az0YAu;?uot^Zg@nzh3M?&Vo`rZEJ zQ=L`ZHwz{Py@^Sf8|@KVmux!Ri-uEQcn}Sq{&*^TG)bOu5lX(mJ^!6K&chu#cCm2T zdAlB?%F$VN2Da_-dEq#PPhM1df$sRn4BEDDihTsqglCFFdR~%2_Xg72tXe&!j^&bG zPqg%!%0TAI(#>V}#7D5{&7AJMz57 zhA?0k`_KypfzcYkkh(*z>Sr6vs$=4-V1JM6)d0E{<#A~afzAj&3x>|(ss2cTo`tVh z{(+t5K8lkc>amkxa(hr<l7M|N9NHbi5(i0Ly9stU8Iqu;o2LX!&lllAnq_c{feo{7yd9oy98q z7!!2RqOwto8lK$({LuWs^TXV*tp_*msmH|EH#`n%o&iJ-6-|?lJLoS?jWn545;&+Q zl{1sN7VZf;Tn?+-Kt4b5JZ<&-mUp|(dB@~v`k;Ps#lX)S#OZW=Q+D8@7NDZ;GG$QT zTlPGiqh2UkPL#K{F2bV{8ilk%7nl0dO|0|}EGz}yoo`&6Z}ev=Q6p7nEI_zXd%E4h z3A&GPZRVv|>s{hkE8iy(D~R-|*pE4FX;@rX=!xp9(tv3w_JqOCnVmO+leS|?V%xux z81VRyxNEY<8uOSDi9w2GGV7{~6}HV|DXJDQT3>$Z$LfEX*MyEZNUo76hU(B%*~%Fm zS(4l}Di`ECRYs7%o&V}kivR&v@gO&LnZobcI4par_DwcU-$Mk;biq7KYQ2oqV}DIg%vn zrMyWbg20>3Z;o;jwn4mKI*l*Od`WC-vC8Va*KM#!-i+wh?$>aw^+PMxj#kB`5u~Q4 z%ovK+Odv`eY8n8ZvMJYgJ4+!9Fox?cCSDP!b=w=#NEiy*bDr7&K|!ZnQ#bPKDiSI{ zdAbU0cV|Zu`UvnQ`tX$eKEFbaWP`4Im=o2VHN@)p8dY*)}I%c_2%V?kYCNOmm7RZjL3YzPy&5MjbzMZZXu=&6Y>)x|2 z&u1}OocB4A(9`%Z+!Ij|Q8AQEkc9GuDhLegSIXd)@9mM( z{KUVu{1H`f&WcWU&Y~g?0quqsOH#d^#2}tci&8k@RLA^Oka+)`WrITk?w`!JB_`X%3QvFBezt~dWBfE`jH43&;&bwMzxd?u z-{+Z^Ji{o;jpp;9mBa_PO2*$KF)&eLlz9nPm_mFr6JQi$49HmzRs#(N?g#f>*f$ znnCx7QZwJSP--ul!=n*Y>@W-!Hc=n3PqtXEACQ8(f=)3VTs=Z`U03CiaHBXO=VDag zQB+fyogD_g3Kvlv4k_s`U7ri)n+^j_Y+Bd4t3-ysvtG4D%6$htXUpQh80hp5r(B$x za=m-aa|6mY*Ag7*yhG+egalEBkI?C6^Kd@pk226&Ikb-HNQ=MtX&XuOU^@&q{vuWo zMBay^IWtHFVdKR6Vex8k=#b}^Pd`>CdOp0xgk7aJM5tBmm9j{xKAtxvQdQ=kHB`mF z@u#Ac@E)yLt%%q3)GqFPPUvXi`&ot`lN?s+91z;L&X&Yv!?Y0WwEbw?78ghYNiEQCc3sd1i3rSQaPq8o*;@EpjcyioYK zQY7yn+js4xrTl#q?0u(r|KT;;K)m~^wh0Kqic$Q#3sdeV`~GY==9bl|COO2Sr7Z=x ze8VFnI({~wc|iHSfmeKCF9j)`&#}UWn&WfO5#V$iBfbM!KbRs?5~3wyR4j!~RM}?f zS~XqTFS2bVof#s22X|hiEZQw!mXiK#F2jAQ^QtAa;)m~G<>(+j%P?)d~6 zpl1-$#D3Z7KmZ;pdB>)UXJmA!EWg|irYCCAHD;&tZ!EjwJ1&P{!@)#*4gZepe%Ttc z7lpHm&kb86`*oFPRpvoPWzVu{KQX+U1aHZHz*cSX%kw9DD&#X|3rk#NHq z_2Z1z2Er=1IY6#z`cp;ZqqtU9>7~6T20s{E~P!(qov5^X%dXZ_?&E<-J%}rDb-7KK<~oYh|3v5lh}Dm%?!QRNFE47Wu%A-$c)wy(jPScyVH5za=>;d{;L-wtU+RFKjUg6K;fcCz(VI zU#fv5r?);Fy*I8;{?ONQhmkBoxJ6TgbW(AkdWb9#XYgSOBl*Ps_xk!zc5&gXm_c8I zYtoO|^aQkmEsFW~<0D=g=D;V1J_NX}TawAwDOX#^DTnbjwkiZoPB4%^?%*Sh9?yDq zv=FL1XLeXJqMI@~+wx_yNvhzuKV-r@e!(!Md9QJy&1iU*%p(OBaPSkCPCc} zyM3eZCDM+dfZIq_6|I-|+2hTEx`UJD9j3VrgI!t@cghd;Y*UZ#X%++_+k?|S|{~yo(=7vO~i;A;{}q3z>c!kN!-3Jr39TfuH6S;K%0#o`o*mQ%@snB;|6e zJlEPejYIAQVKs}J1cRa}kW;d%QP9xq8)=|4uU^*IrD@-wSSl;>+!?1q9tFn9HGjly zq{MyMfir(Na9TM<4ree=k+rt#ImboT2pA#!q@$xFLF90V8m+MYIA_D&UuYSxl0m@BZAeX{OrSA;@fe_k z6Ko(mT)wr{N?j4qh|J4DtH`PQ!dIwW)}Aa~+gmX7$<}?>07si^7<_Da-9Sy4mzjkn z9}<7Il86EpNp{XbTsE-oxH?*tk5kpUnw?Z1mp7vyI6kHE5|8V`hQCphh}nspl5J8w zL*g^@^E{03eFIgsR}RN`lwlOFgB&g!?!0XdnTS!es5Y3=cwiXA;oAL#4({wZeP78- z?b1VA^79`$syA*bvhr<{UtlB&8%9!!*}JNd`vkAuhZ74+ACw)ReVWNOKpSy(S7^hq z)vvNm!yLtTzzkYeteNC!8T^_RH0C4lequNFc#`ycy?7sw3grtuN|7W1l`$oik1BO+ z3I_>0Irn)-1a*AMyAJG}Cblwr_$9`NM@>mc642qkuD-b2}9$!yP}77G}vrh1N%V6ao`^`qdMf`n?Z5hu~jM&CG*Jf<7OG%$!)_rsX3Y$W?^r5(Ff)l#=q2 zty}AupXw6|L{02cIKN$uaUZlT$sHvY8b;q)Hm6X*Wyqm%9&nNOC_2j1xY?t+?~+6g zx6N~GwoM&wW|V|X_$CMT#Fx)ZI~*5vefgWiN2VV5-N;jC=;_(VmJm(S-pcfYcaoTI z3Vlt3#A&A~E)3RpPXMu~H}jq*86-`fi1k zT3>nBS};lMc!`YdDRPF)4+nWnA6tixNQLE zuzdVi0u6n`06g$3vNN7bomm9g{2<_?PK+=xHzFwl9Z^n;9h&p^fCmlMbClsHni@vK z1j7aeKYaA298aj7Q$i&#b)C6d2-G-P4;Tb}?QX6Tsn*^Bl?(A?uNRU_SkEZR8DML# zBhKy?GR`FD`jh7QK?U z%Y?VH;;!~0R$2SRX9IW!RyUSU)0S{bqbD?YF3H&H4_scg)-fve@<>Qs(i-D3!Gg zAJ*oY_aq2^Jc*A`bI^1y&(e1I-rsV)3`Y+-O?-woGBiXs5fDonc*=ZBFle%+sVCfc z!yOXC=h3i`)Bc^@>=+Gr7P$zwOkYn2#u{ zX7i<1mmoiRVLIwCQ=FSM`iNxZ@;<5H!f;tT3z}LBQxF}gyTha!7d}_Vk6Gh#0b(K1X$f=d3zyaIBe%m@KUN3}F?1ESvynma z#9hX2X^m0z$iFjLc!K*Wx>4MN7mxadRI4nj0Gg9oS~|FD_^;H`x3!IfhKsr&3jY3D zMIYhEY6--|k|C}JwYVanv0fFx7y!vXvJI?u0v)y`)tt&VrhxB`9Q8;i6{L3G4R>3!Fo^U#-$_}}Lyi>2S`^lm zld>KfjK}n(^SrT~D39yO6d4}Q3HXv|_4VrTM15iR9w|t`0v!w-X&sBfvF`xYFPR|c zP=D4UsHLlW9|U?l?12Z9P9sm@8H?wI7srKL)v|#HqWm|_40c8j97&Jnp&fz2>C7Kg z?u$|#SuPI=Pd;#DtCL_OuMpD{(i~PRi0DwCK` zOF()zqB+S70J#%dFqQed>S2x;#&9{9-CL%s%Ng;sRHOj4oAdn zt@PT3@dAiM-WHCVs%09HI(whwR9l92#9qu(wIvm)#a!5Vxm#{3O2)v)Ra){X*e3Q_ zBXOs?svv=?r;0A~L4?GoQKrxu*q(mm6q;6vMXoLp_nxIv?$%WPdeXg2d#-sFJ+kkVX-Z7LbOaq*IZWj-f+hfB}XYdf?r2pZj^Q>v`^Tj^}yf zzu!Mz7fyZm-fOMB;B0~Pl(YoV(cCNVX%6t>w zFPc`?%%x{dKDkrCGh$#ulNZI@$VW4VX8Npm_e-kmg*|->1=X4UWQA#crg*HKr46TA z=c<;HB+|4kZ*dy#Z4x+~>O&`~+}i1bj9?9 z%tAreVtVNqvA%T!4NMkxd*^vvG*7Fd!#-IXL}ibd$#0Hp$LSPx!lP}oeI(#M3gRxG zZ>oJc8FLu${fhbW#(u`rXsG5B^j-Uhr}2(m+kyD!sWgjfwT>193TJmI@=ZE1^@Tco z4I6Q+L3Fn{-DeyVM5jqqLzOpf0;E0UMs> z9_hhYt_$598v)a!rwXbI^eTHAraiJ6kEhVoi;IgT?E}B+E8zF2^BNOwKs^khrlYOB zpC(T%TerLKDum~y)8t>x4=Ex>x7NY!W<~|c*rTucebW^MxkWWo z3jV@N-&$)(#i5WGhaHUP*kBmHwOK-M67hh*)P#1tivbj-Pi7P0(Q8i&BMM+gcodQ5 zndBFht$q0{q}o{Cx;7bziEk*e4C9}m_~i5~Z9`~Zv6iohV4D)EmxOG}^Pxox7msj@ zZX}6A1?mG6cQBf)@G^D=QbB=Z$ay<`qZ26h z$py3lYKfjmQt`Am9EQb%hG%;?)iq!zoPO5!-!l~L@R8({ScoV5yCgM02XS8C)Ii5D zzE#kH6h6iHKytWd2)<$O&u9V0j*Lx{EF4;K3>g`IEWHUE6mF0!&uv3{-PRMepPK#_Kokx#LR6rr*_tBm88%hx zN|VR*m8uvLQxy)Tk5l%F? zobjnm3s_pIxhvX)NZ4an5ukc|{;G6W7C)8oV@@^!wsQnIn(rzsJZ;ym6_DNNzI@RI zK1O%!Ll;#rX0?!T#yCfk0FM`G@`}w8`CdJqX4b{A#q7DzG3e6#&}~pHtrL}br7;O zWBV=^1U5;NBX!b39E9MszjR>YP-&Kb`zs?0f~P^QdnV8wIOWdfF8xpnV%d#88-%Wqc!+v<@gdG+B*M{N6zKlq~h|M7|+(#qIJ381}1#p&Qms*+5vSjVwl=! zXo9G(!KFh02yyo27CrN;N5N~uo+JuT1(DDZixSSDlAK6r?qF<{lAQye71gY=%>(p> zbX=eWnl_dHOgi8~{0kepcDs(ah8ZiB#tM_^qjM+VaRfK2=1F9UGLqNdj*(7eJDo;~ z?`c~IHeOD)eY-wWMCaX8J<@H70zg)Q9`SvBBd+xW5USFk>-P=SEAP9Xx)GhoV2reE zZP*RX76dh?Y~2EbXso@yXKLo~vfWy}BsC7PGGKhl?ss2d^0<4i05$b(rZfENaCkig zhPcH?7=5|huLxE|+z~56kQNh8W^XX>Scgtl40AXbYbEvxtQhpxl{QnuOxvmy8W)_B zw#+F!bx=0ep1hq(RvON0?zxsCvF^f=ShF4YXmE9>%;MNC!x3SJiJ#rc?2RKA)c77T z>}pW>ROhLk%|yfSXq|h0iQPO4w7c~s)aBH8r;KS;=aO)$`n10-Nc9wK7LgPnbMwZn z;7`e8m28;zV_-KSnE)A)79vDK?}Pc&y#)e*oQ5ni=}&w zT_PyDAS1j{vO6TY?D^7d`KSg$!l>{{&8lq)T#9A6u=A50d4RRosm8U5dff<>2{!~T zzzb$m8gCust{sHB_9#+xt|{p$rbyzOV7>?n`b{L*N63LPB;5zQl@oS$_VAAAWPe^1 z7x9xK9H6EIc%|g;@3Mas0W%gd_{m%fJA~S@WfwUw9k*U46f_4nrX9as%?b;GK4)uu z-&4}Y0wH`hA`#tF@qN#}Fkrtt6W?Si0)DZ<1GC!1P`Y=t;o4{oKJ|c+(FHv^aa0BK zZ~1W^`#mDV(X)hS{8VM`Q%*=@noP3D!ZOX;SAtLH!uVreESVXgFWHR8yl15$)66u> zmyEZtu@*Cjl)yA&3bh9}-9y6(E0?1%>)du7q~o0b+z zP3|sjE$VBJ%WYo1^`r9^srO2yAq$~1lVpD4OMd7*GKMTo4apnT2d*hkt?}c@-obfL z+12i~?K0=r9H>|lZn}3*-|V9g<@a74v4r<-H$Vb}P{e`Uj8cXk-!rZ_U|GAw{ z>xW{M4XDWrh;j^)2mALpPli4_Lb18&rfaVz@e$Ncf!dP2Hg4UAi+l zi*YKJmbqg=d43#m`i{zzr#_$_`Y&u4YN;og9TcZRJ=I1p>x!O@kLw-+{1*dT7{}QO zQqsE?BCU%X>Avv&GS{y64El>x58FpJ5K%jCOpc)ks*pHjUiIwj%Rf=N6S2ebPF^F` za*eAcaNY7pszP&bnzCkmj%}%UUcSLTJ~YTlO$Kwy)l@~-`8wL$qrf<8WsSFHJCIcN zd-twkIaWCfBArePu?-FtWEH-R?yFA0x+ok{09X1yT(|c{O~mXCqF2n1f812ttXb zZhQYBv14z`s)tNn_UrfOHA$ji^mZ{_rRf{nNyTvbKZ2t5je;GfP`1^@)-pLJ(Ue$2 ztr7)!zSXSH?KFIEk;RO3w(qQ65XX9u7M|A4 zZyIK|KHU;siQ!ey05NL)Iuqi2+WL@zrl{k@!`wvP$>9i?`hHLT_OFD@?H?c8GUwDp zF+H|rCVF$eLIp#@Gv&p)mLBCtyELAIkchpZjor-r1sUOjQ?8y7tW5RRI7{TdrdsqG zy~L#3AYMo65xrx#pwj|-z1oMcn-A|~C}!Cl4-0Q+9NxedyiHQOhgP?hU#O?kGsQSX zcGZ`iS*SVhhP^!OR%@I(u$jn)t`SNqrmZo=fEP&&`9dNWX!V!L#MTSe}qm5)9X49*`C|!*oB*hXwW4; zsIS#-nKUe^$S0 zxDqYc+)$MxM@8y97i?Y7?WU@~A3RgDY&T_{LC_9@E=fEu9c@mz(l;DEY(a{+w)Dt`wig6*iEp`t?HG5IKyu6tJ z@x13ygLYm%th`s6Y$jO#mEe^M<&CHKhkFzDYD(vgtWSay8Xw#R1-~MiMu3hpXbjGf zkXoC^)eQp$E|!(YTVG(L?6R%)j*qI(xk3*%=PKS0>S{HdPRyJxxmwpsy4JCU zR#eP%{<2)sHBsXfNV0tk|Ao?nX+iwDZ4U}U@~lvLw)|Bu*D4O7KexgSb?qYTpM1mH zsd}YS2(5d9<($dP?~kQ9Tryvj%NWW_TAQ#x=qy*Isi)81wy_Wu&-!qF$x8!ol7}8$ zMIDK<3h!1iPe2HI%{+GM?RDi$p9tZ1L5Qsrx97>Yl+n^07jOua(wzNd)2`vqdssTG zWjRl+D9+A^yxA#gqBrts)yjn?)QnHeb6lj>7&3dX?zv{pao|p3J2R^JM=j~C z`K~U5US+3=(A(C#JMY7+$FW30=YB)J#h^owvihA9?ssx}IUZ;4`XodJ0lP+`yV>_AG5xINY9$TCkgQ+|G%H|$%ykq5a#W5qp_1I~lT|P^H7%I%n%U`*$GU{0VLj13o&&;uYe_qBgW4;| z{m@0Ykye3)k*~5tgs6oiRa(7(Wtp@8;aYykcepV$M?ITF`2wM+U@xUjg=l%z_%Ixu zwDuYG3c4eq#!&iFr+I(LHeW-ucHOu{@S0wYbGrM~@?mXwO(*2){sPKVY`sN{gd{?t z9C|(oDMu7!E2^b5?n^sT<>WmcygEpI9Hd7>_v2GT{~S#*`LxUTAWhClT!4;kL)%Wc z*A?c>QCzL-joqQHxA(LKKCD*zA>p*W`wAk;*1b)$I&d{L1SUWWLexu=)b-YoLC& zNgW~X@9o)2d28V6O{u*=XH(;}keLb}y|XS_gucxA#Qc%kjehr!pR3%2OhMzb$YLPQ-g;6C^SzZEAIOb&s#k zEL=WvN|?gnM;Wv29~u8>A7rxYIQ_IpQ~b{-*;62J)vs+#7Ih6=?V;Lxtl_8Wx^`8r zQb1`nIqZ}>UedQg+=#t67x`+}VokFDhA`5EFp7f9?nw3#QQ^dPrMkq~i4*k4yXy}S zlGqhB!_&St&JvgD!Et2kn5K0q+N7YI;@Q3f7K5lg!IagTc9Ekq*N=q8@Ec6ZjY`ZC zEYVkk1Bqd+7hN>%QihAOs?}NwY4yg0E_CS4I<4DfG@X#?+a0rz1jN;J-o7Wi9`>57%@1kTK;rY`~EoD9T$Unl5}0CoXJu3 zOV!5J&lklw9!e;8jDw{y&lTs z;*fFchkWLo0j;A+J3UAxJ&B{`jP7dj)p1BZb$(G^#rF$-$*948f_7^4peAHbvbE$n z54v403R)58d!3c_DHbRxBblS;F+qy#*6YdWE2Vj#(?Km;GZPaCV*4W4;uDAm6e6v; zj}(kx%+cLW$UQeiNkmy)eN;Y|Y7v~`TgWqUWk(lrm3u@(K$4?ctT8Pzx8!>liD08K z+>|w)O$0$0ndUfO&}#0J&aOc%Ub!s57ON(JrW0?hyKiC(`LL(afvGSL()9j5D2)io zVQcT+ofI&y5^g=ojNtJ|p|`&6VK8BhH|D_-@<^O4LEOo*R7D1_x`+6e8eh_IV`2Hv zl$zWX;fu6dyG}!VOA8GML&-`iir-|?lqud3lN@U`hKojI)P^aCOX?vcjfRb6eXB=v zw#{^`U8zFpH{X~P9>4zH3$S>QOC;bD>1EC%E*AzAHX$|p7FM7**CG@a^Yr%)bpoun8+!afNWiP6`VI{^{ zjYFDb6=C8+++NrtlW>`~)|fCnN4;@(9`2tGw>E#PiEX`Y`^;J!5(T^H-oNMPg31fGJ&JbiKvSn+3bpY*;y zA9PzCq9$Kl=`Eg9$RTdeYyp*cQw2-YU8k3OW%iX%hbY71P9PgFPJ_M!+WYgQ$xsWU zXN%(({4rPeq0A)ZyA!8a}JV-w4n522dw#*T1xm}Fe{^SmHtvxAc--+6{!p4yP z*2ceLQ~>BJFn?C@!?(bLR#-NWT9!y5a+r3$of6*`@?`YNeNp6>eIgS6?T_C^x1iV= zSABZE%7dc__SbCZNPqIOOo4WiaDM#_m$T@wQZ>4DHq3rp7v)b%D-)wKd;*T z9Ml(5CxK}knNaq|0>HUFm8d3mBYJ$-OXECLc<#+j-J$IL>MN*ueR?vfSP)Hr&GGe) zE-Ng?62W4_%1KsLK&ku>lwPm2HRnrA%<{g3@GWKMXiht>XM10FYj*8+PS+;qK6oC+ z4Ag4H?zXpoJW7}<-EbW=f#nXLywZ7I@)+QXMeN+Bs&`4MZ6*og>oYYK%+0H2oNvod zf7Da!dOz%b`ODH6I&{C&_6!!SFS!_b)pbGj%PfRy3`Okzv_9TIodd+H6=>5^`)Cty_jiYedtpyX53}QrjVN|(k~!*fD;H2b zLjncHu~%wOXgfqSSu?pFL=zzef8G^!^%L=dXuQ(`QEPf&D9u^rH@F-zanJkjt-`A= z3I@}POhio2>Y?$IqP1zs08CPPl0D-xN&o(>*51dHRt#0Fqz=5gICXb9n$qjxe{lh@ zJUdG>U;ikd+?KwZ3xep^ffYOEKR;adzg;2TIXQU>5i{YbM9JQ$HUWB+Lie0@5jB%x2L-jzr6Bk)>YN&RcXN14RuVid#Xs! z>no@w-yPGTS`{vMkK9NwgJ+wlMf3BP4w<8;fJ^YOrg8p~NLETA2gYVm;x2!FtDLyr z2;RE+uxBI8-v{HV%Dh@FQaD%rY|g5Kt4iiU)iP~|2L0J^?W2WiBKo-2G?i}&Qx7rY zhCSraHO2qCVa9#tVTtfAH}!gQ?~^Y!{zpFb8EN7etnOx^eV4q|)KEy5XVK}?+euRg z-c09A+*>p|VBSR{sd3*P*1xLSmEe4yH*+uUvf>PLHBwj%8YVPmpX}jyOsQCkR6hQj z1_WH^x7;PUPE$G1Qe#=qV^T6yR4=@VOdT;jExN9ASoWBTr|ZlBJ=Rh*tYR1!^I;4f z8(0~5E4QIdVc+|4c!~8OB}7T9)sPm;+t8kPe0>&G#H+{Va=s){`VXFhy;fOjBVO`&&^U6w0S++-I_ff4q)Wc$1>n zGZkvO&Mc^ce&AEcpTzF#lC(=dB~)f6#tJ_ks`;1;TcId_@b3tJx=(AG*A!R(oc*Sa z&Oy2+dH5JipF=9yb`Y+-Fc|DHgv==;-hp=dFM5JxHA?>L07scloIB1uJk~H>4{`}B z4dAA;hubqfo6MaKB>q5MLtR3^)41Cp5w~m$%1JKtHANT{B532gj;-d*@hB9q%L^{c z7%Ywmqv=m(i4;C{R!XnG6)yUoR`CsV-&p@R3MWD)fzjQ=c_nu<2uf4XvH&I7%Q`k( z#%V-GDbN~51>K*}r9mbvo2!60TnBgkX@POiA3#@JQCkQZdqJkveo+Z~dW8f3Gl-7c zk!|xjTlEOC{L~Py~eY$2hdY^ElOpQ}=oDhBN^VaRDiC5?|Lvjar#iRuwd%Q2K(JBuzEOKopsEi&(mCUTbg`wWY6djpG#^<%!B07 zS7$E0*dFU)53=Qw+LS?Es6qc@=qL0M-@)QiFW<;{h>}YMdR(g)WqWkmvBYb97+(~= zcc?;#0zl1s2_ihL`zSnS-&TSQzMSt4Pl9=-3aTc#&8(lKvpuS9&6%9oteW!meL04Q_9=$~k1FZ20%PTvX*| z`i0ZlVx_tCWSuUNMf{42sBpS`B&B-~1_SQ`d4!O4NSeoey@wSm=BRn7#_PSW71o($ zUAXgJ$@W39vjL=Q zMQRdD8#}bGb8f7|fgfk7newr1v!AA#-}}AfCI+%R9Ki3%VI( z3K~?kBuDmL*T?xsY*ctJ03kQ%@N6h({8f=>RNwX7t#gF4KXx!Rp06~ z8&`?j4QhTIlv688PEVOYT87Cojxp9p>j|JMxf3)8*G;jW9Dx4(4>)9`jh193;3Tni zfGvA&R4d;0Ie6h2_JaMIXlloZCKiUv`g%5{B%2hLXVV<3dq;#2qr04X#m!T!3*Sz? z0)>Wb;&%8-UfuwVh*V`kTkheIJ*-0lllW|^?2ZZ~-4?~^_*oU3rTL{~;!4LeNIb9Z z9?y_~td*eHB11gnN_Rq11 z;g#~6<%UeK<6Y{#XV7=986HMD2tHl&J8t!;yvuZdA#XgLe>#uo zHJFm-PaPZ|8&8~Jg{8l_t0Eqqu;CW=)Hjk=B8UD~`D`agx|iol3+a~kji;!W52|Yf zm>0^Ze*MQ{HPv@nwuX1K6(yt8GD%N6!>-eXY z0;$d8baNq+qUf=V?A_(GR@yVgEqHYz(W?3Cus!=Z4A*t@&1fkpp55SmEa3XCyJq@O>?=zcTz1Xq>w5@NvuMp?i)m~T^QX0_}t$DS+YCfBlX!k+#WR7&no$dm{e?en(+!jxmY;(XS zOcPHB@;Rm-`y4CDGGOEIsmB4#cl6R9UHQ9V+<%nHEs~oQX-xX45X!;Bol{)zwno)a zIa3WA6P0SfdtIYW?deGVH(Lk;M0PNE8@0USDguTVTPzdTiYQswitHXC8c!iTl4o8h zjZi}hPTf0|(;oTWXo!}<-9!OfD@}eQbE!cqrAW0P1JC^p+hk(w5y%|tW<8F7X*4sA zmpi2%mi#Vn*_5?qP7e6-i07p0`DQ7B-`f z1VuiS#W{zUl#>=~4?xT3cJMlK_JM%W|HfL~Y zQIZeUBN29M2DXyU7K26_E*q1Un)fQXEZRf?uff)@uUmZ=87g^%rpi45xyiauFeSrp z0&g&(;;y=c>zm!Ptw+ZvNgs6Mxr>9mCkmHBiw~qC$hDRN5cX0`d4%wXN!w9ZQo*k;K%rrLYlxPPT2-;6`Ad{RTrWEUv+irV4 zW_gleVnkkaqlARyY@!jH_&7=EDZJ_zF+eAldE1XB1M@5g=o1)3!fb7Q54(&OR`ZK0 zNHPpD;#!98nFcYsM9;P0`eOyN6~h*#vbi84iUvI!Gpju(Qp1cd>|rmCUki!Wx}sw_ zFlwWqw{~#96O`?$L66Z-b7`Z`si6SM(yn8kyy#iKzYutpW}yZJ-$@aOY`)-EX#Q;G zV+g*90eJ37%)Xb(S@E98DpDsEH6V|rp}JpuT}sto-YSFfhLjz%MU65Qj&G(+T5!p59Vw3;@m6RZsm%I7d~5aV(xVS5T=g2x!?P+6s^vU(-(mHx)B7BxodDeD!+`Lf zCD?(smc(s7i>Mvv9B=c{9gsEWm#yAe;`i2X&{FduF_GQq zuv6=2g~%hku|x69b9*yqr~BQHMz+{O=tZ2{3tnN3&M-zxWwu;?F;kW=!61`fy1sEGpJMebE zt-y}ZcM8{mX$MJQ_5esr#ofJ{DsPx9q&|`4^J+-r3-%!ov}@p9n6U;C3oh+6*5F+W zs1YRS#N3K^*C!AsPtIWz&y$gnZG&o+rpx;HVvS}b7VUdhyNg2f!lpex`*oK1D;LiWn~ARl2cW9-~b`(xk{$!WQ}*nvbX2_uSB zOI#8=K@Th)k2lQC1vF~(bai7*h@xPuN7eoQ^DBedikPB8n3Rs5UT+vlX~X`s=QACh z`?wz&65q-r#t{i#d5u!9bsAhpnQH}gM$!tu6d@8n2ekT&@B?fjm56>(>iY;vslB6c zYW_!n=uL*VuPBwbe#Niq)CUks#P2wI`gSMqZ~LC1&u}{*gy+as@N6QipO}HdE;nXt zti-qEi>-nj*F{<*pnq+M)al^ZzJWOTqT!GU;mH&wunuDRZebA3I>$;Z>>J|MZ{%`Stw zc7j0|q3g=!k44@XX=~r3F!FK;-H=QXye=h?a7}M6KK!DOh~A6)$MDs- zNuT5O?RvDg+G+3Ep`=U8M4#ZX{_+(I57`QI!!evgze+vpN#c@I_VLHtaU^&~?u#)S zf-FcXB0-xp$N?yw6xD>K=2u{8V&`XLp&X8zD-lpEocn=d#6d<3&h8-td^(_?hxaM^QE0K2(7XbL|X3%#a8urSU zCP(1#yMB}K*Z|z%Z&6^%CL_oL(thI<1J9Vmf7`rG`KW0_GTKStRy&zY9nHNlJ}POK($$K<_&lP`^1{oS(a?Nz?6%!aKo*(Ow9A*hy;fjo(v;eqdE^_$qZY zb7G-EtQ9ZG8(&au7fd=u%&ezWTzoUvkga! zNfC|bsGU3SW$+0o;%%lWFbg~65+K|wIS;J@oh@d7;&37?A>wbKrGEfV{g*D&hAJ)i z9f^#*vJPa^jqlGq?Ebnh>MY#?Jfhm!Os6`Li<5v@vdk@e$IE&jwy8s5Hr%2Mt|K}W zLE4IXRllepstOPTI$k^m^STO#92z3PBN^h=C^B5d5p&L^KLnHDlyK7!-*69H{HE0jV67w_l*-nS3_mcOZ0;}E%@bqD|wB|U$q zb=(x?v-q;fO*X=fvz3k32x~sGI$4 zuN>S8RF@U;gsJkBEx=LTP`A9{Px1h8%mzr}JqGk;1Ym231~&h}M64!<8wV#ly_ppi znjpBD1T#>-nbM7~=S&kPJbbvFe?qBv%5lr#3Qw;s4eog5nxcDqfqaL5b zC%gfESa|LWZjR<}(w_`b4EP4+2f!nHqI<2HnJ5z00&qPw9XKN1nj>C48}Owi-s9c1 zK)kx2abF`GPykyx&T;o9V0VDM1S*TfXuC1n~ z)Mx!&V#>ZUYx14=`1mC)MLvs_B*3Mp0S`wr`%SjaItNJ+foWiq_~h~T!5sKdKuuct zEIpDOkW2CM82P*_NI0zVnBqkML66MK5UNA+; z;3Uzagp!Tm;@4cD4g!l=yuZCbacZh0jSC`5Ex^Z3(kNL7?%x6D`IbC14eUZ9?vb9` ziOBw;&wq<1$Me4h2(OcvLKXf$d!!z`ZNU7&;yUB)8WNWD;y0zXf8}BR`#)cz!A{)L z>HhWWr8`h`T)pX``?g8-YF_>`lZ7ic|9(M#@+w0zjLJBH+S~t5Blv*>>}*F9 zA0UbRou>TvWq{)r!P(#JVUq{{+fU;3;h$Tk|9Q@Udl#IkYJP|QKTw4K`4**8u={t; z4T}A*my1WRf|J5z&FJdiyBPnmBT*(mqLnXX;f8wt&jtO-nf|x84B#l$MG9G*aK!Qd z%a1d303D3J@_6Szp6Gub=YI;oza-UJ_sP=V(^&oK7fF2p_MVmM)6#FlkpEng5-ZrN zm9Ggu&;RFZzuP?jJ2;#Ckh}Xgt+0Rg&{3*juLdpo<1ha|5DsN>Ae1J?3IAk#@BcW) z|D(YFi*x=z3jEK7^ZzLDpQ-s@{NMlI3Vd)j=1H@8FR$$EEEIFM#OkJz)ie1k@{iQ{ zXy)#Jsd)67S^&c1p7TlnNS#3QJehKc@w1c@ZibiFG}JHu*lv&UTTFdd9;|V9T=QlD zUmDXJV*byggz{x<3G%ro=&`A>g5)eAORR7#VqZuA3*r$Z@ghm(0wTtXZM^Z_l?o45-_% z{P`mP;V<_c6W*HJ0?GYw9OKJ=_>0Rg6=uQIkCx0h!%i6!QU`K|wgQxc^q*|wKl}yo zHYu^22gfsK5x|8+K;8n*xSO(pSH1}&lLByznd)Lo+u3K=)WvjtK@ZNs!F;3x$R~J# z0T%GitMn4IfX~bQEZ5>4{|kJ_ce6rN|F71|{pzAcOPfGqxcD4NQkLtm#+KLA$jFk2 z+4YA_1Pk~s=U&0$|3Ym3(R%%7FW&n#2#6A@Z{TKZ;BXN%`WI+xjjjnfFJHqoaBCT~ zM$n0VmR|;PLt&7>{_QX2^q>5oTxb*Emxu(1N4$0@r2A%`)oA$UHYg>BfYLLg&y~pH zOd#vr>OB#EF6*1DoAL9!&Zo6E0gC>2hx2yA`rn^}V-9SrC{2oNH(l0pYnMX$0Zy?V|4#9sdZ z^rYZOl4w^&-khT&(q~D6?dcR7*rBdERXzS2Yx7^H_?h%N4sEvu7#QagtlrU*ykZ-QPz=3geXo&PKsNfEbkU6!eEM zKnU7;eAnc9wZx6p+8z2$Z0`KoXaC!t`{&#kt#V+FpqGpQe52PvDl^1NC&}IGn)*>Q z02ClsNuOsu4kpcDwz+#biuuaNGU%V1IKN)n)VV^z8OOAPB8M|F!C%nw^;_4sXLL`O zMCf+rc@7K*_J>qXx(Pq|1vP;xb%bv;VpFY_Zh6I_#>dNC2-ucgQi4vEuRneeCdDVc zq3_!`KXYv8#lf^nzgtcI=cY%>=uR=<*^kpXJUsO77pusPyNDaN@u&feRPgM0Jq^EsP!a#(zjv$E8Vf$IVG!K&Y!W#nqSMmrj=*V(Gk_wzmJa2DKh*R zxEuEP3pdi24sGXMPIU}^EPd`97~orGlZdv#y9 zATl=A?OMMI>15#+Vt1X>ZN2Y4v^Tg_)gNu$w{t8Ly@=;;em(IMiN+Zd)u7;EoaV`6 z_L1qAJB>|@U|n)Sc#;$u%`r~vm4xGnTgD5vujA3HQx>1zPurt<$bd{Sh!J!b3C`zp zHOh#2NNQTcJ)|Wtwb@Ll5DxxNjqy!>teZ=F0?xiJghY`k{#YX~qO;QzJ+HYFftUKR zWG4(S-5nIb54};H9W8;r5=lPTZolpY=re=>%3*W9|AaQUP5g@+TKD6 z@d+Kjp9BlDo`@2c$C8$J@}4|jg1V~F4IIC7K~!gx2d~Iy#fF^Q=|7UEv&jyI?uN2E z3`JmHSDM~U%1MoW_j)n*I_&ydWO@1=yy5IubBQWaMY=5L{)m-2K3bu4&o^FDAy^OrH*JM<6(7qrMZ$`PuVkHSBx73U^I$^D zJLWF$EKmliwD73D6rzPlvUc>MICyvIiZOw$Jz548)V7J(Cz|UjVrCT?VKT)pjlDq6 z>)#+f3u+0Z5~s_|NzMbo#ReV@Gu$DCf9eqd8zpt+QZb%zVDWs;J#vOJJmG^4YQgWr z4>+hlhHM*K3uWN9X-xz?A@kju&!U?rwY^6!YH09gVePXg`>KRc#L15AeVz(Skreip zz7x~$GS=fAsDpPBrH;}Tca4k*wp9I6L${`1+xVid8RI*mUm>5xOZhTvcBUFSK%n2t zZ~m$g!Dilen7U}=mCE>PIYVu8E%B_?X#b2gPoM-(IL}SkiRBu(e{&G&eBDPUhmHMS zVs?7fpMP<6`nxfM%iPVnWONirJ2?Z<%-}D%D(bw?WqFx2ccIa*kvHt`GxbNbB`u4r zNqrBto6Cs?OKbb3I8zz2Z0ft@ayZ%L4h$utY&|1Q9nu50ey9>E7!JJGsS;+IVu2c`TiRGf{|6< zecjtVvLlnN4136gHhLm#GJ%-f`uIBC4x^<+Jp@f9=DnYE(HDW z)^i=V9*g4pNjc@L>C5s@MMSNp^AzTmZ_QH9Iy9{tXL&T#_`TV-4N7-U z-11(Sge_uYO?vAthZIRxna~WQ!^XY$LKMZlMbenpGGFcy7_`h!ox1Rym6KTtk~h1! zaNot4>9bO!du65rJigVu?C;D{{Yk5~&*TfjgLh0o7Zt8QFrVrL(qEk__^J*PiJWy9 zeupbz{ny^)o2&*WaHb87B*J@}`d4A3)% zjf+5~HWD~kE|lTLpKt%>`t{Y@{BLoTGQ>A@v9Af+6Msg>4mAel(G33NBKg?IJ<&6duMsyPd5NZ`ejc9Zwmt8KMIlO$R5K+Ro$R|B4{OJ<6 z|HT{N{0Lt-YMu)N=SQR+u)npsO(ReRa)S` z!uxv0Nr=xcw|R`Njwwr&b=gy40nkCGB^BxJWv=L8`R@I8#nRU&9Z=?cZK7GK>= z6>_oZk)V&@hN6#0-)MS3o@3oAmmX?RwtV{fQv-9cZC03R` z!Kjaq_HN{Vz13M;0{>wB)!zy8G^ig(3=*G$eB6lg2Lv~gT zD{D3r=7jG{65VchW;sI@v`i#N_}#ed$5xKh>(q*Swdg0Nv<}ZCrDSdl3_N@E2OC1I09N8h(E6Z4B;1L6~l+q%mdDZF0^!SJ9a%a8VK z;?O|Lln(rf+x5uwmoh`g+D#a~;2g1=d(TCM`FaVpMDOp=tjcC%p3y(#8Gd+A7c0Bo zsCzC98teGPNzDprZ8mmo$*G-26*Q1%wSdP#A-|I~pXy#J#MA;vQFYl4l} ze&T~D)yLcFT^h)9!Mi8VH`0tZdf#1+GFTr~OzBn#bcQFR-6rBkYnDj(HnNhQ^lIE3 zVbM7}A0I*HEXfAdTYZ}*!G03LQ(08BYjo4;97#wEt(XG#`9$xpBYU>c*3j}-T8HlQ zn8vz@{ZmXzs_D#OkLxSQ9z@7@^Uw!TK=9Ill-={fcg!YX`{5laIJi_kiaaVf->xV* z9_pRETZ!l0AZc@}=g{sI*|A%%3!h-)+j=zpv(xm?YBwHqQigZ=3S4OJ5o>u^mT_D; zKNjx$<5<;o^0Lo~(!Aa)DMgt*{A2Xb* zr-ervKED%1e25)(rz|6{g0>~P?fjjb6%Y68&x-Ev_Xf&rYoQgUuISWr%9)CKs(S?o zSFy?Am(C|Ee2nOnEzd3AZp!gc%sL&~mZ8f-6v$vgZ5?Ho^K2b2J+i<58f%rPK}j`S z!RoI#5juRY(MQt{+o{Ew?=$C?eQ8*&DBW}1E7y;UmFCg%ZH|<*$%%$OC3@w0F||8f zz2QrSDH8|^Q1I_U;R~~(|1!hAJo|A_j%X7F}&m{p;)6{TSqH@`2;OA0WGws@5*Z3J&PEi zM6tIA?`ff)Vok_mmB&0m1uer-7k};Mda=&M?{uCyXK<1)XKe1z=?%579K&2p3}n(< zugNao-nJWBARTtSrizId-)8M;(Q?QqY%=n zz0<68De8E zH7_17^Ci1~zxmX6IUlQ~eI0eVKP8|o-B$r-Xd7Ov_40>qmFMQHw2ilAelZ-x`~)oe zqW*Gcx!;A%D1g@S(p=CVy-qD^WDziEV)Yp+9hw#$!N-`beth}KU6IE7vX4F@TSP=J z^eJK+5RMvNJdKcj1G`Ts*3gwWiDsy*BZ-`Hc&q;SgeOK) z_j!Y0z#35r)^+ezL~*2dpgEi>V#clWbbU{@{i@yQ7I_QN`pQU=fTJFktP^Kol=vlR?$ovzdA7t2EcUF15%7i#}(jCH=H|FV{7t#Et zvHpW)+unTcahx&HLvH)6^{T#``+cd1IbSV%+19UTK@(1|XRhynnSHGw9k`lzjLQ>( zsiVTiBpgy^_z!Cg4HbSN2K+>yO!cVV5wlgCcI0JLH6~bqua_4`-v2=S^zqdM?ck|$ z(<~WfbBf>`idz}Z;qeAp)l>vnTYKO5A8Clk6mFgZcLc@DU)Vlp4r%LZ;beNB`5`l= zZ)jk`=?h`|F2PrqEsk5_l%Irpt|)#bY-ikOjeCE(4kuKsTvw*VOtRfV#$E6wb!#F% zZsEC6&{Lk#zI(cRhujM?f>sy{zk#33V8HP08UD7(4TdwrJ5njC1SY=U^c>bb@9e3_ z&YyE{*SjW{nxy@9s*y{&Mw8ZD7oSykM2iVEBA=xtOFVR`P@ceqrov}3WUZ{Db|XU9 zWa7vCmtxW=2gaG3A9ytN%v&m6mUbIa!^7{2_Oy+Vu1489H@Q|_4c+)DSMB*UhU45^ zd0w2zQ^#_zpJXht2I?D}9<6UgE{t39C@L0S`k*L}D8L_l+A&gf! zPtLj~mGCEN2$HqptzQ38qK!esJIAw4au)q4jj;WQBKcL(a;5)^uy+ctJM6lC8#ZXe zX2rH`+qN6qTyfIaHX1u=+&GPG+eWiu@73r1zJ0Ra=h{c>a2?I-Kj#>~F>XBd{TO@S z??a1|u%@&vMw;jdDlS1-w6MWQ^Dy5tV`xiShKG!rjfGFALU%GlpG$v*!$a~N*rb}*53@U@X|<#dSjexM9~Gm z<;UF{HdN?@h5k7(_q++Gnnb<@O08gK6vJd~{c4)-=u>Svy;`Dsf1dkl>wptuk^kF&O? zYy`P2(ctxrhi#H$#Bc(vGzj7S8!|jjf~?8^{jv-eBLYF1Qo8fCLz;Y)_Ri;)$Jq`h zt~t9+3g)zPkeq(&dRO|MJRk4WChwb{?hm_?7 zCi8JXy`XCWh^LN-fzK#PYWSE#mFgJ-fg{-!7BKrea1Uh_%@g3q9K)#lMxq5Hrx$fO zXq-2st@v8j%n$4xCsj;0y3=5tS|-z=74#+RZEKf;Ui$v+k2dp{?KZUlI#fpZtC$g5 zW!9324yRC(^~QTRb8^6!pQG=}t|B(qzGrCDIa|TPcO#u!C#$YMT8I&!SorLO% zed*wb5^Nku&F1NJ0S%UtA>9x5`6-Z^ir`pdCR{JKXY{j$+R;L$*Zn}B7QDyS+fh5$ zTl8FKZp_EZyP~bl3WXTBnd}|9j{%3G!@dKh(hF&%#$u6aw9LY z+tp~(AAU1|VC~16;#dz48qpOI1PHG7(~~ctHZaMW(LME3R_v*51GR?Bk{Q0?Nx^)D1$%Oag78DM zgJym&C5t!pCUNp)TQeBl)RMh%>Gl)eJR4P%`KsGdo~-dYZeP_&UY{FJ z${@rsgyvW#)lq3WeRoQtldeqQXaFGz{wh3l=S7owt%L5lkoM(jU?sM^aykPx1u5F20ciF@rlNG^2?pmZ&tLVKU zk>4*@$R9D923|1#u9|p$V%%~;DYpgC2LDw-aqB?iVA=|UXefQ(ZKn2jx>F+!hA?eZ zrb+oxOJ&vKj{*u&j#!UOrMFv}WQHZi!$x_!!Es*mf@7Ynd6VG!EX568Br=K^QTPjz zcp=@rrcRx>HhFffMu~=Tj=oqlonf`tF_EGgoh$ZK5=geKyrRezlkpW6ebgb1qz0)z0?_7 z3PGB#Mi>ttTgkXCl_vKOcwqMrjD{>yMmd@s&|XTV$6XLk4sz$RZnN^aOgO#{lC#zH zOd?>Y-BD2)uA?MP+9+)x@t$8V)&}UW-`$-!6cU7m^8e z0aM7gsDFo;rnj@*fAO_#AW<=h2v>uGiIdht0CazvC8dPCYb4=3_fa?)-Y`lSHg?+t z+Alw)?&qBGT*g7}i|W!ckvT-vLX_AA-@qf|8kW6KAwZgn`&5O;Hxd5l2kPn9Cm{HL zvxeIp6w(WzJ`@faH9&*J$ceyxVU-u05pQ{y?|Ef#3OqB9##t2eAJfMxls<}aWN4Sf z3BM%ftCDf36`G$KJD-i;tRb2-h!J)5u!ms+MP_Q%ei>OxTJQqT@vTcI!F-igi@>V-0YbO?13K#EDx2?Y6HuL9(jknWZGI&9px3#;o={PnN zW^~NOqIa&VL%>{bEI|(k^z2bd4a*w~U$aE`%!8X$-q2KZ@lQnNGM)D)ssTyqdZC%R z^+pY5ByT?SN>9GDlhYmpSDUdQtTP&J5lBTrW^8y^nUNPK&oOu@KEn@!#Z4^jeBrS^ z;BcmmlfzTyz^&A&KD%)N9d5IGGl?!Kbo8SOGr)H|`8!b{QWc5Q-zt32Z;mBAC`<2| z0(n-Af_A%-?({bzAU59l4a>1%rh)Bdml2O$1Oox-c>iM?U*WP~$AQ!l)TS1*Ac~i8 zY-(o#M`>mlkK)-igr{6OMx%?VK+QFjV^6W1dL;ts?O7jZ1r_V=kJ#JkO8=aPZ z`X4_MoQ-;KuK6T~ROp>REm4E_s(7v&HpbV@*mR{E>VaKX4pHI{Ll4A6)7Tx(b`VT@L!ixARGp~=yu|P!kS#rx?Wn7 z4n+OU6LlkP7JArw6XC|tF(_gLe0Uv=`r``h_T)n8*K{O*sDwrfCDz%Fj-9wF`ALtK zct0bj9Px<=mu8#~9=Y}kTO}onL40tW_74`2$yLt*lA;7X>;~hSSV-@jgJFijPfSr= zwqFUbdu%*_TNQ%;1w$~+-FqST18Ibil*H8TwZ4J|i}R0uY?SG9;V%Gs33`b17H)Ye z)7A&T%liWUij;~&4=H|`z7i3T+x#!hxh3U{GjFylI%W29M8{dFjm#1ufU#QmJ)Dfo zN=ZpjArX6}b}qTrfC=t0@~Bqq{Z4xrFEzA?49D`DH%6QwV~xn+9U8GDEb!2l^hh1+PJGKZo6b#A^oZU#M6sP3=fdTC{52`)^%JsO>0=-E&vR*r)|tvd znIZFxDWB6h5$+b*c_V^SYnn46n5iL;(No==uFqJo^nMTqN_x2sAJ?|7df_l@UY z^Rb$vj=L^xMJMo_2-VNNdpSrAgxm(bMK$^5j;}4sNgmoALiQy-E2wRx7XZqiQny+% z!+S*w-;@bWM$lTz=m@`(O-@ocHQVT^QD}svywt!~rcR1C4%vY{v z1lqD9{D=`hZ7!jla-nq?kpx66&Pg@aD9GjL+iAIZP{?p%tG-ND>a;1dEPCXT_D&6G z-7*{61@Ss3ZZj)WcxKlD+S33p9fvb6)n=mP_4XKJn{S=i?RM6>szMJPisvSc^Jl0_ z!o2ciWA2$$e=Z#=;%g?oqp^XLg^PmoprRWH_QaQVP)7AIVbUp%g{B$iAD{iXQspTS z=Hky}KAKro(=|5c zvT;EDf*Tc3xK)vSIHSLWR> zx@^*Pbf$IH=8y@?w+XJB-!fD&X$Os!VSf3=Uk7e3ZXZ~Hebt8hS+(BI%v-1;_a0vk zJQxqs=!WC?Rxy!SnG^blqAdOLy%^mGhQa$a)@XR{&VtSDR5%*QUeD~-z9SA0p#21K7_5kdn#LcA&RMimiQy% zIMv8m%*_G)j4kvqT8;ka&+tEei}8BV(B#@x-cCNz z)bOQ|!2EsMXOHG*#N>?+oM>M(@;8Dt|M+3+<&K=&wj=WKg@j6Iv)fgHp6&kUc z+l!iJ4(hm$F0Gbg{}IV7y)+gT?LyzIgN7`g*O)aOeybz=pS1i~?BHHTI~@wzqV z6EUMdFU3C>i6F~1iWGMiqb|5u$G3JNg`_t`drg{JJss!y=Vl#g^=~&1KnA?V&hS4 z9XMGitpRfVmeF>UI|ot;e`gD7d61g(FC)}@?$oIkBTdUQCp{_>xUAc1d)r98YJ5~F zzgh9%<6Ca3#Yk8{R9x1dsDyfxRM#dx_0ycc`@+x0RPG!n?h(;Pt|-N1c4n06>RTS? z!Hywu@o2&07arK#_Sd^t5uXTBG;+Ti?kA>XnMJp4|sZoZDM!i@` zeD#91o4ym_R;gW*b?Shbvh2BDh}`nr3tJ83D~`&&Cz=7?49OoGWJmMO?4pf2(_bJc z;SJY(nzI~Y>b3(SU<2@jh=CrT3Tn;M!Ohqhh$jSPelbkxR5{*=-G zr<-KwFF`2VB_xFrO%Cg=VJcW&D{#0hgFT$>ktb*Zxn5d??{7 z`%+5ZND`&V+w)zh(i=6{W-t1*B2s3uQ>}anF{2l7zN}Et#e7&GAk?kj+7&gMG5%va zng{Lk!3#MtH}1GWWI1X~uIR$wU)|Es%0dPq;~{m2w#h7JB%cy~4OrNOyQLs-^f%w* z=o*F?HQD`^ORpKBs1GA%IHT;>5JzGMLiQvNm*C{*-Ic9Sb$_W6yOm_BR!Y5hxryRA>IU*u(*?YKOC- z2Ug-pKE*Cz(LMyoZIV|vYb@ea^HV7HfuRx0`B1Ca3q)Kc(an_(0ucLBfrsS*@w{9- zD!mxk#W^?`qU;-EZwu>#%H$F);mp#jL}tXlEVagJZ9Rm>_Q{vt8<4TK(vmk(Z_zD6oPFd!2G;C#h;SyXm^U%q{CMH1%xDOQn$@KU zILCaALER@@W-ElxS|9A?n%lxVF?(Ik&+Z?tE7BJ@qg!fSJoh<;mT(>^c}xbt6O7lF zK7U!-itzZ_(Jq7^j9BN94=1I0yW^}=$t9@z(GvV(W=_A^A@*FPUp*ozYx^2$`?$OG zv1Lv@=0xoO6tL?&CUa|{FI`ID9P^`|F zbQq;Xs>J*c#4>Mo`&6l`%qhxPa<#e{-ln-`)!pIxO|F@A;H9rVOf`8VA+ z2++INm!}c@OFag^c(IBdluRPv#)BN4LSr>%60(L=SbJ9BvWIy}!{+*Y%C$8C>+Mjt`MbPxT zT#wOe`JSljFVdc1Z@`72n%WjJjNyOU+d-SMRfey1z4r~QDEHss3}-pT>IR;#H=#0kVMHZ-)l6GbsDA{|F=)N zW*OImoB1RxG#K?85w0`RQ!>mjlyZQrr_jj~rv0%C zhL;_ici@4{>4%D3R$+O7FfQ@FNye{%>=>2gYnXy&Pa6T^MRl5Gl(kh%=wZ7!Orjfm zmy8xY&mwZ%lfCIxgE|s5rt&irqT{woaK zoa2}D8J@ML^j_EktNc#Wn)({C!#AyTF<|*0Ix6PC-?)s=HW( zl)d$<`rQIm*CYU!xL){6zD~Yh+I-UQ4~e?phB25Y4l9sf8U!wA4L6Ufa--@_O$5B5 z1f4I5kXM^e4&jFppROfZF@ZTu5@}KR6B}Q#EZo;r`JNi2(h_#W8kzo}&nh}3=2fKB*NNYIL}qq@Ta-k9w^svk-&>FJAkX z3hKGmgM>6mVT%ueq%a`PAMe~6A(wmPUZ}q~IUfS;W0RCaCY#YF8rGQr@cv2HrWLp@ zuXzn^N1*aR{;cmR~Rr>dv;y%>M8T_*JW?a(xW?U_KZSNFr zCjxlLzEY>lTL~G&VtRV$@|6# zq8?M+kQ+2>&+peq*y^^zL=*1;b3M!8F zmNo+_$2+YHai(cu@(;tWo!l>#I$qb+&H^EXK~pdcX5&b&nX0OJp{M%$+W%Pf5L zCUUAa23%?YL3YZ5$rvoT=sx9Ex(oc>*{&`q!G33P9GE_6i&KeC=G&k3z)XoYr64-G za%sTO-D11^>_l5Xbzc%Y4zV)bWC$E|ElA4c+z4ymaip38Q1Y9sPvH&yaaVI-d0?UZKCWTmskuCOM~D8RSjm(T^)R^L9?Xu2wn@~ZyAmXJ-Zk<&h~EPI9!RH-7o&E@Yt26-0i0P z;I#TAiuo?yMj)&nKxzYr$6g*0u!S2%xKvsnfWO)UR*#eXH2yZP0p9EeKrCsDCcHa9dbzSQUkffxq7H~5RX zoa3Pbn`}tuOAvbp?L&}wq@0UU!jhP7O;1tomm!c=}J!WU{Sk)hn{al zX9l0J*MbZfq?;w&hZeiZW{R-aONuyseq3I)^JL zi1i;LDzeL($&I~G-u%sUkdI zsOKLk0R@{u+vRmyb)TBLrNm|^d@W5UUx%tw!*1f)m-If-(lmG)eU-VS5^EFtb>``Y zo!9`CLewr>FJB|J5R@_8MK;oSe9sQV0_tuzuM*gZpXujTXBR&JfNpQ09c|W>z!Cs7 zVEIk~{WRAgM0-p;cLQo{s8P{7Y4m?4=8T@C2e$e$0o$ z7&2(8d__15BvzW+{2_8z%U$RM*o*5>4CVT$`?XXtfgOia5sfD zQMq7!pK>LI;IZ|x>AjlB zzsCD~CZ>82pZL}!;Q-QI-(V1!C%|ZiYQFNyrsHGL8=?`@B=}pZVR?-znnN1B_~&m_ zA`3>!9Y-T2f_U5!D9}J|6T$>7#r9#?$PZ=-BmFg6tPfw#=|c?hZ|{+3`*jy#@oP_H zp@y0}Jl(%vF>E`$7$wRL(y3ivrzp1<1l#s#69_DQFk1}n`89ps$PF@n;AeV4E2?qd$Y;=(i{TJ8(C2y|3ld$? zZ`+=%NOd)Bn1P$)e4mYVV;GrYsG*E$>DST=oonjAN^`0)?5)T`6`a1-`Kkdm2OdQI zxJhk|3~~0Om;y+^JhiEgFjz-2;}{XJnUB$Kdg6OGH{Vm>f55mAnQ3U@%`eQ0%#m;D zh$L1&^J?KC86Qx1ePt( zzTJcV6o5%8&w8YSHnO@!r)rmX>>1naIr(6FZ5wS%5yUzOzr7Cp1(VWZW;7E8A%;X0 zx#;(C3=**Duy8vu*%)#S(amF<91+_DZNJ30O$H=KQ9^BS9L&m%4cmAZ&)c+f0LP!h z23WNxg*I!e05Bt$%0~XFtGEFk&Q@MG9LS54%Y0c)o#f#rtC_yj;xIwb1M`wgu0uIQxtbntPkox=%7D9-V0gq##@3W zytVfWjShI?GQVGD^5g!NVtxcWbiZ+wMViG<_Ls>@!lVq+ITxK8rE-SBNC_RKq|c6T zMeapeQBse^K`k`?Sa6;4nft9Y&&ECRFlLqZ`HmCsZEN|tZq6Azcm9KQ@_A|H^u1uD zAS<6+X6k9j;QGq;{MAulk}0Yz6n`zMRkWt3q2`8!$uL)N4tvq25OVf~J;Sx2Vd z|Fct00>*8QdpjCNN(iUifh-*8;+4%--C&7#XH*f_+{@>|oGb0{nL%7Bz-NrU<@+2( zYs>$YM7luov04E>ua8dX3~xNcPYUd4lJc1IGmj#}e3@F|Mv0royyiD(kYCxUr&843 zNyb3r*axVQX^O22B)SJA-1(n|bhX0W7CPZ>%@4W3N7xypY1I2SsWluM8@@QRHCnSU zno0H9=32&{VO?>MCb`5hq2X5219Jmf^aYAF{(#BX6rMs@{z}9*3UnRs|IAGZTyQzQ zne2&~zXdvgJ`K3U?u9s)N@{_V&dI9i2Y3i>p5KmxF@cCcvj(Gy$HLlgFvao)QI}ho zbAWG$dCgxBhUwG}kPe;3MWutM^*?7(m}tLb9pqo2&wA5-x^CBgZ)1`~WJzj3kzT1< z^wZa_K?mlsZZ@>tcFqjB!VW9!-z64*+0XnpB}ez_Qh2OmJiKT%gkTNWjgMS{?&aS} zhUk5t_<7%m!aumxn&hY!lkQ1V-#rd2hRkn%atFni#6^G7=J9(pfuj){ChyTJnliZv zs{M2`Cz13K0|Cwr#M(|^Rm)cr$X<{_I3MYfdtKcCE>~tnmOPGe&dLj zJfMq{G;@F!_zvkL^-o@0wzOsWFB}pea2P&5$Ma?-#`2{<0TFzZP^|4Qybyr)VK+}7OW-jTS$Cvb8y|SZ%{tF=6bxi zXC*Ora{}D%cKsKKoT@6IQJ?e<7S#>?JUE2-hpVkPaG~qBe@;E6%i9vTjw>4ch%zpw zfoJ}E&`va1-%twp0t(2MCWxO9R}94z2}LT*jf5ekIB{dlp2s7(vy-$@gtGN(!+Mit zHnB=&96{nRp5Ep&VVQGz**9JeEuL-?Bcpuy=~^SjWzjpBRG3cr^sX;Ypk|Q{R8pUS zudA7LNBz&()$2BgG^H#{7gM~(I<3*VOAT-UL?rh(I(ofA9RJ*F(dt~)Qv(X_F(arF z8NFswzIP0XR2SZEqIhB6XOPGZJW}rh3!*a$OfdA!si5MIe#W8r#CS)PR{54iTZm^T5aA< znK_9bDCfOw;r*tiaRgDVQ2c>CJE{C5J!4}QFZWdAgl&WQRfpjag}!5#&gG%kGovs0 zUK{7o5%5^q~j7kX`@qGA`h$er}CmRMet!m-8gPb!Avgj zv`oV#Gux47@2@Psa5uuhi?SW1N8-npGKtJkdxi9DE-ybaQc~m`@nRBiZ}t}@)9O#+ z9kSyIiO13a7mL7(Mbad}8R3xbC0V^$;Tk~Z@aRc9DdqexxXXCJ_hG{V=K%cbbT9wI zx`~%OE;x}GNF}t``Dxbu^8r`99bHZtWu0PR`SQ@Ci1di+hl(`(j4y!W=Utmx8?#$J zL=G3V{Iex)Vk6WK+Tsqm$~05?2MdxTVV8(z+Lvgw`RWXKZwVZ%bdyHjWHU2IyuJSY-CCoc=+ z>{vi(YY+OsBSp5cSd-GLE@w!J z{h5qw^wgseG)P5<$3(B{r$|I&QniUP)WtE+ryrp$3>S*a6W7NuYf-tv%QOAE3kT>C z1#mAz_1#)!{^|P_2-i*Th}ximb>UN*>W)YSGOOYxL0#vBMa{l!8;DRVI#SRDX+fE9 zX2&!(qm`@Qh!f7C{N+uKK^G#|@kpfP$C(X!YCl@~6psgfW`TYbhTFg9$jHLl5OWaIqW%XAIXtH^@ z-K5X;3w;#_;~(4WutvFtZrMidp|tu}TlaZN6U>~wtIovr8jN4jlKE@BbrBkwD? zH`YzLV7UQr=hFZEhS1h(J*bb65UGM^WMpJ`Vl1SdhF>Mm@f4LB7uHr_5cub{nyV|_ z-30!zkdU|0#mopGxvJ#oMX}ysxu;bzH3fcsZcLL?A#1<*iMOHXogWN`l*n#kDn2)U z0xI%{9T0-8UYetj#Hylw?${d-1Z(h)JtgI^ok`+&Aa$|GUS z@e^!JrnYws%rH)~57yGZ=UDeXMe(878cp6b7}rvHJsiIshA=sJQzn#T@P^5){Ke}MeeD-eCzRHn3exmQa9H;`&cS2pag}`e`t}0rnjd8RiVdWr zxazxk-|s5&;&jiW{vhm43??p9g8Bk^K<^^G{F?4HBeq^;z~Xa788=4yEpANWYOu{y z!In;@cb*5K!yO-QO3}$%I`-EmZE6-?UfhX^iMH8>`ugel`65L0955nCgb+_}5KwD( zChQa{{I}>#_!(27O}0drb8I(>ExaQ*6}~h0)CKuf&Y7@9GS;Hf5jrQTS#pYkw)!o>XBZ|(_qrtP{`4<>AMIz)8TuUj7GGxGPu|%1ECPBNi zw0!&Sq*otZe=jdIC8ic=j!ew5Jf$g3LIUd-IX|0qih!_)8u<*SaYr3uz zpniwH&#l!-^K^M4yvit}oW67U+Zlod{-jM>s`O+pG5d`{8<>~elraO9%i&_T(X?}E z0u)SW3FE6CH}K~rAtXW1T$3uA!%3E+bbQI?t+0wtC-8)1Km1Qh%+vci{Q>!;L6L({ ziH7XopqVj$paRR&R%LHSDKa%<)A*i{7L&reh3vlewX{lcEL%kQy#9pwg6hSA8;yKE zzk3xhnrfdM^VP|*VVD;Md7B>jh}fp)dr_PPgtL~5VUtx~`&LJ5zvZPR`F-5t|NBLI zY2o|`z1P2h&^(&I%8l&EI}(11-KSjl5}Qp8Oi8=$LjF#i1W&Z#GQN8yOAh=GbZwyj z$?}$>wq@j0yOt2~^$5d`?b4!R@4Y{zF>6Fll@XI-;k4;z7oE`H3>ev)hG&SwBC74z z9ihEu>MH=^|DJ^Xg3UjHt|oPzHnvw8A?Stgt_$H#ee^%>^7a>=`N(KlLr+W(Ge1Rn z2&&Bl|6PD&!>5(7kht9}usXlj{Yh3E$r!DA|UViVG_1pBJst=z?5AHq%OCK!H45(eDCwqkoqw zAA`dmPOESx8nZ6{AMh4DRmCLQJKyLMU8$>+Sc^G2aoBv?x8& zpS zU5zHVWQlFtQYfj;eZJXP2p*ru3%6EM*^(w$B_olP)~@%9h_IQN)1vdC7@Zxxiun7i zcb>P077!{68h|8UmY)i~Rmz1Ab#^TUxKQisC81}as4fmFpAZsHeNK)HS*kU4!??F7 z?=+qLg63J93fHleWO1u2-oRHlJi6g2yta~-H$fJx@2Wy0m+N>rs`J-H67B8kKTf(h zFNK!Z#kt7SPqnf{P7~_;g=))mqq)zrFF$MrDoy7Q-!vV3<1L)Mp}^_F3jh1r4j!p8 z(eT@T+_^KH|oCkisgkfq3-0G##e}-YrPhvm(X-tU`8rJmYGc``% zZdPVaqizp*koeJUHdX0SFb}}S1I{TepD-%8o3jk|WYFrvY2~-&kTY>YX6?#D0z>1~ z6)c(xIH=SPfPLq(eyB!3)mP0#tJ=CxD^Q8uySe|ys0+UJzcp3FLzB=5X^c`> zxYqJFK(>0ciFZi2mYFbe zX?Myu2yeGI;~5`o-`MLHmQRi<#nJd~JsDyhaJlvrS32wsvPBph0MNY9T-aa@*`z0n z?6|s(7`8FJbVEMcJr5(v@p#*Qx015ui|ZexrTPGV{j8KAim-3;q6{7@x<6{?j(jj~ zF59AC$wC=^DkXWH(U5Vqf~({I9v8;7)og-`jy#X^!=RbperN~qp}-6S7}tbBZHt#Y zIS(p!O9|eGH~#rWMQ*l~3Fql3V)d&*KX?|qzp+xJbdk+<60w#fBl3h4h--3y2Tb-t zh51X9Byv;O$%`;z{^tYws>;S(W8Lb095er8u>-gK2#{VnWWN;Sm^}@sVK%#8|`rqjV_D%1&SJ{im{yVeIRU@&d^VBL)af8G7js9 zS`#;$JUUymhT{QY)s(LF8^oT{0j8J`Ic%cW+;uhgh(_Ic>fxe8y8~ zGf|KeTK(m!^Q}<9QLpLYUDJP!=v&z+nM2tX5fL$M$`Z)>v#sWu>qBvLN~2xbV~wWO zwPLenaAC-I2RD;L%Ra)3+4t$sFSW=naFU=G`oI6;R;7)01)Q}=5VmSb!8Ge{dxY=d zHqN#1TETpl(?roz*l~X_zr@P;id0LgMPpNC;2d!p(W5}znsk44(E857aCW1bsJ_@za4yjogs$kPu}P>abJ2UJ1|(m7KEIrUzsZZk|+FUKZBwwS4#{{G9#2QLPt{ ze5JwAtaQQeF1kh$V=S>T$%lCp&)A-^YXMMzPw{ppqxV0YO8lSRv7l#5_g@Y+2uM^+ zqDqbg);7`4_l3HspQ-YKP4&3;^~fwkhAwGQpSE@!iHM0I6ueq8lT9D1`AEq74JjgB zvcVF>yxAi-=X>ERi6JGg6~IRXGaTtzncS}{@&t32!*YIEBi6PJjKw`YEk8l*=(+#UP>T_4U*|T&(1sv93{D+AvYumXO}3)&Cbf z@P|tb4n%|E~f5wmg}YfC%H=v z=|#~F#d56!&|FKbSlCj|^2y=Xnb49S**(2r`KO2}wR}fo!0aRkHWm9w&XpRe)4Z#E z_#sn(T`_xIahS8iSu$JUm+D%L(*fjMJPaqXxf1LB4GEExFCgpn!y9WlLsym1Ne7yQ zT~33_75 zNcM>VX#OR{wn=i{cqIjm6O1;H zrA{5z*eyumA8k=aX>yueeEHCqZ!=(^Wc*;`fEVPLZ)DGB>N7RCENbl?a|3rP@Js+N z8l`H4yQL^A(*N(nHBW5GQdY$rlLSl|NY{x_(3?y z^Fo&c_XN%k8&6&Gmn_Ck;6xF|JSLnpNkNC|#7QOdE8SQY4UhmsyYK9<8{6k&d%~0F zyCvJ*ik?Vtq1#4bUS3nES_KeCZhxP9R-&e~q@1~bF!?i_9wql~;m#+z?KOTkFlxJz z5~#?fF4!tU+jev-_ z$R?yBrZ=MN0|_ooUO8EQ9LXjTqlFEPa@PnIEXzITA4Kv<3e5T6HzS5xKR|}73Au@4 z1%#zG#esb@F_S<3MKI7$j~GA*K7|yGB!Q9cW6CC9F|O=r4M`FXA6=JZ5Gn0$R$kX- z_Sb39ovB*GR~|d*ZWxoHZ3oJg&FT@v z=)1q2m2CCDd%(A3hw;|ER8!FDs3Lc#{j_!x_Mekg^lRbnTrH zcW+F>AGI%bx>e&q%;E-D<`Q`BAon#Qy=>!Xdcib=9Cqm_%o_3c zWi>8j-eX`BuKfN$g8{Dqc1Hz*_+>7i9qVF&IWs)NH)4*BO8uA2I%kDgo0;Get!~jL zepJ7_C~-nnnuU8$0+uU{AyQHH|B01t1tIL+Z-lB{&W)rjd-*fhe^VTl5iEW$ivBT* zS6E$*?be7jyk;NDadT*Kf~|W-JuSTni(Z^-KGCca2mF9D5fJ*O{DSC3fGF14_OgyR z<3WV$5b~yNUCZcjFzoA)_!t>{P)T4*tbqup5n=B4(lQAYl z2rwpul5MKKM9X~BmyD7hUUNG7qtG~~=ab=4^HYp9kCAPXcxK(%furQ}fUJ$ujGBv}XIU*xO zFfM5zO%L`cMeK=Do!bq9eMZV;9iP(23bhc4=Doxg%KUO#eS8p#PR*y3kGdpG^^;4{ zv7$~DYAP$Qzib4fW-sch zLUgZ#)^*9vOf{F6dWuz#xp6a<^8du9MODB->HmL&0_^#Ph170Qn1dtC7(}XR_9RY1 zu_0VUkGYJ%8AV8lljbF1fcd@1L|VvuaXRC=FPXnIg`&+k?OzvoTrX-)ekZbi0b3}> z0W4LmB_?RxMS{i{jo(uTcILSf->grxRg$MsYL4a*?G*2^#B+Gip-_obgOt|9G*chM zW;HvVf_UMYVp;O#iQcG_Z&h@ER5X*&Rf-YQYyABfe#z`Id@kkq8u14Umz!gsy&vV8@#(J>V62joua*05X-uI5Uhj<|pebRV1Ho_=RkT(gWF9WRa zIJspC0~0Eu=B;j&Zclxitu3qKYwBlEe3KAe@-4bFPbN6^Ns9XXZSE4z=B}Nzzs+Cj zO0e=s*z=7hnOTQ{tI1kx-xd!U*kImaif!=r7{8 zTVzD#MnjHN2-iFx(T4~PuHur2miNk4{9TVS-_i3Y6l;USlB_$Jr^oNPibVP5W-y60 z9=qTLQ60SMEU=)0wh>`Xd?r1=;IL6uV0>vJP-d^lv)JUKOai!Q(SO1eMPYa^9)OVV zu9PVMvsRaxer-p~H@1u4~s`+E-W z7grVMHsS>{^})>RzM$5knfcPRlcLv4x|A#Jbb|MOs4p7ZAXZ5G8fvfIoQ!-KcT_7i znAW$#fl2MHt^_JsM+-MwR1;&A&+G6^bJS%$#^Wegy!a1kf=6;Zmf~71eq~ME>ht-o zs|ELy?L0&qLy=mPsJ)p(QGIp!1S5YmQ9f~8 z7Ej{|PwNQCfzR!YNW>3Y+_cTZ%f9jyGtodk*mGu{rRX*cQ52 zo9uDunodC{9w+YB#i}?|HfoNs-)p5pEs~;N`G<;vA>c!9gvg^Yk&wq{>YTUP#TygA z0xaY?*X51acmkR5f$@oS{3i~0ZozwC0Zgk!c5EPgN=LK&?+feW-p0epNnS@ z#r{bZmG04>jjdUlPCfCF?(==?jk?4_km5ut(@Bg1fRz6FfInBne zs({sj`YYLtQ{SRr$hp_;MfDl{w9C!ljG(1!blZFQu>m4$x|`C%^0+QstToR(yzv)J ze*zpRmC87UWH>DqU-dku?yCAY(3-U%>1ARB!tc=OAb9h=kevR>5%sGsL~_j{uyUuh zimdc!7^{rq5|clfwfK!`Cr3JlUqZ7t^Rn>7d$u*?WFDhe;#~C>o(>F;2P>Cz@-rv7 zQ#l1z>pfQ|MZaJ|ZV$A9EHPiccapyC%>do|au9}hyjdxFDE7?tiq zO+<}@%S~r<3FIeO{ejy>^#_e{WH*xMkw< z?{_l?eEYo^%r@wf2bY4L*z`J&8?r^7002P0;}j0M^L;s$^DKHSqZ z^6`#mu3FoN%czo}o-pgZ7NN_ZZ;NrP^^%8cpAzQyT5(S4*lTc9=a{+?se`#*6m(N; z$OIG%!oJ<0kwPr52xIKaDCHc4lW`#_R*bhi<@)|S4e~9*?Z39OPIg`myZul}+Hq+{ zSk=!@;5O}@ISr_&Ls_Vr)AZhx%!y~N!!Sfz%;@N4tUOMQqx@IRi*w)iU&Q&r6&TB? zvJrPa-VVM#=|>!(Xhq&<1eO2j)(O_$H&>l3EZoo)esW--xNWk2m$YKW)L84e(<4iV z#uD75$#cTRWHL?@ot3*AYy zC)~agQ#&2~67sw<|G7B-X|9mD<3D!+lvpEWx^>c9cycdadS2=F8OoJto)hZbG3B{Z z{mO2>6mo9_=($YZu)p^F9|Z>)z`6Q4rrZH;VP@hTrYdar+ieon1wNb@J2VSH?GiBEHB<95g zhV$A6^)xmP%EuKgpnGZb9f^355PhiRh_oCB8|j~1CPu8%EvBX|(|7(Z?%U<9maqDu z#!#s)6D{Z6P4go7v%6@U+fVldt|&-8`Q`iG3}aH7QDuL{#pZ-qltQQ4-oIJKSrjS# zw3v}3LU$GCw#%2@MaGr>!%{E$ZqyO2EcWTkz6Ujck+izsN~OpzYUc+bmoXv>(IM5+ zUrtVZOdRj2lsKlgMrFWN?TR4#WLdO4u9q;t{=(-wjtq!2%cCDZLapwCh*gc+q&Ud_ z){_fm^uCR1~d;9ArxZBRkt+aavUxK|0ZI7$y9VI z1^D;uXGTL;b6w%X4Hfssvz+f)qG00~nbpWIr`e*DFd%C(5gL~c{HkudKX8I_blK$>ph$6&eHxq zr&JQy3$|2QxSSC4b&J$fpH$NCQNpHV67yFQoUg7&jTCwAoNDHp4%~BQNR1&lVEjG1 z#punI{O`B4ZIJ(liy+_fX;S^YWqEpB9(d%PZ=@Fn46QOMi+;84RTG0ej1%L&qen~s zYyc3Y(Ub)YtmxP3W*Dl@nn*GJ za!9Q>%O~j~estxVOMG6fmDph!S}LVi&;Z0Hsf~HO&S(&v`{M)7)UYpLidJ*xN4w0o zH@hI;hz@BsRe3#P1M1}ksN6LN*q`r4PRpqw`X1@^%@|et)LEij$-La2cRsZADkI@X z*?hB&-<25ud5}7#>g_%B<=5sXRKrX|J0rh%Qk zMpLxe{Z$ zeN|D+@qwQ9=>XM1Cywr2dSNT~6{esq|1x)enHk)NJB*pqJ0V2#^0?T+3f$O{1 zi&e$K6hk;(x6`iS+XeBJ=>&1IZ%B8%rFrm^QIV8DM*(MA=OFxPC1u#!O;L>YoW|Un z8hbbGD>!z4bt-xD%nP$VQC#PSDb`nMU|BGto`@~?K7Pe*%slWcuVUt9&DvY=+$=o!`aI{3X7wlm#b)+M2C% z>@GC{Ys9W1oU<%h573Pxm+5r3m1aIy=`(b9GNX2M>6~uGQORo(@bo1aJ2{ zpdoT#b9|9%KQv-5>k5jNa|r4<9<8mu8f3*9)V)l{Z~ZYwmR;pUD_ZslI|nC|^WE+RR{rd4c!ru`;^ z6?ok_Cle+cnM!dZYvAT)Ij%E2h0Obg^&9`YT~*0EL4^N;!St9}3UB3g_r$R;(q9qJ z^olA~jN3xFi3wwHk17wuI|!ER`EFARL$P{_ES=P_Axc+H_xA>pJk&cApcGcaQAXXp zjGQK&-6u}VX0x)LueMfHtLabOUDsGkdqpv6lf(LawgV5iIG0zxhG}=V-=0a8+=n)} z?QsfwI8{bm^}BX9Qi!h|lCehR2NRp0be^U+ayh`AI;y*|3OR5SKCXt*ckbvtCCFe7 zv@BWAleU*U+1{knCOLA{rT*Jag!Bwd<>hfU1bI=PTspXMn$n|T?L03Wsy}Aj5W)Q; zyJ)d67QRZoI6_74ji>;}sa$Oz@))V4hqvXOZ9s=b$`^zo>v;~{(Y`xHMQ46LI%j83 z_Jl#f<$IGOPn8{-*bw{z1?v+K@tRbdZ({o;AeYZB8((J$?Y7(`5SkN#Vm!)Ca+R5RH%NpT1`1RREh z=Nye-NsHISDeqq0yx*XWxBh|Ws$&$5M$2N79>29}y4yur zgPO?pis*fa%X0z%L!CxWEz;%{jfHDn<;kZiKr&Y4#{tH@N z3`GVmk42yoAg!)a)o{wb-|&yg3iO?O?+qhSkinFya^Irk|0z~cucLTBL zkp}{HLWEv>k#G4Pa0e+n!bexTejE5*Pl^IAvRI80=X1~#X7foF*zMAl5`ApT%&CrP zY{Qvf6DQiFQU7V=@8kWws|oIndk=&In&-}ImNbQDeLK-hu9{yv{hG0drK_tjBPg-= zFWfzh2-Z+sCg3TPs#ZWhcLRguN%s{yO2SSw3%6V;7=jN}yYv0_X-1BQcdN+gU;G;& zL(S)J*9YJQ?$N=7l({oRUmfM{sx9Lvi%yjo)~m0##W5>bi&Z8P%;Vi(1V5>;Ir{YH zjDk4p#65lwuB;#u94+B=2@a(ff!=2xr7$N>q*_FLH(&?>MPMpz-~fQGO9>aWj%zo< zCRY#&4tEfu`+r#Y<@V5Z;ji~m4E|C?_!k>^l5xiiUSRWCftL~&i^P*sA8!-?_zj*; zB__nC9aXC?ap{%L<&9?>AoYRZ;v}-79C@0qC8h<4jLupZ@?9%dwwVa3ZWEWQVNPs zzdW$uL7vI)AvApJ1#pvCHLuRwub>(Z@HiVu_hQ9*E4{QT-3X~=LIdo0>B^vyx5nM3 zQ=?Z*3V17@_R3vuyr%eGXBTL&n@OD5K(WIgfd>!B*9%FG4@*es)g;z|G9?#F6welGrJ`Qe9h~ zWA-~A@K`+xGn?nE|6@yjJHr0ty>^;_y8CjeDqT-P!Scb4w6f3LWhLDi9eaywJ;&CBBg3?`a%|cPM6nJx_3`>O$%Pa2uirvb zuLWuAxiQ3W+9fN&2tc$I94t=xf$+BwH7dTl;oz>mB;J&24G~Zb>X$V0$KPsHbz|V_ z65NeO`vI*E#}>)6Ud-#`k$O{O1uFLru0MdFBY^2xQv}S62$`eob6THO%hNez^AkGk zPAH1;mh$?tpU@ex^X_GMgs%Z5y9|9H=P%b6O_*ll9!cy0CAsiHQz`$t90_@=X&!!p zn*TtjS-YwBe-|TqRTxga2L=j2ho`H>pm+{@Xe>PrmYVcZc- z@@Z8i5LkofZvDu>;pEpgK&$`*z$7WbXt5xka=RrP#VU_z7oZY#FY?|2FtKW-bfYd% z;43{YgYWdayiUT069r?`WD+9JXC%k%byIZl=^anCo8v5e530p{HtZlwSOv({NOJ;F z@ZB!6EK^zhgh#(-3;mWq5zF`H`!Si6*v3AQILM4U>g@QJtNTke5`NF37u`MSvyfo2 zv$H#-W&QyUk`kkZ{bq6jXA0!N1P>6QSE*9Azs(F^c*|*e16OGiwk}n8KdQk6+mI^i zq4p>#Vdbe*?@8gxS@+o$4PrG{#eka(={C!ecWV~_T#hCEegVBWy}FEP80S&*zKnp| z?4PLg)*XhM&dLQxF8_9F!Z&7PV_b^VUBXK)r>c0+xmN!NS^Fk7692QR>fyi;|=jkPEZUG5GGIu{de$Hz!&~j3sFfw z**|jn^O(D*8H;M3&{UM%2_Wv;cp}>?E3rpXySZ7I?Pg%36dc|1UkCU%{ItV=FUlZ_ zz8%k^6t{3zyb$-yq~qi0d`oi&iQ`Pgycb6NblneYA?&uP`4!$927*VAS^>VVLwGWb z;9o4<{|_PHTWIREP!V`oTFTA)U0vR$3!9saYf02LVlUH)h%F5z1H_@q)t!{${}Nj_ zpYVDf(;jj(Z*^z<8JOaZrL6fGwii(-sTNo`0}r;Oh4_33MitpAs% z{&S}wLcmMRhA{st1OL^u{C6h2#Rtsuf9U>?*!~|r|Ia1tKXUay5~=^_@Bdt+{zQ8J zk*oj6)xQb({~y*PK0~~ftHW83JAos<^H|K4kCo_Kn}3EG89g|3P31p5+QCif2bXJj zIQSo9RD=kDeB1v*qrp(zUfy%kBxgw(u zXO^`P)jxbsioV$&V%XFC%B1Ky-U{hx?A?T+9ib9csZzNT(KZ3Zup`qxj{iX0Gb~C#@V(1!&Pc77n|E zL&Wgb2u97QPQnP#!k4Sn%EWc%0zn!6@d2ecZ-2fC268Xs$0WJ26!hs4uD2a8JSpg} z##}bZY28Qa9eJz&mRkbWC^9a_W|1meBy7_Ds8m_`Y3R&AX*+@Fhel>E?H%1geC&KPTo(xOUtf@>-ekgVam>&yzVJA2oyIfXE9+ zz2wb?f2u;L*8XU(mEfsven)Kx0VKf#7vgnoVG9o1jXjD7Lf z-O0gq=FBC1M-9x%cgy8n>nsI&g(~8CMvL!Q8wmwX2>*(rr9B{u{cvnMZNQ5g-;M5n z`C0deSU(FuY+60_gi-bUH?gCa25I*Ik&~7MN?iC|Yyae-+x3cHK*s--^*UY=?)5!+ z&?D04MY;f~eio%yI5M8vL5c7`oC1tF56*7ym!fN&%|p9cLtvD8Zf$8_8L zl}9}Id_jQJTYr>$_3;KMhKYVv4~XY$U3EhKiboaOTMBQ0vEc>MpJnv?y?I91TXs>p zfZPujXuqG5$NcD@!uebGOV;<_({Ra?ER)T+2XHaivW)8wv5Mcss_(Nl;g2-|#J*nM zgRus=N^uSUN5%f5V*gL7*!nvq7E{ZejE8>9*#-#|hLFmLw4uiulFyV_e7wsmMJi_f zVDZl08!>l4ZWC_UoJqJV+B8YTEV(j@Ts}>Lg>~RlM4STSq#~?4*Qj7pP$5uwdut5y1A3l1q0Z6AIW z`+4|9Xy;R^7g2&>xJEHnYj-m0^~EPOMoO;k>?v2PLj%e}I_jv8*Kn%X024!@5&V># z*^z|8gQqT!5A6oxU!dG`6SE)l9)T`JP7Qg_el`4nKpGL_wG- z{XMtGs@)eR%(XEw8j_OiVT5f8RZd^se!RCDwb-Db&MPuqP1OxM7?#ucO561w#SW3IDh3IV$rJNk+`m@H z+8~2;HBTzR%Hnp+SZ~CN&E<%D?`yE5Nn_|rOAoRMa=5d6aum#CG9KQPaYQS|3XXs* z{MhGQ3uRF4Mg^bFj*rB#8XnZejVZ4r`6<)5M@qP8FU{IyHzdioQKwBcTjlm49LLCh z@H;aOGuiQb4nS~vfPR9eT1N7*yhEjR0d|;%D;K3n-=v}^>6^#BV~ERYwrptE1i8p3 zzP?|lNtekbp77iLeJcXR#5+yz>qO5UzxA`sHwMAWZBNB{u8xF9a+wx(i2q*c9-Af* zeLxFw_kfPs>#g~INFcA_8aJ5DgIk~8qwh0x(=pxxmxAdjBhE@Z$-DIoB1YAM3zNN6 z>RHa{V{s0jK~I|O3mZ2MJthx7r?9^B%6S*d?7ig#q;~D7s2+q-Y^Sl*GBhM*k1sXU z!Kj)!Ok1$mt>OY6+z;=honggmaxUybQs%hzyl^SI@|aW>-a&rg>1DIwL}2R<=ESF) zxtjm!wR3Ow82awLg1WQN$%6+HYE>*>J?s`hkzy6QF;yu647sDF(gzvx+&{s%ma-wJt=9X zMZ?|McQ`=YPtp$YFx?D3*N<;qiTMJZ02e|{jD(d-ZsTa~j|RpYmAHExXn(Plxk?+@ zBZ2MvH~LWO@Ei3jZ+|=1ALVXR6CJs_GgB+|87sF_ED}-;3d`>Nlj~1`2*ROO zgdXwOz2D^A&!Z=eEV^gQMy4q~M$#bivX|=JZW0|_!3~=>=2YrB+iu})%dRX@R`8TK zz!E31M=~jkHL541mN!Rm54TcIk!Fi{?A-?+mH~b-we1702C>D?g2=l>M;+>Za<8gE z!mQzWm2!@ztS(BihYO-i;e$flUWextJk%k7+D*U1nz3N1+Fq3;xzT}y%>4B*navf; zCx}TINTcsS%xgpLK&uL=TZ7vP1@FcyyG_bnU(}1OXBMtT?Y5qT1;M>OsED(K4%)PH zMZ)faZrEDOy|H3iRZ`)Z*vP(2@|0@6Hulc<`i8T?t?I3W{VbWVO2znk*g&k7kyPoh zE3*!M0yx9-xZC?(UL$Y1DlZpzP6UG?wAoxs;qkO!~(C(9Fc=Rv@<(T zW-En3rQgieF-{UjK7VSrH#WSzYHrW)_1SQlE+sys9V=xFzPpNEfP#Te-WASx zy^2g(j|+EXIpKuW!vLI~2hNN6u2ua9i4~s2sj=Miw)2P7p?R?;#y~P5Tr&S1sFW6} zwYv(7(5Kv7R(xvgl7p(ySRLE-*_$=Ou$obBSU9?e_}yZyz-9TXuh#-Het(7OyImrW zSI;O{T4sb>{dw{(a2&)qi^~SKd?^nVygS7UhGQytlbnGtIu#H9J~v=pmV+!YGsERm z=l$9$Peq}n(5b1QJ3h_eBTre`?ID{vt`axeujR^6(Z*=WDrw2lhWf6j%CG>k&_E_e z^4gj&f)#uN;c1}+;=~`WY(X*Fy+d9prs|Gnv8FGUEaGSEbhFXP0^5rMOl$v0id2_z zR=FgFhjZWs9b}FEzxdTzJKwTS?x*`72x#>oP zfPI*NYb2Ztl>U%=9gfp{K3Lx*I(S+5PSWix_58_UjoGZURmxkVXYtO~8~JyzqbTaN z;V%r6Dmj)y62gYYW!;&P)?uTps|}-j&@(|jmbsxdY|M#GsM!wPpd3o})e@%qbtj`l zeO&9iKaqWg)o(kvDngG^&~WmxvMy4$fiRYU0|ohlhuO`qhHm)p4m0oU78WBx7wFqwQ{LKsW|Q8 zE8C(^*#%jn^2AozIs0`cdvBC{FIO>lDfS16cuGg1a0|{$bE=eBl+rljCG6YZy$^0- zofj48{sm>`QC1rL$?o-;Y}ds3ptF;ic9I8fa>6jYmq=?7x9=AoOp_skMcAHZ5Aoey zp%JH4PZw+`I(54W-#gArwICTLy?lRK!@DNkTj<&J=+J;h%v)1AO-Zu1D^xFAX%JZ; zs00&O*CX8RpHQI+dTH}QKSe?(01$Zct$dB%%*%Wi0shMMh;yR>VsJln2K+6#%&IyqVD z9zh#U>rCp0l1hRGY1J?boaVL6^?dw^;?3fd<6)jx*cHvB`}weE0&D+l?PyA8Y^|~q zF{2gj)ycIdN%g8H=b$-os}rhs8z6w9WgO?)o zc$;G*PFBO!N?=2O%&FyjxR~2JWYy+zbK-X+A?nu30$_lPXAIe~AjaP5w>Bov!jH*L z?~#cfUSC>BDj3{ag-V31P@ zHi}ozRrcB0amkzjE5dW#Rx~c$ZYUekiFj%%7wE6)#bSgf$UYjQ)?c(4I*Nxi=`2@X z*<99nxw(j#-rSr~LE%qmlr!mws_95NN<)?DNGh{!8g?WF?%67eiO6R@9ge7O zjq@?SNrCWX2O%^3by})MI71ag?eZR+GX;|l6cZ?Z&*Xd_F+=(nrQb_hybSu-H%=1e zK`!y5%&7gAKoOL@5j)T~&o+SBhRq)y%cUH@ST4$lgoLy99q>gJ$JQ*MNT@vZv}Pxe zNu{WgdB(E-!uEZ!TwYN#wz4-YN$2CtFZC^Ying;v5-%sqRzKe1NQWko_#Im5^7jfU zn-}nwNmYZUIKmx{B&DocR>Ke-3NY5EUcSC+=DljuPd#!EJlDbxy26epELp9w|L`wE zvp{L8CJq#XcUVZI(dcG=MwRq)CZG$^*}*P*Cv9#M>>v~tk_M4B=fn`GJVm>@|9S@6 z<;l)uKJAdWT$zDm?<#E1i_j)!+PP#Oi(IYaUZz`BM7|a>?6nTXF{}FZG4kjzwT%*d zG#p9Rxw0GD%rfW0UH7aEi&m{E;a=db$lK_gQ=v=bEHv-ACD~vm>i3zf6dmtiowwU0 zhTufaKQ3&VVb>5RGKaz^$BWFnS%2m@eY-QC0}>Nd_A#We$!SKrI#D~i7r|4k`0!Kj zSVX^G(8h)rc}-l+{xTedKy{DDy^7YSchQ80IRmz7Is%UBO~P+z9vTxCFFG9|8qqOD z$4v)F+Ml;PR7?yqaM%x>n zEc9g8klgLH)GyDMTxY{}PoCwVp^4KVw?_IfB^T3;Bw9{=u{e0C#=P=o)WY(WPlfGN zT4U~smb;&8QLK2QjoA@VT40pcJZ51xzfXU4p}9Wn*Z~s|&vSmkr7Oq{_N5F%TKE%h zSoo`m*Jv3Z+aGPqT&zO3zI;zxnDg|Ngu%^{HWS2ItAR9tBm8sl-y#_~S-$is`_y!l zd+uADC`HlHA(s@hiAI|bt-F0;oSvFk&w7c;jf(K%c#}z}A&)qgvfTJXW5mpGqegWx z_#W0IHR#gjh2jhoZEiNXco*8PzY0!=&#Y8??ZEiuuC4}Ell zEw^$c@+^*Y{m6dXs@tuV><)Mj2cx zwWs*AuDS>8uyyB%%yE*vz;}Rj+ZZL!af@-@6O}E2KvnT;*S9*R&aPVteky1-i?YaW zB2e~eT_)}o^HGynZ;nz%qVza>?FWytx`21mB$mzrB#kOsWsMcz&*p!*CAmLT31OE# zovIM^D9`5!(Ty$^<;8#}1iqq)FNldhz85KA2L!>KzVCK{Qu=4b_R~b9KgUSb9+ENI$;Pk zbXLx-Cm`J+@pH{h{-Mu;+Go{%Mzmn8)GuRxKg7G*^U#_z35%tz>G_Quhv=x`8riv* zd01tbxC33>bQ@952ZVMHsPN3kCg}2W^J)x`(#}-~P2tZq7K6Ephkn#r6pxvvb;!H8 z`TnC0J(U03tb7H}NQkM|{)oc9 z^6OFL+z5rf@dAD4Y?JmtcX`Te%Tyc9hEDN0p_VP;$+p7dbAvy*@g1nki>1*V_)|gm z)cBlYG)Zq*+SBxT&SH%(=R^$nCDoZz6;p!w21&P<-eO%~D_EKn1IuTSEv~^Z@RCbXvCF&ncP6q$3T_#3 z5iMj`D?E<#DMy;X*jj_4hSl=KAh!ob90#KC;?`;+-* zivr&!e&f?NVd(M0JFcGYxMU}yh7-pFi9~a!qK`#W>Lwo}s<<2_kY^wCVO^lPdR*D6 z{`byu`$I(4%zvg^f&3=mHG$@r3)3g8Lj$HNtzWBnt>z|{dk+;TV|$>5ZZYXf1T3&lAD}mUWRG_|MD>wakAN6{?Htr1^GeAI)+|4XzgEPX;;EalF3DkuF z>NY&|n|k_a|IYX{=CuL$!@##Q?>BGQ$v`c5j)i~Lcv5Y;_Nze8j~q^i`FHAU8*IuQ ztN{#^Jv*N4>Sh>feP}_SDUNnlq1PQh%TEueX7yYWGLsSFGRb3wGHEZBkUq>kij(V;*iZI8N zHTfhi3;(ETTRVAY1WRU`U`3+!!=! zW?8!Wyv;VhLQF{SZbI^^!A7;>6%G2)w~3n9Mdvq#cOr$GAkIrxR^x(P-dAFjBkfq( zl{!%`@9dnSqy&2rJ7%tiOqfnA8 zjj=LyLLWOMv+oP&^gJ!AJ%a>O&W(%t^@nB!9YiLvp~P&Y;e0eN0?ml_b&%qCbl5;t zqTW%MWV2Q-$Na-*j|qWX`hRHxV4{Nt2X5zzV257PN(u+d;B;WiT?)a$1DLOpUSVZ zJx7gr9Gf2h;yUAQ_94P3$XxA)&k z{B2PsXajXo)|n(vjxfG*wBmWQgx=brUZ7dhD(57ndKACMcp>+O-|%suZ`fc#0d5ec zO{{4jA*!R+w1>hva3(;AlMlT`J`NLr+AU9BjgF*^+A$QBLVi0SoYqRJ?E`U^_Vva# z9+dUvmk5ip>1Q3fnx62I?d+Db*sxFM;v$6!pA45c{GG=yNQJl)n z`M5qDcY-)=W$1l=Xqf_+l;g+52Lyx_O(yKscu;^BZ0eyhqE?oj&r)Ymwa*Y2x&wfB z87NP*>syBHiB8Sm$KJVDOJ~e}{p+$_KS~`Wo0E|-dcBsu!gsTKuii~UGGkOBaTt3`e z31$PVhg|JuZUv{rgTKV3d_$AGkG=T!au8Q$K%0D58ou$TLd*TMHd&v7H_%M zIAL$mVfzkWbD!U_YU|_3dY5|~%v64`*6oZ`f1!Li$}oMd=(kz1o7D5>vH|f6%M|B* zY?YMfz;%wbO4{v~U3-mMJ($gofa+T;d`;g{>{_l-O0Wm(AuVR2H}bG0w9GJ4*42&Z zs!>GS6AdKN&R`GS9OcL7E5XhjX?JQYR7PnRCl0=Bh&Z2SI2~C^Y!x%t9NW68YqA}p z@t)4`LJ*d}J$oI7jGhjHsVS$P}G<`d^#OSIb ztO6=HNSW9fLi}dWMR(~N$3#a%<8%fppD()SSIu^!Q+IZg7er=%FMO~4E3F~xdAYyG zp@{Br_j*f+$}9X}le7Lg>!d!5o?E~94TVQvLP2~<+{81+Jfm$GRrn-z z{cePGaeB!7RU2>JMfL%be+ZTy>9zemYW`2t>`9^z(xFY9z18VFPs|1`%{83H~fq!+od zPvZ{_Xs){Fo=8}YlYGFvGKQCoslc4f|l=j38Q(=dUztA)UaYW`9^8m&9$bBk`K zNxJzpnfLsHyL7WMPY&}-?H(6Tb5=JowOCZJ=hR59D$BliMU4lgRvs#()u-T#2_%}M z-m9cNR~cG8p%(YvCEazQ{OL}P;BkXwX*{DPVuvomKMXC!!`!a%s2INH;rj5QwAaOBp6W#X?IaXFl6lEAV)fZ4 z&Hanf>3iz2HZ*ORHr;5z9PJKg>cV-Tt*(fM%;jcWs)(EPUB7dy;+ic=hdhskTNl8r zMxoTl-TE2i?VJ^N9;m1$V+l<0nM*L9~V`dX0#UURVno|mM8_j8&G#6{#ZNF;8zW$)mn zMu|$(fS+ZatpOGS3e%-Kf#a1dE+a%J&li40^oBf(|9KU7ym=t!T}Q0nnK9)FdIdp0 z1owp=jAmANr{6u~+t#I%3K5)4Sqn&04l|?WDSvki@&{hX{1!I8B%r=rY=F07`3-y5 zQ2FKwX;Rsbg==NlVBQgN{U>*MuMRT3GTmbikG6JQrOUNgHrqxKqTAh3LR5Rm&$ecj zE>97-b$R8yWVHG}8~qxc6MT*wMq=LyG;9cejmkI~Bhf95RGIhdu5ha5%T-EU(qBur zJGjR$pD(`yHaN3S;XrwVV%B@&OAmS*QW}sM#F=@^Je$eYAvEG;yZiF&R<^yAo)m8A zgp=Hx(=N|tk3Z*Rd7UUTp>Mz-TJp4sIb`Oys3R}HV#9a+1|=EGeu`s9`Hu3V0=@lM zBoR-*xxM~PCqqsz1(>!BMKvTn-jCIAJ6NnO?SJlXC(}OuSew>s3%X@2&U3OvowV8S ze)d9E%vXMzYb=bY`vSt|7;$ue&iGqV|Ha=ptq%ca3Xljr>M z`6YjU$lW4&9}(e1YESgskZ0De0moAP@wCXKNd4wKGq;aP39AaSt3d<$Agn>AnQ@5M zyFq=gstkeStHs!e8(KpJ***_AbdxFRSd3Hw#hIP`Wb${Z{O2x!{4t*qjltMy6&?nH z#vdo!S#5-PZjb6ky~#l?hjrDxU_28-hYfLU)4{L9&I?CX6`8#S0YrBPKtUG68-rmd!=pMe_K8I5mGrlDwVuBqlFYRNl`ZIGgRj5Gf}du z?Jbu{1GNQ1BHUZez>+kL^5Cj(&bBp8AM1UwD}C~i&Dtu`dJmU159=>~T6mx|?T~fN zJR{r1_qvP4exr>ZVwEblfbQhgl*rqb-S^>&ZZj((SJOSEh>(HqEsc~SFnXuvS+0lr zg-adHr!%a60V zbszWFpmn0lPo+)we_g@~(=xpwqh8X8N>0qC=h>@oWO!N@B@AJ${mygif$$j7%3`0E z(Fs~x3(DOb!|BcSA3qGG#pT;YPEUBxs#;dDs9)7gB6a)s!)#Y9RiEVv}KQ# zr>lJfu96H;j7ylvxN3swIz zrwcY%8JZcfSg)NozzoVTd)4eDR}AyjK;_Ia#@NNsSP*92i5;UfnTen@xxj@_4Zv>; zQI%OGqysGrwWUOET32B2SAqouXmE;#3YQR}c>6*QTXwZktbu}N5+oemCNq``+YXf; z)CJ8h&58%MqMM&QOqa*eO*Pki5}#IgJe%`Pieek56!GI~Nf8>b_5|Jc6v)FRJ^UH3w!tliPScFH*yH|WVWM+)y zcd7D^#Sj7_e~(9^^rZ_~iETAN3ru;#_V@_7w-P%yQ`V`mEAV<{XC|zC3ZdHx@fXQY z{5Ik9aZ19_+~(e%whZFOGDc@BXy%l%XzHj`JE}a|jt-fHvP|)6VgXfD@g`!-st!iR z{Ond6hX(Yi9TaditR)MEg#hvGOR-N|=Ib)mSc(5KItAt4g7h6ho(e`!i>&tU!Q-aN zTZF=GnI=5JuPaw2i#5s`W9~$UM!T=!ZHk@Q+e@837-t-Vhws4uaTrck{vs*PL6+|l>qA5S#{ z9^-44Ur39_H|2{jp%tNf@HB0;-pnIs+vwEy4v`ZO2-Z;OD=u;WfuCEOeiTQi%U3(P zkpf&IyTpQbhbn3Gw|YzAdn;+ed!73tk+8&9fo?%a5cy^5Hi4|Tiq@tliDJr+#D+um z)q>Hgpy%KRN=>jBg)_7KmDO-Pl&Id47X~J()wrQQEw};YD*HKjzO`a&+iQarI=%bO z5S;z70l84T3cI9^yZo`U!!qId2>tND1(eNkPV3JN`NY{bf_W=wa^7iaV{n`fp!uCTfqrVgbPL*r=9jKY@K#%#@A(^4Tac-lpUVC`VZ=h*H^$@^aikLclY?)T(Zg%8G0@s zE)u+{P)eT6F%Odj24xhH!0UD8o2y%DkPFn+tGXJxei9xK99a}KuyW8^#&5kkHBysr zQrPa{mMeokaJZP_ifJ{OS~sO5wWCx8 zA-CEYkl#C+I9>kHlD2dQrvF5N$F!7PEl>OyKpmEKM?IVQ>}&2n$`gqL$rA>Q?1 z4ZutZ6gQ2LV;xEkB*vK()>Rz3U`^DL>6Xks!+@JKnO?t!5nlG?85QM@?^NE9<3+>g zUtvjf#1w8dSE+8lA6odHFdbcD(F?AQjkkpW`{PaYw+UpdN0K{jPkU#dZh5TLDjI4d z4?E6{gKL#SeOYWSad|N2;EIaciH}!6L|*phvF9k4b++AlE|u|168mBKzWFWOxzwERtzS)QlFe~&D5*=@l4&|{HK)99q)-k{()%Wj{` z;Lu$MLy?SGvZR(9tRi)^iHC-8krRL20y+bjFz^lo=taP=Kj2gjsbWN1nfR zHjJ*YfIVAh;vWfGFNa>pnB1K2}3<;o2av6>dTZQbi6$$ z3+H|c41&bc|}b>Adn zz}PFl7s{Ion(CoGlF9njmhRWMm*7)bzF13}-Rsu?CAh8VdZn<4+3%rp15`?6ENI)?1cCt zQyQYWV5#BtO8QA}^aiV^mv*V=4z8fhW|#rl9Ag z=k{;+)6%O^6^9V9o@e3xllGQ`SNcH88T7+EVV~CAubT}coJCZjQ1uR24tLFY(6Q7e zsp|IaQf9-KOHho#OtbtThN$E8GB?VXyrIZEu;<2K`PT$zJYHpuq(Cdyjtc09R3vm} zC%Cf|!|Ie!IUx<5lb!|A-;8?dLqtKVwft4~O*|IDX&Rj8ACWLsVsDcun%Pvq%W5NT zfzEDbT`&G{`&@g>#dB(4)7CeqgtE0#m!7+Ej+?hbs48=^`sZPRON%=Ns^0GS2!2H3yM9-?|t?z}kX)$c9WFnjL3_FjAKwZ7|fJ13;RK3(^%0c6bBTW`YwumJPxz!Hsu zdtKXmWOkczE)}59c7}CH5)N9kI;jhnZLy6G&F~j=co@S-(&!nZ#YyB11Y3Gl=I^a` zhkEX@wW*==;u4z&e6u%&eGmVr5ry5R@+k)%fs9E1HH0E7Ag<&<;c3qndh5!Vnk)98 ziJgoq%32dw-{l1x%Y5fmoNX8(Woz__;8!7kC!;1*#H?JSg`R$3mshcQVGSGyH=mlp zR!t&)n;~%zTbJ0e*{$i`3+2{p+FZ2hN3Og*9UNjgY3ogCk(>#AWIvkREO#xmPwM+c z(<(9rvy*-lkIqJ9C`0!H^BnLn^93xtM(x|1Kb?E}jDY)Z+=i*xZ(WL)>oFyc?O2S? zl;epI8h?DhN!wwm7;I0^fpXG*RxV5JZCN>8k;!(%u_^JwXImsXE8wMdqh)W|yNil& zHRc;?XZ3sZlMPa!b}X{n=FN)n9&y2>o|^#93WThFwN~tF>0UQqdrG=r2?R(jT_`i% zZ|5g8g4Y9qd@17BrN$FjpP|&t9$P8_xLNJ}iAu|=X-eMPnDeC~lb&iWom`J6yY;Ir zN4ej3b%q2MFH(1O%s8yv;ZjQx9K(OpBF`PKtFudZWXgcz2wVBI>s?uOXT~gjk{pJ2 z5#i~QTCB{8Mu59V?4?>xb^aR>lI{QI)WrzYX?QA~_%}y;Yo4Y!-H^x&rpxbN*1U>; zXt9+hK?uiY%!aD@vCWZ(d?TVjZ9+T4Ai@>;{zLYlBJ8;tS+iC~m!n|8)6Xui# zv$|bC0WP)JxhuZbPrvKg_GXt!&>V4QF~e3mr9dCohQ~&h4f2}p;y#Y6g?+Yk-K8E_ z_bB%VG`1p)l+R3y!E5)r3R*4LW=m_5E|j_|6dmV(TUu0#@`p5kbovzR%6T!$!d$hC zR2iBSneMWjQQk%-HF!4g#_sQFZ=10pGWdY;Po%7hAU^ee7Za@>=sty4A-TUjixZ-ng(YW?xZa@H!eeh;{{=nc5D-OM!ZXj;8%bk z;W5@9iMB%!{_J>emf?X^-oO}n(MS0z2yzb|R5!kz^W%s`n?7fvH4)_Ghs$?$-P-^z zUWJhstuFT`885w4ty%OtE-`oQ0<-F!`+axk}jl z>-PC{s`!$aJ^*__9;38TlPL~=%iX!m;iQvDd75fD6MWCM%F5k7%fHYssKk36+=`Wl zJ7@C@xqUf#rBw0=BRtc%A(CD?a>VovP%BN`Op8GjgBQ}){N{)l>Pd$KUf9At=r1ZC`>B{PsJonLjwpFURA56C>|*qclg=K9Hb!EegAYqqcchFt ztXAq2y&Z)tt99!|)>yTf17&azdC`{wyQQ8^Lrq!pd2x8g@j7kP(j#4Lz8n~H$xD}yRR zR-nCjIPy-guYyLeSBu>e)%i3v5E&KpXUY%@ih?HyQ)B95ce89|15d|+=1ZGq`}$KMe>Q}kp2G}2A;9L58Wr< zQkYnz!ML(=&1$dbjKS@tWvY5F7s=`$rIhtr=yKl>&tr}19wOT6@V`C?Ca4y>BU>zU z6Wj!z_dD}QGV|tA%=YK8Uh+~xrjxmdsfTU^;*$Z+|G@et(oq}(!mWFNEz?Smymhl& zI>pi(jC@>&c`U1`!6QJ7PXRaVRI@Uea+PwO262(w?0j+Yp*#N=3_AVX2yHKffEeY0 zY!WB3=CRH3&jX}FhB+3xWi~~M>lu9@Z*y|1ZCH%u_2v3+d@KW)q-BnfH`~DMkt1I%L)(jL-kyBq1Zl;aY zWw7BusI{A0x2*ONi@yur1Dm5{V z_i&Rnsd{==a^2_sL=p3So?~J}_UHRDcD3p#&#rnxZx3{hb@E zcNqmFxPdqyVqlb}rC@AcXC!y5s*#?cv;!Gqmlx$r?Oua!CBS3a1+|}jj*dv{UgGW90pn@XDtCee}&XiXdrnGVwGyT;w`9~J0o2->h!?M zq-VY_X?87CU~;gub8?WIT7uOpUE~Sh_D;NPt4r9Msl={g^+p^vq$K9&&QZ3E@fb_D zph0|2MWA%v+*6>Vj*bMzh!0MRL&G&5-1A;Kn6x;{zjQZE%D!uop^7{~oaE?JOpA+w z)`Pv&xR6|9f^M)TfD-mN;q*;t`X-ws&qjX`oVUVn1N?5EPu}=g(I!cSVdhOY(4XQN zc6oyzK;Sq#DiLrH^#)&BF2!X($mpoyts~#M0hIwOIV0BJD3`=*bDR-Jjq>Jaq@^W` zAjyW@rlhpZoJ})k8jjgcq`o|B}ASm_na_oAf4;h*Ii=k7FNa@|Hb5{WFv zJI9nJpE~tI^~t^IZ@Y3HNy`V@p%`5J_^DhEVE&Vf`zh; z5Z)A%%eGNyE6kLwY5_Yc-RU+Hcp#9@({C>Cr7y%vyKSCma4dlF|Wt#b2XJ?*Ucwr!x(mmX`2p)-y$Sh59^ zYly$`S++RqY`t;BXK5sLdp(w0nYlp~&byo6i*;yht9@|H6uZ`8_cyovRPX!w5*wHD zK>wm_NQ|A?ZE?8p&lC=Pne^Cu%AIvz#w@nb1MFqJ+lkGM!%Nj&OXIgp`iC-9xlGjA zp3$Wk+jm+ftv9EZAq^dTKEie&)x5Z_W`z|AD~vjbklX1l|M^B0J;EIQ;NV8XhxFmJ z?_*f_KA2~S>1S1i1k&`Jb0uYBt#(mF-)d&bl6uH9TeiUS32{Ve%=Y8j#f6ITgM;xG0UfQ^iW}T(h8UnEg$Hs{f zSH0*2YDjmk8om_Ppw5!_^sc2!DgvmhBI6x{%Mfo{dmlO%&WvQ)vRX;cTDP8&P_9@Z z^2E5yD&_RGEoH%YYRafz(kl*cVsKU*zs(ZYrwS%3a{7FPdb!KJ3t3?Hz9(7G!^*SJ zVL;iRr_^)7AjYCBnzB8z;1|~F__4}BQjE}q>`%{40P9sV^5}+t@opY?gfg1q=7$zR z-T;lSlQfK}5e?Ox2NTLQvinW0oL;IRh!`$JG;y8L)VqgwQAo)MdB%0ec%+-sM89nC zm4}ep1vE$_#L{e;+SJU{Y$kFPx>v~s2+n1^(|m*7vi$ye*!mMWl7ouWITpT%4>EZx zGEIljl&dC$(s96+TT^lK)PMZ8IzmHpMMq+e#bV3nMEEbScq0C&aa=H63)ne+;5R zrKbzfK3a~GVHsjJwl^y}Op?SeYuE3j`b-VGsQ1gEJ*&N!G&eNgIWugWq{eSg4fBLR z4pVK3U3~gDFOQh$E&;7p1{aq!P^{`W&JzZM-5 zs~{FCiOc$=+jfAYpxIN&-mjvb_mZ6aE%zb9$*VFeC{e&pC#15{8s#j1rZv=dc6D+d zK2yf&wb@%q9pouj`LHzqd&C?Q??}U4}~Tu9T3>|)A_sv&%TiP z6nA*$sSVEdv#Bi}AJ{2PzG%$fEu%PdYvCbCmNAstiF>>iy=1d9vhjFJsDOOZYv);k zw^q=;1NxCh0I&3gR~~tx`HAv|r>U5OKkRGdnD2KPtnp`>sd5ejeLnhQcePU$2FCLYM->6zAYzf zv(oj8V+{i>o^VLN_;$_tA95X#d?T&=tvhft@q zy{@suMJRS(IS_8Y3@-Ea6#xVy{88@1bptjt&b2hdHYHv3twj^!pt4_n zLRuGJixMWg;j_f{Xt*go$69^wu>ypHU^!p3eyn64Dz}uO#_xQ1rY+(L+nV6xPhLLQ z3Cx04+2mF`d5w$zli^U4)(F{X{u5uydsY78d06h~IYz887nBn*W5n7ca$<((hmT76=a-eNpw*d-P$GZtULpe!!+K^0qI+ovYd&%P zcSNcDUEg+87G^pSkI>0wGoGmxlcVDD%MBeuBj3Kx%4yJ=4|m_mbn*oEr=-g4m64I3 zj!laYA_do9x-a{&oY^Vb@K3osh#ilE=w92(#DGefJ4#8&wVwj(R!W#M%C%F%VOFHD zo$zeaN=cE9W!m=lF@1DQ-u93fIqfk_>wD?kW);h#SZsrZ z94YVsR5J;+0C2#coC4jFaz+UD>j%`fS98sl;C;T!aI*Qe?Jn2tI)t@f<4vWWj>g05 zT@nQMyEvW?opkpAdMnSF{jn2@h7yD#D3T)vqiauRi9uYQJWA#^7PcG<+G7VZJi{+| zaKcQ?<7(u<`qXAp2A~b94M59OMx9NQ^IKc7tv}LgYh{^O=LfO8bugK2t!iPN@K0AA zz^c4PBNO6QM)fUUcBUNzXbe1lD{h^}7KJ~O;M@=wXWLE6DL2B%fGX((vCpY$NS6QV z2z#$|gp+j9O8_W=c%h>O24DE$!@HZH%O^|Du$g#yTAx4)N?PlRH*+!WQJ9lDWn&DWw+q^adYi_3sIga)62LzY6Qzo5ey1!~<4sGf`jA z+JZenw~$g5+iCl0cAWPQtPh&^wztP1i8fgr9<=&${YE-JRS%uC_wytDMfrsGBWWMc z&elU$w)Aw^(Oz9Ewu&a0}%KfuVM$Hm2Ho5n&X9(cE9S=W`e=wP3S&_#6 z7~e{QhvUoqN%#cNS6cl=Pggj{;Y1lg)3_`!BoqHs}{1AEO%g5Qd160rWNO(rHpsBRQ^OjVyWdov*7S zAw@~39O>{ZE+v4#Tkzm{+2Oq|Pa+{Nh2tF@?ZjTM4lZ84>!(rLQ0;{;5c1*;(` z>8d#5v&k^9rI}xEx3b1SrytdGMkvBEX6ko4>WtH}$a?yvvl7MZ?`^@e1NYr;MMnme z>`rCu;$YotO#OvQo(yrNW3C>*XjyULmfnbec16e#@7~Rbd>uFw&AP>6;H5H#n|tlS z6iu=sx6{&EfQ4bG*KNwoJx!$th9z}q+*zu8pRjvrL?mKsyqGAVw&ijDAv=|k>H0#b zADs-_F)oiyg2poi_6Jb((G!9KzZIt!TK*;ptDpXxGEtJF)I`l&Q*)Y~bcMFjSX7R! z3F%5*Qu?{nTAvS*$zyn7QJ5KBlbJ-2Ng?(hixJ1-F^{AE^9I$<^h|h^TN_#7SLW5%;uz`PBRn4;4fdZUxXJ|=I9yl(eJ*UK^+vA=7pKKN z5+MMrd55t(`w3b;B(Wf_ z(v<0pV0&59>l?;5>)=!i^r&{XrY|a zcFGamOW{j8!5>^MJ_>#LotF<%%fh0JM~53vzf)A1yxxhkoly{5f=fQBZn`hwqZG@P zHJnzRcK(V^-anN3Z^~Tt`#g|?XamHwURw(Nd@|=VPC7ZfA~VP8?_e6j$^)M=RK-5p z_w=kF!Mz=CGvK#vI}bN`hK%dehneY$T{Q|%k1~f;Mx8lolu+1IgNTMMwY0Jz!K0`Z z))<}q435R~5i4CitaSEz*-Xvnr!KLhk$Fy0W7t=PH!V-StqM*=@?Q^yx{yAtl+;JF zg~0^ZT?4B}2P4Tb&Kz$rLZ}Lw+;EkTd3r%dRlQBzqpIWbL>$06;luCe#wH(Guiw%F;8t4i|2E0BlmpZ*y}au{Rsw)aN#|K zv|sWDCnGF{0~X5l-!+mOpyxQhIrf*Vyk!qFhs3j{|1nSdE&Gh#9BGi!6=3Z>`xSwu zU}0nucrSzAr>_G521N4Z6-fC?b6hDl|P(B6O1)dv8Imhi0W_!fWEHB{KLtktJ~k?M6<(`#C_uz1BJ zOCSR@7zrXuC0hV%jV1RMU}^$mr@yCsegh!L1!f)2L+nYC9>>$6<9%>C=zTT07Pduo z$sC0J+hkBB?%HK-=?jbWD%VePo`Ra5rK>T z$>c_sctY)4Xvi5e7UiO|H?=`B+t}ui6qm(Hk}e>R%v@6c(nx#w7GQqX0##C$|1TE6 ztm(GDo{RTAEkR&T8f2ec*ZF*XF@r`S{`Sq#!%{}>MnFCAXSD=90LXjM-E!IY^Fsh* zd@YBn{`vb&U?wIQiDdcjn==BdZA4N9L4AdbTkM7dbZAV3)_;`;OL<_k0rOKc6g)5z zbPbdJawy>aNZvI}p7?Od`1?3?dr!q5UfY$9x(HzJnJRkBM@Y_H*Wf~@~zTQW2MIZZ`**IHDpbOCbd)Y_X>OI?8AIJKs_JrILl zqA>CMtAH6;y&{*21%@(QUm^#Xo8t1ve_p~c;C@9eAOGLS7kS73kCqDntQ_qYHpC~2 z_M>_Ff>|o?Fw(#6+28T~{bl_3;|M>?0;whTmLn!Mk~@FSmSjDDtZ`h%H7SMw8sO?I zFF@7ym7u@^#0W}m5C5{c<-NK2`CeD#^~*o;1HcYV2d=UJ{Bwi-=$2JAKrI@LT^5RX zDtTeirbZk^zD8%;O7_<{k}a%~nC{$Pq6GKLiR@wJ0KMy9?_PE7M7Ey*`1t}?(`_|Z zq~@O7fDiqw^N!89@}Qzp40!q*f8i1Sl43x}d_`g*i*rCG4c??Y%z_)?C| zSa-$940ss_==S;5+cvI36;CptR042Y^G2A9N68p7)Z~*F_%nf{gH%;OR4Lo7j#&Qh zWL(2bxwgcXa{J&u@T@IIzy3VyRh%^h7*&`Yn60s^Xsjf#?8Dp-{QdIHOC%b5P1Yfm zsCl*>b0aI7S^CTQr|4?7k5&xtzBbZli80SncDlOOJ(7@ZA9@YFnp&ad4`R^>sL$Z-2+#m5eLVCww|aH zbr($y4VR;g#%p-D z_`gbO?X_R4SIH(4>?3%}W&xphuoD2Hu_Bg%=@aIi<^5%w|2~_YaqUd?%;eo|#sSXj zBb0qieO^~zA;}m)V9qxDRAByYz%lFn(!@znweR|K$zyG)?Js)$r{jBH@t`-Nx zhj%Ofv80d6&3jRQhWx%jG@#__O>ylS0htV=9uEumKg3_}-|Tu^E{J}qnv0XJ1>Q)! zSFvylfAPMg@9TfRi!s{$`p0%k{KdAg@LM(h*Oszx40xDK0e+$?;%SlGt^Ly5D5+ z@ROxoFq~nJ-~A5$A|r|KtN+IK{&(y}L^##U3}9?buZI!#YV0V^B3YvS(jYS1|9foZ zYq)N+pAQKb-=|+Ydg~!B8hB-{fPPj<(8R<(+tK}ZOab<=_%@-JOiEOYsCN(X7isY3 z>Hf?w@VQ*_TO7?)jDq?EP0w!tR%O3WrlPM^(OMi=?3^%LFfT3X$```>U+ z$o>q+rXtr?FbWJ;0=c%M%m)mYoI@$G-31co^Zsj2#(@dIpdz{#+4R>PZoLP${Rq_k z^FvnouUEyTu{sRh30Ne*g_7@%a`5>Sg6A0V=!Ik{DI@yN+yhf-E)q~aABN{R{I=ze zs-(YT?DfZ_?QLY=&!1@U6Nggm+uqW+{%5YPOcg=&U81_eUY3SnUBUk>vtN?v-k+a5 z`SseCv2JKwo8)({TVFPEYTl_m3~jkqfBW51s-eGLt&{YXk}G%8Qw{@C58K1c-o^rs zNVDnO5WqR#`*oIozoT>gKEkDe1m8Qe#Ne(dvo-cFN98kGPW5I5<^=}Tp+I6k3 z7q(^yoz-+5!FZ26?Yswyc-94Nztx;EH6MI)|*F1zq{o(PAYZaVBOgPqCO@`oXyX7^EsLnQZ*NwnTNA9&+53oLN&p6H-)%q zSCmViQKV-WkGxQSOD!Wn_D&b1ZRDuCGBaFHjj%|&>+WQE70`INQQ^6wY|y?Y6LdQ0&&gFqT0WUIpMTPG9?-r&khq-);`^Bd zneJwgLsprz8^}#3!7*GOt{!%wd0X~Vc4dS$Yb{-{xG=H=S|2%2)8a8K40w!OmMQ4^1(p3{*ixl+RC*;V-7r(CZZi5stDN4^jwYH+k1e$9!6+G5d6b zKkIUcsKaSB9pxbygSCwmRyVX)#&n}Sl0?4y=@I z7Z$#y!%Ea8EqhJ%?ITXtm{Q6vTDZ4LZf!GfczBvy<uWt}19cd&+@Lzlb~}vCMdR*nP+qmqSt#8@!BuVxdL`@-##hD^5?STab1C1r!`l)!w z1RaDj!CB>*l;=MDZ~@xL*%I`mn$vdx* zm^qGM!XIfELAnOr;F+?q`-xEkmwy5U#v=lSl^?I=C~RVxQ#8BPkQDPcRE}5AuiNRH zoyuL~Wz9ol9p;3BGe7Vp?7}$xRG=x8aKpy%ho16@&v zDN7GQJQpK_7p{^G5@KxkU8Vgd$d40PY4OuH4w>B?YdJA9M$kRBH@wwfKIUTq_?@LG zRxi)E#_TynL5}UYY{SfT;mn&|F_>PtJD8#>esZi7*0XgIHD&nrdDg?}eEpwC1(9_{ z-6EOX?_`!8ev^CVAoGB$|RYfHmJPffd#;d9Gd3n0%m`dabxg(~*-+ z$-R#2O-orELMV3ZBo5JDTA2~Jk)!k@0EjtbOB3;+UWea95zM^FbkCeM`V?Wi9LZ1E z{ao+X|Le~lke7>)*rm>J50{NWR*WoNem^2AX;hV*thfD-1<-T|9_wnbLAU&HwRIuv z2sit3{!vM{;Fk=}I7*aTHIEIm37jrr($}xk#jRp2Dt9(x*p`AC$IJ^M zYroeazxSd(woc{Gyo%tIije3>NT$^`+~sKIdLij*TdtGTd>2wZy{ppa5=CjPh zvR>L9*)ZaFI3haz(Mt~fQ3eXT&%SKAsr*lUi0>TZW*VL@`AVEptT0G0vDXhdCV^86 zZ+>EPs{_%2FOHTZ7iX9iW9ance~qdLn7x z?|Q#H2DzyzGbPtIG{xu{Wl65SB{;vRZgiSmX<%6iXVCBO>4tkMzC4uR^hn_TWS#T0 zSQ@>%pk3yXVK;HJSF#6eKg7h-*{?e)P zGT^RI0u-P}W-erAMOhtj{N2-wCSCo7JdRmYNAd9BJFy!Hb1=VW^4o`#K6GXyyk5q$ zBuiZqV8+jZ#6qz{QGGHE7yEL$FKZU$aW=!|OVt@XMFNuCfO4(sbf-A6RJBi+qn=$I z98X*ObSZDB@x#G%RY4ARxbK~O?3o7OJd64=MjNbxiu*uhu_p@NlV`um;^JnMZLJ=U z#Mjxw)Km@G_rrk|{mU{O4?1Zj<|^sxi#vY5dHyvwd;jF4MhBGgPKT&ww*czoom-ov zQh)U^``vw^I9)R(1ffXT%&1S=v^xx?(hnC0phd!$90D?fKjE^1)0{I8!#kimFpiZw zPKzi#zsf^`&v$Y{GydcXqN%Q{JJWaE6VC~1FFH`Ei2~han_nc!@tWkdsGj>Iq@##U z!xbF*IYK}x8qSAUFU!=#itq#Dnx;L3erZfnXhtW`dXfYGMHq0d^WrbslNEM-u1VB$ zRp@W>d*NsGOR9daBmKOsX6s#9+QYpQg+{RS=s0#!sgu#*hz92@eDk=5G=uN4?_&-I zZ})B=-##{0S+^J_^+56EGo_#K+fB$#ZRVtQWy{xcv^(uX*!Z0!)w~1po(6{PZ1%XB zEK0ie(U^Cdi2##RB%~k`b&NR2_XD!4(6zoOOriSow0QEQ~i-?$S5!f7p`n6 zk!5}^!iH@YkUtBah0MLlTY9XoNS9>R8Dr2i^16j*N7v}I+{z5sO;yhI z)qy6m=CL;20_OMUb9V)lfYPP-YYE4xuCix&=3@B^ z+eVYzE50RX?~zZcPj-6%VJEh*(BU@nGo;gU(nl3M&gQ31Rr}nxu*B%LkG37>WLPF{ zYdu^CndoHHXt!Ez;U#~RC*K77kYeGb%9_6Q-q%`k$*+X#()g%kC|fh-++xKd#b>U8 z#?4`6`5Dqjhm;znrPPeJpK>NHESlVt6NHKlzw4|9eSoBKf*n?CCK4EZUlYtDHVJX5y$4J74g0=0PXjolK90=A$hHAcL4^+v0Y zKNy!A6So9|N+;Y55_d}JVq<*lD08|dEI#32unQmc-ZPii78#|Ienu{d-bVec0nFlW zBhp+Wx1&Kz{`We#{LbfFFv4-Mu#wsH9TeSU&6=@n7K!)6BzQ!L7UKCTWc zq7S$w{>|mJ6BKUNrMs^I7bfpU+KCkLpw zWM|iWilPWC(#Z5TQT<8l)^_R8$JVEFtqZBRZx){8_v#mohBj591M(MLzXK{C>>J@Xa>D_4my2R7gsdOi&Kt%`MqP%bw0 zyziKMQQmexrYkiNIb*o2h5%R7N#2u52?J2k&7QdZP6r-8m5!G@w+=}=?oqfRQTZUB zAGF}4rzh6-LltsvakCGm712Gk2QWO7P7C1Q>WeI);`O4s+P+QR-#j+`Mct+IHyl*S+`)B7~=^iPpY+H?BeG8<4jR!02A3i?pyMCg*Yki`0e0} zH4VDy&EttkO4Q@)0_(1{E($zywUaei3+?9LkA1Y)-dbSC^jL7r>rzu?o0TW^q+w&1 z&Ye4HCy4Y56A`plu~7qkH<&w!|MFlmulEe!(Y$X=Hrb3^OP_hg4=11Ds;hewRZzH%o zoNDd5IFiXT(LdpuSL1n$l#jd-j_Ta9D$M?jZ=%H>vNjnFrmT z?SEEyhp@K!DXPgCUOXJG@vNyXdP>{xt03#Q1fN-Kq_q~-*nxV>OX{8t-EAuV^zoYa zltN9VXA$%Qm-ZivOQf)c$y7TVhK6b%dvRSE7t%IGeaHFHJmVQaiCAXdBv^-<_0Hj;hk9 zR8|^%wxmUo6_adynh#<-$1fh!aX56SR$V6hybuznbDWCLVC`o)8~*W54Q1+?E;m}) ze_$|C=T>`HK@3vYto~t2HmVS3vu{Rxv#Vlx`BR_IvXMw>MXE!%rihbBiWg9;#1sqI z)p;ix3nFc?$7B8EgDBs$M+HXe>uj1JSG^pAg|()Bs)H7RGDOqEk297@>B|_YFWaoV zuJ(<^YF=&cI*oL&CARLO4#sb}>q%NJd3TN@1$O3jrv2hvzH7C{z12+i&^ zxUkB-Qaav1>(c=bkJXyjo#RhgediPJ*~Zc?0qr>VTn0dS&2uKiTE#B;jL{tGa(S;AuQN z2$CNde^QE06w4$hb6aA2k{W3Hx%E=IRK!X0W%#(KnKR6Yc7b-`rzHJqLcmd2j!b`d z%#3mmy-cu1tItBsO>e+c3S<|=7~qTqy-ao{Y8U%SoY~HMq0xBIV_G!k2Tj|W4~}3m zdULA5>735iuQk4&WEK*T4%%Px*%j#a^@405sf&*(Jl@TcH@siqu&w77RX9qtkifT* zS$o2gV20?4DnO+Y?aD))zb+STdpAF;HZSC#S(GSn9cUP2w@7NDO)I|{40l^n-*0)j z!lJ%SVY>D^vJ4|~?39%XiLo*8YIs(z)jGl!x$vu#8k^)eDlAawKGbLu&eh*^mR&sM zpyiV5?QVN&IgpBbA0?d8D0_27>7}pEgm}t3dliM2k$^$ZgtCJmXV56dGnb2RPI%#~ zsv>%*yd%iiN!j4?IGiWkXyx_P2Fs+u&Y-+q)AN!uFr)rCm0$p0gSoJ(R#lUFXEe6t z#p0@@6V$Cw%A=)%cU0MQkQZ})Bmz)!XTsk~z z%O)k6^PFYsJo&n#agP|{xM{jDzR4&d<1 z#^B3gqG2q-{M^i=PB+kovNYk^FkQ6UjHWN?cNU}WUP!==%Ee@o)V+UD2Wq3`2gTfE ztK82cNBk7i46FSDM2G4eK0Aao!MnGm_LmT7Gx){4?AEmz*a&Y8&4t@?ub z3qi-o5jreO*23-JG>01{akr%rkv~R<0s?uLlEWa|#bGO*&U@Y;2QxzbzF!*rFgPG1 zT>upv1x_5k>YSUm{yv9j|NPx3Fsd)Ms9)CvOqm(A{`!zsV!1xFfI|qXS8#LH)=$3G zem$|dz|j=!yEy>vqUS0j=P4N^*4p>U{h8Kj0vo1W_xEgHv{(nyk=3hH$i(zH8)qrG zy2^DuBv@O2!eudd2}7F3HZks28NPL}BKzcdR1Wu%K3ea`LfMc|-~xJht7CXu6L6%p zkrPE>7Bhe*BeYCBvDb5y9o6d?J24p*QyY)VvgS1SUt`vX1zYnt@i4j-D)GO2BKSJsm^m?{b3Ahen z0Xg?U<5F^&g|BY@#+Tkl_Ic}jzBA+#msRUSEeAr-kRPZA2!*9gr>*{PdwiyPIx9Dn z*P0BYc(nL@H_=~*PMlxtj#K!(Ay$QBKB`&5uR9<(qkm#e^OZ2Ao7~~V1Y4Z*>v6uK z^9Desr|x2SogN58Sv0};#_A7J6I9L4vnKi$8)=ce4 zRx-f;XzDV%^frPvmEalteB+elPhne@$#61Qj!qLUcDss4Lnr)~W}jigQdt@|>|wyR ztq7%Bfa|hcr9?tfMrux+W?{(XhlhJ4)qNR`aPjhQw8CmsO=Wl*T6>Cdc>Aj-6g|Dw z{Zb>=9@}P9Cg>70f4q@(lh&D_5c2lT=o>g`GzZn|^)LRl%)0l%8uzw^Sp|K4A=9fj z^6o|ElVZd^i;$9bb^2Z?!)%TAldBiv2&Ipj%^=DUJh3y8rnoRODR3HEFc*YY>fdpn zs+E;?E38m^rQ8d1lY|&AQ!)E9Q>u}0k3U$iVEWP7= zzSx0I;N#WKrLbv_CVA0+*#?Od3N?r5T9tn?T(OuCLQOo(HSB%xR04A==?0BXgJtMYBM~<04M%EPgw`auQdu$JTJm(X&>7issqI4GD`2-sw~+W6#mmIgyw_ zl!+Rl^4KL>)3|$H`z@RA=co{brO zp>gjpVE@&c-+tn&nB_b2g3hsnd5t+Ge&#=nZJ{E%8fT7K%CgAtre?wYxM8TX=PU9N zeIMyFyY8sBR$yBNHpWCYC>@CD;ckMKEw7|+V7&yKfTb&yq2ck3r1M-7R?YxggWUm;q#y$oTVGqSC)Vc zC>}Xwc|uW&OdZim*r#5~>ub^I{*;CkRM-4#aW#e`8bWj6qQ1(gW1H1!_z(4V+fUTe z{t@4Gm$vbkJmVgHCD?sEe)59LWRaf?x>jR#ub#8eog&K1-oKQq=EcBO@A%@!gH?eIxcPW?S`PYYtq5fE|J_)!=3&| z;-i9sFIf}Iw%B`fuxq=EF3akp!PtYm&b!tiR@xodM1(Ti2nVaOs$V0o-He0;_~zNh zTheE9{e@0Ns03VjD$07=OYi1(x;1*0b_r`!a`1c`aHDypTfS|PZ4Mh$eyS1Qo7dV# z4ZdqkN7ivCUn08%pN7Sf7S!}rQOp(3dg{B4=4EHuQqEJ+40yS2A*y}!fu zXPaRyoX`5w)Fg)YeXp~bC7tyVWj0i#lQ(>~Z{U6!uH!E1y00HYYy0xRqM|c>pPd?Y zX%FKsmHencVWf*t7CwZPH;i@moDh^qVAhox0YMd^|d z6#)V1lrBM}L`n&f?rsqf=>}y0>F%C^k&u?|8XAUy0cNP7<~@41M4;ex_s$V4xHMCM#R-ULSJb!M89GWNORuo zmC?(dgcW00>0fQYigIZX+>Yl7{&3G%hg>WW40Uyh0rf=y!feU=*8pMET^* zt8Uim=&ju81T}7};n}2v2Nm5$t(G^YW2|~Fd;%4jbBO4k+}#m$Dr)F=Th!l&CTUC} zWV)Uk^=$b;1c!ILt(&6gZ7NBU5lI0+a}?!vYr)C2QtyH15-}`=XKih8LKZ_&Br|l8 z+3Hkiw-4kYS`23QiwXHN_xT?&4q?VL$M-g#s5YX}DkOe&B-<;Pmq6hSyhIpD_l!g; zMvgjN9@1fu`!*)z+bK~O9Z)Q6K@dxU;&wgoW%rWxqU9Om5}>qv#KY(zfq5C|A|pDy zfb-OebGB?E;uGe0LA2QsMu5HBkmt>}+~aJ*bAVPmp9HcC!jyj7Awl_#rwV)Jx=z9+|z2-hSS@4G-?gs<{MFcSNM>o4q3U^!5nZ1CK~|XnUjlg=kl% z)|+DDR|*>%f+J}6@AqcdECcHLsE25X${L@}`?Xk#k9@Y}Cq8m$yy7H-4fz~dBfh{i zFG0`X6aH7F+9ZNU0{n@uSyIc=+J=2GV5SnKhgRAtbr!T8FMeusL zJNZ*xn=7)SD?M)aU!<9$ENCD6lo6M)(B&QKws>1z;n5U`aDYt1jgV5;SIaEWHnLeK zjAl&U;JdsA*@Ll}N_Cq;L8*;uGv|#O{B1WNK$FALcnotkJ5{+?8F z8@Sn=#rg_?+su(Llj&7}X@59FFTUZokbCMPRegEAoO!c23~OJD2(Jjf;R>-Im&>;0 z!lm~~7L>)7JX6Z^GZ)}_1kVDc8VJQ&tD$k8b-Xk$s+-3o8){G7n$4xzIVfJTuh2SA=sy( zzvs*M3;WxPK085Lb~P<#Dndxl7xtO1Nt2{0hABpGOd@x&eqKLjK)R%{Evqq?-kuSR z0j&c&uT}~6c%C*yD+)C~cLMKVY~0Rweg^Md$5rsZJ(O;s*$hJRO|98a@PKgWns z5RqJ!9&a`!G)EMw%jr#GAx1C1plLAu*BlZe(zl<2*Wqy%s7ROW3`}XY`WpIN56$GG zNhm4QJMNHuWH5!9(jlUKm6=>_g=%&i`cy{smFHY%$ac;@9W*&^a*m2o@3W-~E!OdxAIn+BHrr+zAD;ll-^ztVKvBhfy**CA;E1QWM@5O7BR|$;| z#g6AH$@_{vEB;wXMr_$af&eJ`OvHgP9&93~j0V04Zdcliex3kf8s%gsv5J1sf6Qs-qd#b<#2{({(~9gDM>vg;3+oS(Bt+Gn|+oT$5U_r-gOk=c#xa2 z{_!uS^9S~z>fK-lUTE3FISL3h{+qnq8{;tJEj zS}Cp}D-m%-)DDBd_Ak!T)BK;;W~QRD^-e|82b`pmky?+WHWtO0VGM6rJ1Pp7)z`WO zqxaDPK%?OB>)N;cfs?+oUnT2ZB?8q@NgkL6 zE9$%->NA6?E%z{Qut}os9=1ard=>}CzIQo~?k&Q&7POEec z8I9gY)Lt{;>UV~86PdKIb1&Pc)P3l6s6rO<)*AFU<^WQ_XK&86g)gpxt01#I`dBFg zv2KBSr^OU6H4nT??+QkOGKK81WS!dt0$t6O{Sx~9r;n2MSSeG_cO43iju+Ddk7puo z!fxY7`gVPvOX}m8v>8BZBv)1Ikf^Na^5;ENF>@C!2TIpp#`X z`;(8~o&L({lRdhp=O;VjW?>uMHO8ygc1xvbGScpQtr8LEB69i#)lLfG8IM{p%I_9- zy*E9k3g2xav*-{hzvgW`aL*jVMZeRm66!t^LyuNAkc?(4B|2K7R31sNshCXccMCBU zi=i1rdGH$G_FKBXq2!r*W}XgVhw1e5Rmzjw`ReNT?jBX4Gs2+)ghi~nRT|Y%-Z6eW zX-6TM>JC@4(JoDh9%oyxhu-$R{mztL@a>xo8OcFND`e_-qX0SY%C&XzA#+z-{SXJ& z=-2}H3O%)q{3|l$))}cXl+N_@15rZu`7}N)nTl{f0~u*;_j%aL4nRjf{x-hkmqM98$t0`TLa$Y9Ts<4P5;# z9DSI7;8=d&(xX(0(HGNAXToLtdcm5uYyJ#B0jpw*T*sigOl(^^(1@l-7`tCJoxpNt z==GrIHqL4R04i_ToE+EZ?hN2TBY*C3e3Mo&1bAU}>70E7T3=&y9aba=pVv*XhM zpa3Li(R7jO-Z3dl_R$rkSaVN%Siu>xny>}SA23jy z|L`el8DhMr&8m2!R3{^|vhCO9SJZ}2LG-PP5$e(@hI&bgu7ezUuCwF2+8zc%4%-u| z?Q`GuWDRYSBe>bg&lTB1A=;PxRqMIicb_eO_b`t`=LdBQ_6p=P4YQ|63Nv?<8@}&f zIujfJX^v@WJAb0TVGjGMKPrWCzn|@$I~l@NK4Q46u!I=MxW9|u>g5j6h-<4k$pS&k zw4A@3TlcQa9HP)8R{DCc*R&*wKS0kC87U^U7Iofac)OKKP%nIG6f#;YQ!>|r6;Vij zqwI%}s?XJ{9Cf`Ib?M`mMkXyY$Rcqg4dv3g1IF1s20`nLLVD_0Cy0V1&j`0qg^COS zKtlcikk#Q`6}a`WO{wyXugOo?ZP&L2NET5clO}IBEkitWR0=8BuVQE?z>p6eI*;Fs z+3NC$iW~k>iPRR<8M+o(xWpa6#agbE{xcO+rW(^ z7ej*SBg=Xa~MZYqrcN;Jvs?l7|wAcE6|Y8?0$&i?RnxY z*IMtHtacftJi6d!OjsZyhCrkySddWPlPb%LYzqN-?7IGJQMdMc2XJB)VruU&=tuWU zG@vwenq?X)473@6)`x}sa~{IOh}MR`&Rr%5noTg+6 zd!nSm`DptUc;sA+xg^tUyIUk&h$V*LG|}fuQ&)k!m752C!;m$4)c7>@gH1}0uV-U6HIOZBxEejNLW+%!~Jao>{s!U zgj27YHQ)BGabd47X6d$iOZkrSk23r%HXg+avS>BEUQY9AcKJEIT!FvnaK29aR~Jq_ z%l3S!dx2zDG{Q`U`XIHw&6?-pmgrWWbvJ*S@xt@xq`QPB2|Epz1kBX(5QqAmxlQVC zpCS|S%5AW>|Eyt3y`BY>PT9_!_ZvAEG&~OvF?a31vA4{AQ;9Rc1OoyE=HQ z4Us_y(nhL;E$91SHviC3~!DB?bzm%G-v72#acN!llEy zT*Fqg&DOrG+RpCWIrCgY$2SL2_^ZbcOHvgiiiJumV{~%n?BZ*}^prn&+kN!lhWu1S zD$}@VsGbynjzvCXX=-BmiQgm?UVM z%13!RiK}cJeH`oAyz?Ro8ZVWU_G~O^H z;YmMs+)dM~_7+4gw(7x>6I44&}2&Pv$?dEFbtUp*>uaEQR(B+Aa z1k-ls&#lQ~AM-ly*Fu^bMcp#5B*<<*jV_991<(fOkw22ZOkHn(p#mFD8$+eHJvrywfHxNnm$@gP(j*A= zsrG9RTfgr(V}GRLnnA`k1DwNUG?2UK0TGFime4u8!|-iF)bq!P#tsEOXI(_x&}H@8 z2JjUpYle-mQ`e)fNe*8Sx1{b3>J)8W^}00Qx@fnaaVd*tEk5r%QhIt3iv5ykGH#&r z-pTIsmyf-@;g@q3KOq-`*^7^iqCOzL7&ELYyqfDRWJ~M|c-NqbRAVq&pHJ6|QA%>j zT&3*~*C!W-KZ8HyHKuvLd}j6I!erbh-i0T7kV~%IT*`~S`g%b_qOqBI@(de?+fF6N z4zFp(RDZ`}c622b?~iTbnRXXJotQIMt5Aa-D=}s&#HX1Yjb2iIJ@CaO)cp-%%dX7o zwqNpjp;5~(QxTt&$2J}<`(y(OlW|n~G_Bt8wokiA;-ZUN^<6|Tj%o@T8Ob*mg!;$7 zmD23QxGo_<6wdlDeEHIPgHC@phY~Cgd&iBNMo@Pg6SJ5s6#^bxx`v6`d=+K_$GG)Q zBgNKm3M$_-#p4EEwCSSrPChJb*Jp=o26MEi1oQXP^0z!v z8oJQ}uhWXNGo@IaH}n$XeaGdSUMZS6gL!wquWWXB{OTu zdBZUDMk0I&$QJTZc%de762%4D1BN-Pk+RiC=mLwMv%A)Lx3|I5XPFuKynAPFAGTI~ z$qSB$evF;Pr1Ujo6KYW1wv_Ho2a(O4Y9u<>UOuP*OR{F3pS8b|K)RbB{JLk{zPfR1 zfBlsdGR3D!-U6t)|!pz zMvzHpKaEYay?)_00!X^wp;muwhI^%%iGjynP5N!Xf3&T@&$yKtqG+v_Eb(ov{m{LU{ z*(~D4ING!MV-i)ZKaJ0E>xvU6TGGUL5$SU^t=glsaC*a}R-@$(sGtLWL@HbajhGon z45p8#3K&`!x{06QK6TR#cjrYlnNVgU%0F+?Mtj6R7g)V(JX0yN`&3z`wrbWsZI7QzF4KMAsr@UvsosN7r9cO_TBN&@_1?0 zxr1H;^ioJq^l(?-yL*USdCP#k9`r;(fApH<&NIHuH)dQ(cGbQ#Iua*VAy~sYGZ9_{ z4hLwWUf|t>uM`MTtRB68Jn|I9S)9;+n6NtDo2O+kFw>(ZkyPUGvzVW?`>HhMYe@U7 zlyG(d_Jy0fx!{p*`f>lw@z#ND`ZW%ah!S*S%aR%`B#Q zsK>X)x}*2(YPI6tmBcJWY$tfImtcy*YV z$DgRO-KhtpqU?FZp`fE(&KdP)RTAp78&%@p+FA-ME*B(7@$UTvCFCH{4S1HTi)MU| z9`9C!g&qu%s3+rCE+^4$61Wr9y7L0P5#!{=$z5S*sjJ6JFZj+9bewbEdu_UyVzu~; z^xQY4+${?LpWBa(<|!Fq8ez!$C>Clh+7eDzGFDjkQADL$v}H&NHJSE7)YUz~{HB<; zg`!9Q-asQvK&CDVG6bnrAbRcgT^2@3GgnvY8NcLL7DKjej)sWkZmtppJv!JC16%yG z-1CT{S)t)pj3}vh&Q8B6Mk4%u4o{Gyo+}Z~2?`gA%d@r>;|r+v*>x>H2N&Fn79dvd zTW84KfeO8?dnle(DmF6MvnOYx@shU5hR+VeFjM;yIkU81y{*Ax+alJeh3IdO+k3=% zmu6vvL8EWT=Y213_v^W#MLze#uxjUxYTv7u`B(UF_`D`{{aHp5Tdj1biTdBf5!pD} z=hPG6=^DIT6J!^H2v+S?;h}c)yw_3d{ohkHV(rCPLoy~2mRjpZ6-o`F^krzp$;*&K ze>hBOuYg0fVJZX8lEe>KWXUK5We-YslHp)308_+T)7N1FOAVaCt|GxTXT9+3lmsH! zohH8^D@#uJ>d4R~Z+_l4SbW@i>vL#Pfx*1wrq%#f>37e%y4hxu&133GLD_=Wjz*q? z%5%Lzi}lXl2tEP+nE+7T(h!(t+OEIF3K0-fcvV1=q<}sDUYe@e13Qz{AYu>jdN#Lg z5K{@ORjwYR>I1cC<#k(y-E`AAZprLBVM=B1KsL6=re933A_qnCB}dmR3G4e^5Xb~N z3B3ID8qdAJNI%=q`826LkNJdG`Fjl?BGMP?pFp3MGsG5%lKNvuGxzo>%p3eN-ld|) zh2D=l1%X7lpPp<$I0_ghFSdLArFC^OC3*v9*jk2ZT&+5Mr#8%}$@3;>JqjmZ|rdB(O# znn-z2A$smT5)Q@5`CfQj0hDspFGMfR=xqA3Io5{v`Fao6EFKl-Am>EcE(brdUk*$$ zyw7ZDcxim(kq3EoF+ZhKl0ohUd$K|&a@YQo+Z&r5$4g^C!U@^y6*l9s4o@00-%q;G z5Zk-gJ>;a-YTO@oXD=WgK@84t?=ov>J!VKdY5In~OpHkk-A*toP*+8s8K=D&CSvWc z3SrxBdRK-l9=Z1yGvK1p9%cqMNA%6)8}+oFl>6?7em1^8~lNT73JlszuzJ+)qn_8 zS-tCKb5aK!dgM}hrVxl9Jr zx26S+`aQiwd6Gee_xAX@y>tbk=HAa?Ok&kW`SVAW=bbQiqX28Mjm*bY%F*KBz9-r> zm-y~yLPy`EjJNV;E~7mq>#&Bm zye$QjBEOe-<=lil3gP3*Zs)?hV)pJh6X)*o{LL?7Xib{HOU-(GepBIF2fJMg174;c z`TeaGz83FqT9|y;e^}B@;l~#su6dtD-h_@E!Rx(ITASTH|3{o7NSEU2t}N#BA*p@J zFT`E~V+9`VGQ`~H_HzBMLlna>$QdQ(qvH9rhi#FG#8EWbXQ)-@fLe3ajh+g?c*+1v z)C}CWCD+_HArwE{X-U~L3cKU={#yYt-2Q>}4++l(viQ^(_jET)!_A)3ivm3;P*YHp zC_id>2T@$_ys}BLnOFZVTF7&4o?OirVLlbecmm&PU!|Q(-ll3CN&uJ=5^UtK*UY}= z)xXq8UscB_rPNTI7-4SY>=*m<2X2g~71R#aM);x*5hC*VKalH=jAbX_tZb#s;+ zZZKeWNcYpsr+R>l@2jatY2j*w&*e+mo_MJ?N;GafJ}ETPFTb4ml^1ni#ZzN`mqHAg z0_VIq=6U?_nAv zVj4#At&Z5|R3%*SgH0j6h~!?&HHbL+OAYlXR<3(2z<5^&s7bX(-~K9lv!jagx@b&# zv*{=sXm-{TA=}pUv_i^`E=V+CPF1^NcJ;{{uEU&f0`|AmUlm+2E@ZnT2Ctv9t26DC z9=A1fDJ7x4VCSdwf_LTbp}#Ml%V5ep(P8_ZIiY2j2b#MvbD6Ebx?OQPej&M}{N0T! zv@2%5>v(_;&)OwKq{_F4phj5|oAr>=#~iLqf7#m-XSkj4(kuHa`mJ`D!3^tF;|KVX zE?nVB^Kw{&=a3Wi2shz{;&z{ZM$Dv}ibM>rx@LuMPIx$DLyyC&<%#<^Ms2uD66907 zQsCbK6 zsrK~;^S>vO@>E-pZf>?^SG7eB;xUefz%yFHi(nW2prgJYxO5dTONY}$ zxB+wKh}N`!`7!R|sg@_vzUP_w(r%SM(EfUzp|wN(o5rI@g=g;Y0VYqGNr|(2Y1T2^p5&On_&w&g_Gfbn zr?;|ZfB2pBw_FmlX-&tm^`$j!?yAo`Ae4MywA#GyQ9wVupe{6+Nl(*vW8uiHxdu@p zQA7!^KK}Nvq{nLdn1LyeLqh!gQ>hWA5iZxL4YalvyO}2L&ECG*4bV~+pdfZu;|f^` z&tNOdV<~p>E&J|C*4`(xYz9I+2?;hFy?9u&1ow}+Y3jqR0v<}(o;mOFNU}yX<>_nM z={xWGAeI*fJ2RPbC=$7w_NLo@O$kJ6-=HO8)C9~@EDjfMqjxZ+eLv@L_NqPDYTTc8 z8e2f{wkE1HGSkU$Tvy#S@CP5HlB3Zsxb4TM6tb%g z(tS{m0v$S%m8J~Mm#;_?eH*Q z(nxq|XS5Q~VDP2hfHHnB784{B4c(bU5^p%E@T4zH36&e|(v2IyANIj+Z0H+cs_qya zjPlq7p|smGc_UM9?yB9uDuX5JEtT@0_(N=KA@${@IkZfI8jAu7&y*M4h|)lG{wBI4 zd(oeDDo9AA9^>Plg0B2)sw^!q(zf*&4)`34;2i0f=`f7pON~}R@RMCtV-;uBV{#xTlmz9pLidhbxd*blyvE?IKRP4-p{l#?s%+U)E@9J|W^$&{mWpO^b z*3h~0Pn7*$4H$dIAeBqR&d9EF#{i^FPr72H-W4_mi@SQRnqgl{)w7tuvu)q3ORIKS zctTn9eW`|>GTX1vZTYLk8>&`2FL!m{d9H@c02z;$-hAGJoz6zP76u57Jp}#eU6AbK z?&fQcPcowKiQi)6e9b&`IVF|!NXnzDH=2Ml-5Wg3Jppo6gn(RiS}_=I)ozE;#^-e? zB)-SY$kaL*_U0jL(9eyp&Sf19lI37#M7g>Yxx8JV@y(rg zmMk~19HK$BdlIt+H_b^gUwpBw*ww6N86)FG0h0thKEmX73D=ceLNQa ze9S(`XngOr@T#~2MseN1{(c6XR8H_u8-7I-Z*gacvg_h*lS2ttd;_ruj?61yU-So# z7T?vVbwXGDz3)f6bs=#`(}7<<{mA>h$SR*4bN*rq zI4iP3m*GG!CGY%=KrEj^!+pHXVH=i!ZLkY%G^<9^S634w6Hv{Db2i0_r8+2~+=fGS zs4i%Pn#M;X#%HHlJ>S^m=^gZ)RE7kKJ(EP`%*oY{AC1MSd_8XBNZ5;eG{r&zxi{n_ zBtBbG=hu3H*4q37xZI+^%~$}iz64&-e!eJ}5meE&w{b3h6#4Q`= zq&@vbCB<|V?&!!#2@3yRZO5bDu%J${qw-_c+SLNlhWDtu@Yg}E`>Yz$=rn!~(+!rD zT77nEZ@VllhZip;Ad7aT=r@N2%)Vo~A7=K-gGpX&1$h^$Nc4Mdn2O`iqjGdg&z-hs zy!*zYUw+>aGM5~m2un|~x}bO}oKSq$ZevDlXOq+QdUgAzK10mmnYuuKqW4ekaG6Vn zA0v%SLDfl-%|#EZc)K2LCpn0NxQ-j;HP>3`nwNi)EbNQlUq2%e0gJEh5MKG8s^j(-#;2bPfNvHXtPl_wOCH z&td_t)b1!+e{(Hr2Gzym(R)ZcH6-}77~k%87O3{Eiaak@uE0GsawssUv}g+R}+zqAUav*5t^cnEu5P~q?#UVj_76SqW%YbPJ*o?q6f z&&%5bW?`ZKTWIcD&^4UHf@@^IJM9*L(p+Lt2kYggXOGDqz(tJmtNG(u)mcPrGKyoUdbr{%erEAKueJ8(fn^&z|YD{ zIb+rDHn^%CUR6XQeZWg;3o&M|Y@1wWdy^vquh)v;m<2+9tHbn@^-O#gGvv`(Ent`j zR3~!o{@1E_61bv04dv&Q3;J*C>6Au_q-BRMf*^Y4Si+T-s#3Sac0)B3|yP)DDUq0XnGZ$bp=ZhO(bN5%e zJd^>kKK7A)z?%2>7s>O)YSh?jUITmz3#Q#=Tp+)#|5ot3c0l&0+;}Tc zdhEuhdnP2Y-?(v&KT!0nv-#-fg2nU~bo;`&*vjwUiUH&`87peR3X4`L%m@E5>%S!f zzrIL6dCuGd2o#QTikSj8%nkgZ$kJq}%iWI;zw)f!;CLm?b6YbPr1pvWv)ng|9zP`s z8pY0K??=(FXW-v%1b+vJRZ0Kl>(VUOA*b`e0dVu!AFoatJfNCTJRZ9oCPpD1<)f9& z5Iuy)A5~1<>{ACt+{6U;#K%_FltJ%PG7sv(zg9H&PT06wfW~5r*B!>c<^OJd5CqKl zo?_GQmJ$zO#>2ko)IWhG{adS2FoV|tnEsX9K-u8Hw_pk&p$qhp0VeueweimLw~){$ z8PEgT=?5$aq@O=^|0MQ?_(B}TvBsWt{$aoEX2bpk>&_-EVx?FVpa1^$2Y1ZDtSXP6 zF&MtUb2R6YS?|DOWDHTw8*F39YfFpqq7M6FDEb+7ck7->){U{Bm>h{m2IWe z8S5cidFSEZ2C-8E^bn&$R7aU#S^_D-jZnq$Pdp6k0uP&0NoOO(wR;XIXx7PR7c1ct z_UK4I-o(dSb9VJ4{M%pd{N*nR57}47t%1ksss^4EqydlnH5$R>vBr=|Bl)*d_weChq-cG2P8}j_gu~`Y%FBW*Z z?||k54tg`>x?_6&mNx!BYR!Kq<3IK5zmvGnZ9rPLWlh=o->w3{5BM|A%Nu|38UF3s zzkc~I)b|%SeWjYUN)nst>0)mbQg`N3F)1L98~kto5w8ePIM;eVQU5Q;g#ZwwA*;{7 zqr2bZ$PK(k*z;R58342YZ;nnE?N(v^wx< zWBK2_82}if08Mg1F`_&ungyMP~v z5Xi86`LAE+KU-?}8DNU3&%eRR-_Yq_mme_$*1P#h?(W~X_P;dGpC4pd0j4Ow{Tqnk zc8dLHbG(uUtoIw){QbTE9~^w_k0V+C<4FJ6i2r%cek0F+9O>U8^#5g^KhZ4xk0brh z$>bkL`tQ@)pXB_HBmLt@|9sm1dms1*BmK7!^8e=;De9TDBo=LkiinYGX5&CrDf8{} zXFg_{BOmO)l09Fa9tybMq?)pp?F~jI5A|kWHKB@Z`h3dH;EGH=Rak#RXC_2^dCVa} zW}|%m<@>ZB6TdJXG5sS@Np9%rxeMw!H;0kYRF9hw>;eCKwFC{n?2>IgDv|LL8xHo$HK}v=HO?BU{vJ~T-eD$9mdAFSN}4~VsO4Zy)3fw9W}OC+!T0syten(|_{kvJ$KRA0bp zweNvg#TyA7IHEWG?LSst0S(;u%~T`fVO%oI}R>phl( zzvKfh%)G9?c_?<3LNj@|o>-k0IT5h}8px-J=CPE*uO4R2pub)h3 zBK+8fN~6Xk73#inMC7vGuffFWzp<##CUrHpxsHTI#+%;Y`RinXKPxMS-|HPR3gOsaaLd7fdAcnY zj2imP>f~xz^L)S6EP%nApm7Yl=3&rHs z=K83r$xYg`jlq8MR(DXTXR~P{icA;!B;^X7{g&DSvT?OR(6numBq%9p%yb!Ncn00n zWhg(`H0(_3Q0%tY4*=_^d<#7P9 z#88hUTBekPHOa3Jq|WAqEVvbVlB5slaY4_eJyKy%i`RtE<5ZKqfQ{!~{{0G=QHBK3 z;O7*tynOe_*DxK>*b>Pj0{!#h$On)(y-t>;#9)wAELDb|vA-iyRNr+$1QX&9yUgS1 z5AKJuHTbgVeh@Ba4O;cV%1vH&16-Yvl+C^_%gJ7$-L=@gg;0Vl%kwi;^q<$_;nNZQ<*rX&JRL5jjH zEWmMAW;GFtW+#coIzi_F0n&O0W?eyvv9)fjqc$?y>ZyzGlxUNi<_)}Q5$nJU>)~sd zi^b|h#e@N6ARRjan9Oh}LF3cC!T4gk2@JI4W7b++3sc(3waLuC>Q^Mr{Y2ru#07g;Z0J zH3XCx`oh~n;e6E0VL?J?9yaR>TjK&!7wSthH>_;^2bZI66{-bR>!sc1?$QXn(D|~! z<4)RFKy|Ongtg036+=9a?KZ1MX3PyJP`hAv7%(HU4fyGeQjasvl27<{WBi{ulvkkS zL>YWev!f*-*~Sgqjr+m3SKBvFB=gM%LY#hyd|RK-sAx{etSH7oQ2{OfmnNboLQ=yo zICa-pwUAiL*82{vf`+48P3cp$;{BJG@AQTCTu^{E&#%v^-Sc-eHq&B}Ogj6;KG*n}Oz!*@tA_#?eoZ@)hWqwNJp8lmdYBe`{Vhj;^1o zg!x^eO@1}K8iIN+`)nrF={?&_#2C1)gH(Sy_-uv{MO=uV4rorj(@u@Z@G20FedTcl zUr9<~0_ooMXU=fRfZn-X#wm4`lLd9~#jbPiT`V+lQel_JlTxrBG&NHru1fnn83I~+ zD#Q;jk|MCK>wQ0={+KVwOFG|0CI;v$4#>UEtHk`8to7iM$w*|qeq^(p-p`_Df_tb1^}cY1EVQG-o5FK* z=m~@KU>Bz%c5;LZ)`Ysqaq;teSZX%Gd&d$c6~Nvb;HGBH^3l2uLV@!=I&SMvIuw0> zz}=)1^$Z+@4UAW%TjUGt1{VhseL-xycH9? zT9Q)gv|0xXxavdmcm^0$*c#d$vCp3nb{w|b$Lzh$bVqJ41M@Z`hMY!=g_#J>gAT4s z6jd~{nTT3P1!#b)y@p0EULV6+T-Mj6>NhwfYxEUC#7s$567R2~r2Mb?Mt~2q({|st z3X*fwgeT;pVbQaGv#C=ElaEhr?*pVa@jJdk@z*e=ajpqe$G|y=mt9>>3t@{`-f)LJ zNh_usZW$_8ehzEhRz|m_tPZPARjNw;>Yd} zS-2nnluJK*aQ)?=AWl_{$9)h8@=IgkJs}hLd^U0jweCnz$dtN9G_GK@L_F9T2({O~ zHFg+2>+7#Emt%=msi3 zV(3sGEY5@oP>>zJV5F}d@qK7qQC^v8SbZnYviepWa$V)8m(!!#%Q$6d_HmbM7N73? zwGSoj3r#6CxZnG{c6DZ{C~aVInFI`i;3uFwTS^LSon z-}gv$In`rmgvzZgPmTRn&yXJW1Kai@=&fGqs0t3^XK{U}wj0}dD^n{>uWTUl7e%G< zv;MY&Vw>T48Z-m%>VS^l$$YxGtMh))1B zETNDTrU4aP&E{3DxIrb&tl3}h?Uq;i_9hm6mp1ZSp3O}d*=$(-MCw8T0lDIP$85S1?wDBz@p;har^ z8IL7pBA*+yC&tA*=}9mtcir1W*6C6OoVa0#=97x0QlP^e-B&*|rCjfGjBy;g>!NG8 zQ)=ecr^!o`)YT$fo|iQKva~ZM^pLb_vJ&!FosEJ8l3MDLkqLbzM^uaKVy-6SUC5;(%yV7}wBE^h2| zRJ}7W-A$R+y4*9&I_u{v*AVk&0eptLByuCe$NALx#IAgvR_Sktka z#dfH12V;?;!IYi_d}5A;{5@L^deWY|_rg>iWrJv*5S&4G`ity)LTyV7sit6taTq49 zp4|qwrmF^Y-1A<>c@8mC?g^U;#8r9PC7jV?Ct2e1lJE3Gz>Xj&)eH@zPUL{L<|?~@ z*+I!I5d{_vKAB~1JiDC~@S|r7>2a+w$@f2!-C6o|U_tL_lg!FO7EJ}=2O z#$#!*Q}ZTZewcr~IDL1Ht6*V)i9Y2bslZ~{p`m}7$~A^6xz4{{>g0T-9} z^KLx1$;qEiLplz|No`?dI@|7bjNmMzR^)Z0y`P(W^5W|RJMv>2hELGpikzrIMIo@K zR^|!gW2wD7jF7WNb$)Y`6D%`rPV(=11H_ za2Amk{N8K7_0k>5m&NyE4=@n%%MpSZWAFFn2Zm*aB^6w~yB_jhu6kCwQ@xrJTl|Z21=nk$mWW_Vz=hvS(;l+AM#^NEGp-hGO{LMD53V~o1V!A3W=I&k1 zO#?3CxpHbopQ4?_j}>eg|;E1@M|=0V{vPx>gzc8%^E+NyE0Ov z)q!nWY9$Kp{Yu8F!g#EMYfX*1mvukSWZDi49+8^N@lBi*cqD_WKHFq9Q8srJpBuaO ziJ9BCrHKl`pFp+Lqo-ts6_9xh&I%G~BqixF#^E0jbJlr9;64+N%}Eryi`@w2@XjJL zWbFT8@4cgffZ zqhuOra%!M|$M?>i;hk^h-dStzTHinON3)vlK2>#gJ$vtG@2c9Tyu=v43beMJv2&Z9 zcAR0Vl34grv%t2gu#xN^fYl^sXe1$_OPl>HK$7xlO(tcLsI9-#k*Hs4h@-ENpydwM zCSLZwJyaae+9nFLQb;~zN9N{akQ~#fzVY+hphY)K$U+Z6(i1jxKA*L{cCnc?o}|up z@?mZ472_p`-Ds@GQHE=ATnq!E_l0P9UH+RU)s0J2+6fP+Au0K*2)n5C^rKDf#-$`P zW^#TVn#E~zN?XCK&86|D0%|o4e&w=t`Q;XYoGspMHAY3wm@yS&lP zt52R`bn6cU#qoFGF!?1yV|AiQLAPBROeZf#-2~vBnQF-L@-Qh(H zj|k67=m%I}vEHp9xT5f|R&Gie(Xp6uZ`r&_pO{5S$S+fsP$6}m;r}T_*Egw86#kYdQu@2FK0mLVhK|fw1}uXYJf~kfR>uy~;#)5uvZ0R#DkY7*3 zQS`_1J{}16MeFIa+I4#5@*X{ql{pf-D&qga_e+8%$!zDn(L`c{=(eKaLr3nhi^2F} z;SVs!v1)A#MHBp7zA>X;Gv9b#e-e0@RyH@u4}M!T{R#kdcz3vx!X1oGw99}c;}iE` z@Z(B4G+{rMp@!i?)>xN@j>e&jg+_N`#wfs@8mVGs8*mLA)!&u+qsEAvrKYlF(~|M1 z7|gkU=`qHA=Ts}ScL}>mJ1rZ*U1IfU!b+%3gvl1${n%rUnPk6zCMVcYQ=)nF$Jc1b zfZhI3A(JU?^BrYD`8VpX-;~-_=PFLL-D9G`{a)B#*d^b?ctyr2ECF$D2OeD>kNtVD znBtboWOKV!O~KsPg(_3}U6Wung&n3XgvMB6mBH&ekuGgcP@{F$=-12LmE8y>r>wWF zb;Qn%hiao|baT%2t)7-^>Dq+ZTm$=Yf@Ju<>7w=$yw=uw`UY3^tnnAt5hJIbdsn&7 zA-#9c4Jygj6hQmtPZ%dpuc0U6NKeRmgBT&cQJRjP zOB@u1CNW3@%M@3d!{a?sg~#icLO&TKjNIr8#?v4Af3NxkzN~cL^E8+8)ZcA}bhhp- zpFul16KN7RUE{xL#?nPUtNUbXoXfgk*i&6T=i9LEjM1$PU3Jng|tdF2+X{_IrK_*^;?Z2jDn{=NI)bzQIm#nw*mBpF_lPS}MXJyGtno+S2w#i=Qw@hw8M zAA*-}UVKdcR0_|unkfjlJ(h0X=&3i#A4@iOay8)YN&VD0Z&gq_Q+T9y>2TTWa__8k zZTOT>0B@WH-}ZHEKw03v#IDrTxu2)LW4Dt2*Ta(knqAsP;K6u~-P$_fdatx)SI>Ql zwPQiYm<-Sg$9n4n%qGB|P!W@wjUAu^O^rlT>$65MYm3OO^ zcI)fo&+ia^njz;^)tu}VI%~YBhxiS8&g12FF0s60P|*m9a>yc&U(-{8DT-ldohKzW z_8R?+eYcuF5=94|8Xu?3Kh7U#5AG@q9s_0dbCQN{gs&OnVBS8A@^x#Z#a|jjdGN2C^uDLB~XL4n8oGDD#EPyJiwuAhk@JaVg`$tPA`b4C6 zybBJC5*_>{j)p+XLt<>_B1x01(pdbAM%`J}rfOLXuaF|p%GIlevdRjLH9Xa(2GOB7 z;K0S&m)^RC2**Z??c6kGZv?&bw_&Cpc4~_vVP$odWTB@UGx9pnccV8Fwi`36v-MaL zCSfHX`lk<`%#v0pA7`N9JHJN7`a3@w;VGrLszfZOI z|B$vUqzD`3Gt zYOa$f1p<@aq7|7Et2NZtA_y+KQ6qm=R4gB7Afw5GIs3V_z_|$XmHi0pUc%)^7LTlI zPPRz_Tq4oJ)**qYv6sn>B$%<;J9V$MLP=BPkmI~7CK^zaV=c(K;i+Q%l6~b*3P(-6 z`{tMX?=Ob3c__bSjFPtC*v0+K3D(T2;+B9q{S?vJu-Sn1Dq zkLMTh?1;bT^}yR`QQY6j#{p<sS?23IWo-doxbBL78W`(sw4*fNt7F#z!FPSHFP(ewwAAta|sMUPMg# z(++d6@}hD-8B{U8ndwuskkGcPW!`*QH#~H3ez4bo>~ZN+KiAte%)(?^Q3Q)V7T@efvicLT=cG+jy3TZS@Nvi2 z{GWB*VzRy&AwsT-tZAVfOps4C6^u#tkYYCI_on-qINz?Gmr`{Pc7x!BPYn~%d%Fl8 zSsYv^%Q_fOVcE097DD!I8vUfbP<~87Pdc}D#Yd5^X?OLgP#gy6Ko;kr!K2$(`@Lk% z7%xQd=THp;j+gr@@=y^?FUjK{Zg4&|bKPu*6!2JboiYe4aEta9%S<=tqiws>na2q9 z;yFecevO?`tT$4|h~qSq!oSMOl6N3AX|mn+>{NMcmZbsDdaC(VVtk=S?4Z?sf?DcC zX02cy5qVLaZ7uXqTOWoswqCdpUI?DDon_t3ew&D+a%oQ3Im&@Z$a4r@GbEIruy4o+ z0|E-86G0lKteV1 z4r%<rNUPiszF7cLk?H_F>!g6bmQXr2?I5JiV?jz0W(?3}cHlH3godl)jT-FEa;Il1XntZ5^kT~BUP;ypOSE|Ji{sJ zMh`4&cg0@6lSa{BbqxuIF1h`8JdYkR@+*cb3Z4biP>hQ)Ypx3de5S*!E0;bPw9G*$ zNl@cULC|@`F~cZ0YJ0EbQwVtU>apGJTvM4_G=w5}uZj(m!Zz>Z6>GA{3y|AtJW_?) z>0IshYq9cZVOoy}Nxd%v+?3(W*8qgS?#H~tn-ub{Go0T3y5|Dsj_Oot`2-&dtQaPj zLz8xcjiuhkh_m7asysV23lq-@~D|Y!NCHWdK1o@lBM7MM?lS!)xYj&(*I)xtZIr*1 z4~QuC*!a>D7Dp&1RLJq9-cz5n1zE@CXqTz;+|%+$H=-3JcE!z=Dj=imX z-@b!8)3~ccT=8>7@~1)mKK}zFoj2O=b2$`+qe*isC(qA`A#-6Zddntuw+CB0viiZ# za~wtu1Lj_mnCJ2;MfZ<{9&u}Ev9akC6KD=C)C6V1k70*;bTp^%{WTu0x4w zP{YMd!_!_RcH!ERP0HRo+n?X>q>SPlGxRO`)~)=UR7+yyR1)bi@U2c$S$`od*fJy5 zyZ>%qTGr6Ah-Q_bZ8+l(9tHl zbOmY+6}5{H9Y1KL+2SuJ8hb(O2ZDIwM7}X=!;FD`UAk=PA8BKJNFYFIq=Wux^i{Ev z{Nrt`2OYMQq%R8)YtYliq33*YcTd>#Yj!fDNQO0v?u5#Yd;iF(L#zh*M^q7S<9mM= zf_AhHx;Jw?sfB*!vD_?cbEfoLSPJEteQxroYBS=AKr5x((u0#Q-c=72JP|zRb5Jb$ z_-vNi`+8dN_Cr5Y_~_B*y-jwNhrTxVbM{Pz;fb|^b3Np7cGPP9^+G4Vh5?5Ye~VTY z`%Aav7};Q4q>N%tx`vP#_~++|;CGJ%C?8UA2m^7-q(!aN;4H1g8g`(&A2jwTh`>Cx zS2A}qokGyI-oCIvZ#=^ine}W`dUaxsYw1oZrE|M-k`XNtTTxqd#aynPHNJ}ip54?Y z_RKk{cm+IRLCCup_Fnr&F0@yu&RWP~#|;08IM4m1h2CiB$bJNo?qs6TE^(Cmtu^)#1*zt=diZNV%-Q(5sMV73Rf@ zDJR@q2(}TCY#1FYB&(?zg(@s*4)csVMo|Cq1l<|Q3EF&TooaZ(4!D>WZ_eCb zR@$wWzn56ooMfGmjhe&}-4^fnI6@!i;)ki*k^hpP?bbY-DDVgXO6}}@V7A!kcHW1H zorO7irU=Qa`hrOhjd1-w|BiGn`jalUh7eA{a?ssVpI+Z_9Vz+UzsZeTnWc>In<^^5hG0vDSW|61x^ z0f$LI@k36-hxwm2h%m_p6y z`F1pG${5li*dx65zUkwHAtE%}t917+^c&-ngK%uM#RYg)XK!Ij6yanS954aA<40rV zf%-g*xwqM-rkZbYd4J3m$D2&VyB)3DX#lvy=eN=lFWXqjKNbCVEr6oT14rdDu>KpL z$tz`wVSf~33L!>kvhPF-N40P>#Y-!#qNLwG#zgA@|NTT^jH_d{_!V0*<8CcmJES(O zz(*YsQXI&P>HJXxc8G{u@_5KX!-P;=KRDY@^*<4t@mA)X=@N=|$-3)+QLwnA!+DW~ z8A(-4^ss7EE3X6vH*X2&$=c_04x|m7#4fN=yCTh1jv| zQ-{U31Q3x2H*K+TuB6Nif!7WDwU5)>mwJ?FX)k7qqH8>aoO)UkH0BuNS=^7pX=1j< z6fBO&cE&z?UZ@K5+Rr$-cYXV)QkS38#!bA?^z7-oARtJh>P~gM1E9yc%gv|1n~ z;XZ4Ingv=Bs`l_BKC7YDqMt7ii~#!(Skc_Cyze`c zkI^}v*RW6kUU(OlyIf^9|CH5;O?contHHLB9y{GfYobh(V0F&O!h#pG!5Pfxw~N5) zZ60%NgWe?N9UoSE0rGQVg~3D-6P?97J8k0q>#?eZ2_HXh(k=?e{u;$-d3t7~;WK4< zJCugfF|N2<`@q5qQpbmwX1~X2c&vNK)3X#vcW;)B#J*Ri=7){OuaFO6N}Ioz$TqQd zIG$JX+Ur~2;;n^a-Oze}f$%xxE1v^*Sk2CP?mgUV3s)R%EP>H*|1wC*E$MZh!3i=L zt3OfLZhTaT#yl~sfz1ufOLe5m!x>&SGwE+}a>sI#40akke0OzR&5JF#n*Bc4T3Eu{6jWZ5_Z$RrvVDjc z6B!QUeVM75c(58&<)i(LML@@%Xh)kXtC1@ZVY!ud_W4tfl8_3c;sUrhC1Yk}$XHv> z7j+XmlM0|7E>B$hpLPP7ee7$QeSo53bPBQF7JRoPAtEzQH=;{T<=f!(XlBWKy|GBV zc`U>NFE=`0nRpjr|J6jHd!s}ve3KoBmPF7vk~;$+Q(4wGJbvA3%~5>ik?#;O6`7ip zimL4cay3Uy!Ns^j(62QOB`#mI@}dMGKdp!dlngcSD2|nwo1(_E`>2z~K0B^m#$nH{ zOgat{fA7(1mzG&sG7AqC99HQQUa7Ce>s{NAEt7b_Z0usqs5q-S&-p+f_%Ibs&6nL{^ZmqO!CnH zZk4P40FB3rl{e|shadNS8*qa0k#7A@)C?ZP@<<}O+HDaY849iXpc zMhzMOhBUieR(*c24&hzHQ2q$sh-aQ5=8#1P5cbl=XDwxzvmV{KIxtt|-=uPPFzY81 zyH7lv4Uf9TcXLZ8wL5I#QNpGvU__YK`U8i@*6i|$#q!U*JfF2a7ua(IqeqoyrWv=a zyp=TP4M@*?cMvzGO*_J=%KNAyP&0<{(*pKA^)}J75nErVs>Z^mW${*_(7Cv2>!bq0 zoj5T_J>Avqq^qh?K5fn%&t#k7gV{26A7|ID%|2r08PdtRLPM9)3Fqy`*PQwgt>L|r zDdYshG%t_zrVjsuD!C zwH-O1(lpBo-K+B=Z?4ZE%#C|*Af6gyJ1|m>6ORT3sHLvs&Q6uHJ{0nG-0oz_;H1_i zmi-ihz@G73^T^qXZPpz<`#N||?|`Kx+3Z@pS(WMZ@w|m#^2i8ru+k4{7#%z&^gfLc z5%yMMu*2Jj zzdZjRum7WUziJ$y5qdt1P9@Cp>jTlJl>}0GruXHZ|1ZM;nt7KD0Uc{0V}pxrjFNsUoYtkWMew%qk{ii5B{bR zfB$ZP9|O2Pn-OS8l3(_30?NR{x-GfmulV@W_2K?Kw>a`0%l4 z?OB*aq^~gpI&6R$blN<6^)E03UHZ~R&~o<1cBP~lW@Pj#CF0RF=HPpe7Bu;i>t7(n zl9C@l%Zv&b?6d+novYV6b^^-#b?QgT(ck-@`Tg&2Gi)*02_?gYql;~b6GM^a<}gJ84xdc3>FIYxc@OzHi4j%u0B;$8ek;2e!EBc#2xF|-gZ`?a__f& zSVRI9#i@bc_5i44ncKU~bzN!+G_X@VzBb2_uD6{$K>NScaiV25U_fR$y|dHAd*uFUb%k#T@qT55Zia&zc-rKfAe2`NG4&Q@65tT zfh9ctb%Cy9xv{5-L!I^J$vV=Qk=7ffcdmoyE5Lli)r_hCg=TfI3jkD0(c|1HsZnlR zVPuyZ=Ru5<-}lv12r|1qjJpg#02qUN@V~~P7+6Cr11HJz7mNd#VD?~ozZM6?k3QE3 zE$hV8v~0xW^oI@{NrDiru z7Jyui>t8Kl(aPp?5nh+G70~qG%jus$!jfp6l_bQEBvRj({#ny21brf@0h6dLH?5t| z(29BEZX{^A^!D&|fvc(j%IqP<_E*LHCjtQm^fFp<9tycc6o5=gjp#61j`@$>My@v5 zBc|F@EyNeM`z|~Hlpt`*D6fzHI}oS^y-1Mxvtjs0f#u5zpnadC!cLHBzLPJmzan&nwq`#VXNkDyOG#o(eqB(Tzo+@{H1{9% z1AJzAe_dBs*KrejH!yyB_|;O?YNDC>`rBj&p31e!L}N}B?sw~(ZeIyp_M+E<(b-^ZH|igWcTCJv07NKSFca6(+Hr6Pl#8qJ9$ZVV0QlA#{T0z zX>BpR&%DH6fy$|7tlPJZhxX_Zb%{n$3zg(M+&z6xBfzsTc$7iqUyS~g*^mPWi89Mi zkLx#g4IY033V^V?>!>q0!~j>)MTMVo#9AeJ?^~uAr|8^zrCiWtzv6V;Zmo!|__2$5 znixH3a?I#YIv;iWu5ZfoPtN~%^naGv;{n&T{#5*1w8=(>t`DgN4#*RcUz4|c-9`p} z&q-5{`U+aMuOc2mvo%-v^)bo;)?E4P58;31cJ8gCP9SJkPSB*-#(NMnF`RtrV8-D9 zzSW`FfuA*2v6lGz{@_#sG$(JW#Q$CMKHKCCTLhUBEnD9rf%zUgWi2gkZ(H)%5zacC zm<*|9P(Xu~kQq0Ltw%)k`6i@X;QwacB&JhP~NI=sWhu^?#YGs3@kIW@df zi*l&pq45-L=q)k<{4fPh;Pv^Bd=1#^Y_+04DB(ZB_FsMC^WXRM+a_25Nci_UKmz3g3_xI3nfjz1JO(z$3i&kQ5tvb42gE{@SD*m8`+NIh|3ND+tx}`;kU0_1SuiDI1 zOLMCK3t15oc!_d@Cb7tqGbz|81$N8>VKWyz!^d2r)O_3hbf8I%-&;BVHnuRpcFqKo zAg(*^>)-$Fm$wh=C3|i}@}#@5-SxHc51q{vqb88#Z*6}iEucPg_J7yIE%B>&Z5W-5 zTtY0Tf|PDHxwE0=9a*`v?pU-iT(9eJ%(w^Om16L%{=Y!R3`l=ZGZQr`qyV)19?`+L zFmY#A@~!7gDnA-<`Vq;B;I--W-AY&}$W%Aj;d+ZN9|IowKEv3vKe>|Y1NrM0FGGII zNaAXJPK~P!=ZQFNYgf7z4z}iGaYK*i}kq(cZ^P#mNGKe8z1^=0giMqV>}}PEPk53 zY8&e9M)wMv1DgKtst9Bdz2*lp5t*2vb_E`1Qc30-%OPNv4!8lTaf`ls~P-<{C*wg@BG912E?j%YZFPuZC%As z(*J_km&M9iQ`Vl^>55EG``v1du$Z;fnj)EkBXZI<& zLz~gEggs2+by_aff&_^`q*B-Uuh5}nhJk8;p6J;GF8Z1Zs7|o)EHQRYq}sR7W}==B zo6k_!FRhx42@KCZ@NGEXjGAfUELR$PAr3qn;f80g<#WPuO|vW6gYv^oTWwB~oQ&k{ zoq0}a+46D=*+WKrcw;l8f`s;$BSM>K+mj;@;jzN%7jlttXH7%HFEdBPb(iJ_V`JlH z)74bvD3gG4dqbIH(c0og`scQ#E{<}VbDD*O!9|7I=q0kr%q5D;qQ-nn12wb&Z=W@y zyva6s>wMUU%B$d$3AV_k%aC4wibSN_b1+g%7r=zx4Sx9<|Mvo{(JsFPmUK=wPqF41R*~Q<$~#!T3CJ##V3oKiNjcx*d7J*i zt#~WZGVy#Wa^$u#fxQ}EqyWn8BH@)XvfLzd}r--(vk;W>KH6^!PYwYa)}cTZvb4 zkdH}0N+F_Xbpg zj%V&Tl)-9^~IjL{j})`$#%EiVNG>@P~V8SZ0^Xjf?6h^%30M!a|3 z{>AH-yGRME21V_rkpR^e@+w?=R5*@S6c9S35JAogPNklqs%fx>XCG15OHI#4kz;`l z)AixYFbJWK=L-%rlsU29OLHFk>vB0ju(_sfkkxS%x@-t!Z0J~rPT9fd8Zy z?VT=qW-F#yYvAGhsy{7#G^lQ1IOW);rfvHRlFrjq1#NUWw@oe>rfhh0tWwh5yF!)- zVOWb#CJI{F$O~jZx!v)QW~$=gnRk=P-FaZTCf&xpS5;(4vb0ZUg`U!#Ps>yXA3ET( zK#wwiZ=p+Mh&)FHnzg<|0Q+Z)E4F`#MFXcfh_7$PW`6Ky*ds9B+;r9RAgX80Ob$Ug zV{y4PFU}74dddppZx%~^@Yu0iN(gZ#HQ)eHp9#U4&9X!!!EA&`Wk+AbkQ4%9PQ`iF zIKE=vFgmpYFggo4Q=?`fRP*GHukYva8lAqQ!)Pn>n_6iUp!B_14LuZd5@fL~I|$@p z?>US=@9EKvBP;~h+t<9_AiUExV0U?cH{kt#WzLo>@am5Dt^%d0PT;h)^ugfk>$4X;IB=HFhuceFaWzOJ(vYVka|M~O=D&o zp75T9L1Aal8zx}H)VHlNa`|tu@im6Rtb}OiVsCRZ4hhyk@XU*Vi zrpL&wK)#D5H&mFewFhAzw{EC>wqnFeMeh|jla(aJ-Uvl4Wa=VazjyeRI?sy zH7lL^I4OC^iaZUyg`T=ESTi~=h@@H!G+F6JX@@h3|G;IfPMXNe28gM7=BosN4Bldc z!+4cMD!H#7PiKu2<{(BV>-_LoM8r+qZK|f2=q^sP$2Wp*JgeYW9I3tevd>Gb{-d$| zk?PN{i4y3rXYTum*cO&lA+V25phUBwi#@AVVN%}m?)dDc8JfrGS%ACBYk&94$uA~V zH>!G)e`x5*?v!#n9tG*-Uurk+i+O^jl+iUshv*IEy31}?v-h2bno~c7PjU~8fjxcW zW6m|xrsEuiIYAouT=P_SxM*PIY+327y2V$gU$^E+i{6~T^>rn#{HuK~I9n^ybXYnE zF}@@=k2mnO+Q({K*al2Z8Ua(dV$Y9x%E;~WtcXt*Cq0whKy`ov z?&HLP_+j>3BMRcZ;m69FIe1BZ+Ur=-F(PROLqzrQheL9q>Z#2FcKB`ZhPdAt$l%m)z`$ zuRiuT$7nY8|Kg|)KII{sJXla>E?PC+L3ii`PCG_z}Bko2nygNJyd+bNXsU$V3(3!P^^3Xm+Hc?T)% z>?DTw&P46O?Tb2|%GxMo$FkGPt(GjU%90I7=gp)i z0*$JYx*i1i&GwbA<5MXxx)Z;=?1;RuQxRX9p|%LW{~%)qTP#67(^p*jL?bQpMLD;R z`}1;@t=QCQsiPa*UmM#ZZg~W$WRm1Hyu#?7lv$~_g8^I^pu%XRnxuo^f*@tE4Q6Pc z7mqE##Vc8DR$qh#IkxDJUpc)6?RTH>Cj9!QkFl9IaoGnE3Kd`hxhpj#Pcp+_vuw!g zeq=c}Puq-c<2*%0tFDw)(esj1HIVDb=_Y-%!>DWMPtxn%iCJ>TCpcUDX4-&j=xX`A zUZwx@K`~ab`us@pf@}|Q*J7n9?>CqHxA!z0s0<{mJmhZZ-b~kt-$1ByAFhYDuqdFN zUfyiBs&Nxzso`CJ2fy{WKhMwW4Mc;rgJ(==viM|nBrZ|Hs;0MSWnr!o;@I3wA3%8L zrcTRozqjoxg6$bjm(Mr+=5&lbJ48oabZ!Y6MiQksNxI z!X?DK_uMrN<>L(RY=j8Q8jhSPkSWlXo`1f2w=B6UOPA9pbrOmNdmCH)z)cGYg{U?) z6Ciq~y26@@X1g8N+f8&ilU5dLm!aWUCC?7#1+yi59Gj1L?;Z|hNFy*KS#i!<(9DqI zJ(X@c7^Jy1CRPiX4_YSZMBVQ)+xH#4u27S_g56K({c(DQTn=Hm8LU4?Yw<& zO2sFea~)-BVhp4$5?B&?=LmOZOWdy9A1~}F+5%tl6|;Kxj>K+;^nYzyzr#2zTr078 zi8FP1Ap`&tVJZ||k51=qVL!$6U9YUr&oxf*lW=E%^ zl0>0M2IWyV&M&5h3g~R-JwxaDkkEHxD7Q<^24(@dH^Z=S4e{!NIoifk;CN`a_GfNg zl~@49K7T@SvG4To;KXL6o)-tJh*TK+q}ZGy8}Z799~R+ie(drOYaG>ntBu3{@@i}# zf%wzmStsNA1a*?H36YIWuD%BkrgtClI^L<#DLr0VtEviCH!mY7?l!Tu8(IJCl36|Ol$py~%WfR*W%?|wGI=2a zUvdn82hlvB)J?gzPkN5Yen6n#X^Gc~gK2n_qGEaCcLR+eB`n#T4*w!#-a}eLl2?7^xqvfS1l zk?jSuS<~}CI_Zeu3C;(-Ldj<4^_vr`DZRMBN(`+ACM)MA;oGJy1Bb7MW0T{t`4s10 z_rG)pw4WDTftIT~1IW788>*5OxSJEAy>iS>#8kH8Z$zB*RCkLRU-l6vq6htF#x%`e zpr_9|GfWA0qN$$3+5b|?%yLOc#HAo%pU>4qa%XZ=EQeL*38aE?W9}9*)GYRpKfL;hU;RsiZUsn< zmQbSnBrb@^9$tL#T1USt5?cmVH+DW;l)QRSZ}*B^bohO^zSi!`_bgba(+V&6?I-2b znxY0#N3mU)k(Z>wWcXbDu{T1urQIbIt2ZNy&%4Ub{6l?&C*B3X&Nda!y-?$JDo+QG zaE>3zFOA`$C24n)waj)ir40fo>-=v%3nHj#s(-9tU({873spt%-EbW^=r@v;jMb1I zCMNp2B#4l5oK2-`0FQTmf$(d5QHnvG)%H77RWmo|%h!mG6L2!=ErZ?annJZkjF- z&FL?KLJS}6sbZ-N%%F1K&wu7?ESirM;C7a>Xf!&PSPx8Ob$vBkMH{Q8U93ih>UDRW z#&d&pbz9wPM{s4#?87wK>XWrG9y2QW#ku$O)@D{;4A!9J^o1YS!IpGzwp}MJ_;Kbz zeHUSbbUGjS*XB&cUt?ofKfXM?1r(Ippb?i~m8H>(Vv2~HrhaQ$f!NIqSQ2RkWg;XDq`MH>d*h?g&iK;{3Wpx~mRg{4 zxegj1H>l_r_cuQ9-fuixIiO|WG_3H9ewE-KN0|zw@+4C9$03UbedG2V-9OPn>%;=y};%B9jqjxmn-uIj;1!VzCaluvN)RCI{HY`s$0!XTv_eh%Nz^e)gMJU{+Qc{Ok)FMVf+(A8qacUn?< zy<-3Sqe)aub&V(&^UoaPr&TjobuR#PdlwmudaOw2Fe7WtwLb^;jmS>4l4p@eiXXq? z^M0vYWLIiu0(3IHP+8_8 z_*1c%FPN|3hB?IJe?%(~4Z7-nmCmUOc<^+D+9}UgdxCd8Z3lJ1VZsBQM~+|}k|w@o zv0+$%qU+92$;s)e^~-ec+wIeAl0w!zZU}<$V<3t4tkZ6w)DnLZ>!B>ZJ_*l! zXi)yl%5ff00&SMJq{&6sMNG%8xDU$3mk%uwEH>yM&?~mFxGYN&<9l7Vc}2dG`x3G; z&SbEXJ*gc)9I|8XgBNMeH1!LrX<(7X0=?A0G_e-YdM^Hz-LSsc(hBcKN0o*tDtBx^ z=;kq{SlMy6_M|(lTNXuQ)OcL5t6as|dz5ETm6;hV%%l(DIqW0gH)S@rm>S@x8JVTN zaq~pUquBrTipFciIMgt%$!9nx6E?mHCh=xl1y0o=aZX!3_t@djp+wG9lmJac9o36N zRue>_gtUwB-9))A0-N~Q`1X}Uyxc~JZCMu?@qv%S70vmfEY}Kq1ylR-M61si*Mst+ zW)D%6zvryt#0!hl1uE`s{XBv9oZFG=FZH=K4F)v7r-OS8WL9y7gjxt~r!{YiqR3Dj zqb~G;f@Gf9FWp&zV>7Arh)V7--A1G&)Pu?VDCo!Jx!h3TBLZ7a^tU0~Vz-_450u|7 zRLzb$NX<@~mR7vqNGKkspB)Lk42a9}_uuB|CK~P0aUN4=4L>f;Zk)5^e7|CVV;diPza779(Xk*YgiTv@$o_$w~z}t7snd^)RW+ zC|-i;oGCPKFeLKeMWLpe>Vr6nCF|r?V}`1tW{9GSqSeHeMKUF$xMNIHKLnXnv6H-v zikBOk{58CO+Q#%$v0S+${Rz(26QC>`OP4T}vl{(PKP8ekkfX0Q@EF8xe+k~|H0Hji z5ux29q$eRWDe)$TN2m&c5Hq7UjLk{0sZ*yD6Y6=ajntn)n~I)lrRP7t*-(uC%BRyd zc4v*aFb$XQYEyN1@?&|}~8vpyt7m6zgGGcjP^i&gFWp6UXLJBtWW zJzPc~G-@7+O+1b#K~PZNsTR5hjZ=Lu0E|&0B#o#nGO!x|)@`c%>{W zy=nI~Fq31YrJ?@gz4qB}U)9tV&+duoZHB|QB!l36pAI5!6_MeG+wB8K-7a%oE>B(! zAEj$=x>`?oi5K+@De!=gMyIE|Mmf5C_7Y4LU9nc*PknwluiR+d;Uhy2vDb5{!-`G=b*P4A0apF<5` zjUgErzf=nR6=iZBq z3+a-rFGYHnq&39PzLc@{aD(4R6nP;l@Aym>@8Vx|7FOOzOJ`X6IbCk^_5CCue~{s& z;kUuFyE#3Tm_K$&Jm16~GEW0QLI9uqopq~gRn@|+!s^c{WyjIT?tZ4UL6Q&7WhhK! z?+4S*S}Te6aY#Dwd%b-vnF|k@!Y0~X@W7Pk1sgXf4xQ&N3g^!M>wD~a+*S#@U* zIUPL4xK1E+2RPvt`ll0a zk}iE52pbT7ccr7~>qzn0UY=^I7*73MEMG>;?J3mx53(7jm znixfAN_oe6zMM`MfoyVV6BL`!t>UE>J^ElF=hi5>zf*R`w+t#Y$X3F)ixC z3jNiuO9yOja?#Qp+3DU|cvYy@zh!kE=n{JpoM>gUuCbfcNB-@N9;!^!4msSt-6CsG z{c~>>(}1qOERhx=xsR!jK2vA_38iYJY9*%!IDTqRve?U(Iy(g$%`a_z-S zwf;a_;VD8??fkl6KDrp4(rcuq=g9ljfhJK?e;^Sk9fzk}Xc4{c`l85h|6G4_{bsYm z5u2)lN^kSAsWld^8$^AlXV){@$NqkDOtlLZEqV~xpm0b0JblFvKf8_;NGx+V3q)d5 z)yr92Tvn1W;jg{JI?}89buvL1Xqw5zjygn4ZO5mL)0~|bQ%6|R4t^tjS;;X!dXzqR z2<*GVfz*Y#Pay2OV52hNdh=(>o$TGsZ-VfIVa8gJi-XcCGy>NobWaaMV(G zT6u;C0HWUY8t5M-t9(ypibDz@!CPqju9n&daWekSx9xnv`2^Fm_J=58r~@}bXb3`B z=sfRQwKHAd`c3(fqsKF#!T-nJdqy?YZEeGVG(kW`inO4pC?KHpj-p^eP-#*l(u?#S zARq!NO?{lB~KF>Fv=RIS5KfW>E?>#><#vaMq zYiF%F_ng<7Yp!cD)~#lqqU=Ppg|$~pQcN^tYQlhupLs(gdESbc~pDG?pjfQAhRM2EaEQ z=|81i$@{{<%+7u9yR%`-lUM4*^K` zu^{XNSCAw5Q`^fIEEfc;Amh%74c-Uvt3SujLhBwZDRs(MH~BB;E6X_=X(`{n<_-qI zPQ@IJgX0UFc>VArZ}CG;N&^`WYDg`!3<&Idcg%bV9QcESaTsb;Q8$<(Li zC(lL4bT)&Pg`kzOor~QMb7Uy$qzFwZRyGd!(Th-(VyOqMa$I-ZON`1e$scC*514}@pBH@ey7KB*6hkD)+4IDwL##mD+W&aH*DRZEsvYs zbdD!~*MmnGcyD#my#BKG7IilsX)P90+`X4F>sAnlWs-XS^ zz)SK>Y1Q5W;?q|E8wU`a(}GgDLnohxcsPqZz{TcK$W&;xnBQx&NK|Vv^)1YwcJ*YW z1I3utUA4%ZUM$wsGqmiRN!z*flvkIGgX$}ZJrYwl9ZTwsUtr|< zY6FoCmvhN4owF0Kp2|$zc`V?z@lM(0ZM4PMD(s85_7eb`!ra$KJ*LE_H(?om2mT7! z#{DUaz?-j4AuVhBCpkr1L9G}`iP<=crPm5*FGB0K! zvk1nw!kX2of773x16A8;1?}n$V-Yy}YA<7U1oT;kf5D7s*_Ea-y7gNUx8+oBwr0)= z09%?41NPcSzp3xCUGy-Z;{C@pY4s8_|aKv$dBrvz`n5N&us;WV}4 zA z1XTvwU3C3K0KJQxO&*m^dl%Y!_j9yrsd?8rEptyQ1~tf0nWP+m;HfVyqU;QG=bT5U zNB{)yMs<|;iG%-O=Ih350WcvaBdhT~?niB;BBUsn>qf=RAz3Xs%uf^Y2@jK$@dM&IE&PYi6Yo!eQ~duzru@MJGjf#5&qiz%*2Yw*U(BM;le((Zow zRa9Iohdf4$rF)|S#tEbFK=kp^IMVAw+t&&NVyh9z|L=DW+~Z!EYl37$@mQ31AaNSy zM-Id{pyY5Wg8PIqB(I0`9@rM2Ds5VD8{&o|O;&ZUS5?HlhO?wLm+rG6c37*SaBU9aTYHxPv>55miO3izPuuBCdvyGe( zIZ)G`A3HL_AZzU@E7cC|w~bhI`umVCp3w>8`TfL8f_Sa%3otPznmrx$G-Lc5%s+Nn zuFJ+JV!8&i(aG_m@;Vyb<2(>vvLCA}d`OAV6JCh5+KMg0*d81-tcoBN(PvoRmU#M^ zW+cbdiFSNL3|m9+Bl19m?XmaKkd90H69PA<_Zw8@P;Qx?O_~Cj(Epr}!I}t=Oai=s z&!(@YzC(zQMD?l1s*rvFzw)hU$uR)1A?;86Iv9m6@d+3rit|j7@C5*+aj8zfGh9 z8={8QD(p@KpFbcJf^JhPm4~I$|LL5;SD5ry=E9qx%pq7zYcYeinQ-U!qE{+tto>#W z9XUyD*|t@}H|5y>bJXelf3gbh^6mHJC@Q`Dbf$O?S`HJ^wEs=v<9zyX{B5uMk;4yY z(TUX88Dw$ss**{)y7d7^R7E0KlGf;A0YH7KiGhrHHjW)kzb>{tLT17iQTq+v=|(rY zf5xO>jJ(nBytSpqH@6-I+CO(d*&NU`Mh0B-0ckP)V9x~7LBfG_kXdD=g+SMvxA$~2 zdAy7zhGCT-ri`Yo!55_qX_i#{ZQ+VLJK@;`>6nm|A%&a#5gvB~={y@CLVqY=!-W!* zNkRlFHPPR-VI$BHoNx1v*GV`AU?YTPH)-hB>x(%{T&`=WwS2{Avq`!gt(rw;N1S#T z2|q|>{p^2r-xwVCeKTaCnww{K_hS_ZlcHRos_Q)~<*QtwqqWv_#og(S8+g)YlRwa7 zO(EQJ+YoOUpbKztTN>mY%op5TT&JwmgCl^-75d{DQ*$XW&Af)uTAMXLPu6Qp5h&R! zMC4YE=RHhUhm47~6K;G`4PX|%@tQCZpfxnmiMF~(epTyPuv@-Lb})@yOTXe5+F6&f z*Aqu<*mfOTdgYbNGtNGFJ}G{C?uLx{xtyDnTioolSvOgM>MW7f0^XVctT6s3WvW$O z15)U*iV^H!b2>zj^^*{LP1jsNN(uJ9w1<&q^$Y%q!lp4nWY$5~7aLcV(}9|IJe2M= zp|=!1FCO)46SLq4(Z?sBM4E2j%vFIjj!ZvaI~2_M<}<&VgCy?_M3w0?Jnc8iZ#W|D3uc(zo2&9Ru%f zIcR+6)!Ib<^>IIms5+liVCtTZz9{65%n9QuY-CZ%=GWZ^#*&F^Vush| z!Xo*DRJo{O2=^CYPJOE5$|s)-#Cv3H_V53iKi_uv>W;dy9>Qh>(q-UW_hNi!0#lPn z`DfaaAmqFK>v6j*fCqZnY|3u!iH+ZJxFsIFe=|U?DR(Yn-{Wr8aS=&%JF*w;?#AyQ zT>j<;*Xab?EAxG{{3_ew(95T^Etk})kowYb-2E(Fb-Ch#_I?!Nyc35fef*gxuw z06BJa_y^>yhP;ojsbf63&jWcumqhiQo&sj|tY&5|i%O}%jG!+uyd~Dyp>)@rN#ARn zH(jiAA~$P2cwFj%2So0H8#ia{Un6K2LOdR^uO( zn~$hOp@^mkN=Wq!A?&bYOiVV z%%a{N(Xoq4|Gk2;jA)PP^Ct!IoLH~rj>iqR58jp0r{jK|gR3&LQ`Oh&%>^>4#vOR*sitkgmYlNrNNcP-ehN z4U$xh$9f})=@w+h8Y)sTRAJR|8M%ET<1mH2-S3fjcDR`2Ioy)4a*_}P!0`J0ksRh0Ej&-?+bg%LY zZQks613N7xIlvP!M*i7#{r9=Wyv6RI3WnY?v8$_EXj1v{8>3f4!51Mk< zhKhSQ*y}sKeeX%Z^)UIu>kSYFQpgO0=*6fGEG^L(zQKb{azZ)#NJZuPVe_A0v+X3! zaSoHy-W84b6my)hQu@sz9>Ero&4zU!vKLw6XI@9Fsqo~=dopRX)xQ#o?1Y}g$m}7J zKS}suXcvm~>*Sr4#%%i*8kZkvB&K}_noCoy{d(oQJKt2TwhSbt`5yK0)|0mZPSW;d zuKYroz`!yYFCP*~3)#EEO_(AU5{@(yS9Y}m4|Kg}4q6^TC)b;PAx3y5&IB*73#)B; z?;0nT&7hxkunUu>_X(ta2lQds%KU(>`jZ3A}W3i`7Bw0LP zq^;uem5rdnRTyrJ&c7Z)wZ3jAFs!)R8;$2t;ToQ0i^wcer8l6x56z2y?T;P@%H&ph zSF{pL@sOjls!lIFkmGy)6TShh-Ch~%0pJG7SG?gRU5u<}OEaHP1W={+GE4ZI6d6+x zUN%jE#5b84!h@XlnoY>ROldX4QKAQLitiW8W6d_1o+er07{~YL=)1S=)okrw^4FL+ zy`4_~z8rO;>I3gp4v9--d1s~YiMC`uvGM$HN-o6#V}&9x+=qF{W8q?_p?G{B3^Eb z?V@EOws*AmpriqoUGhb_+C~Lk#Up7D-}6GjnyH6){E|_itZ@e2fUoW1{08sXBYv%B ztXW#-5QMRpbi&rI7_rlx?NGB@1u?(<=5pmE=?qYgA`^8nIr;O^RTIwKB2CR_yuv*6 zI5Wd88KD)qbUFtD`cYk~H=WMc)J%i^J~cgQ<;Hk1z4o*0@S?5RFQW#+i*-?pwdR_? zURf34^sUO@|Dj;vq5g!{SG!?R{sNi{Pc?(w$gNe!V~O7%@{1x3m~0G$la5G(J+|<>EiDf2!(`n7Hs(GM?_Lt-80_8+GOX1l;D%gTTjY@NRA&AYP5#W%sIcgWevM+sr}8BYaMWl-^Q_%8o&n+Dc^(9#$)E+-gWQwD zgHdrTh7&5GAxT|VUI=}T%<+WALdg4WxO5d^(UEbIUF`)h+07e$H)}TR`|`#N$kEDK z1PIBA55gkm<5rTw!Mpy#CidH1>5rLU##4p{$l~b%6+bZr_uXvA&mE#gmIUn<l-G&mo+|K)?(Ts?SZXOgkdCiw*2Jt+Q!+@BlM#pEg7W2 zCf-k9E*c+=njb2)X~{M()aVG+G4!gzos^!N0~L6#joTk#nHn57_Q(CT><@ctDu9Yn zlTI5g*`tn|8c<0=rp#q)IdKM$xJBFUgSTbo4# zL)^ZzjUd!w>GDrTWnvWkKHQ>SUwrZ;Lo~v5#F|fWRwb1lvBR+RC`Q2~`Z z0xFfpVc=PSha<cUorG@s6Q`hV3C8iU@+#z+fKQucC|wvF zwOJ?Qul-b%xW$4@CGFtQZmn|Dx$|k8YrBaZja4YcYZHp1$}3pzy$Lj{T?NVU@&@a4 z-icFqhPy(4_3i5~k=*;+wsX{5O&80-@M!;K&Ru(l$rjv0D0#+}Uu^W$4E8|8K^~68 zFQ+`s47OB#vG}sv4ykAiXV}t=0<_=0eqmeq746b6LHh*ri`>pbkA-i2fAktROR}ci zS`w}@M^US zQJx}5z^WV)4W(Pit_s3wRsOliw{A$q1CEAl)=$s8^}1~#sr zP3Ntgd76B6-<9}fFA#s*Gut3J@vAbq-8wmVY1tv9!b2D1wl!4j9{@*SidGB;@M5MD zVhv}lpBdr|?pl%SuByJ&;OCJL^%hGXQZakGxC2-|tyVA_E`}H)v5A*e5wfYjxNF89 z{T+SPjM#w{$Lv-`RN-6Pq^HDBjU>8k6!eaaOzYqE-a?s8rBLS0H%Wf6?se3|B1bnf z9WNn=_vP%Zjg>cA|V!nRV^Qy6|vw{!umkTvW;-X8H0hJ6)q)iJ5#?z+7(I@NxpS*>sv zr;bT|TAB^-5I(-XcvUiF@Y2fQsg>wa>|tx21-?Mxv9nYpi26q&qr&936TO`xy z-UMx)0j)IISYCMV^E!tn@N26~|Ko?rs9!#~1CERyt&OUUl9q7%kFi$ma&5j)Bc+3b zjXGyog?FS4ghd6BhO@+)UHyR5nlIi5p#%%f@3bL`8VkF5(6^OU~!jW6Uw1B{Ld$sqAoi9)lXRkkk zT^fv5<=mU-qJ7)Pw#a6_VgCGLs27)`FzdO}%&2rz3b{Csb*j$T&1Y#8z)>TGzTs2241cYpo(FBf~l{6RdEc;NP+53Ij${NuL=s;U%n!CKGn|FgS)x#Q0V z{PB(L6QEt35ry3Or@+bZe>|Cz>NGt)zu@4*f(QTR*~O>n`8A$1@@r5DY5modpOTVt ziCX?4+vz{X@jpD6U-h#T(C&df@KJ61yXh5v{-88f!Tihr<9+{lP~|mX*bi?8@tn?+ z{i|s(H8u4|*3~O|SN=H&h+AO4z$|Ndg| z6VUF8ry~WSJ&OC3l+VGaK@BKr0MeT^acOD_)SX^7gYE8c`eRJZiu4KC8Y|--eCsaZ zXz|DmZBbKkgFi?yl~kbj-*^Al|8WrqCMcxt;L&M*MtTl~*3y^HmGUGvV|sWSifjlI z06PWHK{8$NE~(Mcfe`pY84NW6m-ugZNz+h&w5b4BefZyN4mC3{hyLOQC&df|6i(Z6`;PK7yj11^MDYwKF90E{u_NUVg-c#jr~8urlO|*KgLe|N7%o; z+W#d^=|95$kFfv$Y{q*{De8vTD#IMq{`6kKb{AxQcb8PF{FS+WZ3i`1tCH}RQ>Qw$ zl?bVR(aj_DBT#7Lfaa5No=5lh@n1@fZu|p$h__NHtMs|7*mDKnVw5$Dyg0J{TXSCK zP&aD#>w4Rt2~Ihm2g$M-S=lI=Gq*^m^N%lf<2t{z~ zS>QR$7Tm*?{dJ7|NJPD?KABOhNonlB@Zvv#65yAI1;sZhmu!$bRcmTG0zeo4g4X^* zjQ_kyHUyAkX9?T?iJp3c0Z2;2p7i6|$&2Yw6oNE{Mb-uoYX_2U9^x1WY&2r{`l5Li zssoH?oc&Cc!83evZr^GgU7-`mSKMd^H10#kXy(!4xB*9@m<9?!rq?Q|{+=!!F#vlX zn0|Znzn?(3Hj1!NxHzd9FHb+c5j+E+ZPlAeZxoBMQW3@mu|8;walWux0(xUe&&fffb4 zoKf~R!^G!uIHQml^S4*&iRG%sHyX6M8s#sM9MvA_dtHZbe%uke9lJp6zv^qVHIs5F zoTuL<(4Y467Tg`HwBjDU+^@8k?oNlm9XMaPgg@%Q5>OmT2*MAjVHyHI?tN2hyk1#h ziCBUZHF0fYo9`Beo22FJRlzC_);wOm{G1@24#y{D2u#D$#Z3E=A9}#@5(%i8{bN&z zwsgQ5x_?=qeXgJpJzi~#?*G*QJxJ$GS4sKPhW$^bCV1{VCqRv563U?J)ITuy_ZwAz z2VjGe8HrQ;ck90fYJj}t#?9X)92)+PU93`30?f!yAC~{S@WX4?-$hHR0Dfi4&A;Oh z00s5$x+hn={%r^Wh<&)lkNhtFP^s{jsSOrA3-n5pcqQWR0sXf#02HA3UG9WY)#?1; z*57UGfyj#+hi;t6zZ?AY@4-L(&*1;xNj{H3b#7Gxi9N!!uo;+~D{0*AZnKjIJIEPl zYSGcsKC&Ao_(AQ=DuDXl!|3C}+T&~qHA3H$0YF@z1}Xm*s7E8fPZ$lqeDU9fjHDR= z4(9X5fW`!Q{T(v`itJE*Z1@~!`R~@wQ`i2eH1fN^&Q$te>ugmH`rpM$9>x9JI9)36 zH?QT>09-$|-haC@Q+}XVMxlr7e+SV1TU-DThy!Z=4LIs@<@4;{Z9Rg4UPbe+82-D# zSDyw34}=N-Gx&c(tl#C8{v-MSsQurD|8JY}&sXpt@BBKD)ek=2vXq6&y}fCE>1~ZE zH?23;M6Sl2qje1_$9oM4Q3eW-hfmf{N1H-gw~N)xSE>`eU;ALtb>f8dwbJeCo8~=e zpEnL(q2DnEvOb#bJ8Ns=J0l*l!+Fi6dqo^s zLS&f3lt7bg)lJ2>fyCgtmE6`8=k(L@Dz%);7Q}aY=e$V3o->&>q;Shv5oYzLEmB1S z7GkT0%fRe!o;W+R5Xr}uqI7EJuTJi97P0Cn5GH2L z2WG6RwHFo%);wo~_B__O&Qo+pL&|~*Y z;14qy5fy6qsPHlsUS{F9;vC+m&7I`^35bT)6-4DiZ0n(ph56wr2YI)7lXM-HVU+(B zqq(xL=r0zm^S^Rw8Li$$B#DJtkgc!JoFsOwzm9MSYt6UmXhC2wk|pvG!zX{nz*hwU z&ri~w?tb*op!i@HmAlwL=Hkm1up00iHjM3r(eZcu znu0)A!d#%ro!+-%TFvbP6*mgb3CNQsc;~|g6wB=&GAjp)@*Mp*dh>Aw;jOqq{B`n_ zt;G-XBAHw`Ep+N5hiI6_iLFNMqHv+L-Hq?2i{>X0t%)6Z6__?>mGfRR9vbPzqlF!r z=`5|7(?y$~{b~>UAg$3cD6nZQmqQpRgMN{2_f99{{6xC3#kOnI54J+u*7r68Z@(P8 z(BtW#qNGx~bXKE5g#=;=Zy>Lp>=IA5V#RSFme6Tszt`Fq%2*k0k)kwOCMNgHG5y9Z z-%rVS-i0k)Vn_?vIB{8^yX5#<)k1mWj5o?XRq(Xr%c|IiImjKf3zkEfBRWZ0j3rbp zW{z83B|t|lQ*b<$gR&Eo=-`CxE5I(h%>wCuAvP)rW$wnwX$KWSWC+QGSS$uX)xaml z{cx$dt?!*9!@C3r!sB=HeJ`B}`*JwaFik$#G(YtADkiya_YBWZfTKgpEb!qeyshRP zn*J>_(Mt0;Z4|q@)2soW&t_|Fcs@29$3aG?F-%)oRD^ z6IYofFu)ySD`QrW)2dG8Ez-9s>YP4eU-4n6`H}we8-&D|#8W@?MFw8V9t_=^sDbtW z@@ZUy&vH9)matMl+|Q^g8(s|Z-{JNS=S3PoC6|p1c_8-6Gq_-`pQD5yNdw^xs6f*f z!?6*(KM9MYDcB;vTFx!riE{<}-YntsydAAONKy97(Fr6Yo*TsV>;rdHy^15s+xgbB zbabn^^hMKY+Y!%bODRe!Q<2iMQ2Gj~le0Nm=L(>!PX)h>9?-lB!j}zT8Ec?+1REup zj@;8}MI_1KBf7F|DJsVK*zd*j(a&FE>}?DQr`ZZOUlWaJ*ju`w4Kg#kD|#yLjpYZ6 zHCi{oQI#7NK)Ls-F@uUVnHofDU%<*HiY0^ew7uWK(Cr?-I*rr%fguyX=!>j@hl&$M z=~^?U_1C7S1Fok*c3)0R{<3XeLApX~xA6M%%THyc+%Ink|H#z}L`Rpd^dE)1d5W3H1!;N~+~oAY7{c{3s*N3LpU^=$2FItay{ z<|>Inhp;F~p3^!u4}2NLWi#qz|M`X9jX~^q)FYm5hX%U)cyCM~jnZ)?DyW zL=J@#ca0JSHxIcdzD~pI=H{X%X~yp^PM$Aml9m}#D{H*f_N61Y<-4|s;V9R+`WZWr zhRR8Z?9mQXG)XL-J2j1|W|MjT5Y$oM_XY)vPrw(?beyN8B3(XOSo#OK59o-Gm0ZtwrL~7`l+t<8La$0VIF5$djdh^1xKa!nFPiNRjv@(sb(BvY~_K z7=_tkm|I#n2q1nC_%TDo?KV?qu|$TFkP4h$W)(`kW@+>m;M#1DOl2QbzW7cqlRvXr za%3oUmQuft-Q|2OW$k?M?rG&Xkq`Cn#FwB5I@h}{BgWsYm@89@~$x7-g81S`k+bN zV0F3<4+kBYJk$ zla_a~T&b57KHb{Xb7u%R-Wc#C^F=oNVZ&M|?bOiieUfKZc0F^(XDABada?UU z41j~y$EZ{DYeS`Ib!K2#ikmh<0o-7Q#bUM~MGk~wt&+b}UA&Vk{H_LSM}e;81fCGX z!I0ijcQbTy>U&}6JmbQ>ui)*yu{=oc*cpm0x z#Jt^%&wPVZF$AFCV`U0OAdVy5~yPCur(%bbU`E=Rc%aew&qMK0KxbML55uy(Y?7X}e9 z4~vg0Au)ZS(_|M}6JxfHi^LZeWXuXXRAlCb>gzz=sj{`hd-Zq&p!YJ_i8h;|(qHr9 zw^aCOhx_cHs%PGsaY+zf%5p&88s3_6^S_I_xpO)oBH&}x3BR}jG8@s0##L@NO&A<~ zFM@kWGK;$U>^vSs_jwAU#VXZbk=K5@k?pEAL^{f#6#_Ge83Qv#XIPP7j(hxkG)nG5 z7zlFZOaQ<7hZXQo#E75?=Y9E1M>L^s`{l9O!WJ7M>4h&jyEq)P7_cX-3FoWfUN=Vewzob=-OPOr_7ciI$q42?2q&xiu+njw$xqg&d<3A1}U z93Ml>#Y<8lPPfyP70y}1G`vv0i*uz|frb_s+M%UoZ+Lzmm3De%@p{GD!1Wq1Qt-^I zzs`g{p~>dG+t!*-qhQ5i+jsZsO?n0IO$LZ^Y2lV~cDjOX&ap?(zH9a3d{_lOjCak` zE8D@24h`0aQTMm!DsGticdH#kZ-bB{CBsg>uZvWb>A&cIzSkMGB<&_b8wRyc&+;k$ z_!?jV{pGlwqm_qc5*^CnEBV7lr%t^~OH<{gB;(hcUo>5!nliA6Tv-IlVjKI*n^{nH zu2?{^o)M&`kXy|@uWmHULJOXw>`QkA+bT)3@{&WfFV_*rgM?**V24< zk9SwQr&}{nybLl;NPiXZvr{{3JMmB*WwRsQbl&l;GYz!(9~NVixeFBR@=sJ1FqK?( z&jSC5dlw%QPw>c0O>J$#0mVJd-5K|Rt3ZjG$AQ}+per1rCJ)Sf=0h#5t*`m+v~k2I znfcxDMJF1>O-@c)Iys5@0{L0-<6x+g?_!ipoD9leA|*3Zo1L9KF7sqRw`(8}SFtpd z{Wt=eBnH;{eKI-eWX=y$e1)8J!3=y1a0N#l3-bidMo4J$JbJ|@IA2m`DXr99Vezp3GxfPd{J~sA-dPtb?!h^Q^}+g%&B#4?Bn;oyl@E?AiGsPb%HX({HleF z&FjyKyuPdV+}0=DQoD@j{3~@qd&6zgl5v`*1qn*t{*^9U$=4J-t)4%orr&RD_P_0g z*(LS{?@VP!ji+yr6vzlA^2pC@eB5kS*H5}IMy&88Wc5( z>Lcb+9~P5GNROEUjM-+Icjwfk%sdYQEvE?D?7eS5wHDM zzhn=n2iTN8q{;A;gg9R;K2oem$ew{r6k`tkr&Q}sRv0DCO$3 zRq?^8T`Vk+pPO!TiYpjDuCR#{z(-yapi__g35mX9lTjR-XD=p9U!?t6jEpUg={Cch z9Yk=crTSbarkTuQ4KVcRla}vSn1h}k2;te5kLcY=Ba0jbUWP`uAUPiJk--4J5^%!^ z%h6EE^Gr1!1_3!e0q9y+4xibU!G!4+-IMX89(~}YdGZlqt(9;j@@U0$YRG^rJq)@< z)~y>L{8~GF(jJONOW|H?DkdDTFkNNsAzdldf8$jl^h`z2Wp;IC${9RaRe>|~Zb=#O zhS&%HE6hMrWs@1}WV1%4mgBP;k`ThY0jm%6dW~>OCl4ZTr8c<~j2L_@9>@vtj!Jr! zTJEmJ3qN-%F(%ypCmuRUcw#K@IlZdAYB-w9=%Rlb9}sa~)KlIYse8WQ7H-F0t2gUv zlzt6VTkoG|l52ufN96R6KCb8**?;w5e}VFGdi-SSF_!}Sa7bFc^Nl>Y9&LH0XYf70 zI!>l1X7Y(YZY4ZU?~Ld`VszCSmRYMB`1*N!5Z60*`7rXJ>x#y_rRg=o1G(P=&~dt> zdc`j{3i#3MUi!*k<*2Crj6d@x@j<*_*~ND@(%CWR+o&qNtz*R3U5*qrRo^ zDN;ol#v}g`d5!1ME=nw;UJwEXsIi09x+ZpZEH{1%bbUWHNnEyd6D0>43XZ4O*Y7Jg zMLXE#!t%%Wqz+uhaJ2C{bq-GOqz2Y*gL3c}_b;)MeF@p|Au+>^2SbIi^^RAbh^0vC zz|@Pl9u8~r88tZz5S*_(Dcq~O)sd;KrIbLN-`twF+~~@V80uYXO~kkM;5)(x>TO>~ zHf3F);UYjsAADMHy~+B3hRaSN>f4%CA7O2#nUzjUQh!8N{2nf=Th_?cO$e`+m{QTB zBB})k)q$=hVF`-?Pfv1`pzS6g54C`Sx_yh`9aUG~$`QCia^%WxqRJC_aD9^K40pnw zp$aEa^Ttbs5wXWRZ?s93lmENw5t z#=|Z|!&P@pGA?H~4@R%cAUPDq^-#xG_i?(=-~&_XxE!6H@f!sDAEmL9>CgEHtIWab zQ@R3n^;wl}4?iQCN6NATm%kHXiv>g2*$QNR1A6O51@X|Br5(GY{Uf;c!zq4I=r|H` zMb6Jr@gnr_>3z-d?}BdWXKu|E@@R`E@O&tvUA#5+tMe3H{5;wxBz6&|8*2 zoSLg;?|Vim^}G*R?<@}tAo8DjFTB|46-=1Q;x=Hf z^H;l-48fN8i(M=}ymhbf>s1T7atA|s-bY#&5D!FRCN5~K4XE$NU@?(XwK{drh*w<%t`qwf`xyu9u2P6#(qtFg|a4_g{s)ag3T_Q@pJ zj?Ehr1mL?rd(YXbe@32Qr39={2lTdJJ^LL#pXHX`g<9bc(7=v&@`w`Zh1 zh+fJFtehGqKFTCA;%U){_lIw@D|EU>bkIl%?Z~Ti&V8mb#KZT}gnF(3MZA@>-c>z# zX9g^p7H$*Jc@=**Ko@Ij79T)J#<`Dky>Cb>7tfu&peh2RF_GzJUp5j1%u#0$IIO-%Q)-y0OW$mejpB%Tl`)>yH2Fbmy(mrU z)YzEM#&bIR8v{|)Z=5}pE~wWEp|64lIpRV>86kS6Y&@m1xd~luv;8o=RdA!@S>*5K%sj#AKeWv9$Evj}vh+%4TZ z-hV%n*S!C$+#Y4ciTCaq7&?h?vb*G+6h!?fE3svY=kvwm%lyE3&gjKDxS9>u`Sc=LB8iF*1= z`0q#(=f6gh$P7OKuLn9c-VnoAkG*F_;i_!*5BQ0NaZ)bo?t+^{^8Q=4*nY7r3mVwCbL_7+kUwh{$H1 zE6TdzlBcXrkAeL$9*Om`}#o5^K6*oTY{X^ClTuZWRDA)<$f+@6_dp~6VK zBs-8vFDFP*mu2trI%O^L$jmrHLC*6Js8b;gOO!&DDa4=2#ryXN=;|uVT&Cq0n`0R} ziG=ZvCNv*Wm*Y5zm${CDpE{HbV0s#wJi-W}{s zv8)u@uALc|^%#FKns>J%mqkx8{q+(et7{@lBR+(#;8fNg{-Dh*0p?Dk$ab>~NN$K3 zIi#wnw0RDk?MC6xda+zplSv}eR#=E>Yk*34zU2Gwn`NXvWL{YhcoLHE<6J=)Y?Bt0 zcO2`})$|<^l`_M6o|{2`z~H@C{J1#y(y#hw-_5_=r^03-~ar^ z=UF|!7wZnegp{R`MZq`;ZLKyz(Y|XH@IJu`iIq5=4(25FyIR;ujhM`yTZv>Art!ua zQD-<_clZvi%n{FEYcp%??a)~V>`^nTYMIIFtRMEs+ZW3F zEat^UfYq1f4GV{gzI;y*rJmg30!%}CFZg$O3PgrQXyW+&@b|)E)?_LMleQQXpVYwy+VoW7c@Y~#WIeZ}77jP~XriJzW#hX( zd6>PTg#NW27C7;=Hc1q(bT5KS<$)$VRl_ZyD~nB=DKF`#nITy2UB`E+#HM3{z>lBB z1%X`3O*438OOuhI>ovKA1DkPM3$%yla%HN#xPFIsTlA{TQ`RQY&*=w#Oa?IR00X~D z`}gjJmb~6qgGFC^a|{U%oY6lXyiLyPaSRln%S`w2%HEw;|9mI-P;F$0)k7%oIuDuU zCjKFdiisRg`%rApG#$23$;EPw*w_+48Y%Nv>3HtgJQ&=nB=f*9L~0P!RauddZ$sHR z3#^!b&R6d*8=v`b!@JQs*!Ys+@G5O+j#>TL1bK#zZm<*kP)@|2_9%mLv;YWhr5nxF z@#GbUPw}tCFY+9vpTcclT2+Cg`j6SiTHiNxA5>4|LqGrG)v#2Iqgk@_ET5S)7RIuM zg6W?q$)^$7p81vhghg^rP*h!^rgyAwc69R~kSq^>8p$x)(e}ukAxNU}sa)9DHM7a2 zX9sVn+_71sVBLN}9l&=B)IIYn7n6%gD><5S7-k!f3m%fHa&fPMSv;6#4xZe-{!9vV zbtGC*R%6XoQ`kS>^hl-Z?kDRjK%PieO?8067sNOWP@>sCm8ft0I2dc|X6^U&xV5-a z2e*;G^wJCN^HOnoHlaC;VSkw1#1!gY8b)0S4@-`l6zmD%kUX#Jx1Lc1zqOfpGs8kz z?m)E;zWs|;YO8L=CjR}fVBF5);tuwnn^1I|WGXEYrY`hBMX{vJct`VL3F!0wg`CGL z-Q(pG1HMaLlLfOwY}o^(P{^7as`b$+k=}%XXA{WfF27e+R@*zBSq|JJ-}MRGe6r7y zPZ2gH#d5i27o3*q=kM#WF&iG2?_qrAT4wQH*3NOz#qj>I5)@lkRVthBQ9u?(9a$5E zO8_f4#JK0C-4CeAy(U}JF=;47Q(rdQXP}g*&`?vD0oy7Qig^9L`4dgIw&?)MW@Uj! z|Fmj<2kVly85W`ZL_$R(F>+Ssc|A+t0#!?~MqCP)igZ6{+~51RDKd0!Ghy-H#GoFK z7ppf85EwY4fr;z=+TCtpj@&i>Vzgs`JTE8b_3S4r7*cjhf3+3OgQPw9!fsOkkMPjf zzc3|Df->8-XtkS)0V0mGo)F*roXk3Vi{|67nF3(5a;pY)man(?LzdcGRwyS(sOI=n z;6}7ds|{Zl`=ZAcO;dR;ucn(d_DmIe9Sy!By_tZ*O7&Zdv*AMCUimnoAAyaHg_FQX}f=Pq0a!ftc! zLYl`70i$h={>ovD3>S^qbc(8#eqbhfcl=;x#jhybI0>pa zWxbTpx)s6JLujqc%+3nh0XwnpU%N@F8aCLP^?eL@SR7*3*DxXL`bT6xkUib{1y$V0 ztY#n6yl+8Vw3%Amu?%nN%?_EL;>xs&LCKxPgBy|@HYYUA+NlX;vmKJ@h(aRD}L+R*h!W$N=EVqLt%onts3Vibxy1Ssz#}j)RYfVSr4}D2b`vx#< z#1Rag&xs|c5B_G)!|>K04vXg7>mQWVnjmX>L_QdcJ8l37yCOd>drIQsL1x}6zE&mj zp84gVfc*(w+2ee+sRw$uUV(o;-N-z_6fg;waQfQ<@-W{~bf1s?vN<2!W+649^}*(+ z(}&A2cd8O@xib|ve{U75Psh^z-YRDQ2Y3rEar6d~9=ebz42;G#`s_KSk}AlnGcLm~ zYpWHI@;4LO7pxh316F#>iBWbU&l^=@cI-nUHVb%ko;HA9Rc(IR3JAFG3*D{bw{$8}(%o!AN~Cks-QAno z@5#(HGhW_vJu`DZ?{U2EhwBq_AhXW3{vGT8ThCC)0uSVHLQKEdZu%nc6reJ45IzBN z$CH{o_%4n;Q<$aVHoJU%Lb-a8q0<8t2P>UB>))yf5#`p>L`W4na2SvDEhb!tUre0& z#)4yS1Ao*40xng-^K-ofx1ARgs_R^R*s4h#7~K$?6igMiPHmlXPE1b&XwOJH(t*KA zXX)^fY}QB!Czf+spL{^f93O!R;nNAP>sj_I!S?WhZ%c84Mdc@zep^X}0UI{yn5Jn- z==wdUC1u#L#CmC~<`+yHT~~eDk*<%{v#spZFo9bV4D8Uovrab5c*Lv41Tj_pxPHnA5YjG)`D~%QT>m&zc0BaZ-FWA$ zYqW}#kK-*eAp;;iL5%(EqFXT*0Hu|0S2YX6VBHCrJ&5K&S;7TN!f-EYavGQqDdlINcugVN){CZi!j-_yO@r=F=I!@FY zm+$;uhqA`0%{#I*uHpIA6wq!tak{p4+NdZ-v7kaR+Kmuhm)~1H61`hg>x`*3OX(Lo zT!E_C|6Uxdl27UK042y;=MKKru`YLd0P5mAvG-6j9Nr0nwBanP7f_O4I@<*?J`HQZ z-<**xo;)iFwco};i9_+2@Z|e07p`{Z$(*xwBmLm~+yztQW?A#nlc@DTu$uLH;0+cP z4aWfV^@9QaIU-?upoL&$xJD9Qlk&1&qh5n@XQ6ITDz-7`*=QdRo;QI)Vbhdf-wy#M z^$SJ43nn|;48dXDcUNNZD|-rB08Nb_EY>mgt zfMqYHEiW(co}Sh|+{`bgzkLq-5CE~HwP}KyJQfvAX9l31ZV{|v(yzBoyR&5D31O_D zrj)CzHBq+f#*;BE>6>D{$k6TqhZl{%$0+Hc zs31sib7A^maS2f}I&Vb^RZfWgrRwYgYDY}oc|twpeBGA-C!W$bo*&0#CCop;t>S9p z>(FU(K#U&_natv=dDTu4rIYn`xz-PGzFxRp;I&aVhplrRh`a3#2h)Ml!(m8eZeOK& z><(0_xC1Ye^b^<0#e~2^#tT6g|cXAs3WJX6Xf4SdE&dRM~5Hsk9W9y`xFF#|O)aMw^i7IwKx_vP&7FOSC-!C57blkloB4 z&-WY|{NSvMrnU-DMjF- zQk{NnnJ%_))TM%6*7mq1uU$Yzaore5TUgN5Ay0nBgR81!#bKjj@gC)%mN`SI*BD0e z%*$NOhiJ=_ohB!wckPWziI6MGbqhu>jFsn3ta$7(*1|>{3M7#$>Ls&2Z<+dz(|ZXQ5rLrRv7zMJzh{ob*xe>6|YWM8}g^Z z&@HrklDpp3JH*YdvuT<3$oXCTX}18~)(7q_KDMm>?{PUA6reA7#EmjiZvdJ3?m7CT zLxbwvjhRW{VvQks!Hu>31hpe%)G86qw}~J@K74srB_c%^d$*A*ImM0Y%lej;(hx%2UJOYzva_Jjhqh{DkrfZ|tV zlQzSU(dz(8?Y6T)I|qQHPA2lQ)-O-*f$u6_o=8%X$kJyo=^>d7tR9-qLm_Xv^MZZR z4?(T%A|unyccD!Ha>y*I0xf6lWeNm?p!?&rmlOk2ro0_5FV34*J%K;Er-i+}!m-YxFCA`$?k&p@TO z4*)@wU35NB$?0TV3}y7%PYF?)>VjKNWLTsMM#W~xNfRJKeaJH2c_r6Wyr}m$rXBM` zOv08C{7ylPg{k-vPb3O@=lpP7&hZmYH?*sp<)gqB4Sp>hDRfq zYZy{h0JmX(qpE!~l*qTch0?S;>28l0p(gV3Cdx?GB47)Lj*^n!6Bah^?+(_Q1-n_Z zhl;w>V}ih06=u7FAnYldD{V9W)F5B&g?)zL{t8xxL@#FSQdpux;Pr}nnAAZmrE@%; zxh08Ua$6TFVQV}PUiGVfSkd!XhJHNnIy!uD6GmPd+4<|e2k~cNGmg}>pn^I2NhO>Z zZ#y9Df(C2*^WobOyNxT~|gyC!Ku#6_N3t`<;F@Glar|3Cz2vkd`&-bKgU~bBdB0e}9doumaXl8muNOX(ovgfb?0Wgd4y3KP-vxo}Ln5rTX0;&!B#1$6UArqH z3obBEsRo!At#d}pjM?0Jckt!T`MXLNoQmR=icaJ(9w7JxRbqlhFJqf;} z9Py9SN7}QMtJ=FRSzbN{t<%Dg#U%r*rZ>kz=G7u2 zcYer!q%1-(dIasfV4(nabfIJ^;V>Siv&rs2OHJdwIvyXqu>R2N5_-6P-+z#lMEFJr z($!SnJvjZ4!tBOy&BO7*k;UW-oN`50(QH;GMY7mW3HeYygziCiMyZXiP2SY-Y2G-w z!k5lK;eG+pulDrAXp0`%Gvn#vcZa}>I&i*x5;rgHUqc5ULC=ytx_3lFNWhHD;63&5 z3eYDH9@35MzDj1`6>H!bXC4HP??A8kqo2Qp{^{&JDIYhgCg&ANbH>#C5R*P~N*y;) zksZsPNrRAq{0h_%yyNTFeIC1w&YpQF-v}9kRP#~ZHtXZFDV<@YTkq+FP zMJZO#U2}f;6m6sHgUu9vmDLns)v{z>fxzyHzwJ%!k)4Mhi+<;cU|Ut}klN04-8~GV z{(z%59O~+OXo7RGVY8(iYxU>T4hfB9t)~{w{uaEa11p$Cl@z*Q;_USFFvlw4?YgEL zw2=p6<3Pk(P;8|?6~{-J?=~vHy2i--)pJc3WKO9SH`QsN)t$v53xJNu=`E~;=ei&h0Q_)g?A-fLXYQ9Wmq^1RjmJ%V zjiR&omnhYR`}fZewYQH_(Y1;p8nAMEp|Ph9Iv9%09hoem7obdq@0Szmgsu!tK z1I#G~en7XDm()WhfM(#auNT<50&~ol2_W;G@HEg1fPn@-GH?!^nfdG9;u7do=W6l# z=FSWv3v#e0g={JO0kfI+vu*c@0%HHTxN;nvqSOl%<2EOe%k-t`sO@vwGLFAKg`ZJ6x>cI7Lwfmt8rZU+rd@Z zy8n*D{&yDm7xDS;AoTyu6u8HeM_#{S0sQTWaNpb4voG9X5w`93)L&ld0QV5@^|bHY zCQLiG3De6*Q*pgSD?>Zb@%TQ>6{6%cBA;olkBEPGm~|Jx=a7S*J^st#_q(s%;SSAP zI?dSaNw`vw=}h4}0PIkeDv@Ni$*id(Hux@AtfL?72p2UlVSql_yN04>=uy#{_9^M0vuP0O(8~x z_;zZ*+4J-wL=3Mm@AD;_Yz>k0j2Rz6%>>dLha7%q9oS;8J3C?l?vLH0IaC3*y03_` z_OER9=^Y1cID0~)6!~(or7L@x4~6}!N5c*xz)V&jt=u0I+PJTZZynD!NW^da`4j5i z{*#+h#tM8_z1MZ)11t*N9uOcBIDCEmrts|uk?y7Zj0C?k&A0C^;3pDKsMUYi_#XoJ z2O~@P5t4yx4Zu}eH6%LIC!HE4c09dfrtqB`T%N`~5D%}UKGR}m&#K$eddT*Bxji8D z7Y|>e`e9jzqFZ_tlJfs0Juq(NgV;6&g?J4%B(`A5pWLrF4BcikX6!TF3Vvr+cO?sF zuiGZ{`!V1V!hqR%YYAzRzi{2_M7LTww|{dMix5%{w-lRg)@)lREZX}vtlUhKza46+ zQ@RMSH6Cuc;l1k*i;>^~bP9~-`r$l(My3Ha1mH32n=l=4lR2C{32h3FOyAp(aaIKAeMm#XnNQ~>AwQ_yrv$&gYVMFup@kzf`VnbRVKEy z$W@rZTvNl>tFBwcqQwBmAHz=fhqh%X-7YL6E%hHnpft3^rc-yyoF9Dab^o@ZDx5wpB%Z>8z&SW?6UF%7bOb*Ffzn4#|K7 zMgFfPX!iOe&P!yf9N(5ogotvuWxzg?5apPy7`3!RxWKIW4Odl`sc_4;rT5>Jz*iC( z01;uNBmez3fBqlGequd{k*MBBeiqnbtSDqe@x#I0fRLJb>8RO3tsnyMU5W4h1&#HK zAcftgG%sZYeo%+s#O6nJ03vEYxAq{{AA{kRxgOSxt#?8$95hoDnWzCAj`EeO3O)dm zLkEyh)qUzeBowGw-FC0&euXgo!{Yq$7r%-wFntMZTU6*gIm>5}YoCu&TU)!&rU#YG z^vKNk^AVFg5ict&Cabp?;O#iO;ve!ZMgx3+R4MxXAEf$I!dyJNwVITWa(BD0OI*Y? zfB|AztIj%Ny3V>6W8JS9auhCQdlQ)uqnHU!^i z@GwO#B!n%ZeVFOB(@agy#cqdYjOnk`)8j<;@S2qKT%#Y*L6~K$%WqnayWQ6$)4Tvg z*T$4aEW^%s@ls{U-O2RZt*JU+X!+8-#Kq2sA<~zvF<@uMZ`@mD4By^v7MJ}BS)=aC z4W8$B-!3M4=dS4fg~v!lp;)3i!9L80`@t0Y2(Xi!CV4h%rMbpe`QIddB~68L^IDGD zrT`BB-LvmCsCAO}i*YL{MJS3P-P(8!+)qgnJGeGm3ZG7tG6ytQwDF)V3vSWF)~*ri zQDWyMveFaB`Hi{x)+v^oHJ(76RQ^IjerE0%{jJf7xQU7QfDoXLA<$Qq^X&QBu)4^4 z4Iel`k6)fAJ^jv4mhun2{zrBWG&DDljJ%8{r>88@O6iXqHly*@V7H5Ns$5~#u}fNI z(TeX~%V~#d_G}2S{lhIM5fQsw0MFQv`=q3aU|{!Uw~H-}j^#{+T;7dH1}OlWuLGTa z170vNHv7?Y|9tX4)1TM6dh>~R7rHg|35bT|54EC+7Qh@DQu;grw9mc1Lri*}6077qgTzu>oYf-;iT226lE{-gu*y<`Zny=`>IgH+ZPdQj15vKe5+z_^Qq$?Qn`z zBVEz(f5SJ=lhI(j$Sq`Ob`GO;58HTBaV4vF%4pSENW5Y)C|y+7uJNDBFOQnu{K+_| z7)`9m@m#Y7-0lcn2}|lfj26|cVoffpV39Ta9q{Du&{WK)xdRQe;h=+*2?b!)K1&hE zj33M*nojrtoRZ!jtZt$6zagt-N^^6vO_K&EoNHF|-0^W`)!O*Vnnf1K%DvEY$PtoX z<6SlTPi1xt9rJsCzdBID#h=ztrlvP0LJ6L^LeBXYU`2BXHUphYjU6_%7%$ z4?bptW)iTiH484CxPQ(DG#~=zCEcFtx(WN-9b6w*0TKD9YF8ntH-EU&!$JzrpT2T} zgkNl$e#QTL;P$85|1-gHseq6OQ4|L4AHV0*pvjYjPGM~_H+pFN2Tb7Kv4lW*glJ*_ zZrKDeAbH078uRooVAg(KGXu}p7kKzCpANVaZhy!Xma+8LDc4VHlt2-Zfs*yQ%Mp_< z_TN1Fzo=0lbsHPM4I5WsIeqXyDfEB%%|Id$eG8WBF8|d71pmGvF{wL%?}T)9kZYtr z{%4_1Miv61v`6JJCiWk--@g;g_=xr20`Mh%d5QbaoKPVVP#bVFH2oWH;0FyK-~6&&Um>9W zn>RQ?8fsqhJ`eClyS>QUNIQ0x(X6Vjb5G>>BM!QRZjlyzm+(Z_y`Z0U>_7Xw2^U{5 z>=KLv;8T2G^qo5hcYb%)uqM2q?zN)c%68St_Ris}cJVCUbEyh10EVJfmaXxw*LfS| zdrH`OXNbT1+~q8h$khVQnZlEC4SWCx?_D|RPvZQaKTb6uiU6HoYH4{w1Hjvjvc++c zL*4A{?d^1N?a>e-FSkW~7XLv$WI^!UPZ4~*W5c$4+H690qWv4vS>XOtoW@Uo`J1>6Dy-r*iY8xtG2ETR5v z+e6W1t#S`j9pvd)vlz@Iz}RWic%tTVeKOt_0&qoC2-eo#aDB)PCPNVwnoxp%xc{H_ z6ovqTU5vK@Nz{Fjn}Y~8FU5f{mQJL>EX+_eWrtFB81qh!CT@rUp9wr#1n< zFYGw|M&)@lt;bV=HGEpD(BbW7c%Eei{$TYOc)Uv9yY3@quDA8>a4@j`2E*sVnV3pwE^8jm!`(+QOo9c)&roK)Q!$ zjVPw~v8Eir-*stU%j2bAL~ZYKb}H7`<22E<4W}PA@UTlq!~OA$x$mC*wYNS!3gsF| zlBFByXAR6CY^-xa$HR%=UHOuF34_1=*rNMIX7uE5tNmX`d4rIth};)1vNw|-uD3c& zfKT3++^yFY>U)upAc}_~_{isM5n{UstK^-Ajkh<9fhc~(l~iDqxNazNm#rRMs>7I+ z7i4|c-HGiloL&n)ked@AT!n2`k%*$czQWy+<|m?n`T@gFFm2DOe*qM#*_6D8^BqI0 zVXf*IRdQDYW=AgDu$;%B%a{8v`Rw%6`{Q(4fTP>^a(cVdH$Xd*Kaxs`_L;MiB16A` zY8bb#3mYNkDhQrz`*UE<`zGFpZZ5z*Vq&lT$=C&{;--7LS}qoC+7#2Ud{QT7RNz_T zYXksE2pazHKcW$gw z^1fc#ujk?QAQ;4w}(%xp*~Ew{@DtUkJA6lWX9iKq)Rt|HM$`pd@_y z?(B>IE3{6Si^T*iOO-&4me}nzb;@~LA8b+Yw`l) z0QgANts6FJ*c-V;l$Yn7Jck3}&oV5K>0t|(`iuTO3pO`vVlGRjq(lxWsCd6LXEHdE zZo!oT;%~-bcYxc*Q?2s>UYVSa>4<(dEb6yV!e2JcwM>wyFvN7-4Y!h-M?)5Fe90GP zE93T?gCd25D#jY?*gVHa49^CO7&?E25UpMvBk5qH)j!wS;x}|Z`xiha&Y1AVgaeu5 z)iwEHkAGclg|ApOMh&ZzJJvVYDv#1}5{`nRI^dd}9M{;6Qb_ z`;*GG%1}pecF!V9ozYw_(n7jP2Yb?o$~Qp{w*h2N{!#+m z*D~|HfROHa&pFDIxApzZ3fL_xzyda(zuxYgcSwP8*ivHNd<9Rd%;8sDIB)x~P6}+5 z_>Q(BFSLvqAGegN5MllPH3p{82)Vw1{#~AEE97tH7;jA5Sf zI)6R&-xI;F!k$%PV53=>&dSs`6}0uijj6t zW%x<*IL*)s=xzI9{j--o>Z&QwCCaPhiq|o5W1sJF5VF7zPT#GLtW?E+R-?f}FWbI6 zXk6R;B?CbkPky%mN_5tpj__k>Dv=>Pai^z}!g_$AhqM^n zyq50ye(*lck|qjb3Crs5kJJewDczYVUwzQNC-c$h2=9sG5374b_sS^--SaaNWT13+zKm zZu~LsurXd|!yBW`kSl#8VqZS$<|6~L7UMxvJ_I>2kv7tV{7y7>1ZAYYyNkPt$~b1? z2N;r6m`K)IbK%}8*fiqrq!WF}9@wUY;XTJin2hVnwbA*IF;qkRXNSI}1fL479>QVb zP;_Y_DnTUh|292)CaaAF{)%RgJGdz&AvR0jr#WPc7F%r+2*Qq?csMl(wZ5lZtbzNE zkRZ~Jsx;KraqIzq`K#!ncMXW@X&ke@si;!}ZWZJ5SDpNM#O`5OW^Ht;Yp;QC1wKF! zV(Y+_Bjo;i`%zpA+agw)X0&s>b;ZTqs5YsAsi_bQ)*84>$*@-bHAycW8Sk++oK;+m z8U=@pr4ptxO@^#CCpyX(VVFW&+MH=-)e3k0?#hXU!v`|I#S7#_i1#=mwPW>d=R^pF z0~Tig`A2i&dpLr~{tCh{dCvr&??}u0ERSRs&Cih~qs8SbzU-`v4<3L-a0A00yj_8q?0A@@?cC@Btq>;4qp`zoHYvqXVpogKHZEK5E-R zGeG%OXGf6>47n!tI9`zQ@`wR{2;C|IV-saPTg@vK-2{@4KokL@M?k)vzWW zR2WJ)rf`q8oLJSnKmv9IaTGuraT2pvgCGBVhF=fHA?}0T#o>1tivJbKh@OfRYjQBE-J2Mnz56tK4sCQyIKefcP9(%)MACJ-u$B!MWovzy}*LK#; zU)2zK<}~E7K7V!*=wPIs^8PdX3cUFzRYxs0GL1(RYz1yvPi?<^-k6lHJB?cl+K2fze(va0zvbqzaGZxTh>XDd>+$ z-b_nM3O^3vjO3x-?#mjdYADIY7C|pNjaA)j`z(*@bMn#2vA5=P( zrVOWy)=>g04x!KuJxJ`x`*624`obf4RLppcKc!AdM?j!H1FJWWsAk$JHO)-iMDz6y z(Iv;&xb3VB+v()=f<5~FN4sg!fP^weO7t@d^Wmb*k$BGEzf|MRRdA-RXhM9_+dqLLLT3gv7Q%k28YeTE|KY<3A5iuERH@G@O z$9lUTY*Bz+l~f+=@(|h!BcoUHFR)j}sPHn>Oi63aMPgy?F_7Ztn%}?2cDWBJ)`dSx z0Pg&sNMF0L_-)TLp5m9L3L#Ta5Y7t9Pm#J;)z2BEB;9JOoOvLiC>WQ*Kekf3U}5;3gajOMk%Jv|oOdw1!` zm~utU4Ye+^qWbPVX%9RheR#_Bf_F2Quh4VG4ZZV4SwOJ`co;y~dOZG2N1rhAArij) z^yrOH`K5Zj-Fl|@6IG$h?Q%QM-IE%Z<@P6g1=RRDI82`JTQ76bx`x+rtqCYw!{SqE zlYFiYT0GB(=PD*?^^a?M?7a9a0#(u%=H0=PJyU!0IGv(z#G^kr;Ia1C62^deDTvZ+ z!iEONP_B;G_FA%7pgNBdY%TDzb**+zPE>|2a~1dUrERu8@gdW&uiqM!42#EV3IEf! z-M3Hup_kOn?Ay0g2)+^C4sT`Ul_hAU3?By-Ym^~i)x`% z`WY?pk?=$ExbVuSDj0q~9^Zmit+;bFRf69;ePs9kY$bVLhKMNhwL!M10^z`>vbdv0 zMs5h74ZLQMkQKpxq?^E51~gW3gjM4a?F>p!d1hG=S@`{!r_>|I4NdqPD&PFtU&yt* zN6byn|5A;dX9=PtQ@_J_?*Tjn>O~;axt1xJTPX0jXf~=l?X*ETA}LHY*R@i<5UsJY z_u-Qb^7fLs*DCllOOvM(@66mQQC6y%(FThUM$5`D)-HQF5DLz z^-#7Vp6}9qYJI7dltVk1naD?uDLaT26c2^eZA;`tP51?0RNJux$0J2N^NoAp?p;TA z1Z#x5--cLfdy?TQizTxb%XArPC@;*o%i^3!A6sw`%4)I>sT6GOcFXk`(4G z386~);F|{F`$`ZvN01A?Pc7d0VD34lVY=`>**ZfUV`GTx6H!o6!1I8QglnI;-?RzN z#07N6^hx`^QKSf_9DQ&+uaKe}n;$Z-$Bg%!3?6Fn+I81@T6b_=6^6n^{-wPJH?bjo z*QWXVBWFYKr^A)xxt3{Cwy5ma8tS1_l-@M!*UN`)mQ9zF87|&m=T2L^+OcNKLP{>X zVu-unq)<{|r|_e(!$ZHD$rhpinJ0#$0nEsvq!|6p$ikfS;`y9VI9i`5jH%{W(D18A z(UOh925jn%Ha|iBUag3ds-hf!PD6X{4Tb9_dz$xa?#U?sto+^9tl5grxyewNO`EP! z?~Qj26WbLjoha<;jke>csx|Vg`<`$LFnID{90=&-#3cK-EP}2yNy-LC_A=!^%R4QL zKB8WHCn>h;T8({b5gaRV_v6!HM%#=cx#u4oPH=@ab108y= zmusk=J$(8lZK1whF;YU~7X#ZD=BBRf2QZo;zFO4%cqCA$_Fxu#IR2Q53Wg_z! zI?@^A;{%ezApjq9~LqikH|`bp3?IwAU?JYb11(qk_Z;+LG)J+vHG>(z%h@(&Flr z5I~vSV3*E>vZK5D6l$o3^G8UAf3{NMj(SMmg}bk|#KCp}7hD|%{T8&IJcgJxTvp11 zgrB9 zQvo2)4Yy`r@tpjq8!z(cPNK^gE!6D^$V{MiA?YbsCc7|OXld*F$tsh(X4NmdM3g;! zzd2vLc-#_HdFt??iIG4rl+DGBVRMgL-$o7rqWzgpC9K_x1JS|ybYr|KiwqLg=ls65 zmw{t{=3q!Bl;t6g#5*$kjM7Yer+jfjWq0C?Q&RiuQFIy#zZrve3lJ!%?-b?k)SZ=O zPf%-y4Jo6yZb)?UQh6LEV>k`|TQP53XF(i?#hpeQ*{z%z31#+7xV1F*BCas#Gw+eM z0z}asyxipYFay|}9hpPEn&U*Zd3V+kDJKH@1F8tpAX)WrF=I}4YrrPTs-#8mogj$Rc@5hT zkh`j0d3s_hTuPq5CeO{+Vz)CF{9&&T!Fm#Nt%q}Cw~}+|XtfN$KFS<5CY)3hiQssQ zUzSh6sZv%#K3qCpdrw0bPGHLfAL=3qL_^^_<(==az9HfW`Q)UzeM{ZDx!mhCj1VR) z!vvySI|TcFR%*(%_X;9aRm>;vtKz^*S@zV_65^XQ20cpDRSAI>N;(G{MXySBZ_xHBzY-`zzMOj-3P za`?o~QJ1jN8v!kRj_XJF-~}~<3e1MzU@AI(yqfO$R0b++KG{1qxIt>v^C$V(Bq056 z3?p!W#N6$Pz(-w<7Gsu>U-JvdxM}NLO zbkL=qG`sYLExbu54rvyj?BWyt{Z)=feWwfRN*tZ)W22w49!9sJ81oJ2geD!A;+-T* z9@^XR79Kqv9KX@y-ey?UYmxNcj6^^t)!e8;ua$CDox)f%^vpwavCht9&DBbg35Yws z6F^iI!+Rt7k=KhTiQ?OnrnfGXGSXXT0|_EZ9N9QLmsnXtgl3DCr=!6;F8*FQGx)tS z_$8t~_h#WK#xQ)9??MonGkZ?X z*FkGIQKC<^TiO{?B8W>34;=}3^>|bBY6P@Kx_?}?l5jQCW48cFUs!6pEIEO#)OYu$ z(JmbrOp$hR*anHVDel!E$p*q;>^6 zJI~R(oblij4T5|cxaAP+Wo0q!--IdDCnYCG#l#T2Mtv5D-X)&s5c$dqw@_|)NP~u%YSVh-2QrHOD)mTX34!3nx7%+UnBvltDY#u#n0gLc z;a|>0J!0fptVtk z?n2e@XFo0Rcen*dZdob0w^>A0tB>-%?ke!emDtQN|JM_+0>npx3>`iP&|Cn_)y) zz51kOK`<^iWc=+x1&+58M?%b1nZdn;slZ{M1 zlMCv-$oag0%V^UZSXPzdNktWjwzvzsIq*K{u&|lmF7KDz#j1S{%kIEO5?Q~3bJsjY z)32Fy;x4n)Xm$S7B{3rYlC@KVO7AB5!!mokQZNR2J;{qBZMrdQ3(khJ+n~^$ti%+Z zp59xAfrO&?X+S>CBaQZiVpl6sh~KLErc!kl3U@Jz(PZ|$jPr11J`=geF5~+lckaCA zB_GW&&s4%LyYr&fMTD$+?b`~Oh2%|_(B1=MK@!n|0MClE;*KXP5=3~S2#2=Qpbx$l zV5cgrCt*IJc1uCN+Xu9mKu~mZKDv^?zQ%7u_iWie{34=ATFiH6Gyr zZwldR^IRUi@xde32I50k+e#vfod-bndJZ1w^D5(tL}sXZKw-i{eTrZ)at8f-kiuM{6*BN>Hx6huXy zQ2z2m9146DjUY0)yWU3k!)HG|8Vq_S=x`)zx5pus*~-bNh&)Y-L#A}~!BYH3jES*| zjFV3IJ{C9DPFJ z-lNN%sEaYx~fp-)bt<;1BR@R#N5 zIvP$j?&|I_$kt93k_r z(w@2-zA5JLsZwW|yY6nTo1&9y0kBo%O^P;z#>krw5rcXoE#!#l{&ua5d>Vo#zX!O%jR zx^&U2dGU&Eo|_g~ce}O^r2B;-;1vaeZ{7z*QV#`eNjMQ!=fpSXR(Gd`9hkbg>SDi| zH}Y1K$oC7pwMMn;$(UR8Kd#0)6Bcj~?|o1=v|D!Yr7|_HC;TGZ?QR0Lcijr~W((ps zbW9d9$B8@v)n~Cs{<;{>;!o^uI`2ezwC4%pC_N7+f`=$M+{^abVFm}cS?dOPs`{U& z2e7s<^M2&Li|`oFr~A!;=PcN4POXyEA{(?DZ-z!@{WaG+Z6}PewNG5ppdy~>O2d@A zs7q_vOZ{R|Wct$2=DggiDt%V|pg~IdvG)!fnq#^X2 zG4c74PbUm(U^kaocArpzI8YVAJ}~*avEn$jw=&8_IEC0uFn@08 z#5z3S)KW(^qS(n4_as(k1R~fO>R(hBL>BpDyJQRoWoC5emz4WG?;*EUVo(ssA%#|d z=b#@K<{ujwT2;EE&GqnHgcWd+He<1S?)ucz{1n;|Z?)_rg#{2FJ>nX8jfm0>R8a0f zsvicDX)Gs}%Wo%gDjS4IJv-`1RkZ7O#+4pC)0CcIuUvY>;EH5UKNmq#byru7dFGfv ze~UFbqpzkEt_n{C`O_t~|J~QgO1}1Gd7;Z94xSVKV<29=6-n}q(B}&|bf0ajo$M?x ziy9>mcC)us&B``sV*~ih+Tb+ka&?|K<;m-Lb#-ZSZg-uynpbT1V{dQgO0Ys2_J%8~ zvHfF$vm};Z*|>D1`)rHt^plt9C|uXoV^xN%@NBk;P4IqLev0b)xETA;Xtv4@yKF58 z{XHGl%rZQCulna*tr;6f^sFc4H+GbU(gfUj1#n>!eSLKHRqom&glY^GUgM!(xG@Ii zlSP3LxwuY8`l7IN2s$eCGLi3IWNbn1(Ok`@B+>o0Rn3|Fa zbYezxQ*<3E)Po`YM1mHqqOIlap8QNR)WTs-Oti0eY__3t^KLkf6Kv+nhF^OYoYCTM(n1VJ0{ZSit`NaZ3JO zc^$nCNw?qgv~4)14Vl@H@^1Ii8#eW-``AVnqjpuFI$-YYD#aOX33shdZP|1{E)o(a z-VJD7H3oNi<~{_o#W;aH-0%YwZ^+mD(Ar^7-YtS&GX{u>-AsvmuUkZ^UNi7%pmc8V zO~Ei8y+&e_t3|+ZZ=@1EoJ6g8Gp#-yBue96yI5C0vyd}K&DJ4e^0<9{?ml`~dZhXa z)0J*4Z*`ROGMtS@Hc}@if*c-K>t?Z#gJAl@0{Rs(@5m^Ej%SLYR~ z0nx07(}Qf*SxXt5?`{UDV>53Wy+J+DsnO?`E%q|iccm0qJD&;6RL#Y_OH5uLl}}!v zMR3UYu=Gm)otbkHh@$0iONb)*QP#!L8ZXCzmdao_v*jH4en3cB$-eXFVMW1%D;zeg zK2mXn!-cj0yHQnjD0zDVhTvYq(LPYiS{RZ=c3a2igojjzWFZ>JeBg3%D|Um&}52lk~f(bg=Fb34)wp(%vS5qvfs7F{5%?9 zE~t?CI#fiG+}g{8uC8N3NeHs~U`#qXznC>HW(h?I9`bUojuK0}^c@lrYZd+AN8!53 zE(@iqPKzj7srG)H47qxR(W{RHjO6Y~FUo5OAzGVC4#s+n>orWA-Ox>rmjQ6;Da&&QY+%dLz7E}?T3mT`|6r(9Ewyv<1~r zh{=OpOHnE*O)|awkl{m~W30d+ey!d);v_`*9iJ%*DzY*gbhIfi-y^tSVB@83J{e`%c%}DblMd*~WFaCx%RZ<|YzSF< z)DR*Y#QSkw)@t_JGOGLNW60PC{vqxxHAM(tagwRA+n2-Rv*~R&aCnDycU{}eyu*p0 zt6K$zkZ@g!@N3sfLW}VM_+(*;3|=gav9g|lNiFzfI})GrM(jMEScPau>4&Fc79Zga z!D-m{ZeW1%+HCZ_!<{M85OJ{|n=L8$B<(p^A?>-pt56hBVYew73`V*#Z>GUzTP#{V zcy;7a;3`Jw*(b2Y%!>|Pj3TNBc>~SS^WNP#F&fILvNq6Odp-sA3_mLp(t0FFWX5D! zl%ye-A}9Uf3nNTjcU4}>w}y|&jSf85BNx+%dcp#F2nRKH(T6n^_-rPWE)}qX>DRGG zUmxDYEcarB+Ap?ct%?gfJS@+AzdF#Iu(56VmWESw{|uwW_j{VUOq7>w1~V$TQ6V9P z(TOVG;a&}1q;!^rH#k-u87H|5zYZ8_PaolP3DczSEHS*o7A+FtA7>eYL6nAY$S$f2&VOKBJlWP@NV1e z({ z48Qs(8tm09VOvhoKY()^?n~f61l}~~Sm6?R4Db3JKawR-fN+*%l%fo1La)_JY}QN4 zZT>%W{bO|BTk}5-H)_<_wr$(C&Bjg|+qP}nXd2sgW81zzIp_OZ|NFtYo}?=)YxS)? zd(X@Z0}{EEge8-ht&9tLI4ipFeMU5?J=%0CPryVJQy@blXirA$tWPE~N;NUOkdUYu zR5`M?x;Kg~N4c$9wST15;8ZE3aWdeW71om$XR?V=V0SP?#s+-%VsZt4`t%SXRGJzB zuSz8paIg^)4WsM-X=OW3%qZ}Q8RL!K`xeK;M2Tq`pc$0jVP2NW#{RU?qoEm1T5S;F z<;)iKYEYbIQ#r4qAiY>BZxgRP{F9xb;@BN5$b9>mEp`*vFfKjColI`pZcsz^kjm*c@Bs>?W=bwTIz4E_6Mp@#BySa+}hx4xcz6AI`yU73f? zY&Nq)b(Ubpp++C;giG^Cln*ATwj|g_@(I*jlC_v z_J7(G9_Z`o^y;9^^~uqaI+B(TpRyHMw_4!=*d%1MMoE+Y1RH zgvGYpXWg&RR_@o~a{E@$@fNE|Gyo_j=GYMfq&yaOH5$IS|g;!xT z?(gGRt}nlQ8>H{%WuvNhv%+rX4yq z*`&YOL4=248YP_{fsl;(y+oOir{>;@A9#?x7GH~dyY{7w1dj$|vYRpS5(pbZ19vQg zq{}Tmc~yiO5@x`fYeS^G3}4ex3BA*9w3hpP8}z(_dLb%?uuzUS+u`@OXDcONs#FM{ zs!(DpPKIu_Ed1WEF_$6w16n&;Oz6C~o?l}rs{y3@3{M>APB z!+VE9IgMjE<(c)U`jPr1|K#!3;HGRTZ6|i-6(4qH@-FkuT1_@|8w&(i+QrYRa(yAH zlS53%(T{LN9?S!hSKH(I_BP^Jx`#YJ021`H6%qT(C#z#tDQ7h*=k0V~^4r~J<{}6m>=Tur!wHdq{+w-fvch!VpIsV`6y*oBw1`>QF6Kx+)BNskZL13@k(4f@wS9@gY;NEP+WGN z@rn%y_GdcrxkjMto7px$&YYyRrTh0txc+L|^9;yiyOCwPPPzP2f3-a+?^^!NKKB0h zP=4HMGXQH`o&5qj(mh19MHd1&>`ne% zQXl;~Mh*_y1hF_|fTd%xQ0V4Fbdz^L%_btWVi2a_uREvw8h_wVwJWSl;P}a7L4&xd zwJ46LRC2@3LdL^-Ld~?f*X$rM<|M4&@{J+JAe)of;jfQwBTlMVvcM9EVZ#yoWk zV(qtuvOQC>{SeLB!C z)Nr+1l#QvvNrp)Dhg zehAg_%~=;em=#r?eJ{2=$5N2;)FO^HPP7l75-Oaa_>U&G1G|Xvh~pfAR-SlxBRf06 zn8@{YJ>0&#uV%{ye7S834!QhV@IofQhaWqVrW`?4(_#wsrQA9#Trt{c$GOOY7V)?Y zmk(kNePTlJZzUm(H@GtMBO(IzfMobnSCCZ^nNE!`35F{Fn|~0`58_vxR7*W)JXE(= zX13omuO-h_t#WBf*SCK}@E7|xye`j$PCKd$RGu;&r+T_4pVW4~S$NA3z4o``#+moD z{k0PEws84-N#azXg12E-q&<@{`1}Q=NOa=8!n3*xuzoHwk2C<{-Fqk<&LquvA)#d- z7%Zjzu!zIyXrkc)0k`~G1%GlYAlSDv7-D!J4k32t{ky2l)mxMa-6y;bM`dgVx`l7(SuxEWcG_Ty0u&1-~tYbO5PJ0eflNG-X;a<(NiP3}nc{@8iZ$(rdu+!&PtAP3!vHX| zd``?8(VR1cJ3lE_u7s23qX-m3ak9Du`7T+gB=ID54G2K=N19 zj)Bx*3bDVciYk(Xits)5mQ9s&9acQ|bkhit*XtPYj1GgUE6$Hq8#hnyHH*)*_7?7; zZ%)ef_8?gxXzCB&P3LXPd;Q5wvNwbhh#Jj(RGYF&4@I1HeGm}9{H>|A87L7gTkFS< z7h2ULw@eN0u%mxE>OHisg*fOyl!ozItjVt#2cF_VdsVHDhu2b$;yq~RWAk~^V6C*E z6elavTv>8Usx6Gc(rQ4ejjC!()g-Ll8&c3xA-WNl2KcrFXWytwRDArRR?5d>pXWe1aB`@dLcSXmwJz0+7IVry^|$V@MG>r`wr~bppm$~ z8{o7wpAW(}FuR=ru(_&KaJd$k7~UST1zHX1PA#Swdu6sA5XmN-*jBh}KNE8!59DW7 z+|Q@iM#Y?OGmhk=RP}**1A=_H-6pVvv2kmJ`~L!Qq;TWgUc2&t{|Nl~n*}%NVjXU0 zgO9dAturj zME9gr?P}G3=-22SgZ7hXZKckVa3mxU8gf= zo1lyf;pdBd&kTXhuut*LuqhubBr)v}7q(+p)aLdsWRI;ZnakOuEZ%OtR^q>8h?bXO z`0r=bmw2fOf8Qo_)O9aMS}v@~F4{Fq8u+%H2u*G8ks1O{&PTFiKd~^mwNut?yLkxq zVHyR4NrBS1yZ3!~=>9qnPE+O~`0c6HLEj|&n!a(Q3s^2G&AWoY1>J8eDrK7!*^B?% ztFzo-LgR4pW2wcUmRK%QdIXQWF0ZE z3f9!5e~@6gcWXSnQa1xI-o?b3Tzo;S=%I3+4fJwv^lk6n zT@OGI#RN~VyO$ncKWj*&?}lTY7RV5kD4q`0i62K5R*v5gD`X&Q?8#T&v!1B}Mriz* zI}HjD<7NY8dFFvudC}ZKnd?*~B4A#xt66^Fx)E5wfdbSFB^4hqH)tITdUa~$#wBjjJ^iLE>$70T*?LW#J4WkB ze_*9uCh4d9{4h$ksk~46`NH}Z&GPx-)Rafhq4lCQO+5N!mTcmQwN%n0$S-Qo6J6P+ z8W!Z|`}R++8RIKG7QebOtTlTy$!Bxn_%y<^JM(h3(P~?eBK@{2irqFBq_Ep{nr|<+ z6Hsh<{ZwjMJCj9)M|Zv!cvb`a`ssmi_PEq$G=ZCx1a%`Ns_#qm2Xqf;lfM%8ziU7G zZwTU`Kr4FZN+EUCc0ZCo;tk)jgTstOjJJ`as6CMoV)e3*4=3LHD*0fS$Sh zVWa?5j3@iGONpLwnLUtaHJ;Xp(qVHx_3*Na2gBDL>P9{;93-^MKeL0l)Hnj1UbcB_ z33Z{!=W{Zj=WpknE!F_=vC$C7FMZomit z8WdhHP2VvLoPGE1?<2d1;wNTZKm{g=NDQFQG}T7QMnKak|96;ldl(U3_if|h|k3WUROAAat}vI zm)=M8ZeY}d65C(;8c(b=JabSdoj7xEgA!k(f$we-Nwo8FoP&a~Yb+Pm_?5rGK6r|& zWyPSrK{%dP4{n8bmYx(SdZ?aY^~&ImzSR-nQw_msWQ3s84UqJ|jXtwW+BThRq5qlO zoEu(Dcyx<+z@~q&%=<}?+Wx#`_yg7?6Ds*KsxDTixdaUbi3U?f zgN+dX7aJiPXmp;knDyq4Oc(ERH&pzUFP?FkZID?wL;v}(~KmBHZKCS`s zki-N8d{}F&c>jl9)i(CQskx|&d$!L6_NX?nrr7=*=Ne!%+K-TlpVB;_C0`T%6^%*dE3*YQv)`_$H(Hv zS87)B;U|d;%R!JN2O!H8_IKM-^c9NDv&ZAp@-SQ@GKEc>t$PGK* zpy*DG>?u4$xG6uZB+B!OF#-pGe1R#^E`~J!15EJ?OX|$-(wUC~80<$27xF175o#}h_W}-~l3p(#vl5Ji%YNiqJYAi*< zDRs-ocEr7(LnellnQ=<8w^j08ue9({l6@@5UM?BOf;AUZh96*|!4=i@AfdaT(QsiW zU5gdH)pl^8e0fMREZX~)uItkUA;%7taVmxdT^+&^e8LjbdE>F3n5HNC-ub%_Bgeh3sq8l=vo|Vg&D+OEVFf@yo=()+n%#?bM}2QY=0{oCZWhOn5`S{ zW1$Yv2neR>ZPB6LEm;-_Wc=9s(2ZECJ#GLPPl3?mfUbeb5r9;e9z$&rTY_Z?CSs`& z>^AbYwoZK-@e*s>9*dk3dn6#luPX$)w?hswjG3PE4n)VzjRm*l-i2#v-v(!Rcni(Y zo-sVQ*Y-m(|~6nx*= z0Hj;o_4A?C|Dj2H_xp+@S?Aa$nSstPL|Wog|9EY$+O@-Nq zciZ!xX<&#mCRwj*&n*cBMjd*!_M>(wQ#q72R-?Mu0hkV+GA>Tb?anP%&8C$(4~1mu z6=P}%ya6N`Mu-~^n$N*9G7W+UGO}|XCc2VqPqI`_9;U_X;X_J$c~*f@!}qKD{HbeU zf6=}ZEJ?2_os^XtIe8HYI%Ir@c6+L78;a(@LfQ2N{#_4{;k2^AW{(A#l)nml4yqRr zP6k+)ZYcYK8Ndf)b;$KqXKl!PW$Ku%Dh9m08iRBBGo23kMn~;Uxa%GfoANNMifhxS z2obl^NfWa>A}%z<7aoqN-#8H+Y-LA8A{0YDtK;ZUoD(UdL&qVqZj8*k5N1&c4rf4M zF)hwN6=IV4LN#6xT{l#Zw$raOVA#6r5~+RqfD>^HSZo}Z%BZ2R7j z7dM=rY}8QsgQPhRL80SFf5D_aKqbEqZ$ z(Cygax)U^N-iGBs0_--z&zGOMe*@s9^4S+%jKh9?9adW&pPn9G_N=r~a?&?iDvm9~ zgKYS$0s+DPt4i3yrj5^JWvWBLzF{Hen~%d>C(f$&jzx)9x0NHe;J9Om!DekbnRNHU zM7NfVk;nVY9C@pH$?G>5SS#QgE5dJ<#CkVB5&gl9vFGDLCvan(pL`x#>uD-PZ~+@f}Khk7hWty_Whted~qae=4(Q3SajW#^KzkUo|<$h zi3;>Rd%dMmD`aH%27O|;ex;+1APZV6LW#a2o6zMBZIyCN?u08`h379AF~}2Q{7}4O?L^A6d&0+CP_*U`4S0Tguigazz}6f67im zn#codT|-esOqs^UA=6Y#ERjtbUq~TG9AmAunEz25@#d-J^YRie-&zRDs)_c*`|lx# z8|hUfDsFRY`m0H8X7JwMw-#RT0lY$?ZP{-eK{af_h5Ecju+Bo`8p9|k{F^Yk&9Y)p z?`!3IPq506l5As_V#JL<*k(l{$-Yu!_Kzda7T6>hojnfq?9I>O8aNC-N)d(RA-e^y zh+(*{y%~j{yWSiGpp~5k<*SvaMT*+0_=9SCkNPb0F8MZa&bmpzd))hZMMaofcv_LF zDjbaT$R(I#wR$NG6o_Q`2)Z4(wjc5`UzJaRs%F1B9x8!Gjf#5tnQU|I4)ulyT#Nj~ zAA%AQVPP`clOiYA0kHJ_W;V&nf;iUKT)F<8PANfui?q~3gU;l+eJ|a(@i?T?19uEa z1U+CFhu(B1q{3CsN;TQ3~(2lHddidlmiXA`@VrU@4(x^gcv3s1-+mC=cpiLjMUa6eYwZJyXSh-vvNzU4Cx1VB*l%_D zt%~Zw51ZSY*AorUR)c#$*MI!C_?mwQA(RA2;O#T`Cm%n*eN?TB5*zF z#{^li(TNbQU_)tZS%r%}VD58(ZdaEDXSLS$NK5SpgzBN*o}8oSp#uOSKlh&0tOxN> z)4uc}gFEWv%Yc|T;GS$zB|0zON6rd57ke-)S8e=~q#S7w(Io)ji-CrQXo&R&iiZ^! zt1O;DYRTuyxEL11`j3LIe;mm1{sGhK< zTEo|CuZvSkgZA4sDH}{ZX>nkqSSjm-< zRRT8g`O$+^D52enOH@@*ZW~ztjBWmry`)CyCHY4w1uw-MY@SQ|=;Y!-w1~*V0oH-+ zknr&}Ar_U9fF+z^v_={~_KAU2zM0;sJ^~g4*>Ez!VX78PHH1poe}u^T)+d?BHape# zbP^GvPC#B=j;Vg`7QaG3LWqshRwWi2jL=JgvZKGz;*N!*&@rE~rd>|>rz6PZpr`(9 z%S$akBOQB}8{ijBTSNBpS?;XoZX8%|KB%ppmdt6Spu_eY z?0UV0@D+D14s(1i9`)bWx`YLJrwueh949%3&Yzzw^RQqF|BK}d=a-5Y+hh^T)Xt`-9#Zz`D&BdJPUC6Fg*uTD9&z{j?z0|UXgdW8H9}=q zwM11*Yjh}gDY)2eJy9mC*)7H=(b6{?5q5Gt#*Jt*fXO-;Fn^!%~oS5_v8o0Qq6vP!*oDua^ zSJ1KBP(RNT`eZn~fQ8f`m&4mD9azuKxZ&v_WUA5@4X~Np|0f4~Klwj77^x&_q!I9q zJTbnORkP*Z+~THtz@uWoBp6PMgw%r3wh(ZnVNh@^DG3xT73E3}g-2o#vv-DypPH>tvm{fHlpM#4 zBz}S-$aT}=XVaFK^nC;4Je~n9Kra9tAoY$!Atwm6(9DeTgoNZMwA=t=Y$~lz86APH zP0dGTifKs(or4dnnuKM>lNPxMWcIOEcA>btI-Zi~7a%+w2@N>mMaY`C4~gQ4an3zW zO;DxbSCstDI8+!Gwlc{xEH@E{9m(iE@F0X?lKZc;d1g)^y9H~e13+9|GXWbJVS;Rd z+g~rygfnxFn5EE(2UNb4rp2uVbdgH=*17lukO!6+S0r;e|2twl|;CY zb4U!MXGw$@dO~CWI)DFU8OI71ggYI?D}gIrZ2xdl-ptm~sogMRx|2dt9c?D);psTK zlB>1~EC|pyMNBJ>oW=c~`~Cv-gATr>iLNY9yI{tnD8*wXeMF0=h)w<{+$yX~k8}9o zQz5c(txMB;cu79fVRP54=eMG zHORx7V_g1gK-;q^%y#BaRMhQTUsC*CIoAWNU4`SSwK=X&U%cpz&|}$Z!T;L=X;2E1J=+8Y`wEyHvn=@ctM4B zMUG*JAJShDO}`e@Wcc5_{qKyx3}pDPlv0yN(Rdt@y4F%+uf#<=vkGVg5|6)>0aCBG zOD9fqA4*8tRV^6_hW9!SR*@f^6zPs>71iydRgWH*U58t{kVS-mj4>Xdf9WLY?%gnA zZ_Jy+>dc$FcSoVksOLA(iig4OBaI>Nz=^_Xs*S0;n3r7@uHN{|?`TSMayTkptN?H5 z&l(%~A_>_%lpe>&C@1Nw=!U}Te#ekp!n1<9kpCP;I5(&PcXA;iR_D*3zaPZ|gdvYu zQ(PtXYtFOKJm{29n3lhiG&q~|ht$-P6dY8_LR0>ZOF{}a4T_AW&LvyH0RdrfTnKM~ z*r~UfhYShHwNT?onaQkIyKZK{Sh$4~!(gtL2$2O|GuHV~YX7a%Y*@2Slij-DleolX ze&nJ(AgvTJj*p*nIuVZVK1^~b+#3#rjI18L;Djgy=4L42X{pg)s4jl+Lc8WkCQ^^5e-Eg8k271^>#N1 z(99-QS@t!TFDJLARbVYXmciAuyr?sp6lLmJ@=Lz3kcLXvFSWUiPr5bu;?ka(uA~!u zOFjif7}P6t@nFf|RyeIbg(W7488h}_4SP2~4()e;`6*)eTT3LQ2HCP$WUuToOkb`G z5b`E#l8esX-1!X^;)7VhsRDv8lxYj30AV8+=iL^Dirj*e5C zn1yms%@RYwsLE4W$jVdMOXk@bgsF#b6xOBImZEW?-23@Wy{Gr&-6pVAZs$(o)ibW* zlMYd&W>}PJs^Hy{vFmmW%V%uzc~^qTt-uIXUMw`FwuuR9R!Jh2TXRv*NHPJoQ@G<2 zQ+}RcQ1d>nm|z6~741KFvG>NICpBdD*~j-?of9XZxnfk6^x$Yg$X4aujaV0(Gd3r3 zw3Ay^30wh(oQv~sK(39CVPR@;aA0wEy?*WH$ zx0*sn_j)jz!?xh8Kp4y2W#|tfTUYakdf9#8d=$Q+s@V9TmJ(aJ;TMq_{ zC~W#ES}z;RUd9}vCpVsNF9oUemRYaobEJZfV<%X4uS~B;I`kYXS$>~@0UiWj-J-y# zLCXKtEsEq{hZug>rlZ{q0H6oi6L$dYAP@`^DK>;02!m`y>o1sttsgE`ecnzG6yb{* z7VF-=l@ZuzOWFv(sYinC-%>~xTn;cQ3x$tM7vtihST>fF*FwL!m52)?9kX|5Cd}l@ zJ0#Ct(Z>4qz!rmdOX1l}X)K*ag>BB2faH`#qD$F@<}Ot}4pvErVz?b@aEm4O*tG1x zO)naCt;RnwL3Ck9T)3ddw+HI-ZRyoxXErge)kqucSF%j1Hdg$~x-mb3;I~I)jhR+Z zwthFxNrt*6L^xd*Z~4K_?n)40%=*glHFg!3*T0iwWd5dX@1_Zz%WecKwI-cCVoCqS zaiSyK?}D)1s+REZD&$cZ2}3uUI5*4D3I^^a;&P;Bq?NT_OLm#&$3k1vtr3tF zXcJfYm6>;$X6>3Dz+Jc!C-jj1<)#!&<|f-bbKDU9h$ZhWQ#aX=RtND#^-jcvUy38X`+jQ=u5ypqgWC!ECAsk1Io{E30|Hw(5Bq zaJvvfYBvn<2b}(06C}NZjgn0~2{C7{p1W~n=^CdqYpi@n{6VMhoP-hJlhWj_&Z0Z`9W0&0Y_(&ESr*FJzE7Ixh-Pb2x01)dTq859x}1Q5;tw8 z@&m8%o^`8jAZ=qKyMNF;&gd8Arl~6a>j|gjz)qZBc&DP^RRc>eOHi7WbzaPXF7xK4 zmty}`G)ogX;jFrY9-F3K8Gva(;mD=&qHrLWERg;=rP&f$30;5;jNf{c-}*6(hKpm8F^dKNY>jB z^gGGd4v;u8DEYs3fN(&S{fhDdq{R*hdP<-)>H4%`AUD)K-zyrmx*54Zg#D%^15{Fy z;?{j(A#(Xc7$q4U2Qbz~NLDhp%GrQaS$TDVnZYbA-}pZT(@BgWf{O4IWj0I-ux^>@ zo%mBfy^Z=y@K&>t8LceRQIxG5P7*{{N!>C0YTMsIjs@XFG>1aP^*EadM{4F($ksSZ z5ymLxg+oyM`7E@UR!!_|45WbvmzNEMbh|_K_a3n;v10<8l0*j|+718hLD16BHliJP zuWN)Dq@fzGOcP@%mJKbVFKYu^NfVuyOSm}Xi}!UJNY>W?QCEOFX1L8=x)I}XjO_`J z;Kvs>V62q60cg@&N$EXXV#Yri^FMlwohOP#<^|;Tj=wuBI0dc8@O< z9-mMJCou*sZXOCds<|qq1tla`G{i$KJi=#4MwplTo$H-{D}OY_xO}!$MVY&_7&(8C7h3&aIYHn7>nURzp}`j0_Fa z`GkMwWuQ}9cHzcvQ26s;fHR&5ayl>!@`QWUOrXYw^7TL~RsZRG<$10WY6M(@VDSknSIKwfe zqBQX!6#=2ENYGv$eZS$ZL}U2E_wG7M3oAju-0wuRRi!J^-)wr!fiM*^USSp|tO>^P zqDUBi+)}8viKGz6K^Qq7W*#JEN`n5-)!J59SHmi67IrI(3~`GLinA$l1)(L>?<}CFUh!FJ7+mArkLh3&?CctM_RE&+7n{L|}EPnEx00S3%;=spc zU%Wx4X28w*1&^VCV-o9{vB1U7;CUykgL~Yf4l`uc)y2>A%;fr zq%HmSmXV#d?W-9&XffysR-K<}dKNha(VG~L z9zv=pM-ot=c9MRHmYBQjGsi7-|LrpIk_@v(E!vm&f@4uO80U`oIN3S18fbAG*_MIn zD%w?RhWeO>29S+a8IeQdKdhpRmm`cJ2wORzd&L0%nu|C2#P=Uu$%ngqtnQsCV~*>- zXloX6Mh?c`IMOL zs>=#rjkt7e`DR`RLD~BLPCU7MLafquvbL?iTh&c6ZSv5Z?ji&)5>Wfl)E6oox^bK% zx+&tl1=|}nU6724~-_Vmn+zs zHy|&`(VqFmJ)~~J6`qJN2r1q>dM!>a3~w&9JEOWxhuRs=SpHKDWg-chFop1FsM>|F zVf7%8E&<}aitQJHmfgEkZPxL?(B#36xzQqSERDF4upsT{hkB*e(h`qo*7;1B=fw9?^A~7`EHdT2sqynEBP8NzE9N+j*2mhQr)wR!rhmh z9RjqiE7CY{d(q-@J`Ycm6RQ2LuK?t~Q%xFl0hZ`s&Oo?L&en&780g+T&q#`55Xy&6 zydN^ZVvFGB8Wapt${Y@4+8fOI2Nfl)<(BXFI(FlHLOe?n4L5#RLL@Es!4`wVp{ijV zgi>&7I4RXxzqt5Z5F$=U>^s7*?G*rr^ruM-=lFbZ06_fCKz$r@9>jcXv|b2ebbtX` zEJ*(r;TiWGv1o)_w;(d?M>%Ya8g(yhjhLZV{+jn2_C=N!zi!-pUHp}vOP{Pyh*Lyb z2P7VRn?}*#P?dA4T|-!4W(PJ`PB&J85QSX+cQGbl5ST9lL?fz!*Z;7K^^5sxc6(#p zhXe!G<_@Uw#F4u$8R88x3XQ03x`~sDE0~VodT_5}!%VKvKCG7Yod**;mwZzpIy9@O z?4{#84*&hR`=z?ONj_13D@okX)+R6`FkwS4j+a`PChG}uLO5$3x=Dg5U6z*=WLO|9 zHMH`J&L7ak!ng_ij|E0T(B+4+@iqriBYeu;y?b^3tn>ZlkR-S~nE>;ih#fK^TOq7C zeN7W$^q6Ugk6(Gm*M@s^kj;bgfeZiCV=@#->kpEOC262P6;ht8o} zia0TuBixz!)S|Lbh5Pd$E9H!pT$39jt~W9^T9FSGMmTT61xUuw_Aaah?u>hmq?!|O z4fj=%c`Z>{0ur#i$!=e31)B66eA`vT-mG@H{^f%mVTK@>mM*!k(!AIZ|X>}HLcdeEv%REP(g z!d^|7f3cQ1Ar>jfw(wp&(OVmqC{`R4QHnoWW`g$>P>#K%$Q_A8#oiUw{Ozsr20Nr$ z#ABeipC@B?e?q#^e8;f+V54Vzr(!@D6GZp(3;bG{ik7vs{|&?Z`OE)>i56rbR*`%e z{+=~+sL5ejEGp~wBrqbD;3PTk+l{9NB46S?KXMBiXPTHYMh8HQE)3r>xKLBCy4AwS z&@JRUjI73TN39lf$a{JKoy|GKaR{n}zLe`8-=70}t?8Bvy7d5q+4ly=v+Sq(`~qV1 zTzcYs#OGrfN+ff#;tc(!VI$y6?P|v(`4i1()+|Pi9V4u%xd2YYNLW2iOccw_7&)F= zXlX%aah#;S_*(}*vO%LEZ}?{yIx7{S1iq3w!BQP7bEkUDDhZWLD|El{ib7p0Xtb7N z+<_&NKz(3S*U5|1%EB?Q7mPwlrkO_*WRsRfol8br4yK|zo|PRnrKrF^MvQgc?W!WN zit`H2K^-sf{w11}zz%lagm>JD0dJ)|;t^Lc51^~kMrOLx=qDpomo0`X^~Qtcg52;X4=rRRdC#2<~~-d`JdMhF2LbOwH(U$zVDvwPwt719Y56 zk-zrOal{QIov`)h3ZNz|p;NVoHWc!~S0!R=8ABL!S$z7_ec8GqpI%;Kd{EZ&)*Vl^!J zTVZoEa40hyaw8W$xl!j$bjo?kFIxDqBdk@R zMXTus^)&tW{?Irc=AJ(Jz*H?G9`UOFtTvpcXw$A}gvIE_4_LkoC-U5jzuk*6vpj}L zDeL|!M5yqt^u4tOF}r;CCOg>&4cR}XIrjTD&?(y|W7X)Eg2WTjG2?|Oo+qPmD1oL(JIODa95EK_)!aD%ySz;t3la7neF!qxMWa>dqSCoL(q+E`ao0w=OYAB*X^;jUV7H zY$+<-p4T)UVh>rhcBO36fLd{JeYq1`8$w1tk(xxBukjf6-tY>ix3^%;6jm=JWC4~o zEZ_QuP<&%o<_1<{lNytGjUi5QdwiSj?x4tc&FL}Y)d)?~fmN%Ywti?T;z;L~7x}49 z8KAU9XUIC(KHQvXthKs)G|=x{j^?$Rnj~qoH!%Nceg^wmuu{oNmU%?dMx1(vioCS8 z6tV}cXudvS_qb0CM!|T-*f)`TEbf@xaZzICDUttEktOIwg)+*6g2G@@V-nYC`t7vv zg>=TXs3$ExUKYJLZrm>EH0Q3axvu(GMqNq4kWN}*;*Y&`c1S4Lj`rErmxI*i-!rjA z51d1Dx)Q7G;+Bzj2+TFG#+g&!Ugg>3(QT_BhP?pWYg3U2jq|vK<+mw!d~^2u3Mp{@ z?(q9{&wP-HZW|%Es%;jmsa8_7gh64(kJ*=;GZ`&_OJWTco3$O$+qzMFGw#whmgtyU zeEf8_kuwHDvUixp3LQwKb747 zP_gUy|J?s$&mR7DQ+_=mUq_i< zM%^IbLiA<;ulj$&_j?sV-3|!USB6%4pl^ci=lxZczC-b$P5!sm@Q36V;zFK5b0Nv} zO*Ljpq;%b8r{U^;pFFvLo?RWOdT9@ptx7l`ezoUIQ(8m$k zecAHvG$O=7|IPgG7Y2AZ;xCa%td+~yzjv4{+6(ZN2V94J4#BQVPY5^m5TZikMv#i~ zvKDgdn8;(ZD&Rfckl-1eoc~ns)Bvk`s>k5pRpD0)_^%w6W9`5H^E;u4{-GsT-unpg ztSv8Q`bxmX+>DORM^4jV9; z8J_*K)6sq=bl$H3-twQt^j|WT0ARl=t(Nvj7#qOoqsOfc@SxdBV{L@#hd5pLW0Dr0 z@k|b;Y7-dc?LLUWIS>_&#jiaV@PPON5bR%R0k};4j%i}v$A#ctlw z1<6Zzz`XBwN^dSxw%1?m8IGlcyAUXCQX=|X_@|thkH`fXvE6DUq}W|p2EgYM4*H`; z`^4Dj^EG?nKW$_Hw~P&{>-}u<_I~Lzlt`gO@5%1*7aF{SiRFAGf$VzKvSwRK?*;K| zhFEslg7RVntm#s{@U60qUeOxNp+;#+_!(qczLhxkxfa8Uop@Q#1KR4^_u z=8DthX4ls!sPNO8Zto+YKP<3)ij0B4&ZW@SbD*gzpgZMX?fZzbF2UDr1&y@~5e2QwWp4)DX)969+;vxf5 zOf6nN8ajQqX7{*0h$xUqoC;P&P#*_=RUUE&=^D&L zgh%k<@QPDmNmm+}*ak)rG4iig!Pz*Fp>f}r1%x(I1)BV%?L&TEq^M-6q|xcAny9L% z{#5aT)XGZo*?R5tq|^KT$cO|4xJr!8MKO5FLX<{yl}w`HI7*v}iiPl7mC+*j3~zmEwKq+P=KLBP;G*ZHMgg1!Mm z;QRi6KlnqSIv-XoZ%*|-(_8R=nZ0-vod14*0?c-6t<>#W?IZ#OTWBoX93Rh;9(-+(|ZP}uJylpOZe)Sxn^-tV-J)8>f2=Ip*T_&iKmY?u(P zz3=jU6liz2$keAaIBeU}B1bd4{`xtVPe(1e=X!?hr;674oUt`b<>RfO%j>4FIrhQ! zd>{2$W1wL8&7qHc1p(L@l6~pq^CCG$Vkz=d*VL<1%I0}_=wuZSi|GIF`Ty@tTxiAO zgwc5&O943NAd=uv#tjAZ|@5?~?-~NB>y=PdH>+>#3QLq6j3er(jM4E!q zA=p5qEd@oSM5IX#9Rh@a2#81%2p}b>6p<2Y=s|if(gFksEwn%)fe=UtoVb?jfA-n? zzt6S5?(6z}fG=;7dGloEnS1WJ=XpKY?U=rNV7&VN`Q2X#Y!VPfD>g^%`;vS`g07h$ zEP1<@uK+4Ti!p$U@XWl!!>LO(v~oC1`GZQ#qaJ_8l54uKC?0AZtUv=E9ppO2?6&i% z+HP$?MODLvKVlp)@@5x*-<9!cH|$$;tE3TW>d4_Q2~$5x^GH|})8E(r$Di%Le!#(Q zmd4#S*~O_E&#-G!FDf2t&{qwsJiLwt=rL3JI{NLlmIsn$1LscOqzqaX$TQV63?+>J zFQ25z!cxQK$@nh&8T&1O{ZR8mviDvdl$v)W<_S#(imwXNwF?T&-R~#v#{|wNz~cy* zS|==@*`@z=CI9s<&2PcJr^|+A0KNqCy#_2zJ@vK|OlgC>?Scr>k|Ji(SLc;f7bc`+{6CkSO1Iq{Li8HAHVwFuE_uX!hihgKYsOJf%8AP$^V`E zvydXw9-#4nH8cwa2hvRrzoUdoZvVT{4%&oZ5B!pe?+!Q6U@Ry|G&uO!-rI7fkjbN+ zfJ#i|JS^K+GMC><>mN`OvU)D-;8q4zP#|RNY*zj2qU}o+e=kzs`B{|-b5Kk;6U*q) zUXOe#&qgU5YaCurn@tpbymRT#N)CE4m(TYwE#`_dvpX|0lXOmAK6^*6h-pu}QYYcz zkB7wj&nG1Q+*?H{6FE=8!2C8?!6o@prPMk1$M0UpjyB z>?zHdU}J~#Y@#MZR(yXxAp7x;!d*Eg<>>tTDY<6BfpXIlKQ_%wgZGEK^LYX5*}j4D z$Uk5!q@O42U}R#|aQ)0XF-`Cp?I>?XDZzY1MW10SFGp$ffhe8Dt|sx|wBpsbr!%H#lAqmN%?{90Z%Odc7*&M|*1>GS?= z$<_a?+Yg@8qVNjMOJ`a~PQ*c!h%eY&Tr}-ZNu@dbkEOKCBZ4JIk93MlGx}RM zD_IudBUkk=F^e^DTiNFQ>#yxBBk)Nj_eg#g4jzWT-?&zH?{_4;mSiqYa7jwP&lZ9_ zeWND_`Of(5!y8P>EKhQtUI;eViLm|i0dZRYIQ*^LvsRy6nMqwWS-@I zNy5x#-#E)3ysu&wOf|C41C(lu#xUU?2uhDV_-$+D7Q;JOQDkxdr9+7I=E*V^;N0HyY3Y+1b$=}d*=2gEmQO(yw>*4E z*?O5iW8Men(HXRSaM{a)yQ`?Dm!Yd4((5kC-E)06^;7bsU7f(z-(k;)krxjbkyDU8 zaw|;U*D~gCzP?i$w}4f!kGEO!O}4M-G$u3*dr*f)Jzj&}ZwFe{NWE_OmbfsuDA64? z`GZ@TGIcD)I`7RD(~9(qk$jO6e}^!AlwjO37@%*YOtbBU0{Li61l2#!-0VT63X zX-^viL&MMI`Te5h|K<&^>R{7Nmqn(P6@c{m$3Q-)3&Ip|4 zaV}g!bLhG}iTFWhfLD?BCXG*7LR^7DU8-!3EoUF=oR8tro`TgDASVW@QbfWv zKjOl`*wN9aS1c;byYQl+RoZ{`Or9 z=rzVho@aHBU39tJW3k2xypFN{{JDFZ+!G!h+xZCjhI5JS?t=X9<#>D z)}t)s@H@uG4G@Ks)mp-gb14bH`jQ*7x!r71S}$KPa=>tN{~gSI(foaDl6i`sex?ZI zg%*(P^KcKn7VtVvZGZP`8HsEA(>?Jdk-R&N{24Pp*SP0GMD}VpUsu;X>HzO9ahQFi z;e=~E^PwdrHCw$#9gD4sg!47qxn2W6Ynh!xVWrFB2eZNMd=DTkTf#CQ&{0{4$$&?kuI4Lg=o5f`RD~%Ih=1#-w=o_s@Z>Kb z<>>V`z{l&dZzvX$i>*m5XH^vTm%tN0>B@ZM=j7=0kDGm~YO)DRlt~GY|Hqp-31B`T zw9eUoRHU9)oXk8`x4*T^pjtDe2kY_KeW?cqX(zTEPY*J8>UuMgvVDg`T0UYLnpGoK zdCo9W9M5r|>89WK;4OzhaAAhNZe@9wNtW@6v}I}Kq-WOuf-cdQCsNL1wKz19x7R;) z>>Lu3#g;RZY<=|(MK40DCuzxB;cX@d`;Jz>C{rl!AzwxKW@(PnUTbc%+L15EFDF4C zX%A$;G9+Q04;KYq$A9n{hre#(q&-PDQv12G9Rq~_TFAE63~eYM5qT0%&nxbp+_N|v zSe{Um+c{_`(=*xA-(qQv3ajU6>1g8m2QR$1oAr~N_auAO{`%tz(tTA9kBZTa;m1Hw zhWzDx(xnuI0^9lSi>9Z?^wI!gczfB8Xmu|K;R_-k;19=Z6gP($r|3rTmkLzr!cj+@ z?>sbeP-PtVESKvw6lADg3}jl9Z)Eb4ms|+o>WYwOsK})gBha$RuELsz4z*{cj_}Je zme;1TWEg9z|BX8tZPXDLqUgm$A{p2??J1?JrtPXNoE z^*PMvG`ew)=RM5qnW;}w% z>wd{~&3Fj@eDheYev-nAh7P{LfK6VtQcx6gr!r(=R=fu!xGtca5Ar6ETg%iY48Y}r z1=|MtYXT$5{@ARUDnl7z0y^OJVdK=>Ajpa&4#5>&p96ew0+Lh(H4C~JtcgE)i>Sia z_Px9ER=3RaJjjt(BR3Z(9r#vE=L_tk)2pRovDTL4$%woR>sK({4M7vo)P>;n(Qj6@ zXISI<-n&a&NIft23wP9GZv7^h{*97QRzQ|lif9Ie8ci~D{|VP%&A%9c-+;(u1ChiH z3V6JtkzQ)14*P{rEMWvaD7cX;T4!fgEUfBcvb`McSe&5}*XeH-jNN77?aIndYS|dA z&&2QsO~Ey(w@5j4e>Fvrj1sCb?5S-@^cMaeZlIvjFo4?r7L>bJ$=@>YxdguwD-t&okU*Fmp5F#pZZibwNTN*w0IKX4C`$# z9a64zJd{wbcC}iq^8J!Q%2l*<$n0M(`&j2=u?WNDBkm$iq2^{&b~ zEyG@Gql+4bD0>*(y}V}P!B#P`-}BIMT-LmH?cnKE$ZY~;bScF5HqcRN2-oIB z(pk=byhKQn5vU1_t&&UMmi#&2Ea?TF+f?ZEwm3FOQ!9pldz3BQ!Qz$2ytHzGcM|?Z zRcb0)rFk7(HoFyd*%NIHX&cWW<{2gLc^37o?0muW6bfUJ2eofKtrZ8L*1X?(dJ{8i zRAxK&6VtdmPG(XQ$LtF6Nh~I2(|Hv&3O@`oHLlo`!$;`o(P=Ty<-UX(_|5qnm3L>k ziI6(mSH!O#X`grsjCO7;m)S3F%l1D~DDYP4_+|ZtEUDgazI@1YQc+WSziODIGj)q| zQ9zyd1YEH`e~-MIM&jj74>}4>a&61jt>eL0P4aH|q2B%E)^3=ZG|@T#e-* z#5aj8+pZMgXsx6dZ4w>+^RoS&Pt~>4x1QN~JDJx0CFhHWd@~&jP}o^!9ccKr6k48; zw>Sl~zjBy14^}iJI`Lx5Z`eT36FMNvpFLyn>K??irh&eGfm5RGeQ1J@`=Nqb1L(!w zIDj;sEPZ-rfc|L7v}SjVd&s4jn49WOCk)}AN#M9Sbb=gS8kZB6Pukm%Fj-z9)3#39xMo?jkEg)@#SZT@TkwYbkEp3r z+24zbu2i@p>RcWIhDX$!7bmvb4iNdYm`uaIgqgjQIT+7IC!s~9+t)xe<1Vp73MF?{Gy1(SUzY|b*n3CWYZ&>7vm*ce z!cYz*4TWUF(tnPqJe_QQ?^H>ECR~#hjD9(J`36%BvrFv+WuRxG(R=dp)+gWhzP9rA ztB_5i?9YImU+i+Bo8{>N{;~>XUYYCZQg9K-y$D-k`-6|Zv>)nptj+*2<3TL>)a@86AjfjQ-JuPslUuIqEH$bbgdztse5N5+ZYJsuZKM-Nc`F2*jYL zhx+*9&cAkQ%m$TY0)s*;xx+qh8kM0aK0-g9ssZaM!ygB7VYSy^j zS2-}h9$+BUT%)B$w7=$TIjnTwzNepN57W)K^n<}v7}YXp7&7;zs0R4y`1928g_cdM zTVdGvZhujkLn|O0Y@9p^Ix^pyVflnj3o{ORQGChNy{`0yvt@1#d=lzfhefGy&T>oVHejWxx zq{FG1Ifzh@`h`qgwYM2tW4c7VAdn|~)7=&hZOFg;DGjiR>=FHBVVz7-tBj=u&DFyznPBGXE~ zTA5I)nVb?eSAZLj)$kVBrE-@!qk^XBLk<&lwvp@GEoR8A2xUtD&Am)cevzWG>F_2< z87_@p_G8$}ZUU^^x0V?A#EhREKg+7}!xR0+*S1K3iZS5LV_lxzIiF(?`lHJYSMece z0oxN}LZ@)dkkbQFg|LCG{+Su-C0ZhDQp=GX3(L5GlNBu&%iH;d?HfaBhTU%8|HyRxg! zaQ0x3i=Rv1gEj{m<*%v(r_5)5{t#fmd-JP6zOmXidEA}~PAHqOt9}UI>Fj64$+cCL z(Y}Jx1oXx*Nn$p zDR+(aRh&muCGy&m_k~BcXk?O9k8z`*a+M)$+RC(5>JN$cP){_HYUEZTMAvINlAalq z+l8id4tZljn>Ks9)V2%vSD70SKLdC%q8%X(5jl#qjxvY5hL}l3zlS?qMVyU*!Yz%; z)5g;s@$p5Z=i}<##(~e&$>DX?@7u76Mx7E=x>6?`^SHF0ge+|I1SiE@QG7!8m=A?~ z+}z1xQ`vgfxe|it+7f`DI`^z#r%{^gaNQESte38iQEk{>{b@?w{uZ#(jI~tu*vytn zTf3H_RANfN$}O3Rt#^EH5Xa57TMo>>6yKgbxLH%GBe|Sec_QJdig@4XUi3epweEKb znaim;*50y7t`f*NG5I-*HA#LZK%n6>*lIzI@0gdyxRLF4tL=naY?a4X{YqlPRrOTu z4FTg6Rq9qj*_^B5jh$a?Y|roqZ#XbJ;k4Q{4aI?;7{b6&yz<3OzQH>wb=2Z+D&fHy zd}QVgpuc|YvNlBkdRV(%`7^;%DBjS~z}gITO!;_2x#HT(riNI?F#K|m@>O3M@~N}i zuG}e>(tujOhdhSUy46vkdjl3v_CT|qpDPzj+115^GAOplrm(r2}&^BMw+=WLt z%mGgQ=*O{q=CbkI3S8FmYr}Flw-P;fMGh}ceDEB-fK=w7TT<%XXh}mGSkPh%(F0Xl zg;1pqQf6q#odMUEEYJYk*EV76f`uA?O-zhP7dYEm%mxmT#dp-NQ@Bt(O5a`DqY^$v z5Xz*jg#WZME?KRok`ba2OzZjV(Vw5GIo zea86!40=lbm2~sp37kcv#W+{NX4V$Ww0Q-4fz!yFCXcG#QZ< zBli=a%eIg-mqtKlW`OSDo9@Qup7~!Ja`zZ4+D?GF0yXTGMl zvzq4KLGG(2G)`_+)6CM&ZuQ_WyC2YEIRE5wD`hHo^$jrF}C9WIbA$cmJR>zZ! zFgA;rpKPLap!$*|Z&Zm>U>QIdwkP>@1Fg(k?k`gtYZ110L*x(H!Y|2)g~*^>E8R=_ zAi(e@u{SYE4EEC04vZ(euazzpYi%>rJ0M&uXfXVRlIE^P?}BP$gRJEDXHfM6`t33j z#!eNEYF$Z3wZ2}vGfX86yIgcG0yC=a7|k0lxonVu6PtT0E~Zo+`j-#(rOG$jO^u;x z#e~atw1;zZQ-z$*8!H8?U+#B@nlDUM=_DzNCdWPpUr$k#ECOl=+{>Bvhi#zQAERe* zsXya(YE+sxY7jEv-AIIoS=}DbLqk251Ona5>Q4E>D$>l{-w3!}di6B2gfC?KxLN$( zF;P(l^~z?cXCrOIkHwk>1R#o}qJ4%2W382Ha5XnE`xBii;idy+qb|J*=q=T8?71MW z(_q0@>dcOFE`1*PVPDTmt}q&}ZRgEv7+&AzZ*^V7sl~{e+WKl&)5d8zA9a=98HF7( z3{ink1(~5JAXv{kO7UO504fYMJpdWaDw0PC9>E%K>ieUmLD)3@#V2dQ=*>H{vCg48 z(1oUAxH&AO&48=1;RpYq;Z)G@USbKSOr{{V2=PWyr9UvE_omDzHR%;yZARakkvhDJ z8Fae72NUUd)h5NxQbtcWAs%2ZCVRpA>`lbavD(Lo4=DGC3QF*iI#|-CMFA`P;})u^ zUFEMn9TLh)nItXL8hDTr7_i_2{8|&BwaZQ#U*pHM8~6$=gMKXym?I8q2eN&7rEaU( zY0W5I!4p%(6n}HdLUlAY9YX|@x%|{37^aTM|_J9pilH@L1ETBjpwcC4Q6=j;9 zmYnKAEDInfWGI6VP|9*Ex{`D~ngo3WD{kKzJq1>#pA_2O*+{QS#vUzJ+Y^zfHeXcHaOxi*8rt^drk9j*eN zOxIzRUB$RO>yzx`T524+#HaEryl|h6!EGc**uHFqg60cxeOtG2rTOlaw_Dh0&$rXCy@z8!$nJM75%2L$)cY5C9 zY;70{JPIA}dG&aht{r~G6Z2G=y3ShGLW0R1roEC}WQE`d4-`>38E_L^5+G32O_tyl zL**}&oQ?%#ql-YrFiep56QAO#bpRl}lS(pH->a=PALrM}_MLsMAO@UbHG2-Q5Hc@N z>IjT#WT=ce?$K;quxCwgP`HQGbr+jsJ8U*5H`-m*KwriT?};2v*jfZxYE_=v#@R1? z3c#dea4kJ14_v#tyV4*JXR885G6D5S zhI!m?MBOe1KKg}fn-)32U={y?C3jgON8p7n61Zc710#z;xr|Q5m?9hdfi2bcP@XPl zQrw*i09<8Njp9lTz<*6*6GiazCxD7yTua6V>5RQVty^&#f1_zU6+68XY-YFM3U+Mq zhzDlGM~VnvuXvy=%cqpb)lvssE1fQ=qs%6-3y&g(ju0sn_z)tYmw5f>s3+WVQs<=M zqFc)5=FWdKyvIeW%tF@`Tg#LbLLguqxUxX&I#IEjbW1*74x`;7r`a zRqcb7$E#EfAc2NXrR3u1Hf)(mhr1wR0vB{Ay--L{Qa0t2+;H*D4bSt%_Y{;p{T+QnDxBSHUSeXa!mB)`PVbvPcVnMIgRC+J2NM6a&)DGEeXP| z%HdchFuK4x1?^}yo$EJyUhX@c|By7cMcOwJPU2Pjys59U(HAh*H3e+Qf%qD-(FlPH zzwYz9i_ED8u`?d(m17X8@>`&?`kQlS@IT)`-%Oou1z)hj{2H;EsC>Zw&W~+(63bL* z$POII3vGa3LFHyls2}vNYd{hyx{;A>8FNzf={?jXJ70WOe{e zsYw~-OOc1n#G*FE%~cI&)=;^7R36+$59B6%#4tjJ3{hd^QTqnw)Jb#MPvYUUD@L_l z*CM8Unf}?zL8!QsY`?T^H?Kn3TL%S_ZQW881YrlO`V@X4QM}N^ z0^d6u7rl|RyeM`NiAHz1#o?Q{_SefVkpf^r$4v9 zgrq!S#i6cB90}FP7ms$?yF2hDM+V^ezY9Z!~qXWgJIvA zz=AGFx4Y*jQ7XBzeb$d?*0qjiC!=qrsg)M}T3x*B_*YT%}MlM&2}D? zWjxO*A=4*jD2TziI~-rAi!qQ+A5@%}COWM=|BRcof(m?)uK$cSj~6qu>$YZpq%9kG z7VQH;;#ffqZ9zc@m>5yyqpf--9dENU#kWfBz56w~tC6$u-$pE7NcNiHw*2{FNe;T6 zy|>%OD^E8UY`KT)e&o>X)ZNz^>^s5`0UayM5*S}HKsWpI34PLuP@2bH_xB_kwV3I=~@le$I~8WV?2ytsv3nrG?|jm z)!=T4iRszvmB!(VS9dxy zfX6xS5{6Mb?uNjC61YWcvJZz7{Nzbrj*ZJ_FpK4g6*P+?wWo=mx4qH7C0(r3F|2IU zIer8qT8wJCR|b7ud6;RAxl|_77neDKL+a`3r7(IA!XXtF;t&@Ue?OI`igzG#NF=Xz z#OtGyV_VldHq)V>6F9zE?-q}SdFlWM%N%-@vXQ!th>aoF^PM{%1?*3L<%~zOTl;@t zx89dkDa}wluEbaBkPNr08Ijri&cnsfm2rPBt7r6*Gg{I|W5{iG9saYsW@PTBI$iiN z*goGz1#ppA;j5Al{q?qY(^+)^)|g-cH(v}mF^E29jTdCFhbsa(S}ilzyt{_>ly}1y zQFZlhHkjz=OZf>N^8yWFIAqku?5@NfHCf|vP}w$&kLtBl!m0FYM$J!^;(QcNu*7~y znx;Lh`HFPAe-Qe2N@8M(VIZE2e&)`5+7<4*1%!-vZWT;rgNdaY`4i{*=B@g^)8GJ_ zpebIcaA8WbAt$@Knxv?OXv4_^s7>*<(3pmAI*ag^d&@$pS8C8 zH~n)T`B(_}IgrieXcz!U$O+0@emdg+twC5-YFUHf=a!jJv;jUU0=C;&J6EKwFt0I+ z}jMQTpp4fOptunGwNQa#rk|ir431EN8QKgs}?F286sLS;^>qJ8}7EM2X z_px8bZD_ObmO_(Ham^h65aLG>)U5_JhskIG9y$F^EG`#s!#JK-lGka4m@Sg$_Q(%m zaU0F$;*ELHj()1Fq0ViaoIN8uEIAA8m1icC5;qznCOAguja#OrOy zTXEwI1qTMheHO~lf~F2d3kI7X>rNUb?fV`yoDx>DxM)N5$(5w~T(v(HQ)E=o3`0GD z&@Km5H!3|u*TP+>`Pp+r35h6|lK_v&J>`xSKS@QkagC@&$b82$O}1DoxDiUH;(Qi0 zx7<@ahsa4o_WrG#)6DuU^doMc(zKLb032Gc%FpCFfeK?jy&{N8nbAeZHCNY1eT+wURC#OHWx=u?U-&3y!OsAJ8&|)&)c`=vuT; z2IK)ecQm55`LHN1J~`Z${(S}+xKcphic}avr?(^3o}svYWy%x83g)J}UDR-+FOy6Uu|V+xK%U?$9+CZP;e?i~GorXq^p0RtwgCwJ4jR?}ve zFM!@qV0dI;$z4F3?{m2vMG0Ptohks*QIP@gw=^H2c^j5z5qf>}Kq+foXk1E1#-mFO ztX3ubtDzkcEh1{jrRDqqINJ^}?K8Zaw&_IbUMZLJuXuvd12dvZrQA9U{jvBWdf9RL zNhJ<V}cj{JLJ6ZwoVoZ>Z&DL;0g&h1j9y{Ns2?ZOxOY1B37N?>;Fc zjqg(ykz1&tu^C&}G*__Yv&PrnzYKr#)(6Ne690h&^!fV6eViI_YRtzqm9{C|h78gN z57!ytEBc;9mqqMvaE$FcIOuk+ww!=(0}5xO>{}+6o#%>6GcMnyMclJjjqUT2IU~+L za2OmgV4o4>QTJDL<#e`R zGJBOwZz*KR2_0D==VoZ&)BkDtu(xnC)dpjqaF>%i#R3H`IiIx?W%p9N_aD7;*1g}6 zQNaMd0|u6A`)_ZSbnBePEWiD7b;Q`dUz&;>A%M$<>ryqE{0VPS677DfQ5(6%<^yg% zFAJQ;Rioc1LJ!FNMwFlJ;phn4O_f7?wuZ;vdD@2NFb;}ec=5zqzn zvdP2@*ZP2dx5Jszxv^Qbv86M2HEZlvOs4ErN>O}H=s^I#V(bLr3L7~Zc@N0JSe_W#?OTOHU8ncWy?Aj-&1w_3TvMRpI(&kF-;twYt6G4lF$64SNYFY zIW7-vPWuNDZ}k%?c8;w!A~#2xL;` z_NqDxsf&BF@nq)q)ao@#QJ8nZsIq`N+;Ku%tMRS>d|l7*^_E&L?3)oB`uUS`F4X}piF;JrDbI2@mQ=+Uz88MVh0j{`I@$Pt{F`#XRt;% zv2!;WGl4P3&LdwuVU3$!z|E*$Rh8p90{`JA4<)!j9NlXUxpfKcqX%}|9G#%2eyn8y zA0E+a?Dkp{6waBOrzNS%(^1lW1Cx_8ua+=b&9U)S#oY^h%Z>t-OhqN~JpUx@|0Z1*^Ypj~_ z?2L(-Exe~}RU&Z&_j>jc9JqY0+Z5m<>@)%~y;uTH^>c`wYILanCAkjZYapsT{v4{{ zTxZv7$ml1`7>nKHr%(AA5(13b+h_w_zk&RQMcA0R?`^u1>Okea)%QV;e&6S+b`%$r z8CWSezQ^7yWgpG2$g;^GO>OrZBeSdcK6Gl~IKD1XNIaLck-do>cW3UR92cIY9_Gsw z4XbhQntNr{N1nITtqnJa7bJNjYr`qJ#xvD&|Ip4%EW_f1iPQvf|805j4Yh~H9AAyFSyBJQJDM>@LqYiC)XXR>j@^D@4bfEj-jl6^9J0vX0#A>E zz=eIXc+%j;;4^vxvjaY;())-?V48H8HQHWwVO`yrlTUZH%j2E@rTPR z@}xIEeb%{j6Pb(s(TI&x>QPikha6?W;sO{F^)yjooKz}BdG|^O{;i|5a5>t3VRHFW zxS1Hg+TjNV6iU+@%%TQ$e;+C@NTbz-+*?_SfHh|V8*31kFEZfG3N9ywgi7{x1 zC2tRZs%p>A80?Hd9%HA^V>}E3Cj{gzd#|eMkzwT+dJV5#xAZ{Yv&VmC=QTz>SfIuc zYOVAX^Rz%lu_xzQwDy#nJd<*9N@>s#Yuw3*;X5c+b>02YIQcr9t!K?E3eIwTr$g(sP?(@mq={7_8=w`^!BGHfBHO1X=RFr>1nR z-DCJGMjZQjq9!ysB*Q&b{yx>o!h%&c)?lG`{2&~9Z1sr(@7KZ?+srd)-!=R!0}&ll`Q*4v(31oeJsQMn?@ot+mTz4 zu>Fl_bv#Y`$pmQukRh%bl&UnF=$uL_1y0S_kL=0 ztd`xv%TB&gyHIW&ko<-C=x%}b zKH^!DUBqv#NDgSuSm3SCyT&g<^Hd%WVxuOQTe2SJMON7L=QQ3hFOxyDS1YER7ah>} zFUjN5$y+%GHd;|ZSB>s}#M_sR5G!0H*XU-8{>}`b;|=a*Jh(?=8>bbKXX$$GFY-Xi zs3G0S54xHhvweq(`gOB2EJ+NT7vMYHJgk$%+f-4C9e}M!Ex&2x=m?tWa2l>`d{6^g zDOo>kKjB_i(Ke(p%cc94<`(^Yv0fqU^lw-H#4f5GldNLw3NMGVHu-E{Tjh2EHf>c; z5uU5~F607P7aYPrZ>uIJEg)jLx}{rkOi{-*fW(Dac9x_gxj2=Hk%Ru1>tCxVlig3K z?rgQZdmS^QawwS;DU`B%aZ!Kx-y3>)PEApaz3Bi(*rlkawLbP&q}Lc%x%pb+IAd(T zKhd?7X|YQLB_U6+kU42*$iaqu>kvrSn^>ezec;qYePfNQbKwJihc1b^9m53GAJuyq zO8W3mVOXQqqHx>oxksJJE^J(7qj|<}2{TA(d2++?Ud)DFdllawrTWTC#zYM!k-2lt zh1Q$;PQ#cSuVMW35my5e#2`BOKq6Dnwc5fA;EVk3w*>2G!ooLb<>MZv^e%|gwtfnu ze%j``R5p5hn@zodRT@NghM^I6do5oDCN%@a9rUIH&}IkgVa#ed9af561wox+z73|MVS`*x!5pi{VCp@uH2-u}bjH zod<~wO7?FyJT67^ELohI+TC@VPS<F_7!0!P+vqQ2p{qNIbGLh{Gzk%x(b=2a!%o;E)&T$rjdVefKXm(J1NiNM$% zOseN#+ag_523^Nh24&#tV%nA}5>fD#F(XJW#A$rmK;X zTR2d7lZ`{$Vg1}{z#0eNVLNI5pz^cZz5sCe&Tt;RLmq#b;~UL-?W z=Y*f)J)Ov17P1HslgC4`0~^=s{o{jawdMH;JwYs`mmAs zL)O=)G-Xze(~l{fO;J4T>lO#+t4F(dyNOR0;NEGZuZ)d~11F_)6{Got&1~-iRO_8SG`YsCBj=LDa>hMI*iYe)kUYWv3pd~UygfjV4i6Sv*8FminX!vVUx!^(+k z0=7Gyo62UmEHk@huUVRSbO^Eb?A27) zeP6a;q-{EO6p90RTVC`)6CQzp&wmH%cNn(Ei6@Wb?}EQs>{9mg5WKoygJx)bV)?mP zpLeG{pR3GvdKjQr>Dk549-X)tIdBk@LEu2Y-|eV8lI`1e%nX-!d- z<^taE1)QPsNH{%=9XMAH^?Xxxx81PeG9)v^UD;*W-^IRhKX4-DgNAt_;z4nT);G^F zDBLl>K;`i&Mw*+ws+)x}7udkwv&M@53Y?N@$css0J2b^3RFvF8t+VE^pEsUsQF2qb z1{rND!ja0+!`rC(YwwQ?w+8{tNag9Er7UbM#;eFB+06C{CVq)$GXB=B+I|C}bD$la zG^^w7vVK^*2B;kH+fzr$(R=vNZU(Z`z1;s6Jk@+RDya&HtzyMKv<(^BMKocTM{C7swU{Y`v|KAFIzbF8)&Oi#21ywDIH=xO1SmW^eWkUqB|pSntv zw_+;Oj?g)B{iGh&`(sdg|3*iCpn-~R!Z&Nb(eMh(3%?Glo6wA1N}%VzQXrSVkow5O~~IZ8~VtGZZiI&3bP{&%I$(&La!R z)4Td{3RjqZSYS=+?tEVQwfCCZd_zVD$AdjY(Ho%Ucf-83A24CcQc3*}Qa)_H`Dy4t zH&qrdZm`8r_AAMD9PVEM&yCJ!2_G5>!ruIR5$w;|efbZ(lVQNSG({%UIoXDMF43an z*}=rVBa_!0@xg8i{3Er!$pEa_9+&sa37SgDI?jHP+{|=y!3cJ-!(AmHe5aTpBEcpK ziM2D~^8eby^G}L?4^8Dw3r)@NrXjnFWqrFgL4XB;ZPiKvI=Ax$&Y;}lYM+tXfr;c> zQfcq!2$<@pRFoIIm;T(+b!sw)qsp+SKcD(hAp9vx-0|Lw@Y;x~$R}~n#qhDJnZ$XF zL(T|zb=|4uM~M_Ibms1~vliN0nY6w1Lm-ZFXpWU}r;HqPQ)FU@&lzOe*jIIs&HLnb zq>7(%sR@U3LQQgJ{9~Y)wmaBvg+sX%0(QXtV$PwJUZ^mW_x``87)-bNV{ zrM^qXjs^g8GhRDYau@BMZaTqtf%<7GZSUB zD7waiPl+q(8y4W2_VO8xR3MkiZvxY{T(r%F-uH^h8E5cE+z&Xm25LdQ$y{jK_gA-}G*F zrO?=!rZ8nY2|b~-p2E1N@C-2z7d=bBiy$Yzdt13-)oMM@a?OT1K3*LQ zQ0wu}HL?DuEPJ62`LZFI2WmkL`w1WyQhr9zmZxuOli1rAzb!Y-+jR`<8)0j{QkL#P zdalTu^q|wIqI6Y6S8j$i;d@&nSKFcEXDIvr-7L=|xnvc-A+Cw>0|RNU)eedD!5JqL z3vvtFNNmAU$&s}SqlgTHZ(l3`MflW>);_oICni2gGN!AY+Ajrt;|mtV_EtUcV2y)B z+zeXj>raB@R8f>qilZ9u6ApJAtQ$@M`ra4dmRkH1&LVYP^i01;OSGT-a>9wmrkjQ_ z8SghArEj>@m+*XmHE9r#`~MKqOw4B(&~=2l^Ai)&FgXqWyjKYOHA4VneK~pJm{VQX zd!#DV;$9WluyHaDd~32DRoQ!EwOIwPffUfgUW^u5ST5GZ3gJ>ad}ZU4R3*`TQJZMy z&asHaZW_rj4B)l|M0f{PLNy}OwCf!Nea#f7UEmHyRzQKuGc$hHdD5UGq%yV^^eo`K z6trd3PG}LZ#8$lql#dH^jYAPi*7g|k`SK>j=@Q3|3TdvWczJ9ZLbAvNZ2Dz&Ls+FO zzU~fr-_mk8W2m2C>S+@}lW)iVsi(?wp>I8PTGHv8@^Vm|Tg6}+SZwlH;lDJp_laAm z1Dkw9V-7L8p1>on$C&+fZ`$|5%=0l&ZOqGF#GW54K)ivHGfFVi#XKnV9P?(Vu%3rS zOg##bF!aN>KP85F$>U9Wx2^WXi10*P^&J(rz1K|=TN>)sT26fqf#AmtEYQ!~{4HV4@6U2IRYv7w$CLzXoIi{|6$M@xa{ks2OCp8Zk zGipymR#665u~@#UDH4*>K0StGD0-8w(W9rsCwEn}$WD3OFU&q+*8E`PKy=TmUVLNh zwc|b`Z%t*qA1yLQU>O#Tv4^~%R(UkIz$6TASURjo(zeC^ff zLXFDi_>N3yI9W@)Z1#1P$jW^t3#hmz9WEz)r4=730d zcY{)gPU$>!$l=iS->AQ<=YR2z@s9W69pkz30%7g7*IaXc=Uj7r_DtHLBG9Mry%!$g zu^dFCLQ|N1=y=va;7#ZVwQKNyD~NhheT9@U@@u(c-9{s#{T{vVu&ScH*~dW(33rc> zaBkb+dJDT$(laByJkjZnqi(9R_~0Go?`LAJ*i6_Gi9QN05)Cv1Xe6Aoa^ z`mZiA#Yjc0mhSoZ$GuCYyk9Nz=*?9-8~*N~d!2ek50x6 zedpxZBLis!ne6nKwRF}g&clMd|4tVOL;@xhN z9*xTMw$Q7&H`&2M@>4f}FhBV@bT~5Ld!3Qs7@Qd`BMM+*{c=&95<6-PXt0ltCfS31 z(z~P&T3zHVg%y4zEwVu@SP#f<=yJ>bfHI@@QGI}9OghvVK#e-m&$fjzEE}iVDlwM#zxo%4dHyx(bk^@Q&_!QE zlYK~rtekY-2w$yKT=Z0KRy)8ugl2g!1y*G-AAo@M+J>cn_cZK8v;lAJU(b_NGOPJ|5@X%?iH)*t8 zQ8PC;Ehf4gX%4qdzC2FeC-zp*=OLI@o@RKeC`h-*Eku4LeqMJy^XziNYRKHmJUzP9 zVNJLF=I6vMyIlv5*;U;@__DW(x+y&;cni9JJY#%Red{r-rI1g5-M35gY3o|(+5E$e z)vKjP`oApI+ZVnE{1&ViT=TBBrhp|orq3Nh92{;s9NDjEx*aA7MOcD;kep`X=1saq z&#w+cTZ(f&@c|cQ!{>+6%LU3!KSAR?&;_cr)ddTPr|a02&+WZ*>z8vj+rW6f zaC89%QN=Uayj~wXl2iT3>0b@Lu%ePy$f7O$`gnz{ez(@tbw^v(6S%G>mOhmZ7ovE& z7`}mMn+$(jG}~I-Juk&*`<`I39tHh_d$`genA@bcU5A1N0k-=5^=scIyH;*t(boH| z)Qnv2ZF4dv;ufqqq1Yq}9h;gb1Y#0E!6h=)(}l=mvo;z>M9jdk-t1WBXX}Z`f*tGg$d0QT@ zEG@!LPoY9BedoIbTeVjSA5Pi^-BGteBW*gaI?3F)rCeY!_f>p^Bc`r-dsNdz&-4%1 ziv69=iD#N-0UmQsj%LR2`CAVbqZ*bS8{`Z=#^sxy=R3pZ*TXcB1AbG@FI)N-t*S1- z2?s3UuH$k`EZcTnX!iQ{&QL2_X~_v>bQi7$ghnwgq;>++W?|0Of!^|RZ)TN-(~nd0 z(pJ!__S;b(9`K4|rz-ob^W zWd7Gx$G-XDfiNx7WR<>@XHB)wxWZ4?+7Vyi?8)0uotGLQbnL4-n^Pc>U1P+K$R1{= zZ)c9TmmS*dv`rl(GY*vr*sGp9ik~|=TGZ+^k>=w6 z&^~(LVT!k>-r3_azjblL1~K6zy1JV>)Z*Ugv90l$BCgKZTn107ohwHHP!Ks%`40qO zzRc;ACNs(Mw?MNVm8)v~*vgg@_o9L~1Q%yZQ(Jh57e{T2XINOTQgSBB*kIv1^lo1H zlG24hhkyny&xqY98u%{SeW%T=r4pp+_t2lMTZ8I4I;W)>UnA@oj)+#Al``2L;WmA3FHPhE>iumbGuwYVsmR|9r zcEfWck25^;D&_N?7>vY>1S}SoSWr=(PN{X%(ly+)MjUs}i?b!rcY!-JC(E08__EMM zN4;0#)m-^vTL7(f><}p5F>-qET^6FnuGgN$DOUl{&W|PlSoMvnJg!!s(7D;o+Znzt z2BbYo!eve+b%jQh`)d6a35h9C6^6jpj0ym|L?XCYw+b|lqGA3Almd`v2tXZ87BDQ_ zLV_fqC$X_dv{EblS+pWOm8Mkp6b`YU72ywka}7pIS%CbcLv8svN9st40QYY#6)32x z13)WvTvKvCKXE@;*O#t;m*nyQpp`lw&USBMPB%M3EEdqUngfcfy9GuVeg)vO{wJ%8 zM6;QZ}wTkg&FD}b?<8=tpY6pH~7>k|e$<3=xm6PAA9{=4F^i}&qLt^JLs z$Tw94S{6R4+)$c_uqMLvM3;u4a4bso0cAx=1@tCJ6Vq5n+2t{x2Z&&Maxed{3^_If0@g>fy+IJrLuh zp8>g_O0V?1&x5`W1MV;@h;T{%<5}bZ7i$cV$f7RCKW>y3!`$*9+)<=p8WEww_|3YY zVjPFHflqJt)ExHGO*S%zr7dala$L=Fxhwx=eg0Pfg>A~VkK_fg90TDB(&lS_FuY3P z4^Lq6|MUr#K_q@R11?%E$H~U*s{O2Hf&0QdjHou&9#wW7@qdg>N*`opz#Mg}_G5?- z2Bm=_HF3 z%!4KbQueRt_>Bp8549#$Sab+jFTb@&{YQ_h2?gE*m$cM(e-XlmWgrwUHBHjM|5=7<7-B#;x?t5Q0VJM$r@V$R7N*HQ(&N5~ z6apgt(kB~nHF;>O7Kjh5#2l6NE-4T0;aI`{x^c}=lzew1oTw8~INk$sBm@2ZrbAg&4Z8B!-BK-R4rY8uA-gNoQE;Ii|0-45;0)kTr^% z?E3SC|G!plCbB;du<#^Q;zb&>h>$rSFR~Q{FndBO)2{{5OE04}5&wm>7r%ko!#=VC zVFU+2qte4FUi_JSH!yjZi)SM6mr_{|Tu;`JP=rDwWHSEL+LmXt{1?Awk)K8rBLX$3 zzc-o~p8W}I^(wnBr%izfl1epXKc@@;QbC0TBsAmv3qe%>*2d3I-tQ_-KF}Swl7s!N zrJ|7a9|7X~qZ#R81cVn-X%7Q3c}WN6X9EKk*dx733y1Q}%N z9jF0?G6z86=&V;|=>>>|AIDgh8~5zLu}KH^)I%FbWn@j_CHX_UQ|3&(*LFQA3;gkZ;#UK$rF?udBB{; zaocjb08SF!tV}?3Hxem-8o-w=RE@j+Pu-~eHDPJ#>SX}Qnh79TU!DPw)_VZb%5i>? z!w zqf;7EWT27a+ZO;Zib(XgRnDmeh>0L!#781z&JU2=rbpDT$dJegD;$rs=);Ak^pbU~ ze^*vxJ&i^e@%e9}yMH07s+qoXbt3N^d~k9Kf;uC#`6*NLD`VS zpcq;J%BE00RqTm`2Tj+2!hgyp@%Cw1mq>y z(L?_|>dxPh}&yj2-`t^ttKpNE2~>PwV^uvp~cOCCgLyyNR32k*55Z z<4Rt#|3~%%HaVvW&_W4mn3YApbpjayI+BU&ALFv7>Ts?qjg9Lg8^s0o!6a@>*o$XK zWRfC9HNe+77d2X z>?k#XfVtO-=a7qidEEChn!XgsO6 zS}+(6vhBhBw+lySfi2C)e;X?J#2)ZnYo9Bb|BRInjJ03$ilz-E$Kb(TlCJf9jRv+B z-~Vo{|KD$|bjm)+#TC#UTTITPpr4T7>ilyy*;z*l2;+V~ns{rYbO#BxE`upS2J$vRP29o!X`q$cR&M}*zvDGJ(2n#NLI1U@P-Bl&|cScISMPt9U)v1>o z83kR>WkyO>ukFeisyT1nWjlMB5TXIeJnb~)M~q7b<} z=#*N|Ny8I6yT1WS%kzB=6R(WxTkzd>^k!=<^mCLN=5w+mLSGrH7pZ=mDvNWLaJ}Mk z-CL-E${7&YZ6rS6Qxl)LfgeAVPyEmUNrXF1kl2>R4PXsn(Ms<0zWFsUZeikt_UI0F z!aquG3PE5d`{Ssm$y5iQ`^~ZtJ%s%(Bk`s&Dc4Nd*DfxaxA-h0K7i0uG_kIGA9m`o z;>Q&sAi(mX@Mgnt+;KUMuU(^OS(wh-XT0kQPk)&?#o1E~2}9QAJgh@#H{}z65Cxt^ zADLuu+8;`LDwKIMrIv;INe+`iX{bO61iM0V9ik3H! z2NG~E0NcW3=1BZqeS*-n*Ot%)9=lcCL&JwsA^-FWzRjHYrK1v3${~2#zHSm z#k-Cdz5@fz)neQybqV4vWj}=Q3DxjuXEg{b5);O*H~T^T`ouqctKI}$6eBZVaytB_ zvP?ge6JYCT_XQmCYFw#eF;B!|RALs8!+@PC&6 z`gQ5OL_^JEqLr$F-ELfCcYm=a)5y?ijqNALbBr@mO9-;z0fwdF=vZXoj}Ude5pY68 z5GmvRw5}2T$q|0B4-%@f;;5mSG@c3N=Z{F9JB>Km0{;y9K6mkG8sYUGKJpUW;vM1L z`sw3gGh5BEB9WOY19rrl;KozPlh7yo)>COY`^a6t*2I5&D~bP7`YQ5_pSdv?V!}o- zcUx>W5s_d!8a6YcWR`=Yas|$fb(VSONPF;8=_a1M3zV99(h&)2TQWQZa3CqcG<|Ni{PVSM?35iFwdhfM`JnVJ^Fe zX#$N+F?bnAL@z@l=UjOmFQ2zd;h4p-tL>L@cDG}wkFnyxH(p<#_@?FE?`%RrS<}T4 zXGO8Mj-jzyX`T4)YndH9{Vvtptb}BqiEk;GXbtWfU(eGBOz*8$F3C`Qp|e>*8bm4! zH2HCWllaoze|+FN<2%3pTtu8zL`&geE{OqNm?Sshl#>{H5#1|~XfwWy+|;B(lS{gg z$2vt@)_lJ&8pwVV+r&SvDzsJgmhkua`SQ6>e1xCj$VqA-?hYZU7-|!P)(?8@XmdY- z4x~PAoo3q^15f+2+I+gHX{cX@Oys&xrt|u4_vzbi2U4_XoERScZ?_=XvTc`~iZ;n+ z%TKMNiBd?nd?h@!6Fwg0?>$h3h3)$n`;L{oZ4)9zj5z9KVs(jYypWvn8U+HMbh0r!2GKD%4gFiX*UoFEt+D}sSqu?G#mMYZbpv3T#}&X2ky)F z+#L2;cZ2wA1P_)aLe_~8(b=80b!FaV*06QSp+g)(k>&0hrg3LO$7H~Q6D-gGCB|1B zN4b%@FmjKK*x0F)UeZC%>odZE$988gMRLXkiB3 z<=Z-rvgy_-UwrpL{{^A1?l%yYt@949SFxcVBP<=Fu8u==cY8eVBuu!5_WSu9x8k{K z806cf`GwUR2K#w><-hTUu%JfojiC(gSr zSXA}6Fk^J}!!7Aak&o+H;*P7;u5`+{M%_o@xz2DElIc#3#+&UB%8jr+6B~Pa!VvJB z)q#`Of$I!WOg)ITmYR#W-sm*D>6Av4&@?Isw1_30fCFPEFu4GQvo|$e>LFF&JXc|n zN|W(M&d9GjcERk0DPO_a<{Iru7f&@5E!>;m9}{SDr%^j&oN%Mnt}B<`HNMA>y-fYu z=aRFwV@n$ZOBf`lH7Y%cDsa4=haXJaPm&qqW$8#|X5I3;DxH<}HY~e|>tpfMd2P4d5-s%e z5}`CE9h-&NH7B9Y!RVsO#}#dc_wC@UwENHOi;QW}k8WjnWhM23OMl_9iD2w9o3pyt z-}?thhT2%=O_o-POlx??5N~g(-jUQh+7O-YUwNiFmhYcyjr2L6{XWbbU%h7!=Q}{> zSz`wci8sM76KV{tdhibFrL$9KnskvkMVR-QrL^JvvQ&Er?v`xaJ_q7&S_3mP4Uc37 z9jEfIqVgGH5_uv^V<|O|nKIukejqQO;x|+|Q}eR8dSBmvOhPl`L@g$h-mDk)O7n|A z_ak0I(}dnfDF?Oc2iZ)^O%NRZ#nFrBz8dWD!@5LSa465Mg1JoTIiQIrcY7#xK%Xq0Ys3vOYBN*J?3brK@oAutjH&|Zzxq<#7lSl1 zD>*bT8uDiVf$ayLr*Or*WRR(Y1cvfh>sJ z2laW0{qrb(WA_Rl$2@HbhC`=cCc!^8YPFIU4`bmvQxHF-b2g~f)YUrIm#v$l1?M1j zxynfXI5m>6ADqks+eMqMFC~t>ORnp2$_-YsRl4aEO72*!&wXdANqS|EyQ~Yd(TA$q zwzE$X4})(us4D}8PKUhSBeEdHp<*HaXmL^RZ6CjN^g7`{VpH`FITte~n*~LRvgmGr zQct`tPAN2TZ3a&()iZTEH09uuU7w>(1cDhisqV)-8!ynfcJz)@T-?QbO9+TfbJbrj2 zmsgizH0ij4#=iPO`rGXz&xp0=K_W`t z3eQ`-Ek>3+Jks-Dl((Ipjd!t`{g;tUj%C$zRPAn>j{`4MA+R|1kCy261Q_RUUQZwE zwxv(>a-iV>RQ$`nT}!J`2QKkxCn|6iM*G6u-M4uj-A0}0|8@U&lQ_g$# zd1M=X)JGgwmBQ2|4S-)4wX!PS(SNU3^7&H7cBZMm``zT#kgcrghD%#C;e@wV`G@5_ z?u;{c&q|>Qc#mApfsz7u$E9zp^^G{ge=LBM`(pwfD(NzH=mg^gwdXZoNOOgw#BrNw(A{hwY5R6KwAu30;q**JS3f2XFzYiyrE3;x^|!7?fZQ5JtQ}Q z9e!JU^^D2#XHHO?q$lo0k0l>OS|}jW>RcLkxAXPZqsAlLyG8?OM?Ur|bu=TFrL5bI zVkSB(9~~OG(_!(;m$=!bw~c(!B2=V3*u>ekWj6mtlP7q{vljR3mpP=vv?=MVlHG;t zU{a{G7}Qo@c>R(>;M)Bx+Z%o$oF+jyxDLOV9sDrA6KE?xM4H~*_4A*LqQ^$zu@k%; zSm*ep-;Ohzq@b7kntQWXhpu=b$m~+V5{_}y0BL4%fvF2RYK@Iu_gT|}9afTeHAOM? zcj{ddTnHuTdaPJIZTJZX>6ddG?NHl7----pWTETH7G$5J<3-y~USB~t&X<&T@9vHk z+|-)X-;_59%(i;=jA#I+wZ7f({UYi1ufm(!s+toEbAWq*7uKW zzkw}m>dQ`#=U#Iuk)-g0JeMHx`uq?!38|xc*O9G)@XFDld5O_m25~;z6B}4DxVfLu z#3)aV7Bye`zRv^ibCpn=K(UsuF|SVpl5S-3sq}D$c1dm_upUD zE>*RMZkT;{2TqZg6u+{I;Ib=ibx&p~P*twaG^Jvc>&O|Q1vKy5FGcPT_ZH@EIbWTf zUT@#IpYb)GxUlhY7|hWmk*i)b7++si1|ndw`X?pB$!*XZ8dw7wBFfT=+=M=j`ZoIb#sB? zOnf&es<{GIw1H$8xH6}< z&PQZ$p_ctg z#pVU|jr_3c5w|&<(2w4E@Qs<_u&wn1&l!wed`Au!qvD3MxY(l0(g8DsryEL+j#-;R zj%>uS%w{N8GHm(PE(>f|6a10x-R|>17HBbaUT>Q6yKUOKDnH_bRXUNHE0I!J414(~ zn=6`cfGMLLME$@kb&CLVHj=irJrlQ5@O!ar)?|w_Tt$(8(dvv&bhq6NWXu9NdaLPk z?#JsmwFh6TrzTXqnd8M=j9X>c&u!Lwz9(FG_{oomZA-?)FMa;fhz(uWE6ioN7fE({ zWx91Q!B^DL;q4J)B^kGrWlDYW;q5reTziS^hpLRHc%N6@JU^BoV1q9j!NohKd}0iq zx=#gNVlDLKFz=L~2A|hFFHh^@vPu3tFI$rk;&Goj@oY_sG8k*HU7i6hP5|liDzvy(dAxnbPMWayZnRcL}WbklpNKSA3DKV?KWuyDV5gWKeMcJoZn)rGWl zpA)KZMsSCW9cgnyxa!Yi1{yG)?JYgQ?!ca$%Jf|>S|Fkk~{qsy? z{mv4k1>2`+(Zp|XJ!oCnB!H)FgjA9=mbZt$ciB3UTMgXo5W$yvI6QSeJVSS~*q?#9XzJn@grgSgYZu5CKwYo`nEOw#2*1bsWZ^}&DK|3u=y4^ACHAJ7vKk;PM;&>diJtma<0AQFr?}AZiWZumdRrZazzlm< zz%{Be~4V24C-iz35H@r4#On zcDkb8VDmu26IIW?LxrZ_)W7C4J`$;}vD`uNP}59-(M-)L7_`OE#CTjMFkew|p{2d) zv02L=@HouB*yCl^_5I>ON+b^NB%BMd;r3 z3X3S`EiaAK;c);R*Bi+t6ZZP1Dp2hoqNc#x)1+l9LwRXO!YO8CZJuBneRmhFv|DcX` z9=P#ghjH7hfRRP)uyI;f>S>G7J>^nmrb>wh4<-Eh0`;r}q-)f|rq_x<@Fw;R|H;}V z2TMjh-fiIpf6tNl9A`?%i)DLjmdQNKl3>(o|Da*KXa3HC#ncndco9t_sAI@(Z?1+i z6K&oPJSS(tt9;zVxwOVAc0JA>G<-O`gK_%a<>-d*azJItkBZxLcfsL{dPt=baScO} zT=s1uV!6z6ldep+&QZuk!`nICo$_xbR=ne%q=kQ+P%bjnD|^&u(7fptz-``e?QeX) zTArNoz9Fehp*?6pl}zH@wcN|E z{mf>h9AC!ohY1;HJ@S`ClRh7so&B`2!kO_IXV9TETEuj3B#$++a3y@BEmH+bvcVo-Yrt^CXj0SzE+v1rUNI0@?@>oDl|7)}* z>?GnOaBD7b*ezgO_M~OSJOj^a{B<$BcbbXCJqqt>{>%=noBraDx-fXSPI=v45>8obQ9YjW zs9(i(KN4Zs57D4czj{;dQ;i(B(>ekxsz~n)%|3>-V*INsu8E19V*W%bYZ7*Vvq)&i zci@R>nOqd-$~KaZ&dG0)qmCMuahzbtU)>mIv>3j-nPChuSQYYxci(h;EQ4i*z=WPK z)~}>dKHcyq9nO=6{1BT|^VnJRNwsfI55nr{iBg)EIUeNltAP?;b#Q&%c=ouFA`ROh z=D^(o%okLd?q5)LRxH$iTB6-u$u3{yZe@n_Fn?TU!ijG6$%sxzVbG@{YBMK~j>4}SPYa{Y`nkhcpVHBfn3{AmPkGS~ zAL>;E{GC>$0aYnH3-@$Nlo(5HDaChq6Ld*9?}0`AGQq);mVvJ>J?n7CPy>HHxnJ4W z;iU>HM*~Saz~$n|Ql4RuDa}(2#;sO%KaAsr2^R{sc;1{6BvAapm%SzYOn#yXKO^H~VzWcuuZ9gj zR_4O2C>3qISEGsWxnh*=lo392ihVy`GCoAzad)bxpqaEjVh9)dO ze_5Of1uJew44>w2{`gAaB}DvjC9oG>hGoUtl#VXp$;&Yj#kE^~s%p_?&>Mg_S9CUF zDra{<&PoZ8j7}?BfUx23{58LsmI_L1FJ^d^>b!BWI^}v&h|sGW&fs`7!~b4dH0BA6 zG-)PKS3j__$_OnUHSGSo7u_rAHdbTNmD^^J_FN=3v9;LM?-PzIp)qD2ydk%N_9FSwrdpXD^mMwyZi6uIn5NZrg#;Xb=7JXb z1tc&gCob+rCQn*kLP`1V>IxrM=C{L?Y_Yy+kY{jt#COl$Egv0j-gI6szNBb_K`xP> z%VW#iE<;Y1fp32ZA6v0F@rA!uZj58vt88F#$@N^-ISWO+;qMNgwr#4`6L6@)pkqjG ze%q{gI+QozbZ|xO$*h+zx;ZmDqe)@|0h3Hr-qAV>yQSe|dVJPUOOd#?hPt2LZ9DAX zmv4#p^@7JXk&+UeHP<*7n-!FLj#yIbrn3!e zNJX85UB85gL+=Z2fF#aV?8{k74|zIH^RUv^D<%W%J*44`CK37iC>2!58b@82neYyn zqRK0e?|MfP)9xM?8q7cav-Jer%tXjyM#%aqt%TJvQ*;9Q)f!pNz=%rFS3m>vwp6mL z*=C1}can$q>md)CnPf(7mEekpHD)ptaoJI&+VP}?xFvLSx4*HbLQrgei$>>M70fbm ze|gAQTfpHNcFVDK!=o^)a*&2Xo?Ny?$wHgnf%?1^mn2`YRnlp~+Cqq_=8!Ha_RXzx zy{zbSO8<RjgcG_Go@!RJKrHEfnk-P3sKIL=Q z_BWIikfugYl8t~cT~PNt(n?UyAgYKY0)OUERJ|-s4q}QD=p60CMgvi31(QYbuH$DL zAdL*S9l%ZMkoz3q>}FA8j$l2DBpNNB(&XTT>q+JTvCWqUv0sGFrn487j~oB zQipCoMY@_T*sAtnnr5MP+%hArv!I34& z$L&s*Aw)V6ThU2!V+%6*k}m*;5;v(B1~ZFlWY1&km#ohDzjuSHjnZeoGg~g!r(`Z# z5awU|LaOjYH0A(Jt28R|_neJ0QlSr>t8T`R_cA7uMZG~5*oe?+#k+M1E2eDFMZYh7 zYeR?v*)4{%mwgpqW6$$wJhjs@w=j|obPj?DL<|+zbnVXYz(kN^+kEj58-!00RL)A% zJ6lh}^7~6pglmu zM=0|Qui0?B1g};n>T7=YH`zCRLP`f777eG9ocKtPTzX+3_cee0)s^UgNV1#K?fQD| zC*xvs4udOs!d}WzttaP3)ZJQ6W?U?Uf8L^dauvq$L9+q zzxbYby218OgR>wZ!JR3+{2Szms(58`Yf zg6HYowY{f#!!+q7-_{fBb&4atUQOEsGA=kMXRdK2DN^r)^PyOJrWW;j$|k9J>)&qG z19P6^HR<9`pa0Qf)g=92x2yJ<82Gufs=e)#8^PgPuAX7e_3v5CTWAV0-uJw@=ND@? z5VL*R7CGi9sB;rh=3HwE5;p1`#-XhxP;clAikyn*X=5@{Q= zXYTGEZ29GlLhOcxo=`yU$QV*VrTsIjs+LWm;O`J+s6FkK40*X~ofF}Q=3DFIg&Ain z+Vu@GYj)x--Z*|oN9v!OTD4vs?AN^0&-9Pv-lgK%HlBJlm3a1h3SgFU#j4q|CMnEO(i!tC+9H_9pB6XikP6R}?kqW6LzLIXZogjoWvN z`0W%hq2OI!e*)sukfwe9Gk>+(i}EU`f4a=of}H#uZkcQmlSuGg7g$!6ZxB{z-Et}*odNTxp-)$*{& zM;qQ(61(q_j>>kD@{5!S7Hb1NSsb= zcN**9^@EmFkD>{!$eRJL-z0jU@jIKpaaGwXJdG+H=cqV0X}XWeZG2U9oE5W@d|V=P z%Z4U;b&-5lmzF|IVe!ISQq|_2(%lo?fKN|YatA*S;7mzLe1J6*JY$;SFV8W*FZ0>e z8%>yJdf(QomhOE7wm}F5jR{LGH6v!<%roDa!0lppwSF|)$#jGc$c2vBa`HUSeRQ=xL>Fe93TlIbL zWqfaUFPNU8hn#PsJio<)2Zf!qsA~mrDEMu$c|_|Y34&Li);}m+JmfM3MR%gg?Ue^% z4KVs#1Mfs!c*`n}pjhv6bUviQ{++-)>Y@+k)T3G3Va>WlkM!bY969yTLue4GM5Vo+ zMLltG({^SOl*>4|zo(alprVafS3 zJj-g%K18LO&0lTq&?L`X@wOWgWtp;-%CCsk5BV)I*-QDzqU5+z3V4zuX8oH+WaKlF z(=8R`U`F-}H}#hnhv=r7OyN7ZII^FE8jW%;1vZ?m_N4oq;-@afxyYL6Tq9zQ@~w_l z8p$)~h1-o>C-_P8$D-g{-!-jDeve^T5Z&4hGZ7*Y4O?ko2cHe4-jClRX2u#3x~GJK zutzK=NvH18lon>b3!hnpFC1dQbn5!^*qaEH%O!j?D8LDBW>*(NSI1T6iItIV1{OF+ zNLQuyUavR^fdVaZ$P+>%y#*U^N$$->f@c)sX4Ad%DFimeww-CB_WR(S2z2CyF@L** zVT;7UoiRQG#HEkJCn*k1I{rRlW3B23Le-8Dd|=sG8JW;li&P7w*2r}C-UKb{=9Ojf z;1(wbhyg_Zj@hX#hi`h6yEm$0&Bscf|1|7put4XIzF77Zca(UE`?Dk?tnLcU>lviM zs|+pE!BHmx*<9oTlS}DiIp?u7;S_Q7Ox?Giv?b-aBT16dUTrRx)!%%iBXl{mYhv?B z88m5MkM{MR`zo`I9`Sj4E7#B#KgT`hw|)LVSSHaLRk_23Xc{IIe2D?HT^zR%HoeTu z5XJk2uYVYwk$an_F~PnxDb4XtpR{_v@Pd#}YFaZ;sDFA-aI@8|4v!D)a5op>m}NQQ zVdd86X|s{EI(RZ3i(?}!N*pX>O(%O-#QuOZ;>7_ zEG3{I>ze}DR&`?%oa&S%Z{f|Y40qddkAQ4)<4D%FL(n(|t*{S_l%{0*T4%XM z71N0rRaimY|3Y`0i*OO`(a#}*r3}>J3^KxxRz5Nnv1)h zP58ddJr`E=<+2VH^|AeQ+Z6_Kky-rAtxIo3%GhHq%sXnQ0v}&w#yM4@z<9_=C?Mv3 zjNhp>Ji^vPT*22g172p7f=&AB3%Vw}&2dq4UK_KzGAaj?)yBAs&hzLT`)|9q!IEi( z-73@O0iOgL&WakE*iNumKdc*~6?`!3WysRk=1d6cKZqi>(&~rLvQ0W1S%aD{9zP*_ z^n~mM#S@te*e+>=TTy~l(Au;cBXjE&YEs=y z)1CVaAmAX!v5~erYLdA31zqYIq#AqMKbFVb&(`1)l!bU&iz4|5RR_D$x$Ba~Y{RfF z%m7!h@+y8gOQ1@srO;@~f}pJDF}l+!OlY?fWcyZGgK*p@3Nme!an?CZ#`2^=ml@iw!up($owlqh@t#<)MRgWm=;>&- zfAiV1vF&>^`pB1(-bGc1M544786%dTiSn_uQStZ;t~8Oysh!Ejx1-}e*RhcQEV_4y zn7Gx%KX^r2xHu$f0RSB_yuZsFvpNf$K<(OH@!AZ4ipW~OclffQS~$kc6x53Hmt}V9 zY-7--mkD{~%>pZdiwUWGgKg;P4`b$Q{NS5Ctu4-bhh22I&MsW$KPuQn;-%m?u#RE)Y2cdc;w_o|2c zS&`sjr1dHTD_xAurcGV?y|t}M%~HrQ6p><{)9dd?B4OB4>Ypd8#O)VjhFK_{d+k)8 zWE>O#EeRj;#(en0MSuG4IGES*UXB4iZdZ=Z#N?KFwyqG?#l`3kf2Eeay;WjUs!8O z(=LEtUV34odo9iK;^#myK=gq^R0SlR!a|Gcp4oZ*DTgvE)!1467d!L-ol(QUtbfX5cPgH3!4$T;4`Ow82Vsy`X+)3i zPnQDMgX(U^JSXe6wY*yb@dt-V-k~;N)t0z{^*5w%(zP6zKbdnWkT6BW4I$}%U}ou5 zP`NvDkTwNXC-aZ7!tFU9S6EIVR3QQXI)zBUZ^L z$FSkgxxdN|aPA*w_#3GV4zi?*nDhNCuK^zqRdUA?xr`M#YAMj{Z03fF$)^nqnkR9+~P zJQ0vMToD%~)Xc1aPR_UdQjRKb!qi;@)1B}g-?&{QI?oqwIo^`6fL-ro?ef_XZcfBs z*M)Lzk`waxea}K8(PFU!oj&QJZS9bJtsin{2Qd~(v4}VMz58pb59LID`v0)^)BZ{@X+`h$_?g8+#Rkm~EcafMp5!ri9AR*YFoOzBy|DdDIoS;7)i+muHDY9J zY?s5Q*BHZL;SJ0)spepO$io5I5qy4L_ecUyvU(vH-kh>~i^%})PP&-<#Yb9}2Pvi% zHy5~@cl)W2*w^0a&EcsNEx(Co`6h+}6)3Asc?wn>Y3((sL)9VBFV`NX1l`vH#gi3R zs`j5YF2oIzh~X1O59ruv!Uk#?`X-5L7cUj%ePxHV1!s$3NtO1Ab4!HuS;HcU5ZXI4IjQeh)}TFJS~+qJMWr%Y=!=daRx;6t2gzJPOUc!|BOPp*$w0l*g*CW1H?y4YDatJdWNTt z2$%Ow=`s8M?+fL_z%65g9Y^Y+m*N%YKQ}XF(`;miJkmviVUC4UD&?x4i8@M!S{~DD zXIosuYy*{g6U%3BKl>O>r#`h=3>SqMep@EN0=)t0AU?k26DUJbgX!3WY9|!sPhS^m zkN)FNKkm2p|8+Qy0gf(xa`*8i3EKl;lK<#z)bGoh!)^>X*Nm}9&P{T--?oaT$SL9F zmsS*9aL4(4Fa$6@GAhqqG8)3cPx=E8&@c{Pe5eHVzH>7=R!gm2(%ucL80l3Jy^a9p z*PB$$G@sa;hN&Q1xCfyUQJJIps}t=q{UuDhi!WQ8@ml)0B$UVHGuiiyX$m?Fm$_d3 z*eDm5Y$l4XrYSmlKeVvKuH7ew)xFywAtX_JOC57;-tjATbGtxJf!&YIKwK)r89Gww zoVARqHRw>MH8kJcKdnF9{Gg`aW;g=>)W?Fc>|-~6W;DiPq@GH7p7qiMImIN95@nl7 zZodmA_2^L<yS=(isH+-D0}Y) zc*RqJ(uHuuh7UhzSWVgH_ALwgg3KA$8hPVgaKEBxsGasHzuo1epvq!XGYhPyscdl~IM@q)W<$E8a>awE^JWRo#*O1ZZD zG>L#iJ>r=m1)?p#cN;iaYFySVyX4Rx$N@{M_G-WSF~=x<#Y?ctc(PM2&r`cnliqA* zL*@5%Hxb88`^RxEJ+`yZ`S-aTY9vzc(4I2yCaMf?>KG&s^emi-IqSwIEjgLvZ29!r z1Wg1p60t-+?Do=Rq;2*GtQ7wm%z>Yh6q(XMjA2`IPGixmJo9;W8`KMyO$8svVRU0U zj_41}1Pm$`Gr2>f1DXqvF;;`Bb zc{8Nm`cd!5HEeGLSfPD}@_*m(k<{$zj6Pqm%PuKSv^X|3pGJy(-Y>V93H zQa8hWqh14>a$mX<6yVuOQ6bijUrI5>dOz=?U*5~?VSKHqDR{$Eb8p>bO_8PCo5n_c zfiP>y9gw2x)~MQNI##`+XoF^WC8|qJsm;Gq*i>C=RAIPD3fysiTmRrihU7Jc013y} zml^j1MB>UGu6OHoeGj|)jAza6CpKI(Ji9X=)j`c_Q!<;xSMxuAe*-2WJl+PG{*3-r zyzpooL>`cuM4lOR14|B?Fuiv?$|Kjhu`I@<+LleM*AStH0zJ^u51L-eJugeLMg*%io<9LhjhS?p)iVjsY9d4o{;?!3GausaS9wMFE#svaC4otU_E^HQ<~J z8xUgta!!i7B~loa>=Eybc;3GqPa@Er9jp7$E#B-+qYAAj+pAQ0j zUx{>OeiX!>&uAuA2PTjS*Oum3h^z(pv=`8*5iHyvDJ~K!((T?)qjPS?wtk$A!shTUwiq^!Ndx_tS<& zm7m>IUL7mflDGgyQ%T}k7ll$R?x+n!(-4L%K=S=U{4}Jy{qotE*paAlut+YT@>2Us zd)zGbWn`V(VZljk)>w|*e&bQQ;wh$%h^I`6c&62jLow;uP*dV&`-dSn7sC@0wi941N zeXH={x@c>}ETqUIlYdKd-!xSEUY!k(Qmo*Rl|CB`Hk0RISpKC*qq8u zVlm#l+WjGJD{QZx^|&2yGM^h))HBBBI$8wIs&yYy-G9s^{(Dq~^EK#;eIk~kb`{Wp zHeXyc7BQG{4p@_8;XAX@m))F%Y(DG$jd3JhC<*2~^$AmsnK_s1d~^7blBe3h2ygdc z!D8Yu|# zm%np)U4oTKR0mhgi=x`2v`?8Fp)Q~90??_DC%7bgf(^7L6f@?W#RsdCXvLQc9HEJL zFXtBpA!HVS*C$oJ6`(AOc^6&#^dsDHBTsJMD|~YYDp^xo&ygA$%J;BLw#hw?FQqZm zz|7QF8z)V#OX}4ZbBc-$d;i$%@8<2!IzY%9HSPzkD%1=5*!$rtk!N$vv7efFBW*(@ zrxK;~C%#p0Mrgswr*F@Bi|nj9oC!tg7ms$x2F-wC=jC{_Y3D9A1k446%-XHP`=#@j zGi4Cs!_&`FuELMR1;!a}p3VmM;n(D#M5$Jom}3Cqmg-Q3X=u38IBH@fTj=2~Pfabz zS9~`CNF|UukSZF=P%kuFSDhh1VSMY;;|>?JE4zL zke=fcc-EL7O($f2cLF_q{*qS-m>1D({lJWeT5?UU2P$>v2vMMKW||cGb8^#{!;eWI z?u*;ma5Ax&|MjTeK$;@tvHs+l8p1_U#tDaKvyQ}fLIrRM z6uey~y(XKgdR(jF>{@AT4GA+Y($J`O7^-Ll@qXjDrwn5{{`IloTtmfG=rJcB zflJ=e`*{yVpJOvkY}#`c_vNZcyW8%ElgAhLs+WjWUdpXNQ(J)uxX3xTQY8~&rJqOV z_ON}`MK>yJkgEbbcdJlQ6Fr;nDUzwb>wv$!D(VhVvG+@U#XfSIrHQHZGH>cwZN9|J zFX=@~6;9CgQvL3FPMlsODzgfA-U;}1?xvV+KGJRp~+p123c z#VD4RJM5ywd;pEWFePVwUhESTH2Jmb6HUPPes@}!WSm+}hL<$yh2Z3;7Nr7Vm2=UK zSdBF{PM=un3zmWD{hdU}4U_rEMK6f8qv4B$zqzm}eJ0NPT9o%G?WxmG(H<7I8{N~* zmG7ID1o`5A>=40G=H1LDS5viqpK_0+;byvo7Zfwq8TCE_0$&lAI`iy2=%QF}HUTFJ z>&mV^J@fQwWKyNJR5lsWc?&xwG?`&qR=j!}gaIAD6UQ}+x;fE8$K?c83v5V&TQ&it5qpKu7h&-|D>WvkttDB1tOLsAL7O|rU2=Ch$ zV%OY%8lkc8iwtlRk)6>7>b>YT+63ZHT1l{KXq>pbt`NSCKs)|^Wf>i$E@%g z_YQ+ORmtJLeu1dTO0kMntLXEDC5?^B$%rd#NV0&*GJ*KoisYJL5kx}I*7v69 z1HZI#vn$>}2ZMgK<0ACe>KPRnl@zxES4kCmIgn*|8E@~q5R#lWKp32HjbAblTSYKR zSeazvORxrP|6MVd@XNQm&*V-d`%iF9g5}Zaja}Vi&FC>KK6jhVJFARbap$CVkp-jh zO?0Az4p(c3oLK?Uavp27UQO1I7nw6`kAidu zgR;9m6W4lgFHB5&M}kw0Lk6~zS+YBx5`EgtKXhoZ6#dFbAZ;r^zutn%TtQ{+Y*I&3 z#bo6PfViXF;eD4cJldeIz-Alh7FXsyMxVN(6WH0vZeO0-4rEDhZOtfC;}sUe)cisn zAD3lT2DZI{yl`Ka#wyLX*Yuw6aMFJ72k^T;l5#gae|ReRoy_F? z6k)DVE7=?y4LhPX%^ckU$8O~$HI)nP#DT@lpR2sPBB#A~f@Z*H-sRGIHW}5L8ETHG z{tQbPKz?}~73Tq$v>51b&3h;c5HaD47WT@_i598>7J|-A;oDmYmfMuaO;pYijtQuc zeYQ-ma2<+wDYXUt6L)Uxiw3Ol99_u(yDGe>7PsWwvoUsfE8$++h7C3#fW`(0} zYI8&*+%vpVJjVIPvS(#mrustzIj`8Ip&fS1WA65NVDikauVBDdIi3v=JKwT-QxShk zlG8@V@9N8DjLb2W8vP{yk3H;CHsC}VTk<>3+s?)Dtt?#88P%RZ^~Q*OJ-8f16OlJ? znU;p+HoJMWO%S-@A=)s250ezX7_!}QW9Q$DccFxz^CAO(LBFm0hB8)!rW5fQu+C9d zrEQ@bU^@aupal^;6jqjjbimU{n%*&Jk5-63nQ8vi)*t^NfQ*<7_-G)Wc1@5xQk0B#|cy7Pmd-y_i z_W9%5H3^YKK@Y1c)8$B@!70(E!}k!N#!Wo_v+`jo;JUSnFUcWnPGQkpm$4BKLO{=9 zTEch|S3Un;zg#LYfhfvhhRmx8k4u2e9ic8wU&+zK#YX|7X0~#8^#V=E;KNe=j{}if zq+m)^(u3`2DaS-%GpE_Ua#^5#hB=%1n#!QAlyAw*vo|W>!I?gn&fzk>RDrCy(PLp> z@9!lq_+&k(Sw=#W1-0;4Q<+oDxNe=K*q@+PR3 zupdC%7~6M1j|Y2eG;Mid_3*B|zbCq<(zvsfftG@@;k-yguNVW3^Wk47ZL|O&2`VSA z3YDK7p+vQQ?i5;nDBvqR&2>D354GHEH2o1t=KP$TP{HRYlYGc=`vtKYV!*(xJIk2- zaMfl4C`$RBC092opk|jZQ~Yv4n^1O*X_JD_ub`IOa?PuQWCfKoTo}45t2%y4XosIK zzO+h1X`js{Fe_ui9e@fdy4iXXb@PIjZ0+QQ{u0yx=fG)o#>V|}kG;(+8&W1(}&%6M>u0?QDLS{`!l04CZr4H ziu~~bJ=VM?+_XgcH13feF2|nFr&YSvsoj;5jIsljMkS!y+BU#nSy6uyqkM_~WP9>Sl!Nz*_diynJIk8#AYXB#a>%&jBt=7zjKd#*}EI^FQnG4^a4{vzZwJ_743% zH>sz?xDwzur|zl5PPew?x#8Ia7+XvP&l@lUxQX8o#Ejee>jgGH>L(rmKHRoXS|NoV zbzx!kKA!176M7*5#QvN2QL!z8=#VA62W#P$=myNVZD`ux+5~VWo}!=d@FirtBMG|U z2*)A(`xx}6ZIeVhihF?VhsyhUiW*f88kGnJ>aPOS9`{n^u4lETdA$QtSEyT@uBnAY zI`%7~-I}GKGh8$=p*>hTc-OYT5kf?tBKF5wzldrc)4_sJbo%S_G2LJHAOzjHs|JlT z9M!*2*AyyoB>di@Dm4=0$fNDQ z`=I8C{m1Z5kL%+cs-aAw0F{l-4Or;09iF}wWb7&i$ck&9vP)ooPWR`Qu>VsvWg1=R zy*qR+pU&@dI{^xZZM;A=7{MO@>LDQfk92q=Q4V~z6!Hy??Glxyxt{T`U@RbFj)gS0 z#`}Yc*{fwr%nlNXTijvxKCzfZxgpV?)PI%vKoKmP0+UYsQ;;wm7o(5S|LjG|WvCWv z&W!$OSwn(_s6Z}iZht&qQ}B! zabKG`l_K1W8o;wCv+>%OOB_^#w)`Jmtzgava^lCZWj+Lcm!nI||HYTn-3=trRaN<= z*ujSr%;0}T60JF=&(Io|8T3W`-)x$XE8$nn>jWdh{HA~+qVq8!7m7dLqXnpZsh+{t z&o!R7m;nx|F!~#?=X~+wem3L(enK!{kF++UZSYk=oyy$HwVRMpME)*#kJJ3htd#|MeVd4gJ9|C;a&;edW3sYX5<=ltALX%h zyLn9WFKVLUd`v~{TzQh7YYDnW%n<`d0VJ`@-*EegL_%EK4|O{%N;U{$pt6wCk!ww% zD4~J68OvGP|A6qXz>+_k-wDIMoeZm&bQlBn1|9Q*%99wmFDACQ*>^wrQ59vm);zQ; zUwrsCk5arsyDSRjA(ML$@PtIdTh$~Rhwv{3%r3ym&MGb1lQxmaeuaaIi%Wg~(OWsdOzIb9MK_i9eVyT5sHh zC;M)Lh6TEW{k~BB8OZ<9N5bwg%D-v1&ZPF>UyA9kum-vhSQu|4I39e&#Qm?o|NZp8 zZDX`B+${ZJ8%rnOEGEBs8?adeaq#~IlK!%?OVIgYqA+2rh-Bn{DEz;l{LgK%EZQGX ziz;08pF!=PnFnAJqXv(`jjQ^15cl8I_}|+f&(Tr2D$)f16<7V$`x6ONN4UL=(vSb^ zp#SHgNo1S+na|@tAml#*%D-0UJsPSbCb~G{cmLAi|8>#+n_&io|5*&_iT{kT{%<5bl3sy?;3F&*uDRtNw4|o z_K#Nm2afzNFzK&H|G*Ix8UDd>{|)Z_H#+(M102y;ez1lo4v?qydpjYaoudNI+W^?J zP|XdHSs??OT~91&)y{T4HT{I!Kldi8t5+)24JA9HxY%Y&+TLo-%-$=c{IN{p*S^`U zcAWGGbI6_p<`EcubA#!7QF81ml$IYFy6oC%w`#re)1qnJg&@E%V>4#ed8JKKxc9Iz zrde9k1-GDL$j|@Pvv73-i4ce2!LU6CvAiH`!qKlFaTSIZ#|Qc=uHcKeJbWq?DyFR; z{68&Q5pxX?f!t#VsYNBJUO4r-iU9&sk+ubgAd$pS)UC5+o~%wn8kMG92P|4aEH3-oVmB!d;GD^+54K# ztkcyvyxMJ$VqrzABkz5RTVcW(tTnd4r;m-y7q-OzALr@`a?}ZLN;{OH@!w`r)R(H4 zj+X*S))$VG%w#h$^!2zBKa1a@trxIPAFBO#Dl~xNkK^PExt=qMI80WTzL0U&@!qL$ zQ#R_>ri5;<=`Wc;C-eoebEbFd)wY|~JDFU(3~K|e(=zIJa}VMzJ7()+%Uh243cov? zVcf2z35*1ih0CyP8ue*3T|vr*-aG;h-kFf-pD*4-ffJ?*4f0Fwy}gzk6U3b!^V3fE zdR!tGBuc0PE^e*zQ9;@Xsp7lm^Pcw|X#?A#iT?EW7dUqMRuuG>*5ihHJ>5M+Z;nBH z<0VMiyzMt{hh&2QbRWQ&z_82aU9TU$UhGy(}8b-($e}73d zw_*Q)fo~)dmq%|?^X=HkM!O9Savp=;WKEXiWIrHHd+GyveaJk)CNb4qGI5ZPy@gvb zNEoaznQ@or!Qcx#6~5XLNE-cFS&RYT=!v)>^K3mFF<)7|v+BRsvbW2wJg*RYXQg=I+$wLs$ro9&6JlS-&4h-u=^_tySdt^vlch$FvtP=Rkz`W*KHiR^0s~SnZw(6_Zd#A6`)RA`Jx7T8l|HDsAqj6~7RUm^(IkXQa5ko4 zn3wt~rD&V|j@`QHm>&@7A_pZcxO#V8HYd4C*xNg9knxsjZ zC&FhaYXMJoJXUXuOp6AUFMbTDCaL@WPO~;ZtNny`Jo8@gt$GKd1?nrb0N*i114I$T z7`jl<8BYI}6Zmzq7&XHdP6_f$XgLd${Fq5*^}EnMd)*)aIKK<`{+hTz_V#O^G5$;1 zo5*0@IUVb{L_1Hew7dDoUUi+kPlsGg7L7VBlpSbp0Xjvep?0>!>t{Ux^Lr*_yd9;0 zp`Q(DRPvK}4I+ICpBE?g6Nu+a0w@Pd2d0Xm;5BbR`h%M?!GJ}ooQJI-qDu~BYJK7m@&*eFPCA^--h9@I_+H_+ zSPnp(LrzEYH8+x!5(ChyDS?e3O@Y>djHdoDLn4t~`ltj>As_?JQzri=&Gg55_!(&Z zNwiQRh{qV2uH9`(nBU~M;Tf~dgwo3 {#Xf!G{A0L`h~i3EXOy zso`Q_Xl!&4B(>VAAlcAqba?o99Kf_?QG;gPvlZahR=%a8f$G3!a$)T+e z^*w0a$!HrL9Pp%Kd5sBFe+Q?l5&D9w*&HNwCG}WB2rq<9I~sd;?-+8=ZC4q8uMmQ~ zs5cMNbAEK=KrQ0OcW>7tFgSe71L}M{@Le;xj52x?d&OfDl7s~j`<+hK!jL)6Pv|9W z<2ZbtewPWf-(5O1%%p{#&=z7t{3`f3e@)V2M^1f>^7OM_?rv9TrKWky18NIn&@{(Z3#^AJZ>V=@5`*FVkhhd_#*REXygZn%A?Z=zL$M*_DKQb2Mk_r$R zslP9!e1}e)ue7Zl!kpY3P1AOpZ+uo&4+)3nUJi*o*`Dyr7;WQ3*%Q6!+xEM87wi@9 z;gjv-_wD=R*Vx!exU2vcRG+3)@pJ`s?B`*+=xkxOxUWpnDSHSCq?){3g!J8~7N ze%AVVD=JA8;^esc>ax|L()%k{VkLYRUp-WxWHEhsAd+jJWZ0HU1bA|>Kh0O1ZH?UNhtHVM;{i-W zH^rtHBBArimVh-ovQItnF(*Gz@8&#-YzBq<;wwuuP($Ap0SEDdg&~RnW_b@9q0L zs!6JDx>-ZH=Mai;o!BWoLi~{HB?s^tIWt@SeSQ$(yK-Pf=SUi9y*)$2_V8Ndl<4y6 zE0ko~CjlBlWXH3d$Th1!OqX3zW&SAfrFf~beA#>%Ap^TYd~1D<9{R%3&jYgKowU#U zN@f4U8MAhtry~*TTju&$DoT<;-ZG{Ng4ttH76#{*wZ6<)c&SLw%!Ss^vH~%#UWWt4 z=jib%!RF6%ba^m8oPU1BW|~4A&zWVr{4nmbt^ICD5Cz?Juob-Js+|93;iBbmjn$#j z$llfHr{wkvg3WiFQ8#YatyeB(X>?v4F6x982X*L2K81H5g`dUghnCOZ8f=%oYMFW8 z97Z;tDR8nOtY4a@8S(1@g^8gsx8Qv=>h2E^;=9!*?4$68wQuyGd@zmKemz69H!Dpk z)IQ-DpQanppW%tB0y@@Km*%f3R-7;3D2v-_6NA>TOB}4T#?89k z@8*khGE-5$5@DS^S^JlBu@ge(0mA*!1S;Et4o>2e^DA&cXGO0KeXJjrXRnW#^!=_K ztbYDfKGh8-aV@za@rhsDKVlXq4Djg4W0IlHtN2w1J}3G9On3!J;)ievo-4o>e`mP( z0;AVg2jml6&#{ImU1Cy5D=?Hb1T8q$I-eQp-;37btUb%V}0xQaS*RBBlZn0 zt?Y$&<0_81?acG=Cd;)WEhjmfX1~(w$nLc>xuZB9SeI zlMXyYw;%Y4{^NN2!r|Jgw1hwamH&V=%&+k6v)8R5+u9lyW4zMi;X7^~xc7@cqY-|) z$!RH6iq*6}?oDO*{X%ktqYhFq;&=H5A z?HD}uI?#h#APMz|Oyz~wrQ#ej$w%C`O2;@mH{{rhf8%AE(YdU} zy?mA1JIzwsanx}^H)+0OHHY)t$dej+&cS=Bb+s$zn?d2>ho#3)XFrDB8#c?V-Y=EZ z+b5k)CtdVTEe~b?foP*VNkz*prrOxwX)P94xjMDDEDlC;2k89jqQp+Ig+yVi%}1UY zKA;9qbl*dpKryg4XkgVK>5hpVE1%LMDeVP%pHSdN;n_&+y=eXy8^1_r^>kHgs6?x3 zPl{oCUT*p)Vt0IlkehPFSN<;Mf~&8UF_=A+X)ZpsVsgOh!tIl*=P^cV&P9AzTWRuk zOSxPEocN$E2NAg^%cMCQ(6plExB=IbvS!z{=3|rDtezdnh-h5F$Ta7)7lxnTiXqWh zyN7sfW{o*oR4YhW38nB-H<}hR(1(?hp(LxE3xKV$rS2@~ zyr8e3-@Yd+#05!0=?qxSgugM|e`M7)Fx@w`Tr~nNkv&0Rxx=Ud$5&T_iwQH$;|EI) zD!bHVX490>*P&Z}Z}NPWB+>yc(@^jMA$0}KEYEbAdwk5fbxc&w?-HWojHgkXtl)In z`SpGbf*}y%ce`lX31QTc7&%mNOJCfq;Svg3Lp~q0cb)i1<%BBn@_`65lHYw<1BvO< z%HUDRHMd_P4)Hi^Uj5qMVtM0!x=FpusZTKhjqk6Q^Ap%SSGo6`uOawkM*}(byv_9Z zW$Jv6nwjMl7Wm$hL%7F0OE|uT_Z3TVvz6ZOLW-w?8Il>jm5#aR%F1=v1v@OlEt2)G zVGmM0DT2dOMne-Eu?0y*42`hO;$%E4R$~^|m5j}$DzGz8W4d8#op#Hgz*Td<&xr`j zeRsaLU*c^Ni5*VNwg(}-1^e;v1tg5DFn6jE1O%i$1OaIMnqs`__YJn3Na@Vxt!Kc|5ll+{1>h!$b$(Y(A``OfHPbrn_8Nb)p1>_k4o*)b8eNXsDz08Rnsw^9%_?O(@eN0w%@n>6J)GC+ zA?)9vy7Q^$g8l@sA3yv4naWT7Aut`2s7HekzQo%bW} z`%AjY1`0Yn*G*74_;Qi}Y8!b>T6k$cUHOT;d^W|HdELx3bF<(>%kA0N(jke?a%ue6 z>R8&qK=0vmXPH56v6buJhR?!-K{^HZ({_5c&$FhTc%#-ZU@u+8df$L=v{>!UGaFm> zm6JWZ6Aem{<7xAEf)z@g6k;pN6gMfqjw(W&vIvDaD}J~geDOwH27Bgx|Ki{$G)}+r z2qlH)2_Fa&eFVa~QdQ_;KTmiW@6jm`*Q1!VE)l=M%9&EJGmL=Wh}* z)g(Wa2HT9OktAxgY-9uq%?5JaFGZexOJklNjhmy(B^Hs|q>`Uv@8rF45NQ_}JW)Mf zn#91fn$Vi%;~#0l1?A2L^&ceq5Tu(wwK=`s!8Pst7E+N&m*Pc5Jsp$0=;brV{SqQl zH8_Dq`sGQ#61pJpX`Tws3KpYeHgN!*IrEpax5&1d3u2rw0n}>$$Q4N_NRz=1+{1M6G(-7<3rAb9V)(v&D&ewzUPJ7OSsvzWhZHkrq%$c7bDptuAn6wY*2@w)wscR1L9j`j zCt+={X8}rVccuor4_~d~gz^W-?PhU_hKhLM+ju=-^SY6JKOBTB8i@MoaSc5Kw5N25 zur!;=fovyZ&UbgS%=;RyyTAuQ-0}jvLBETHH(iFxnl>jO%3XMJsRs>L%H^CFaAl5t z6WB8og8H|m?N`5l1B=KUDt!PEMQOE>W6ePH{k^WKcI`C@v?EaC^C?_;u?YF?a-Qps zm+hLjfQw@DGp`!fg3Eq_{+ED@uUH}8Y>L>xxS)>Y2lL>?eynG4H_}oVK4Z?VSs&x` zLHyBoK?@D&y_a?x(z1{(X5Tx9elh6;@Vg8;hRhl71*5Hvf1om_9#>t=U8|)Y z_!YD%63=C0H-rBg?{KVZ?`?UPfLD!VXv>vOa>mg?(8w?>1^#1nf%lSU4(Azzz|*LCr(-Xtz%PDduvO5l0J@(#NvLH zlnw@R99xJp>rVD@Na zA+*megop0ek?@HqTwPeTdiu7YIJzl9WVe0aj2(KV{3Bzea4)^RvDF7I>L4Qlu<35x zF2j+?EJ9oBx+AxD338TeLr&)QrD+SdQ4&6t-DM*)+Ai_h`O8l{d(>jR$}+DPOL1QLfjFCQ z<-Jz8$^2oiz5;!1ilPPA+g#E4JP+UGhX?_gpjw|BU8e%=C2r3W*xPKw`L zKxoX_>T!zLwkL-#w}tObLo&@OR@sZ&1w&Sk9WJ9i-kBjaYkap6cZ=oQTgt{eoA#GC z{DM)GjKL8zHHQb1WPzc`V}Gcr8|NEpHp12a9}7LJT`_NfX`Iu>166|%~- zxSAWte~U3Yb22r`DD>2SegkbyPh#p2ZRaiQHg5u-6>I$!#ZyEXKlPFl7P|{}@K_=q zC!jHf_**+XSNmDIrBV5TxaBVYJTGDeE?2ux_fTQ()w~l_R^J09HA~8nOsrZUPpU#!PXS45! zWL&}(dg)ih{KhxJ;S?a6$|@iC;GO+B2c?qUZDV}BYoPf&?zCLZK24`vMA_6 zhocfWoyVk`1ctQ6=!*6AbmT`}IC)0LN-oU~(vc%Khwv`-bA-|}{1=%lEdfzB8jFJy zk2WpR?edwk7f3~6FJf@bZg)m8Vv<;|CucltNA#80u1~@I<5gdob-qm5BYt8dEj^EI z-7#xxW{L)U2kld?gCYQjGG2UxhxJ!Ua+4lMrl|dYr0~FlZ}y1owP-=KBYQ^2-mrV(+c{_=)OW;b4j>lI zsb>J5;ykyAZE8SCgxEylGtoYWviX)m*!Bq^0s7j_Gex*!&|gp1A-xvGLaS@Qrlbt) zVNYh$vHrK(-aUnNbKXvyeFlq%pO=p`+-)DVRz+V&{+ox|M10R*k$fwT_CIqgP1-+) zntt_7T6^WYPv06VTNIMPCg=FM0Sf=YbdGhpDm!E3k)n5nNM0Yx4H6W`?R<|OoZsTg ze?}bbO-jb-4o=(MRvf0sX>>4&P~}-1TMz78_6DzJP|oOsn$8#&Gb%sqDPN`K%^4!H z81pI}54*6#oHj=dV22j=?i;FemG0`bC#+0M4Y8dEC%;gu&y$B=OTQSxy&mm^yovCZ-H2^GOMIW(3jVcldKRH+GG)%Z>zFj4mIV zv18ACzuUVqAJFLqY;PsshDSh78*W0AWn)>Ry^9euN9C{g+z|l3+;Hfeva6mUJHI$a z_%Bt?;3$9I*bbn>#bKi+?%yV&Wt6m>IRjgWWm>t1>`5eGVw@7lV8=PPo%ZkdtlLK2 zG%Z$`eBi&CRyc|iu@_^ei6TOrVLwSqD(as&TZica{fc0~0KfXlue=tN9tBS2UbG;b03(G zi-Sqhi8sv-6gd?A$>z6x@kiJc$@{tS7_I= zl5XWj2VYX`;5>5;Y+BA9DDtI3lZ!lJRUb=%S^%vRudPGzy+)&1v@ zZS%Nh*TDgj3Cm_i&hy&8+?cC<&F{sk2Y_RnxtR@nLmD5G>6!L+clTBeT}cajCd^uI zb9l_Ib8&;A3XBkmOelGc42f`Desx5_Bo^VDyjGHdRw5M^S&SGJT<755ic-Gdn88VQ zZlcWN58XaN0H0dQ3PbHE%|*S4DTn=^8F}EvW^d`mce-qc25vVRehHZ*$?uKeE#4&b za=cakXQWqKeIbmEPD5sqjw7obr^Rugpb}%G7eC&<`+eo=QgEZhNL-H~n+6ZFuW?Qo z@q0ZkhU4s(ldq;k&9-|6a{Vwhn{-&t$9>OTM@|Bfip;9dA5`BSINAI7txp2?%V3i? z4QKE7-$PkQyfR1}=X;HTUKS_-kus{h9{$^d=XXaVxuq`4quT0)kgwZkh`pas509|B zxyBj+5|7x|lgXM&xRH|;Lne=kuj80}X*e2MX7Jw7xJTavDZ|c(WW1Emtf=xtj7`8mXvhrr4Igei(ZjXcNX4GK11^7Wt>rK5x#fZfPvHtPy z!7`vY!3aWp^aJ4=l(b@_Fn52K(FT6a>8yWhx zisD+8`Z3>wI%pq!Z4GVJ)=-B!TjVpE^SAt=pfX&Q_?I@x(SKmgl9n)aV|+xlgpR{9 zzlLwm^-+gGR;q-%i5ES*XjXEaBSx!1xcir#>DmXhqvu+DWGInRt{q$?FZLJTI8pp= z4{FXOdF)L@*pXj(hl2tKNchZ*j?0!MT*bo5*Qxd1z*dy1d;6h#pWq%2cwiMXIJ9c@ zMA>s`($vWf38!m@b(`LNBVy1jxL&9(5vsAK$NcJ;k%KRM!*YtA2&nxQ^cYNiuH~ zmAm`$S8%Nwmx7FOK}$Hfvr4KQ_aAr)Q+UuUYjIdaY!p16|1 z)bqO0!BG^Sw-9t0aL7nB`WEKu$!7pf|78%1i5J#0FlRj`h*=OHk>;bn;8b#hpTh>Xe-QV`CiD+pp?Y&P`Y(TXqR%s zY1>)UosJ|JCsD~FOga^Re(P^6Kag@YVhP(D?JhL^f(cOy1seu!9uA1KwiFC2 z!yedzHlpM%1Ohl0h*oKPNkYi@f3f$TVNGRg7$_YP0Tn4qRTNZ8P?X**fCz$$^e#&8 zy@h~?j3A&QO`3{;NRt|R5QNZ?UPI^|LJ0|^-i^+TbLPyMIp^N{;}(DLJo^cI?Y+vk zzVH3kTJO6hrhRnk_^jboP%e~Gn;7qUT`GAD78j-NtjM|jGR}mkiN@m}qve)bo6d^G zAeomnY^+#DhVAQW5DQ^N=!nVrt*sKAEZ=PEt@R@}&@h zuRhM_mv(n{6drj(Dp6>?QZ(0F(p?{5YXb3Aw)Ve7xS ze3Kxpgz0IAhI<1MX6<9)9S`AewqQAYiK*cx)opqub{FBH%08uJS3hOw`14-MiPO8# zQ??()pC^k*HOy>U>|7z|)gpq&$2oUNQJJ1}U7sH+FjpV~Uuo=`saT*Hs5^m~&M=uT z`!!mJzIMl?jVhyLjC5w~m+8}o1CO@noAG1sAi|OoVn;-@iX)m+m)?&{*9a84Dqa&820;Z|ct6e)H^_Q2sf>I`mEHDvD z`Dfb96U#ioLW-+v92jIPIg3X;6o2m6O^U5^{Lw`b9HvOC2W4!LUHfYrMQl;G1Q)dS z$NghX50!&?V`X2RFLKwKGq>ZG<{eI9O}(V*&>OF4#D&tMwi4wmA?%bbZk((Jol!yy z)bHtcGIe6aHyiaT7?l?$`4tbuN^?Jk!>86MlJ!f1SJtJMjMlrfGLBVVZhu_06ir`f zf_#SMr3+u*@GV4n4*PMVjtQ2wq}TBDJ2&9>s+rA9SVGqDnBTD@;0o zOqUbCBh#N~vz+D8CXJ!#RQi~iMw7&$ zsn2FL@zHL1&GhOW!RH>4+q~IF{ByVO5eUAYsyGSWDb8h{Z0(jc9%qum zN-ClW-g?OMoe{^a&zp5Hned4QG)!7UC^mxqeIZI_=L!QR0X;PkNB=9bTk@=u66+=a zlgSTvEaO4CNSAa^e97Ek##elA!}w5W_&nD=1xXoveb3cs7w&u7Hz zt8R0qw9^@uEVnB#mgqPqSi9YzV^0t(ga_#QsI0uQfh+h)!U&V-9vt3!xP|Xk@#l`y zphn) z;OK^D{K7*}+#`nA>44M97Fx6oidJh;B=GKZaCzz$< z!&q;$s&Ka++L*eSBtElhKNnP2O*XDPfibO&l<9RUTWp;ft7X(YADt*1}JN!ELTD1*Pb!5K@}{oGzIXqZsoC^0onCSPzM_HpJbA zqmAaX*2O&Wb#l~qFVa;FCmY(4^<17^8t)W^C|=q*i=J_};^JVRi4%WPg*}~a?<+aB zw`5rpusu3?VOgBF#=rKXi`*N;Y_sFbDo#w|gyrUjTaDkthm#dro|fm#V6_RI&*Tr5 zdrL&TeAtjU4Fs5AC2asQ$`5#BO~QybSub~0GCUkR%V_KK@JQi;$>e(voSOVw)G(Kh zL8b2NW5sYNcu!jL+!|lJL2lOzKE?5;`p6Fvb_a>L$dh!dX2?lZyL_|q{pHVFx>2z` zF`gXE)T$oa*i?jg`t&)HDXC#ByP{mjU|`#(r;kq|=3UGaFEHA~lSJ5CG{Nq@fw82k zp-7X6ML$n5|2c_5)rD|TIa?l^4bpZtN)@HZSc&^0+>;A)4ccJ8N=jD%vnwdIVJjC+ z&Z71_LOD=DTWETgjIQuI=-&216%dQz&PLfGGI}p2U8OsSd-*NaXPxz=c{=CIB0i-k zUeYJl<<-o^vhJFc(<_kGc&y=Bmwr(jUtUSK`#cMSTk`J}+VnSMhaC9SoX$X>Wz!ru ze1j&9yl97BZCtO*tyT(>S%tsUehm)f#bkFkl0XOX>+9w|FdL+o;}qFO=&M3JYOwLe zZ(0CK+RSqc4K5!o;hQDxPcE|@J+QNV3HZ_j<~E-KUoD~aB&>uk->L(fPG~ZZPI@=e zq(sa~ckm9q<-A7Q?-SeP5NP~umDRCkYM4Ld2;g#5m5W<|b<`nWPd-IPt2+7~xYC}z z04xsPo|4JMx)^=N2mYaY<{ZK;&cjmEZ+LRguq^p&rB-uWdU#C=Bhdl8+HCZh;N0S7 z6|_><`qIJXmOX6ODF=ue!GDYzzAvcWqWrnJ4qxn9Yv*k;s%<$mg3&x^Ym;r3Pxaj4 zrIsm$d*{{-tzZgDDxi<}m4lUG!4$JWtf>9#-+%n~i+aMr1Ih)4Sl}U4H-8j=LrVpu zthd#RZ~R?h;Biq5Kyh_Zib}yZv)^C5{|+O5eu_%kxYLn8e)?9aKfnKLB2dZK{r~@c zxfk_wm+^`_EuW?8Hls3zTJdJvi;}-&jb7{JjP*{a!F=!j`78V~6M_$KMTfWI=Z5Cy zUJmiv=l~mKj)S>(kNm^-LSf1><}-*zJ1io zA2&*hJ#-F-&JHU0oIi5x9~^c^^?ukE1sv?3T&@M0VwQYl zt(I83xTGC)5jS8?-dXHhP#V0kM8hxD;3)7wq&c? zsr*Byia!D#d*t~O(Nh$DiP7CZfLO_{0z%YNyU;pzY6RK8WH{?I;< zG)($;C}_hGJT6R7Bio~eVVIR38?(Kfr2VPw+(pN>atX;FR92*Hf&aq*xqjS#r2D~tv-(Rs!Q8|+ z@?{*d4h_vnKkjzw0cDG*?e%{^FqRrmW+p_0LwQ~Ig%A9w{5 zvN;}1h+TkOsM>%kaS%IBzkt_{9u3YL(TY{x!_P=d+$!_H`Q1TgyVys4AC7uQ#$Dp2 zv7KB`8ZDiA()6Xv`H}k;Z+)xY&3(}Rp5K9vXk|b0CE)utVy)w}{16+TBBT2aJ|M`{ z8iUSF)gO^j*_fv5G{xSyMh~)PgR94!oRpr|xv`{8G+Fa9p#0tL{=)^QE&!lE+yzb- z1l>4v)XyOoacHE;FF`vTN`CfN0Y4Je8}auRs%$|6%uWG*CgbZATjD(F zKQe?wrjWja%A_UW8YN?MeMp#z`El>VTwIRll-{<>^#18+(+Pf`qj?}1r)O{azuV)nQzLdSn2s8 z=t5Q47Oqe&eQzXPwy&5`Sy9JK_&3x0t7!??Ovp>X&mC>40MYWt2wVI8sO1_frx3;7 z#27MiA`)`Se^1{mMvSo4-lKi#wh3hm6aN^^e;AtI=D>Ske(FTDrU4mI$E`mkL{3LJ z6)0pPWa%NiD(S%bNoLGt{i~EMorYsa|KW+(UjY6i|1Sb)3dJnP9d61N&{c%w--iov z*f&R1`)`g2=mqwBFGY_2R{Ov1E@i9z;&&PU&FLHfqUo8|Q~%I_OM*a#FIe{T<-fWC z+mN5#{?p)oPPKoHBR`$YPxt!WB7hw3XJGjONq(Tb9~0*P0U>qAkd9x8NFpvGSTYt( z(DD(AIQLT5se!3VFy>O#b~@@h7DjeP6E?(`A3rFp!Gzf^MKuA8&c@hi!cutmJ3M*E z5>3chc;~_Qgeh>V%yvrRnjUYwAI^p)qZZf}@`3msRtO-;%lfPbqT7(Z3OK?7$2)x` zKj+z7EXErnEbD44kYjm@CsevaM;u^9hf`U)wP#$${e4MjOV0&uZ{P{X0vnK(+aQ%f z((*zEC~$osgK#S)+hT7W>yuH9=l1~+b_5Xcj&vsH z7OI%{WV8N|)3#)y=LQHT8vNIFj10}E9 zWVnEpusvZ>iyI{O125Of0lT%xn7Ta{lHV(kieFBXuyM~k%q-%`WATJobZyYC8Zuh3 z8lB&OU%|3uAS-Xjf@XELaT{suWEfDIf!y7PCA z{BEAsS0_he(o`0@!;j4AybiuEc>CD&b;`B*>!%q1E$TJ19}bq6G`#RRhn`<4fD^oe z0!!k&64E>_5jBC};fnxs8St z=3TzV9{=n@Prgf_JPjX>{+dNQi3}tQ* zElDOCp$A~wTY;RHZnuR)2ngHl_39qDInlk;e`%Y^u}84^=wc8HX`{LaMV_+u#4CA0 z97L{1x&&UpjVhT&*Ws{cTn@VIil!kzX?zbf2%D}3?L)Rl_KbGAs0fqs3qrdJGX4`Z z{4vg6uQlpE;1oMAYW7uqKPYv}>89C%(^Pcq&La3>dyvt_Q>CqJl-$a@F#zm-~(vGO_9s`U+Jv-kQs)M)8Ey;LVZI z&d4gBbrLioAJwb>4!PItUb@RQz_hXG9D)pxtJ;S9ypxMzZa{EdQxp?QTn3h049{gB50)2i!Jdtw29_^8h5U&&uvfIdFo||w zE#00lLpNzNn|?qwhC|T#;*A@@6vL6g3G21{6kB~tBx`h=68D*7Qe*wr2RKQ~(v*$V z)Q@9^423BCUiw#%U0~d`Bv5$gPD)&v+}CQ4!^>~|H6>vdzJN6ks+m2-p+O=l8inJ` zly@?lGQ@Q-c+0F+ZEhHORlAO-7Tq+x`gQKu$cn=qA+wyzTwdj3z~Y^4e*L!V$qsm9 zm^k&puaLKm!L+ps2K*_DwL73|{3||HLgWTyldDt+G#4f4S`$o`65GhA?iqq$7<=m5 ztHlb`=v|0f=;D#`69umqddA4hj6Dg$Vv2HYEnHl87L>%&M_i5rS+Twk`uYHf&owLhPcY%8bJD*w|jEG zMg^qW?n$X05@hn*y~!D{_~Zi12{;%BM>1P=)Vg(=@U5;L4kpYwQ@H1Vhy-mI7nq>zH0Mc+P0r&y&mo0r?Yig`P2(8$|LVjibzX-kReH;XWBI#6gaC zNDUBG{#j?gmoJ<@ZG5e!KJ25s(OrKblBawc?Q?+vR8c{gxtVPw z!l&R^U%m-40-MhLB^ApHH`b5G0e4%W1HE`1n=GS|bzZaEY;*#H{gAKw#ON!8VYVdYo%s2S9dGL;Waa zi0-_rVHye-XELlhxCY?8eaMQ-(Sl!}0?a+zCHq~bZC9lU7z{Ys-4>n7sPC<2oSLb1 z%Yv-BE;ZX!=8L+6h0X=l?9JcD1biTHt@M}k!pX$$bgdnjj>z)8yk(Uk>^=UJ`-0z% zDdJYc#{(&^ffK$tcZ}|Y1!D$OTBA^=CQpZ49KWm#4Kb1nOig336S)+5fesBpt zg2x)hY<$Uc8tx-C(_})n3+SJE#DbZbGpqWz+0upBS(PG%mF-T3=7|T?77b?RHf;_x zh9}#-9#~1_)7ij4fI5$^gu`{9Kk}!x%wRj!t zBZ%5r*PKq1I(F1J;|inI2;K+U>%SW9@>q`ia7AudYb8T2D`;)dy9T@A)&igLMde3b ztv0OIIl+V`JZ_v>iDXe zYp~E9I4REqPw&iremDI|u($V#h(1`fEw043N=CkOa%R0sYsQ7F=SOjgQL~N8Ntnv~ z+TkT!nB&Mt{;YhB%x+L#_`M9m939kyI$mw81;%?gc$~=C z<3>2kbwh07;Ypi2mtDcVbb|Tejr2sn(F*fJ!4tKw8K22)8AoFSs29Sq8cWFGmgU7B zJ?A&&#tCnEX6eRfSTH!MSAE4k-i*|hriEAE_;7v_rT;8ywlg#J-h0}EN<#Gc7+lOu zlve)HV&W(RgB}J-!j7Hd$cscOsPEMwlp@*w+dh4@xF0^t>7r-Yc zHdQ#|%1G{&terhg4q*J7RAGR@bQ>fUZ@|d^;BvJdDO+^&+nK-YeA8Bz zkb+=Tnzw5_z+=>w;>zHWx#3|@t2vBY~80S38!7YyGu%!;1FMr?!t!7s&-| zZiTHs=3=v9ziOIg)xjZkFgDH;er535Cx0(V?~*s(Yguce&azwSV}&&z+(MUvpGQit z0e>HTpK|H9e%>PGuG0c<1H(drrj zNq}v5uazl~OU3|1fxlUv=87*#g<##$ouD9vWkiZXVEM5%K4+D})OPkrcPO{U1QYP# z;2}~^ZfpDE2pJ#HqmfRw##L3P)qY9~Blx?g&!;OAGF(*CO>wnAAY-*I-HNR4NeGe) z0992Scjh7wEE~TEbG~G*2ph|X5MC@gkhQCTiQjBi>UHk1aXOl#jnL^DP$xnk*)xc6 z9jobvoWo8`8e^G^iSKtd2;I(MxOQZ`h0G|~Lcm|t9Ao42Zpa*Ww?Hw&c6-VaKuT_6 zRd^sEf~U;c$L=JGo;C`UnZ-1^$~DCBAfv@w0}eci7z|peh)xHS_0YXngU0TZ?wpN| zS7demYT!2ZdA8(%DR@i_Q6+BJ1?=T)pWN7BsXGeBK&z#c^M_-?e75m%oobeRn52o% zvwMAuBrG!OownF@#;IBxr3yYoWi}N8jouiR7Woit9c#Zx>!Kti$YYY?yH+TAy%O?IQ2^qcf3f zydxYLsiFCcB|b2=+Fpe&X1RDRt1H&>+9OyC(d90#0R?UjQiIb2*iMoDJC|^&1eY~6 zF7j+y1Kcbns(xFE2?hv#;^p;(!{)N?xX#-PBqx1i@d-pVsUCQC4v5TxiB0gMU+er$`0BWDd@#>` z@&^Kse7ya!hs0Dj9I-pYn7lg!x2kk`Tr^1@R$?b?C_UbM?BWS$)oZ9&ESs*d)#YtW zTo?lWd>U;|9+oyDnYbuVh6DSU5L|ohg?{m91jEemLZtAwgp3SRi0lGB_$N;H0-PAt zqxURBD0g>iZBZaykvAOVD76=;#fv017OKI}0|h~g*r3C>+C8^bhC{rh&qIyAcMXui zmxN6DSz+eVNJ~J{%BR-TfHeH23%n~*MHT{{s3f#ULv8#6-LI?Ii2*14!}1S96cYi{^5IqK9s;${bQE{AGM-+IUT z3^R3)N|VssanB6j?JIUk_aho|Q>9{DF4wtl`&y5~r4srKDPy)SyVA`z*hheFLRVJ` zvc&;ajU|%4C0)2xY~0L9oG`aw>gW3}{adVuZdfN5BtEpd!Hc(1i=GxCHyMxfB*;Z1 z6uQ9WpvA{e#9}kXMOZUtS2ow;?t@iNqB5jnNL8E6lvJYZE!MgbVotgV0;}!u{_tc% z5Psu|i#3uF;2jTKDZzo@0aKW~5s}PRMF~HXMJ2_3@@Zzt*6DUOK74e*fK2*JAGyu> zfhb=xab|T@2;Q$AovCy8-AH@0Wy*xY{T9S=%uB=PASb=<*-HW9pqlG=saUW^BBdxq z>X%D4mEd768y%3fvQ|+yq4iQfHi@J7Gt)N;b5UXIWAK!v3UX}&Kq931n>B%UGG=}r z3KQUaMYoY{HCHSyhEx*PZ>gRcpaGmb%bNH~cmk?IQqf^uYFnB}8aGg`7%p@#*>h`g zG%0cKnUV6a%3Rt)%~^kmVyB;QvnH#e)`d7CO4h9XK2*h8fI#$PO9r-8h?65J12LEa zA!2R>V2=kCMs}O0HhGR!&uC^~rb?3;>}`TxN;`LGo5EUN+S`Ec!uFhill&brQZtUi zDwJyli&F!HgYS`HCMi9wC*FdFsvWl4c6NL#Ipm%e% zM(b$cQM&1N`m&-ngHiPG&g}}(NjI>QqDa9dCP%ID2CJi&u)BH}CzEqm-a8@&9vhFJ zp@jIAkQNY=b&l0wFE-JpfH{xurF+;)r-X!7y`|%n`(Zux7n7<=r8n;f+VAni=oPv& zk3pqo;>_sZ*K`}z6(4b_EjwOl+Q!G)kgw!nJmDuXBBio9omu9)jnS(ChSRL})vA>K zG<=WvP|S%d4bVDZh|Y96Yc98)Shgun-B*9=J(N$+hdN3NA4=q^MG>EW4!aYd6APkj z@j^Fi$lWxJF7EI(PDNy@6`gpPWXFEu3^_wYqVr+LmNzHLq}!B}+c~_>4^<)H>$+ex zXR%&ZT^W79{8aaWes<2efXi(c%Ovj8N}LnFId=SE(%{T{t7^v0u7Jv3&3=w9oSfAT z-Xm81^h{D^3bzu^!=%7>r6!0Ay&G42YhOkui+wS^CiX@h-Mhf_6!j-G{N#j4x70VY z5;<|7dL8R8G1Q$nLm@+xh_Tky+>Qf`?-6X7W+98ZruB+tM}0EfZq~qy>Z%? z;qk~4;{~ykotXrZ{e=m!)Egbv6Rm4pO1>#+fhKjjM-GFBpYrLifg+EmE$c4@`FB_? z-Q%#QyO_XyUZp8`H_vveZ9>Z5smilK&bYaxkF5ox(DNLnflFN;G+pxPv71$+*s?nt zT^zmi0d>cHH2UGUL?yAT+_OB`_M}-=qG?OnuBwY<%hw^300$*S0zX>9MUc8KG}>;& zUqL{;u09ZqZN|QMmllkP!-cuQ39Xgu6_X8N6C@>*$L?$MT9WG5Ufb5k0%>x1Wh)0= zwD3Z+4WrOu`Uja@t|^*li~L+bX59$l;`?fBCJe6u4s~=qHEy}I9#li-$3yX5)-^cQ z^$I`Yt}`UGSV{sFUKATDM8Em@^A*DGXXhHfGnH?u$FiA9G#5fgg+$Qbby&ts{DghB zq@i`|oPIB3h}C18Mg?N;7*{f|$kODLkJ&1e@F;+sVk7V-H8pCbv_Kaur6ZA&>{cH4 zF4$WiypjtdYwfx79CcNeuE=xGsAl_(YcEVK4$tg`53$UeA(#gpdMo#&i1Sf0 z2%y4lfU8)5Xk%WdvYEC>`zTveh{YHb>Fd3=|g#M zO?U$gIM+AQM&@>Je1>1k`3wm^vTgjF;aYmU{0U{c?kl%Ri``(|L;iAH6M?Fpu1H57;zDsP>3jb%KT9c#mX=KNZHxEDhT#b zqQ_Lt8Itg?axD6t1q70rKR(VAnFwfYRMp8{r5uIcs7mLZF&M48TMmNLqaJWDiz3f@ zzph4xtO*+i4@sBEm1*C9?Vhq0z#dKmgn=B_lf!isvvwcrFKh#HEDF|H*}j{88!6!z z1#gMG+BvK2aBgCaXc9osa~qr~yE@rz33`(|?JV7TUg2n>fkhg?gceYj2AI%sU+3^+ zt;5b_D{@$!I<8^nF_9#~V!2u=zo$|hGF~N&C$_q`S~>6C_hav~GAXv*y8vji00hT9 z&1Sb;zJ!}rALe$tdsn_`vRG=$5F|M-p(U7=r@9`8iqSA37btz;%Vrj`dXlBdZuT}^ z@m}MJB?lo_ng+Ve4igwh^Ki~|X@B4ybQUV_ip`4AiD5cRNa*P}VA;z}(QLAzEJD#V zsCHmsrMI=!orr@2N9Z{5ieZrt7ocX@`LlbN=ViI>0et{qnrQ9@#Ec~A`4_0FqG2hF zo0!Z|rdq%yhQOP9j^ z#^za{m8vgU%NL}EW$hJ?70~4v*{s(#<&LaPmmKGgP4y-7yXx*?mgycZP$~#1zfqv7 z1TW!;SL7b$>F}C%Irk;4X?zSdF7D2#a7QMLd6TyD2_3C2d11LC+B0u1DCoZA)lrj= z*V68?Q2-{D(faTSU^PO@*}0i(id`vk4_n#U5r z?spGB)~Ua$?`Yp0B-F28sp(e`+_C;}c0%eD4L=`G^+!m?8Hb%40GxTR@FYo7wMu!> zF}gc;&h+CF$Je?oFHcv9&_s}p)C7dn8V{^-G-4ZhLK*^w#OAEeAM{a^+mv!GKq+X! zlveumHG^I}xCC9lQZgwR$*V9Q-`yM$V3la8I&OI-CluFfs8|heYVzH@k13RoMBhX< zWrdA*c0|t7ILkVC*J*P(hg9pVbls)jEE_k#ep1&i7vqBtgpF^h*Mdw&f8k>}@#Or_ zV{aYyO<6YA@f+vlWv&6zT!-AUT?YV0+s&yzFxossT{+hmNx(u#fQ!<&Og5{}gwiuP zfWMe(Jk*=?yc!IR8;kMK9PzQuDRxN(D=y00KZKEbtevm6hxv+*Z!TGURry*u?mJ3F zxt2#8cTXu2;GA#+pG<>}aU6(c8JD%^wbX0Ph<#D{xvB19v#r`bO&)n5L@E`(N3G(* zFEcLY{Y}0_=)tG^lSNv`w~d7lnefH=0q1INc<$N?)p}W641O(dR$X}n#6f4!$S`?? zIX)aKY#qfMT1+3ZzR~Jj^RoZi`h_HLsRvY=RqxnNx@Q;i6iT{~*gmTuFQjbogw`E; zpGV&KPC?^s8EW?(#fxJJV)u{}5>P(SDh!E?(f7bZXNdjNJ)+jt_|N6!OnCnh0Nj8a zR<`&?C(0;&qzo!*cni(fJ5PDJWq1y_tlS)Zc_b zAYH`Xhm@T0EyRWPRJE!1HtU0h0;a>azmcS;D)im1+{ac_rd5CSd#}9YUN=UNP2{fQ z&^nE5S;zI2rRSmg)giH-aC<#Q9}8*9rBK(a_}|1?P7-SxMoW{a!a4kapi=W>!R8DQ zRN_`W3-p1Y0{R|Qlr_c>v1^C9N^e(uy$I=fxD|MEdE#WY!TrJmny0^xv`?oWD`pZKoWE)mL#;TniWSU&5-nPZ=K{k;~PTD_? z)JfSAMhTrsMd66kgu^5C4o7#nni{PIq;no-(?2@RpXaH3Hd`t1Hd`RKwPL~L>Z^9b zY|LR4<-OB0HLF-TzuTC}DYKdY8=;BXYAzH486$_FL}7gn>K}-btpJqZbDJc;bbw{imtNEluW^b7yb+%VnJu%IZV)KYzGMIAbe^p;8 z{y(L@vd4HWW=7V1^Q8K!7V5&96rlnq$jM$FA6$k24P;>W z95%mjI{10%m*vTsIbUq;gQq(F9Zd3q^ywsu^49V=CKDm0$&aBcPYM;dEj&sbJh!D6 zZ>CTC7gKxOEtnf4e)a~JoEGxBTcL6VWPl1H(I}H~0@N-|=QkqiP5vmh(waWpfr%Ty zx5O&Oc;GiJ@u+o2m9XRP4J6OW)^7HGQ-94{m@(0o5)rzP@m6eQ@`V*z$>7y@Ib|W# zhm2cM`4X>_0AiB|lf{YU>PlcQCjL7rbvYLv<2|z@oV&T4?68T;Po0T0t7h~>@!qM} z)`Id?97XBEUFP(cWI~?O%&%2T9eH`371*)K==JJtW%y{r+xBg+o#$rD{&=ALU`o=ezjOkaSPg-6k6I`lZ-J*bVN1(tGd)p+25L0L-H z+CBj+<&^!pl=G|Piht~+mrw&2+GU|@q6bkLc?J_v|A187~xgpwZ+f5Uah5>9FikFu#h~&48qbK z?F$*Z8*H~Q1z=<=fr*Nu<5~GidwCD`wZP=~Z9mHH`d*&U-qLdnZ_=MqE)EEgn6(p_ zs7aMeGBPTGX;%Q_%{Z)OjwN7?`11p+W8X*FZ zK>R4&br0KlT3#??kT{wD>XCl+=bW%4+--CH_?&4U*bObj)_IzX*t{P#5outI!q1PEIXPR!OG}B5K*F zvXG-svFmG1a;V3_)55|7%$XtEaA-S}rGfOy8Ylqs^Od({^q^tGJAgE1p(<(@C`lHX9I?hKlKvE4q7iQ3Bey!2aXU zx64}@8UYBk?E+o)^Vbwjz2u~Oa$ck)mEeQ|xpW&YnY+4qz_1^!?ErB^`Ri_TsCu0i zAP><|=JsOKxsA-QE@Nx&{7ZQa__)w`tJs?UlcL&&igmoDcV0mCCMjcDH`b6W9|2#& z+Kd_gf^TNIW|}WJQ;~sj@z^om!GnbqDmk0xHpec3GMyeiY;V?UcPbZ;H#?Cb3X*Ft z+`clgf^~O#pj`d5@fG`CQp^xt=VJvyBfah&>Y?i7uEA`?GefqLB420N*1KjVYwEk_ zo&dvl&Ch!M8X&_Qh2?jlYSj>^^pT`SG2vO9Zfj zcCH|0^H-%EME%g|1Hue-JOqQ9e3ON)vfkBJBDKfd{43@S=HvIo4$TU-M{W4Z4+nl# za&S3D7sb*p(^}g_RMu=WyX?vX(?7xqZcz4+bWNq%(4!w}vMhhmbfk?ltoXgeJ#55t z1O_ys>fK=RU0tPT*`wsmX-R56kkj04g)_<)inI;+#vT&cg~%mZ>=R)|p8~Om@Mpcx z)JE!x{rUWQ7vd;eru423HK+&=H8?e~Ofb@iyq7p)9gnQ8ji1kSwY=4S9uW9rmvs^q z{*q@cRa(+WFy(4cA5LA_iwtUL?LkM=mPCky=l)t%1z5fKFH}_!vF>j{q-LWU4;Q6% zPk->thTN{WrsgNVGeg?2PiYf7tF|@LQWsP#^Tb6itHYGmSLd4*8?PUY@eeISp~C9| zB(p00vzNWkuyqPbr5Vdab2ZcSzL^)FuiE41;^ys7=xXL=pU!vX2=4lPCGfDIoAiO0 zm_`JpWFfmyh(UESV@-a`eFx;ha>PiKet}DK088k#gn}U-*;V;ypM$JMv)U6+whvWS zb&THfCEwM9_cZMs9HM~Jz#8Gi{F@fQ!SCA$x8Dr;m{c3Cm+&;>eI)y;=RId44{{XD z-|yG*pqmZ#X*eB`Pyh&c^1{PM4l8q#ha-o2>z3^Uzpfy=EThUwT1E}!R-7K002-Zx z6tnarYw&1l)o{%-eAXD#Z@MgrfG*1ei;AJ!ve>~sih|Rf>LDgziDf;STMt8PD??h3 zJo1R4PmT?mo=|jsZk3h=Jld zg}hrz&as#FlCEQ1=BU%2Bo~Y?!*&o;8EeZ)iHu(Ek2Y!KIMjjDA~}E-OBl0CvH49t z(BsLvUKYF~%)B;6era18%BPJ*vT=Bepm|nC5v`n_y``C=Hd)1~q=_X&*-0m|8oaB? zw;G*npLI}aAdCUV+IQv2N91+JC7#P&?>MQRcVG1ymNj<-v$Pw^DJ6f~ijp%(%~V$Vgi42s;8eC7*`-?F0d)vdBV8dj~DinxZj z)b;xr#2qbVFTBx`w6e@x?ArLSm*kbEH~Z?5&!IU%b%9pUnz9i;(+g>LSNp65SHk#L zDc7u17{soE#Y~WL#qxolUgW|YlZk$YCy0P0SbL8yCB=Plo9VF4mj>25=fvkHb8yaC zFaNlVKhE%M*vF*KZ5-YnSX?&)5aO^gkkdZaUAS1Grjmz#Xh(ZMWilrxqNM8=irI5a z%F&G!D_1RV%Wyr&cRXh4-L}>%!rW>x(L1-}TWG)aw9D*V%j)b1VGC*_X9Q_F)G%`h zBj~rP=!|*fhXE8>PzO*TGX+a!X&Q?Kn=jHvLyf)lxFbeF6K84jkI@?nKTyjL7vD|l z46ZTwP@UQCusMjB5P8Rzy!e|Q%eD)*w@sLDiL{2=g!5jTb&a`n&+XCMLLI8^Ib;eR z6-GZJ>zvu41J!?G$lwK5bCL0YIO*7+X1^zj8=U4wrM{$ zjG6Vr&<0|yVbSIf7#6C*Jm2+8PV}u{MmT25lB?N>XxEG4fIy3>jF`L`Ov#QimEJgW zb9SaEbijCy^`&|QWsD^^e`TD5B=c98qYvHt2O<`m&6{5s@lb!O_fyW!dq*Z69p6FZ zXKZa|oHY7feMad2V$KuOdqn$qf{za)5^ z0aiqwOYE8urZZiovef2UGR1B$%3;=DmbmB2GTY;~Hld1R9~ZjcWh?pfs_-$b z;1(+v347Z;mFwGAAbg536U5KeJ=?&U-8LJus4f;`@2|35lf(sWWYh$h-F@e&{yTlh z6d}iXYKetcH5EABo0(u9X{Okut3=)`S=@^WCGI6;c)aDU%34rzTdxq)I{!H)U6lng z%+OwUtQM1$Ko8Itg0kk9j zBfg}J?4A;q#-O}vHT;)$%k=ob-c>6fBu;*n{O%KKo#cfLz?j0>Nf2);HTcfg)o4=J zPV|xuRK|frQon0XaH5x3wdUno+skuZTWZl5sN2Ee7t(Qk%#z%I|+7a>9 zHD>F`QAHL%8II>_iY397go`3R9>Oj4NBWV-!OwFbT-A$~tfj>^L~p&+iUt#|j2b(N-gRJgA>mJ9F8xZqN&09w`D ziyu-L6d^$XqmL*!@dtH{AN0c?OuLXhwteE~`o9xDe=2GG{c-O9TZ9c(==hNpZW+%* zT>@vg)Cyy{r?^?r&C6f9KuM)?czJA5O0 zLESKR#&RoY&&#iJwhTUU3^;F56tl~bDEvZ`B7fiT*gI1au^%|hsdoA%uHCkrS0d9ufG}{9-f*c#fr165Na|1qH z4!6?2)8Ill&P`(bBKx6ERBJ~+!EE)xt)lxd@)96TGLi?)Kf*6wwXYE3-{vg_=nAFo z2oC)g^qfk}*5NvLel&@3my{y2dCv(*Ty(u!4t+xhh!)4j-VJBlhKGbeK|X<>`Oe`l09X_k{cJd4aSB zkUH4pI3R$k?UKi;`8Z{|@roNtL!a;Dvy@uCIi^|v_&_34fQgj+Z55hG8-(4->Fa!y zeO`|pPYdd44nOm}$hvLNz}DWk`Ch`{QPFWeHlsKB(yy+juO_N8=upru@rN9}cbaDL z_0^F)*GuKJOimQ$HPUQm%K50IRIty4A2!twIg)C)-WA0D$$DY|ObSZ#d7`qBx-aJW z-?RX@r~Wy^0e+T|Cq}?|*8jc~MaY$dK(V{}$p4`X@Pa3Rq@iDnWWW1=UB7Q#edsPw z?0FSV@V9{SUo}n~5NK?sS&2##kT$lf?L#_$(2g^U;vX}Yqdg8YZpgRW?yI~6c2fd{~ zwSe;?CFShNvD@wckpBOvZ^Ul^#jY$bC;#bje{YsQr`n&oQTgXo`_tU`Io19=qkc}c zKTVpSQSC>F`ED%#?}%y}b;(jLB>R@Z2mfPaJ8f(aR1$Si}M4;C_gX9|LJjmYgfVb z;`AVru#3o`8n18WNC+fPPIST z=g+D3rw;kQJk=~LsbULLqr*wqp&5*?kZN6^ATt8?Hb3Jd-YE_b-ZWd@7{Vd!a$&|* z<%5@M1U|WjU;9$3;Cx<> zpTO2p?&ST!GdF_xgH4LzeLArhf_4gLgj}@0e364C=DQi^jg_91B+fW(YD2)+@|GOl z*vmE}PsA*#R$L(F@3mwNmpb3te%B1i4)PZjw9c-yY`>AWX6f9gr0qcTQF^)wQR0P2 zKnH&rbH-cb;TP97d!mx3`7+7*c-MtJ&Dzvv2vnv=Yi42P%WJO-#eSwyah-ZeuYYln z%CZ(4bmo4_jgAhNo>34U zhzKkl<*~KA7r!ihF;004hZo}IP_j-?cE!gok+KJZN8|! z!VacUVrP8nW`6=pQzI4{ennvU8PY8K!q+5WDXRswDwZS!4CS6{S3Md6n0LV1xX%datXF21ue_zT~fhro|4! zfzyR`3efw%frk)(0F^OiFFp0eY?yBDZp)O4W)wlNUAwz2YF2A_owyuWlmmHQ&22Sl zzB1adlc;STaV@=zs>skTrqC%Q-+JstBgb^FfEQJApBpKXYo@2UHE*f#BBzYs8D>Ys zWiDoi@*Eas z@B~g= z4DM`KCYeG8Mm;nyBg+*7GM3OAB_7$~LyiR}Ld<9b=`rWC6hoq^9>IC+#{bILg6l=u z4qva!B+&gX0&Sp5l`9uan0Sy<199LE$gLDmtHax`;vbwmj5j+tOIq+G6CLgg`X`4m z>m1%A{2zsV30P8D_;*=Oi%qteT9(!{W#yJ>TDZ_MlT9U7=B{X(yJ#+m8;~_-WonI? zxga%~j4Q6VLz`M|ST3jtq^5?5gbN4=eAk(gn(yEL`+6Rp?t_%a@oZTU0uu0jKmvrW5ACnTkJj8t zQp_=zfn~k&8 zGD&*!{RQHZI@iyEzq;^{u-cSNgt`^ulA*{$ZYG+6U(AMElR~(!ZS??2Xd7#_Uu1Is!tyflAe>bg&urRa0{3 zQS-S*R+)4<25-%sLS~L~wR0Ey6@q8As1uWXwj~u>()oqf!_xGa4ce8tXBTqn?EMC~ zA%yrr$vk?@>pm*CKD-xYN8`{%Gejz<%F^Zdu1v%(jKkcYsGrLk2HK}>*EXc78H%n# za(tppHwH9lc6JOwF^t&b+k@6=pFObBfQ0ohIYD3PFRf8=tTIgl*i(s%EGA8;5*}tC_P9uV?hB zg5|5o=wJ`isAu|d$lyt)VslQi;i>|IeT*oBq#@GPKva`4{B$~n*r*x46BS8_9L!Pk zP4=4oxK&R*vECeukq)7NH*Wt~G8;WGJV(y2)@{a0SX{&Qx`p<%7O(MRg1)hZ_at+T z31V;{ul-}Q_8IpH74xmw=+6juQOnHL$xef;I@EE=NIhB^Fc>p%BI*nRX*#{w!PbxB z_}m}5gvWR0gw>}oSa*P6q)wI6(nhoOj!qavEnLn*=0<;M^dl8cBQjlP=~tX%gafKr ziDwbjNZA7$U>-e+$0T=?7k#tNUuC}6p^S`GpBd@#S8?aJ>`=Vaw|^w9Y>zrB0MSAg zETkrIZ*j5{Qpnz9cR!-1Ve@pOff4dLFE$JFX-+TC<8^1e2Y>3fA((%rnGNy?o0;5+ zO}2vye#@|)ZP{4n`E&E-`gjDoAO_69+;0QN7$vEjrblOoH$Qug=)|0G*%|G1j`@b~ zALM*r!)4*5Xwe({tR7rzMv#uv^k>TMd9-;`C{gbgqx6HS0vj?V162zN;Ap~^?Z0_X zp@z>klFz>W)THr7pds1K<`#M6j9#k^W%=BvBN0P_yXY;MeQ-fcuDPzn)pz3rB(KrO zFi?^>HK>CAQtweFn(ia*9cY}IA50)OCzn_?!8C@HMJTkW-Q3U|Pe!pagSE}Ha`;Ja z+I*oRh$J!~N>u!0(JiVERc3^=$hDrNYGf9*_4$K_B}2xYE!PT+yT{MxcdT)&_NME& zPYbelfI9^VK`4WyaV+P`)v2)E`?yd)?0`(3ri z$u~C5%nT?P$l4C}QL#2VPC)j&yLE7rC`OI}KNJ`f%6C2xv>3l;B-^61gZ<|1EsK$^ z5=(vYY`!WKGJXL|_8>V`|+j+B>; zopnb0y2e}Iq^`nxuKdKE;5VDCsW>s|L*c=_}UL) zr&x60)2=x}pNotRH0(qMhwgl`?(M|n^J*Nl{{4pC6VzXX8)#>-&)g4$O*-xrd7F$} z(|s~XcM|lTUGM3d@uTMi#VC9+AOL$zIoZ}!%|wy338(J+gQNGEv*eH2N-H|D`7@U? zp9{A3sexPjQ&EpD&96S{m}Hthz9^#I`UD#t7f)tPfNFS)@B4$VPpj!8aP#5Wr&+f5 zrC;oYP%?3Qi19hP`Fv|)L_}zC=-&PKtc2qFjgKndZlgv2OkeCH_8-Pa3OB|a5N8^M zZi!ew2Fbe11T!*GhaV#Ks)ec|u+($}Eujr;{k_}Dh!}b_X{fry=Gi9~Ne@@)9fUlQ zPM81&4*D@dKwUEu`??sd;e>GHKw|i(7H0$iPHdm}ZAIb*fC=W&e&$ucyNqm_!^O!hktI?|9<^%;lXY3M}YJ2b{n5* z#RSk)1wHu%Vw5xwHp)K7dL%Cm^cz2JK-voG0UKTV$n`7St` z`(y=K*WsC=1ar*q*=jLUAM^W>oV*2*l<|wRWES62Hi9w_KVU>7>Yg#@=Jyk8BPRn1 zgfo@ZNPf3>bz4Ol$LU~hlr-S%(YW_k=;>z>W`S0klLQ`7zp8m%e<+&MuoWShop49* z9U3GM2X^q2o+HnZse1cI23Zq>kVP}@heTEC5j{^6%6x;dK*Gu(hach7Konn)SfHSh z9AP}7NuIFUV72X>IiouW*F6m$FlC#w{`9Tgj|vVo)di#Vy)mzV7il&)EyOl|^4IiW z1yw^}L30(eFU!uxE4ApAWG5uRp3RE6UZ8d8(^S%CHY3)`tagt&I7{&g&RZ8#ht!$x zUf3vIP)oc%Gez%^WOg~2Fc9nG$;j!9LYKv%OmRCSzM0t_Khin3a6z(Q5nT5r#@K1y zZsT2xX(y^~dyC_$9Ls`EtI-52#b`>+Uf2{w+HuZqs2#$X;>`DW7Xq4HP_${A}bOsKHxr zh9u6Ur<^?hDy}0MDGWmCoxfGESulSsC&@hg5F{oNQPlQ)0}dU&F9}BN1+6n_y_pDX zDV?~Mhu3>fEZ;O1z1dpIbzGk#`Pm2=u6-uMffDdp(nvIZA0EO7k_hHYgrQ0gf#ULN zJn`KpWb2Z%8@oBkJ76bzxs^L?8ttx;G`ecRN}i1H5j#sFSF4+3fP#d;;Fg-;O^}lW_{q8a#z(i&GuEJT4F)5k)9H zg*Vd)=j{}m&PuLc*oFflI@cJQq|tzKS{&Y5Z<6&kd)__*HrqyHd1V*;0}89$X(o!; zM6l$QPfr0w%hBkJ%W*~hgdv!VR{j1^FYDd}@q^^Jf4i4o zh^b`qxyBn;yx_`CVZiXUiTtov;_>lyd;RN=y(eXwsj$U96$qmoj-_T7^upD?^TFdUZTqz~0!(K{=KJ|-wZA)T z<2b)4`AOThkL*khGf+8^6n5?lJ<(+R)$3r+-5TJ0wLJ?I^?*#3!`U&%!vkmrY7n(V zl@d%MTSGVV&8fCS%~+<9tER@;wlw2INqOBCQSiH*=!5z&!7Zrud#R{ z;wX-fnZrRV>{0}DmhI~B=>koCF(k%Rf2V>?tzu!)4%x6s+I9_}r^evO;1 z%M5n=6?XN#4p0a=FLEUNQ7eYT2A8WCHhe9Weu72EV9pv~40L5NYyOWdeDAD|=z_8Yw;ZdLP87eYbL zgwyIo(T>Cd$>3r}s#Zr1&Hra4L>Io0<$Ph!Xyd@a3D`>hBH}{SbjkDGLCFlXpfPdI z+0~K^AEbVCUf4VZ{pwA za;96&>fay4`-6*bFFTv3^)C+nxLf1w%1@#CQH#CDL~dFKA_V@?BeA0$n}+`_HjP#> zVDjy)H{;lF1v|lYsQHbo0?S6!5hH0|S?v!%ZnIs}yz%NZ2xGZ@f>fig-q@vmD9H>d zjsexqydMzSTrFkR%zS9$LO}Y}i$SoVNDhx+9aY#I#7n_?Tm_ENfIZ4G#VC4)D_k0% z7*f6s8}d=uH}209AOU&HKWIBmDR$UbAOAr@{GfesnzNwTU9tGKc3@J}eV5Ku8nPYT z7n8;qy(1v|g7S~Y{i5;Y$GhRwmcJ9?+Rp?tzn(zwy2eVRQ|2p!p@j|OyuTvkf{3J; zE`$`(eV2g^U=%M7?ucDfIQW31WAYBfc;7DK1t*ZtDHyfa60J$FnR<5!EJ z)z+6Qm_JTc>70eC7i1Grx^csb?T|fj&owXG*L|9!G*}G)DLdZTgR1`PBl*~g`S*Q! z3md9AuOF%e<#ufNaG@%VuDES4tDsbpO^~!RWQn&9$DJNCN7rXU?cc@6ko>69H+HdxreMg?deSbVWM$ zpF-Pkt)GH#HTD4=Ut2A`^Sqgq2xG`MkIe)Z}kyO;Z&zW<^u(Au?o5jQSf zSe9w&h`g=misK4niQ?ZtIx`i;-G^JSR=6AL0k>_>zlOS0M<0SPs*fiTZ8qEuhxIh1 zD^4s0{zGxQ9YwxG_DjO_%1=t_nP*>4{?Rqj{)^x02MJ<5;p$K6vE2u=6=6v&-c|xw zR>lD6Wu@d`iDkQC4xtNfn*mK5QTnt9?OVG$S)Hilt+D-`W%&YuDj_gf;&h#)sxPcX zZ(ML4JCmZ3q`1xM1B%0F_O3SHMDdD`{HJEsZWZf=C7-D(?+O6$rA;OK(wl*>L4i-N z?*t4s9)Cy=4Yx4;k~rRakD*m8sKnZuNGp0IMZn`8WGBLk$7ktP9JCGE^Kr4RwJS4z zV{)gs>ng9aL>xSh0B@zDL#>P0bB*sOb7$*~NKxYgWMEhWr%cRzZRT?1%=$4R@(6^C zMCWooF8rrr9enT{A`VbRABwu;=}Cq{4b`?A|73-BwPIK*WtMZR7Ybm7Q}c4 ziw2Hd{-d}*QygVqYMpk2|M0;3R&$f}f!RH+ zrx}eqL|}(qn=+~6wGXbZCnsU=K2&U{<)cy*15)K5SSzOJ?Mf&nAwo*0N8Nv1=l7K;1c{WUAJy4o=7df{c0LdTg| zj&bWO9JKnw{%+H1!ua;utyZ%q-%RgmZMIJd4iWbq>x-Z+Q2%(<=xaIPTHGC2(W(&H z!SPI75i+0O6j|?HV@8WUFhKr6uMIeW^o}~U!FYR%Q9xo}w?hST&*Ai{fd`^09liY%)~;v!haJxvTM?*87m$%9o#7 z3Pr6eLbRUrs>=l^Yz~Y(R6?4&-qSJoPi(c_%c}#IKz81Phwdrc5&cLp0KOrjYEAzK zK}PVfaG;++XpDh=(PbbqS{p<*-Gu?J`jQJ$0SL3oS5SH_$07VwAhE%$#~3}se%4f} zVyxJt7ozE;Vr7@jc>UA)!G>1KU|ZDSYigWWYc)EWPW@H)sK2>*)Z1fJT>K!)7Anp# zd(A#t7*jA^&9@D)@kk!8DhRMPZ8CBH8Kb`VMXUkr;*QqTMbC1Nr9mvn5+0J(aV$i7 zdn#nQs=8_nY!~P4L1>{1GhuVH+?s{g8gD3y*esLcsKA@dj)$Cv9inNL^0iJ%Hqw=8 zOtO?*VK&nqMq7;X1ij;_4JmShc=|E597KElHtQhQyQG+Dt5L4Em(`Dfh2;jF#PCCB zz>iT8`XalZbja~eUQHCfT%YPnJ>5KjaL?(So1ZP?(k;9T zRbIcFMOT)0)mjn5j}RohDJu|2B6^fLFUJE>2A$-z&baMclVmqDWY@mR{ZE;ZesiH+ z`=V4nA|7UTUUEY9!Eyw4`)&1-m!@al$x)lW*X)qXKKbGmvsN+tjxkm>;l}~rW{#!B z=xwgdM9pfumPHKm--%K1%ezSH z*t;2MiXxEt+f}D_oY2ksbFt?dqR`*dW^-166wFRf1bCj*CYm!i9Gck%VS@&=~)h;YW-^*aDHu z4?*;TGK*Q^U)^3&KS3l`h^DgI2?SKnK%OSo&{$lIlun?H_C~SrhZ*Ud`nKTdh3sSL zMCuG0K=o!kh6{gUd%ou`(&7rHctKI|jajmxl}CyB!G^Ay$&jc+C5^nCW4!1!BB-=1QCF^W?Pl)zn`euf0$`Q2D)zk?Q5x)SaJQ-i2y>Xn9vI zyTeP~)_cWq9mzkftwhypAbEi>T{XSqgXQyXXJZve=q_57!3gbcgdo+c-~ZFQ^TABM z)1J}AgX!KSL-#QnOs=4H4WSP3;nn|?+!=Qu#?mC`njKWUG@(DZbbFVM;-2ZmXs=Zb z%$@HehW*y}7q>z|HGiGE$}@wvIY|HybLpNc!h3JkC+oOF(yJU7+f;IFGBeN~lN{KYHY zcI!d=C`v%7A;u;Xl26wVIM@lU&^U(!3Tv9xs}7Ngg}r%5@R{($Cf;1*5&ijug^w2I z>QoM0JqJ6a>|bvhz9jVq0k-4UA0C9RO#z#0teHkvZtG)ne_xOX`aPOy6E~}CedmYS zVa}pqibu;{%?V*^e54a@%s7w?_KYaGG?qEpIN9IyY0RE9A3H#;!0||Epc_-8nZcd9 zQ;tRmkMapAk6BaE#pH7>y>%zu9M)^|PjEu8jPju?Dc@V^<<_fE^yVVxT-Iy>x@*O9 zW^~(msYT-vWy%X|(9|_DTA*(Y7T1=&?VQbuV!4|}G3d7aC0{n(S4SW1G_T2b5dITn zJNOD_4#pb&1wirF$|-OoNZDfJnVn|z`+ug!ZOYlSB{A#|@3DiA2Qp?u&wI{_@LP-8 zC# z3Pjw2ArP^zKPM9AU-=GPEh5eP?W{xdOx&T~7=tBTY$k(Mr>hQ&e;N@8OpGf&=T~V$Z=Uj$=dexET8)ApI*aNNO%48UB1T}nN zD8k*FCG{8Z^F{{M^jgL!QlQvJg#|m+RZQoojf^4!lOLLRt@2@BYi$HR>6=19yJmau z?wwy1DVR8*(OJ0lr;atR2)RjgKe+9NP%lJD49sE*M8ChW^O0G^PbKEZm05LJ%^+(% zaP^hLBq{Iu(4r_2Is^Ax{o&ufCN6I(iv)#v zw2nynMrr6H9u@DzWbvFb(8<(59hq=GViCbs+-FON)(ZtC{S!|Hl@v~DA|nM zZnXFcXoKEmhi)yJ$*%)bF5!%i@_eA(twzl4Xde$#;kk;jxVxEU#hPti_4K~SQs-2T zc!BSP!={;YW|aq@e{8%PHaYE5ft%(nAnllTM*@Wp-^R}EeK_@q@$i=3o9AFZGtGTE z%Fwy)S>~sCi%ho01*!5*vP8$nI0-1SOr94FLZ(WLeWJmQCnbs2!{Y7-k3g<6FxRC*oQOjtBwDW$h#-OwC+yt^F;yQ9VUVV%a z%bmV)y{trq9D+%7HBiQRPQeb-sLpu?<&Xn-KCdbHEMZg zpD*>iEo*AmG|3f$ZVZ)@*GNX_r-PXbL{-6An?uG`(d>bmiE3}Frx$Q@*^MCw&w$Hc z(Awi?CxIMkw)01-e*fcUpu?1X3{yxw=CY8_Sqxt6lpg+YJR;*&W3+Wm_4aaIh2wqe z`o>scYjdkQ3WM*B3;H8C0lN<)@Y*+G^y3`(URV1dxY$mfzU1|)VDesvT>X)DHDC?T zuHu!Q=wPI2)Si0v1mo_5c(tf?e~j~wv{EwAW)CYI2@j6}6l=6Z)p)V~E=XTQ}Z!jp?zA;te@?+@G(xybk@$qu`=MWh{0pOu ze%kM9vfT-7l5mG}0k>Ag>W83>X7i&7+?-6c5o@5eIJnUjJ*uak5N!^gt+=7&gtY+eS3OlR|DtIX3|!4IrxmZsonGWyv?7b{It8wQ?)kBqfyb9ZhnO{sZ1iTu zoqr zDie@h>URzBE_W~*ZJI?}~_m>7S*v%+IVZE!Tu$?I?MnEvJc zqIQeA$rh?K*pZXLd?FF(jbfB+cacy!oi0ANXUglAW6Qc+PmBr_9|N-jRn;OF-Q5tA zt<3(0!fhn8(0%gv>VJ4iwPM2*FB7nH+nKrKOc#hy`$BbOI-{-pi%UT-=YcO*=~MGB zz=gLB3yi-_}HpeFe13)CfSn7Y-+3DGf8b|&+#Qdgsv!e`qH?$;>Kj)i;~ z?w6GDo<;=ux1mc~Uom~RfUR(-8uBM)8x?1FQM)JWe}#sP-VTInRB@ zoAYLYBw`&CFHTt- zb1o};xPp{P^cdmb&`y&5lBs0HPZF2*JVWX1QE|91_?>1bSob&Zj#{oW{g6K^^+oYk z`;E^SV~69Ns#l%)?q<;!Gn?%@Pcp_#tH&yCdC5*;`Fod<11+DW*Fw>tZpBe=1~SJV zKU8fL^CBiv({i>4`NLW|TOdsj_1H;2?t&P=dW#~`UPVTCGv64zuNqwWsb|7UuUTj{ z1!KjaPSmi&L0dwPbRy@U9s6=2_-I_zE?q2e>auCW^KFIacQp(20<%nx*2FBvVAM~Q za4d7JGdX@HRkb=dvLNzib!G5^(C9CvujMWWbFXxj;an}RwuU(}0d

U{y}+T>=v@ z_R9C2jh*y&9MAX@L6R#J!u+G~>}uAgBbMwuI!FWC$ax=0_9<&K${}3z$?;N*Hh}Nr z1<;SG44I}v{-7f*f-9#fk@5W@KV$x?4;uf47898cxWeh2ym}b!U7vHPO=j2(yDBZI zDQW0nS?cWBZAmd4zp46YnsYC`&z3WAK;fy^DlhWuh1uxKD{9TAu)XR0s34Gdp;jFN z4h*|EW*qdu`Q&<1w&9Rw z+!a{;B%y6Nq02bJ+-h$l(^w6UN7XZA4et|DV3Ddq zUP_Qll12=NJo4F~LeoKc+Twn*M6+eY0IQy8snNM6c*3U0^})@j7S<~w_xI0#%&!TK zK}>&YpQb5U1?ieJRuskOSL2)7(ombw!cWY}uE`Q)Fkh2%pG}>iy=;*Zi{j4nY~ zeV#c(+hpDmWEMvE?Gk`IxRY=0_V@Hz5J^0KQ#W!}bL{VSW~aP4za?{Py!+`66i^Pd z0?L8f*K5Hgc?69MFKhbVWzAYm2VfoIfyEZh#LB+Cvwfh4<4DR>!^A7{t~!4u*BE!? z6f)1@*${%jt=}3fNl)Q^=7v_t$EE3b1Wy78af<#&TtWB2K^E`{?Y+Eq!OLK^sa?-- zM^7>~v4an$H`G5k;g{nH!XT_bnCe=EoTcK5&!@(v!Uy6>NMVgmKXf*7s&9XsfAaI) zz?(TXpK)glmn|#^6`!YgOsuzF%jb+};xP%`Dl;bsk<41NBm5y=9U+R`9Of*LP&_DU zjt1>sRkK#mL<6klun3#nBH&~tfX(Ovk=rLalDh^ySKHrM9G{Y05nCtlgdc)x;cgA!rZ!vI;7VMRNDG10oVmH;>{Au!g<8g47~<28#~Td9 z6xRa+8!F8yl1eZ=16{|+@BVskLr7nXJ znUF3TQu^RaPLnROxG#pwRcCy5MhY)ZiRR8;kbF52fXwBZU6~P_14H{Cq8c6`*Pq#l z>+aS#s0cV#){n9Kw$!8!Gn|g|ws3d+F98(#uTt7B-gc6y?TP0%R)lE&skAdIBjdg+ zM0!N5H$pgC4J>F{a4T}5;<|!y!9gblbM@BTg#2a@`nW-qNAW`m|K(ACcT1sb&xRV> z&3r!m?OmmedjI`~X?4gcU?FoV8_7n$1D(flA(EE63%|x34wSChjOJtan$HcxF9|fl2{8NPneU0g)Z;~GTGfKigUOa znxHlt?LC93VZW{>|6VsL*0`sLx(*YT6ns8djGhErw&*cnNJ>+NViQ|>xQabrYlY2x zhuzn9w7MmpjuoEAmQg_ww(Wk*Ail?RC_|sgxN}x&lvjmk4X-)g4aVN#zMCta#Zun9 zeJsCvFb&#qr|`r_TlpJ7y)}hy=XD;+c>V3gs;%}(v5c`}xLDYYBw3C6aU!sJtbAbo z*4kb<6~(-i+Z8EUuD@v>4=OolNT1xUCVi}s+no%oCP>blc+R#5bZ^s_V%5<3>C#l$GScPDd#R%0c3rLw=$T}VA2}9m zCc8sh6Ij|jR;e}~!dm@rDXlwkd%*E66xTr&{~%hx{f5h{>1xTV)TZx-8q8XfJ32t* zj&`lf^@BcuotJEmOYvT@d7 zW2imGD#vD-5?dU=jmaTIq3-&{#gHP6NVmK&2BHLL>h*2&ui1at^(lMxr{$WIpm$~; zP|!)JH%EsMeEvzNQ97=#qnDCb`}MKUH_&v)>@ic1U+)BUSRP*nkl)H=wQx`A(5vcd zKl5t8A=K0}b6M5N_Ax+7>!4o6uG|-MVHa=`3a~Wd?WH-hD{}uXgRL(AHL+9a>z+P%}IYeWDp%HTgs=}08sQXF%dXhW0S%K64KlVHS<1FYiBLO&?v^u z@&d_ZvmPk~Mig8_gbp8weZGD|xA$0j_vPfYL{{p5IIuipt>4^^ zuMSCz+IZfKelAMAU3QlnS5EG2f^pBPm2!p7ZbDqzC@Ws$P71!~Mh(I>OL(iSAIZ<# zk!rIbU%v6hm$krtKr+;E z-SRglPP!euS$Rv{!6%T;Pa7wXkKf#Mu zl}#t0f@mLk84vc!o!?x#t4CElRgFca9@hF^;q1nX@-3h3x(Ke~o|g^oI} zLo(dP6xQy>FPc@#$%-^vVo$CKTJs(a7EW1c?900Mea?@p7H+O#TWG*PK6cM~uA0;7 z*!xwvHUb`CxZk2smc74Sw*mA!l_OE1GTf;XpZ}L7EEm^n8^zT3^WYcbJ@143ZT??W zX1#d&x<)*W))(vK!IIj)*(W9A&g!*Ahhm#nBUQQy8)u%1g4(YhZ2qgl7A~8REn&$l z>EH_4rh+9pA5h5>6=1W^;CRhAomWq)O=^_QOg16l0@yq&-1eu74_E5~ zq&i>^m3iaa)&N92#_ugyeqbTQt!vL9ibv`qDi7*P56|T!$DrxU?rQn2zv*{7zE<1l zVtp467~Iq7FVyU)Zj-8j+aRMXn`nIZTEZ&g?1oSr+NC z5-#cQ?K5urF9+iYEhD` zZni(GalSWCMFB3G;o4E&FixNY;4@`C-8g$SL7 zPX!|3_0<4NGH*r87@&0;&=Jq66bISPpr2!*r|S|!w0-Z zL1c~9vZpGI0o-dEhyG;y@~mGJozS~VYkI2Vl?5H_D|V`;yZ06SFWd7UDfIj}%&UhA z0vw;iTl}j&i)okdzZVr%%B;&CA}9B@&DXd+Zkd~I*)J~teqF`n42>r)F;?{7EDxU` z+}UIJ-LQ9pvHJ0m-A;%i6oqx$22m7u*ZBRE@+$!6)ZNpV=1#3-#@g%gXhwuAg|C1kmHjx_=1=@i2q4Y>FFQ#g7sV-V)oI zt4Il=bd)8e6`pA+o)onsi=negqMjaz6?C5F)$nxTt8pi&!Y*$ zlb5-tEZz1guo`dMC)p( zEorJs1F0n1^$WI1-&y7hi!LmgTy2oo@+nZNjzCy)SD~UYJR5kyG{3I4agK7H2Ay~& zlj(nE7x)}d$N}i2ZE=199$3X7g|j^8+n}QN7DNV$pT?p74eXXQE;dzX_l<^fK6z@H z=+pZSf4=_DvhJM)D{3$vu_^N7X%iy3g^x( z^ZW2lK(AkyCEK3-_Zxez+^vnRx&$eRT{wA#hOfVCBL@C6N%}6*-K6?MY{4cNK+%S} z`Cc{@b-!+Y26m4FOsdcOzfUTi0W8!`qVBkI*^M_TYycgu@0YMD@deg!Qs;i#`Acw; z-~A>6ev zIrsiA>!Xx9@n5nnZik(h7+8h1T|O<%{u1EeZ@9Fp!Ut`8^XpuzuF?h(^^|-D5J-B` zLY9eKc2j>pQ(F@VB;~Y8M7C&Xcqt39!++H@u8r54%`Rtf#dJi>x&Z zsS)fd6tS2u`|Y3=HY5-%eF zUfKW>=Y-=s_rv`d`KAnSz$pmftT7QU`#&;UHtjZ-r;v-``tZq0_O&a$1gbcY4@$Jt zb`8)-fVpNR`+sFAu!Fr}hTpY*`IlM{w}Wz}3EOj=sB!ed!CZ(q{1BOMXM>wW=^@8h zQL=#ZEm)3yuKbtU@5KexPee8_lk_W9tZ)*w5i+{1O{KfVeNcH~IAfViw_{6(!g**E z-~9KR(mw$Y^hWpE)dVK#?`Jxm#-U77y~Xf4V5a_QXh57q%=Z~xmv8>|!v3HfT&^558Fq-=M`xmNGes^q3WN zV0_~HUevbygpEC+TMQZdF#*B{rP>MLew6$M>du1ZRtBdJO@wmAr>NUR!OL!X_xH4l zCRdT*@b;9b*pISAf5Fj5Ra#nYeCu#hQPKN6>qsJLL=;zfkoQ$^%XI%O_w#$Y{5KJt z#O2YRo&tC(O;4+>nmI?bu7|dn%)8ps^Eu^pg7P>*8-Lhr+0g$-2IkhZcEh2mx-L|G z6)OyH9of78Zz6=uFnm!%kv0oARYehcA`k5SR@G#q6)OQT(#aN}w=54bhM9&JGCKZR zBA`C;QUfKQRr2E=b_BnhOh6) zx2Jr?2G@b)PLVHhTn4AWGK-#dZ9EV+ZqA`MZ%M4Qap%4~VEQ>zP+ECWaCF6n~3M?gB-48kOe7|0d74;l#_14JV+U#IauKs-POD&AG)gDbF1 zhHsLJ7<^JL^z=;REfE2#B9jY?@QY#)Qi)YBv#W1C`w5b~^45T2KPnUD5J@W!5I6Rb z2giW%EF3apu(TyE0O4QwRyZRI|D_>Ic(4DoZzf53<+S+7?$- zL^W-jOiMi~JfMYl>dQw~&onnq;RCX!vh9|==(j4dR@)-Bpo?{ilUAkmcpHA!yeYbg z6+& z!=HsGa8$aDScMwMYsg3$YPa9M!1 zOBicnooOsDFQ2KKFE49@n#^CawUfc*|M2Cp<5S8Ff1J>B44A|GwzdR{Cp_w)e~*r+ z&;(KjbEtR6l(UvxS8uZUj5tyj@Jbt&GAzF2iOh5l$P2fHv8%8JLd-PckRCP5oi+mR z%d>|z1ok-jI5^Y?42}5f!4qIEG7$Z((Eyg)^J7DJft@xm1Anc@DtNVdW$VX@)-gIf zhX&ogAZJQ`H#xkCs0>1tX;5SVsLk~w(pZAUO8h!t(%u31f+U`*XG7`pYC~&Ihd@D4;!*KFZ z>NaX$es{7_llcyc!uI+i4bT5jBOOoFA_+h5(r}O%96h~k7O~GZeYRVG?-7RqO?x1y zm3JKI(}5Zf_8er{VMcbg33d9u2B~j-d~B-rMa>mXMb>Zt1@>yu@l@SHJD%fIMT85^ z(g9Om4ni(j*L)$?o%D4wkJDa=BvVdkZs9Jzl;7rW>$QwXcOR~l6R&^C8?>?!my0|- zF-Cdz)e#tA2s;KrZ8+-)meMz8$(HRN+8LVw^ zOr#S{dSG;G3Re{L4L>YCB9p~0V_lJBuIl#Y21mAj<;S)IKlrNDb;Zqf7hB?hV39Bj zObl0KkBgwG;_PkVn2ut5JuQ5cjz0x2%?a)8pZ>1mJY~qyB%I8qXdBAFP{HIjj`84< z)EpQ~p$C-e%`Tkwo}a-h_@)G5(F`(iM*J1FmBy^5SF=ftEV~wIFX>)~lQ|*A%X7bM z&ZiGvR1S1`dn%fZD?lwls)SJ8J}s#6q)J;siOOJJkxNd|B>otn^WUfKqwPBFpN9tX zEz24vK~AC7QBBeC!E5kVXqylK7}dpfSbS!q>)FgA7`F?k$^WKLd~bl zPkb$q3)VGoG{oazVJ}%aDpiXoE&gJ9m=G=K=(;aMhquo>b=pLj{s{;+)kXjsIi%NF zVULfX{pG6N<~qUfMyj+;LcQnj;T=cTQ#+u8(I@#hbJx05RyV&+68zrLJB=?ZUfK`rBZE0jm2VF1Mvd>65h)2yJzmaqU zAZd6@pR1*qePxK(CIv~-R=FlggC~;4j-IYqE>dn<3cB)6fV`c=ar8E$+0j0cPoH@zx@jNrR0>`&Hn>NuDU1y diff --git a/examples/ingress-resources/mo-example/README.md b/examples/ingress-resources/mo-example/README.md deleted file mode 100644 index 895537d3bb..0000000000 --- a/examples/ingress-resources/mo-example/README.md +++ /dev/null @@ -1,80 +0,0 @@ -# Example - -In this example we deploy the NGINX or NGINX Plus Ingress Controller, a simple web application and then configure load -balancing for that application using the Ingress resource. - -## Running the Example - -## 1. Deploy the Ingress Controller - -1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) - instructions to deploy the Ingress Controller. - -2. Save the public IP address of the Ingress Controller into a shell variable: - - ```console - IC_IP=XXX.YYY.ZZZ.III - ``` - -3. Save the HTTPS port of the Ingress Controller into a shell variable: - - ```console - IC_HTTPS_PORT= - ``` - -## 2. Deploy the Cafe Application - -Create the coffee and the tea deployments and services: - -```console -kubectl create -f cafe.yaml -``` - -## 3. Configure Load Balancing - -1. Create a secret with an SSL certificate and a key: - - ```console - kubectl create -f cafe-secret.yaml - ``` - -2. Create an Ingress resource: - - ```console - kubectl create -f cafe-ingress.yaml - ``` - -## 4. Test the Application - -1. To access the application, curl the coffee and the tea services. We'll use ```curl```'s --insecure option to turn off -certificate verification of our self-signed certificate and the --resolve option to set the Host header of a request -with ```cafe.example.com``` - - To get coffee: - - ```console - curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure - ``` - - ```text - Server address: 10.12.0.18:80 - Server name: coffee-7586895968-r26zn - ... - ``` - - If your prefer tea: - - ```console - $ curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea --insecure - - ```text - Server address: 10.12.0.19:80 - Server name: tea-7cd44fcb4d-xfw2x - ... - ``` - -1. You can view an NGINX status page, either stub_status for NGINX, or the Live Activity Monitoring Dashboard for NGINX - Plus: - 1. Follow the [instructions](https://docs.nginx.com/nginx-ingress-controller/logging-and-monitoring/status-page/) to - access the status page. - 1. For NGINX Plus, If you go to the Upstream tab, you'll see: ![dashboard](dashboard.png) diff --git a/examples/ingress-resources/mo-example/cafe-ingress.yaml b/examples/ingress-resources/mo-example/cafe-ingress.yaml deleted file mode 100644 index 2edbeff3fe..0000000000 --- a/examples/ingress-resources/mo-example/cafe-ingress.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: mo-ingress -spec: - ingressClassName: nginx - tls: - - hosts: - - mo.example.com - secretName: mo-secret - rules: - - host: mo.example.com - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: mo-webserver-svc - port: - number: 80 - - path: /about - pathType: Prefix - backend: - service: - name: mo-webserver-svc - port: - number: 80 - - path: /projects - pathType: Prefix - backend: - service: - name: mo-webserver-svc - port: - number: 80 diff --git a/examples/ingress-resources/mo-example/cafe-secret.yaml b/examples/ingress-resources/mo-example/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/ingress-resources/mo-example/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/mo-example/cafe.yaml b/examples/ingress-resources/mo-example/cafe.yaml deleted file mode 100644 index b8e51dff3e..0000000000 --- a/examples/ingress-resources/mo-example/cafe.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mo-webserver -spec: - replicas: 2 - selector: - matchLabels: - app: mo-webserver - template: - metadata: - labels: - app: mo-webserver - spec: - containers: - - name: mo-webserver - image: mohamadaldawamneh/http-echo:latest - ports: - - containerPort: 3333 - env: - - name: TEXT - value: "Welcome to Mo's Website!" ---- -apiVersion: v1 -kind: Service -metadata: - name: mo-webserver-svc -spec: - ports: - - port: 80 - targetPort: 3333 - protocol: TCP - name: http - selector: - app: mo-webserver ---- diff --git a/examples/ingress-resources/mo-example/dashboard.png b/examples/ingress-resources/mo-example/dashboard.png deleted file mode 100644 index aaa4ebe16192e2f4968ea569e5e824ca5e191a76..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 354834 zcma&O1yogCw?BLU=|;Lkq(izvN|5dbDe3M8=>`!{y1To(1nF*&ldi zK97tc=j?O#T6@kl>o)^K*(L+k7;$GzNhrLgUq7m6arM($o~;B&q%2B;Z>q#F{P`;Ur)Q$lzan!NvF# zMx>!^%TSFN0!b6X~fO_AcGiXqdCS(6;>)|@Z?RY5FkDUJn95bY22E@`FVJI~z2M2->p8K=Ticav1eA(QP z!K1@ddl*b2)jG(xM>wT3-u8@C01i~vjUI{!BCUDb`l|*q7U}wJ31!d=2-2S{DY+dy zEGd~C&i2Ux4WuED5Tr`;mUh@6M?4!S?{`{1BG$iJI?phxZj$5JR|t_08js!x4xP4BGO6*@1i=$3w{h{wCa{() zmZcQNvPcIuh+k=U4`uc+;UT+LHh1T?9CL`Et0Y4q%fA+5{sNlHA#$mEf-K^n}N?RJuT z3s-%jaxapP!9;#T^bKrJ~GaZ!~e!AkBd!K-~ZR9WYAd`A(!Q? zW(5xOGo-h0Ll=(Jx};)O5SOi6Cm8|?ZX%VmvVHdl7wA43FDbFc%J&|YFPS*$Wfe>; z({q@;2d?cQESbfKDuU+^Dk}$TS3(gCUSclUVv72aq9LgZA-se6icsa3(OO@L^Q8DA z0FndEpS}a?>iuxcyDCp{xb)KuxCeN2REeNR$gOHVdALixpxUr}{(&!}*n|A`9WO)9 zZTXjQuKTjrCP`3CmY}W)&kPHZOWz}r!MyAa%@p0&Cng-=!9jV0_CTQX%Jck#GYex^ zCShAI1s|Cs1~En%dJ|l|5QZy#bXH9gIW_ikM+$VGA0sY<@;9Bn>-lx;m|8mGkb9x0 z7~YYdOJ9Bg{EryE_nk}HnO7b`6Z+Px=C>Q}EHkS+*;A8NyJhdO@w%U-$10|y6+X2U zqvNzu_|)`Z>%&%5&%qz?&3s~q#CArq=vt_tVBuSWkKRgUuF*_M(L#x!z^$??aXPSj zc<5fR+`6lBmqc)#L^L818B-odsw559>p<{reiMyFw#hYDnL?Dx2Z}j73@hD0R%$b$ z_<^|Uc-s$gLhnCVV#8BM0}4(Db+}&3nB3vl-P?nr9Bp%c3J1#85kWy_fY@(Tb|FPR zAe4L%80kQEh4Mjz?E8cp15)fXQnwQr@K4G2)A%4j4ZZb&TOE1EfA|Bz9Q4(v#|-ou z-06;X_Je1(Wk zu4sf^1)_OJ8*@3Jnger-#T}6%G(wR&z_1B1;ol-Ikcs|R0Ye`$x37CqXTxVC?);|k@C(EdrVBAhw#MG<}&6Ul%lcS`ox!0|Dp9I<=(|8!tLud2gm_8nRCh;s zNqgD7$2oP+j*Bmg{|4U;Uy9AyB4yS!PjaGW3~7ARJi*j@lCSVK#P5wX-diLTLkL6O z4Yq8p@B-sPtjzdQm9kp3Vx3|+EhUc{=g(J;hqQ+j3p&yfW}OiqwpkM2T(g$53Pv*H zqBDQuG&l`uLQj0xGK*KZQQkdCGg&y>n0GFjm`jkAoZT#3uW+44TxOEZscVz8^15}> zy_KR?+&y|Tf}Wt!XVc0{c~x9c)+g_Yb{)igvw*ou)<)o zykE4Fs*?h&6xDVgtACgeTPGKP_4s-|Jo`1B-N#1XEY`AeENlGdx7;Y>0OMHW(k&gj zr1*4|HkI0G6^pFeV5g`{@qHA6slMqT8zp0h@7T3Y)mU@ZHHS46b8ZXphee0hb4rI$ z2Z)Cjha_CgL|KGkMEFFyQ7i=U9Ok_R)!A)4O+4E?)-Ej@IltIu3g-&vf7Mn;vi3I) z-WDMaQ%)I|NyQBnkJn|pWphTh{Tj3-+G!fAoxTiDZcd&n9VzW!{=vWO<$sTi$`Gv{ zO-a1N2cPDb=D@GTC+ObjhUI#AeK)kY!rSjre_j11!O+#PF4}F=@Mrhc{NCi&(3#Bj z^3TOBlY{=N;wz6`o4wJ?)%9n#4jxk84{{wtLj6K^YndI_Z*|{R`$xeVcItN;cOH@@ zk%f}&iyQ?f1$+#g3Azew3>rq_C6^=pF z_`GOnc2a-lMqiW`_mOptTMcv58<-x^o|1@091FZ;lKVy1pEq--DjVrN+`YqLyab~m z=@{+2PddUMx~c+rLsdg3dS+hL=7dVJOCHDh$I*RmRus?uA=~)1D3Mme>ODm+W$vNG zemWY9{$;>XXxU3CD&2G=ZnL|b^SH~`JF)^SVpa$qgMN;}?)G;_7o!Kb&g{*C6y$~? z;v`fd)j{W<_D6Mk57%!`XkF!4y;$g2(v5G8N`LIF-=EUmwtgb*bnh%aI5`-eKXx#% zciu+Ye!VlZ6MH^!j)KS@$lax+gq$y%zCcrj6(81g)_SJ4a~(?2%lj(C=yOh?5F)X| zLXPT0dJZar7h*AjptMwy^M|HB$MuUkJPuauQCCe&&5I#v&(|g&_vtq@&Q18g5;1%1 z6B^0(rOY(uIY@0gk0K`5TL>6?k36h~6NS@-tujjJj%gdnvy^X+%jpYFCrn87=5k`Y zGcC2i>Ag~)YMV1YZR*tHRz1e+m?>s)6j2+{*OH255wV4Z9P4)zKTI+RGi*a@7kG&g- zNks0vgD#%)G)wcfbk?(l_}58E%XiI*(^<6>3u*i>uN@DNR~D5`^y+KVH1yg~58{qI zo-FRlXRqHK+3>H~WgKPPb|MGk1`p!L1mPijMLzVEwGxXP!FYzGF1_y*R%w-CU5!?QZGY7%SB%ObWmA z$d2}qTlsk~ldHCA%dT@}=5X!d*l}4qiMfk~O~a;lVPSW5cB6yz&iIgbqMSB-oBg(V z&vf`~R=Ja|T#NU4Uk`x}XCr6&@?h)bp7Z*lAMg1Q#!zT_3%i2_G;Z#|JABb;EQc6Z=78*T_#!LmwjOC1JVR| zTL}#Z5D1$R{0~A>@zn_k1d(p0tnR2TBh6!IW5uX%WMg2==xSvP+zkTpx$*#St&AP@ zNnNchtsQt=`N@CZ!2`Spf6PQq`ui3~3x0BS8F^9>8+&6?c1AWvW^w@pQc_Yrd!vs$ zilXBGSq@zBlbbp^+VU_lxwyD6y09|Z*qboD;pXOMVrF4tVPOF7U~q7=cGP!euy&yM zv&sLrkEpSOp}m={qnV90DR^If0~;qtesXf~gZ}&ThfZTxv;TRLwZnhd0vKchf5Y^K zk(uegdjm`Pz@PHSo4FcWs*9Rg8CyF5&k$hYV&mfbz2N`%)&D&5e=XJcpQUfunK}OV z(*O07yL zyaMkb_XBTzM2kQmA&{i#TV+>>gJswcn9~a|Yl#=Sq+|j3?y!Z5qM~AG3T3VOVsFLh zGv=^-ctgVGDz8`2(c|+nNXc7gL4J-C9#7{obH=O(*3O*O^UIq=6VT3YAG&6Nmr%uD`cgONG26CGw|QaZBZ*MUe0CcyV!_cO4NykqOWw z&kL~vJ2O(Ac`yvJ7ipZ}llv=jF*AILAiQFtI$!dtFNp#y3c>I0$Yg;zEntFdK`miY zn`qtX1XX!>&GY^<=l?yL4yqRyZ+T$kJbzZ%#Q+b0g$C$^4ekpIICM zn6FPvpc4PPbH%jP79zEJuh`T$(JOX^E?*N)QtN`{M39MT8zCvueJ8`?Q{FlLhQG?k( zyJ|aZ>H?c~qmPXyBk%lh%L6XFaMrv&c(r%+rI0`k^l??;{H>7W5O@6@k#j zg#38WfK8ojC5S%(x+9bd2kpei|C4wR(7)cp@7z5){cYoV2G2a$kk`as^fRX?SYjfOyCnic?p zvMf+rX*~Z3n&)P!%llhOrT#;y+c!5wfKoqT)5(sqc`Pua(SS~kWj_cw*uunkZ7bSk z{H^q_;eSi2VKj*!(DzFb!1QOLtAA>MWdd>~8Ibd%fJ7qY&FbO!%N_mP8UILWl!;3& z8eqN_Q2i38-~+H4`X&OhACqDXNJRCAFk)&KA|(DhG0A5z{!!CC;naSxThagsy*q2P zJphwM5A8}~TG%;T_X1a_jGur<7JmfQ)CS21u(xIb7SwFt=&2&Gx`MLfUPy~Y+lHnC zRFw;(2X-<52mh+8_yxZ;N)qak^rQyR&0w&X>gKH?121I)>@*`$kCX|I7-~S*o{S6W z?k=VAS}Dwv!$3V`#~M%6Sz8mNJ^shvu&h5gNe>XQGK(oag9pl*PS7F9q>?uSC$ z%;43sV8xfLfLTa^*o1LkcU$Tx@Ehpr55`ea=fumD7J|V0Kz-b0HI6y(`LM_Atq&il*75y!# zT7Lp*T~0$9pe#c10I50P5bt+K-f`b?XHU88L5xJ&Je%11x7y?>{3kk5F%rN^LLj)x zgOAjfnvV_4s0i4as7+cABY;TaVdiG=w{-UZ;hwPGPzqpI9{~tYL4_UF!1?ZFgB|IH z3j0$Et`Nt{7k;oQ{EbR^%KjmAhmj0c8gR&!U}v(?eQpb0z4RK;sQU4l;wU_!GPT4w zD)2G?&BnGee|BYmcO(YH4niQ1%-fEnn7jv`-~t9F*L0RYZr}J?Mo@Tw(aPTl|EA`T z%a_xWMFGTA00oXtu)&*T;MG&1VEzNsX@9w?e8$xu+1GL!qXMFT#0CQC z<-MhwGjJh-0Yqn!riHR}I;erNMZ3R+P(rQfW3az)`3gA!JR=N&(D2*s{bD{y0Bct& zA`qQNzI&bd0?~QXcq8L)&9o2UcO=2xA6fycCKX`%`>S|o5x_+dEug1C?pvw6HZU=% z=LP@@`WrE22(@DVp)@h^8xRi!KcsENB4kJz#Q?1J0S^z2)EPQ^C$3DP2B%I==w;)dV9m zO_u=_u{$m>|2N9N_s2?e7^mC-hu)D0cKJ-{i2bqvqaBI> zr3v_+R#LtYMp`T|rGnZqQN6HFT~%LH=HjbKZgZheEH;DtI>${(mht^x-Wiyldz%u^ zOl45G=OsJgX`M`$1>SIau~vmgoBM|#hW65gLfJ|NSC8{#HJZTWMY)qcGfyC}#(Pji zM|Q?SsVS?H^O0hv8Z7WkEHPM3gjb!MUL9B7tm#QG{1B?}VQykS@*U!d>ZKXJ!*l*I z5yoxdbwTiR%cJ7&Pcd4KU-W=qxBFQ@J4sfapV(VNYr=;L2(i* zK+l-=b+799U z)KIx^+|WFV9CWoWVRCGFi&1WUr;g~NX(8C4LBhxC%A*;?SzR~3?lh$I)Ty-RVQ4YK zn0(KMY7?gAp`8nzZpCrdg$#Qhy>=;+Ua)p*elW_byaCtDeiZVZzpP`vRIa$Pv=%0C zOU(7=7>C*C83QvOOUvR@Kn0if>K6IZ+@WIeVyl<2u9*Pw{f_ZN#kC7VfwfgjsQ&4~ ztutjpKL#q24>B+1MTEiw3DOLA2F5N;}z-PoGVKGIfWUB_he^Gy2%HILs;0ygd z;C=Us!9Kry=leMT%ka|xVltoMa_pmk zvKC2iu%@!UsA6AK-dZ5QUPXo1;i59C~4nV9P)WqZNOf3yiJ=FX{_nyb~PWoH!gg>E@`V{;Q*8O=08fy#A``P=ZTw`s_jg0z5uNr^o zS=@+Y3BT6A`3;;u@mD)w(;9H({=YN1?H;!*;Gz|r$+fok1f`Hd4FoY09~;>mL1?$w zBCv#2MVC9C#Vd=p?dK3E-<)|;U6(X(+k0>Lq{6_H@m8lyetfZw;xYG4N89>-CV}as zCrM3vWi^gBZK8x^h2QY?tB8XmW4A$b?ej&)U{qH6O2HMvQ%uN5NWztO`0tsY2gQ`E zR4Z$zzrBc|3^^zbe{piG#f|7gsH;>=rn`76%*VH;8hjTs*gsojQOD!tFLEdosSVGQ zd{w$%jv>%ycM3K4xpuNpL~h@U|MhjtV4>GuliiqHIr)dq;t?Vaa%?fB6;ZMCsFB0| znSZun`40HsM*NcMWbO-)iN%1^vbW?XIY5f)P6LD}cQ*}WK^mACKevh1a3>PSQ~BDDh<+@ev`H-su$uBP9@*AO-SafXDW?lu=Z6l^G1xldlv}9b zbZQlf()-tX|;Ns=%Wek`&>G z!wdel5u4}N0etz86I;fz(YY-&#<0OU}HP2&Ut z;`0kv67}b@Lf(-O2qP#JwcN7)t@b6q_m|NMLnWQpYh72_k$WRC-avG)yL#A<)o`53 zeQN5d>yI{Ev9)ko#Vg)fd$d|@ViT~Lry-+9S&j0>I-AxRV*2j0mY0jlz1$kWyQ+kh zM5N6@6MndlT?-#=~Ar*Q`yITa%WTp!OnkKS*vg$*{i3(Oe%! z_Su>bVK7Wv;DGWFNUz^c)>M=Yr8bzoE2QSP`|dBRCQwH>@{0kcn08rCv+OKs_N|^^ zxNmP6e~X{55T?vME*1l?$MCH!=|3yV6w@DPf9K@o2IRfIr{E0khN9vf7+|EK1J2%L z$?LEHiIl*#_eg{LrQU(&hY!(0%JN*>saKdVY=>s1?X|xw$NdD~NJ78R(dmK`KHYaa zZe~!Yn>OudXn^nCqAWuhx43F9ntVRl?O0sqNb7%ggSN4G?E3XYiTOCxcuda1yp-v6 ze7~>ZS?ACuVpYm+&v9Z|ib^s2T?FR3EXDZdx>@-+{y35&mcbIm<$Gqk-Q)4~!qU-h z5FJliv4EC~s|p-jb=iAORhF{kiBxa!xD$Zed=ciT)1-)oYA|Yo< zp0go)1zn9Ig&R%;QCFc?2A_V$pe;d$W=fi(Cj@*XvqJkx5+r|VLviWQBECn$2o}f% zaLh{W%Q!1TEgEF!A2r&Nc+c&qeV9IL&pv5 z>pV5ZUeJ6L->);p8Ydp^j+;usiyHH_Eu|*gk}#2E zFqi(?z+oE&%A;hDR-ooh8!kIeDMb>&N>*U(KGInltur+-@Cl$$GdR2PZ7m07-fSo8tfce)TN32~pwiUx z7jn{>8=u24Hotr<%CKXp+jw-PL1auDI(9M8MQo=aE(UD^LBTH)eG{jLxvCWvtzIDm0!Z&<^vIY4qonAJT@X67p_HSDhi%6srgVe6$m^m zEJhc#aXZp5YmdplwxstbqMv#TdtobCU7$FKbpj6?_myi$vNdf-9NSbHxs}{UYE++V z-CJb^Rc^V+nekJ}J+j|j2swrvgyt2!uPWIAayWS*aOI}FV4%e^Y7-q9i>)r@P3l+9>25+rCIJ>|Y#qb9wVc-?W0d0jJ?INzz*0|UE?ES1xSK(* zjNX{r2`HfIM-U>g7rbAwv8xLh%F6Utj{Nmp{b*&qUw$s)FJc6hAvVdZ;Ye3oF7)Z8 zb&nvhu8Ajf^ap`6-bp`y%_C05?f7%{(Hk{^xJV4dT|$E$=^^)66onQXwNoYz!2X|M zVlG)3B?CIa9Xr{&qR%&J9QWysSI8}Ozg{LU>df0p-oJ4*7-PHfSbL`CR*Z=%_Gw-` zX*{1^k2X*)R?=CwT@>)9X+}GXKp;&_Z1#)@lcmZw9pp>A-ii8W|1RH=2Bd&Hhn;a} zgDjf~M7;^w7AH2__6G`B(dSe5Rbdl`fjq^qJFj%98{AAEzzV*==| z(D87gzR5KLL8pyu?GWh0WU4>E`wpt|o1I&RFv8p0B;I&)m;(c^veSERyMhA>oEa9Y_>=|kb8azag*39$}$ z9j)9>#-#X)=}zqn1YW)${U z9qCI&o`L}!Cl3zKT5>CFHb=wDL93`<{!Vywv8rDT99F)#4a)_FbORv)8#j}BZEy2%XUc3>x-E~?u*aHDe##UN6B>sMg+ zf__ab+NY3-By z(nHy+v1`ARn<0Q20DvFhj!MV5E~x)Q9f=d% zgIU4nqbZ~As!OT8**e*oORh(z-18DM4iwuhExOB7Ua&-;K{-^}GPq5`UC<2tm9 zREY4pI3oq&M|`mlg7R0!Tw6gD?1Mf=6-kY@_qp<=v;}(_2}MF_B%dCH$2hVO#W|XB zQ?u_#)my=Sh)o(Od;Ka!5ZelzOSwedK7NL4w&%!JZ>>+^H13g*Hmx-T7!H*bp%WV*_X&_SJ#N&uHV$Fb1UQh7zsKdTS49~DVSF2?(&;+TaH0K^<$$0q;lN_U=8LV+ z)-ZqT$9;+K!TKV=S%&*td1Y&%wDg=PGvfKEqgB#@6h^$$op8 zF##0`4O!h*yLcW|MFl^A2MI6{q5|EUmP3Itd&{ymj=)H@a*g1Y7SHBoQPBWHq4pI` z0wwDCBNSvu3a9}X-J2!^(xI4_T|ZBzcN53?N(%i<*3{Kju!R_D>G~R=IraO;Tcc8a zQ&rD!geOG}^S?}EBY%?mfbXYtjJ?A}Y>nQ4toH?MK^SZTAWdYsfTEbOgR|34=cT=Oz(Xfj-JSL(-H3)>)9VdA^nWaVU zga;%BD6dJvsrTg?7w(JFe-%9!6%Cxp*}0)#6_^i50Yfu>n~?)_yhSRHUs9zzTVHp= zbG2_>?!M%eMm$j2kFf!2kM7`}OY32PF|k(a6|cbJCH_RXVv!1ef*UIfvp95=hoMn; z_?SRbv+B4G@f0)v6q(*3!-A!o<;WLqjqP7L?>P0xJDF5S-H7a^s*8t{KM#c>O7`R) z+VuI}pfB)QmHSv{gP{4S)~v4m#3cv3R?_LzvU76w^pUh4VPIf>ej$VU(azqj+8orD z2BeRI5KeeP3HmP4hrX!d0>NK1B%nsKw#!-=d>h{%dW{8q)~2#&0o*ON~f`a%!y$!G7LYl-1??co=Q%>@K|pMSQ#B?ch3 zag#a`g|yBsqCM@)E5 zNW&hhlEK)_Mzmk8YK|2fhv-~ro=&+PmZqqoAv};+(+0hqeP0}w*17Q2+(G+D3IgFK z3XBjEVu55wQ8&Wr8{O&p)lO^~@d9;qfhYZR@S>=5S7FglyVVALQ$j+U`u8o_JH|z? z(=}3pd?phOzZHeFFu63V25R)ZlJYGIAjFwKQgdo~*@}-U93!|R^UiBN3et&YjR6o- zx`UV)bONJZAZ|~aX^co+`)zv{Tpr|N=8eq9#)kNyt&*%SmK1+n_ z>JEsB#@Dmv6^@~I3aAine-8r#ErMw@Dcm}ew`n1;``&7F#s6HncKh=gM)37GrzIgq zq}Wbd^xPWtjdFu9E|;sJTeAbjs5Sm0els*KHfIOqlLUIcOqVM}sKaH0%ip+i$uukQyH!ANP{hnULd`6-PH_xVA*p`AegD~rylqWnu zyS5Y9zBR|D>YXbjf_0K`-;wk{DM61a_@($mW%_&MWXNts=BWimW#x!?pXUvEklV@k zM|2Df%TfY|SS5HiHD%?lRXvsHM1->$REyf^yNb_%g_UPfK@PAyBsc4YHs3FOSo=12 zJeUkQz^XdhdB50JE4YSVr#t1%_7SBmKS;IDD(w%#j?;AFDqP%Z$UpAUyd>iVWR)u4 zRfY5HX;J#=aK@v|t&|nQ=$Dn%-A9JGWR-(7w6k2IkxnK5qawF8XU&iuaE1#Y7H7@I zHZ$950ayK9{}5EG19vK?3M!}pC*L0;{~#&=waC)}C6*C_PgGm+#$4(Z1bVO9gATd( zYX|%DXp_((6maJ@9g%E!P=3b=F>jBN+jVj;co3W=ragZ9k!<3d9-V_;$6j_R>T;72k6(Dv`iH?Pe zLr~!4eS7+{vEWnG}+H8MO&VthOq1;xwxcMfQnm?3$mr*O!~GoJ=#ga^1A-PF&I z-KT4laxInLmLZ^X3bzaJqhn#YburUUM`7?WGBS3qQxsA&(!8~FWJ_W*i|_?G3GStt zT?W{>b|U~~$QFb&Al}jN@ooxej~&rNjrKXKtzZZVeD!&e?cIP4Z7fy?tJRGSPw< zhgAb7SCE-&m&_Vob=nTixgqqVpU8WuCMQLYd(XimT5s2gIv)$M`SKQF5Wx<}1k@8N zFMA@LD*EO@RY%kqs6*Ru@G{aq}u&cd;7h=@(qqDoxeyd79`#&iEq%_4?Dj9)n#|Rmr7KqS8@rl|h z6jVVJ4ZaIDv|ZBRs_$hFL5R4V8Tw%d6eVH66$Yqg=f>h}%5OLJqXg<{XK{m5n`V!u z=XvfD8yDLfU=XOXR_vBKl58eMb7Qv(d-FKvvd~SKC*-Iu^dg8ds#DC0ikxSlIXtS- z^KAnKw5M_h!4cHq_&4DWk84W9)hB=23$6IOcr^RP997eahDvOSgv*J#k`ir1Iuc2l z?zGnLnzL0a3kG|1g)($(QX#X#y$}#j3vZ0lKYvy<`uNdswCzz7PU9}-(n_;lR53Y$ zqkD8FYHNQVC|sN%xU={Y?vX?^<_mn9)I#Doi70W|Vu09Oe0D_=Ja}9NW+k-mC7x*- z@`j*M>Nv{gfufNqmcGU0Mn%t)>&}IV`K1LlFnQ(;{eD`>$K~Oa3;RG%(@TV?&4JRF zzI*XYBT-xe-)0@!*?;PxQ+h%VgflV0FJ3dcjakJ<2N#^2(g|P)V6y?K#?x-a?{Sg; z+lvxo0R2`zJib`lq!-*zgE!EtM6R$JlxDOCT4mo~+(Bo${6I^YJ<}{btJI^wg0oYC zmV3;Nu~R9qlc3x@Mr{dqnx~W3RLEjKSKA0dHV?Bi*Y;0J$qiKAGuOVeJL3oJo)fUk zYU?QTN9sH`huihr8-wfp0cswDG*17APve~4xQy1k@Wb7U1tpTpqshU_lty^7?Pfy? ziV7vE0Y8#ugfVRGnvUjbXh3bbe>e2%!y&d1ZVc*(-u zRWiE$z3k%2stjlt_@6LT3c1)Bh|J9J2AHVXU_%dy`Z2XpP!YvEJzuJ5aHG8Kd`nGF zFMQ@FqN$f>C@H8??ss+gd8|szVA^vA^qvgxk;h7#n;dd5F~$WzyXyuh)SKc=4}Op3 zon0b;9N>*Q>IE=pW}X2qTw*s(+aShyeH0!7`4qakoQg zllF#s{>YH19PC`=UGzaV`DCP_VER=}^g)!bxSu$Nsh3LN4Qm zI+KVmya;hzjAn0X`^C>hwUy2Wj#TgYzE$0R_jnJ=;cR(HA9W*z zgCb>Vs9}4t`g$$pmb0L}M)gr_Dn3msh_jp1q`fE&Cfv^0h1u6Lp8gEKI1$ng)DvQzi}g#MvIx5u9!sbI&SY z>{dy!+Gc!6EV9;)P}L_If7PH-%bZG+)53MB^+WK6%zmh9Sik9O23N|eJtPbpvEPSh zdH=GgOY1u8BgAB3O~@sRTIEww~40aO}-XA~-1d1tj0 z+#pnmH3CMRTR;8y$!29z=tzi#>wmr|+fk5!)9keJ#qel!F;j(8Hf-0EUYfq$xN&bC zd9tPPqyy*X18ZYY}1wGqU`#6*S1we@hW)BcQvw6r6x z`u5z^lrn?#T&@(3s8}OY;?_yVTnwZ&_Q|GKMypcXiCtxpX^Zo+cqx8mYhB(+MJvaM zwL{J*vkLodj_xu#P{)zFziR>70&CNkL7=LXr~q?H?ftUeNr+8gOv3iGi-x+mpb6e? zi|@Yox`T>BuYw@UF;~yz`dg(t%F60hX?3%Tg^$)~vE94l{i0Hb3uLGP6-A2)4*iF6 zB?WEW%i>tVONV#O3xL~@KI12!4rUFHYBCIIXdCKnC|{N7e?m>z3m%{q2m|+tldGIn zS3it3ugEm5b;nkFF?!PHkAkY+l0Z8DOQyL99*~rSmV1?xpy~*xNAflJx#~%oY^^AL z1G*qAsnsxO?TkYSjR5l)8@6ywLp?3{7^Tg>_M1<^Cq-i}8fR*8DqU~-0PR+JIaNt~ zfq71x{VKJBbbU3I?zp|Is!?bL8&OXQhx&jVPV1$R(3e!gZ8J66UYFCZYksgP2#eEG zRQ168nF<(pDKWCx5YzDa$~m{?AS5!dk0!H_T!s?_S@5jpZdbghN0Qqf{#3>1*>=zF zbU>*Ycmr{ozrHl1rd4X1qTu=B*vbRjVj@wEz~uR6y`iPMR07WGSAyGlcCkvgdWz(lvf6YE;z)Gt{6Gwy1ct8 z9OA&>u}+>skhIdA-qPo{rw0(0(RBhK^3N|`kR14g`c;Fqvgx%rs^#?8I>6iZE zB8{!_du*Yl%iRj3VAQ zp!Nm~JA1FN)w%S0(5ano-$lf`x}76!CK!F&89woqkltrU)G@qovRP5qNQ*BFKj}-L z0y;wl$UL;v*e{!w!o6jJ$OZ&+7D5MF8Y%bne(3seo(&b9v9Q>P7kRyQN%qr~fhn%U z=d~FGwLP3koiE)2GS@%b{65`hd^~JbzZ}%)uwyQxTCN-U^mxB$adc{>h^O~dg3IsD z27`pVc6w?HYNJ^zycc>`Q)jgpC=wj)>I7MsJRGaA>bZPcMVjfzlbS+pA@G1 z#-D6jlp*oGa)t!-(Tb}6uS*TOTCZ1(41&!>@vbx@vMs`o&T<idD(idTp*4Wk*t;ow`M-+n{FEA^~5R+w0tX~Wg1>WEoAy5NfL& zdfa{Kf^dOqtz6`VFobwggdin_wP}y_fnzv%r>+rUV?n!^_-Bay=80^rnFNFpyjuI& zAf4+`zIQUMcZ9F6kmKGQ z3cSq5o;S$JQxtFsFUqYz+#Fo^@cMS(nqQ0pbdjFm`S`&6F3IX-%#(DgE3L1#vTDS* zplEEc@?LGu-aOU75ViatXe2eMd3ljLTN3Q zFaUnv`|_={&u_2KOZ_K^Uf?G2R#I5Y>adiP#h1Q67Ra;Pmx5A0dwK*rxh+noj`m;b zFm>fnqBb#jE>V>ctSH4tQ+RTD(suw8zYlLV{-x736$@^36|PB&pX#?X?!zApEN46( z$j}kgK)F+q2-m& z&51tNCwL)k?MKv(Ingy3ga!rhfc>ewbF(bn`%WnWlAf9DePvv^ZAQV%3UN5={aZ|T zPP_mBcsgIZ7-y@p>jnn5FR-Et9z4qrCsX!EElUtNz?JQ}!X^dRSMt~-s3aKZ^y#_U zb$jiRMP(J;szT>9i(dDY@)N)Fl*pnJscM!JfhXPB+{}S z(XY8GH_LGz9Wk-&N`Bi+?^;Wqglx5rxy*T|=+sy<}Yb&ahY1g|{#j%%pKxO%RAh%liB zYHwfJ>iyp^5!@2}JyCkDd}1Uu((dZjpAD`hL&xMM*($o?ER7q#7JlqfcGCCh=6)sW zSz(K+t48*7Dho;zT7lcTLazW@fEa`G{o}_mAqMplL02(jZUj1nldhRxbII+O>X+l< zA#fpmIZ@FW7Rq{$jEwE+99H<-!^!!F&j;0`20wd38LxYZfLW^r@ObRP^{yr=LAC07 z;N>-0J=-E5I3b9-zyF~!9o?-0H^+az{nV2BwffYXka4bjyX`%@Ag5yI4s(Rs`o?;w zq18z87K=^7&c^pzr3zk?IJcEAVdpLv?g;z_uuU-fCgnjGLb|Q)>@X-LXK{i|)(z`0 zytKfdj4eW@HKEqi@Szd#HsQn69ULW%;HIYZDZ2T+Nwy-52Ca{G+yk~Z|5^MUw^1XuGK%8;bNSYb zlz3OkOaJMgsm7q&^HIV6-SKRTajoexjGwo+JL#uS_s51$54YP-?$<|=$-sX-fura7 z=F_K7KlT~)ELU3aF!m7P;l~%m#l*~GqiALTr3<`ZjY(>>4NKgY$@di6ySA>zetDJEB%n3!x#tLdpgASVW}Mx?cNRVq!itR5C}c zuDtbPoz=~5cJxUXB9r=2P%OnebCrs%h5OrEmBo*@AJ@AA)tj9e@HwqZYH^AMpC4YX zdR-H(c%I8RC^d>FYTLszHXpFCS!}D<9z8$Zqn5W`;R`(77&-`|qoaQn@Zu?JIeRbR zWbHB3=?{DQc)e>4rOTJapCEVo2oWRaMYrwp&+ZU^c3*;>KyS zT8Bkc3uuQ~Y`p9CvFIh9USLQh44%HF#j!VQPJUB2?3#Sv)YO>@u?d8K;cdFxm2?*4 zFb=&3fUcOLOBRyBC8}^w-KXQ{CsZ{(FQ>@#V<=dZwc_%&uKaZGu=c0BAiwhDSi|8U19UY>>_K)%H zPP(!NNC1V5Z@>Mu(~F}g`t~hE&gVAe1-*(75C#TCIMH!#Tm2+HJz6%cxx);3ZwIfd zxFpi+o*tNM8R+Qzf6xpiGR;1uS{QJu4Dv46Q>~tTs z?wLu_kJG#@K%i51c&r~I+@cb=^|lA=SG}7TZbk*}Ev+65jH_5L4R2NWwjQ=d4Zms0 zNR{ih+Ma!U+GLdYFv)eez+YT~9zOSFU$ali2U<%E9G4K;c zqv^M{wlu#simIqMJHsQxi-%)}nif9Ak4CnRMpb)xICy~L4^J&B={tkdXMqXGs&JHt zP)R9bHcQ8D4A?bbOiWb{fBGq?>m|e{Cx=&9{%o5rU35O|a-YTomAcD zo|kfK-%N_U9ZrEh!PU2kag?~^(*eh*zU!Jsb=>!?T;|< zFEtr4LgFmwvC0k^Fd`DxwDxC8OF390#rl{!x!i2<3~K7)UZjokUu#<=*EnHddTz$P zBh|gazSWknm2a0&mmb-#>?fYI;aP9>JOa?UgYepEKoGHRCQzMYPnoUb3)`YWEE-Pc zbZ#W+#^`UbT6y5~;ucsqB?pEsfjll?ETN&{@fDJ}J238TY4K(_c}U5-tEE&Nx;D3{}FcH@ofL^yEm&SS}mREa&RRtaJ>h~0tKjJ;QDCPIza zqNTMr5nI(3d&fNQe!jnR&Ohh-IsbTg5b}_?->>VwuIGKfjgoNmWghNz}T&L-fVw*It61-*XJZ{q7E9{ChWU_EUUpZ+?-K7n)0mO z>yt$vR6ua07HHf{ArtmzcjSB?F3iz)t1dxI90)L74UHeQ?(`H{gNeJ4l z3VpthH$<62Tg=NK^HE#!P>z+zkOve|d2G%x))?2RHV z+&s`mxDG66R8LU!M#-5#C^R@E8IQ zOU;M=I^sr-`KffA&-?vZ)OX-is4C~eb*Ac^iPGi_X3=bSYv>0lcU`*MjaO^Y^MfAo=c`fh1_oFkyub2em z%6<8LL_NDV#!?&f$S1l+bivGAcOO#Kc=^(AaMu@mw_OMtyl++065DD0ar8~}JlTfp zF{cv9bd$x8O4u=g`U{B-nkc&o&kKTkFS@j8O>Tu5kSAtOpGZ+Dg>|r}%s``?EHWn! zhjkSl-&v1qkdy=U+0gsSNSjTIVFD;#21my=2b*?A%J^SxZOVu}P2+x#SfWIQr}v2k zix(b5kbU9Vw;Rtk5VWju&195e6MqAjezT-rYtVvzDX-5sZqz5w$*JTA`8npjF=0n5 zuJ!AMv|{n7v*~l2WX)U;XFqJH_GwR+JPUnX<)|U1IS)~^_=OI1n}K1jajy@_cq<9- z-%29|n4+xo#-m}Mj7p4&i(i*mZDLMc8!t{i|BA|M-kEO)gY;1c4jVE6U=o>ho@ZL* zc!OJ??`+z8RsuDO(Zm`N7|!+%^BYQyM|7R7jRozVi9^0&X`@ zyX+0Nk=izxK7wAUP2jhhX)l(%FZEu=K~U8?HZhPrRDjv6Uf+ld5ps>q0PXyr_L z#JVIMJ*H2U0+dKM{|#~9Qg6=qYMmcW=gmabnhfxA(Jvbnl10*Tc3Y`$T1Zn{ts^cdKInfK zl92pDZ-1s8)i$T>m8BH?F>T|PLl>)7B z&P?Ez^!m*+Kx#Ms8KzScs)f($zOLzPVzc{1pa8~by`QnUUy0qH2gp{xvF z&hU(`v+(k&_Ih4dTG0WGedrl~U%Tq)CEMigN%Q`Y)`Y{rE&k+Ze}tacQr^ zg8{N`-Ke8#hIzQDkN>74tz65CSG4jC+CWs>wp7 z#|2>-oQPd)B6AKpKQP)~AJ?C8ir5$6a?t0o(|=)lsq}8u-_A1bw>!{0^?HWCy+=3R zA)S_VG#kVr>TN2Vv#Na~G4m*a$l&bwFfa7O`>T9j4{5X-#;j7rEEfW~eJ?Rg``8L!46X%1t7P!{9 z-Wllx+yVe7(VsGABtd~}@2Ig+HmUf%=b1Fsw6q3Hlh=4|&wSXO!79!|-QN7OTIFA8 zV7k9Fa28e86lTeMA-UMf4|Ngy5U_oCr^YV0#AzI@jnpR`lJn+gOYGne-A+HTui$(h zlQ5H;qKNo6hQkf=TNYr)BB%XMAi1!gQEee8S753qVcN#jHGyca(IUnga^c0GB#a~R zpCgV<8Q!Akwnqn|%I*rVY4Vs*MrnQ*;}S*5(&zE>bC8lH=0*_r)rLwkLp1KtqnXG%cws#erq!+ivGF+zN8X?j+aWp zJ(P1+B|la6Y7|L0X842jW3|UY%F4Ew08*x_o*MvKv_!gER265# z0bl(ZlZ&!3s{%VgZsJ+iaWaJ(?F*pBRt2(uBsT|PQs&7^z)3y-zeGh+;an{4rN&9`4P6B9UAD`J zPd7+u%+I(;nzJ0A8XX{Fy1rk(rJEWSUfqPp!gg%`HGcoQ<>a3jMwF0UsaL}9tU1uz ztVbmC^zb`$WAll>n`b&Nr;C<>#5|80ru|HXqlnXt34rGxitf;7q~`Er5N;WEs=AI= zhI-*aqRGEM$oCfqfWDD|7?Qb306~Y7R=?_4OiplSH>lx49bcarKfmU+sd7_I#HB(zH9koS zhyOKDXt{G8i{W6QW5GEyeV?s0WZ5WxOj_Ts8K3?6n!gXm0KHf*gV4eG$YIk*N+Be{ zl$zAcREB;4ea%yA_GRxxMMXJqu$mT)?PdtJ{-BSxthA?j{rYu}_B{hvDn2vhM;F&3 z%d`Dq-P-kv?kZ4{i%<*~&hlh^rm11ERDoa$7*%WcN=-bd!VO|ohW}BYuA7pil!&x% zDAftZ4ET#pM6d@`ojL?yzm6mw4RT=&2>n!In0J`0DLWj`(N zNpI)Js*$(-o(tTA7m@UfLS*Y%^+4%X({iMf6*!=Yg$KWA^q$~|_L_5(?ao1VywnyFZw$4=>u1( zoGqaDa2cPbEE8(CjQ=X;qWgHDoWZQx`ALoIbd~qZT+5RxbHRS2^+m3*u`%QB`%Ac& z&kfG5FC-}V6A?6;`|`Xx z1Yx>a?e}I}^ak6cQCXEs0~GXYE3@H{lb{sdWWN@z3xXTXwvwJ6jq<0Zx7pWwmp4?# zKx~P|zf-T20$88B)~Js8N%saYn*7lAr#y>yOM^qt+Xw4LM#Kx~)pYc4^wjs-dh>tq z&{AKjHmpLe)dsm7lhTF%vTp5BnF(6)vyHs@nCmTjn&Ln)o3$w%z?!;Ja?KLjZ?0*y zaTg31?Ue=0H`rt$dMt5sHqA}=8@pe8*HBe!pL=8!-9;2%+4&3HnmLlVerJ7=dvW{U zOX;EJUtHc``)4ANM+nsqyCl{h$){HBX(jm+x~b>C3*Watxs&}?_C!j-0lDhMk4`P}-W9<+T(z zZ~g5DdR0|bO%F^dJ38+&ga{!G48bKc#-X~4xIW!X8SKzndO;=l`2lO1iUaNMA||B$pWAcCaN4go%7lPVt;R>I%E}-)8`ve z_D=(=^WI-tkFT)kda0I$nOqKPW(tT+OXx%y|2iN?Kx3#>Vc?bs4w{DI=I~|Me$E)7t)`gj8QpA*9S(M$;fts z2F?h)^+`408fUiOX5H~pI^_4(79?JY9rF-GTJ0<{%M19wPU{7#mRhQ>)tYq$N$VuY zKLUUBu1V=?KWVCf?GzqYh6}CnT-K?AKpOZK-jh>5wC}ltLZP?6t+H+epiA6xVwLXNVMW#QLPDf0Qjp=%&Ta1zC@( zPuB|{_ZDwk8670^)v$Mj$%-_sSSHXmw}kZvs}%l=hywz3roY&<{*U-cTt>uMh53R0 zyymgQuG;?*a^)7C`tRRL=bIew{600#lC(nRJy;gT%Fchd=^jGG?2;Sv~q7 zHvM>7QkNWZkCms{%d(~ZAfQixa-CIY%^7yCVl3?g8#sC0h!UCnrCHC<{PdHiwli|3ai7Z$ds?@`Fj#(0Ei*+4h$JX6 zz6>wN1`N?Ufnx2V1yOuIL=dLC%MF%;{JiN)y|jAM?nYbVpA10o#j!rYFzUER-ovD0 znU$)&lYq2i&;}0n?a}RDeQ)Pqm^ri*p3r6%2d}FSjEWi{%O(UoD{(t@Z*n`g8 zT`<*0-#=A(FUbKlw=sbpW>5GgMb~9M2qZooazYUXQ^`AHCwr~pM;d0}IcpP~Wv+lyzNj{}Nd+`ww)Y{T=oq;JA;n7~y zk9wMbp9OYdy~BoDp{(0T2}qu`5$c20_ppN|xV(DDR8-jTF1Dvdj+I z$Zg6vz7Is}Z&ikS!ZWbFg#k-SVG;UP?LX=9{>@ zvdiBe7cZd<<)M8c72O_$4NWXq0%cw0-0IV410s1&b@*$+cl0-WxF*oRRL+aX{hf0#;=3QM~RhY{Yya*~vp~{&_$+G_K zgOmMLn@SNsfQ_33Ohh|c&dK$kT~`8#Ows^p$THs^BW3ildTJw5tS>myZ~OO;rEe*V zUJ!rO->jl-(lAoR$r|f_-&418z_7OA$diA5V6+d;j~>_pM&7qq`;6Q;gK7XAAWTB0 zeZLJDTzk^Kk~QHVp8tx&9+e*68q&E06BFbl!Fge*Rnjw2Au*YmQoy8Y@o3?Lv$H?& zt@X%Bw06?Fp){Z{xgXzDO6uB^nsWPqiE!Fl^y@RwFa{)G=u4AhAR81nVy>QojTGtq zWgy+U9uyj%E4cqtsiQ4TN$rU^`m5}Z-EyRZOJ-fSnt*fOz%6Jo(Wu80({yf^j;3nw z%P2#-8~`sx#1yyu@$U~lJHKu(x}a4{i~ZZ$qFBOma&nv|{a2#^TE&G)gXd4vDP2*& z^*crx!+wFHx=us<8eW@t!BV~g6{kK-V&z|zt0c*EPkQ*O!&IQ)sQpuWaJ;65+>ohE$y@leaDpPCv$QgvY?@q}c^lgL1ziQqukHNlP=33bp18-EFj@T=Ea9r*pHB&t757hqVGl5U!% zV@!}0mbbHElpM`|ZO@-lNFN!*PE-H>`Rr1=`})}gN@smgDZTA}&hJY`iGlcK$A8^) z$o$WEfAR0m9-$g*ht2yyAZT6v={p~TQXu^X$fx$k`fUyV7m4vWTcOtXDjeLXV>n}4 z{D21B>gq`wZEMPs(OsEupBY~!X?DJ(GzovGp=uE5}=TLlJDpu+pQ zFxE#S-%(%Ul^?MS<<0H`liF`<%SV4Pf@hI;tP7720~H3D7eKFt_VN|@O44zXQ_1SQ z&=Kp^Za=|yWj5%tiOMP@-7vLTGiM7`Gt&Y@%_B%)e z$94a)PDp~4VPagf{+|73*vvYMH&yATxVF4=Y|aw->0V{vwU_T;YJFE2lrT5zc+`6L z3dph@_R|X?miVK-kGcmGp7((hu(qy%sABbaH~0s*tSJ;QhWo3!&JHp>`+kIR1b#|M zS+mx3=o=Odb{3ifD~y%jrl4h2LK?Osow}E;-VaC!y~G-``@?_;zBee)dFT4c=u4Ru%^G;tW^BPl!w8KV=8FNZRv^DyiLBuqCEp{yihgyTFyIY-PN%5SA&@ z^p_wO`g%F)qFjIoUhjHM#mS3y3<1W;d$U{9PU61rU;-$h;oO#YXExhBW z+r_5nYyqIk*vltwle_KZ4`Jgw#3O$a&p4PNMO!hzAZKy;Z7Vv?Zpux$dfi@;VfP|V zblV;j{p0Us5n+UB?UGMsM0Ow0HGF59=_Qasgvq$R}a4;nJK7S3W~WA~c!f)N0;YFe%4aIIEfa^(8YSggO2 z*gR@nt$V|s_OUE(nG1OjguHl=EUR$u#_j5iPnP8>*GpQu`UE|C!n-^qmQ;^lZFxFP z@i-klbDDbR)Z_4HqWb9ZaHh3OK4PKiXa;$}`vjXR=HT>>B>+A7mz_BQZ>?~e({O6# zlmuN~OjrX9PgU3V+}zv=BmG)v2b>Ge2~|=GhCO~3J)H>!y)YIwQE)88_+U~^O;8{Pc0{R`H~6+izFd4V~c?Ylc@H`;tyNtnScSd=Ne6urx@5|AJZ2Sb2gjL`+v>{> z8x`LY+?xX+CWvW%z{W^%yrK5g?&;4|I0|qQ1KdmxV_tGuJ0xdhux|WF?oCG`y29V} z#HxhRhMbwas_Xc`D`aNKpuXQmRN+`6%G+)3hey>oCC+H$?V`u39QDz^s~yv8g8m{d zLdnfWW!Q^#&#JX@31zuP54eIetPFG5iE0^u z$)1t7^}>+mig}pN`hu**%4=hj~{1>en-R{s;O=6 zXIxF!uYR=5JGy_BkDs4$-9oVNE-$~KPX7$B$=~lt&;jC*YkcFDfv=jct}^}5P1mf? zEK(|7m3CfYl>{0NbuaIw%%gKmda~Zdo*>Cp&S0Yd=Z9FvZ&y~=1blX}q23FvXc2Ws zyU!*!#7gxVS*K2(N@M1I#3Id&7;I^(7ZVpd+VPf2+0|$L*Q!@Ncb>^Q?nL!U?snIt zV`H!eqz|~w*tyhdI2;VrTwOyC-j|QAwKL0Hyy~Ui?JYR!d04?HqZzK1G%pjGJm`WX zf&8d)Y{ysy93*DE9n!GZPqy?ep7O<`mX2nAfC640u8)7Q?tfAJg0v$sG4ab2QJUU0 zN!YF}lcaOX-_CxwgB!%~)yjY8*V={OiM_)tHf zI4UZtrz(2@rsa3Q1w2UzlX^*D%ez@)T<^)+pF*T%a*dH3Pd>x1rTSw0^cUeZ6T#Y}*+l)1-FC>rZi`q7GQX$wN|%CILP4)+IKcVK!WK>X_aXMK^J zeAULXhPmM9G;1#fFHvy#bMj{SygtwZ5__WqnkQJ@`rqj%^|bq{d+iy73L)7ls*Wtl z`ADz=>itw_(fgA0LeYw4Xg>}C_XHixD@LugC*~GpT{=BP!V0c2kM$4xKM&vm1{B^t z6ALbx&dP3j+Qys+_te~VW>P&W$XsX+QxMjUV?K2e86viohZQBlkkIY zemKY5EAW>I6F5^;SR1w!TtYj*6pFuVg31|{0__G*J-W+c2yC7YMY6^YUetMSA)_uO zUQLD5e_uKzs<^V%pYD~}({0K8{Y~rS;)1JM$2528wX)cU(a~1hAMPnat?vklN2+*B zg1J>|0jFd-MxUb~5 zl-Ig30U$_waGQ;LI+d?&_%f*_f=iZ%f=5jpGVQVsC%|P4sE0DIe_s7d%=Rj6L^6rx zsYaw-E|vWdZa85tCfZ%YBJ+bTn-%Tl;SbC2`j|N#*Ot01j1=oHj@iUWoKMt1M3~{j znjKlafHhoQm}^5*j`v#04ND8yGwL0mdh}CKyr{4l>bI2YuuwHjB5;TC&uWW8&jaEG zn6%j9oHR}obA$e{B;6u?KOTQY@qY2n>JrTzC{1;XaknOa_(JKdNGt=4y7!wqNW5+- zw%)Z`1J76Joz3T0HMLdtT-6O!l4%>YPNb;U^{2pxJ(t{D z-&`Jo93|Y=DXC8phU;w3*mN4;<|f>|X%c(mTqyOR11t!;1E$8F$ZeP1cCA}vOci&G zBdjDESw6z4_CJ~lD3=W`0dJ=~viYkH#B^_~qaAdc8=HNP^hn2mfibbmz}=bly{1yd zzilSRsQu!!p~XB6boLcVM^@lp!1qt_N?9TjutKG?ZT4B`tI7_bY%AT?gm6%W(}Ag# z2*rNmmFW1$t`j!ds>H*M$u!T`G+g*ob4Y?|gX@P9i-sqf-CfG1f$OUVh0`+XHKmzy zbT(@O#I`JjViUx+8z&1;#m_Z4|O!O<5#v z)reeJ$`$NA+1*tXCu>_Z72DdU&7Axz8iS7GhXg8-v+sVsB!W$x zFnL_mNHKZut+q3TG}AyNURWv~KN)oDf9L8-%L#eVl~h?^&J*F0L?JWv?FiX_-Qz1; zU7T;j4#zyXv~>)35=+s#oKm<*P1zS8L9<7a|D|MrT6+EDJ98eg?008%T-5H_uB@%& zg}In|q4mtdv4M2isrFFw>O*ez3M&x1 zcRnO(&2?sw?Y5gav|2Ekmt&q8_5^49*JUc)wqY4+^4;CIxt6J#*6j0f85y`C^=xo^6u^Qj-t%$01h%i$gDaA8*_P37Sze) zU;vWGV!%rM%v3`K>uY}ZNIFKl`Yzh6?MwgyY#%VYPF4X2TE`3Mr`FnMX5Xk9qOKx9 zDo~`*Q&$HfSZ5rM=-ZWnHQ`1;VR~%;pfFOb-ecMNEl0fY-LB>q1m3V(cn!=-i(~t&5G3t9AFoY zH^M3jX@<8I_j<&<$NOh*0_KhT0nOD>qTPlqjDYE!NeysVy!Z>FXKTa4D!|l7qh2}Q zr%;ec>4r~0Ujt3%&8FNh)v%7v&PTW`1_8qqZS1HT#E+L8eqhh63v!@&f%nsfka!Fm zTH)SdBCB1ylj`;uQ$_GlouYImWgX3grC!l|RYS48D~)-1_bTg#hF%W3L#C6s$H%3g z9go$%6YBAFY$ZK8lI+9EjR?!0JSORo)X@zfgQHJ%d;Rn`PtT<%pLytH$1m2)3vZ8G zij#Es?(!~S?$e#^eCZDyIZ)PAuJHFi7W(Cvgtt! z6Po+lG>Kra87Jwz^lnvwKtEC}e@Ta2KA zbS1OQTp;-iQgY|t^*-wuw7>-~jSZEXRi z-{==>ab+8>?<~#~PAZK$y>e>+3A-|wQh6gwAnvx&l#r)KLHY*x-m^)Cs*ML8K9fP} zfOt9h24@Ga>=&fF#_4^1milhGr>Dnsa?mY3)cY^=u!ajdSuJD+!KkUJ7lTP@;i?gc z_j1h2qe^3NF0>JNlru5(Fj{))j)sm-sjE~5QH7)jU}mI)xR5Mocor0^w7<^=!;6i7 zD$3OEWcKo+MmiiYHaY>)pTD@ccyx~7?+;v5yH)7qZ84?T$mZie)J)=UUPPTogoi(E zoyc;l+m!NLdOnCi&ZGnF7>$*M`!5EGrM1OmtEBlDMa(F?HuMUwZk8Y*2eaQO=}84# z{)PN100Lh{^$MCR%h6{MWP|gh|@f? z>Ba;UM-oKMDELso4J={PFBx>EEHUl_{pIs zMaZtLU!yiX6pnWFb23HTW0{-(_z}T!qpLegbNkuVx}p~lKC#lhma80oCn+iLS5s~h zKT8_dVZuomdZlW2NxVRCiAwEmVZ&k*!y)o?=8oXd%f9jjJW_xC)L z#_y&l!S6!Ycj4E1*4WGWN&>Z##2jm^E}(eD73U^ZDtPc8P`F5 zuI*$zR zb&v8l!tJ{vOSe!zCIM(FJy#6%EhRCLhneaW7+G4_sF^JtObE>?ZP=`5?q4OP@sDDc zuW#F9-W=*mWfq;Oa*ThoXhu`-l=zzFL4TTrR^x~Mxhrtst<^ifagY@aj6#oJz0fGOd zJIJ|^rxD*n*sdY~QZtoHzTc+bNS3r?q5#8j2v8Nw%cDm>0WRfrC~pm9Rv2lBqNnj$ zJ6kE>veo4qJUvHlSp;OS8o8*bV1fA{aMV%piKCk(>8Q?33En>70Nr9Nwd|ZOta~SS z=4>cq4XD%LTL0exLxtn;oKbCy{=lhYMS>3&SyB83B`rw9!P}nSaibygJ}*>SByYQ1 zG7rDhk}QGYm$W;ot^^!S8#SY5_Cv`w$}Y~!-RGZqviWVGaXp?+9B(c3DW*#jqYmnTUaqBt zBs(RA&y*Or6qex%!Ol9AocN3;VEn9LHRQJCn;E`bn-QvZ=HpQ`P~9dJIsJ}UaE;49 zQdT1<@V1DFFpH$?49}f)!cQ_;l2%OL))vfa8Mi!%cHxotdy6~>WeaktUz7k2-#&wY zEAR*b&B*I>C{ft7ZgrIUhX&@~XxBk1PCTrY=I#BTzq;`hihQkRplJykwuqy7-HQyt z%ab{;twM9cd0l``EcocLVh*NVnFuzufLv^#5hG=WSjh4)doRg1ZXI|WyPo3EU{qPy zX(0BQmEtk+ctbDTbh75O^FUUzyKcBtN_c&P5)wAttY6RZzcAG+l(E6uoJm_maqv8V@Rv3%GnG>{s&7%IeWqt28@*{|hdGyA%u4CfR%(Z6n zsT^FibiUbwB9c8`(IZF{DTLSh?5a zy>_;ag6!PEdqX(8Vqhaq3>xIu&gR|0lWhLdMvZ1?E#u8fL#cLaL}7-9CaM8ulsp<< z^nrq|6sj07B+F_(Dd$H!@?s8%>-j4k`VZw6kB}0Fhz10K^kdub9gS@X#nvKKMPtWAR-+7ugXSoH`10koNu^iQ ztviYW?$2taq#u~X#odfrYte|aH4yFV>rJF#ktBdy4sjFJE<(Lgy7>bv(VE?nvpjas z7#8WjGN0?r-%oqHI)=$Czn?c2Xjv$(PBh+@S_JHJp|w$&WBjW;?Nn!&&7S2azP

&ctUFu{j??)%F(5nCk4JtB(D z0e%TB1yKY?jSl$6i>)bkC5+#p*zWrK8WLtOr>q6~6y_0lIZQH+9u1hfr8Hw+r7e7X zSm2BDcUEPc^@}uD+*igA-w4Whd?2B5w(cGq_vKS|Hx2LDxQEmOHcynnzWbpXQ{9g^ zg}eX7gS^W5Tk`KAsPKW8he35$>(GGkYJ)n?tR9;eDTaX9-?QzC-ROtwp`yi<&D@`a zjO=!M+F_%ARiJIZ=Cu`S;o1Ut1d5^R4B-;%HJ%Rn&!^9F{i`>j+`luxWZL|_f%f;& z@OjzDWb0nFR8Z1}KgXM~=K}P2NKpEfn9H4*AoW6>%(D%9jNywHoRG$y&^N!#ttLNG z-h7HQa|*H2O;nsd0wANfcpaHexpjcaiXGOWzL+)34!R($NcJgKTGw>@*WRcVL37T~1bV-|j1S_vnH3IdDZtnaSl6S;J?#@B=Y-)v$8R`XL6Gi9^?g4hi%}NSs&I@e zu#u;F1^lDrgKy^cZnsGH&(Ajlpsm+@W0=I+N>bL(kHXkZpJa`6~|PjLHS zTxsSwrgYG>>10ri1GRGm_l6SyFDJI#rhRiLY58-E;zg}*=IC0FLxy|ka=rz|DJ1CJ zPge>hD*t96XDxtH*!)fODIhRVfqf@YhoGRNHEj1u9GD%q4AgMmpFi{uL`0-C3#HGscW7o+z8 zd*;%iv(V$bhoVGQ)2egB7)h>8P=^dq_Z(793E%6e1xOldpGVV zMtrIJg~}44)VGZP$fFps;GniQ5-pv4B}U*1E2kYrwven?nrwm9Te5%AuwQsz(F|c7 zwx6mvnrTUP1mWZaDm^h$Dy;muTnjp@O$&L^H}lM%DQdh)xbqNx<)eUCQp8T-PFaV0 zTRG*EupK#GfmxIL-FwR{=YDP1B>Y<1nM0X|obv{o_wrOdCgCl;S)RwI2(H^GQzWrD z&0IoaVroNSUS7&OahgW52FFDO)L5~V#8pJD!8zhb!;1;(!?U^dttAXj!WH$gWN)2d zOkfl;9bpPBL25Tx;=((Cp6E-!P#J(w+RyF>tUv%JNwht0>yhkC!$lv%Dh?2gdHu^} z=TtV+Q?JQFX3Y@WGHgO_JEa3(koXXL;#s1|0z`*&McVz$Wr`wM**9tS!ObKV@dsz% z(UM2A)So|pUaCz4c4Q0?K8$PhS2_;gA57=ncThepu{tn+w-3VA0Y9H!IP%Ee&MwvP z$9}HDA+|XJJu6e=l#?!lXT_pvN7aHp$U6jBQk>wC7Xd4T@%^*umGj5mep!OXwLg6n z4SPQ~SGT}~q@^`Z4mYjO%q0#cIdo@Rq?6-g{#y9!kGX>@L$HLpQTC5`gl4Mj;X^p$XD0b{mWctk$ro@=aGzUYJ8SzZX_0O0Q?{qS_O9pWv862u!Cg^MBN;r5l z`OMp}?B>Ffb#lsvDxku6E$Yv8rO$?Uu-=LxqTgggt%M5??W5pE(I6Bn_~TFNE~=(5`rRW7QJD^Wm>i$WaLeT}V<82Q3{|Hy z3@tAUQjZImQaJG};KM9mok6~=oW*>36N%J|-qEwHVHIv$7W(L4A8zTV(fO-C)L)L` zzv~V_kX(?JJdxog)7|azScr#;bnm0AwDeT5?T+|nu3s$J2(@Y%#{3NI^`-D)`DmDsuq4 zkw3mWo7mrV#G;T4^yHOVOZ802oD|ivhS6(p3#y(wvS6W}T02(=Z?RxeyK}XddM2(V zX&}74sj>~z_~BLQ;%?ZGcxO}gh!)W}<(B`+tD4}OrKBos`WU^$6P!uV9qWY`X4^p- zOHpB)kJLpYb;IARumD-XEU^yIU43&+*~w|F+rK&atcXFQ{ZK|{jXSvHL+$1=#RAGM zJ5(-f>4CQ0?xQlM+k#Bc>himgs3~dugVZ_#-Q@dHXqI>++m)IX?n~)~xg3Gx`Uk;s z8?{pTwO@>NPIl={;u=J+p_=Jj(ngFeWsiwhXB(GibwhVD<4HS!?IX(xNV~r3U)GTi z>%+2!mu>5OJILl0egAy%`*Sr@$hFl&qi#9x8%akZ;I;qJ%8GbF=g9ak2Mu#QP+-d+ ze}BFbh+`;)d*kGUw04(9uAWKiyt&(2NgH==#%5!v94*xXjpcXyYAsFE>$o@%kqQzN ztI;XCcOJKQG1)9l=! zk%zZ`Uv7WY$13Qsf1Lc*dCG#GdHg`*`(QRXNynhna%Ajnw-)HDZ(m2&+Uw8joT5t3 zJhi`tQJ{m8``Ge53!|4FMHK}Dx2BRkz3yg8RM%4*d`IzsnPA;2$RSU==}1G2kvO?Q z5QCu1rO&f|(^jva*WWmqYUrI9%eMGGy8yZ?FE~nP%S~trJ|*r(U~K!t0^zs=YUAMO+Myu03QsF6+6 z)sVquC0zxq*bm~KpUp`U>^EYb#8g(3(nnE`w?CT^{3^R?HrdT3zdS;;ThM|M?Yqh$ z(r0mFsCI2HN56rCr-rt9+Rp zu|*VCw`1uKw2gQ9;{0R+&fRBl{&f3Lhgm2=#T=M4gK%+t|wEEx)R zYGLzRP_akC8lhEVMznYz#Qr0a@3H1mx0#7oE>SQod&v2dE`BW}!=ET^b9m>Vzv}AvLEOY)~!V`%{Ij5=t{}y-M8|}f1&LK z%%wAoiwWyBAn}2>19q;1+Q^4zd%h-;F1)9Ev2&0Q#3WgWLBk9#q0`R4N>SE9@c}F! z!~wIL=ACMH*q0l<#uYZH6TqQMREKd0-sAqS-CMAd1<5F9ras_d2Go{RJY90RRGqOn z&vO~#9x z5*+bH6$Nf}Hxz^=d<{U>A{f2*wmda)j~Xoa&eLh*f7UL*FE%7I0zCkvWh6ToXm*;j zM&v3>_41#+YgUZBzKhplk3;dKBOnaIc#`;9$UIbt3vY)qcx?-MViZ7H(< z3JumTCH;V%sunU^>NB&oEQayl#bHAW-@89N1+V)kUCzWMVjD}BY)+tm!=|#Eq#ZJi zc9TY*ub9^)FHJt4*iNGYvUuyR4~h!<`{1I7TNmR4u6Q~TYmTs16+ z{Hy`s_7zPk#+R)#r7q58^9yac$#*#XZq0;Lq7`+hIr06SwVg&?Q|mmVr4ze8ZV{N> zDPnK+y@cmL?58Z<{n#i^x#My@AnuXF?eU?l6Q_?v9s!-6mj9w$t{VI=_TDlq>aJ@W zr&OdA5s?N#5D<`-20>Clq+6u~WQOik0qF*5Bm_z6E>Re|I|gLPp}YC-(fhvN=Xl=x z^78%m|8RZrn30*^>{x5;Cp4LAv zea$-k+=M-6Sb&3*Xe$CF_v<*Xw9&39ML-lz;*cMF!*Yi!8;2Eo;y+sy7YuY%^u!j9 zoQ>Rz+V?}m&JSzy@m%!X$;?meUvncJ-WIb>a){TucjgSTNAsYpmG7GS=~nA}THs_7 z6#KiE;Y+1Pvk`A^Y@|!6Ro{)VN;3RieApoa}Dc-b7W>!@JP-xiQ;`yHP78W^7rS_IX^f%xqbxgV9C%IrH6xXyVdu+i(O zJ?YH~yBvL+M($8@+=_Nu>dO^Y7Tw=g-{>@Rv1(VSv&-?22ZGx3=t& zkFuluqr@|65Icdg&s<#kb5eMp`bP0hYmrek)!-por4f4k~g4FBN}K7Y4(Bhy`5W7$MiVz|&!#WAw<9m5Ui={DA5?(AnTPMPobMB+crHP)NO(SoQ7 z4;Ri$$rMgv(+3h34Jb%-lf?`?*I#U@GqOvF%+!c%QWfE~Kg9I*WkP9q&Qo1wdR!Zi z=pOY3+K!!Dw~40%&B4#?u}))CAiIcbjCaGR6pqQAqt^RH>H;&6)n=2EAEU$V2cBB{ zSgW)U7*6R{7-r_NX)?%z&0IOnTu`7TmZBL`F&-;{FtldLRe-1*Hl-L_-{mV8u=N2S z9V?M_W)Rs}J$UQB?wtf)4K=Z0WbHU_9l`2QNkXaRz_{kb`E>K-#Gzqxi$bwe+xE)y zZMdtd`(jnd>!}={-L-*%W1F`wPcDI)n~7y~Bg&OBQ8+u4{iL%+*>7025*+~@>EUJ; zFtE_a^BKkrA0hA%+c)E)A8c+Gfp{y&?SEkJzUGWK=aO`f55MMNo(FdZnhmPn#(gQh zzrh)C%bgJv>ySWVO;P>!54iu>HX2w+DF%o(t?TOi0l%(Q<`Y*6-wQ z1qo_RvsiPVg6(AGU*8W7zFvG#t@Zp}C~gN%Py%1+BR92~(UIyg&dhwgb~0KJ4(SV+ z?!KI|TS<85LHnH0YQ;V^GoeQ4J{wc`(GH2czK6H7aMsA1ueR>5r)3Dzl$e)#{db!-q|_ZEPZNqdn?Ze-tR(%TP@H8 zB4`m@E>tWi57<^f1MqXK2AHKq{8r_1V+$||-h>ez-|A8@A zq|R25Nn2(%|)IZL|*u}to&Kc{vRgBj_A*Q>T*{G%`bgWoG{j^FOkffSph4I)4*}>4v zCM$~y89Ennac~eLW44+7*mSPEbso^_@{z0s^L3W*|A@;-#SEQEeXZ6mcCirk@A%%$@-zJA{nuoz=hKJ55Dax%VCt5UB$qL8(lTi~%&UG@1@@cs5PJrDSP z<_zwfS31_UT;(@9r!wu$TU~Vc z+z%2ou8XCzp;zc$8RjKW`fhkuZLd?FXHcPRQ?V%f@@1Oc#`I%t(%BbNIglq4WtV!k z5`wSq6dSW-=H)#pHMcq0x1?vub>6eC4}q6`A9V*E5Q1%yfE1s=S%3cqzs0s%gvzs$ zCzZhz9tp(&ePH}>c$UAtob%bEXMW?mN0%#XBAuE;g!9f298z9iUiMHr1@m4-IaP}C~qpe%?nBp8+nxG$h z7Dee_&~`X&h&cX8B9&oTLk>X7ihFCce;vbkO`&2Koi~goU5a#1G_^B}zfBxILUP6g3cjVXyAO?5OH}6UJ$;Zu9%NK~qluS8_B3qVa!M7}==FjFTI=F( z&sIf+^wSqr(SN^7>P-|p!m}#pNX1uw$II)z{ghpxe?dYu17Mw&ftZ!QzIUo}%czHw zsI^rI-4V{P)HZE< zV$SAo-L^2^UcDUSc==3n28!Ch^C`pn+-v9{2Fa;m0;ue{P1k|V*fmEP>&O1VINm(Q z8faR%^;8GnkJ3I)Kjo{*xq8Lr+|@*srRV;kQfkdcF+9mtpDkW1C#P(Biw zz@|0eGJ3P6%(_*U3};fhA?DEjq!*kR|Fwb|<(O{X1zChD4yPYi=}6RWl3m==zegUZ z(I!BrSuyleM6u)J@G>vP!4!@_|PsACNs*7u8smcdQ7}pZWu;+NxT0`nx z%`MC0K_sxh7cvV>(3gS)$jz;H;eqXrGRofxv>N7=v{b%KY6@zQH6eziteaV-)Q*Ih zE-a>=JQ(h3@mI(Ik)l~-c|s}QaOV`6W2D1!Qm{Rj-ZP^9tCTfc!D1I!s&5}Dv&%$g zw3OAFZ>Y%IXtZ-kJ+CfJOUHuU_>!oM#EsG9U9{Ww?S(RHy#OVo*Od6v}xPAM;T^a4!xw$0iK zG;||q@Ph_NLlE$|A=yJaIs)Oiw!2M~ptP00uv9GMcvV-c#?a6zX>4WQFfLxmrxW5N`I9~_Z`$`AL1gD(X9X`$() zV%@A=vDT4=QT!9Pq>Y}uEp{OvO5ce7BuiReb^(ehZPrVXcWylr$?9oq>DhXhtyW8L z%NNb&%gfc!-}ps+sJkxM$&#*@A5w#8L;*x2)%h2@BtJ#3(LR-(H2L5bjn`^E;lcp~ zpC(pA{lmvb;N#(`&}=rZ;n5(q40xFNm2gTTY)cTIT3Qz+*-&?UXpW41yy>*|CxvrE zQMJ@Drp>Om1JM!RDkYum5coE)TF<^VU!7fgbqQ7fg4iu&kA#=A;eCv?r@rC8S+tlJ zPC$F%IwLy&!`o0e%XUx$0~QibAn^7#GbuxPcvwp2;y;+cwl>OxnYh$_t3d5n?xjis zyS?4V`8xom&v39n)4Ez5XgiN6WM~hl<>3uDgtV`t*?jMo<6qyo3dAXHBeME1TB=`W z@U>(@Q+ddpTbMA7b&mqw-V5q-flK3>ptLTu$61Xkapzg;6pnd=ew^NXe&4kT?W56g zbbMNiy#*_bqhVg*&^^=n=(p>U?i1^?&g~oqS7`)In3u5s>#d_-?$6=%pZjs>^}`Iz zVul^$HLij%k>)xJhVGS?_9s#f6kra!_O@tRq%oETcMa=nHOpgfjb=Y{RROhSd-qcc z;_nbOH019SRiBR4X>YKh%JW(T9)IA|^Rv56sk)Xg$QXhU94Krv-)U`tW2Us$+!m1ZPXXz}r1mjHQ-p^(Zq zjNa`6!HE1&)c$qT`7nB$mR-XvO)7 z+`hjNCBk2uAc+>oKqyA@2@51XpWufy0TlM_tr>wY;!2*4ZyCKP9;i(Twmd@9l0IsQ z2%T?<+t--byA`C0<_y_?$$uV*OGlNuPbHtxKs~T#Rb~23jgVg<4=c=-d+k0n*h3Q( zUIxEcNez~w^E%z6W^YTkHNXcGSmV2wTT%O9r6AikRG4z$`u4KHg$_=|_Fg9D zM)=tTenlp04H>Q1>sb1=-$BM1s5H(S#_)(wdRW)r6N8N)Wtn?PffBS4@7gOEgfw0h z@1J>{1f3ft-k+#vZme^h$~Svv7-zFeF7>{+t$ud!QO~382wd!^K72zt^%4I!)?4g32?!ZNX4=>!g}lK|528*y z9(@ElP^FodzkDx1)pGP{tWfGrhuM|4C z5Q26LzziPy*k_q)M@Ym{Pfz5V;;+5r*06BX11dT`yt)T3>#BZL;2K<>@^DLkc(e*z z%rrHL^$HO-U9smhp4#==$2Z9WCPiOliHda0LGyv%V7MVJs6s#1})>_YI z*{_Xd_c~jAv6`&Gel*iYs?ZQQ&T3wGQE6SCc+@rjB5A{xZgi?fi!a5}?N_|Qn^Jh? z_)R1zHx|+G2`l7z1anT#dUPCrGX;1GduevU<%<*6U-J)!w>NN<3wz9rkpw0~7lYT>$cL2R9z%(>wpc5nj-s5q7*{%w>l88xL z;UwNLFyG#^_|DCZo?viui^)Lmj&r8qYm0i6r-DmI@!>iNR3~BBm-iMVdanMV0WXPV zNj)OI^@7YQ=G3CM^8Nlnrq4z6gvliXg))PZ_3c^0p7-jH2#j1E$4G4UdJZlZTQr^| z4$s}IGVIy>T92M`zmaleZIu3shn;VfTFezE$*w8wOp~^e*4jIy9yzHNJ{xaEs92%} zSuCh1zNL$6)y?~#LBk!)^4~mU7N|KldRNJQvPFQ31h%jGm98>g@IV%5o~pm<_?)Iz zw*Qvcplx1s%2+-neM$!0ckDzn2EHMoaM|Uu(9>0l^dGOSHpaHF^MiLV{RFdn4P`&;{;JLJZWuw85^9zCBQp-np37N46>LpMDXcF0MeVQ$psb!;LP&0V4(*TKMA#vwpLR{ZYl6r8aN|(C+jTN$X zN7i}sNqBKYYK;cR;Zr95lls)qIkewsnHbH}pEgJ~)dq#?oDz}3zacYu$%z8ahm4c%qkuf7I_2#jVB|9%6 zk?jSmc{JP}B`Mbq5u4av`4~<);rKV}59R=<&PdPiB>)0GXd$8OJ9G3GDYki?| zC%ePw)aioVb?Q`a;z zd0>~*RLfTogD?8nf3q&{(SI!q-VZkJH@fEN+yjP-d2>B{6{LrXb!U)U9mcO3I>Tc>fay{Dgbj-vtsCSSF^AkSg0J<1E7vp zsthjAMrP$}Cj%wwI8 z+^BbzkEnMRr#Dqu)3X?qVRprf?Vl?QYbWsb8?b-|nf~UsGMabwuhq3rD7pex_cdyD zzwq1^1{N&><+gGsgp=cUbV6W^1-jhA$Q8Kh$Vv?zk($rpOr?F9SE3nxFK@ z!cyDfexrx~dHIsm(pKOQysam}gO53CK~CKHW0ZQ7tZw>4;Ak*twZ++poe0k()}`eV zN^j97HHW-K9TiBAdV^wlo8S*G=>+3T>w=StRel5+NIQx=Js(@7pP0B-DxN=i^5g48 zd(Npnu$=d_w;pz6e-JEQd%$1Qb6aO|>jb}{-8066nPo>^9%5Gi>aL0VMn(&xyosF3 za(tgS!AfPtDjcFTXUag=OZ(8gAuZsgv+J_y_Evjaag|fT>OB_DmQk7h8_zQJTv+%& zBWG>gM*7nD=-yQ?S8q236e60V4LaiA;4jpEPLH=Y>+f?DT^lfw$?g*T@v!GMTxUyE ztHIDVm}4KddVg_OSPN8H&%Cd{JmD|p<9y>{V&sM>G@hFocI$KAO<9?Ub_d}Mw^8M1 zWA+En6O4Wrl8ez8{jwaeD2n&Mph}_)YS;^|CjfCr1K|;`mu&fq_do;0GOqr{{`|)+ znq>QVhFPBk^@E>%UkXy^LAytO^^Cch#zwxyHbx{7yF<>dZ zevwHCp6~+YZ#PRAzrv>JZN#c1c>SD+>W9@;8b9pT7k}_DAa=h1h!~UDA`p4dqoNS{ zZt(>0T`_lTD@sl3m32WzbfbeVQemmT4#)oE@-#a9Ts;4^Z`@$|+Oi_JQAfG*Y>IZ^$|@GjH;lsq%B$eyRbeAA;ufd8#+gPb`IOiTr0&&v#8Qy*ge0U~J$c-%!EJ*8~hOnoV{fCubX7xhR+26=<1VkM5AE5&$W(L>B)@ zD`0Izm-3Jc1+JSY2xmqSL=sc{(7tsZbi}JbTaiBzJc@h2Y}5>W-(9fyQNTvosV*-4 zgoJ#-PP~}mNd;{f`BK|Vvj07Xf0?8I`u6a~FMKKD2S90!F{K82pUyd))gBUvA|0UuhO&*+Hv0glhHl;^}KfrFl8`0E0jHMCgrDljOMLL0z`P& zbToMjM9rVKlLR%O2gWoSTl5tslRl#1bGA#Q?Q6H^6(9E4MXRCzP==6JDbNvQaA5bO|(XUwUAUCF0k5TjkLB?F2(mO80k9q%rx09dU4#;ejal z4n0saIy6z-SC2A((ArswoW0Mm81PBW- z$yYkB@If$OP0mFCC;WSh!ol=YEBxEcOaL{&bClqf7MaCA0;5||^FlVd%sY0qU8Sip z$yvJhC(jH2wY8Gn@iAa8cu`yXIw(LHHIO^HSGL)(CB4vWXyjIZhd=*&*kVDrKaJ;0 zx38pB7})PnCA7_uu*;|=_XFqlQkcJ$6Cc?cH?QA8`1)_MZ-1%AUJ_W?G=fHVmM;Iv z-2OeTe?1Oz9iaKXT4|yG>;M1c?L)8(e{A!?+WpUG&RhoPBjm%~W8i%J&;S2lAN#Lw z|C#XLtHl3V(|>mO|3Sk35$XR2ZTv@v|Bsga?W=!`);~t;H-_jREB%|r`QOU*kCpz% zO8>Pr`R7>r-}>^`YvuLNvGkk8`M*rkKUVtxT9Ut(wSTPiKUVs$mFxc(R$2@TYa1t! zu9sN>bpd{zk8|+{7=H_hp?P1v`xH>&fD07Q^!3?5N7E?Ke?_3R@Px;FFuVKg z<%=tnrnU`0Q3V_vImjH%i ztG`72_c9}<;0?$sP^+e4zNn>!1S_Ugr_JY`!%7clvG@U9 zWLF_*{PX_2pV-|#OcPq2Q$)Z)E$GmB+8-UYH)5LNervPr;=fyd|nyelq8cdBrXF4sxYk z;9V{YOBQmtZxKFe54iolq4-I67P`3BP-NDizv`<3!zJV%rVF4klhx9SbMA>@)j@!M zTiEWWhA)!-%>^Jzg3?F-8#G>t_hiS#(Y)=5z)J{AyW8JNuJ_=LUjAmV!*KBwn|7wO zhKMS6K=qo|P@6y?0$RzJd>@Lb1I&VRU<L3ya`8G=zX9M!JPq>X?E`3&%{dQ?Tl z#KfOj!t3?est^%hkl*cr42yjQn#vdy;d@<-rVG5x8hgV@`L~vd#s}-o*H*n6hv>Y# zJYL)jDt?=9c;eK;E`ymPRko%_UrFkFP3ElZr+u$bx}U$uzDmP#7X$W!DtgW~n2qk@ z;v9Yv8OUC*$yU4hb&d<$Xm_{t2$BtA9w*`xL9`j5O}@2vZINK zNqn?l`t+-}L}g`V&kPJUR%A6EiL8|lWXQ*|73?fK_4X}NTPT2`P-4J}sKVz?rgflo zcS&@uymj68hQN(dsXl7m*Ff%X1M%~>&LGCRE+YzFE?0c&#QtsiA{7&7b&TfHwY=z{ zfyX&??#AtOL>W-m9=UPD?l71%Vbwm#fbo(Bm%z-A$41T2_2|25r2P^(nLQ0p!e#mP z*RB%`4GnFBHup6P<8`i%{Ck5cdW+-7Gm%On;h0wlDyxNoI)iJ|LwuT7Mg@*f-^P4E zD~_P`qS$q!xY)_nD2$nH_Up)2PB&Wa&rIv6D53Qddx_fD7F1q{<_xv3@OVzT-|nlo z-HrD$Z8^@xPCGRbeFq6PBZorEYmt4ywN;XwCsX|ow}i%&8y?xX6<8>7u5$$5tW#$< zWQQ!iRm6EN8H3jqr4v9-Mt%GwuJ%E_!7~?grQr3c8jTPt;T5uHuGrK%nA^Cs4#;7J z;^N{w`TpY}=s9DGTk-BvA6@<;rG*VvSTq4TLNgS$)U z!{<{ExKa9Ig4=Ef=JW#CCL$?WiT`effu8;R!)FGoJlz)iHTE5Cf%Wjf%=4;*yK&)T zFys#X4svdl@UoA})Qf2$CKYsqM;pZl;k1~I%GSvyOjtUosCIs9oQy+LD6@lRqo`D%w`pWzBG;2FthX3)AZ}@yKR7Z{*%D3w;dO=e>J5I55h4UU{}QK!ytLu8f!ECR(?U7TB)MH|l&odPk%f#_q8d z*#B82YoGI5Mo4;k58PiKP0I{aB8c2rGc}04-_zC>4s@AN3?ka`RiCt8TGUk<>F|tR{}5ua=?Z8Hg^1f|nF!#J zu1<9N;g1^G3@n^(8*s!``PzaeYwyojuyv$U8f=4sa^hpax~0?3RvSQ5I#kd31WYm> z^QilJ)v5xH>ysXrVKUcctbtZC)qCNAs+kA|a1Yn4lpEy~{Po$~JAJ7Z9pSBFbaqPE zzoS{{eejS``Z$?tef*YzeV%sAB%e6M`Bf$YFYeCHEyY-h6p^bm6`GZllcUyPjmb>T z0A;~rPyP!1Iv4)}-^rhwZGjrCzbZBj@>=}yv5PG@%a9D96LZmUugBS<=mk?@-F|%S z(L#cW>^`8k?sO|O?MdFwWOtVZ?JL<)X2;0LX!M}eLHc6BhX5xwDhdWJ#G9U*NSK&> z8e0X&=Ia=B6t(+&?M^q*S$uRfafSTU0#K^?iiWd%Az%^~_FN_>$}PD%O38g^Ct3gz zD4Ax9o({!BtH#=mj7Y_8p6tB5sD_KPjc3ZrFV6R2fQU~LK2qZdJ=%_KxR2`e@~UIu zb#*`qM5)k!AGi;x&NYz5N!y<2)z#NWD;f=C57!rV=WEqH8{GjpFfldz0GL{3)^x_QG~cVc>vi2Mu*0-BU+G`gVPfIjv^IcB=3O8mJl|izp(% zoE&CbyxH?%iU>78LXMrnyVxuqJZ%Oq29@klP zq1$)v-4hQyuEIHYe00QI9mX!WU9_eK#MD)fwB@%Y!!%)b=uk9g#7mCk8vf-ehIC8} zSld&}TwXy%v@xAC%_~m!yiCO9@$qDWt(mP8;W;$OBZu813-B=)WnOP z>2rDO7a#qoI8&~GHX-2mx)y1J=13Y2A3KAdAx5KLUa;cWAsdg5_mJ~VSE%vUOcfq` z`nqkn!nqpQ^U><}^j$p^D$s1E1Pj}9H-_X2p>8^CK^HXyYtCl3$uTV1Hm5@rwx_+5 zIcE|u=~<2)6UW_zT5BYLC+T`=303k2($jzO&rIc2Crp^cE%~$YguB-B1QQSwtgwl0 zfh}Qsz+2z##?PmR{fy+Ef{y~pTwZQ&iQjmY?V>vIw^DMs@FZZ0>z-hR5kCTE$@Ag_ z-T}-_7nGH9u&b+!m~yuk#fvUhd?dwnu{dU$QYO*$0y?B-X)k6A4xSg#tF;i&A!56k z`n=c8z>{kwr?xu4R=$E9TC1#{uRX8RqIczuJ+X0JR~(l#!;=rs*OAxvKn&4&rg@Rx zoGC>Q;+pe&K04;cZsiv|^|-CFSOT?TlDG87RJP@>bS${%e%o79sn9v!-i90n z;Ou*5VqQ7{ghq!@oZps(c!#irt)gvngrA+{W|}KSuZ9lhcoK@J%->gK6FUoBcW)S1 zaKKdT>~fD8zmgr|+H7_WXuCkh(So0+(>FMpIUzrB8_ylazoSFK3N4SP?OzdmbYv;H7y(%u;4YV zGc9L2n6>|M&vaBC?AU*fNGiTE6@U^l4A{!7Ea(DS zkS7S()l0^6_#VWiq(Ie6hG>UXl!Vpn)J6{Ao^ZT!5x`)q3}(>80j&;mMfvWSh#jN)-C*`tbLQI)cS70*v&|+Sv?`F3cF_iun{|LPy^Dw6YQ}2` zu6r~`eQ|G^r;kmi{541OXgBZ6HPQ3Kx$Oba7klN#S&**h*`CQ}wd2Ngf0>1btzLUa zhcR$KmA#EA_lGQxjvn(AC_co5UF?Wn7Sv?*b=y}JMbkRZ%h2gT-J{L_HRzMNFpRSsUmJm#wS)Aa}NN3pX zVK{I4Id%k!zZrXLyt2f>xjj6)P2B3~w5sdkr^^fR?wr}CY@aQ*gmYH)Zmk(!Iw=9HK?{PH?QXLIvKW)kalbG2@zS7?MMtb?@WOs9CP%&T zQ+IK-qr6sEBZIR+&T{5bsaSLE&b*C;iKo_t6YsqYB*D&ttkxOM^5UU$c1@pe`dMMF zr~mmd649q|Iz6;#lVLS46lbTR*n6pOk#49M;az0YAu;?uot^Zg@nzh3M?&Vo`rZEJ zQ=L`ZHwz{Py@^Sf8|@KVmux!Ri-uEQcn}Sq{&*^TG)bOu5lX(mJ^!6K&chu#cCm2T zdAlB?%F$VN2Da_-dEq#PPhM1df$sRn4BEDDihTsqglCFFdR~%2_Xg72tXe&!j^&bG zPqg%!%0TAI(#>V}#7D5{&7AJMz57 zhA?0k`_KypfzcYkkh(*z>Sr6vs$=4-V1JM6)d0E{<#A~afzAj&3x>|(ss2cTo`tVh z{(+t5K8lkc>amkxa(hr<l7M|N9NHbi5(i0Ly9stU8Iqu;o2LX!&lllAnq_c{feo{7yd9oy98q z7!!2RqOwto8lK$({LuWs^TXV*tp_*msmH|EH#`n%o&iJ-6-|?lJLoS?jWn545;&+Q zl{1sN7VZf;Tn?+-Kt4b5JZ<&-mUp|(dB@~v`k;Ps#lX)S#OZW=Q+D8@7NDZ;GG$QT zTlPGiqh2UkPL#K{F2bV{8ilk%7nl0dO|0|}EGz}yoo`&6Z}ev=Q6p7nEI_zXd%E4h z3A&GPZRVv|>s{hkE8iy(D~R-|*pE4FX;@rX=!xp9(tv3w_JqOCnVmO+leS|?V%xux z81VRyxNEY<8uOSDi9w2GGV7{~6}HV|DXJDQT3>$Z$LfEX*MyEZNUo76hU(B%*~%Fm zS(4l}Di`ECRYs7%o&V}kivR&v@gO&LnZobcI4par_DwcU-$Mk;biq7KYQ2oqV}DIg%vn zrMyWbg20>3Z;o;jwn4mKI*l*Od`WC-vC8Va*KM#!-i+wh?$>aw^+PMxj#kB`5u~Q4 z%ovK+Odv`eY8n8ZvMJYgJ4+!9Fox?cCSDP!b=w=#NEiy*bDr7&K|!ZnQ#bPKDiSI{ zdAbU0cV|Zu`UvnQ`tX$eKEFbaWP`4Im=o2VHN@)p8dY*)}I%c_2%V?kYCNOmm7RZjL3YzPy&5MjbzMZZXu=&6Y>)x|2 z&u1}OocB4A(9`%Z+!Ij|Q8AQEkc9GuDhLegSIXd)@9mM( z{KUVu{1H`f&WcWU&Y~g?0quqsOH#d^#2}tci&8k@RLA^Oka+)`WrITk?w`!JB_`X%3QvFBezt~dWBfE`jH43&;&bwMzxd?u z-{+Z^Ji{o;jpp;9mBa_PO2*$KF)&eLlz9nPm_mFr6JQi$49HmzRs#(N?g#f>*f$ znnCx7QZwJSP--ul!=n*Y>@W-!Hc=n3PqtXEACQ8(f=)3VTs=Z`U03CiaHBXO=VDag zQB+fyogD_g3Kvlv4k_s`U7ri)n+^j_Y+Bd4t3-ysvtG4D%6$htXUpQh80hp5r(B$x za=m-aa|6mY*Ag7*yhG+egalEBkI?C6^Kd@pk226&Ikb-HNQ=MtX&XuOU^@&q{vuWo zMBay^IWtHFVdKR6Vex8k=#b}^Pd`>CdOp0xgk7aJM5tBmm9j{xKAtxvQdQ=kHB`mF z@u#Ac@E)yLt%%q3)GqFPPUvXi`&ot`lN?s+91z;L&X&Yv!?Y0WwEbw?78ghYNiEQCc3sd1i3rSQaPq8o*;@EpjcyioYK zQY7yn+js4xrTl#q?0u(r|KT;;K)m~^wh0Kqic$Q#3sdeV`~GY==9bl|COO2Sr7Z=x ze8VFnI({~wc|iHSfmeKCF9j)`&#}UWn&WfO5#V$iBfbM!KbRs?5~3wyR4j!~RM}?f zS~XqTFS2bVof#s22X|hiEZQw!mXiK#F2jAQ^QtAa;)m~G<>(+j%P?)d~6 zpl1-$#D3Z7KmZ;pdB>)UXJmA!EWg|irYCCAHD;&tZ!EjwJ1&P{!@)#*4gZepe%Ttc z7lpHm&kb86`*oFPRpvoPWzVu{KQX+U1aHZHz*cSX%kw9DD&#X|3rk#NHq z_2Z1z2Er=1IY6#z`cp;ZqqtU9>7~6T20s{E~P!(qov5^X%dXZ_?&E<-J%}rDb-7KK<~oYh|3v5lh}Dm%?!QRNFE47Wu%A-$c)wy(jPScyVH5za=>;d{;L-wtU+RFKjUg6K;fcCz(VI zU#fv5r?);Fy*I8;{?ONQhmkBoxJ6TgbW(AkdWb9#XYgSOBl*Ps_xk!zc5&gXm_c8I zYtoO|^aQkmEsFW~<0D=g=D;V1J_NX}TawAwDOX#^DTnbjwkiZoPB4%^?%*Sh9?yDq zv=FL1XLeXJqMI@~+wx_yNvhzuKV-r@e!(!Md9QJy&1iU*%p(OBaPSkCPCc} zyM3eZCDM+dfZIq_6|I-|+2hTEx`UJD9j3VrgI!t@cghd;Y*UZ#X%++_+k?|S|{~yo(=7vO~i;A;{}q3z>c!kN!-3Jr39TfuH6S;K%0#o`o*mQ%@snB;|6e zJlEPejYIAQVKs}J1cRa}kW;d%QP9xq8)=|4uU^*IrD@-wSSl;>+!?1q9tFn9HGjly zq{MyMfir(Na9TM<4ree=k+rt#ImboT2pA#!q@$xFLF90V8m+MYIA_D&UuYSxl0m@BZAeX{OrSA;@fe_k z6Ko(mT)wr{N?j4qh|J4DtH`PQ!dIwW)}Aa~+gmX7$<}?>07si^7<_Da-9Sy4mzjkn z9}<7Il86EpNp{XbTsE-oxH?*tk5kpUnw?Z1mp7vyI6kHE5|8V`hQCphh}nspl5J8w zL*g^@^E{03eFIgsR}RN`lwlOFgB&g!?!0XdnTS!es5Y3=cwiXA;oAL#4({wZeP78- z?b1VA^79`$syA*bvhr<{UtlB&8%9!!*}JNd`vkAuhZ74+ACw)ReVWNOKpSy(S7^hq z)vvNm!yLtTzzkYeteNC!8T^_RH0C4lequNFc#`ycy?7sw3grtuN|7W1l`$oik1BO+ z3I_>0Irn)-1a*AMyAJG}Cblwr_$9`NM@>mc642qkuD-b2}9$!yP}77G}vrh1N%V6ao`^`qdMf`n?Z5hu~jM&CG*Jf<7OG%$!)_rsX3Y$W?^r5(Ff)l#=q2 zty}AupXw6|L{02cIKN$uaUZlT$sHvY8b;q)Hm6X*Wyqm%9&nNOC_2j1xY?t+?~+6g zx6N~GwoM&wW|V|X_$CMT#Fx)ZI~*5vefgWiN2VV5-N;jC=;_(VmJm(S-pcfYcaoTI z3Vlt3#A&A~E)3RpPXMu~H}jq*86-`fi1k zT3>nBS};lMc!`YdDRPF)4+nWnA6tixNQLE zuzdVi0u6n`06g$3vNN7bomm9g{2<_?PK+=xHzFwl9Z^n;9h&p^fCmlMbClsHni@vK z1j7aeKYaA298aj7Q$i&#b)C6d2-G-P4;Tb}?QX6Tsn*^Bl?(A?uNRU_SkEZR8DML# zBhKy?GR`FD`jh7QK?U z%Y?VH;;!~0R$2SRX9IW!RyUSU)0S{bqbD?YF3H&H4_scg)-fve@<>Qs(i-D3!Gg zAJ*oY_aq2^Jc*A`bI^1y&(e1I-rsV)3`Y+-O?-woGBiXs5fDonc*=ZBFle%+sVCfc z!yOXC=h3i`)Bc^@>=+Gr7P$zwOkYn2#u{ zX7i<1mmoiRVLIwCQ=FSM`iNxZ@;<5H!f;tT3z}LBQxF}gyTha!7d}_Vk6Gh#0b(K1X$f=d3zyaIBe%m@KUN3}F?1ESvynma z#9hX2X^m0z$iFjLc!K*Wx>4MN7mxadRI4nj0Gg9oS~|FD_^;H`x3!IfhKsr&3jY3D zMIYhEY6--|k|C}JwYVanv0fFx7y!vXvJI?u0v)y`)tt&VrhxB`9Q8;i6{L3G4R>3!Fo^U#-$_}}Lyi>2S`^lm zld>KfjK}n(^SrT~D39yO6d4}Q3HXv|_4VrTM15iR9w|t`0v!w-X&sBfvF`xYFPR|c zP=D4UsHLlW9|U?l?12Z9P9sm@8H?wI7srKL)v|#HqWm|_40c8j97&Jnp&fz2>C7Kg z?u$|#SuPI=Pd;#DtCL_OuMpD{(i~PRi0DwCK` zOF()zqB+S70J#%dFqQed>S2x;#&9{9-CL%s%Ng;sRHOj4oAdn zt@PT3@dAiM-WHCVs%09HI(whwR9l92#9qu(wIvm)#a!5Vxm#{3O2)v)Ra){X*e3Q_ zBXOs?svv=?r;0A~L4?GoQKrxu*q(mm6q;6vMXoLp_nxIv?$%WPdeXg2d#-sFJ+kkVX-Z7LbOaq*IZWj-f+hfB}XYdf?r2pZj^Q>v`^Tj^}yf zzu!Mz7fyZm-fOMB;B0~Pl(YoV(cCNVX%6t>w zFPc`?%%x{dKDkrCGh$#ulNZI@$VW4VX8Npm_e-kmg*|->1=X4UWQA#crg*HKr46TA z=c<;HB+|4kZ*dy#Z4x+~>O&`~+}i1bj9?9 z%tAreVtVNqvA%T!4NMkxd*^vvG*7Fd!#-IXL}ibd$#0Hp$LSPx!lP}oeI(#M3gRxG zZ>oJc8FLu${fhbW#(u`rXsG5B^j-Uhr}2(m+kyD!sWgjfwT>193TJmI@=ZE1^@Tco z4I6Q+L3Fn{-DeyVM5jqqLzOpf0;E0UMs> z9_hhYt_$598v)a!rwXbI^eTHAraiJ6kEhVoi;IgT?E}B+E8zF2^BNOwKs^khrlYOB zpC(T%TerLKDum~y)8t>x4=Ex>x7NY!W<~|c*rTucebW^MxkWWo z3jV@N-&$)(#i5WGhaHUP*kBmHwOK-M67hh*)P#1tivbj-Pi7P0(Q8i&BMM+gcodQ5 zndBFht$q0{q}o{Cx;7bziEk*e4C9}m_~i5~Z9`~Zv6iohV4D)EmxOG}^Pxox7msj@ zZX}6A1?mG6cQBf)@G^D=QbB=Z$ay<`qZ26h z$py3lYKfjmQt`Am9EQb%hG%;?)iq!zoPO5!-!l~L@R8({ScoV5yCgM02XS8C)Ii5D zzE#kH6h6iHKytWd2)<$O&u9V0j*Lx{EF4;K3>g`IEWHUE6mF0!&uv3{-PRMepPK#_Kokx#LR6rr*_tBm88%hx zN|VR*m8uvLQxy)Tk5l%F? zobjnm3s_pIxhvX)NZ4an5ukc|{;G6W7C)8oV@@^!wsQnIn(rzsJZ;ym6_DNNzI@RI zK1O%!Ll;#rX0?!T#yCfk0FM`G@`}w8`CdJqX4b{A#q7DzG3e6#&}~pHtrL}br7;O zWBV=^1U5;NBX!b39E9MszjR>YP-&Kb`zs?0f~P^QdnV8wIOWdfF8xpnV%d#88-%Wqc!+v<@gdG+B*M{N6zKlq~h|M7|+(#qIJ381}1#p&Qms*+5vSjVwl=! zXo9G(!KFh02yyo27CrN;N5N~uo+JuT1(DDZixSSDlAK6r?qF<{lAQye71gY=%>(p> zbX=eWnl_dHOgi8~{0kepcDs(ah8ZiB#tM_^qjM+VaRfK2=1F9UGLqNdj*(7eJDo;~ z?`c~IHeOD)eY-wWMCaX8J<@H70zg)Q9`SvBBd+xW5USFk>-P=SEAP9Xx)GhoV2reE zZP*RX76dh?Y~2EbXso@yXKLo~vfWy}BsC7PGGKhl?ss2d^0<4i05$b(rZfENaCkig zhPcH?7=5|huLxE|+z~56kQNh8W^XX>Scgtl40AXbYbEvxtQhpxl{QnuOxvmy8W)_B zw#+F!bx=0ep1hq(RvON0?zxsCvF^f=ShF4YXmE9>%;MNC!x3SJiJ#rc?2RKA)c77T z>}pW>ROhLk%|yfSXq|h0iQPO4w7c~s)aBH8r;KS;=aO)$`n10-Nc9wK7LgPnbMwZn z;7`e8m28;zV_-KSnE)A)79vDK?}Pc&y#)e*oQ5ni=}&w zT_PyDAS1j{vO6TY?D^7d`KSg$!l>{{&8lq)T#9A6u=A50d4RRosm8U5dff<>2{!~T zzzb$m8gCust{sHB_9#+xt|{p$rbyzOV7>?n`b{L*N63LPB;5zQl@oS$_VAAAWPe^1 z7x9xK9H6EIc%|g;@3Mas0W%gd_{m%fJA~S@WfwUw9k*U46f_4nrX9as%?b;GK4)uu z-&4}Y0wH`hA`#tF@qN#}Fkrtt6W?Si0)DZ<1GC!1P`Y=t;o4{oKJ|c+(FHv^aa0BK zZ~1W^`#mDV(X)hS{8VM`Q%*=@noP3D!ZOX;SAtLH!uVreESVXgFWHR8yl15$)66u> zmyEZtu@*Cjl)yA&3bh9}-9y6(E0?1%>)du7q~o0b+z zP3|sjE$VBJ%WYo1^`r9^srO2yAq$~1lVpD4OMd7*GKMTo4apnT2d*hkt?}c@-obfL z+12i~?K0=r9H>|lZn}3*-|V9g<@a74v4r<-H$Vb}P{e`Uj8cXk-!rZ_U|GAw{ z>xW{M4XDWrh;j^)2mALpPli4_Lb18&rfaVz@e$Ncf!dP2Hg4UAi+l zi*YKJmbqg=d43#m`i{zzr#_$_`Y&u4YN;og9TcZRJ=I1p>x!O@kLw-+{1*dT7{}QO zQqsE?BCU%X>Avv&GS{y64El>x58FpJ5K%jCOpc)ks*pHjUiIwj%Rf=N6S2ebPF^F` za*eAcaNY7pszP&bnzCkmj%}%UUcSLTJ~YTlO$Kwy)l@~-`8wL$qrf<8WsSFHJCIcN zd-twkIaWCfBArePu?-FtWEH-R?yFA0x+ok{09X1yT(|c{O~mXCqF2n1f812ttXb zZhQYBv14z`s)tNn_UrfOHA$ji^mZ{_rRf{nNyTvbKZ2t5je;GfP`1^@)-pLJ(Ue$2 ztr7)!zSXSH?KFIEk;RO3w(qQ65XX9u7M|A4 zZyIK|KHU;siQ!ey05NL)Iuqi2+WL@zrl{k@!`wvP$>9i?`hHLT_OFD@?H?c8GUwDp zF+H|rCVF$eLIp#@Gv&p)mLBCtyELAIkchpZjor-r1sUOjQ?8y7tW5RRI7{TdrdsqG zy~L#3AYMo65xrx#pwj|-z1oMcn-A|~C}!Cl4-0Q+9NxedyiHQOhgP?hU#O?kGsQSX zcGZ`iS*SVhhP^!OR%@I(u$jn)t`SNqrmZo=fEP&&`9dNWX!V!L#MTSe}qm5)9X49*`C|!*oB*hXwW4; zsIS#-nKUe^$S0 zxDqYc+)$MxM@8y97i?Y7?WU@~A3RgDY&T_{LC_9@E=fEu9c@mz(l;DEY(a{+w)Dt`wig6*iEp`t?HG5IKyu6tJ z@x13ygLYm%th`s6Y$jO#mEe^M<&CHKhkFzDYD(vgtWSay8Xw#R1-~MiMu3hpXbjGf zkXoC^)eQp$E|!(YTVG(L?6R%)j*qI(xk3*%=PKS0>S{HdPRyJxxmwpsy4JCU zR#eP%{<2)sHBsXfNV0tk|Ao?nX+iwDZ4U}U@~lvLw)|Bu*D4O7KexgSb?qYTpM1mH zsd}YS2(5d9<($dP?~kQ9Tryvj%NWW_TAQ#x=qy*Isi)81wy_Wu&-!qF$x8!ol7}8$ zMIDK<3h!1iPe2HI%{+GM?RDi$p9tZ1L5Qsrx97>Yl+n^07jOua(wzNd)2`vqdssTG zWjRl+D9+A^yxA#gqBrts)yjn?)QnHeb6lj>7&3dX?zv{pao|p3J2R^JM=j~C z`K~U5US+3=(A(C#JMY7+$FW30=YB)J#h^owvihA9?ssx}IUZ;4`XodJ0lP+`yV>_AG5xINY9$TCkgQ+|G%H|$%ykq5a#W5qp_1I~lT|P^H7%I%n%U`*$GU{0VLj13o&&;uYe_qBgW4;| z{m@0Ykye3)k*~5tgs6oiRa(7(Wtp@8;aYykcepV$M?ITF`2wM+U@xUjg=l%z_%Ixu zwDuYG3c4eq#!&iFr+I(LHeW-ucHOu{@S0wYbGrM~@?mXwO(*2){sPKVY`sN{gd{?t z9C|(oDMu7!E2^b5?n^sT<>WmcygEpI9Hd7>_v2GT{~S#*`LxUTAWhClT!4;kL)%Wc z*A?c>QCzL-joqQHxA(LKKCD*zA>p*W`wAk;*1b)$I&d{L1SUWWLexu=)b-YoLC& zNgW~X@9o)2d28V6O{u*=XH(;}keLb}y|XS_gucxA#Qc%kjehr!pR3%2OhMzb$YLPQ-g;6C^SzZEAIOb&s#k zEL=WvN|?gnM;Wv29~u8>A7rxYIQ_IpQ~b{-*;62J)vs+#7Ih6=?V;Lxtl_8Wx^`8r zQb1`nIqZ}>UedQg+=#t67x`+}VokFDhA`5EFp7f9?nw3#QQ^dPrMkq~i4*k4yXy}S zlGqhB!_&St&JvgD!Et2kn5K0q+N7YI;@Q3f7K5lg!IagTc9Ekq*N=q8@Ec6ZjY`ZC zEYVkk1Bqd+7hN>%QihAOs?}NwY4yg0E_CS4I<4DfG@X#?+a0rz1jN;J-o7Wi9`>57%@1kTK;rY`~EoD9T$Unl5}0CoXJu3 zOV!5J&lklw9!e;8jDw{y&lTs z;*fFchkWLo0j;A+J3UAxJ&B{`jP7dj)p1BZb$(G^#rF$-$*948f_7^4peAHbvbE$n z54v403R)58d!3c_DHbRxBblS;F+qy#*6YdWE2Vj#(?Km;GZPaCV*4W4;uDAm6e6v; zj}(kx%+cLW$UQeiNkmy)eN;Y|Y7v~`TgWqUWk(lrm3u@(K$4?ctT8Pzx8!>liD08K z+>|w)O$0$0ndUfO&}#0J&aOc%Ub!s57ON(JrW0?hyKiC(`LL(afvGSL()9j5D2)io zVQcT+ofI&y5^g=ojNtJ|p|`&6VK8BhH|D_-@<^O4LEOo*R7D1_x`+6e8eh_IV`2Hv zl$zWX;fu6dyG}!VOA8GML&-`iir-|?lqud3lN@U`hKojI)P^aCOX?vcjfRb6eXB=v zw#{^`U8zFpH{X~P9>4zH3$S>QOC;bD>1EC%E*AzAHX$|p7FM7**CG@a^Yr%)bpoun8+!afNWiP6`VI{^{ zjYFDb6=C8+++NrtlW>`~)|fCnN4;@(9`2tGw>E#PiEX`Y`^;J!5(T^H-oNMPg31fGJ&JbiKvSn+3bpY*;y zA9PzCq9$Kl=`Eg9$RTdeYyp*cQw2-YU8k3OW%iX%hbY71P9PgFPJ_M!+WYgQ$xsWU zXN%(({4rPeq0A)ZyA!8a}JV-w4n522dw#*T1xm}Fe{^SmHtvxAc--+6{!p4yP z*2ceLQ~>BJFn?C@!?(bLR#-NWT9!y5a+r3$of6*`@?`YNeNp6>eIgS6?T_C^x1iV= zSABZE%7dc__SbCZNPqIOOo4WiaDM#_m$T@wQZ>4DHq3rp7v)b%D-)wKd;*T z9Ml(5CxK}knNaq|0>HUFm8d3mBYJ$-OXECLc<#+j-J$IL>MN*ueR?vfSP)Hr&GGe) zE-Ng?62W4_%1KsLK&ku>lwPm2HRnrA%<{g3@GWKMXiht>XM10FYj*8+PS+;qK6oC+ z4Ag4H?zXpoJW7}<-EbW=f#nXLywZ7I@)+QXMeN+Bs&`4MZ6*og>oYYK%+0H2oNvod zf7Da!dOz%b`ODH6I&{C&_6!!SFS!_b)pbGj%PfRy3`Okzv_9TIodd+H6=>5^`)Cty_jiYedtpyX53}QrjVN|(k~!*fD;H2b zLjncHu~%wOXgfqSSu?pFL=zzef8G^!^%L=dXuQ(`QEPf&D9u^rH@F-zanJkjt-`A= z3I@}POhio2>Y?$IqP1zs08CPPl0D-xN&o(>*51dHRt#0Fqz=5gICXb9n$qjxe{lh@ zJUdG>U;ikd+?KwZ3xep^ffYOEKR;adzg;2TIXQU>5i{YbM9JQ$HUWB+Lie0@5jB%x2L-jzr6Bk)>YN&RcXN14RuVid#Xs! z>no@w-yPGTS`{vMkK9NwgJ+wlMf3BP4w<8;fJ^YOrg8p~NLETA2gYVm;x2!FtDLyr z2;RE+uxBI8-v{HV%Dh@FQaD%rY|g5Kt4iiU)iP~|2L0J^?W2WiBKo-2G?i}&Qx7rY zhCSraHO2qCVa9#tVTtfAH}!gQ?~^Y!{zpFb8EN7etnOx^eV4q|)KEy5XVK}?+euRg z-c09A+*>p|VBSR{sd3*P*1xLSmEe4yH*+uUvf>PLHBwj%8YVPmpX}jyOsQCkR6hQj z1_WH^x7;PUPE$G1Qe#=qV^T6yR4=@VOdT;jExN9ASoWBTr|ZlBJ=Rh*tYR1!^I;4f z8(0~5E4QIdVc+|4c!~8OB}7T9)sPm;+t8kPe0>&G#H+{Va=s){`VXFhy;fOjBVO`&&^U6w0S++-I_ff4q)Wc$1>n zGZkvO&Mc^ce&AEcpTzF#lC(=dB~)f6#tJ_ks`;1;TcId_@b3tJx=(AG*A!R(oc*Sa z&Oy2+dH5JipF=9yb`Y+-Fc|DHgv==;-hp=dFM5JxHA?>L07scloIB1uJk~H>4{`}B z4dAA;hubqfo6MaKB>q5MLtR3^)41Cp5w~m$%1JKtHANT{B532gj;-d*@hB9q%L^{c z7%Ywmqv=m(i4;C{R!XnG6)yUoR`CsV-&p@R3MWD)fzjQ=c_nu<2uf4XvH&I7%Q`k( z#%V-GDbN~51>K*}r9mbvo2!60TnBgkX@POiA3#@JQCkQZdqJkveo+Z~dW8f3Gl-7c zk!|xjTlEOC{L~Py~eY$2hdY^ElOpQ}=oDhBN^VaRDiC5?|Lvjar#iRuwd%Q2K(JBuzEOKopsEi&(mCUTbg`wWY6djpG#^<%!B07 zS7$E0*dFU)53=Qw+LS?Es6qc@=qL0M-@)QiFW<;{h>}YMdR(g)WqWkmvBYb97+(~= zcc?;#0zl1s2_ihL`zSnS-&TSQzMSt4Pl9=-3aTc#&8(lKvpuS9&6%9oteW!meL04Q_9=$~k1FZ20%PTvX*| z`i0ZlVx_tCWSuUNMf{42sBpS`B&B-~1_SQ`d4!O4NSeoey@wSm=BRn7#_PSW71o($ zUAXgJ$@W39vjL=Q zMQRdD8#}bGb8f7|fgfk7newr1v!AA#-}}AfCI+%R9Ki3%VI( z3K~?kBuDmL*T?xsY*ctJ03kQ%@N6h({8f=>RNwX7t#gF4KXx!Rp06~ z8&`?j4QhTIlv688PEVOYT87Cojxp9p>j|JMxf3)8*G;jW9Dx4(4>)9`jh193;3Tni zfGvA&R4d;0Ie6h2_JaMIXlloZCKiUv`g%5{B%2hLXVV<3dq;#2qr04X#m!T!3*Sz? z0)>Wb;&%8-UfuwVh*V`kTkheIJ*-0lllW|^?2ZZ~-4?~^_*oU3rTL{~;!4LeNIb9Z z9?y_~td*eHB11gnN_Rq11 z;g#~6<%UeK<6Y{#XV7=986HMD2tHl&J8t!;yvuZdA#XgLe>#uo zHJFm-PaPZ|8&8~Jg{8l_t0Eqqu;CW=)Hjk=B8UD~`D`agx|iol3+a~kji;!W52|Yf zm>0^Ze*MQ{HPv@nwuX1K6(yt8GD%N6!>-eXY z0;$d8baNq+qUf=V?A_(GR@yVgEqHYz(W?3Cus!=Z4A*t@&1fkpp55SmEa3XCyJq@O>?=zcTz1Xq>w5@NvuMp?i)m~T^QX0_}t$DS+YCfBlX!k+#WR7&no$dm{e?en(+!jxmY;(XS zOcPHB@;Rm-`y4CDGGOEIsmB4#cl6R9UHQ9V+<%nHEs~oQX-xX45X!;Bol{)zwno)a zIa3WA6P0SfdtIYW?deGVH(Lk;M0PNE8@0USDguTVTPzdTiYQswitHXC8c!iTl4o8h zjZi}hPTf0|(;oTWXo!}<-9!OfD@}eQbE!cqrAW0P1JC^p+hk(w5y%|tW<8F7X*4sA zmpi2%mi#Vn*_5?qP7e6-i07p0`DQ7B-`f z1VuiS#W{zUl#>=~4?xT3cJMlK_JM%W|HfL~Y zQIZeUBN29M2DXyU7K26_E*q1Un)fQXEZRf?uff)@uUmZ=87g^%rpi45xyiauFeSrp z0&g&(;;y=c>zm!Ptw+ZvNgs6Mxr>9mCkmHBiw~qC$hDRN5cX0`d4%wXN!w9ZQo*k;K%rrLYlxPPT2-;6`Ad{RTrWEUv+irV4 zW_gleVnkkaqlARyY@!jH_&7=EDZJ_zF+eAldE1XB1M@5g=o1)3!fb7Q54(&OR`ZK0 zNHPpD;#!98nFcYsM9;P0`eOyN6~h*#vbi84iUvI!Gpju(Qp1cd>|rmCUki!Wx}sw_ zFlwWqw{~#96O`?$L66Z-b7`Z`si6SM(yn8kyy#iKzYutpW}yZJ-$@aOY`)-EX#Q;G zV+g*90eJ37%)Xb(S@E98DpDsEH6V|rp}JpuT}sto-YSFfhLjz%MU65Qj&G(+T5!p59Vw3;@m6RZsm%I7d~5aV(xVS5T=g2x!?P+6s^vU(-(mHx)B7BxodDeD!+`Lf zCD?(smc(s7i>Mvv9B=c{9gsEWm#yAe;`i2X&{FduF_GQq zuv6=2g~%hku|x69b9*yqr~BQHMz+{O=tZ2{3tnN3&M-zxWwu;?F;kW=!61`fy1sEGpJMebE zt-y}ZcM8{mX$MJQ_5esr#ofJ{DsPx9q&|`4^J+-r3-%!ov}@p9n6U;C3oh+6*5F+W zs1YRS#N3K^*C!AsPtIWz&y$gnZG&o+rpx;HVvS}b7VUdhyNg2f!lpex`*oK1D;LiWn~ARl2cW9-~b`(xk{$!WQ}*nvbX2_uSB zOI#8=K@Th)k2lQC1vF~(bai7*h@xPuN7eoQ^DBedikPB8n3Rs5UT+vlX~X`s=QACh z`?wz&65q-r#t{i#d5u!9bsAhpnQH}gM$!tu6d@8n2ekT&@B?fjm56>(>iY;vslB6c zYW_!n=uL*VuPBwbe#Niq)CUks#P2wI`gSMqZ~LC1&u}{*gy+as@N6QipO}HdE;nXt zti-qEi>-nj*F{<*pnq+M)al^ZzJWOTqT!GU;mH&wunuDRZebA3I>$;Z>>J|MZ{%`Stw zc7j0|q3g=!k44@XX=~r3F!FK;-H=QXye=h?a7}M6KK!DOh~A6)$MDs- zNuT5O?RvDg+G+3Ep`=U8M4#ZX{_+(I57`QI!!evgze+vpN#c@I_VLHtaU^&~?u#)S zf-FcXB0-xp$N?yw6xD>K=2u{8V&`XLp&X8zD-lpEocn=d#6d<3&h8-td^(_?hxaM^QE0K2(7XbL|X3%#a8urSU zCP(1#yMB}K*Z|z%Z&6^%CL_oL(thI<1J9Vmf7`rG`KW0_GTKStRy&zY9nHNlJ}POK($$K<_&lP`^1{oS(a?Nz?6%!aKo*(Ow9A*hy;fjo(v;eqdE^_$qZY zb7G-EtQ9ZG8(&au7fd=u%&ezWTzoUvkga! zNfC|bsGU3SW$+0o;%%lWFbg~65+K|wIS;J@oh@d7;&37?A>wbKrGEfV{g*D&hAJ)i z9f^#*vJPa^jqlGq?Ebnh>MY#?Jfhm!Os6`Li<5v@vdk@e$IE&jwy8s5Hr%2Mt|K}W zLE4IXRllepstOPTI$k^m^STO#92z3PBN^h=C^B5d5p&L^KLnHDlyK7!-*69H{HE0jV67w_l*-nS3_mcOZ0;}E%@bqD|wB|U$q zb=(x?v-q;fO*X=fvz3k32x~sGI$4 zuN>S8RF@U;gsJkBEx=LTP`A9{Px1h8%mzr}JqGk;1Ym231~&h}M64!<8wV#ly_ppi znjpBD1T#>-nbM7~=S&kPJbbvFe?qBv%5lr#3Qw;s4eog5nxcDqfqaL5b zC%gfESa|LWZjR<}(w_`b4EP4+2f!nHqI<2HnJ5z00&qPw9XKN1nj>C48}Owi-s9c1 zK)kx2abF`GPykyx&T;o9V0VDM1S*TfXuC1n~ z)Mx!&V#>ZUYx14=`1mC)MLvs_B*3Mp0S`wr`%SjaItNJ+foWiq_~h~T!5sKdKuuct zEIpDOkW2CM82P*_NI0zVnBqkML66MK5UNA+; z;3Uzagp!Tm;@4cD4g!l=yuZCbacZh0jSC`5Ex^Z3(kNL7?%x6D`IbC14eUZ9?vb9` ziOBw;&wq<1$Me4h2(OcvLKXf$d!!z`ZNU7&;yUB)8WNWD;y0zXf8}BR`#)cz!A{)L z>HhWWr8`h`T)pX``?g8-YF_>`lZ7ic|9(M#@+w0zjLJBH+S~t5Blv*>>}*F9 zA0UbRou>TvWq{)r!P(#JVUq{{+fU;3;h$Tk|9Q@Udl#IkYJP|QKTw4K`4**8u={t; z4T}A*my1WRf|J5z&FJdiyBPnmBT*(mqLnXX;f8wt&jtO-nf|x84B#l$MG9G*aK!Qd z%a1d303D3J@_6Szp6Gub=YI;oza-UJ_sP=V(^&oK7fF2p_MVmM)6#FlkpEng5-ZrN zm9Ggu&;RFZzuP?jJ2;#Ckh}Xgt+0Rg&{3*juLdpo<1ha|5DsN>Ae1J?3IAk#@BcW) z|D(YFi*x=z3jEK7^ZzLDpQ-s@{NMlI3Vd)j=1H@8FR$$EEEIFM#OkJz)ie1k@{iQ{ zXy)#Jsd)67S^&c1p7TlnNS#3QJehKc@w1c@ZibiFG}JHu*lv&UTTFdd9;|V9T=QlD zUmDXJV*byggz{x<3G%ro=&`A>g5)eAORR7#VqZuA3*r$Z@ghm(0wTtXZM^Z_l?o45-_% z{P`mP;V<_c6W*HJ0?GYw9OKJ=_>0Rg6=uQIkCx0h!%i6!QU`K|wgQxc^q*|wKl}yo zHYu^22gfsK5x|8+K;8n*xSO(pSH1}&lLByznd)Lo+u3K=)WvjtK@ZNs!F;3x$R~J# z0T%GitMn4IfX~bQEZ5>4{|kJ_ce6rN|F71|{pzAcOPfGqxcD4NQkLtm#+KLA$jFk2 z+4YA_1Pk~s=U&0$|3Ym3(R%%7FW&n#2#6A@Z{TKZ;BXN%`WI+xjjjnfFJHqoaBCT~ zM$n0VmR|;PLt&7>{_QX2^q>5oTxb*Emxu(1N4$0@r2A%`)oA$UHYg>BfYLLg&y~pH zOd#vr>OB#EF6*1DoAL9!&Zo6E0gC>2hx2yA`rn^}V-9SrC{2oNH(l0pYnMX$0Zy?V|4#9sdZ z^rYZOl4w^&-khT&(q~D6?dcR7*rBdERXzS2Yx7^H_?h%N4sEvu7#QagtlrU*ykZ-QPz=3geXo&PKsNfEbkU6!eEM zKnU7;eAnc9wZx6p+8z2$Z0`KoXaC!t`{&#kt#V+FpqGpQe52PvDl^1NC&}IGn)*>Q z02ClsNuOsu4kpcDwz+#biuuaNGU%V1IKN)n)VV^z8OOAPB8M|F!C%nw^;_4sXLL`O zMCf+rc@7K*_J>qXx(Pq|1vP;xb%bv;VpFY_Zh6I_#>dNC2-ucgQi4vEuRneeCdDVc zq3_!`KXYv8#lf^nzgtcI=cY%>=uR=<*^kpXJUsO77pusPyNDaN@u&feRPgM0Jq^EsP!a#(zjv$E8Vf$IVG!K&Y!W#nqSMmrj=*V(Gk_wzmJa2DKh*R zxEuEP3pdi24sGXMPIU}^EPd`97~orGlZdv#y9 zATl=A?OMMI>15#+Vt1X>ZN2Y4v^Tg_)gNu$w{t8Ly@=;;em(IMiN+Zd)u7;EoaV`6 z_L1qAJB>|@U|n)Sc#;$u%`r~vm4xGnTgD5vujA3HQx>1zPurt<$bd{Sh!J!b3C`zp zHOh#2NNQTcJ)|Wtwb@Ll5DxxNjqy!>teZ=F0?xiJghY`k{#YX~qO;QzJ+HYFftUKR zWG4(S-5nIb54};H9W8;r5=lPTZolpY=re=>%3*W9|AaQUP5g@+TKD6 z@d+Kjp9BlDo`@2c$C8$J@}4|jg1V~F4IIC7K~!gx2d~Iy#fF^Q=|7UEv&jyI?uN2E z3`JmHSDM~U%1MoW_j)n*I_&ydWO@1=yy5IubBQWaMY=5L{)m-2K3bu4&o^FDAy^OrH*JM<6(7qrMZ$`PuVkHSBx73U^I$^D zJLWF$EKmliwD73D6rzPlvUc>MICyvIiZOw$Jz548)V7J(Cz|UjVrCT?VKT)pjlDq6 z>)#+f3u+0Z5~s_|NzMbo#ReV@Gu$DCf9eqd8zpt+QZb%zVDWs;J#vOJJmG^4YQgWr z4>+hlhHM*K3uWN9X-xz?A@kju&!U?rwY^6!YH09gVePXg`>KRc#L15AeVz(Skreip zz7x~$GS=fAsDpPBrH;}Tca4k*wp9I6L${`1+xVid8RI*mUm>5xOZhTvcBUFSK%n2t zZ~m$g!Dilen7U}=mCE>PIYVu8E%B_?X#b2gPoM-(IL}SkiRBu(e{&G&eBDPUhmHMS zVs?7fpMP<6`nxfM%iPVnWONirJ2?Z<%-}D%D(bw?WqFx2ccIa*kvHt`GxbNbB`u4r zNqrBto6Cs?OKbb3I8zz2Z0ft@ayZ%L4h$utY&|1Q9nu50ey9>E7!JJGsS;+IVu2c`TiRGf{|6< zecjtVvLlnN4136gHhLm#GJ%-f`uIBC4x^<+Jp@f9=DnYE(HDW z)^i=V9*g4pNjc@L>C5s@MMSNp^AzTmZ_QH9Iy9{tXL&T#_`TV-4N7-U z-11(Sge_uYO?vAthZIRxna~WQ!^XY$LKMZlMbenpGGFcy7_`h!ox1Rym6KTtk~h1! zaNot4>9bO!du65rJigVu?C;D{{Yk5~&*TfjgLh0o7Zt8QFrVrL(qEk__^J*PiJWy9 zeupbz{ny^)o2&*WaHb87B*J@}`d4A3)% zjf+5~HWD~kE|lTLpKt%>`t{Y@{BLoTGQ>A@v9Af+6Msg>4mAel(G33NBKg?IJ<&6duMsyPd5NZ`ejc9Zwmt8KMIlO$R5K+Ro$R|B4{OJ<6 z|HT{N{0Lt-YMu)N=SQR+u)npsO(ReRa)S` z!uxv0Nr=xcw|R`Njwwr&b=gy40nkCGB^BxJWv=L8`R@I8#nRU&9Z=?cZK7GK>= z6>_oZk)V&@hN6#0-)MS3o@3oAmmX?RwtV{fQv-9cZC03R` z!Kjaq_HN{Vz13M;0{>wB)!zy8G^ig(3=*G$eB6lg2Lv~gT zD{D3r=7jG{65VchW;sI@v`i#N_}#ed$5xKh>(q*Swdg0Nv<}ZCrDSdl3_N@E2OC1I09N8h(E6Z4B;1L6~l+q%mdDZF0^!SJ9a%a8VK z;?O|Lln(rf+x5uwmoh`g+D#a~;2g1=d(TCM`FaVpMDOp=tjcC%p3y(#8Gd+A7c0Bo zsCzC98teGPNzDprZ8mmo$*G-26*Q1%wSdP#A-|I~pXy#J#MA;vQFYl4l} ze&T~D)yLcFT^h)9!Mi8VH`0tZdf#1+GFTr~OzBn#bcQFR-6rBkYnDj(HnNhQ^lIE3 zVbM7}A0I*HEXfAdTYZ}*!G03LQ(08BYjo4;97#wEt(XG#`9$xpBYU>c*3j}-T8HlQ zn8vz@{ZmXzs_D#OkLxSQ9z@7@^Uw!TK=9Ill-={fcg!YX`{5laIJi_kiaaVf->xV* z9_pRETZ!l0AZc@}=g{sI*|A%%3!h-)+j=zpv(xm?YBwHqQigZ=3S4OJ5o>u^mT_D; zKNjx$<5<;o^0Lo~(!Aa)DMgt*{A2Xb* zr-ervKED%1e25)(rz|6{g0>~P?fjjb6%Y68&x-Ev_Xf&rYoQgUuISWr%9)CKs(S?o zSFy?Am(C|Ee2nOnEzd3AZp!gc%sL&~mZ8f-6v$vgZ5?Ho^K2b2J+i<58f%rPK}j`S z!RoI#5juRY(MQt{+o{Ew?=$C?eQ8*&DBW}1E7y;UmFCg%ZH|<*$%%$OC3@w0F||8f zz2QrSDH8|^Q1I_U;R~~(|1!hAJo|A_j%X7F}&m{p;)6{TSqH@`2;OA0WGws@5*Z3J&PEi zM6tIA?`ff)Vok_mmB&0m1uer-7k};Mda=&M?{uCyXK<1)XKe1z=?%579K&2p3}n(< zugNao-nJWBARTtSrizId-)8M;(Q?QqY%=n zz0<68De8E zH7_17^Ci1~zxmX6IUlQ~eI0eVKP8|o-B$r-Xd7Ov_40>qmFMQHw2ilAelZ-x`~)oe zqW*Gcx!;A%D1g@S(p=CVy-qD^WDziEV)Yp+9hw#$!N-`beth}KU6IE7vX4F@TSP=J z^eJK+5RMvNJdKcj1G`Ts*3gwWiDsy*BZ-`Hc&q;SgeOK) z_j!Y0z#35r)^+ezL~*2dpgEi>V#clWbbU{@{i@yQ7I_QN`pQU=fTJFktP^Kol=vlR?$ovzdA7t2EcUF15%7i#}(jCH=H|FV{7t#Et zvHpW)+unTcahx&HLvH)6^{T#``+cd1IbSV%+19UTK@(1|XRhynnSHGw9k`lzjLQ>( zsiVTiBpgy^_z!Cg4HbSN2K+>yO!cVV5wlgCcI0JLH6~bqua_4`-v2=S^zqdM?ck|$ z(<~WfbBf>`idz}Z;qeAp)l>vnTYKO5A8Clk6mFgZcLc@DU)Vlp4r%LZ;beNB`5`l= zZ)jk`=?h`|F2PrqEsk5_l%Irpt|)#bY-ikOjeCE(4kuKsTvw*VOtRfV#$E6wb!#F% zZsEC6&{Lk#zI(cRhujM?f>sy{zk#33V8HP08UD7(4TdwrJ5njC1SY=U^c>bb@9e3_ z&YyE{*SjW{nxy@9s*y{&Mw8ZD7oSykM2iVEBA=xtOFVR`P@ceqrov}3WUZ{Db|XU9 zWa7vCmtxW=2gaG3A9ytN%v&m6mUbIa!^7{2_Oy+Vu1489H@Q|_4c+)DSMB*UhU45^ zd0w2zQ^#_zpJXht2I?D}9<6UgE{t39C@L0S`k*L}D8L_l+A&gf! zPtLj~mGCEN2$HqptzQ38qK!esJIAw4au)q4jj;WQBKcL(a;5)^uy+ctJM6lC8#ZXe zX2rH`+qN6qTyfIaHX1u=+&GPG+eWiu@73r1zJ0Ra=h{c>a2?I-Kj#>~F>XBd{TO@S z??a1|u%@&vMw;jdDlS1-w6MWQ^Dy5tV`xiShKG!rjfGFALU%GlpG$v*!$a~N*rb}*53@U@X|<#dSjexM9~Gm z<;UF{HdN?@h5k7(_q++Gnnb<@O08gK6vJd~{c4)-=u>Svy;`Dsf1dkl>wptuk^kF&O? zYy`P2(ctxrhi#H$#Bc(vGzj7S8!|jjf~?8^{jv-eBLYF1Qo8fCLz;Y)_Ri;)$Jq`h zt~t9+3g)zPkeq(&dRO|MJRk4WChwb{?hm_?7 zCi8JXy`XCWh^LN-fzK#PYWSE#mFgJ-fg{-!7BKrea1Uh_%@g3q9K)#lMxq5Hrx$fO zXq-2st@v8j%n$4xCsj;0y3=5tS|-z=74#+RZEKf;Ui$v+k2dp{?KZUlI#fpZtC$g5 zW!9324yRC(^~QTRb8^6!pQG=}t|B(qzGrCDIa|TPcO#u!C#$YMT8I&!SorLO% zed*wb5^Nku&F1NJ0S%UtA>9x5`6-Z^ir`pdCR{JKXY{j$+R;L$*Zn}B7QDyS+fh5$ zTl8FKZp_EZyP~bl3WXTBnd}|9j{%3G!@dKh(hF&%#$u6aw9LY z+tp~(AAU1|VC~16;#dz48qpOI1PHG7(~~ctHZaMW(LME3R_v*51GR?Bk{Q0?Nx^)D1$%Oag78DM zgJym&C5t!pCUNp)TQeBl)RMh%>Gl)eJR4P%`KsGdo~-dYZeP_&UY{FJ z${@rsgyvW#)lq3WeRoQtldeqQXaFGz{wh3l=S7owt%L5lkoM(jU?sM^aykPx1u5F20ciF@rlNG^2?pmZ&tLVKU zk>4*@$R9D923|1#u9|p$V%%~;DYpgC2LDw-aqB?iVA=|UXefQ(ZKn2jx>F+!hA?eZ zrb+oxOJ&vKj{*u&j#!UOrMFv}WQHZi!$x_!!Es*mf@7Ynd6VG!EX568Br=K^QTPjz zcp=@rrcRx>HhFffMu~=Tj=oqlonf`tF_EGgoh$ZK5=geKyrRezlkpW6ebgb1qz0)z0?_7 z3PGB#Mi>ttTgkXCl_vKOcwqMrjD{>yMmd@s&|XTV$6XLk4sz$RZnN^aOgO#{lC#zH zOd?>Y-BD2)uA?MP+9+)x@t$8V)&}UW-`$-!6cU7m^8e z0aM7gsDFo;rnj@*fAO_#AW<=h2v>uGiIdht0CazvC8dPCYb4=3_fa?)-Y`lSHg?+t z+Alw)?&qBGT*g7}i|W!ckvT-vLX_AA-@qf|8kW6KAwZgn`&5O;Hxd5l2kPn9Cm{HL zvxeIp6w(WzJ`@faH9&*J$ceyxVU-u05pQ{y?|Ef#3OqB9##t2eAJfMxls<}aWN4Sf z3BM%ftCDf36`G$KJD-i;tRb2-h!J)5u!ms+MP_Q%ei>OxTJQqT@vTcI!F-igi@>V-0YbO?13K#EDx2?Y6HuL9(jknWZGI&9px3#;o={PnN zW^~NOqIa&VL%>{bEI|(k^z2bd4a*w~U$aE`%!8X$-q2KZ@lQnNGM)D)ssTyqdZC%R z^+pY5ByT?SN>9GDlhYmpSDUdQtTP&J5lBTrW^8y^nUNPK&oOu@KEn@!#Z4^jeBrS^ z;BcmmlfzTyz^&A&KD%)N9d5IGGl?!Kbo8SOGr)H|`8!b{QWc5Q-zt32Z;mBAC`<2| z0(n-Af_A%-?({bzAU59l4a>1%rh)Bdml2O$1Oox-c>iM?U*WP~$AQ!l)TS1*Ac~i8 zY-(o#M`>mlkK)-igr{6OMx%?VK+QFjV^6W1dL;ts?O7jZ1r_V=kJ#JkO8=aPZ z`X4_MoQ-;KuK6T~ROp>REm4E_s(7v&HpbV@*mR{E>VaKX4pHI{Ll4A6)7Tx(b`VT@L!ixARGp~=yu|P!kS#rx?Wn7 z4n+OU6LlkP7JArw6XC|tF(_gLe0Uv=`r``h_T)n8*K{O*sDwrfCDz%Fj-9wF`ALtK zct0bj9Px<=mu8#~9=Y}kTO}onL40tW_74`2$yLt*lA;7X>;~hSSV-@jgJFijPfSr= zwqFUbdu%*_TNQ%;1w$~+-FqST18Ibil*H8TwZ4J|i}R0uY?SG9;V%Gs33`b17H)Ye z)7A&T%liWUij;~&4=H|`z7i3T+x#!hxh3U{GjFylI%W29M8{dFjm#1ufU#QmJ)Dfo zN=ZpjArX6}b}qTrfC=t0@~Bqq{Z4xrFEzA?49D`DH%6QwV~xn+9U8GDEb!2l^hh1+PJGKZo6b#A^oZU#M6sP3=fdTC{52`)^%JsO>0=-E&vR*r)|tvd znIZFxDWB6h5$+b*c_V^SYnn46n5iL;(No==uFqJo^nMTqN_x2sAJ?|7df_l@UY z^Rb$vj=L^xMJMo_2-VNNdpSrAgxm(bMK$^5j;}4sNgmoALiQy-E2wRx7XZqiQny+% z!+S*w-;@bWM$lTz=m@`(O-@ocHQVT^QD}svywt!~rcR1C4%vY{v z1lqD9{D=`hZ7!jla-nq?kpx66&Pg@aD9GjL+iAIZP{?p%tG-ND>a;1dEPCXT_D&6G z-7*{61@Ss3ZZj)WcxKlD+S33p9fvb6)n=mP_4XKJn{S=i?RM6>szMJPisvSc^Jl0_ z!o2ciWA2$$e=Z#=;%g?oqp^XLg^PmoprRWH_QaQVP)7AIVbUp%g{B$iAD{iXQspTS z=Hky}KAKro(=|5c zvT;EDf*Tc3xK)vSIHSLWR> zx@^*Pbf$IH=8y@?w+XJB-!fD&X$Os!VSf3=Uk7e3ZXZ~Hebt8hS+(BI%v-1;_a0vk zJQxqs=!WC?Rxy!SnG^blqAdOLy%^mGhQa$a)@XR{&VtSDR5%*QUeD~-z9SA0p#21K7_5kdn#LcA&RMimiQy% zIMv8m%*_G)j4kvqT8;ka&+tEei}8BV(B#@x-cCNz z)bOQ|!2EsMXOHG*#N>?+oM>M(@;8Dt|M+3+<&K=&wj=WKg@j6Iv)fgHp6&kUc z+l!iJ4(hm$F0Gbg{}IV7y)+gT?LyzIgN7`g*O)aOeybz=pS1i~?BHHTI~@wzqV z6EUMdFU3C>i6F~1iWGMiqb|5u$G3JNg`_t`drg{JJss!y=Vl#g^=~&1KnA?V&hS4 z9XMGitpRfVmeF>UI|ot;e`gD7d61g(FC)}@?$oIkBTdUQCp{_>xUAc1d)r98YJ5~F zzgh9%<6Ca3#Yk8{R9x1dsDyfxRM#dx_0ycc`@+x0RPG!n?h(;Pt|-N1c4n06>RTS? z!Hywu@o2&07arK#_Sd^t5uXTBG;+Ti?kA>XnMJp4|sZoZDM!i@` zeD#91o4ym_R;gW*b?Shbvh2BDh}`nr3tJ83D~`&&Cz=7?49OoGWJmMO?4pf2(_bJc z;SJY(nzI~Y>b3(SU<2@jh=CrT3Tn;M!Ohqhh$jSPelbkxR5{*=-G zr<-KwFF`2VB_xFrO%Cg=VJcW&D{#0hgFT$>ktb*Zxn5d??{7 z`%+5ZND`&V+w)zh(i=6{W-t1*B2s3uQ>}anF{2l7zN}Et#e7&GAk?kj+7&gMG5%va zng{Lk!3#MtH}1GWWI1X~uIR$wU)|Es%0dPq;~{m2w#h7JB%cy~4OrNOyQLs-^f%w* z=o*F?HQD`^ORpKBs1GA%IHT;>5JzGMLiQvNm*C{*-Ic9Sb$_W6yOm_BR!Y5hxryRA>IU*u(*?YKOC- z2Ug-pKE*Cz(LMyoZIV|vYb@ea^HV7HfuRx0`B1Ca3q)Kc(an_(0ucLBfrsS*@w{9- zD!mxk#W^?`qU;-EZwu>#%H$F);mp#jL}tXlEVagJZ9Rm>_Q{vt8<4TK(vmk(Z_zD6oPFd!2G;C#h;SyXm^U%q{CMH1%xDOQn$@KU zILCaALER@@W-ElxS|9A?n%lxVF?(Ik&+Z?tE7BJ@qg!fSJoh<;mT(>^c}xbt6O7lF zK7U!-itzZ_(Jq7^j9BN94=1I0yW^}=$t9@z(GvV(W=_A^A@*FPUp*ozYx^2$`?$OG zv1Lv@=0xoO6tL?&CUa|{FI`ID9P^`|F zbQq;Xs>J*c#4>Mo`&6l`%qhxPa<#e{-ln-`)!pIxO|F@A;H9rVOf`8VA+ z2++INm!}c@OFag^c(IBdluRPv#)BN4LSr>%60(L=SbJ9BvWIy}!{+*Y%C$8C>+Mjt`MbPxT zT#wOe`JSljFVdc1Z@`72n%WjJjNyOU+d-SMRfey1z4r~QDEHss3}-pT>IR;#H=#0kVMHZ-)l6GbsDA{|F=)N zW*OImoB1RxG#K?85w0`RQ!>mjlyZQrr_jj~rv0%C zhL;_ici@4{>4%D3R$+O7FfQ@FNye{%>=>2gYnXy&Pa6T^MRl5Gl(kh%=wZ7!Orjfm zmy8xY&mwZ%lfCIxgE|s5rt&irqT{woaK zoa2}D8J@ML^j_EktNc#Wn)({C!#AyTF<|*0Ix6PC-?)s=HW( zl)d$<`rQIm*CYU!xL){6zD~Yh+I-UQ4~e?phB25Y4l9sf8U!wA4L6Ufa--@_O$5B5 z1f4I5kXM^e4&jFppROfZF@ZTu5@}KR6B}Q#EZo;r`JNi2(h_#W8kzo}&nh}3=2fKB*NNYIL}qq@Ta-k9w^svk-&>FJAkX z3hKGmgM>6mVT%ueq%a`PAMe~6A(wmPUZ}q~IUfS;W0RCaCY#YF8rGQr@cv2HrWLp@ zuXzn^N1*aR{;cmR~Rr>dv;y%>M8T_*JW?a(xW?U_KZSNFr zCjxlLzEY>lTL~G&VtRV$@|6# zq8?M+kQ+2>&+peq*y^^zL=*1;b3M!8F zmNo+_$2+YHai(cu@(;tWo!l>#I$qb+&H^EXK~pdcX5&b&nX0OJp{M%$+W%Pf5L zCUUAa23%?YL3YZ5$rvoT=sx9Ex(oc>*{&`q!G33P9GE_6i&KeC=G&k3z)XoYr64-G za%sTO-D11^>_l5Xbzc%Y4zV)bWC$E|ElA4c+z4ymaip38Q1Y9sPvH&yaaVI-d0?UZKCWTmskuCOM~D8RSjm(T^)R^L9?Xu2wn@~ZyAmXJ-Zk<&h~EPI9!RH-7o&E@Yt26-0i0P z;I#TAiuo?yMj)&nKxzYr$6g*0u!S2%xKvsnfWO)UR*#eXH2yZP0p9EeKrCsDCcHa9dbzSQUkffxq7H~5RX zoa3Pbn`}tuOAvbp?L&}wq@0UU!jhP7O;1tomm!c=}J!WU{Sk)hn{al zX9l0J*MbZfq?;w&hZeiZW{R-aONuyseq3I)^JL zi1i;LDzeL($&I~G-u%sUkdI zsOKLk0R@{u+vRmyb)TBLrNm|^d@W5UUx%tw!*1f)m-If-(lmG)eU-VS5^EFtb>``Y zo!9`CLewr>FJB|J5R@_8MK;oSe9sQV0_tuzuM*gZpXujTXBR&JfNpQ09c|W>z!Cs7 zVEIk~{WRAgM0-p;cLQo{s8P{7Y4m?4=8T@C2e$e$0o$ z7&2(8d__15BvzW+{2_8z%U$RM*o*5>4CVT$`?XXtfgOia5sfD zQMq7!pK>LI;IZ|x>AjlB zzsCD~CZ>82pZL}!;Q-QI-(V1!C%|ZiYQFNyrsHGL8=?`@B=}pZVR?-znnN1B_~&m_ zA`3>!9Y-T2f_U5!D9}J|6T$>7#r9#?$PZ=-BmFg6tPfw#=|c?hZ|{+3`*jy#@oP_H zp@y0}Jl(%vF>E`$7$wRL(y3ivrzp1<1l#s#69_DQFk1}n`89ps$PF@n;AeV4E2?qd$Y;=(i{TJ8(C2y|3ld$? zZ`+=%NOd)Bn1P$)e4mYVV;GrYsG*E$>DST=oonjAN^`0)?5)T`6`a1-`Kkdm2OdQI zxJhk|3~~0Om;y+^JhiEgFjz-2;}{XJnUB$Kdg6OGH{Vm>f55mAnQ3U@%`eQ0%#m;D zh$L1&^J?KC86Qx1ePt( zzTJcV6o5%8&w8YSHnO@!r)rmX>>1naIr(6FZ5wS%5yUzOzr7Cp1(VWZW;7E8A%;X0 zx#;(C3=**Duy8vu*%)#S(amF<91+_DZNJ30O$H=KQ9^BS9L&m%4cmAZ&)c+f0LP!h z23WNxg*I!e05Bt$%0~XFtGEFk&Q@MG9LS54%Y0c)o#f#rtC_yj;xIwb1M`wgu0uIQxtbntPkox=%7D9-V0gq##@3W zytVfWjShI?GQVGD^5g!NVtxcWbiZ+wMViG<_Ls>@!lVq+ITxK8rE-SBNC_RKq|c6T zMeapeQBse^K`k`?Sa6;4nft9Y&&ECRFlLqZ`HmCsZEN|tZq6Azcm9KQ@_A|H^u1uD zAS<6+X6k9j;QGq;{MAulk}0Yz6n`zMRkWt3q2`8!$uL)N4tvq25OVf~J;Sx2Vd z|Fct00>*8QdpjCNN(iUifh-*8;+4%--C&7#XH*f_+{@>|oGb0{nL%7Bz-NrU<@+2( zYs>$YM7luov04E>ua8dX3~xNcPYUd4lJc1IGmj#}e3@F|Mv0royyiD(kYCxUr&843 zNyb3r*axVQX^O22B)SJA-1(n|bhX0W7CPZ>%@4W3N7xypY1I2SsWluM8@@QRHCnSU zno0H9=32&{VO?>MCb`5hq2X5219Jmf^aYAF{(#BX6rMs@{z}9*3UnRs|IAGZTyQzQ zne2&~zXdvgJ`K3U?u9s)N@{_V&dI9i2Y3i>p5KmxF@cCcvj(Gy$HLlgFvao)QI}ho zbAWG$dCgxBhUwG}kPe;3MWutM^*?7(m}tLb9pqo2&wA5-x^CBgZ)1`~WJzj3kzT1< z^wZa_K?mlsZZ@>tcFqjB!VW9!-z64*+0XnpB}ez_Qh2OmJiKT%gkTNWjgMS{?&aS} zhUk5t_<7%m!aumxn&hY!lkQ1V-#rd2hRkn%atFni#6^G7=J9(pfuj){ChyTJnliZv zs{M2`Cz13K0|Cwr#M(|^Rm)cr$X<{_I3MYfdtKcCE>~tnmOPGe&dLj zJfMq{G;@F!_zvkL^-o@0wzOsWFB}pea2P&5$Ma?-#`2{<0TFzZP^|4Qybyr)VK+}7OW-jTS$Cvb8y|SZ%{tF=6bxi zXC*Ora{}D%cKsKKoT@6IQJ?e<7S#>?JUE2-hpVkPaG~qBe@;E6%i9vTjw>4ch%zpw zfoJ}E&`va1-%twp0t(2MCWxO9R}94z2}LT*jf5ekIB{dlp2s7(vy-$@gtGN(!+Mit zHnB=&96{nRp5Ep&VVQGz**9JeEuL-?Bcpuy=~^SjWzjpBRG3cr^sX;Ypk|Q{R8pUS zudA7LNBz&()$2BgG^H#{7gM~(I<3*VOAT-UL?rh(I(ofA9RJ*F(dt~)Qv(X_F(arF z8NFswzIP0XR2SZEqIhB6XOPGZJW}rh3!*a$OfdA!si5MIe#W8r#CS)PR{54iTZm^T5aA< znK_9bDCfOw;r*tiaRgDVQ2c>CJE{C5J!4}QFZWdAgl&WQRfpjag}!5#&gG%kGovs0 zUK{7o5%5^q~j7kX`@qGA`h$er}CmRMet!m-8gPb!Avgj zv`oV#Gux47@2@Psa5uuhi?SW1N8-npGKtJkdxi9DE-ybaQc~m`@nRBiZ}t}@)9O#+ z9kSyIiO13a7mL7(Mbad}8R3xbC0V^$;Tk~Z@aRc9DdqexxXXCJ_hG{V=K%cbbT9wI zx`~%OE;x}GNF}t``Dxbu^8r`99bHZtWu0PR`SQ@Ci1di+hl(`(j4y!W=Utmx8?#$J zL=G3V{Iex)Vk6WK+Tsqm$~05?2MdxTVV8(z+Lvgw`RWXKZwVZ%bdyHjWHU2IyuJSY-CCoc=+ z>{vi(YY+OsBSp5cSd-GLE@w!J z{h5qw^wgseG)P5<$3(B{r$|I&QniUP)WtE+ryrp$3>S*a6W7NuYf-tv%QOAE3kT>C z1#mAz_1#)!{^|P_2-i*Th}ximb>UN*>W)YSGOOYxL0#vBMa{l!8;DRVI#SRDX+fE9 zX2&!(qm`@Qh!f7C{N+uKK^G#|@kpfP$C(X!YCl@~6psgfW`TYbhTFg9$jHLl5OWaIqW%XAIXtH^@ z-K5X;3w;#_;~(4WutvFtZrMidp|tu}TlaZN6U>~wtIovr8jN4jlKE@BbrBkwD? zH`YzLV7UQr=hFZEhS1h(J*bb65UGM^WMpJ`Vl1SdhF>Mm@f4LB7uHr_5cub{nyV|_ z-30!zkdU|0#mopGxvJ#oMX}ysxu;bzH3fcsZcLL?A#1<*iMOHXogWN`l*n#kDn2)U z0xI%{9T0-8UYetj#Hylw?${d-1Z(h)JtgI^ok`+&Aa$|GUS z@e^!JrnYws%rH)~57yGZ=UDeXMe(878cp6b7}rvHJsiIshA=sJQzn#T@P^5){Ke}MeeD-eCzRHn3exmQa9H;`&cS2pag}`e`t}0rnjd8RiVdWr zxazxk-|s5&;&jiW{vhm43??p9g8Bk^K<^^G{F?4HBeq^;z~Xa788=4yEpANWYOu{y z!In;@cb*5K!yO-QO3}$%I`-EmZE6-?UfhX^iMH8>`ugel`65L0955nCgb+_}5KwD( zChQa{{I}>#_!(27O}0drb8I(>ExaQ*6}~h0)CKuf&Y7@9GS;Hf5jrQTS#pYkw)!o>XBZ|(_qrtP{`4<>AMIz)8TuUj7GGxGPu|%1ECPBNi zw0!&Sq*otZe=jdIC8ic=j!ew5Jf$g3LIUd-IX|0qih!_)8u<*SaYr3uz zpniwH&#l!-^K^M4yvit}oW67U+Zlod{-jM>s`O+pG5d`{8<>~elraO9%i&_T(X?}E z0u)SW3FE6CH}K~rAtXW1T$3uA!%3E+bbQI?t+0wtC-8)1Km1Qh%+vci{Q>!;L6L({ ziH7XopqVj$paRR&R%LHSDKa%<)A*i{7L&reh3vlewX{lcEL%kQy#9pwg6hSA8;yKE zzk3xhnrfdM^VP|*VVD;Md7B>jh}fp)dr_PPgtL~5VUtx~`&LJ5zvZPR`F-5t|NBLI zY2o|`z1P2h&^(&I%8l&EI}(11-KSjl5}Qp8Oi8=$LjF#i1W&Z#GQN8yOAh=GbZwyj z$?}$>wq@j0yOt2~^$5d`?b4!R@4Y{zF>6Fll@XI-;k4;z7oE`H3>ev)hG&SwBC74z z9ihEu>MH=^|DJ^Xg3UjHt|oPzHnvw8A?Stgt_$H#ee^%>^7a>=`N(KlLr+W(Ge1Rn z2&&Bl|6PD&!>5(7kht9}usXlj{Yh3E$r!DA|UViVG_1pBJst=z?5AHq%OCK!H45(eDCwqkoqw zAA`dmPOESx8nZ6{AMh4DRmCLQJKyLMU8$>+Sc^G2aoBv?x8& zpS zU5zHVWQlFtQYfj;eZJXP2p*ru3%6EM*^(w$B_olP)~@%9h_IQN)1vdC7@Zxxiun7i zcb>P077!{68h|8UmY)i~Rmz1Ab#^TUxKQisC81}as4fmFpAZsHeNK)HS*kU4!??F7 z?=+qLg63J93fHleWO1u2-oRHlJi6g2yta~-H$fJx@2Wy0m+N>rs`J-H67B8kKTf(h zFNK!Z#kt7SPqnf{P7~_;g=))mqq)zrFF$MrDoy7Q-!vV3<1L)Mp}^_F3jh1r4j!p8 z(eT@T+_^KH|oCkisgkfq3-0G##e}-YrPhvm(X-tU`8rJmYGc``% zZdPVaqizp*koeJUHdX0SFb}}S1I{TepD-%8o3jk|WYFrvY2~-&kTY>YX6?#D0z>1~ z6)c(xIH=SPfPLq(eyB!3)mP0#tJ=CxD^Q8uySe|ys0+UJzcp3FLzB=5X^c`> zxYqJFK(>0ciFZi2mYFbe zX?Myu2yeGI;~5`o-`MLHmQRi<#nJd~JsDyhaJlvrS32wsvPBph0MNY9T-aa@*`z0n z?6|s(7`8FJbVEMcJr5(v@p#*Qx015ui|ZexrTPGV{j8KAim-3;q6{7@x<6{?j(jj~ zF59AC$wC=^DkXWH(U5Vqf~({I9v8;7)og-`jy#X^!=RbperN~qp}-6S7}tbBZHt#Y zIS(p!O9|eGH~#rWMQ*l~3Fql3V)d&*KX?|qzp+xJbdk+<60w#fBl3h4h--3y2Tb-t zh51X9Byv;O$%`;z{^tYws>;S(W8Lb095er8u>-gK2#{VnWWN;Sm^}@sVK%#8|`rqjV_D%1&SJ{im{yVeIRU@&d^VBL)af8G7js9 zS`#;$JUUymhT{QY)s(LF8^oT{0j8J`Ic%cW+;uhgh(_Ic>fxe8y8~ zGf|KeTK(m!^Q}<9QLpLYUDJP!=v&z+nM2tX5fL$M$`Z)>v#sWu>qBvLN~2xbV~wWO zwPLenaAC-I2RD;L%Ra)3+4t$sFSW=naFU=G`oI6;R;7)01)Q}=5VmSb!8Ge{dxY=d zHqN#1TETpl(?roz*l~X_zr@P;id0LgMPpNC;2d!p(W5}znsk44(E857aCW1bsJ_@za4yjogs$kPu}P>abJ2UJ1|(m7KEIrUzsZZk|+FUKZBwwS4#{{G9#2QLPt{ ze5JwAtaQQeF1kh$V=S>T$%lCp&)A-^YXMMzPw{ppqxV0YO8lSRv7l#5_g@Y+2uM^+ zqDqbg);7`4_l3HspQ-YKP4&3;^~fwkhAwGQpSE@!iHM0I6ueq8lT9D1`AEq74JjgB zvcVF>yxAi-=X>ERi6JGg6~IRXGaTtzncS}{@&t32!*YIEBi6PJjKw`YEk8l*=(+#UP>T_4U*|T&(1sv93{D+AvYumXO}3)&Cbf z@P|tb4n%|E~f5wmg}YfC%H=v z=|#~F#d56!&|FKbSlCj|^2y=Xnb49S**(2r`KO2}wR}fo!0aRkHWm9w&XpRe)4Z#E z_#sn(T`_xIahS8iSu$JUm+D%L(*fjMJPaqXxf1LB4GEExFCgpn!y9WlLsym1Ne7yQ zT~33_75 zNcM>VX#OR{wn=i{cqIjm6O1;H zrA{5z*eyumA8k=aX>yueeEHCqZ!=(^Wc*;`fEVPLZ)DGB>N7RCENbl?a|3rP@Js+N z8l`H4yQL^A(*N(nHBW5GQdY$rlLSl|NY{x_(3?y z^Fo&c_XN%k8&6&Gmn_Ck;6xF|JSLnpNkNC|#7QOdE8SQY4UhmsyYK9<8{6k&d%~0F zyCvJ*ik?Vtq1#4bUS3nES_KeCZhxP9R-&e~q@1~bF!?i_9wql~;m#+z?KOTkFlxJz z5~#?fF4!tU+jev-_ z$R?yBrZ=MN0|_ooUO8EQ9LXjTqlFEPa@PnIEXzITA4Kv<3e5T6HzS5xKR|}73Au@4 z1%#zG#esb@F_S<3MKI7$j~GA*K7|yGB!Q9cW6CC9F|O=r4M`FXA6=JZ5Gn0$R$kX- z_Sb39ovB*GR~|d*ZWxoHZ3oJg&FT@v z=)1q2m2CCDd%(A3hw;|ER8!FDs3Lc#{j_!x_Mekg^lRbnTrH zcW+F>AGI%bx>e&q%;E-D<`Q`BAon#Qy=>!Xdcib=9Cqm_%o_3c zWi>8j-eX`BuKfN$g8{Dqc1Hz*_+>7i9qVF&IWs)NH)4*BO8uA2I%kDgo0;Get!~jL zepJ7_C~-nnnuU8$0+uU{AyQHH|B01t1tIL+Z-lB{&W)rjd-*fhe^VTl5iEW$ivBT* zS6E$*?be7jyk;NDadT*Kf~|W-JuSTni(Z^-KGCca2mF9D5fJ*O{DSC3fGF14_OgyR z<3WV$5b~yNUCZcjFzoA)_!t>{P)T4*tbqup5n=B4(lQAYl z2rwpul5MKKM9X~BmyD7hUUNG7qtG~~=ab=4^HYp9kCAPXcxK(%furQ}fUJ$ujGBv}XIU*xO zFfM5zO%L`cMeK=Do!bq9eMZV;9iP(23bhc4=Doxg%KUO#eS8p#PR*y3kGdpG^^;4{ zv7$~DYAP$Qzib4fW-sch zLUgZ#)^*9vOf{F6dWuz#xp6a<^8du9MODB->HmL&0_^#Ph170Qn1dtC7(}XR_9RY1 zu_0VUkGYJ%8AV8lljbF1fcd@1L|VvuaXRC=FPXnIg`&+k?OzvoTrX-)ekZbi0b3}> z0W4LmB_?RxMS{i{jo(uTcILSf->grxRg$MsYL4a*?G*2^#B+Gip-_obgOt|9G*chM zW;HvVf_UMYVp;O#iQcG_Z&h@ER5X*&Rf-YQYyABfe#z`Id@kkq8u14Umz!gsy&vV8@#(J>V62joua*05X-uI5Uhj<|pebRV1Ho_=RkT(gWF9WRa zIJspC0~0Eu=B;j&Zclxitu3qKYwBlEe3KAe@-4bFPbN6^Ns9XXZSE4z=B}Nzzs+Cj zO0e=s*z=7hnOTQ{tI1kx-xd!U*kImaif!=r7{8 zTVzD#MnjHN2-iFx(T4~PuHur2miNk4{9TVS-_i3Y6l;USlB_$Jr^oNPibVP5W-y60 z9=qTLQ60SMEU=)0wh>`Xd?r1=;IL6uV0>vJP-d^lv)JUKOai!Q(SO1eMPYa^9)OVV zu9PVMvsRaxer-p~H@1u4~s`+E-W z7grVMHsS>{^})>RzM$5knfcPRlcLv4x|A#Jbb|MOs4p7ZAXZ5G8fvfIoQ!-KcT_7i znAW$#fl2MHt^_JsM+-MwR1;&A&+G6^bJS%$#^Wegy!a1kf=6;Zmf~71eq~ME>ht-o zs|ELy?L0&qLy=mPsJ)p(QGIp!1S5YmQ9f~8 z7Ej{|PwNQCfzR!YNW>3Y+_cTZ%f9jyGtodk*mGu{rRX*cQ52 zo9uDunodC{9w+YB#i}?|HfoNs-)p5pEs~;N`G<;vA>c!9gvg^Yk&wq{>YTUP#TygA z0xaY?*X51acmkR5f$@oS{3i~0ZozwC0Zgk!c5EPgN=LK&?+feW-p0epNnS@ z#r{bZmG04>jjdUlPCfCF?(==?jk?4_km5ut(@Bg1fRz6FfInBne zs({sj`YYLtQ{SRr$hp_;MfDl{w9C!ljG(1!blZFQu>m4$x|`C%^0+QstToR(yzv)J ze*zpRmC87UWH>DqU-dku?yCAY(3-U%>1ARB!tc=OAb9h=kevR>5%sGsL~_j{uyUuh zimdc!7^{rq5|clfwfK!`Cr3JlUqZ7t^Rn>7d$u*?WFDhe;#~C>o(>F;2P>Cz@-rv7 zQ#l1z>pfQ|MZaJ|ZV$A9EHPiccapyC%>do|au9}hyjdxFDE7?tiq zO+<}@%S~r<3FIeO{ejy>^#_e{WH*xMkw< z?{_l?eEYo^%r@wf2bY4L*z`J&8?r^7002P0;}j0M^L;s$^DKHSqZ z^6`#mu3FoN%czo}o-pgZ7NN_ZZ;NrP^^%8cpAzQyT5(S4*lTc9=a{+?se`#*6m(N; z$OIG%!oJ<0kwPr52xIKaDCHc4lW`#_R*bhi<@)|S4e~9*?Z39OPIg`myZul}+Hq+{ zSk=!@;5O}@ISr_&Ls_Vr)AZhx%!y~N!!Sfz%;@N4tUOMQqx@IRi*w)iU&Q&r6&TB? zvJrPa-VVM#=|>!(Xhq&<1eO2j)(O_$H&>l3EZoo)esW--xNWk2m$YKW)L84e(<4iV z#uD75$#cTRWHL?@ot3*AYy zC)~agQ#&2~67sw<|G7B-X|9mD<3D!+lvpEWx^>c9cycdadS2=F8OoJto)hZbG3B{Z z{mO2>6mo9_=($YZu)p^F9|Z>)z`6Q4rrZH;VP@hTrYdar+ieon1wNb@J2VSH?GiBEHB<95g zhV$A6^)xmP%EuKgpnGZb9f^355PhiRh_oCB8|j~1CPu8%EvBX|(|7(Z?%U<9maqDu z#!#s)6D{Z6P4go7v%6@U+fVldt|&-8`Q`iG3}aH7QDuL{#pZ-qltQQ4-oIJKSrjS# zw3v}3LU$GCw#%2@MaGr>!%{E$ZqyO2EcWTkz6Ujck+izsN~OpzYUc+bmoXv>(IM5+ zUrtVZOdRj2lsKlgMrFWN?TR4#WLdO4u9q;t{=(-wjtq!2%cCDZLapwCh*gc+q&Ud_ z){_fm^uCR1~d;9ArxZBRkt+aavUxK|0ZI7$y9VI z1^D;uXGTL;b6w%X4Hfssvz+f)qG00~nbpWIr`e*DFd%C(5gL~c{HkudKX8I_blK$>ph$6&eHxq zr&JQy3$|2QxSSC4b&J$fpH$NCQNpHV67yFQoUg7&jTCwAoNDHp4%~BQNR1&lVEjG1 z#punI{O`B4ZIJ(liy+_fX;S^YWqEpB9(d%PZ=@Fn46QOMi+;84RTG0ej1%L&qen~s zYyc3Y(Ub)YtmxP3W*Dl@nn*GJ za!9Q>%O~j~estxVOMG6fmDph!S}LVi&;Z0Hsf~HO&S(&v`{M)7)UYpLidJ*xN4w0o zH@hI;hz@BsRe3#P1M1}ksN6LN*q`r4PRpqw`X1@^%@|et)LEij$-La2cRsZADkI@X z*?hB&-<25ud5}7#>g_%B<=5sXRKrX|J0rh%Qk zMpLxe{Z$ zeN|D+@qwQ9=>XM1Cywr2dSNT~6{esq|1x)enHk)NJB*pqJ0V2#^0?T+3f$O{1 zi&e$K6hk;(x6`iS+XeBJ=>&1IZ%B8%rFrm^QIV8DM*(MA=OFxPC1u#!O;L>YoW|Un z8hbbGD>!z4bt-xD%nP$VQC#PSDb`nMU|BGto`@~?K7Pe*%slWcuVUt9&DvY=+$=o!`aI{3X7wlm#b)+M2C% z>@GC{Ys9W1oU<%h573Pxm+5r3m1aIy=`(b9GNX2M>6~uGQORo(@bo1aJ2{ zpdoT#b9|9%KQv-5>k5jNa|r4<9<8mu8f3*9)V)l{Z~ZYwmR;pUD_ZslI|nC|^WE+RR{rd4c!ru`;^ z6?ok_Cle+cnM!dZYvAT)Ij%E2h0Obg^&9`YT~*0EL4^N;!St9}3UB3g_r$R;(q9qJ z^olA~jN3xFi3wwHk17wuI|!ER`EFARL$P{_ES=P_Axc+H_xA>pJk&cApcGcaQAXXp zjGQK&-6u}VX0x)LueMfHtLabOUDsGkdqpv6lf(LawgV5iIG0zxhG}=V-=0a8+=n)} z?QsfwI8{bm^}BX9Qi!h|lCehR2NRp0be^U+ayh`AI;y*|3OR5SKCXt*ckbvtCCFe7 zv@BWAleU*U+1{knCOLA{rT*Jag!Bwd<>hfU1bI=PTspXMn$n|T?L03Wsy}Aj5W)Q; zyJ)d67QRZoI6_74ji>;}sa$Oz@))V4hqvXOZ9s=b$`^zo>v;~{(Y`xHMQ46LI%j83 z_Jl#f<$IGOPn8{-*bw{z1?v+K@tRbdZ({o;AeYZB8((J$?Y7(`5SkN#Vm!)Ca+R5RH%NpT1`1RREh z=Nye-NsHISDeqq0yx*XWxBh|Ws$&$5M$2N79>29}y4yur zgPO?pis*fa%X0z%L!CxWEz;%{jfHDn<;kZiKr&Y4#{tH@N z3`GVmk42yoAg!)a)o{wb-|&yg3iO?O?+qhSkinFya^Irk|0z~cucLTBL zkp}{HLWEv>k#G4Pa0e+n!bexTejE5*Pl^IAvRI80=X1~#X7foF*zMAl5`ApT%&CrP zY{Qvf6DQiFQU7V=@8kWws|oIndk=&In&-}ImNbQDeLK-hu9{yv{hG0drK_tjBPg-= zFWfzh2-Z+sCg3TPs#ZWhcLRguN%s{yO2SSw3%6V;7=jN}yYv0_X-1BQcdN+gU;G;& zL(S)J*9YJQ?$N=7l({oRUmfM{sx9Lvi%yjo)~m0##W5>bi&Z8P%;Vi(1V5>;Ir{YH zjDk4p#65lwuB;#u94+B=2@a(ff!=2xr7$N>q*_FLH(&?>MPMpz-~fQGO9>aWj%zo< zCRY#&4tEfu`+r#Y<@V5Z;ji~m4E|C?_!k>^l5xiiUSRWCftL~&i^P*sA8!-?_zj*; zB__nC9aXC?ap{%L<&9?>AoYRZ;v}-79C@0qC8h<4jLupZ@?9%dwwVa3ZWEWQVNPs zzdW$uL7vI)AvApJ1#pvCHLuRwub>(Z@HiVu_hQ9*E4{QT-3X~=LIdo0>B^vyx5nM3 zQ=?Z*3V17@_R3vuyr%eGXBTL&n@OD5K(WIgfd>!B*9%FG4@*es)g;z|G9?#F6welGrJ`Qe9h~ zWA-~A@K`+xGn?nE|6@yjJHr0ty>^;_y8CjeDqT-P!Scb4w6f3LWhLDi9eaywJ;&CBBg3?`a%|cPM6nJx_3`>O$%Pa2uirvb zuLWuAxiQ3W+9fN&2tc$I94t=xf$+BwH7dTl;oz>mB;J&24G~Zb>X$V0$KPsHbz|V_ z65NeO`vI*E#}>)6Ud-#`k$O{O1uFLru0MdFBY^2xQv}S62$`eob6THO%hNez^AkGk zPAH1;mh$?tpU@ex^X_GMgs%Z5y9|9H=P%b6O_*ll9!cy0CAsiHQz`$t90_@=X&!!p zn*TtjS-YwBe-|TqRTxga2L=j2ho`H>pm+{@Xe>PrmYVcZc- z@@Z8i5LkofZvDu>;pEpgK&$`*z$7WbXt5xka=RrP#VU_z7oZY#FY?|2FtKW-bfYd% z;43{YgYWdayiUT069r?`WD+9JXC%k%byIZl=^anCo8v5e530p{HtZlwSOv({NOJ;F z@ZB!6EK^zhgh#(-3;mWq5zF`H`!Si6*v3AQILM4U>g@QJtNTke5`NF37u`MSvyfo2 zv$H#-W&QyUk`kkZ{bq6jXA0!N1P>6QSE*9Azs(F^c*|*e16OGiwk}n8KdQk6+mI^i zq4p>#Vdbe*?@8gxS@+o$4PrG{#eka(={C!ecWV~_T#hCEegVBWy}FEP80S&*zKnp| z?4PLg)*XhM&dLQxF8_9F!Z&7PV_b^VUBXK)r>c0+xmN!NS^Fk7692QR>fyi;|=jkPEZUG5GGIu{de$Hz!&~j3sFfw z**|jn^O(D*8H;M3&{UM%2_Wv;cp}>?E3rpXySZ7I?Pg%36dc|1UkCU%{ItV=FUlZ_ zz8%k^6t{3zyb$-yq~qi0d`oi&iQ`Pgycb6NblneYA?&uP`4!$927*VAS^>VVLwGWb z;9o4<{|_PHTWIREP!V`oTFTA)U0vR$3!9saYf02LVlUH)h%F5z1H_@q)t!{${}Nj_ zpYVDf(;jj(Z*^z<8JOaZrL6fGwii(-sTNo`0}r;Oh4_33MitpAs% z{&S}wLcmMRhA{st1OL^u{C6h2#Rtsuf9U>?*!~|r|Ia1tKXUay5~=^_@Bdt+{zQ8J zk*oj6)xQb({~y*PK0~~ftHW83JAos<^H|K4kCo_Kn}3EG89g|3P31p5+QCif2bXJj zIQSo9RD=kDeB1v*qrp(zUfy%kBxgw(u zXO^`P)jxbsioV$&V%XFC%B1Ky-U{hx?A?T+9ib9csZzNT(KZ3Zup`qxj{iX0Gb~C#@V(1!&Pc77n|E zL&Wgb2u97QPQnP#!k4Sn%EWc%0zn!6@d2ecZ-2fC268Xs$0WJ26!hs4uD2a8JSpg} z##}bZY28Qa9eJz&mRkbWC^9a_W|1meBy7_Ds8m_`Y3R&AX*+@Fhel>E?H%1geC&KPTo(xOUtf@>-ekgVam>&yzVJA2oyIfXE9+ zz2wb?f2u;L*8XU(mEfsven)Kx0VKf#7vgnoVG9o1jXjD7Lf z-O0gq=FBC1M-9x%cgy8n>nsI&g(~8CMvL!Q8wmwX2>*(rr9B{u{cvnMZNQ5g-;M5n z`C0deSU(FuY+60_gi-bUH?gCa25I*Ik&~7MN?iC|Yyae-+x3cHK*s--^*UY=?)5!+ z&?D04MY;f~eio%yI5M8vL5c7`oC1tF56*7ym!fN&%|p9cLtvD8Zf$8_8L zl}9}Id_jQJTYr>$_3;KMhKYVv4~XY$U3EhKiboaOTMBQ0vEc>MpJnv?y?I91TXs>p zfZPujXuqG5$NcD@!uebGOV;<_({Ra?ER)T+2XHaivW)8wv5Mcss_(Nl;g2-|#J*nM zgRus=N^uSUN5%f5V*gL7*!nvq7E{ZejE8>9*#-#|hLFmLw4uiulFyV_e7wsmMJi_f zVDZl08!>l4ZWC_UoJqJV+B8YTEV(j@Ts}>Lg>~RlM4STSq#~?4*Qj7pP$5uwdut5y1A3l1q0Z6AIW z`+4|9Xy;R^7g2&>xJEHnYj-m0^~EPOMoO;k>?v2PLj%e}I_jv8*Kn%X024!@5&V># z*^z|8gQqT!5A6oxU!dG`6SE)l9)T`JP7Qg_el`4nKpGL_wG- z{XMtGs@)eR%(XEw8j_OiVT5f8RZd^se!RCDwb-Db&MPuqP1OxM7?#ucO561w#SW3IDh3IV$rJNk+`m@H z+8~2;HBTzR%Hnp+SZ~CN&E<%D?`yE5Nn_|rOAoRMa=5d6aum#CG9KQPaYQS|3XXs* z{MhGQ3uRF4Mg^bFj*rB#8XnZejVZ4r`6<)5M@qP8FU{IyHzdioQKwBcTjlm49LLCh z@H;aOGuiQb4nS~vfPR9eT1N7*yhEjR0d|;%D;K3n-=v}^>6^#BV~ERYwrptE1i8p3 zzP?|lNtekbp77iLeJcXR#5+yz>qO5UzxA`sHwMAWZBNB{u8xF9a+wx(i2q*c9-Af* zeLxFw_kfPs>#g~INFcA_8aJ5DgIk~8qwh0x(=pxxmxAdjBhE@Z$-DIoB1YAM3zNN6 z>RHa{V{s0jK~I|O3mZ2MJthx7r?9^B%6S*d?7ig#q;~D7s2+q-Y^Sl*GBhM*k1sXU z!Kj)!Ok1$mt>OY6+z;=honggmaxUybQs%hzyl^SI@|aW>-a&rg>1DIwL}2R<=ESF) zxtjm!wR3Ow82awLg1WQN$%6+HYE>*>J?s`hkzy6QF;yu647sDF(gzvx+&{s%ma-wJt=9X zMZ?|McQ`=YPtp$YFx?D3*N<;qiTMJZ02e|{jD(d-ZsTa~j|RpYmAHExXn(Plxk?+@ zBZ2MvH~LWO@Ei3jZ+|=1ALVXR6CJs_GgB+|87sF_ED}-;3d`>Nlj~1`2*ROO zgdXwOz2D^A&!Z=eEV^gQMy4q~M$#bivX|=JZW0|_!3~=>=2YrB+iu})%dRX@R`8TK zz!E31M=~jkHL541mN!Rm54TcIk!Fi{?A-?+mH~b-we1702C>D?g2=l>M;+>Za<8gE z!mQzWm2!@ztS(BihYO-i;e$flUWextJk%k7+D*U1nz3N1+Fq3;xzT}y%>4B*navf; zCx}TINTcsS%xgpLK&uL=TZ7vP1@FcyyG_bnU(}1OXBMtT?Y5qT1;M>OsED(K4%)PH zMZ)faZrEDOy|H3iRZ`)Z*vP(2@|0@6Hulc<`i8T?t?I3W{VbWVO2znk*g&k7kyPoh zE3*!M0yx9-xZC?(UL$Y1DlZpzP6UG?wAoxs;qkO!~(C(9Fc=Rv@<(T zW-En3rQgieF-{UjK7VSrH#WSzYHrW)_1SQlE+sys9V=xFzPpNEfP#Te-WASx zy^2g(j|+EXIpKuW!vLI~2hNN6u2ua9i4~s2sj=Miw)2P7p?R?;#y~P5Tr&S1sFW6} zwYv(7(5Kv7R(xvgl7p(ySRLE-*_$=Ou$obBSU9?e_}yZyz-9TXuh#-Het(7OyImrW zSI;O{T4sb>{dw{(a2&)qi^~SKd?^nVygS7UhGQytlbnGtIu#H9J~v=pmV+!YGsERm z=l$9$Peq}n(5b1QJ3h_eBTre`?ID{vt`axeujR^6(Z*=WDrw2lhWf6j%CG>k&_E_e z^4gj&f)#uN;c1}+;=~`WY(X*Fy+d9prs|Gnv8FGUEaGSEbhFXP0^5rMOl$v0id2_z zR=FgFhjZWs9b}FEzxdTzJKwTS?x*`72x#>oP zfPI*NYb2Ztl>U%=9gfp{K3Lx*I(S+5PSWix_58_UjoGZURmxkVXYtO~8~JyzqbTaN z;V%r6Dmj)y62gYYW!;&P)?uTps|}-j&@(|jmbsxdY|M#GsM!wPpd3o})e@%qbtj`l zeO&9iKaqWg)o(kvDngG^&~WmxvMy4$fiRYU0|ohlhuO`qhHm)p4m0oU78WBx7wFqwQ{LKsW|Q8 zE8C(^*#%jn^2AozIs0`cdvBC{FIO>lDfS16cuGg1a0|{$bE=eBl+rljCG6YZy$^0- zofj48{sm>`QC1rL$?o-;Y}ds3ptF;ic9I8fa>6jYmq=?7x9=AoOp_skMcAHZ5Aoey zp%JH4PZw+`I(54W-#gArwICTLy?lRK!@DNkTj<&J=+J;h%v)1AO-Zu1D^xFAX%JZ; zs00&O*CX8RpHQI+dTH}QKSe?(01$Zct$dB%%*%Wi0shMMh;yR>VsJln2K+6#%&IyqVD z9zh#U>rCp0l1hRGY1J?boaVL6^?dw^;?3fd<6)jx*cHvB`}weE0&D+l?PyA8Y^|~q zF{2gj)ycIdN%g8H=b$-os}rhs8z6w9WgO?)o zc$;G*PFBO!N?=2O%&FyjxR~2JWYy+zbK-X+A?nu30$_lPXAIe~AjaP5w>Bov!jH*L z?~#cfUSC>BDj3{ag-V31P@ zHi}ozRrcB0amkzjE5dW#Rx~c$ZYUekiFj%%7wE6)#bSgf$UYjQ)?c(4I*Nxi=`2@X z*<99nxw(j#-rSr~LE%qmlr!mws_95NN<)?DNGh{!8g?WF?%67eiO6R@9ge7O zjq@?SNrCWX2O%^3by})MI71ag?eZR+GX;|l6cZ?Z&*Xd_F+=(nrQb_hybSu-H%=1e zK`!y5%&7gAKoOL@5j)T~&o+SBhRq)y%cUH@ST4$lgoLy99q>gJ$JQ*MNT@vZv}Pxe zNu{WgdB(E-!uEZ!TwYN#wz4-YN$2CtFZC^Ying;v5-%sqRzKe1NQWko_#Im5^7jfU zn-}nwNmYZUIKmx{B&DocR>Ke-3NY5EUcSC+=DljuPd#!EJlDbxy26epELp9w|L`wE zvp{L8CJq#XcUVZI(dcG=MwRq)CZG$^*}*P*Cv9#M>>v~tk_M4B=fn`GJVm>@|9S@6 z<;l)uKJAdWT$zDm?<#E1i_j)!+PP#Oi(IYaUZz`BM7|a>?6nTXF{}FZG4kjzwT%*d zG#p9Rxw0GD%rfW0UH7aEi&m{E;a=db$lK_gQ=v=bEHv-ACD~vm>i3zf6dmtiowwU0 zhTufaKQ3&VVb>5RGKaz^$BWFnS%2m@eY-QC0}>Nd_A#We$!SKrI#D~i7r|4k`0!Kj zSVX^G(8h)rc}-l+{xTedKy{DDy^7YSchQ80IRmz7Is%UBO~P+z9vTxCFFG9|8qqOD z$4v)F+Ml;PR7?yqaM%x>n zEc9g8klgLH)GyDMTxY{}PoCwVp^4KVw?_IfB^T3;Bw9{=u{e0C#=P=o)WY(WPlfGN zT4U~smb;&8QLK2QjoA@VT40pcJZ51xzfXU4p}9Wn*Z~s|&vSmkr7Oq{_N5F%TKE%h zSoo`m*Jv3Z+aGPqT&zO3zI;zxnDg|Ngu%^{HWS2ItAR9tBm8sl-y#_~S-$is`_y!l zd+uADC`HlHA(s@hiAI|bt-F0;oSvFk&w7c;jf(K%c#}z}A&)qgvfTJXW5mpGqegWx z_#W0IHR#gjh2jhoZEiNXco*8PzY0!=&#Y8??ZEiuuC4}Ell zEw^$c@+^*Y{m6dXs@tuV><)Mj2cx zwWs*AuDS>8uyyB%%yE*vz;}Rj+ZZL!af@-@6O}E2KvnT;*S9*R&aPVteky1-i?YaW zB2e~eT_)}o^HGynZ;nz%qVza>?FWytx`21mB$mzrB#kOsWsMcz&*p!*CAmLT31OE# zovIM^D9`5!(Ty$^<;8#}1iqq)FNldhz85KA2L!>KzVCK{Qu=4b_R~b9KgUSb9+ENI$;Pk zbXLx-Cm`J+@pH{h{-Mu;+Go{%Mzmn8)GuRxKg7G*^U#_z35%tz>G_Quhv=x`8riv* zd01tbxC33>bQ@952ZVMHsPN3kCg}2W^J)x`(#}-~P2tZq7K6Ephkn#r6pxvvb;!H8 z`TnC0J(U03tb7H}NQkM|{)oc9 z^6OFL+z5rf@dAD4Y?JmtcX`Te%Tyc9hEDN0p_VP;$+p7dbAvy*@g1nki>1*V_)|gm z)cBlYG)Zq*+SBxT&SH%(=R^$nCDoZz6;p!w21&P<-eO%~D_EKn1IuTSEv~^Z@RCbXvCF&ncP6q$3T_#3 z5iMj`D?E<#DMy;X*jj_4hSl=KAh!ob90#KC;?`;+-* zivr&!e&f?NVd(M0JFcGYxMU}yh7-pFi9~a!qK`#W>Lwo}s<<2_kY^wCVO^lPdR*D6 z{`byu`$I(4%zvg^f&3=mHG$@r3)3g8Lj$HNtzWBnt>z|{dk+;TV|$>5ZZYXf1T3&lAD}mUWRG_|MD>wakAN6{?Htr1^GeAI)+|4XzgEPX;;EalF3DkuF z>NY&|n|k_a|IYX{=CuL$!@##Q?>BGQ$v`c5j)i~Lcv5Y;_Nze8j~q^i`FHAU8*IuQ ztN{#^Jv*N4>Sh>feP}_SDUNnlq1PQh%TEueX7yYWGLsSFGRb3wGHEZBkUq>kij(V;*iZI8N zHTfhi3;(ETTRVAY1WRU`U`3+!!=! zW?8!Wyv;VhLQF{SZbI^^!A7;>6%G2)w~3n9Mdvq#cOr$GAkIrxR^x(P-dAFjBkfq( zl{!%`@9dnSqy&2rJ7%tiOqfnA8 zjj=LyLLWOMv+oP&^gJ!AJ%a>O&W(%t^@nB!9YiLvp~P&Y;e0eN0?ml_b&%qCbl5;t zqTW%MWV2Q-$Na-*j|qWX`hRHxV4{Nt2X5zzV257PN(u+d;B;WiT?)a$1DLOpUSVZ zJx7gr9Gf2h;yUAQ_94P3$XxA)&k z{B2PsXajXo)|n(vjxfG*wBmWQgx=brUZ7dhD(57ndKACMcp>+O-|%suZ`fc#0d5ec zO{{4jA*!R+w1>hva3(;AlMlT`J`NLr+AU9BjgF*^+A$QBLVi0SoYqRJ?E`U^_Vva# z9+dUvmk5ip>1Q3fnx62I?d+Db*sxFM;v$6!pA45c{GG=yNQJl)n z`M5qDcY-)=W$1l=Xqf_+l;g+52Lyx_O(yKscu;^BZ0eyhqE?oj&r)Ymwa*Y2x&wfB z87NP*>syBHiB8Sm$KJVDOJ~e}{p+$_KS~`Wo0E|-dcBsu!gsTKuii~UGGkOBaTt3`e z31$PVhg|JuZUv{rgTKV3d_$AGkG=T!au8Q$K%0D58ou$TLd*TMHd&v7H_%M zIAL$mVfzkWbD!U_YU|_3dY5|~%v64`*6oZ`f1!Li$}oMd=(kz1o7D5>vH|f6%M|B* zY?YMfz;%wbO4{v~U3-mMJ($gofa+T;d`;g{>{_l-O0Wm(AuVR2H}bG0w9GJ4*42&Z zs!>GS6AdKN&R`GS9OcL7E5XhjX?JQYR7PnRCl0=Bh&Z2SI2~C^Y!x%t9NW68YqA}p z@t)4`LJ*d}J$oI7jGhjHsVS$P}G<`d^#OSIb ztO6=HNSW9fLi}dWMR(~N$3#a%<8%fppD()SSIu^!Q+IZg7er=%FMO~4E3F~xdAYyG zp@{Br_j*f+$}9X}le7Lg>!d!5o?E~94TVQvLP2~<+{81+Jfm$GRrn-z z{cePGaeB!7RU2>JMfL%be+ZTy>9zemYW`2t>`9^z(xFY9z18VFPs|1`%{83H~fq!+od zPvZ{_Xs){Fo=8}YlYGFvGKQCoslc4f|l=j38Q(=dUztA)UaYW`9^8m&9$bBk`K zNxJzpnfLsHyL7WMPY&}-?H(6Tb5=JowOCZJ=hR59D$BliMU4lgRvs#()u-T#2_%}M z-m9cNR~cG8p%(YvCEazQ{OL}P;BkXwX*{DPVuvomKMXC!!`!a%s2INH;rj5QwAaOBp6W#X?IaXFl6lEAV)fZ4 z&Hanf>3iz2HZ*ORHr;5z9PJKg>cV-Tt*(fM%;jcWs)(EPUB7dy;+ic=hdhskTNl8r zMxoTl-TE2i?VJ^N9;m1$V+l<0nM*L9~V`dX0#UURVno|mM8_j8&G#6{#ZNF;8zW$)mn zMu|$(fS+ZatpOGS3e%-Kf#a1dE+a%J&li40^oBf(|9KU7ym=t!T}Q0nnK9)FdIdp0 z1owp=jAmANr{6u~+t#I%3K5)4Sqn&04l|?WDSvki@&{hX{1!I8B%r=rY=F07`3-y5 zQ2FKwX;Rsbg==NlVBQgN{U>*MuMRT3GTmbikG6JQrOUNgHrqxKqTAh3LR5Rm&$ecj zE>97-b$R8yWVHG}8~qxc6MT*wMq=LyG;9cejmkI~Bhf95RGIhdu5ha5%T-EU(qBur zJGjR$pD(`yHaN3S;XrwVV%B@&OAmS*QW}sM#F=@^Je$eYAvEG;yZiF&R<^yAo)m8A zgp=Hx(=N|tk3Z*Rd7UUTp>Mz-TJp4sIb`Oys3R}HV#9a+1|=EGeu`s9`Hu3V0=@lM zBoR-*xxM~PCqqsz1(>!BMKvTn-jCIAJ6NnO?SJlXC(}OuSew>s3%X@2&U3OvowV8S ze)d9E%vXMzYb=bY`vSt|7;$ue&iGqV|Ha=ptq%ca3Xljr>M z`6YjU$lW4&9}(e1YESgskZ0De0moAP@wCXKNd4wKGq;aP39AaSt3d<$Agn>AnQ@5M zyFq=gstkeStHs!e8(KpJ***_AbdxFRSd3Hw#hIP`Wb${Z{O2x!{4t*qjltMy6&?nH z#vdo!S#5-PZjb6ky~#l?hjrDxU_28-hYfLU)4{L9&I?CX6`8#S0YrBPKtUG68-rmd!=pMe_K8I5mGrlDwVuBqlFYRNl`ZIGgRj5Gf}du z?Jbu{1GNQ1BHUZez>+kL^5Cj(&bBp8AM1UwD}C~i&Dtu`dJmU159=>~T6mx|?T~fN zJR{r1_qvP4exr>ZVwEblfbQhgl*rqb-S^>&ZZj((SJOSEh>(HqEsc~SFnXuvS+0lr zg-adHr!%a60V zbszWFpmn0lPo+)we_g@~(=xpwqh8X8N>0qC=h>@oWO!N@B@AJ${mygif$$j7%3`0E z(Fs~x3(DOb!|BcSA3qGG#pT;YPEUBxs#;dDs9)7gB6a)s!)#Y9RiEVv}KQ# zr>lJfu96H;j7ylvxN3swIz zrwcY%8JZcfSg)NozzoVTd)4eDR}AyjK;_Ia#@NNsSP*92i5;UfnTen@xxj@_4Zv>; zQI%OGqysGrwWUOET32B2SAqouXmE;#3YQR}c>6*QTXwZktbu}N5+oemCNq``+YXf; z)CJ8h&58%MqMM&QOqa*eO*Pki5}#IgJe%`Pieek56!GI~Nf8>b_5|Jc6v)FRJ^UH3w!tliPScFH*yH|WVWM+)y zcd7D^#Sj7_e~(9^^rZ_~iETAN3ru;#_V@_7w-P%yQ`V`mEAV<{XC|zC3ZdHx@fXQY z{5Ik9aZ19_+~(e%whZFOGDc@BXy%l%XzHj`JE}a|jt-fHvP|)6VgXfD@g`!-st!iR z{Ond6hX(Yi9TaditR)MEg#hvGOR-N|=Ib)mSc(5KItAt4g7h6ho(e`!i>&tU!Q-aN zTZF=GnI=5JuPaw2i#5s`W9~$UM!T=!ZHk@Q+e@837-t-Vhws4uaTrck{vs*PL6+|l>qA5S#{ z9^-44Ur39_H|2{jp%tNf@HB0;-pnIs+vwEy4v`ZO2-Z;OD=u;WfuCEOeiTQi%U3(P zkpf&IyTpQbhbn3Gw|YzAdn;+ed!73tk+8&9fo?%a5cy^5Hi4|Tiq@tliDJr+#D+um z)q>Hgpy%KRN=>jBg)_7KmDO-Pl&Id47X~J()wrQQEw};YD*HKjzO`a&+iQarI=%bO z5S;z70l84T3cI9^yZo`U!!qId2>tND1(eNkPV3JN`NY{bf_W=wa^7iaV{n`fp!uCTfqrVgbPL*r=9jKY@K#%#@A(^4Tac-lpUVC`VZ=h*H^$@^aikLclY?)T(Zg%8G0@s zE)u+{P)eT6F%Odj24xhH!0UD8o2y%DkPFn+tGXJxei9xK99a}KuyW8^#&5kkHBysr zQrPa{mMeokaJZP_ifJ{OS~sO5wWCx8 zA-CEYkl#C+I9>kHlD2dQrvF5N$F!7PEl>OyKpmEKM?IVQ>}&2n$`gqL$rA>Q?1 z4ZutZ6gQ2LV;xEkB*vK()>Rz3U`^DL>6Xks!+@JKnO?t!5nlG?85QM@?^NE9<3+>g zUtvjf#1w8dSE+8lA6odHFdbcD(F?AQjkkpW`{PaYw+UpdN0K{jPkU#dZh5TLDjI4d z4?E6{gKL#SeOYWSad|N2;EIaciH}!6L|*phvF9k4b++AlE|u|168mBKzWFWOxzwERtzS)QlFe~&D5*=@l4&|{HK)99q)-k{()%Wj{` z;Lu$MLy?SGvZR(9tRi)^iHC-8krRL20y+bjFz^lo=taP=Kj2gjsbWN1nfR zHjJ*YfIVAh;vWfGFNa>pnB1K2}3<;o2av6>dTZQbi6$$ z3+H|c41&bc|}b>Adn zz}PFl7s{Ion(CoGlF9njmhRWMm*7)bzF13}-Rsu?CAh8VdZn<4+3%rp15`?6ENI)?1cCt zQyQYWV5#BtO8QA}^aiV^mv*V=4z8fhW|#rl9Ag z=k{;+)6%O^6^9V9o@e3xllGQ`SNcH88T7+EVV~CAubT}coJCZjQ1uR24tLFY(6Q7e zsp|IaQf9-KOHho#OtbtThN$E8GB?VXyrIZEu;<2K`PT$zJYHpuq(Cdyjtc09R3vm} zC%Cf|!|Ie!IUx<5lb!|A-;8?dLqtKVwft4~O*|IDX&Rj8ACWLsVsDcun%Pvq%W5NT zfzEDbT`&G{`&@g>#dB(4)7CeqgtE0#m!7+Ej+?hbs48=^`sZPRON%=Ns^0GS2!2H3yM9-?|t?z}kX)$c9WFnjL3_FjAKwZ7|fJ13;RK3(^%0c6bBTW`YwumJPxz!Hsu zdtKXmWOkczE)}59c7}CH5)N9kI;jhnZLy6G&F~j=co@S-(&!nZ#YyB11Y3Gl=I^a` zhkEX@wW*==;u4z&e6u%&eGmVr5ry5R@+k)%fs9E1HH0E7Ag<&<;c3qndh5!Vnk)98 ziJgoq%32dw-{l1x%Y5fmoNX8(Woz__;8!7kC!;1*#H?JSg`R$3mshcQVGSGyH=mlp zR!t&)n;~%zTbJ0e*{$i`3+2{p+FZ2hN3Og*9UNjgY3ogCk(>#AWIvkREO#xmPwM+c z(<(9rvy*-lkIqJ9C`0!H^BnLn^93xtM(x|1Kb?E}jDY)Z+=i*xZ(WL)>oFyc?O2S? zl;epI8h?DhN!wwm7;I0^fpXG*RxV5JZCN>8k;!(%u_^JwXImsXE8wMdqh)W|yNil& zHRc;?XZ3sZlMPa!b}X{n=FN)n9&y2>o|^#93WThFwN~tF>0UQqdrG=r2?R(jT_`i% zZ|5g8g4Y9qd@17BrN$FjpP|&t9$P8_xLNJ}iAu|=X-eMPnDeC~lb&iWom`J6yY;Ir zN4ej3b%q2MFH(1O%s8yv;ZjQx9K(OpBF`PKtFudZWXgcz2wVBI>s?uOXT~gjk{pJ2 z5#i~QTCB{8Mu59V?4?>xb^aR>lI{QI)WrzYX?QA~_%}y;Yo4Y!-H^x&rpxbN*1U>; zXt9+hK?uiY%!aD@vCWZ(d?TVjZ9+T4Ai@>;{zLYlBJ8;tS+iC~m!n|8)6Xui# zv$|bC0WP)JxhuZbPrvKg_GXt!&>V4QF~e3mr9dCohQ~&h4f2}p;y#Y6g?+Yk-K8E_ z_bB%VG`1p)l+R3y!E5)r3R*4LW=m_5E|j_|6dmV(TUu0#@`p5kbovzR%6T!$!d$hC zR2iBSneMWjQQk%-HF!4g#_sQFZ=10pGWdY;Po%7hAU^ee7Za@>=sty4A-TUjixZ-ng(YW?xZa@H!eeh;{{=nc5D-OM!ZXj;8%bk z;W5@9iMB%!{_J>emf?X^-oO}n(MS0z2yzb|R5!kz^W%s`n?7fvH4)_Ghs$?$-P-^z zUWJhstuFT`885w4ty%OtE-`oQ0<-F!`+axk}jl z>-PC{s`!$aJ^*__9;38TlPL~=%iX!m;iQvDd75fD6MWCM%F5k7%fHYssKk36+=`Wl zJ7@C@xqUf#rBw0=BRtc%A(CD?a>VovP%BN`Op8GjgBQ}){N{)l>Pd$KUf9At=r1ZC`>B{PsJonLjwpFURA56C>|*qclg=K9Hb!EegAYqqcchFt ztXAq2y&Z)tt99!|)>yTf17&azdC`{wyQQ8^Lrq!pd2x8g@j7kP(j#4Lz8n~H$xD}yRR zR-nCjIPy-guYyLeSBu>e)%i3v5E&KpXUY%@ih?HyQ)B95ce89|15d|+=1ZGq`}$KMe>Q}kp2G}2A;9L58Wr< zQkYnz!ML(=&1$dbjKS@tWvY5F7s=`$rIhtr=yKl>&tr}19wOT6@V`C?Ca4y>BU>zU z6Wj!z_dD}QGV|tA%=YK8Uh+~xrjxmdsfTU^;*$Z+|G@et(oq}(!mWFNEz?Smymhl& zI>pi(jC@>&c`U1`!6QJ7PXRaVRI@Uea+PwO262(w?0j+Yp*#N=3_AVX2yHKffEeY0 zY!WB3=CRH3&jX}FhB+3xWi~~M>lu9@Z*y|1ZCH%u_2v3+d@KW)q-BnfH`~DMkt1I%L)(jL-kyBq1Zl;aY zWw7BusI{A0x2*ONi@yur1Dm5{V z_i&Rnsd{==a^2_sL=p3So?~J}_UHRDcD3p#&#rnxZx3{hb@E zcNqmFxPdqyVqlb}rC@AcXC!y5s*#?cv;!Gqmlx$r?Oua!CBS3a1+|}jj*dv{UgGW90pn@XDtCee}&XiXdrnGVwGyT;w`9~J0o2->h!?M zq-VY_X?87CU~;gub8?WIT7uOpUE~Sh_D;NPt4r9Msl={g^+p^vq$K9&&QZ3E@fb_D zph0|2MWA%v+*6>Vj*bMzh!0MRL&G&5-1A;Kn6x;{zjQZE%D!uop^7{~oaE?JOpA+w z)`Pv&xR6|9f^M)TfD-mN;q*;t`X-ws&qjX`oVUVn1N?5EPu}=g(I!cSVdhOY(4XQN zc6oyzK;Sq#DiLrH^#)&BF2!X($mpoyts~#M0hIwOIV0BJD3`=*bDR-Jjq>Jaq@^W` zAjyW@rlhpZoJ})k8jjgcq`o|B}ASm_na_oAf4;h*Ii=k7FNa@|Hb5{WFv zJI9nJpE~tI^~t^IZ@Y3HNy`V@p%`5J_^DhEVE&Vf`zh; z5Z)A%%eGNyE6kLwY5_Yc-RU+Hcp#9@({C>Cr7y%vyKSCma4dlF|Wt#b2XJ?*Ucwr!x(mmX`2p)-y$Sh59^ zYly$`S++RqY`t;BXK5sLdp(w0nYlp~&byo6i*;yht9@|H6uZ`8_cyovRPX!w5*wHD zK>wm_NQ|A?ZE?8p&lC=Pne^Cu%AIvz#w@nb1MFqJ+lkGM!%Nj&OXIgp`iC-9xlGjA zp3$Wk+jm+ftv9EZAq^dTKEie&)x5Z_W`z|AD~vjbklX1l|M^B0J;EIQ;NV8XhxFmJ z?_*f_KA2~S>1S1i1k&`Jb0uYBt#(mF-)d&bl6uH9TeiUS32{Ve%=Y8j#f6ITgM;xG0UfQ^iW}T(h8UnEg$Hs{f zSH0*2YDjmk8om_Ppw5!_^sc2!DgvmhBI6x{%Mfo{dmlO%&WvQ)vRX;cTDP8&P_9@Z z^2E5yD&_RGEoH%YYRafz(kl*cVsKU*zs(ZYrwS%3a{7FPdb!KJ3t3?Hz9(7G!^*SJ zVL;iRr_^)7AjYCBnzB8z;1|~F__4}BQjE}q>`%{40P9sV^5}+t@opY?gfg1q=7$zR z-T;lSlQfK}5e?Ox2NTLQvinW0oL;IRh!`$JG;y8L)VqgwQAo)MdB%0ec%+-sM89nC zm4}ep1vE$_#L{e;+SJU{Y$kFPx>v~s2+n1^(|m*7vi$ye*!mMWl7ouWITpT%4>EZx zGEIljl&dC$(s96+TT^lK)PMZ8IzmHpMMq+e#bV3nMEEbScq0C&aa=H63)ne+;5R zrKbzfK3a~GVHsjJwl^y}Op?SeYuE3j`b-VGsQ1gEJ*&N!G&eNgIWugWq{eSg4fBLR z4pVK3U3~gDFOQh$E&;7p1{aq!P^{`W&JzZM-5 zs~{FCiOc$=+jfAYpxIN&-mjvb_mZ6aE%zb9$*VFeC{e&pC#15{8s#j1rZv=dc6D+d zK2yf&wb@%q9pouj`LHzqd&C?Q??}U4}~Tu9T3>|)A_sv&%TiP z6nA*$sSVEdv#Bi}AJ{2PzG%$fEu%PdYvCbCmNAstiF>>iy=1d9vhjFJsDOOZYv);k zw^q=;1NxCh0I&3gR~~tx`HAv|r>U5OKkRGdnD2KPtnp`>sd5ejeLnhQcePU$2FCLYM->6zAYzf zv(oj8V+{i>o^VLN_;$_tA95X#d?T&=tvhft@q zy{@suMJRS(IS_8Y3@-Ea6#xVy{88@1bptjt&b2hdHYHv3twj^!pt4_n zLRuGJixMWg;j_f{Xt*go$69^wu>ypHU^!p3eyn64Dz}uO#_xQ1rY+(L+nV6xPhLLQ z3Cx04+2mF`d5w$zli^U4)(F{X{u5uydsY78d06h~IYz887nBn*W5n7ca$<((hmT76=a-eNpw*d-P$GZtULpe!!+K^0qI+ovYd&%P zcSNcDUEg+87G^pSkI>0wGoGmxlcVDD%MBeuBj3Kx%4yJ=4|m_mbn*oEr=-g4m64I3 zj!laYA_do9x-a{&oY^Vb@K3osh#ilE=w92(#DGefJ4#8&wVwj(R!W#M%C%F%VOFHD zo$zeaN=cE9W!m=lF@1DQ-u93fIqfk_>wD?kW);h#SZsrZ z94YVsR5J;+0C2#coC4jFaz+UD>j%`fS98sl;C;T!aI*Qe?Jn2tI)t@f<4vWWj>g05 zT@nQMyEvW?opkpAdMnSF{jn2@h7yD#D3T)vqiauRi9uYQJWA#^7PcG<+G7VZJi{+| zaKcQ?<7(u<`qXAp2A~b94M59OMx9NQ^IKc7tv}LgYh{^O=LfO8bugK2t!iPN@K0AA zz^c4PBNO6QM)fUUcBUNzXbe1lD{h^}7KJ~O;M@=wXWLE6DL2B%fGX((vCpY$NS6QV z2z#$|gp+j9O8_W=c%h>O24DE$!@HZH%O^|Du$g#yTAx4)N?PlRH*+!WQJ9lDWn&DWw+q^adYi_3sIga)62LzY6Qzo5ey1!~<4sGf`jA z+JZenw~$g5+iCl0cAWPQtPh&^wztP1i8fgr9<=&${YE-JRS%uC_wytDMfrsGBWWMc z&elU$w)Aw^(Oz9Ewu&a0}%KfuVM$Hm2Ho5n&X9(cE9S=W`e=wP3S&_#6 z7~e{QhvUoqN%#cNS6cl=Pggj{;Y1lg)3_`!BoqHs}{1AEO%g5Qd160rWNO(rHpsBRQ^OjVyWdov*7S zAw@~39O>{ZE+v4#Tkzm{+2Oq|Pa+{Nh2tF@?ZjTM4lZ84>!(rLQ0;{;5c1*;(` z>8d#5v&k^9rI}xEx3b1SrytdGMkvBEX6ko4>WtH}$a?yvvl7MZ?`^@e1NYr;MMnme z>`rCu;$YotO#OvQo(yrNW3C>*XjyULmfnbec16e#@7~Rbd>uFw&AP>6;H5H#n|tlS z6iu=sx6{&EfQ4bG*KNwoJx!$th9z}q+*zu8pRjvrL?mKsyqGAVw&ijDAv=|k>H0#b zADs-_F)oiyg2poi_6Jb((G!9KzZIt!TK*;ptDpXxGEtJF)I`l&Q*)Y~bcMFjSX7R! z3F%5*Qu?{nTAvS*$zyn7QJ5KBlbJ-2Ng?(hixJ1-F^{AE^9I$<^h|h^TN_#7SLW5%;uz`PBRn4;4fdZUxXJ|=I9yl(eJ*UK^+vA=7pKKN z5+MMrd55t(`w3b;B(Wf_ z(v<0pV0&59>l?;5>)=!i^r&{XrY|a zcFGamOW{j8!5>^MJ_>#LotF<%%fh0JM~53vzf)A1yxxhkoly{5f=fQBZn`hwqZG@P zHJnzRcK(V^-anN3Z^~Tt`#g|?XamHwURw(Nd@|=VPC7ZfA~VP8?_e6j$^)M=RK-5p z_w=kF!Mz=CGvK#vI}bN`hK%dehneY$T{Q|%k1~f;Mx8lolu+1IgNTMMwY0Jz!K0`Z z))<}q435R~5i4CitaSEz*-Xvnr!KLhk$Fy0W7t=PH!V-StqM*=@?Q^yx{yAtl+;JF zg~0^ZT?4B}2P4Tb&Kz$rLZ}Lw+;EkTd3r%dRlQBzqpIWbL>$06;luCe#wH(Guiw%F;8t4i|2E0BlmpZ*y}au{Rsw)aN#|K zv|sWDCnGF{0~X5l-!+mOpyxQhIrf*Vyk!qFhs3j{|1nSdE&Gh#9BGi!6=3Z>`xSwu zU}0nucrSzAr>_G521N4Z6-fC?b6hDl|P(B6O1)dv8Imhi0W_!fWEHB{KLtktJ~k?M6<(`#C_uz1BJ zOCSR@7zrXuC0hV%jV1RMU}^$mr@yCsegh!L1!f)2L+nYC9>>$6<9%>C=zTT07Pduo z$sC0J+hkBB?%HK-=?jbWD%VePo`Ra5rK>T z$>c_sctY)4Xvi5e7UiO|H?=`B+t}ui6qm(Hk}e>R%v@6c(nx#w7GQqX0##C$|1TE6 ztm(GDo{RTAEkR&T8f2ec*ZF*XF@r`S{`Sq#!%{}>MnFCAXSD=90LXjM-E!IY^Fsh* zd@YBn{`vb&U?wIQiDdcjn==BdZA4N9L4AdbTkM7dbZAV3)_;`;OL<_k0rOKc6g)5z zbPbdJawy>aNZvI}p7?Od`1?3?dr!q5UfY$9x(HzJnJRkBM@Y_H*Wf~@~zTQW2MIZZ`**IHDpbOCbd)Y_X>OI?8AIJKs_JrILl zqA>CMtAH6;y&{*21%@(QUm^#Xo8t1ve_p~c;C@9eAOGLS7kS73kCqDntQ_qYHpC~2 z_M>_Ff>|o?Fw(#6+28T~{bl_3;|M>?0;whTmLn!Mk~@FSmSjDDtZ`h%H7SMw8sO?I zFF@7ym7u@^#0W}m5C5{c<-NK2`CeD#^~*o;1HcYV2d=UJ{Bwi-=$2JAKrI@LT^5RX zDtTeirbZk^zD8%;O7_<{k}a%~nC{$Pq6GKLiR@wJ0KMy9?_PE7M7Ey*`1t}?(`_|Z zq~@O7fDiqw^N!89@}Qzp40!q*f8i1Sl43x}d_`g*i*rCG4c??Y%z_)?C| zSa-$940ss_==S;5+cvI36;CptR042Y^G2A9N68p7)Z~*F_%nf{gH%;OR4Lo7j#&Qh zWL(2bxwgcXa{J&u@T@IIzy3VyRh%^h7*&`Yn60s^Xsjf#?8Dp-{QdIHOC%b5P1Yfm zsCl*>b0aI7S^CTQr|4?7k5&xtzBbZli80SncDlOOJ(7@ZA9@YFnp&ad4`R^>sL$Z-2+#m5eLVCww|aH zbr($y4VR;g#%p-D z_`gbO?X_R4SIH(4>?3%}W&xphuoD2Hu_Bg%=@aIi<^5%w|2~_YaqUd?%;eo|#sSXj zBb0qieO^~zA;}m)V9qxDRAByYz%lFn(!@znweR|K$zyG)?Js)$r{jBH@t`-Nx zhj%Ofv80d6&3jRQhWx%jG@#__O>ylS0htV=9uEumKg3_}-|Tu^E{J}qnv0XJ1>Q)! zSFvylfAPMg@9TfRi!s{$`p0%k{KdAg@LM(h*Oszx40xDK0e+$?;%SlGt^Ly5D5+ z@ROxoFq~nJ-~A5$A|r|KtN+IK{&(y}L^##U3}9?buZI!#YV0V^B3YvS(jYS1|9foZ zYq)N+pAQKb-=|+Ydg~!B8hB-{fPPj<(8R<(+tK}ZOab<=_%@-JOiEOYsCN(X7isY3 z>Hf?w@VQ*_TO7?)jDq?EP0w!tR%O3WrlPM^(OMi=?3^%LFfT3X$```>U+ z$o>q+rXtr?FbWJ;0=c%M%m)mYoI@$G-31co^Zsj2#(@dIpdz{#+4R>PZoLP${Rq_k z^FvnouUEyTu{sRh30Ne*g_7@%a`5>Sg6A0V=!Ik{DI@yN+yhf-E)q~aABN{R{I=ze zs-(YT?DfZ_?QLY=&!1@U6Nggm+uqW+{%5YPOcg=&U81_eUY3SnUBUk>vtN?v-k+a5 z`SseCv2JKwo8)({TVFPEYTl_m3~jkqfBW51s-eGLt&{YXk}G%8Qw{@C58K1c-o^rs zNVDnO5WqR#`*oIozoT>gKEkDe1m8Qe#Ne(dvo-cFN98kGPW5I5<^=}Tp+I6k3 z7q(^yoz-+5!FZ26?Yswyc-94Nztx;EH6MI)|*F1zq{o(PAYZaVBOgPqCO@`oXyX7^EsLnQZ*NwnTNA9&+53oLN&p6H-)%q zSCmViQKV-WkGxQSOD!Wn_D&b1ZRDuCGBaFHjj%|&>+WQE70`INQQ^6wY|y?Y6LdQ0&&gFqT0WUIpMTPG9?-r&khq-);`^Bd zneJwgLsprz8^}#3!7*GOt{!%wd0X~Vc4dS$Yb{-{xG=H=S|2%2)8a8K40w!OmMQ4^1(p3{*ixl+RC*;V-7r(CZZi5stDN4^jwYH+k1e$9!6+G5d6b zKkIUcsKaSB9pxbygSCwmRyVX)#&n}Sl0?4y=@I z7Z$#y!%Ea8EqhJ%?ITXtm{Q6vTDZ4LZf!GfczBvy<uWt}19cd&+@Lzlb~}vCMdR*nP+qmqSt#8@!BuVxdL`@-##hD^5?STab1C1r!`l)!w z1RaDj!CB>*l;=MDZ~@xL*%I`mn$vdx* zm^qGM!XIfELAnOr;F+?q`-xEkmwy5U#v=lSl^?I=C~RVxQ#8BPkQDPcRE}5AuiNRH zoyuL~Wz9ol9p;3BGe7Vp?7}$xRG=x8aKpy%ho16@&v zDN7GQJQpK_7p{^G5@KxkU8Vgd$d40PY4OuH4w>B?YdJA9M$kRBH@wwfKIUTq_?@LG zRxi)E#_TynL5}UYY{SfT;mn&|F_>PtJD8#>esZi7*0XgIHD&nrdDg?}eEpwC1(9_{ z-6EOX?_`!8ev^CVAoGB$|RYfHmJPffd#;d9Gd3n0%m`dabxg(~*-+ z$-R#2O-orELMV3ZBo5JDTA2~Jk)!k@0EjtbOB3;+UWea95zM^FbkCeM`V?Wi9LZ1E z{ao+X|Le~lke7>)*rm>J50{NWR*WoNem^2AX;hV*thfD-1<-T|9_wnbLAU&HwRIuv z2sit3{!vM{;Fk=}I7*aTHIEIm37jrr($}xk#jRp2Dt9(x*p`AC$IJ^M zYroeazxSd(woc{Gyo%tIije3>NT$^`+~sKIdLij*TdtGTd>2wZy{ppa5=CjPh zvR>L9*)ZaFI3haz(Mt~fQ3eXT&%SKAsr*lUi0>TZW*VL@`AVEptT0G0vDXhdCV^86 zZ+>EPs{_%2FOHTZ7iX9iW9ance~qdLn7x z?|Q#H2DzyzGbPtIG{xu{Wl65SB{;vRZgiSmX<%6iXVCBO>4tkMzC4uR^hn_TWS#T0 zSQ@>%pk3yXVK;HJSF#6eKg7h-*{?e)P zGT^RI0u-P}W-erAMOhtj{N2-wCSCo7JdRmYNAd9BJFy!Hb1=VW^4o`#K6GXyyk5q$ zBuiZqV8+jZ#6qz{QGGHE7yEL$FKZU$aW=!|OVt@XMFNuCfO4(sbf-A6RJBi+qn=$I z98X*ObSZDB@x#G%RY4ARxbK~O?3o7OJd64=MjNbxiu*uhu_p@NlV`um;^JnMZLJ=U z#Mjxw)Km@G_rrk|{mU{O4?1Zj<|^sxi#vY5dHyvwd;jF4MhBGgPKT&ww*czoom-ov zQh)U^``vw^I9)R(1ffXT%&1S=v^xx?(hnC0phd!$90D?fKjE^1)0{I8!#kimFpiZw zPKzi#zsf^`&v$Y{GydcXqN%Q{JJWaE6VC~1FFH`Ei2~han_nc!@tWkdsGj>Iq@##U z!xbF*IYK}x8qSAUFU!=#itq#Dnx;L3erZfnXhtW`dXfYGMHq0d^WrbslNEM-u1VB$ zRp@W>d*NsGOR9daBmKOsX6s#9+QYpQg+{RS=s0#!sgu#*hz92@eDk=5G=uN4?_&-I zZ})B=-##{0S+^J_^+56EGo_#K+fB$#ZRVtQWy{xcv^(uX*!Z0!)w~1po(6{PZ1%XB zEK0ie(U^Cdi2##RB%~k`b&NR2_XD!4(6zoOOriSow0QEQ~i-?$S5!f7p`n6 zk!5}^!iH@YkUtBah0MLlTY9XoNS9>R8Dr2i^16j*N7v}I+{z5sO;yhI z)qy6m=CL;20_OMUb9V)lfYPP-YYE4xuCix&=3@B^ z+eVYzE50RX?~zZcPj-6%VJEh*(BU@nGo;gU(nl3M&gQ31Rr}nxu*B%LkG37>WLPF{ zYdu^CndoHHXt!Ez;U#~RC*K77kYeGb%9_6Q-q%`k$*+X#()g%kC|fh-++xKd#b>U8 z#?4`6`5Dqjhm;znrPPeJpK>NHESlVt6NHKlzw4|9eSoBKf*n?CCK4EZUlYtDHVJX5y$4J74g0=0PXjolK90=A$hHAcL4^+v0Y zKNy!A6So9|N+;Y55_d}JVq<*lD08|dEI#32unQmc-ZPii78#|Ienu{d-bVec0nFlW zBhp+Wx1&Kz{`We#{LbfFFv4-Mu#wsH9TeSU&6=@n7K!)6BzQ!L7UKCTWc zq7S$w{>|mJ6BKUNrMs^I7bfpU+KCkLpw zWM|iWilPWC(#Z5TQT<8l)^_R8$JVEFtqZBRZx){8_v#mohBj591M(MLzXK{C>>J@Xa>D_4my2R7gsdOi&Kt%`MqP%bw0 zyziKMQQmexrYkiNIb*o2h5%R7N#2u52?J2k&7QdZP6r-8m5!G@w+=}=?oqfRQTZUB zAGF}4rzh6-LltsvakCGm712Gk2QWO7P7C1Q>WeI);`O4s+P+QR-#j+`Mct+IHyl*S+`)B7~=^iPpY+H?BeG8<4jR!02A3i?pyMCg*Yki`0e0} zH4VDy&EttkO4Q@)0_(1{E($zywUaei3+?9LkA1Y)-dbSC^jL7r>rzu?o0TW^q+w&1 z&Ye4HCy4Y56A`plu~7qkH<&w!|MFlmulEe!(Y$X=Hrb3^OP_hg4=11Ds;hewRZzH%o zoNDd5IFiXT(LdpuSL1n$l#jd-j_Ta9D$M?jZ=%H>vNjnFrmT z?SEEyhp@K!DXPgCUOXJG@vNyXdP>{xt03#Q1fN-Kq_q~-*nxV>OX{8t-EAuV^zoYa zltN9VXA$%Qm-ZivOQf)c$y7TVhK6b%dvRSE7t%IGeaHFHJmVQaiCAXdBv^-<_0Hj;hk9 zR8|^%wxmUo6_adynh#<-$1fh!aX56SR$V6hybuznbDWCLVC`o)8~*W54Q1+?E;m}) ze_$|C=T>`HK@3vYto~t2HmVS3vu{Rxv#Vlx`BR_IvXMw>MXE!%rihbBiWg9;#1sqI z)p;ix3nFc?$7B8EgDBs$M+HXe>uj1JSG^pAg|()Bs)H7RGDOqEk297@>B|_YFWaoV zuJ(<^YF=&cI*oL&CARLO4#sb}>q%NJd3TN@1$O3jrv2hvzH7C{z12+i&^ zxUkB-Qaav1>(c=bkJXyjo#RhgediPJ*~Zc?0qr>VTn0dS&2uKiTE#B;jL{tGa(S;AuQN z2$CNde^QE06w4$hb6aA2k{W3Hx%E=IRK!X0W%#(KnKR6Yc7b-`rzHJqLcmd2j!b`d z%#3mmy-cu1tItBsO>e+c3S<|=7~qTqy-ao{Y8U%SoY~HMq0xBIV_G!k2Tj|W4~}3m zdULA5>735iuQk4&WEK*T4%%Px*%j#a^@405sf&*(Jl@TcH@siqu&w77RX9qtkifT* zS$o2gV20?4DnO+Y?aD))zb+STdpAF;HZSC#S(GSn9cUP2w@7NDO)I|{40l^n-*0)j z!lJ%SVY>D^vJ4|~?39%XiLo*8YIs(z)jGl!x$vu#8k^)eDlAawKGbLu&eh*^mR&sM zpyiV5?QVN&IgpBbA0?d8D0_27>7}pEgm}t3dliM2k$^$ZgtCJmXV56dGnb2RPI%#~ zsv>%*yd%iiN!j4?IGiWkXyx_P2Fs+u&Y-+q)AN!uFr)rCm0$p0gSoJ(R#lUFXEe6t z#p0@@6V$Cw%A=)%cU0MQkQZ})Bmz)!XTsk~z z%O)k6^PFYsJo&n#agP|{xM{jDzR4&d<1 z#^B3gqG2q-{M^i=PB+kovNYk^FkQ6UjHWN?cNU}WUP!==%Ee@o)V+UD2Wq3`2gTfE ztK82cNBk7i46FSDM2G4eK0Aao!MnGm_LmT7Gx){4?AEmz*a&Y8&4t@?ub z3qi-o5jreO*23-JG>01{akr%rkv~R<0s?uLlEWa|#bGO*&U@Y;2QxzbzF!*rFgPG1 zT>upv1x_5k>YSUm{yv9j|NPx3Fsd)Ms9)CvOqm(A{`!zsV!1xFfI|qXS8#LH)=$3G zem$|dz|j=!yEy>vqUS0j=P4N^*4p>U{h8Kj0vo1W_xEgHv{(nyk=3hH$i(zH8)qrG zy2^DuBv@O2!eudd2}7F3HZks28NPL}BKzcdR1Wu%K3ea`LfMc|-~xJht7CXu6L6%p zkrPE>7Bhe*BeYCBvDb5y9o6d?J24p*QyY)VvgS1SUt`vX1zYnt@i4j-D)GO2BKSJsm^m?{b3Ahen z0Xg?U<5F^&g|BY@#+Tkl_Ic}jzBA+#msRUSEeAr-kRPZA2!*9gr>*{PdwiyPIx9Dn z*P0BYc(nL@H_=~*PMlxtj#K!(Ay$QBKB`&5uR9<(qkm#e^OZ2Ao7~~V1Y4Z*>v6uK z^9Desr|x2SogN58Sv0};#_A7J6I9L4vnKi$8)=ce4 zRx-f;XzDV%^frPvmEalteB+elPhne@$#61Qj!qLUcDss4Lnr)~W}jigQdt@|>|wyR ztq7%Bfa|hcr9?tfMrux+W?{(XhlhJ4)qNR`aPjhQw8CmsO=Wl*T6>Cdc>Aj-6g|Dw z{Zb>=9@}P9Cg>70f4q@(lh&D_5c2lT=o>g`GzZn|^)LRl%)0l%8uzw^Sp|K4A=9fj z^6o|ElVZd^i;$9bb^2Z?!)%TAldBiv2&Ipj%^=DUJh3y8rnoRODR3HEFc*YY>fdpn zs+E;?E38m^rQ8d1lY|&AQ!)E9Q>u}0k3U$iVEWP7= zzSx0I;N#WKrLbv_CVA0+*#?Od3N?r5T9tn?T(OuCLQOo(HSB%xR04A==?0BXgJtMYBM~<04M%EPgw`auQdu$JTJm(X&>7issqI4GD`2-sw~+W6#mmIgyw_ zl!+Rl^4KL>)3|$H`z@RA=co{brO zp>gjpVE@&c-+tn&nB_b2g3hsnd5t+Ge&#=nZJ{E%8fT7K%CgAtre?wYxM8TX=PU9N zeIMyFyY8sBR$yBNHpWCYC>@CD;ckMKEw7|+V7&yKfTb&yq2ck3r1M-7R?YxggWUm;q#y$oTVGqSC)Vc zC>}Xwc|uW&OdZim*r#5~>ub^I{*;CkRM-4#aW#e`8bWj6qQ1(gW1H1!_z(4V+fUTe z{t@4Gm$vbkJmVgHCD?sEe)59LWRaf?x>jR#ub#8eog&K1-oKQq=EcBO@A%@!gH?eIxcPW?S`PYYtq5fE|J_)!=3&| z;-i9sFIf}Iw%B`fuxq=EF3akp!PtYm&b!tiR@xodM1(Ti2nVaOs$V0o-He0;_~zNh zTheE9{e@0Ns03VjD$07=OYi1(x;1*0b_r`!a`1c`aHDypTfS|PZ4Mh$eyS1Qo7dV# z4ZdqkN7ivCUn08%pN7Sf7S!}rQOp(3dg{B4=4EHuQqEJ+40yS2A*y}!fu zXPaRyoX`5w)Fg)YeXp~bC7tyVWj0i#lQ(>~Z{U6!uH!E1y00HYYy0xRqM|c>pPd?Y zX%FKsmHencVWf*t7CwZPH;i@moDh^qVAhox0YMd^|d z6#)V1lrBM}L`n&f?rsqf=>}y0>F%C^k&u?|8XAUy0cNP7<~@41M4;ex_s$V4xHMCM#R-ULSJb!M89GWNORuo zmC?(dgcW00>0fQYigIZX+>Yl7{&3G%hg>WW40Uyh0rf=y!feU=*8pMET^* zt8Uim=&ju81T}7};n}2v2Nm5$t(G^YW2|~Fd;%4jbBO4k+}#m$Dr)F=Th!l&CTUC} zWV)Uk^=$b;1c!ILt(&6gZ7NBU5lI0+a}?!vYr)C2QtyH15-}`=XKih8LKZ_&Br|l8 z+3Hkiw-4kYS`23QiwXHN_xT?&4q?VL$M-g#s5YX}DkOe&B-<;Pmq6hSyhIpD_l!g; zMvgjN9@1fu`!*)z+bK~O9Z)Q6K@dxU;&wgoW%rWxqU9Om5}>qv#KY(zfq5C|A|pDy zfb-OebGB?E;uGe0LA2QsMu5HBkmt>}+~aJ*bAVPmp9HcC!jyj7Awl_#rwV)Jx=z9+|z2-hSS@4G-?gs<{MFcSNM>o4q3U^!5nZ1CK~|XnUjlg=kl% z)|+DDR|*>%f+J}6@AqcdECcHLsE25X${L@}`?Xk#k9@Y}Cq8m$yy7H-4fz~dBfh{i zFG0`X6aH7F+9ZNU0{n@uSyIc=+J=2GV5SnKhgRAtbr!T8FMeusL zJNZ*xn=7)SD?M)aU!<9$ENCD6lo6M)(B&QKws>1z;n5U`aDYt1jgV5;SIaEWHnLeK zjAl&U;JdsA*@Ll}N_Cq;L8*;uGv|#O{B1WNK$FALcnotkJ5{+?8F z8@Sn=#rg_?+su(Llj&7}X@59FFTUZokbCMPRegEAoO!c23~OJD2(Jjf;R>-Im&>;0 z!lm~~7L>)7JX6Z^GZ)}_1kVDc8VJQ&tD$k8b-Xk$s+-3o8){G7n$4xzIVfJTuh2SA=sy( zzvs*M3;WxPK085Lb~P<#Dndxl7xtO1Nt2{0hABpGOd@x&eqKLjK)R%{Evqq?-kuSR z0j&c&uT}~6c%C*yD+)C~cLMKVY~0Rweg^Md$5rsZJ(O;s*$hJRO|98a@PKgWns z5RqJ!9&a`!G)EMw%jr#GAx1C1plLAu*BlZe(zl<2*Wqy%s7ROW3`}XY`WpIN56$GG zNhm4QJMNHuWH5!9(jlUKm6=>_g=%&i`cy{smFHY%$ac;@9W*&^a*m2o@3W-~E!OdxAIn+BHrr+zAD;ll-^ztVKvBhfy**CA;E1QWM@5O7BR|$;| z#g6AH$@_{vEB;wXMr_$af&eJ`OvHgP9&93~j0V04Zdcliex3kf8s%gsv5J1sf6Qs-qd#b<#2{({(~9gDM>vg;3+oS(Bt+Gn|+oT$5U_r-gOk=c#xa2 z{_!uS^9S~z>fK-lUTE3FISL3h{+qnq8{;tJEj zS}Cp}D-m%-)DDBd_Ak!T)BK;;W~QRD^-e|82b`pmky?+WHWtO0VGM6rJ1Pp7)z`WO zqxaDPK%?OB>)N;cfs?+oUnT2ZB?8q@NgkL6 zE9$%->NA6?E%z{Qut}os9=1ard=>}CzIQo~?k&Q&7POEec z8I9gY)Lt{;>UV~86PdKIb1&Pc)P3l6s6rO<)*AFU<^WQ_XK&86g)gpxt01#I`dBFg zv2KBSr^OU6H4nT??+QkOGKK81WS!dt0$t6O{Sx~9r;n2MSSeG_cO43iju+Ddk7puo z!fxY7`gVPvOX}m8v>8BZBv)1Ikf^Na^5;ENF>@C!2TIpp#`X z`;(8~o&L({lRdhp=O;VjW?>uMHO8ygc1xvbGScpQtr8LEB69i#)lLfG8IM{p%I_9- zy*E9k3g2xav*-{hzvgW`aL*jVMZeRm66!t^LyuNAkc?(4B|2K7R31sNshCXccMCBU zi=i1rdGH$G_FKBXq2!r*W}XgVhw1e5Rmzjw`ReNT?jBX4Gs2+)ghi~nRT|Y%-Z6eW zX-6TM>JC@4(JoDh9%oyxhu-$R{mztL@a>xo8OcFND`e_-qX0SY%C&XzA#+z-{SXJ& z=-2}H3O%)q{3|l$))}cXl+N_@15rZu`7}N)nTl{f0~u*;_j%aL4nRjf{x-hkmqM98$t0`TLa$Y9Ts<4P5;# z9DSI7;8=d&(xX(0(HGNAXToLtdcm5uYyJ#B0jpw*T*sigOl(^^(1@l-7`tCJoxpNt z==GrIHqL4R04i_ToE+EZ?hN2TBY*C3e3Mo&1bAU}>70E7T3=&y9aba=pVv*XhM zpa3Li(R7jO-Z3dl_R$rkSaVN%Siu>xny>}SA23jy z|L`el8DhMr&8m2!R3{^|vhCO9SJZ}2LG-PP5$e(@hI&bgu7ezUuCwF2+8zc%4%-u| z?Q`GuWDRYSBe>bg&lTB1A=;PxRqMIicb_eO_b`t`=LdBQ_6p=P4YQ|63Nv?<8@}&f zIujfJX^v@WJAb0TVGjGMKPrWCzn|@$I~l@NK4Q46u!I=MxW9|u>g5j6h-<4k$pS&k zw4A@3TlcQa9HP)8R{DCc*R&*wKS0kC87U^U7Iofac)OKKP%nIG6f#;YQ!>|r6;Vij zqwI%}s?XJ{9Cf`Ib?M`mMkXyY$Rcqg4dv3g1IF1s20`nLLVD_0Cy0V1&j`0qg^COS zKtlcikk#Q`6}a`WO{wyXugOo?ZP&L2NET5clO}IBEkitWR0=8BuVQE?z>p6eI*;Fs z+3NC$iW~k>iPRR<8M+o(xWpa6#agbE{xcO+rW(^ z7ej*SBg=Xa~MZYqrcN;Jvs?l7|wAcE6|Y8?0$&i?RnxY z*IMtHtacftJi6d!OjsZyhCrkySddWPlPb%LYzqN-?7IGJQMdMc2XJB)VruU&=tuWU zG@vwenq?X)473@6)`x}sa~{IOh}MR`&Rr%5noTg+6 zd!nSm`DptUc;sA+xg^tUyIUk&h$V*LG|}fuQ&)k!m752C!;m$4)c7>@gH1}0uV-U6HIOZBxEejNLW+%!~Jao>{s!U zgj27YHQ)BGabd47X6d$iOZkrSk23r%HXg+avS>BEUQY9AcKJEIT!FvnaK29aR~Jq_ z%l3S!dx2zDG{Q`U`XIHw&6?-pmgrWWbvJ*S@xt@xq`QPB2|Epz1kBX(5QqAmxlQVC zpCS|S%5AW>|Eyt3y`BY>PT9_!_ZvAEG&~OvF?a31vA4{AQ;9Rc1OoyE=HQ z4Us_y(nhL;E$91SHviC3~!DB?bzm%G-v72#acN!llEy zT*Fqg&DOrG+RpCWIrCgY$2SL2_^ZbcOHvgiiiJumV{~%n?BZ*}^prn&+kN!lhWu1S zD$}@VsGbynjzvCXX=-BmiQgm?UVM z%13!RiK}cJeH`oAyz?Ro8ZVWU_G~O^H z;YmMs+)dM~_7+4gw(7x>6I44&}2&Pv$?dEFbtUp*>uaEQR(B+Aa z1k-ls&#lQ~AM-ly*Fu^bMcp#5B*<<*jV_991<(fOkw22ZOkHn(p#mFD8$+eHJvrywfHxNnm$@gP(j*A= zsrG9RTfgr(V}GRLnnA`k1DwNUG?2UK0TGFime4u8!|-iF)bq!P#tsEOXI(_x&}H@8 z2JjUpYle-mQ`e)fNe*8Sx1{b3>J)8W^}00Qx@fnaaVd*tEk5r%QhIt3iv5ykGH#&r z-pTIsmyf-@;g@q3KOq-`*^7^iqCOzL7&ELYyqfDRWJ~M|c-NqbRAVq&pHJ6|QA%>j zT&3*~*C!W-KZ8HyHKuvLd}j6I!erbh-i0T7kV~%IT*`~S`g%b_qOqBI@(de?+fF6N z4zFp(RDZ`}c622b?~iTbnRXXJotQIMt5Aa-D=}s&#HX1Yjb2iIJ@CaO)cp-%%dX7o zwqNpjp;5~(QxTt&$2J}<`(y(OlW|n~G_Bt8wokiA;-ZUN^<6|Tj%o@T8Ob*mg!;$7 zmD23QxGo_<6wdlDeEHIPgHC@phY~Cgd&iBNMo@Pg6SJ5s6#^bxx`v6`d=+K_$GG)Q zBgNKm3M$_-#p4EEwCSSrPChJb*Jp=o26MEi1oQXP^0z!v z8oJQ}uhWXNGo@IaH}n$XeaGdSUMZS6gL!wquWWXB{OTu zdBZUDMk0I&$QJTZc%de762%4D1BN-Pk+RiC=mLwMv%A)Lx3|I5XPFuKynAPFAGTI~ z$qSB$evF;Pr1Ujo6KYW1wv_Ho2a(O4Y9u<>UOuP*OR{F3pS8b|K)RbB{JLk{zPfR1 zfBlsdGR3D!-U6t)|!pz zMvzHpKaEYay?)_00!X^wp;muwhI^%%iGjynP5N!Xf3&T@&$yKtqG+v_Eb(ov{m{LU{ z*(~D4ING!MV-i)ZKaJ0E>xvU6TGGUL5$SU^t=glsaC*a}R-@$(sGtLWL@HbajhGon z45p8#3K&`!x{06QK6TR#cjrYlnNVgU%0F+?Mtj6R7g)V(JX0yN`&3z`wrbWsZI7QzF4KMAsr@UvsosN7r9cO_TBN&@_1?0 zxr1H;^ioJq^l(?-yL*USdCP#k9`r;(fApH<&NIHuH)dQ(cGbQ#Iua*VAy~sYGZ9_{ z4hLwWUf|t>uM`MTtRB68Jn|I9S)9;+n6NtDo2O+kFw>(ZkyPUGvzVW?`>HhMYe@U7 zlyG(d_Jy0fx!{p*`f>lw@z#ND`ZW%ah!S*S%aR%`B#Q zsK>X)x}*2(YPI6tmBcJWY$tfImtcy*YV z$DgRO-KhtpqU?FZp`fE(&KdP)RTAp78&%@p+FA-ME*B(7@$UTvCFCH{4S1HTi)MU| z9`9C!g&qu%s3+rCE+^4$61Wr9y7L0P5#!{=$z5S*sjJ6JFZj+9bewbEdu_UyVzu~; z^xQY4+${?LpWBa(<|!Fq8ez!$C>Clh+7eDzGFDjkQADL$v}H&NHJSE7)YUz~{HB<; zg`!9Q-asQvK&CDVG6bnrAbRcgT^2@3GgnvY8NcLL7DKjej)sWkZmtppJv!JC16%yG z-1CT{S)t)pj3}vh&Q8B6Mk4%u4o{Gyo+}Z~2?`gA%d@r>;|r+v*>x>H2N&Fn79dvd zTW84KfeO8?dnle(DmF6MvnOYx@shU5hR+VeFjM;yIkU81y{*Ax+alJeh3IdO+k3=% zmu6vvL8EWT=Y213_v^W#MLze#uxjUxYTv7u`B(UF_`D`{{aHp5Tdj1biTdBf5!pD} z=hPG6=^DIT6J!^H2v+S?;h}c)yw_3d{ohkHV(rCPLoy~2mRjpZ6-o`F^krzp$;*&K ze>hBOuYg0fVJZX8lEe>KWXUK5We-YslHp)308_+T)7N1FOAVaCt|GxTXT9+3lmsH! zohH8^D@#uJ>d4R~Z+_l4SbW@i>vL#Pfx*1wrq%#f>37e%y4hxu&133GLD_=Wjz*q? z%5%Lzi}lXl2tEP+nE+7T(h!(t+OEIF3K0-fcvV1=q<}sDUYe@e13Qz{AYu>jdN#Lg z5K{@ORjwYR>I1cC<#k(y-E`AAZprLBVM=B1KsL6=re933A_qnCB}dmR3G4e^5Xb~N z3B3ID8qdAJNI%=q`826LkNJdG`Fjl?BGMP?pFp3MGsG5%lKNvuGxzo>%p3eN-ld|) zh2D=l1%X7lpPp<$I0_ghFSdLArFC^OC3*v9*jk2ZT&+5Mr#8%}$@3;>JqjmZ|rdB(O# znn-z2A$smT5)Q@5`CfQj0hDspFGMfR=xqA3Io5{v`Fao6EFKl-Am>EcE(brdUk*$$ zyw7ZDcxim(kq3EoF+ZhKl0ohUd$K|&a@YQo+Z&r5$4g^C!U@^y6*l9s4o@00-%q;G z5Zk-gJ>;a-YTO@oXD=WgK@84t?=ov>J!VKdY5In~OpHkk-A*toP*+8s8K=D&CSvWc z3SrxBdRK-l9=Z1yGvK1p9%cqMNA%6)8}+oFl>6?7em1^8~lNT73JlszuzJ+)qn_8 zS-tCKb5aK!dgM}hrVxl9Jr zx26S+`aQiwd6Gee_xAX@y>tbk=HAa?Ok&kW`SVAW=bbQiqX28Mjm*bY%F*KBz9-r> zm-y~yLPy`EjJNV;E~7mq>#&Bm zye$QjBEOe-<=lil3gP3*Zs)?hV)pJh6X)*o{LL?7Xib{HOU-(GepBIF2fJMg174;c z`TeaGz83FqT9|y;e^}B@;l~#su6dtD-h_@E!Rx(ITASTH|3{o7NSEU2t}N#BA*p@J zFT`E~V+9`VGQ`~H_HzBMLlna>$QdQ(qvH9rhi#FG#8EWbXQ)-@fLe3ajh+g?c*+1v z)C}CWCD+_HArwE{X-U~L3cKU={#yYt-2Q>}4++l(viQ^(_jET)!_A)3ivm3;P*YHp zC_id>2T@$_ys}BLnOFZVTF7&4o?OirVLlbecmm&PU!|Q(-ll3CN&uJ=5^UtK*UY}= z)xXq8UscB_rPNTI7-4SY>=*m<2X2g~71R#aM);x*5hC*VKalH=jAbX_tZb#s;+ zZZKeWNcYpsr+R>l@2jatY2j*w&*e+mo_MJ?N;GafJ}ETPFTb4ml^1ni#ZzN`mqHAg z0_VIq=6U?_nAv zVj4#At&Z5|R3%*SgH0j6h~!?&HHbL+OAYlXR<3(2z<5^&s7bX(-~K9lv!jagx@b&# zv*{=sXm-{TA=}pUv_i^`E=V+CPF1^NcJ;{{uEU&f0`|AmUlm+2E@ZnT2Ctv9t26DC z9=A1fDJ7x4VCSdwf_LTbp}#Ml%V5ep(P8_ZIiY2j2b#MvbD6Ebx?OQPej&M}{N0T! zv@2%5>v(_;&)OwKq{_F4phj5|oAr>=#~iLqf7#m-XSkj4(kuHa`mJ`D!3^tF;|KVX zE?nVB^Kw{&=a3Wi2shz{;&z{ZM$Dv}ibM>rx@LuMPIx$DLyyC&<%#<^Ms2uD66907 zQsCbK6 zsrK~;^S>vO@>E-pZf>?^SG7eB;xUefz%yFHi(nW2prgJYxO5dTONY}$ zxB+wKh}N`!`7!R|sg@_vzUP_w(r%SM(EfUzp|wN(o5rI@g=g;Y0VYqGNr|(2Y1T2^p5&On_&w&g_Gfbn zr?;|ZfB2pBw_FmlX-&tm^`$j!?yAo`Ae4MywA#GyQ9wVupe{6+Nl(*vW8uiHxdu@p zQA7!^KK}Nvq{nLdn1LyeLqh!gQ>hWA5iZxL4YalvyO}2L&ECG*4bV~+pdfZu;|f^` z&tNOdV<~p>E&J|C*4`(xYz9I+2?;hFy?9u&1ow}+Y3jqR0v<}(o;mOFNU}yX<>_nM z={xWGAeI*fJ2RPbC=$7w_NLo@O$kJ6-=HO8)C9~@EDjfMqjxZ+eLv@L_NqPDYTTc8 z8e2f{wkE1HGSkU$Tvy#S@CP5HlB3Zsxb4TM6tb%g z(tS{m0v$S%m8J~Mm#;_?eH*Q z(nxq|XS5Q~VDP2hfHHnB784{B4c(bU5^p%E@T4zH36&e|(v2IyANIj+Z0H+cs_qya zjPlq7p|smGc_UM9?yB9uDuX5JEtT@0_(N=KA@${@IkZfI8jAu7&y*M4h|)lG{wBI4 zd(oeDDo9AA9^>Plg0B2)sw^!q(zf*&4)`34;2i0f=`f7pON~}R@RMCtV-;uBV{#xTlmz9pLidhbxd*blyvE?IKRP4-p{l#?s%+U)E@9J|W^$&{mWpO^b z*3h~0Pn7*$4H$dIAeBqR&d9EF#{i^FPr72H-W4_mi@SQRnqgl{)w7tuvu)q3ORIKS zctTn9eW`|>GTX1vZTYLk8>&`2FL!m{d9H@c02z;$-hAGJoz6zP76u57Jp}#eU6AbK z?&fQcPcowKiQi)6e9b&`IVF|!NXnzDH=2Ml-5Wg3Jppo6gn(RiS}_=I)ozE;#^-e? zB)-SY$kaL*_U0jL(9eyp&Sf19lI37#M7g>Yxx8JV@y(rg zmMk~19HK$BdlIt+H_b^gUwpBw*ww6N86)FG0h0thKEmX73D=ceLNQa ze9S(`XngOr@T#~2MseN1{(c6XR8H_u8-7I-Z*gacvg_h*lS2ttd;_ruj?61yU-So# z7T?vVbwXGDz3)f6bs=#`(}7<<{mA>h$SR*4bN*rq zI4iP3m*GG!CGY%=KrEj^!+pHXVH=i!ZLkY%G^<9^S634w6Hv{Db2i0_r8+2~+=fGS zs4i%Pn#M;X#%HHlJ>S^m=^gZ)RE7kKJ(EP`%*oY{AC1MSd_8XBNZ5;eG{r&zxi{n_ zBtBbG=hu3H*4q37xZI+^%~$}iz64&-e!eJ}5meE&w{b3h6#4Q`= zq&@vbCB<|V?&!!#2@3yRZO5bDu%J${qw-_c+SLNlhWDtu@Yg}E`>Yz$=rn!~(+!rD zT77nEZ@VllhZip;Ad7aT=r@N2%)Vo~A7=K-gGpX&1$h^$Nc4Mdn2O`iqjGdg&z-hs zy!*zYUw+>aGM5~m2un|~x}bO}oKSq$ZevDlXOq+QdUgAzK10mmnYuuKqW4ekaG6Vn zA0v%SLDfl-%|#EZc)K2LCpn0NxQ-j;HP>3`nwNi)EbNQlUq2%e0gJEh5MKG8s^j(-#;2bPfNvHXtPl_wOCH z&td_t)b1!+e{(Hr2Gzym(R)ZcH6-}77~k%87O3{Eiaak@uE0GsawssUv}g+R}+zqAUav*5t^cnEu5P~q?#UVj_76SqW%YbPJ*o?q6f z&&%5bW?`ZKTWIcD&^4UHf@@^IJM9*L(p+Lt2kYggXOGDqz(tJmtNG(u)mcPrGKyoUdbr{%erEAKueJ8(fn^&z|YD{ zIb+rDHn^%CUR6XQeZWg;3o&M|Y@1wWdy^vquh)v;m<2+9tHbn@^-O#gGvv`(Ent`j zR3~!o{@1E_61bv04dv&Q3;J*C>6Au_q-BRMf*^Y4Si+T-s#3Sac0)B3|yP)DDUq0XnGZ$bp=ZhO(bN5%e zJd^>kKK7A)z?%2>7s>O)YSh?jUITmz3#Q#=Tp+)#|5ot3c0l&0+;}Tc zdhEuhdnP2Y-?(v&KT!0nv-#-fg2nU~bo;`&*vjwUiUH&`87peR3X4`L%m@E5>%S!f zzrIL6dCuGd2o#QTikSj8%nkgZ$kJq}%iWI;zw)f!;CLm?b6YbPr1pvWv)ng|9zP`s z8pY0K??=(FXW-v%1b+vJRZ0Kl>(VUOA*b`e0dVu!AFoatJfNCTJRZ9oCPpD1<)f9& z5Iuy)A5~1<>{ACt+{6U;#K%_FltJ%PG7sv(zg9H&PT06wfW~5r*B!>c<^OJd5CqKl zo?_GQmJ$zO#>2ko)IWhG{adS2FoV|tnEsX9K-u8Hw_pk&p$qhp0VeueweimLw~){$ z8PEgT=?5$aq@O=^|0MQ?_(B}TvBsWt{$aoEX2bpk>&_-EVx?FVpa1^$2Y1ZDtSXP6 zF&MtUb2R6YS?|DOWDHTw8*F39YfFpqq7M6FDEb+7ck7->){U{Bm>h{m2IWe z8S5cidFSEZ2C-8E^bn&$R7aU#S^_D-jZnq$Pdp6k0uP&0NoOO(wR;XIXx7PR7c1ct z_UK4I-o(dSb9VJ4{M%pd{N*nR57}47t%1ksss^4EqydlnH5$R>vBr=|Bl)*d_weChq-cG2P8}j_gu~`Y%FBW*Z z?||k54tg`>x?_6&mNx!BYR!Kq<3IK5zmvGnZ9rPLWlh=o->w3{5BM|A%Nu|38UF3s zzkc~I)b|%SeWjYUN)nst>0)mbQg`N3F)1L98~kto5w8ePIM;eVQU5Q;g#ZwwA*;{7 zqr2bZ$PK(k*z;R58342YZ;nnE?N(v^wx< zWBK2_82}if08Mg1F`_&ungyMP~v z5Xi86`LAE+KU-?}8DNU3&%eRR-_Yq_mme_$*1P#h?(W~X_P;dGpC4pd0j4Ow{Tqnk zc8dLHbG(uUtoIw){QbTE9~^w_k0V+C<4FJ6i2r%cek0F+9O>U8^#5g^KhZ4xk0brh z$>bkL`tQ@)pXB_HBmLt@|9sm1dms1*BmK7!^8e=;De9TDBo=LkiinYGX5&CrDf8{} zXFg_{BOmO)l09Fa9tybMq?)pp?F~jI5A|kWHKB@Z`h3dH;EGH=Rak#RXC_2^dCVa} zW}|%m<@>ZB6TdJXG5sS@Np9%rxeMw!H;0kYRF9hw>;eCKwFC{n?2>IgDv|LL8xHo$HK}v=HO?BU{vJ~T-eD$9mdAFSN}4~VsO4Zy)3fw9W}OC+!T0syten(|_{kvJ$KRA0bp zweNvg#TyA7IHEWG?LSst0S(;u%~T`fVO%oI}R>phl( zzvKfh%)G9?c_?<3LNj@|o>-k0IT5h}8px-J=CPE*uO4R2pub)h3 zBK+8fN~6Xk73#inMC7vGuffFWzp<##CUrHpxsHTI#+%;Y`RinXKPxMS-|HPR3gOsaaLd7fdAcnY zj2imP>f~xz^L)S6EP%nApm7Yl=3&rHs z=K83r$xYg`jlq8MR(DXTXR~P{icA;!B;^X7{g&DSvT?OR(6numBq%9p%yb!Ncn00n zWhg(`H0(_3Q0%tY4*=_^d<#7P9 z#88hUTBekPHOa3Jq|WAqEVvbVlB5slaY4_eJyKy%i`RtE<5ZKqfQ{!~{{0G=QHBK3 z;O7*tynOe_*DxK>*b>Pj0{!#h$On)(y-t>;#9)wAELDb|vA-iyRNr+$1QX&9yUgS1 z5AKJuHTbgVeh@Ba4O;cV%1vH&16-Yvl+C^_%gJ7$-L=@gg;0Vl%kwi;^q<$_;nNZQ<*rX&JRL5jjH zEWmMAW;GFtW+#coIzi_F0n&O0W?eyvv9)fjqc$?y>ZyzGlxUNi<_)}Q5$nJU>)~sd zi^b|h#e@N6ARRjan9Oh}LF3cC!T4gk2@JI4W7b++3sc(3waLuC>Q^Mr{Y2ru#07g;Z0J zH3XCx`oh~n;e6E0VL?J?9yaR>TjK&!7wSthH>_;^2bZI66{-bR>!sc1?$QXn(D|~! z<4)RFKy|Ongtg036+=9a?KZ1MX3PyJP`hAv7%(HU4fyGeQjasvl27<{WBi{ulvkkS zL>YWev!f*-*~Sgqjr+m3SKBvFB=gM%LY#hyd|RK-sAx{etSH7oQ2{OfmnNboLQ=yo zICa-pwUAiL*82{vf`+48P3cp$;{BJG@AQTCTu^{E&#%v^-Sc-eHq&B}Ogj6;KG*n}Oz!*@tA_#?eoZ@)hWqwNJp8lmdYBe`{Vhj;^1o zg!x^eO@1}K8iIN+`)nrF={?&_#2C1)gH(Sy_-uv{MO=uV4rorj(@u@Z@G20FedTcl zUr9<~0_ooMXU=fRfZn-X#wm4`lLd9~#jbPiT`V+lQel_JlTxrBG&NHru1fnn83I~+ zD#Q;jk|MCK>wQ0={+KVwOFG|0CI;v$4#>UEtHk`8to7iM$w*|qeq^(p-p`_Df_tb1^}cY1EVQG-o5FK* z=m~@KU>Bz%c5;LZ)`Ysqaq;teSZX%Gd&d$c6~Nvb;HGBH^3l2uLV@!=I&SMvIuw0> zz}=)1^$Z+@4UAW%TjUGt1{VhseL-xycH9? zT9Q)gv|0xXxavdmcm^0$*c#d$vCp3nb{w|b$Lzh$bVqJ41M@Z`hMY!=g_#J>gAT4s z6jd~{nTT3P1!#b)y@p0EULV6+T-Mj6>NhwfYxEUC#7s$567R2~r2Mb?Mt~2q({|st z3X*fwgeT;pVbQaGv#C=ElaEhr?*pVa@jJdk@z*e=ajpqe$G|y=mt9>>3t@{`-f)LJ zNh_usZW$_8ehzEhRz|m_tPZPARjNw;>Yd} zS-2nnluJK*aQ)?=AWl_{$9)h8@=IgkJs}hLd^U0jweCnz$dtN9G_GK@L_F9T2({O~ zHFg+2>+7#Emt%=msi3 zV(3sGEY5@oP>>zJV5F}d@qK7qQC^v8SbZnYviepWa$V)8m(!!#%Q$6d_HmbM7N73? zwGSoj3r#6CxZnG{c6DZ{C~aVInFI`i;3uFwTS^LSon z-}gv$In`rmgvzZgPmTRn&yXJW1Kai@=&fGqs0t3^XK{U}wj0}dD^n{>uWTUl7e%G< zv;MY&Vw>T48Z-m%>VS^l$$YxGtMh))1B zETNDTrU4aP&E{3DxIrb&tl3}h?Uq;i_9hm6mp1ZSp3O}d*=$(-MCw8T0lDIP$85S1?wDBz@p;har^ z8IL7pBA*+yC&tA*=}9mtcir1W*6C6OoVa0#=97x0QlP^e-B&*|rCjfGjBy;g>!NG8 zQ)=ecr^!o`)YT$fo|iQKva~ZM^pLb_vJ&!FosEJ8l3MDLkqLbzM^uaKVy-6SUC5;(%yV7}wBE^h2| zRJ}7W-A$R+y4*9&I_u{v*AVk&0eptLByuCe$NALx#IAgvR_Sktka z#dfH12V;?;!IYi_d}5A;{5@L^deWY|_rg>iWrJv*5S&4G`ity)LTyV7sit6taTq49 zp4|qwrmF^Y-1A<>c@8mC?g^U;#8r9PC7jV?Ct2e1lJE3Gz>Xj&)eH@zPUL{L<|?~@ z*+I!I5d{_vKAB~1JiDC~@S|r7>2a+w$@f2!-C6o|U_tL_lg!FO7EJ}=2O z#$#!*Q}ZTZewcr~IDL1Ht6*V)i9Y2bslZ~{p`m}7$~A^6xz4{{>g0T-9} z^KLx1$;qEiLplz|No`?dI@|7bjNmMzR^)Z0y`P(W^5W|RJMv>2hELGpikzrIMIo@K zR^|!gW2wD7jF7WNb$)Y`6D%`rPV(=11H_ za2Amk{N8K7_0k>5m&NyE4=@n%%MpSZWAFFn2Zm*aB^6w~yB_jhu6kCwQ@xrJTl|Z21=nk$mWW_Vz=hvS(;l+AM#^NEGp-hGO{LMD53V~o1V!A3W=I&k1 zO#?3CxpHbopQ4?_j}>eg|;E1@M|=0V{vPx>gzc8%^E+NyE0Ov z)q!nWY9$Kp{Yu8F!g#EMYfX*1mvukSWZDi49+8^N@lBi*cqD_WKHFq9Q8srJpBuaO ziJ9BCrHKl`pFp+Lqo-ts6_9xh&I%G~BqixF#^E0jbJlr9;64+N%}Eryi`@w2@XjJL zWbFT8@4cgffZ zqhuOra%!M|$M?>i;hk^h-dStzTHinON3)vlK2>#gJ$vtG@2c9Tyu=v43beMJv2&Z9 zcAR0Vl34grv%t2gu#xN^fYl^sXe1$_OPl>HK$7xlO(tcLsI9-#k*Hs4h@-ENpydwM zCSLZwJyaae+9nFLQb;~zN9N{akQ~#fzVY+hphY)K$U+Z6(i1jxKA*L{cCnc?o}|up z@?mZ472_p`-Ds@GQHE=ATnq!E_l0P9UH+RU)s0J2+6fP+Au0K*2)n5C^rKDf#-$`P zW^#TVn#E~zN?XCK&86|D0%|o4e&w=t`Q;XYoGspMHAY3wm@yS&lP zt52R`bn6cU#qoFGF!?1yV|AiQLAPBROeZf#-2~vBnQF-L@-Qh(H zj|k67=m%I}vEHp9xT5f|R&Gie(Xp6uZ`r&_pO{5S$S+fsP$6}m;r}T_*Egw86#kYdQu@2FK0mLVhK|fw1}uXYJf~kfR>uy~;#)5uvZ0R#DkY7*3 zQS`_1J{}16MeFIa+I4#5@*X{ql{pf-D&qga_e+8%$!zDn(L`c{=(eKaLr3nhi^2F} z;SVs!v1)A#MHBp7zA>X;Gv9b#e-e0@RyH@u4}M!T{R#kdcz3vx!X1oGw99}c;}iE` z@Z(B4G+{rMp@!i?)>xN@j>e&jg+_N`#wfs@8mVGs8*mLA)!&u+qsEAvrKYlF(~|M1 z7|gkU=`qHA=Ts}ScL}>mJ1rZ*U1IfU!b+%3gvl1${n%rUnPk6zCMVcYQ=)nF$Jc1b zfZhI3A(JU?^BrYD`8VpX-;~-_=PFLL-D9G`{a)B#*d^b?ctyr2ECF$D2OeD>kNtVD znBtboWOKV!O~KsPg(_3}U6Wung&n3XgvMB6mBH&ekuGgcP@{F$=-12LmE8y>r>wWF zb;Qn%hiao|baT%2t)7-^>Dq+ZTm$=Yf@Ju<>7w=$yw=uw`UY3^tnnAt5hJIbdsn&7 zA-#9c4Jygj6hQmtPZ%dpuc0U6NKeRmgBT&cQJRjP zOB@u1CNW3@%M@3d!{a?sg~#icLO&TKjNIr8#?v4Af3NxkzN~cL^E8+8)ZcA}bhhp- zpFul16KN7RUE{xL#?nPUtNUbXoXfgk*i&6T=i9LEjM1$PU3Jng|tdF2+X{_IrK_*^;?Z2jDn{=NI)bzQIm#nw*mBpF_lPS}MXJyGtno+S2w#i=Qw@hw8M zAA*-}UVKdcR0_|unkfjlJ(h0X=&3i#A4@iOay8)YN&VD0Z&gq_Q+T9y>2TTWa__8k zZTOT>0B@WH-}ZHEKw03v#IDrTxu2)LW4Dt2*Ta(knqAsP;K6u~-P$_fdatx)SI>Ql zwPQiYm<-Sg$9n4n%qGB|P!W@wjUAu^O^rlT>$65MYm3OO^ zcI)fo&+ia^njz;^)tu}VI%~YBhxiS8&g12FF0s60P|*m9a>yc&U(-{8DT-ldohKzW z_8R?+eYcuF5=94|8Xu?3Kh7U#5AG@q9s_0dbCQN{gs&OnVBS8A@^x#Z#a|jjdGN2C^uDLB~XL4n8oGDD#EPyJiwuAhk@JaVg`$tPA`b4C6 zybBJC5*_>{j)p+XLt<>_B1x01(pdbAM%`J}rfOLXuaF|p%GIlevdRjLH9Xa(2GOB7 z;K0S&m)^RC2**Z??c6kGZv?&bw_&Cpc4~_vVP$odWTB@UGx9pnccV8Fwi`36v-MaL zCSfHX`lk<`%#v0pA7`N9JHJN7`a3@w;VGrLszfZOI z|B$vUqzD`3Gt zYOa$f1p<@aq7|7Et2NZtA_y+KQ6qm=R4gB7Afw5GIs3V_z_|$XmHi0pUc%)^7LTlI zPPRz_Tq4oJ)**qYv6sn>B$%<;J9V$MLP=BPkmI~7CK^zaV=c(K;i+Q%l6~b*3P(-6 z`{tMX?=Ob3c__bSjFPtC*v0+K3D(T2;+B9q{S?vJu-Sn1Dq zkLMTh?1;bT^}yR`QQY6j#{p<sS?23IWo-doxbBL78W`(sw4*fNt7F#z!FPSHFP(ewwAAta|sMUPMg# z(++d6@}hD-8B{U8ndwuskkGcPW!`*QH#~H3ez4bo>~ZN+KiAte%)(?^Q3Q)V7T@efvicLT=cG+jy3TZS@Nvi2 z{GWB*VzRy&AwsT-tZAVfOps4C6^u#tkYYCI_on-qINz?Gmr`{Pc7x!BPYn~%d%Fl8 zSsYv^%Q_fOVcE097DD!I8vUfbP<~87Pdc}D#Yd5^X?OLgP#gy6Ko;kr!K2$(`@Lk% z7%xQd=THp;j+gr@@=y^?FUjK{Zg4&|bKPu*6!2JboiYe4aEta9%S<=tqiws>na2q9 z;yFecevO?`tT$4|h~qSq!oSMOl6N3AX|mn+>{NMcmZbsDdaC(VVtk=S?4Z?sf?DcC zX02cy5qVLaZ7uXqTOWoswqCdpUI?DDon_t3ew&D+a%oQ3Im&@Z$a4r@GbEIruy4o+ z0|E-86G0lKteV1 z4r%<rNUPiszF7cLk?H_F>!g6bmQXr2?I5JiV?jz0W(?3}cHlH3godl)jT-FEa;Il1XntZ5^kT~BUP;ypOSE|Ji{sJ zMh`4&cg0@6lSa{BbqxuIF1h`8JdYkR@+*cb3Z4biP>hQ)Ypx3de5S*!E0;bPw9G*$ zNl@cULC|@`F~cZ0YJ0EbQwVtU>apGJTvM4_G=w5}uZj(m!Zz>Z6>GA{3y|AtJW_?) z>0IshYq9cZVOoy}Nxd%v+?3(W*8qgS?#H~tn-ub{Go0T3y5|Dsj_Oot`2-&dtQaPj zLz8xcjiuhkh_m7asysV23lq-@~D|Y!NCHWdK1o@lBM7MM?lS!)xYj&(*I)xtZIr*1 z4~QuC*!a>D7Dp&1RLJq9-cz5n1zE@CXqTz;+|%+$H=-3JcE!z=Dj=imX z-@b!8)3~ccT=8>7@~1)mKK}zFoj2O=b2$`+qe*isC(qA`A#-6Zddntuw+CB0viiZ# za~wtu1Lj_mnCJ2;MfZ<{9&u}Ev9akC6KD=C)C6V1k70*;bTp^%{WTu0x4w zP{YMd!_!_RcH!ERP0HRo+n?X>q>SPlGxRO`)~)=UR7+yyR1)bi@U2c$S$`od*fJy5 zyZ>%qTGr6Ah-Q_bZ8+l(9tHl zbOmY+6}5{H9Y1KL+2SuJ8hb(O2ZDIwM7}X=!;FD`UAk=PA8BKJNFYFIq=Wux^i{Ev z{Nrt`2OYMQq%R8)YtYliq33*YcTd>#Yj!fDNQO0v?u5#Yd;iF(L#zh*M^q7S<9mM= zf_AhHx;Jw?sfB*!vD_?cbEfoLSPJEteQxroYBS=AKr5x((u0#Q-c=72JP|zRb5Jb$ z_-vNi`+8dN_Cr5Y_~_B*y-jwNhrTxVbM{Pz;fb|^b3Np7cGPP9^+G4Vh5?5Ye~VTY z`%Aav7};Q4q>N%tx`vP#_~++|;CGJ%C?8UA2m^7-q(!aN;4H1g8g`(&A2jwTh`>Cx zS2A}qokGyI-oCIvZ#=^ine}W`dUaxsYw1oZrE|M-k`XNtTTxqd#aynPHNJ}ip54?Y z_RKk{cm+IRLCCup_Fnr&F0@yu&RWP~#|;08IM4m1h2CiB$bJNo?qs6TE^(Cmtu^)#1*zt=diZNV%-Q(5sMV73Rf@ zDJR@q2(}TCY#1FYB&(?zg(@s*4)csVMo|Cq1l<|Q3EF&TooaZ(4!D>WZ_eCb zR@$wWzn56ooMfGmjhe&}-4^fnI6@!i;)ki*k^hpP?bbY-DDVgXO6}}@V7A!kcHW1H zorO7irU=Qa`hrOhjd1-w|BiGn`jalUh7eA{a?ssVpI+Z_9Vz+UzsZeTnWc>In<^^5hG0vDSW|61x^ z0f$LI@k36-hxwm2h%m_p6y z`F1pG${5li*dx65zUkwHAtE%}t917+^c&-ngK%uM#RYg)XK!Ij6yanS954aA<40rV zf%-g*xwqM-rkZbYd4J3m$D2&VyB)3DX#lvy=eN=lFWXqjKNbCVEr6oT14rdDu>KpL z$tz`wVSf~33L!>kvhPF-N40P>#Y-!#qNLwG#zgA@|NTT^jH_d{_!V0*<8CcmJES(O zz(*YsQXI&P>HJXxc8G{u@_5KX!-P;=KRDY@^*<4t@mA)X=@N=|$-3)+QLwnA!+DW~ z8A(-4^ss7EE3X6vH*X2&$=c_04x|m7#4fN=yCTh1jv| zQ-{U31Q3x2H*K+TuB6Nif!7WDwU5)>mwJ?FX)k7qqH8>aoO)UkH0BuNS=^7pX=1j< z6fBO&cE&z?UZ@K5+Rr$-cYXV)QkS38#!bA?^z7-oARtJh>P~gM1E9yc%gv|1n~ z;XZ4Ingv=Bs`l_BKC7YDqMt7ii~#!(Skc_Cyze`c zkI^}v*RW6kUU(OlyIf^9|CH5;O?contHHLB9y{GfYobh(V0F&O!h#pG!5Pfxw~N5) zZ60%NgWe?N9UoSE0rGQVg~3D-6P?97J8k0q>#?eZ2_HXh(k=?e{u;$-d3t7~;WK4< zJCugfF|N2<`@q5qQpbmwX1~X2c&vNK)3X#vcW;)B#J*Ri=7){OuaFO6N}Ioz$TqQd zIG$JX+Ur~2;;n^a-Oze}f$%xxE1v^*Sk2CP?mgUV3s)R%EP>H*|1wC*E$MZh!3i=L zt3OfLZhTaT#yl~sfz1ufOLe5m!x>&SGwE+}a>sI#40akke0OzR&5JF#n*Bc4T3Eu{6jWZ5_Z$RrvVDjc z6B!QUeVM75c(58&<)i(LML@@%Xh)kXtC1@ZVY!ud_W4tfl8_3c;sUrhC1Yk}$XHv> z7j+XmlM0|7E>B$hpLPP7ee7$QeSo53bPBQF7JRoPAtEzQH=;{T<=f!(XlBWKy|GBV zc`U>NFE=`0nRpjr|J6jHd!s}ve3KoBmPF7vk~;$+Q(4wGJbvA3%~5>ik?#;O6`7ip zimL4cay3Uy!Ns^j(62QOB`#mI@}dMGKdp!dlngcSD2|nwo1(_E`>2z~K0B^m#$nH{ zOgat{fA7(1mzG&sG7AqC99HQQUa7Ce>s{NAEt7b_Z0usqs5q-S&-p+f_%Ibs&6nL{^ZmqO!CnH zZk4P40FB3rl{e|shadNS8*qa0k#7A@)C?ZP@<<}O+HDaY849iXpc zMhzMOhBUieR(*c24&hzHQ2q$sh-aQ5=8#1P5cbl=XDwxzvmV{KIxtt|-=uPPFzY81 zyH7lv4Uf9TcXLZ8wL5I#QNpGvU__YK`U8i@*6i|$#q!U*JfF2a7ua(IqeqoyrWv=a zyp=TP4M@*?cMvzGO*_J=%KNAyP&0<{(*pKA^)}J75nErVs>Z^mW${*_(7Cv2>!bq0 zoj5T_J>Avqq^qh?K5fn%&t#k7gV{26A7|ID%|2r08PdtRLPM9)3Fqy`*PQwgt>L|r zDdYshG%t_zrVjsuD!C zwH-O1(lpBo-K+B=Z?4ZE%#C|*Af6gyJ1|m>6ORT3sHLvs&Q6uHJ{0nG-0oz_;H1_i zmi-ihz@G73^T^qXZPpz<`#N||?|`Kx+3Z@pS(WMZ@w|m#^2i8ru+k4{7#%z&^gfLc z5%yMMu*2Jj zzdZjRum7WUziJ$y5qdt1P9@Cp>jTlJl>}0GruXHZ|1ZM;nt7KD0Uc{0V}pxrjFNsUoYtkWMew%qk{ii5B{bR zfB$ZP9|O2Pn-OS8l3(_30?NR{x-GfmulV@W_2K?Kw>a`0%l4 z?OB*aq^~gpI&6R$blN<6^)E03UHZ~R&~o<1cBP~lW@Pj#CF0RF=HPpe7Bu;i>t7(n zl9C@l%Zv&b?6d+novYV6b^^-#b?QgT(ck-@`Tg&2Gi)*02_?gYql;~b6GM^a<}gJ84xdc3>FIYxc@OzHi4j%u0B;$8ek;2e!EBc#2xF|-gZ`?a__f& zSVRI9#i@bc_5i44ncKU~bzN!+G_X@VzBb2_uD6{$K>NScaiV25U_fR$y|dHAd*uFUb%k#T@qT55Zia&zc-rKfAe2`NG4&Q@65tT zfh9ctb%Cy9xv{5-L!I^J$vV=Qk=7ffcdmoyE5Lli)r_hCg=TfI3jkD0(c|1HsZnlR zVPuyZ=Ru5<-}lv12r|1qjJpg#02qUN@V~~P7+6Cr11HJz7mNd#VD?~ozZM6?k3QE3 zE$hV8v~0xW^oI@{NrDiru z7Jyui>t8Kl(aPp?5nh+G70~qG%jus$!jfp6l_bQEBvRj({#ny21brf@0h6dLH?5t| z(29BEZX{^A^!D&|fvc(j%IqP<_E*LHCjtQm^fFp<9tycc6o5=gjp#61j`@$>My@v5 zBc|F@EyNeM`z|~Hlpt`*D6fzHI}oS^y-1Mxvtjs0f#u5zpnadC!cLHBzLPJmzan&nwq`#VXNkDyOG#o(eqB(Tzo+@{H1{9% z1AJzAe_dBs*KrejH!yyB_|;O?YNDC>`rBj&p31e!L}N}B?sw~(ZeIyp_M+E<(b-^ZH|igWcTCJv07NKSFca6(+Hr6Pl#8qJ9$ZVV0QlA#{T0z zX>BpR&%DH6fy$|7tlPJZhxX_Zb%{n$3zg(M+&z6xBfzsTc$7iqUyS~g*^mPWi89Mi zkLx#g4IY033V^V?>!>q0!~j>)MTMVo#9AeJ?^~uAr|8^zrCiWtzv6V;Zmo!|__2$5 znixH3a?I#YIv;iWu5ZfoPtN~%^naGv;{n&T{#5*1w8=(>t`DgN4#*RcUz4|c-9`p} z&q-5{`U+aMuOc2mvo%-v^)bo;)?E4P58;31cJ8gCP9SJkPSB*-#(NMnF`RtrV8-D9 zzSW`FfuA*2v6lGz{@_#sG$(JW#Q$CMKHKCCTLhUBEnD9rf%zUgWi2gkZ(H)%5zacC zm<*|9P(Xu~kQq0Ltw%)k`6i@X;QwacB&JhP~NI=sWhu^?#YGs3@kIW@df zi*l&pq45-L=q)k<{4fPh;Pv^Bd=1#^Y_+04DB(ZB_FsMC^WXRM+a_25Nci_UKmz3g3_xI3nfjz1JO(z$3i&kQ5tvb42gE{@SD*m8`+NIh|3ND+tx}`;kU0_1SuiDI1 zOLMCK3t15oc!_d@Cb7tqGbz|81$N8>VKWyz!^d2r)O_3hbf8I%-&;BVHnuRpcFqKo zAg(*^>)-$Fm$wh=C3|i}@}#@5-SxHc51q{vqb88#Z*6}iEucPg_J7yIE%B>&Z5W-5 zTtY0Tf|PDHxwE0=9a*`v?pU-iT(9eJ%(w^Om16L%{=Y!R3`l=ZGZQr`qyV)19?`+L zFmY#A@~!7gDnA-<`Vq;B;I--W-AY&}$W%Aj;d+ZN9|IowKEv3vKe>|Y1NrM0FGGII zNaAXJPK~P!=ZQFNYgf7z4z}iGaYK*i}kq(cZ^P#mNGKe8z1^=0giMqV>}}PEPk53 zY8&e9M)wMv1DgKtst9Bdz2*lp5t*2vb_E`1Qc30-%OPNv4!8lTaf`ls~P-<{C*wg@BG912E?j%YZFPuZC%As z(*J_km&M9iQ`Vl^>55EG``v1du$Z;fnj)EkBXZI<& zLz~gEggs2+by_aff&_^`q*B-Uuh5}nhJk8;p6J;GF8Z1Zs7|o)EHQRYq}sR7W}==B zo6k_!FRhx42@KCZ@NGEXjGAfUELR$PAr3qn;f80g<#WPuO|vW6gYv^oTWwB~oQ&k{ zoq0}a+46D=*+WKrcw;l8f`s;$BSM>K+mj;@;jzN%7jlttXH7%HFEdBPb(iJ_V`JlH z)74bvD3gG4dqbIH(c0og`scQ#E{<}VbDD*O!9|7I=q0kr%q5D;qQ-nn12wb&Z=W@y zyva6s>wMUU%B$d$3AV_k%aC4wibSN_b1+g%7r=zx4Sx9<|Mvo{(JsFPmUK=wPqF41R*~Q<$~#!T3CJ##V3oKiNjcx*d7J*i zt#~WZGVy#Wa^$u#fxQ}EqyWn8BH@)XvfLzd}r--(vk;W>KH6^!PYwYa)}cTZvb4 zkdH}0N+F_Xbpg zj%V&Tl)-9^~IjL{j})`$#%EiVNG>@P~V8SZ0^Xjf?6h^%30M!a|3 z{>AH-yGRME21V_rkpR^e@+w?=R5*@S6c9S35JAogPNklqs%fx>XCG15OHI#4kz;`l z)AixYFbJWK=L-%rlsU29OLHFk>vB0ju(_sfkkxS%x@-t!Z0J~rPT9fd8Zy z?VT=qW-F#yYvAGhsy{7#G^lQ1IOW);rfvHRlFrjq1#NUWw@oe>rfhh0tWwh5yF!)- zVOWb#CJI{F$O~jZx!v)QW~$=gnRk=P-FaZTCf&xpS5;(4vb0ZUg`U!#Ps>yXA3ET( zK#wwiZ=p+Mh&)FHnzg<|0Q+Z)E4F`#MFXcfh_7$PW`6Ky*ds9B+;r9RAgX80Ob$Ug zV{y4PFU}74dddppZx%~^@Yu0iN(gZ#HQ)eHp9#U4&9X!!!EA&`Wk+AbkQ4%9PQ`iF zIKE=vFgmpYFggo4Q=?`fRP*GHukYva8lAqQ!)Pn>n_6iUp!B_14LuZd5@fL~I|$@p z?>US=@9EKvBP;~h+t<9_AiUExV0U?cH{kt#WzLo>@am5Dt^%d0PT;h)^ugfk>$4X;IB=HFhuceFaWzOJ(vYVka|M~O=D&o zp75T9L1Aal8zx}H)VHlNa`|tu@im6Rtb}OiVsCRZ4hhyk@XU*Vi zrpL&wK)#D5H&mFewFhAzw{EC>wqnFeMeh|jla(aJ-Uvl4Wa=VazjyeRI?sy zH7lL^I4OC^iaZUyg`T=ESTi~=h@@H!G+F6JX@@h3|G;IfPMXNe28gM7=BosN4Bldc z!+4cMD!H#7PiKu2<{(BV>-_LoM8r+qZK|f2=q^sP$2Wp*JgeYW9I3tevd>Gb{-d$| zk?PN{i4y3rXYTum*cO&lA+V25phUBwi#@AVVN%}m?)dDc8JfrGS%ACBYk&94$uA~V zH>!G)e`x5*?v!#n9tG*-Uurk+i+O^jl+iUshv*IEy31}?v-h2bno~c7PjU~8fjxcW zW6m|xrsEuiIYAouT=P_SxM*PIY+327y2V$gU$^E+i{6~T^>rn#{HuK~I9n^ybXYnE zF}@@=k2mnO+Q({K*al2Z8Ua(dV$Y9x%E;~WtcXt*Cq0whKy`ov z?&HLP_+j>3BMRcZ;m69FIe1BZ+Ur=-F(PROLqzrQheL9q>Z#2FcKB`ZhPdAt$l%m)z`$ zuRiuT$7nY8|Kg|)KII{sJXla>E?PC+L3ii`PCG_z}Bko2nygNJyd+bNXsU$V3(3!P^^3Xm+Hc?T)% z>?DTw&P46O?Tb2|%GxMo$FkGPt(GjU%90I7=gp)i z0*$JYx*i1i&GwbA<5MXxx)Z;=?1;RuQxRX9p|%LW{~%)qTP#67(^p*jL?bQpMLD;R z`}1;@t=QCQsiPa*UmM#ZZg~W$WRm1Hyu#?7lv$~_g8^I^pu%XRnxuo^f*@tE4Q6Pc z7mqE##Vc8DR$qh#IkxDJUpc)6?RTH>Cj9!QkFl9IaoGnE3Kd`hxhpj#Pcp+_vuw!g zeq=c}Puq-c<2*%0tFDw)(esj1HIVDb=_Y-%!>DWMPtxn%iCJ>TCpcUDX4-&j=xX`A zUZwx@K`~ab`us@pf@}|Q*J7n9?>CqHxA!z0s0<{mJmhZZ-b~kt-$1ByAFhYDuqdFN zUfyiBs&Nxzso`CJ2fy{WKhMwW4Mc;rgJ(==viM|nBrZ|Hs;0MSWnr!o;@I3wA3%8L zrcTRozqjoxg6$bjm(Mr+=5&lbJ48oabZ!Y6MiQksNxI z!X?DK_uMrN<>L(RY=j8Q8jhSPkSWlXo`1f2w=B6UOPA9pbrOmNdmCH)z)cGYg{U?) z6Ciq~y26@@X1g8N+f8&ilU5dLm!aWUCC?7#1+yi59Gj1L?;Z|hNFy*KS#i!<(9DqI zJ(X@c7^Jy1CRPiX4_YSZMBVQ)+xH#4u27S_g56K({c(DQTn=Hm8LU4?Yw<& zO2sFea~)-BVhp4$5?B&?=LmOZOWdy9A1~}F+5%tl6|;Kxj>K+;^nYzyzr#2zTr078 zi8FP1Ap`&tVJZ||k51=qVL!$6U9YUr&oxf*lW=E%^ zl0>0M2IWyV&M&5h3g~R-JwxaDkkEHxD7Q<^24(@dH^Z=S4e{!NIoifk;CN`a_GfNg zl~@49K7T@SvG4To;KXL6o)-tJh*TK+q}ZGy8}Z799~R+ie(drOYaG>ntBu3{@@i}# zf%wzmStsNA1a*?H36YIWuD%BkrgtClI^L<#DLr0VtEviCH!mY7?l!Tu8(IJCl36|Ol$py~%WfR*W%?|wGI=2a zUvdn82hlvB)J?gzPkN5Yen6n#X^Gc~gK2n_qGEaCcLR+eB`n#T4*w!#-a}eLl2?7^xqvfS1l zk?jSuS<~}CI_Zeu3C;(-Ldj<4^_vr`DZRMBN(`+ACM)MA;oGJy1Bb7MW0T{t`4s10 z_rG)pw4WDTftIT~1IW788>*5OxSJEAy>iS>#8kH8Z$zB*RCkLRU-l6vq6htF#x%`e zpr_9|GfWA0qN$$3+5b|?%yLOc#HAo%pU>4qa%XZ=EQeL*38aE?W9}9*)GYRpKfL;hU;RsiZUsn< zmQbSnBrb@^9$tL#T1USt5?cmVH+DW;l)QRSZ}*B^bohO^zSi!`_bgba(+V&6?I-2b znxY0#N3mU)k(Z>wWcXbDu{T1urQIbIt2ZNy&%4Ub{6l?&C*B3X&Nda!y-?$JDo+QG zaE>3zFOA`$C24n)waj)ir40fo>-=v%3nHj#s(-9tU({873spt%-EbW^=r@v;jMb1I zCMNp2B#4l5oK2-`0FQTmf$(d5QHnvG)%H77RWmo|%h!mG6L2!=ErZ?annJZkjF- z&FL?KLJS}6sbZ-N%%F1K&wu7?ESirM;C7a>Xf!&PSPx8Ob$vBkMH{Q8U93ih>UDRW z#&d&pbz9wPM{s4#?87wK>XWrG9y2QW#ku$O)@D{;4A!9J^o1YS!IpGzwp}MJ_;Kbz zeHUSbbUGjS*XB&cUt?ofKfXM?1r(Ippb?i~m8H>(Vv2~HrhaQ$f!NIqSQ2RkWg;XDq`MH>d*h?g&iK;{3Wpx~mRg{4 zxegj1H>l_r_cuQ9-fuixIiO|WG_3H9ewE-KN0|zw@+4C9$03UbedG2V-9OPn>%;=y};%B9jqjxmn-uIj;1!VzCaluvN)RCI{HY`s$0!XTv_eh%Nz^e)gMJU{+Qc{Ok)FMVf+(A8qacUn?< zy<-3Sqe)aub&V(&^UoaPr&TjobuR#PdlwmudaOw2Fe7WtwLb^;jmS>4l4p@eiXXq? z^M0vYWLIiu0(3IHP+8_8 z_*1c%FPN|3hB?IJe?%(~4Z7-nmCmUOc<^+D+9}UgdxCd8Z3lJ1VZsBQM~+|}k|w@o zv0+$%qU+92$;s)e^~-ec+wIeAl0w!zZU}<$V<3t4tkZ6w)DnLZ>!B>ZJ_*l! zXi)yl%5ff00&SMJq{&6sMNG%8xDU$3mk%uwEH>yM&?~mFxGYN&<9l7Vc}2dG`x3G; z&SbEXJ*gc)9I|8XgBNMeH1!LrX<(7X0=?A0G_e-YdM^Hz-LSsc(hBcKN0o*tDtBx^ z=;kq{SlMy6_M|(lTNXuQ)OcL5t6as|dz5ETm6;hV%%l(DIqW0gH)S@rm>S@x8JVTN zaq~pUquBrTipFciIMgt%$!9nx6E?mHCh=xl1y0o=aZX!3_t@djp+wG9lmJac9o36N zRue>_gtUwB-9))A0-N~Q`1X}Uyxc~JZCMu?@qv%S70vmfEY}Kq1ylR-M61si*Mst+ zW)D%6zvryt#0!hl1uE`s{XBv9oZFG=FZH=K4F)v7r-OS8WL9y7gjxt~r!{YiqR3Dj zqb~G;f@Gf9FWp&zV>7Arh)V7--A1G&)Pu?VDCo!Jx!h3TBLZ7a^tU0~Vz-_450u|7 zRLzb$NX<@~mR7vqNGKkspB)Lk42a9}_uuB|CK~P0aUN4=4L>f;Zk)5^e7|CVV;diPza779(Xk*YgiTv@$o_$w~z}t7snd^)RW+ zC|-i;oGCPKFeLKeMWLpe>Vr6nCF|r?V}`1tW{9GSqSeHeMKUF$xMNIHKLnXnv6H-v zikBOk{58CO+Q#%$v0S+${Rz(26QC>`OP4T}vl{(PKP8ekkfX0Q@EF8xe+k~|H0Hji z5ux29q$eRWDe)$TN2m&c5Hq7UjLk{0sZ*yD6Y6=ajntn)n~I)lrRP7t*-(uC%BRyd zc4v*aFb$XQYEyN1@?&|}~8vpyt7m6zgGGcjP^i&gFWp6UXLJBtWW zJzPc~G-@7+O+1b#K~PZNsTR5hjZ=Lu0E|&0B#o#nGO!x|)@`c%>{W zy=nI~Fq31YrJ?@gz4qB}U)9tV&+duoZHB|QB!l36pAI5!6_MeG+wB8K-7a%oE>B(! zAEj$=x>`?oi5K+@De!=gMyIE|Mmf5C_7Y4LU9nc*PknwluiR+d;Uhy2vDb5{!-`G=b*P4A0apF<5` zjUgErzf=nR6=iZBq z3+a-rFGYHnq&39PzLc@{aD(4R6nP;l@Aym>@8Vx|7FOOzOJ`X6IbCk^_5CCue~{s& z;kUuFyE#3Tm_K$&Jm16~GEW0QLI9uqopq~gRn@|+!s^c{WyjIT?tZ4UL6Q&7WhhK! z?+4S*S}Te6aY#Dwd%b-vnF|k@!Y0~X@W7Pk1sgXf4xQ&N3g^!M>wD~a+*S#@U* zIUPL4xK1E+2RPvt`ll0a zk}iE52pbT7ccr7~>qzn0UY=^I7*73MEMG>;?J3mx53(7jm znixfAN_oe6zMM`MfoyVV6BL`!t>UE>J^ElF=hi5>zf*R`w+t#Y$X3F)ixC z3jNiuO9yOja?#Qp+3DU|cvYy@zh!kE=n{JpoM>gUuCbfcNB-@N9;!^!4msSt-6CsG z{c~>>(}1qOERhx=xsR!jK2vA_38iYJY9*%!IDTqRve?U(Iy(g$%`a_z-S zwf;a_;VD8??fkl6KDrp4(rcuq=g9ljfhJK?e;^Sk9fzk}Xc4{c`l85h|6G4_{bsYm z5u2)lN^kSAsWld^8$^AlXV){@$NqkDOtlLZEqV~xpm0b0JblFvKf8_;NGx+V3q)d5 z)yr92Tvn1W;jg{JI?}89buvL1Xqw5zjygn4ZO5mL)0~|bQ%6|R4t^tjS;;X!dXzqR z2<*GVfz*Y#Pay2OV52hNdh=(>o$TGsZ-VfIVa8gJi-XcCGy>NobWaaMV(G zT6u;C0HWUY8t5M-t9(ypibDz@!CPqju9n&daWekSx9xnv`2^Fm_J=58r~@}bXb3`B z=sfRQwKHAd`c3(fqsKF#!T-nJdqy?YZEeGVG(kW`inO4pC?KHpj-p^eP-#*l(u?#S zARq!NO?{lB~KF>Fv=RIS5KfW>E?>#><#vaMq zYiF%F_ng<7Yp!cD)~#lqqU=Ppg|$~pQcN^tYQlhupLs(gdESbc~pDG?pjfQAhRM2EaEQ z=|81i$@{{<%+7u9yR%`-lUM4*^K` zu^{XNSCAw5Q`^fIEEfc;Amh%74c-Uvt3SujLhBwZDRs(MH~BB;E6X_=X(`{n<_-qI zPQ@IJgX0UFc>VArZ}CG;N&^`WYDg`!3<&Idcg%bV9QcESaTsb;Q8$<(Li zC(lL4bT)&Pg`kzOor~QMb7Uy$qzFwZRyGd!(Th-(VyOqMa$I-ZON`1e$scC*514}@pBH@ey7KB*6hkD)+4IDwL##mD+W&aH*DRZEsvYs zbdD!~*MmnGcyD#my#BKG7IilsX)P90+`X4F>sAnlWs-XS^ zz)SK>Y1Q5W;?q|E8wU`a(}GgDLnohxcsPqZz{TcK$W&;xnBQx&NK|Vv^)1YwcJ*YW z1I3utUA4%ZUM$wsGqmiRN!z*flvkIGgX$}ZJrYwl9ZTwsUtr|< zY6FoCmvhN4owF0Kp2|$zc`V?z@lM(0ZM4PMD(s85_7eb`!ra$KJ*LE_H(?om2mT7! z#{DUaz?-j4AuVhBCpkr1L9G}`iP<=crPm5*FGB0K! zvk1nw!kX2of773x16A8;1?}n$V-Yy}YA<7U1oT;kf5D7s*_Ea-y7gNUx8+oBwr0)= z09%?41NPcSzp3xCUGy-Z;{C@pY4s8_|aKv$dBrvz`n5N&us;WV}4 zA z1XTvwU3C3K0KJQxO&*m^dl%Y!_j9yrsd?8rEptyQ1~tf0nWP+m;HfVyqU;QG=bT5U zNB{)yMs<|;iG%-O=Ih350WcvaBdhT~?niB;BBUsn>qf=RAz3Xs%uf^Y2@jK$@dM&IE&PYi6Yo!eQ~duzru@MJGjf#5&qiz%*2Yw*U(BM;le((Zow zRa9Iohdf4$rF)|S#tEbFK=kp^IMVAw+t&&NVyh9z|L=DW+~Z!EYl37$@mQ31AaNSy zM-Id{pyY5Wg8PIqB(I0`9@rM2Ds5VD8{&o|O;&ZUS5?HlhO?wLm+rG6c37*SaBU9aTYHxPv>55miO3izPuuBCdvyGe( zIZ)G`A3HL_AZzU@E7cC|w~bhI`umVCp3w>8`TfL8f_Sa%3otPznmrx$G-Lc5%s+Nn zuFJ+JV!8&i(aG_m@;Vyb<2(>vvLCA}d`OAV6JCh5+KMg0*d81-tcoBN(PvoRmU#M^ zW+cbdiFSNL3|m9+Bl19m?XmaKkd90H69PA<_Zw8@P;Qx?O_~Cj(Epr}!I}t=Oai=s z&!(@YzC(zQMD?l1s*rvFzw)hU$uR)1A?;86Iv9m6@d+3rit|j7@C5*+aj8zfGh9 z8={8QD(p@KpFbcJf^JhPm4~I$|LL5;SD5ry=E9qx%pq7zYcYeinQ-U!qE{+tto>#W z9XUyD*|t@}H|5y>bJXelf3gbh^6mHJC@Q`Dbf$O?S`HJ^wEs=v<9zyX{B5uMk;4yY z(TUX88Dw$ss**{)y7d7^R7E0KlGf;A0YH7KiGhrHHjW)kzb>{tLT17iQTq+v=|(rY zf5xO>jJ(nBytSpqH@6-I+CO(d*&NU`Mh0B-0ckP)V9x~7LBfG_kXdD=g+SMvxA$~2 zdAy7zhGCT-ri`Yo!55_qX_i#{ZQ+VLJK@;`>6nm|A%&a#5gvB~={y@CLVqY=!-W!* zNkRlFHPPR-VI$BHoNx1v*GV`AU?YTPH)-hB>x(%{T&`=WwS2{Avq`!gt(rw;N1S#T z2|q|>{p^2r-xwVCeKTaCnww{K_hS_ZlcHRos_Q)~<*QtwqqWv_#og(S8+g)YlRwa7 zO(EQJ+YoOUpbKztTN>mY%op5TT&JwmgCl^-75d{DQ*$XW&Af)uTAMXLPu6Qp5h&R! zMC4YE=RHhUhm47~6K;G`4PX|%@tQCZpfxnmiMF~(epTyPuv@-Lb})@yOTXe5+F6&f z*Aqu<*mfOTdgYbNGtNGFJ}G{C?uLx{xtyDnTioolSvOgM>MW7f0^XVctT6s3WvW$O z15)U*iV^H!b2>zj^^*{LP1jsNN(uJ9w1<&q^$Y%q!lp4nWY$5~7aLcV(}9|IJe2M= zp|=!1FCO)46SLq4(Z?sBM4E2j%vFIjj!ZvaI~2_M<}<&VgCy?_M3w0?Jnc8iZ#W|D3uc(zo2&9Ru%f zIcR+6)!Ib<^>IIms5+liVCtTZz9{65%n9QuY-CZ%=GWZ^#*&F^Vush| z!Xo*DRJo{O2=^CYPJOE5$|s)-#Cv3H_V53iKi_uv>W;dy9>Qh>(q-UW_hNi!0#lPn z`DfaaAmqFK>v6j*fCqZnY|3u!iH+ZJxFsIFe=|U?DR(Yn-{Wr8aS=&%JF*w;?#AyQ zT>j<;*Xab?EAxG{{3_ew(95T^Etk})kowYb-2E(Fb-Ch#_I?!Nyc35fef*gxuw z06BJa_y^>yhP;ojsbf63&jWcumqhiQo&sj|tY&5|i%O}%jG!+uyd~Dyp>)@rN#ARn zH(jiAA~$P2cwFj%2So0H8#ia{Un6K2LOdR^uO( zn~$hOp@^mkN=Wq!A?&bYOiVV z%%a{N(Xoq4|Gk2;jA)PP^Ct!IoLH~rj>iqR58jp0r{jK|gR3&LQ`Oh&%>^>4#vOR*sitkgmYlNrNNcP-ehN z4U$xh$9f})=@w+h8Y)sTRAJR|8M%ET<1mH2-S3fjcDR`2Ioy)4a*_}P!0`J0ksRh0Ej&-?+bg%LY zZQks613N7xIlvP!M*i7#{r9=Wyv6RI3WnY?v8$_EXj1v{8>3f4!51Mk< zhKhSQ*y}sKeeX%Z^)UIu>kSYFQpgO0=*6fGEG^L(zQKb{azZ)#NJZuPVe_A0v+X3! zaSoHy-W84b6my)hQu@sz9>Ero&4zU!vKLw6XI@9Fsqo~=dopRX)xQ#o?1Y}g$m}7J zKS}suXcvm~>*Sr4#%%i*8kZkvB&K}_noCoy{d(oQJKt2TwhSbt`5yK0)|0mZPSW;d zuKYroz`!yYFCP*~3)#EEO_(AU5{@(yS9Y}m4|Kg}4q6^TC)b;PAx3y5&IB*73#)B; z?;0nT&7hxkunUu>_X(ta2lQds%KU(>`jZ3A}W3i`7Bw0LP zq^;uem5rdnRTyrJ&c7Z)wZ3jAFs!)R8;$2t;ToQ0i^wcer8l6x56z2y?T;P@%H&ph zSF{pL@sOjls!lIFkmGy)6TShh-Ch~%0pJG7SG?gRU5u<}OEaHP1W={+GE4ZI6d6+x zUN%jE#5b84!h@XlnoY>ROldX4QKAQLitiW8W6d_1o+er07{~YL=)1S=)okrw^4FL+ zy`4_~z8rO;>I3gp4v9--d1s~YiMC`uvGM$HN-o6#V}&9x+=qF{W8q?_p?G{B3^Eb z?V@EOws*AmpriqoUGhb_+C~Lk#Up7D-}6GjnyH6){E|_itZ@e2fUoW1{08sXBYv%B ztXW#-5QMRpbi&rI7_rlx?NGB@1u?(<=5pmE=?qYgA`^8nIr;O^RTIwKB2CR_yuv*6 zI5Wd88KD)qbUFtD`cYk~H=WMc)J%i^J~cgQ<;Hk1z4o*0@S?5RFQW#+i*-?pwdR_? zURf34^sUO@|Dj;vq5g!{SG!?R{sNi{Pc?(w$gNe!V~O7%@{1x3m~0G$la5G(J+|<>EiDf2!(`n7Hs(GM?_Lt-80_8+GOX1l;D%gTTjY@NRA&AYP5#W%sIcgWevM+sr}8BYaMWl-^Q_%8o&n+Dc^(9#$)E+-gWQwD zgHdrTh7&5GAxT|VUI=}T%<+WALdg4WxO5d^(UEbIUF`)h+07e$H)}TR`|`#N$kEDK z1PIBA55gkm<5rTw!Mpy#CidH1>5rLU##4p{$l~b%6+bZr_uXvA&mE#gmIUn<l-G&mo+|K)?(Ts?SZXOgkdCiw*2Jt+Q!+@BlM#pEg7W2 zCf-k9E*c+=njb2)X~{M()aVG+G4!gzos^!N0~L6#joTk#nHn57_Q(CT><@ctDu9Yn zlTI5g*`tn|8c<0=rp#q)IdKM$xJBFUgSTbo4# zL)^ZzjUd!w>GDrTWnvWkKHQ>SUwrZ;Lo~v5#F|fWRwb1lvBR+RC`Q2~`Z z0xFfpVc=PSha<cUorG@s6Q`hV3C8iU@+#z+fKQucC|wvF zwOJ?Qul-b%xW$4@CGFtQZmn|Dx$|k8YrBaZja4YcYZHp1$}3pzy$Lj{T?NVU@&@a4 z-icFqhPy(4_3i5~k=*;+wsX{5O&80-@M!;K&Ru(l$rjv0D0#+}Uu^W$4E8|8K^~68 zFQ+`s47OB#vG}sv4ykAiXV}t=0<_=0eqmeq746b6LHh*ri`>pbkA-i2fAktROR}ci zS`w}@M^US zQJx}5z^WV)4W(Pit_s3wRsOliw{A$q1CEAl)=$s8^}1~#sr zP3Ntgd76B6-<9}fFA#s*Gut3J@vAbq-8wmVY1tv9!b2D1wl!4j9{@*SidGB;@M5MD zVhv}lpBdr|?pl%SuByJ&;OCJL^%hGXQZakGxC2-|tyVA_E`}H)v5A*e5wfYjxNF89 z{T+SPjM#w{$Lv-`RN-6Pq^HDBjU>8k6!eaaOzYqE-a?s8rBLS0H%Wf6?se3|B1bnf z9WNn=_vP%Zjg>cA|V!nRV^Qy6|vw{!umkTvW;-X8H0hJ6)q)iJ5#?z+7(I@NxpS*>sv zr;bT|TAB^-5I(-XcvUiF@Y2fQsg>wa>|tx21-?Mxv9nYpi26q&qr&936TO`xy z-UMx)0j)IISYCMV^E!tn@N26~|Ko?rs9!#~1CERyt&OUUl9q7%kFi$ma&5j)Bc+3b zjXGyog?FS4ghd6BhO@+)UHyR5nlIi5p#%%f@3bL`8VkF5(6^OU~!jW6Uw1B{Ld$sqAoi9)lXRkkk zT^fv5<=mU-qJ7)Pw#a6_VgCGLs27)`FzdO}%&2rz3b{Csb*j$T&1Y#8z)>TGzTs2241cYpo(FBf~l{6RdEc;NP+53Ij${NuL=s;U%n!CKGn|FgS)x#Q0V z{PB(L6QEt35ry3Or@+bZe>|Cz>NGt)zu@4*f(QTR*~O>n`8A$1@@r5DY5modpOTVt ziCX?4+vz{X@jpD6U-h#T(C&df@KJ61yXh5v{-88f!Tihr<9+{lP~|mX*bi?8@tn?+ z{i|s(H8u4|*3~O|SN=H&h+AO4z$|Ndg| z6VUF8ry~WSJ&OC3l+VGaK@BKr0MeT^acOD_)SX^7gYE8c`eRJZiu4KC8Y|--eCsaZ zXz|DmZBbKkgFi?yl~kbj-*^Al|8WrqCMcxt;L&M*MtTl~*3y^HmGUGvV|sWSifjlI z06PWHK{8$NE~(Mcfe`pY84NW6m-ugZNz+h&w5b4BefZyN4mC3{hyLOQC&df|6i(Z6`;PK7yj11^MDYwKF90E{u_NUVg-c#jr~8urlO|*KgLe|N7%o; z+W#d^=|95$kFfv$Y{q*{De8vTD#IMq{`6kKb{AxQcb8PF{FS+WZ3i`1tCH}RQ>Qw$ zl?bVR(aj_DBT#7Lfaa5No=5lh@n1@fZu|p$h__NHtMs|7*mDKnVw5$Dyg0J{TXSCK zP&aD#>w4Rt2~Ihm2g$M-S=lI=Gq*^m^N%lf<2t{z~ zS>QR$7Tm*?{dJ7|NJPD?KABOhNonlB@Zvv#65yAI1;sZhmu!$bRcmTG0zeo4g4X^* zjQ_kyHUyAkX9?T?iJp3c0Z2;2p7i6|$&2Yw6oNE{Mb-uoYX_2U9^x1WY&2r{`l5Li zssoH?oc&Cc!83evZr^GgU7-`mSKMd^H10#kXy(!4xB*9@m<9?!rq?Q|{+=!!F#vlX zn0|Znzn?(3Hj1!NxHzd9FHb+c5j+E+ZPlAeZxoBMQW3@mu|8;walWux0(xUe&&fffb4 zoKf~R!^G!uIHQml^S4*&iRG%sHyX6M8s#sM9MvA_dtHZbe%uke9lJp6zv^qVHIs5F zoTuL<(4Y467Tg`HwBjDU+^@8k?oNlm9XMaPgg@%Q5>OmT2*MAjVHyHI?tN2hyk1#h ziCBUZHF0fYo9`Beo22FJRlzC_);wOm{G1@24#y{D2u#D$#Z3E=A9}#@5(%i8{bN&z zwsgQ5x_?=qeXgJpJzi~#?*G*QJxJ$GS4sKPhW$^bCV1{VCqRv563U?J)ITuy_ZwAz z2VjGe8HrQ;ck90fYJj}t#?9X)92)+PU93`30?f!yAC~{S@WX4?-$hHR0Dfi4&A;Oh z00s5$x+hn={%r^Wh<&)lkNhtFP^s{jsSOrA3-n5pcqQWR0sXf#02HA3UG9WY)#?1; z*57UGfyj#+hi;t6zZ?AY@4-L(&*1;xNj{H3b#7Gxi9N!!uo;+~D{0*AZnKjIJIEPl zYSGcsKC&Ao_(AQ=DuDXl!|3C}+T&~qHA3H$0YF@z1}Xm*s7E8fPZ$lqeDU9fjHDR= z4(9X5fW`!Q{T(v`itJE*Z1@~!`R~@wQ`i2eH1fN^&Q$te>ugmH`rpM$9>x9JI9)36 zH?QT>09-$|-haC@Q+}XVMxlr7e+SV1TU-DThy!Z=4LIs@<@4;{Z9Rg4UPbe+82-D# zSDyw34}=N-Gx&c(tl#C8{v-MSsQurD|8JY}&sXpt@BBKD)ek=2vXq6&y}fCE>1~ZE zH?23;M6Sl2qje1_$9oM4Q3eW-hfmf{N1H-gw~N)xSE>`eU;ALtb>f8dwbJeCo8~=e zpEnL(q2DnEvOb#bJ8Ns=J0l*l!+Fi6dqo^s zLS&f3lt7bg)lJ2>fyCgtmE6`8=k(L@Dz%);7Q}aY=e$V3o->&>q;Shv5oYzLEmB1S z7GkT0%fRe!o;W+R5Xr}uqI7EJuTJi97P0Cn5GH2L z2WG6RwHFo%);wo~_B__O&Qo+pL&|~*Y z;14qy5fy6qsPHlsUS{F9;vC+m&7I`^35bT)6-4DiZ0n(ph56wr2YI)7lXM-HVU+(B zqq(xL=r0zm^S^Rw8Li$$B#DJtkgc!JoFsOwzm9MSYt6UmXhC2wk|pvG!zX{nz*hwU z&ri~w?tb*op!i@HmAlwL=Hkm1up00iHjM3r(eZcu znu0)A!d#%ro!+-%TFvbP6*mgb3CNQsc;~|g6wB=&GAjp)@*Mp*dh>Aw;jOqq{B`n_ zt;G-XBAHw`Ep+N5hiI6_iLFNMqHv+L-Hq?2i{>X0t%)6Z6__?>mGfRR9vbPzqlF!r z=`5|7(?y$~{b~>UAg$3cD6nZQmqQpRgMN{2_f99{{6xC3#kOnI54J+u*7r68Z@(P8 z(BtW#qNGx~bXKE5g#=;=Zy>Lp>=IA5V#RSFme6Tszt`Fq%2*k0k)kwOCMNgHG5y9Z z-%rVS-i0k)Vn_?vIB{8^yX5#<)k1mWj5o?XRq(Xr%c|IiImjKf3zkEfBRWZ0j3rbp zW{z83B|t|lQ*b<$gR&Eo=-`CxE5I(h%>wCuAvP)rW$wnwX$KWSWC+QGSS$uX)xaml z{cx$dt?!*9!@C3r!sB=HeJ`B}`*JwaFik$#G(YtADkiya_YBWZfTKgpEb!qeyshRP zn*J>_(Mt0;Z4|q@)2soW&t_|Fcs@29$3aG?F-%)oRD^ z6IYofFu)ySD`QrW)2dG8Ez-9s>YP4eU-4n6`H}we8-&D|#8W@?MFw8V9t_=^sDbtW z@@ZUy&vH9)matMl+|Q^g8(s|Z-{JNS=S3PoC6|p1c_8-6Gq_-`pQD5yNdw^xs6f*f z!?6*(KM9MYDcB;vTFx!riE{<}-YntsydAAONKy97(Fr6Yo*TsV>;rdHy^15s+xgbB zbabn^^hMKY+Y!%bODRe!Q<2iMQ2Gj~le0Nm=L(>!PX)h>9?-lB!j}zT8Ec?+1REup zj@;8}MI_1KBf7F|DJsVK*zd*j(a&FE>}?DQr`ZZOUlWaJ*ju`w4Kg#kD|#yLjpYZ6 zHCi{oQI#7NK)Ls-F@uUVnHofDU%<*HiY0^ew7uWK(Cr?-I*rr%fguyX=!>j@hl&$M z=~^?U_1C7S1Fok*c3)0R{<3XeLApX~xA6M%%THyc+%Ink|H#z}L`Rpd^dE)1d5W3H1!;N~+~oAY7{c{3s*N3LpU^=$2FItay{ z<|>Inhp;F~p3^!u4}2NLWi#qz|M`X9jX~^q)FYm5hX%U)cyCM~jnZ)?DyW zL=J@#ca0JSHxIcdzD~pI=H{X%X~yp^PM$Aml9m}#D{H*f_N61Y<-4|s;V9R+`WZWr zhRR8Z?9mQXG)XL-J2j1|W|MjT5Y$oM_XY)vPrw(?beyN8B3(XOSo#OK59o-Gm0ZtwrL~7`l+t<8La$0VIF5$djdh^1xKa!nFPiNRjv@(sb(BvY~_K z7=_tkm|I#n2q1nC_%TDo?KV?qu|$TFkP4h$W)(`kW@+>m;M#1DOl2QbzW7cqlRvXr za%3oUmQuft-Q|2OW$k?M?rG&Xkq`Cn#FwB5I@h}{BgWsYm@89@~$x7-g81S`k+bN zV0F3<4+kBYJk$ zla_a~T&b57KHb{Xb7u%R-Wc#C^F=oNVZ&M|?bOiieUfKZc0F^(XDABada?UU z41j~y$EZ{DYeS`Ib!K2#ikmh<0o-7Q#bUM~MGk~wt&+b}UA&Vk{H_LSM}e;81fCGX z!I0ijcQbTy>U&}6JmbQ>ui)*yu{=oc*cpm0x z#Jt^%&wPVZF$AFCV`U0OAdVy5~yPCur(%bbU`E=Rc%aew&qMK0KxbML55uy(Y?7X}e9 z4~vg0Au)ZS(_|M}6JxfHi^LZeWXuXXRAlCb>gzz=sj{`hd-Zq&p!YJ_i8h;|(qHr9 zw^aCOhx_cHs%PGsaY+zf%5p&88s3_6^S_I_xpO)oBH&}x3BR}jG8@s0##L@NO&A<~ zFM@kWGK;$U>^vSs_jwAU#VXZbk=K5@k?pEAL^{f#6#_Ge83Qv#XIPP7j(hxkG)nG5 z7zlFZOaQ<7hZXQo#E75?=Y9E1M>L^s`{l9O!WJ7M>4h&jyEq)P7_cX-3FoWfUN=Vewzob=-OPOr_7ciI$q42?2q&xiu+njw$xqg&d<3A1}U z93Ml>#Y<8lPPfyP70y}1G`vv0i*uz|frb_s+M%UoZ+Lzmm3De%@p{GD!1Wq1Qt-^I zzs`g{p~>dG+t!*-qhQ5i+jsZsO?n0IO$LZ^Y2lV~cDjOX&ap?(zH9a3d{_lOjCak` zE8D@24h`0aQTMm!DsGticdH#kZ-bB{CBsg>uZvWb>A&cIzSkMGB<&_b8wRyc&+;k$ z_!?jV{pGlwqm_qc5*^CnEBV7lr%t^~OH<{gB;(hcUo>5!nliA6Tv-IlVjKI*n^{nH zu2?{^o)M&`kXy|@uWmHULJOXw>`QkA+bT)3@{&WfFV_*rgM?**V24< zk9SwQr&}{nybLl;NPiXZvr{{3JMmB*WwRsQbl&l;GYz!(9~NVixeFBR@=sJ1FqK?( z&jSC5dlw%QPw>c0O>J$#0mVJd-5K|Rt3ZjG$AQ}+per1rCJ)Sf=0h#5t*`m+v~k2I znfcxDMJF1>O-@c)Iys5@0{L0-<6x+g?_!ipoD9leA|*3Zo1L9KF7sqRw`(8}SFtpd z{Wt=eBnH;{eKI-eWX=y$e1)8J!3=y1a0N#l3-bidMo4J$JbJ|@IA2m`DXr99Vezp3GxfPd{J~sA-dPtb?!h^Q^}+g%&B#4?Bn;oyl@E?AiGsPb%HX({HleF z&FjyKyuPdV+}0=DQoD@j{3~@qd&6zgl5v`*1qn*t{*^9U$=4J-t)4%orr&RD_P_0g z*(LS{?@VP!ji+yr6vzlA^2pC@eB5kS*H5}IMy&88Wc5( z>Lcb+9~P5GNROEUjM-+Icjwfk%sdYQEvE?D?7eS5wHDM zzhn=n2iTN8q{;A;gg9R;K2oem$ew{r6k`tkr&Q}sRv0DCO$3 zRq?^8T`Vk+pPO!TiYpjDuCR#{z(-yapi__g35mX9lTjR-XD=p9U!?t6jEpUg={Cch z9Yk=crTSbarkTuQ4KVcRla}vSn1h}k2;te5kLcY=Ba0jbUWP`uAUPiJk--4J5^%!^ z%h6EE^Gr1!1_3!e0q9y+4xibU!G!4+-IMX89(~}YdGZlqt(9;j@@U0$YRG^rJq)@< z)~y>L{8~GF(jJONOW|H?DkdDTFkNNsAzdldf8$jl^h`z2Wp;IC${9RaRe>|~Zb=#O zhS&%HE6hMrWs@1}WV1%4mgBP;k`ThY0jm%6dW~>OCl4ZTr8c<~j2L_@9>@vtj!Jr! zTJEmJ3qN-%F(%ypCmuRUcw#K@IlZdAYB-w9=%Rlb9}sa~)KlIYse8WQ7H-F0t2gUv zlzt6VTkoG|l52ufN96R6KCb8**?;w5e}VFGdi-SSF_!}Sa7bFc^Nl>Y9&LH0XYf70 zI!>l1X7Y(YZY4ZU?~Ld`VszCSmRYMB`1*N!5Z60*`7rXJ>x#y_rRg=o1G(P=&~dt> zdc`j{3i#3MUi!*k<*2Crj6d@x@j<*_*~ND@(%CWR+o&qNtz*R3U5*qrRo^ zDN;ol#v}g`d5!1ME=nw;UJwEXsIi09x+ZpZEH{1%bbUWHNnEyd6D0>43XZ4O*Y7Jg zMLXE#!t%%Wqz+uhaJ2C{bq-GOqz2Y*gL3c}_b;)MeF@p|Au+>^2SbIi^^RAbh^0vC zz|@Pl9u8~r88tZz5S*_(Dcq~O)sd;KrIbLN-`twF+~~@V80uYXO~kkM;5)(x>TO>~ zHf3F);UYjsAADMHy~+B3hRaSN>f4%CA7O2#nUzjUQh!8N{2nf=Th_?cO$e`+m{QTB zBB})k)q$=hVF`-?Pfv1`pzS6g54C`Sx_yh`9aUG~$`QCia^%WxqRJC_aD9^K40pnw zp$aEa^Ttbs5wXWRZ?s93lmENw5t z#=|Z|!&P@pGA?H~4@R%cAUPDq^-#xG_i?(=-~&_XxE!6H@f!sDAEmL9>CgEHtIWab zQ@R3n^;wl}4?iQCN6NATm%kHXiv>g2*$QNR1A6O51@X|Br5(GY{Uf;c!zq4I=r|H` zMb6Jr@gnr_>3z-d?}BdWXKu|E@@R`E@O&tvUA#5+tMe3H{5;wxBz6&|8*2 zoSLg;?|Vim^}G*R?<@}tAo8DjFTB|46-=1Q;x=Hf z^H;l-48fN8i(M=}ymhbf>s1T7atA|s-bY#&5D!FRCN5~K4XE$NU@?(XwK{drh*w<%t`qwf`xyu9u2P6#(qtFg|a4_g{s)ag3T_Q@pJ zj?Ehr1mL?rd(YXbe@32Qr39={2lTdJJ^LL#pXHX`g<9bc(7=v&@`w`Zh1 zh+fJFtehGqKFTCA;%U){_lIw@D|EU>bkIl%?Z~Ti&V8mb#KZT}gnF(3MZA@>-c>z# zX9g^p7H$*Jc@=**Ko@Ij79T)J#<`Dky>Cb>7tfu&peh2RF_GzJUp5j1%u#0$IIO-%Q)-y0OW$mejpB%Tl`)>yH2Fbmy(mrU z)YzEM#&bIR8v{|)Z=5}pE~wWEp|64lIpRV>86kS6Y&@m1xd~luv;8o=RdA!@S>*5K%sj#AKeWv9$Evj}vh+%4TZ z-hV%n*S!C$+#Y4ciTCaq7&?h?vb*G+6h!?fE3svY=kvwm%lyE3&gjKDxS9>u`Sc=LB8iF*1= z`0q#(=f6gh$P7OKuLn9c-VnoAkG*F_;i_!*5BQ0NaZ)bo?t+^{^8Q=4*nY7r3mVwCbL_7+kUwh{$H1 zE6TdzlBcXrkAeL$9*Om`}#o5^K6*oTY{X^ClTuZWRDA)<$f+@6_dp~6VK zBs-8vFDFP*mu2trI%O^L$jmrHLC*6Js8b;gOO!&DDa4=2#ryXN=;|uVT&Cq0n`0R} ziG=ZvCNv*Wm*Y5zm${CDpE{HbV0s#wJi-W}{s zv8)u@uALc|^%#FKns>J%mqkx8{q+(et7{@lBR+(#;8fNg{-Dh*0p?Dk$ab>~NN$K3 zIi#wnw0RDk?MC6xda+zplSv}eR#=E>Yk*34zU2Gwn`NXvWL{YhcoLHE<6J=)Y?Bt0 zcO2`})$|<^l`_M6o|{2`z~H@C{J1#y(y#hw-_5_=r^03-~ar^ z=UF|!7wZnegp{R`MZq`;ZLKyz(Y|XH@IJu`iIq5=4(25FyIR;ujhM`yTZv>Art!ua zQD-<_clZvi%n{FEYcp%??a)~V>`^nTYMIIFtRMEs+ZW3F zEat^UfYq1f4GV{gzI;y*rJmg30!%}CFZg$O3PgrQXyW+&@b|)E)?_LMleQQXpVYwy+VoW7c@Y~#WIeZ}77jP~XriJzW#hX( zd6>PTg#NW27C7;=Hc1q(bT5KS<$)$VRl_ZyD~nB=DKF`#nITy2UB`E+#HM3{z>lBB z1%X`3O*438OOuhI>ovKA1DkPM3$%yla%HN#xPFIsTlA{TQ`RQY&*=w#Oa?IR00X~D z`}gjJmb~6qgGFC^a|{U%oY6lXyiLyPaSRln%S`w2%HEw;|9mI-P;F$0)k7%oIuDuU zCjKFdiisRg`%rApG#$23$;EPw*w_+48Y%Nv>3HtgJQ&=nB=f*9L~0P!RauddZ$sHR z3#^!b&R6d*8=v`b!@JQs*!Ys+@G5O+j#>TL1bK#zZm<*kP)@|2_9%mLv;YWhr5nxF z@#GbUPw}tCFY+9vpTcclT2+Cg`j6SiTHiNxA5>4|LqGrG)v#2Iqgk@_ET5S)7RIuM zg6W?q$)^$7p81vhghg^rP*h!^rgyAwc69R~kSq^>8p$x)(e}ukAxNU}sa)9DHM7a2 zX9sVn+_71sVBLN}9l&=B)IIYn7n6%gD><5S7-k!f3m%fHa&fPMSv;6#4xZe-{!9vV zbtGC*R%6XoQ`kS>^hl-Z?kDRjK%PieO?8067sNOWP@>sCm8ft0I2dc|X6^U&xV5-a z2e*;G^wJCN^HOnoHlaC;VSkw1#1!gY8b)0S4@-`l6zmD%kUX#Jx1Lc1zqOfpGs8kz z?m)E;zWs|;YO8L=CjR}fVBF5);tuwnn^1I|WGXEYrY`hBMX{vJct`VL3F!0wg`CGL z-Q(pG1HMaLlLfOwY}o^(P{^7as`b$+k=}%XXA{WfF27e+R@*zBSq|JJ-}MRGe6r7y zPZ2gH#d5i27o3*q=kM#WF&iG2?_qrAT4wQH*3NOz#qj>I5)@lkRVthBQ9u?(9a$5E zO8_f4#JK0C-4CeAy(U}JF=;47Q(rdQXP}g*&`?vD0oy7Qig^9L`4dgIw&?)MW@Uj! z|Fmj<2kVly85W`ZL_$R(F>+Ssc|A+t0#!?~MqCP)igZ6{+~51RDKd0!Ghy-H#GoFK z7ppf85EwY4fr;z=+TCtpj@&i>Vzgs`JTE8b_3S4r7*cjhf3+3OgQPw9!fsOkkMPjf zzc3|Df->8-XtkS)0V0mGo)F*roXk3Vi{|67nF3(5a;pY)man(?LzdcGRwyS(sOI=n z;6}7ds|{Zl`=ZAcO;dR;ucn(d_DmIe9Sy!By_tZ*O7&Zdv*AMCUimnoAAyaHg_FQX}f=Pq0a!ftc! zLYl`70i$h={>ovD3>S^qbc(8#eqbhfcl=;x#jhybI0>pa zWxbTpx)s6JLujqc%+3nh0XwnpU%N@F8aCLP^?eL@SR7*3*DxXL`bT6xkUib{1y$V0 ztY#n6yl+8Vw3%Amu?%nN%?_EL;>xs&LCKxPgBy|@HYYUA+NlX;vmKJ@h(aRD}L+R*h!W$N=EVqLt%onts3Vibxy1Ssz#}j)RYfVSr4}D2b`vx#< z#1Rag&xs|c5B_G)!|>K04vXg7>mQWVnjmX>L_QdcJ8l37yCOd>drIQsL1x}6zE&mj zp84gVfc*(w+2ee+sRw$uUV(o;-N-z_6fg;waQfQ<@-W{~bf1s?vN<2!W+649^}*(+ z(}&A2cd8O@xib|ve{U75Psh^z-YRDQ2Y3rEar6d~9=ebz42;G#`s_KSk}AlnGcLm~ zYpWHI@;4LO7pxh316F#>iBWbU&l^=@cI-nUHVb%ko;HA9Rc(IR3JAFG3*D{bw{$8}(%o!AN~Cks-QAno z@5#(HGhW_vJu`DZ?{U2EhwBq_AhXW3{vGT8ThCC)0uSVHLQKEdZu%nc6reJ45IzBN z$CH{o_%4n;Q<$aVHoJU%Lb-a8q0<8t2P>UB>))yf5#`p>L`W4na2SvDEhb!tUre0& z#)4yS1Ao*40xng-^K-ofx1ARgs_R^R*s4h#7~K$?6igMiPHmlXPE1b&XwOJH(t*KA zXX)^fY}QB!Czf+spL{^f93O!R;nNAP>sj_I!S?WhZ%c84Mdc@zep^X}0UI{yn5Jn- z==wdUC1u#L#CmC~<`+yHT~~eDk*<%{v#spZFo9bV4D8Uovrab5c*Lv41Tj_pxPHnA5YjG)`D~%QT>m&zc0BaZ-FWA$ zYqW}#kK-*eAp;;iL5%(EqFXT*0Hu|0S2YX6VBHCrJ&5K&S;7TN!f-EYavGQqDdlINcugVN){CZi!j-_yO@r=F=I!@FY zm+$;uhqA`0%{#I*uHpIA6wq!tak{p4+NdZ-v7kaR+Kmuhm)~1H61`hg>x`*3OX(Lo zT!E_C|6Uxdl27UK042y;=MKKru`YLd0P5mAvG-6j9Nr0nwBanP7f_O4I@<*?J`HQZ z-<**xo;)iFwco};i9_+2@Z|e07p`{Z$(*xwBmLm~+yztQW?A#nlc@DTu$uLH;0+cP z4aWfV^@9QaIU-?upoL&$xJD9Qlk&1&qh5n@XQ6ITDz-7`*=QdRo;QI)Vbhdf-wy#M z^$SJ43nn|;48dXDcUNNZD|-rB08Nb_EY>mgt zfMqYHEiW(co}Sh|+{`bgzkLq-5CE~HwP}KyJQfvAX9l31ZV{|v(yzBoyR&5D31O_D zrj)CzHBq+f#*;BE>6>D{$k6TqhZl{%$0+Hc zs31sib7A^maS2f}I&Vb^RZfWgrRwYgYDY}oc|twpeBGA-C!W$bo*&0#CCop;t>S9p z>(FU(K#U&_natv=dDTu4rIYn`xz-PGzFxRp;I&aVhplrRh`a3#2h)Ml!(m8eZeOK& z><(0_xC1Ye^b^<0#e~2^#tT6g|cXAs3WJX6Xf4SdE&dRM~5Hsk9W9y`xFF#|O)aMw^i7IwKx_vP&7FOSC-!C57blkloB4 z&-WY|{NSvMrnU-DMjF- zQk{NnnJ%_))TM%6*7mq1uU$Yzaore5TUgN5Ay0nBgR81!#bKjj@gC)%mN`SI*BD0e z%*$NOhiJ=_ohB!wckPWziI6MGbqhu>jFsn3ta$7(*1|>{3M7#$>Ls&2Z<+dz(|ZXQ5rLrRv7zMJzh{ob*xe>6|YWM8}g^Z z&@HrklDpp3JH*YdvuT<3$oXCTX}18~)(7q_KDMm>?{PUA6reA7#EmjiZvdJ3?m7CT zLxbwvjhRW{VvQks!Hu>31hpe%)G86qw}~J@K74srB_c%^d$*A*ImM0Y%lej;(hx%2UJOYzva_Jjhqh{DkrfZ|tV zlQzSU(dz(8?Y6T)I|qQHPA2lQ)-O-*f$u6_o=8%X$kJyo=^>d7tR9-qLm_Xv^MZZR z4?(T%A|unyccD!Ha>y*I0xf6lWeNm?p!?&rmlOk2ro0_5FV34*J%K;Er-i+}!m-YxFCA`$?k&p@TO z4*)@wU35NB$?0TV3}y7%PYF?)>VjKNWLTsMM#W~xNfRJKeaJH2c_r6Wyr}m$rXBM` zOv08C{7ylPg{k-vPb3O@=lpP7&hZmYH?*sp<)gqB4Sp>hDRfq zYZy{h0JmX(qpE!~l*qTch0?S;>28l0p(gV3Cdx?GB47)Lj*^n!6Bah^?+(_Q1-n_Z zhl;w>V}ih06=u7FAnYldD{V9W)F5B&g?)zL{t8xxL@#FSQdpux;Pr}nnAAZmrE@%; zxh08Ua$6TFVQV}PUiGVfSkd!XhJHNnIy!uD6GmPd+4<|e2k~cNGmg}>pn^I2NhO>Z zZ#y9Df(C2*^WobOyNxT~|gyC!Ku#6_N3t`<;F@Glar|3Cz2vkd`&-bKgU~bBdB0e}9doumaXl8muNOX(ovgfb?0Wgd4y3KP-vxo}Ln5rTX0;&!B#1$6UArqH z3obBEsRo!At#d}pjM?0Jckt!T`MXLNoQmR=icaJ(9w7JxRbqlhFJqf;} z9Py9SN7}QMtJ=FRSzbN{t<%Dg#U%r*rZ>kz=G7u2 zcYer!q%1-(dIasfV4(nabfIJ^;V>Siv&rs2OHJdwIvyXqu>R2N5_-6P-+z#lMEFJr z($!SnJvjZ4!tBOy&BO7*k;UW-oN`50(QH;GMY7mW3HeYygziCiMyZXiP2SY-Y2G-w z!k5lK;eG+pulDrAXp0`%Gvn#vcZa}>I&i*x5;rgHUqc5ULC=ytx_3lFNWhHD;63&5 z3eYDH9@35MzDj1`6>H!bXC4HP??A8kqo2Qp{^{&JDIYhgCg&ANbH>#C5R*P~N*y;) zksZsPNrRAq{0h_%yyNTFeIC1w&YpQF-v}9kRP#~ZHtXZFDV<@YTkq+FP zMJZO#U2}f;6m6sHgUu9vmDLns)v{z>fxzyHzwJ%!k)4Mhi+<;cU|Ut}klN04-8~GV z{(z%59O~+OXo7RGVY8(iYxU>T4hfB9t)~{w{uaEa11p$Cl@z*Q;_USFFvlw4?YgEL zw2=p6<3Pk(P;8|?6~{-J?=~vHy2i--)pJc3WKO9SH`QsN)t$v53xJNu=`E~;=ei&h0Q_)g?A-fLXYQ9Wmq^1RjmJ%V zjiR&omnhYR`}fZewYQH_(Y1;p8nAMEp|Ph9Iv9%09hoem7obdq@0Szmgsu!tK z1I#G~en7XDm()WhfM(#auNT<50&~ol2_W;G@HEg1fPn@-GH?!^nfdG9;u7do=W6l# z=FSWv3v#e0g={JO0kfI+vu*c@0%HHTxN;nvqSOl%<2EOe%k-t`sO@vwGLFAKg`ZJ6x>cI7Lwfmt8rZU+rd@Z zy8n*D{&yDm7xDS;AoTyu6u8HeM_#{S0sQTWaNpb4voG9X5w`93)L&ld0QV5@^|bHY zCQLiG3De6*Q*pgSD?>Zb@%TQ>6{6%cBA;olkBEPGm~|Jx=a7S*J^st#_q(s%;SSAP zI?dSaNw`vw=}h4}0PIkeDv@Ni$*id(Hux@AtfL?72p2UlVSql_yN04>=uy#{_9^M0vuP0O(8~x z_;zZ*+4J-wL=3Mm@AD;_Yz>k0j2Rz6%>>dLha7%q9oS;8J3C?l?vLH0IaC3*y03_` z_OER9=^Y1cID0~)6!~(or7L@x4~6}!N5c*xz)V&jt=u0I+PJTZZynD!NW^da`4j5i z{*#+h#tM8_z1MZ)11t*N9uOcBIDCEmrts|uk?y7Zj0C?k&A0C^;3pDKsMUYi_#XoJ z2O~@P5t4yx4Zu}eH6%LIC!HE4c09dfrtqB`T%N`~5D%}UKGR}m&#K$eddT*Bxji8D z7Y|>e`e9jzqFZ_tlJfs0Juq(NgV;6&g?J4%B(`A5pWLrF4BcikX6!TF3Vvr+cO?sF zuiGZ{`!V1V!hqR%YYAzRzi{2_M7LTww|{dMix5%{w-lRg)@)lREZX}vtlUhKza46+ zQ@RMSH6Cuc;l1k*i;>^~bP9~-`r$l(My3Ha1mH32n=l=4lR2C{32h3FOyAp(aaIKAeMm#XnNQ~>AwQ_yrv$&gYVMFup@kzf`VnbRVKEy z$W@rZTvNl>tFBwcqQwBmAHz=fhqh%X-7YL6E%hHnpft3^rc-yyoF9Dab^o@ZDx5wpB%Z>8z&SW?6UF%7bOb*Ffzn4#|K7 zMgFfPX!iOe&P!yf9N(5ogotvuWxzg?5apPy7`3!RxWKIW4Odl`sc_4;rT5>Jz*iC( z01;uNBmez3fBqlGequd{k*MBBeiqnbtSDqe@x#I0fRLJb>8RO3tsnyMU5W4h1&#HK zAcftgG%sZYeo%+s#O6nJ03vEYxAq{{AA{kRxgOSxt#?8$95hoDnWzCAj`EeO3O)dm zLkEyh)qUzeBowGw-FC0&euXgo!{Yq$7r%-wFntMZTU6*gIm>5}YoCu&TU)!&rU#YG z^vKNk^AVFg5ict&Cabp?;O#iO;ve!ZMgx3+R4MxXAEf$I!dyJNwVITWa(BD0OI*Y? zfB|AztIj%Ny3V>6W8JS9auhCQdlQ)uqnHU!^i z@GwO#B!n%ZeVFOB(@agy#cqdYjOnk`)8j<;@S2qKT%#Y*L6~K$%WqnayWQ6$)4Tvg z*T$4aEW^%s@ls{U-O2RZt*JU+X!+8-#Kq2sA<~zvF<@uMZ`@mD4By^v7MJ}BS)=aC z4W8$B-!3M4=dS4fg~v!lp;)3i!9L80`@t0Y2(Xi!CV4h%rMbpe`QIddB~68L^IDGD zrT`BB-LvmCsCAO}i*YL{MJS3P-P(8!+)qgnJGeGm3ZG7tG6ytQwDF)V3vSWF)~*ri zQDWyMveFaB`Hi{x)+v^oHJ(76RQ^IjerE0%{jJf7xQU7QfDoXLA<$Qq^X&QBu)4^4 z4Iel`k6)fAJ^jv4mhun2{zrBWG&DDljJ%8{r>88@O6iXqHly*@V7H5Ns$5~#u}fNI z(TeX~%V~#d_G}2S{lhIM5fQsw0MFQv`=q3aU|{!Uw~H-}j^#{+T;7dH1}OlWuLGTa z170vNHv7?Y|9tX4)1TM6dh>~R7rHg|35bT|54EC+7Qh@DQu;grw9mc1Lri*}6077qgTzu>oYf-;iT226lE{-gu*y<`Zny=`>IgH+ZPdQj15vKe5+z_^Qq$?Qn`z zBVEz(f5SJ=lhI(j$Sq`Ob`GO;58HTBaV4vF%4pSENW5Y)C|y+7uJNDBFOQnu{K+_| z7)`9m@m#Y7-0lcn2}|lfj26|cVoffpV39Ta9q{Du&{WK)xdRQe;h=+*2?b!)K1&hE zj33M*nojrtoRZ!jtZt$6zagt-N^^6vO_K&EoNHF|-0^W`)!O*Vnnf1K%DvEY$PtoX z<6SlTPi1xt9rJsCzdBID#h=ztrlvP0LJ6L^LeBXYU`2BXHUphYjU6_%7%$ z4?bptW)iTiH484CxPQ(DG#~=zCEcFtx(WN-9b6w*0TKD9YF8ntH-EU&!$JzrpT2T} zgkNl$e#QTL;P$85|1-gHseq6OQ4|L4AHV0*pvjYjPGM~_H+pFN2Tb7Kv4lW*glJ*_ zZrKDeAbH078uRooVAg(KGXu}p7kKzCpANVaZhy!Xma+8LDc4VHlt2-Zfs*yQ%Mp_< z_TN1Fzo=0lbsHPM4I5WsIeqXyDfEB%%|Id$eG8WBF8|d71pmGvF{wL%?}T)9kZYtr z{%4_1Miv61v`6JJCiWk--@g;g_=xr20`Mh%d5QbaoKPVVP#bVFH2oWH;0FyK-~6&&Um>9W zn>RQ?8fsqhJ`eClyS>QUNIQ0x(X6Vjb5G>>BM!QRZjlyzm+(Z_y`Z0U>_7Xw2^U{5 z>=KLv;8T2G^qo5hcYb%)uqM2q?zN)c%68St_Ris}cJVCUbEyh10EVJfmaXxw*LfS| zdrH`OXNbT1+~q8h$khVQnZlEC4SWCx?_D|RPvZQaKTb6uiU6HoYH4{w1Hjvjvc++c zL*4A{?d^1N?a>e-FSkW~7XLv$WI^!UPZ4~*W5c$4+H690qWv4vS>XOtoW@Uo`J1>6Dy-r*iY8xtG2ETR5v z+e6W1t#S`j9pvd)vlz@Iz}RWic%tTVeKOt_0&qoC2-eo#aDB)PCPNVwnoxp%xc{H_ z6ovqTU5vK@Nz{Fjn}Y~8FU5f{mQJL>EX+_eWrtFB81qh!CT@rUp9wr#1n< zFYGw|M&)@lt;bV=HGEpD(BbW7c%Eei{$TYOc)Uv9yY3@quDA8>a4@j`2E*sVnV3pwE^8jm!`(+QOo9c)&roK)Q!$ zjVPw~v8Eir-*stU%j2bAL~ZYKb}H7`<22E<4W}PA@UTlq!~OA$x$mC*wYNS!3gsF| zlBFByXAR6CY^-xa$HR%=UHOuF34_1=*rNMIX7uE5tNmX`d4rIth};)1vNw|-uD3c& zfKT3++^yFY>U)upAc}_~_{isM5n{UstK^-Ajkh<9fhc~(l~iDqxNazNm#rRMs>7I+ z7i4|c-HGiloL&n)ked@AT!n2`k%*$czQWy+<|m?n`T@gFFm2DOe*qM#*_6D8^BqI0 zVXf*IRdQDYW=AgDu$;%B%a{8v`Rw%6`{Q(4fTP>^a(cVdH$Xd*Kaxs`_L;MiB16A` zY8bb#3mYNkDhQrz`*UE<`zGFpZZ5z*Vq&lT$=C&{;--7LS}qoC+7#2Ud{QT7RNz_T zYXksE2pazHKcW$gw z^1fc#ujk?QAQ;4w}(%xp*~Ew{@DtUkJA6lWX9iKq)Rt|HM$`pd@_y z?(B>IE3{6Si^T*iOO-&4me}nzb;@~LA8b+Yw`l) z0QgANts6FJ*c-V;l$Yn7Jck3}&oV5K>0t|(`iuTO3pO`vVlGRjq(lxWsCd6LXEHdE zZo!oT;%~-bcYxc*Q?2s>UYVSa>4<(dEb6yV!e2JcwM>wyFvN7-4Y!h-M?)5Fe90GP zE93T?gCd25D#jY?*gVHa49^CO7&?E25UpMvBk5qH)j!wS;x}|Z`xiha&Y1AVgaeu5 z)iwEHkAGclg|ApOMh&ZzJJvVYDv#1}5{`nRI^dd}9M{;6Qb_ z`;*GG%1}pecF!V9ozYw_(n7jP2Yb?o$~Qp{w*h2N{!#+m z*D~|HfROHa&pFDIxApzZ3fL_xzyda(zuxYgcSwP8*ivHNd<9Rd%;8sDIB)x~P6}+5 z_>Q(BFSLvqAGegN5MllPH3p{82)Vw1{#~AEE97tH7;jA5Sf zI)6R&-xI;F!k$%PV53=>&dSs`6}0uijj6t zW%x<*IL*)s=xzI9{j--o>Z&QwCCaPhiq|o5W1sJF5VF7zPT#GLtW?E+R-?f}FWbI6 zXk6R;B?CbkPky%mN_5tpj__k>Dv=>Pai^z}!g_$AhqM^n zyq50ye(*lck|qjb3Crs5kJJewDczYVUwzQNC-c$h2=9sG5374b_sS^--SaaNWT13+zKm zZu~LsurXd|!yBW`kSl#8VqZS$<|6~L7UMxvJ_I>2kv7tV{7y7>1ZAYYyNkPt$~b1? z2N;r6m`K)IbK%}8*fiqrq!WF}9@wUY;XTJin2hVnwbA*IF;qkRXNSI}1fL479>QVb zP;_Y_DnTUh|292)CaaAF{)%RgJGdz&AvR0jr#WPc7F%r+2*Qq?csMl(wZ5lZtbzNE zkRZ~Jsx;KraqIzq`K#!ncMXW@X&ke@si;!}ZWZJ5SDpNM#O`5OW^Ht;Yp;QC1wKF! zV(Y+_Bjo;i`%zpA+agw)X0&s>b;ZTqs5YsAsi_bQ)*84>$*@-bHAycW8Sk++oK;+m z8U=@pr4ptxO@^#CCpyX(VVFW&+MH=-)e3k0?#hXU!v`|I#S7#_i1#=mwPW>d=R^pF z0~Tig`A2i&dpLr~{tCh{dCvr&??}u0ERSRs&Cih~qs8SbzU-`v4<3L-a0A00yj_8q?0A@@?cC@Btq>;4qp`zoHYvqXVpogKHZEK5E-R zGeG%OXGf6>47n!tI9`zQ@`wR{2;C|IV-saPTg@vK-2{@4KokL@M?k)vzWW zR2WJ)rf`q8oLJSnKmv9IaTGuraT2pvgCGBVhF=fHA?}0T#o>1tivJbKh@OfRYjQBE-J2Mnz56tK4sCQyIKefcP9(%)MACJ-u$B!MWovzy}*LK#; zU)2zK<}~E7K7V!*=wPIs^8PdX3cUFzRYxs0GL1(RYz1yvPi?<^-k6lHJB?cl+K2fze(va0zvbqzaGZxTh>XDd>+$ z-b_nM3O^3vjO3x-?#mjdYADIY7C|pNjaA)j`z(*@bMn#2vA5=P( zrVOWy)=>g04x!KuJxJ`x`*624`obf4RLppcKc!AdM?j!H1FJWWsAk$JHO)-iMDz6y z(Iv;&xb3VB+v()=f<5~FN4sg!fP^weO7t@d^Wmb*k$BGEzf|MRRdA-RXhM9_+dqLLLT3gv7Q%k28YeTE|KY<3A5iuERH@G@O z$9lUTY*Bz+l~f+=@(|h!BcoUHFR)j}sPHn>Oi63aMPgy?F_7Ztn%}?2cDWBJ)`dSx z0Pg&sNMF0L_-)TLp5m9L3L#Ta5Y7t9Pm#J;)z2BEB;9JOoOvLiC>WQ*Kekf3U}5;3gajOMk%Jv|oOdw1!` zm~utU4Ye+^qWbPVX%9RheR#_Bf_F2Quh4VG4ZZV4SwOJ`co;y~dOZG2N1rhAArij) z^yrOH`K5Zj-Fl|@6IG$h?Q%QM-IE%Z<@P6g1=RRDI82`JTQ76bx`x+rtqCYw!{SqE zlYFiYT0GB(=PD*?^^a?M?7a9a0#(u%=H0=PJyU!0IGv(z#G^kr;Ia1C62^deDTvZ+ z!iEONP_B;G_FA%7pgNBdY%TDzb**+zPE>|2a~1dUrERu8@gdW&uiqM!42#EV3IEf! z-M3Hup_kOn?Ay0g2)+^C4sT`Ul_hAU3?By-Ym^~i)x`% z`WY?pk?=$ExbVuSDj0q~9^Zmit+;bFRf69;ePs9kY$bVLhKMNhwL!M10^z`>vbdv0 zMs5h74ZLQMkQKpxq?^E51~gW3gjM4a?F>p!d1hG=S@`{!r_>|I4NdqPD&PFtU&yt* zN6byn|5A;dX9=PtQ@_J_?*Tjn>O~;axt1xJTPX0jXf~=l?X*ETA}LHY*R@i<5UsJY z_u-Qb^7fLs*DCllOOvM(@66mQQC6y%(FThUM$5`D)-HQF5DLz z^-#7Vp6}9qYJI7dltVk1naD?uDLaT26c2^eZA;`tP51?0RNJux$0J2N^NoAp?p;TA z1Z#x5--cLfdy?TQizTxb%XArPC@;*o%i^3!A6sw`%4)I>sT6GOcFXk`(4G z386~);F|{F`$`ZvN01A?Pc7d0VD34lVY=`>**ZfUV`GTx6H!o6!1I8QglnI;-?RzN z#07N6^hx`^QKSf_9DQ&+uaKe}n;$Z-$Bg%!3?6Fn+I81@T6b_=6^6n^{-wPJH?bjo z*QWXVBWFYKr^A)xxt3{Cwy5ma8tS1_l-@M!*UN`)mQ9zF87|&m=T2L^+OcNKLP{>X zVu-unq)<{|r|_e(!$ZHD$rhpinJ0#$0nEsvq!|6p$ikfS;`y9VI9i`5jH%{W(D18A z(UOh925jn%Ha|iBUag3ds-hf!PD6X{4Tb9_dz$xa?#U?sto+^9tl5grxyewNO`EP! z?~Qj26WbLjoha<;jke>csx|Vg`<`$LFnID{90=&-#3cK-EP}2yNy-LC_A=!^%R4QL zKB8WHCn>h;T8({b5gaRV_v6!HM%#=cx#u4oPH=@ab108y= zmusk=J$(8lZK1whF;YU~7X#ZD=BBRf2QZo;zFO4%cqCA$_Fxu#IR2Q53Wg_z! zI?@^A;{%ezApjq9~LqikH|`bp3?IwAU?JYb11(qk_Z;+LG)J+vHG>(z%h@(&Flr z5I~vSV3*E>vZK5D6l$o3^G8UAf3{NMj(SMmg}bk|#KCp}7hD|%{T8&IJcgJxTvp11 zgrB9 zQvo2)4Yy`r@tpjq8!z(cPNK^gE!6D^$V{MiA?YbsCc7|OXld*F$tsh(X4NmdM3g;! zzd2vLc-#_HdFt??iIG4rl+DGBVRMgL-$o7rqWzgpC9K_x1JS|ybYr|KiwqLg=ls65 zmw{t{=3q!Bl;t6g#5*$kjM7Yer+jfjWq0C?Q&RiuQFIy#zZrve3lJ!%?-b?k)SZ=O zPf%-y4Jo6yZb)?UQh6LEV>k`|TQP53XF(i?#hpeQ*{z%z31#+7xV1F*BCas#Gw+eM z0z}asyxipYFay|}9hpPEn&U*Zd3V+kDJKH@1F8tpAX)WrF=I}4YrrPTs-#8mogj$Rc@5hT zkh`j0d3s_hTuPq5CeO{+Vz)CF{9&&T!Fm#Nt%q}Cw~}+|XtfN$KFS<5CY)3hiQssQ zUzSh6sZv%#K3qCpdrw0bPGHLfAL=3qL_^^_<(==az9HfW`Q)UzeM{ZDx!mhCj1VR) z!vvySI|TcFR%*(%_X;9aRm>;vtKz^*S@zV_65^XQ20cpDRSAI>N;(G{MXySBZ_xHBzY-`zzMOj-3P za`?o~QJ1jN8v!kRj_XJF-~}~<3e1MzU@AI(yqfO$R0b++KG{1qxIt>v^C$V(Bq056 z3?p!W#N6$Pz(-w<7Gsu>U-JvdxM}NLO zbkL=qG`sYLExbu54rvyj?BWyt{Z)=feWwfRN*tZ)W22w49!9sJ81oJ2geD!A;+-T* z9@^XR79Kqv9KX@y-ey?UYmxNcj6^^t)!e8;ua$CDox)f%^vpwavCht9&DBbg35Yws z6F^iI!+Rt7k=KhTiQ?OnrnfGXGSXXT0|_EZ9N9QLmsnXtgl3DCr=!6;F8*FQGx)tS z_$8t~_h#WK#xQ)9??MonGkZ?X z*FkGIQKC<^TiO{?B8W>34;=}3^>|bBY6P@Kx_?}?l5jQCW48cFUs!6pEIEO#)OYu$ z(JmbrOp$hR*anHVDel!E$p*q;>^6 zJI~R(oblij4T5|cxaAP+Wo0q!--IdDCnYCG#l#T2Mtv5D-X)&s5c$dqw@_|)NP~u%YSVh-2QrHOD)mTX34!3nx7%+UnBvltDY#u#n0gLc z;a|>0J!0fptVtk z?n2e@XFo0Rcen*dZdob0w^>A0tB>-%?ke!emDtQN|JM_+0>npx3>`iP&|Cn_)y) zz51kOK`<^iWc=+x1&+58M?%b1nZdn;slZ{M1 zlMCv-$oag0%V^UZSXPzdNktWjwzvzsIq*K{u&|lmF7KDz#j1S{%kIEO5?Q~3bJsjY z)32Fy;x4n)Xm$S7B{3rYlC@KVO7AB5!!mokQZNR2J;{qBZMrdQ3(khJ+n~^$ti%+Z zp59xAfrO&?X+S>CBaQZiVpl6sh~KLErc!kl3U@Jz(PZ|$jPr11J`=geF5~+lckaCA zB_GW&&s4%LyYr&fMTD$+?b`~Oh2%|_(B1=MK@!n|0MClE;*KXP5=3~S2#2=Qpbx$l zV5cgrCt*IJc1uCN+Xu9mKu~mZKDv^?zQ%7u_iWie{34=ATFiH6Gyr zZwldR^IRUi@xde32I50k+e#vfod-bndJZ1w^D5(tL}sXZKw-i{eTrZ)at8f-kiuM{6*BN>Hx6huXy zQ2z2m9146DjUY0)yWU3k!)HG|8Vq_S=x`)zx5pus*~-bNh&)Y-L#A}~!BYH3jES*| zjFV3IJ{C9DPFJ z-lNN%sEaYx~fp-)bt<;1BR@R#N5 zIvP$j?&|I_$kt93k_r z(w@2-zA5JLsZwW|yY6nTo1&9y0kBo%O^P;z#>krw5rcXoE#!#l{&ua5d>Vo#zX!O%jR zx^&U2dGU&Eo|_g~ce}O^r2B;-;1vaeZ{7z*QV#`eNjMQ!=fpSXR(Gd`9hkbg>SDi| zH}Y1K$oC7pwMMn;$(UR8Kd#0)6Bcj~?|o1=v|D!Yr7|_HC;TGZ?QR0Lcijr~W((ps zbW9d9$B8@v)n~Cs{<;{>;!o^uI`2ezwC4%pC_N7+f`=$M+{^abVFm}cS?dOPs`{U& z2e7s<^M2&Li|`oFr~A!;=PcN4POXyEA{(?DZ-z!@{WaG+Z6}PewNG5ppdy~>O2d@A zs7q_vOZ{R|Wct$2=DggiDt%V|pg~IdvG)!fnq#^X2 zG4c74PbUm(U^kaocArpzI8YVAJ}~*avEn$jw=&8_IEC0uFn@08 z#5z3S)KW(^qS(n4_as(k1R~fO>R(hBL>BpDyJQRoWoC5emz4WG?;*EUVo(ssA%#|d z=b#@K<{ujwT2;EE&GqnHgcWd+He<1S?)ucz{1n;|Z?)_rg#{2FJ>nX8jfm0>R8a0f zsvicDX)Gs}%Wo%gDjS4IJv-`1RkZ7O#+4pC)0CcIuUvY>;EH5UKNmq#byru7dFGfv ze~UFbqpzkEt_n{C`O_t~|J~QgO1}1Gd7;Z94xSVKV<29=6-n}q(B}&|bf0ajo$M?x ziy9>mcC)us&B``sV*~ih+Tb+ka&?|K<;m-Lb#-ZSZg-uynpbT1V{dQgO0Ys2_J%8~ zvHfF$vm};Z*|>D1`)rHt^plt9C|uXoV^xN%@NBk;P4IqLev0b)xETA;Xtv4@yKF58 z{XHGl%rZQCulna*tr;6f^sFc4H+GbU(gfUj1#n>!eSLKHRqom&glY^GUgM!(xG@Ii zlSP3LxwuY8`l7IN2s$eCGLi3IWNbn1(Ok`@B+>o0Rn3|Fa zbYezxQ*<3E)Po`YM1mHqqOIlap8QNR)WTs-Oti0eY__3t^KLkf6Kv+nhF^OYoYCTM(n1VJ0{ZSit`NaZ3JO zc^$nCNw?qgv~4)14Vl@H@^1Ii8#eW-``AVnqjpuFI$-YYD#aOX33shdZP|1{E)o(a z-VJD7H3oNi<~{_o#W;aH-0%YwZ^+mD(Ar^7-YtS&GX{u>-AsvmuUkZ^UNi7%pmc8V zO~Ei8y+&e_t3|+ZZ=@1EoJ6g8Gp#-yBue96yI5C0vyd}K&DJ4e^0<9{?ml`~dZhXa z)0J*4Z*`ROGMtS@Hc}@if*c-K>t?Z#gJAl@0{Rs(@5m^Ej%SLYR~ z0nx07(}Qf*SxXt5?`{UDV>53Wy+J+DsnO?`E%q|iccm0qJD&;6RL#Y_OH5uLl}}!v zMR3UYu=Gm)otbkHh@$0iONb)*QP#!L8ZXCzmdao_v*jH4en3cB$-eXFVMW1%D;zeg zK2mXn!-cj0yHQnjD0zDVhTvYq(LPYiS{RZ=c3a2igojjzWFZ>JeBg3%D|Um&}52lk~f(bg=Fb34)wp(%vS5qvfs7F{5%?9 zE~t?CI#fiG+}g{8uC8N3NeHs~U`#qXznC>HW(h?I9`bUojuK0}^c@lrYZd+AN8!53 zE(@iqPKzj7srG)H47qxR(W{RHjO6Y~FUo5OAzGVC4#s+n>orWA-Ox>rmjQ6;Da&&QY+%dLz7E}?T3mT`|6r(9Ewyv<1~r zh{=OpOHnE*O)|awkl{m~W30d+ey!d);v_`*9iJ%*DzY*gbhIfi-y^tSVB@83J{e`%c%}DblMd*~WFaCx%RZ<|YzSF< z)DR*Y#QSkw)@t_JGOGLNW60PC{vqxxHAM(tagwRA+n2-Rv*~R&aCnDycU{}eyu*p0 zt6K$zkZ@g!@N3sfLW}VM_+(*;3|=gav9g|lNiFzfI})GrM(jMEScPau>4&Fc79Zga z!D-m{ZeW1%+HCZ_!<{M85OJ{|n=L8$B<(p^A?>-pt56hBVYew73`V*#Z>GUzTP#{V zcy;7a;3`Jw*(b2Y%!>|Pj3TNBc>~SS^WNP#F&fILvNq6Odp-sA3_mLp(t0FFWX5D! zl%ye-A}9Uf3nNTjcU4}>w}y|&jSf85BNx+%dcp#F2nRKH(T6n^_-rPWE)}qX>DRGG zUmxDYEcarB+Ap?ct%?gfJS@+AzdF#Iu(56VmWESw{|uwW_j{VUOq7>w1~V$TQ6V9P z(TOVG;a&}1q;!^rH#k-u87H|5zYZ8_PaolP3DczSEHS*o7A+FtA7>eYL6nAY$S$f2&VOKBJlWP@NV1e z({ z48Qs(8tm09VOvhoKY()^?n~f61l}~~Sm6?R4Db3JKawR-fN+*%l%fo1La)_JY}QN4 zZT>%W{bO|BTk}5-H)_<_wr$(C&Bjg|+qP}nXd2sgW81zzIp_OZ|NFtYo}?=)YxS)? zd(X@Z0}{EEge8-ht&9tLI4ipFeMU5?J=%0CPryVJQy@blXirA$tWPE~N;NUOkdUYu zR5`M?x;Kg~N4c$9wST15;8ZE3aWdeW71om$XR?V=V0SP?#s+-%VsZt4`t%SXRGJzB zuSz8paIg^)4WsM-X=OW3%qZ}Q8RL!K`xeK;M2Tq`pc$0jVP2NW#{RU?qoEm1T5S;F z<;)iKYEYbIQ#r4qAiY>BZxgRP{F9xb;@BN5$b9>mEp`*vFfKjColI`pZcsz^kjm*c@Bs>?W=bwTIz4E_6Mp@#BySa+}hx4xcz6AI`yU73f? zY&Nq)b(Ubpp++C;giG^Cln*ATwj|g_@(I*jlC_v z_J7(G9_Z`o^y;9^^~uqaI+B(TpRyHMw_4!=*d%1MMoE+Y1RH zgvGYpXWg&RR_@o~a{E@$@fNE|Gyo_j=GYMfq&yaOH5$IS|g;!xT z?(gGRt}nlQ8>H{%WuvNhv%+rX4yq z*`&YOL4=248YP_{fsl;(y+oOir{>;@A9#?x7GH~dyY{7w1dj$|vYRpS5(pbZ19vQg zq{}Tmc~yiO5@x`fYeS^G3}4ex3BA*9w3hpP8}z(_dLb%?uuzUS+u`@OXDcONs#FM{ zs!(DpPKIu_Ed1WEF_$6w16n&;Oz6C~o?l}rs{y3@3{M>APB z!+VE9IgMjE<(c)U`jPr1|K#!3;HGRTZ6|i-6(4qH@-FkuT1_@|8w&(i+QrYRa(yAH zlS53%(T{LN9?S!hSKH(I_BP^Jx`#YJ021`H6%qT(C#z#tDQ7h*=k0V~^4r~J<{}6m>=Tur!wHdq{+w-fvch!VpIsV`6y*oBw1`>QF6Kx+)BNskZL13@k(4f@wS9@gY;NEP+WGN z@rn%y_GdcrxkjMto7px$&YYyRrTh0txc+L|^9;yiyOCwPPPzP2f3-a+?^^!NKKB0h zP=4HMGXQH`o&5qj(mh19MHd1&>`ne% zQXl;~Mh*_y1hF_|fTd%xQ0V4Fbdz^L%_btWVi2a_uREvw8h_wVwJWSl;P}a7L4&xd zwJ46LRC2@3LdL^-Ld~?f*X$rM<|M4&@{J+JAe)of;jfQwBTlMVvcM9EVZ#yoWk zV(qtuvOQC>{SeLB!C z)Nr+1l#QvvNrp)Dhg zehAg_%~=;em=#r?eJ{2=$5N2;)FO^HPP7l75-Oaa_>U&G1G|Xvh~pfAR-SlxBRf06 zn8@{YJ>0&#uV%{ye7S834!QhV@IofQhaWqVrW`?4(_#wsrQA9#Trt{c$GOOY7V)?Y zmk(kNePTlJZzUm(H@GtMBO(IzfMobnSCCZ^nNE!`35F{Fn|~0`58_vxR7*W)JXE(= zX13omuO-h_t#WBf*SCK}@E7|xye`j$PCKd$RGu;&r+T_4pVW4~S$NA3z4o``#+moD z{k0PEws84-N#azXg12E-q&<@{`1}Q=NOa=8!n3*xuzoHwk2C<{-Fqk<&LquvA)#d- z7%Zjzu!zIyXrkc)0k`~G1%GlYAlSDv7-D!J4k32t{ky2l)mxMa-6y;bM`dgVx`l7(SuxEWcG_Ty0u&1-~tYbO5PJ0eflNG-X;a<(NiP3}nc{@8iZ$(rdu+!&PtAP3!vHX| zd``?8(VR1cJ3lE_u7s23qX-m3ak9Du`7T+gB=ID54G2K=N19 zj)Bx*3bDVciYk(Xits)5mQ9s&9acQ|bkhit*XtPYj1GgUE6$Hq8#hnyHH*)*_7?7; zZ%)ef_8?gxXzCB&P3LXPd;Q5wvNwbhh#Jj(RGYF&4@I1HeGm}9{H>|A87L7gTkFS< z7h2ULw@eN0u%mxE>OHisg*fOyl!ozItjVt#2cF_VdsVHDhu2b$;yq~RWAk~^V6C*E z6elavTv>8Usx6Gc(rQ4ejjC!()g-Ll8&c3xA-WNl2KcrFXWytwRDArRR?5d>pXWe1aB`@dLcSXmwJz0+7IVry^|$V@MG>r`wr~bppm$~ z8{o7wpAW(}FuR=ru(_&KaJd$k7~UST1zHX1PA#Swdu6sA5XmN-*jBh}KNE8!59DW7 z+|Q@iM#Y?OGmhk=RP}**1A=_H-6pVvv2kmJ`~L!Qq;TWgUc2&t{|Nl~n*}%NVjXU0 zgO9dAturj zME9gr?P}G3=-22SgZ7hXZKckVa3mxU8gf= zo1lyf;pdBd&kTXhuut*LuqhubBr)v}7q(+p)aLdsWRI;ZnakOuEZ%OtR^q>8h?bXO z`0r=bmw2fOf8Qo_)O9aMS}v@~F4{Fq8u+%H2u*G8ks1O{&PTFiKd~^mwNut?yLkxq zVHyR4NrBS1yZ3!~=>9qnPE+O~`0c6HLEj|&n!a(Q3s^2G&AWoY1>J8eDrK7!*^B?% ztFzo-LgR4pW2wcUmRK%QdIXQWF0ZE z3f9!5e~@6gcWXSnQa1xI-o?b3Tzo;S=%I3+4fJwv^lk6n zT@OGI#RN~VyO$ncKWj*&?}lTY7RV5kD4q`0i62K5R*v5gD`X&Q?8#T&v!1B}Mriz* zI}HjD<7NY8dFFvudC}ZKnd?*~B4A#xt66^Fx)E5wfdbSFB^4hqH)tITdUa~$#wBjjJ^iLE>$70T*?LW#J4WkB ze_*9uCh4d9{4h$ksk~46`NH}Z&GPx-)Rafhq4lCQO+5N!mTcmQwN%n0$S-Qo6J6P+ z8W!Z|`}R++8RIKG7QebOtTlTy$!Bxn_%y<^JM(h3(P~?eBK@{2irqFBq_Ep{nr|<+ z6Hsh<{ZwjMJCj9)M|Zv!cvb`a`ssmi_PEq$G=ZCx1a%`Ns_#qm2Xqf;lfM%8ziU7G zZwTU`Kr4FZN+EUCc0ZCo;tk)jgTstOjJJ`as6CMoV)e3*4=3LHD*0fS$Sh zVWa?5j3@iGONpLwnLUtaHJ;Xp(qVHx_3*Na2gBDL>P9{;93-^MKeL0l)Hnj1UbcB_ z33Z{!=W{Zj=WpknE!F_=vC$C7FMZomit z8WdhHP2VvLoPGE1?<2d1;wNTZKm{g=NDQFQG}T7QMnKak|96;ldl(U3_if|h|k3WUROAAat}vI zm)=M8ZeY}d65C(;8c(b=JabSdoj7xEgA!k(f$we-Nwo8FoP&a~Yb+Pm_?5rGK6r|& zWyPSrK{%dP4{n8bmYx(SdZ?aY^~&ImzSR-nQw_msWQ3s84UqJ|jXtwW+BThRq5qlO zoEu(Dcyx<+z@~q&%=<}?+Wx#`_yg7?6Ds*KsxDTixdaUbi3U?f zgN+dX7aJiPXmp;knDyq4Oc(ERH&pzUFP?FkZID?wL;v}(~KmBHZKCS`s zki-N8d{}F&c>jl9)i(CQskx|&d$!L6_NX?nrr7=*=Ne!%+K-TlpVB;_C0`T%6^%*dE3*YQv)`_$H(Hv zS87)B;U|d;%R!JN2O!H8_IKM-^c9NDv&ZAp@-SQ@GKEc>t$PGK* zpy*DG>?u4$xG6uZB+B!OF#-pGe1R#^E`~J!15EJ?OX|$-(wUC~80<$27xF175o#}h_W}-~l3p(#vl5Ji%YNiqJYAi*< zDRs-ocEr7(LnellnQ=<8w^j08ue9({l6@@5UM?BOf;AUZh96*|!4=i@AfdaT(QsiW zU5gdH)pl^8e0fMREZX~)uItkUA;%7taVmxdT^+&^e8LjbdE>F3n5HNC-ub%_Bgeh3sq8l=vo|Vg&D+OEVFf@yo=()+n%#?bM}2QY=0{oCZWhOn5`S{ zW1$Yv2neR>ZPB6LEm;-_Wc=9s(2ZECJ#GLPPl3?mfUbeb5r9;e9z$&rTY_Z?CSs`& z>^AbYwoZK-@e*s>9*dk3dn6#luPX$)w?hswjG3PE4n)VzjRm*l-i2#v-v(!Rcni(Y zo-sVQ*Y-m(|~6nx*= z0Hj;o_4A?C|Dj2H_xp+@S?Aa$nSstPL|Wog|9EY$+O@-Nq zciZ!xX<&#mCRwj*&n*cBMjd*!_M>(wQ#q72R-?Mu0hkV+GA>Tb?anP%&8C$(4~1mu z6=P}%ya6N`Mu-~^n$N*9G7W+UGO}|XCc2VqPqI`_9;U_X;X_J$c~*f@!}qKD{HbeU zf6=}ZEJ?2_os^XtIe8HYI%Ir@c6+L78;a(@LfQ2N{#_4{;k2^AW{(A#l)nml4yqRr zP6k+)ZYcYK8Ndf)b;$KqXKl!PW$Ku%Dh9m08iRBBGo23kMn~;Uxa%GfoANNMifhxS z2obl^NfWa>A}%z<7aoqN-#8H+Y-LA8A{0YDtK;ZUoD(UdL&qVqZj8*k5N1&c4rf4M zF)hwN6=IV4LN#6xT{l#Zw$raOVA#6r5~+RqfD>^HSZo}Z%BZ2R7j z7dM=rY}8QsgQPhRL80SFf5D_aKqbEqZ$ z(Cygax)U^N-iGBs0_--z&zGOMe*@s9^4S+%jKh9?9adW&pPn9G_N=r~a?&?iDvm9~ zgKYS$0s+DPt4i3yrj5^JWvWBLzF{Hen~%d>C(f$&jzx)9x0NHe;J9Om!DekbnRNHU zM7NfVk;nVY9C@pH$?G>5SS#QgE5dJ<#CkVB5&gl9vFGDLCvan(pL`x#>uD-PZ~+@f}Khk7hWty_Whted~qae=4(Q3SajW#^KzkUo|<$h zi3;>Rd%dMmD`aH%27O|;ex;+1APZV6LW#a2o6zMBZIyCN?u08`h379AF~}2Q{7}4O?L^A6d&0+CP_*U`4S0Tguigazz}6f67im zn#codT|-esOqs^UA=6Y#ERjtbUq~TG9AmAunEz25@#d-J^YRie-&zRDs)_c*`|lx# z8|hUfDsFRY`m0H8X7JwMw-#RT0lY$?ZP{-eK{af_h5Ecju+Bo`8p9|k{F^Yk&9Y)p z?`!3IPq506l5As_V#JL<*k(l{$-Yu!_Kzda7T6>hojnfq?9I>O8aNC-N)d(RA-e^y zh+(*{y%~j{yWSiGpp~5k<*SvaMT*+0_=9SCkNPb0F8MZa&bmpzd))hZMMaofcv_LF zDjbaT$R(I#wR$NG6o_Q`2)Z4(wjc5`UzJaRs%F1B9x8!Gjf#5tnQU|I4)ulyT#Nj~ zAA%AQVPP`clOiYA0kHJ_W;V&nf;iUKT)F<8PANfui?q~3gU;l+eJ|a(@i?T?19uEa z1U+CFhu(B1q{3CsN;TQ3~(2lHddidlmiXA`@VrU@4(x^gcv3s1-+mC=cpiLjMUa6eYwZJyXSh-vvNzU4Cx1VB*l%_D zt%~Zw51ZSY*AorUR)c#$*MI!C_?mwQA(RA2;O#T`Cm%n*eN?TB5*zF z#{^li(TNbQU_)tZS%r%}VD58(ZdaEDXSLS$NK5SpgzBN*o}8oSp#uOSKlh&0tOxN> z)4uc}gFEWv%Yc|T;GS$zB|0zON6rd57ke-)S8e=~q#S7w(Io)ji-CrQXo&R&iiZ^! zt1O;DYRTuyxEL11`j3LIe;mm1{sGhK< zTEo|CuZvSkgZA4sDH}{ZX>nkqSSjm-< zRRT8g`O$+^D52enOH@@*ZW~ztjBWmry`)CyCHY4w1uw-MY@SQ|=;Y!-w1~*V0oH-+ zknr&}Ar_U9fF+z^v_={~_KAU2zM0;sJ^~g4*>Ez!VX78PHH1poe}u^T)+d?BHape# zbP^GvPC#B=j;Vg`7QaG3LWqshRwWi2jL=JgvZKGz;*N!*&@rE~rd>|>rz6PZpr`(9 z%S$akBOQB}8{ijBTSNBpS?;XoZX8%|KB%ppmdt6Spu_eY z?0UV0@D+D14s(1i9`)bWx`YLJrwueh949%3&Yzzw^RQqF|BK}d=a-5Y+hh^T)Xt`-9#Zz`D&BdJPUC6Fg*uTD9&z{j?z0|UXgdW8H9}=q zwM11*Yjh}gDY)2eJy9mC*)7H=(b6{?5q5Gt#*Jt*fXO-;Fn^!%~oS5_v8o0Qq6vP!*oDua^ zSJ1KBP(RNT`eZn~fQ8f`m&4mD9azuKxZ&v_WUA5@4X~Np|0f4~Klwj77^x&_q!I9q zJTbnORkP*Z+~THtz@uWoBp6PMgw%r3wh(ZnVNh@^DG3xT73E3}g-2o#vv-DypPH>tvm{fHlpM#4 zBz}S-$aT}=XVaFK^nC;4Je~n9Kra9tAoY$!Atwm6(9DeTgoNZMwA=t=Y$~lz86APH zP0dGTifKs(or4dnnuKM>lNPxMWcIOEcA>btI-Zi~7a%+w2@N>mMaY`C4~gQ4an3zW zO;DxbSCstDI8+!Gwlc{xEH@E{9m(iE@F0X?lKZc;d1g)^y9H~e13+9|GXWbJVS;Rd z+g~rygfnxFn5EE(2UNb4rp2uVbdgH=*17lukO!6+S0r;e|2twl|;CY zb4U!MXGw$@dO~CWI)DFU8OI71ggYI?D}gIrZ2xdl-ptm~sogMRx|2dt9c?D);psTK zlB>1~EC|pyMNBJ>oW=c~`~Cv-gATr>iLNY9yI{tnD8*wXeMF0=h)w<{+$yX~k8}9o zQz5c(txMB;cu79fVRP54=eMG zHORx7V_g1gK-;q^%y#BaRMhQTUsC*CIoAWNU4`SSwK=X&U%cpz&|}$Z!T;L=X;2E1J=+8Y`wEyHvn=@ctM4B zMUG*JAJShDO}`e@Wcc5_{qKyx3}pDPlv0yN(Rdt@y4F%+uf#<=vkGVg5|6)>0aCBG zOD9fqA4*8tRV^6_hW9!SR*@f^6zPs>71iydRgWH*U58t{kVS-mj4>Xdf9WLY?%gnA zZ_Jy+>dc$FcSoVksOLA(iig4OBaI>Nz=^_Xs*S0;n3r7@uHN{|?`TSMayTkptN?H5 z&l(%~A_>_%lpe>&C@1Nw=!U}Te#ekp!n1<9kpCP;I5(&PcXA;iR_D*3zaPZ|gdvYu zQ(PtXYtFOKJm{29n3lhiG&q~|ht$-P6dY8_LR0>ZOF{}a4T_AW&LvyH0RdrfTnKM~ z*r~UfhYShHwNT?onaQkIyKZK{Sh$4~!(gtL2$2O|GuHV~YX7a%Y*@2Slij-DleolX ze&nJ(AgvTJj*p*nIuVZVK1^~b+#3#rjI18L;Djgy=4L42X{pg)s4jl+Lc8WkCQ^^5e-Eg8k271^>#N1 z(99-QS@t!TFDJLARbVYXmciAuyr?sp6lLmJ@=Lz3kcLXvFSWUiPr5bu;?ka(uA~!u zOFjif7}P6t@nFf|RyeIbg(W7488h}_4SP2~4()e;`6*)eTT3LQ2HCP$WUuToOkb`G z5b`E#l8esX-1!X^;)7VhsRDv8lxYj30AV8+=iL^Dirj*e5C zn1yms%@RYwsLE4W$jVdMOXk@bgsF#b6xOBImZEW?-23@Wy{Gr&-6pVAZs$(o)ibW* zlMYd&W>}PJs^Hy{vFmmW%V%uzc~^qTt-uIXUMw`FwuuR9R!Jh2TXRv*NHPJoQ@G<2 zQ+}RcQ1d>nm|z6~741KFvG>NICpBdD*~j-?of9XZxnfk6^x$Yg$X4aujaV0(Gd3r3 zw3Ay^30wh(oQv~sK(39CVPR@;aA0wEy?*WH$ zx0*sn_j)jz!?xh8Kp4y2W#|tfTUYakdf9#8d=$Q+s@V9TmJ(aJ;TMq_{ zC~W#ES}z;RUd9}vCpVsNF9oUemRYaobEJZfV<%X4uS~B;I`kYXS$>~@0UiWj-J-y# zLCXKtEsEq{hZug>rlZ{q0H6oi6L$dYAP@`^DK>;02!m`y>o1sttsgE`ecnzG6yb{* z7VF-=l@ZuzOWFv(sYinC-%>~xTn;cQ3x$tM7vtihST>fF*FwL!m52)?9kX|5Cd}l@ zJ0#Ct(Z>4qz!rmdOX1l}X)K*ag>BB2faH`#qD$F@<}Ot}4pvErVz?b@aEm4O*tG1x zO)naCt;RnwL3Ck9T)3ddw+HI-ZRyoxXErge)kqucSF%j1Hdg$~x-mb3;I~I)jhR+Z zwthFxNrt*6L^xd*Z~4K_?n)40%=*glHFg!3*T0iwWd5dX@1_Zz%WecKwI-cCVoCqS zaiSyK?}D)1s+REZD&$cZ2}3uUI5*4D3I^^a;&P;Bq?NT_OLm#&$3k1vtr3tF zXcJfYm6>;$X6>3Dz+Jc!C-jj1<)#!&<|f-bbKDU9h$ZhWQ#aX=RtND#^-jcvUy38X`+jQ=u5ypqgWC!ECAsk1Io{E30|Hw(5Bq zaJvvfYBvn<2b}(06C}NZjgn0~2{C7{p1W~n=^CdqYpi@n{6VMhoP-hJlhWj_&Z0Z`9W0&0Y_(&ESr*FJzE7Ixh-Pb2x01)dTq859x}1Q5;tw8 z@&m8%o^`8jAZ=qKyMNF;&gd8Arl~6a>j|gjz)qZBc&DP^RRc>eOHi7WbzaPXF7xK4 zmty}`G)ogX;jFrY9-F3K8Gva(;mD=&qHrLWERg;=rP&f$30;5;jNf{c-}*6(hKpm8F^dKNY>jB z^gGGd4v;u8DEYs3fN(&S{fhDdq{R*hdP<-)>H4%`AUD)K-zyrmx*54Zg#D%^15{Fy z;?{j(A#(Xc7$q4U2Qbz~NLDhp%GrQaS$TDVnZYbA-}pZT(@BgWf{O4IWj0I-ux^>@ zo%mBfy^Z=y@K&>t8LceRQIxG5P7*{{N!>C0YTMsIjs@XFG>1aP^*EadM{4F($ksSZ z5ymLxg+oyM`7E@UR!!_|45WbvmzNEMbh|_K_a3n;v10<8l0*j|+718hLD16BHliJP zuWN)Dq@fzGOcP@%mJKbVFKYu^NfVuyOSm}Xi}!UJNY>W?QCEOFX1L8=x)I}XjO_`J z;Kvs>V62q60cg@&N$EXXV#Yri^FMlwohOP#<^|;Tj=wuBI0dc8@O< z9-mMJCou*sZXOCds<|qq1tla`G{i$KJi=#4MwplTo$H-{D}OY_xO}!$MVY&_7&(8C7h3&aIYHn7>nURzp}`j0_Fa z`GkMwWuQ}9cHzcvQ26s;fHR&5ayl>!@`QWUOrXYw^7TL~RsZRG<$10WY6M(@VDSknSIKwfe zqBQX!6#=2ENYGv$eZS$ZL}U2E_wG7M3oAju-0wuRRi!J^-)wr!fiM*^USSp|tO>^P zqDUBi+)}8viKGz6K^Qq7W*#JEN`n5-)!J59SHmi67IrI(3~`GLinA$l1)(L>?<}CFUh!FJ7+mArkLh3&?CctM_RE&+7n{L|}EPnEx00S3%;=spc zU%Wx4X28w*1&^VCV-o9{vB1U7;CUykgL~Yf4l`uc)y2>A%;fr zq%HmSmXV#d?W-9&XffysR-K<}dKNha(VG~L z9zv=pM-ot=c9MRHmYBQjGsi7-|LrpIk_@v(E!vm&f@4uO80U`oIN3S18fbAG*_MIn zD%w?RhWeO>29S+a8IeQdKdhpRmm`cJ2wORzd&L0%nu|C2#P=Uu$%ngqtnQsCV~*>- zXloX6Mh?c`IMOL zs>=#rjkt7e`DR`RLD~BLPCU7MLafquvbL?iTh&c6ZSv5Z?ji&)5>Wfl)E6oox^bK% zx+&tl1=|}nU6724~-_Vmn+zs zHy|&`(VqFmJ)~~J6`qJN2r1q>dM!>a3~w&9JEOWxhuRs=SpHKDWg-chFop1FsM>|F zVf7%8E&<}aitQJHmfgEkZPxL?(B#36xzQqSERDF4upsT{hkB*e(h`qo*7;1B=fw9?^A~7`EHdT2sqynEBP8NzE9N+j*2mhQr)wR!rhmh z9RjqiE7CY{d(q-@J`Ycm6RQ2LuK?t~Q%xFl0hZ`s&Oo?L&en&780g+T&q#`55Xy&6 zydN^ZVvFGB8Wapt${Y@4+8fOI2Nfl)<(BXFI(FlHLOe?n4L5#RLL@Es!4`wVp{ijV zgi>&7I4RXxzqt5Z5F$=U>^s7*?G*rr^ruM-=lFbZ06_fCKz$r@9>jcXv|b2ebbtX` zEJ*(r;TiWGv1o)_w;(d?M>%Ya8g(yhjhLZV{+jn2_C=N!zi!-pUHp}vOP{Pyh*Lyb z2P7VRn?}*#P?dA4T|-!4W(PJ`PB&J85QSX+cQGbl5ST9lL?fz!*Z;7K^^5sxc6(#p zhXe!G<_@Uw#F4u$8R88x3XQ03x`~sDE0~VodT_5}!%VKvKCG7Yod**;mwZzpIy9@O z?4{#84*&hR`=z?ONj_13D@okX)+R6`FkwS4j+a`PChG}uLO5$3x=Dg5U6z*=WLO|9 zHMH`J&L7ak!ng_ij|E0T(B+4+@iqriBYeu;y?b^3tn>ZlkR-S~nE>;ih#fK^TOq7C zeN7W$^q6Ugk6(Gm*M@s^kj;bgfeZiCV=@#->kpEOC262P6;ht8o} zia0TuBixz!)S|Lbh5Pd$E9H!pT$39jt~W9^T9FSGMmTT61xUuw_Aaah?u>hmq?!|O z4fj=%c`Z>{0ur#i$!=e31)B66eA`vT-mG@H{^f%mVTK@>mM*!k(!AIZ|X>}HLcdeEv%REP(g z!d^|7f3cQ1Ar>jfw(wp&(OVmqC{`R4QHnoWW`g$>P>#K%$Q_A8#oiUw{Ozsr20Nr$ z#ABeipC@B?e?q#^e8;f+V54Vzr(!@D6GZp(3;bG{ik7vs{|&?Z`OE)>i56rbR*`%e z{+=~+sL5ejEGp~wBrqbD;3PTk+l{9NB46S?KXMBiXPTHYMh8HQE)3r>xKLBCy4AwS z&@JRUjI73TN39lf$a{JKoy|GKaR{n}zLe`8-=70}t?8Bvy7d5q+4ly=v+Sq(`~qV1 zTzcYs#OGrfN+ff#;tc(!VI$y6?P|v(`4i1()+|Pi9V4u%xd2YYNLW2iOccw_7&)F= zXlX%aah#;S_*(}*vO%LEZ}?{yIx7{S1iq3w!BQP7bEkUDDhZWLD|El{ib7p0Xtb7N z+<_&NKz(3S*U5|1%EB?Q7mPwlrkO_*WRsRfol8br4yK|zo|PRnrKrF^MvQgc?W!WN zit`H2K^-sf{w11}zz%lagm>JD0dJ)|;t^Lc51^~kMrOLx=qDpomo0`X^~Qtcg52;X4=rRRdC#2<~~-d`JdMhF2LbOwH(U$zVDvwPwt719Y56 zk-zrOal{QIov`)h3ZNz|p;NVoHWc!~S0!R=8ABL!S$z7_ec8GqpI%;Kd{EZ&)*Vl^!J zTVZoEa40hyaw8W$xl!j$bjo?kFIxDqBdk@R zMXTus^)&tW{?Irc=AJ(Jz*H?G9`UOFtTvpcXw$A}gvIE_4_LkoC-U5jzuk*6vpj}L zDeL|!M5yqt^u4tOF}r;CCOg>&4cR}XIrjTD&?(y|W7X)Eg2WTjG2?|Oo+qPmD1oL(JIODa95EK_)!aD%ySz;t3la7neF!qxMWa>dqSCoL(q+E`ao0w=OYAB*X^;jUV7H zY$+<-p4T)UVh>rhcBO36fLd{JeYq1`8$w1tk(xxBukjf6-tY>ix3^%;6jm=JWC4~o zEZ_QuP<&%o<_1<{lNytGjUi5QdwiSj?x4tc&FL}Y)d)?~fmN%Ywti?T;z;L~7x}49 z8KAU9XUIC(KHQvXthKs)G|=x{j^?$Rnj~qoH!%Nceg^wmuu{oNmU%?dMx1(vioCS8 z6tV}cXudvS_qb0CM!|T-*f)`TEbf@xaZzICDUttEktOIwg)+*6g2G@@V-nYC`t7vv zg>=TXs3$ExUKYJLZrm>EH0Q3axvu(GMqNq4kWN}*;*Y&`c1S4Lj`rErmxI*i-!rjA z51d1Dx)Q7G;+Bzj2+TFG#+g&!Ugg>3(QT_BhP?pWYg3U2jq|vK<+mw!d~^2u3Mp{@ z?(q9{&wP-HZW|%Es%;jmsa8_7gh64(kJ*=;GZ`&_OJWTco3$O$+qzMFGw#whmgtyU zeEf8_kuwHDvUixp3LQwKb747 zP_gUy|J?s$&mR7DQ+_=mUq_i< zM%^IbLiA<;ulj$&_j?sV-3|!USB6%4pl^ci=lxZczC-b$P5!sm@Q36V;zFK5b0Nv} zO*Ljpq;%b8r{U^;pFFvLo?RWOdT9@ptx7l`ezoUIQ(8m$k zecAHvG$O=7|IPgG7Y2AZ;xCa%td+~yzjv4{+6(ZN2V94J4#BQVPY5^m5TZikMv#i~ zvKDgdn8;(ZD&Rfckl-1eoc~ns)Bvk`s>k5pRpD0)_^%w6W9`5H^E;u4{-GsT-unpg ztSv8Q`bxmX+>DORM^4jV9; z8J_*K)6sq=bl$H3-twQt^j|WT0ARl=t(Nvj7#qOoqsOfc@SxdBV{L@#hd5pLW0Dr0 z@k|b;Y7-dc?LLUWIS>_&#jiaV@PPON5bR%R0k};4j%i}v$A#ctlw z1<6Zzz`XBwN^dSxw%1?m8IGlcyAUXCQX=|X_@|thkH`fXvE6DUq}W|p2EgYM4*H`; z`^4Dj^EG?nKW$_Hw~P&{>-}u<_I~Lzlt`gO@5%1*7aF{SiRFAGf$VzKvSwRK?*;K| zhFEslg7RVntm#s{@U60qUeOxNp+;#+_!(qczLhxkxfa8Uop@Q#1KR4^_u z=8DthX4ls!sPNO8Zto+YKP<3)ij0B4&ZW@SbD*gzpgZMX?fZzbF2UDr1&y@~5e2QwWp4)DX)969+;vxf5 zOf6nN8ajQqX7{*0h$xUqoC;P&P#*_=RUUE&=^D&L zgh%k<@QPDmNmm+}*ak)rG4iig!Pz*Fp>f}r1%x(I1)BV%?L&TEq^M-6q|xcAny9L% z{#5aT)XGZo*?R5tq|^KT$cO|4xJr!8MKO5FLX<{yl}w`HI7*v}iiPl7mC+*j3~zmEwKq+P=KLBP;G*ZHMgg1!Mm z;QRi6KlnqSIv-XoZ%*|-(_8R=nZ0-vod14*0?c-6t<>#W?IZ#OTWBoX93Rh;9(-+(|ZP}uJylpOZe)Sxn^-tV-J)8>f2=Ip*T_&iKmY?u(P zz3=jU6liz2$keAaIBeU}B1bd4{`xtVPe(1e=X!?hr;674oUt`b<>RfO%j>4FIrhQ! zd>{2$W1wL8&7qHc1p(L@l6~pq^CCG$Vkz=d*VL<1%I0}_=wuZSi|GIF`Ty@tTxiAO zgwc5&O943NAd=uv#tjAZ|@5?~?-~NB>y=PdH>+>#3QLq6j3er(jM4E!q zA=p5qEd@oSM5IX#9Rh@a2#81%2p}b>6p<2Y=s|if(gFksEwn%)fe=UtoVb?jfA-n? zzt6S5?(6z}fG=;7dGloEnS1WJ=XpKY?U=rNV7&VN`Q2X#Y!VPfD>g^%`;vS`g07h$ zEP1<@uK+4Ti!p$U@XWl!!>LO(v~oC1`GZQ#qaJ_8l54uKC?0AZtUv=E9ppO2?6&i% z+HP$?MODLvKVlp)@@5x*-<9!cH|$$;tE3TW>d4_Q2~$5x^GH|})8E(r$Di%Le!#(Q zmd4#S*~O_E&#-G!FDf2t&{qwsJiLwt=rL3JI{NLlmIsn$1LscOqzqaX$TQV63?+>J zFQ25z!cxQK$@nh&8T&1O{ZR8mviDvdl$v)W<_S#(imwXNwF?T&-R~#v#{|wNz~cy* zS|==@*`@z=CI9s<&2PcJr^|+A0KNqCy#_2zJ@vK|OlgC>?Scr>k|Ji(SLc;f7bc`+{6CkSO1Iq{Li8HAHVwFuE_uX!hihgKYsOJf%8AP$^V`E zvydXw9-#4nH8cwa2hvRrzoUdoZvVT{4%&oZ5B!pe?+!Q6U@Ry|G&uO!-rI7fkjbN+ zfJ#i|JS^K+GMC><>mN`OvU)D-;8q4zP#|RNY*zj2qU}o+e=kzs`B{|-b5Kk;6U*q) zUXOe#&qgU5YaCurn@tpbymRT#N)CE4m(TYwE#`_dvpX|0lXOmAK6^*6h-pu}QYYcz zkB7wj&nG1Q+*?H{6FE=8!2C8?!6o@prPMk1$M0UpjyB z>?zHdU}J~#Y@#MZR(yXxAp7x;!d*Eg<>>tTDY<6BfpXIlKQ_%wgZGEK^LYX5*}j4D z$Uk5!q@O42U}R#|aQ)0XF-`Cp?I>?XDZzY1MW10SFGp$ffhe8Dt|sx|wBpsbr!%H#lAqmN%?{90Z%Odc7*&M|*1>GS?= z$<_a?+Yg@8qVNjMOJ`a~PQ*c!h%eY&Tr}-ZNu@dbkEOKCBZ4JIk93MlGx}RM zD_IudBUkk=F^e^DTiNFQ>#yxBBk)Nj_eg#g4jzWT-?&zH?{_4;mSiqYa7jwP&lZ9_ zeWND_`Of(5!y8P>EKhQtUI;eViLm|i0dZRYIQ*^LvsRy6nMqwWS-@I zNy5x#-#E)3ysu&wOf|C41C(lu#xUU?2uhDV_-$+D7Q;JOQDkxdr9+7I=E*V^;N0HyY3Y+1b$=}d*=2gEmQO(yw>*4E z*?O5iW8Men(HXRSaM{a)yQ`?Dm!Yd4((5kC-E)06^;7bsU7f(z-(k;)krxjbkyDU8 zaw|;U*D~gCzP?i$w}4f!kGEO!O}4M-G$u3*dr*f)Jzj&}ZwFe{NWE_OmbfsuDA64? z`GZ@TGIcD)I`7RD(~9(qk$jO6e}^!AlwjO37@%*YOtbBU0{Li61l2#!-0VT63X zX-^viL&MMI`Te5h|K<&^>R{7Nmqn(P6@c{m$3Q-)3&Ip|4 zaV}g!bLhG}iTFWhfLD?BCXG*7LR^7DU8-!3EoUF=oR8tro`TgDASVW@QbfWv zKjOl`*wN9aS1c;byYQl+RoZ{`Or9 z=rzVho@aHBU39tJW3k2xypFN{{JDFZ+!G!h+xZCjhI5JS?t=X9<#>D z)}t)s@H@uG4G@Ks)mp-gb14bH`jQ*7x!r71S}$KPa=>tN{~gSI(foaDl6i`sex?ZI zg%*(P^KcKn7VtVvZGZP`8HsEA(>?Jdk-R&N{24Pp*SP0GMD}VpUsu;X>HzO9ahQFi z;e=~E^PwdrHCw$#9gD4sg!47qxn2W6Ynh!xVWrFB2eZNMd=DTkTf#CQ&{0{4$$&?kuI4Lg=o5f`RD~%Ih=1#-w=o_s@Z>Kb z<>>V`z{l&dZzvX$i>*m5XH^vTm%tN0>B@ZM=j7=0kDGm~YO)DRlt~GY|Hqp-31B`T zw9eUoRHU9)oXk8`x4*T^pjtDe2kY_KeW?cqX(zTEPY*J8>UuMgvVDg`T0UYLnpGoK zdCo9W9M5r|>89WK;4OzhaAAhNZe@9wNtW@6v}I}Kq-WOuf-cdQCsNL1wKz19x7R;) z>>Lu3#g;RZY<=|(MK40DCuzxB;cX@d`;Jz>C{rl!AzwxKW@(PnUTbc%+L15EFDF4C zX%A$;G9+Q04;KYq$A9n{hre#(q&-PDQv12G9Rq~_TFAE63~eYM5qT0%&nxbp+_N|v zSe{Um+c{_`(=*xA-(qQv3ajU6>1g8m2QR$1oAr~N_auAO{`%tz(tTA9kBZTa;m1Hw zhWzDx(xnuI0^9lSi>9Z?^wI!gczfB8Xmu|K;R_-k;19=Z6gP($r|3rTmkLzr!cj+@ z?>sbeP-PtVESKvw6lADg3}jl9Z)Eb4ms|+o>WYwOsK})gBha$RuELsz4z*{cj_}Je zme;1TWEg9z|BX8tZPXDLqUgm$A{p2??J1?JrtPXNoE z^*PMvG`ew)=RM5qnW;}w% z>wd{~&3Fj@eDheYev-nAh7P{LfK6VtQcx6gr!r(=R=fu!xGtca5Ar6ETg%iY48Y}r z1=|MtYXT$5{@ARUDnl7z0y^OJVdK=>Ajpa&4#5>&p96ew0+Lh(H4C~JtcgE)i>Sia z_Px9ER=3RaJjjt(BR3Z(9r#vE=L_tk)2pRovDTL4$%woR>sK({4M7vo)P>;n(Qj6@ zXISI<-n&a&NIft23wP9GZv7^h{*97QRzQ|lif9Ie8ci~D{|VP%&A%9c-+;(u1ChiH z3V6JtkzQ)14*P{rEMWvaD7cX;T4!fgEUfBcvb`McSe&5}*XeH-jNN77?aIndYS|dA z&&2QsO~Ey(w@5j4e>Fvrj1sCb?5S-@^cMaeZlIvjFo4?r7L>bJ$=@>YxdguwD-t&okU*Fmp5F#pZZibwNTN*w0IKX4C`$# z9a64zJd{wbcC}iq^8J!Q%2l*<$n0M(`&j2=u?WNDBkm$iq2^{&b~ zEyG@Gql+4bD0>*(y}V}P!B#P`-}BIMT-LmH?cnKE$ZY~;bScF5HqcRN2-oIB z(pk=byhKQn5vU1_t&&UMmi#&2Ea?TF+f?ZEwm3FOQ!9pldz3BQ!Qz$2ytHzGcM|?Z zRcb0)rFk7(HoFyd*%NIHX&cWW<{2gLc^37o?0muW6bfUJ2eofKtrZ8L*1X?(dJ{8i zRAxK&6VtdmPG(XQ$LtF6Nh~I2(|Hv&3O@`oHLlo`!$;`o(P=Ty<-UX(_|5qnm3L>k ziI6(mSH!O#X`grsjCO7;m)S3F%l1D~DDYP4_+|ZtEUDgazI@1YQc+WSziODIGj)q| zQ9zyd1YEH`e~-MIM&jj74>}4>a&61jt>eL0P4aH|q2B%E)^3=ZG|@T#e-* z#5aj8+pZMgXsx6dZ4w>+^RoS&Pt~>4x1QN~JDJx0CFhHWd@~&jP}o^!9ccKr6k48; zw>Sl~zjBy14^}iJI`Lx5Z`eT36FMNvpFLyn>K??irh&eGfm5RGeQ1J@`=Nqb1L(!w zIDj;sEPZ-rfc|L7v}SjVd&s4jn49WOCk)}AN#M9Sbb=gS8kZB6Pukm%Fj-z9)3#39xMo?jkEg)@#SZT@TkwYbkEp3r z+24zbu2i@p>RcWIhDX$!7bmvb4iNdYm`uaIgqgjQIT+7IC!s~9+t)xe<1Vp73MF?{Gy1(SUzY|b*n3CWYZ&>7vm*ce z!cYz*4TWUF(tnPqJe_QQ?^H>ECR~#hjD9(J`36%BvrFv+WuRxG(R=dp)+gWhzP9rA ztB_5i?9YImU+i+Bo8{>N{;~>XUYYCZQg9K-y$D-k`-6|Zv>)nptj+*2<3TL>)a@86AjfjQ-JuPslUuIqEH$bbgdztse5N5+ZYJsuZKM-Nc`F2*jYL zhx+*9&cAkQ%m$TY0)s*;xx+qh8kM0aK0-g9ssZaM!ygB7VYSy^j zS2-}h9$+BUT%)B$w7=$TIjnTwzNepN57W)K^n<}v7}YXp7&7;zs0R4y`1928g_cdM zTVdGvZhujkLn|O0Y@9p^Ix^pyVflnj3o{ORQGChNy{`0yvt@1#d=lzfhefGy&T>oVHejWxx zq{FG1Ifzh@`h`qgwYM2tW4c7VAdn|~)7=&hZOFg;DGjiR>=FHBVVz7-tBj=u&DFyznPBGXE~ zTA5I)nVb?eSAZLj)$kVBrE-@!qk^XBLk<&lwvp@GEoR8A2xUtD&Am)cevzWG>F_2< z87_@p_G8$}ZUU^^x0V?A#EhREKg+7}!xR0+*S1K3iZS5LV_lxzIiF(?`lHJYSMece z0oxN}LZ@)dkkbQFg|LCG{+Su-C0ZhDQp=GX3(L5GlNBu&%iH;d?HfaBhTU%8|HyRxg! zaQ0x3i=Rv1gEj{m<*%v(r_5)5{t#fmd-JP6zOmXidEA}~PAHqOt9}UI>Fj64$+cCL z(Y}Jx1oXx*Nn$p zDR+(aRh&muCGy&m_k~BcXk?O9k8z`*a+M)$+RC(5>JN$cP){_HYUEZTMAvINlAalq z+l8id4tZljn>Ks9)V2%vSD70SKLdC%q8%X(5jl#qjxvY5hL}l3zlS?qMVyU*!Yz%; z)5g;s@$p5Z=i}<##(~e&$>DX?@7u76Mx7E=x>6?`^SHF0ge+|I1SiE@QG7!8m=A?~ z+}z1xQ`vgfxe|it+7f`DI`^z#r%{^gaNQESte38iQEk{>{b@?w{uZ#(jI~tu*vytn zTf3H_RANfN$}O3Rt#^EH5Xa57TMo>>6yKgbxLH%GBe|Sec_QJdig@4XUi3epweEKb znaim;*50y7t`f*NG5I-*HA#LZK%n6>*lIzI@0gdyxRLF4tL=naY?a4X{YqlPRrOTu z4FTg6Rq9qj*_^B5jh$a?Y|roqZ#XbJ;k4Q{4aI?;7{b6&yz<3OzQH>wb=2Z+D&fHy zd}QVgpuc|YvNlBkdRV(%`7^;%DBjS~z}gITO!;_2x#HT(riNI?F#K|m@>O3M@~N}i zuG}e>(tujOhdhSUy46vkdjl3v_CT|qpDPzj+115^GAOplrm(r2}&^BMw+=WLt z%mGgQ=*O{q=CbkI3S8FmYr}Flw-P;fMGh}ceDEB-fK=w7TT<%XXh}mGSkPh%(F0Xl zg;1pqQf6q#odMUEEYJYk*EV76f`uA?O-zhP7dYEm%mxmT#dp-NQ@Bt(O5a`DqY^$v z5Xz*jg#WZME?KRok`ba2OzZjV(Vw5GIo zea86!40=lbm2~sp37kcv#W+{NX4V$Ww0Q-4fz!yFCXcG#QZ< zBli=a%eIg-mqtKlW`OSDo9@Qup7~!Ja`zZ4+D?GF0yXTGMl zvzq4KLGG(2G)`_+)6CM&ZuQ_WyC2YEIRE5wD`hHo^$jrF}C9WIbA$cmJR>zZ! zFgA;rpKPLap!$*|Z&Zm>U>QIdwkP>@1Fg(k?k`gtYZ110L*x(H!Y|2)g~*^>E8R=_ zAi(e@u{SYE4EEC04vZ(euazzpYi%>rJ0M&uXfXVRlIE^P?}BP$gRJEDXHfM6`t33j z#!eNEYF$Z3wZ2}vGfX86yIgcG0yC=a7|k0lxonVu6PtT0E~Zo+`j-#(rOG$jO^u;x z#e~atw1;zZQ-z$*8!H8?U+#B@nlDUM=_DzNCdWPpUr$k#ECOl=+{>Bvhi#zQAERe* zsXya(YE+sxY7jEv-AIIoS=}DbLqk251Ona5>Q4E>D$>l{-w3!}di6B2gfC?KxLN$( zF;P(l^~z?cXCrOIkHwk>1R#o}qJ4%2W382Ha5XnE`xBii;idy+qb|J*=q=T8?71MW z(_q0@>dcOFE`1*PVPDTmt}q&}ZRgEv7+&AzZ*^V7sl~{e+WKl&)5d8zA9a=98HF7( z3{ink1(~5JAXv{kO7UO504fYMJpdWaDw0PC9>E%K>ieUmLD)3@#V2dQ=*>H{vCg48 z(1oUAxH&AO&48=1;RpYq;Z)G@USbKSOr{{V2=PWyr9UvE_omDzHR%;yZARakkvhDJ z8Fae72NUUd)h5NxQbtcWAs%2ZCVRpA>`lbavD(Lo4=DGC3QF*iI#|-CMFA`P;})u^ zUFEMn9TLh)nItXL8hDTr7_i_2{8|&BwaZQ#U*pHM8~6$=gMKXym?I8q2eN&7rEaU( zY0W5I!4p%(6n}HdLUlAY9YX|@x%|{37^aTM|_J9pilH@L1ETBjpwcC4Q6=j;9 zmYnKAEDInfWGI6VP|9*Ex{`D~ngo3WD{kKzJq1>#pA_2O*+{QS#vUzJ+Y^zfHeXcHaOxi*8rt^drk9j*eN zOxIzRUB$RO>yzx`T524+#HaEryl|h6!EGc**uHFqg60cxeOtG2rTOlaw_Dh0&$rXCy@z8!$nJM75%2L$)cY5C9 zY;70{JPIA}dG&aht{r~G6Z2G=y3ShGLW0R1roEC}WQE`d4-`>38E_L^5+G32O_tyl zL**}&oQ?%#ql-YrFiep56QAO#bpRl}lS(pH->a=PALrM}_MLsMAO@UbHG2-Q5Hc@N z>IjT#WT=ce?$K;quxCwgP`HQGbr+jsJ8U*5H`-m*KwriT?};2v*jfZxYE_=v#@R1? z3c#dea4kJ14_v#tyV4*JXR885G6D5S zhI!m?MBOe1KKg}fn-)32U={y?C3jgON8p7n61Zc710#z;xr|Q5m?9hdfi2bcP@XPl zQrw*i09<8Njp9lTz<*6*6GiazCxD7yTua6V>5RQVty^&#f1_zU6+68XY-YFM3U+Mq zhzDlGM~VnvuXvy=%cqpb)lvssE1fQ=qs%6-3y&g(ju0sn_z)tYmw5f>s3+WVQs<=M zqFc)5=FWdKyvIeW%tF@`Tg#LbLLguqxUxX&I#IEjbW1*74x`;7r`a zRqcb7$E#EfAc2NXrR3u1Hf)(mhr1wR0vB{Ay--L{Qa0t2+;H*D4bSt%_Y{;p{T+QnDxBSHUSeXa!mB)`PVbvPcVnMIgRC+J2NM6a&)DGEeXP| z%HdchFuK4x1?^}yo$EJyUhX@c|By7cMcOwJPU2Pjys59U(HAh*H3e+Qf%qD-(FlPH zzwYz9i_ED8u`?d(m17X8@>`&?`kQlS@IT)`-%Oou1z)hj{2H;EsC>Zw&W~+(63bL* z$POII3vGa3LFHyls2}vNYd{hyx{;A>8FNzf={?jXJ70WOe{e zsYw~-OOc1n#G*FE%~cI&)=;^7R36+$59B6%#4tjJ3{hd^QTqnw)Jb#MPvYUUD@L_l z*CM8Unf}?zL8!QsY`?T^H?Kn3TL%S_ZQW881YrlO`V@X4QM}N^ z0^d6u7rl|RyeM`NiAHz1#o?Q{_SefVkpf^r$4v9 zgrq!S#i6cB90}FP7ms$?yF2hDM+V^ezY9Z!~qXWgJIvA zz=AGFx4Y*jQ7XBzeb$d?*0qjiC!=qrsg)M}T3x*B_*YT%}MlM&2}D? zWjxO*A=4*jD2TziI~-rAi!qQ+A5@%}COWM=|BRcof(m?)uK$cSj~6qu>$YZpq%9kG z7VQH;;#ffqZ9zc@m>5yyqpf--9dENU#kWfBz56w~tC6$u-$pE7NcNiHw*2{FNe;T6 zy|>%OD^E8UY`KT)e&o>X)ZNz^>^s5`0UayM5*S}HKsWpI34PLuP@2bH_xB_kwV3I=~@le$I~8WV?2ytsv3nrG?|jm z)!=T4iRszvmB!(VS9dxy zfX6xS5{6Mb?uNjC61YWcvJZz7{Nzbrj*ZJ_FpK4g6*P+?wWo=mx4qH7C0(r3F|2IU zIer8qT8wJCR|b7ud6;RAxl|_77neDKL+a`3r7(IA!XXtF;t&@Ue?OI`igzG#NF=Xz z#OtGyV_VldHq)V>6F9zE?-q}SdFlWM%N%-@vXQ!th>aoF^PM{%1?*3L<%~zOTl;@t zx89dkDa}wluEbaBkPNr08Ijri&cnsfm2rPBt7r6*Gg{I|W5{iG9saYsW@PTBI$iiN z*goGz1#ppA;j5Al{q?qY(^+)^)|g-cH(v}mF^E29jTdCFhbsa(S}ilzyt{_>ly}1y zQFZlhHkjz=OZf>N^8yWFIAqku?5@NfHCf|vP}w$&kLtBl!m0FYM$J!^;(QcNu*7~y znx;Lh`HFPAe-Qe2N@8M(VIZE2e&)`5+7<4*1%!-vZWT;rgNdaY`4i{*=B@g^)8GJ_ zpebIcaA8WbAt$@Knxv?OXv4_^s7>*<(3pmAI*ag^d&@$pS8C8 zH~n)T`B(_}IgrieXcz!U$O+0@emdg+twC5-YFUHf=a!jJv;jUU0=C;&J6EKwFt0I+ z}jMQTpp4fOptunGwNQa#rk|ir431EN8QKgs}?F286sLS;^>qJ8}7EM2X z_px8bZD_ObmO_(Ham^h65aLG>)U5_JhskIG9y$F^EG`#s!#JK-lGka4m@Sg$_Q(%m zaU0F$;*ELHj()1Fq0ViaoIN8uEIAA8m1icC5;qznCOAguja#OrOy zTXEwI1qTMheHO~lf~F2d3kI7X>rNUb?fV`yoDx>DxM)N5$(5w~T(v(HQ)E=o3`0GD z&@Km5H!3|u*TP+>`Pp+r35h6|lK_v&J>`xSKS@QkagC@&$b82$O}1DoxDiUH;(Qi0 zx7<@ahsa4o_WrG#)6DuU^doMc(zKLb032Gc%FpCFfeK?jy&{N8nbAeZHCNY1eT+wURC#OHWx=u?U-&3y!OsAJ8&|)&)c`=vuT; z2IK)ecQm55`LHN1J~`Z${(S}+xKcphic}avr?(^3o}svYWy%x83g)J}UDR-+FOy6Uu|V+xK%U?$9+CZP;e?i~GorXq^p0RtwgCwJ4jR?}ve zFM!@qV0dI;$z4F3?{m2vMG0Ptohks*QIP@gw=^H2c^j5z5qf>}Kq+foXk1E1#-mFO ztX3ubtDzkcEh1{jrRDqqINJ^}?K8Zaw&_IbUMZLJuXuvd12dvZrQA9U{jvBWdf9RL zNhJ<V}cj{JLJ6ZwoVoZ>Z&DL;0g&h1j9y{Ns2?ZOxOY1B37N?>;Fc zjqg(ykz1&tu^C&}G*__Yv&PrnzYKr#)(6Ne690h&^!fV6eViI_YRtzqm9{C|h78gN z57!ytEBc;9mqqMvaE$FcIOuk+ww!=(0}5xO>{}+6o#%>6GcMnyMclJjjqUT2IU~+L za2OmgV4o4>QTJDL<#e`R zGJBOwZz*KR2_0D==VoZ&)BkDtu(xnC)dpjqaF>%i#R3H`IiIx?W%p9N_aD7;*1g}6 zQNaMd0|u6A`)_ZSbnBePEWiD7b;Q`dUz&;>A%M$<>ryqE{0VPS677DfQ5(6%<^yg% zFAJQ;Rioc1LJ!FNMwFlJ;phn4O_f7?wuZ;vdD@2NFb;}ec=5zqzn zvdP2@*ZP2dx5Jszxv^Qbv86M2HEZlvOs4ErN>O}H=s^I#V(bLr3L7~Zc@N0JSe_W#?OTOHU8ncWy?Aj-&1w_3TvMRpI(&kF-;twYt6G4lF$64SNYFY zIW7-vPWuNDZ}k%?c8;w!A~#2xL;` z_NqDxsf&BF@nq)q)ao@#QJ8nZsIq`N+;Ku%tMRS>d|l7*^_E&L?3)oB`uUS`F4X}piF;JrDbI2@mQ=+Uz88MVh0j{`I@$Pt{F`#XRt;% zv2!;WGl4P3&LdwuVU3$!z|E*$Rh8p90{`JA4<)!j9NlXUxpfKcqX%}|9G#%2eyn8y zA0E+a?Dkp{6waBOrzNS%(^1lW1Cx_8ua+=b&9U)S#oY^h%Z>t-OhqN~JpUx@|0Z1*^Ypj~_ z?2L(-Exe~}RU&Z&_j>jc9JqY0+Z5m<>@)%~y;uTH^>c`wYILanCAkjZYapsT{v4{{ zTxZv7$ml1`7>nKHr%(AA5(13b+h_w_zk&RQMcA0R?`^u1>Okea)%QV;e&6S+b`%$r z8CWSezQ^7yWgpG2$g;^GO>OrZBeSdcK6Gl~IKD1XNIaLck-do>cW3UR92cIY9_Gsw z4XbhQntNr{N1nITtqnJa7bJNjYr`qJ#xvD&|Ip4%EW_f1iPQvf|805j4Yh~H9AAyFSyBJQJDM>@LqYiC)XXR>j@^D@4bfEj-jl6^9J0vX0#A>E zz=eIXc+%j;;4^vxvjaY;())-?V48H8HQHWwVO`yrlTUZH%j2E@rTPR z@}xIEeb%{j6Pb(s(TI&x>QPikha6?W;sO{F^)yjooKz}BdG|^O{;i|5a5>t3VRHFW zxS1Hg+TjNV6iU+@%%TQ$e;+C@NTbz-+*?_SfHh|V8*31kFEZfG3N9ywgi7{x1 zC2tRZs%p>A80?Hd9%HA^V>}E3Cj{gzd#|eMkzwT+dJV5#xAZ{Yv&VmC=QTz>SfIuc zYOVAX^Rz%lu_xzQwDy#nJd<*9N@>s#Yuw3*;X5c+b>02YIQcr9t!K?E3eIwTr$g(sP?(@mq={7_8=w`^!BGHfBHO1X=RFr>1nR z-DCJGMjZQjq9!ysB*Q&b{yx>o!h%&c)?lG`{2&~9Z1sr(@7KZ?+srd)-!=R!0}&ll`Q*4v(31oeJsQMn?@ot+mTz4 zu>Fl_bv#Y`$pmQukRh%bl&UnF=$uL_1y0S_kL=0 ztd`xv%TB&gyHIW&ko<-C=x%}b zKH^!DUBqv#NDgSuSm3SCyT&g<^Hd%WVxuOQTe2SJMON7L=QQ3hFOxyDS1YER7ah>} zFUjN5$y+%GHd;|ZSB>s}#M_sR5G!0H*XU-8{>}`b;|=a*Jh(?=8>bbKXX$$GFY-Xi zs3G0S54xHhvweq(`gOB2EJ+NT7vMYHJgk$%+f-4C9e}M!Ex&2x=m?tWa2l>`d{6^g zDOo>kKjB_i(Ke(p%cc94<`(^Yv0fqU^lw-H#4f5GldNLw3NMGVHu-E{Tjh2EHf>c; z5uU5~F607P7aYPrZ>uIJEg)jLx}{rkOi{-*fW(Dac9x_gxj2=Hk%Ru1>tCxVlig3K z?rgQZdmS^QawwS;DU`B%aZ!Kx-y3>)PEApaz3Bi(*rlkawLbP&q}Lc%x%pb+IAd(T zKhd?7X|YQLB_U6+kU42*$iaqu>kvrSn^>ezec;qYePfNQbKwJihc1b^9m53GAJuyq zO8W3mVOXQqqHx>oxksJJE^J(7qj|<}2{TA(d2++?Ud)DFdllawrTWTC#zYM!k-2lt zh1Q$;PQ#cSuVMW35my5e#2`BOKq6Dnwc5fA;EVk3w*>2G!ooLb<>MZv^e%|gwtfnu ze%j``R5p5hn@zodRT@NghM^I6do5oDCN%@a9rUIH&}IkgVa#ed9af561wox+z73|MVS`*x!5pi{VCp@uH2-u}bjH zod<~wO7?FyJT67^ELohI+TC@VPS<F_7!0!P+vqQ2p{qNIbGLh{Gzk%x(b=2a!%o;E)&T$rjdVefKXm(J1NiNM$% zOseN#+ag_523^Nh24&#tV%nA}5>fD#F(XJW#A$rmK;X zTR2d7lZ`{$Vg1}{z#0eNVLNI5pz^cZz5sCe&Tt;RLmq#b;~UL-?W z=Y*f)J)Ov17P1HslgC4`0~^=s{o{jawdMH;JwYs`mmAs zL)O=)G-Xze(~l{fO;J4T>lO#+t4F(dyNOR0;NEGZuZ)d~11F_)6{Got&1~-iRO_8SG`YsCBj=LDa>hMI*iYe)kUYWv3pd~UygfjV4i6Sv*8FminX!vVUx!^(+k z0=7Gyo62UmEHk@huUVRSbO^Eb?A27) zeP6a;q-{EO6p90RTVC`)6CQzp&wmH%cNn(Ei6@Wb?}EQs>{9mg5WKoygJx)bV)?mP zpLeG{pR3GvdKjQr>Dk549-X)tIdBk@LEu2Y-|eV8lI`1e%nX-!d- z<^taE1)QPsNH{%=9XMAH^?Xxxx81PeG9)v^UD;*W-^IRhKX4-DgNAt_;z4nT);G^F zDBLl>K;`i&Mw*+ws+)x}7udkwv&M@53Y?N@$css0J2b^3RFvF8t+VE^pEsUsQF2qb z1{rND!ja0+!`rC(YwwQ?w+8{tNag9Er7UbM#;eFB+06C{CVq)$GXB=B+I|C}bD$la zG^^w7vVK^*2B;kH+fzr$(R=vNZU(Z`z1;s6Jk@+RDya&HtzyMKv<(^BMKocTM{C7swU{Y`v|KAFIzbF8)&Oi#21ywDIH=xO1SmW^eWkUqB|pSntv zw_+;Oj?g)B{iGh&`(sdg|3*iCpn-~R!Z&Nb(eMh(3%?Glo6wA1N}%VzQXrSVkow5O~~IZ8~VtGZZiI&3bP{&%I$(&La!R z)4Td{3RjqZSYS=+?tEVQwfCCZd_zVD$AdjY(Ho%Ucf-83A24CcQc3*}Qa)_H`Dy4t zH&qrdZm`8r_AAMD9PVEM&yCJ!2_G5>!ruIR5$w;|efbZ(lVQNSG({%UIoXDMF43an z*}=rVBa_!0@xg8i{3Er!$pEa_9+&sa37SgDI?jHP+{|=y!3cJ-!(AmHe5aTpBEcpK ziM2D~^8eby^G}L?4^8Dw3r)@NrXjnFWqrFgL4XB;ZPiKvI=Ax$&Y;}lYM+tXfr;c> zQfcq!2$<@pRFoIIm;T(+b!sw)qsp+SKcD(hAp9vx-0|Lw@Y;x~$R}~n#qhDJnZ$XF zL(T|zb=|4uM~M_Ibms1~vliN0nY6w1Lm-ZFXpWU}r;HqPQ)FU@&lzOe*jIIs&HLnb zq>7(%sR@U3LQQgJ{9~Y)wmaBvg+sX%0(QXtV$PwJUZ^mW_x``87)-bNV{ zrM^qXjs^g8GhRDYau@BMZaTqtf%<7GZSUB zD7waiPl+q(8y4W2_VO8xR3MkiZvxY{T(r%F-uH^h8E5cE+z&Xm25LdQ$y{jK_gA-}G*F zrO?=!rZ8nY2|b~-p2E1N@C-2z7d=bBiy$Yzdt13-)oMM@a?OT1K3*LQ zQ0wu}HL?DuEPJ62`LZFI2WmkL`w1WyQhr9zmZxuOli1rAzb!Y-+jR`<8)0j{QkL#P zdalTu^q|wIqI6Y6S8j$i;d@&nSKFcEXDIvr-7L=|xnvc-A+Cw>0|RNU)eedD!5JqL z3vvtFNNmAU$&s}SqlgTHZ(l3`MflW>);_oICni2gGN!AY+Ajrt;|mtV_EtUcV2y)B z+zeXj>raB@R8f>qilZ9u6ApJAtQ$@M`ra4dmRkH1&LVYP^i01;OSGT-a>9wmrkjQ_ z8SghArEj>@m+*XmHE9r#`~MKqOw4B(&~=2l^Ai)&FgXqWyjKYOHA4VneK~pJm{VQX zd!#DV;$9WluyHaDd~32DRoQ!EwOIwPffUfgUW^u5ST5GZ3gJ>ad}ZU4R3*`TQJZMy z&asHaZW_rj4B)l|M0f{PLNy}OwCf!Nea#f7UEmHyRzQKuGc$hHdD5UGq%yV^^eo`K z6trd3PG}LZ#8$lql#dH^jYAPi*7g|k`SK>j=@Q3|3TdvWczJ9ZLbAvNZ2Dz&Ls+FO zzU~fr-_mk8W2m2C>S+@}lW)iVsi(?wp>I8PTGHv8@^Vm|Tg6}+SZwlH;lDJp_laAm z1Dkw9V-7L8p1>on$C&+fZ`$|5%=0l&ZOqGF#GW54K)ivHGfFVi#XKnV9P?(Vu%3rS zOg##bF!aN>KP85F$>U9Wx2^WXi10*P^&J(rz1K|=TN>)sT26fqf#AmtEYQ!~{4HV4@6U2IRYv7w$CLzXoIi{|6$M@xa{ks2OCp8Zk zGipymR#665u~@#UDH4*>K0StGD0-8w(W9rsCwEn}$WD3OFU&q+*8E`PKy=TmUVLNh zwc|b`Z%t*qA1yLQU>O#Tv4^~%R(UkIz$6TASURjo(zeC^ff zLXFDi_>N3yI9W@)Z1#1P$jW^t3#hmz9WEz)r4=730d zcY{)gPU$>!$l=iS->AQ<=YR2z@s9W69pkz30%7g7*IaXc=Uj7r_DtHLBG9Mry%!$g zu^dFCLQ|N1=y=va;7#ZVwQKNyD~NhheT9@U@@u(c-9{s#{T{vVu&ScH*~dW(33rc> zaBkb+dJDT$(laByJkjZnqi(9R_~0Go?`LAJ*i6_Gi9QN05)Cv1Xe6Aoa^ z`mZiA#Yjc0mhSoZ$GuCYyk9Nz=*?9-8~*N~d!2ek50x6 zedpxZBLis!ne6nKwRF}g&clMd|4tVOL;@xhN z9*xTMw$Q7&H`&2M@>4f}FhBV@bT~5Ld!3Qs7@Qd`BMM+*{c=&95<6-PXt0ltCfS31 z(z~P&T3zHVg%y4zEwVu@SP#f<=yJ>bfHI@@QGI}9OghvVK#e-m&$fjzEE}iVDlwM#zxo%4dHyx(bk^@Q&_!QE zlYK~rtekY-2w$yKT=Z0KRy)8ugl2g!1y*G-AAo@M+J>cn_cZK8v;lAJU(b_NGOPJ|5@X%?iH)*t8 zQ8PC;Ehf4gX%4qdzC2FeC-zp*=OLI@o@RKeC`h-*Eku4LeqMJy^XziNYRKHmJUzP9 zVNJLF=I6vMyIlv5*;U;@__DW(x+y&;cni9JJY#%Red{r-rI1g5-M35gY3o|(+5E$e z)vKjP`oApI+ZVnE{1&ViT=TBBrhp|orq3Nh92{;s9NDjEx*aA7MOcD;kep`X=1saq z&#w+cTZ(f&@c|cQ!{>+6%LU3!KSAR?&;_cr)ddTPr|a02&+WZ*>z8vj+rW6f zaC89%QN=Uayj~wXl2iT3>0b@Lu%ePy$f7O$`gnz{ez(@tbw^v(6S%G>mOhmZ7ovE& z7`}mMn+$(jG}~I-Juk&*`<`I39tHh_d$`genA@bcU5A1N0k-=5^=scIyH;*t(boH| z)Qnv2ZF4dv;ufqqq1Yq}9h;gb1Y#0E!6h=)(}l=mvo;z>M9jdk-t1WBXX}Z`f*tGg$d0QT@ zEG@!LPoY9BedoIbTeVjSA5Pi^-BGteBW*gaI?3F)rCeY!_f>p^Bc`r-dsNdz&-4%1 ziv69=iD#N-0UmQsj%LR2`CAVbqZ*bS8{`Z=#^sxy=R3pZ*TXcB1AbG@FI)N-t*S1- z2?s3UuH$k`EZcTnX!iQ{&QL2_X~_v>bQi7$ghnwgq;>++W?|0Of!^|RZ)TN-(~nd0 z(pJ!__S;b(9`K4|rz-ob^W zWd7Gx$G-XDfiNx7WR<>@XHB)wxWZ4?+7Vyi?8)0uotGLQbnL4-n^Pc>U1P+K$R1{= zZ)c9TmmS*dv`rl(GY*vr*sGp9ik~|=TGZ+^k>=w6 z&^~(LVT!k>-r3_azjblL1~K6zy1JV>)Z*Ugv90l$BCgKZTn107ohwHHP!Ks%`40qO zzRc;ACNs(Mw?MNVm8)v~*vgg@_o9L~1Q%yZQ(Jh57e{T2XINOTQgSBB*kIv1^lo1H zlG24hhkyny&xqY98u%{SeW%T=r4pp+_t2lMTZ8I4I;W)>UnA@oj)+#Al``2L;WmA3FHPhE>iumbGuwYVsmR|9r zcEfWck25^;D&_N?7>vY>1S}SoSWr=(PN{X%(ly+)MjUs}i?b!rcY!-JC(E08__EMM zN4;0#)m-^vTL7(f><}p5F>-qET^6FnuGgN$DOUl{&W|PlSoMvnJg!!s(7D;o+Znzt z2BbYo!eve+b%jQh`)d6a35h9C6^6jpj0ym|L?XCYw+b|lqGA3Almd`v2tXZ87BDQ_ zLV_fqC$X_dv{EblS+pWOm8Mkp6b`YU72ywka}7pIS%CbcLv8svN9st40QYY#6)32x z13)WvTvKvCKXE@;*O#t;m*nyQpp`lw&USBMPB%M3EEdqUngfcfy9GuVeg)vO{wJ%8 zM6;QZ}wTkg&FD}b?<8=tpY6pH~7>k|e$<3=xm6PAA9{=4F^i}&qLt^JLs z$Tw94S{6R4+)$c_uqMLvM3;u4a4bso0cAx=1@tCJ6Vq5n+2t{x2Z&&Maxed{3^_If0@g>fy+IJrLuh zp8>g_O0V?1&x5`W1MV;@h;T{%<5}bZ7i$cV$f7RCKW>y3!`$*9+)<=p8WEww_|3YY zVjPFHflqJt)ExHGO*S%zr7dala$L=Fxhwx=eg0Pfg>A~VkK_fg90TDB(&lS_FuY3P z4^Lq6|MUr#K_q@R11?%E$H~U*s{O2Hf&0QdjHou&9#wW7@qdg>N*`opz#Mg}_G5?- z2Bm=_HF3 z%!4KbQueRt_>Bp8549#$Sab+jFTb@&{YQ_h2?gE*m$cM(e-XlmWgrwUHBHjM|5=7<7-B#;x?t5Q0VJM$r@V$R7N*HQ(&N5~ z6apgt(kB~nHF;>O7Kjh5#2l6NE-4T0;aI`{x^c}=lzew1oTw8~INk$sBm@2ZrbAg&4Z8B!-BK-R4rY8uA-gNoQE;Ii|0-45;0)kTr^% z?E3SC|G!plCbB;du<#^Q;zb&>h>$rSFR~Q{FndBO)2{{5OE04}5&wm>7r%ko!#=VC zVFU+2qte4FUi_JSH!yjZi)SM6mr_{|Tu;`JP=rDwWHSEL+LmXt{1?Awk)K8rBLX$3 zzc-o~p8W}I^(wnBr%izfl1epXKc@@;QbC0TBsAmv3qe%>*2d3I-tQ_-KF}Swl7s!N zrJ|7a9|7X~qZ#R81cVn-X%7Q3c}WN6X9EKk*dx733y1Q}%N z9jF0?G6z86=&V;|=>>>|AIDgh8~5zLu}KH^)I%FbWn@j_CHX_UQ|3&(*LFQA3;gkZ;#UK$rF?udBB{; zaocjb08SF!tV}?3Hxem-8o-w=RE@j+Pu-~eHDPJ#>SX}Qnh79TU!DPw)_VZb%5i>? z!w zqf;7EWT27a+ZO;Zib(XgRnDmeh>0L!#781z&JU2=rbpDT$dJegD;$rs=);Ak^pbU~ ze^*vxJ&i^e@%e9}yMH07s+qoXbt3N^d~k9Kf;uC#`6*NLD`VS zpcq;J%BE00RqTm`2Tj+2!hgyp@%Cw1mq>y z(L?_|>dxPh}&yj2-`t^ttKpNE2~>PwV^uvp~cOCCgLyyNR32k*55Z z<4Rt#|3~%%HaVvW&_W4mn3YApbpjayI+BU&ALFv7>Ts?qjg9Lg8^s0o!6a@>*o$XK zWRfC9HNe+77d2X z>?k#XfVtO-=a7qidEEChn!XgsO6 zS}+(6vhBhBw+lySfi2C)e;X?J#2)ZnYo9Bb|BRInjJ03$ilz-E$Kb(TlCJf9jRv+B z-~Vo{|KD$|bjm)+#TC#UTTITPpr4T7>ilyy*;z*l2;+V~ns{rYbO#BxE`upS2J$vRP29o!X`q$cR&M}*zvDGJ(2n#NLI1U@P-Bl&|cScISMPt9U)v1>o z83kR>WkyO>ukFeisyT1nWjlMB5TXIeJnb~)M~q7b<} z=#*N|Ny8I6yT1WS%kzB=6R(WxTkzd>^k!=<^mCLN=5w+mLSGrH7pZ=mDvNWLaJ}Mk z-CL-E${7&YZ6rS6Qxl)LfgeAVPyEmUNrXF1kl2>R4PXsn(Ms<0zWFsUZeikt_UI0F z!aquG3PE5d`{Ssm$y5iQ`^~ZtJ%s%(Bk`s&Dc4Nd*DfxaxA-h0K7i0uG_kIGA9m`o z;>Q&sAi(mX@Mgnt+;KUMuU(^OS(wh-XT0kQPk)&?#o1E~2}9QAJgh@#H{}z65Cxt^ zADLuu+8;`LDwKIMrIv;INe+`iX{bO61iM0V9ik3H! z2NG~E0NcW3=1BZqeS*-n*Ot%)9=lcCL&JwsA^-FWzRjHYrK1v3${~2#zHSm z#k-Cdz5@fz)neQybqV4vWj}=Q3DxjuXEg{b5);O*H~T^T`ouqctKI}$6eBZVaytB_ zvP?ge6JYCT_XQmCYFw#eF;B!|RALs8!+@PC&6 z`gQ5OL_^JEqLr$F-ELfCcYm=a)5y?ijqNALbBr@mO9-;z0fwdF=vZXoj}Ude5pY68 z5GmvRw5}2T$q|0B4-%@f;;5mSG@c3N=Z{F9JB>Km0{;y9K6mkG8sYUGKJpUW;vM1L z`sw3gGh5BEB9WOY19rrl;KozPlh7yo)>COY`^a6t*2I5&D~bP7`YQ5_pSdv?V!}o- zcUx>W5s_d!8a6YcWR`=Yas|$fb(VSONPF;8=_a1M3zV99(h&)2TQWQZa3CqcG<|Ni{PVSM?35iFwdhfM`JnVJ^Fe zX#$N+F?bnAL@z@l=UjOmFQ2zd;h4p-tL>L@cDG}wkFnyxH(p<#_@?FE?`%RrS<}T4 zXGO8Mj-jzyX`T4)YndH9{Vvtptb}BqiEk;GXbtWfU(eGBOz*8$F3C`Qp|e>*8bm4! zH2HCWllaoze|+FN<2%3pTtu8zL`&geE{OqNm?Sshl#>{H5#1|~XfwWy+|;B(lS{gg z$2vt@)_lJ&8pwVV+r&SvDzsJgmhkua`SQ6>e1xCj$VqA-?hYZU7-|!P)(?8@XmdY- z4x~PAoo3q^15f+2+I+gHX{cX@Oys&xrt|u4_vzbi2U4_XoERScZ?_=XvTc`~iZ;n+ z%TKMNiBd?nd?h@!6Fwg0?>$h3h3)$n`;L{oZ4)9zj5z9KVs(jYypWvn8U+HMbh0r!2GKD%4gFiX*UoFEt+D}sSqu?G#mMYZbpv3T#}&X2ky)F z+#L2;cZ2wA1P_)aLe_~8(b=80b!FaV*06QSp+g)(k>&0hrg3LO$7H~Q6D-gGCB|1B zN4b%@FmjKK*x0F)UeZC%>odZE$988gMRLXkiB3 z<=Z-rvgy_-UwrpL{{^A1?l%yYt@949SFxcVBP<=Fu8u==cY8eVBuu!5_WSu9x8k{K z806cf`GwUR2K#w><-hTUu%JfojiC(gSr zSXA}6Fk^J}!!7Aak&o+H;*P7;u5`+{M%_o@xz2DElIc#3#+&UB%8jr+6B~Pa!VvJB z)q#`Of$I!WOg)ITmYR#W-sm*D>6Av4&@?Isw1_30fCFPEFu4GQvo|$e>LFF&JXc|n zN|W(M&d9GjcERk0DPO_a<{Iru7f&@5E!>;m9}{SDr%^j&oN%Mnt}B<`HNMA>y-fYu z=aRFwV@n$ZOBf`lH7Y%cDsa4=haXJaPm&qqW$8#|X5I3;DxH<}HY~e|>tpfMd2P4d5-s%e z5}`CE9h-&NH7B9Y!RVsO#}#dc_wC@UwENHOi;QW}k8WjnWhM23OMl_9iD2w9o3pyt z-}?thhT2%=O_o-POlx??5N~g(-jUQh+7O-YUwNiFmhYcyjr2L6{XWbbU%h7!=Q}{> zSz`wci8sM76KV{tdhibFrL$9KnskvkMVR-QrL^JvvQ&Er?v`xaJ_q7&S_3mP4Uc37 z9jEfIqVgGH5_uv^V<|O|nKIukejqQO;x|+|Q}eR8dSBmvOhPl`L@g$h-mDk)O7n|A z_ak0I(}dnfDF?Oc2iZ)^O%NRZ#nFrBz8dWD!@5LSa465Mg1JoTIiQIrcY7#xK%Xq0Ys3vOYBN*J?3brK@oAutjH&|Zzxq<#7lSl1 zD>*bT8uDiVf$ayLr*Or*WRR(Y1cvfh>sJ z2laW0{qrb(WA_Rl$2@HbhC`=cCc!^8YPFIU4`bmvQxHF-b2g~f)YUrIm#v$l1?M1j zxynfXI5m>6ADqks+eMqMFC~t>ORnp2$_-YsRl4aEO72*!&wXdANqS|EyQ~Yd(TA$q zwzE$X4})(us4D}8PKUhSBeEdHp<*HaXmL^RZ6CjN^g7`{VpH`FITte~n*~LRvgmGr zQct`tPAN2TZ3a&()iZTEH09uuU7w>(1cDhisqV)-8!ynfcJz)@T-?QbO9+TfbJbrj2 zmsgizH0ij4#=iPO`rGXz&xp0=K_W`t z3eQ`-Ek>3+Jks-Dl((Ipjd!t`{g;tUj%C$zRPAn>j{`4MA+R|1kCy261Q_RUUQZwE zwxv(>a-iV>RQ$`nT}!J`2QKkxCn|6iM*G6u-M4uj-A0}0|8@U&lQ_g$# zd1M=X)JGgwmBQ2|4S-)4wX!PS(SNU3^7&H7cBZMm``zT#kgcrghD%#C;e@wV`G@5_ z?u;{c&q|>Qc#mApfsz7u$E9zp^^G{ge=LBM`(pwfD(NzH=mg^gwdXZoNOOgw#BrNw(A{hwY5R6KwAu30;q**JS3f2XFzYiyrE3;x^|!7?fZQ5JtQ}Q z9e!JU^^D2#XHHO?q$lo0k0l>OS|}jW>RcLkxAXPZqsAlLyG8?OM?Ur|bu=TFrL5bI zVkSB(9~~OG(_!(;m$=!bw~c(!B2=V3*u>ekWj6mtlP7q{vljR3mpP=vv?=MVlHG;t zU{a{G7}Qo@c>R(>;M)Bx+Z%o$oF+jyxDLOV9sDrA6KE?xM4H~*_4A*LqQ^$zu@k%; zSm*ep-;Ohzq@b7kntQWXhpu=b$m~+V5{_}y0BL4%fvF2RYK@Iu_gT|}9afTeHAOM? zcj{ddTnHuTdaPJIZTJZX>6ddG?NHl7----pWTETH7G$5J<3-y~USB~t&X<&T@9vHk z+|-)X-;_59%(i;=jA#I+wZ7f({UYi1ufm(!s+toEbAWq*7uKW zzkw}m>dQ`#=U#Iuk)-g0JeMHx`uq?!38|xc*O9G)@XFDld5O_m25~;z6B}4DxVfLu z#3)aV7Bye`zRv^ibCpn=K(UsuF|SVpl5S-3sq}D$c1dm_upUD zE>*RMZkT;{2TqZg6u+{I;Ib=ibx&p~P*twaG^Jvc>&O|Q1vKy5FGcPT_ZH@EIbWTf zUT@#IpYb)GxUlhY7|hWmk*i)b7++si1|ndw`X?pB$!*XZ8dw7wBFfT=+=M=j`ZoIb#sB? zOnf&es<{GIw1H$8xH6}< z&PQZ$p_ctg z#pVU|jr_3c5w|&<(2w4E@Qs<_u&wn1&l!wed`Au!qvD3MxY(l0(g8DsryEL+j#-;R zj%>uS%w{N8GHm(PE(>f|6a10x-R|>17HBbaUT>Q6yKUOKDnH_bRXUNHE0I!J414(~ zn=6`cfGMLLME$@kb&CLVHj=irJrlQ5@O!ar)?|w_Tt$(8(dvv&bhq6NWXu9NdaLPk z?#JsmwFh6TrzTXqnd8M=j9X>c&u!Lwz9(FG_{oomZA-?)FMa;fhz(uWE6ioN7fE({ zWx91Q!B^DL;q4J)B^kGrWlDYW;q5reTziS^hpLRHc%N6@JU^BoV1q9j!NohKd}0iq zx=#gNVlDLKFz=L~2A|hFFHh^@vPu3tFI$rk;&Goj@oY_sG8k*HU7i6hP5|liDzvy(dAxnbPMWayZnRcL}WbklpNKSA3DKV?KWuyDV5gWKeMcJoZn)rGWl zpA)KZMsSCW9cgnyxa!Yi1{yG)?JYgQ?!ca$%Jf|>S|Fkk~{qsy? z{mv4k1>2`+(Zp|XJ!oCnB!H)FgjA9=mbZt$ciB3UTMgXo5W$yvI6QSeJVSS~*q?#9XzJn@grgSgYZu5CKwYo`nEOw#2*1bsWZ^}&DK|3u=y4^ACHAJ7vKk;PM;&>diJtma<0AQFr?}AZiWZumdRrZazzlm< zz%{Be~4V24C-iz35H@r4#On zcDkb8VDmu26IIW?LxrZ_)W7C4J`$;}vD`uNP}59-(M-)L7_`OE#CTjMFkew|p{2d) zv02L=@HouB*yCl^_5I>ON+b^NB%BMd;r3 z3X3S`EiaAK;c);R*Bi+t6ZZP1Dp2hoqNc#x)1+l9LwRXO!YO8CZJuBneRmhFv|DcX` z9=P#ghjH7hfRRP)uyI;f>S>G7J>^nmrb>wh4<-Eh0`;r}q-)f|rq_x<@Fw;R|H;}V z2TMjh-fiIpf6tNl9A`?%i)DLjmdQNKl3>(o|Da*KXa3HC#ncndco9t_sAI@(Z?1+i z6K&oPJSS(tt9;zVxwOVAc0JA>G<-O`gK_%a<>-d*azJItkBZxLcfsL{dPt=baScO} zT=s1uV!6z6ldep+&QZuk!`nICo$_xbR=ne%q=kQ+P%bjnD|^&u(7fptz-``e?QeX) zTArNoz9Fehp*?6pl}zH@wcN|E z{mf>h9AC!ohY1;HJ@S`ClRh7so&B`2!kO_IXV9TETEuj3B#$++a3y@BEmH+bvcVo-Yrt^CXj0SzE+v1rUNI0@?@>oDl|7)}* z>?GnOaBD7b*ezgO_M~OSJOj^a{B<$BcbbXCJqqt>{>%=noBraDx-fXSPI=v45>8obQ9YjW zs9(i(KN4Zs57D4czj{;dQ;i(B(>ekxsz~n)%|3>-V*INsu8E19V*W%bYZ7*Vvq)&i zci@R>nOqd-$~KaZ&dG0)qmCMuahzbtU)>mIv>3j-nPChuSQYYxci(h;EQ4i*z=WPK z)~}>dKHcyq9nO=6{1BT|^VnJRNwsfI55nr{iBg)EIUeNltAP?;b#Q&%c=ouFA`ROh z=D^(o%okLd?q5)LRxH$iTB6-u$u3{yZe@n_Fn?TU!ijG6$%sxzVbG@{YBMK~j>4}SPYa{Y`nkhcpVHBfn3{AmPkGS~ zAL>;E{GC>$0aYnH3-@$Nlo(5HDaChq6Ld*9?}0`AGQq);mVvJ>J?n7CPy>HHxnJ4W z;iU>HM*~Saz~$n|Ql4RuDa}(2#;sO%KaAsr2^R{sc;1{6BvAapm%SzYOn#yXKO^H~VzWcuuZ9gj zR_4O2C>3qISEGsWxnh*=lo392ihVy`GCoAzad)bxpqaEjVh9)dO ze_5Of1uJew44>w2{`gAaB}DvjC9oG>hGoUtl#VXp$;&Yj#kE^~s%p_?&>Mg_S9CUF zDra{<&PoZ8j7}?BfUx23{58LsmI_L1FJ^d^>b!BWI^}v&h|sGW&fs`7!~b4dH0BA6 zG-)PKS3j__$_OnUHSGSo7u_rAHdbTNmD^^J_FN=3v9;LM?-PzIp)qD2ydk%N_9FSwrdpXD^mMwyZi6uIn5NZrg#;Xb=7JXb z1tc&gCob+rCQn*kLP`1V>IxrM=C{L?Y_Yy+kY{jt#COl$Egv0j-gI6szNBb_K`xP> z%VW#iE<;Y1fp32ZA6v0F@rA!uZj58vt88F#$@N^-ISWO+;qMNgwr#4`6L6@)pkqjG ze%q{gI+QozbZ|xO$*h+zx;ZmDqe)@|0h3Hr-qAV>yQSe|dVJPUOOd#?hPt2LZ9DAX zmv4#p^@7JXk&+UeHP<*7n-!FLj#yIbrn3!e zNJX85UB85gL+=Z2fF#aV?8{k74|zIH^RUv^D<%W%J*44`CK37iC>2!58b@82neYyn zqRK0e?|MfP)9xM?8q7cav-Jer%tXjyM#%aqt%TJvQ*;9Q)f!pNz=%rFS3m>vwp6mL z*=C1}can$q>md)CnPf(7mEekpHD)ptaoJI&+VP}?xFvLSx4*HbLQrgei$>>M70fbm ze|gAQTfpHNcFVDK!=o^)a*&2Xo?Ny?$wHgnf%?1^mn2`YRnlp~+Cqq_=8!Ha_RXzx zy{zbSO8<RjgcG_Go@!RJKrHEfnk-P3sKIL=Q z_BWIikfugYl8t~cT~PNt(n?UyAgYKY0)OUERJ|-s4q}QD=p60CMgvi31(QYbuH$DL zAdL*S9l%ZMkoz3q>}FA8j$l2DBpNNB(&XTT>q+JTvCWqUv0sGFrn487j~oB zQipCoMY@_T*sAtnnr5MP+%hArv!I34& z$L&s*Aw)V6ThU2!V+%6*k}m*;5;v(B1~ZFlWY1&km#ohDzjuSHjnZeoGg~g!r(`Z# z5awU|LaOjYH0A(Jt28R|_neJ0QlSr>t8T`R_cA7uMZG~5*oe?+#k+M1E2eDFMZYh7 zYeR?v*)4{%mwgpqW6$$wJhjs@w=j|obPj?DL<|+zbnVXYz(kN^+kEj58-!00RL)A% zJ6lh}^7~6pglmu zM=0|Qui0?B1g};n>T7=YH`zCRLP`f777eG9ocKtPTzX+3_cee0)s^UgNV1#K?fQD| zC*xvs4udOs!d}WzttaP3)ZJQ6W?U?Uf8L^dauvq$L9+q zzxbYby218OgR>wZ!JR3+{2Szms(58`Yf zg6HYowY{f#!!+q7-_{fBb&4atUQOEsGA=kMXRdK2DN^r)^PyOJrWW;j$|k9J>)&qG z19P6^HR<9`pa0Qf)g=92x2yJ<82Gufs=e)#8^PgPuAX7e_3v5CTWAV0-uJw@=ND@? z5VL*R7CGi9sB;rh=3HwE5;p1`#-XhxP;clAikyn*X=5@{Q= zXYTGEZ29GlLhOcxo=`yU$QV*VrTsIjs+LWm;O`J+s6FkK40*X~ofF}Q=3DFIg&Ain z+Vu@GYj)x--Z*|oN9v!OTD4vs?AN^0&-9Pv-lgK%HlBJlm3a1h3SgFU#j4q|CMnEO(i!tC+9H_9pB6XikP6R}?kqW6LzLIXZogjoWvN z`0W%hq2OI!e*)sukfwe9Gk>+(i}EU`f4a=of}H#uZkcQmlSuGg7g$!6ZxB{z-Et}*odNTxp-)$*{& zM;qQ(61(q_j>>kD@{5!S7Hb1NSsb= zcN**9^@EmFkD>{!$eRJL-z0jU@jIKpaaGwXJdG+H=cqV0X}XWeZG2U9oE5W@d|V=P z%Z4U;b&-5lmzF|IVe!ISQq|_2(%lo?fKN|YatA*S;7mzLe1J6*JY$;SFV8W*FZ0>e z8%>yJdf(QomhOE7wm}F5jR{LGH6v!<%roDa!0lppwSF|)$#jGc$c2vBa`HUSeRQ=xL>Fe93TlIbL zWqfaUFPNU8hn#PsJio<)2Zf!qsA~mrDEMu$c|_|Y34&Li);}m+JmfM3MR%gg?Ue^% z4KVs#1Mfs!c*`n}pjhv6bUviQ{++-)>Y@+k)T3G3Va>WlkM!bY969yTLue4GM5Vo+ zMLltG({^SOl*>4|zo(alprVafS3 zJj-g%K18LO&0lTq&?L`X@wOWgWtp;-%CCsk5BV)I*-QDzqU5+z3V4zuX8oH+WaKlF z(=8R`U`F-}H}#hnhv=r7OyN7ZII^FE8jW%;1vZ?m_N4oq;-@afxyYL6Tq9zQ@~w_l z8p$)~h1-o>C-_P8$D-g{-!-jDeve^T5Z&4hGZ7*Y4O?ko2cHe4-jClRX2u#3x~GJK zutzK=NvH18lon>b3!hnpFC1dQbn5!^*qaEH%O!j?D8LDBW>*(NSI1T6iItIV1{OF+ zNLQuyUavR^fdVaZ$P+>%y#*U^N$$->f@c)sX4Ad%DFimeww-CB_WR(S2z2CyF@L** zVT;7UoiRQG#HEkJCn*k1I{rRlW3B23Le-8Dd|=sG8JW;li&P7w*2r}C-UKb{=9Ojf z;1(wbhyg_Zj@hX#hi`h6yEm$0&Bscf|1|7put4XIzF77Zca(UE`?Dk?tnLcU>lviM zs|+pE!BHmx*<9oTlS}DiIp?u7;S_Q7Ox?Giv?b-aBT16dUTrRx)!%%iBXl{mYhv?B z88m5MkM{MR`zo`I9`Sj4E7#B#KgT`hw|)LVSSHaLRk_23Xc{IIe2D?HT^zR%HoeTu z5XJk2uYVYwk$an_F~PnxDb4XtpR{_v@Pd#}YFaZ;sDFA-aI@8|4v!D)a5op>m}NQQ zVdd86X|s{EI(RZ3i(?}!N*pX>O(%O-#QuOZ;>7_ zEG3{I>ze}DR&`?%oa&S%Z{f|Y40qddkAQ4)<4D%FL(n(|t*{S_l%{0*T4%XM z71N0rRaimY|3Y`0i*OO`(a#}*r3}>J3^KxxRz5Nnv1)h zP58ddJr`E=<+2VH^|AeQ+Z6_Kky-rAtxIo3%GhHq%sXnQ0v}&w#yM4@z<9_=C?Mv3 zjNhp>Ji^vPT*22g172p7f=&AB3%Vw}&2dq4UK_KzGAaj?)yBAs&hzLT`)|9q!IEi( z-73@O0iOgL&WakE*iNumKdc*~6?`!3WysRk=1d6cKZqi>(&~rLvQ0W1S%aD{9zP*_ z^n~mM#S@te*e+>=TTy~l(Au;cBXjE&YEs=y z)1CVaAmAX!v5~erYLdA31zqYIq#AqMKbFVb&(`1)l!bU&iz4|5RR_D$x$Ba~Y{RfF z%m7!h@+y8gOQ1@srO;@~f}pJDF}l+!OlY?fWcyZGgK*p@3Nme!an?CZ#`2^=ml@iw!up($owlqh@t#<)MRgWm=;>&- zfAiV1vF&>^`pB1(-bGc1M544786%dTiSn_uQStZ;t~8Oysh!Ejx1-}e*RhcQEV_4y zn7Gx%KX^r2xHu$f0RSB_yuZsFvpNf$K<(OH@!AZ4ipW~OclffQS~$kc6x53Hmt}V9 zY-7--mkD{~%>pZdiwUWGgKg;P4`b$Q{NS5Ctu4-bhh22I&MsW$KPuQn;-%m?u#RE)Y2cdc;w_o|2c zS&`sjr1dHTD_xAurcGV?y|t}M%~HrQ6p><{)9dd?B4OB4>Ypd8#O)VjhFK_{d+k)8 zWE>O#EeRj;#(en0MSuG4IGES*UXB4iZdZ=Z#N?KFwyqG?#l`3kf2Eeay;WjUs!8O z(=LEtUV34odo9iK;^#myK=gq^R0SlR!a|Gcp4oZ*DTgvE)!1467d!L-ol(QUtbfX5cPgH3!4$T;4`Ow82Vsy`X+)3i zPnQDMgX(U^JSXe6wY*yb@dt-V-k~;N)t0z{^*5w%(zP6zKbdnWkT6BW4I$}%U}ou5 zP`NvDkTwNXC-aZ7!tFU9S6EIVR3QQXI)zBUZ^L z$FSkgxxdN|aPA*w_#3GV4zi?*nDhNCuK^zqRdUA?xr`M#YAMj{Z03fF$)^nqnkR9+~P zJQ0vMToD%~)Xc1aPR_UdQjRKb!qi;@)1B}g-?&{QI?oqwIo^`6fL-ro?ef_XZcfBs z*M)Lzk`waxea}K8(PFU!oj&QJZS9bJtsin{2Qd~(v4}VMz58pb59LID`v0)^)BZ{@X+`h$_?g8+#Rkm~EcafMp5!ri9AR*YFoOzBy|DdDIoS;7)i+muHDY9J zY?s5Q*BHZL;SJ0)spepO$io5I5qy4L_ecUyvU(vH-kh>~i^%})PP&-<#Yb9}2Pvi% zHy5~@cl)W2*w^0a&EcsNEx(Co`6h+}6)3Asc?wn>Y3((sL)9VBFV`NX1l`vH#gi3R zs`j5YF2oIzh~X1O59ruv!Uk#?`X-5L7cUj%ePxHV1!s$3NtO1Ab4!HuS;HcU5ZXI4IjQeh)}TFJS~+qJMWr%Y=!=daRx;6t2gzJPOUc!|BOPp*$w0l*g*CW1H?y4YDatJdWNTt z2$%Ow=`s8M?+fL_z%65g9Y^Y+m*N%YKQ}XF(`;miJkmviVUC4UD&?x4i8@M!S{~DD zXIosuYy*{g6U%3BKl>O>r#`h=3>SqMep@EN0=)t0AU?k26DUJbgX!3WY9|!sPhS^m zkN)FNKkm2p|8+Qy0gf(xa`*8i3EKl;lK<#z)bGoh!)^>X*Nm}9&P{T--?oaT$SL9F zmsS*9aL4(4Fa$6@GAhqqG8)3cPx=E8&@c{Pe5eHVzH>7=R!gm2(%ucL80l3Jy^a9p z*PB$$G@sa;hN&Q1xCfyUQJJIps}t=q{UuDhi!WQ8@ml)0B$UVHGuiiyX$m?Fm$_d3 z*eDm5Y$l4XrYSmlKeVvKuH7ew)xFywAtX_JOC57;-tjATbGtxJf!&YIKwK)r89Gww zoVARqHRw>MH8kJcKdnF9{Gg`aW;g=>)W?Fc>|-~6W;DiPq@GH7p7qiMImIN95@nl7 zZodmA_2^L<yS=(isH+-D0}Y) zc*RqJ(uHuuh7UhzSWVgH_ALwgg3KA$8hPVgaKEBxsGasHzuo1epvq!XGYhPyscdl~IM@q)W<$E8a>awE^JWRo#*O1ZZD zG>L#iJ>r=m1)?p#cN;iaYFySVyX4Rx$N@{M_G-WSF~=x<#Y?ctc(PM2&r`cnliqA* zL*@5%Hxb88`^RxEJ+`yZ`S-aTY9vzc(4I2yCaMf?>KG&s^emi-IqSwIEjgLvZ29!r z1Wg1p60t-+?Do=Rq;2*GtQ7wm%z>Yh6q(XMjA2`IPGixmJo9;W8`KMyO$8svVRU0U zj_41}1Pm$`Gr2>f1DXqvF;;`Bb zc{8Nm`cd!5HEeGLSfPD}@_*m(k<{$zj6Pqm%PuKSv^X|3pGJy(-Y>V93H zQa8hWqh14>a$mX<6yVuOQ6bijUrI5>dOz=?U*5~?VSKHqDR{$Eb8p>bO_8PCo5n_c zfiP>y9gw2x)~MQNI##`+XoF^WC8|qJsm;Gq*i>C=RAIPD3fysiTmRrihU7Jc013y} zml^j1MB>UGu6OHoeGj|)jAza6CpKI(Ji9X=)j`c_Q!<;xSMxuAe*-2WJl+PG{*3-r zyzpooL>`cuM4lOR14|B?Fuiv?$|Kjhu`I@<+LleM*AStH0zJ^u51L-eJugeLMg*%io<9LhjhS?p)iVjsY9d4o{;?!3GausaS9wMFE#svaC4otU_E^HQ<~J z8xUgta!!i7B~loa>=Eybc;3GqPa@Er9jp7$E#B-+qYAAj+pAQ0j zUx{>OeiX!>&uAuA2PTjS*Oum3h^z(pv=`8*5iHyvDJ~K!((T?)qjPS?wtk$A!shTUwiq^!Ndx_tS<& zm7m>IUL7mflDGgyQ%T}k7ll$R?x+n!(-4L%K=S=U{4}Jy{qotE*paAlut+YT@>2Us zd)zGbWn`V(VZljk)>w|*e&bQQ;wh$%h^I`6c&62jLow;uP*dV&`-dSn7sC@0wi941N zeXH={x@c>}ETqUIlYdKd-!xSEUY!k(Qmo*Rl|CB`Hk0RISpKC*qq8u zVlm#l+WjGJD{QZx^|&2yGM^h))HBBBI$8wIs&yYy-G9s^{(Dq~^EK#;eIk~kb`{Wp zHeXyc7BQG{4p@_8;XAX@m))F%Y(DG$jd3JhC<*2~^$AmsnK_s1d~^7blBe3h2ygdc z!D8Yu|# zm%np)U4oTKR0mhgi=x`2v`?8Fp)Q~90??_DC%7bgf(^7L6f@?W#RsdCXvLQc9HEJL zFXtBpA!HVS*C$oJ6`(AOc^6&#^dsDHBTsJMD|~YYDp^xo&ygA$%J;BLw#hw?FQqZm zz|7QF8z)V#OX}4ZbBc-$d;i$%@8<2!IzY%9HSPzkD%1=5*!$rtk!N$vv7efFBW*(@ zrxK;~C%#p0Mrgswr*F@Bi|nj9oC!tg7ms$x2F-wC=jC{_Y3D9A1k446%-XHP`=#@j zGi4Cs!_&`FuELMR1;!a}p3VmM;n(D#M5$Jom}3Cqmg-Q3X=u38IBH@fTj=2~Pfabz zS9~`CNF|UukSZF=P%kuFSDhh1VSMY;;|>?JE4zL zke=fcc-EL7O($f2cLF_q{*qS-m>1D({lJWeT5?UU2P$>v2vMMKW||cGb8^#{!;eWI z?u*;ma5Ax&|MjTeK$;@tvHs+l8p1_U#tDaKvyQ}fLIrRM z6uey~y(XKgdR(jF>{@AT4GA+Y($J`O7^-Ll@qXjDrwn5{{`IloTtmfG=rJcB zflJ=e`*{yVpJOvkY}#`c_vNZcyW8%ElgAhLs+WjWUdpXNQ(J)uxX3xTQY8~&rJqOV z_ON}`MK>yJkgEbbcdJlQ6Fr;nDUzwb>wv$!D(VhVvG+@U#XfSIrHQHZGH>cwZN9|J zFX=@~6;9CgQvL3FPMlsODzgfA-U;}1?xvV+KGJRp~+p123c z#VD4RJM5ywd;pEWFePVwUhESTH2Jmb6HUPPes@}!WSm+}hL<$yh2Z3;7Nr7Vm2=UK zSdBF{PM=un3zmWD{hdU}4U_rEMK6f8qv4B$zqzm}eJ0NPT9o%G?WxmG(H<7I8{N~* zmG7ID1o`5A>=40G=H1LDS5viqpK_0+;byvo7Zfwq8TCE_0$&lAI`iy2=%QF}HUTFJ z>&mV^J@fQwWKyNJR5lsWc?&xwG?`&qR=j!}gaIAD6UQ}+x;fE8$K?c83v5V&TQ&it5qpKu7h&-|D>WvkttDB1tOLsAL7O|rU2=Ch$ zV%OY%8lkc8iwtlRk)6>7>b>YT+63ZHT1l{KXq>pbt`NSCKs)|^Wf>i$E@%g z_YQ+ORmtJLeu1dTO0kMntLXEDC5?^B$%rd#NV0&*GJ*KoisYJL5kx}I*7v69 z1HZI#vn$>}2ZMgK<0ACe>KPRnl@zxES4kCmIgn*|8E@~q5R#lWKp32HjbAblTSYKR zSeazvORxrP|6MVd@XNQm&*V-d`%iF9g5}Zaja}Vi&FC>KK6jhVJFARbap$CVkp-jh zO?0Az4p(c3oLK?Uavp27UQO1I7nw6`kAidu zgR;9m6W4lgFHB5&M}kw0Lk6~zS+YBx5`EgtKXhoZ6#dFbAZ;r^zutn%TtQ{+Y*I&3 z#bo6PfViXF;eD4cJldeIz-Alh7FXsyMxVN(6WH0vZeO0-4rEDhZOtfC;}sUe)cisn zAD3lT2DZI{yl`Ka#wyLX*Yuw6aMFJ72k^T;l5#gae|ReRoy_F? z6k)DVE7=?y4LhPX%^ckU$8O~$HI)nP#DT@lpR2sPBB#A~f@Z*H-sRGIHW}5L8ETHG z{tQbPKz?}~73Tq$v>51b&3h;c5HaD47WT@_i598>7J|-A;oDmYmfMuaO;pYijtQuc zeYQ-ma2<+wDYXUt6L)Uxiw3Ol99_u(yDGe>7PsWwvoUsfE8$++h7C3#fW`(0} zYI8&*+%vpVJjVIPvS(#mrustzIj`8Ip&fS1WA65NVDikauVBDdIi3v=JKwT-QxShk zlG8@V@9N8DjLb2W8vP{yk3H;CHsC}VTk<>3+s?)Dtt?#88P%RZ^~Q*OJ-8f16OlJ? znU;p+HoJMWO%S-@A=)s250ezX7_!}QW9Q$DccFxz^CAO(LBFm0hB8)!rW5fQu+C9d zrEQ@bU^@aupal^;6jqjjbimU{n%*&Jk5-63nQ8vi)*t^NfQ*<7_-G)Wc1@5xQk0B#|cy7Pmd-y_i z_W9%5H3^YKK@Y1c)8$B@!70(E!}k!N#!Wo_v+`jo;JUSnFUcWnPGQkpm$4BKLO{=9 zTEch|S3Un;zg#LYfhfvhhRmx8k4u2e9ic8wU&+zK#YX|7X0~#8^#V=E;KNe=j{}if zq+m)^(u3`2DaS-%GpE_Ua#^5#hB=%1n#!QAlyAw*vo|W>!I?gn&fzk>RDrCy(PLp> z@9!lq_+&k(Sw=#W1-0;4Q<+oDxNe=K*q@+PR3 zupdC%7~6M1j|Y2eG;Mid_3*B|zbCq<(zvsfftG@@;k-yguNVW3^Wk47ZL|O&2`VSA z3YDK7p+vQQ?i5;nDBvqR&2>D354GHEH2o1t=KP$TP{HRYlYGc=`vtKYV!*(xJIk2- zaMfl4C`$RBC092opk|jZQ~Yv4n^1O*X_JD_ub`IOa?PuQWCfKoTo}45t2%y4XosIK zzO+h1X`js{Fe_ui9e@fdy4iXXb@PIjZ0+QQ{u0yx=fG)o#>V|}kG;(+8&W1(}&%6M>u0?QDLS{`!l04CZr4H ziu~~bJ=VM?+_XgcH13feF2|nFr&YSvsoj;5jIsljMkS!y+BU#nSy6uyqkM_~WP9>Sl!Nz*_diynJIk8#AYXB#a>%&jBt=7zjKd#*}EI^FQnG4^a4{vzZwJ_743% zH>sz?xDwzur|zl5PPew?x#8Ia7+XvP&l@lUxQX8o#Ejee>jgGH>L(rmKHRoXS|NoV zbzx!kKA!176M7*5#QvN2QL!z8=#VA62W#P$=myNVZD`ux+5~VWo}!=d@FirtBMG|U z2*)A(`xx}6ZIeVhihF?VhsyhUiW*f88kGnJ>aPOS9`{n^u4lETdA$QtSEyT@uBnAY zI`%7~-I}GKGh8$=p*>hTc-OYT5kf?tBKF5wzldrc)4_sJbo%S_G2LJHAOzjHs|JlT z9M!*2*AyyoB>di@Dm4=0$fNDQ z`=I8C{m1Z5kL%+cs-aAw0F{l-4Or;09iF}wWb7&i$ck&9vP)ooPWR`Qu>VsvWg1=R zy*qR+pU&@dI{^xZZM;A=7{MO@>LDQfk92q=Q4V~z6!Hy??Glxyxt{T`U@RbFj)gS0 z#`}Yc*{fwr%nlNXTijvxKCzfZxgpV?)PI%vKoKmP0+UYsQ;;wm7o(5S|LjG|WvCWv z&W!$OSwn(_s6Z}iZht&qQ}B! zabKG`l_K1W8o;wCv+>%OOB_^#w)`Jmtzgava^lCZWj+Lcm!nI||HYTn-3=trRaN<= z*ujSr%;0}T60JF=&(Io|8T3W`-)x$XE8$nn>jWdh{HA~+qVq8!7m7dLqXnpZsh+{t z&o!R7m;nx|F!~#?=X~+wem3L(enK!{kF++UZSYk=oyy$HwVRMpME)*#kJJ3htd#|MeVd4gJ9|C;a&;edW3sYX5<=ltALX%h zyLn9WFKVLUd`v~{TzQh7YYDnW%n<`d0VJ`@-*EegL_%EK4|O{%N;U{$pt6wCk!ww% zD4~J68OvGP|A6qXz>+_k-wDIMoeZm&bQlBn1|9Q*%99wmFDACQ*>^wrQ59vm);zQ; zUwrsCk5arsyDSRjA(ML$@PtIdTh$~Rhwv{3%r3ym&MGb1lQxmaeuaaIi%Wg~(OWsdOzIb9MK_i9eVyT5sHh zC;M)Lh6TEW{k~BB8OZ<9N5bwg%D-v1&ZPF>UyA9kum-vhSQu|4I39e&#Qm?o|NZp8 zZDX`B+${ZJ8%rnOEGEBs8?adeaq#~IlK!%?OVIgYqA+2rh-Bn{DEz;l{LgK%EZQGX ziz;08pF!=PnFnAJqXv(`jjQ^15cl8I_}|+f&(Tr2D$)f16<7V$`x6ONN4UL=(vSb^ zp#SHgNo1S+na|@tAml#*%D-0UJsPSbCb~G{cmLAi|8>#+n_&io|5*&_iT{kT{%<5bl3sy?;3F&*uDRtNw4|o z_K#Nm2afzNFzK&H|G*Ix8UDd>{|)Z_H#+(M102y;ez1lo4v?qydpjYaoudNI+W^?J zP|XdHSs??OT~91&)y{T4HT{I!Kldi8t5+)24JA9HxY%Y&+TLo-%-$=c{IN{p*S^`U zcAWGGbI6_p<`EcubA#!7QF81ml$IYFy6oC%w`#re)1qnJg&@E%V>4#ed8JKKxc9Iz zrde9k1-GDL$j|@Pvv73-i4ce2!LU6CvAiH`!qKlFaTSIZ#|Qc=uHcKeJbWq?DyFR; z{68&Q5pxX?f!t#VsYNBJUO4r-iU9&sk+ubgAd$pS)UC5+o~%wn8kMG92P|4aEH3-oVmB!d;GD^+54K# ztkcyvyxMJ$VqrzABkz5RTVcW(tTnd4r;m-y7q-OzALr@`a?}ZLN;{OH@!w`r)R(H4 zj+X*S))$VG%w#h$^!2zBKa1a@trxIPAFBO#Dl~xNkK^PExt=qMI80WTzL0U&@!qL$ zQ#R_>ri5;<=`Wc;C-eoebEbFd)wY|~JDFU(3~K|e(=zIJa}VMzJ7()+%Uh243cov? zVcf2z35*1ih0CyP8ue*3T|vr*-aG;h-kFf-pD*4-ffJ?*4f0Fwy}gzk6U3b!^V3fE zdR!tGBuc0PE^e*zQ9;@Xsp7lm^Pcw|X#?A#iT?EW7dUqMRuuG>*5ihHJ>5M+Z;nBH z<0VMiyzMt{hh&2QbRWQ&z_82aU9TU$UhGy(}8b-($e}73d zw_*Q)fo~)dmq%|?^X=HkM!O9Savp=;WKEXiWIrHHd+GyveaJk)CNb4qGI5ZPy@gvb zNEoaznQ@or!Qcx#6~5XLNE-cFS&RYT=!v)>^K3mFF<)7|v+BRsvbW2wJg*RYXQg=I+$wLs$ro9&6JlS-&4h-u=^_tySdt^vlch$FvtP=Rkz`W*KHiR^0s~SnZw(6_Zd#A6`)RA`Jx7T8l|HDsAqj6~7RUm^(IkXQa5ko4 zn3wt~rD&V|j@`QHm>&@7A_pZcxO#V8HYd4C*xNg9knxsjZ zC&FhaYXMJoJXUXuOp6AUFMbTDCaL@WPO~;ZtNny`Jo8@gt$GKd1?nrb0N*i114I$T z7`jl<8BYI}6Zmzq7&XHdP6_f$XgLd${Fq5*^}EnMd)*)aIKK<`{+hTz_V#O^G5$;1 zo5*0@IUVb{L_1Hew7dDoUUi+kPlsGg7L7VBlpSbp0Xjvep?0>!>t{Ux^Lr*_yd9;0 zp`Q(DRPvK}4I+ICpBE?g6Nu+a0w@Pd2d0Xm;5BbR`h%M?!GJ}ooQJI-qDu~BYJK7m@&*eFPCA^--h9@I_+H_+ zSPnp(LrzEYH8+x!5(ChyDS?e3O@Y>djHdoDLn4t~`ltj>As_?JQzri=&Gg55_!(&Z zNwiQRh{qV2uH9`(nBU~M;Tf~dgwo3 {#Xf!G{A0L`h~i3EXOy zso`Q_Xl!&4B(>VAAlcAqba?o99Kf_?QG;gPvlZahR=%a8f$G3!a$)T+e z^*w0a$!HrL9Pp%Kd5sBFe+Q?l5&D9w*&HNwCG}WB2rq<9I~sd;?-+8=ZC4q8uMmQ~ zs5cMNbAEK=KrQ0OcW>7tFgSe71L}M{@Le;xj52x?d&OfDl7s~j`<+hK!jL)6Pv|9W z<2ZbtewPWf-(5O1%%p{#&=z7t{3`f3e@)V2M^1f>^7OM_?rv9TrKWky18NIn&@{(Z3#^AJZ>V=@5`*FVkhhd_#*REXygZn%A?Z=zL$M*_DKQb2Mk_r$R zslP9!e1}e)ue7Zl!kpY3P1AOpZ+uo&4+)3nUJi*o*`Dyr7;WQ3*%Q6!+xEM87wi@9 z;gjv-_wD=R*Vx!exU2vcRG+3)@pJ`s?B`*+=xkxOxUWpnDSHSCq?){3g!J8~7N ze%AVVD=JA8;^esc>ax|L()%k{VkLYRUp-WxWHEhsAd+jJWZ0HU1bA|>Kh0O1ZH?UNhtHVM;{i-W zH^rtHBBArimVh-ovQItnF(*Gz@8&#-YzBq<;wwuuP($Ap0SEDdg&~RnW_b@9q0L zs!6JDx>-ZH=Mai;o!BWoLi~{HB?s^tIWt@SeSQ$(yK-Pf=SUi9y*)$2_V8Ndl<4y6 zE0ko~CjlBlWXH3d$Th1!OqX3zW&SAfrFf~beA#>%Ap^TYd~1D<9{R%3&jYgKowU#U zN@f4U8MAhtry~*TTju&$DoT<;-ZG{Ng4ttH76#{*wZ6<)c&SLw%!Ss^vH~%#UWWt4 z=jib%!RF6%ba^m8oPU1BW|~4A&zWVr{4nmbt^ICD5Cz?Juob-Js+|93;iBbmjn$#j z$llfHr{wkvg3WiFQ8#YatyeB(X>?v4F6x982X*L2K81H5g`dUghnCOZ8f=%oYMFW8 z97Z;tDR8nOtY4a@8S(1@g^8gsx8Qv=>h2E^;=9!*?4$68wQuyGd@zmKemz69H!Dpk z)IQ-DpQanppW%tB0y@@Km*%f3R-7;3D2v-_6NA>TOB}4T#?89k z@8*khGE-5$5@DS^S^JlBu@ge(0mA*!1S;Et4o>2e^DA&cXGO0KeXJjrXRnW#^!=_K ztbYDfKGh8-aV@za@rhsDKVlXq4Djg4W0IlHtN2w1J}3G9On3!J;)ievo-4o>e`mP( z0;AVg2jml6&#{ImU1Cy5D=?Hb1T8q$I-eQp-;37btUb%V}0xQaS*RBBlZn0 zt?Y$&<0_81?acG=Cd;)WEhjmfX1~(w$nLc>xuZB9SeI zlMXyYw;%Y4{^NN2!r|Jgw1hwamH&V=%&+k6v)8R5+u9lyW4zMi;X7^~xc7@cqY-|) z$!RH6iq*6}?oDO*{X%ktqYhFq;&=H5A z?HD}uI?#h#APMz|Oyz~wrQ#ej$w%C`O2;@mH{{rhf8%AE(YdU} zy?mA1JIzwsanx}^H)+0OHHY)t$dej+&cS=Bb+s$zn?d2>ho#3)XFrDB8#c?V-Y=EZ z+b5k)CtdVTEe~b?foP*VNkz*prrOxwX)P94xjMDDEDlC;2k89jqQp+Ig+yVi%}1UY zKA;9qbl*dpKryg4XkgVK>5hpVE1%LMDeVP%pHSdN;n_&+y=eXy8^1_r^>kHgs6?x3 zPl{oCUT*p)Vt0IlkehPFSN<;Mf~&8UF_=A+X)ZpsVsgOh!tIl*=P^cV&P9AzTWRuk zOSxPEocN$E2NAg^%cMCQ(6plExB=IbvS!z{=3|rDtezdnh-h5F$Ta7)7lxnTiXqWh zyN7sfW{o*oR4YhW38nB-H<}hR(1(?hp(LxE3xKV$rS2@~ zyr8e3-@Yd+#05!0=?qxSgugM|e`M7)Fx@w`Tr~nNkv&0Rxx=Ud$5&T_iwQH$;|EI) zD!bHVX490>*P&Z}Z}NPWB+>yc(@^jMA$0}KEYEbAdwk5fbxc&w?-HWojHgkXtl)In z`SpGbf*}y%ce`lX31QTc7&%mNOJCfq;Svg3Lp~q0cb)i1<%BBn@_`65lHYw<1BvO< z%HUDRHMd_P4)Hi^Uj5qMVtM0!x=FpusZTKhjqk6Q^Ap%SSGo6`uOawkM*}(byv_9Z zW$Jv6nwjMl7Wm$hL%7F0OE|uT_Z3TVvz6ZOLW-w?8Il>jm5#aR%F1=v1v@OlEt2)G zVGmM0DT2dOMne-Eu?0y*42`hO;$%E4R$~^|m5j}$DzGz8W4d8#op#Hgz*Td<&xr`j zeRsaLU*c^Ni5*VNwg(}-1^e;v1tg5DFn6jE1O%i$1OaIMnqs`__YJn3Na@Vxt!Kc|5ll+{1>h!$b$(Y(A``OfHPbrn_8Nb)p1>_k4o*)b8eNXsDz08Rnsw^9%_?O(@eN0w%@n>6J)GC+ zA?)9vy7Q^$g8l@sA3yv4naWT7Aut`2s7HekzQo%bW} z`%AjY1`0Yn*G*74_;Qi}Y8!b>T6k$cUHOT;d^W|HdELx3bF<(>%kA0N(jke?a%ue6 z>R8&qK=0vmXPH56v6buJhR?!-K{^HZ({_5c&$FhTc%#-ZU@u+8df$L=v{>!UGaFm> zm6JWZ6Aem{<7xAEf)z@g6k;pN6gMfqjw(W&vIvDaD}J~geDOwH27Bgx|Ki{$G)}+r z2qlH)2_Fa&eFVa~QdQ_;KTmiW@6jm`*Q1!VE)l=M%9&EJGmL=Wh}* z)g(Wa2HT9OktAxgY-9uq%?5JaFGZexOJklNjhmy(B^Hs|q>`Uv@8rF45NQ_}JW)Mf zn#91fn$Vi%;~#0l1?A2L^&ceq5Tu(wwK=`s!8Pst7E+N&m*Pc5Jsp$0=;brV{SqQl zH8_Dq`sGQ#61pJpX`Tws3KpYeHgN!*IrEpax5&1d3u2rw0n}>$$Q4N_NRz=1+{1M6G(-7<3rAb9V)(v&D&ewzUPJ7OSsvzWhZHkrq%$c7bDptuAn6wY*2@w)wscR1L9j`j zCt+={X8}rVccuor4_~d~gz^W-?PhU_hKhLM+ju=-^SY6JKOBTB8i@MoaSc5Kw5N25 zur!;=fovyZ&UbgS%=;RyyTAuQ-0}jvLBETHH(iFxnl>jO%3XMJsRs>L%H^CFaAl5t z6WB8og8H|m?N`5l1B=KUDt!PEMQOE>W6ePH{k^WKcI`C@v?EaC^C?_;u?YF?a-Qps zm+hLjfQw@DGp`!fg3Eq_{+ED@uUH}8Y>L>xxS)>Y2lL>?eynG4H_}oVK4Z?VSs&x` zLHyBoK?@D&y_a?x(z1{(X5Tx9elh6;@Vg8;hRhl71*5Hvf1om_9#>t=U8|)Y z_!YD%63=C0H-rBg?{KVZ?`?UPfLD!VXv>vOa>mg?(8w?>1^#1nf%lSU4(Azzz|*LCr(-Xtz%PDduvO5l0J@(#NvLH zlnw@R99xJp>rVD@Na zA+*megop0ek?@HqTwPeTdiu7YIJzl9WVe0aj2(KV{3Bzea4)^RvDF7I>L4Qlu<35x zF2j+?EJ9oBx+AxD338TeLr&)QrD+SdQ4&6t-DM*)+Ai_h`O8l{d(>jR$}+DPOL1QLfjFCQ z<-Jz8$^2oiz5;!1ilPPA+g#E4JP+UGhX?_gpjw|BU8e%=C2r3W*xPKw`L zKxoX_>T!zLwkL-#w}tObLo&@OR@sZ&1w&Sk9WJ9i-kBjaYkap6cZ=oQTgt{eoA#GC z{DM)GjKL8zHHQb1WPzc`V}Gcr8|NEpHp12a9}7LJT`_NfX`Iu>166|%~- zxSAWte~U3Yb22r`DD>2SegkbyPh#p2ZRaiQHg5u-6>I$!#ZyEXKlPFl7P|{}@K_=q zC!jHf_**+XSNmDIrBV5TxaBVYJTGDeE?2ux_fTQ()w~l_R^J09HA~8nOsrZUPpU#!PXS45! zWL&}(dg)ih{KhxJ;S?a6$|@iC;GO+B2c?qUZDV}BYoPf&?zCLZK24`vMA_6 zhocfWoyVk`1ctQ6=!*6AbmT`}IC)0LN-oU~(vc%Khwv`-bA-|}{1=%lEdfzB8jFJy zk2WpR?edwk7f3~6FJf@bZg)m8Vv<;|CucltNA#80u1~@I<5gdob-qm5BYt8dEj^EI z-7#xxW{L)U2kld?gCYQjGG2UxhxJ!Ua+4lMrl|dYr0~FlZ}y1owP-=KBYQ^2-mrV(+c{_=)OW;b4j>lI zsb>J5;ykyAZE8SCgxEylGtoYWviX)m*!Bq^0s7j_Gex*!&|gp1A-xvGLaS@Qrlbt) zVNYh$vHrK(-aUnNbKXvyeFlq%pO=p`+-)DVRz+V&{+ox|M10R*k$fwT_CIqgP1-+) zntt_7T6^WYPv06VTNIMPCg=FM0Sf=YbdGhpDm!E3k)n5nNM0Yx4H6W`?R<|OoZsTg ze?}bbO-jb-4o=(MRvf0sX>>4&P~}-1TMz78_6DzJP|oOsn$8#&Gb%sqDPN`K%^4!H z81pI}54*6#oHj=dV22j=?i;FemG0`bC#+0M4Y8dEC%;gu&y$B=OTQSxy&mm^yovCZ-H2^GOMIW(3jVcldKRH+GG)%Z>zFj4mIV zv18ACzuUVqAJFLqY;PsshDSh78*W0AWn)>Ry^9euN9C{g+z|l3+;Hfeva6mUJHI$a z_%Bt?;3$9I*bbn>#bKi+?%yV&Wt6m>IRjgWWm>t1>`5eGVw@7lV8=PPo%ZkdtlLK2 zG%Z$`eBi&CRyc|iu@_^ei6TOrVLwSqD(as&TZica{fc0~0KfXlue=tN9tBS2UbG;b03(G zi-Sqhi8sv-6gd?A$>z6x@kiJc$@{tS7_I= zl5XWj2VYX`;5>5;Y+BA9DDtI3lZ!lJRUb=%S^%vRudPGzy+)&1v@ zZS%Nh*TDgj3Cm_i&hy&8+?cC<&F{sk2Y_RnxtR@nLmD5G>6!L+clTBeT}cajCd^uI zb9l_Ib8&;A3XBkmOelGc42f`Desx5_Bo^VDyjGHdRw5M^S&SGJT<755ic-Gdn88VQ zZlcWN58XaN0H0dQ3PbHE%|*S4DTn=^8F}EvW^d`mce-qc25vVRehHZ*$?uKeE#4&b za=cakXQWqKeIbmEPD5sqjw7obr^Rugpb}%G7eC&<`+eo=QgEZhNL-H~n+6ZFuW?Qo z@q0ZkhU4s(ldq;k&9-|6a{Vwhn{-&t$9>OTM@|Bfip;9dA5`BSINAI7txp2?%V3i? z4QKE7-$PkQyfR1}=X;HTUKS_-kus{h9{$^d=XXaVxuq`4quT0)kgwZkh`pas509|B zxyBj+5|7x|lgXM&xRH|;Lne=kuj80}X*e2MX7Jw7xJTavDZ|c(WW1Emtf=xtj7`8mXvhrr4Igei(ZjXcNX4GK11^7Wt>rK5x#fZfPvHtPy z!7`vY!3aWp^aJ4=l(b@_Fn52K(FT6a>8yWhx zisD+8`Z3>wI%pq!Z4GVJ)=-B!TjVpE^SAt=pfX&Q_?I@x(SKmgl9n)aV|+xlgpR{9 zzlLwm^-+gGR;q-%i5ES*XjXEaBSx!1xcir#>DmXhqvu+DWGInRt{q$?FZLJTI8pp= z4{FXOdF)L@*pXj(hl2tKNchZ*j?0!MT*bo5*Qxd1z*dy1d;6h#pWq%2cwiMXIJ9c@ zMA>s`($vWf38!m@b(`LNBVy1jxL&9(5vsAK$NcJ;k%KRM!*YtA2&nxQ^cYNiuH~ zmAm`$S8%Nwmx7FOK}$Hfvr4KQ_aAr)Q+UuUYjIdaY!p16|1 z)bqO0!BG^Sw-9t0aL7nB`WEKu$!7pf|78%1i5J#0FlRj`h*=OHk>;bn;8b#hpTh>Xe-QV`CiD+pp?Y&P`Y(TXqR%s zY1>)UosJ|JCsD~FOga^Re(P^6Kag@YVhP(D?JhL^f(cOy1seu!9uA1KwiFC2 z!yedzHlpM%1Ohl0h*oKPNkYi@f3f$TVNGRg7$_YP0Tn4qRTNZ8P?X**fCz$$^e#&8 zy@h~?j3A&QO`3{;NRt|R5QNZ?UPI^|LJ0|^-i^+TbLPyMIp^N{;}(DLJo^cI?Y+vk zzVH3kTJO6hrhRnk_^jboP%e~Gn;7qUT`GAD78j-NtjM|jGR}mkiN@m}qve)bo6d^G zAeomnY^+#DhVAQW5DQ^N=!nVrt*sKAEZ=PEt@R@}&@h zuRhM_mv(n{6drj(Dp6>?QZ(0F(p?{5YXb3Aw)Ve7xS ze3Kxpgz0IAhI<1MX6<9)9S`AewqQAYiK*cx)opqub{FBH%08uJS3hOw`14-MiPO8# zQ??()pC^k*HOy>U>|7z|)gpq&$2oUNQJJ1}U7sH+FjpV~Uuo=`saT*Hs5^m~&M=uT z`!!mJzIMl?jVhyLjC5w~m+8}o1CO@noAG1sAi|OoVn;-@iX)m+m)?&{*9a84Dqa&820;Z|ct6e)H^_Q2sf>I`mEHDvD z`Dfb96U#ioLW-+v92jIPIg3X;6o2m6O^U5^{Lw`b9HvOC2W4!LUHfYrMQl;G1Q)dS z$NghX50!&?V`X2RFLKwKGq>ZG<{eI9O}(V*&>OF4#D&tMwi4wmA?%bbZk((Jol!yy z)bHtcGIe6aHyiaT7?l?$`4tbuN^?Jk!>86MlJ!f1SJtJMjMlrfGLBVVZhu_06ir`f zf_#SMr3+u*@GV4n4*PMVjtQ2wq}TBDJ2&9>s+rA9SVGqDnBTD@;0o zOqUbCBh#N~vz+D8CXJ!#RQi~iMw7&$ zsn2FL@zHL1&GhOW!RH>4+q~IF{ByVO5eUAYsyGSWDb8h{Z0(jc9%qum zN-ClW-g?OMoe{^a&zp5Hned4QG)!7UC^mxqeIZI_=L!QR0X;PkNB=9bTk@=u66+=a zlgSTvEaO4CNSAa^e97Ek##elA!}w5W_&nD=1xXoveb3cs7w&u7Hz zt8R0qw9^@uEVnB#mgqPqSi9YzV^0t(ga_#QsI0uQfh+h)!U&V-9vt3!xP|Xk@#l`y zphn) z;OK^D{K7*}+#`nA>44M97Fx6oidJh;B=GKZaCzz$< z!&q;$s&Ka++L*eSBtElhKNnP2O*XDPfibO&l<9RUTWp;ft7X(YADt*1}JN!ELTD1*Pb!5K@}{oGzIXqZsoC^0onCSPzM_HpJbA zqmAaX*2O&Wb#l~qFVa;FCmY(4^<17^8t)W^C|=q*i=J_};^JVRi4%WPg*}~a?<+aB zw`5rpusu3?VOgBF#=rKXi`*N;Y_sFbDo#w|gyrUjTaDkthm#dro|fm#V6_RI&*Tr5 zdrL&TeAtjU4Fs5AC2asQ$`5#BO~QybSub~0GCUkR%V_KK@JQi;$>e(voSOVw)G(Kh zL8b2NW5sYNcu!jL+!|lJL2lOzKE?5;`p6Fvb_a>L$dh!dX2?lZyL_|q{pHVFx>2z` zF`gXE)T$oa*i?jg`t&)HDXC#ByP{mjU|`#(r;kq|=3UGaFEHA~lSJ5CG{Nq@fw82k zp-7X6ML$n5|2c_5)rD|TIa?l^4bpZtN)@HZSc&^0+>;A)4ccJ8N=jD%vnwdIVJjC+ z&Z71_LOD=DTWETgjIQuI=-&216%dQz&PLfGGI}p2U8OsSd-*NaXPxz=c{=CIB0i-k zUeYJl<<-o^vhJFc(<_kGc&y=Bmwr(jUtUSK`#cMSTk`J}+VnSMhaC9SoX$X>Wz!ru ze1j&9yl97BZCtO*tyT(>S%tsUehm)f#bkFkl0XOX>+9w|FdL+o;}qFO=&M3JYOwLe zZ(0CK+RSqc4K5!o;hQDxPcE|@J+QNV3HZ_j<~E-KUoD~aB&>uk->L(fPG~ZZPI@=e zq(sa~ckm9q<-A7Q?-SeP5NP~umDRCkYM4Ld2;g#5m5W<|b<`nWPd-IPt2+7~xYC}z z04xsPo|4JMx)^=N2mYaY<{ZK;&cjmEZ+LRguq^p&rB-uWdU#C=Bhdl8+HCZh;N0S7 z6|_><`qIJXmOX6ODF=ue!GDYzzAvcWqWrnJ4qxn9Yv*k;s%<$mg3&x^Ym;r3Pxaj4 zrIsm$d*{{-tzZgDDxi<}m4lUG!4$JWtf>9#-+%n~i+aMr1Ih)4Sl}U4H-8j=LrVpu zthd#RZ~R?h;Biq5Kyh_Zib}yZv)^C5{|+O5eu_%kxYLn8e)?9aKfnKLB2dZK{r~@c zxfk_wm+^`_EuW?8Hls3zTJdJvi;}-&jb7{JjP*{a!F=!j`78V~6M_$KMTfWI=Z5Cy zUJmiv=l~mKj)S>(kNm^-LSf1><}-*zJ1io zA2&*hJ#-F-&JHU0oIi5x9~^c^^?ukE1sv?3T&@M0VwQYl zt(I83xTGC)5jS8?-dXHhP#V0kM8hxD;3)7wq&c? zsr*Byia!D#d*t~O(Nh$DiP7CZfLO_{0z%YNyU;pzY6RK8WH{?I;< zG)($;C}_hGJT6R7Bio~eVVIR38?(Kfr2VPw+(pN>atX;FR92*Hf&aq*xqjS#r2D~tv-(Rs!Q8|+ z@?{*d4h_vnKkjzw0cDG*?e%{^FqRrmW+p_0LwQ~Ig%A9w{5 zvN;}1h+TkOsM>%kaS%IBzkt_{9u3YL(TY{x!_P=d+$!_H`Q1TgyVys4AC7uQ#$Dp2 zv7KB`8ZDiA()6Xv`H}k;Z+)xY&3(}Rp5K9vXk|b0CE)utVy)w}{16+TBBT2aJ|M`{ z8iUSF)gO^j*_fv5G{xSyMh~)PgR94!oRpr|xv`{8G+Fa9p#0tL{=)^QE&!lE+yzb- z1l>4v)XyOoacHE;FF`vTN`CfN0Y4Je8}auRs%$|6%uWG*CgbZATjD(F zKQe?wrjWja%A_UW8YN?MeMp#z`El>VTwIRll-{<>^#18+(+Pf`qj?}1r)O{azuV)nQzLdSn2s8 z=t5Q47Oqe&eQzXPwy&5`Sy9JK_&3x0t7!??Ovp>X&mC>40MYWt2wVI8sO1_frx3;7 z#27MiA`)`Se^1{mMvSo4-lKi#wh3hm6aN^^e;AtI=D>Ske(FTDrU4mI$E`mkL{3LJ z6)0pPWa%NiD(S%bNoLGt{i~EMorYsa|KW+(UjY6i|1Sb)3dJnP9d61N&{c%w--iov z*f&R1`)`g2=mqwBFGY_2R{Ov1E@i9z;&&PU&FLHfqUo8|Q~%I_OM*a#FIe{T<-fWC z+mN5#{?p)oPPKoHBR`$YPxt!WB7hw3XJGjONq(Tb9~0*P0U>qAkd9x8NFpvGSTYt( z(DD(AIQLT5se!3VFy>O#b~@@h7DjeP6E?(`A3rFp!Gzf^MKuA8&c@hi!cutmJ3M*E z5>3chc;~_Qgeh>V%yvrRnjUYwAI^p)qZZf}@`3msRtO-;%lfPbqT7(Z3OK?7$2)x` zKj+z7EXErnEbD44kYjm@CsevaM;u^9hf`U)wP#$${e4MjOV0&uZ{P{X0vnK(+aQ%f z((*zEC~$osgK#S)+hT7W>yuH9=l1~+b_5Xcj&vsH z7OI%{WV8N|)3#)y=LQHT8vNIFj10}E9 zWVnEpusvZ>iyI{O125Of0lT%xn7Ta{lHV(kieFBXuyM~k%q-%`WATJobZyYC8Zuh3 z8lB&OU%|3uAS-Xjf@XELaT{suWEfDIf!y7PCA z{BEAsS0_he(o`0@!;j4AybiuEc>CD&b;`B*>!%q1E$TJ19}bq6G`#RRhn`<4fD^oe z0!!k&64E>_5jBC};fnxs8St z=3TzV9{=n@Prgf_JPjX>{+dNQi3}tQ* zElDOCp$A~wTY;RHZnuR)2ngHl_39qDInlk;e`%Y^u}84^=wc8HX`{LaMV_+u#4CA0 z97L{1x&&UpjVhT&*Ws{cTn@VIil!kzX?zbf2%D}3?L)Rl_KbGAs0fqs3qrdJGX4`Z z{4vg6uQlpE;1oMAYW7uqKPYv}>89C%(^Pcq&La3>dyvt_Q>CqJl-$a@F#zm-~(vGO_9s`U+Jv-kQs)M)8Ey;LVZI z&d4gBbrLioAJwb>4!PItUb@RQz_hXG9D)pxtJ;S9ypxMzZa{EdQxp?QTn3h049{gB50)2i!Jdtw29_^8h5U&&uvfIdFo||w zE#00lLpNzNn|?qwhC|T#;*A@@6vL6g3G21{6kB~tBx`h=68D*7Qe*wr2RKQ~(v*$V z)Q@9^423BCUiw#%U0~d`Bv5$gPD)&v+}CQ4!^>~|H6>vdzJN6ks+m2-p+O=l8inJ` zly@?lGQ@Q-c+0F+ZEhHORlAO-7Tq+x`gQKu$cn=qA+wyzTwdj3z~Y^4e*L!V$qsm9 zm^k&puaLKm!L+ps2K*_DwL73|{3||HLgWTyldDt+G#4f4S`$o`65GhA?iqq$7<=m5 ztHlb`=v|0f=;D#`69umqddA4hj6Dg$Vv2HYEnHl87L>%&M_i5rS+Twk`uYHf&owLhPcY%8bJD*w|jEG zMg^qW?n$X05@hn*y~!D{_~Zi12{;%BM>1P=)Vg(=@U5;L4kpYwQ@H1Vhy-mI7nq>zH0Mc+P0r&y&mo0r?Yig`P2(8$|LVjibzX-kReH;XWBI#6gaC zNDUBG{#j?gmoJ<@ZG5e!KJ25s(OrKblBawc?Q?+vR8c{gxtVPw z!l&R^U%m-40-MhLB^ApHH`b5G0e4%W1HE`1n=GS|bzZaEY;*#H{gAKw#ON!8VYVdYo%s2S9dGL;Waa zi0-_rVHye-XELlhxCY?8eaMQ-(Sl!}0?a+zCHq~bZC9lU7z{Ys-4>n7sPC<2oSLb1 z%Yv-BE;ZX!=8L+6h0X=l?9JcD1biTHt@M}k!pX$$bgdnjj>z)8yk(Uk>^=UJ`-0z% zDdJYc#{(&^ffK$tcZ}|Y1!D$OTBA^=CQpZ49KWm#4Kb1nOig336S)+5fesBpt zg2x)hY<$Uc8tx-C(_})n3+SJE#DbZbGpqWz+0upBS(PG%mF-T3=7|T?77b?RHf;_x zh9}#-9#~1_)7ij4fI5$^gu`{9Kk}!x%wRj!t zBZ%5r*PKq1I(F1J;|inI2;K+U>%SW9@>q`ia7AudYb8T2D`;)dy9T@A)&igLMde3b ztv0OIIl+V`JZ_v>iDXe zYp~E9I4REqPw&iremDI|u($V#h(1`fEw043N=CkOa%R0sYsQ7F=SOjgQL~N8Ntnv~ z+TkT!nB&Mt{;YhB%x+L#_`M9m939kyI$mw81;%?gc$~=C z<3>2kbwh07;Ypi2mtDcVbb|Tejr2sn(F*fJ!4tKw8K22)8AoFSs29Sq8cWFGmgU7B zJ?A&&#tCnEX6eRfSTH!MSAE4k-i*|hriEAE_;7v_rT;8ywlg#J-h0}EN<#Gc7+lOu zlve)HV&W(RgB}J-!j7Hd$cscOsPEMwlp@*w+dh4@xF0^t>7r-Yc zHdQ#|%1G{&terhg4q*J7RAGR@bQ>fUZ@|d^;BvJdDO+^&+nK-YeA8Bz zkb+=Tnzw5_z+=>w;>zHWx#3|@t2vBY~80S38!7YyGu%!;1FMr?!t!7s&-| zZiTHs=3=v9ziOIg)xjZkFgDH;er535Cx0(V?~*s(Yguce&azwSV}&&z+(MUvpGQit z0e>HTpK|H9e%>PGuG0c<1H(drrj zNq}v5uazl~OU3|1fxlUv=87*#g<##$ouD9vWkiZXVEM5%K4+D})OPkrcPO{U1QYP# z;2}~^ZfpDE2pJ#HqmfRw##L3P)qY9~Blx?g&!;OAGF(*CO>wnAAY-*I-HNR4NeGe) z0992Scjh7wEE~TEbG~G*2ph|X5MC@gkhQCTiQjBi>UHk1aXOl#jnL^DP$xnk*)xc6 z9jobvoWo8`8e^G^iSKtd2;I(MxOQZ`h0G|~Lcm|t9Ao42Zpa*Ww?Hw&c6-VaKuT_6 zRd^sEf~U;c$L=JGo;C`UnZ-1^$~DCBAfv@w0}eci7z|peh)xHS_0YXngU0TZ?wpN| zS7demYT!2ZdA8(%DR@i_Q6+BJ1?=T)pWN7BsXGeBK&z#c^M_-?e75m%oobeRn52o% zvwMAuBrG!OownF@#;IBxr3yYoWi}N8jouiR7Woit9c#Zx>!Kti$YYY?yH+TAy%O?IQ2^qcf3f zydxYLsiFCcB|b2=+Fpe&X1RDRt1H&>+9OyC(d90#0R?UjQiIb2*iMoDJC|^&1eY~6 zF7j+y1Kcbns(xFE2?hv#;^p;(!{)N?xX#-PBqx1i@d-pVsUCQC4v5TxiB0gMU+er$`0BWDd@#>` z@&^Kse7ya!hs0Dj9I-pYn7lg!x2kk`Tr^1@R$?b?C_UbM?BWS$)oZ9&ESs*d)#YtW zTo?lWd>U;|9+oyDnYbuVh6DSU5L|ohg?{m91jEemLZtAwgp3SRi0lGB_$N;H0-PAt zqxURBD0g>iZBZaykvAOVD76=;#fv017OKI}0|h~g*r3C>+C8^bhC{rh&qIyAcMXui zmxN6DSz+eVNJ~J{%BR-TfHeH23%n~*MHT{{s3f#ULv8#6-LI?Ii2*14!}1S96cYi{^5IqK9s;${bQE{AGM-+IUT z3^R3)N|VssanB6j?JIUk_aho|Q>9{DF4wtl`&y5~r4srKDPy)SyVA`z*hheFLRVJ` zvc&;ajU|%4C0)2xY~0L9oG`aw>gW3}{adVuZdfN5BtEpd!Hc(1i=GxCHyMxfB*;Z1 z6uQ9WpvA{e#9}kXMOZUtS2ow;?t@iNqB5jnNL8E6lvJYZE!MgbVotgV0;}!u{_tc% z5Psu|i#3uF;2jTKDZzo@0aKW~5s}PRMF~HXMJ2_3@@Zzt*6DUOK74e*fK2*JAGyu> zfhb=xab|T@2;Q$AovCy8-AH@0Wy*xY{T9S=%uB=PASb=<*-HW9pqlG=saUW^BBdxq z>X%D4mEd768y%3fvQ|+yq4iQfHi@J7Gt)N;b5UXIWAK!v3UX}&Kq931n>B%UGG=}r z3KQUaMYoY{HCHSyhEx*PZ>gRcpaGmb%bNH~cmk?IQqf^uYFnB}8aGg`7%p@#*>h`g zG%0cKnUV6a%3Rt)%~^kmVyB;QvnH#e)`d7CO4h9XK2*h8fI#$PO9r-8h?65J12LEa zA!2R>V2=kCMs}O0HhGR!&uC^~rb?3;>}`TxN;`LGo5EUN+S`Ec!uFhill&brQZtUi zDwJyli&F!HgYS`HCMi9wC*FdFsvWl4c6NL#Ipm%e% zM(b$cQM&1N`m&-ngHiPG&g}}(NjI>QqDa9dCP%ID2CJi&u)BH}CzEqm-a8@&9vhFJ zp@jIAkQNY=b&l0wFE-JpfH{xurF+;)r-X!7y`|%n`(Zux7n7<=r8n;f+VAni=oPv& zk3pqo;>_sZ*K`}z6(4b_EjwOl+Q!G)kgw!nJmDuXBBio9omu9)jnS(ChSRL})vA>K zG<=WvP|S%d4bVDZh|Y96Yc98)Shgun-B*9=J(N$+hdN3NA4=q^MG>EW4!aYd6APkj z@j^Fi$lWxJF7EI(PDNy@6`gpPWXFEu3^_wYqVr+LmNzHLq}!B}+c~_>4^<)H>$+ex zXR%&ZT^W79{8aaWes<2efXi(c%Ovj8N}LnFId=SE(%{T{t7^v0u7Jv3&3=w9oSfAT z-Xm81^h{D^3bzu^!=%7>r6!0Ay&G42YhOkui+wS^CiX@h-Mhf_6!j-G{N#j4x70VY z5;<|7dL8R8G1Q$nLm@+xh_Tky+>Qf`?-6X7W+98ZruB+tM}0EfZq~qy>Z%? z;qk~4;{~ykotXrZ{e=m!)Egbv6Rm4pO1>#+fhKjjM-GFBpYrLifg+EmE$c4@`FB_? z-Q%#QyO_XyUZp8`H_vveZ9>Z5smilK&bYaxkF5ox(DNLnflFN;G+pxPv71$+*s?nt zT^zmi0d>cHH2UGUL?yAT+_OB`_M}-=qG?OnuBwY<%hw^300$*S0zX>9MUc8KG}>;& zUqL{;u09ZqZN|QMmllkP!-cuQ39Xgu6_X8N6C@>*$L?$MT9WG5Ufb5k0%>x1Wh)0= zwD3Z+4WrOu`Uja@t|^*li~L+bX59$l;`?fBCJe6u4s~=qHEy}I9#li-$3yX5)-^cQ z^$I`Yt}`UGSV{sFUKATDM8Em@^A*DGXXhHfGnH?u$FiA9G#5fgg+$Qbby&ts{DghB zq@i`|oPIB3h}C18Mg?N;7*{f|$kODLkJ&1e@F;+sVk7V-H8pCbv_Kaur6ZA&>{cH4 zF4$WiypjtdYwfx79CcNeuE=xGsAl_(YcEVK4$tg`53$UeA(#gpdMo#&i1Sf0 z2%y4lfU8)5Xk%WdvYEC>`zTveh{YHb>Fd3=|g#M zO?U$gIM+AQM&@>Je1>1k`3wm^vTgjF;aYmU{0U{c?kl%Ri``(|L;iAH6M?Fpu1H57;zDsP>3jb%KT9c#mX=KNZHxEDhT#b zqQ_Lt8Itg?axD6t1q70rKR(VAnFwfYRMp8{r5uIcs7mLZF&M48TMmNLqaJWDiz3f@ zzph4xtO*+i4@sBEm1*C9?Vhq0z#dKmgn=B_lf!isvvwcrFKh#HEDF|H*}j{88!6!z z1#gMG+BvK2aBgCaXc9osa~qr~yE@rz33`(|?JV7TUg2n>fkhg?gceYj2AI%sU+3^+ zt;5b_D{@$!I<8^nF_9#~V!2u=zo$|hGF~N&C$_q`S~>6C_hav~GAXv*y8vji00hT9 z&1Sb;zJ!}rALe$tdsn_`vRG=$5F|M-p(U7=r@9`8iqSA37btz;%Vrj`dXlBdZuT}^ z@m}MJB?lo_ng+Ve4igwh^Ki~|X@B4ybQUV_ip`4AiD5cRNa*P}VA;z}(QLAzEJD#V zsCHmsrMI=!orr@2N9Z{5ieZrt7ocX@`LlbN=ViI>0et{qnrQ9@#Ec~A`4_0FqG2hF zo0!Z|rdq%yhQOP9j^ z#^za{m8vgU%NL}EW$hJ?70~4v*{s(#<&LaPmmKGgP4y-7yXx*?mgycZP$~#1zfqv7 z1TW!;SL7b$>F}C%Irk;4X?zSdF7D2#a7QMLd6TyD2_3C2d11LC+B0u1DCoZA)lrj= z*V68?Q2-{D(faTSU^PO@*}0i(id`vk4_n#U5r z?spGB)~Ua$?`Yp0B-F28sp(e`+_C;}c0%eD4L=`G^+!m?8Hb%40GxTR@FYo7wMu!> zF}gc;&h+CF$Je?oFHcv9&_s}p)C7dn8V{^-G-4ZhLK*^w#OAEeAM{a^+mv!GKq+X! zlveumHG^I}xCC9lQZgwR$*V9Q-`yM$V3la8I&OI-CluFfs8|heYVzH@k13RoMBhX< zWrdA*c0|t7ILkVC*J*P(hg9pVbls)jEE_k#ep1&i7vqBtgpF^h*Mdw&f8k>}@#Or_ zV{aYyO<6YA@f+vlWv&6zT!-AUT?YV0+s&yzFxossT{+hmNx(u#fQ!<&Og5{}gwiuP zfWMe(Jk*=?yc!IR8;kMK9PzQuDRxN(D=y00KZKEbtevm6hxv+*Z!TGURry*u?mJ3F zxt2#8cTXu2;GA#+pG<>}aU6(c8JD%^wbX0Ph<#D{xvB19v#r`bO&)n5L@E`(N3G(* zFEcLY{Y}0_=)tG^lSNv`w~d7lnefH=0q1INc<$N?)p}W641O(dR$X}n#6f4!$S`?? zIX)aKY#qfMT1+3ZzR~Jj^RoZi`h_HLsRvY=RqxnNx@Q;i6iT{~*gmTuFQjbogw`E; zpGV&KPC?^s8EW?(#fxJJV)u{}5>P(SDh!E?(f7bZXNdjNJ)+jt_|N6!OnCnh0Nj8a zR<`&?C(0;&qzo!*cni(fJ5PDJWq1y_tlS)Zc_b zAYH`Xhm@T0EyRWPRJE!1HtU0h0;a>azmcS;D)im1+{ac_rd5CSd#}9YUN=UNP2{fQ z&^nE5S;zI2rRSmg)giH-aC<#Q9}8*9rBK(a_}|1?P7-SxMoW{a!a4kapi=W>!R8DQ zRN_`W3-p1Y0{R|Qlr_c>v1^C9N^e(uy$I=fxD|MEdE#WY!TrJmny0^xv`?oWD`pZKoWE)mL#;TniWSU&5-nPZ=K{k;~PTD_? z)JfSAMhTrsMd66kgu^5C4o7#nni{PIq;no-(?2@RpXaH3Hd`t1Hd`RKwPL~L>Z^9b zY|LR4<-OB0HLF-TzuTC}DYKdY8=;BXYAzH486$_FL}7gn>K}-btpJqZbDJc;bbw{imtNEluW^b7yb+%VnJu%IZV)KYzGMIAbe^p;8 z{y(L@vd4HWW=7V1^Q8K!7V5&96rlnq$jM$FA6$k24P;>W z95%mjI{10%m*vTsIbUq;gQq(F9Zd3q^ywsu^49V=CKDm0$&aBcPYM;dEj&sbJh!D6 zZ>CTC7gKxOEtnf4e)a~JoEGxBTcL6VWPl1H(I}H~0@N-|=QkqiP5vmh(waWpfr%Ty zx5O&Oc;GiJ@u+o2m9XRP4J6OW)^7HGQ-94{m@(0o5)rzP@m6eQ@`V*z$>7y@Ib|W# zhm2cM`4X>_0AiB|lf{YU>PlcQCjL7rbvYLv<2|z@oV&T4?68T;Po0T0t7h~>@!qM} z)`Id?97XBEUFP(cWI~?O%&%2T9eH`371*)K==JJtW%y{r+xBg+o#$rD{&=ALU`o=ezjOkaSPg-6k6I`lZ-J*bVN1(tGd)p+25L0L-H z+CBj+<&^!pl=G|Piht~+mrw&2+GU|@q6bkLc?J_v|A187~xgpwZ+f5Uah5>9FikFu#h~&48qbK z?F$*Z8*H~Q1z=<=fr*Nu<5~GidwCD`wZP=~Z9mHH`d*&U-qLdnZ_=MqE)EEgn6(p_ zs7aMeGBPTGX;%Q_%{Z)OjwN7?`11p+W8X*FZ zK>R4&br0KlT3#??kT{wD>XCl+=bW%4+--CH_?&4U*bObj)_IzX*t{P#5outI!q1PEIXPR!OG}B5K*F zvXG-svFmG1a;V3_)55|7%$XtEaA-S}rGfOy8Ylqs^Od({^q^tGJAgE1p(<(@C`lHX9I?hKlKvE4q7iQ3Bey!2aXU zx64}@8UYBk?E+o)^Vbwjz2u~Oa$ck)mEeQ|xpW&YnY+4qz_1^!?ErB^`Ri_TsCu0i zAP><|=JsOKxsA-QE@Nx&{7ZQa__)w`tJs?UlcL&&igmoDcV0mCCMjcDH`b6W9|2#& z+Kd_gf^TNIW|}WJQ;~sj@z^om!GnbqDmk0xHpec3GMyeiY;V?UcPbZ;H#?Cb3X*Ft z+`clgf^~O#pj`d5@fG`CQp^xt=VJvyBfah&>Y?i7uEA`?GefqLB420N*1KjVYwEk_ zo&dvl&Ch!M8X&_Qh2?jlYSj>^^pT`SG2vO9Zfj zcCH|0^H-%EME%g|1Hue-JOqQ9e3ON)vfkBJBDKfd{43@S=HvIo4$TU-M{W4Z4+nl# za&S3D7sb*p(^}g_RMu=WyX?vX(?7xqZcz4+bWNq%(4!w}vMhhmbfk?ltoXgeJ#55t z1O_ys>fK=RU0tPT*`wsmX-R56kkj04g)_<)inI;+#vT&cg~%mZ>=R)|p8~Om@Mpcx z)JE!x{rUWQ7vd;eru423HK+&=H8?e~Ofb@iyq7p)9gnQ8ji1kSwY=4S9uW9rmvs^q z{*q@cRa(+WFy(4cA5LA_iwtUL?LkM=mPCky=l)t%1z5fKFH}_!vF>j{q-LWU4;Q6% zPk->thTN{WrsgNVGeg?2PiYf7tF|@LQWsP#^Tb6itHYGmSLd4*8?PUY@eeISp~C9| zB(p00vzNWkuyqPbr5Vdab2ZcSzL^)FuiE41;^ys7=xXL=pU!vX2=4lPCGfDIoAiO0 zm_`JpWFfmyh(UESV@-a`eFx;ha>PiKet}DK088k#gn}U-*;V;ypM$JMv)U6+whvWS zb&THfCEwM9_cZMs9HM~Jz#8Gi{F@fQ!SCA$x8Dr;m{c3Cm+&;>eI)y;=RId44{{XD z-|yG*pqmZ#X*eB`Pyh&c^1{PM4l8q#ha-o2>z3^Uzpfy=EThUwT1E}!R-7K002-Zx z6tnarYw&1l)o{%-eAXD#Z@MgrfG*1ei;AJ!ve>~sih|Rf>LDgziDf;STMt8PD??h3 zJo1R4PmT?mo=|jsZk3h=Jld zg}hrz&as#FlCEQ1=BU%2Bo~Y?!*&o;8EeZ)iHu(Ek2Y!KIMjjDA~}E-OBl0CvH49t z(BsLvUKYF~%)B;6era18%BPJ*vT=Bepm|nC5v`n_y``C=Hd)1~q=_X&*-0m|8oaB? zw;G*npLI}aAdCUV+IQv2N91+JC7#P&?>MQRcVG1ymNj<-v$Pw^DJ6f~ijp%(%~V$Vgi42s;8eC7*`-?F0d)vdBV8dj~DinxZj z)b;xr#2qbVFTBx`w6e@x?ArLSm*kbEH~Z?5&!IU%b%9pUnz9i;(+g>LSNp65SHk#L zDc7u17{soE#Y~WL#qxolUgW|YlZk$YCy0P0SbL8yCB=Plo9VF4mj>25=fvkHb8yaC zFaNlVKhE%M*vF*KZ5-YnSX?&)5aO^gkkdZaUAS1Grjmz#Xh(ZMWilrxqNM8=irI5a z%F&G!D_1RV%Wyr&cRXh4-L}>%!rW>x(L1-}TWG)aw9D*V%j)b1VGC*_X9Q_F)G%`h zBj~rP=!|*fhXE8>PzO*TGX+a!X&Q?Kn=jHvLyf)lxFbeF6K84jkI@?nKTyjL7vD|l z46ZTwP@UQCusMjB5P8Rzy!e|Q%eD)*w@sLDiL{2=g!5jTb&a`n&+XCMLLI8^Ib;eR z6-GZJ>zvu41J!?G$lwK5bCL0YIO*7+X1^zj8=U4wrM{$ zjG6Vr&<0|yVbSIf7#6C*Jm2+8PV}u{MmT25lB?N>XxEG4fIy3>jF`L`Ov#QimEJgW zb9SaEbijCy^`&|QWsD^^e`TD5B=c98qYvHt2O<`m&6{5s@lb!O_fyW!dq*Z69p6FZ zXKZa|oHY7feMad2V$KuOdqn$qf{za)5^ z0aiqwOYE8urZZiovef2UGR1B$%3;=DmbmB2GTY;~Hld1R9~ZjcWh?pfs_-$b z;1(+v347Z;mFwGAAbg536U5KeJ=?&U-8LJus4f;`@2|35lf(sWWYh$h-F@e&{yTlh z6d}iXYKetcH5EABo0(u9X{Okut3=)`S=@^WCGI6;c)aDU%34rzTdxq)I{!H)U6lng z%+OwUtQM1$Ko8Itg0kk9j zBfg}J?4A;q#-O}vHT;)$%k=ob-c>6fBu;*n{O%KKo#cfLz?j0>Nf2);HTcfg)o4=J zPV|xuRK|frQon0XaH5x3wdUno+skuZTWZl5sN2Ee7t(Qk%#z%I|+7a>9 zHD>F`QAHL%8II>_iY397go`3R9>Oj4NBWV-!OwFbT-A$~tfj>^L~p&+iUt#|j2b(N-gRJgA>mJ9F8xZqN&09w`D ziyu-L6d^$XqmL*!@dtH{AN0c?OuLXhwteE~`o9xDe=2GG{c-O9TZ9c(==hNpZW+%* zT>@vg)Cyy{r?^?r&C6f9KuM)?czJA5O0 zLESKR#&RoY&&#iJwhTUU3^;F56tl~bDEvZ`B7fiT*gI1au^%|hsdoA%uHCkrS0d9ufG}{9-f*c#fr165Na|1qH z4!6?2)8Ill&P`(bBKx6ERBJ~+!EE)xt)lxd@)96TGLi?)Kf*6wwXYE3-{vg_=nAFo z2oC)g^qfk}*5NvLel&@3my{y2dCv(*Ty(u!4t+xhh!)4j-VJBlhKGbeK|X<>`Oe`l09X_k{cJd4aSB zkUH4pI3R$k?UKi;`8Z{|@roNtL!a;Dvy@uCIi^|v_&_34fQgj+Z55hG8-(4->Fa!y zeO`|pPYdd44nOm}$hvLNz}DWk`Ch`{QPFWeHlsKB(yy+juO_N8=upru@rN9}cbaDL z_0^F)*GuKJOimQ$HPUQm%K50IRIty4A2!twIg)C)-WA0D$$DY|ObSZ#d7`qBx-aJW z-?RX@r~Wy^0e+T|Cq}?|*8jc~MaY$dK(V{}$p4`X@Pa3Rq@iDnWWW1=UB7Q#edsPw z?0FSV@V9{SUo}n~5NK?sS&2##kT$lf?L#_$(2g^U;vX}Yqdg8YZpgRW?yI~6c2fd{~ zwSe;?CFShNvD@wckpBOvZ^Ul^#jY$bC;#bje{YsQr`n&oQTgXo`_tU`Io19=qkc}c zKTVpSQSC>F`ED%#?}%y}b;(jLB>R@Z2mfPaJ8f(aR1$Si}M4;C_gX9|LJjmYgfVb z;`AVru#3o`8n18WNC+fPPIST z=g+D3rw;kQJk=~LsbULLqr*wqp&5*?kZN6^ATt8?Hb3Jd-YE_b-ZWd@7{Vd!a$&|* z<%5@M1U|WjU;9$3;Cx<> zpTO2p?&ST!GdF_xgH4LzeLArhf_4gLgj}@0e364C=DQi^jg_91B+fW(YD2)+@|GOl z*vmE}PsA*#R$L(F@3mwNmpb3te%B1i4)PZjw9c-yY`>AWX6f9gr0qcTQF^)wQR0P2 zKnH&rbH-cb;TP97d!mx3`7+7*c-MtJ&Dzvv2vnv=Yi42P%WJO-#eSwyah-ZeuYYln z%CZ(4bmo4_jgAhNo>34U zhzKkl<*~KA7r!ihF;004hZo}IP_j-?cE!gok+KJZN8|! z!VacUVrP8nW`6=pQzI4{ennvU8PY8K!q+5WDXRswDwZS!4CS6{S3Md6n0LV1xX%datXF21ue_zT~fhro|4! zfzyR`3efw%frk)(0F^OiFFp0eY?yBDZp)O4W)wlNUAwz2YF2A_owyuWlmmHQ&22Sl zzB1adlc;STaV@=zs>skTrqC%Q-+JstBgb^FfEQJApBpKXYo@2UHE*f#BBzYs8D>Ys zWiDoi@*Eas z@B~g= z4DM`KCYeG8Mm;nyBg+*7GM3OAB_7$~LyiR}Ld<9b=`rWC6hoq^9>IC+#{bILg6l=u z4qva!B+&gX0&Sp5l`9uan0Sy<199LE$gLDmtHax`;vbwmj5j+tOIq+G6CLgg`X`4m z>m1%A{2zsV30P8D_;*=Oi%qteT9(!{W#yJ>TDZ_MlT9U7=B{X(yJ#+m8;~_-WonI? zxga%~j4Q6VLz`M|ST3jtq^5?5gbN4=eAk(gn(yEL`+6Rp?t_%a@oZTU0uu0jKmvrW5ACnTkJj8t zQp_=zfn~k&8 zGD&*!{RQHZI@iyEzq;^{u-cSNgt`^ulA*{$ZYG+6U(AMElR~(!ZS??2Xd7#_Uu1Is!tyflAe>bg&urRa0{3 zQS-S*R+)4<25-%sLS~L~wR0Ey6@q8As1uWXwj~u>()oqf!_xGa4ce8tXBTqn?EMC~ zA%yrr$vk?@>pm*CKD-xYN8`{%Gejz<%F^Zdu1v%(jKkcYsGrLk2HK}>*EXc78H%n# za(tppHwH9lc6JOwF^t&b+k@6=pFObBfQ0ohIYD3PFRf8=tTIgl*i(s%EGA8;5*}tC_P9uV?hB zg5|5o=wJ`isAu|d$lyt)VslQi;i>|IeT*oBq#@GPKva`4{B$~n*r*x46BS8_9L!Pk zP4=4oxK&R*vECeukq)7NH*Wt~G8;WGJV(y2)@{a0SX{&Qx`p<%7O(MRg1)hZ_at+T z31V;{ul-}Q_8IpH74xmw=+6juQOnHL$xef;I@EE=NIhB^Fc>p%BI*nRX*#{w!PbxB z_}m}5gvWR0gw>}oSa*P6q)wI6(nhoOj!qavEnLn*=0<;M^dl8cBQjlP=~tX%gafKr ziDwbjNZA7$U>-e+$0T=?7k#tNUuC}6p^S`GpBd@#S8?aJ>`=Vaw|^w9Y>zrB0MSAg zETkrIZ*j5{Qpnz9cR!-1Ve@pOff4dLFE$JFX-+TC<8^1e2Y>3fA((%rnGNy?o0;5+ zO}2vye#@|)ZP{4n`E&E-`gjDoAO_69+;0QN7$vEjrblOoH$Qug=)|0G*%|G1j`@b~ zALM*r!)4*5Xwe({tR7rzMv#uv^k>TMd9-;`C{gbgqx6HS0vj?V162zN;Ap~^?Z0_X zp@z>klFz>W)THr7pds1K<`#M6j9#k^W%=BvBN0P_yXY;MeQ-fcuDPzn)pz3rB(KrO zFi?^>HK>CAQtweFn(ia*9cY}IA50)OCzn_?!8C@HMJTkW-Q3U|Pe!pagSE}Ha`;Ja z+I*oRh$J!~N>u!0(JiVERc3^=$hDrNYGf9*_4$K_B}2xYE!PT+yT{MxcdT)&_NME& zPYbelfI9^VK`4WyaV+P`)v2)E`?yd)?0`(3ri z$u~C5%nT?P$l4C}QL#2VPC)j&yLE7rC`OI}KNJ`f%6C2xv>3l;B-^61gZ<|1EsK$^ z5=(vYY`!WKGJXL|_8>V`|+j+B>; zopnb0y2e}Iq^`nxuKdKE;5VDCsW>s|L*c=_}UL) zr&x60)2=x}pNotRH0(qMhwgl`?(M|n^J*Nl{{4pC6VzXX8)#>-&)g4$O*-xrd7F$} z(|s~XcM|lTUGM3d@uTMi#VC9+AOL$zIoZ}!%|wy338(J+gQNGEv*eH2N-H|D`7@U? zp9{A3sexPjQ&EpD&96S{m}Hthz9^#I`UD#t7f)tPfNFS)@B4$VPpj!8aP#5Wr&+f5 zrC;oYP%?3Qi19hP`Fv|)L_}zC=-&PKtc2qFjgKndZlgv2OkeCH_8-Pa3OB|a5N8^M zZi!ew2Fbe11T!*GhaV#Ks)ec|u+($}Eujr;{k_}Dh!}b_X{fry=Gi9~Ne@@)9fUlQ zPM81&4*D@dKwUEu`??sd;e>GHKw|i(7H0$iPHdm}ZAIb*fC=W&e&$ucyNqm_!^O!hktI?|9<^%;lXY3M}YJ2b{n5* z#RSk)1wHu%Vw5xwHp)K7dL%Cm^cz2JK-voG0UKTV$n`7St` z`(y=K*WsC=1ar*q*=jLUAM^W>oV*2*l<|wRWES62Hi9w_KVU>7>Yg#@=Jyk8BPRn1 zgfo@ZNPf3>bz4Ol$LU~hlr-S%(YW_k=;>z>W`S0klLQ`7zp8m%e<+&MuoWShop49* z9U3GM2X^q2o+HnZse1cI23Zq>kVP}@heTEC5j{^6%6x;dK*Gu(hach7Konn)SfHSh z9AP}7NuIFUV72X>IiouW*F6m$FlC#w{`9Tgj|vVo)di#Vy)mzV7il&)EyOl|^4IiW z1yw^}L30(eFU!uxE4ApAWG5uRp3RE6UZ8d8(^S%CHY3)`tagt&I7{&g&RZ8#ht!$x zUf3vIP)oc%Gez%^WOg~2Fc9nG$;j!9LYKv%OmRCSzM0t_Khin3a6z(Q5nT5r#@K1y zZsT2xX(y^~dyC_$9Ls`EtI-52#b`>+Uf2{w+HuZqs2#$X;>`DW7Xq4HP_${A}bOsKHxr zh9u6Ur<^?hDy}0MDGWmCoxfGESulSsC&@hg5F{oNQPlQ)0}dU&F9}BN1+6n_y_pDX zDV?~Mhu3>fEZ;O1z1dpIbzGk#`Pm2=u6-uMffDdp(nvIZA0EO7k_hHYgrQ0gf#ULN zJn`KpWb2Z%8@oBkJ76bzxs^L?8ttx;G`ecRN}i1H5j#sFSF4+3fP#d;;Fg-;O^}lW_{q8a#z(i&GuEJT4F)5k)9H zg*Vd)=j{}m&PuLc*oFflI@cJQq|tzKS{&Y5Z<6&kd)__*HrqyHd1V*;0}89$X(o!; zM6l$QPfr0w%hBkJ%W*~hgdv!VR{j1^FYDd}@q^^Jf4i4o zh^b`qxyBn;yx_`CVZiXUiTtov;_>lyd;RN=y(eXwsj$U96$qmoj-_T7^upD?^TFdUZTqz~0!(K{=KJ|-wZA)T z<2b)4`AOThkL*khGf+8^6n5?lJ<(+R)$3r+-5TJ0wLJ?I^?*#3!`U&%!vkmrY7n(V zl@d%MTSGVV&8fCS%~+<9tER@;wlw2INqOBCQSiH*=!5z&!7Zrud#R{ z;wX-fnZrRV>{0}DmhI~B=>koCF(k%Rf2V>?tzu!)4%x6s+I9_}r^evO;1 z%M5n=6?XN#4p0a=FLEUNQ7eYT2A8WCHhe9Weu72EV9pv~40L5NYyOWdeDAD|=z_8Yw;ZdLP87eYbL zgwyIo(T>Cd$>3r}s#Zr1&Hra4L>Io0<$Ph!Xyd@a3D`>hBH}{SbjkDGLCFlXpfPdI z+0~K^AEbVCUf4VZ{pwA za;96&>fay4`-6*bFFTv3^)C+nxLf1w%1@#CQH#CDL~dFKA_V@?BeA0$n}+`_HjP#> zVDjy)H{;lF1v|lYsQHbo0?S6!5hH0|S?v!%ZnIs}yz%NZ2xGZ@f>fig-q@vmD9H>d zjsexqydMzSTrFkR%zS9$LO}Y}i$SoVNDhx+9aY#I#7n_?Tm_ENfIZ4G#VC4)D_k0% z7*f6s8}d=uH}209AOU&HKWIBmDR$UbAOAr@{GfesnzNwTU9tGKc3@J}eV5Ku8nPYT z7n8;qy(1v|g7S~Y{i5;Y$GhRwmcJ9?+Rp?tzn(zwy2eVRQ|2p!p@j|OyuTvkf{3J; zE`$`(eV2g^U=%M7?ucDfIQW31WAYBfc;7DK1t*ZtDHyfa60J$FnR<5!EJ z)z+6Qm_JTc>70eC7i1Grx^csb?T|fj&owXG*L|9!G*}G)DLdZTgR1`PBl*~g`S*Q! z3md9AuOF%e<#ufNaG@%VuDES4tDsbpO^~!RWQn&9$DJNCN7rXU?cc@6ko>69H+HdxreMg?deSbVWM$ zpF-Pkt)GH#HTD4=Ut2A`^Sqgq2xG`MkIe)Z}kyO;Z&zW<^u(Au?o5jQSf zSe9w&h`g=misK4niQ?ZtIx`i;-G^JSR=6AL0k>_>zlOS0M<0SPs*fiTZ8qEuhxIh1 zD^4s0{zGxQ9YwxG_DjO_%1=t_nP*>4{?Rqj{)^x02MJ<5;p$K6vE2u=6=6v&-c|xw zR>lD6Wu@d`iDkQC4xtNfn*mK5QTnt9?OVG$S)Hilt+D-`W%&YuDj_gf;&h#)sxPcX zZ(ML4JCmZ3q`1xM1B%0F_O3SHMDdD`{HJEsZWZf=C7-D(?+O6$rA;OK(wl*>L4i-N z?*t4s9)Cy=4Yx4;k~rRakD*m8sKnZuNGp0IMZn`8WGBLk$7ktP9JCGE^Kr4RwJS4z zV{)gs>ng9aL>xSh0B@zDL#>P0bB*sOb7$*~NKxYgWMEhWr%cRzZRT?1%=$4R@(6^C zMCWooF8rrr9enT{A`VbRABwu;=}Cq{4b`?A|73-BwPIK*WtMZR7Ybm7Q}c4 ziw2Hd{-d}*QygVqYMpk2|M0;3R&$f}f!RH+ zrx}eqL|}(qn=+~6wGXbZCnsU=K2&U{<)cy*15)K5SSzOJ?Mf&nAwo*0N8Nv1=l7K;1c{WUAJy4o=7df{c0LdTg| zj&bWO9JKnw{%+H1!ua;utyZ%q-%RgmZMIJd4iWbq>x-Z+Q2%(<=xaIPTHGC2(W(&H z!SPI75i+0O6j|?HV@8WUFhKr6uMIeW^o}~U!FYR%Q9xo}w?hST&*Ai{fd`^09liY%)~;v!haJxvTM?*87m$%9o#7 z3Pr6eLbRUrs>=l^Yz~Y(R6?4&-qSJoPi(c_%c}#IKz81Phwdrc5&cLp0KOrjYEAzK zK}PVfaG;++XpDh=(PbbqS{p<*-Gu?J`jQJ$0SL3oS5SH_$07VwAhE%$#~3}se%4f} zVyxJt7ozE;Vr7@jc>UA)!G>1KU|ZDSYigWWYc)EWPW@H)sK2>*)Z1fJT>K!)7Anp# zd(A#t7*jA^&9@D)@kk!8DhRMPZ8CBH8Kb`VMXUkr;*QqTMbC1Nr9mvn5+0J(aV$i7 zdn#nQs=8_nY!~P4L1>{1GhuVH+?s{g8gD3y*esLcsKA@dj)$Cv9inNL^0iJ%Hqw=8 zOtO?*VK&nqMq7;X1ij;_4JmShc=|E597KElHtQhQyQG+Dt5L4Em(`Dfh2;jF#PCCB zz>iT8`XalZbja~eUQHCfT%YPnJ>5KjaL?(So1ZP?(k;9T zRbIcFMOT)0)mjn5j}RohDJu|2B6^fLFUJE>2A$-z&baMclVmqDWY@mR{ZE;ZesiH+ z`=V4nA|7UTUUEY9!Eyw4`)&1-m!@al$x)lW*X)qXKKbGmvsN+tjxkm>;l}~rW{#!B z=xwgdM9pfumPHKm--%K1%ezSH z*t;2MiXxEt+f}D_oY2ksbFt?dqR`*dW^-166wFRf1bCj*CYm!i9Gck%VS@&=~)h;YW-^*aDHu z4?*;TGK*Q^U)^3&KS3l`h^DgI2?SKnK%OSo&{$lIlun?H_C~SrhZ*Ud`nKTdh3sSL zMCuG0K=o!kh6{gUd%ou`(&7rHctKI|jajmxl}CyB!G^Ay$&jc+C5^nCW4!1!BB-=1QCF^W?Pl)zn`euf0$`Q2D)zk?Q5x)SaJQ-i2y>Xn9vI zyTeP~)_cWq9mzkftwhypAbEi>T{XSqgXQyXXJZve=q_57!3gbcgdo+c-~ZFQ^TABM z)1J}AgX!KSL-#QnOs=4H4WSP3;nn|?+!=Qu#?mC`njKWUG@(DZbbFVM;-2ZmXs=Zb z%$@HehW*y}7q>z|HGiGE$}@wvIY|HybLpNc!h3JkC+oOF(yJU7+f;IFGBeN~lN{KYHY zcI!d=C`v%7A;u;Xl26wVIM@lU&^U(!3Tv9xs}7Ngg}r%5@R{($Cf;1*5&ijug^w2I z>QoM0JqJ6a>|bvhz9jVq0k-4UA0C9RO#z#0teHkvZtG)ne_xOX`aPOy6E~}CedmYS zVa}pqibu;{%?V*^e54a@%s7w?_KYaGG?qEpIN9IyY0RE9A3H#;!0||Epc_-8nZcd9 zQ;tRmkMapAk6BaE#pH7>y>%zu9M)^|PjEu8jPju?Dc@V^<<_fE^yVVxT-Iy>x@*O9 zW^~(msYT-vWy%X|(9|_DTA*(Y7T1=&?VQbuV!4|}G3d7aC0{n(S4SW1G_T2b5dITn zJNOD_4#pb&1wirF$|-OoNZDfJnVn|z`+ug!ZOYlSB{A#|@3DiA2Qp?u&wI{_@LP-8 zC# z3Pjw2ArP^zKPM9AU-=GPEh5eP?W{xdOx&T~7=tBTY$k(Mr>hQ&e;N@8OpGf&=T~V$Z=Uj$=dexET8)ApI*aNNO%48UB1T}nN zD8k*FCG{8Z^F{{M^jgL!QlQvJg#|m+RZQoojf^4!lOLLRt@2@BYi$HR>6=19yJmau z?wwy1DVR8*(OJ0lr;atR2)RjgKe+9NP%lJD49sE*M8ChW^O0G^PbKEZm05LJ%^+(% zaP^hLBq{Iu(4r_2Is^Ax{o&ufCN6I(iv)#v zw2nynMrr6H9u@DzWbvFb(8<(59hq=GViCbs+-FON)(ZtC{S!|Hl@v~DA|nM zZnXFcXoKEmhi)yJ$*%)bF5!%i@_eA(twzl4Xde$#;kk;jxVxEU#hPti_4K~SQs-2T zc!BSP!={;YW|aq@e{8%PHaYE5ft%(nAnllTM*@Wp-^R}EeK_@q@$i=3o9AFZGtGTE z%Fwy)S>~sCi%ho01*!5*vP8$nI0-1SOr94FLZ(WLeWJmQCnbs2!{Y7-k3g<6FxRC*oQOjtBwDW$h#-OwC+yt^F;yQ9VUVV%a z%bmV)y{trq9D+%7HBiQRPQeb-sLpu?<&Xn-KCdbHEMZg zpD*>iEo*AmG|3f$ZVZ)@*GNX_r-PXbL{-6An?uG`(d>bmiE3}Frx$Q@*^MCw&w$Hc z(Awi?CxIMkw)01-e*fcUpu?1X3{yxw=CY8_Sqxt6lpg+YJR;*&W3+Wm_4aaIh2wqe z`o>scYjdkQ3WM*B3;H8C0lN<)@Y*+G^y3`(URV1dxY$mfzU1|)VDesvT>X)DHDC?T zuHu!Q=wPI2)Si0v1mo_5c(tf?e~j~wv{EwAW)CYI2@j6}6l=6Z)p)V~E=XTQ}Z!jp?zA;te@?+@G(xybk@$qu`=MWh{0pOu ze%kM9vfT-7l5mG}0k>Ag>W83>X7i&7+?-6c5o@5eIJnUjJ*uak5N!^gt+=7&gtY+eS3OlR|DtIX3|!4IrxmZsonGWyv?7b{It8wQ?)kBqfyb9ZhnO{sZ1iTu zoqr zDie@h>URzBE_W~*ZJI?}~_m>7S*v%+IVZE!Tu$?I?MnEvJc zqIQeA$rh?K*pZXLd?FF(jbfB+cacy!oi0ANXUglAW6Qc+PmBr_9|N-jRn;OF-Q5tA zt<3(0!fhn8(0%gv>VJ4iwPM2*FB7nH+nKrKOc#hy`$BbOI-{-pi%UT-=YcO*=~MGB zz=gLB3yi-_}HpeFe13)CfSn7Y-+3DGf8b|&+#Qdgsv!e`qH?$;>Kj)i;~ z?w6GDo<;=ux1mc~Uom~RfUR(-8uBM)8x?1FQM)JWe}#sP-VTInRB@ zoAYLYBw`&CFHTt- zb1o};xPp{P^cdmb&`y&5lBs0HPZF2*JVWX1QE|91_?>1bSob&Zj#{oW{g6K^^+oYk z`;E^SV~69Ns#l%)?q<;!Gn?%@Pcp_#tH&yCdC5*;`Fod<11+DW*Fw>tZpBe=1~SJV zKU8fL^CBiv({i>4`NLW|TOdsj_1H;2?t&P=dW#~`UPVTCGv64zuNqwWsb|7UuUTj{ z1!KjaPSmi&L0dwPbRy@U9s6=2_-I_zE?q2e>auCW^KFIacQp(20<%nx*2FBvVAM~Q za4d7JGdX@HRkb=dvLNzib!G5^(C9CvujMWWbFXxj;an}RwuU(}0d

U{y}+T>=v@ z_R9C2jh*y&9MAX@L6R#J!u+G~>}uAgBbMwuI!FWC$ax=0_9<&K${}3z$?;N*Hh}Nr z1<;SG44I}v{-7f*f-9#fk@5W@KV$x?4;uf47898cxWeh2ym}b!U7vHPO=j2(yDBZI zDQW0nS?cWBZAmd4zp46YnsYC`&z3WAK;fy^DlhWuh1uxKD{9TAu)XR0s34Gdp;jFN z4h*|EW*qdu`Q&<1w&9Rw z+!a{;B%y6Nq02bJ+-h$l(^w6UN7XZA4et|DV3Ddq zUP_Qll12=NJo4F~LeoKc+Twn*M6+eY0IQy8snNM6c*3U0^})@j7S<~w_xI0#%&!TK zK}>&YpQb5U1?ieJRuskOSL2)7(ombw!cWY}uE`Q)Fkh2%pG}>iy=;*Zi{j4nY~ zeV#c(+hpDmWEMvE?Gk`IxRY=0_V@Hz5J^0KQ#W!}bL{VSW~aP4za?{Py!+`66i^Pd z0?L8f*K5Hgc?69MFKhbVWzAYm2VfoIfyEZh#LB+Cvwfh4<4DR>!^A7{t~!4u*BE!? z6f)1@*${%jt=}3fNl)Q^=7v_t$EE3b1Wy78af<#&TtWB2K^E`{?Y+Eq!OLK^sa?-- zM^7>~v4an$H`G5k;g{nH!XT_bnCe=EoTcK5&!@(v!Uy6>NMVgmKXf*7s&9XsfAaI) zz?(TXpK)glmn|#^6`!YgOsuzF%jb+};xP%`Dl;bsk<41NBm5y=9U+R`9Of*LP&_DU zjt1>sRkK#mL<6klun3#nBH&~tfX(Ovk=rLalDh^ySKHrM9G{Y05nCtlgdc)x;cgA!rZ!vI;7VMRNDG10oVmH;>{Au!g<8g47~<28#~Td9 z6xRa+8!F8yl1eZ=16{|+@BVskLr7nXJ znUF3TQu^RaPLnROxG#pwRcCy5MhY)ZiRR8;kbF52fXwBZU6~P_14H{Cq8c6`*Pq#l z>+aS#s0cV#){n9Kw$!8!Gn|g|ws3d+F98(#uTt7B-gc6y?TP0%R)lE&skAdIBjdg+ zM0!N5H$pgC4J>F{a4T}5;<|!y!9gblbM@BTg#2a@`nW-qNAW`m|K(ACcT1sb&xRV> z&3r!m?OmmedjI`~X?4gcU?FoV8_7n$1D(flA(EE63%|x34wSChjOJtan$HcxF9|fl2{8NPneU0g)Z;~GTGfKigUOa znxHlt?LC93VZW{>|6VsL*0`sLx(*YT6ns8djGhErw&*cnNJ>+NViQ|>xQabrYlY2x zhuzn9w7MmpjuoEAmQg_ww(Wk*Ail?RC_|sgxN}x&lvjmk4X-)g4aVN#zMCta#Zun9 zeJsCvFb&#qr|`r_TlpJ7y)}hy=XD;+c>V3gs;%}(v5c`}xLDYYBw3C6aU!sJtbAbo z*4kb<6~(-i+Z8EUuD@v>4=OolNT1xUCVi}s+no%oCP>blc+R#5bZ^s_V%5<3>C#l$GScPDd#R%0c3rLw=$T}VA2}9m zCc8sh6Ij|jR;e}~!dm@rDXlwkd%*E66xTr&{~%hx{f5h{>1xTV)TZx-8q8XfJ32t* zj&`lf^@BcuotJEmOYvT@d7 zW2imGD#vD-5?dU=jmaTIq3-&{#gHP6NVmK&2BHLL>h*2&ui1at^(lMxr{$WIpm$~; zP|!)JH%EsMeEvzNQ97=#qnDCb`}MKUH_&v)>@ic1U+)BUSRP*nkl)H=wQx`A(5vcd zKl5t8A=K0}b6M5N_Ax+7>!4o6uG|-MVHa=`3a~Wd?WH-hD{}uXgRL(AHL+9a>z+P%}IYeWDp%HTgs=}08sQXF%dXhW0S%K64KlVHS<1FYiBLO&?v^u z@&d_ZvmPk~Mig8_gbp8weZGD|xA$0j_vPfYL{{p5IIuipt>4^^ zuMSCz+IZfKelAMAU3QlnS5EG2f^pBPm2!p7ZbDqzC@Ws$P71!~Mh(I>OL(iSAIZ<# zk!rIbU%v6hm$krtKr+;E z-SRglPP!euS$Rv{!6%T;Pa7wXkKf#Mu zl}#t0f@mLk84vc!o!?x#t4CElRgFca9@hF^;q1nX@-3h3x(Ke~o|g^oI} zLo(dP6xQy>FPc@#$%-^vVo$CKTJs(a7EW1c?900Mea?@p7H+O#TWG*PK6cM~uA0;7 z*!xwvHUb`CxZk2smc74Sw*mA!l_OE1GTf;XpZ}L7EEm^n8^zT3^WYcbJ@143ZT??W zX1#d&x<)*W))(vK!IIj)*(W9A&g!*Ahhm#nBUQQy8)u%1g4(YhZ2qgl7A~8REn&$l z>EH_4rh+9pA5h5>6=1W^;CRhAomWq)O=^_QOg16l0@yq&-1eu74_E5~ zq&i>^m3iaa)&N92#_ugyeqbTQt!vL9ibv`qDi7*P56|T!$DrxU?rQn2zv*{7zE<1l zVtp467~Iq7FVyU)Zj-8j+aRMXn`nIZTEZ&g?1oSr+NC z5-#cQ?K5urF9+iYEhD` zZni(GalSWCMFB3G;o4E&FixNY;4@`C-8g$SL7 zPX!|3_0<4NGH*r87@&0;&=Jq66bISPpr2!*r|S|!w0-Z zL1c~9vZpGI0o-dEhyG;y@~mGJozS~VYkI2Vl?5H_D|V`;yZ06SFWd7UDfIj}%&UhA z0vw;iTl}j&i)okdzZVr%%B;&CA}9B@&DXd+Zkd~I*)J~teqF`n42>r)F;?{7EDxU` z+}UIJ-LQ9pvHJ0m-A;%i6oqx$22m7u*ZBRE@+$!6)ZNpV=1#3-#@g%gXhwuAg|C1kmHjx_=1=@i2q4Y>FFQ#g7sV-V)oI zt4Il=bd)8e6`pA+o)onsi=negqMjaz6?C5F)$nxTt8pi&!Y*$ zlb5-tEZz1guo`dMC)p( zEorJs1F0n1^$WI1-&y7hi!LmgTy2oo@+nZNjzCy)SD~UYJR5kyG{3I4agK7H2Ay~& zlj(nE7x)}d$N}i2ZE=199$3X7g|j^8+n}QN7DNV$pT?p74eXXQE;dzX_l<^fK6z@H z=+pZSf4=_DvhJM)D{3$vu_^N7X%iy3g^x( z^ZW2lK(AkyCEK3-_Zxez+^vnRx&$eRT{wA#hOfVCBL@C6N%}6*-K6?MY{4cNK+%S} z`Cc{@b-!+Y26m4FOsdcOzfUTi0W8!`qVBkI*^M_TYycgu@0YMD@deg!Qs;i#`Acw; z-~A>6ev zIrsiA>!Xx9@n5nnZik(h7+8h1T|O<%{u1EeZ@9Fp!Ut`8^XpuzuF?h(^^|-D5J-B` zLY9eKc2j>pQ(F@VB;~Y8M7C&Xcqt39!++H@u8r54%`Rtf#dJi>x&Z zsS)fd6tS2u`|Y3=HY5-%eF zUfKW>=Y-=s_rv`d`KAnSz$pmftT7QU`#&;UHtjZ-r;v-``tZq0_O&a$1gbcY4@$Jt zb`8)-fVpNR`+sFAu!Fr}hTpY*`IlM{w}Wz}3EOj=sB!ed!CZ(q{1BOMXM>wW=^@8h zQL=#ZEm)3yuKbtU@5KexPee8_lk_W9tZ)*w5i+{1O{KfVeNcH~IAfViw_{6(!g**E z-~9KR(mw$Y^hWpE)dVK#?`Jxm#-U77y~Xf4V5a_QXh57q%=Z~xmv8>|!v3HfT&^558Fq-=M`xmNGes^q3WN zV0_~HUevbygpEC+TMQZdF#*B{rP>MLew6$M>du1ZRtBdJO@wmAr>NUR!OL!X_xH4l zCRdT*@b;9b*pISAf5Fj5Ra#nYeCu#hQPKN6>qsJLL=;zfkoQ$^%XI%O_w#$Y{5KJt z#O2YRo&tC(O;4+>nmI?bu7|dn%)8ps^Eu^pg7P>*8-Lhr+0g$-2IkhZcEh2mx-L|G z6)OyH9of78Zz6=uFnm!%kv0oARYehcA`k5SR@G#q6)OQT(#aN}w=54bhM9&JGCKZR zBA`C;QUfKQRr2E=b_BnhOh6) zx2Jr?2G@b)PLVHhTn4AWGK-#dZ9EV+ZqA`MZ%M4Qap%4~VEQ>zP+ECWaCF6n~3M?gB-48kOe7|0d74;l#_14JV+U#IauKs-POD&AG)gDbF1 zhHsLJ7<^JL^z=;REfE2#B9jY?@QY#)Qi)YBv#W1C`w5b~^45T2KPnUD5J@W!5I6Rb z2giW%EF3apu(TyE0O4QwRyZRI|D_>Ic(4DoZzf53<+S+7?$- zL^W-jOiMi~JfMYl>dQw~&onnq;RCX!vh9|==(j4dR@)-Bpo?{ilUAkmcpHA!yeYbg z6+& z!=HsGa8$aDScMwMYsg3$YPa9M!1 zOBicnooOsDFQ2KKFE49@n#^CawUfc*|M2Cp<5S8Ff1J>B44A|GwzdR{Cp_w)e~*r+ z&;(KjbEtR6l(UvxS8uZUj5tyj@Jbt&GAzF2iOh5l$P2fHv8%8JLd-PckRCP5oi+mR z%d>|z1ok-jI5^Y?42}5f!4qIEG7$Z((Eyg)^J7DJft@xm1Anc@DtNVdW$VX@)-gIf zhX&ogAZJQ`H#xkCs0>1tX;5SVsLk~w(pZAUO8h!t(%u31f+U`*XG7`pYC~&Ihd@D4;!*KFZ z>NaX$es{7_llcyc!uI+i4bT5jBOOoFA_+h5(r}O%96h~k7O~GZeYRVG?-7RqO?x1y zm3JKI(}5Zf_8er{VMcbg33d9u2B~j-d~B-rMa>mXMb>Zt1@>yu@l@SHJD%fIMT85^ z(g9Om4ni(j*L)$?o%D4wkJDa=BvVdkZs9Jzl;7rW>$QwXcOR~l6R&^C8?>?!my0|- zF-Cdz)e#tA2s;KrZ8+-)meMz8$(HRN+8LVw^ zOr#S{dSG;G3Re{L4L>YCB9p~0V_lJBuIl#Y21mAj<;S)IKlrNDb;Zqf7hB?hV39Bj zObl0KkBgwG;_PkVn2ut5JuQ5cjz0x2%?a)8pZ>1mJY~qyB%I8qXdBAFP{HIjj`84< z)EpQ~p$C-e%`Tkwo}a-h_@)G5(F`(iM*J1FmBy^5SF=ftEV~wIFX>)~lQ|*A%X7bM z&ZiGvR1S1`dn%fZD?lwls)SJ8J}s#6q)J;siOOJJkxNd|B>otn^WUfKqwPBFpN9tX zEz24vK~AC7QBBeC!E5kVXqylK7}dpfSbS!q>)FgA7`F?k$^WKLd~bl zPkb$q3)VGoG{oazVJ}%aDpiXoE&gJ9m=G=K=(;aMhquo>b=pLj{s{;+)kXjsIi%NF zVULfX{pG6N<~qUfMyj+;LcQnj;T=cTQ#+u8(I@#hbJx05RyV&+68zrLJB=?ZUfK`rBZE0jm2VF1Mvd>65h)2yJzmaqU zAZd6@pR1*qePxK(CIv~-R=FlggC~;4j-IYqE>dn<3cB)6fV`c=ar8E$+0j0cPoH@zx@jNrR0>`&Hn>NuDU1y diff --git a/hi.txt b/hi.txt deleted file mode 100644 index 4a72ae8938..0000000000 --- a/hi.txt +++ /dev/null @@ -1,2342 +0,0 @@ -NGINX Ingress Controller Version=5.0.0 Commit=5f85b44c19247eb0e99bbabd114274409e841fb2 Date=2025-04-15T16:27:08Z DirtyState=false Arch=linux/arm64 Go=go1.24.2 -I20250501 16:13:00.737858 1 flags.go:288] Starting with flags: ["-nginx-plus=false" "-nginx-reload-timeout=60000" "-enable-app-protect=false" "-enable-app-protect-dos=false" "-nginx-configmaps=default/nginx-ingress" "-ingress-class=nginx" "-health-status=false" "-health-status-uri=/nginx-health" "-nginx-debug=false" "-log-level=info" "-log-format=glog" "-nginx-status=true" "-nginx-status-port=8080" "-nginx-status-allow-cidrs=127.0.0.1" "-report-ingress-status" "-enable-leader-election=true" "-leader-election-lock-name=nginx-ingress-leader-election" "-enable-prometheus-metrics=true" "-prometheus-metrics-listen-port=9113" "-prometheus-tls-secret=" "-enable-service-insight=false" "-service-insight-listen-port=9114" "-service-insight-tls-secret=" "-enable-custom-resources=true" "-enable-snippets=false" "-disable-ipv6=false" "-enable-tls-passthrough=false" "-enable-cert-manager=false" "-enable-oidc=false" "-enable-external-dns=false" "-default-http-listener-port=80" "-default-https-listener-port=443" "-ready-status=true" "-ready-status-port=8081" "-enable-latency-metrics=false" "-ssl-dynamic-reload=true" "-enable-telemetry-reporting=true" "-weight-changes-dynamic-reload=false"] -I20250501 16:13:00.743252 1 main.go:424] Kubernetes version: 1.32.0 -I20250501 16:13:00.749664 1 main.go:579] Using nginx version: nginx/1.27.4 - -I20250501 16:13:00.757557 1 main.go:1074] Pod label updated: nginx-ingress-controller-5cfb8c9f87-4rvh4 -I20250501 16:13:00.757811 1 main.go:107] Event(v1.ObjectReference{Kind:"Pod", Namespace:"default", Name:"nginx-ingress-controller-5cfb8c9f87-4rvh4", UID:"b48df7db-be51-415e-9575-f6017829292c", APIVersion:"v1", ResourceVersion:"411", FieldPath:""}): type: 'Normal' reason: 'UpdatePodLabel' Successfully added version labels, app.kubernetes.io/version="5.0.0", app.kubernetes.io/instance="nginx-ingress", app.kubernetes.io/name="nginx-ingress", pod-template-hash="5cfb8c9f87", app.nginx.org/version="1.27.4" -2025/05/01 16:13:00 [notice] 17#17: js vm init njs: 0000AAAACEE7F900 -2025/05/01 16:13:00 [notice] 17#17: using the "epoll" event method -2025/05/01 16:13:00 [notice] 17#17: nginx/1.27.4 -2025/05/01 16:13:00 [notice] 17#17: built by gcc 12.2.0 (Debian 12.2.0-14) -2025/05/01 16:13:00 [notice] 17#17: OS: Linux 6.10.14-linuxkit -2025/05/01 16:13:00 [notice] 17#17: getrlimit(RLIMIT_NOFILE): 1048576:1048576 -2025/05/01 16:13:00 [notice] 17#17: start worker processes -2025/05/01 16:13:00 [notice] 17#17: start worker process 18 -2025/05/01 16:13:00 [notice] 17#17: start worker process 19 -2025/05/01 16:13:00 [notice] 17#17: start worker process 20 -2025/05/01 16:13:00 [notice] 17#17: start worker process 21 -2025/05/01 16:13:00 [notice] 17#17: start worker process 22 -2025/05/01 16:13:00 [notice] 17#17: start worker process 23 -2025/05/01 16:13:00 [notice] 17#17: start worker process 24 -2025/05/01 16:13:00 [notice] 17#17: start worker process 25 -I0501 16:13:00.770865 1 leaderelection.go:257] attempting to acquire leader lease default/nginx-ingress-leader-election... -I20250501 16:13:00.770822 1 listener.go:47] Starting prometheus listener on: :9113/metrics -2025/05/01 16:13:00 [notice] 17#17: start worker process 27 -2025/05/01 16:13:00 [notice] 17#17: start worker process 29 -I20250501 16:13:00.773471 1 service.go:32] Adding service: kubernetes -I20250501 16:13:00.773495 1 service.go:32] Adding service: nginx-ingress-controller -I20250501 16:13:00.773508 1 service.go:32] Adding service: kube-dns -I0501 16:13:00.778516 1 leaderelection.go:271] successfully acquired lease default/nginx-ingress-leader-election -2025/05/01 16:13:00 [notice] 17#17: signal 1 (SIGHUP) received from 33, reconfiguring -2025/05/01 16:13:00 [notice] 17#17: reconfiguring -2025/05/01 16:13:00 [notice] 17#17: js vm init njs: 0000AAAACEEF0E00 -2025/05/01 16:13:00 [notice] 17#17: using the "epoll" event method -2025/05/01 16:13:00 [notice] 17#17: start worker processes -2025/05/01 16:13:00 [notice] 17#17: start worker process 34 -2025/05/01 16:13:00 [notice] 17#17: start worker process 35 -2025/05/01 16:13:00 [notice] 17#17: start worker process 36 -2025/05/01 16:13:00 [notice] 17#17: start worker process 37 -2025/05/01 16:13:00 [notice] 17#17: start worker process 38 -2025/05/01 16:13:00 [notice] 17#17: start worker process 39 -2025/05/01 16:13:00 [notice] 17#17: start worker process 40 -2025/05/01 16:13:00 [notice] 17#17: start worker process 41 -2025/05/01 16:13:00 [notice] 17#17: start worker process 42 -2025/05/01 16:13:00 [notice] 17#17: start worker process 43 -2025/05/01 16:13:00 [notice] 18#18: gracefully shutting down -2025/05/01 16:13:00 [notice] 19#19: gracefully shutting down -2025/05/01 16:13:00 [notice] 20#20: gracefully shutting down -2025/05/01 16:13:00 [notice] 19#19: exiting -2025/05/01 16:13:00 [notice] 20#20: exiting -2025/05/01 16:13:00 [notice] 23#23: gracefully shutting down -2025/05/01 16:13:00 [notice] 23#23: exiting -2025/05/01 16:13:00 [notice] 21#21: gracefully shutting down -2025/05/01 16:13:00 [notice] 22#22: gracefully shutting down -2025/05/01 16:13:00 [notice] 24#24: gracefully shutting down -2025/05/01 16:13:00 [notice] 25#25: gracefully shutting down -2025/05/01 16:13:00 [notice] 22#22: exiting -2025/05/01 16:13:00 [notice] 21#21: exiting -2025/05/01 16:13:00 [notice] 24#24: exiting -2025/05/01 16:13:00 [notice] 25#25: exiting -2025/05/01 16:13:00 [notice] 18#18: exiting -2025/05/01 16:13:00 [notice] 29#29: gracefully shutting down -2025/05/01 16:13:00 [notice] 29#29: exiting -2025/05/01 16:13:00 [notice] 20#20: exit -2025/05/01 16:13:00 [notice] 24#24: exit -2025/05/01 16:13:00 [notice] 19#19: exit -2025/05/01 16:13:00 [notice] 25#25: exit -2025/05/01 16:13:00 [notice] 21#21: exit -2025/05/01 16:13:00 [notice] 23#23: exit -2025/05/01 16:13:00 [notice] 22#22: exit -2025/05/01 16:13:00 [notice] 18#18: exit -2025/05/01 16:13:00 [notice] 29#29: exit -2025/05/01 16:13:00 [notice] 27#27: gracefully shutting down -2025/05/01 16:13:00 [notice] 27#27: exiting -2025/05/01 16:13:00 [notice] 27#27: exit -I20250501 16:13:00.991260 1 main.go:107] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"default", Name:"nginx-ingress", UID:"9f7e7add-dfe2-4e2f-9381-2e6025ae4168", APIVersion:"v1", ResourceVersion:"364", FieldPath:""}): type: 'Normal' reason: 'Updated' ConfigMap default/nginx-ingress updated without error -2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 20 -2025/05/01 16:13:01 [notice] 17#17: worker process 19 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: worker process 20 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: worker process 22 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: worker process 23 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: worker process 24 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: worker process 29 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: signal 29 (SIGIO) received -2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 19 -2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 25 -2025/05/01 16:13:01 [notice] 17#17: worker process 21 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: worker process 25 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: worker process 27 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: signal 29 (SIGIO) received -2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 27 -2025/05/01 16:13:01 [notice] 17#17: signal 17 (SIGCHLD) received from 18 -2025/05/01 16:13:01 [notice] 17#17: worker process 18 exited with code 0 -2025/05/01 16:13:01 [notice] 17#17: signal 29 (SIGIO) received -I20250501 16:15:40.671873 1 service.go:32] Adding service: coffee-svc -I20250501 16:15:40.753379 1 service.go:32] Adding service: tea-svc -2025/05/01 16:16:46 [notice] 17#17: signal 1 (SIGHUP) received from 47, reconfiguring -2025/05/01 16:16:46 [notice] 17#17: reconfiguring -2025/05/01 16:16:46 [notice] 17#17: js vm init njs: 0000AAAACEE84880 -2025/05/01 16:16:46 [notice] 17#17: using the "epoll" event method -2025/05/01 16:16:46 [notice] 17#17: start worker processes -2025/05/01 16:16:46 [notice] 17#17: start worker process 48 -2025/05/01 16:16:46 [notice] 17#17: start worker process 49 -2025/05/01 16:16:46 [notice] 17#17: start worker process 50 -2025/05/01 16:16:46 [notice] 17#17: start worker process 51 -2025/05/01 16:16:46 [notice] 17#17: start worker process 52 -2025/05/01 16:16:46 [notice] 17#17: start worker process 53 -2025/05/01 16:16:46 [notice] 17#17: start worker process 54 -2025/05/01 16:16:46 [notice] 17#17: start worker process 55 -2025/05/01 16:16:46 [notice] 17#17: start worker process 56 -2025/05/01 16:16:46 [notice] 17#17: start worker process 57 -2025/05/01 16:16:46 [notice] 36#36: gracefully shutting down -2025/05/01 16:16:46 [notice] 35#35: gracefully shutting down -2025/05/01 16:16:46 [notice] 34#34: gracefully shutting down -2025/05/01 16:16:46 [notice] 38#38: gracefully shutting down -2025/05/01 16:16:46 [notice] 40#40: gracefully shutting down -2025/05/01 16:16:46 [notice] 39#39: gracefully shutting down -2025/05/01 16:16:46 [notice] 37#37: gracefully shutting down -2025/05/01 16:16:46 [notice] 41#41: gracefully shutting down -2025/05/01 16:16:46 [notice] 43#43: gracefully shutting down -2025/05/01 16:16:46 [notice] 38#38: exiting -2025/05/01 16:16:46 [notice] 35#35: exiting -2025/05/01 16:16:46 [notice] 34#34: exiting -2025/05/01 16:16:46 [notice] 40#40: exiting -2025/05/01 16:16:46 [notice] 36#36: exiting -2025/05/01 16:16:46 [notice] 39#39: exiting -2025/05/01 16:16:46 [notice] 41#41: exiting -2025/05/01 16:16:46 [notice] 37#37: exiting -2025/05/01 16:16:46 [notice] 43#43: exiting -2025/05/01 16:16:46 [notice] 42#42: gracefully shutting down -2025/05/01 16:16:46 [notice] 36#36: exit -2025/05/01 16:16:46 [notice] 38#38: exit -2025/05/01 16:16:46 [notice] 42#42: exiting -2025/05/01 16:16:46 [notice] 43#43: exit -2025/05/01 16:16:46 [notice] 34#34: exit -2025/05/01 16:16:46 [notice] 39#39: exit -2025/05/01 16:16:46 [notice] 37#37: exit -2025/05/01 16:16:46 [notice] 41#41: exit -2025/05/01 16:16:46 [notice] 35#35: exit -2025/05/01 16:16:46 [notice] 42#42: exit -2025/05/01 16:16:46 [notice] 40#40: exit -I20250501 16:16:46.224592 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"95d571e9-f2c0-483b-b427-8d914611affa", APIVersion:"networking.k8s.io/v1", ResourceVersion:"773", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated -2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 34 -2025/05/01 16:16:46 [notice] 17#17: worker process 34 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: worker process 36 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: signal 29 (SIGIO) received -2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 36 -2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 40 -2025/05/01 16:16:46 [notice] 17#17: worker process 40 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: worker process 38 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: worker process 35 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: worker process 39 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: worker process 41 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: worker process 42 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: signal 29 (SIGIO) received -2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 42 -2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 43 -2025/05/01 16:16:46 [notice] 17#17: worker process 43 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: worker process 37 exited with code 0 -2025/05/01 16:16:46 [notice] 17#17: signal 29 (SIGIO) received -2025/05/01 16:16:46 [notice] 17#17: signal 17 (SIGCHLD) received from 37 -10.244.0.1 - - [01/May/2025:16:54:09 +0000] "GET / HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [01/May/2025:16:54:09 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://127.0.0.1:51678/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [01/May/2025:16:54:13 +0000] "GET / HTTP/1.1" 400 657 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [01/May/2025:16:54:13 +0000] "GET /favicon.ico HTTP/1.1" 400 657 "http://127.0.0.1:51679/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [02/May/2025:08:41:19 +0000] "GET / HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [02/May/2025:08:41:20 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://127.0.0.1:55912/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [02/May/2025:08:41:25 +0000] "GET / HTTP/1.1" 400 657 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [02/May/2025:08:41:25 +0000] "GET /favicon.ico HTTP/1.1" 400 657 "http://127.0.0.1:55913/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [02/May/2025:08:43:45 +0000] "GET / HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [02/May/2025:08:43:45 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://127.0.0.1:56272/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [02/May/2025:08:44:32 +0000] "GET / HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [02/May/2025:08:44:50 +0000] "GET / HTTP/1.1" 400 657 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -10.244.0.1 - - [02/May/2025:08:44:50 +0000] "GET /favicon.ico HTTP/1.1" 400 657 "http://127.0.0.1:56273/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-" -I20250502 08:53:54.506422 1 manager.go:195] Deleting config from /etc/nginx/conf.d/default-cafe-ingress.conf -2025/05/02 08:53:54 [notice] 17#17: signal 1 (SIGHUP) received from 66, reconfiguring -2025/05/02 08:53:54 [notice] 17#17: reconfiguring -I20250502 08:53:54.524603 1 service.go:50] Removing service: coffee-svc -2025/05/02 08:53:54 [notice] 17#17: js vm init njs: 0000AAAACEEF5480 -2025/05/02 08:53:54 [notice] 17#17: using the "epoll" event method -2025/05/02 08:53:54 [notice] 17#17: start worker processes -2025/05/02 08:53:54 [notice] 17#17: start worker process 67 -2025/05/02 08:53:54 [notice] 17#17: start worker process 68 -2025/05/02 08:53:54 [notice] 17#17: start worker process 69 -2025/05/02 08:53:54 [notice] 17#17: start worker process 70 -2025/05/02 08:53:54 [notice] 17#17: start worker process 71 -2025/05/02 08:53:54 [notice] 17#17: start worker process 72 -2025/05/02 08:53:54 [notice] 17#17: start worker process 73 -2025/05/02 08:53:54 [notice] 17#17: start worker process 74 -2025/05/02 08:53:54 [notice] 17#17: start worker process 75 -2025/05/02 08:53:54 [notice] 17#17: start worker process 76 -I20250502 08:53:54.560556 1 service.go:50] Removing service: tea-svc -2025/05/02 08:53:54 [notice] 49#49: gracefully shutting down -2025/05/02 08:53:54 [notice] 50#50: gracefully shutting down -2025/05/02 08:53:54 [notice] 50#50: exiting -2025/05/02 08:53:54 [notice] 48#48: gracefully shutting down -2025/05/02 08:53:54 [notice] 48#48: exiting -2025/05/02 08:53:54 [notice] 52#52: gracefully shutting down -2025/05/02 08:53:54 [notice] 53#53: gracefully shutting down -2025/05/02 08:53:54 [notice] 51#51: gracefully shutting down -2025/05/02 08:53:54 [notice] 53#53: exiting -2025/05/02 08:53:54 [notice] 51#51: exiting -2025/05/02 08:53:54 [notice] 49#49: exiting -2025/05/02 08:53:54 [notice] 56#56: gracefully shutting down -2025/05/02 08:53:54 [notice] 54#54: gracefully shutting down -2025/05/02 08:53:54 [notice] 54#54: exiting -2025/05/02 08:53:54 [notice] 55#55: gracefully shutting down -2025/05/02 08:53:54 [notice] 52#52: exiting -2025/05/02 08:53:54 [notice] 55#55: exiting -2025/05/02 08:53:54 [notice] 48#48: exit -2025/05/02 08:53:54 [notice] 54#54: exit -2025/05/02 08:53:54 [notice] 52#52: exit -2025/05/02 08:53:54 [notice] 56#56: exiting -2025/05/02 08:53:54 [notice] 53#53: exit -2025/05/02 08:53:54 [notice] 51#51: exit -2025/05/02 08:53:54 [notice] 50#50: exit -2025/05/02 08:53:54 [notice] 56#56: exit -2025/05/02 08:53:54 [notice] 57#57: gracefully shutting down -2025/05/02 08:53:54 [notice] 55#55: exit -2025/05/02 08:53:54 [notice] 57#57: exiting -2025/05/02 08:53:54 [notice] 57#57: exit -2025/05/02 08:53:54 [notice] 49#49: exit -2025/05/02 08:53:54 [notice] 17#17: signal 1 (SIGHUP) received from 78, reconfiguring -2025/05/02 08:53:54 [notice] 17#17: reconfiguring -2025/05/02 08:53:54 [notice] 17#17: js vm init njs: 0000AAAACEF3BA80 -2025/05/02 08:53:54 [notice] 17#17: using the "epoll" event method -2025/05/02 08:53:54 [notice] 17#17: start worker processes -2025/05/02 08:53:54 [notice] 17#17: start worker process 79 -2025/05/02 08:53:54 [notice] 17#17: start worker process 80 -2025/05/02 08:53:54 [notice] 17#17: start worker process 81 -2025/05/02 08:53:54 [notice] 17#17: start worker process 82 -2025/05/02 08:53:54 [notice] 17#17: start worker process 83 -2025/05/02 08:53:54 [notice] 17#17: start worker process 84 -2025/05/02 08:53:54 [notice] 17#17: start worker process 85 -2025/05/02 08:53:54 [notice] 17#17: start worker process 86 -2025/05/02 08:53:54 [notice] 17#17: start worker process 87 -2025/05/02 08:53:54 [notice] 17#17: start worker process 88 -2025/05/02 08:53:54 [notice] 68#68: gracefully shutting down -2025/05/02 08:53:54 [notice] 68#68: exiting -2025/05/02 08:53:54 [notice] 67#67: gracefully shutting down -2025/05/02 08:53:54 [notice] 67#67: exiting -2025/05/02 08:53:54 [notice] 67#67: exit -2025/05/02 08:53:54 [notice] 68#68: exit -2025/05/02 08:53:54 [notice] 69#69: gracefully shutting down -2025/05/02 08:53:54 [notice] 72#72: gracefully shutting down -2025/05/02 08:53:54 [notice] 70#70: gracefully shutting down -2025/05/02 08:53:54 [notice] 71#71: gracefully shutting down -2025/05/02 08:53:54 [notice] 72#72: exiting -2025/05/02 08:53:54 [notice] 69#69: exiting -2025/05/02 08:53:54 [notice] 70#70: exiting -2025/05/02 08:53:54 [notice] 71#71: exiting -2025/05/02 08:53:54 [notice] 71#71: exit -2025/05/02 08:53:54 [notice] 69#69: exit -2025/05/02 08:53:54 [notice] 72#72: exit -2025/05/02 08:53:54 [notice] 70#70: exit -2025/05/02 08:53:54 [notice] 73#73: gracefully shutting down -2025/05/02 08:53:54 [notice] 73#73: exiting -2025/05/02 08:53:54 [notice] 73#73: exit -2025/05/02 08:53:54 [notice] 74#74: gracefully shutting down -2025/05/02 08:53:54 [notice] 75#75: gracefully shutting down -2025/05/02 08:53:54 [notice] 74#74: exiting -2025/05/02 08:53:54 [notice] 75#75: exiting -2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 56 -2025/05/02 08:53:54 [notice] 76#76: gracefully shutting down -2025/05/02 08:53:54 [notice] 76#76: exiting -2025/05/02 08:53:54 [notice] 17#17: worker process 48 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 49 exited with code 0 -2025/05/02 08:53:54 [notice] 74#74: exit -2025/05/02 08:53:54 [notice] 17#17: worker process 50 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 51 exited with code 0 -2025/05/02 08:53:54 [notice] 76#76: exit -2025/05/02 08:53:54 [notice] 75#75: exit -2025/05/02 08:53:54 [notice] 17#17: worker process 52 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 53 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 54 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 55 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 56 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 57 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 69 -2025/05/02 08:53:54 [notice] 17#17: worker process 69 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 70 -2025/05/02 08:53:54 [notice] 17#17: worker process 70 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 67 -2025/05/02 08:53:54 [notice] 17#17: worker process 67 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 68 -2025/05/02 08:53:54 [notice] 17#17: worker process 68 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 73 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 75 -2025/05/02 08:53:54 [notice] 17#17: worker process 72 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 75 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 71 -2025/05/02 08:53:54 [notice] 17#17: worker process 71 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: worker process 74 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:53:54 [notice] 17#17: signal 17 (SIGCHLD) received from 74 -2025/05/02 08:53:54 [notice] 17#17: worker process 76 exited with code 0 -2025/05/02 08:53:54 [notice] 17#17: signal 29 (SIGIO) received -W20250502 08:54:22.915598 1 controller.go:2158] Error trying to get the secret cafe-secret for Ingress cafe-ingress: secret doesn't exist or of an unsupported type -W20250502 08:54:22.915663 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist -W20250502 08:54:22.915671 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: service default/coffee-svc doesn't exist -2025/05/02 08:54:22 [notice] 17#17: signal 1 (SIGHUP) received from 90, reconfiguring -2025/05/02 08:54:22 [notice] 17#17: reconfiguring -2025/05/02 08:54:22 [notice] 17#17: js vm init njs: 0000AAAACEEF5480 -2025/05/02 08:54:22 [notice] 17#17: using the "epoll" event method -2025/05/02 08:54:22 [notice] 17#17: start worker processes -2025/05/02 08:54:22 [notice] 17#17: start worker process 91 -2025/05/02 08:54:22 [notice] 17#17: start worker process 92 -2025/05/02 08:54:22 [notice] 17#17: start worker process 93 -2025/05/02 08:54:22 [notice] 17#17: start worker process 94 -2025/05/02 08:54:22 [notice] 17#17: start worker process 95 -2025/05/02 08:54:22 [notice] 17#17: start worker process 96 -2025/05/02 08:54:22 [notice] 17#17: start worker process 97 -2025/05/02 08:54:22 [notice] 17#17: start worker process 98 -2025/05/02 08:54:22 [notice] 17#17: start worker process 99 -2025/05/02 08:54:22 [notice] 17#17: start worker process 100 -I20250502 08:54:22.958461 1 service.go:32] Adding service: coffee-svc -2025/05/02 08:54:23 [notice] 87#87: gracefully shutting down -2025/05/02 08:54:23 [notice] 80#80: gracefully shutting down -2025/05/02 08:54:23 [notice] 80#80: exiting -2025/05/02 08:54:23 [notice] 87#87: exiting -2025/05/02 08:54:23 [notice] 87#87: exit -2025/05/02 08:54:23 [notice] 82#82: gracefully shutting down -2025/05/02 08:54:23 [notice] 82#82: exiting -2025/05/02 08:54:23 [notice] 85#85: gracefully shutting down -2025/05/02 08:54:23 [notice] 85#85: exiting -2025/05/02 08:54:23 [notice] 80#80: exit -2025/05/02 08:54:23 [notice] 85#85: exit -2025/05/02 08:54:23 [notice] 86#86: gracefully shutting down -2025/05/02 08:54:23 [notice] 86#86: exiting -2025/05/02 08:54:23 [notice] 79#79: gracefully shutting down -2025/05/02 08:54:23 [notice] 79#79: exiting -2025/05/02 08:54:23 [notice] 88#88: gracefully shutting down -2025/05/02 08:54:23 [notice] 88#88: exiting -2025/05/02 08:54:23 [notice] 88#88: exit -2025/05/02 08:54:23 [notice] 82#82: exit -2025/05/02 08:54:23 [notice] 79#79: exit -2025/05/02 08:54:23 [notice] 84#84: gracefully shutting down -2025/05/02 08:54:23 [notice] 83#83: gracefully shutting down -2025/05/02 08:54:23 [notice] 83#83: exiting -2025/05/02 08:54:23 [notice] 83#83: exit -2025/05/02 08:54:23 [notice] 86#86: exit -2025/05/02 08:54:23 [notice] 81#81: gracefully shutting down -2025/05/02 08:54:23 [notice] 81#81: exiting -2025/05/02 08:54:23 [notice] 81#81: exit -2025/05/02 08:54:23 [notice] 84#84: exiting -2025/05/02 08:54:23 [notice] 84#84: exit -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 80 -2025/05/02 08:54:23 [notice] 17#17: worker process 80 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 79 -2025/05/02 08:54:23 [notice] 17#17: worker process 79 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 83 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 85 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 82 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 86 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 87 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 82 -2025/05/02 08:54:23 [notice] 17#17: worker process 81 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 81 -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 88 -2025/05/02 08:54:23 [notice] 17#17: worker process 88 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -W20250502 08:54:23.154245 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist -I20250502 08:54:23.154225 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Warning' reason: 'AddedOrUpdatedWithWarning' Configuration for default/cafe-ingress was added or updated ; with warning(s): TLS secret cafe-secret is invalid: secret doesn't exist or of an unsupported type -W20250502 08:54:23.154346 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc -I20250502 08:54:23.154598 1 service.go:258] Syncing service default/coffee-svc -I20250502 08:54:23.154623 1 service.go:260] Updating 1 resources -W20250502 08:54:23.154628 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist -W20250502 08:54:23.154633 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc -I20250502 08:54:23.154755 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated -W20250502 08:54:23.155433 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: service default/tea-svc doesn't exist -W20250502 08:54:23.155448 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc -I20250502 08:54:23.155717 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated -I20250502 08:54:23.157472 1 service.go:32] Adding service: tea-svc -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 84 -2025/05/02 08:54:23 [notice] 17#17: worker process 84 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 1 (SIGHUP) received from 102, reconfiguring -2025/05/02 08:54:23 [notice] 17#17: reconfiguring -2025/05/02 08:54:23 [notice] 17#17: js vm init njs: 0000AAAACEEAA380 -2025/05/02 08:54:23 [notice] 17#17: using the "epoll" event method -2025/05/02 08:54:23 [notice] 17#17: start worker processes -2025/05/02 08:54:23 [notice] 17#17: start worker process 103 -2025/05/02 08:54:23 [notice] 17#17: start worker process 104 -2025/05/02 08:54:23 [notice] 17#17: start worker process 105 -2025/05/02 08:54:23 [notice] 17#17: start worker process 106 -2025/05/02 08:54:23 [notice] 17#17: start worker process 107 -2025/05/02 08:54:23 [notice] 17#17: start worker process 108 -2025/05/02 08:54:23 [notice] 17#17: start worker process 109 -2025/05/02 08:54:23 [notice] 17#17: start worker process 110 -2025/05/02 08:54:23 [notice] 17#17: start worker process 111 -2025/05/02 08:54:23 [notice] 17#17: start worker process 112 -2025/05/02 08:54:23 [notice] 92#92: gracefully shutting down -2025/05/02 08:54:23 [notice] 93#93: gracefully shutting down -2025/05/02 08:54:23 [notice] 91#91: gracefully shutting down -2025/05/02 08:54:23 [notice] 94#94: gracefully shutting down -2025/05/02 08:54:23 [notice] 95#95: gracefully shutting down -2025/05/02 08:54:23 [notice] 94#94: exiting -2025/05/02 08:54:23 [notice] 91#91: exiting -2025/05/02 08:54:23 [notice] 92#92: exiting -2025/05/02 08:54:23 [notice] 93#93: exiting -2025/05/02 08:54:23 [notice] 95#95: exiting -2025/05/02 08:54:23 [notice] 96#96: gracefully shutting down -2025/05/02 08:54:23 [notice] 97#97: gracefully shutting down -2025/05/02 08:54:23 [notice] 97#97: exiting -2025/05/02 08:54:23 [notice] 96#96: exiting -2025/05/02 08:54:23 [notice] 99#99: gracefully shutting down -2025/05/02 08:54:23 [notice] 99#99: exiting -2025/05/02 08:54:23 [notice] 95#95: exit -2025/05/02 08:54:23 [notice] 92#92: exit -2025/05/02 08:54:23 [notice] 91#91: exit -2025/05/02 08:54:23 [notice] 93#93: exit -2025/05/02 08:54:23 [notice] 94#94: exit -2025/05/02 08:54:23 [notice] 100#100: gracefully shutting down -2025/05/02 08:54:23 [notice] 100#100: exiting -2025/05/02 08:54:23 [notice] 97#97: exit -2025/05/02 08:54:23 [notice] 96#96: exit -2025/05/02 08:54:23 [notice] 98#98: gracefully shutting down -2025/05/02 08:54:23 [notice] 98#98: exiting -2025/05/02 08:54:23 [notice] 100#100: exit -2025/05/02 08:54:23 [notice] 98#98: exit -2025/05/02 08:54:23 [notice] 99#99: exit -I20250502 08:54:23.302569 1 service.go:258] Syncing service default/tea-svc -I20250502 08:54:23.302587 1 service.go:260] Updating 1 resources -W20250502 08:54:23.302614 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: no endpointslices for target port 8080 in service tea-svc -W20250502 08:54:23.302624 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 99 -2025/05/02 08:54:23 [notice] 17#17: worker process 93 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 94 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 95 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 97 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 99 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 95 -2025/05/02 08:54:23 [notice] 17#17: worker process 91 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 100 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 98 -2025/05/02 08:54:23 [notice] 17#17: worker process 98 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 92 -2025/05/02 08:54:23 [notice] 17#17: worker process 92 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 1 (SIGHUP) received from 114, reconfiguring -2025/05/02 08:54:23 [notice] 17#17: reconfiguring -2025/05/02 08:54:23 [notice] 17#17: js vm init njs: 0000AAAACEEFE200 -2025/05/02 08:54:23 [notice] 17#17: using the "epoll" event method -2025/05/02 08:54:23 [notice] 17#17: start worker processes -2025/05/02 08:54:23 [notice] 17#17: start worker process 115 -2025/05/02 08:54:23 [notice] 17#17: start worker process 116 -2025/05/02 08:54:23 [notice] 17#17: start worker process 117 -2025/05/02 08:54:23 [notice] 17#17: start worker process 118 -2025/05/02 08:54:23 [notice] 17#17: start worker process 119 -2025/05/02 08:54:23 [notice] 17#17: start worker process 120 -2025/05/02 08:54:23 [notice] 17#17: start worker process 121 -2025/05/02 08:54:23 [notice] 17#17: start worker process 122 -2025/05/02 08:54:23 [notice] 17#17: start worker process 123 -2025/05/02 08:54:23 [notice] 17#17: start worker process 124 -2025/05/02 08:54:23 [notice] 103#103: gracefully shutting down -2025/05/02 08:54:23 [notice] 104#104: gracefully shutting down -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 96 -2025/05/02 08:54:23 [notice] 17#17: worker process 96 exited with code 0 -2025/05/02 08:54:23 [notice] 103#103: exiting -2025/05/02 08:54:23 [notice] 104#104: exiting -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 105#105: gracefully shutting down -2025/05/02 08:54:23 [notice] 105#105: exiting -2025/05/02 08:54:23 [notice] 106#106: gracefully shutting down -2025/05/02 08:54:23 [notice] 106#106: exiting -2025/05/02 08:54:23 [notice] 103#103: exit -2025/05/02 08:54:23 [notice] 104#104: exit -2025/05/02 08:54:23 [notice] 107#107: gracefully shutting down -2025/05/02 08:54:23 [notice] 107#107: exiting -2025/05/02 08:54:23 [notice] 106#106: exit -2025/05/02 08:54:23 [notice] 107#107: exit -2025/05/02 08:54:23 [notice] 108#108: gracefully shutting down -2025/05/02 08:54:23 [notice] 108#108: exiting -2025/05/02 08:54:23 [notice] 112#112: gracefully shutting down -2025/05/02 08:54:23 [notice] 112#112: exiting -2025/05/02 08:54:23 [notice] 105#105: exit -2025/05/02 08:54:23 [notice] 109#109: gracefully shutting down -2025/05/02 08:54:23 [notice] 109#109: exiting -2025/05/02 08:54:23 [notice] 108#108: exit -2025/05/02 08:54:23 [notice] 109#109: exit -2025/05/02 08:54:23 [notice] 110#110: gracefully shutting down -2025/05/02 08:54:23 [notice] 111#111: gracefully shutting down -2025/05/02 08:54:23 [notice] 110#110: exiting -2025/05/02 08:54:23 [notice] 111#111: exiting -2025/05/02 08:54:23 [notice] 112#112: exit -2025/05/02 08:54:23 [notice] 110#110: exit -2025/05/02 08:54:23 [notice] 111#111: exit -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 104 -2025/05/02 08:54:23 [notice] 17#17: worker process 104 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 110 exited with code 0 -W20250502 08:54:23.449757 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: no endpointslices for target port 8080 in service tea-svc -W20250502 08:54:23.449780 1 controller.go:2313] Error retrieving endpoints for the service coffee-svc: no endpointslices for target port 8080 in service coffee-svc -I20250502 08:54:23.450600 1 main.go:107] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"cafe-ingress", UID:"2a1ee6cc-686b-4692-8c64-e0829e70db6c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"5721", FieldPath:""}): type: 'Normal' reason: 'AddedOrUpdated' Configuration for default/cafe-ingress was added or updated -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 110 -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 108 -2025/05/02 08:54:23 [notice] 17#17: worker process 108 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 106 -2025/05/02 08:54:23 [notice] 17#17: worker process 106 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 112 -2025/05/02 08:54:23 [notice] 17#17: worker process 112 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 103 -2025/05/02 08:54:23 [notice] 17#17: worker process 103 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 111 -2025/05/02 08:54:23 [notice] 17#17: worker process 105 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 111 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 107 -2025/05/02 08:54:23 [notice] 17#17: worker process 107 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 109 -2025/05/02 08:54:23 [notice] 17#17: worker process 109 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 1 (SIGHUP) received from 126, reconfiguring -2025/05/02 08:54:23 [notice] 17#17: reconfiguring -2025/05/02 08:54:23 [notice] 17#17: js vm init njs: 0000AAAACEEF5480 -2025/05/02 08:54:23 [notice] 17#17: using the "epoll" event method -2025/05/02 08:54:23 [notice] 17#17: start worker processes -2025/05/02 08:54:23 [notice] 17#17: start worker process 127 -2025/05/02 08:54:23 [notice] 17#17: start worker process 128 -2025/05/02 08:54:23 [notice] 17#17: start worker process 129 -2025/05/02 08:54:23 [notice] 17#17: start worker process 130 -2025/05/02 08:54:23 [notice] 17#17: start worker process 131 -2025/05/02 08:54:23 [notice] 17#17: start worker process 132 -2025/05/02 08:54:23 [notice] 17#17: start worker process 133 -2025/05/02 08:54:23 [notice] 17#17: start worker process 134 -2025/05/02 08:54:23 [notice] 17#17: start worker process 135 -2025/05/02 08:54:23 [notice] 17#17: start worker process 136 -2025/05/02 08:54:23 [notice] 123#123: gracefully shutting down -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 117#117: gracefully shutting down -2025/05/02 08:54:23 [notice] 124#124: gracefully shutting down -2025/05/02 08:54:23 [notice] 123#123: exiting -2025/05/02 08:54:23 [notice] 124#124: exiting -2025/05/02 08:54:23 [notice] 116#116: gracefully shutting down -2025/05/02 08:54:23 [notice] 117#117: exiting -2025/05/02 08:54:23 [notice] 122#122: gracefully shutting down -2025/05/02 08:54:23 [notice] 116#116: exiting -2025/05/02 08:54:23 [notice] 122#122: exiting -2025/05/02 08:54:23 [notice] 118#118: gracefully shutting down -2025/05/02 08:54:23 [notice] 118#118: exiting -2025/05/02 08:54:23 [notice] 116#116: exit -2025/05/02 08:54:23 [notice] 123#123: exit -2025/05/02 08:54:23 [notice] 122#122: exit -2025/05/02 08:54:23 [notice] 119#119: gracefully shutting down -2025/05/02 08:54:23 [notice] 124#124: exit -2025/05/02 08:54:23 [notice] 119#119: exiting -2025/05/02 08:54:23 [notice] 118#118: exit -2025/05/02 08:54:23 [notice] 119#119: exit -2025/05/02 08:54:23 [notice] 120#120: gracefully shutting down -2025/05/02 08:54:23 [notice] 121#121: gracefully shutting down -2025/05/02 08:54:23 [notice] 120#120: exiting -2025/05/02 08:54:23 [notice] 121#121: exiting -2025/05/02 08:54:23 [notice] 117#117: exit -2025/05/02 08:54:23 [notice] 120#120: exit -2025/05/02 08:54:23 [notice] 121#121: exit -2025/05/02 08:54:23 [notice] 115#115: gracefully shutting down -2025/05/02 08:54:23 [notice] 115#115: exiting -2025/05/02 08:54:23 [notice] 115#115: exit -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 116 -2025/05/02 08:54:23 [notice] 17#17: worker process 116 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 118 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 119 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 120 -2025/05/02 08:54:23 [notice] 17#17: worker process 120 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 124 -2025/05/02 08:54:23 [notice] 17#17: worker process 124 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 115 -2025/05/02 08:54:23 [notice] 17#17: worker process 115 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 121 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 122 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: worker process 123 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:23 [notice] 17#17: signal 17 (SIGCHLD) received from 122 -2025/05/02 08:54:23 [notice] 17#17: worker process 117 exited with code 0 -2025/05/02 08:54:23 [notice] 17#17: signal 29 (SIGIO) received -W20250502 08:54:23.901594 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: no endpointslices for target port 8080 in service tea-svc -2025/05/02 08:54:23 [notice] 17#17: signal 1 (SIGHUP) received from 138, reconfiguring -2025/05/02 08:54:23 [notice] 17#17: reconfiguring -2025/05/02 08:54:23 [notice] 17#17: js vm init njs: 0000AAAACEE94880 -2025/05/02 08:54:23 [notice] 17#17: using the "epoll" event method -2025/05/02 08:54:23 [notice] 17#17: start worker processes -2025/05/02 08:54:23 [notice] 17#17: start worker process 139 -2025/05/02 08:54:23 [notice] 17#17: start worker process 140 -2025/05/02 08:54:23 [notice] 17#17: start worker process 141 -2025/05/02 08:54:23 [notice] 17#17: start worker process 142 -2025/05/02 08:54:23 [notice] 17#17: start worker process 143 -2025/05/02 08:54:23 [notice] 17#17: start worker process 144 -2025/05/02 08:54:23 [notice] 17#17: start worker process 145 -2025/05/02 08:54:23 [notice] 17#17: start worker process 146 -2025/05/02 08:54:23 [notice] 17#17: start worker process 147 -2025/05/02 08:54:23 [notice] 17#17: start worker process 148 -2025/05/02 08:54:24 [notice] 127#127: gracefully shutting down -2025/05/02 08:54:24 [notice] 129#129: gracefully shutting down -2025/05/02 08:54:24 [notice] 127#127: exiting -2025/05/02 08:54:24 [notice] 128#128: gracefully shutting down -2025/05/02 08:54:24 [notice] 129#129: exiting -2025/05/02 08:54:24 [notice] 128#128: exiting -2025/05/02 08:54:24 [notice] 129#129: exit -2025/05/02 08:54:24 [notice] 128#128: exit -2025/05/02 08:54:24 [notice] 127#127: exit -2025/05/02 08:54:24 [notice] 134#134: gracefully shutting down -2025/05/02 08:54:24 [notice] 134#134: exiting -2025/05/02 08:54:24 [notice] 131#131: gracefully shutting down -2025/05/02 08:54:24 [notice] 132#132: gracefully shutting down -2025/05/02 08:54:24 [notice] 130#130: gracefully shutting down -2025/05/02 08:54:24 [notice] 131#131: exiting -2025/05/02 08:54:24 [notice] 132#132: exiting -2025/05/02 08:54:24 [notice] 130#130: exiting -2025/05/02 08:54:24 [notice] 134#134: exit -2025/05/02 08:54:24 [notice] 131#131: exit -2025/05/02 08:54:24 [notice] 130#130: exit -2025/05/02 08:54:24 [notice] 136#136: gracefully shutting down -2025/05/02 08:54:24 [notice] 136#136: exiting -2025/05/02 08:54:24 [notice] 135#135: gracefully shutting down -2025/05/02 08:54:24 [notice] 133#133: gracefully shutting down -2025/05/02 08:54:24 [notice] 135#135: exiting -2025/05/02 08:54:24 [notice] 136#136: exit -2025/05/02 08:54:24 [notice] 133#133: exiting -2025/05/02 08:54:24 [notice] 135#135: exit -2025/05/02 08:54:24 [notice] 133#133: exit -2025/05/02 08:54:24 [notice] 132#132: exit -W20250502 08:54:24.077181 1 controller.go:2313] Error retrieving endpoints for the service tea-svc: no endpointslices for target port 8080 in service tea-svc -2025/05/02 08:54:24 [notice] 17#17: signal 1 (SIGHUP) received from 150, reconfiguring -2025/05/02 08:54:24 [notice] 17#17: reconfiguring -2025/05/02 08:54:24 [notice] 17#17: js vm init njs: 0000AAAACEF07300 -2025/05/02 08:54:24 [notice] 17#17: using the "epoll" event method -2025/05/02 08:54:24 [notice] 17#17: start worker processes -2025/05/02 08:54:24 [notice] 17#17: start worker process 151 -2025/05/02 08:54:24 [notice] 17#17: start worker process 152 -2025/05/02 08:54:24 [notice] 17#17: start worker process 153 -2025/05/02 08:54:24 [notice] 17#17: start worker process 154 -2025/05/02 08:54:24 [notice] 17#17: start worker process 155 -2025/05/02 08:54:24 [notice] 17#17: start worker process 156 -2025/05/02 08:54:24 [notice] 17#17: start worker process 157 -2025/05/02 08:54:24 [notice] 17#17: start worker process 158 -2025/05/02 08:54:24 [notice] 17#17: start worker process 159 -2025/05/02 08:54:24 [notice] 17#17: start worker process 160 -2025/05/02 08:54:24 [notice] 139#139: gracefully shutting down -2025/05/02 08:54:24 [notice] 139#139: exiting -2025/05/02 08:54:24 [notice] 139#139: exit -2025/05/02 08:54:24 [notice] 142#142: gracefully shutting down -2025/05/02 08:54:24 [notice] 140#140: gracefully shutting down -2025/05/02 08:54:24 [notice] 142#142: exiting -2025/05/02 08:54:24 [notice] 141#141: gracefully shutting down -2025/05/02 08:54:24 [notice] 140#140: exiting -2025/05/02 08:54:24 [notice] 141#141: exiting -2025/05/02 08:54:24 [notice] 142#142: exit -2025/05/02 08:54:24 [notice] 141#141: exit -2025/05/02 08:54:24 [notice] 140#140: exit -2025/05/02 08:54:24 [notice] 145#145: gracefully shutting down -2025/05/02 08:54:24 [notice] 144#144: gracefully shutting down -2025/05/02 08:54:24 [notice] 143#143: gracefully shutting down -2025/05/02 08:54:24 [notice] 145#145: exiting -2025/05/02 08:54:24 [notice] 144#144: exiting -2025/05/02 08:54:24 [notice] 143#143: exiting -2025/05/02 08:54:24 [notice] 145#145: exit -2025/05/02 08:54:24 [notice] 144#144: exit -2025/05/02 08:54:24 [notice] 143#143: exit -2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 131 -2025/05/02 08:54:24 [notice] 17#17: worker process 127 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 128 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 129 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 130 exited with code 0 -2025/05/02 08:54:24 [notice] 148#148: gracefully shutting down -2025/05/02 08:54:24 [notice] 17#17: worker process 131 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 132 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 133 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 134 exited with code 0 -2025/05/02 08:54:24 [notice] 146#146: gracefully shutting down -2025/05/02 08:54:24 [notice] 17#17: worker process 135 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 136 exited with code 0 -2025/05/02 08:54:24 [notice] 148#148: exiting -2025/05/02 08:54:24 [notice] 146#146: exiting -2025/05/02 08:54:24 [notice] 147#147: gracefully shutting down -2025/05/02 08:54:24 [notice] 147#147: exiting -2025/05/02 08:54:24 [notice] 146#146: exit -2025/05/02 08:54:24 [notice] 148#148: exit -2025/05/02 08:54:24 [notice] 147#147: exit -2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 141 -2025/05/02 08:54:24 [notice] 17#17: worker process 141 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 144 -2025/05/02 08:54:24 [notice] 17#17: worker process 144 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 148 -2025/05/02 08:54:24 [notice] 17#17: worker process 139 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 142 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 143 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 146 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 147 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: worker process 148 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 139 -2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 145 -2025/05/02 08:54:24 [notice] 17#17: worker process 145 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:24 [notice] 17#17: signal 17 (SIGCHLD) received from 140 -2025/05/02 08:54:24 [notice] 17#17: worker process 140 exited with code 0 -2025/05/02 08:54:24 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:24 [notice] 17#17: signal 1 (SIGHUP) received from 162, reconfiguring -2025/05/02 08:54:24 [notice] 17#17: reconfiguring -2025/05/02 08:54:24 [notice] 17#17: js vm init njs: 0000AAAACEF27F80 -2025/05/02 08:54:24 [notice] 17#17: using the "epoll" event method -2025/05/02 08:54:24 [notice] 17#17: start worker processes -2025/05/02 08:54:24 [notice] 17#17: start worker process 163 -2025/05/02 08:54:24 [notice] 17#17: start worker process 164 -2025/05/02 08:54:24 [notice] 17#17: start worker process 165 -2025/05/02 08:54:24 [notice] 17#17: start worker process 166 -2025/05/02 08:54:24 [notice] 17#17: start worker process 167 -2025/05/02 08:54:24 [notice] 17#17: start worker process 168 -2025/05/02 08:54:24 [notice] 17#17: start worker process 169 -2025/05/02 08:54:24 [notice] 17#17: start worker process 170 -2025/05/02 08:54:24 [notice] 17#17: start worker process 171 -2025/05/02 08:54:24 [notice] 17#17: start worker process 172 -2025/05/02 08:54:25 [notice] 151#151: gracefully shutting down -2025/05/02 08:54:25 [notice] 153#153: gracefully shutting down -2025/05/02 08:54:25 [notice] 152#152: gracefully shutting down -2025/05/02 08:54:25 [notice] 160#160: gracefully shutting down -2025/05/02 08:54:25 [notice] 154#154: gracefully shutting down -2025/05/02 08:54:25 [notice] 153#153: exiting -2025/05/02 08:54:25 [notice] 159#159: gracefully shutting down -2025/05/02 08:54:25 [notice] 151#151: exiting -2025/05/02 08:54:25 [notice] 152#152: exiting -2025/05/02 08:54:25 [notice] 160#160: exiting -2025/05/02 08:54:25 [notice] 155#155: gracefully shutting down -2025/05/02 08:54:25 [notice] 156#156: gracefully shutting down -2025/05/02 08:54:25 [notice] 154#154: exiting -2025/05/02 08:54:25 [notice] 159#159: exiting -2025/05/02 08:54:25 [notice] 156#156: exiting -2025/05/02 08:54:25 [notice] 155#155: exiting -2025/05/02 08:54:25 [notice] 158#158: gracefully shutting down -2025/05/02 08:54:25 [notice] 157#157: gracefully shutting down -2025/05/02 08:54:25 [notice] 157#157: exiting -2025/05/02 08:54:25 [notice] 158#158: exiting -2025/05/02 08:54:25 [notice] 156#156: exit -2025/05/02 08:54:25 [notice] 153#153: exit -2025/05/02 08:54:25 [notice] 154#154: exit -2025/05/02 08:54:25 [notice] 155#155: exit -2025/05/02 08:54:25 [notice] 152#152: exit -2025/05/02 08:54:25 [notice] 151#151: exit -2025/05/02 08:54:25 [notice] 160#160: exit -2025/05/02 08:54:25 [notice] 159#159: exit -2025/05/02 08:54:25 [notice] 157#157: exit -2025/05/02 08:54:25 [notice] 158#158: exit -2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 154 -2025/05/02 08:54:25 [notice] 17#17: worker process 154 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 158 -2025/05/02 08:54:25 [notice] 17#17: worker process 157 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 158 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 160 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 160 -2025/05/02 08:54:25 [notice] 17#17: worker process 151 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 153 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 152 -2025/05/02 08:54:25 [notice] 17#17: worker process 152 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 155 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 156 -2025/05/02 08:54:25 [notice] 17#17: worker process 156 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 159 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:25 [notice] 17#17: signal 1 (SIGHUP) received from 174, reconfiguring -2025/05/02 08:54:25 [notice] 17#17: reconfiguring -2025/05/02 08:54:25 [notice] 17#17: js vm init njs: 0000AAAACEE0E900 -2025/05/02 08:54:25 [notice] 17#17: using the "epoll" event method -2025/05/02 08:54:25 [notice] 17#17: start worker processes -2025/05/02 08:54:25 [notice] 17#17: start worker process 175 -2025/05/02 08:54:25 [notice] 17#17: start worker process 176 -2025/05/02 08:54:25 [notice] 17#17: start worker process 177 -2025/05/02 08:54:25 [notice] 17#17: start worker process 178 -2025/05/02 08:54:25 [notice] 17#17: start worker process 179 -2025/05/02 08:54:25 [notice] 17#17: start worker process 180 -2025/05/02 08:54:25 [notice] 17#17: start worker process 181 -2025/05/02 08:54:25 [notice] 17#17: start worker process 182 -2025/05/02 08:54:25 [notice] 17#17: start worker process 183 -2025/05/02 08:54:25 [notice] 17#17: start worker process 184 -2025/05/02 08:54:25 [notice] 163#163: gracefully shutting down -2025/05/02 08:54:25 [notice] 164#164: gracefully shutting down -2025/05/02 08:54:25 [notice] 164#164: exiting -2025/05/02 08:54:25 [notice] 172#172: gracefully shutting down -2025/05/02 08:54:25 [notice] 163#163: exiting -2025/05/02 08:54:25 [notice] 172#172: exiting -2025/05/02 08:54:25 [notice] 166#166: gracefully shutting down -2025/05/02 08:54:25 [notice] 170#170: gracefully shutting down -2025/05/02 08:54:25 [notice] 165#165: gracefully shutting down -2025/05/02 08:54:25 [notice] 167#167: gracefully shutting down -2025/05/02 08:54:25 [notice] 167#167: exiting -2025/05/02 08:54:25 [notice] 166#166: exiting -2025/05/02 08:54:25 [notice] 170#170: exiting -2025/05/02 08:54:25 [notice] 165#165: exiting -2025/05/02 08:54:25 [notice] 168#168: gracefully shutting down -2025/05/02 08:54:25 [notice] 169#169: gracefully shutting down -2025/05/02 08:54:25 [notice] 168#168: exiting -2025/05/02 08:54:25 [notice] 164#164: exit -2025/05/02 08:54:25 [notice] 163#163: exit -2025/05/02 08:54:25 [notice] 170#170: exit -2025/05/02 08:54:25 [notice] 165#165: exit -2025/05/02 08:54:25 [notice] 167#167: exit -2025/05/02 08:54:25 [notice] 166#166: exit -2025/05/02 08:54:25 [notice] 172#172: exit -2025/05/02 08:54:25 [notice] 168#168: exit -2025/05/02 08:54:25 [notice] 169#169: exiting -2025/05/02 08:54:25 [notice] 171#171: gracefully shutting down -2025/05/02 08:54:25 [notice] 171#171: exiting -2025/05/02 08:54:25 [notice] 169#169: exit -2025/05/02 08:54:25 [notice] 171#171: exit -2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 163 -2025/05/02 08:54:25 [notice] 17#17: worker process 163 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 170 -2025/05/02 08:54:25 [notice] 17#17: worker process 164 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 165 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 166 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 167 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 170 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 169 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 171 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 168 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: worker process 172 exited with code 0 -2025/05/02 08:54:25 [notice] 17#17: signal 29 (SIGIO) received -2025/05/02 08:54:25 [notice] 17#17: signal 17 (SIGCHLD) received from 169 -10.244.0.1 - - [02/May/2025:08:56:11 +0000] "GET /coffee HTTP/1.1" 400 255 "-" "curl/8.7.1" "-" -10.244.0.1 - - [02/May/2025:08:58:41 +0000] "GET /coffee HTTP/1.1" 200 161 "-" "curl/8.7.1" "-" -10.244.0.1 - - [02/May/2025:10:36:23 +0000] "GET /coffee HTTP/1.1" 200 161 "-" "curl/8.7.1" "-" -E0502 10:43:45.064589 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:43:46.124787 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:43:46.124876 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:43:49.065132 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:43:49.065398 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:43:55.419280 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:43:55.419359 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:44:02.677045 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:44:02.677223 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:44:18.286690 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:44:18.286830 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:44:44.821958 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:44:44.822259 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:45:23.892200 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:45:23.892394 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -E0502 10:46:15.403613 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:46:16.697432 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:46:16.697578 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:46:16.729418 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:46:16.729532 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:46:18.946618 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:46:18.946720 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:46:22.727144 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:46:22.727256 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:46:34.919894 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:46:34.920005 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:46:47.933050 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:46:47.933230 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:47:07.155683 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:47:07.155845 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -E0502 10:47:09.567159 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:47:10.575523 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:47:10.575555 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:47:12.414696 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:47:12.414757 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:47:15.731966 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:47:15.732029 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -E0502 10:47:23.888434 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:47:24.952229 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:47:24.952323 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:47:26.025671 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:47:26.025714 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -E0502 10:47:27.210913 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:47:28.137366 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:47:28.137473 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:47:28.723085 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:47:28.723251 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:47:30.862520 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:47:30.862632 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:47:34.065191 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:47:34.065276 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:47:37.000051 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:47:37.000150 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:47:38.144915 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:47:38.145142 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:47:40.593173 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:47:40.593269 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:47:45.971296 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:47:45.971346 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:47:48.164560 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:47:48.164602 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:48:00.576892 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:48:00.576966 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:48:04.747277 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:48:04.747327 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:48:10.630104 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:48:10.630166 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:48:17.164043 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:48:17.164139 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -E0502 10:48:22.748616 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:48:23.991249 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:48:23.991299 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:48:26.628773 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:48:26.628969 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:48:30.134976 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:48:30.135060 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:48:33.326637 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:48:33.326773 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:48:37.454711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:48:37.454754 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:48:40.419179 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:48:40.419273 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:48:41.768785 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:48:41.768842 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -E0502 10:48:46.867998 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:48:48.254676 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:48:48.254827 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:48:49.957062 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:48:49.957158 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:48:52.412125 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:48:52.412238 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:48:53.188107 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:48:53.188180 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:48:55.794122 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:48:55.794219 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:48:56.089622 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:48:56.089661 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:49:01.312657 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:49:01.312764 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:49:16.512840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:49:16.512946 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:49:26.000096 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:49:26.000130 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:49:28.851737 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:49:28.851840 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:49:30.998265 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:49:30.998318 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:49:36.001377 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:49:36.001424 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:49:43.363715 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:49:43.363819 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -E0502 10:49:52.197516 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:49:53.173938 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:49:53.174032 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:49:53.923612 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:49:53.923707 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:49:54.988636 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:49:54.988673 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:49:55.092349 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:49:55.092401 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:50:00.579847 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:50:00.579944 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:50:06.836417 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:50:06.836534 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:50:08.100010 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:50:08.100109 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:50:18.107195 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:50:18.107281 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:50:21.231226 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:50:21.231282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:50:25.073311 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:50:25.073363 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:50:29.814298 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:50:29.814404 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:50:35.550501 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:50:35.550620 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:50:42.480688 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:50:42.480761 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:50:48.562543 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:50:48.562629 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -E0502 10:50:53.804129 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot watch resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:50:55.154414 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:50:55.154463 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:50:57.165913 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:50:57.166007 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:50:58.119001 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:50:58.119106 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:51:00.449916 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:51:00.450041 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:51:01.246804 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:51:01.246850 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:51:02.707010 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:51:02.707159 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:51:09.045801 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:51:09.045954 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:51:10.946872 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:51:10.946980 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:51:26.666787 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:51:26.666906 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:51:26.956291 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:51:26.956353 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:51:29.523481 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:51:29.523536 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:51:30.477904 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:51:30.477991 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:51:32.055614 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:51:32.055695 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:51:33.548308 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:51:33.548342 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:51:49.556609 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:51:49.556659 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:51:56.925764 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:51:56.925863 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:52:08.227763 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:52:08.227848 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:52:13.301158 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:52:13.301229 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:52:14.915056 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:52:14.915136 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:52:24.854879 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:52:24.854977 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:52:25.603227 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:52:25.603316 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:52:29.282246 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:52:29.282338 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:52:31.469377 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:52:31.469417 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:52:38.431450 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:52:38.431552 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:52:41.854951 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:52:41.854993 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:52:46.807614 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:52:46.807700 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:52:51.709176 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:52:51.709205 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:53:00.280790 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:53:00.280920 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:53:05.818105 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:53:05.818199 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:53:10.517744 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:53:10.518005 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:53:16.036538 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:53:16.036621 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:53:16.058202 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:53:16.058236 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:53:20.180692 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:53:20.180781 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:53:27.261665 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:53:27.261768 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:53:28.657273 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:53:28.657387 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:53:48.271454 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:53:48.271558 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:53:52.976303 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:53:52.976419 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:53:58.901956 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:53:58.902055 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:53:59.110533 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:53:59.110729 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:53:59.692224 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:53:59.692346 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:54:01.161860 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:54:01.161924 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:54:01.992858 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:54:01.992926 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:54:04.980830 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:54:04.980871 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:54:13.808892 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:54:13.808990 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:54:22.480105 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:54:22.480144 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:54:38.789063 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:54:38.789225 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:54:43.780494 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:54:43.780636 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:54:45.283721 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:54:45.283794 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:54:49.913812 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:54:49.913991 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:54:52.091310 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:54:52.091419 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:54:52.579356 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:54:52.579435 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:54:52.645216 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:54:52.645324 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:55:00.522611 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:55:00.522701 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:55:09.901201 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:55:09.901282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:55:15.796262 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:55:15.796301 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:55:16.763862 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:55:16.763978 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:55:26.709760 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:55:26.709852 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:55:33.035629 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:55:33.035703 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:55:36.992670 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:55:36.992733 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:55:44.597515 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:55:44.597665 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:55:46.815729 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:55:46.815815 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:55:50.441393 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:55:50.441456 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:55:52.556756 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:55:52.556885 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:55:53.066048 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:55:53.066207 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:55:57.057443 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:55:57.057533 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:56:16.367623 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:56:16.367707 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:56:18.104315 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:56:18.104415 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:56:29.327082 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:56:29.327146 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:56:35.959046 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:56:35.959116 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:56:36.192187 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:56:36.192320 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:56:42.237335 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:56:42.237456 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:56:48.314114 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:56:48.314159 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:56:48.639416 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:56:48.639503 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:56:53.091830 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:56:53.092063 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:57:04.704801 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:57:04.704855 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:57:10.441071 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:57:10.441257 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:57:12.365810 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:57:12.365925 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:57:13.060638 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:57:13.060709 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:57:29.312178 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:57:29.312278 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:57:29.981237 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:57:29.981366 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:57:30.436887 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:57:30.437002 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:57:34.039426 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:57:34.039523 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:57:38.319690 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:57:38.319802 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:57:43.545726 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:57:43.545836 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:57:47.233015 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:57:47.233077 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:57:53.035510 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:57:53.035595 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:58:00.147571 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:58:00.147670 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:58:12.091782 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:58:12.091825 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:58:15.490635 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:58:15.490712 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:58:16.755984 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:58:16.756085 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:58:23.092408 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:58:23.092487 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:58:23.316390 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:58:23.316428 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:58:26.432637 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:58:26.432673 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:58:28.611149 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:58:28.611344 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:58:33.523199 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:58:33.523259 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:58:55.444014 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:58:55.444125 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:58:56.877256 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:58:56.877382 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:59:06.386190 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 10:59:06.386285 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:59:08.318666 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:59:08.318796 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:59:10.120072 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:59:10.120223 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:59:10.977667 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:59:10.977730 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:59:14.180932 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 10:59:14.180985 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:59:15.342459 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 10:59:15.342568 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:59:23.298346 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 10:59:23.298465 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:59:31.117451 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 10:59:31.117571 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 10:59:42.774208 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 10:59:42.774273 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 10:59:43.247980 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 10:59:43.248134 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 10:59:52.242577 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 10:59:52.242632 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:00:01.024755 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:00:01.024857 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:00:02.267334 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:00:02.267385 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:00:02.739168 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:00:02.739262 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:00:07.364595 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:00:07.364706 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:00:12.223716 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:00:12.223755 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:00:13.650055 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:00:13.650153 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:00:14.589368 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:00:14.589473 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:00:20.589862 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:00:20.589962 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:00:42.844051 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:00:42.844164 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:00:43.627121 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:00:43.627663 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:00:43.820563 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:00:43.820618 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:00:49.894018 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:00:49.894095 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:00:56.206247 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:00:56.206310 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:00:56.723847 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:00:56.723982 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:01:01.028295 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:01:01.028448 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:01:12.619949 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:01:12.619989 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:01:13.085904 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:01:13.086011 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:01:16.464542 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:01:16.464585 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:01:25.788399 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:01:25.788642 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:01:27.439420 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:01:27.439461 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:01:31.483378 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:01:31.483410 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:01:34.620137 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:01:34.620232 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:01:35.881583 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:01:35.881669 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:01:38.535188 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:01:38.535238 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:01:46.703173 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:01:46.703300 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:01:49.422503 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:01:49.422774 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:02:01.813445 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:02:01.813576 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:02:02.339549 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:02:02.339612 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:02:03.858858 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:02:03.858902 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:02:10.213522 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:02:10.213605 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:02:12.156258 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:02:12.156305 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:02:15.495001 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:02:15.495043 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:02:19.514554 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:02:19.514614 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:02:22.844375 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:02:22.844492 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:02:27.600705 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:02:27.600845 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:02:33.760002 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:02:33.760116 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:02:53.284072 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:02:53.284191 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:02:56.816442 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:02:56.816551 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:02:58.177325 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:02:58.177447 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:02:59.408905 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:02:59.408993 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:03:00.161569 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:03:00.161613 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:03:01.311080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:03:01.311157 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:03:03.748154 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:03:03.748313 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:03:07.555373 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:03:07.555489 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:03:09.148984 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:03:09.149082 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:03:30.549495 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:03:30.549787 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:03:35.998482 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:03:35.998534 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:03:41.406059 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:03:41.406129 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:03:41.563711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:03:41.563765 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:03:46.170906 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:03:46.171073 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:03:48.321355 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:03:48.321557 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:03:53.853674 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:03:53.853766 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:03:55.467164 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:03:55.467284 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:03:58.039000 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:03:58.039044 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:04:07.824808 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:04:07.824939 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:04:18.253571 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:04:18.253806 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:04:23.733455 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:04:23.733557 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:04:27.304894 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:04:27.305122 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:04:29.225140 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:04:29.225210 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:04:30.640736 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:04:30.640819 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:04:33.923491 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:04:33.923597 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:04:37.300488 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:04:37.300536 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:04:38.319376 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:04:38.319418 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:04:50.612991 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:04:50.613093 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:04:59.459218 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:04:59.459255 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:05:05.820216 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:05:05.820291 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:05:08.620297 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:05:08.620386 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:05:13.726571 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:05:13.726664 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:05:16.500087 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:05:16.500129 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:05:19.761009 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:05:19.761123 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:05:22.191119 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:05:22.191155 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:05:25.313863 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:05:25.314006 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:05:30.285810 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:05:30.285925 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:05:51.592172 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:05:51.592232 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:05:59.027833 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:05:59.027943 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:05:59.301055 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:05:59.301214 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:05:59.366574 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:05:59.366691 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:06:00.999237 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:06:00.999366 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:06:05.572668 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:06:05.572748 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:06:08.275927 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:06:08.276082 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:06:11.770584 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:06:11.770723 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:06:15.348705 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:06:15.348984 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:06:39.320220 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:06:39.320343 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:06:39.873954 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:06:39.874066 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:06:46.058080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:06:46.058205 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:06:49.683849 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:06:49.683906 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:06:49.749739 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:06:49.749828 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:06:52.330231 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:06:52.330288 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:06:57.375583 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:06:57.375684 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:06:57.415550 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:06:57.415680 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:07:02.695933 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:07:02.696122 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:07:17.806327 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:07:17.806417 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:07:25.461321 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:07:25.461389 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:07:27.105176 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:07:27.105282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:07:33.562731 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:07:33.562790 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:07:34.995624 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:07:34.995754 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:07:39.137895 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:07:39.137984 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:07:41.415685 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:07:41.415778 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:07:51.827975 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:07:51.828043 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:07:55.753635 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:07:55.753673 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:07:56.186294 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:07:56.186383 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:08:06.727805 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:08:06.727869 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:08:09.632844 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:08:09.632965 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:08:11.455221 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:08:11.455345 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:08:13.033393 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:08:13.033489 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:08:14.801709 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:08:14.801778 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:08:16.395564 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:08:16.395660 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:08:31.198204 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:08:31.198436 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:08:37.355914 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:08:37.355996 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:08:45.558000 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:08:45.558104 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:08:59.374276 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:08:59.374446 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:09:02.803232 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:09:02.803403 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:09:05.220801 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:09:05.220915 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:09:06.559575 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:09:06.559645 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:09:06.941743 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:09:06.941782 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:09:07.759824 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:09:07.759930 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:09:08.613067 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:09:08.613201 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:09:25.052257 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:09:25.052352 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:09:25.139256 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:09:25.139333 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:09:36.996590 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:09:36.996633 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:09:37.216855 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:09:37.216909 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:09:39.587710 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:09:39.587896 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:09:47.185235 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:09:47.185457 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:09:48.186466 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:09:48.186555 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:09:59.242026 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:09:59.242124 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:10:02.591974 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:10:02.592072 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:10:03.250204 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:10:03.250410 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:10:08.222515 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:10:08.222555 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:10:17.142080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:10:17.142282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:10:19.051920 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:10:19.052022 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:10:34.396024 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:10:34.396177 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:10:34.910098 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:10:34.910143 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:10:36.952478 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:10:36.952523 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:10:45.928335 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:10:45.928516 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:10:46.046337 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:10:46.046459 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:10:46.466069 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:10:46.466208 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:10:48.604339 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:10:48.604470 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:11:05.564521 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:11:05.564603 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:11:11.783516 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:11:11.783705 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:11:20.527718 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:11:20.527796 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:11:22.297732 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:11:22.297782 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:11:26.191336 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:11:26.191491 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:11:30.760903 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:11:30.761083 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:11:31.534631 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:11:31.534683 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:11:31.641501 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:11:31.641558 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:11:32.810315 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:11:32.810369 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:11:46.623238 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:11:46.623485 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:11:53.649031 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:11:53.649082 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:11:54.574430 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:11:54.574547 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:12:01.106792 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:12:01.106889 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:12:04.169001 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:12:04.169061 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:12:04.861394 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:12:04.861442 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:12:15.812521 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:12:15.812559 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:12:18.343157 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:12:18.343215 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:12:27.592135 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:12:27.592282 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:12:27.741619 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:12:27.741803 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:12:38.608957 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:12:38.609030 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:12:41.230864 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:12:41.230920 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:12:47.442444 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:12:47.442482 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:12:53.831963 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:12:53.832043 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:12:54.075812 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:12:54.075873 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:12:55.503594 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:12:55.503642 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:13:06.613981 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:13:06.614129 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:13:14.318023 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:13:14.318338 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:13:17.613767 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:13:17.613932 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:13:20.280392 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:13:20.280469 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:13:25.302955 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:13:25.303021 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:13:28.848170 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:13:28.848307 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:13:36.001754 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:13:36.001803 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:13:38.107309 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:13:38.107341 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:13:38.682148 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:13:38.682209 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:13:51.136730 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:13:51.137103 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:13:54.581762 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:13:54.581893 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:14:06.286056 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:14:06.286220 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:14:09.244533 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:14:09.244630 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:14:09.975842 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:14:09.975965 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:14:17.010688 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:14:17.010820 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:14:22.701961 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:14:22.702012 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:14:23.893009 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:14:23.893168 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:14:27.909989 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:14:27.910042 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:14:31.718127 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:14:31.718277 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:14:43.241553 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:14:43.241712 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:14:45.117833 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:14:45.118063 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:14:57.743796 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:14:57.743891 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:14:59.869135 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:14:59.869170 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:15:00.134513 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:15:00.134595 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:15:02.675343 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:15:02.675384 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:15:16.564826 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:15:16.564893 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:15:21.255146 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:15:21.255334 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:15:22.290327 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:15:22.290481 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:15:24.305102 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:15:24.305238 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:15:25.726583 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:15:25.726764 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:15:36.755757 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:15:36.755827 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:15:41.803330 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:15:41.803421 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:15:42.953253 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:15:42.953388 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:15:51.066466 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:15:51.066613 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:15:57.318497 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:15:57.318558 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:15:59.023158 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:15:59.023290 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:16:07.471676 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:16:07.471724 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:16:10.415308 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:16:10.415466 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:16:13.293698 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:16:13.293792 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:16:18.200614 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:16:18.200742 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:16:31.362273 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:16:31.362385 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:16:32.821981 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:16:32.822023 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:16:34.524963 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:16:34.525085 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:16:35.451053 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:16:35.451094 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:16:47.160021 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:16:47.160287 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:16:48.653489 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:16:48.653655 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:16:55.824140 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:16:55.824266 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:17:04.652527 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:17:04.652816 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:17:05.463341 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:17:05.463407 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:17:08.675845 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:17:08.675986 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:17:11.706495 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:17:11.706708 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:17:17.902139 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:17:17.902210 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:17:23.462765 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:17:23.462820 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:17:25.736265 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:17:25.736379 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:17:26.625748 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:17:26.625807 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:17:26.647760 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:17:26.647827 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:17:44.684553 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:17:44.684660 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:17:49.378237 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:17:49.378396 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:17:57.385715 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:17:57.385777 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:17:57.849009 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:17:57.849117 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:18:07.155668 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:18:07.155782 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:18:12.778080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:18:12.778118 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:18:14.597196 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:18:14.597320 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:18:15.220126 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:18:15.220195 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:18:16.414731 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:18:16.414825 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:18:31.165930 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:18:31.166049 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:18:31.245263 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:18:31.245379 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:18:31.990625 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:18:31.990744 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:18:36.652906 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:18:36.652965 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:18:47.376075 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:18:47.376220 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:18:53.154034 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:18:53.154160 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:19:00.070656 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:19:00.070750 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:19:01.509545 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:19:01.509593 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:19:06.336606 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:19:06.336736 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:19:06.850944 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:19:06.851025 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:19:15.572886 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:19:15.572967 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:19:20.157037 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:19:20.157229 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:19:21.052080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:19:21.052201 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:19:24.811505 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:19:24.811648 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:19:33.925392 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:19:33.925491 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:19:39.480556 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:19:39.480598 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:19:42.589617 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:19:42.589666 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:19:51.232996 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:19:51.233131 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:19:59.420776 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:19:59.420819 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:20:05.176584 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:20:05.176743 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:20:09.842957 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:20:09.843075 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:20:13.730177 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:20:13.730299 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:20:17.430820 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:20:17.430919 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:20:20.819984 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:20:20.820031 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:20:22.029854 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:20:22.029970 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:20:22.716650 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:20:22.716685 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:20:40.767031 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:20:40.767286 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:20:46.294529 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:20:46.294691 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:20:49.074449 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:20:49.074558 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:20:50.355690 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:20:50.355886 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:20:52.407081 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:20:52.407241 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:20:57.461635 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:20:57.461680 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:21:00.972373 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:21:00.972481 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:21:01.960202 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:21:01.960408 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:21:21.173655 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:21:21.173817 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:21:23.004316 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:21:23.004374 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:21:32.470654 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:21:32.470821 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:21:34.344491 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:21:34.344633 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:21:36.950509 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:21:36.950649 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:21:41.006110 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:21:41.006310 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:21:44.037160 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:21:44.037377 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:21:44.795252 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:21:44.795309 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:21:46.104300 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:21:46.104428 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:21:53.204458 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:21:53.204560 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:22:09.853622 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:22:09.853792 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:22:12.369167 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:22:12.369320 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:22:13.595072 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:22:13.595200 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:22:18.910326 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:22:18.910393 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:22:20.707871 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:22:20.708089 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:22:25.250079 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:22:25.250297 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:22:28.200839 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:22:28.200913 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:22:29.010027 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:22:29.010123 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:22:29.979617 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:22:29.979690 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:22:46.521747 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:22:46.521965 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:22:51.547493 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:22:51.547605 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:23:06.638998 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:23:06.639229 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:23:07.585676 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:23:07.585773 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:23:07.719292 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:23:07.719448 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:23:09.867752 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:23:09.867879 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:23:11.588609 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:23:11.588674 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:23:23.711500 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:23:23.711693 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:23:25.145804 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:23:25.145972 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:23:33.406037 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:23:33.406207 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:23:43.821775 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:23:43.821911 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:23:44.675951 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:23:44.676021 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:23:46.384109 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:23:46.384280 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:23:59.734978 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:23:59.735283 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:24:00.856700 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:24:00.856853 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:24:06.608975 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:24:06.609209 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:24:08.311351 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:24:08.311463 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:24:10.440161 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:24:10.440217 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:24:16.766643 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:24:16.766739 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:24:18.844067 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:24:18.844298 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:24:23.040272 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:24:23.040323 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:24:24.251853 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:24:24.251951 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:24:44.822454 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:24:44.822717 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:24:48.460559 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:24:48.460739 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:24:48.853889 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:24:48.854106 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:24:56.939191 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:24:56.939510 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:24:59.628323 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:24:59.628421 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:25:01.411408 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:25:01.411514 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:25:03.454208 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:25:03.454455 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:25:15.111030 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:25:15.111314 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:25:22.458828 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:25:22.458980 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:25:33.934994 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:25:33.935161 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:25:35.352373 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:25:35.352574 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:25:35.353560 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:25:35.353669 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:25:42.565396 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:25:42.565690 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:25:42.617179 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:25:42.617254 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:25:42.989899 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:25:42.990042 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:25:49.913324 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:25:49.914302 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:25:53.105156 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:25:53.105261 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:25:58.611759 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:25:58.611928 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:26:18.718249 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:26:18.718369 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:26:19.094367 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:26:19.094427 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:26:22.499147 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:26:22.499242 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:26:26.628227 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:26:26.628396 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:26:29.434548 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:26:29.434637 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:26:40.412536 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:26:40.412721 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:26:40.729570 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:26:40.729738 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:26:45.055623 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:26:45.055871 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:26:51.982634 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:26:51.982689 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:26:58.109460 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:26:58.109515 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:27:07.799958 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:27:07.800069 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:27:08.957191 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:27:08.957335 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:27:10.535490 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:27:10.535605 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:27:14.415210 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:27:14.415318 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:27:17.410682 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:27:17.410769 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:27:19.655905 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:27:19.656084 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:27:36.311743 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:27:36.311815 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:27:40.726479 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:27:40.726608 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:27:43.800855 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:27:43.800974 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:27:46.666681 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:27:46.666731 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:27:49.406641 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:27:49.406760 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:27:51.298850 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:27:51.298967 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:27:57.117187 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:27:57.117225 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:27:59.543491 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:27:59.543548 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:28:09.933536 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:28:09.933696 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:28:19.655838 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:28:19.655888 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:28:20.981156 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:28:20.981252 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:28:22.020167 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:28:22.020257 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:28:34.220440 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:28:34.220501 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:28:40.638474 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:28:40.638584 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:28:41.601610 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:28:41.601702 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:28:42.615840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:28:42.615943 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:28:46.360773 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:28:46.360946 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:28:54.438454 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:28:54.438613 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:28:55.897988 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:28:55.898092 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:28:56.558082 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:28:56.558177 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:29:11.435828 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:29:11.435891 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:29:19.667236 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:29:19.667369 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:29:20.017418 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:29:20.017565 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:29:20.814244 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:29:20.814408 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:29:34.666704 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:29:34.666786 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:29:41.281418 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:29:41.281513 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:29:42.195119 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:29:42.195200 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:29:43.714682 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:29:43.714924 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:29:43.821120 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:29:43.821172 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:29:53.606531 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:29:53.606730 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:29:55.443929 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:29:55.443976 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:30:12.663332 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:30:12.663584 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:30:16.804852 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:30:16.804987 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:30:19.078856 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:30:19.078957 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:30:20.165811 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:30:20.165877 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:30:23.489562 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:30:23.489630 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:30:28.216445 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:30:28.216586 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:30:33.057110 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:30:33.057214 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:30:34.574741 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:30:34.574874 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:30:42.681477 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:30:42.681600 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:30:48.972125 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:30:48.972212 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:30:59.151077 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:30:59.151174 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:30:59.207160 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:30:59.207208 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:31:06.844731 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:31:06.844910 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:31:10.970266 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:31:10.970412 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:31:14.312994 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:31:14.313154 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:31:16.944179 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:31:16.944222 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:31:17.397530 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:31:17.397599 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:31:19.569323 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:31:19.569394 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:31:31.329701 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:31:31.329801 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:31:34.370711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:31:34.370905 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:31:47.079147 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:31:47.079296 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:31:50.154498 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:31:50.154612 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:31:52.171401 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:31:52.171515 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:31:56.116343 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:31:56.116401 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:32:02.845169 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:32:02.845248 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:32:06.014998 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:32:06.015133 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:32:12.042466 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:32:12.042540 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:32:18.979724 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:32:18.979791 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:32:26.381649 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:32:26.381718 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:32:31.464461 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:32:31.464523 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:32:32.347274 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:32:32.347357 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:32:40.443090 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:32:40.443231 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:32:43.288732 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:32:43.288768 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:32:44.770090 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:32:44.770217 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:32:51.843434 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:32:51.843475 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:32:59.425401 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:32:59.425531 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:32:59.908562 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:32:59.908683 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:33:05.810707 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:33:05.810811 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:33:09.880856 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:33:09.880968 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:33:21.651285 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:33:21.651396 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:33:25.275711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:33:25.275853 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:33:32.478130 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:33:32.478226 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:33:37.473489 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:33:37.473529 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:33:45.334828 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:33:45.334924 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:33:49.751843 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:33:49.751943 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:33:51.180701 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:33:51.180758 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:33:57.790879 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:33:57.791156 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:34:01.906220 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:34:01.906346 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:34:10.463253 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:34:10.463459 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:34:20.088416 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:34:20.088514 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:34:23.982372 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:34:23.982528 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:34:30.423742 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:34:30.423891 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:34:33.219572 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:34:33.219751 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:34:38.315838 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:34:38.315938 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:34:39.727372 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:34:39.727472 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:34:41.532949 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:34:41.533000 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:34:50.742218 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:34:50.742393 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:34:54.098361 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:34:54.098463 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:35:02.482027 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:35:02.482138 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:35:03.135401 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:35:03.135476 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:35:14.965122 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:35:14.965260 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:35:16.621733 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:35:16.621776 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:35:17.473784 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:35:17.473823 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:35:21.600301 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:35:21.600354 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:35:22.044384 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:35:22.044498 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:35:29.263425 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:35:29.263583 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:35:38.772233 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:35:38.772412 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:35:42.574892 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:35:42.575005 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:35:48.633121 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:35:48.633252 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:35:49.865758 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:35:49.865916 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:36:05.010840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:36:05.010973 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:36:06.775890 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:36:06.776012 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:36:15.189263 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:36:15.189324 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:36:16.921515 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:36:16.921684 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:36:20.311383 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:36:20.311515 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:36:20.796721 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:36:20.796791 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:36:23.319439 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:36:23.319537 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:36:25.601022 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:36:25.601067 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:36:25.765008 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:36:25.765176 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:36:50.676870 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:36:50.676977 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:36:51.427840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:36:51.427890 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:36:53.846982 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:36:53.847033 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:36:58.555452 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:36:58.555643 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:36:58.599946 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:36:58.599994 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:36:58.604460 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:36:58.604492 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:36:59.821163 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:36:59.821258 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:37:05.303430 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:37:05.303532 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:37:06.499164 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:37:06.499323 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:37:30.215738 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:37:30.215878 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:37:40.299556 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:37:40.299861 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:37:41.566601 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:37:41.566855 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:37:44.542555 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:37:44.542670 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:37:47.842864 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:37:47.842941 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:37:48.850516 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:37:48.850569 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:37:49.712680 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:37:49.712850 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:37:50.299840 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:37:50.299886 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:37:57.050573 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:37:57.050699 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:38:14.134702 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:38:14.135028 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:38:18.606500 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:38:18.606534 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:38:25.082529 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:38:25.082691 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:38:25.475486 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:38:25.475544 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:38:25.858627 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:38:25.858746 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:38:25.868865 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:38:25.868915 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:38:31.002586 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:38:31.002696 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:38:31.044027 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:38:31.044086 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:38:33.257033 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:38:33.257132 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:38:53.072255 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:38:53.072307 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:38:54.113122 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:38:54.113163 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:39:00.558707 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:39:00.558929 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:39:02.301196 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:39:02.301353 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:39:02.524272 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:39:02.524798 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:39:02.789080 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:39:02.789169 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:39:02.967341 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:39:02.967397 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:39:12.821367 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:39:12.821412 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:39:17.581328 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:39:17.581399 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:39:31.492256 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:39:31.492366 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:39:36.306129 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:39:36.306304 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:39:44.344691 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:39:44.344882 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:39:48.732421 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:39:48.732588 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:39:53.341136 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:39:53.341304 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:39:54.642227 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:39:54.642317 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:40:00.126248 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:40:00.126294 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:40:00.819369 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:40:00.819493 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:40:02.120085 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:40:02.120173 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:40:30.370229 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:40:30.370356 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:40:35.801097 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:40:35.801379 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:40:37.139276 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:40:37.139424 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:40:39.055355 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:40:39.055427 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:40:43.656964 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:40:43.657022 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:40:45.404654 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:40:45.404822 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:40:48.632377 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:40:48.632449 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:40:51.488619 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:40:51.488697 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:41:01.318100 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:41:01.318194 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:41:05.879653 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:41:05.879821 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:41:16.535794 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:41:16.535928 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:41:20.817324 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:41:20.817463 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:41:23.174394 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:41:23.174679 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:41:27.150756 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:41:27.150884 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:41:29.024714 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:41:29.024787 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:41:30.201947 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:41:30.202006 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:41:39.314521 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:41:39.314608 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:41:47.868133 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:41:47.868562 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:41:48.845661 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:41:48.845741 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:42:04.631479 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:42:04.631823 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:42:09.532668 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:42:09.532921 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:42:11.650911 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:42:11.651032 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:42:14.198155 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:42:14.198255 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:42:18.686068 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:42:18.686253 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:42:19.161904 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:42:19.162014 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:42:22.483087 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:42:22.483169 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:42:32.751119 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:42:32.751294 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:42:42.631401 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:42:42.631670 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:42:46.490925 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:42:46.491128 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:42:51.113040 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:42:51.113204 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:42:51.286883 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:42:51.287009 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:42:56.515081 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:42:56.515159 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:42:58.709477 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:42:58.709542 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:43:01.259248 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:43:01.259444 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:43:03.943600 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:43:03.943645 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:43:05.031915 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:43:05.032088 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:43:17.194042 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:43:17.194124 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:43:29.581923 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:43:29.581961 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:43:30.305232 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:43:30.305304 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:43:33.783653 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:43:33.783721 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:43:38.233320 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:43:38.233410 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:43:45.227629 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:43:45.227805 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:43:47.105361 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:43:47.105465 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:43:57.716210 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:43:57.716347 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:44:03.396664 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:44:03.397056 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:44:06.245618 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:44:06.245754 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:44:13.384137 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:44:13.384366 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:44:22.852526 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:44:22.852650 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:44:27.528867 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:44:27.528940 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:44:28.156164 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:44:28.156261 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:44:35.797057 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:44:35.797180 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:44:41.632989 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:44:41.633126 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:44:44.811962 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:44:44.812015 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:44:47.377746 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:44:47.377859 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:44:48.371953 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:44:48.372076 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:44:51.725755 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:44:51.725859 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:44:55.717522 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:44:55.717669 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:45:02.274737 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:45:02.274870 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:45:06.826555 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:45:06.826647 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:45:09.288422 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:45:09.288516 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:45:17.424697 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:45:17.425042 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:45:42.738316 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:45:42.738553 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:45:43.925634 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:45:43.925728 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:45:44.135789 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:45:44.135892 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:45:46.846191 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:45:46.846231 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:45:47.467369 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:45:47.467485 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:45:48.970005 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:45:48.970095 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:45:56.644849 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:45:56.645080 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:45:59.139592 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:45:59.139681 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:46:03.043717 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope -E0502 11:46:03.043866 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:46:26.490960 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "transportservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:46:26.491038 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.TransportServer: failed to list *v1.TransportServer: transportservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"transportservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:46:30.767624 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualserverroutes" in API group "k8s.nginx.org" at the cluster scope -E0502 11:46:30.767734 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServerRoute: failed to list *v1.VirtualServerRoute: virtualserverroutes.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualserverroutes\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:46:31.076482 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "services" in API group "" at the cluster scope -E0502 11:46:31.076660 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:46:36.824477 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "virtualservers" in API group "k8s.nginx.org" at the cluster scope -E0502 11:46:36.824591 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.VirtualServer: failed to list *v1.VirtualServer: virtualservers.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"virtualservers\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" -W0502 11:46:41.567069 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope -E0502 11:46:41.567207 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError" -W0502 11:46:43.075711 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "pods" in API group "" at the cluster scope -E0502 11:46:43.075806 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:46:50.602327 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "secrets" in API group "" at the cluster scope -E0502 11:46:50.602716 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" -W0502 11:46:50.976617 1 reflector.go:569] pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User "system:serviceaccount:default:nginx-ingress" cannot list resource "policies" in API group "k8s.nginx.org" at the cluster scope -E0502 11:46:50.976687 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.3/tools/cache/reflector.go:251: Failed to watch *v1.Policy: failed to list *v1.Policy: policies.k8s.nginx.org is forbidden: User \"system:serviceaccount:default:nginx-ingress\" cannot list resource \"policies\" in API group \"k8s.nginx.org\" at the cluster scope" logger="UnhandledError" diff --git a/internal/certmanager/cm_controller_test.go b/internal/certmanager/cm_controller_test.go index bdf4beb90d..2d0cde941d 100644 --- a/internal/certmanager/cm_controller_test.go +++ b/internal/certmanager/cm_controller_test.go @@ -140,8 +140,8 @@ func Test_controller_Register(t *testing.T) { ig := make(map[string]*namespacedInformer) nsi := &namespacedInformer{ - cmSharedInformerFactory: b.SharedInformerFactory, - kubeSharedInformerFactory: b.KubeSharedInformerFactory, + cmSharedInformerFactory: b.Context.SharedInformerFactory, + kubeSharedInformerFactory: b.Context.KubeSharedInformerFactory, vsSharedInformerFactory: b.VsSharedInformerFactory, } diff --git a/internal/certmanager/helper.go b/internal/certmanager/helper.go index 39a30c29b8..7f076cd254 100644 --- a/internal/certmanager/helper.go +++ b/internal/certmanager/helper.go @@ -118,10 +118,10 @@ func translateVsSpec(crt *cmapi.Certificate, vsCmSpec *vsapi.CertManager) error } if vsCmSpec.IssueTempCert { - if crt.Annotations == nil { - crt.Annotations = make(map[string]string) + if crt.ObjectMeta.Annotations == nil { + crt.ObjectMeta.Annotations = make(map[string]string) } - crt.Annotations[certMgrTempCertAnnotation] = "true" + crt.ObjectMeta.Annotations[certMgrTempCertAnnotation] = "true" } if len(errs) > 0 { diff --git a/internal/certmanager/helper_test.go b/internal/certmanager/helper_test.go index 3880a3afeb..4824e28852 100644 --- a/internal/certmanager/helper_test.go +++ b/internal/certmanager/helper_test.go @@ -87,7 +87,7 @@ func Test_translateVsSpec(t *testing.T) { a.Equal(&metav1.Duration{Duration: time.Hour * 24 * 7}, crt.Spec.Duration) a.Equal(&metav1.Duration{Duration: time.Hour * 24}, crt.Spec.RenewBefore) a.Equal([]cmapi.KeyUsage{cmapi.UsageServerAuth, cmapi.UsageSigning}, crt.Spec.Usages) - a.Equal("true", crt.Annotations[certMgrTempCertAnnotation]) + a.Equal("true", crt.ObjectMeta.Annotations[certMgrTempCertAnnotation]) }, }, "nil cm spec": { diff --git a/internal/certmanager/sync.go b/internal/certmanager/sync.go index a8a0d0a566..5b362a7b83 100644 --- a/internal/certmanager/sync.go +++ b/internal/certmanager/sync.go @@ -33,6 +33,7 @@ import ( apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/client-go/tools/record" nl "github.com/nginx/kubernetes-ingress/internal/logger" @@ -137,7 +138,7 @@ func buildCertificates( return nil, nil, err } - controllerGVK := vsGVK + var controllerGVK schema.GroupVersionKind = vsGVK hosts := []string{vs.Spec.Host} crt := &cmapi.Certificate{ diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go index e7c85acee2..d7ebe63c4b 100644 --- a/internal/configs/configurator.go +++ b/internal/configs/configurator.go @@ -1275,7 +1275,7 @@ func (cnf *Configurator) updatePlusEndpoints(ingEx *IngressEx) error { } for _, rule := range ingEx.Ingress.Spec.Rules { - if rule.HTTP == nil { + if rule.IngressRuleValue.HTTP == nil { continue } @@ -1540,7 +1540,7 @@ func (cnf *Configurator) BatchDeleteIngresses(deletedKeys []string) []error { } func keyToFileName(key string) string { - return strings.ReplaceAll(key, "/", "-") + return strings.Replace(key, "/", "-", -1) } func objectMetaToFileName(meta *meta_v1.ObjectMeta) string { @@ -1560,12 +1560,12 @@ func getFileNameForTransportServer(transportServer *conf_v1.TransportServer) str } func getFileNameForVirtualServerFromKey(key string) string { - replaced := strings.ReplaceAll(key, "/", "_") + replaced := strings.Replace(key, "/", "_", -1) return fmt.Sprintf("vs_%s", replaced) } func getFileNameForTransportServerFromKey(key string) string { - replaced := strings.ReplaceAll(key, "/", "_") + replaced := strings.Replace(key, "/", "_", -1) return fmt.Sprintf("ts_%s", replaced) } diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index 93fc8bf4b6..9cc56a1942 100644 --- a/internal/configs/virtualserver.go +++ b/internal/configs/virtualserver.go @@ -403,7 +403,11 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig( vsc.clearWarnings() var maps []version2.Map - useCustomListeners := vsEx.VirtualServer.Spec.Listener != nil + useCustomListeners := false + + if vsEx.VirtualServer.Spec.Listener != nil { + useCustomListeners = true + } sslConfig := vsc.generateSSLConfig(vsEx.VirtualServer, vsEx.VirtualServer.Spec.TLS, vsEx.VirtualServer.Namespace, vsEx.SecretRefs, vsc.cfgParams) tlsRedirectConfig := generateTLSRedirectConfig(vsEx.VirtualServer.Spec.TLS) @@ -1501,7 +1505,7 @@ func (p *policiesCfg) addAPIKeyConfig( } func rfc1123ToSnake(rfc1123String string) string { - return strings.ReplaceAll(rfc1123String, "-", "_") + return strings.Replace(rfc1123String, "-", "_", -1) } func generateAPIKeyClients(secretData map[string][]byte) []apiKeyClient { @@ -2192,10 +2196,9 @@ func GenerateExternalNameSvcKey(namespace string, service string) string { } func generateLBMethod(method string, defaultMethod string) string { - switch method { - case "": + if method == "" { return defaultMethod - case "round_robin": + } else if method == "round_robin" { return "" } return method @@ -2227,7 +2230,10 @@ func generateRewrites(path string, proxy *conf_v1.ActionProxy, internal bool, or path = originalPath } - isRegex := strings.HasPrefix(path, "~") + isRegex := false + if strings.HasPrefix(path, "~") { + isRegex = true + } trimmedPath := strings.TrimPrefix(strings.TrimPrefix(path, "~"), "*") trimmedPath = strings.TrimSpace(trimmedPath) diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index f9d61d42b3..106e4162e2 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -2899,8 +2899,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpAndHttpsListeners(t *testing.T Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.Namespace, - VSName: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.Name, + VSNamespace: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithCustomHTTPAndHTTPSListeners.VirtualServer.ObjectMeta.Name, DisableIPV6: true, HTTPPort: virtualServerExWithCustomHTTPAndHTTPSListeners.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPAndHTTPSListeners.HTTPSPort, @@ -2948,8 +2948,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPListener.VirtualServer.Namespace, - VSName: virtualServerExWithCustomHTTPListener.VirtualServer.Name, + VSNamespace: virtualServerExWithCustomHTTPListener.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithCustomHTTPListener.VirtualServer.ObjectMeta.Name, DisableIPV6: true, HTTPPort: virtualServerExWithCustomHTTPListener.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPListener.HTTPSPort, @@ -2997,8 +2997,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpsListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPSListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPSListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPSListener.VirtualServer.Namespace, - VSName: virtualServerExWithCustomHTTPSListener.VirtualServer.Name, + VSNamespace: virtualServerExWithCustomHTTPSListener.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithCustomHTTPSListener.VirtualServer.ObjectMeta.Name, DisableIPV6: true, HTTPPort: virtualServerExWithCustomHTTPSListener.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPSListener.HTTPSPort, @@ -3046,8 +3046,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpAndHttpsIPListeners(t *testing Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Namespace, - VSName: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Name, + VSNamespace: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.ObjectMeta.Name, DisableIPV6: false, HTTPPort: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPSPort, @@ -3099,8 +3099,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpIPListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPIPListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPIPListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPIPListener.VirtualServer.Namespace, - VSName: virtualServerExWithCustomHTTPIPListener.VirtualServer.Name, + VSNamespace: virtualServerExWithCustomHTTPIPListener.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithCustomHTTPIPListener.VirtualServer.ObjectMeta.Name, DisableIPV6: false, HTTPPort: virtualServerExWithCustomHTTPIPListener.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPIPListener.HTTPSPort, @@ -3152,8 +3152,8 @@ func TestGenerateVirtualServerConfigWithCustomHttpsIPListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithCustomHTTPSIPListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithCustomHTTPSIPListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithCustomHTTPSIPListener.VirtualServer.Namespace, - VSName: virtualServerExWithCustomHTTPSIPListener.VirtualServer.Name, + VSNamespace: virtualServerExWithCustomHTTPSIPListener.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithCustomHTTPSIPListener.VirtualServer.ObjectMeta.Name, DisableIPV6: false, HTTPPort: virtualServerExWithCustomHTTPSIPListener.HTTPPort, HTTPSPort: virtualServerExWithCustomHTTPSIPListener.HTTPSPort, @@ -3205,8 +3205,8 @@ func TestGenerateVirtualServerConfigWithNilListener(t *testing.T) { Server: version2.Server{ ServerName: virtualServerExWithNilListener.VirtualServer.Spec.Host, StatusZone: virtualServerExWithNilListener.VirtualServer.Spec.Host, - VSNamespace: virtualServerExWithNilListener.VirtualServer.Namespace, - VSName: virtualServerExWithNilListener.VirtualServer.Name, + VSNamespace: virtualServerExWithNilListener.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithNilListener.VirtualServer.ObjectMeta.Name, DisableIPV6: true, HTTPPort: virtualServerExWithNilListener.HTTPPort, HTTPSPort: virtualServerExWithNilListener.HTTPSPort, diff --git a/internal/externaldns/sync.go b/internal/externaldns/sync.go index 7c717364b0..0cc6448deb 100644 --- a/internal/externaldns/sync.go +++ b/internal/externaldns/sync.go @@ -12,6 +12,7 @@ import ( clientset "github.com/nginx/kubernetes-ingress/pkg/client/clientset/versioned" extdnslisters "github.com/nginx/kubernetes-ingress/pkg/client/listers/externaldns/v1" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime/schema" validators "k8s.io/apimachinery/pkg/util/validation" "k8s.io/apimachinery/pkg/util/validation/field" @@ -149,19 +150,19 @@ func buildDNSEndpoint(ctx context.Context, extdnsLister extdnslisters.DNSEndpoin var err error l := nl.LoggerFromContext(ctx) - existingDNSEndpoint, err = extdnsLister.DNSEndpoints(vs.Namespace).Get(vs.Name) + existingDNSEndpoint, err = extdnsLister.DNSEndpoints(vs.Namespace).Get(vs.ObjectMeta.Name) if !apierrors.IsNotFound(err) && err != nil { return nil, nil, err } - controllerGVK := vsGVK + var controllerGVK schema.GroupVersionKind = vsGVK ownerRef := *metav1.NewControllerRef(vs, controllerGVK) blockOwnerDeletion := false ownerRef.BlockOwnerDeletion = &blockOwnerDeletion dnsEndpoint := &extdnsapi.DNSEndpoint{ ObjectMeta: metav1.ObjectMeta{ - Name: vs.Name, + Name: vs.ObjectMeta.Name, Namespace: vs.Namespace, Labels: vs.Labels, OwnerReferences: []metav1.OwnerReference{ownerRef}, @@ -245,7 +246,7 @@ func buildProviderSpecificProperties(extdnsSpec vsapi.ExternalDNS) extdnsapi.Pro } func extdnsendpointNeedsUpdate(dnsA, dnsB *extdnsapi.DNSEndpoint) bool { - if !cmp.Equal(dnsA.Name, dnsB.Name) { + if !cmp.Equal(dnsA.ObjectMeta.Name, dnsB.ObjectMeta.Name) { return true } if !cmp.Equal(dnsA.Labels, dnsB.Labels) { diff --git a/internal/k8s/appprotect_dos.go b/internal/k8s/appprotect_dos.go index a85ce22411..babfcd2425 100644 --- a/internal/k8s/appprotect_dos.go +++ b/internal/k8s/appprotect_dos.go @@ -207,8 +207,7 @@ func (lbc *LoadBalancerController) processAppProtectDosChanges(changes []appprot nl.Debugf(lbc.Logger, "Processing %v App Protect Dos changes", len(changes)) for _, c := range changes { - switch c.Op { - case appprotectdos.AddOrUpdate: + if c.Op == appprotectdos.AddOrUpdate { switch impl := c.Resource.(type) { case *appprotectdos.DosProtectedResourceEx: nl.Debugf(lbc.Logger, "handling change UPDATE OR ADD for DOS protected %s/%s", impl.Obj.Namespace, impl.Obj.Name) @@ -232,7 +231,7 @@ func (lbc *LoadBalancerController) processAppProtectDosChanges(changes []appprot } lbc.recorder.Event(impl.Obj, eventType, eventTitle, msg) } - case appprotectdos.Delete: + } else if c.Op == appprotectdos.Delete { switch impl := c.Resource.(type) { case *appprotectdos.DosPolicyEx: lbc.configurator.DeleteAppProtectDosPolicy(impl.Obj) diff --git a/internal/k8s/appprotect_waf.go b/internal/k8s/appprotect_waf.go index 600018efb1..8ed8748f23 100644 --- a/internal/k8s/appprotect_waf.go +++ b/internal/k8s/appprotect_waf.go @@ -356,8 +356,7 @@ func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect nl.Debugf(lbc.Logger, "Processing %v App Protect changes", len(changes)) for _, c := range changes { - switch c.Op { - case appprotect.AddOrUpdate: + if c.Op == appprotect.AddOrUpdate { switch impl := c.Resource.(type) { case *appprotect.PolicyEx: namespace := impl.Obj.GetNamespace() @@ -388,7 +387,7 @@ func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr) lbc.recorder.Eventf(impl.Obj, api_v1.EventTypeNormal, nl.EventReasonAddedOrUpdated, "AppProtectLogConfig %v was added or updated", namespace+"/"+name) } - case appprotect.Delete: + } else if c.Op == appprotect.Delete { switch impl := c.Resource.(type) { case *appprotect.PolicyEx: namespace := impl.Obj.GetNamespace() diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 62a9e0efe5..dcdca18b94 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -1276,8 +1276,7 @@ func (lbc *LoadBalancerController) processChanges(changes []ResourceChange) { nl.Debugf(lbc.Logger, "Processing %v changes", len(changes)) for _, c := range changes { - switch c.Op { - case AddOrUpdate: + if c.Op == AddOrUpdate { switch impl := c.Resource.(type) { case *VirtualServerConfiguration: vsEx := lbc.createVirtualServerEx(impl.VirtualServer, impl.VirtualServerRoutes) @@ -1302,7 +1301,7 @@ func (lbc *LoadBalancerController) processChanges(changes []ResourceChange) { warnings, addOrUpdateErr := lbc.configurator.AddOrUpdateTransportServer(tsEx) lbc.updateTransportServerStatusAndEvents(impl, warnings, addOrUpdateErr) } - case Delete: + } else if c.Op == Delete { switch impl := c.Resource.(type) { case *VirtualServerConfiguration: key := getResourceKey(&impl.VirtualServer.ObjectMeta) @@ -2294,7 +2293,7 @@ func (lbc *LoadBalancerController) createIngressEx(ing *networking.Ingress, vali } // check if rule has any paths - if rule.HTTP == nil { + if rule.IngressRuleValue.HTTP == nil { continue } @@ -3081,7 +3080,7 @@ func findProbeForPods(pods []*api_v1.Pod, svcPort *api_v1.ServicePort) *api_v1.P for _, port := range container.Ports { if compareContainerPortAndServicePort(port, *svcPort) { // only http ReadinessProbes are useful for us - if container.ReadinessProbe != nil && container.ReadinessProbe.HTTPGet != nil && container.ReadinessProbe.PeriodSeconds > 0 { + if container.ReadinessProbe != nil && container.ReadinessProbe.ProbeHandler.HTTPGet != nil && container.ReadinessProbe.PeriodSeconds > 0 { return container.ReadinessProbe } } @@ -3556,13 +3555,12 @@ func (lbc *LoadBalancerController) haltIfVSConfigInvalid(vsNew *conf_v1.VirtualS } for _, c := range changes { - switch c.Op { - case AddOrUpdate: + if c.Op == AddOrUpdate { switch impl := c.Resource.(type) { case *VirtualServerConfiguration: lbc.updateVirtualServerStatusAndEvents(impl, configs.Warnings{}, nil) } - case Delete: + } else if c.Op == Delete { switch impl := c.Resource.(type) { case *VirtualServerConfiguration: key := getResourceKey(&impl.VirtualServer.ObjectMeta) @@ -3648,7 +3646,7 @@ func (lbc *LoadBalancerController) vsrHasWeightChanges(vsrOld *conf_v1.VirtualSe } func (lbc *LoadBalancerController) createCombinedDeploymentHeadlessServiceName() string { - owner := lbc.metadata.pod.OwnerReferences[0] + owner := lbc.metadata.pod.ObjectMeta.OwnerReferences[0] name := owner.Name if strings.ToLower(owner.Kind) == "replicaset" { if dash := strings.LastIndex(name, "-"); dash != -1 { diff --git a/internal/k8s/global_configuration.go b/internal/k8s/global_configuration.go index 8869f121e9..4e87ca1d70 100644 --- a/internal/k8s/global_configuration.go +++ b/internal/k8s/global_configuration.go @@ -123,25 +123,23 @@ func (lbc *LoadBalancerController) processChangesFromGlobalConfiguration(changes for _, c := range changes { switch impl := c.Resource.(type) { case *VirtualServerConfiguration: - switch c.Op { - case AddOrUpdate: + if c.Op == AddOrUpdate { vsEx := lbc.createVirtualServerEx(impl.VirtualServer, impl.VirtualServerRoutes) updatedVSExes = append(updatedVSExes, vsEx) updatedResources = append(updatedResources, impl) - case Delete: + } else if c.Op == Delete { key := getResourceKey(&impl.VirtualServer.ObjectMeta) deletedVSKeys = append(deletedVSKeys, key) } case *TransportServerConfiguration: - switch c.Op { - case AddOrUpdate: + if c.Op == AddOrUpdate { tsEx := lbc.createTransportServerEx(impl.TransportServer, impl.ListenerPort, impl.IPv4, impl.IPv6) updatedTSExes = append(updatedTSExes, tsEx) updatedResources = append(updatedResources, impl) - case Delete: + } else if c.Op == Delete { key := getResourceKey(&impl.TransportServer.ObjectMeta) deletedTSKeys = append(deletedTSKeys, key) diff --git a/internal/k8s/reference_checkers.go b/internal/k8s/reference_checkers.go index 4855a9522d..97c522691a 100644 --- a/internal/k8s/reference_checkers.go +++ b/internal/k8s/reference_checkers.go @@ -121,10 +121,10 @@ func (rc *serviceReferenceChecker) IsReferencedByIngress(svcNamespace string, sv } } for _, rules := range ing.Spec.Rules { - if rules.HTTP == nil { + if rules.IngressRuleValue.HTTP == nil { continue } - for _, p := range rules.HTTP.Paths { + for _, p := range rules.IngressRuleValue.HTTP.Paths { if p.Backend.Service.Name == svcName { return true } diff --git a/internal/k8s/status.go b/internal/k8s/status.go index 0352d8d8c3..a9c8c49b1b 100644 --- a/internal/k8s/status.go +++ b/internal/k8s/status.go @@ -230,14 +230,13 @@ var ( ) func isRequiredPort(port intstr.IntOrString) bool { - switch port.Type { - case intstr.Int: + if port.Type == intstr.Int { for _, p := range intPorts { if p == port.IntVal { return true } } - case intstr.String: + } else if port.Type == intstr.String { for _, p := range stringPorts { if p == port.StrVal { return true diff --git a/internal/k8s/status_test.go b/internal/k8s/status_test.go index 4513ed4dd9..a3911a6b85 100644 --- a/internal/k8s/status_test.go +++ b/internal/k8s/status_test.go @@ -238,7 +238,7 @@ func TestStatusUpdateWithExternalStatusAndExternalService(t *testing.T) { }, ) - err := ingLister.Add(&ing) + err := ingLister.Store.Add(&ing) if err != nil { t.Errorf("Error adding Ingress to the ingress lister: %v", err) } @@ -357,7 +357,7 @@ func TestStatusUpdateWithExternalStatusAndIngressLink(t *testing.T) { }, ) - err := ingLister.Add(&ing) + err := ingLister.Store.Add(&ing) if err != nil { t.Errorf("Error adding Ingress to the ingress lister: %v", err) } diff --git a/internal/k8s/utils.go b/internal/k8s/utils.go index a7ebd97087..3b8618054b 100644 --- a/internal/k8s/utils.go +++ b/internal/k8s/utils.go @@ -42,7 +42,7 @@ type storeToIngressLister struct { // GetByKeySafe calls Store.GetByKeySafe and returns a copy of the ingress, so it is // safe to modify. func (s *storeToIngressLister) GetByKeySafe(key string) (ing *networking.Ingress, exists bool, err error) { - item, exists, err := s.GetByKey(key) + item, exists, err := s.Store.GetByKey(key) if !exists || err != nil { return nil, exists, err } @@ -91,7 +91,7 @@ type storeToEndpointSliceLister struct { // GetServiceEndpointSlices returns the endpoints of a service, matched on service name. func (s *storeToEndpointSliceLister) GetServiceEndpointSlices(svc *v1.Service) (endpointSlices []discovery_v1.EndpointSlice, err error) { - for _, epStore := range s.List() { + for _, epStore := range s.Store.List() { ep := *epStore.(*discovery_v1.EndpointSlice) if svc.Name == ep.Labels["kubernetes.io/service-name"] && svc.Namespace == ep.Namespace { endpointSlices = append(endpointSlices, ep) diff --git a/internal/metrics/collectors/processes.go b/internal/metrics/collectors/processes.go index 67ae70ce46..21763f0fe8 100644 --- a/internal/metrics/collectors/processes.go +++ b/internal/metrics/collectors/processes.go @@ -72,10 +72,9 @@ func getWorkerProcesses() (int, int, error) { } text := string(bytes.TrimRight(content, "\x00")) - switch text { - case "nginx: worker process": + if text == "nginx: worker process" { workerProcesses++ - case "nginx: worker process is shutting down": + } else if text == "nginx: worker process is shutting down" { prevWorkerProcesses++ } } diff --git a/nginx-ingress/.helmignore b/nginx-ingress/.helmignore deleted file mode 100644 index c1347c2c27..0000000000 --- a/nginx-ingress/.helmignore +++ /dev/null @@ -1,2 +0,0 @@ -# Patterns to ignore when building packages. -*.png diff --git a/nginx-ingress/Chart.yaml b/nginx-ingress/Chart.yaml deleted file mode 100644 index 98e0157a33..0000000000 --- a/nginx-ingress/Chart.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v2 -appVersion: 5.0.0 -description: NGINX Ingress Controller -home: https://github.com/nginx/kubernetes-ingress -icon: https://raw.githubusercontent.com/nginx/kubernetes-ingress/v5.0.0/charts/nginx-ingress/chart-icon.png -keywords: -- ingress -- nginx -kubeVersion: '>= 1.23.0-0' -maintainers: -- email: kubernetes@nginx.com - name: nginx -name: nginx-ingress -sources: -- https://github.com/nginx/kubernetes-ingress/tree/v5.0.0/charts/nginx-ingress -type: application -version: 2.1.0 diff --git a/nginx-ingress/README.md b/nginx-ingress/README.md deleted file mode 100644 index ff68d539d2..0000000000 --- a/nginx-ingress/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Helm Documentation - -Please refer to the [Installation with Helm](https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/) guide in the NGINX Ingress Controller documentation site. diff --git a/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml b/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml deleted file mode 100644 index 8aacce99c3..0000000000 --- a/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml +++ /dev/null @@ -1,83 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: aplogconfs.appprotect.f5.com -spec: - group: appprotect.f5.com - names: - kind: APLogConf - listKind: APLogConfList - plural: aplogconfs - singular: aplogconf - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APLogConf is the Schema for the APLogConfs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APLogConfSpec defines the desired state of APLogConf - properties: - content: - properties: - escaping_characters: - items: - properties: - from: - type: string - to: - type: string - type: object - type: array - format: - enum: - - splunk - - arcsight - - default - - user-defined - - grpc - type: string - format_string: - type: string - list_delimiter: - type: string - list_prefix: - type: string - list_suffix: - type: string - max_message_size: - pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ - type: string - max_request_size: - pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|[1-9][0-9]{3}|10[0-2][0-9][0-9]|[1-9]k|10k|any)$ - type: string - type: object - filter: - properties: - request_type: - enum: - - all - - illegal - - blocked - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml b/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml deleted file mode 100644 index 4929c96247..0000000000 --- a/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml +++ /dev/null @@ -1,2172 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: appolicies.appprotect.f5.com -spec: - group: appprotect.f5.com - names: - kind: APPolicy - listKind: APPolicyList - plural: appolicies - singular: appolicy - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APPolicyConfig is the Schema for the APPolicyconfigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APPolicySpec defines the desired state of APPolicy - properties: - modifications: - items: - properties: - action: - type: string - description: - type: string - entity: - properties: - name: - type: string - type: object - entityChanges: - properties: - type: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - modificationsReference: - properties: - link: - pattern: ^http - type: string - type: object - policy: - description: Defines the App Protect policy - properties: - applicationLanguage: - enum: - - iso-8859-10 - - iso-8859-6 - - windows-1255 - - auto-detect - - koi8-r - - gb18030 - - iso-8859-8 - - windows-1250 - - iso-8859-9 - - windows-1252 - - iso-8859-16 - - gb2312 - - iso-8859-2 - - iso-8859-5 - - windows-1257 - - windows-1256 - - iso-8859-13 - - windows-874 - - windows-1253 - - iso-8859-3 - - euc-jp - - utf-8 - - gbk - - windows-1251 - - big5 - - iso-8859-1 - - shift_jis - - euc-kr - - iso-8859-4 - - iso-8859-7 - - iso-8859-15 - type: string - blocking-settings: - properties: - evasions: - items: - properties: - description: - enum: - - '%u decoding' - - Apache whitespace - - Bad unescape - - Bare byte decoding - - Directory traversals - - IIS backslashes - - IIS Unicode codepoints - - Multiple decoding - - Multiple slashes - - Semicolon path parameters - - Trailing dot - - Trailing slash - type: string - enabled: - type: boolean - maxDecodingPasses: - type: integer - type: object - type: array - http-protocols: - items: - properties: - description: - enum: - - Unescaped space in URL - - Unparsable request content - - Several Content-Length headers - - 'POST request with Content-Length: 0' - - Null in request - - No Host header in HTTP/1.1 request - - Multiple host headers - - Host header contains IP address - - High ASCII characters in headers - - Header name with no header value - - CRLF characters before request start - - Content length should be a positive number - - Chunked request with Content-Length header - - Check maximum number of cookies - - Check maximum number of parameters - - Check maximum number of headers - - Body in GET or HEAD requests - - Bad multipart/form-data request parsing - - Bad multipart parameters parsing - - Bad HTTP version - - Bad host header value - type: string - enabled: - type: boolean - maxCookies: - maximum: 100 - minimum: 1 - type: integer - maxHeaders: - maximum: 150 - minimum: 1 - type: integer - maxParams: - maximum: 5000 - minimum: 1 - type: integer - type: object - type: array - violations: - items: - properties: - alarm: - type: boolean - block: - type: boolean - description: - type: string - name: - enum: - - VIOL_ACCESS_INVALID - - VIOL_ACCESS_MALFORMED - - VIOL_ACCESS_MISSING - - VIOL_ACCESS_UNAUTHORIZED - - VIOL_ASM_COOKIE_HIJACKING - - VIOL_ASM_COOKIE_MODIFIED - - VIOL_BLACKLISTED_IP - - VIOL_COOKIE_EXPIRED - - VIOL_COOKIE_LENGTH - - VIOL_COOKIE_MALFORMED - - VIOL_COOKIE_MODIFIED - - VIOL_CSRF - - VIOL_DATA_GUARD - - VIOL_ENCODING - - VIOL_EVASION - - VIOL_FILE_UPLOAD - - VIOL_FILE_UPLOAD_IN_BODY - - VIOL_FILETYPE - - VIOL_GRAPHQL_ERROR_RESPONSE - - VIOL_GRAPHQL_FORMAT - - VIOL_GRAPHQL_INTROSPECTION_QUERY - - VIOL_GRAPHQL_MALFORMED - - VIOL_GRPC_FORMAT - - VIOL_GRPC_MALFORMED - - VIOL_GRPC_METHOD - - VIOL_HEADER_LENGTH - - VIOL_HEADER_METACHAR - - VIOL_HEADER_REPEATED - - VIOL_HTTP_PROTOCOL - - VIOL_HTTP_RESPONSE_STATUS - - VIOL_JSON_FORMAT - - VIOL_JSON_MALFORMED - - VIOL_JSON_SCHEMA - - VIOL_MANDATORY_HEADER - - VIOL_MANDATORY_PARAMETER - - VIOL_MANDATORY_REQUEST_BODY - - VIOL_METHOD - - VIOL_PARAMETER - - VIOL_PARAMETER_ARRAY_VALUE - - VIOL_PARAMETER_DATA_TYPE - - VIOL_PARAMETER_EMPTY_VALUE - - VIOL_PARAMETER_LOCATION - - VIOL_PARAMETER_MULTIPART_NULL_VALUE - - VIOL_PARAMETER_NAME_METACHAR - - VIOL_PARAMETER_NUMERIC_VALUE - - VIOL_PARAMETER_REPEATED - - VIOL_PARAMETER_STATIC_VALUE - - VIOL_PARAMETER_VALUE_BASE64 - - VIOL_PARAMETER_VALUE_LENGTH - - VIOL_PARAMETER_VALUE_METACHAR - - VIOL_PARAMETER_VALUE_REGEXP - - VIOL_POST_DATA_LENGTH - - VIOL_QUERY_STRING_LENGTH - - VIOL_RATING_NEED_EXAMINATION - - VIOL_RATING_THREAT - - VIOL_REQUEST_LENGTH - - VIOL_REQUEST_MAX_LENGTH - - VIOL_THREAT_CAMPAIGN - - VIOL_URL - - VIOL_URL_CONTENT_TYPE - - VIOL_URL_LENGTH - - VIOL_URL_METACHAR - - VIOL_XML_FORMAT - - VIOL_XML_MALFORMED - type: string - type: object - type: array - type: object - blockingSettingReference: - properties: - link: - pattern: ^http - type: string - type: object - bot-defense: - properties: - mitigations: - properties: - anomalies: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - default - - detect - - ignore - type: string - name: - type: string - scoreThreshold: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: array - browsers: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - detect - type: string - maxVersion: - maximum: 2147483647 - minimum: 0 - type: integer - minVersion: - maximum: 2147483647 - minimum: 0 - type: integer - name: - type: string - type: object - type: array - classes: - items: - properties: - action: - enum: - - alarm - - block - - detect - - ignore - type: string - name: - enum: - - browser - - malicious-bot - - suspicious-browser - - trusted-bot - - unknown - - untrusted-bot - type: string - type: object - type: array - signatures: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - detect - - ignore - type: string - name: - type: string - type: object - type: array - type: object - settings: - properties: - caseSensitiveHttpHeaders: - type: boolean - isEnabled: - type: boolean - type: object - type: object - browser-definitions: - items: - properties: - $action: - enum: - - delete - type: string - isUserDefined: - type: boolean - matchRegex: - type: string - matchString: - type: string - name: - type: string - type: object - type: array - caseInsensitive: - type: boolean - character-sets: - items: - properties: - characterSet: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - characterSetType: - enum: - - gwt-content - - header - - json-content - - parameter-name - - parameter-value - - plain-text-content - - url - - xml-content - type: string - type: object - type: array - characterSetReference: - properties: - link: - pattern: ^http - type: string - type: object - cookie-settings: - properties: - maximumCookieHeaderLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - cookieReference: - properties: - link: - pattern: ^http - type: string - type: object - cookieSettingsReference: - properties: - link: - pattern: ^http - type: string - type: object - cookies: - items: - properties: - $action: - enum: - - delete - type: string - accessibleOnlyThroughTheHttpProtocol: - type: boolean - attackSignaturesCheck: - type: boolean - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - enforcementType: - type: string - insertSameSiteAttribute: - enum: - - lax - - none - - none-value - - strict - type: string - maskValueInLogs: - type: boolean - name: - type: string - securedOverHttpsConnection: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: - - explicit - - wildcard - type: string - wildcardOrder: - type: integer - type: object - type: array - csrf-protection: - properties: - enabled: - type: boolean - expirationTimeInSeconds: - pattern: disabled|\d+ - type: string - sslOnly: - type: boolean - type: object - csrf-urls: - items: - properties: - $action: - enum: - - delete - type: string - enforcementAction: - enum: - - verify-origin - - none - type: string - method: - enum: - - GET - - POST - - any - type: string - url: - type: string - wildcardOrder: - type: integer - type: object - type: array - data-guard: - properties: - creditCardNumbers: - type: boolean - customPatterns: - type: boolean - customPatternsList: - items: - type: string - type: array - enabled: - type: boolean - enforcementMode: - enum: - - ignore-urls-in-list - - enforce-urls-in-list - type: string - enforcementUrls: - items: - type: string - type: array - firstCustomCharactersToExpose: - type: integer - lastCcnDigitsToExpose: - type: integer - lastCustomCharactersToExpose: - type: integer - lastSsnDigitsToExpose: - type: integer - maskData: - type: boolean - usSocialSecurityNumbers: - type: boolean - type: object - dataGuardReference: - properties: - link: - pattern: ^http - type: string - type: object - description: - type: string - enablePassiveMode: - type: boolean - enforcementMode: - enum: - - transparent - - blocking - type: string - enforcer-settings: - properties: - enforcerStateCookies: - properties: - httpOnlyAttribute: - type: boolean - sameSiteAttribute: - enum: - - lax - - none - - none-value - - strict - type: string - secureAttribute: - enum: - - always - - never - type: string - type: object - type: object - filetypeReference: - properties: - link: - pattern: ^http - type: string - type: object - filetypes: - items: - properties: - $action: - enum: - - delete - type: string - allowed: - type: boolean - checkPostDataLength: - type: boolean - checkQueryStringLength: - type: boolean - checkRequestLength: - type: boolean - checkUrlLength: - type: boolean - name: - type: string - postDataLength: - type: integer - queryStringLength: - type: integer - requestLength: - type: integer - responseCheck: - type: boolean - type: - enum: - - explicit - - wildcard - type: string - urlLength: - type: integer - wildcardOrder: - type: integer - type: object - type: array - fullPath: - type: string - general: - properties: - allowedResponseCodes: - items: - format: int32 - maximum: 999 - minimum: 100 - type: integer - type: array - customXffHeaders: - items: - type: string - type: array - maskCreditCardNumbersInRequest: - type: boolean - trustXff: - type: boolean - type: object - generalReference: - properties: - link: - pattern: ^http - type: string - type: object - graphql-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - allowIntrospectionQueries: - type: boolean - maximumBatchedQueries: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumQueryCost: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumStructureDepth: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumTotalLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumValueLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - tolerateParsingWarnings: - type: boolean - type: object - description: - type: string - metacharElementCheck: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - name: - type: string - responseEnforcement: - properties: - blockDisallowedPatterns: - type: boolean - disallowedPatterns: - items: - type: string - type: array - type: object - sensitiveData: - items: - properties: - parameterName: - type: string - type: object - type: array - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: object - type: array - grpc-profiles: - items: - properties: - $action: - enum: - - delete - type: string - associateUrls: - type: boolean - attackSignaturesCheck: - type: boolean - decodeStringValuesAsBase64: - enum: - - disabled - - enabled - type: string - defenseAttributes: - properties: - allowUnknownFields: - type: boolean - maximumDataLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - description: - type: string - hasIdlFiles: - type: boolean - idlFiles: - items: - properties: - idlFile: - properties: - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - importUrl: - type: string - isPrimary: - type: boolean - primaryIdlFileName: - type: string - type: object - type: array - metacharCheck: - type: boolean - metacharElementCheck: - type: boolean - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: object - type: array - header-settings: - properties: - maximumHttpHeaderLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - headerReference: - properties: - link: - pattern: ^http - type: string - type: object - headerSettingsReference: - properties: - link: - pattern: ^http - type: string - type: object - headers: - items: - properties: - $action: - enum: - - delete - type: string - allowRepeatedOccurrences: - type: boolean - base64Decoding: - type: boolean - checkSignatures: - type: boolean - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - htmlNormalization: - type: boolean - mandatory: - type: boolean - maskValueInLogs: - type: boolean - name: - type: string - normalizationViolations: - type: boolean - percentDecoding: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: - - explicit - - wildcard - type: string - urlNormalization: - type: boolean - wildcardOrder: - type: integer - type: object - type: array - host-names: - items: - properties: - $action: - enum: - - delete - type: string - includeSubdomains: - type: boolean - name: - type: string - type: object - type: array - idl-files: - items: - properties: - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - json-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - maximumArrayLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumStructureDepth: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumTotalLengthOfJSONData: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumValueLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - tolerateJSONParsingWarnings: - type: boolean - type: object - description: - type: string - handleJsonValuesAsParameters: - type: boolean - hasValidationFiles: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - validationFiles: - items: - properties: - importUrl: - type: string - isPrimary: - type: boolean - jsonValidationFile: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: object - type: array - type: object - type: array - json-validation-files: - items: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - jsonProfileReference: - properties: - link: - pattern: ^http - type: string - type: object - jsonValidationFileReference: - properties: - link: - pattern: ^http - type: string - type: object - methodReference: - properties: - link: - pattern: ^http - type: string - type: object - methods: - items: - properties: - $action: - enum: - - delete - type: string - name: - type: string - type: object - type: array - name: - type: string - open-api-files: - items: - properties: - link: - pattern: ^http - type: string - type: object - type: array - parameterReference: - properties: - link: - pattern: ^http - type: string - type: object - parameters: - items: - properties: - $action: - enum: - - delete - type: string - allowEmptyValue: - type: boolean - allowRepeatedParameterName: - type: boolean - arraySerializationFormat: - enum: - - csv - - form - - label - - matrix - - multi - - multipart - - pipe - - ssv - - tsv - type: string - attackSignaturesCheck: - type: boolean - checkMaxValue: - type: boolean - checkMaxValueLength: - type: boolean - checkMetachars: - type: boolean - checkMinValue: - type: boolean - checkMinValueLength: - type: boolean - checkMultipleOfValue: - type: boolean - contentProfile: - properties: - name: - type: string - type: object - dataType: - enum: - - alpha-numeric - - binary - - boolean - - decimal - - email - - integer - - none - - phone - type: string - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - disallowFileUploadOfExecutables: - type: boolean - enableRegularExpression: - type: boolean - exclusiveMax: - type: boolean - exclusiveMin: - type: boolean - isBase64: - type: boolean - isCookie: - type: boolean - isHeader: - type: boolean - level: - enum: - - global - - url - type: string - mandatory: - type: boolean - maximumLength: - type: integer - maximumValue: - type: integer - metacharsOnParameterValueCheck: - type: boolean - minimumLength: - type: integer - minimumValue: - type: integer - multipleOf: - type: integer - name: - type: string - nameMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - objectSerializationStyle: - type: string - parameterEnumValues: - items: - type: string - type: array - parameterLocation: - enum: - - any - - cookie - - form-data - - header - - path - - query - type: string - regularExpression: - type: string - sensitiveParameter: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - staticValues: - type: string - type: - enum: - - explicit - - wildcard - type: string - url: - properties: - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - - '*' - type: string - name: - type: string - protocol: - enum: - - http - - https - type: string - type: - enum: - - explicit - - wildcard - type: string - type: object - valueMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - valueType: - enum: - - array - - auto-detect - - dynamic-content - - dynamic-parameter-name - - ignore - - json - - object - - openapi-array - - static-content - - user-input - - xml - type: string - wildcardOrder: - type: integer - type: object - type: array - response-pages: - items: - properties: - ajaxActionType: - enum: - - alert-popup - - custom - - redirect - type: string - ajaxCustomContent: - type: string - ajaxEnabled: - type: boolean - ajaxPopupMessage: - type: string - ajaxRedirectUrl: - type: string - grpcStatusCode: - pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ - type: string - grpcStatusMessage: - type: string - responseActionType: - enum: - - custom - - default - - erase-cookies - - redirect - - soap-fault - type: string - responseContent: - type: string - responseHeader: - type: string - responsePageType: - enum: - - ajax - - ajax-login - - captcha - - captcha-fail - - default - - failed-login-honeypot - - failed-login-honeypot-ajax - - hijack - - leaked-credentials - - leaked-credentials-ajax - - mobile - - persistent-flow - - xml - - grpc - type: string - responseRedirectUrl: - type: string - type: object - type: array - responsePageReference: - properties: - link: - pattern: ^http - type: string - type: object - sensitive-parameters: - items: - properties: - $action: - enum: - - delete - type: string - name: - type: string - type: object - type: array - sensitiveParameterReference: - properties: - link: - pattern: ^http - type: string - type: object - server-technologies: - items: - properties: - $action: - enum: - - delete - type: string - serverTechnologyName: - enum: - - Jenkins - - SharePoint - - Oracle Application Server - - Python - - Oracle Identity Manager - - Spring Boot - - CouchDB - - SQLite - - Handlebars - - Mustache - - Prototype - - Zend - - Redis - - Underscore.js - - Ember.js - - ZURB Foundation - - ef.js - - Vue.js - - UIKit - - TYPO3 CMS - - RequireJS - - React - - MooTools - - Laravel - - GraphQL - - Google Web Toolkit - - Express.js - - CodeIgniter - - Backbone.js - - AngularJS - - JavaScript - - Nginx - - Jetty - - Joomla - - JavaServer Faces (JSF) - - Ruby - - MongoDB - - Django - - Node.js - - Citrix - - JBoss - - Elasticsearch - - Apache Struts - - XML - - PostgreSQL - - IBM DB2 - - Sybase/ASE - - CGI - - Proxy Servers - - SSI (Server Side Includes) - - Cisco - - Novell - - Macromedia JRun - - BEA Systems WebLogic Server - - Lotus Domino - - MySQL - - Oracle - - Microsoft SQL Server - - PHP - - Outlook Web Access - - Apache/NCSA HTTP Server - - Apache Tomcat - - WordPress - - Macromedia ColdFusion - - Unix/Linux - - Microsoft Windows - - ASP.NET - - Front Page Server Extensions (FPSE) - - IIS - - WebDAV - - ASP - - Java Servlets/JSP - - jQuery - type: string - type: object - type: array - serverTechnologyReference: - properties: - link: - pattern: ^http - type: string - type: object - signature-requirements: - items: - properties: - $action: - enum: - - delete - type: string - tag: - type: string - type: object - type: array - signature-sets: - items: - properties: - $action: - enum: - - delete - type: string - alarm: - type: boolean - block: - type: boolean - name: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - signature-settings: - properties: - attackSignatureFalsePositiveMode: - enum: - - detect - - detect-and-allow - - disabled - type: string - minimumAccuracyForAutoAddedSignatures: - enum: - - high - - low - - medium - type: string - type: object - signatureReference: - properties: - link: - pattern: ^http - type: string - type: object - signatureSetReference: - properties: - link: - pattern: ^http - type: string - type: object - signatureSettingReference: - properties: - link: - pattern: ^http - type: string - type: object - signatures: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - softwareVersion: - type: string - template: - properties: - name: - type: string - type: object - threat-campaigns: - items: - properties: - isEnabled: - type: boolean - name: - type: string - type: object - type: array - threatCampaignReference: - properties: - link: - pattern: ^http - type: string - type: object - urlReference: - properties: - link: - pattern: ^http - type: string - type: object - urls: - items: - properties: - $action: - enum: - - delete - type: string - allowRenderingInFrames: - enum: - - never - - only-same - type: string - allowRenderingInFramesOnlyFrom: - type: string - attackSignaturesCheck: - type: boolean - clickjackingProtection: - type: boolean - description: - type: string - disallowFileUploadOfExecutables: - type: boolean - html5CrossOriginRequestsEnforcement: - properties: - allowOriginsEnforcementMode: - enum: - - replace-with - - unmodified - type: string - checkAllowedMethods: - type: boolean - crossDomainAllowedOrigin: - items: - properties: - includeSubDomains: - type: boolean - originName: - type: string - originPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - originProtocol: - enum: - - http - - http/https - - https - type: string - type: object - type: array - enforcementMode: - enum: - - disabled - - enforce - type: string - type: object - isAllowed: - type: boolean - mandatoryBody: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - metacharsOnUrlCheck: - type: boolean - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - - '*' - type: string - methodOverrides: - items: - properties: - allowed: - type: boolean - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - type: string - type: object - type: array - methodsOverrideOnUrlCheck: - type: boolean - name: - type: string - operationId: - type: string - positionalParameters: - items: - properties: - parameter: - properties: - $action: - enum: - - delete - type: string - allowEmptyValue: - type: boolean - allowRepeatedParameterName: - type: boolean - arraySerializationFormat: - enum: - - csv - - form - - label - - matrix - - multi - - multipart - - pipe - - ssv - - tsv - type: string - attackSignaturesCheck: - type: boolean - checkMaxValue: - type: boolean - checkMaxValueLength: - type: boolean - checkMetachars: - type: boolean - checkMinValue: - type: boolean - checkMinValueLength: - type: boolean - checkMultipleOfValue: - type: boolean - contentProfile: - properties: - name: - type: string - type: object - dataType: - enum: - - alpha-numeric - - binary - - boolean - - decimal - - email - - integer - - none - - phone - type: string - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - disallowFileUploadOfExecutables: - type: boolean - enableRegularExpression: - type: boolean - exclusiveMax: - type: boolean - exclusiveMin: - type: boolean - isBase64: - type: boolean - isCookie: - type: boolean - isHeader: - type: boolean - level: - enum: - - global - - url - type: string - mandatory: - type: boolean - maximumLength: - type: integer - maximumValue: - type: integer - metacharsOnParameterValueCheck: - type: boolean - minimumLength: - type: integer - minimumValue: - type: integer - multipleOf: - type: integer - name: - type: string - nameMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - objectSerializationStyle: - type: string - parameterEnumValues: - items: - type: string - type: array - parameterLocation: - enum: - - any - - cookie - - form-data - - header - - path - - query - type: string - regularExpression: - type: string - sensitiveParameter: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - staticValues: - type: string - type: - enum: - - explicit - - wildcard - type: string - url: - properties: - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - - '*' - type: string - name: - type: string - protocol: - enum: - - http - - https - type: string - type: - enum: - - explicit - - wildcard - type: string - type: object - valueMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - valueType: - enum: - - array - - auto-detect - - dynamic-content - - dynamic-parameter-name - - ignore - - json - - object - - openapi-array - - static-content - - user-input - - xml - type: string - wildcardOrder: - type: integer - type: object - urlSegmentIndex: - type: integer - type: object - type: array - protocol: - enum: - - http - - https - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: - - explicit - - wildcard - type: string - urlContentProfiles: - items: - properties: - contentProfile: - properties: - name: - type: string - type: object - headerName: - type: string - headerOrder: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - headerValue: - type: string - name: - type: string - type: - enum: - - apply-content-signatures - - apply-value-and-content-signatures - - disallow - - do-nothing - - form-data - - gwt - - json - - xml - - grpc - type: string - type: object - type: array - wildcardOrder: - type: integer - type: object - type: array - whitelist-ips: - items: - properties: - $action: - enum: - - delete - type: string - blockRequests: - enum: - - always - - never - - policy-default - type: string - ipAddress: - pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' - type: string - ipMask: - pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' - type: string - neverLogRequests: - type: boolean - type: object - type: array - whitelistIpReference: - properties: - link: - pattern: ^http - type: string - type: object - xml-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - allowCDATA: - type: boolean - allowDTDs: - type: boolean - allowExternalReferences: - type: boolean - allowProcessingInstructions: - type: boolean - maximumAttributeValueLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumAttributesPerElement: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumChildrenPerElement: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumDocumentDepth: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumDocumentSize: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumElements: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumNSDeclarations: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumNameLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumNamespaceLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - tolerateCloseTagShorthand: - type: boolean - tolerateLeadingWhiteSpace: - type: boolean - tolerateNumericNames: - type: boolean - type: object - description: - type: string - enableWss: - type: boolean - followSchemaLinks: - type: boolean - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - useXmlResponsePage: - type: boolean - type: object - type: array - xml-validation-files: - items: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - xmlProfileReference: - properties: - link: - pattern: ^http - type: string - type: object - xmlValidationFileReference: - properties: - link: - pattern: ^http - type: string - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml b/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml deleted file mode 100644 index 6d71ed6336..0000000000 --- a/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml +++ /dev/null @@ -1,98 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: apusersigs.appprotect.f5.com -spec: - group: appprotect.f5.com - names: - kind: APUserSig - listKind: APUserSigList - plural: apusersigs - singular: apusersig - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APUserSig is the Schema for the apusersigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APUserSigSpec defines the desired state of APUserSig - properties: - properties: - type: string - signatures: - items: - properties: - accuracy: - enum: - - high - - medium - - low - type: string - attackType: - properties: - name: - type: string - type: object - description: - type: string - name: - type: string - references: - properties: - type: - enum: - - bugtraq - - cve - - nessus - - url - type: string - value: - type: string - type: object - risk: - enum: - - high - - medium - - low - type: string - rule: - type: string - signatureType: - enum: - - request - - response - type: string - systems: - items: - properties: - name: - type: string - type: object - type: array - type: object - type: array - softwareVersion: - type: string - tag: - type: string - type: object - type: object - served: true - storage: true diff --git a/nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml deleted file mode 100644 index e23e87184b..0000000000 --- a/nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml +++ /dev/null @@ -1,68 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: apdoslogconfs.appprotectdos.f5.com -spec: - group: appprotectdos.f5.com - names: - kind: APDosLogConf - listKind: APDosLogConfList - plural: apdoslogconfs - singular: apdoslogconf - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APDosLogConf is the Schema for the APDosLogConfs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APDosLogConfSpec defines the desired state of APDosLogConf - properties: - content: - properties: - format: - enum: - - splunk - - arcsight - - user-defined - type: string - format_string: - type: string - max_message_size: - pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ - type: string - type: object - filter: - properties: - traffic-mitigation-stats: - enum: - - none - - all - default: all - type: string - bad-actors: - pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ - default: top 10 - type: string - attack-signatures: - pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ - default: top 10 - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml b/nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml deleted file mode 100644 index a16399a1a2..0000000000 --- a/nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml +++ /dev/null @@ -1,68 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: apdospolicies.appprotectdos.f5.com -spec: - group: appprotectdos.f5.com - names: - kind: APDosPolicy - listKind: APDosPoliciesList - plural: apdospolicies - singular: apdospolicy - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - type: object - description: APDosPolicy is the Schema for the APDosPolicy API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - description: APDosPolicySpec defines the desired state of APDosPolicy - properties: - mitigation_mode: - enum: - - "standard" - - "conservative" - - "none" - default: "standard" - type: string - signatures: - enum: - - "on" - - "off" - default: "on" - type: string - bad_actors: - enum: - - "on" - - "off" - default: "on" - type: string - automation_tools_detection: - enum: - - "on" - - "off" - default: "on" - type: string - tls_fingerprint: - enum: - - "on" - - "off" - default: "on" - type: string - served: true - storage: true diff --git a/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml deleted file mode 100644 index 9c3ce82174..0000000000 --- a/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml +++ /dev/null @@ -1,113 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: dosprotectedresources.appprotectdos.f5.com -spec: - group: appprotectdos.f5.com - names: - kind: DosProtectedResource - listKind: DosProtectedResourceList - plural: dosprotectedresources - shortNames: - - pr - singular: dosprotectedresource - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: DosProtectedResource defines a Dos protected resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DosProtectedResourceSpec defines the properties and values - a DosProtectedResource can have. - properties: - allowList: - description: AllowList is a list of allowed IPs and subnet masks - items: - description: AllowListEntry represents an IP address and a subnet - mask. - properties: - ipWithMask: - type: string - type: object - type: array - apDosMonitor: - description: 'ApDosMonitor is how NGINX App Protect DoS monitors the - stress level of the protected object. The monitor requests are sent - from localhost (127.0.0.1). Default value: URI - None, protocol - - http1, timeout - NGINX App Protect DoS default.' - properties: - protocol: - description: Protocol determines if the server listens on http1 - / http2 / grpc / websocket. The default is http1. - enum: - - http1 - - http2 - - grpc - - websocket - type: string - timeout: - description: Timeout determines how long (in seconds) should NGINX - App Protect DoS wait for a response. Default is 10 seconds for - http1/http2 and 5 seconds for grpc. - format: int64 - type: integer - uri: - description: 'URI is the destination to the desired protected - object in the nginx.conf:' - type: string - type: object - apDosPolicy: - description: ApDosPolicy is the namespace/name of a ApDosPolicy resource - type: string - dosAccessLogDest: - description: DosAccessLogDest is the network address for the access - logs - type: string - dosSecurityLog: - description: DosSecurityLog defines the security log of the DosProtectedResource. - properties: - apDosLogConf: - description: ApDosLogConf is the namespace/name of a APDosLogConf - resource - type: string - dosLogDest: - description: DosLogDest is the network address of a logging service, - can be either IP or DNS name. - type: string - enable: - description: Enable enables the security logging feature if set - to true - type: boolean - type: object - enable: - description: Enable enables the DOS feature if set to true - type: boolean - name: - description: Name is the name of protected object, max of 63 characters. - type: string - type: object - type: object - served: true - storage: true diff --git a/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml b/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml deleted file mode 100644 index bca4965c46..0000000000 --- a/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml +++ /dev/null @@ -1,97 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: dnsendpoints.externaldns.nginx.org -spec: - group: externaldns.nginx.org - names: - kind: DNSEndpoint - listKind: DNSEndpointList - plural: dnsendpoints - singular: dnsendpoint - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: DNSEndpoint is the CRD wrapper for Endpoint - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DNSEndpointSpec holds information about endpoints. - properties: - endpoints: - items: - description: Endpoint describes DNS Endpoint. - properties: - dnsName: - description: The hostname for the DNS record - type: string - labels: - additionalProperties: - type: string - description: Labels stores labels defined for the Endpoint - type: object - providerSpecific: - description: ProviderSpecific stores provider specific config - items: - description: ProviderSpecificProperty represents provider - specific config property. - properties: - name: - description: Name of the property - type: string - value: - description: Value of the property - type: string - type: object - type: array - recordTTL: - description: TTL for the record - format: int64 - type: integer - recordType: - description: RecordType type of record, e.g. CNAME, A, SRV, - TXT, MX - type: string - targets: - description: The targets the DNS service points to - items: - type: string - type: array - type: object - type: array - type: object - status: - description: DNSEndpointStatus represents generation observed by the external - dns controller. - properties: - observedGeneration: - description: The generation observed by by the external-dns controller. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/nginx-ingress/templates/NOTES.txt b/nginx-ingress/templates/NOTES.txt deleted file mode 100644 index 1fcca30c24..0000000000 --- a/nginx-ingress/templates/NOTES.txt +++ /dev/null @@ -1,13 +0,0 @@ -NGINX Ingress Controller {{ .Chart.AppVersion }} has been installed. - -For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/ - -Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/ - -{{ if .Release.IsUpgrade -}} -If you are upgrading from a version of the chart that uses older Custom Resource Definitions (CRD) it is necessary to manually upgrade the CRDs as this is not managed by Helm. -To update to the latest version of the CRDs: - $ kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{ .Chart.AppVersion }}/deploy/crds.yaml - -More details on upgrading the CRDs: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/#upgrading-the-crds -{{- end -}} diff --git a/nginx-ingress/templates/_helpers.tpl b/nginx-ingress/templates/_helpers.tpl deleted file mode 100644 index d3dc468085..0000000000 --- a/nginx-ingress/templates/_helpers.tpl +++ /dev/null @@ -1,516 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Expand the name of the chart. -*/}} -{{- define "nginx-ingress.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "nginx-ingress.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create a default fully qualified controller name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "nginx-ingress.controller.fullname" -}} -{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified controller service name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "nginx-ingress.controller.service.name" -}} -{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "nginx-ingress.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "nginx-ingress.labels" -}} -helm.sh/chart: {{ include "nginx-ingress.chart" . }} -{{ include "nginx-ingress.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Pod labels -*/}} -{{- define "nginx-ingress.podLabels" -}} -{{- include "nginx-ingress.selectorLabels" . }} -{{- if .Values.nginxServiceMesh.enable }} -nsm.nginx.com/enable-ingress: "true" -nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" -nsm.nginx.com/{{ .Values.controller.kind }}: {{ include "nginx-ingress.controller.fullname" . }} -{{- end }} -{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} -agent-configuration-revision-hash: {{ include "nginx-ingress.agentConfiguration" . | sha1sum | trunc 8 | quote }} -{{- end }} -{{- if .Values.controller.pod.extraLabels }} -{{ toYaml .Values.controller.pod.extraLabels }} -{{- end }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "nginx-ingress.selectorLabels" -}} -{{- if .Values.controller.selectorLabels -}} -{{ toYaml .Values.controller.selectorLabels }} -{{- else -}} -app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} -{{- end -}} - -{{/* -Expand the name of the configmap. -*/}} -{{- define "nginx-ingress.configName" -}} -{{- if .Values.controller.customConfigMap -}} -{{ .Values.controller.customConfigMap }} -{{- else -}} -{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} -{{- end -}} -{{- end -}} - -{{/* -Expand the name of the configmap used for NGINX Agent. -*/}} -{{- define "nginx-ingress.agentConfigName" -}} -{{- if ne (.Values.nginxAgent.customConfigMap | default "") "" -}} -{{ .Values.nginxAgent.customConfigMap }} -{{- else -}} -{{- printf "%s-agent-config" (include "nginx-ingress.fullname" . | trunc 49 | trimSuffix "-") -}} -{{- end -}} -{{- end -}} - -{{/* -Expand the name of the mgmt configmap. -*/}} -{{- define "nginx-ingress.mgmtConfigName" -}} -{{- if .Values.controller.mgmt.configMapName -}} -{{ .Values.controller.mgmt.configMapName }} -{{- else -}} -{{- default (printf "%s-mgmt" (include "nginx-ingress.fullname" .)) -}} -{{- end -}} -{{- end -}} - -{{/* -Expand license token secret name. -*/}} -{{- define "nginx-ingress.licenseTokenSecretName" -}} -{{- if hasKey .Values.controller.mgmt "licenseTokenSecretName" -}} -{{- .Values.controller.mgmt.licenseTokenSecretName -}} -{{- else }} -{{- fail "Error: When using Nginx Plus, 'controller.mgmt.licenseTokenSecretName' must be set." }} -{{- end -}} -{{- end -}} - -{{/* -Expand leader election lock name. -*/}} -{{- define "nginx-ingress.leaderElectionName" -}} -{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} -{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} -{{- else -}} -{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} -{{- end -}} -{{- end -}} - -{{/* -Expand service account name. -*/}} -{{- define "nginx-ingress.serviceAccountName" -}} -{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} -{{- end -}} - -{{/* -Expand default TLS name. -*/}} -{{- define "nginx-ingress.defaultTLSName" -}} -{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} -{{- end -}} - -{{/* -Expand wildcard TLS name. -*/}} -{{- define "nginx-ingress.wildcardTLSName" -}} -{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} -{{- end -}} - -{{- define "nginx-ingress.tag" -}} -{{- default .Chart.AppVersion .Values.controller.image.tag -}} -{{- end -}} - -{{/* -Expand image name. -*/}} -{{- define "nginx-ingress.image" -}} -{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion ) }} -{{- end -}} - -{{- define "nap-enforcer.image" -}} -{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.enforcer.image "default" .Chart.AppVersion ) }} -{{- end -}} - -{{- define "nap-config-manager.image" -}} -{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.configManager.image "default" .Chart.AppVersion ) }} -{{- end -}} - -{{/* -Accepts an image struct like .Values.controller.image along with a default value to use -if the digest or tag is not set. Can be called like: -include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion -*/}} -{{- define "nginx-ingress.image-digest-or-tag" -}} -{{- if .image.digest -}} -{{- printf "%s@%s" .image.repository .image.digest -}} -{{- else -}} -{{- printf "%s:%s" .image.repository (default .default .image.tag) -}} -{{- end -}} -{{- end -}} - -{{- define "nginx-ingress.prometheus.serviceName" -}} -{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} -{{- end -}} - -{{/* -return if readOnlyRootFilesystem is enabled or not. -*/}} -{{- define "nginx-ingress.readOnlyRootFilesystem" -}} -{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}} -true -{{- else -}} -false -{{- end -}} -{{- end -}} - -{{/* -Build the args for the service binary. -*/}} -{{- define "nginx-ingress.args" -}} -{{- if and .Values.controller.debug .Values.controller.debug.enable }} -- --listen=:2345 -- --headless=true -- --log=true -- --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc,dap,fncall,minidump,stack -- --accept-multiclient -- --api-version=2 -- exec -- ./nginx-ingress -{{- if .Values.controller.debug.continue }} -- --continue -{{- end }} -- -- -{{- end }} -- -nginx-plus={{ .Values.controller.nginxplus }} -- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} -- -enable-app-protect={{ .Values.controller.appprotect.enable }} -{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} -- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} -{{ end }} -{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.v5 }} -- -app-protect-enforcer-address="{{ .Values.controller.appprotect.enforcer.host | default "127.0.0.1" }}:{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" -{{- end }} -- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} -{{- if .Values.controller.appprotectdos.enable }} -- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} -- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} -- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} -- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} -{{ end }} -- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} -{{- if .Values.controller.nginxplus }} -- -mgmt-configmap=$(POD_NAMESPACE)/{{ include "nginx-ingress.mgmtConfigName" . }} -{{- end }} -{{- if .Values.controller.defaultTLS.secret }} -- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} -{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} -- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} -{{- end }} -- -ingress-class={{ .Values.controller.ingressClass.name }} -{{- if .Values.controller.watchNamespace }} -- -watch-namespace={{ .Values.controller.watchNamespace }} -{{- end }} -{{- if .Values.controller.watchNamespaceLabel }} -- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} -{{- end }} -{{- if .Values.controller.watchSecretNamespace }} -- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} -{{- end }} -- -health-status={{ .Values.controller.healthStatus }} -- -health-status-uri={{ .Values.controller.healthStatusURI }} -- -nginx-debug={{ .Values.controller.nginxDebug }} -- -log-level={{ .Values.controller.logLevel }} -- -log-format={{ .Values.controller.logFormat }} -- -nginx-status={{ .Values.controller.nginxStatus.enable }} -{{- if .Values.controller.nginxStatus.enable }} -- -nginx-status-port={{ .Values.controller.nginxStatus.port }} -- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} -{{- end }} -{{- if .Values.controller.reportIngressStatus.enable }} -- -report-ingress-status -{{- if .Values.controller.reportIngressStatus.ingressLink }} -- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} -{{- else if .Values.controller.reportIngressStatus.externalService }} -- -external-service={{ .Values.controller.reportIngressStatus.externalService }} -{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} -- -external-service={{ include "nginx-ingress.controller.service.name" . }} -{{- end }} -{{- end }} -- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} -{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} -- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} -{{- end }} -{{- if .Values.controller.wildcardTLS.secret }} -- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} -{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} -- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} -{{- end }} -- -enable-prometheus-metrics={{ .Values.prometheus.create }} -- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} -- -prometheus-tls-secret={{ .Values.prometheus.secret }} -- -enable-service-insight={{ .Values.serviceInsight.create }} -- -service-insight-listen-port={{ .Values.serviceInsight.port }} -- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} -- -enable-custom-resources={{ .Values.controller.enableCustomResources }} -- -enable-snippets={{ .Values.controller.enableSnippets }} -- -disable-ipv6={{ .Values.controller.disableIPV6 }} -{{- if .Values.controller.enableCustomResources }} -- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} -{{- if .Values.controller.enableTLSPassthrough }} -- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} -{{- end }} -- -enable-cert-manager={{ .Values.controller.enableCertManager }} -- -enable-oidc={{ .Values.controller.enableOIDC }} -- -enable-external-dns={{ .Values.controller.enableExternalDNS }} -- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} -- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} -{{- if .Values.controller.globalConfiguration.create }} -- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} -{{- end }} -{{- end }} -- -ready-status={{ .Values.controller.readyStatus.enable }} -- -ready-status-port={{ .Values.controller.readyStatus.port }} -- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} -- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} -- -enable-telemetry-reporting={{ .Values.controller.telemetryReporting.enable}} -- -weight-changes-dynamic-reload={{ .Values.controller.enableWeightChangesDynamicReload}} -{{- if .Values.nginxAgent.enable }} -- -agent=true -- -agent-instance-group={{ default (include "nginx-ingress.controller.fullname" .) .Values.nginxAgent.instanceGroup }} -{{- end }} -{{- end -}} - -{{/* -Volumes for controller. -*/}} -{{- define "nginx-ingress.volumes" -}} -{{- $volumesSet := "false" }} -volumes: -{{- if eq (include "nginx-ingress.volumeEntries" .) "" -}} -{{ toYaml list | printf " %s" }} -{{- else }} -{{ include "nginx-ingress.volumeEntries" . }} -{{- end -}} -{{- end -}} - -{{/* -List of volumes for controller. -*/}} -{{- define "nginx-ingress.volumeEntries" -}} -{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} -- name: nginx-etc - emptyDir: {} -- name: nginx-cache - emptyDir: {} -- name: nginx-lib - emptyDir: {} -- name: nginx-state - emptyDir: {} -- name: nginx-log - emptyDir: {} -{{- end }} -{{- if .Values.controller.appprotect.v5 }} -{{ toYaml .Values.controller.appprotect.volumes }} -{{- end }} -{{- if .Values.controller.volumes }} -{{ toYaml .Values.controller.volumes }} -{{- end }} -{{- if .Values.nginxAgent.enable }} -- name: agent-conf - configMap: - name: {{ include "nginx-ingress.agentConfigName" . }} -- name: agent-dynamic - emptyDir: {} -{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} -- name: nginx-agent-tls - projected: - sources: -{{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} - - secret: - name: {{ .Values.nginxAgent.instanceManager.tls.secret }} -{{- end }} -{{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} - - secret: - name: {{ .Values.nginxAgent.instanceManager.tls.caSecret }} -{{- end }} -{{- end }} -{{- end -}} -{{- end -}} - -{{/* -Volume mounts for controller. -*/}} -{{- define "nginx-ingress.volumeMounts" -}} -{{- $volumesSet := "false" }} -volumeMounts: -{{- if eq (include "nginx-ingress.volumeMountEntries" .) "" -}} -{{ toYaml list | printf " %s" }} -{{- else }} -{{ include "nginx-ingress.volumeMountEntries" . }} -{{- end -}} -{{- end -}} -{{- define "nginx-ingress.volumeMountEntries" -}} -{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} -- mountPath: /etc/nginx - name: nginx-etc -- mountPath: /var/cache/nginx - name: nginx-cache -- mountPath: /var/lib/nginx - name: nginx-lib -- mountPath: /var/lib/nginx/state - name: nginx-state -- mountPath: /var/log/nginx - name: nginx-log -{{- end }} -{{- if .Values.controller.appprotect.v5 }} -- name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config -- name: app-protect-config - mountPath: /opt/app_protect/config - # app-protect-bundles is mounted so that Ingress Controller - # can verify that referenced bundles are present -- name: app-protect-bundles - mountPath: /etc/app_protect/bundles -{{- end }} -{{- if .Values.controller.volumeMounts }} -{{ toYaml .Values.controller.volumeMounts }} -{{- end }} -{{- if .Values.nginxAgent.enable }} -- name: agent-conf - mountPath: /etc/nginx-agent/nginx-agent.conf - subPath: nginx-agent.conf -- name: agent-dynamic - mountPath: /var/lib/nginx-agent -{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} -- name: nginx-agent-tls - mountPath: /etc/ssl/nms - readOnly: true -{{- end }} -{{- end -}} -{{- end -}} - -{{- define "nginx-ingress.appprotect.v5" -}} -{{- if .Values.controller.appprotect.v5}} -- name: waf-enforcer - image: {{ include "nap-enforcer.image" . }} - imagePullPolicy: "{{ .Values.controller.appprotect.enforcer.image.pullPolicy }}" -{{- if .Values.controller.appprotect.enforcer.securityContext }} - securityContext: -{{ toYaml .Values.controller.appprotect.enforcer.securityContext | nindent 6 }} -{{- end }} - env: - - name: ENFORCER_PORT - value: "{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" - - name: ENFORCER_CONFIG_TIMEOUT - value: "0" - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config -- name: waf-config-mgr - image: {{ include "nap-config-manager.image" . }} - imagePullPolicy: "{{ .Values.controller.appprotect.configManager.image.pullPolicy }}" -{{- if .Values.controller.appprotect.configManager.securityContext }} - securityContext: -{{ toYaml .Values.controller.appprotect.configManager.securityContext | nindent 6 }} -{{- end }} - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles -{{- end}} -{{- end -}} - -{{- define "nginx-ingress.agentConfiguration" -}} -log: - level: {{ .Values.nginxAgent.logLevel }} - path: "" -server: - host: {{ required ".Values.nginxAgent.instanceManager.host is required when setting .Values.nginxAgent.enable to true" .Values.nginxAgent.instanceManager.host }} - grpcPort: {{ .Values.nginxAgent.instanceManager.grpcPort }} -{{- if ne (.Values.nginxAgent.instanceManager.sni | default "") "" }} - metrics: {{ .Values.nginxAgent.instanceManager.sni }} - command: {{ .Values.nginxAgent.instanceManager.sni }} -{{- end }} -{{- if .Values.nginxAgent.instanceManager.tls }} -tls: - enable: {{ .Values.nginxAgent.instanceManager.tls.enable | default true }} - skip_verify: {{ .Values.nginxAgent.instanceManager.tls.skipVerify | default false }} - {{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} - ca: "/etc/ssl/nms/ca.crt" - {{- end }} - {{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} - cert: "/etc/ssl/nms/tls.crt" - key: "/etc/ssl/nms/tls.key" - {{- end }} -{{- end }} -features: - - registration - - nginx-counting - - metrics-sender - - dataplane-status -extensions: - - nginx-app-protect - - nap-monitoring -nginx_app_protect: - report_interval: 15s - precompiled_publication: true -nap_monitoring: - collector_buffer_size: {{ .Values.nginxAgent.napMonitoring.collectorBufferSize }} - processor_buffer_size: {{ .Values.nginxAgent.napMonitoring.processorBufferSize }} - syslog_ip: {{ .Values.nginxAgent.syslog.host }} - syslog_port: {{ .Values.nginxAgent.syslog.port }} - -{{ end -}} diff --git a/nginx-ingress/templates/clusterrole.yaml b/nginx-ingress/templates/clusterrole.yaml deleted file mode 100644 index 7c3a5c89f3..0000000000 --- a/nginx-ingress/templates/clusterrole.yaml +++ /dev/null @@ -1,180 +0,0 @@ -{{- if and .Values.rbac.create .Values.rbac.clusterrole.create }} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "nginx-ingress.fullname" . }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -rules: -- apiGroups: - - "" - resources: - - configmaps - - namespaces - - pods - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "apps" - resources: - - replicasets - - daemonsets - verbs: - - get -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list -{{- if .Values.controller.reportIngressStatus.enable }} -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -{{- end }} -{{- if .Values.controller.appprotect.enable }} -- apiGroups: - - appprotect.f5.com - resources: - - appolicies - - aplogconfs - - apusersigs - verbs: - - get - - watch - - list -{{- end }} -{{- if .Values.controller.appprotectdos.enable }} -- apiGroups: - - appprotectdos.f5.com - resources: - - apdospolicies - - apdoslogconfs - - dosprotectedresources - verbs: - - get - - watch - - list -{{- end }} -{{- if .Values.controller.enableCustomResources }} -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers - - virtualserverroutes - - globalconfigurations - - transportservers - - policies - verbs: - - list - - watch - - get -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers/status - - virtualserverroutes/status - - policies/status - - transportservers/status - verbs: - - update -{{- end }} -{{- if .Values.controller.reportIngressStatus.ingressLink }} -- apiGroups: - - cis.f5.com - resources: - - ingresslinks - verbs: - - list - - watch - - get -{{- end }} -{{- if .Values.controller.enableCertManager }} -- apiGroups: - - cert-manager.io - resources: - - certificates - verbs: - - list - - watch - - get - - update - - create - - delete -{{- end }} -{{- if .Values.controller.enableExternalDNS }} -- apiGroups: - - externaldns.nginx.org - resources: - - dnsendpoints - verbs: - - list - - watch - - get - - update - - create - - delete -- apiGroups: - - externaldns.nginx.org - resources: - - dnsendpoints/status - verbs: - - update -{{- end }} -{{- end}} diff --git a/nginx-ingress/templates/clusterrolebinding.yaml b/nginx-ingress/templates/clusterrolebinding.yaml deleted file mode 100644 index ed06c48ccb..0000000000 --- a/nginx-ingress/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.rbac.create }} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "nginx-ingress.fullname" . }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ include "nginx-ingress.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ include "nginx-ingress.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/nginx-ingress/templates/controller-configmap.yaml b/nginx-ingress/templates/controller-configmap.yaml deleted file mode 100644 index a341ec084c..0000000000 --- a/nginx-ingress/templates/controller-configmap.yaml +++ /dev/null @@ -1,82 +0,0 @@ -{{- if not .Values.controller.customConfigMap -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "nginx-ingress.configName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.config.annotations }} - annotations: -{{ toYaml .Values.controller.config.annotations | indent 4 }} -{{- end }} -data: -{{ toYaml (default dict .Values.controller.config.entries) | indent 2 }} -{{- end }} ---- -{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "nginx-ingress.agentConfigName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.config.annotations }} - annotations: -{{ toYaml .Values.controller.config.annotations | indent 4 }} -{{- end }} -data: - nginx-agent.conf: |- -{{ include "nginx-ingress.agentConfiguration" . | indent 4 }} -{{- end }} ---- -{{- if .Values.controller.nginxplus }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "nginx-ingress.mgmtConfigName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.config.annotations }} - annotations: -{{ toYaml .Values.controller.config.annotations | indent 4 }} -{{- end }} -data: - license-token-secret-name: {{ required "When using Nginx Plus, 'controller.mgmt.licenseTokenSecretName' cannot be empty " (include "nginx-ingress.licenseTokenSecretName" . ) }} -{{- if hasKey .Values.controller.mgmt "sslVerify" }} - ssl-verify: {{ quote .Values.controller.mgmt.sslVerify }} -{{- end }} -{{- if hasKey .Values.controller.mgmt "enforceInitialReport" }} - enforce-initial-report: {{ quote .Values.controller.mgmt.enforceInitialReport }} -{{- end }} -{{- if hasKey .Values.controller.mgmt "usageReport" }} -{{- if hasKey .Values.controller.mgmt.usageReport "endpoint" }} - usage-report-endpoint: {{ quote .Values.controller.mgmt.usageReport.endpoint }} -{{- end }} -{{- if hasKey .Values.controller.mgmt.usageReport "interval" }} - usage-report-interval: {{ quote .Values.controller.mgmt.usageReport.interval }} -{{- end }} -{{- if hasKey .Values.controller.mgmt.usageReport "proxyHost" }} - usage-report-proxy-host: {{ quote .Values.controller.mgmt.usageReport.proxyHost }} -{{- end }} -{{- end }} -{{- if hasKey .Values.controller.mgmt "sslTrustedCertificateSecretName" }} - ssl-trusted-certificate-secret-name: {{ quote .Values.controller.mgmt.sslTrustedCertificateSecretName }} -{{- end }} -{{- if hasKey .Values.controller.mgmt "sslCertificateSecretName" }} - ssl-certificate-secret-name: {{ quote .Values.controller.mgmt.sslCertificateSecretName}} -{{- end }} -{{- if hasKey .Values.controller.mgmt "resolver" }} -{{- if hasKey .Values.controller.mgmt.resolver "addresses" }} - resolver-addresses: {{ join "," .Values.controller.mgmt.resolver.addresses | quote }} -{{- end }} -{{- if hasKey .Values.controller.mgmt.resolver "ipv6" }} - resolver-ipv6: {{ quote .Values.controller.mgmt.resolver.ipv6 }} -{{- end }} -{{- if hasKey .Values.controller.mgmt.resolver "valid" }} - resolver-valid: {{ quote .Values.controller.mgmt.resolver.valid }} -{{- end }} -{{- end }} -{{- end }} diff --git a/nginx-ingress/templates/controller-daemonset.yaml b/nginx-ingress/templates/controller-daemonset.yaml deleted file mode 100644 index 653ef4eb9e..0000000000 --- a/nginx-ingress/templates/controller-daemonset.yaml +++ /dev/null @@ -1,196 +0,0 @@ -{{- if eq .Values.controller.kind "daemonset" }} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "nginx-ingress.controller.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.annotations }} - annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} -{{- end }} -spec: - selector: - matchLabels: - {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "nginx-ingress.podLabels" . | nindent 8 }} -{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} - annotations: -{{- if .Values.prometheus.create }} - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.prometheus.port }}" - prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" -{{- end }} -{{- if .Values.controller.pod.annotations }} -{{ toYaml .Values.controller.pod.annotations | indent 8 }} -{{- end }} -{{- end }} - spec: - serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} - automountServiceAccountToken: true - securityContext: -{{ toYaml .Values.controller.podSecurityContext | indent 8 }} - terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} -{{- if .Values.controller.nodeSelector }} - nodeSelector: -{{ toYaml .Values.controller.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.controller.tolerations }} - tolerations: -{{ toYaml .Values.controller.tolerations | indent 6 }} -{{- end }} -{{- if .Values.controller.affinity }} - affinity: -{{ toYaml .Values.controller.affinity | indent 8 }} -{{- end }} -{{- include "nginx-ingress.volumes" . | indent 6 }} -{{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName }} -{{- end }} - hostNetwork: {{ .Values.controller.hostNetwork }} - dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.controller.shareProcessNamespace }} - shareProcessNamespace: true - {{- end }} - containers: - - name: {{ include "nginx-ingress.name" . }} - image: {{ include "nginx-ingress.image" . }} - imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" -{{- if .Values.controller.lifecycle }} - lifecycle: -{{ toYaml .Values.controller.lifecycle | indent 10 }} -{{- end }} - ports: -{{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} - hostPort: {{ index $.Values.controller.hostPort $key }} - {{- end }} -{{- end }} -{{ if .Values.controller.customPorts }} -{{ toYaml .Values.controller.customPorts | indent 8 }} -{{ end }} -{{- if .Values.prometheus.create }} - - name: prometheus - containerPort: {{ .Values.prometheus.port }} -{{- end }} -{{- if .Values.serviceInsight.create }} - - name: service-insight - containerPort: {{ .Values.serviceInsight.port }} -{{- end }} -{{- if .Values.controller.readyStatus.enable }} - - name: readiness-port - containerPort: {{ .Values.controller.readyStatus.port }} - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} -{{- end }} -{{- if .Values.controller.securityContext }} - securityContext: -{{ toYaml .Values.controller.securityContext | indent 10 }} -{{- else }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE -{{- end }} -{{- include "nginx-ingress.volumeMounts" . | indent 8 }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name -{{- if .Values.controller.env }} -{{ toYaml .Values.controller.env | indent 8 }} -{{- end }} -{{- if .Values.nginxServiceMesh.enable }} - - name: POD_SERVICEACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName -{{- end }} -{{- if hasKey .Values.controller.mgmt "usageReport" -}} -{{- if hasKey .Values.controller.mgmt.usageReport "proxyCredentialsSecretName" }} -{{- if not (hasKey .Values.controller.mgmt.usageReport "proxyHost") -}} -{{- fail "Error: 'controller.mgmt.usageReport.proxyHost' must be set when using 'controller.mgmt.usageReport.proxyCredentialsSecretName'." }} -{{- end }} - - name: PROXY_USER - valueFrom: - secretKeyRef: - name: {{ .Values.controller.mgmt.usageReport.proxyCredentialsSecretName }} - key: username - - name: PROXY_PASS - valueFrom: - secretKeyRef: - name: {{ .Values.controller.mgmt.usageReport.proxyCredentialsSecretName }} - key: password -{{- end }} -{{- end }} - resources: -{{ toYaml .Values.controller.resources | indent 10 }} - args: -{{- include "nginx-ingress.args" . | nindent 10 }} -{{- if .Values.controller.extraContainers }} - {{ toYaml .Values.controller.extraContainers | nindent 6 }} -{{- end }} - -{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }} - -{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} - initContainers: -{{- end }} -{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - - name: init-{{ include "nginx-ingress.name" . }} - image: {{ include "nginx-ingress.image" . }} - imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" - command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] -{{- if .Values.controller.initContainerResources }} - resources: -{{ toYaml .Values.controller.initContainerResources | indent 10 }} -{{- end }} -{{- if .Values.controller.initContainerSecurityContext }} - securityContext: -{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} -{{- else }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- end }} - volumeMounts: - - mountPath: /mnt/etc - name: nginx-etc -{{- end }} -{{- if .Values.controller.initContainers }} -{{ toYaml .Values.controller.initContainers | indent 6 }} -{{- end }} -{{- if .Values.controller.strategy }} - updateStrategy: -{{ toYaml .Values.controller.strategy | indent 4 }} -{{- end }} -{{- if .Values.controller.minReadySeconds }} - minReadySeconds: {{ .Values.controller.minReadySeconds }} -{{- end }} -{{- end }} diff --git a/nginx-ingress/templates/controller-deployment.yaml b/nginx-ingress/templates/controller-deployment.yaml deleted file mode 100644 index 9f2c6bd1e3..0000000000 --- a/nginx-ingress/templates/controller-deployment.yaml +++ /dev/null @@ -1,203 +0,0 @@ -{{- if eq .Values.controller.kind "deployment" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "nginx-ingress.controller.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.annotations }} - annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} -{{- end }} -spec: - {{- if not .Values.controller.autoscaling.enabled }} - replicas: {{ .Values.controller.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "nginx-ingress.podLabels" . | nindent 8 }} -{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} - annotations: -{{- if .Values.prometheus.create }} - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.prometheus.port }}" - prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" -{{- end }} -{{- if .Values.controller.pod.annotations }} -{{ toYaml .Values.controller.pod.annotations | indent 8 }} -{{- end }} -{{- end }} - spec: -{{- if .Values.controller.nodeSelector }} - nodeSelector: -{{ toYaml .Values.controller.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.controller.tolerations }} - tolerations: -{{ toYaml .Values.controller.tolerations | indent 6 }} -{{- end }} -{{- if .Values.controller.affinity }} - affinity: -{{ toYaml .Values.controller.affinity | indent 8 }} -{{- end }} -{{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: -{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} -{{- end }} -{{- include "nginx-ingress.volumes" . | indent 6 }} -{{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName }} -{{- end }} - serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} - automountServiceAccountToken: true - securityContext: -{{ toYaml .Values.controller.podSecurityContext | indent 8 }} - terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - hostNetwork: {{ .Values.controller.hostNetwork }} - dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.controller.shareProcessNamespace }} - shareProcessNamespace: true - {{- end }} - containers: - - image: {{ include "nginx-ingress.image" . }} - name: {{ include "nginx-ingress.name" . }} - imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" -{{- if .Values.controller.lifecycle }} - lifecycle: -{{ toYaml .Values.controller.lifecycle | indent 10 }} -{{- end }} - ports: -{{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} - hostPort: {{ index $.Values.controller.hostPort $key }} - {{- end }} -{{- end }} -{{- if .Values.controller.customPorts }} -{{ toYaml .Values.controller.customPorts | indent 8 }} -{{- end }} -{{- if .Values.prometheus.create }} - - name: prometheus - containerPort: {{ .Values.prometheus.port }} -{{- end }} -{{- if .Values.serviceInsight.create }} - - name: service-insight - containerPort: {{ .Values.serviceInsight.port }} -{{- end }} -{{- if .Values.controller.readyStatus.enable }} - - name: readiness-port - containerPort: {{ .Values.controller.readyStatus.port }} - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} -{{- end }} - resources: -{{ toYaml .Values.controller.resources | indent 10 }} -{{- if .Values.controller.securityContext }} - securityContext: -{{ toYaml .Values.controller.securityContext | indent 10 }} -{{- else }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE -{{- end }} -{{- include "nginx-ingress.volumeMounts" . | indent 8 }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name -{{- if .Values.controller.env }} -{{ toYaml .Values.controller.env | indent 8 }} -{{- end }} -{{- if .Values.nginxServiceMesh.enable }} - - name: POD_SERVICEACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName -{{- end }} -{{- if hasKey .Values.controller.mgmt "usageReport" -}} -{{- if hasKey .Values.controller.mgmt.usageReport "proxyCredentialsSecretName" }} -{{- if not (hasKey .Values.controller.mgmt.usageReport "proxyHost") -}} -{{- fail "Error: 'controller.mgmt.usageReport.proxyHost' must be set when using 'controller.mgmt.usageReport.proxyCredentialsSecretName'." }} -{{- end }} - - name: PROXY_USER - valueFrom: - secretKeyRef: - name: {{ .Values.controller.mgmt.usageReport.proxyCredentialsSecretName }} - key: username - - name: PROXY_PASS - valueFrom: - secretKeyRef: - name: {{ .Values.controller.mgmt.usageReport.proxyCredentialsSecretName }} - key: password -{{- end }} -{{- end }} - args: -{{- include "nginx-ingress.args" . | nindent 10 }} -{{- if .Values.controller.extraContainers }} - {{ toYaml .Values.controller.extraContainers | nindent 6 }} -{{- end }} - -{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }} - -{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} - initContainers: -{{- end }} -{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - - name: init-{{ include "nginx-ingress.name" . }} - image: {{ include "nginx-ingress.image" . }} - imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" - command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] -{{- if .Values.controller.initContainerResources }} - resources: -{{ toYaml .Values.controller.initContainerResources | indent 10 }} -{{- end }} -{{- if .Values.controller.initContainerSecurityContext }} - securityContext: -{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} -{{- else }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- end }} - volumeMounts: - - mountPath: /mnt/etc - name: nginx-etc -{{- end }} -{{- if .Values.controller.initContainers }} -{{ toYaml .Values.controller.initContainers | indent 6 }} -{{- end }} -{{- if .Values.controller.strategy }} - strategy: -{{ toYaml .Values.controller.strategy | indent 4 }} -{{- end }} -{{- if .Values.controller.minReadySeconds }} - minReadySeconds: {{ .Values.controller.minReadySeconds }} -{{- end }} -{{- end }} diff --git a/nginx-ingress/templates/controller-globalconfiguration.yaml b/nginx-ingress/templates/controller-globalconfiguration.yaml deleted file mode 100644 index 939923f2e0..0000000000 --- a/nginx-ingress/templates/controller-globalconfiguration.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{ if .Values.controller.globalConfiguration.create }} -apiVersion: k8s.nginx.org/v1 -kind: GlobalConfiguration -metadata: - name: {{ include "nginx-ingress.controller.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -spec: -{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} -{{- end }} diff --git a/nginx-ingress/templates/controller-hpa.yaml b/nginx-ingress/templates/controller-hpa.yaml deleted file mode 100644 index 971aca90d3..0000000000 --- a/nginx-ingress/templates/controller-hpa.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "nginx-ingress.controller.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.autoscaling.annotations }} - annotations: -{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} -{{- end }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "nginx-ingress.controller.fullname" . }} - minReplicas: {{ .Values.controller.autoscaling.minReplicas }} - maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} -{{- if .Values.controller.autoscaling.behavior }} - behavior: -{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} -{{- end }} - metrics: - {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} - {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/nginx-ingress/templates/controller-ingress-class.yaml b/nginx-ingress/templates/controller-ingress-class.yaml deleted file mode 100644 index a351d697c6..0000000000 --- a/nginx-ingress/templates/controller-ingress-class.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{ if .Values.controller.ingressClass.create }} -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: {{ .Values.controller.ingressClass.name }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.ingressClass.setAsDefaultIngress }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} -spec: - controller: nginx.org/ingress-controller -{{ end }} diff --git a/nginx-ingress/templates/controller-leader-election-configmap.yaml b/nginx-ingress/templates/controller-leader-election-configmap.yaml deleted file mode 100644 index 440914eb3e..0000000000 --- a/nginx-ingress/templates/controller-leader-election-configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "nginx-ingress.leaderElectionName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.reportIngressStatus.annotations }} - annotations: -{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} -{{- end }} -{{- end }} diff --git a/nginx-ingress/templates/controller-lease.yaml b/nginx-ingress/templates/controller-lease.yaml deleted file mode 100644 index 6a761acb51..0000000000 --- a/nginx-ingress/templates/controller-lease.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{ if .Values.controller.reportIngressStatus.enableLeaderElection }} -apiVersion: coordination.k8s.io/v1 -kind: Lease -metadata: - name: {{ include "nginx-ingress.leaderElectionName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.reportIngressStatus.annotations }} - annotations: -{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} -{{- end }} -{{- end }} diff --git a/nginx-ingress/templates/controller-pdb.yaml b/nginx-ingress/templates/controller-pdb.yaml deleted file mode 100644 index 1c3ddc8ae5..0000000000 --- a/nginx-ingress/templates/controller-pdb.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.controller.podDisruptionBudget.enabled -}} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "nginx-ingress.controller.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.podDisruptionBudget.annotations }} - annotations: -{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} -{{- end }} -spec: - selector: - matchLabels: - {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} -{{- if .Values.controller.podDisruptionBudget.minAvailable }} - minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} - maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} -{{- end }} -{{- end }} diff --git a/nginx-ingress/templates/controller-prometheus-service.yaml b/nginx-ingress/templates/controller-prometheus-service.yaml deleted file mode 100644 index d36514284b..0000000000 --- a/nginx-ingress/templates/controller-prometheus-service.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and .Values.prometheus.create .Values.prometheus.service.create}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "nginx-ingress.prometheus.serviceName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} - {{- if .Values.prometheus.service.labels -}} - {{- toYaml .Values.prometheus.service.labels | nindent 4 }} - {{- end }} -spec: - clusterIP: None - ports: - - name: prometheus - protocol: TCP - port: {{ .Values.prometheus.port }} - targetPort: {{ .Values.prometheus.port }} - selector: - {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/nginx-ingress/templates/controller-role.yaml b/nginx-ingress/templates/controller-role.yaml deleted file mode 100644 index cb75d99cc3..0000000000 --- a/nginx-ingress/templates/controller-role.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if .Values.rbac.create }} -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "nginx-ingress.fullname" . }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} -rules: -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - pods - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - {{ include "nginx-ingress.leaderElectionName" . }} - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -{{- end }} diff --git a/nginx-ingress/templates/controller-rolebinding.yaml b/nginx-ingress/templates/controller-rolebinding.yaml deleted file mode 100644 index 51ee528da3..0000000000 --- a/nginx-ingress/templates/controller-rolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.rbac.create }} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "nginx-ingress.fullname" . }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "nginx-ingress.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ include "nginx-ingress.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/nginx-ingress/templates/controller-secret.yaml b/nginx-ingress/templates/controller-secret.yaml deleted file mode 100644 index f9941e8878..0000000000 --- a/nginx-ingress/templates/controller-secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "nginx-ingress.defaultTLSName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -type: kubernetes.io/tls -data: - tls.crt: {{ .Values.controller.defaultTLS.cert }} - tls.key: {{ .Values.controller.defaultTLS.key }} -{{- end }} diff --git a/nginx-ingress/templates/controller-service.yaml b/nginx-ingress/templates/controller-service.yaml deleted file mode 100644 index 0073813227..0000000000 --- a/nginx-ingress/templates/controller-service.yaml +++ /dev/null @@ -1,72 +0,0 @@ -{{- if .Values.controller.service.create }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "nginx-ingress.controller.service.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.service.extraLabels }} -{{ toYaml .Values.controller.service.extraLabels | indent 4 }} -{{- end }} -{{- if .Values.controller.service.annotations }} - annotations: -{{ toYaml .Values.controller.service.annotations | indent 4 }} -{{- end }} -spec: -{{- if .Values.controller.service.clusterIP }} - clusterIP: {{ .Values.controller.service.clusterIP }} -{{- end }} -{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} - {{- if .Values.controller.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} - {{- end }} -{{- end }} -{{- if eq .Values.controller.service.type "LoadBalancer" }} - {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} - {{- end }} - {{- if .Values.controller.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} - {{- end }} - {{- if .Values.controller.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} - {{- end }} -{{- end }} - type: {{ .Values.controller.service.type }} - {{- if .Values.controller.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} - {{- end }} - {{- if .Values.controller.service.ipFamilies }} - ipFamilies: {{ .Values.controller.service.ipFamilies }} - {{- end }} - ports: -{{- if .Values.controller.service.customPorts }} -{{ toYaml .Values.controller.service.customPorts | indent 2 }} -{{ end }} -{{- if .Values.controller.service.httpPort.enable }} - - port: {{ .Values.controller.service.httpPort.port }} - targetPort: {{ .Values.controller.service.httpPort.targetPort }} - protocol: TCP - name: {{ .Values.controller.service.httpPort.name }} - {{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} - nodePort: {{ .Values.controller.service.httpPort.nodePort }} - {{- end }} -{{- end }} -{{- if .Values.controller.service.httpsPort.enable }} - - port: {{ .Values.controller.service.httpsPort.port }} - targetPort: {{ .Values.controller.service.httpsPort.targetPort }} - protocol: TCP - name: {{ .Values.controller.service.httpsPort.name }} - {{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} - nodePort: {{ .Values.controller.service.httpsPort.nodePort }} - {{- end }} -{{- end }} - selector: - {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} - {{- if .Values.controller.service.externalIPs }} - externalIPs: -{{ toYaml .Values.controller.service.externalIPs | indent 4 }} - {{- end }} -{{- end }} diff --git a/nginx-ingress/templates/controller-serviceaccount.yaml b/nginx-ingress/templates/controller-serviceaccount.yaml deleted file mode 100644 index 8cde4f5b01..0000000000 --- a/nginx-ingress/templates/controller-serviceaccount.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "nginx-ingress.serviceAccountName" . }} -{{- if .Values.controller.serviceAccount.annotations }} - annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} -{{- end }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} -imagePullSecrets: -{{- end }} - -{{- if .Values.controller.serviceAccount.imagePullSecretName }} -- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} -{{- end }} - -{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} -{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} -- name: {{ . }} -{{- end }} -{{- end }} -{{- end }} diff --git a/nginx-ingress/templates/controller-servicemonitor.yaml b/nginx-ingress/templates/controller-servicemonitor.yaml deleted file mode 100644 index e1a4268f95..0000000000 --- a/nginx-ingress/templates/controller-servicemonitor.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.prometheus.serviceMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "nginx-ingress.controller.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} - {{- if .Values.prometheus.serviceMonitor.labels -}} - {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} - {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} - {{- end }} - {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} - endpoints: - {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} -{{- end }} diff --git a/nginx-ingress/templates/controller-wildcard-secret.yaml b/nginx-ingress/templates/controller-wildcard-secret.yaml deleted file mode 100644 index 3abe16c4c3..0000000000 --- a/nginx-ingress/templates/controller-wildcard-secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "nginx-ingress.wildcardTLSName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -type: kubernetes.io/tls -data: - tls.crt: {{ .Values.controller.wildcardTLS.cert }} - tls.key: {{ .Values.controller.wildcardTLS.key }} -{{- end }} diff --git a/nginx-ingress/values-icp.yaml b/nginx-ingress/values-icp.yaml deleted file mode 100644 index 2ff124b245..0000000000 --- a/nginx-ingress/values-icp.yaml +++ /dev/null @@ -1,17 +0,0 @@ -controller: - name: controller - kind: daemonset - nginxplus: true - image: - repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "5.0.0" - nodeSelector: - beta.kubernetes.io/arch: "amd64" - proxy: true - terminationGracePeriodSeconds: 60 - tolerations: - - key: "dedicated" - operator: "Exists" - effect: "NoSchedule" - - key: "CriticalAddonsOnly" - operator: "Exists" diff --git a/nginx-ingress/values-nsm.yaml b/nginx-ingress/values-nsm.yaml deleted file mode 100644 index 47d11e0571..0000000000 --- a/nginx-ingress/values-nsm.yaml +++ /dev/null @@ -1,6 +0,0 @@ -controller: - name: controller - enableLatencyMetrics: true -nginxServiceMesh: - enable: true - enableEgress: true diff --git a/nginx-ingress/values-plus.yaml b/nginx-ingress/values-plus.yaml deleted file mode 100644 index bf2d5bc56b..0000000000 --- a/nginx-ingress/values-plus.yaml +++ /dev/null @@ -1,6 +0,0 @@ -controller: - name: controller - nginxplus: true - image: - repository: nginx-plus-ingress - tag: "5.0.0" diff --git a/nginx-ingress/values.schema.json b/nginx-ingress/values.schema.json deleted file mode 100644 index 9357682e08..0000000000 --- a/nginx-ingress/values.schema.json +++ /dev/null @@ -1,2745 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2019-09/schema", - "type": "object", - "default": {}, - "title": "Root Schema", - "required": [ - "controller", - "rbac", - "prometheus", - "serviceInsight", - "nginxServiceMesh" - ], - "properties": { - "controller": { - "type": "object", - "default": {}, - "title": "The Ingress Controller Helm Schema", - "required": [ - "name", - "kind", - "image" - ], - "properties": { - "name": { - "type": "string", - "default": "", - "title": "The name of the Ingress Controller", - "examples": [ - "controller" - ] - }, - "kind": { - "type": "string", - "default": "", - "title": "The kind of the Ingress Controller", - "enum": [ - "deployment", - "daemonset" - ], - "examples": [ - "deployment", - "daemonset" - ] - }, - "selectorLabels": { - "type": "object", - "default": {}, - "title": "The selectorLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" - }, - "annotations": { - "type": "object", - "default": {}, - "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" - }, - "nginxplus": { - "type": "boolean", - "default": false, - "title": "Deploys the Ingress Controller for NGINX Plus", - "examples": [ - false, - true - ] - }, - "debug": { - "type": "object", - "default": {}, - "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", - "examples": [ - false, - true - ] - }, - "continue": { - "type": "boolean", - "default": true, - "title": "Starts Delve with --continue which means that IC will not wait for a debugger attach to start", - "examples": [ - false, - true - ] - } - }, - "examples": [ - { - "enable": true, - "continue": "fatal" - } - ] - }, - "mgmt": { - "type": "object", - "default": {}, - "title": "The mgmt block Schema", - "properties": { - "licenseTokenSecretName": { - "type": "string", - "default": "", - "title": "The licenseTokenSecretName Schema", - "examples": [ - "nginx-plus-secret", - "license-token", - "license" - ] - }, - "sslCertificateSecretName": { - "type": "string", - "default": "", - "title": "The sslCertificateSecretName Schema", - "examples": [ - "ssl-certificate" - ] - }, - "usageReport": { - "type": "object", - "default": {}, - "title": "The usageReport Schema", - "properties": { - "endpoint": { - "type": "string", - "title": "The endpoint of the usageReport", - "default": "", - "examples": [ - "", - "product.connect.nginx.com", - "nginx-mgmt.local" - ] - }, - "interval": { - "type": "string", - "pattern": "^[0-9]+[mhd]$", - "default": "1h", - "title": "The usage report interval Schema", - "examples": [ - "1m", - "1h", - "24h" - ] - }, - "proxyHost": { - "type": "string", - "title": "The proxy hostname with optional port", - "default": "", - "examples": [ - "proxy.example.com", - "proxy.local", - "proxy", - "192.168.1.254", - "proxy.example.com:3128", - "proxy.local:3128", - "proxy:3128", - "192.168.1.254:3128" - ] - }, - "proxyCredentialsSecretName": { - "type": "string", - "default": "", - "title": "The secret containing the proxy username/password combination. Must contain a `username` and `password` field", - "examples": [ - "proxy-credentials" - ] - } - } - }, - "enforceInitialReport": { - "type": "boolean", - "default": false, - "title": "The enforceInitialReport Schema", - "examples": [ - true, - false - ] - }, - "sslVerify": { - "type": "boolean", - "default": true, - "title": "The sslVerify Schema", - "examples": [ - true, - false - ] - }, - "resolver": { - "type": "object", - "default": {}, - "title": "The resolver Schema", - "properties": { - "addresses": { - "type": "array", - "default": [], - "title": "List of resolver addresses/fqdns" - }, - "valid": { - "type": "string", - "pattern": "^[0-9]+[smhdwMy]$", - "title": "A valid nginx time", - "examples": [ - "1m", - "5d" - ] - }, - "ipv6": { - "type": "boolean", - "title": "turn on or off ipv6 support", - "default": false - } - } - }, - "sslTrustedCertificateSecretName": { - "type": "string", - "default": "ssl-trusted-cert", - "title": "The sslTrustedCertificateSecretName Schema", - "examples": [ - "ssl-trusted-cert", - "certificate-secret" - ] - }, - "configMapName": { - "type": "string", - "default": "", - "title": "The configMap Schema", - "examples": [ - "" - ] - } - }, - "examples": [ - { - "licenseTokenSecretName": "license-token" - } - ] - }, - "nginxReloadTimeout": { - "type": "integer", - "default": 0, - "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", - "examples": [ - 60000 - ] - }, - "appprotect": { - "type": "object", - "default": {}, - "title": "The App Protect WAF Schema", - "required": [ - "enable" - ], - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "Enable the App Protect WAF module in the Ingress Controller", - "examples": [ - false, - true - ] - }, - "v5": { - "type": "boolean", - "default": false, - "title": "Enables App Protect WAF v5.", - "examples": [ - false, - true - ] - }, - "logLevel": { - "type": "string", - "default": "", - "title": "The logLevel for App Protect WAF", - "enum": [ - "fatal", - "error", - "warn", - "info", - "debug", - "trace" - ], - "examples": [ - "fatal", - "error", - "warn", - "info", - "debug", - "trace" - ] - }, - "volumes": { - "type": "array", - "default": [ - { - "name": "app-protect-bd-config", - "emptyDir": {} - }, - { - "name": "app-protect-config", - "emptyDir": {} - }, - { - "name": "app-protect-bundles", - "emptyDir": {} - } - ], - "title": "Volumes for App Protect WAF v5", - "items": { - "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" - } - }, - "enforcer": { - "type": "object", - "properties": { - "host": { - "type": "string", - "default": "127.0.0.1", - "title": "Port which the App Protect WAF v5 Enforcer process runs on", - "examples": [ - "127.0.0.1" - ] - }, - "port": { - "type": "integer", - "default": 50000, - "title": "Port which the App Protect WAF v5 Enforcer process runs on", - "examples": [ - 50000 - ] - }, - "image": { - "type": "object", - "default": {}, - "title": "The image Schema", - "required": [ - "repository" - ], - "properties": { - "repository": { - "type": "string", - "default": "private-registry.nginx.com/nap/waf-enforcer", - "title": "The repository of the App Protect WAF v5 Enforcer image", - "examples": [ - "private-registry.nginx.com/nap/waf-enforcer" - ] - }, - "tag": { - "type": "string", - "default": "5.6.0", - "title": "The tag of the App Protect WAF v5 Enforcer image", - "examples": [ - "5.6.0" - ] - }, - "digest": { - "type": "string", - "default": "", - "title": "The digest of the App Protect WAF v5 Enforcer image", - "examples": [ - "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" - ] - }, - "pullPolicy": { - "type": "string", - "default": "IfNotPresent", - "title": "The pullPolicy for the App Protect WAF v5 Enforcer image", - "allOf": [ - { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" - }, - { - "enum": [ - "Always", - "IfNotPresent", - "Never" - ] - } - ], - "examples": [ - "Always", - "IfNotPresent", - "Never" - ] - } - }, - "examples": [ - { - "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.6.0", - "pullPolicy": "IfNotPresent" - } - ] - }, - "securityContext": { - "type": "object", - "default": {}, - "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" - } - } - }, - "configManager": { - "type": "object", - "properties": { - "image": { - "type": "object", - "default": {}, - "title": "The image Schema", - "required": [ - "repository" - ], - "properties": { - "repository": { - "type": "string", - "default": "private-registry.nginx.com/nap/waf-config-mgr", - "title": "The repository of the App Protect WAF v5 Config Manager image", - "examples": [ - "private-registry.nginx.com/nap/waf-config-mgr" - ] - }, - "tag": { - "type": "string", - "default": "5.6.0", - "title": "The tag of the App Protect WAF v5 Config Manager image", - "examples": [ - "5.6.0" - ] - }, - "digest": { - "type": "string", - "default": "", - "title": "The digest of the App Protect WAF v5 Config Manager image", - "examples": [ - "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" - ] - }, - "pullPolicy": { - "type": "string", - "default": "IfNotPresent", - "title": "The pullPolicy for the App Protect WAF v5 Config Manager image", - "allOf": [ - { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" - }, - { - "enum": [ - "Always", - "IfNotPresent", - "Never" - ] - } - ], - "examples": [ - "Always", - "IfNotPresent", - "Never" - ] - } - }, - "examples": [ - { - "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.6.0", - "pullPolicy": "IfNotPresent" - } - ] - }, - "securityContext": { - "type": "object", - "default": { - "allowPrivilegeEscalation": false, - "runAsUser": 101, - "runAsNonRoot": true, - "capabilities": { - "drop": [ - "all" - ] - } - }, - "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" - } - } - } - }, - "examples": [ - { - "enable": true, - "logLevel": "fatal" - } - ] - }, - "appprotectdos": { - "type": "object", - "default": {}, - "title": "The App Protect DoS Schema", - "required": [ - "enable" - ], - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "Enable the App Protect DoS module in the Ingress Controller", - "examples": [ - false, - true - ] - }, - "debug": { - "type": "boolean", - "default": false, - "title": "debugging for App Protect DoS", - "examples": [ - false, - true - ] - }, - "maxWorkers": { - "type": "integer", - "default": 0, - "title": "Max number of nginx processes to support", - "examples": [ - 0 - ] - }, - "maxDaemons": { - "type": "integer", - "default": 0, - "title": "Max number of ADMD instances", - "examples": [ - 0 - ] - }, - "memory": { - "type": "integer", - "default": 0, - "title": "RAM memory size to consume in MB", - "examples": [ - 0 - ] - } - }, - "examples": [ - { - "enable": true, - "debug": false, - "maxWorkers": 0, - "maxDaemons": 0, - "memory": 0 - } - ] - }, - "hostNetwork": { - "type": "boolean", - "default": false, - "title": "The hostNetwork Schema", - "examples": [ - false, - true - ] - }, - "hostPort": { - "type": "object", - "default": {}, - "title": "The hostPort Schema", - "patternProperties": { - "^.*$": { - "anyOf": [ - { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" - }, - { - "type": "boolean" - } - ] - } - }, - "additionalProperties": false - }, - "containerPort": { - "type": "object", - "default": {}, - "title": "The containerPort Schema", - "patternProperties": { - "^.*$": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" - } - }, - "additionalProperties": false - }, - "dnsPolicy": { - "type": "string", - "allOf": [ - { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" - }, - { - "enum": [ - "ClusterFirstWithHostNet", - "ClusterFirst", - "Default", - "None" - ] - } - ] - }, - "nginxDebug": { - "type": "boolean", - "default": false, - "title": "Enables debugging for NGINX", - "examples": [ - false, - true - ] - }, - "shareProcessNamespace": { - "type": "boolean", - "default": false, - "title": "Enables sharing of the process namespace between pods within the Ingress Controller", - "examples": [ - false, - true - ] - }, - "logLevel": { - "type": "string", - "default": "info", - "title": "The logLevel of the Ingress Controller", - "enum": [ - "trace", - "debug", - "info", - "warning", - "error", - "fatal" - ], - "examples": [ - "info" - ] - }, - "logFormat": { - "type": "string", - "default": "glog", - "title": "The logFormat of the Ingress Controller", - "enum": [ - "glog", - "json", - "text" - ], - "examples": [ - "json" - ] - }, - "customPorts": { - "type": "array", - "default": [], - "title": "The customPorts to expose on the NGINX Ingress Controller pod", - "items": { - "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" - }, - "examples": [ - [ - { - "name": "http", - "containerPort": 80, - "protocol": "TCP" - }, - { - "name": "https", - "containerPort": 443, - "protocol": "TCP" - } - ] - ] - }, - "image": { - "type": "object", - "default": {}, - "title": "The image Schema", - "required": [ - "repository" - ], - "properties": { - "repository": { - "type": "string", - "default": "nginx/nginx-ingress", - "title": "The repository of the Ingress Controller", - "examples": [ - "nginx/nginx-ingress" - ] - }, - "tag": { - "type": "string", - "default": "5.0.0", - "title": "The tag of the Ingress Controller image", - "examples": [ - "5.0.0" - ] - }, - "digest": { - "type": "string", - "default": "", - "title": "The digest of the Ingress Controller image", - "examples": [ - "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" - ] - }, - "pullPolicy": { - "type": "string", - "default": "IfNotPresent", - "title": "The pullPolicy for the Ingress Controller image", - "allOf": [ - { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" - }, - { - "enum": [ - "Always", - "IfNotPresent", - "Never" - ] - } - ], - "examples": [ - "Always", - "IfNotPresent", - "Never" - ] - } - }, - "examples": [ - { - "repository": "nginx/nginx-ingress", - "tag": "5.0.0", - "pullPolicy": "IfNotPresent" - } - ] - }, - "lifecycle": { - "type": "object", - "default": {}, - "title": "The lifecycle Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" - }, - "customConfigMap": { - "type": "string", - "default": "", - "title": "The customConfigMap Schema", - "examples": [ - "" - ] - }, - "config": { - "type": "object", - "default": {}, - "title": "The config Schema", - "required": [], - "properties": { - "name": { - "type": "string", - "default": "", - "title": "The name Schema", - "examples": [ - "" - ] - }, - "annotations": { - "type": "object", - "default": {}, - "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" - }, - "entries": { - "type": "object", - "default": {}, - "title": "The entries Schema", - "required": [], - "properties": {}, - "examples": [ - {} - ] - } - }, - "examples": [ - { - "name": "", - "annotations": {}, - "entries": {} - } - ] - }, - "defaultTLS": { - "type": "object", - "default": {}, - "title": "The defaultTLS Schema", - "required": [], - "properties": { - "cert": { - "type": "string", - "default": "", - "title": "The cert Schema", - "examples": [] - }, - "key": { - "type": "string", - "default": "", - "title": "The key Schema", - "examples": [] - }, - "secret": { - "type": "string", - "default": "", - "title": "The secret Schema", - "examples": [ - "" - ] - } - }, - "examples": [] - }, - "wildcardTLS": { - "type": "object", - "default": {}, - "title": "The wildcardTLS Schema", - "required": [], - "properties": { - "cert": { - "type": "string", - "default": "", - "title": "The cert Schema", - "examples": [ - "" - ] - }, - "key": { - "type": "string", - "default": "", - "title": "The key Schema", - "examples": [ - "" - ] - }, - "secret": { - "type": "string", - "default": "", - "title": "The secret Schema", - "examples": [ - "" - ] - } - }, - "examples": [] - }, - "nodeSelector": { - "type": "object", - "default": {}, - "title": "The nodeSelector Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" - }, - "terminationGracePeriodSeconds": { - "type": "integer", - "default": 30, - "title": "The terminationGracePeriodSeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" - }, - "podSecurityContext": { - "type": "object", - "default": {}, - "title": "The podSecurityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" - }, - "securityContext": { - "type": "object", - "default": {}, - "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" - }, - "initContainerSecurityContext": { - "type": "object", - "default": {}, - "title": "The initContainerSecurityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" - }, - "resources": { - "type": "object", - "default": {}, - "title": "The resources Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" - }, - "initContainerResources": { - "type": "object", - "default": {}, - "title": "The resources Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" - }, - "tolerations": { - "type": "array", - "default": [], - "title": "The tolerations Schema", - "items": { - "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" - } - }, - "affinity": { - "type": "object", - "default": {}, - "title": "The affinity Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" - }, - "topologySpreadConstraints": { - "type": "object", - "default": {}, - "title": "The topologySpreadConstraints Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" - }, - "env": { - "type": "array", - "default": [], - "title": "The env Schema", - "items": { - "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" - } - }, - "volumes": { - "type": "array", - "default": [], - "title": "The volumes Schema", - "items": { - "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" - } - }, - "volumeMounts": { - "type": "array", - "default": [], - "title": "The volumeMounts Schema", - "items": { - "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" - } - }, - "initContainers": { - "type": "array", - "default": [], - "title": "The initContainers Schema", - "items": { - "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container" - } - }, - "minReadySeconds": { - "type": "integer", - "default": 0, - "title": "The minReadySeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" - }, - "strategy": { - "type": "object", - "default": {}, - "title": "The strategy Schema", - "allOf": [ - { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" - }, - { - "properties": { - "type": { - "type": "string", - "enum": [ - "Recreate", - "RollingUpdate", - "OnDelete" - ] - } - } - } - ] - }, - "extraContainers": { - "type": "array", - "default": [], - "title": "The extraContainers Schema", - "items": { - "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container" - } - }, - "replicaCount": { - "type": "integer", - "default": 1, - "title": "The replicaCount", - "examples": [ - 1 - ] - }, - "ingressClass": { - "type": "object", - "default": {}, - "title": "The ingressClass", - "required": [], - "properties": { - "create": { - "type": "boolean", - "default": true, - "title": "The create", - "examples": [ - true - ] - }, - "name": { - "type": "string", - "default": "", - "title": "The ingressClass name", - "examples": [ - "nginx" - ] - }, - "setAsDefaultIngress": { - "type": "boolean", - "default": false, - "title": "The setAsDefaultIngress", - "examples": [ - false - ] - } - } - }, - "watchNamespace": { - "type": "string", - "default": "", - "title": "The watchNamespace", - "examples": [ - "" - ] - }, - "watchSecretNamespace": { - "type": "string", - "default": "", - "title": "The watchSecretNamespace", - "examples": [ - "" - ] - }, - "enableCustomResources": { - "type": "boolean", - "default": false, - "title": "The enableCustomResources", - "examples": [ - true - ] - }, - "enableOIDC": { - "type": "boolean", - "default": false, - "title": "The enableOIDC", - "examples": [ - false - ] - }, - "enableTLSPassthrough": { - "type": "boolean", - "default": false, - "title": "The enableTLSPassthrough", - "examples": [ - false - ] - }, - "tlsPassthroughPort": { - "type": "integer", - "default": 443, - "title": "The tlsPassthroughPort", - "examples": [ - 443 - ] - }, - "enableCertManager": { - "type": "boolean", - "default": false, - "title": "The enableCertManager", - "examples": [ - false - ] - }, - "enableExternalDNS": { - "type": "boolean", - "default": false, - "title": "The enableExternalDNS", - "examples": [ - false - ] - }, - "globalConfiguration": { - "type": "object", - "default": {}, - "title": "The globalConfiguration Schema", - "required": [ - "create", - "spec" - ], - "properties": { - "create": { - "type": "boolean", - "default": false, - "title": "The create Schema", - "examples": [ - false - ] - }, - "spec": { - "type": "object", - "default": {}, - "title": "The spec Schema", - "required": [], - "properties": { - "listeners": { - "type": "array", - "default": [], - "title": "The listeners Schema", - "items": { - "type": "object", - "default": {}, - "properties": { - "port": { - "type": "integer", - "default": 0, - "title": "The port", - "examples": [ - 5353 - ] - }, - "protocol": { - "type": "string", - "default": "", - "title": "The protocol", - "examples": [ - "TCP" - ] - }, - "name": { - "type": "string", - "default": "", - "title": "The name", - "examples": [ - "dns-tcp" - ] - }, - "ipv4": { - "type": "string", - "default": "", - "title": "The ipv4 ip", - "examples": [ - "127.0.0.1" - ] - }, - "ipv6": { - "type": "string", - "default": "", - "title": "The ipv6 ip", - "examples": [ - "::1" - ] - } - } - } - } - }, - "examples": [ - {} - ] - } - }, - "examples": [ - { - "create": false, - "spec": {} - } - ] - }, - "enableSnippets": { - "type": "boolean", - "default": false, - "title": "The enableSnippets", - "examples": [ - false - ] - }, - "healthStatus": { - "type": "boolean", - "default": false, - "title": "The healthStatus", - "examples": [ - false - ] - }, - "healthStatusURI": { - "type": "string", - "format": "uri-reference", - "default": "/nginx-health", - "title": "The healthStatusURI Schema", - "examples": [ - "/nginx-health" - ] - }, - "nginxStatus": { - "type": "object", - "default": {}, - "title": "The nginxStatus Schema", - "required": [], - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "The enable", - "examples": [ - true - ] - }, - "port": { - "type": "integer", - "default": 8080, - "title": "The port", - "examples": [ - 8080 - ] - }, - "allowCidrs": { - "type": "string", - "default": "127.0.0.1", - "title": "The allowCidrs", - "examples": [ - "127.0.0.1" - ] - } - }, - "examples": [ - { - "enable": true, - "port": 8080, - "allowCidrs": "127.0.0.1" - } - ] - }, - "service": { - "type": "object", - "default": {}, - "title": "The service Schema", - "required": [], - "properties": { - "create": { - "type": "boolean", - "default": false, - "title": "The create", - "examples": [ - true - ] - }, - "type": { - "type": "string", - "default": "", - "title": "The type", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" - }, - "externalTrafficPolicy": { - "type": "string", - "default": "", - "title": "The externalTrafficPolicy", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" - }, - "annotations": { - "type": "object", - "default": {}, - "title": "The annotations", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" - }, - "extraLabels": { - "type": "object", - "default": {}, - "title": "The extraLabels", - "required": [], - "properties": {}, - "examples": [ - {} - ] - }, - "loadBalancerIP": { - "type": "string", - "default": "", - "title": "The loadBalancerIP", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" - }, - "externalIPs": { - "type": "array", - "default": [], - "title": "The externalIPs", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" - }, - "loadBalancerSourceRanges": { - "type": "array", - "default": [], - "title": "The loadBalancerSourceRanges", - "items": {}, - "examples": [ - [] - ] - }, - "allocateLoadBalancerNodePorts": { - "type": "boolean", - "default": false, - "title": "The allocateLoadBalancerNodePorts Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" - }, - "ipFamilyPolicy": { - "type": "string", - "default": "", - "title": "The ipFamilyPolicy Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", - "examples": [ - "" - ] - }, - "ipFamilies": { - "type": "array", - "default": [], - "title": "The ipFamilies Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" - }, - "httpPort": { - "type": "object", - "default": {}, - "title": "The httpPort", - "required": [], - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "The enable", - "examples": [ - true - ] - }, - "port": { - "type": "integer", - "default": 0, - "title": "The port", - "examples": [ - 80 - ] - }, - "nodePort": { - "type": "integer", - "default": 0, - "title": "The nodePort", - "examples": [ - 443 - ] - }, - "targetPort": { - "type": "integer", - "default": 0, - "title": "The targetPort", - "examples": [ - 80 - ] - }, - "name": { - "type": "string", - "default": "http", - "title": "The httpPort name", - "examples": [ - "http" - ] - } - }, - "examples": [ - { - "enable": true, - "port": 80, - "nodePort": "", - "targetPort": 80, - "name": "http" - } - ] - }, - "httpsPort": { - "type": "object", - "default": {}, - "title": "The httpsPort", - "required": [], - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "The enable", - "examples": [ - true - ] - }, - "port": { - "type": "integer", - "default": 0, - "title": "The port", - "examples": [ - 443 - ] - }, - "nodePort": { - "type": "integer", - "default": 0, - "title": "The nodePort", - "examples": [ - 443 - ] - }, - "targetPort": { - "type": "integer", - "default": 0, - "title": "The targetPort", - "examples": [ - 443 - ] - } - }, - "name": { - "type": "string", - "default": "https", - "title": "The httpsPort name", - "examples": [ - "https" - ] - }, - "examples": [ - { - "enable": true, - "port": 443, - "nodePort": "", - "targetPort": 443, - "name": "https" - } - ] - }, - "customPorts": { - "type": "array", - "default": [], - "title": "The customPorts", - "items": { - "type": "object", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" - } - } - }, - "examples": [ - { - "create": true, - "type": "LoadBalancer", - "externalTrafficPolicy": "Local", - "annotations": {}, - "extraLabels": {}, - "loadBalancerIP": "", - "externalIPs": [], - "loadBalancerSourceRanges": [], - "name": "", - "allocateLoadBalancerNodePorts": false, - "ipFamilyPolicy": "", - "ipFamilies": [], - "httpPort": { - "enable": true, - "port": 80, - "targetPort": 80, - "name": "http" - }, - "httpsPort": { - "enable": true, - "port": 443, - "targetPort": 443, - "name": "https" - }, - "customPorts": [] - } - ] - }, - "serviceAccount": { - "type": "object", - "default": {}, - "title": "The serviceAccount Schema", - "required": [], - "properties": { - "annotations": { - "type": "object", - "default": {}, - "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" - }, - "name": { - "type": "string", - "default": "", - "title": "The name Schema", - "examples": [ - "" - ] - }, - "imagePullSecretName": { - "type": "string", - "default": "", - "title": "The imagePullSecretName", - "examples": [ - "" - ] - }, - "imagePullSecretsNames": { - "type": "array", - "default": [], - "title": "The imagePullSecretName list", - "examples": [ - [] - ] - } - }, - "oneOf": [ - { - "properties": { - "imagePullSecretName": { - "maxLength": 0 - }, - "imagePullSecretsNames": { - "minItems": 1 - } - }, - "required": [ - "imagePullSecretsNames" - ] - }, - { - "properties": { - "imagePullSecretName": { - "minLength": 1 - }, - "imagePullSecretsNames": { - "maxItems": 0 - } - }, - "required": [ - "imagePullSecretName" - ] - }, - { - "properties": { - "imagePullSecretName": { - "maxLength": 0 - }, - "imagePullSecretsNames": { - "maxItems": 0 - } - }, - "required": [ - "imagePullSecretName", - "imagePullSecretsNames" - ] - }, - { - "properties": { - "imagePullSecretName": { - "maxLength": 0 - }, - "imagePullSecretsNames": { - "maxItems": 0 - } - }, - "not": { - "required": [ - "imagePullSecretName", - "imagePullSecretsNames" - ] - } - } - ], - "examples": [ - { - "name": "", - "imagePullSecretName": "", - "imagePullSecretsNames": [] - } - ] - }, - "reportIngressStatus": { - "type": "object", - "default": {}, - "title": "The reportIngressStatus Schema", - "required": [ - "enable" - ], - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "The enable", - "examples": [ - true - ] - }, - "externalService": { - "type": "string", - "default": "", - "title": "The externalService", - "examples": [ - "" - ] - }, - "ingressLink": { - "type": "string", - "default": "", - "title": "The ingressLink", - "examples": [ - "" - ] - }, - "enableLeaderElection": { - "type": "boolean", - "default": false, - "title": "The enableLeaderElection", - "examples": [ - true - ] - }, - "leaderElectionLockName": { - "type": "string", - "default": "", - "title": "The leaderElectionLockName", - "examples": [ - "" - ] - }, - "annotations": { - "type": "object", - "default": {}, - "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" - } - }, - "examples": [ - { - "enable": true, - "externalService": "", - "ingressLink": "", - "enableLeaderElection": true, - "leaderElectionLockName": "", - "annotations": {} - } - ] - }, - "pod": { - "type": "object", - "default": {}, - "title": "The pod Schema", - "required": [], - "properties": { - "annotations": { - "type": "object", - "default": {}, - "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" - }, - "extraLabels": { - "type": "object", - "default": {}, - "title": "The extraLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" - } - }, - "examples": [ - { - "annotations": {}, - "extraLabels": {} - } - ] - }, - "priorityClassName": { - "type": "string", - "default": "", - "title": "The priorityClassName", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" - }, - "podDisruptionBudget": { - "type": "object", - "default": {}, - "title": "The podDisruptionBudget Schema", - "required": [ - "enabled" - ], - "properties": { - "enabled": { - "type": "boolean" - }, - "annotations": { - "type": "object", - "default": {}, - "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" - }, - "minAvailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" - }, - "maxUnavailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" - } - }, - "examples": [ - { - "enable": true, - "minAvailable": 1 - }, - { - "enable": true, - "maxUnavailable": 1 - } - ] - }, - "readyStatus": { - "type": "object", - "default": {}, - "title": "The readyStatus", - "required": [], - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "The enable", - "examples": [ - true - ] - }, - "port": { - "type": "integer", - "default": 0, - "title": "The port", - "examples": [ - 8081 - ] - }, - "initialDelaySeconds": { - "type": "integer", - "default": 0, - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" - } - }, - "examples": [ - { - "enable": true, - "port": 8081, - "initialDelaySeconds": 0 - } - ] - }, - "enableLatencyMetrics": { - "type": "boolean", - "default": false, - "title": "The enableLatencyMetrics", - "examples": [ - false - ] - }, - "disableIPV6": { - "type": "boolean", - "default": false, - "title": "The disableIPV6", - "examples": [ - false - ] - }, - "defaultHTTPListenerPort": { - "type": "integer", - "default": 80, - "title": "The defaultHTTPListenerPort", - "examples": [ - 80 - ] - }, - "defaultHTTPSListenerPort": { - "type": "integer", - "default": 443, - "title": "The defaultHTTPSListenerPort", - "examples": [ - 443 - ] - }, - "readOnlyRootFilesystem": { - "type": "boolean", - "default": false, - "title": "The readOnlyRootFilesystem", - "examples": [ - false - ] - }, - "enableSSLDynamicReload": { - "type": "boolean", - "default": true, - "title": "Enable dynamic certificate reloads for NGINX Plus", - "examples": [ - true - ] - }, - "telemetryReporting": { - "type": "object", - "default": {}, - "title": "Configure telemetry reporting options", - "required": [], - "properties": { - "enable": { - "type": "boolean", - "default": true, - "title": "Enable telemetry reporting", - "examples": [ - true - ] - } - } - }, - "enableWeightChangesDynamicReload": { - "type": "boolean", - "default": false, - "title": "Enables weight changes without reloading for NGINX Plus", - "examples": [ - false - ] - } - }, - "examples": [ - { - "name": "controller", - "kind": "deployment", - "nginxplus": false, - "nginxReloadTimeout": 60000, - "appprotect": { - "enable": false, - "v5": false, - "logLevel": "fatal", - "volumes": [ - { - "name": "app-protect-bd-config", - "emptyDir": {} - }, - { - "name": "app-protect-config", - "emptyDir": {} - }, - { - "name": "app-protect-bundles", - "emptyDir": {} - } - ], - "enforcer": { - "host": "127.0.0.1", - "port": 50000, - "image": { - "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.6.0", - "pullPolicy": "IfNotPresent" - }, - "securityContext": {} - }, - "configManager": { - "image": { - "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.6.0", - "pullPolicy": "IfNotPresent" - }, - "securityContext": { - "allowPrivilegeEscalation": false, - "runAsUser": 101, - "runAsNonRoot": true, - "capabilities": { - "drop": [ - "all" - ] - } - } - } - }, - "appprotectdos": { - "enable": false, - "debug": false, - "maxWorkers": 0, - "maxDaemons": 0, - "memory": 0 - }, - "hostNetwork": false, - "hostPort": { - "enable": false, - "http": 80, - "https": 443 - }, - "containerPort": { - "http": 80, - "https": 443 - }, - "dnsPolicy": "ClusterFirst", - "nginxDebug": false, - "shareProcessNamespace": false, - "logLevel": "info", - "logFormat": "glog", - "customPorts": [], - "image": { - "repository": "nginx/nginx-ingress", - "tag": "5.0.0", - "digest": "", - "pullPolicy": "IfNotPresent" - }, - "lifecycle": {}, - "customConfigMap": "", - "config": { - "name": "", - "annotations": {}, - "entries": {} - }, - "defaultTLS": { - "cert": "", - "key": "", - "secret": "" - }, - "wildcardTLS": { - "cert": "", - "key": "", - "secret": "" - }, - "nodeSelector": {}, - "terminationGracePeriodSeconds": 30, - "autoscaling": { - "enabled": false, - "annotations": {}, - "minReplicas": 1, - "maxReplicas": 3, - "targetCPUUtilizationPercentage": 50, - "targetMemoryUtilizationPercentage": 50, - "behavior": {} - }, - "resources": { - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "podSecurityContext": { - "seccompProfile": { - "type": "RuntimeDefault" - } - }, - "securityContext": {}, - "initContainerSecurityContext": {}, - "initContainerResources": { - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "tolerations": [], - "affinity": {}, - "env": [], - "volumes": [], - "volumeMounts": [], - "initContainers": [], - "minReadySeconds": 0, - "podDisruptionBudget": { - "enabled": false, - "annotations": {}, - "minAvailable": 1, - "minUnavailable": 1 - }, - "strategy": {}, - "extraContainers": [], - "replicaCount": 1, - "ingressClass": { - "name": "nginx", - "create": true, - "setAsDefaultIngress": false - }, - "watchNamespace": "", - "enableCustomResources": true, - "enableOIDC": false, - "enableTLSPassthrough": false, - "tlsPassthroughPort": 443, - "enableCertManager": false, - "enableExternalDNS": false, - "globalConfiguration": { - "create": false, - "spec": {} - }, - "enableSnippets": false, - "healthStatus": false, - "healthStatusURI": "/nginx-health", - "nginxStatus": { - "enable": true, - "port": 8080, - "allowCidrs": "127.0.0.1" - }, - "service": { - "create": true, - "type": "LoadBalancer", - "externalTrafficPolicy": "Local", - "annotations": {}, - "extraLabels": {}, - "loadBalancerIP": "", - "clusterIP": "", - "externalIPs": [], - "loadBalancerSourceRanges": [], - "allocateLoadBalancerNodePorts": false, - "ipFamilyPolicy": "", - "ipFamilies": [], - "httpPort": { - "enable": true, - "port": 80, - "nodePort": 8443, - "targetPort": 80 - }, - "httpsPort": { - "enable": true, - "port": 443, - "nodePort": 8443, - "targetPort": 443 - }, - "customPorts": [] - }, - "serviceAccount": { - "annotations": {}, - "name": "", - "imagePullSecretName": "", - "imagePullSecretsNames": [] - }, - "reportIngressStatus": { - "enable": true, - "externalService": "", - "ingressLink": "", - "enableLeaderElection": true, - "leaderElectionLockName": "", - "annotations": {} - }, - "pod": { - "annotations": {}, - "extraLabels": {} - }, - "priorityClassName": "", - "readyStatus": { - "enable": true, - "port": 8081, - "initialDelaySeconds": 0 - }, - "enableLatencyMetrics": false, - "disableIPV6": false, - "defaultHTTPListenerPort": 80, - "defaultHTTPSListenerPort": 443, - "readOnlyRootFilesystem": false, - "enableSSLDynamicReload": true, - "telemetryReporting": { - "enable": true - }, - "enableWeightChangesDynamicReload": false - } - ] - }, - "rbac": { - "type": "object", - "default": {}, - "title": "The rbac Schema", - "required": [ - "create" - ], - "properties": { - "create": { - "type": "boolean", - "default": false, - "title": "The create Schema", - "examples": [ - true - ] - } - }, - "examples": [ - { - "create": true - } - ] - }, - "prometheus": { - "type": "object", - "default": {}, - "title": "The prometheus Schema", - "required": [ - "create" - ], - "properties": { - "create": { - "type": "boolean", - "default": false, - "title": "The create", - "examples": [ - true - ] - }, - "port": { - "type": "integer", - "default": 9113, - "title": "The port", - "examples": [ - 9113 - ] - }, - "secret": { - "type": "string", - "default": "", - "title": "The secret", - "examples": [ - "" - ] - }, - "scheme": { - "type": "string", - "default": "http", - "title": "The scheme", - "examples": [ - "http" - ] - }, - "service": { - "type": "object", - "default": {}, - "properties": { - "create": { - "type": "boolean", - "default": false, - "title": "The create", - "examples": [ - true - ] - }, - "labels": { - "type": "object", - "default": {}, - "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" - } - } - }, - "serviceMonitor": { - "type": "object", - "default": {}, - "title": "The serviceMonitor Schema", - "required": [], - "properties": { - "create": { - "type": "boolean", - "default": false, - "title": "The create", - "examples": [ - false - ] - }, - "labels": { - "type": "object", - "default": {}, - "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" - }, - "selectorMatchLabels": { - "type": "object", - "default": {}, - "title": "The selectorMatchLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.32.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" - }, - "endpoints": { - "type": "array", - "default": [], - "title": "The endpoints", - "required": [], - "items": {} - } - }, - "examples": [ - { - "create": false, - "labels": {}, - "selectorMatchLabels": {}, - "endpoints": [] - } - ] - } - }, - "examples": [ - { - "create": true, - "port": 9113, - "secret": "", - "scheme": "http" - } - ] - }, - "serviceInsight": { - "type": "object", - "default": {}, - "title": "The Service Insight Schema", - "required": [ - "create" - ], - "properties": { - "create": { - "type": "boolean", - "default": false, - "title": "The create", - "examples": [ - true - ] - }, - "port": { - "type": "integer", - "default": 9114, - "title": "The port", - "examples": [ - 9114 - ] - }, - "secret": { - "type": "string", - "default": "", - "title": "The secret", - "examples": [ - "" - ] - }, - "scheme": { - "type": "string", - "default": "http", - "title": "The scheme", - "examples": [ - "http" - ] - } - }, - "examples": [ - { - "create": true, - "port": 9114, - "secret": "", - "scheme": "http" - } - ] - }, - "nginxServiceMesh": { - "type": "object", - "default": {}, - "title": "The nginxServiceMesh Schema", - "required": [ - "enable" - ], - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "The enable", - "examples": [ - false - ] - }, - "enableEgress": { - "type": "boolean", - "default": false, - "title": "The enableEgress", - "examples": [ - false - ] - } - }, - "examples": [ - { - "enable": false, - "enableEgress": false - } - ] - }, - "nginxAgent": { - "type": "object", - "default": { - "enable": false - }, - "title": "Configuration for NGINX Agent.", - "required": [ - "enable" - ], - "properties": { - "enable": { - "type": "boolean", - "default": false, - "title": "Enable NGINX Agent", - "examples": [ - false - ] - }, - "instanceGroup": { - "type": "string", - "default": "", - "title": "Set the --instance-group argument for NGINX Agent", - "examples": [ - "my-instance-group" - ] - }, - "logLevel": { - "type": "string", - "default": "info", - "title": "Log level for NGINX Agent", - "enum": [ - "panic", - "fatal", - "error", - "info", - "debug", - "trace" - ], - "examples": [ - "error" - ] - }, - "instanceManager": { - "type": "object", - "default": {}, - "title": "Configuration for the connection to NGINX Instance Manager", - "examples": [], - "required": [ - "host" - ], - "properties": { - "host": { - "type": "string", - "title": "FQDN or IP for connecting to NGINX Instance Manager", - "examples": [ - "nim.example.com" - ] - }, - "grpcPort": { - "type": "integer", - "title": "Port for connecting to NGINX Instance Manager", - "default": 443, - "examples": [ - 443 - ] - }, - "sni": { - "type": "string", - "title": "Server Name Indication for NGINX Instance Manager", - "default": "", - "examples": [ - "nim.example.com" - ] - }, - "tls": { - "type": "object", - "default": {}, - "title": "TLS configuration for connection between NGINX Agent and NGINX Instance Manager", - "properties": { - "enable": { - "type": "boolean", - "default": "true", - "title": "enable TLS for NGINX Instance Manager connection" - }, - "secret": { - "type": "string", - "default": "", - "title": "kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager" - }, - "caSecret": { - "type": "string", - "default": "", - "title": "nginx.org/ca secret for verification of Instance Manager TLS" - }, - "skipVerify": { - "type": "boolean", - "default": "false", - "title": "skip certificate verification" - } - } - } - } - }, - "syslog": { - "type": "object", - "default": { - "host": "127.0.0.1", - "port": 1514 - }, - "title": "Syslog listener which NGINX Agent uses to accept messages from App Protect WAF", - "properties": { - "host": { - "type": "string", - "title": "Address for NGINX Agent to run syslog listener", - "default": "127.0.0.1", - "examples": [ - "127.0.0.1" - ] - }, - "port": { - "type": "integer", - "title": "Port for NGINX Agent to run syslog listener", - "default": 1514, - "examples": [ - 1514 - ] - } - } - }, - "napMonitoring": { - "type": "object", - "default": {}, - "title": "NGINX App Protect Monitoring config", - "properties": { - "collectorBufferSize": { - "type": "integer", - "default": 50000, - "title": "Buffer size for collector. Will contain log lines and parsed log lines", - "examples": [ - 50000 - ] - }, - "processorBufferSize": { - "type": "integer", - "default": 50000, - "title": "Buffer size for processor. Will contain log lines and parsed log lines", - "examples": [ - 50000 - ] - } - } - }, - "customConfigMap": { - "type": "string", - "title": "The name of a custom ConfigMap to use instead of the one provided by default", - "default": "", - "examples": [ - "my-custom-configmap" - ] - } - } - } - }, - "examples": [ - { - "controller": { - "name": "controller", - "kind": "deployment", - "nginxplus": false, - "nginxReloadTimeout": 60000, - "appprotect": { - "enable": false, - "v5": false, - "logLevel": "fatal", - "volumes": [ - { - "name": "app-protect-bd-config", - "emptyDir": {} - }, - { - "name": "app-protect-config", - "emptyDir": {} - }, - { - "name": "app-protect-bundles", - "emptyDir": {} - } - ], - "enforcer": { - "host": "127.0.0.1", - "port": 50000, - "image": { - "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.6.0", - "pullPolicy": "IfNotPresent" - }, - "securityContext": {} - }, - "configManager": { - "image": { - "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.6.0", - "pullPolicy": "IfNotPresent" - }, - "securityContext": { - "allowPrivilegeEscalation": false, - "runAsUser": 101, - "runAsNonRoot": true, - "capabilities": { - "drop": [ - "all" - ] - } - } - } - }, - "appprotectdos": { - "enable": false, - "debug": false, - "maxWorkers": 0, - "maxDaemons": 0, - "memory": 0 - }, - "hostNetwork": false, - "hostPort": { - "enable": false, - "http": 80, - "https": 443 - }, - "containerPort": { - "http": 80, - "https": 443 - }, - "dnsPolicy": "ClusterFirst", - "nginxDebug": false, - "shareProcessNamespace": false, - "logLevel": "info", - "logFormat": "glog", - "customPorts": [], - "image": { - "repository": "nginx/nginx-ingress", - "tag": "5.0.0", - "digest": "", - "pullPolicy": "IfNotPresent" - }, - "lifecycle": {}, - "customConfigMap": "", - "config": { - "name": "", - "annotations": {}, - "entries": {} - }, - "defaultTLS": { - "cert": "", - "key": "", - "secret": "" - }, - "wildcardTLS": { - "cert": "", - "key": "", - "secret": "" - }, - "nodeSelector": {}, - "terminationGracePeriodSeconds": 30, - "autoscaling": { - "enabled": false, - "annotations": {}, - "minReplicas": 1, - "maxReplicas": 3, - "targetCPUUtilizationPercentage": 50, - "targetMemoryUtilizationPercentage": 50, - "behavior": {} - }, - "resources": { - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "podSecurityContext": { - "seccompProfile": { - "type": "RuntimeDefault" - } - }, - "securityContext": {}, - "initContainerSecurityContext": {}, - "initContainerResources": { - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "tolerations": [], - "affinity": {}, - "env": [], - "volumes": [], - "volumeMounts": [], - "initContainers": [], - "minReadySeconds": 0, - "podDisruptionBudget": { - "enabled": false, - "annotations": {}, - "minAvailable": 1, - "minUnavailable": 1 - }, - "strategy": {}, - "extraContainers": [], - "replicaCount": 1, - "ingressClass": { - "name": "nginx", - "create": true, - "setAsDefaultIngress": false - }, - "watchNamespace": "", - "enableCustomResources": true, - "enableOIDC": false, - "enableTLSPassthrough": false, - "tlsPassthroughPort": 443, - "enableCertManager": false, - "enableExternalDNS": false, - "globalConfiguration": { - "create": false, - "spec": {} - }, - "enableSnippets": false, - "healthStatus": false, - "healthStatusURI": "/nginx-health", - "nginxStatus": { - "enable": true, - "port": 8080, - "allowCidrs": "127.0.0.1" - }, - "service": { - "create": true, - "type": "LoadBalancer", - "externalTrafficPolicy": "Local", - "annotations": {}, - "extraLabels": {}, - "loadBalancerIP": "", - "clusterIP": "", - "externalIPs": [], - "loadBalancerSourceRanges": [], - "allocateLoadBalancerNodePorts": false, - "ipFamilyPolicy": "", - "ipFamilies": [], - "httpPort": { - "enable": true, - "port": 80, - "nodePort": 8080, - "targetPort": 80 - }, - "httpsPort": { - "enable": true, - "port": 443, - "nodePort": 8443, - "targetPort": 443 - }, - "customPorts": [] - }, - "serviceAccount": { - "annotations": {}, - "name": "", - "imagePullSecretName": "", - "imagePullSecretsNames": [] - }, - "reportIngressStatus": { - "enable": true, - "externalService": "", - "ingressLink": "", - "enableLeaderElection": true, - "leaderElectionLockName": "", - "annotations": {} - }, - "pod": { - "annotations": {}, - "extraLabels": {} - }, - "priorityClassName": "", - "readyStatus": { - "enable": true, - "port": 8081, - "initialDelaySeconds": 0 - }, - "enableLatencyMetrics": false, - "disableIPV6": false, - "defaultHTTPListenerPort": 80, - "defaultHTTPSListenerPort": 443, - "readOnlyRootFilesystem": false, - "enableSSLDynamicReload": true, - "telemetryReporting": { - "enable": true - }, - "enableWeightChangesDynamicReload": false - }, - "rbac": { - "create": true, - "clusterrole": { - "create": true - } - }, - "prometheus": { - "create": true, - "port": 9113, - "secret": "", - "scheme": "http", - "service": { - "create": false, - "labels": { - "service": "nginx-ingress-prometheus-service" - } - }, - "serviceMonitor": { - "create": false, - "labels": {}, - "selectorMatchLabels": { - "service": "nginx-ingress-prometheus-service" - }, - "endpoints": [ - { - "port": "prometheus" - } - ] - } - }, - "serviceInsight": { - "create": false, - "port": 9114, - "secret": "", - "scheme": "http" - }, - "nginxServiceMesh": { - "enable": false, - "enableEgress": false - }, - "nginxAgent": { - "enable": false, - "instanceGroup": "", - "logLevel": "error", - "syslog": { - "host": "127.0.0.1", - "port": 1514 - }, - "napMonitoring": { - "collectorBufferSize": 50000, - "processorBufferSize": 50000 - }, - "instanceManager": { - "host": "", - "grpcPort": 443, - "sni": "", - "tls": { - "enabled": true, - "skipVerify": false, - "secret": "", - "caSecret": "" - } - }, - "customConfigMap": "" - } - } - ] -} diff --git a/nginx-ingress/values.yaml b/nginx-ingress/values.yaml deleted file mode 100644 index 48bf04d894..0000000000 --- a/nginx-ingress/values.yaml +++ /dev/null @@ -1,691 +0,0 @@ -controller: - ## The name of the Ingress Controller daemonset or deployment. - name: controller - - ## The kind of the Ingress Controller installation - deployment or daemonset. - kind: deployment - - ## The selectorLabels used to override the default values. - selectorLabels: {} - - ## Annotations for deployments and daemonsets - annotations: {} - - ## Deploys the Ingress Controller for NGINX Plus. - nginxplus: false - - ## Configures NGINX mgmt block for NGINX Plus - mgmt: - ## Secret name of license token for NGINX Plus - licenseTokenSecretName: "license-token" # required for NGINX Plus - - ## Enables the 180-day grace period for sending the initial usage report - # enforceInitialReport: false - - # usageReport: - # endpoint: "product.connect.nginx.com" # Endpoint for usage report - # interval: 1h - # proxyHost: "proxy.example.com:3138" # Proxy server for usage report, with optional port - # proxyCredentialsSecretName: "proxy-credentials" # Secret containing proxy credentials, must contain a `username` and `password` field - - ## Configures the ssl_verify directive in the mgmt block - # sslVerify: true - - ## Configures the resolver directive in the mgmt block - # resolver: - # ipv6: true - # valid: 1s - # addresses: - # - kube-dns.kube-system.svc.cluster.local - - ## Secret containing TLS client certificate - # sslCertificateSecretName: ssl-certificate # kubernetes.io/tls secret type - - ## Secret containing trusted CA certificate - # sslTrustedCertificateSecretName: ssl-trusted-cert - - # configMapName allows changing the name of the MGMT config map - # the name should not include a namespace - # configMapName: "" - - - ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. - nginxReloadTimeout: 60000 - - ## Support for App Protect WAF - appprotect: - ## Enable the App Protect WAF module in the Ingress Controller. - enable: false - ## Enables App Protect WAF v5. - v5: false - ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace - # logLevel: fatal - - # Volumes for App Protect WAF v5 - # Required volumes are: app-protect-bd-config, app-protect-config, and app-protect-bundles - volumes: - - name: app-protect-bd-config - emptyDir: {} - - name: app-protect-config - emptyDir: {} - - name: app-protect-bundles - emptyDir: {} - - ## Configuration for App Protect WAF v5 Enforcer - enforcer: - # Host that the App Protect WAF v5 Enforcer runs on. - # This will normally be "127.0.0.1" as the Enforcer container - # will run in the same pod as the Ingress Controller container. - host: "127.0.0.1" - # Port that the App Protect WAF v5 Enforcer runs on. - port: 50000 - image: - ## The image repository of the App Protect WAF v5 Enforcer. - repository: private-registry.nginx.com/nap/waf-enforcer - - ## The tag of the App Protect WAF v5 Enforcer image. - tag: "5.6.0" - ## The digest of the App Protect WAF v5 Enforcer image. - ## If digest is specified it has precedence over tag and will be used instead - # digest: "sha256:CHANGEME" - - ## The pull policy for the App Protect WAF v5 Enforcer image. - pullPolicy: IfNotPresent - securityContext: {} - - ## Configuration for App Protect WAF v5 Configuration Manager - configManager: - image: - ## The image repository of the App Protect WAF v5 Configuration Manager. - repository: private-registry.nginx.com/nap/waf-config-mgr - - ## The tag of the App Protect WAF v5 Configuration Manager image. - tag: "5.6.0" - ## The digest of the App Protect WAF v5 Configuration Manager image. - ## If digest is specified it has precedence over tag and will be used instead - # digest: "sha256:CHANGEME" - - ## The pull policy for the App Protect WAF v5 Configuration Manager image. - pullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - all - - ## Support for App Protect DoS - appprotectdos: - ## Enable the App Protect DoS module in the Ingress Controller. - enable: false - ## Enable debugging for App Protect DoS. - debug: false - ## Max number of nginx processes to support. - maxWorkers: 0 - ## Max number of ADMD instances. - maxDaemons: 0 - ## RAM memory size to consume in MB. - memory: 0 - - ## Enables the Ingress Controller pods to use the host's network namespace. - hostNetwork: false - - ## The hostPort configuration for the Ingress Controller pods. - hostPort: - ## Enables hostPort for the Ingress Controller pods. - enable: false - - ## The HTTP hostPort configuration for the Ingress Controller pods. - http: 80 - - ## The HTTPS hostPort configuration for the Ingress Controller pods. - https: 443 - - containerPort: - ## The HTTP containerPort configuration for the Ingress Controller pods. - http: 80 - - ## The HTTPS containerPort configuration for the Ingress Controller pods. - https: 443 - - ## DNS policy for the Ingress Controller pods - dnsPolicy: ClusterFirst - - ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. - nginxDebug: false - - ## Share process namespace between containers in the Ingress Controller pod. - shareProcessNamespace: false - - ## The log level of the Ingress Controller. Options include: trace, debug, info, warning, error, fatal - logLevel: info - - ## Sets the log format of Ingress Controller. Options include: glog, json, text - logFormat: glog - - ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. - customPorts: [] - - image: - ## The image repository of the Ingress Controller. - repository: nginx/nginx-ingress - - ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "5.0.0" - ## The digest of the Ingress Controller image. - ## If digest is specified it has precedence over tag and will be used instead - # digest: "sha256:CHANGEME" - - ## The pull policy for the Ingress Controller image. - pullPolicy: IfNotPresent - - ## The lifecycle of the Ingress Controller pods. - lifecycle: {} - - ## The custom ConfigMap to use instead of the one provided by default - customConfigMap: "" - - config: - ## The name of the ConfigMap used by the Ingress Controller. - ## Autogenerated if not set or set to "". - # name: nginx-config - - ## The annotations of the Ingress Controller configmap. - annotations: {} - - ## The entries of the ConfigMap for customizing NGINX configuration. - entries: {} - - ## It is recommended to use your own TLS certificates and keys - defaultTLS: - ## The base64-encoded TLS certificate for the default HTTPS server. - ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. - cert: "" - - ## The base64-encoded TLS key for the default HTTPS server. - ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. - key: "" - - ## The secret with a TLS certificate and key for the default HTTPS server. - ## The value must follow the following format: `/`. - ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. - ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. - ## Format: / - secret: "" - - wildcardTLS: - ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. - ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. - cert: "" - - ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. - ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. - key: "" - - ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. - ## The value must follow the following format: `/`. - ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. - ## Format: / - secret: "" - - ## The node selector for pod assignment for the Ingress Controller pods. - # nodeSelector: {} - - ## The termination grace period of the Ingress Controller pod. - terminationGracePeriodSeconds: 30 - - ## HorizontalPodAutoscaling (HPA) - autoscaling: - ## Enables HorizontalPodAutoscaling. - enabled: false - ## The annotations of the Ingress Controller HorizontalPodAutoscaler. - annotations: {} - ## Minimum number of replicas for the HPA. - minReplicas: 1 - ## Maximum number of replicas for the HPA. - maxReplicas: 3 - ## The target cpu utilization percentage. - targetCPUUtilizationPercentage: 50 - ## The target memory utilization percentage. - targetMemoryUtilizationPercentage: 50 - ## Custom behavior policies - behavior: {} - - ## The resources of the Ingress Controller pods. - resources: - requests: - cpu: 100m - memory: 128Mi - # limits: - # cpu: 1 - # memory: 1Gi - - ## The security context for the Ingress Controller pods. - podSecurityContext: - seccompProfile: - type: RuntimeDefault - - ## The security context for the Ingress Controller containers. - securityContext: - {} # Remove curly brackets before adding values - # allowPrivilegeEscalation: true - # readOnlyRootFilesystem: true - # runAsUser: 101 #nginx - # runAsNonRoot: true - # capabilities: - # drop: - # - ALL - # add: - # - NET_BIND_SERVICE - - ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. - initContainerSecurityContext: {} - - ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. - initContainerResources: - requests: - cpu: 100m - memory: 128Mi - # limits: - # cpu: 1 - # memory: 1Gi - - ## The tolerations of the Ingress Controller pods. - tolerations: [] - - ## The affinity of the Ingress Controller pods. - affinity: {} - - ## The topology spread constraints of the Ingress controller pods. - # topologySpreadConstraints: {} - - ## The additional environment variables to be set on the Ingress Controller pods. - env: [] - # - name: MY_VAR - # value: myvalue - - ## The volumes of the Ingress Controller pods. - volumes: [] - # - name: extra-conf - # configMap: - # name: extra-conf - - ## The volumeMounts of the Ingress Controller pods. - volumeMounts: [] - # - name: extra-conf - # mountPath: /etc/nginx/conf.d/extra.conf - # subPath: extra.conf - - ## InitContainers for the Ingress Controller pods. - initContainers: [] - # - name: init-container - # image: busybox:1.34 - # command: ['sh', '-c', 'echo this is initial setup!'] - - ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. - minReadySeconds: 0 - - ## Pod disruption budget for the Ingress Controller pods. - podDisruptionBudget: - ## Enables PodDisruptionBudget. - enabled: false - ## The annotations of the Ingress Controller pod disruption budget. - annotations: {} - ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". - # minAvailable: 1 - ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". - # maxUnavailable: 1 - - ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. - strategy: {} - - ## Extra containers for the Ingress Controller pods. - extraContainers: [] - # - name: container - # image: busybox:1.34 - # command: ['sh', '-c', 'echo this is a sidecar!'] - - ## The number of replicas of the Ingress Controller deployment. - replicaCount: 1 - - ## Configures the ingress class the Ingress Controller uses. - ingressClass: - ## A class of the Ingress Controller. - - ## IngressClass resource with the name equal to the class must be deployed. Otherwise, - ## the Ingress Controller will fail to start. - ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. - - ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. - name: nginx - - ## Creates a new IngressClass object with the name "controller.ingressClass.name". To use an existing IngressClass with the same name, set this value to false. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. - create: true - - ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". - setAsDefaultIngress: false - - ## Comma separated list of namespaces to watch for Ingress resources. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". - watchNamespace: "" - - ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". - watchNamespaceLabel: "" - - ## Comma separated list of namespaces to watch for Secret resources. By default, the Ingress Controller watches all namespaces. - watchSecretNamespace: "" - - ## Enable the custom resources. - enableCustomResources: true - - ## Enable OIDC policies. - enableOIDC: false - - ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. - enableTLSPassthrough: false - - ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. - tlsPassthroughPort: 443 - - ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. - enableCertManager: false - - ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. - enableExternalDNS: false - - globalConfiguration: - ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. - create: false - - ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. - spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. - # listeners: - # - name: dns-udp - # port: 5353 - # protocol: UDP - # - name: dns-tcp - # port: 5353 - # protocol: TCP - - ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. - enableSnippets: false - - ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. - ## Useful for external health-checking of the Ingress Controller. - healthStatus: false - - ## Sets the URI of health status location in the default server. Requires controller.healthStatus. - healthStatusURI: "/nginx-health" - - nginxStatus: - ## Enable the NGINX stub_status, or the NGINX Plus API. - enable: true - - ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. - port: 8080 - - ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. - allowCidrs: "127.0.0.1" - - service: - ## Creates a service to expose the Ingress Controller pods. - create: true - - ## The type of service to create for the Ingress Controller. - type: LoadBalancer - - ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. - externalTrafficPolicy: Local - - ## The annotations of the Ingress Controller service. - annotations: {} - - ## The extra labels of the service. - extraLabels: {} - - ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. - loadBalancerIP: "" - - ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. - clusterIP: "" - - ## The list of external IPs for the Ingress Controller service. - externalIPs: [] - - ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. - loadBalancerSourceRanges: [] - - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - - ## Dual stack preference. - ## Valid values: SingleStack, PreferDualStack, RequireDualStack - # ipFamilyPolicy: SingleStack - - ## List of IP families assigned to this service. - ## Valid values: IPv4, IPv6 - # ipFamilies: - # - IPv6 - - httpPort: - ## Enables the HTTP port for the Ingress Controller service. - enable: true - - ## The HTTP port of the Ingress Controller service. - port: 80 - - ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort or LoadBalancer. - # nodePort: 80 - - ## The HTTP port on the POD where the Ingress Controller service is running. - targetPort: 80 - - ## The name of the HTTP port. - name: "http" - - httpsPort: - ## Enables the HTTPS port for the Ingress Controller service. - enable: true - - ## The HTTPS port of the Ingress Controller service. - port: 443 - - ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort or LoadBalancer. - # nodePort: 443 - - ## The HTTPS port on the POD where the Ingress Controller service is running. - targetPort: 443 - - ## The name of the HTTPS port. - name: "https" - - ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. - customPorts: [] - - serviceAccount: - ## The annotations of the service account of the Ingress Controller pods. - annotations: {} - - ## The name of the service account of the Ingress Controller pods. Used for RBAC. - ## Autogenerated if not set or set to "". - # name: nginx-ingress - - ## The name of the secret containing docker registry credentials. - ## Secret must exist in the same namespace as the helm release. - imagePullSecretName: "" - - ## A list of secret names containing docker registry credentials. - ## Secrets must exist in the same namespace as the helm release. - imagePullSecretsNames: [] - - reportIngressStatus: - ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. - ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, - ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. - ## Note: controller.config.entries.external-status-address takes precedence over the others. - enable: true - - ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. - ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. - ## controller.reportIngressStatus.enable must be set to true. - ## The default is autogenerated and matches the created service (see controller.service.create). - # externalService: nginx-ingress - - ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. - ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. - ## controller.reportIngressStatus.enable must be set to true. - ingressLink: "" - - ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. - enableLeaderElection: true - - ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. - ## The default is autogenerated. - leaderElectionLockName: "" - - ## The annotations of the leader election Lease. - annotations: {} - - pod: - ## The annotations of the Ingress Controller pod. - annotations: {} - - ## The additional extra labels of the Ingress Controller pod. - extraLabels: {} - - ## The PriorityClass of the Ingress Controller pods. - # priorityClassName: "" - - readyStatus: - ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. - enable: true - - ## Set the port where the readiness endpoint is exposed. - port: 8081 - - ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. - initialDelaySeconds: 0 - - ## Enable collection of latency metrics for upstreams. Requires prometheus.create. - enableLatencyMetrics: false - - ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. - disableIPV6: false - - ## Sets the port for the HTTP `default_server` listener. - defaultHTTPListenerPort: 80 - - ## Sets the port for the HTTPS `default_server` listener. - defaultHTTPSListenerPort: 443 - - ## Configure root filesystem as read-only and add volumes for temporary data. - ## Three major releases after 3.5.x this argument will be moved to the `securityContext` section. - ## This value will not be used if `controller.securityContext` is set - readOnlyRootFilesystem: false - - ## Enable dynamic reloading of certificates - enableSSLDynamicReload: true - - ## Configure telemetry reporting options - telemetryReporting: - ## Enable telemetry reporting - enable: true - - ## Allows weight adjustments without reloading the NGINX Configuration for two-way splits in NGINX Plus. - ## May require increasing map_hash_bucket_size, map_hash_max_size, - ## variable_hash_bucket_size, and variable_hash_max_size in the ConfigMap based on the number of two-way splits. - enableWeightChangesDynamicReload: false - -rbac: - ## Configures RBAC. - create: true - - clusterrole: - ## Create ClusterRole - create: true - -prometheus: - ## Expose NGINX or NGINX Plus metrics in the Prometheus format. - create: true - - ## Configures the port to scrape the metrics. - port: 9113 - - ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. - secret: "" - - ## Configures the HTTP scheme used. - scheme: http - - service: - ## Creates a ClusterIP Service to expose Prometheus metrics internally - ## Requires prometheus.create=true - create: false - - labels: - service: "nginx-ingress-prometheus-service" - - serviceMonitor: - ## Creates a serviceMonitor to expose statistics on the kubernetes pods. - create: false - - ## Kubernetes object labels to attach to the serviceMonitor object. - labels: {} - - ## A set of labels to allow the selection of endpoints for the ServiceMonitor. - selectorMatchLabels: - service: "nginx-ingress-prometheus-service" - - ## A list of endpoints allowed as part of this ServiceMonitor. - ## Matches on the name of a Service port. - endpoints: - - port: prometheus - -serviceInsight: - ## Expose NGINX Plus Service Insight endpoint. - create: false - - ## Configures the port to expose endpoint. - port: 9114 - - ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. - secret: "" - - ## Configures the HTTP scheme used. - scheme: http - -nginxServiceMesh: - ## Enables integration with NGINX Service Mesh. - enable: false - - ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. - ## Requires nginxServiceMesh.enable - enableEgress: false - -nginxAgent: - ## Enables NGINX Agent. - enable: false - ## If nginxAgent.instanceGroup is not set the value of nginx-ingress.controller.fullname will be used - instanceGroup: "" - logLevel: "error" - ## Syslog listener which NGINX Agent uses to accept messages from App Protect WAF - syslog: - host: "127.0.0.1" - port: 1514 - napMonitoring: - collectorBufferSize: 50000 - processorBufferSize: 50000 - instanceManager: - # FQDN or IP for connecting to NGINX Instance Manager, e.g. nim.example.com - host: "" - grpcPort: 443 - sni: "" - tls: - enabled: true - skipVerify: false - ## kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager - secret: "" - ## nginx.org/ca secret for verification of Instance Manager TLS - caSecret: "" - ## The name of a custom ConfigMap to use instead of the one provided by default - customConfigMap: "" diff --git a/pkg/apis/configuration/validation/common.go b/pkg/apis/configuration/validation/common.go index ab0d3a59ef..10ba10e399 100644 --- a/pkg/apis/configuration/validation/common.go +++ b/pkg/apis/configuration/validation/common.go @@ -38,7 +38,7 @@ func validateVariable(nVar string, validVars map[string]bool, fieldPath *field.P // isValidSpecialHeaderLikeVariable validates special variables $http_, $jwt_header_, $jwt_claim_ func isValidSpecialHeaderLikeVariable(value string) []string { // underscores in a header-like variable represent '-'. - errMsgs := validation.IsHTTPHeaderName(strings.ReplaceAll(value, "_", "-")) + errMsgs := validation.IsHTTPHeaderName(strings.Replace(value, "_", "-", -1)) if len(errMsgs) >= 1 || strings.Contains(value, "-") { return []string{"a valid special variable must consists of alphanumeric characters or '_'"} } diff --git a/pkg/apis/externaldns/validation/externaldns.go b/pkg/apis/externaldns/validation/externaldns.go index da27da6756..bcfd81556f 100644 --- a/pkg/apis/externaldns/validation/externaldns.go +++ b/pkg/apis/externaldns/validation/externaldns.go @@ -53,7 +53,7 @@ func validateTargets(targets v1.Targets) error { switch { case strings.Contains(target, ":"): if errMsg := validation.IsValidIPForLegacyField(field.NewPath(""), target, false, nil); len(errMsg) > 0 { - return fmt.Errorf("%w: target %q is invalid: %w", ErrTypeInvalid, target, errMsg[0]) + return fmt.Errorf("%w: target %q is invalid: %s", ErrTypeInvalid, target, errMsg[0]) } default: if err := isFullyQualifiedDomainName(target); err != nil { diff --git a/release_notes.json b/release_notes.json deleted file mode 100644 index affc9ca004..0000000000 --- a/release_notes.json +++ /dev/null @@ -1,1623 +0,0 @@ -{ - "Miscellaneous": [ - { - "title": "PR #1373", - "number": 1373, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1373" - }, - { - "title": "PR #1439", - "number": 1439, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1439" - }, - { - "title": "PR #1440", - "number": 1440, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1440" - }, - { - "title": "PR #1304", - "number": 1304, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1304" - }, - { - "title": "PR #1281", - "number": 1281, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1281" - }, - { - "title": "PR #1290", - "number": 1290, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1290" - }, - { - "title": "PR #1232", - "number": 1232, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1232" - }, - { - "title": "PR #1228", - "number": 1228, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1228" - }, - { - "title": "PR #1299", - "number": 1299, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1299" - }, - { - "title": "PR #1291", - "number": 1291, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1291" - }, - { - "title": "PR #1290", - "number": 1290, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1290" - }, - { - "title": "PR #1225", - "number": 1225, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1225" - }, - { - "title": "PR #1237", - "number": 1237, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1237" - }, - { - "title": "PR #1270", - "number": 1270, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1270" - }, - { - "title": "PR #1277", - "number": 1277, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1277" - }, - { - "title": "PR #1232", - "number": 1232, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1232" - }, - { - "title": "PR #1225", - "number": 1225, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1225" - }, - { - "title": "PR #1180", - "number": 1180, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1180" - }, - { - "title": "PR #1166", - "number": 1166, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1166" - }, - { - "title": "PR #1154", - "number": 1154, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1154" - }, - { - "title": "PR #1120", - "number": 1120, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1120" - }, - { - "title": "PR #1058", - "number": 1058, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1058" - }, - { - "title": "PR #1147", - "number": 1147, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1147" - }, - { - "title": "PR #1131", - "number": 1131, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1131" - }, - { - "title": "PR #1100", - "number": 1100, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1100" - }, - { - "title": "PR #1085", - "number": 1085, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1085" - }, - { - "title": "PR #1105", - "number": 1105, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1105" - }, - { - "title": "PR #1133", - "number": 1133, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1133" - }, - { - "title": "PR #1148", - "number": 1148, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1148" - }, - { - "title": "PR #1182", - "number": 1182, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1182" - }, - { - "title": "PR #1036", - "number": 1036, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1036" - }, - { - "title": "PR #1028", - "number": 1028, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1028" - }, - { - "title": "PR #1019", - "number": 1019, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1019" - }, - { - "title": "PR #1006", - "number": 1006, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1006" - }, - { - "title": "PR #994", - "number": 994, - "url": "https://github.com/nginx/kubernetes-ingress/pull/994" - }, - { - "title": "PR #973", - "number": 973, - "url": "https://github.com/nginx/kubernetes-ingress/pull/973" - }, - { - "title": "PR #1035", - "number": 1035, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1035" - }, - { - "title": "PR #1034", - "number": 1034, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1034" - }, - { - "title": "PR #1029", - "number": 1029, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" - }, - { - "title": "PR #1003", - "number": 1003, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1003" - }, - { - "title": "PR #1047", - "number": 1047, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1047" - }, - { - "title": "PR #1009", - "number": 1009, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1009" - }, - { - "title": "PR #1029", - "number": 1029, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" - }, - { - "title": "PR #980", - "number": 980, - "url": "https://github.com/nginx/kubernetes-ingress/pull/980" - }, - { - "title": "PR #868", - "number": 868, - "url": "https://github.com/nginx/kubernetes-ingress/pull/868" - }, - { - "title": "PR #847", - "number": 847, - "url": "https://github.com/nginx/kubernetes-ingress/pull/847" - }, - { - "title": "PR #921", - "number": 921, - "url": "https://github.com/nginx/kubernetes-ingress/pull/921" - }, - { - "title": "PR #878", - "number": 878, - "url": "https://github.com/nginx/kubernetes-ingress/pull/878" - }, - { - "title": "PR #807", - "number": 807, - "url": "https://github.com/nginx/kubernetes-ingress/pull/807" - }, - { - "title": "PR #854", - "number": 854, - "url": "https://github.com/nginx/kubernetes-ingress/pull/854" - }, - { - "title": "PR #852", - "number": 852, - "url": "https://github.com/nginx/kubernetes-ingress/pull/852" - }, - { - "title": "PR #847", - "number": 847, - "url": "https://github.com/nginx/kubernetes-ingress/pull/847" - }, - { - "title": "PR #827", - "number": 827, - "url": "https://github.com/nginx/kubernetes-ingress/pull/827" - }, - { - "title": "PR #825", - "number": 825, - "url": "https://github.com/nginx/kubernetes-ingress/pull/825" - }, - { - "title": "PR #780", - "number": 780, - "url": "https://github.com/nginx/kubernetes-ingress/pull/780" - }, - { - "title": "PR #778", - "number": 778, - "url": "https://github.com/nginx/kubernetes-ingress/pull/778" - }, - { - "title": "PR #766", - "number": 766, - "url": "https://github.com/nginx/kubernetes-ingress/pull/766" - }, - { - "title": "PR #748", - "number": 748, - "url": "https://github.com/nginx/kubernetes-ingress/pull/748" - }, - { - "title": "PR #745", - "number": 745, - "url": "https://github.com/nginx/kubernetes-ingress/pull/745" - }, - { - "title": "PR #728", - "number": 728, - "url": "https://github.com/nginx/kubernetes-ingress/pull/728" - }, - { - "title": "PR #724", - "number": 724, - "url": "https://github.com/nginx/kubernetes-ingress/pull/724" - }, - { - "title": "PR #712", - "number": 712, - "url": "https://github.com/nginx/kubernetes-ingress/pull/712" - }, - { - "title": "PR #707", - "number": 707, - "url": "https://github.com/nginx/kubernetes-ingress/pull/707" - }, - { - "title": "PR #701", - "number": 701, - "url": "https://github.com/nginx/kubernetes-ingress/pull/701" - }, - { - "title": "PR #693", - "number": 693, - "url": "https://github.com/nginx/kubernetes-ingress/pull/693" - }, - { - "title": "PR #670", - "number": 670, - "url": "https://github.com/nginx/kubernetes-ingress/pull/670" - }, - { - "title": "PR #660", - "number": 660, - "url": "https://github.com/nginx/kubernetes-ingress/pull/660" - }, - { - "title": "PR #659", - "number": 659, - "url": "https://github.com/nginx/kubernetes-ingress/pull/659" - }, - { - "title": "PR #655", - "number": 655, - "url": "https://github.com/nginx/kubernetes-ingress/pull/655" - }, - { - "title": "PR #653", - "number": 653, - "url": "https://github.com/nginx/kubernetes-ingress/pull/653" - }, - { - "title": "PR #641", - "number": 641, - "url": "https://github.com/nginx/kubernetes-ingress/pull/641" - }, - { - "title": "PR #635", - "number": 635, - "url": "https://github.com/nginx/kubernetes-ingress/pull/635" - }, - { - "title": "PR #634", - "number": 634, - "url": "https://github.com/nginx/kubernetes-ingress/pull/634" - }, - { - "title": "PR #628", - "number": 628, - "url": "https://github.com/nginx/kubernetes-ingress/pull/628" - }, - { - "title": "PR #621", - "number": 621, - "url": "https://github.com/nginx/kubernetes-ingress/pull/621" - }, - { - "title": "PR #617", - "number": 617, - "url": "https://github.com/nginx/kubernetes-ingress/pull/617" - }, - { - "title": "PR #612", - "number": 612, - "url": "https://github.com/nginx/kubernetes-ingress/pull/612" - }, - { - "title": "PR #607", - "number": 607, - "url": "https://github.com/nginx/kubernetes-ingress/pull/607" - }, - { - "title": "PR #596", - "number": 596, - "url": "https://github.com/nginx/kubernetes-ingress/pull/596" - }, - { - "title": "PR #750", - "number": 750, - "url": "https://github.com/nginx/kubernetes-ingress/pull/750" - }, - { - "title": "PR #636", - "number": 636, - "url": "https://github.com/nginx/kubernetes-ingress/pull/636" - }, - { - "title": "PR #600", - "number": 600, - "url": "https://github.com/nginx/kubernetes-ingress/pull/600" - }, - { - "title": "PR #581", - "number": 581, - "url": "https://github.com/nginx/kubernetes-ingress/pull/581" - }, - { - "title": "PR #722", - "number": 722, - "url": "https://github.com/nginx/kubernetes-ingress/pull/722" - }, - { - "title": "PR #573", - "number": 573, - "url": "https://github.com/nginx/kubernetes-ingress/pull/573" - }, - { - "title": "PR #799", - "number": 779, - "url": "https://github.com/nginx/kubernetes-ingress/pull/779" - }, - { - "title": "PR #772", - "number": 772, - "url": "https://github.com/nginx/kubernetes-ingress/pull/772" - }, - { - "title": "PR #748", - "number": 748, - "url": "https://github.com/nginx/kubernetes-ingress/pull/748" - }, - { - "title": "PR #745", - "number": 745, - "url": "https://github.com/nginx/kubernetes-ingress/pull/745" - }, - { - "title": "PR #710", - "number": 710, - "url": "https://github.com/nginx/kubernetes-ingress/pull/710" - }, - { - "title": "PR #603", - "number": 603, - "url": "https://github.com/nginx/kubernetes-ingress/pull/603" - }, - { - "title": "PR #593", - "number": 593, - "url": "https://github.com/nginx/kubernetes-ingress/pull/593" - }, - { - "title": "PR #593", - "number": 593, - "url": "https://github.com/nginx/kubernetes-ingress/pull/593" - }, - { - "title": "PR #562", - "number": 562, - "url": "https://github.com/nginx/kubernetes-ingress/pull/562" - }, - { - "title": "PR #561", - "number": 561, - "url": "https://github.com/nginx/kubernetes-ingress/pull/561" - }, - { - "title": "PR #553", - "number": 553, - "url": "https://github.com/nginx/kubernetes-ingress/pull/553" - }, - { - "title": "PR #534", - "number": 534, - "url": "https://github.com/nginx/kubernetes-ingress/pull/534" - }, - { - "title": "PR #479", - "number": 479, - "url": "https://github.com/nginx/kubernetes-ingress/pull/479" - }, - { - "title": "PR #468", - "number": 468, - "url": "https://github.com/nginx/kubernetes-ingress/pull/468" - }, - { - "title": "PR #456", - "number": 456, - "url": "https://github.com/nginx/kubernetes-ingress/pull/456" - }, - { - "title": "PR #546", - "number": 546, - "url": "https://github.com/nginx/kubernetes-ingress/pull/546" - }, - { - "title": "PR #542", - "number": 542, - "url": "https://github.com/nginx/kubernetes-ingress/pull/542" - }, - { - "title": "PR #430", - "number": 430, - "url": "https://github.com/nginx/kubernetes-ingress/pull/430" - }, - { - "title": "PR #420", - "number": 420, - "url": "https://github.com/nginx/kubernetes-ingress/pull/420" - }, - { - "title": "PR #398", - "number": 398, - "url": "https://github.com/nginx/kubernetes-ingress/pull/398" - }, - { - "title": "PR #393", - "number": 393, - "url": "https://github.com/nginx/kubernetes-ingress/pull/393" - }, - { - "title": "PR #390", - "number": 390, - "url": "https://github.com/nginx/kubernetes-ingress/pull/390" - }, - { - "title": "PR #377", - "number": 377, - "url": "https://github.com/nginx/kubernetes-ingress/pull/377" - }, - { - "title": "PR #335", - "number": 335, - "url": "https://github.com/nginx/kubernetes-ingress/pull/335" - }, - { - "title": "PR #430", - "number": 430, - "url": "https://github.com/nginx/kubernetes-ingress/pull/430" - }, - { - "title": "PR #399", - "number": 399, - "url": "https://github.com/nginx/kubernetes-ingress/pull/399" - }, - { - "title": "PR #357", - "number": 357, - "url": "https://github.com/nginx/kubernetes-ingress/pull/357" - }, - { - "title": "PR #347", - "number": 347, - "url": "https://github.com/nginx/kubernetes-ingress/pull/347" - }, - { - "title": "PR #391", - "number": 391, - "url": "https://github.com/nginx/kubernetes-ingress/pull/391" - }, - { - "title": "PR #344", - "number": 344, - "url": "https://github.com/nginx/kubernetes-ingress/pull/344" - }, - { - "title": "PR #435", - "number": 435, - "url": "https://github.com/nginx/kubernetes-ingress/pull/435" - }, - { - "title": "PR #433", - "number": 433, - "url": "https://github.com/nginx/kubernetes-ingress/pull/433" - }, - { - "title": "PR #432", - "number": 432, - "url": "https://github.com/nginx/kubernetes-ingress/pull/432" - }, - { - "title": "PR #418", - "number": 418, - "url": "https://github.com/nginx/kubernetes-ingress/pull/418" - }, - { - "title": "PR #406", - "number": 406, - "url": "https://github.com/nginx/kubernetes-ingress/pull/406" - }, - { - "title": "PR #381", - "number": 381, - "url": "https://github.com/nginx/kubernetes-ingress/pull/381" - }, - { - "title": "PR #349", - "number": 349, - "url": "https://github.com/nginx/kubernetes-ingress/pull/349" - }, - { - "title": "PR #343", - "number": 343, - "url": "https://github.com/nginx/kubernetes-ingress/pull/343" - }, - { - "title": "PR #330", - "number": 330, - "url": "https://github.com/nginx/kubernetes-ingress/pull/330" - }, - { - "title": "PR #329", - "number": 329, - "url": "https://github.com/nginx/kubernetes-ingress/pull/329" - }, - { - "title": "PR #279", - "number": 279, - "url": "https://github.com/nginx/kubernetes-ingress/pull/279" - }, - { - "title": "PR #278", - "number": 278, - "url": "https://github.com/nginx/kubernetes-ingress/pull/278" - }, - { - "title": "PR #277", - "number": 277, - "url": "https://github.com/nginx/kubernetes-ingress/pull/277" - }, - { - "title": "PR #276", - "number": 276, - "url": "https://github.com/nginx/kubernetes-ingress/pull/276" - }, - { - "title": "PR #274", - "number": 274, - "url": "https://github.com/nginx/kubernetes-ingress/pull/274" - }, - { - "title": "PR #272", - "number": 272, - "url": "https://github.com/nginx/kubernetes-ingress/pull/272" - }, - { - "title": "PR #268", - "number": 268, - "url": "https://github.com/nginx/kubernetes-ingress/pull/268" - }, - { - "title": "PR #266", - "number": 266, - "url": "https://github.com/nginx/kubernetes-ingress/pull/266" - }, - { - "title": "PR #261", - "number": 261, - "url": "https://github.com/nginx/kubernetes-ingress/pull/261" - }, - { - "title": "PR #258", - "number": 258, - "url": "https://github.com/nginx/kubernetes-ingress/pull/258" - }, - { - "title": "PR #256", - "number": 256, - "url": "https://github.com/nginx/kubernetes-ingress/pull/256" - }, - { - "title": "PR #249", - "number": 249, - "url": "https://github.com/nginx/kubernetes-ingress/pull/249" - }, - { - "title": "PR #241", - "number": 241, - "url": "https://github.com/nginx/kubernetes-ingress/pull/241" - }, - { - "title": "PR #240", - "number": 240, - "url": "https://github.com/nginx/kubernetes-ingress/pull/240" - }, - { - "title": "PR #239", - "number": 239, - "url": "https://github.com/nginx/kubernetes-ingress/pull/239" - }, - { - "title": "PR #238", - "number": 238, - "url": "https://github.com/nginx/kubernetes-ingress/pull/238" - }, - { - "title": "PR #237", - "number": 237, - "url": "https://github.com/nginx/kubernetes-ingress/pull/237" - }, - { - "title": "PR #236", - "number": 236, - "url": "https://github.com/nginx/kubernetes-ingress/pull/236" - }, - { - "title": "PR #235", - "number": 235, - "url": "https://github.com/nginx/kubernetes-ingress/pull/235" - }, - { - "title": "PR #234", - "number": 234, - "url": "https://github.com/nginx/kubernetes-ingress/pull/234" - }, - { - "title": "PR #233", - "number": 233, - "url": "https://github.com/nginx/kubernetes-ingress/pull/233" - }, - { - "title": "PR #231", - "number": 231, - "url": "https://github.com/nginx/kubernetes-ingress/pull/231" - }, - { - "title": "PR #248", - "number": 248, - "url": "https://github.com/nginx/kubernetes-ingress/pull/248" - }, - { - "title": "PR #252", - "number": 252, - "url": "https://github.com/nginx/kubernetes-ingress/pull/252" - }, - { - "title": "PR #270", - "number": 270, - "url": "https://github.com/nginx/kubernetes-ingress/pull/270" - }, - { - "title": "PR #228", - "number": 228, - "url": "https://github.com/nginx/kubernetes-ingress/pull/228" - }, - { - "title": "PR #223", - "number": 223, - "url": "https://github.com/nginx/kubernetes-ingress/pull/223" - }, - { - "title": "PR #221", - "number": 221, - "url": "https://github.com/nginx/kubernetes-ingress/pull/221" - }, - { - "title": "PR #220", - "number": 220, - "url": "https://github.com/nginx/kubernetes-ingress/pull/220" - }, - { - "title": "PR #213", - "number": 213, - "url": "https://github.com/nginx/kubernetes-ingress/pull/213" - }, - { - "title": "PR #211", - "number": 211, - "url": "https://github.com/nginx/kubernetes-ingress/pull/211" - }, - { - "title": "PR #208", - "number": 208, - "url": "https://github.com/nginx/kubernetes-ingress/pull/208" - }, - { - "title": "PR #199", - "number": 199, - "url": "https://github.com/nginx/kubernetes-ingress/pull/199" - }, - { - "title": "PR #194", - "number": 194, - "url": "https://github.com/nginx/kubernetes-ingress/pull/194" - }, - { - "title": "PR #193", - "number": 193, - "url": "https://github.com/nginx/kubernetes-ingress/pull/193" - }, - { - "title": "PR #192", - "number": 192, - "url": "https://github.com/nginx/kubernetes-ingress/pull/192" - }, - { - "title": "PR #186", - "number": 186, - "url": "https://github.com/nginx/kubernetes-ingress/pull/186" - }, - { - "title": "PR #184", - "number": 184, - "url": "https://github.com/nginx/kubernetes-ingress/pull/184" - }, - { - "title": "PR #175", - "number": 175, - "url": "https://github.com/nginx/kubernetes-ingress/pull/175" - }, - { - "title": "PR #171", - "number": 171, - "url": "https://github.com/nginx/kubernetes-ingress/pull/171" - }, - { - "title": "PR #170", - "number": 170, - "url": "https://github.com/nginx/kubernetes-ingress/pull/170" - }, - { - "title": "PR #169", - "number": 169, - "url": "https://github.com/nginx/kubernetes-ingress/pull/169" - }, - { - "title": "PR #168", - "number": 168, - "url": "https://github.com/nginx/kubernetes-ingress/pull/168" - }, - { - "title": "PR #166", - "number": 166, - "url": "https://github.com/nginx/kubernetes-ingress/pull/166" - }, - { - "title": "PR #160", - "number": 160, - "url": "https://github.com/nginx/kubernetes-ingress/pull/160" - }, - { - "title": "PR #157", - "number": 157, - "url": "https://github.com/nginx/kubernetes-ingress/pull/157" - }, - { - "title": "PR #156", - "number": 156, - "url": "https://github.com/nginx/kubernetes-ingress/pull/156" - }, - { - "title": "PR #155", - "number": 155, - "url": "https://github.com/nginx/kubernetes-ingress/pull/155" - }, - { - "title": "PR #154", - "number": 154, - "url": "https://github.com/nginx/kubernetes-ingress/pull/154" - }, - { - "title": "PR #151", - "number": 151, - "url": "https://github.com/nginx/kubernetes-ingress/pull/151" - }, - { - "title": "PR #146", - "number": 146, - "url": "https://github.com/nginx/kubernetes-ingress/pull/146" - }, - { - "title": "PR #141", - "number": 141, - "url": "https://github.com/nginx/kubernetes-ingress/pull/141" - }, - { - "title": "PR #140", - "number": 140, - "url": "https://github.com/nginx/kubernetes-ingress/pull/140" - }, - { - "title": "PR #117", - "number": 117, - "url": "https://github.com/nginx/kubernetes-ingress/pull/117" - }, - { - "title": "PR #116", - "number": 116, - "url": "https://github.com/nginx/kubernetes-ingress/pull/116" - }, - { - "title": "PR #113", - "number": 113, - "url": "https://github.com/nginx/kubernetes-ingress/pull/113" - }, - { - "title": "PR #108", - "number": 108, - "url": "https://github.com/nginx/kubernetes-ingress/pull/108" - }, - { - "title": "PR #103", - "number": 103, - "url": "https://github.com/nginx/kubernetes-ingress/pull/103" - }, - { - "title": "PR #100", - "number": 100, - "url": "https://github.com/nginx/kubernetes-ingress/pull/100" - }, - { - "title": "PR #95", - "number": 95, - "url": "https://github.com/nginx/kubernetes-ingress/pull/95" - }, - { - "title": "PR #93", - "number": 93, - "url": "https://github.com/nginx/kubernetes-ingress/pull/93" - }, - { - "title": "PR #91", - "number": 91, - "url": "https://github.com/nginx/kubernetes-ingress/pull/91" - }, - { - "title": "PR #88", - "number": 88, - "url": "https://github.com/nginx/kubernetes-ingress/pull/88" - }, - { - "title": "PR #85", - "number": 85, - "url": "https://github.com/nginx/kubernetes-ingress/pull/85" - }, - { - "title": "PR #84", - "number": 84, - "url": "https://github.com/nginx/kubernetes-ingress/pull/84" - }, - { - "title": "PR #81", - "number": 81, - "url": "https://github.com/nginx/kubernetes-ingress/pull/81" - }, - { - "title": "PR #75", - "number": 75, - "url": "https://github.com/nginx/kubernetes-ingress/pull/75" - }, - { - "title": "PR #74", - "number": 74, - "url": "https://github.com/nginx/kubernetes-ingress/pull/74" - }, - { - "title": "PR #70", - "number": 70, - "url": "https://github.com/nginx/kubernetes-ingress/pull/70" - }, - { - "title": "PR #68", - "number": 68, - "url": "https://github.com/nginx/kubernetes-ingress/pull/68" - }, - { - "title": "PR #66", - "number": 66, - "url": "https://github.com/nginx/kubernetes-ingress/pull/66" - }, - { - "title": "PR #65", - "number": 65, - "url": "https://github.com/nginx/kubernetes-ingress/pull/65" - }, - { - "title": "PR #64", - "number": 64, - "url": "https://github.com/nginx/kubernetes-ingress/pull/64" - }, - { - "title": "PR #62", - "number": 62, - "url": "https://github.com/nginx/kubernetes-ingress/pull/62" - }, - { - "title": "PR #54", - "number": 54, - "url": "https://github.com/nginx/kubernetes-ingress/pull/54" - }, - { - "title": "PR #55", - "number": 55, - "url": "https://github.com/nginx/kubernetes-ingress/pull/55" - }, - { - "title": "PR #58", - "number": 58, - "url": "https://github.com/nginx/kubernetes-ingress/pull/58" - } - ], - "Enhancements": [ - { - "title": "PR #1266", - "number": 1266, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1266" - }, - { - "title": "PR #1233", - "number": 1233, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1233" - }, - { - "title": "PR #1231", - "number": 1231, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1231" - }, - { - "title": "PR #1270", - "number": 1270, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1270" - }, - { - "title": "PR #1277", - "number": 1277, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1277" - }, - { - "title": "PR #1265", - "number": 1265, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1265" - }, - { - "title": "PR #1262", - "number": 1262, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1262" - }, - { - "title": "PR #1263", - "number": 1263, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1263" - }, - { - "title": "PR #1264", - "number": 1264, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1264" - }, - { - "title": "PR #1256", - "number": 1256, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1256" - }, - { - "title": "PR #1260", - "number": 1260, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1260" - }, - { - "title": "PR #1240", - "number": 1240, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1240" - }, - { - "title": "PR #1235", - "number": 1235, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1235" - }, - { - "title": "PR #1282", - "number": 1282, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1282" - }, - { - "title": "PR #1293", - "number": 1293, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1293" - }, - { - "title": "PR #1303", - "number": 1303, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1303" - }, - { - "title": "PR #1315", - "number": 1315, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1315" - }, - { - "title": "PR #1133", - "number": 1133, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1133" - }, - { - "title": "PR #1130", - "number": 1130, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1130" - }, - { - "title": "PR #1076", - "number": 1076, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1076" - }, - { - "title": "PR #1075", - "number": 1075, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1075" - }, - { - "title": "PR #1178", - "number": 1178, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1178" - }, - { - "title": "PR #1158", - "number": 1158, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1158" - }, - { - "title": "PR #1137", - "number": 1137, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1137" - }, - { - "title": "PR #1107", - "number": 1107, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1107" - }, - { - "title": "PR #1099", - "number": 1099, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1099" - }, - { - "title": "PR #1088", - "number": 1088, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1088" - }, - { - "title": "PR #1080", - "number": 1080, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1080" - }, - { - "title": "PR #1078", - "number": 1078, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1078" - }, - { - "title": "PR #1083", - "number": 1083, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1083" - }, - { - "title": "PR #1092", - "number": 1092, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1092" - }, - { - "title": "PR #1089", - "number": 1089, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1089" - }, - { - "title": "PR #1174", - "number": 1174, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1174" - }, - { - "title": "PR #1175", - "number": 1175, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1175" - }, - { - "title": "PR #1171", - "number": 1171, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1171" - }, - { - "title": "PR #1035", - "number": 1035, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1035" - }, - { - "title": "PR #1029", - "number": 1029, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1029" - }, - { - "title": "PR #995", - "number": 995, - "url": "https://github.com/nginx/kubernetes-ingress/pull/995" - }, - { - "title": "PR #946", - "number": 946, - "url": "https://github.com/nginx/kubernetes-ingress/pull/946" - }, - { - "title": "PR #948", - "number": 948, - "url": "https://github.com/nginx/kubernetes-ingress/pull/948" - }, - { - "title": "PR #972", - "number": 972, - "url": "https://github.com/nginx/kubernetes-ingress/pull/972" - }, - { - "title": "PR #965", - "number": 965, - "url": "https://github.com/nginx/kubernetes-ingress/pull/965" - }, - { - "title": "PR #902", - "number": 902, - "url": "https://github.com/nginx/kubernetes-ingress/pull/902" - }, - { - "title": "PR #894", - "number": 894, - "url": "https://github.com/nginx/kubernetes-ingress/pull/894" - }, - { - "title": "PR #857", - "number": 857, - "url": "https://github.com/nginx/kubernetes-ingress/pull/857" - }, - { - "title": "PR #852", - "number": 852, - "url": "https://github.com/nginx/kubernetes-ingress/pull/852" - }, - { - "title": "PR #845", - "number": 845, - "url": "https://github.com/nginx/kubernetes-ingress/pull/845" - }, - { - "title": "PR #827", - "number": 827, - "url": "https://github.com/nginx/kubernetes-ingress/pull/827" - }, - { - "title": "PR #850", - "number": 850, - "url": "https://github.com/nginx/kubernetes-ingress/pull/850" - }, - { - "title": "PR #832", - "number": 832, - "url": "https://github.com/nginx/kubernetes-ingress/pull/832" - }, - { - "title": "PR #825", - "number": 825, - "url": "https://github.com/nginx/kubernetes-ingress/pull/825" - }, - { - "title": "PR #750", - "number": 750, - "url": "https://github.com/nginx/kubernetes-ingress/pull/750" - }, - { - "title": "PR #691", - "number": 691, - "url": "https://github.com/nginx/kubernetes-ingress/pull/691" - }, - { - "title": "PR #631", - "number": 631, - "url": "https://github.com/nginx/kubernetes-ingress/pull/631" - }, - { - "title": "PR #629", - "number": 629, - "url": "https://github.com/nginx/kubernetes-ingress/pull/629" - }, - { - "title": "PR #616", - "number": 616, - "url": "https://github.com/nginx/kubernetes-ingress/pull/616" - }, - { - "title": "PR #615", - "number": 615, - "url": "https://github.com/nginx/kubernetes-ingress/pull/615" - }, - { - "title": "PR #614", - "number": 614, - "url": "https://github.com/nginx/kubernetes-ingress/pull/614" - }, - { - "title": "PR #678", - "number": 678, - "url": "https://github.com/nginx/kubernetes-ingress/pull/678" - }, - { - "title": "PR #694", - "number": 694, - "url": "https://github.com/nginx/kubernetes-ingress/pull/694" - }, - { - "title": "PR #713", - "number": 713, - "url": "https://github.com/nginx/kubernetes-ingress/pull/713" - }, - { - "title": "PR #560", - "number": 560, - "url": "https://github.com/nginx/kubernetes-ingress/pull/560" - }, - { - "title": "PR #554", - "number": 554, - "url": "https://github.com/nginx/kubernetes-ingress/pull/554" - }, - { - "title": "PR #496", - "number": 496, - "url": "https://github.com/nginx/kubernetes-ingress/pull/496" - }, - { - "title": "PR #485", - "number": 485, - "url": "https://github.com/nginx/kubernetes-ingress/pull/485" - }, - { - "title": "PR #565", - "number": 565, - "url": "https://github.com/nginx/kubernetes-ingress/pull/565" - }, - { - "title": "PR #511", - "number": 511, - "url": "https://github.com/nginx/kubernetes-ingress/pull/511" - }, - { - "title": "PR #504", - "number": 504, - "url": "https://github.com/nginx/kubernetes-ingress/pull/504" - }, - { - "title": "PR #401", - "number": 401, - "url": "https://github.com/nginx/kubernetes-ingress/pull/401" - }, - { - "title": "PR #387", - "number": 387, - "url": "https://github.com/nginx/kubernetes-ingress/pull/387" - }, - { - "title": "PR #376", - "number": 376, - "url": "https://github.com/nginx/kubernetes-ingress/pull/376" - }, - { - "title": "PR #375", - "number": 375, - "url": "https://github.com/nginx/kubernetes-ingress/pull/375" - }, - { - "title": "PR #346", - "number": 346, - "url": "https://github.com/nginx/kubernetes-ingress/pull/346" - }, - { - "title": "PR #344", - "number": 344, - "url": "https://github.com/nginx/kubernetes-ingress/pull/344" - }, - { - "title": "PR #342", - "number": 342, - "url": "https://github.com/nginx/kubernetes-ingress/pull/342" - }, - { - "title": "PR #320", - "number": 340, - "url": "https://github.com/nginx/kubernetes-ingress/pull/340" - }, - { - "title": "PR #434", - "number": 434, - "url": "https://github.com/nginx/kubernetes-ingress/pull/434" - }, - { - "title": "PR #432", - "number": 432, - "url": "https://github.com/nginx/kubernetes-ingress/pull/432" - }, - { - "title": "PR #419", - "number": 419, - "url": "https://github.com/nginx/kubernetes-ingress/pull/419" - }, - { - "title": "PR #403", - "number": 403, - "url": "https://github.com/nginx/kubernetes-ingress/pull/403" - }, - { - "title": "PR #400", - "number": 400, - "url": "https://github.com/nginx/kubernetes-ingress/pull/400" - }, - { - "title": "PR #399", - "number": 399, - "url": "https://github.com/nginx/kubernetes-ingress/pull/399" - }, - { - "title": "PR #391", - "number": 391, - "url": "https://github.com/nginx/kubernetes-ingress/pull/391" - }, - { - "title": "PR #389", - "number": 389, - "url": "https://github.com/nginx/kubernetes-ingress/pull/389" - }, - { - "title": "PR #380", - "number": 380, - "url": "https://github.com/nginx/kubernetes-ingress/pull/380" - }, - { - "title": "PR #362", - "number": 362, - "url": "https://github.com/nginx/kubernetes-ingress/pull/362" - }, - { - "title": "PR #357", - "number": 357, - "url": "https://github.com/nginx/kubernetes-ingress/pull/357" - }, - { - "title": "PR #351", - "number": 351, - "url": "https://github.com/nginx/kubernetes-ingress/pull/351" - }, - { - "title": "PR #325", - "number": 325, - "url": "https://github.com/nginx/kubernetes-ingress/pull/325" - }, - { - "title": "PR #311", - "number": 311, - "url": "https://github.com/nginx/kubernetes-ingress/pull/311" - }, - { - "title": "PR #310", - "number": 310, - "url": "https://github.com/nginx/kubernetes-ingress/pull/310" - }, - { - "title": "PR #308", - "number": 308, - "url": "https://github.com/nginx/kubernetes-ingress/pull/308" - }, - { - "title": "PR #303", - "number": 303, - "url": "https://github.com/nginx/kubernetes-ingress/pull/303" - }, - { - "title": "PR #301", - "number": 301, - "url": "https://github.com/nginx/kubernetes-ingress/pull/301" - }, - { - "title": "PR #298", - "number": 298, - "url": "https://github.com/nginx/kubernetes-ingress/pull/298" - }, - { - "title": "PR #296", - "number": 296, - "url": "https://github.com/nginx/kubernetes-ingress/pull/296" - }, - { - "title": "PR #295", - "number": 295, - "url": "https://github.com/nginx/kubernetes-ingress/pull/295" - }, - { - "title": "PR #294", - "number": 294, - "url": "https://github.com/nginx/kubernetes-ingress/pull/294" - }, - { - "title": "PR #287", - "number": 287, - "url": "https://github.com/nginx/kubernetes-ingress/pull/287" - }, - { - "title": "PR #286", - "number": 286, - "url": "https://github.com/nginx/kubernetes-ingress/pull/286" - } - ], - "Bug Fixes": [ - { - "title": "PR #1179", - "number": 1179, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1179" - }, - { - "title": "PR #1129", - "number": 1129, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1129" - }, - { - "title": "PR #1110", - "number": 1110, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1110" - }, - { - "title": "PR #1030", - "number": 1030, - "url": "https://github.com/nginx/kubernetes-ingress/pull/1030" - }, - { - "title": "PR #953", - "number": 953, - "url": "https://github.com/nginx/kubernetes-ingress/pull/953" - }, - { - "title": "PR #828", - "number": 828, - "url": "https://github.com/nginx/kubernetes-ingress/pull/828" - }, - { - "title": "PR #788", - "number": 788, - "url": "https://github.com/nginx/kubernetes-ingress/pull/788" - }, - { - "title": "PR #736", - "number": 736, - "url": "https://github.com/nginx/kubernetes-ingress/pull/736" - }, - { - "title": "PR #686", - "number": 686, - "url": "https://github.com/nginx/kubernetes-ingress/pull/686" - }, - { - "title": "PR #664", - "number": 664, - "url": "https://github.com/nginx/kubernetes-ingress/pull/664" - }, - { - "title": "PR #632", - "number": 632, - "url": "https://github.com/nginx/kubernetes-ingress/pull/632" - }, - { - "title": "PR #520", - "number": 520, - "url": "https://github.com/nginx/kubernetes-ingress/pull/520" - }, - { - "title": "PR #481", - "number": 481, - "url": "https://github.com/nginx/kubernetes-ingress/pull/481" - }, - { - "title": "PR #439", - "number": 439, - "url": "https://github.com/nginx/kubernetes-ingress/pull/439" - }, - { - "title": "PR #429", - "number": 429, - "url": "https://github.com/nginx/kubernetes-ingress/pull/429" - }, - { - "title": "PR #386", - "number": 386, - "url": "https://github.com/nginx/kubernetes-ingress/pull/386" - }, - { - "title": "PR #379", - "number": 379, - "url": "https://github.com/nginx/kubernetes-ingress/pull/379" - }, - { - "title": "PR #365", - "number": 365, - "url": "https://github.com/nginx/kubernetes-ingress/pull/365" - }, - { - "title": "PR #348", - "number": 348, - "url": "https://github.com/nginx/kubernetes-ingress/pull/348" - }, - { - "title": "PR #326", - "number": 326, - "url": "https://github.com/nginx/kubernetes-ingress/pull/326" - }, - { - "title": "PR #284", - "number": 284, - "url": "https://github.com/nginx/kubernetes-ingress/pull/284" - } - ] -} From 32a9a03397b70894fe3740e6d2cd6d2637e2f69f Mon Sep 17 00:00:00 2001 From: mohamad_al Date: Wed, 23 Jul 2025 14:16:05 +0100 Subject: [PATCH 31/33] Apply suggestions from code review Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Signed-off-by: mohamad_al --- pkg/apis/configuration/v1/types.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 2a29c51403..19c8e0182a 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -294,9 +294,9 @@ type Action struct { // ActionRedirect defines a redirect in an Action. type ActionRedirect struct { - // The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. + // The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. URL string `json:"url"` - // The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. + // The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. Code int `json:"code"` } From 43f4545b3f5a2e19225f71dae1572da66b0b4aaa Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 23 Jul 2025 14:19:23 +0100 Subject: [PATCH 32/33] fixing encoding error --- pkg/apis/configuration/v1/types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 19c8e0182a..df32e367dc 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -984,7 +984,7 @@ type SecurityLog struct { ApLogConf string `json:"apLogConf"` // The App Protect WAF log bundle resource. Only works with apBundle. ApLogBundle string `json:"apLogBundle"` - // The log destination for the security log. Only accepted variables are syslog:server=:, stderr, . + // The log destination for the security log. Only accepted variables are syslog:server=; localhost; fqdn>:, stderr, . LogDest string `json:"logDest"` } From ba1d00ecab99de625ccd375b1918cdccd3370f5c Mon Sep 17 00:00:00 2001 From: mohamad aldawamneh Date: Wed, 23 Jul 2025 14:29:04 +0100 Subject: [PATCH 33/33] fixing failing tests --- config/crd/bases/k8s.nginx.org_policies.yaml | 8 +- .../k8s.nginx.org_virtualserverroutes.yaml | 35 ++++----- .../bases/k8s.nginx.org_virtualservers.yaml | 35 ++++----- deploy/crds.yaml | 78 +++++++++---------- docs/crd/k8s.nginx.org_policies.md | 4 +- docs/crd/k8s.nginx.org_transportservers.md | 2 +- docs/crd/k8s.nginx.org_virtualserverroutes.md | 20 ++--- docs/crd/k8s.nginx.org_virtualservers.md | 20 ++--- 8 files changed, 99 insertions(+), 103 deletions(-) diff --git a/config/crd/bases/k8s.nginx.org_policies.yaml b/config/crd/bases/k8s.nginx.org_policies.yaml index 8150634199..32ce353821 100644 --- a/config/crd/bases/k8s.nginx.org_policies.yaml +++ b/config/crd/bases/k8s.nginx.org_policies.yaml @@ -431,8 +431,8 @@ spec: type: boolean logDest: description: The log destination for the security log. Only - accepted variables are syslog:server=:, stderr, . + accepted variables are syslog:server=; localhost; + fqdn>:, stderr, . type: string type: object securityLogs: @@ -452,8 +452,8 @@ spec: type: boolean logDest: description: The log destination for the security log. Only - accepted variables are syslog:server=:, stderr, . + accepted variables are syslog:server=; localhost; + fqdn>:, stderr, . type: string type: object type: array diff --git a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml index 6d5ccd8f8b..9b3afbe076 100644 --- a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml @@ -178,13 +178,12 @@ spec: properties: code: description: 'The status code of a redirect. The allowed - values are: 301 , 302 , 307 , 308. The default is - 301.' + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request to. Supported - NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -244,13 +243,13 @@ spec: properties: code: description: 'The status code of a redirect. The allowed - values are: 301 , 302 , 307 , 308. The default is + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request to. - Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -400,13 +399,13 @@ spec: properties: code: description: 'The status code of a redirect. The - allowed values are: 301 , 302 , 307 , 308. The + allowed values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -585,14 +584,14 @@ spec: properties: code: description: 'The status code of a redirect. - The allowed values are: 301 , 302 , 307 - , 308. The default is 301.' + The allowed values are: 301, 302, 307 + or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme - , $http_x_forwarded_proto , $request_uri - , $host. Variables must be enclosed in + to. Supported NGINX variables: $scheme, + $http_x_forwarded_proto, $request_uri + or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -783,13 +782,13 @@ spec: properties: code: description: 'The status code of a redirect. The - allowed values are: 301 , 302 , 307 , 308. The + allowed values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object diff --git a/config/crd/bases/k8s.nginx.org_virtualservers.yaml b/config/crd/bases/k8s.nginx.org_virtualservers.yaml index 6da1e18582..8e4cafe4e3 100644 --- a/config/crd/bases/k8s.nginx.org_virtualservers.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualservers.yaml @@ -265,13 +265,12 @@ spec: properties: code: description: 'The status code of a redirect. The allowed - values are: 301 , 302 , 307 , 308. The default is - 301.' + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request to. Supported - NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -331,13 +330,13 @@ spec: properties: code: description: 'The status code of a redirect. The allowed - values are: 301 , 302 , 307 , 308. The default is + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request to. - Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -487,13 +486,13 @@ spec: properties: code: description: 'The status code of a redirect. The - allowed values are: 301 , 302 , 307 , 308. The + allowed values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -672,14 +671,14 @@ spec: properties: code: description: 'The status code of a redirect. - The allowed values are: 301 , 302 , 307 - , 308. The default is 301.' + The allowed values are: 301, 302, 307 + or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme - , $http_x_forwarded_proto , $request_uri - , $host. Variables must be enclosed in + to. Supported NGINX variables: $scheme, + $http_x_forwarded_proto, $request_uri + or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -870,13 +869,13 @@ spec: properties: code: description: 'The status code of a redirect. The - allowed values are: 301 , 302 , 307 , 308. The + allowed values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object diff --git a/deploy/crds.yaml b/deploy/crds.yaml index c2097c5a58..5b80d9dff9 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -602,8 +602,8 @@ spec: type: boolean logDest: description: The log destination for the security log. Only - accepted variables are syslog:server=:, stderr, . + accepted variables are syslog:server=; localhost; + fqdn>:, stderr, . type: string type: object securityLogs: @@ -623,8 +623,8 @@ spec: type: boolean logDest: description: The log destination for the security log. Only - accepted variables are syslog:server=:, stderr, . + accepted variables are syslog:server=; localhost; + fqdn>:, stderr, . type: string type: object type: array @@ -1111,13 +1111,12 @@ spec: properties: code: description: 'The status code of a redirect. The allowed - values are: 301 , 302 , 307 , 308. The default is - 301.' + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request to. Supported - NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -1177,13 +1176,13 @@ spec: properties: code: description: 'The status code of a redirect. The allowed - values are: 301 , 302 , 307 , 308. The default is + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request to. - Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -1333,13 +1332,13 @@ spec: properties: code: description: 'The status code of a redirect. The - allowed values are: 301 , 302 , 307 , 308. The + allowed values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -1518,14 +1517,14 @@ spec: properties: code: description: 'The status code of a redirect. - The allowed values are: 301 , 302 , 307 - , 308. The default is 301.' + The allowed values are: 301, 302, 307 + or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme - , $http_x_forwarded_proto , $request_uri - , $host. Variables must be enclosed in + to. Supported NGINX variables: $scheme, + $http_x_forwarded_proto, $request_uri + or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -1716,13 +1715,13 @@ spec: properties: code: description: 'The status code of a redirect. The - allowed values are: 301 , 302 , 307 , 308. The + allowed values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -2422,13 +2421,12 @@ spec: properties: code: description: 'The status code of a redirect. The allowed - values are: 301 , 302 , 307 , 308. The default is - 301.' + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request to. Supported - NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -2488,13 +2486,13 @@ spec: properties: code: description: 'The status code of a redirect. The allowed - values are: 301 , 302 , 307 , 308. The default is + values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request to. - Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -2644,13 +2642,13 @@ spec: properties: code: description: 'The status code of a redirect. The - allowed values are: 301 , 302 , 307 , 308. The + allowed values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -2829,14 +2827,14 @@ spec: properties: code: description: 'The status code of a redirect. - The allowed values are: 301 , 302 , 307 - , 308. The default is 301.' + The allowed values are: 301, 302, 307 + or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme - , $http_x_forwarded_proto , $request_uri - , $host. Variables must be enclosed in + to. Supported NGINX variables: $scheme, + $http_x_forwarded_proto, $request_uri + or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object @@ -3027,13 +3025,13 @@ spec: properties: code: description: 'The status code of a redirect. The - allowed values are: 301 , 302 , 307 , 308. The + allowed values are: 301, 302, 307 or 308. The default is 301.' type: integer url: description: 'The URL to redirect the request - to. Supported NGINX variables: $scheme , $http_x_forwarded_proto - , $request_uri , $host. Variables must be enclosed + to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, + $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}.' type: string type: object diff --git a/docs/crd/k8s.nginx.org_policies.md b/docs/crd/k8s.nginx.org_policies.md index dd20548824..d8c8bb0f1c 100644 --- a/docs/crd/k8s.nginx.org_policies.md +++ b/docs/crd/k8s.nginx.org_policies.md @@ -91,9 +91,9 @@ The `.spec` object supports the following fields: | `waf.securityLog.apLogBundle` | `string` | The App Protect WAF log bundle resource. Only works with apBundle. | | `waf.securityLog.apLogConf` | `string` | The App Protect WAF log conf resource. Accepts an optional namespace. Only works with apPolicy. | | `waf.securityLog.enable` | `boolean` | Enables security log. | -| `waf.securityLog.logDest` | `string` | The log destination for the security log. Only accepted variables are syslog:server=:, stderr, . | +| `waf.securityLog.logDest` | `string` | The log destination for the security log. Only accepted variables are syslog:server=; localhost; fqdn>:, stderr, . | | `waf.securityLogs` | `array` | List of configuration values. | | `waf.securityLogs[].apLogBundle` | `string` | The App Protect WAF log bundle resource. Only works with apBundle. | | `waf.securityLogs[].apLogConf` | `string` | The App Protect WAF log conf resource. Accepts an optional namespace. Only works with apPolicy. | | `waf.securityLogs[].enable` | `boolean` | Enables security log. | -| `waf.securityLogs[].logDest` | `string` | The log destination for the security log. Only accepted variables are syslog:server=:, stderr, . | +| `waf.securityLogs[].logDest` | `string` | The log destination for the security log. Only accepted variables are syslog:server=; localhost; fqdn>:, stderr, . | diff --git a/docs/crd/k8s.nginx.org_transportservers.md b/docs/crd/k8s.nginx.org_transportservers.md index 94ce901990..0a986b3ca9 100644 --- a/docs/crd/k8s.nginx.org_transportservers.md +++ b/docs/crd/k8s.nginx.org_transportservers.md @@ -31,7 +31,7 @@ The `.spec` object supports the following fields: | `upstreamParameters` | `object` | UpstreamParameters defines parameters for an upstream. | | `upstreamParameters.connectTimeout` | `string` | The timeout for establishing a connection with a proxied server. The default is 60s. | | `upstreamParameters.nextUpstream` | `boolean` | If a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server. The default is true. | -| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. The default us 0. | +| `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. The default is 0. | | `upstreamParameters.nextUpstreamTries` | `integer` | The number of tries for passing a connection to the next server. The default is 0. | | `upstreamParameters.udpRequests` | `integer` | The number of datagrams, after receiving which, the next datagram from the same client starts a new session. The default is 0. | | `upstreamParameters.udpResponses` | `integer` | The number of datagrams expected from the proxied server in response to a client datagram. By default, the number of datagrams is not limited. | diff --git a/docs/crd/k8s.nginx.org_virtualserverroutes.md b/docs/crd/k8s.nginx.org_virtualserverroutes.md index 2fddbc2992..93bc49f191 100644 --- a/docs/crd/k8s.nginx.org_virtualserverroutes.md +++ b/docs/crd/k8s.nginx.org_virtualserverroutes.md @@ -37,8 +37,8 @@ The `.spec` object supports the following fields: | `subroutes[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `subroutes[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `subroutes[].action.redirect` | `object` | Redirects requests to a provided URL. | -| `subroutes[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `subroutes[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `subroutes[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `subroutes[].action.return` | `object` | Returns a preconfigured response. | | `subroutes[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `subroutes[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | @@ -50,8 +50,8 @@ The `.spec` object supports the following fields: | `subroutes[].errorPages` | `array` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. | | `subroutes[].errorPages[].codes` | `array[integer]` | A list of error status codes. | | `subroutes[].errorPages[].redirect` | `object` | The canned response action for the given status codes. | -| `subroutes[].errorPages[].redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `subroutes[].errorPages[].redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].errorPages[].redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `subroutes[].errorPages[].redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `subroutes[].errorPages[].return` | `object` | The redirect action for the given status codes. | | `subroutes[].errorPages[].return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `subroutes[].errorPages[].return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | @@ -80,8 +80,8 @@ The `.spec` object supports the following fields: | `subroutes[].matches[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `subroutes[].matches[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `subroutes[].matches[].action.redirect` | `object` | Redirects requests to a provided URL. | -| `subroutes[].matches[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `subroutes[].matches[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].matches[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `subroutes[].matches[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `subroutes[].matches[].action.return` | `object` | Returns a preconfigured response. | | `subroutes[].matches[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `subroutes[].matches[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | @@ -115,8 +115,8 @@ The `.spec` object supports the following fields: | `subroutes[].matches[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `subroutes[].matches[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `subroutes[].matches[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | -| `subroutes[].matches[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `subroutes[].matches[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].matches[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `subroutes[].matches[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `subroutes[].matches[].splits[].action.return` | `object` | Returns a preconfigured response. | | `subroutes[].matches[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `subroutes[].matches[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | @@ -150,8 +150,8 @@ The `.spec` object supports the following fields: | `subroutes[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `subroutes[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `subroutes[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | -| `subroutes[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `subroutes[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `subroutes[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `subroutes[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `subroutes[].splits[].action.return` | `object` | Returns a preconfigured response. | | `subroutes[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `subroutes[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | diff --git a/docs/crd/k8s.nginx.org_virtualservers.md b/docs/crd/k8s.nginx.org_virtualservers.md index 83eee730f8..154584e564 100644 --- a/docs/crd/k8s.nginx.org_virtualservers.md +++ b/docs/crd/k8s.nginx.org_virtualservers.md @@ -55,8 +55,8 @@ The `.spec` object supports the following fields: | `routes[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `routes[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `routes[].action.redirect` | `object` | Redirects requests to a provided URL. | -| `routes[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `routes[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `routes[].action.return` | `object` | Returns a preconfigured response. | | `routes[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `routes[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | @@ -68,8 +68,8 @@ The `.spec` object supports the following fields: | `routes[].errorPages` | `array` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. | | `routes[].errorPages[].codes` | `array[integer]` | A list of error status codes. | | `routes[].errorPages[].redirect` | `object` | The canned response action for the given status codes. | -| `routes[].errorPages[].redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `routes[].errorPages[].redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].errorPages[].redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].errorPages[].redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `routes[].errorPages[].return` | `object` | The redirect action for the given status codes. | | `routes[].errorPages[].return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `routes[].errorPages[].return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | @@ -98,8 +98,8 @@ The `.spec` object supports the following fields: | `routes[].matches[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `routes[].matches[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `routes[].matches[].action.redirect` | `object` | Redirects requests to a provided URL. | -| `routes[].matches[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `routes[].matches[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].matches[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].matches[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `routes[].matches[].action.return` | `object` | Returns a preconfigured response. | | `routes[].matches[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `routes[].matches[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | @@ -133,8 +133,8 @@ The `.spec` object supports the following fields: | `routes[].matches[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `routes[].matches[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `routes[].matches[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | -| `routes[].matches[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `routes[].matches[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].matches[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].matches[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `routes[].matches[].splits[].action.return` | `object` | Returns a preconfigured response. | | `routes[].matches[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `routes[].matches[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. | @@ -168,8 +168,8 @@ The `.spec` object supports the following fields: | `routes[].splits[].action.proxy.rewritePath` | `string` | The rewritten URI. If the route path is a regular expression – starts with ~ – the rewritePath can include capture groups with $1-9. For example $1 for the first group, and so on. For more information, check the rewrite example. | | `routes[].splits[].action.proxy.upstream` | `string` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | | `routes[].splits[].action.redirect` | `object` | Redirects requests to a provided URL. | -| `routes[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301 , 302 , 307 , 308. The default is 301. | -| `routes[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme , $http_x_forwarded_proto , $request_uri , $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | +| `routes[].splits[].action.redirect.code` | `integer` | The status code of a redirect. The allowed values are: 301, 302, 307 or 308. The default is 301. | +| `routes[].splits[].action.redirect.url` | `string` | The URL to redirect the request to. Supported NGINX variables: $scheme, $http_x_forwarded_proto, $request_uri or $host. Variables must be enclosed in curly braces. For example: ${host}${request_uri}. | | `routes[].splits[].action.return` | `object` | Returns a preconfigured response. | | `routes[].splits[].action.return.body` | `string` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: Request is ${request_uri}\n. | | `routes[].splits[].action.return.code` | `integer` | The status code of the response. The allowed values are: 2XX, 4XX or 5XX. The default is 200. |