From 3d3e2777a31f0c7160f0a813423b462cccbb6f06 Mon Sep 17 00:00:00 2001
From: ctrought <65360454+ctrought@users.noreply.github.com>
Date: Sun, 16 Jan 2022 00:12:20 -0500
Subject: [PATCH 0001/1253] handle subject escaped csv
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
---
pkg/controller/certificate-shim/helper.go | 71 +++++++++++++++++++++++
1 file changed, 71 insertions(+)
diff --git a/pkg/controller/certificate-shim/helper.go b/pkg/controller/certificate-shim/helper.go
index 994cadd457b..86fd265932e 100644
--- a/pkg/controller/certificate-shim/helper.go
+++ b/pkg/controller/certificate-shim/helper.go
@@ -17,9 +17,11 @@ limitations under the License.
package shimhelper
import (
+ "encoding/csv"
"errors"
"fmt"
"strconv"
+ "reflect"
"strings"
"time"
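Review bot: The new `"reflect"` import is placed after `"strconv"`, so the import block is no longer gofmt-sorted; gofmt orders consecutive import specs alphabetically and would move it to sit between `"fmt"` and `"strconv"`. Fixing the order in this patch avoids a later formatter run touching an unrelated line.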
@@ -67,6 +69,52 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
crt.Spec.CommonName = commonName
}
+ if emailAddresses, found := ingLikeAnnotations[cmapi.EmailsAnnotationKey]; found {
+ crt.Spec.EmailAddresses = strings.Split(emailAddresses, ",")
+ }
+
+ subject := &cmapi.X509Subject{}
+ if organizations, found := ingLikeAnnotations[cmapi.SubjectOrganizationsAnnotationKey]; found {
+ subject.Organizations = strings.Split(organizations, ",")
+ }
+
+ if organizationalUnits, found := ingLikeAnnotations[cmapi.SubjectOrganizationalUnitsAnnotationKey]; found {
+ subject.OrganizationalUnits = strings.Split(organizationalUnits, ",")
+ }
+
+ if countries, found := ingLikeAnnotations[cmapi.SubjectCountriesAnnotationKey]; found {
+ subject.Countries = strings.Split(countries, ",")
+ }
+
+ if provinces, found := ingLikeAnnotations[cmapi.SubjectProvincesAnnotationKey]; found {
+ subject.Provinces = strings.Split(provinces, ",")
+ }
+
+ if localities, found := ingLikeAnnotations[cmapi.SubjectLocalitiesAnnotationKey]; found {
+ subject.Localities = strings.Split(localities, ",")
+ }
+
+ if postalCodes, found := ingLikeAnnotations[cmapi.SubjectPostalCodesAnnotationKey]; found {
+ subject.PostalCodes = strings.Split(postalCodes, ",")
+ }
+
+ if streetAddresses, found := ingLikeAnnotations[cmapi.SubjectStreetAddressesAnnotationKey]; found {
+ addresses, err := splitWithEscapeCSV(streetAddresses)
+ if err != nil {
+ return fmt.Errorf("%w %q: %v", errInvalidIngressAnnotation, cmapi.SubjectStreetAddressesAnnotationKey, err)
+ }
+ subject.StreetAddresses = addresses
+ }
+
+ if serialNumber, found := ingLikeAnnotations[cmapi.SubjectSerialNumberAnnotationKey]; found {
+ subject.SerialNumber = serialNumber
+ }
+
+ emptySubject := &cmapi.X509Subject{}
+ if !reflect.DeepEqual(emptySubject, subject) {
+ crt.Spec.Subject = subject
+ }
+
if duration, found := ingLikeAnnotations[cmapi.DurationAnnotationKey]; found {
duration, err := time.ParseDuration(duration)
if err != nil {
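Review bot: `strings.Split(emailAddresses, ",")` turns an annotation that is present but empty into `[]string{""}`, so `cert-manager.io/email-sans: ""` yields a Certificate with one empty email SAN rather than none; the same holds for each `strings.Split` feeding `subject`, and because `[""]` is not deep-equal to the empty `X509Subject`, such a subject is also attached to the spec. Guard the split, e.g. `if emailAddresses, found := ingLikeAnnotations[cmapi.EmailsAnnotationKey]; found && emailAddresses != "" {`, and apply the same guard to the subject fields (the fourth patch switches those to splitWithEscapeCSV, which rejects an empty string outright, leaving the email path as the one still affected). Fields are also not whitespace-trimmed, so `a, b` keeps a leading space on the second element — worth a comment if that is intended. translateAnnotations starts and ends outside this hunk.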
@@ -191,3 +239,26 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
return nil
}
+
+// splitWithEscapeCSV parses the given input as a single line of CSV, which allows
+// a comma-separated list of strings to be parsed while allowing commas to be present
+// in each field. For example, a user can specify:
+// "10 Downing Street, Westminster",Manchester
+// to produce []string{"10 Downing Street, Westminster", "Manchester"}, keeping the comma
+// in the first address. Empty lines or multiple CSV records are both rejected.
+func splitWithEscapeCSV(in string) ([]string, error) {
+ reader := csv.NewReader(strings.NewReader(in))
+
+ records, err := reader.ReadAll()
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse %q as CSV: %w", in, err)
+ }
+
+ if len(records) == 0 {
+ return nil, fmt.Errorf("no values found after parsing %q", in)
+ } else if len(records) > 1 {
+ return nil, fmt.Errorf("refusing to use %q as input as it parses as multiple lines of CSV", in)
+ }
+
+ return records[0], nil
+}
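Review bot: The reader keeps encoding/csv's default `TrimLeadingSpace = false`, so a value such as `Manchester, "10 Downing Street, Westminster"` (a space after the comma before a quoted field) fails with a bare-quote parse error, while `"10 Downing Street, Westminster", Manchester` succeeds but yields `" Manchester"` with its leading space. Either set `reader.TrimLeadingSpace = true` after `csv.NewReader` — at the cost of also stripping leading whitespace from unquoted fields — or state in the doc comment that fields are taken verbatim and a quoted field must begin immediately after the comma. Since the annotation value comes from the Ingress author, the chosen rule should be documented where that user can find it.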
From 8f597dae1dcf0959ef0694db3b8c5c6c7aec3ec1 Mon Sep 17 00:00:00 2001
From: ctrought <65360454+ctrought@users.noreply.github.com>
Date: Sun, 16 Jan 2022 00:12:23 -0500
Subject: [PATCH 0002/1253] subject street tests
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
---
.../certificate-shim/helper_test.go | 31 +++++++++--
pkg/controller/certificate-shim/sync_test.go | 54 +++++++++++++++++++
2 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/pkg/controller/certificate-shim/helper_test.go b/pkg/controller/certificate-shim/helper_test.go
index fdf28bd0a3c..424217cdbfc 100644
--- a/pkg/controller/certificate-shim/helper_test.go
+++ b/pkg/controller/certificate-shim/helper_test.go
@@ -40,11 +40,23 @@ func Test_translateAnnotations(t *testing.T) {
validAnnotations := func() map[string]string {
return map[string]string{
- cmapi.CommonNameAnnotationKey: "www.example.com",
- cmapi.DurationAnnotationKey: "168h", // 1 week
- cmapi.RenewBeforeAnnotationKey: "24h",
- cmapi.UsagesAnnotationKey: "server auth,signing",
- cmapi.RevisionHistoryLimitAnnotationKey: "7",
+ cmapi.CommonNameAnnotationKey: "www.example.com",
+ cmapi.DurationAnnotationKey: "168h", // 1 week
+ cmapi.RenewBeforeAnnotationKey: "24h",
+ cmapi.UsagesAnnotationKey: "server auth,signing",
+ cmapi.RevisionHistoryLimitAnnotationKey: "7",
+ cmapi.EmailsAnnotationKey: "test@example.com",
+ cmapi.SubjectOrganizationsAnnotationKey: "Test Organization",
+ cmapi.SubjectOrganizationalUnitsAnnotationKey: "Test Organizational Unit",
+ cmapi.SubjectCountriesAnnotationKey: "Country",
+ cmapi.SubjectProvincesAnnotationKey: "Province",
+ cmapi.SubjectLocalitiesAnnotationKey: "City",
+ cmapi.SubjectStreetAddressesAnnotationKey: "\"1725 Slough Avenue, Suite 200, Scranton Business Park\"",
+ cmapi.SubjectPostalCodesAnnotationKey: "ABC123",
+ cmapi.SubjectSerialNumberAnnotationKey: "123456",
+ cmapi.DurationAnnotationKey: "168h", // 1 week
+ cmapi.RenewBeforeAnnotationKey: "24h",
+ cmapi.UsagesAnnotationKey: "server auth,signing",
}
}
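Review bot: The rewritten `validAnnotations` map literal lists `cmapi.DurationAnnotationKey`, `cmapi.RenewBeforeAnnotationKey` and `cmapi.UsagesAnnotationKey` twice (once near the top, again after `SubjectSerialNumberAnnotationKey`); if `cmapi` is the `pkg/apis/certmanager/v1` package, those keys are declared in a `const` block (visible in the fourth patch's types.go hunk), and Go rejects duplicate constant keys in a map literal at compile time. Drop the second set of three lines. The duplicate is still present in the fourth patch's `helper_test.go` hunk and needs the same fix there.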
@@ -125,6 +137,7 @@ func Test_translateAnnotations(t *testing.T) {
a.Equal(cmapi.Ed25519KeyAlgorithm, crt.Spec.PrivateKey.Algorithm)
a.Equal(cmapi.PKCS8, crt.Spec.PrivateKey.Encoding)
a.Equal(cmapi.RotationPolicyAlways, crt.Spec.PrivateKey.RotationPolicy)
+ a.Equal([]string{"1725 Slough Avenue, Suite 200, Scranton Business Park"}, crt.Spec.Subject.StreetAddresses)
},
},
"nil annotations": {
@@ -246,6 +259,14 @@ func Test_translateAnnotations(t *testing.T) {
},
expectedError: errInvalidIngressAnnotation,
},
+ "bad street addresses": {
+ crt: gen.Certificate("example-cert"),
+ annotations: validAnnotations(),
+ mutate: func(tc *testCase) {
+ tc.annotations[cmapi.SubjectStreetAddressesAnnotationKey] = "invalid csv\","
+ },
+ expectedError: errInvalidIngressAnnotation,
+ },
}
for name, tc := range tests {
t.Run(name, func(t *testing.T) {
diff --git a/pkg/controller/certificate-shim/sync_test.go b/pkg/controller/certificate-shim/sync_test.go
index 757874c4654..a6f1f070070 100644
--- a/pkg/controller/certificate-shim/sync_test.go
+++ b/pkg/controller/certificate-shim/sync_test.go
@@ -1460,6 +1460,60 @@ func TestSync(t *testing.T) {
},
},
},
+ {
+ Name: "return a single Certificate for an ingress with a single valid TLS entry with common-name and subject street addresses annotation",
+ Issuer: acmeClusterIssuer,
+ IngressLike: &networkingv1.Ingress{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "ingress-name",
+ Namespace: gen.DefaultTestNamespace,
+ Labels: map[string]string{
+ "my-test-label": "should be copied",
+ },
+ Annotations: map[string]string{
+ cmapi.IngressClusterIssuerNameAnnotationKey: "issuer-name",
+ cmapi.CommonNameAnnotationKey: "my-cn",
+ "cert-manager.io/subject-streetaddresses": "\"1725 Slough Avenue, Suite 200, Scranton Business Park\"",
+ },
+ UID: types.UID("ingress-name"),
+ },
+ Spec: networkingv1.IngressSpec{
+ TLS: []networkingv1.IngressTLS{
+ {
+ Hosts: []string{"example.com", "www.example.com"},
+ SecretName: "example-com-tls",
+ },
+ },
+ },
+ },
+ ClusterIssuerLister: []runtime.Object{acmeClusterIssuer},
+ ExpectedEvents: []string{`Normal CreateCertificate Successfully created Certificate "example-com-tls"`},
+ ExpectedCreate: []*cmapi.Certificate{
+ {
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "example-com-tls",
+ Namespace: gen.DefaultTestNamespace,
+ Labels: map[string]string{
+ "my-test-label": "should be copied",
+ },
+ OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace),
+ },
+ Spec: cmapi.CertificateSpec{
+ DNSNames: []string{"example.com", "www.example.com"},
+ CommonName: "my-cn",
+ SecretName: "example-com-tls",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "issuer-name",
+ Kind: "ClusterIssuer",
+ },
+ Subject: &cmapi.X509Subject{
+ StreetAddresses: []string{"1725 Slough Avenue, Suite 200, Scranton Business Park"},
+ },
+ Usages: cmapi.DefaultKeyUsages(),
+ },
+ },
+ },
+ },
}
testGatewayShim := []testT{
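Review bot: The new annotation entry uses the bare string `"cert-manager.io/subject-streetaddresses"` while the two lines above use `cmapi.*AnnotationKey` constants; `cmapi.SubjectStreetAddressesAnnotationKey` is what translateAnnotations reads, so write the entry as `cmapi.SubjectStreetAddressesAnnotationKey: "\"1725 Slough Avenue, Suite 200, Scranton Business Park\"",` to keep the test tied to the key the code actually looks up.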
From 89ae7238be05b8e8864d13fc11438cc7edd9ed47 Mon Sep 17 00:00:00 2001
From: ctrought <65360454+ctrought@users.noreply.github.com>
Date: Sun, 16 Jan 2022 00:12:58 -0500
Subject: [PATCH 0003/1253] cleanup comment
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
---
internal/apis/certmanager/types.go | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/internal/apis/certmanager/types.go b/internal/apis/certmanager/types.go
index ac7a113f956..11061bebea8 100644
--- a/internal/apis/certmanager/types.go
+++ b/internal/apis/certmanager/types.go
@@ -30,6 +30,33 @@ const (
// Annotation key for certificate common name.
CommonNameAnnotationKey = "cert-manager.io/common-name"
+ // Annotation key for emails subjectAltNames.
+ EmailsAnnotationKey = "cert-manager.io/email-sans"
+
+ // Annotation key for subject organization.
+ SubjectOrganizationsAnnotationKey = "cert-manager.io/subject-organizations"
+
+ // Annotation key for subject organizational units.
+ SubjectOrganizationalUnitsAnnotationKey = "cert-manager.io/subject-organizationalunits"
+
+ // Annotation key for subject organizational units.
+ SubjectCountriesAnnotationKey = "cert-manager.io/subject-countries"
+
+ // Annotation key for subject provinces.
+ SubjectProvincesAnnotationKey = "cert-manager.io/subject-provinces"
+
+ // Annotation key for subject localities.
+ SubjectLocalitiesAnnotationKey = "cert-manager.io/subject-localities"
+
+ // Annotation key for subject provinces.
+ SubjectStreetAddressesAnnotationKey = "cert-manager.io/subject-streetaddresses"
+
+ // Annotation key for subject postal codes.
+ SubjectPostalCodesAnnotationKey = "cert-manager.io/subject-postalcodes"
+
+ // Annotation key for subject serial number.
+ SubjectSerialNumberAnnotationKey = "cert-manager.io/subject-serialnumber"
+
// Annotation key the 'name' of the Issuer resource.
IssuerNameAnnotationKey = "cert-manager.io/issuer-name"
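Review bot: Two of the new comments are copy-paste leftovers: `SubjectCountriesAnnotationKey` is documented as "Annotation key for subject organizational units." and `SubjectStreetAddressesAnnotationKey` as "Annotation key for subject provinces.". Change them to `// Annotation key for subject countries.` and `// Annotation key for subject street addresses.`. The same two comments are repeated in the `pkg/apis/certmanager/v1/types.go` hunk of the fourth patch and need the same fix.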
From d9a8047f9c623918912a094a624737e94ff61ace Mon Sep 17 00:00:00 2001
From: ctrought <65360454+ctrought@users.noreply.github.com>
Date: Fri, 8 Apr 2022 22:20:29 -0400
Subject: [PATCH 0004/1253] ingress subject annotations & helper tests
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
---
.../certificates/policies/checks.go | 5 +-
internal/controller/certificates/secrets.go | 55 ++++++-
.../controller/certificates/secrets_test.go | 145 ++++++++++++------
pkg/apis/certmanager/v1/types.go | 27 ++++
pkg/controller/certificate-shim/helper.go | 47 +++++-
.../certificate-shim/helper_test.go | 34 +++-
.../certificates/issuing/internal/secret.go | 7 +-
pkg/util/pki/csr.go | 7 +
8 files changed, 268 insertions(+), 59 deletions(-)
diff --git a/internal/controller/certificates/policies/checks.go b/internal/controller/certificates/policies/checks.go
index 52d47d1ab13..0236e87baeb 100644
--- a/internal/controller/certificates/policies/checks.go
+++ b/internal/controller/certificates/policies/checks.go
@@ -287,7 +287,10 @@ func SecretTemplateMismatchesSecretManagedFields(fieldManager string) Func {
}
}
- baseAnnotations := internalcertificates.AnnotationsForCertificateSecret(input.Certificate, x509cert)
+ baseAnnotations, err := internalcertificates.AnnotationsForCertificateSecret(input.Certificate, x509cert)
+ if err != nil {
+ return InvalidCertificate, fmt.Sprintf("Failed getting secret annotations: %v", err), true
+ }
managedLabels, managedAnnotations := sets.NewString(), sets.NewString()
diff --git a/internal/controller/certificates/secrets.go b/internal/controller/certificates/secrets.go
index 0a401c2a508..45021c90b4a 100644
--- a/internal/controller/certificates/secrets.go
+++ b/internal/controller/certificates/secrets.go
@@ -19,7 +19,9 @@ package certificates
import (
"bytes"
"crypto/x509"
+ "encoding/csv"
"encoding/pem"
+ "fmt"
"strings"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
@@ -32,7 +34,7 @@ import (
// information about the Issuer and Certificate.
// If the X.509 certificate is not-nil, additional annotations will be added
// relating to its Common Name and Subject Alternative Names.
-func AnnotationsForCertificateSecret(crt *cmapi.Certificate, certificate *x509.Certificate) map[string]string {
+func AnnotationsForCertificateSecret(crt *cmapi.Certificate, certificate *x509.Certificate) (map[string]string, error) {
annotations := make(map[string]string)
annotations[cmapi.CertificateNameKey] = crt.Name
@@ -42,13 +44,44 @@ func AnnotationsForCertificateSecret(crt *cmapi.Certificate, certificate *x509.C
// Only add certificate data if certificate is non-nil.
if certificate != nil {
+ var err error
annotations[cmapi.CommonNameAnnotationKey] = certificate.Subject.CommonName
annotations[cmapi.AltNamesAnnotationKey] = strings.Join(certificate.DNSNames, ",")
annotations[cmapi.IPSANAnnotationKey] = strings.Join(utilpki.IPAddressesToString(certificate.IPAddresses), ",")
annotations[cmapi.URISANAnnotationKey] = strings.Join(utilpki.URLsToString(certificate.URIs), ",")
+ annotations[cmapi.EmailsAnnotationKey] = strings.Join(certificate.EmailAddresses, ",")
+ annotations[cmapi.SubjectSerialNumberAnnotationKey] = utilpki.SerialNumberToString(certificate.SerialNumber)
+
+ var errList []error
+ annotations[cmapi.SubjectOrganizationsAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.Organization)
+ errList = append(errList, err)
+
+ annotations[cmapi.SubjectOrganizationalUnitsAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.OrganizationalUnit)
+ errList = append(errList, err)
+
+ annotations[cmapi.SubjectCountriesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.Country)
+ errList = append(errList, err)
+
+ annotations[cmapi.SubjectProvincesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.Province)
+ errList = append(errList, err)
+
+ annotations[cmapi.SubjectLocalitiesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.Locality)
+ errList = append(errList, err)
+
+ annotations[cmapi.SubjectPostalCodesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.PostalCode)
+ errList = append(errList, err)
+
+ annotations[cmapi.SubjectStreetAddressesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.StreetAddress)
+ errList = append(errList, err)
+ // return first error
+ for _, v := range errList {
+ if v != nil {
+ return nil, err
+ }
+ }
}
- return annotations
+ return annotations, nil
}
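Review bot: `annotations[cmapi.SubjectSerialNumberAnnotationKey]` is filled from `certificate.SerialNumber`, which is the certificate's own serial (a `*big.Int`, per the new `SerialNumberToString(sn *big.Int)` in `pkg/util/pki/csr.go`), while the annotation name, the ingress-side `subject.SerialNumber` assignment and the test expectation `"cert-manager.io/subject-serialnumber": "12345678"` (taken from `Subject.SerialNumber`) all refer to the subject's serial string; use `annotations[cmapi.SubjectSerialNumberAnnotationKey] = certificate.Subject.SerialNumber` instead. Separately, the error loop returns `err` — the result of the last `joinWithEscapeCSV` call — rather than the non-nil entry it found; `return nil, v` is what the `// return first error` comment intends. Appending every `err`, nil or not, to `errList` only to scan it afterwards is more than needed; checking `err` directly after each call returns the first failure with no list at all.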
// OutputFormatDER returns the byte slice of the private key in DER format. To
@@ -64,3 +97,21 @@ func OutputFormatDER(privateKey []byte) []byte {
func OutputFormatCombinedPEM(privateKey, certificate []byte) []byte {
return bytes.Join([][]byte{privateKey, certificate}, []byte("\n"))
}
+
+// joinWithEscapeCSV returns the given list as a single line of CSV that
+// is escaped with quotes if necessary
+func joinWithEscapeCSV(in []string) (string, error) {
+ b := new(bytes.Buffer)
+ writer := csv.NewWriter(b)
+ writer.Write(in)
+ writer.Flush()
+
+ if err := writer.Error(); err != nil {
+ return "", fmt.Errorf("failed to write %q as CSV: %w", in, err)
+ }
+
+ s := b.String()
+ // CSV writer adds a trailing new line, we need to clean it up
+ s = strings.TrimSuffix(s, "\n")
+ return s, nil
+}
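Review bot: `joinWithEscapeCSV` produces `""` for both a nil slice and `[]string{""}`, because csv.Writer writes an empty field unquoted, and that output is not accepted back by `splitWithEscapeCSV` from the first patch, which reports "no values found" for an empty string; the doc comment should state that the result is the empty string for an empty list and that empty elements are not preserved. Writing into a `bytes.Buffer` does not return errors, so the `error` result is in practice unreachable — if it is kept for symmetry with the reader, say so in the comment. The dropped return value of `writer.Write(in)` is only safe because `writer.Error()` is consulted after `Flush`; a comment on that line, `// errors are surfaced by writer.Error() below`, stops a later reader from adding a second check. `b := new(bytes.Buffer)` could be the idiomatic `var b bytes.Buffer` with `csv.NewWriter(&b)`.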
diff --git a/internal/controller/certificates/secrets_test.go b/internal/controller/certificates/secrets_test.go
index 7ac3d591977..183dc923f1b 100644
--- a/internal/controller/certificates/secrets_test.go
+++ b/internal/controller/certificates/secrets_test.go
@@ -49,21 +49,39 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
),
certificate: &x509.Certificate{
Subject: pkix.Name{
- CommonName: "cert-manager",
+ CommonName: "cert-manager",
+ Organization: []string{"Example Organization 1", "Example Organization 2"},
+ OrganizationalUnit: []string{"Example Organizational Unit 1", "Example Organizational Unit 2"},
+ Country: []string{"Country 1", "Country 2"},
+ Province: []string{"Province 1", "Province 2"},
+ Locality: []string{"City 1", "City 2"},
+ StreetAddress: []string{"1725 Slough Avenue, Suite 200, Scranton Business Park", "123 Example St"},
+ PostalCode: []string{"55555", "12345"},
+ SerialNumber: "12345678",
},
- DNSNames: []string{"example.com", "cert-manager.io"},
- IPAddresses: []net.IP{{1, 1, 1, 1}, {1, 2, 3, 4}},
- URIs: urls,
+ DNSNames: []string{"example.com", "cert-manager.io"},
+ IPAddresses: []net.IP{{1, 1, 1, 1}, {1, 2, 3, 4}},
+ URIs: urls,
+ EmailAddresses: []string{"test1@example.com", "test2@cert-manager.io"},
},
expAnnotations: map[string]string{
- "cert-manager.io/certificate-name": "test-certificate",
- "cert-manager.io/issuer-name": "another-test-issuer",
- "cert-manager.io/issuer-kind": "GoogleCASIssuer",
- "cert-manager.io/issuer-group": "my-group.hello.world",
- "cert-manager.io/common-name": "cert-manager",
- "cert-manager.io/alt-names": "example.com,cert-manager.io",
- "cert-manager.io/ip-sans": "1.1.1.1,1.2.3.4",
- "cert-manager.io/uri-sans": "spiffe.io//cert-manager.io/test,spiffe.io//hello.world",
+ "cert-manager.io/certificate-name": "test-certificate",
+ "cert-manager.io/issuer-name": "another-test-issuer",
+ "cert-manager.io/issuer-kind": "GoogleCASIssuer",
+ "cert-manager.io/issuer-group": "my-group.hello.world",
+ "cert-manager.io/common-name": "cert-manager",
+ "cert-manager.io/alt-names": "example.com,cert-manager.io",
+ "cert-manager.io/ip-sans": "1.1.1.1,1.2.3.4",
+ "cert-manager.io/uri-sans": "spiffe.io//cert-manager.io/test,spiffe.io//hello.world",
+ "cert-manager.io/email-sans": "test1@example.com,test2@cert-manager.io",
+ "cert-manager.io/subject-organizations": "Example Organization 1,Example Organization 2",
+ "cert-manager.io/subject-organizationalunits": "Example Organizational Unit 1,Example Organizational Unit 2",
+ "cert-manager.io/subject-countries": "Country 1,Country 2",
+ "cert-manager.io/subject-provinces": "Province 1,Province 2",
+ "cert-manager.io/subject-localities": "City 1,City 2",
+ "cert-manager.io/subject-streetaddresses": "\"1725 Slough Avenue, Suite 200, Scranton Business Park\",123 Example St",
+ "cert-manager.io/subject-postalcodes": "55555,12345",
+ "cert-manager.io/subject-serialnumber": "12345678",
},
},
"if pass non-nil certificate with only CommonName, expect all Annotations to be present": {
@@ -76,14 +94,23 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
},
},
expAnnotations: map[string]string{
- "cert-manager.io/certificate-name": "test-certificate",
- "cert-manager.io/issuer-name": "another-test-issuer",
- "cert-manager.io/issuer-kind": "GoogleCASIssuer",
- "cert-manager.io/issuer-group": "my-group.hello.world",
- "cert-manager.io/common-name": "cert-manager",
- "cert-manager.io/alt-names": "",
- "cert-manager.io/ip-sans": "",
- "cert-manager.io/uri-sans": "",
+ "cert-manager.io/certificate-name": "test-certificate",
+ "cert-manager.io/issuer-name": "another-test-issuer",
+ "cert-manager.io/issuer-kind": "GoogleCASIssuer",
+ "cert-manager.io/issuer-group": "my-group.hello.world",
+ "cert-manager.io/common-name": "cert-manager",
+ "cert-manager.io/alt-names": "",
+ "cert-manager.io/ip-sans": "",
+ "cert-manager.io/uri-sans": "",
+ "cert-manager.io/email-sans": "",
+ "cert-manager.io/subject-organizations": "",
+ "cert-manager.io/subject-organizationalunits": "",
+ "cert-manager.io/subject-countries": "",
+ "cert-manager.io/subject-provinces": "",
+ "cert-manager.io/subject-localities": "",
+ "cert-manager.io/subject-streetaddresses": "",
+ "cert-manager.io/subject-postalcodes": "",
+ "cert-manager.io/subject-serialnumber": "",
},
},
"if pass non-nil certificate with only IP Addresses, expect all Annotations to be present": {
@@ -94,14 +121,23 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
IPAddresses: []net.IP{{1, 1, 1, 1}, {1, 2, 3, 4}},
},
expAnnotations: map[string]string{
- "cert-manager.io/certificate-name": "test-certificate",
- "cert-manager.io/issuer-name": "another-test-issuer",
- "cert-manager.io/issuer-kind": "GoogleCASIssuer",
- "cert-manager.io/issuer-group": "my-group.hello.world",
- "cert-manager.io/common-name": "",
- "cert-manager.io/alt-names": "",
- "cert-manager.io/ip-sans": "1.1.1.1,1.2.3.4",
- "cert-manager.io/uri-sans": "",
+ "cert-manager.io/certificate-name": "test-certificate",
+ "cert-manager.io/issuer-name": "another-test-issuer",
+ "cert-manager.io/issuer-kind": "GoogleCASIssuer",
+ "cert-manager.io/issuer-group": "my-group.hello.world",
+ "cert-manager.io/common-name": "",
+ "cert-manager.io/alt-names": "",
+ "cert-manager.io/ip-sans": "1.1.1.1,1.2.3.4",
+ "cert-manager.io/uri-sans": "",
+ "cert-manager.io/email-sans": "",
+ "cert-manager.io/subject-organizations": "",
+ "cert-manager.io/subject-organizationalunits": "",
+ "cert-manager.io/subject-countries": "",
+ "cert-manager.io/subject-provinces": "",
+ "cert-manager.io/subject-localities": "",
+ "cert-manager.io/subject-streetaddresses": "",
+ "cert-manager.io/subject-postalcodes": "",
+ "cert-manager.io/subject-serialnumber": "",
},
},
"if pass non-nil certificate with only URI SANs, expect all Annotations to be present": {
@@ -112,14 +148,23 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
URIs: urls,
},
expAnnotations: map[string]string{
- "cert-manager.io/certificate-name": "test-certificate",
- "cert-manager.io/issuer-name": "another-test-issuer",
- "cert-manager.io/issuer-kind": "GoogleCASIssuer",
- "cert-manager.io/issuer-group": "my-group.hello.world",
- "cert-manager.io/common-name": "",
- "cert-manager.io/alt-names": "",
- "cert-manager.io/ip-sans": "",
- "cert-manager.io/uri-sans": "spiffe.io//cert-manager.io/test,spiffe.io//hello.world",
+ "cert-manager.io/certificate-name": "test-certificate",
+ "cert-manager.io/issuer-name": "another-test-issuer",
+ "cert-manager.io/issuer-kind": "GoogleCASIssuer",
+ "cert-manager.io/issuer-group": "my-group.hello.world",
+ "cert-manager.io/common-name": "",
+ "cert-manager.io/alt-names": "",
+ "cert-manager.io/ip-sans": "",
+ "cert-manager.io/uri-sans": "spiffe.io//cert-manager.io/test,spiffe.io//hello.world",
+ "cert-manager.io/email-sans": "",
+ "cert-manager.io/subject-organizations": "",
+ "cert-manager.io/subject-organizationalunits": "",
+ "cert-manager.io/subject-countries": "",
+ "cert-manager.io/subject-provinces": "",
+ "cert-manager.io/subject-localities": "",
+ "cert-manager.io/subject-streetaddresses": "",
+ "cert-manager.io/subject-postalcodes": "",
+ "cert-manager.io/subject-serialnumber": "",
},
},
"if pass non-nil certificate with only DNS names, expect all Annotations to be present": {
@@ -130,14 +175,23 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
DNSNames: []string{"example.com", "cert-manager.io"},
},
expAnnotations: map[string]string{
- "cert-manager.io/certificate-name": "test-certificate",
- "cert-manager.io/issuer-name": "another-test-issuer",
- "cert-manager.io/issuer-kind": "GoogleCASIssuer",
- "cert-manager.io/issuer-group": "my-group.hello.world",
- "cert-manager.io/common-name": "",
- "cert-manager.io/alt-names": "example.com,cert-manager.io",
- "cert-manager.io/ip-sans": "",
- "cert-manager.io/uri-sans": "",
+ "cert-manager.io/certificate-name": "test-certificate",
+ "cert-manager.io/issuer-name": "another-test-issuer",
+ "cert-manager.io/issuer-kind": "GoogleCASIssuer",
+ "cert-manager.io/issuer-group": "my-group.hello.world",
+ "cert-manager.io/common-name": "",
+ "cert-manager.io/alt-names": "example.com,cert-manager.io",
+ "cert-manager.io/ip-sans": "",
+ "cert-manager.io/uri-sans": "",
+ "cert-manager.io/email-sans": "",
+ "cert-manager.io/subject-organizations": "",
+ "cert-manager.io/subject-organizationalunits": "",
+ "cert-manager.io/subject-countries": "",
+ "cert-manager.io/subject-provinces": "",
+ "cert-manager.io/subject-localities": "",
+ "cert-manager.io/subject-streetaddresses": "",
+ "cert-manager.io/subject-postalcodes": "",
+ "cert-manager.io/subject-serialnumber": "",
},
},
"if no certificate data, then expect no X.509 related annotations": {
@@ -156,8 +210,9 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
for name, test := range tests {
t.Run(name, func(t *testing.T) {
- gotAnnotations := AnnotationsForCertificateSecret(test.crt, test.certificate)
+ gotAnnotations, err := AnnotationsForCertificateSecret(test.crt, test.certificate)
assert.Equal(t, test.expAnnotations, gotAnnotations)
+ assert.Equal(t, nil, err)
})
}
}
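Review bot: `assert.Equal(t, nil, err)` compares an `error` interface against untyped nil and prints an unhelpful diff on failure; `assert.NoError(t, err)` is the testify idiom and reports the error text. Every new expectation is for the nil-error path, so the error return added to `AnnotationsForCertificateSecret` is not exercised by this table. Test_AnnotationsForCertificateSecret starts outside this hunk.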
diff --git a/pkg/apis/certmanager/v1/types.go b/pkg/apis/certmanager/v1/types.go
index a3fa3ae35e2..f4a8b166192 100644
--- a/pkg/apis/certmanager/v1/types.go
+++ b/pkg/apis/certmanager/v1/types.go
@@ -36,6 +36,33 @@ const (
// Annotation key for certificate renewBefore.
RenewBeforeAnnotationKey = "cert-manager.io/renew-before"
+ // Annotation key for emails subjectAltNames.
+ EmailsAnnotationKey = "cert-manager.io/email-sans"
+
+ // Annotation key for subject organization.
+ SubjectOrganizationsAnnotationKey = "cert-manager.io/subject-organizations"
+
+ // Annotation key for subject organizational units.
+ SubjectOrganizationalUnitsAnnotationKey = "cert-manager.io/subject-organizationalunits"
+
+ // Annotation key for subject organizational units.
+ SubjectCountriesAnnotationKey = "cert-manager.io/subject-countries"
+
+ // Annotation key for subject provinces.
+ SubjectProvincesAnnotationKey = "cert-manager.io/subject-provinces"
+
+ // Annotation key for subject localities.
+ SubjectLocalitiesAnnotationKey = "cert-manager.io/subject-localities"
+
+ // Annotation key for subject provinces.
+ SubjectStreetAddressesAnnotationKey = "cert-manager.io/subject-streetaddresses"
+
+ // Annotation key for subject postal codes.
+ SubjectPostalCodesAnnotationKey = "cert-manager.io/subject-postalcodes"
+
+ // Annotation key for subject serial number.
+ SubjectSerialNumberAnnotationKey = "cert-manager.io/subject-serialnumber"
+
// Annotation key for certificate key usages.
UsagesAnnotationKey = "cert-manager.io/usages"
diff --git a/pkg/controller/certificate-shim/helper.go b/pkg/controller/certificate-shim/helper.go
index 86fd265932e..797938e9966 100644
--- a/pkg/controller/certificate-shim/helper.go
+++ b/pkg/controller/certificate-shim/helper.go
@@ -75,35 +75,66 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
subject := &cmapi.X509Subject{}
if organizations, found := ingLikeAnnotations[cmapi.SubjectOrganizationsAnnotationKey]; found {
- subject.Organizations = strings.Split(organizations, ",")
+ organizations, err := splitWithEscapeCSV(organizations)
+ subject.Organizations = organizations
+
+ if err != nil {
+ return fmt.Errorf("%w %q: %v", errInvalidIngressAnnotation, cmapi.SubjectOrganizationsAnnotationKey, err)
+ }
}
if organizationalUnits, found := ingLikeAnnotations[cmapi.SubjectOrganizationalUnitsAnnotationKey]; found {
- subject.OrganizationalUnits = strings.Split(organizationalUnits, ",")
+ organizationalUnits, err := splitWithEscapeCSV(organizationalUnits)
+ subject.OrganizationalUnits = organizationalUnits
+
+ if err != nil {
+ return fmt.Errorf("%w %q: %v", errInvalidIngressAnnotation, cmapi.SubjectOrganizationsAnnotationKey, err)
+ }
}
if countries, found := ingLikeAnnotations[cmapi.SubjectCountriesAnnotationKey]; found {
- subject.Countries = strings.Split(countries, ",")
+ countries, err := splitWithEscapeCSV(countries)
+ subject.Countries = countries
+
+ if err != nil {
+ return fmt.Errorf("%w %q: %v", errInvalidIngressAnnotation, cmapi.SubjectCountriesAnnotationKey, err)
+ }
}
if provinces, found := ingLikeAnnotations[cmapi.SubjectProvincesAnnotationKey]; found {
- subject.Provinces = strings.Split(provinces, ",")
+ provinces, err := splitWithEscapeCSV(provinces)
+ subject.Provinces = provinces
+
+ if err != nil {
+ return fmt.Errorf("%w %q: %v", errInvalidIngressAnnotation, cmapi.SubjectProvincesAnnotationKey, err)
+ }
}
if localities, found := ingLikeAnnotations[cmapi.SubjectLocalitiesAnnotationKey]; found {
- subject.Localities = strings.Split(localities, ",")
+ localities, err := splitWithEscapeCSV(localities)
+ subject.Localities = localities
+
+ if err != nil {
+ return fmt.Errorf("%w %q: %v", errInvalidIngressAnnotation, cmapi.SubjectLocalitiesAnnotationKey, err)
+ }
}
if postalCodes, found := ingLikeAnnotations[cmapi.SubjectPostalCodesAnnotationKey]; found {
- subject.PostalCodes = strings.Split(postalCodes, ",")
+ postalCodes, err := splitWithEscapeCSV(postalCodes)
+ subject.PostalCodes = postalCodes
+
+ if err != nil {
+ return fmt.Errorf("%w %q: %v", errInvalidIngressAnnotation, cmapi.SubjectPostalCodesAnnotationKey, err)
+ }
}
if streetAddresses, found := ingLikeAnnotations[cmapi.SubjectStreetAddressesAnnotationKey]; found {
- addresses, err := splitWithEscapeCSV(streetAddresses)
+ streetAddresses, err := splitWithEscapeCSV(streetAddresses)
+ subject.StreetAddresses = streetAddresses
+
if err != nil {
return fmt.Errorf("%w %q: %v", errInvalidIngressAnnotation, cmapi.SubjectStreetAddressesAnnotationKey, err)
}
- subject.StreetAddresses = addresses
}
if serialNumber, found := ingLikeAnnotations[cmapi.SubjectSerialNumberAnnotationKey]; found {
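Review bot: The OrganizationalUnits branch reports the wrong key on failure — its `fmt.Errorf` names `cmapi.SubjectOrganizationsAnnotationKey` instead of `cmapi.SubjectOrganizationalUnitsAnnotationKey`, so a bad `subject-organizationalunits` value is attributed to `subject-organizations` in the error the user sees. Every branch also assigns into `subject` before checking `err`, which is harmless only because the error return follows immediately. Both are symptoms of seven copy-pasted blocks; a small table driving one loop removes the duplication and the room for a wrong key, as below. translateAnnotations starts and ends outside this hunk.
```go
subject := &cmapi.X509Subject{}
// Each annotation is a single CSV line; one loop keeps key and destination paired.
for _, f := range []struct {
	key  string
	dest *[]string
}{
	{cmapi.SubjectOrganizationsAnnotationKey, &subject.Organizations},
	{cmapi.SubjectOrganizationalUnitsAnnotationKey, &subject.OrganizationalUnits},
	{cmapi.SubjectCountriesAnnotationKey, &subject.Countries},
	{cmapi.SubjectProvincesAnnotationKey, &subject.Provinces},
	{cmapi.SubjectLocalitiesAnnotationKey, &subject.Localities},
	{cmapi.SubjectPostalCodesAnnotationKey, &subject.PostalCodes},
	{cmapi.SubjectStreetAddressesAnnotationKey, &subject.StreetAddresses},
} {
	raw, found := ingLikeAnnotations[f.key]
	if !found {
		continue
	}
	values, err := splitWithEscapeCSV(raw)
	if err != nil {
		return fmt.Errorf("%w %q: %v", errInvalidIngressAnnotation, f.key, err)
	}
	*f.dest = values
}
// … unchanged: serial number and empty-subject check …
```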
diff --git a/pkg/controller/certificate-shim/helper_test.go b/pkg/controller/certificate-shim/helper_test.go
index 424217cdbfc..ee8cba1de07 100644
--- a/pkg/controller/certificate-shim/helper_test.go
+++ b/pkg/controller/certificate-shim/helper_test.go
@@ -17,7 +17,11 @@ limitations under the License.
package shimhelper
import (
+ "bytes"
+ "encoding/csv"
"errors"
+ "fmt"
+ "strings"
"testing"
"time"
@@ -51,7 +55,7 @@ func Test_translateAnnotations(t *testing.T) {
cmapi.SubjectCountriesAnnotationKey: "Country",
cmapi.SubjectProvincesAnnotationKey: "Province",
cmapi.SubjectLocalitiesAnnotationKey: "City",
- cmapi.SubjectStreetAddressesAnnotationKey: "\"1725 Slough Avenue, Suite 200, Scranton Business Park\"",
+ cmapi.SubjectStreetAddressesAnnotationKey: "\"1725 Slough Avenue, Suite 200, Scranton Business Park\",\"1800 Slough Avenue, Suite 200, Scranton Business Park\"",
cmapi.SubjectPostalCodesAnnotationKey: "ABC123",
cmapi.SubjectSerialNumberAnnotationKey: "123456",
cmapi.DurationAnnotationKey: "168h", // 1 week
@@ -70,6 +74,15 @@ func Test_translateAnnotations(t *testing.T) {
a.Equal(&metav1.Duration{Duration: time.Hour * 24}, crt.Spec.RenewBefore)
a.Equal([]cmapi.KeyUsage{cmapi.UsageServerAuth, cmapi.UsageSigning}, crt.Spec.Usages)
a.Equal(pointer.Int32(7), crt.Spec.RevisionHistoryLimit)
+ a.Equal("123456", crt.Spec.Subject.SerialNumber)
+
+ splitAddresses, splitErr := splitWithEscapeCSV("\"1725 Slough Avenue, Suite 200, Scranton Business Park\",\"1800 Slough Avenue, Suite 200, Scranton Business Park\"")
+ a.Equal(nil, splitErr)
+ a.Equal(splitAddresses, crt.Spec.Subject.StreetAddresses)
+
+ joinedAddresses, joinErr := joinWithEscapeCSV(crt.Spec.Subject.StreetAddresses)
+ a.Equal(nil, joinErr)
+ a.Equal("\"1725 Slough Avenue, Suite 200, Scranton Business Park\",\"1800 Slough Avenue, Suite 200, Scranton Business Park\"", joinedAddresses)
},
},
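Review bot: The new street-address assertion is circular: `splitAddresses` is computed by the same `splitWithEscapeCSV` that translateAnnotations used, so `a.Equal(splitAddresses, crt.Spec.Subject.StreetAddresses)` passes for any parse result, including a wrong one; pin the value instead, `a.Equal([]string{"1725 Slough Avenue, Suite 200, Scranton Business Park", "1800 Slough Avenue, Suite 200, Scranton Business Park"}, crt.Spec.Subject.StreetAddresses)`, which is what the assertion removed further down did for the single-address case. `a.Equal(nil, splitErr)` and `a.Equal(nil, joinErr)` are better written `a.NoError(splitErr)` and `a.NoError(joinErr)`. Test_translateAnnotations starts and ends outside this hunk.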
"success rsa private key algorithm": {
@@ -137,7 +150,6 @@ func Test_translateAnnotations(t *testing.T) {
a.Equal(cmapi.Ed25519KeyAlgorithm, crt.Spec.PrivateKey.Algorithm)
a.Equal(cmapi.PKCS8, crt.Spec.PrivateKey.Encoding)
a.Equal(cmapi.RotationPolicyAlways, crt.Spec.PrivateKey.RotationPolicy)
- a.Equal([]string{"1725 Slough Avenue, Suite 200, Scranton Business Park"}, crt.Spec.Subject.StreetAddresses)
},
},
"nil annotations": {
@@ -296,3 +308,21 @@ func assertErrorIs(t *testing.T, err, target error) {
assert.Truef(t, errors.Is(err, target), "unexpected error type. err: %v, target: %v", err, target)
}
}
+
+// joinWithEscapeCSV returns the given list as a single line of CSV that
+// is escaped with quotes if necessary
+func joinWithEscapeCSV(in []string) (string, error) {
+ b := new(bytes.Buffer)
+ writer := csv.NewWriter(b)
+ writer.Write(in)
+ writer.Flush()
+
+ if err := writer.Error(); err != nil {
+ return "", fmt.Errorf("failed to write %q as CSV: %w", in, err)
+ }
+
+ s := b.String()
+ // CSV writer adds a trailing new line, we need to clean it up
+ s = strings.TrimSuffix(s, "\n")
+ return s, nil
+}
diff --git a/pkg/controller/certificates/issuing/internal/secret.go b/pkg/controller/certificates/issuing/internal/secret.go
index c145dcb072d..7c29162b161 100644
--- a/pkg/controller/certificates/issuing/internal/secret.go
+++ b/pkg/controller/certificates/issuing/internal/secret.go
@@ -160,7 +160,12 @@ func (s *SecretsManager) setValues(crt *cmapi.Certificate, secret *corev1.Secret
}
}
- secret.Annotations = certificates.AnnotationsForCertificateSecret(crt, certificate)
+ var err error
+ secret.Annotations, err = certificates.AnnotationsForCertificateSecret(crt, certificate)
+ if err != nil {
+ return err
+ }
+
if secret.Labels == nil {
secret.Labels = make(map[string]string)
}
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 2afe88e766d..95d9039dfd9 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -110,6 +110,13 @@ func URLsToString(uris []*url.URL) []string {
return uriStrs
}
+func SerialNumberToString(sn *big.Int) string {
+ if sn == nil {
+ return ""
+ }
+ return sn.String()
+}
+
func removeDuplicates(in []string) []string {
var found []string
Outer:
From d9a95b7afae51fd2eaa94f982a7a2d151a01b75c Mon Sep 17 00:00:00 2001
From: ctrought <65360454+ctrought@users.noreply.github.com>
Date: Tue, 31 May 2022 01:06:21 -0400
Subject: [PATCH 0005/1253] remove empty subject annotations
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
---
internal/controller/certificates/secrets.go | 67 +++++-------
.../controller/certificates/secrets_test.go | 100 ++++++------------
2 files changed, 61 insertions(+), 106 deletions(-)
diff --git a/internal/controller/certificates/secrets.go b/internal/controller/certificates/secrets.go
index 45021c90b4a..cbec678e309 100644
--- a/internal/controller/certificates/secrets.go
+++ b/internal/controller/certificates/secrets.go
@@ -19,13 +19,12 @@ package certificates
import (
"bytes"
"crypto/x509"
- "encoding/csv"
"encoding/pem"
- "fmt"
"strings"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+ cmutil "github.com/cert-manager/cert-manager/pkg/util"
utilpki "github.com/cert-manager/cert-manager/pkg/util/pki"
)
@@ -37,50 +36,60 @@ import (
func AnnotationsForCertificateSecret(crt *cmapi.Certificate, certificate *x509.Certificate) (map[string]string, error) {
annotations := make(map[string]string)
- annotations[cmapi.CertificateNameKey] = crt.Name
- annotations[cmapi.IssuerNameAnnotationKey] = crt.Spec.IssuerRef.Name
- annotations[cmapi.IssuerKindAnnotationKey] = apiutil.IssuerKind(crt.Spec.IssuerRef)
- annotations[cmapi.IssuerGroupAnnotationKey] = crt.Spec.IssuerRef.Group
-
// Only add certificate data if certificate is non-nil.
if certificate != nil {
var err error
- annotations[cmapi.CommonNameAnnotationKey] = certificate.Subject.CommonName
- annotations[cmapi.AltNamesAnnotationKey] = strings.Join(certificate.DNSNames, ",")
- annotations[cmapi.IPSANAnnotationKey] = strings.Join(utilpki.IPAddressesToString(certificate.IPAddresses), ",")
- annotations[cmapi.URISANAnnotationKey] = strings.Join(utilpki.URLsToString(certificate.URIs), ",")
- annotations[cmapi.EmailsAnnotationKey] = strings.Join(certificate.EmailAddresses, ",")
- annotations[cmapi.SubjectSerialNumberAnnotationKey] = utilpki.SerialNumberToString(certificate.SerialNumber)
var errList []error
- annotations[cmapi.SubjectOrganizationsAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.Organization)
+ annotations[cmapi.SubjectOrganizationsAnnotationKey], err = cmutil.JoinWithEscapeCSV(certificate.Subject.Organization)
errList = append(errList, err)
- annotations[cmapi.SubjectOrganizationalUnitsAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.OrganizationalUnit)
+ annotations[cmapi.SubjectOrganizationalUnitsAnnotationKey], err = cmutil.JoinWithEscapeCSV(certificate.Subject.OrganizationalUnit)
errList = append(errList, err)
- annotations[cmapi.SubjectCountriesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.Country)
+ annotations[cmapi.SubjectCountriesAnnotationKey], err = cmutil.JoinWithEscapeCSV(certificate.Subject.Country)
errList = append(errList, err)
- annotations[cmapi.SubjectProvincesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.Province)
+ annotations[cmapi.SubjectProvincesAnnotationKey], err = cmutil.JoinWithEscapeCSV(certificate.Subject.Province)
errList = append(errList, err)
- annotations[cmapi.SubjectLocalitiesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.Locality)
+ annotations[cmapi.SubjectLocalitiesAnnotationKey], err = cmutil.JoinWithEscapeCSV(certificate.Subject.Locality)
errList = append(errList, err)
- annotations[cmapi.SubjectPostalCodesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.PostalCode)
+ annotations[cmapi.SubjectPostalCodesAnnotationKey], err = cmutil.JoinWithEscapeCSV(certificate.Subject.PostalCode)
errList = append(errList, err)
- annotations[cmapi.SubjectStreetAddressesAnnotationKey], err = joinWithEscapeCSV(certificate.Subject.StreetAddress)
+ annotations[cmapi.SubjectStreetAddressesAnnotationKey], err = cmutil.JoinWithEscapeCSV(certificate.Subject.StreetAddress)
errList = append(errList, err)
+
+ annotations[cmapi.SubjectSerialNumberAnnotationKey] = certificate.Subject.SerialNumber
+ annotations[cmapi.EmailsAnnotationKey] = strings.Join(certificate.EmailAddresses, ",")
+
// return first error
for _, v := range errList {
if v != nil {
return nil, err
}
}
+
+ // remove empty subject annotations
+ for k, v := range annotations {
+ if v == "" {
+ delete(annotations, k)
+ }
+ }
+
+ annotations[cmapi.CommonNameAnnotationKey] = certificate.Subject.CommonName
+ annotations[cmapi.AltNamesAnnotationKey] = strings.Join(certificate.DNSNames, ",")
+ annotations[cmapi.IPSANAnnotationKey] = strings.Join(utilpki.IPAddressesToString(certificate.IPAddresses), ",")
+ annotations[cmapi.URISANAnnotationKey] = strings.Join(utilpki.URLsToString(certificate.URIs), ",")
}
+ annotations[cmapi.CertificateNameKey] = crt.Name
+ annotations[cmapi.IssuerNameAnnotationKey] = crt.Spec.IssuerRef.Name
+ annotations[cmapi.IssuerKindAnnotationKey] = apiutil.IssuerKind(crt.Spec.IssuerRef)
+ annotations[cmapi.IssuerGroupAnnotationKey] = crt.Spec.IssuerRef.Group
+
return annotations, nil
}
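Review bot: The "return first error" loop returns `err` — the variable holding the result of the last `cmutil.JoinWithEscapeCSV` call — rather than the loop value `v`, so if an earlier join fails and the last one succeeds the function returns `nil, nil`; the caller seen in secret.go would then assign nil annotations without any error being reported. The line should be `return nil, v`. The new deletion loop also drops an empty `email-sans`, which is not a subject attribute, so either set that key after the loop alongside the other SAN keys or make the comment precise: `// drop subject and email annotations that would otherwise be empty`.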
@@ -97,21 +106,3 @@ func OutputFormatDER(privateKey []byte) []byte {
func OutputFormatCombinedPEM(privateKey, certificate []byte) []byte {
return bytes.Join([][]byte{privateKey, certificate}, []byte("\n"))
}
-
-// joinWithEscapeCSV returns the given list as a single line of CSV that
-// is escaped with quotes if necessary
-func joinWithEscapeCSV(in []string) (string, error) {
- b := new(bytes.Buffer)
- writer := csv.NewWriter(b)
- writer.Write(in)
- writer.Flush()
-
- if err := writer.Error(); err != nil {
- return "", fmt.Errorf("failed to write %q as CSV: %w", in, err)
- }
-
- s := b.String()
- // CSV writer adds a trailing new line, we need to clean it up
- s = strings.TrimSuffix(s, "\n")
- return s, nil
-}
diff --git a/internal/controller/certificates/secrets_test.go b/internal/controller/certificates/secrets_test.go
index 183dc923f1b..98940637602 100644
--- a/internal/controller/certificates/secrets_test.go
+++ b/internal/controller/certificates/secrets_test.go
@@ -94,23 +94,14 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
},
},
expAnnotations: map[string]string{
- "cert-manager.io/certificate-name": "test-certificate",
- "cert-manager.io/issuer-name": "another-test-issuer",
- "cert-manager.io/issuer-kind": "GoogleCASIssuer",
- "cert-manager.io/issuer-group": "my-group.hello.world",
- "cert-manager.io/common-name": "cert-manager",
- "cert-manager.io/alt-names": "",
- "cert-manager.io/ip-sans": "",
- "cert-manager.io/uri-sans": "",
- "cert-manager.io/email-sans": "",
- "cert-manager.io/subject-organizations": "",
- "cert-manager.io/subject-organizationalunits": "",
- "cert-manager.io/subject-countries": "",
- "cert-manager.io/subject-provinces": "",
- "cert-manager.io/subject-localities": "",
- "cert-manager.io/subject-streetaddresses": "",
- "cert-manager.io/subject-postalcodes": "",
- "cert-manager.io/subject-serialnumber": "",
+ "cert-manager.io/certificate-name": "test-certificate",
+ "cert-manager.io/issuer-name": "another-test-issuer",
+ "cert-manager.io/issuer-kind": "GoogleCASIssuer",
+ "cert-manager.io/issuer-group": "my-group.hello.world",
+ "cert-manager.io/common-name": "cert-manager",
+ "cert-manager.io/alt-names": "",
+ "cert-manager.io/ip-sans": "",
+ "cert-manager.io/uri-sans": "",
},
},
"if pass non-nil certificate with only IP Addresses, expect all Annotations to be present": {
@@ -121,23 +112,14 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
IPAddresses: []net.IP{{1, 1, 1, 1}, {1, 2, 3, 4}},
},
expAnnotations: map[string]string{
- "cert-manager.io/certificate-name": "test-certificate",
- "cert-manager.io/issuer-name": "another-test-issuer",
- "cert-manager.io/issuer-kind": "GoogleCASIssuer",
- "cert-manager.io/issuer-group": "my-group.hello.world",
- "cert-manager.io/common-name": "",
- "cert-manager.io/alt-names": "",
- "cert-manager.io/ip-sans": "1.1.1.1,1.2.3.4",
- "cert-manager.io/uri-sans": "",
- "cert-manager.io/email-sans": "",
- "cert-manager.io/subject-organizations": "",
- "cert-manager.io/subject-organizationalunits": "",
- "cert-manager.io/subject-countries": "",
- "cert-manager.io/subject-provinces": "",
- "cert-manager.io/subject-localities": "",
- "cert-manager.io/subject-streetaddresses": "",
- "cert-manager.io/subject-postalcodes": "",
- "cert-manager.io/subject-serialnumber": "",
+ "cert-manager.io/certificate-name": "test-certificate",
+ "cert-manager.io/issuer-name": "another-test-issuer",
+ "cert-manager.io/issuer-kind": "GoogleCASIssuer",
+ "cert-manager.io/issuer-group": "my-group.hello.world",
+ "cert-manager.io/common-name": "",
+ "cert-manager.io/alt-names": "",
+ "cert-manager.io/ip-sans": "1.1.1.1,1.2.3.4",
+ "cert-manager.io/uri-sans": "",
},
},
"if pass non-nil certificate with only URI SANs, expect all Annotations to be present": {
@@ -148,23 +130,14 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
URIs: urls,
},
expAnnotations: map[string]string{
- "cert-manager.io/certificate-name": "test-certificate",
- "cert-manager.io/issuer-name": "another-test-issuer",
- "cert-manager.io/issuer-kind": "GoogleCASIssuer",
- "cert-manager.io/issuer-group": "my-group.hello.world",
- "cert-manager.io/common-name": "",
- "cert-manager.io/alt-names": "",
- "cert-manager.io/ip-sans": "",
- "cert-manager.io/uri-sans": "spiffe.io//cert-manager.io/test,spiffe.io//hello.world",
- "cert-manager.io/email-sans": "",
- "cert-manager.io/subject-organizations": "",
- "cert-manager.io/subject-organizationalunits": "",
- "cert-manager.io/subject-countries": "",
- "cert-manager.io/subject-provinces": "",
- "cert-manager.io/subject-localities": "",
- "cert-manager.io/subject-streetaddresses": "",
- "cert-manager.io/subject-postalcodes": "",
- "cert-manager.io/subject-serialnumber": "",
+ "cert-manager.io/certificate-name": "test-certificate",
+ "cert-manager.io/issuer-name": "another-test-issuer",
+ "cert-manager.io/issuer-kind": "GoogleCASIssuer",
+ "cert-manager.io/issuer-group": "my-group.hello.world",
+ "cert-manager.io/common-name": "",
+ "cert-manager.io/alt-names": "",
+ "cert-manager.io/ip-sans": "",
+ "cert-manager.io/uri-sans": "spiffe.io//cert-manager.io/test,spiffe.io//hello.world",
},
},
"if pass non-nil certificate with only DNS names, expect all Annotations to be present": {
@@ -175,23 +148,14 @@ func Test_AnnotationsForCertificateSecret(t *testing.T) {
DNSNames: []string{"example.com", "cert-manager.io"},
},
expAnnotations: map[string]string{
- "cert-manager.io/certificate-name": "test-certificate",
- "cert-manager.io/issuer-name": "another-test-issuer",
- "cert-manager.io/issuer-kind": "GoogleCASIssuer",
- "cert-manager.io/issuer-group": "my-group.hello.world",
- "cert-manager.io/common-name": "",
- "cert-manager.io/alt-names": "example.com,cert-manager.io",
- "cert-manager.io/ip-sans": "",
- "cert-manager.io/uri-sans": "",
- "cert-manager.io/email-sans": "",
- "cert-manager.io/subject-organizations": "",
- "cert-manager.io/subject-organizationalunits": "",
- "cert-manager.io/subject-countries": "",
- "cert-manager.io/subject-provinces": "",
- "cert-manager.io/subject-localities": "",
- "cert-manager.io/subject-streetaddresses": "",
- "cert-manager.io/subject-postalcodes": "",
- "cert-manager.io/subject-serialnumber": "",
+ "cert-manager.io/certificate-name": "test-certificate",
+ "cert-manager.io/issuer-name": "another-test-issuer",
+ "cert-manager.io/issuer-kind": "GoogleCASIssuer",
+ "cert-manager.io/issuer-group": "my-group.hello.world",
+ "cert-manager.io/common-name": "",
+ "cert-manager.io/alt-names": "example.com,cert-manager.io",
+ "cert-manager.io/ip-sans": "",
+ "cert-manager.io/uri-sans": "",
},
},
"if no certificate data, then expect no X.509 related annotations": {
From 4413e837e9fa1523f9bb41597cc722949db86bb6 Mon Sep 17 00:00:00 2001
From: ctrought <65360454+ctrought@users.noreply.github.com>
Date: Tue, 31 May 2022 01:06:59 -0400
Subject: [PATCH 0006/1253] escape subject util cleanup
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
---
pkg/controller/certificate-shim/helper.go | 39 ++++------------
.../certificate-shim/helper_test.go | 31 +++----------
pkg/controller/certificate-shim/sync_test.go | 2 +-
pkg/util/pki/csr.go | 7 ---
pkg/util/util.go | 45 +++++++++++++++++++
5 files changed, 59 insertions(+), 65 deletions(-)
diff --git a/pkg/controller/certificate-shim/helper.go b/pkg/controller/certificate-shim/helper.go
index 797938e9966..b3de73cb7c9 100644
--- a/pkg/controller/certificate-shim/helper.go
+++ b/pkg/controller/certificate-shim/helper.go
@@ -17,7 +17,6 @@ limitations under the License.
package shimhelper
import (
- "encoding/csv"
"errors"
"fmt"
"strconv"
@@ -30,6 +29,7 @@ import (
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+ "github.com/cert-manager/cert-manager/pkg/util"
)
var (
@@ -75,7 +75,7 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
subject := &cmapi.X509Subject{}
if organizations, found := ingLikeAnnotations[cmapi.SubjectOrganizationsAnnotationKey]; found {
- organizations, err := splitWithEscapeCSV(organizations)
+ organizations, err := util.SplitWithEscapeCSV(organizations)
subject.Organizations = organizations
if err != nil {
@@ -84,7 +84,7 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
}
if organizationalUnits, found := ingLikeAnnotations[cmapi.SubjectOrganizationalUnitsAnnotationKey]; found {
- organizationalUnits, err := splitWithEscapeCSV(organizationalUnits)
+ organizationalUnits, err := util.SplitWithEscapeCSV(organizationalUnits)
subject.OrganizationalUnits = organizationalUnits
if err != nil {
@@ -93,7 +93,7 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
}
if countries, found := ingLikeAnnotations[cmapi.SubjectCountriesAnnotationKey]; found {
- countries, err := splitWithEscapeCSV(countries)
+ countries, err := util.SplitWithEscapeCSV(countries)
subject.Countries = countries
if err != nil {
@@ -102,7 +102,7 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
}
if provinces, found := ingLikeAnnotations[cmapi.SubjectProvincesAnnotationKey]; found {
- provinces, err := splitWithEscapeCSV(provinces)
+ provinces, err := util.SplitWithEscapeCSV(provinces)
subject.Provinces = provinces
if err != nil {
@@ -111,7 +111,7 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
}
if localities, found := ingLikeAnnotations[cmapi.SubjectLocalitiesAnnotationKey]; found {
- localities, err := splitWithEscapeCSV(localities)
+ localities, err := util.SplitWithEscapeCSV(localities)
subject.Localities = localities
if err != nil {
@@ -120,7 +120,7 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
}
if postalCodes, found := ingLikeAnnotations[cmapi.SubjectPostalCodesAnnotationKey]; found {
- postalCodes, err := splitWithEscapeCSV(postalCodes)
+ postalCodes, err := util.SplitWithEscapeCSV(postalCodes)
subject.PostalCodes = postalCodes
if err != nil {
@@ -129,7 +129,7 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
}
if streetAddresses, found := ingLikeAnnotations[cmapi.SubjectStreetAddressesAnnotationKey]; found {
- streetAddresses, err := splitWithEscapeCSV(streetAddresses)
+ streetAddresses, err := util.SplitWithEscapeCSV(streetAddresses)
subject.StreetAddresses = streetAddresses
if err != nil {
@@ -270,26 +270,3 @@ func translateAnnotations(crt *cmapi.Certificate, ingLikeAnnotations map[string]
return nil
}
-
-// splitWithEscapeCSV parses the given input as a single line of CSV, which allows
-// a comma-separated list of strings to be parsed while allowing commas to be present
-// in each field. For example, a user can specify:
-// "10 Downing Street, Westminster",Manchester
-// to produce []string{"10 Downing Street, Westminster", "Manchester"}, keeping the comma
-// in the first address. Empty lines or multiple CSV records are both rejected.
-func splitWithEscapeCSV(in string) ([]string, error) {
- reader := csv.NewReader(strings.NewReader(in))
-
- records, err := reader.ReadAll()
- if err != nil {
- return nil, fmt.Errorf("failed to parse %q as CSV: %w", in, err)
- }
-
- if len(records) == 0 {
- return nil, fmt.Errorf("no values found after parsing %q", in)
- } else if len(records) > 1 {
- return nil, fmt.Errorf("refusing to use %q as input as it parses as multiple lines of CSV", in)
- }
-
- return records[0], nil
-}
diff --git a/pkg/controller/certificate-shim/helper_test.go b/pkg/controller/certificate-shim/helper_test.go
index ee8cba1de07..c2e74819a64 100644
--- a/pkg/controller/certificate-shim/helper_test.go
+++ b/pkg/controller/certificate-shim/helper_test.go
@@ -17,11 +17,7 @@ limitations under the License.
package shimhelper
import (
- "bytes"
- "encoding/csv"
"errors"
- "fmt"
- "strings"
"testing"
"time"
@@ -30,6 +26,7 @@ import (
"k8s.io/utils/pointer"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+ cmutil "github.com/cert-manager/cert-manager/pkg/util"
"github.com/cert-manager/cert-manager/test/unit/gen"
)
@@ -55,7 +52,7 @@ func Test_translateAnnotations(t *testing.T) {
cmapi.SubjectCountriesAnnotationKey: "Country",
cmapi.SubjectProvincesAnnotationKey: "Province",
cmapi.SubjectLocalitiesAnnotationKey: "City",
- cmapi.SubjectStreetAddressesAnnotationKey: "\"1725 Slough Avenue, Suite 200, Scranton Business Park\",\"1800 Slough Avenue, Suite 200, Scranton Business Park\"",
+ cmapi.SubjectStreetAddressesAnnotationKey: `"1725 Slough Avenue, Suite 200, Scranton Business Park","1800 Slough Avenue, Suite 200, Scranton Business Park"`,
cmapi.SubjectPostalCodesAnnotationKey: "ABC123",
cmapi.SubjectSerialNumberAnnotationKey: "123456",
cmapi.DurationAnnotationKey: "168h", // 1 week
@@ -76,13 +73,13 @@ func Test_translateAnnotations(t *testing.T) {
a.Equal(pointer.Int32(7), crt.Spec.RevisionHistoryLimit)
a.Equal("123456", crt.Spec.Subject.SerialNumber)
- splitAddresses, splitErr := splitWithEscapeCSV("\"1725 Slough Avenue, Suite 200, Scranton Business Park\",\"1800 Slough Avenue, Suite 200, Scranton Business Park\"")
+ splitAddresses, splitErr := cmutil.SplitWithEscapeCSV(`"1725 Slough Avenue, Suite 200, Scranton Business Park","1800 Slough Avenue, Suite 200, Scranton Business Park"`)
a.Equal(nil, splitErr)
a.Equal(splitAddresses, crt.Spec.Subject.StreetAddresses)
- joinedAddresses, joinErr := joinWithEscapeCSV(crt.Spec.Subject.StreetAddresses)
+ joinedAddresses, joinErr := cmutil.JoinWithEscapeCSV(crt.Spec.Subject.StreetAddresses)
a.Equal(nil, joinErr)
- a.Equal("\"1725 Slough Avenue, Suite 200, Scranton Business Park\",\"1800 Slough Avenue, Suite 200, Scranton Business Park\"", joinedAddresses)
+ a.Equal(`"1725 Slough Avenue, Suite 200, Scranton Business Park","1800 Slough Avenue, Suite 200, Scranton Business Park"`, joinedAddresses)
},
},
"success rsa private key algorithm": {
@@ -308,21 +305,3 @@ func assertErrorIs(t *testing.T, err, target error) {
assert.Truef(t, errors.Is(err, target), "unexpected error type. err: %v, target: %v", err, target)
}
}
-
-// joinWithEscapeCSV returns the given list as a single line of CSV that
-// is escaped with quotes if necessary
-func joinWithEscapeCSV(in []string) (string, error) {
- b := new(bytes.Buffer)
- writer := csv.NewWriter(b)
- writer.Write(in)
- writer.Flush()
-
- if err := writer.Error(); err != nil {
- return "", fmt.Errorf("failed to write %q as CSV: %w", in, err)
- }
-
- s := b.String()
- // CSV writer adds a trailing new line, we need to clean it up
- s = strings.TrimSuffix(s, "\n")
- return s, nil
-}
diff --git a/pkg/controller/certificate-shim/sync_test.go b/pkg/controller/certificate-shim/sync_test.go
index a6f1f070070..715f629098e 100644
--- a/pkg/controller/certificate-shim/sync_test.go
+++ b/pkg/controller/certificate-shim/sync_test.go
@@ -1473,7 +1473,7 @@ func TestSync(t *testing.T) {
Annotations: map[string]string{
cmapi.IngressClusterIssuerNameAnnotationKey: "issuer-name",
cmapi.CommonNameAnnotationKey: "my-cn",
- "cert-manager.io/subject-streetaddresses": "\"1725 Slough Avenue, Suite 200, Scranton Business Park\"",
+ cmapi.SubjectStreetAddressesAnnotationKey: `"1725 Slough Avenue, Suite 200, Scranton Business Park"`,
},
UID: types.UID("ingress-name"),
},
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 95d9039dfd9..2afe88e766d 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -110,13 +110,6 @@ func URLsToString(uris []*url.URL) []string {
return uriStrs
}
-func SerialNumberToString(sn *big.Int) string {
- if sn == nil {
- return ""
- }
- return sn.String()
-}
-
func removeDuplicates(in []string) []string {
var found []string
Outer:
diff --git a/pkg/util/util.go b/pkg/util/util.go
index 40bd5c54b28..94b9b56f34c 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -17,10 +17,14 @@ limitations under the License.
package util
import (
+ "bytes"
+ "encoding/csv"
+ "fmt"
"math/rand"
"net"
"net/url"
"sort"
+ "strings"
"time"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
@@ -182,3 +186,44 @@ func Subset(set, subset []string) bool {
return true
}
+
+// JoinWithEscapeCSV returns the given list as a single line of CSV that
+// is escaped with quotes if necessary
+func JoinWithEscapeCSV(in []string) (string, error) {
+ b := new(bytes.Buffer)
+ writer := csv.NewWriter(b)
+ writer.Write(in)
+ writer.Flush()
+
+ if err := writer.Error(); err != nil {
+ return "", fmt.Errorf("failed to write %q as CSV: %w", in, err)
+ }
+
+ s := b.String()
+ // CSV writer adds a trailing new line, we need to clean it up
+ s = strings.TrimSuffix(s, "\n")
+ return s, nil
+}
+
+// SplitWithEscapeCSV parses the given input as a single line of CSV, which allows
+// a comma-separated list of strings to be parsed while allowing commas to be present
+// in each field. For example, a user can specify:
+// "10 Downing Street, Westminster",Manchester
+// to produce []string{"10 Downing Street, Westminster", "Manchester"}, keeping the comma
+// in the first address. Empty lines or multiple CSV records are both rejected.
+func SplitWithEscapeCSV(in string) ([]string, error) {
+ reader := csv.NewReader(strings.NewReader(in))
+
+ records, err := reader.ReadAll()
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse %q as CSV: %w", in, err)
+ }
+
+ if len(records) == 0 {
+ return nil, fmt.Errorf("no values found after parsing %q", in)
+ } else if len(records) > 1 {
+ return nil, fmt.Errorf("refusing to use %q as input as it parses as multiple lines of CSV", in)
+ }
+
+ return records[0], nil
+}
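Review bot: `SplitWithEscapeCSV`'s doc comment says multiple records are rejected, but `csv.Reader` treats a line break inside a quoted field as part of that field, so a quoted value containing a newline still parses as a single record and the newline reaches the caller's subject field; since the inputs are ingress annotations, either state this in the comment or reject fields containing `\n`/`\r` before `return records[0], nil`. The two helpers also do not round-trip on empty input — `JoinWithEscapeCSV(nil)` returns `""` while `SplitWithEscapeCSV("")` returns the "no values found" error — which is worth a sentence in each doc comment. Minor: the error from `writer.Write(in)` is only observed via `writer.Error()` after `Flush`; `if err := writer.Write(in); err != nil {` makes the check explicit, and the "failed to" prefix in both error strings is redundant once the error is wrapped.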
From 6fa81fe8beb7d2eb1e47baaaf6921cc11c90adde Mon Sep 17 00:00:00 2001
From: ctrought <65360454+ctrought@users.noreply.github.com>
Date: Mon, 22 Aug 2022 12:27:54 -0400
Subject: [PATCH 0007/1253] fix merge conflict
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
---
pkg/controller/certificate-shim/helper_test.go | 3 ---
1 file changed, 3 deletions(-)
diff --git a/pkg/controller/certificate-shim/helper_test.go b/pkg/controller/certificate-shim/helper_test.go
index c2e74819a64..450f12fa03a 100644
--- a/pkg/controller/certificate-shim/helper_test.go
+++ b/pkg/controller/certificate-shim/helper_test.go
@@ -55,9 +55,6 @@ func Test_translateAnnotations(t *testing.T) {
cmapi.SubjectStreetAddressesAnnotationKey: `"1725 Slough Avenue, Suite 200, Scranton Business Park","1800 Slough Avenue, Suite 200, Scranton Business Park"`,
cmapi.SubjectPostalCodesAnnotationKey: "ABC123",
cmapi.SubjectSerialNumberAnnotationKey: "123456",
- cmapi.DurationAnnotationKey: "168h", // 1 week
- cmapi.RenewBeforeAnnotationKey: "24h",
- cmapi.UsagesAnnotationKey: "server auth,signing",
}
}
From a60fc17d61a1fa5dcb2e160182c5011a1a719401 Mon Sep 17 00:00:00 2001
From: Joyce
Date: Fri, 16 Sep 2022 18:13:27 -0300
Subject: [PATCH 0008/1253] Add Scorecard Action yml
Enable the scorecard github action to run
Signed-off-by: Joyce
---
.github/workflows/scorecards.yml | 54 ++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 .github/workflows/scorecards.yml
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 00000000000..8f7adc28888
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,54 @@
+name: Scorecards supply-chain security
+on:
+ # Only the default branch is supported.
+ branch_protection_rule:
+ schedule:
+ - cron: '43 13 * * 6'
+ push:
+ branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecards analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Used to receive a badge.
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
+ with:
+ sarif_file: results.sarif
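Review bot: The `# tag=vX.Y.Z` comments next to each pinned SHA are unverified annotations — the runner executes the SHA and nothing checks the comment — so a bump of one without the other goes unnoticed; enabling Dependabot or Renovate for the `github-actions` ecosystem keeps SHA and comment in step. `persist-credentials: false`, the `read-all` default and the job-scoped `security-events: write` / `id-token: write` are appropriately limited. `branches: [ "master" ]` should be confirmed against the repository's default branch, since the comment above `branch_protection_rule` notes that only the default branch is supported.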
From 4f9c39268ee32312d82fc1ed3d47ab96cdc22a71 Mon Sep 17 00:00:00 2001
From: Joyce
Date: Fri, 16 Sep 2022 18:16:43 -0300
Subject: [PATCH 0009/1253] Add scorecard badge to README
Signed-off-by: Joyce
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 77f49b03fa2..1e6d1ba381c 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@
+
# cert-manager
From 9071eac950bdd9f643d41a4ad49a0f83594f7104 Mon Sep 17 00:00:00 2001
From: Martin Schimandl
Date: Sat, 1 Oct 2022 16:15:04 +0100
Subject: [PATCH 0010/1253] use Vault Helm Chart provied by Hashicorp
Signed-off-by: Martin Schimandl
---
test/e2e/framework/addon/chart/addon.go | 26 +++++
test/e2e/framework/addon/vault/vault.go | 138 ++++++++++++++++++++----
2 files changed, 145 insertions(+), 19 deletions(-)
diff --git a/test/e2e/framework/addon/chart/addon.go b/test/e2e/framework/addon/chart/addon.go
index c4d916f02f3..613c75a9e91 100644
--- a/test/e2e/framework/addon/chart/addon.go
+++ b/test/e2e/framework/addon/chart/addon.go
@@ -68,6 +68,17 @@ type Chart struct {
// before installing.
// This should only be set to true when the ChartName is a local path on disk.
UpdateDeps bool
+
+ // repository source of this Chart
+ Repo Repo
+}
+
+type Repo struct {
+ // name of the repository
+ Name string
+
+ // source URL of the repository
+ Url string
}
// StringTuple is a tuple of strings, used to create ordered maps
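Review bot: The new `Url` field should be `URL` per Go's initialism convention (staticcheck ST1003 flags it); the rename touches the other uses in this patch (`c.Repo.Url` in Provision and addRepo, and `Url:` in vault.go). The exported `Repo` type and its fields also lack doc comments that start with the name, e.g. `// Repo identifies a Helm chart repository to add before installing.` with `// Name is the local repository alias passed to helm repo add.` and `// URL is the repository index URL.`.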
@@ -103,6 +114,13 @@ func (c *Chart) Setup(cfg *config.Config) error {
// Provision an instance of tiller-deploy
func (c *Chart) Provision() error {
+ if len(c.Repo.Name) > 0 && len(c.Repo.Url) > 0 {
+ err := c.addRepo()
+ if err != nil {
+ return fmt.Errorf("error adding helm repo: %v", err)
+ }
+ }
+
if c.UpdateDeps {
err := c.runDepUpdate()
if err != nil {
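Review bot: `fmt.Errorf("error adding helm repo: %v", err)` should wrap with `%w` so callers can inspect the underlying error, and the "error" prefix is redundant once wrapped: `return fmt.Errorf("adding helm repo %q: %w", c.Repo.Name, err)`. Since `addRepo` runs on every Provision call, it is worth confirming that re-adding an already registered repository name is accepted by the helm version in use (newer Helm 3 releases skip an identical re-add but reject a changed URL without `--force-update`). Provision's body continues outside the hunk.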
@@ -297,3 +315,11 @@ func (c *Chart) Logs() (map[string]string, error) {
return out, nil
}
+
+func (c *Chart) addRepo() error {
+ err := c.buildHelmCmd("repo", "add", c.Repo.Name, c.Repo.Url).Run()
+ if err != nil {
+ return err
+ }
+ return nil
+}
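Review bot: The `if err != nil { return err }; return nil` in `addRepo` is a point of style that collapses to a single line, `return c.buildHelmCmd("repo", "add", c.Repo.Name, c.Repo.Url).Run()`. Unless `buildHelmCmd` wires the command's stderr somewhere visible (it is defined outside the hunk), a failing `helm repo add` will surface only as an exit status, so a short comment noting where its output goes would help whoever debugs a failed e2e setup.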
diff --git a/test/e2e/framework/addon/vault/vault.go b/test/e2e/framework/addon/vault/vault.go
index 3ff406b9c23..e4018dad875 100644
--- a/test/e2e/framework/addon/vault/vault.go
+++ b/test/e2e/framework/addon/vault/vault.go
@@ -24,13 +24,13 @@ import (
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
- "encoding/base64"
"encoding/pem"
"fmt"
"math/big"
"net"
"time"
+ corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/test/e2e/framework/addon/base"
@@ -41,8 +41,9 @@ import (
// Vault describes the configuration details for an instance of Vault
// deployed to the test cluster
type Vault struct {
- config *config.Config
- chart *chart.Chart
+ config *config.Config
+ chart *chart.Chart
+ tlsSecret corev1.Secret
Base *base.Base
@@ -105,20 +106,91 @@ func (v *Vault) Setup(cfg *config.Config) error {
}
v.details.Kubectl = cfg.Kubectl
v.chart = &chart.Chart{
- Base: v.Base,
- ReleaseName: "chart-vault-" + v.Name,
- Namespace: v.Namespace,
- ChartName: cfg.RepoRoot + "/test/e2e/charts/vault",
- // doesn't matter when installing from disk
- ChartVersion: "0",
+ Base: v.Base,
+ ReleaseName: "chart-vault-" + v.Name,
+ Namespace: v.Namespace,
+ ChartName: "hashicorp/vault",
+ ChartVersion: "0.22.0",
+ Repo: chart.Repo{
+ Name: "hashicorp",
+ Url: "https://helm.releases.hashicorp.com",
+ },
Vars: []chart.StringTuple{
{
- Key: "vault.publicKey",
- Value: base64.StdEncoding.EncodeToString(v.details.VaultCert),
+ Key: "global.tlsDisable",
+ Value: "false",
+ },
+ {
+ Key: "server.standalone.config",
+ Value: `
+ listener "tcp" {
+ address = "[::]:8200"
+ cluster_address= "[::]:8201"
+ tls_disable = false
+ tls_cert_file = "/vault/tls/server.crt"
+ tls_key_file = "/vault/tls/server.key"
+ }`,
+ },
+ {
+ Key: "server.extraArgs",
+ Value: "-dev -dev-listen-address=[::]:8202",
+ },
+ {
+ Key: "server.extraEnvironmentVars.VAULT_DEV_ROOT_TOKEN_ID",
+ Value: "vault-root-token",
+ },
+ {
+ Key: "server.volumes[0].name",
+ Value: "vault-tls",
+ },
+ {
+ Key: "server.volumes[0].secret.secretName",
+ Value: "vault-tls",
+ },
+
+ {
+ Key: "server.volumeMounts[0].name",
+ Value: "vault-tls",
+ },
+ {
+ Key: "server.volumeMounts[0].mountPath",
+ Value: "/vault/tls",
+ },
+ {
+ Key: "server.image.repository",
+ Value: "index.docker.io/library/vault",
+ },
+ {
+ Key: "server.image.tag",
+ Value: "1.2.3@sha256:b1c86c9e173f15bb4a926e4144a63f7779531c30554ac7aee9b2a408b22b2c01",
+ },
+ {
+ Key: "server.authDelegator.enabled",
+ Value: "false",
+ },
+ {
+ Key: "injector.enabled",
+ Value: "false",
+ },
+ {
+ Key: "server.datastorage.enabled",
+ Value: "false",
+ },
+ {
+ Key: "server.resources.requests.cpu",
+ Value: "50m",
+ },
+ {
+ Key: "server.resources.requests.memory",
+ Value: "64Mi",
+ },
+ {
+ Key: "server.resources.limits.cpu",
+ Value: "200m",
},
{
- Key: "vault.privateKey",
- Value: base64.StdEncoding.EncodeToString(v.details.VaultCertPrivateKey),
+ Key: "server.resources.limits.memory",
+ Value: "256Mi",
},
},
}
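Review bot: The Helm value key `server.datastorage.enabled` (just before the resource requests) does not match the chart's `server.dataStorage.enabled`; Helm value keys are case-sensitive, so this override is ignored and the chart keeps its default data-storage volume, which the later commit in this series that switches the key to `server.dataStorage.enabled` appears to confirm. Changing the key to `Key: "server.dataStorage.enabled",` is the one-line fix. Setup's body continues outside the hunk.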
@@ -126,23 +198,44 @@ func (v *Vault) Setup(cfg *config.Config) error {
if err != nil {
return err
}
+
+ v.tlsSecret = corev1.Secret{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "secret",
+ APIVersion: "v1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "vault-tls",
+ Namespace: v.Namespace,
+ },
+ StringData: map[string]string{
+ "server.crt": string(v.details.VaultCert),
+ "server.key": string(v.details.VaultCertPrivateKey),
+ },
+ }
+
return nil
}
// Provision will actually deploy this instance of Vault to the cluster.
func (v *Vault) Provision() error {
- err := v.chart.Provision()
+ kubeClient := v.Base.Details().KubeClient
+
+ _, err := kubeClient.CoreV1().Secrets(v.Namespace).Create(context.TODO(), &v.tlsSecret, metav1.CreateOptions{})
if err != nil {
return err
}
- // otherwise lookup the newly created pods name
- kubeClient := v.Base.Details().KubeClient
+ err = v.chart.Provision()
+ if err != nil {
+ return err
+ }
+ // lookup the newly created pods name
retries := 5
for {
pods, err := kubeClient.CoreV1().Pods(v.Namespace).List(context.TODO(), metav1.ListOptions{
- LabelSelector: "app=vault",
+ LabelSelector: "app.kubernetes.io/name=vault",
})
if err != nil {
return err
@@ -168,7 +261,7 @@ func (v *Vault) Provision() error {
}
v.details.Namespace = v.Namespace
- v.details.Host = fmt.Sprintf("https://vault.%s:8200", v.Namespace)
+ v.details.Host = fmt.Sprintf("https://%s:8200", "chart-vault-"+v.Name+"."+v.Namespace)
return nil
}
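Review bot: The service host `"chart-vault-"+v.Name+"."+v.Namespace` is now spelled out in three places — the ReleaseName in Setup, this Host line, and the `DNSNames` entry in generateCert — and any client that verifies the server certificate only succeeds while all three stay identical. A small method such as `func (v *Vault) serviceHost() string { return "chart-vault-" + v.Name + "." + v.Namespace }` used by the cert SAN and this line removes the drift risk, and `v.details.Host = "https://" + v.serviceHost() + ":8200"` also drops the Sprintf with a constant format. Provision's body starts outside the hunk.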
@@ -180,6 +273,13 @@ func (v *Vault) Details() *Details {
// Deprovision will destroy this instance of Vault
func (v *Vault) Deprovision() error {
+ kubeClient := v.Base.Details().KubeClient
+
+ err := kubeClient.CoreV1().Secrets(v.Namespace).Delete(context.TODO(), v.tlsSecret.Name, metav1.DeleteOptions{})
+ if err != nil {
+ return err
+ }
+
return v.chart.Deprovision()
}
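Review bot: Deprovision returns on the first error from the Secret delete, so if the secret is already gone (a partially failed Provision, or a second Deprovision) the Helm release is never uninstalled. Either tolerate a not-found result — `if err != nil && !apierrors.IsNotFound(err) { return err }` with `k8s.io/apimachinery/pkg/api/errors` imported, which is not visible in this hunk — or call `v.chart.Deprovision()` first and report both errors, so cleanup is best-effort per resource. A one-line doc comment stating that the secret is deleted here because Provision, not the chart, created it would also help the next reader.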
@@ -239,7 +339,7 @@ func (v *Vault) generateCert() ([]byte, []byte, error) {
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature,
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
- DNSNames: []string{"vault." + v.Namespace},
+ DNSNames: []string{"chart-vault-" + v.Name + "." + v.Namespace},
}
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
From a00306083a98306b2514ce1909d75794138d3b42 Mon Sep 17 00:00:00 2001
From: Martin Schimandl
Date: Sun, 16 Oct 2022 07:57:49 +0100
Subject: [PATCH 0011/1253] Remove the old Helm chart for Vault
Signed-off-by: Martin Schimandl
---
test/e2e/charts/vault/Chart.yaml | 4 --
test/e2e/charts/vault/templates/_helpers.tpl | 16 -----
.../charts/vault/templates/vault-config.yaml | 9 ---
.../vault/templates/vault-deployment.yaml | 62 -------------------
.../charts/vault/templates/vault-secret.yaml | 8 ---
.../charts/vault/templates/vault-service.yaml | 12 ----
test/e2e/charts/vault/values.yaml | 18 ------
7 files changed, 129 deletions(-)
delete mode 100644 test/e2e/charts/vault/Chart.yaml
delete mode 100644 test/e2e/charts/vault/templates/_helpers.tpl
delete mode 100644 test/e2e/charts/vault/templates/vault-config.yaml
delete mode 100644 test/e2e/charts/vault/templates/vault-deployment.yaml
delete mode 100644 test/e2e/charts/vault/templates/vault-secret.yaml
delete mode 100644 test/e2e/charts/vault/templates/vault-service.yaml
delete mode 100644 test/e2e/charts/vault/values.yaml
diff --git a/test/e2e/charts/vault/Chart.yaml b/test/e2e/charts/vault/Chart.yaml
deleted file mode 100644
index e990eb8e19b..00000000000
--- a/test/e2e/charts/vault/Chart.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-description: A Helm chart for Kubernetes
-name: vault
-version: 0.1.0
diff --git a/test/e2e/charts/vault/templates/_helpers.tpl b/test/e2e/charts/vault/templates/_helpers.tpl
deleted file mode 100644
index f0d83d2edba..00000000000
--- a/test/e2e/charts/vault/templates/_helpers.tpl
+++ /dev/null
@@ -1,16 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/test/e2e/charts/vault/templates/vault-config.yaml b/test/e2e/charts/vault/templates/vault-config.yaml
deleted file mode 100644
index bda91bdc301..00000000000
--- a/test/e2e/charts/vault/templates/vault-config.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: vault-config
- labels:
- app: vault
-data:
- config.json: |
- {{ .Values.vault.config | toJson }}
diff --git a/test/e2e/charts/vault/templates/vault-deployment.yaml b/test/e2e/charts/vault/templates/vault-deployment.yaml
deleted file mode 100644
index e53f0479fb6..00000000000
--- a/test/e2e/charts/vault/templates/vault-deployment.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: vault
- name: vault
-spec:
- replicas: 1
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app: {{ template "name" . }}
- release: {{ .Release.Name }}
- template:
- metadata:
- labels:
- app: vault
- release: {{ .Release.Name }}
- spec:
- containers:
- - name: vault
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: Never
- command: ["vault", "server", "-dev", "-dev-listen-address=[::]:8202", "-config", "/vault/config/config.json"]
- # command: ["/bin/sh", "-c", "sleep 9999"]
- ports:
- - containerPort: 8200
- name: vaultport
- protocol: TCP
- resources:
- requests:
- cpu: 50m
- memory: 64Mi
- limits:
- cpu: 200m
- memory: 256Mi
- securityContext:
- capabilities:
- add:
- - IPC_LOCK
- env:
- - name: VAULT_DEV_ROOT_TOKEN_ID
- value: vault-root-token
- readinessProbe:
- httpGet:
- path: /v1/sys/health
- port: 8200
- scheme: HTTPS
- volumeMounts:
- - name: vault-config
- mountPath: /vault/config
- - name: vault-tls
- mountPath: /vault/tls
- volumes:
- - name: vault-config
- configMap:
- name: vault-config
- - name: vault-tls
- secret:
- secretName: vault-tls
diff --git a/test/e2e/charts/vault/templates/vault-secret.yaml b/test/e2e/charts/vault/templates/vault-secret.yaml
deleted file mode 100644
index e0d6be7f6ba..00000000000
--- a/test/e2e/charts/vault/templates/vault-secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: vault-tls
-type: Opaque
-data:
- server.crt: {{ .Values.vault.publicKey }}
- server.key: {{ .Values.vault.privateKey }}
diff --git a/test/e2e/charts/vault/templates/vault-service.yaml b/test/e2e/charts/vault/templates/vault-service.yaml
deleted file mode 100644
index 9029e39f1ae..00000000000
--- a/test/e2e/charts/vault/templates/vault-service.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: vault
- labels:
- app: vault
-spec:
- ports:
- - name: vault
- port: 8200
- selector:
- app: vault
diff --git a/test/e2e/charts/vault/values.yaml b/test/e2e/charts/vault/values.yaml
deleted file mode 100644
index 169a0b5295f..00000000000
--- a/test/e2e/charts/vault/values.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-image:
- repository: local/vault
- tag: local
-
-vault:
- publicKey:
- privateKey:
-
- config:
- listener:
- tcp:
- address: '[::]:8200'
- cluster_address: '[::]:8201'
- tls_disable: false
- tls_prefer_server_cipher_suites: true
- tls_cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- tls_cert_file: /vault/tls/server.crt
- tls_key_file: /vault/tls/server.key
From 41f31291ebfaf66031eeaa1c12ee8ffbc01c21a0 Mon Sep 17 00:00:00 2001
From: Joyce Brum
Date: Fri, 28 Oct 2022 14:56:18 -0300
Subject: [PATCH 0012/1253] fix: update scorecard not running
Signed-off-by: Joyce Brum
---
.github/workflows/scorecards.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 8f7adc28888..33b738b3f15 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -27,7 +27,7 @@ jobs:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3
+ uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # tag=v2.0.6
with:
results_file: results.sarif
results_format: sarif
From 741fa3cfb4cccb5fb0108b5d47f7600237834e89 Mon Sep 17 00:00:00 2001
From: Igor Beliakov
Date: Sat, 29 Oct 2022 15:43:33 +0200
Subject: [PATCH 0013/1253] feat(Azure): add support for workload identity
Signed-off-by: Igor Beliakov
---
pkg/issuer/acme/dns/azuredns/azuredns.go | 60 +++++++++++++++++++++++-
1 file changed, 59 insertions(+), 1 deletion(-)
diff --git a/pkg/issuer/acme/dns/azuredns/azuredns.go b/pkg/issuer/acme/dns/azuredns/azuredns.go
index f674bbccafb..830ff620ac8 100644
--- a/pkg/issuer/acme/dns/azuredns/azuredns.go
+++ b/pkg/issuer/acme/dns/azuredns/azuredns.go
@@ -13,6 +13,7 @@ package azuredns
import (
"context"
"fmt"
+ "os"
"strings"
"github.com/go-logr/logr"
@@ -71,6 +72,30 @@ func NewDNSProviderCredentials(environment, clientID, clientSecret, subscription
}, nil
}
+func getWIToken(env azure.Environment, options adal.ManagedIdentityOptions) (*adal.ServicePrincipalToken, error) {
+ oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, os.Getenv("AZURE_TENANT_ID"))
+ if err != nil {
+ return nil, fmt.Errorf("failed to retrieve OAuth config: %v", err)
+ }
+
+ jwt, err := os.ReadFile(os.Getenv("AZURE_FEDERATED_TOKEN_FILE"))
+ if err != nil {
+ return nil, fmt.Errorf("failed to read a file with a federated token: %v", err)
+ }
+
+ clientID := os.Getenv("AZURE_CLIENT_ID")
+ if options.ClientID != "" {
+ clientID = options.ClientID
+ }
+
+ token, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, clientID, string(jwt), env.ResourceManagerEndpoint)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create a workload identity token: %v", err)
+ }
+
+ return token, nil
+}
+
func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptionID, tenantID string, ambient bool, managedIdentity *cmacme.AzureManagedIdentity) (*adal.ServicePrincipalToken, error) {
if clientID != "" {
logf.Log.V(logf.InfoLevel).Info("azuredns authenticating with clientID and secret key")
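Review bot: `getWIToken` reads `AZURE_TENANT_ID` and (absent `options.ClientID`) `AZURE_CLIENT_ID` without checking that they are set, so a pod that has the federated token file mounted but not the rest of the workload-identity environment fails with an opaque AAD error rather than a clear one. A guard before the token is built localises the failure: `if tenantID == "" || clientID == "" { return nil, fmt.Errorf("workload identity requires AZURE_TENANT_ID and AZURE_CLIENT_ID (or managedIdentity.clientID) to be set") }`. Consider also `strings.TrimSpace(string(jwt))`, since a trailing newline in a token file written by tooling rather than the projected volume would otherwise be sent as part of the client assertion. A doc comment noting that the token file is re-read on every call, which is what lets the refresh path pick up the rotated projected token, would make the design explicit.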
@@ -84,7 +109,7 @@ func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptio
}
return spt, nil
}
- logf.Log.V(logf.InfoLevel).Info("No ClientID found: authenticating azuredns with managed identity (MSI)")
+ logf.Log.V(logf.InfoLevel).Info("No ClientID found: attempting to authenticate with ambient credentials (Azure Workload Identity or Azure Managed Service Identity, in that order)")
if !ambient {
return nil, fmt.Errorf("ClientID is not set but neither `--cluster-issuer-ambient-credentials` nor `--issuer-ambient-credentials` are set. These are necessary to enable Azure Managed Identities")
}
@@ -96,6 +121,39 @@ func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptio
opt.IdentityResourceID = managedIdentity.ResourceID
}
+ // Use Workload Identity if present
+ if os.Getenv("AZURE_FEDERATED_TOKEN_FILE") != "" {
+ token, err := getWIToken(env, opt)
+ if err != nil {
+ return nil, err
+ }
+
+ // adal does not offer methods to dynamically replace a federated token, thus we need to have a wrapper to make sure
+ // we're using up-to-date secret while requesting an access token
+ var refreshFunc adal.TokenRefresh = func(context context.Context, resource string) (*adal.Token, error) {
+ newWIToken, err := getWIToken(env, opt)
+ if err != nil {
+ return nil, err
+ }
+
+ // Need to call Refresh(), otherwise .Token() will be empty
+ err = newWIToken.Refresh()
+ if err != nil {
+ return nil, err
+ }
+
+ accessToken := newWIToken.Token()
+
+ return &accessToken, nil
+ }
+
+ token.SetCustomRefreshFunc(refreshFunc)
+
+ return token, nil
+ }
+
+ logf.Log.V(logf.InfoLevel).Info("No Azure Workload Identity found: attempting to authenticate with an Azure Managed Service Identity (MSI)")
+
spt, err := adal.NewServicePrincipalTokenFromManagedIdentity(env.ServiceManagementEndpoint, &opt)
if err != nil {
return nil, fmt.Errorf("failed to create the managed service identity token: %v", err)
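Review bot: In the workload-identity branch `opt.IdentityResourceID` (set from `managedIdentity.ResourceID` just above the hunk) is never consulted — `getWIToken` only honours `options.ClientID` — so an issuer configured with `managedIdentity.resourceID` silently authenticates as whatever `AZURE_CLIENT_ID` the webhook injected. Returning an error when `opt.IdentityResourceID != ""` is reached in this branch, or at least logging that resourceID is ignored for workload identity, avoids a surprising identity swap. Style: the closure parameter `context context.Context` shadows the `context` package inside the function; `ctx context.Context` (or `_ context.Context`, since it is unused) is the convention. getAuthorization's body continues outside the hunk.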
From bb39c5cf7969925b02431553f004188bb0729b25 Mon Sep 17 00:00:00 2001
From: Sathyanarayanan Saravanamuthu
Date: Thu, 3 Nov 2022 15:34:25 +0530
Subject: [PATCH 0014/1253] Fixing CA flag in basic constraints extension
Signed-off-by: Sathyanarayanan Saravanamuthu
---
pkg/util/pki/csr.go | 29 +++++++++++++++++++++++++++++
pkg/util/pki/keyusage.go | 1 +
2 files changed, 30 insertions(+)
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 2afe88e766d..34dae8bbc78 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -216,6 +216,14 @@ func GenerateCSR(crt *v1.Certificate) (*x509.CertificateRequest, error) {
}
}
+ if crt.Spec.IsCA {
+ extension, err := buildBasicConstraintsExtensionsForCertificate()
+ if err != nil {
+ return nil, err
+ }
+ extraExtensions = append(extraExtensions, extension)
+ }
+
if isLiteralCertificateSubjectEnabled() && len(crt.Spec.LiteralSubject) > 0 {
rawSubject, err := ParseSubjectStringToRawDerBytes(crt.Spec.LiteralSubject)
if err != nil {
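Review bot: The basic-constraints extension is appended only when `crt.Spec.IsCA` is set, but nothing in this hunk ties it to the key-usage extension: a CA request should also carry `keyCertSign`, and whether `buildKeyUsagesExtensionsForCertificate` adds that for IsCA happens outside the visible lines (the unit test added later in this series expects it, so it likely does). A comment above the `if crt.Spec.IsCA` line, `// request cA=TRUE in the CSR; keyCertSign is added by buildKeyUsagesExtensionsForCertificate`, keeps the two from drifting apart. GenerateCSR starts and ends outside the hunk.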
@@ -298,6 +306,27 @@ func buildKeyUsagesExtensionsForCertificate(crt *v1.Certificate) ([]pkix.Extensi
return extraExtensions, nil
}
+func buildBasicConstraintsExtensionsForCertificate() (pkix.Extension, error) {
+
+ basicConstraints := pkix.Extension{
+ Id: OIDExtensionBasicConstraints,
+ }
+
+ constraint := struct {
+ IsCA bool
+ }{
+ IsCA: true,
+ }
+
+ var err error
+ basicConstraints.Value, err = asn1.Marshal(constraint)
+ if err != nil {
+ return pkix.Extension{}, err
+ }
+
+ return basicConstraints, nil
+}
+
// GenerateTemplate will create a x509.Certificate for the given Certificate resource.
// This should create a Certificate template that is equivalent to the CertificateRequest
// generated by GenerateCSR.
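Review bot: The extension is built with `Critical` left false; RFC 5280 §4.2.1.9 requires conforming CAs to mark basicConstraints critical in CA certificates and, if memory serves, Go's own `x509.CreateCertificate` does the same, so a signer that copies CSR extensions verbatim would issue a non-conforming CA certificate. Adding `Critical: true,` next to `Id: OIDExtensionBasicConstraints,` matches that. Naming: the function returns a single extension and takes no certificate, so `buildBasicConstraintsExtension()` describes it better, and it needs a doc comment such as `// buildBasicConstraintsExtension returns a basicConstraints extension asserting cA=TRUE with no pathLenConstraint.`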
diff --git a/pkg/util/pki/keyusage.go b/pkg/util/pki/keyusage.go
index 37f414401d1..7d621567271 100644
--- a/pkg/util/pki/keyusage.go
+++ b/pkg/util/pki/keyusage.go
@@ -26,6 +26,7 @@ import (
var (
OIDExtensionKeyUsage = []int{2, 5, 29, 15}
OIDExtensionExtendedKeyUsage = []int{2, 5, 29, 37}
+ OIDExtensionBasicConstraints = []int{2, 5, 29, 19}
)
// RFC 5280, 4.2.1.12 Extended Key Usage
From 7bb666742c01d5255dfce430af90a24277a6cf0d Mon Sep 17 00:00:00 2001
From: Mary Thibault
Date: Thu, 3 Nov 2022 15:58:41 +0100
Subject: [PATCH 0015/1253] feat: add commonLabels to webhook configmap
Signed-off-by: Mary Thibault
---
deploy/charts/cert-manager/templates/webhook-config.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/deploy/charts/cert-manager/templates/webhook-config.yaml b/deploy/charts/cert-manager/templates/webhook-config.yaml
index ccee8e5c333..f3f72f02efc 100644
--- a/deploy/charts/cert-manager/templates/webhook-config.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-config.yaml
@@ -17,6 +17,7 @@ metadata:
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
data:
{{- if .Values.webhook.config }}
config.yaml: |
From fd6032fc45b941e83d52995f193b18201a6d1912 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Fri, 4 Nov 2022 11:02:04 +0100
Subject: [PATCH 0016/1253] re-order Helm parameters & move some values to
constants
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
test/e2e/framework/addon/vault/vault.go | 72 +++++++++++++++----------
1 file changed, 44 insertions(+), 28 deletions(-)
diff --git a/test/e2e/framework/addon/vault/vault.go b/test/e2e/framework/addon/vault/vault.go
index e4018dad875..d6286fb00b5 100644
--- a/test/e2e/framework/addon/vault/vault.go
+++ b/test/e2e/framework/addon/vault/vault.go
@@ -38,10 +38,16 @@ import (
"github.com/cert-manager/cert-manager/test/e2e/framework/config"
)
+const (
+ vaultHelmChartRepo = "https://helm.releases.hashicorp.com"
+ vaultHelmChartVersion = "0.22.0"
+ vaultImageRepository = "index.docker.io/library/vault"
+ vaultImageTag = "1.2.3@sha256:b1c86c9e173f15bb4a926e4144a63f7779531c30554ac7aee9b2a408b22b2c01"
+)
+
// Vault describes the configuration details for an instance of Vault
// deployed to the test cluster
type Vault struct {
- config *config.Config
chart *chart.Chart
tlsSecret corev1.Secret
@@ -110,35 +116,56 @@ func (v *Vault) Setup(cfg *config.Config) error {
ReleaseName: "chart-vault-" + v.Name,
Namespace: v.Namespace,
ChartName: "hashicorp/vault",
- ChartVersion: "0.22.0",
+ ChartVersion: vaultHelmChartVersion,
Repo: chart.Repo{
Name: "hashicorp",
- Url: "https://helm.releases.hashicorp.com",
+ Url: vaultHelmChartRepo,
},
Vars: []chart.StringTuple{
{
- Key: "global.tlsDisable",
+ Key: "injector.enabled",
Value: "false",
},
{
- Key: "server.standalone.config",
- Value: `
- listener "tcp" {
- address = "[::]:8200"
- cluster_address= "[::]:8201"
- tls_disable = false
- tls_cert_file = "/vault/tls/server.crt"
- tls_key_file = "/vault/tls/server.key"
- }`,
+ Key: "server.authDelegator.enabled",
+ Value: "false",
},
+ {
+ Key: "server.dataStorage.enabled",
+ Value: "false",
+ },
+ {
+ Key: "server.standalone.enabled",
+ Value: "true",
+ },
+ // configure dev mode
+ // we cannot use the 'server.dev.enabled' Helm value here, because as soon
+ // as you enable 'server.dev' you cannot specify a config file anymore
{
Key: "server.extraArgs",
Value: "-dev -dev-listen-address=[::]:8202",
},
+ // configure root token
{
Key: "server.extraEnvironmentVars.VAULT_DEV_ROOT_TOKEN_ID",
Value: "vault-root-token",
},
+ // configure tls certificate
+ {
+ Key: "global.tlsDisable",
+ Value: "false",
+ },
+ {
+ Key: "server.standalone.config",
+ Value: `
+ listener "tcp" {
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ tls_disable = false
+ tls_cert_file = "/vault/tls/server.crt"
+ tls_key_file = "/vault/tls/server.key"
+ }`,
+ },
{
Key: "server.volumes[0].name",
Value: "vault-tls",
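Review bot: `server.extraEnvironmentVars.VAULT_DEV_ROOT_TOKEN_ID` places the root token into the pod spec as a plain environment variable, readable by anyone with `get pods` in the namespace, and it is hard-coded to `vault-root-token`. That is fine for an ephemeral e2e cluster, but the `// configure root token` comment above it should say so, since this block is exactly the kind of snippet that gets copied: `// configure root token; dev mode only — the token is a well-known fixture visible in the pod spec and must never be reused outside the e2e cluster`. Setup's body continues outside the hunk.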
@@ -147,7 +174,6 @@ func (v *Vault) Setup(cfg *config.Config) error {
Key: "server.volumes[0].secret.secretName",
Value: "vault-tls",
},
-
{
Key: "server.volumeMounts[0].name",
Value: "vault-tls",
@@ -156,26 +182,16 @@ func (v *Vault) Setup(cfg *config.Config) error {
Key: "server.volumeMounts[0].mountPath",
Value: "/vault/tls",
},
+ // configure image and repo
{
Key: "server.image.repository",
- Value: "index.docker.io/library/vault",
+ Value: vaultImageRepository,
},
{
Key: "server.image.tag",
- Value: "1.2.3@sha256:b1c86c9e173f15bb4a926e4144a63f7779531c30554ac7aee9b2a408b22b2c01",
- },
- {
- Key: "server.authDelegator.enabled",
- Value: "false",
- },
- {
- Key: "injector.enabled",
- Value: "false",
- },
- {
- Key: "server.datastorage.enabled",
- Value: "false",
+ Value: vaultImageTag,
},
+ // configure resource requests and limits
{
Key: "server.resources.requests.cpu",
Value: "50m",
From 40b4bd8b68e06d07c09156de6500d6e2445dac4b Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Fri, 4 Nov 2022 16:28:51 +0000
Subject: [PATCH 0017/1253] bump base / kind images
Signed-off-by: Ashley Davis
---
make/base_images.mk | 20 ++++++++++----------
make/kind_images.sh | 42 +++++++++++++++++++++---------------------
2 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/make/base_images.mk b/make/base_images.mk
index 45e94148717..ae048c70f5a 100644
--- a/make/base_images.mk
+++ b/make/base_images.mk
@@ -1,11 +1,11 @@
# autogenerated by hack/latest-base-images.sh
-STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static@sha256:f6ba6e4b2b5881fb94a99113de3c886c5f72e589946ece055dee2aade9486b8f
-STATIC_BASE_IMAGE_arm64 := gcr.io/distroless/static@sha256:7f7f3b90d455ef2c1dfbe7bdfd2c3a33749d8cb91544e9676146636da775ce50
-STATIC_BASE_IMAGE_s390x := gcr.io/distroless/static@sha256:44787810ec7ff81a7659bed7daed722b640ba92b1217dbf86c5666f2024dfc09
-STATIC_BASE_IMAGE_arm := gcr.io/distroless/static@sha256:5b13d2ab3cff934fc44996b33818aa149001f8aead240d68208c81e0f359bfd0
-STATIC_BASE_IMAGE_ppc64le := gcr.io/distroless/static@sha256:c6c0c8c93600faa416e472b9c95e1e20eb8a85171680ce4bc872887781dda36c
-DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base@sha256:bf37ce66c1c295ef3e965ef273141e41c28866bdb28f54edb99b8596efd07564
-DYNAMIC_BASE_IMAGE_arm64 := gcr.io/distroless/base@sha256:11e438e3d4f7652cb64b16b0e2bbff2271f701f7b93bd61c7eb922503e4f44ab
-DYNAMIC_BASE_IMAGE_s390x := gcr.io/distroless/base@sha256:1f3318430844e5fa43843beeec96d1070e45cdf41158d8687cc81f640bb077ab
-DYNAMIC_BASE_IMAGE_arm := gcr.io/distroless/base@sha256:ace1935c55c879c8999acfd0ab55cd831b0a2a7f353f5c9b6141ea4afc6873c9
-DYNAMIC_BASE_IMAGE_ppc64le := gcr.io/distroless/base@sha256:087ba40e7c8cd82f702dc53178df9e872b41fe335520a51a320b578d282576ba
+STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static@sha256:ebd8cc37d22551dce0957ba8e58f03b22a8448bbf844c8c9ded4feef883b36bc
+STATIC_BASE_IMAGE_arm64 := gcr.io/distroless/static@sha256:b85ecc2cf83157d054f1c358eda78408352cd0e320ae0ed9055f9af0f4f8eaa8
+STATIC_BASE_IMAGE_s390x := gcr.io/distroless/static@sha256:1dd0a37cb6556b320f252af2f8fa0463ba00557d42a93c99ac5e1dd21cbc1daa
+STATIC_BASE_IMAGE_arm := gcr.io/distroless/static@sha256:f0bc64e50983fb4ca0d325f330651c1970cf05a7c8fdebaef86330097c5da10f
+STATIC_BASE_IMAGE_ppc64le := gcr.io/distroless/static@sha256:982801c3f71c777f134cc4398f011283c692d4a0c29901671fdb660626ba937b
+DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base@sha256:b9b124f955961599e72630654107a0cf04e08e6fa777fa250b8f840728abd770
+DYNAMIC_BASE_IMAGE_arm64 := gcr.io/distroless/base@sha256:3552d4adeabdc6630fe1877198c3b853e977c53c439b0f7afaa7be760ee5ed6d
+DYNAMIC_BASE_IMAGE_s390x := gcr.io/distroless/base@sha256:4e8d6616f1bc75cfc5e0e669817c4aa76193edd5e4b7343b62016a0c633b8cbf
+DYNAMIC_BASE_IMAGE_arm := gcr.io/distroless/base@sha256:e5ef8136477df3acb7d86db402fd56a7e6d971c81fe48e17149d44e2796b8f3b
+DYNAMIC_BASE_IMAGE_ppc64le := gcr.io/distroless/base@sha256:3e982dbe9292bada8f07125daba5f968bd833c5497102b3246dda2994f5318f9
diff --git a/make/kind_images.sh b/make/kind_images.sh
index 19eb3c3c6b8..80c4b47353e 100644
--- a/make/kind_images.sh
+++ b/make/kind_images.sh
@@ -14,37 +14,37 @@
# generated by ./hack/latest-kind-images.sh
-KIND_IMAGE_K8S_120=docker.io/kindest/node@sha256:45d0194a8069c46483a0e509088ab9249302af561ebee76a1281a1f08ecb4ed3
-KIND_IMAGE_K8S_121=docker.io/kindest/node@sha256:ad5b7446dd8332439f22a1efdac73670f0da158c00f0a70b45716e7ef3fae20b
-KIND_IMAGE_K8S_122=docker.io/kindest/node@sha256:bfd5eaae36849bfb3c1e3b9442f3da17d730718248939d9d547e86bbac5da586
-KIND_IMAGE_K8S_123=docker.io/kindest/node@sha256:9402cf1330bbd3a0d097d2033fa489b2abe40d479cc5ef47d0b6a6960613148a
-KIND_IMAGE_K8S_124=docker.io/kindest/node@sha256:97e8d00bc37a7598a0b32d1fabd155a96355c49fa0d4d4790aab0f161bf31be1
-KIND_IMAGE_K8S_125=docker.io/kindest/node@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
+KIND_IMAGE_K8S_120=docker.io/kindest/node@sha256:a32bf55309294120616886b5338f95dd98a2f7231519c7dedcec32ba29699394
+KIND_IMAGE_K8S_121=docker.io/kindest/node@sha256:9d9eb5fb26b4fbc0c6d95fa8c790414f9750dd583f5d7cee45d92e8c26670aa1
+KIND_IMAGE_K8S_122=docker.io/kindest/node@sha256:7d9708c4b0873f0fe2e171e2b1b7f45ae89482617778c1c875f1053d4cef2e41
+KIND_IMAGE_K8S_123=docker.io/kindest/node@sha256:ef453bb7c79f0e3caba88d2067d4196f427794086a7d0df8df4f019d5e336b61
+KIND_IMAGE_K8S_124=docker.io/kindest/node@sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315
+KIND_IMAGE_K8S_125=docker.io/kindest/node@sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5
# docker.io/kindest/node:v1.20.15
-KIND_IMAGE_SHA_K8S_120=sha256:45d0194a8069c46483a0e509088ab9249302af561ebee76a1281a1f08ecb4ed3
+KIND_IMAGE_SHA_K8S_120=sha256:a32bf55309294120616886b5338f95dd98a2f7231519c7dedcec32ba29699394
# docker.io/kindest/node:v1.21.14
-KIND_IMAGE_SHA_K8S_121=sha256:ad5b7446dd8332439f22a1efdac73670f0da158c00f0a70b45716e7ef3fae20b
+KIND_IMAGE_SHA_K8S_121=sha256:9d9eb5fb26b4fbc0c6d95fa8c790414f9750dd583f5d7cee45d92e8c26670aa1
# docker.io/kindest/node:v1.22.15
-KIND_IMAGE_SHA_K8S_122=sha256:bfd5eaae36849bfb3c1e3b9442f3da17d730718248939d9d547e86bbac5da586
+KIND_IMAGE_SHA_K8S_122=sha256:7d9708c4b0873f0fe2e171e2b1b7f45ae89482617778c1c875f1053d4cef2e41
-# docker.io/kindest/node:v1.23.12
-KIND_IMAGE_SHA_K8S_123=sha256:9402cf1330bbd3a0d097d2033fa489b2abe40d479cc5ef47d0b6a6960613148a
+# docker.io/kindest/node:v1.23.13
+KIND_IMAGE_SHA_K8S_123=sha256:ef453bb7c79f0e3caba88d2067d4196f427794086a7d0df8df4f019d5e336b61
-# docker.io/kindest/node:v1.24.6
-KIND_IMAGE_SHA_K8S_124=sha256:97e8d00bc37a7598a0b32d1fabd155a96355c49fa0d4d4790aab0f161bf31be1
+# docker.io/kindest/node:v1.24.7
+KIND_IMAGE_SHA_K8S_124=sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315
-# docker.io/kindest/node:v1.25.2
-KIND_IMAGE_SHA_K8S_125=sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
+# docker.io/kindest/node:v1.25.3
+KIND_IMAGE_SHA_K8S_125=sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5
# note that these 'full' digests should be avoided since not all tools support them
# prefer KIND_IMAGE_K8S_*** instead
-KIND_IMAGE_FULL_K8S_120=docker.io/kindest/node:v1.20.15@sha256:45d0194a8069c46483a0e509088ab9249302af561ebee76a1281a1f08ecb4ed3
-KIND_IMAGE_FULL_K8S_121=docker.io/kindest/node:v1.21.14@sha256:ad5b7446dd8332439f22a1efdac73670f0da158c00f0a70b45716e7ef3fae20b
-KIND_IMAGE_FULL_K8S_122=docker.io/kindest/node:v1.22.15@sha256:bfd5eaae36849bfb3c1e3b9442f3da17d730718248939d9d547e86bbac5da586
-KIND_IMAGE_FULL_K8S_123=docker.io/kindest/node:v1.23.12@sha256:9402cf1330bbd3a0d097d2033fa489b2abe40d479cc5ef47d0b6a6960613148a
-KIND_IMAGE_FULL_K8S_124=docker.io/kindest/node:v1.24.6@sha256:97e8d00bc37a7598a0b32d1fabd155a96355c49fa0d4d4790aab0f161bf31be1
-KIND_IMAGE_FULL_K8S_125=docker.io/kindest/node:v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
+KIND_IMAGE_FULL_K8S_120=docker.io/kindest/node:v1.20.15@sha256:a32bf55309294120616886b5338f95dd98a2f7231519c7dedcec32ba29699394
+KIND_IMAGE_FULL_K8S_121=docker.io/kindest/node:v1.21.14@sha256:9d9eb5fb26b4fbc0c6d95fa8c790414f9750dd583f5d7cee45d92e8c26670aa1
+KIND_IMAGE_FULL_K8S_122=docker.io/kindest/node:v1.22.15@sha256:7d9708c4b0873f0fe2e171e2b1b7f45ae89482617778c1c875f1053d4cef2e41
+KIND_IMAGE_FULL_K8S_123=docker.io/kindest/node:v1.23.13@sha256:ef453bb7c79f0e3caba88d2067d4196f427794086a7d0df8df4f019d5e336b61
+KIND_IMAGE_FULL_K8S_124=docker.io/kindest/node:v1.24.7@sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315
+KIND_IMAGE_FULL_K8S_125=docker.io/kindest/node:v1.25.3@sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5
From cdcfd552ff8605eee9a26fcc20cd229155d1f2d3 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Fri, 4 Nov 2022 16:31:20 +0000
Subject: [PATCH 0018/1253] add make target for updating base images
Signed-off-by: Ashley Davis
---
hack/latest-base-images.sh | 2 ++
make/tools.mk | 4 ++++
2 files changed, 6 insertions(+)
diff --git a/hack/latest-base-images.sh b/hack/latest-base-images.sh
index 6fb12c6aa1b..cda6d941e16 100755
--- a/hack/latest-base-images.sh
+++ b/hack/latest-base-images.sh
@@ -22,6 +22,8 @@ set -eu -o pipefail
# This in turn allows us to easily update all base images to their latest versions, while mantaining the use
# of digests rather than tags when we refer to these base images.
+CRANE=crane
+
TARGET=make/base_images.mk
STATIC_BASE=gcr.io/distroless/static
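Review bot: `CRANE=crane` is an unconditional assignment, so it overwrites the `CRANE=./$(BINDIR)/tools/crane` that the new `update-base-images` make target passes in the environment and the script falls back to whatever `crane` is on `PATH` — or fails if there is none — unless the script re-reads the environment further down, which is not visible here. `CRANE=${CRANE:-crane}` keeps the default while honouring the override, which is presumably how the sibling latest-kind-images.sh behaves given its make target uses the same prefix.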
diff --git a/make/tools.mk b/make/tools.mk
index 5d44d6323a8..920061b3eea 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -417,3 +417,7 @@ tools: $(TOOLS_PATHS) $(K8S_CODEGEN_TOOLS_PATHS) ## install all tools
.PHONY: update-kind-images
update-kind-images: $(BINDIR)/tools/crane
CRANE=./$(BINDIR)/tools/crane ./hack/latest-kind-images.sh
+
+.PHONY: update-base-images
+update-base-images: $(BINDIR)/tools/crane
+ CRANE=./$(BINDIR)/tools/crane ./hack/latest-base-images.sh
From d4de98d35b13a0553d1019e85cc0816262a9bdc7 Mon Sep 17 00:00:00 2001
From: Sathyanarayanan Saravanamuthu
Date: Sun, 6 Nov 2022 09:36:26 +0530
Subject: [PATCH 0019/1253] Adding unit tests
Signed-off-by: Sathyanarayanan Saravanamuthu
---
pkg/util/pki/csr_test.go | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/pkg/util/pki/csr_test.go b/pkg/util/pki/csr_test.go
index 4430db6d4a8..b2f7467325a 100644
--- a/pkg/util/pki/csr_test.go
+++ b/pkg/util/pki/csr_test.go
@@ -416,6 +416,32 @@ func TestGenerateCSR(t *testing.T) {
},
}
+ basicConstraintsValue, err := asn1.Marshal(struct {
+ IsCA bool
+ }{
+ IsCA: true,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // 0xa0 = DigitalSignature, Encipherment and KeyCertSign usage
+ asn1KeyUsageWithCa, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0xa4}, BitLength: asn1BitLength([]byte{0xa4})})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ basicConstraintsExtensions := []pkix.Extension{
+ {
+ Id: OIDExtensionKeyUsage,
+ Value: asn1KeyUsageWithCa,
+ },
+ {
+ Id: OIDExtensionBasicConstraints,
+ Value: basicConstraintsValue,
+ },
+ }
+
exampleLiteralSubject := "CN=actual-cn, OU=FooLong, OU=Bar, O=example.org"
rawExampleLiteralSubject, err := ParseSubjectStringToRawDerBytes(exampleLiteralSubject)
if err != nil {
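Review bot: The comment `// 0xa0 = DigitalSignature, Encipherment and KeyCertSign usage` does not match the value `0xa4` marshalled on the next line; 0xa4 sets bits 0, 2 and 5 (digitalSignature, keyEncipherment, keyCertSign), whereas 0xa0 would drop keyCertSign — the very bit this CA test case is about. `// 0xa4 = digitalSignature (bit 0), keyEncipherment (bit 2) and keyCertSign (bit 5)` states what the fixture actually asserts. TestGenerateCSR's body continues outside the hunk.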
@@ -457,6 +483,17 @@ func TestGenerateCSR(t *testing.T) {
ExtraExtensions: defaultExtraExtensions,
},
},
+ {
+ name: "Generate CSR from certificate with isCA set",
+ crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.org", IsCA: true}},
+ want: &x509.CertificateRequest{
+ Version: 0,
+ SignatureAlgorithm: x509.SHA256WithRSA,
+ PublicKeyAlgorithm: x509.RSA,
+ Subject: pkix.Name{CommonName: "example.org"},
+ ExtraExtensions: basicConstraintsExtensions,
+ },
+ },
{
name: "Generate CSR from certificate with extended key usages",
crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.org", Usages: []cmapi.KeyUsage{cmapi.UsageDigitalSignature, cmapi.UsageKeyEncipherment, cmapi.UsageIPsecEndSystem}}},
From 96e500f1893538f240455f70d0a861961ccf5729 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Mon, 7 Nov 2022 11:11:11 +0000
Subject: [PATCH 0020/1253] bump to latest go minor version to fix vulns
Signed-off-by: Ashley Davis
---
make/tools.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make/tools.mk b/make/tools.mk
index 920061b3eea..ba9cb0a8169 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -36,7 +36,7 @@ KUBEBUILDER_ASSETS_VERSION=1.25.0
TOOLS += etcd=$(KUBEBUILDER_ASSETS_VERSION)
TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION)
-VENDORED_GO_VERSION := 1.19.1
+VENDORED_GO_VERSION := 1.19.3
# When switching branches which use different versions of the tools, we
# need a way to re-trigger the symlinking from $(BINDIR)/downloaded to $(BINDIR)/tools.
From b8e51bc24cad44700f251137aee19d4c89a35ac5 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Mon, 7 Nov 2022 12:16:41 +0000
Subject: [PATCH 0021/1253] fix x/text vuln and ignore AWS vuln
Signed-off-by: Ashley Davis
---
.trivyignore | 7 +++++++
LICENSES | 2 +-
go.mod | 2 +-
go.sum | 2 ++
4 files changed, 11 insertions(+), 2 deletions(-)
create mode 100644 .trivyignore
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 00000000000..72622a3c73c
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,7 @@
+# These vulns relate to issues with v1 of the AWS Golang SDK
+# These issues relate to S3 encryption issues which cert-manager is unlikely to hit
+# Fixing them requires upgrading to v2 of the AWS Golang SDK which is a potentially large task
+CVE-2020-8911
+CVE-2020-8912
+GHSA-7f33-f4f5-xwgw
+GHSA-f5pg-7wfw-84q9
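Review bot: The ignore entries carry no owner, expiry or tracking reference, so this accepted risk for CVE-2020-8911/CVE-2020-8912 will silently outlive the AWS SDK v2 migration the comment anticipates. The justification is also phrased as a guess ("unlikely to hit"); it is stronger and checkable to state the actual reason, presumably that the SDK is only used for the Route53 DNS01 solver and the vulnerable S3 client-side encryption client is never imported, and to add `# Re-evaluate when migrating to aws-sdk-go-v2 (tracking issue: <link>)`. The two GHSA identifiers are presumably the advisory aliases of the same two CVEs; a comment line saying so (`# GHSA entries below are the GitHub aliases of the two CVEs above`) keeps the file self-explanatory when one of the IDs is later removed.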
diff --git a/LICENSES b/LICENSES
index a18c0732ac4..f36a1d9bda1 100644
--- a/LICENSES
+++ b/LICENSES
@@ -200,7 +200,7 @@ golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/f2134210:LICENSE,
golang.org/x/sync,https://cs.opensource.google/go/x/sync/+/7f9b1623:LICENSE,BSD-3-Clause
golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE,BSD-3-Clause
golang.org/x/term,https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE,BSD-3-Clause
-golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.3.7:LICENSE,BSD-3-Clause
+golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.3.8:LICENSE,BSD-3-Clause
golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE,BSD-3-Clause
gomodules.xyz/jsonpatch/v2,https://github.com/gomodules/jsonpatch/blob/v2.2.0/v2/LICENSE,Apache-2.0
google.golang.org/api,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/LICENSE,BSD-3-Clause
diff --git a/go.mod b/go.mod
index 31aa64600c1..575461f993b 100644
--- a/go.mod
+++ b/go.mod
@@ -231,7 +231,7 @@ require (
golang.org/x/net v0.0.0-20220921155015-db77216a4ee9 // indirect
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
- golang.org/x/text v0.3.7 // indirect
+ golang.org/x/text v0.3.8 // indirect
golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
golang.org/x/tools v0.1.12 // indirect
google.golang.org/appengine v1.6.7 // indirect
diff --git a/go.sum b/go.sum
index c5549acfc8a..cd784ff9dfc 100644
--- a/go.sum
+++ b/go.sum
@@ -1305,6 +1305,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
From efae037cec5e9f6c898f3d95db3c6574cf68df9f Mon Sep 17 00:00:00 2001
From: Igor Beliakov
Date: Wed, 9 Nov 2022 17:33:28 +0100
Subject: [PATCH 0022/1253] chore(Azure): improve naming, add comments
Signed-off-by: Igor Beliakov
---
pkg/issuer/acme/dns/azuredns/azuredns.go | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/pkg/issuer/acme/dns/azuredns/azuredns.go b/pkg/issuer/acme/dns/azuredns/azuredns.go
index 830ff620ac8..1ea57e92f65 100644
--- a/pkg/issuer/acme/dns/azuredns/azuredns.go
+++ b/pkg/issuer/acme/dns/azuredns/azuredns.go
@@ -72,7 +72,9 @@ func NewDNSProviderCredentials(environment, clientID, clientSecret, subscription
}, nil
}
-func getWIToken(env azure.Environment, options adal.ManagedIdentityOptions) (*adal.ServicePrincipalToken, error) {
+// getFederatedSPT prepares an SPT for a Workload Identity-enabled setup
+func getFederatedSPT(env azure.Environment, options adal.ManagedIdentityOptions) (*adal.ServicePrincipalToken, error) {
+ // NOTE: all related environment variables are described here: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, os.Getenv("AZURE_TENANT_ID"))
if err != nil {
return nil, fmt.Errorf("failed to retrieve OAuth config: %v", err)
@@ -83,6 +85,9 @@ func getWIToken(env azure.Environment, options adal.ManagedIdentityOptions) (*ad
return nil, fmt.Errorf("failed to read a file with a federated token: %v", err)
}
+ // AZURE_CLIENT_ID will be empty in case azure.workload.identity/client-id annotation is not set
+ // Also, some users might want to use a different MSI for a particular DNS zone
+ // Thus, it's important to offer optional ClientID overrides
clientID := os.Getenv("AZURE_CLIENT_ID")
if options.ClientID != "" {
clientID = options.ClientID
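Review bot: The new comment explains that AZURE_CLIENT_ID may be empty, but when `options.ClientID` is also unset the code carries an empty `clientID` into the token request, so the misconfiguration only surfaces later as an opaque AAD error (unless a check exists further down, outside this hunk). A guard right after the override, `if clientID == "" { return nil, fmt.Errorf("workload identity: no client ID; set the azure.workload.identity/client-id annotation or spec clientID") }`, fails fast with an actionable message. It would also help to say in the comment that the override is bounded by AAD's federated-credential trust: the chosen client ID must have a federated identity credential trusting this pod's service-account token, so a wrong `clientID` is refused rather than silently borrowing another identity. The function body continues outside the hunk.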
@@ -123,7 +128,7 @@ func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptio
// Use Workload Identity if present
if os.Getenv("AZURE_FEDERATED_TOKEN_FILE") != "" {
- token, err := getWIToken(env, opt)
+ spt, err := getFederatedSPT(env, opt)
if err != nil {
return nil, err
}
@@ -131,25 +136,25 @@ func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptio
// adal does not offer methods to dynamically replace a federated token, thus we need to have a wrapper to make sure
// we're using up-to-date secret while requesting an access token
var refreshFunc adal.TokenRefresh = func(context context.Context, resource string) (*adal.Token, error) {
- newWIToken, err := getWIToken(env, opt)
+ newSPT, err := getFederatedSPT(env, opt)
if err != nil {
return nil, err
}
// Need to call Refresh(), otherwise .Token() will be empty
- err = newWIToken.Refresh()
+ err = newSPT.Refresh()
if err != nil {
return nil, err
}
- accessToken := newWIToken.Token()
+ accessToken := newSPT.Token()
return &accessToken, nil
}
- token.SetCustomRefreshFunc(refreshFunc)
+ spt.SetCustomRefreshFunc(refreshFunc)
- return token, nil
+ return spt, nil
}
logf.Log.V(logf.InfoLevel).Info("No Azure Workload Identity found: attempting to authenticate with an Azure Managed Service Identity (MSI)")
From 218cdb7e0fbfbcb843da34d5a52d83b29ad16ab3 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Wed, 9 Nov 2022 16:06:12 +0000
Subject: [PATCH 0023/1253] Use RenegotiateOnceAsClient and explain why
Signed-off-by: Richard Wall
---
pkg/issuer/venafi/client/venaficlient.go | 103 ++++++++++++++++++++---
1 file changed, 92 insertions(+), 11 deletions(-)
diff --git a/pkg/issuer/venafi/client/venaficlient.go b/pkg/issuer/venafi/client/venaficlient.go
index cf684890fc3..4648b7ded14 100644
--- a/pkg/issuer/venafi/client/venaficlient.go
+++ b/pkg/issuer/venafi/client/venaficlient.go
@@ -17,7 +17,11 @@ limitations under the License.
package client
import (
+ "crypto/tls"
+ "crypto/x509"
"fmt"
+ "net"
+ "net/http"
"time"
vcert "github.com/Venafi/vcert/v4"
@@ -135,28 +139,27 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
username := string(tppSecret.Data[tppUsernameKey])
password := string(tppSecret.Data[tppPasswordKey])
accessToken := string(tppSecret.Data[tppAccessTokenKey])
- caBundle := string(tpp.CABundle)
return &vcert.Config{
ConnectorType: endpoint.ConnectorTypeTPP,
BaseUrl: tpp.URL,
Zone: venCfg.Zone,
// always enable verbose logging for now
- LogVerbose: true,
- ConnectionTrust: caBundle,
+ LogVerbose: true,
+ // We supply the CA bundle here, to trigger the vcert's builtin
+ // validation of the supplied PEM content.
+ // This is somewhat redundant because the value (if valid) will be
+ // ignored by vcert since we also supply a custom HTTP client,
+ // below. But we want to retain the CA bundle validation errors that
+ // were returned in previous versions of this code.
+ // https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/client.go#L55-L61
+ ConnectionTrust: string(tpp.CABundle),
Credentials: &endpoint.Authentication{
User: username,
Password: password,
AccessToken: accessToken,
},
- // this is needed for local development when tunneling to the TPP server
- //Client: &http.Client{
- // Transport: &http.Transport{
- // TLSClientConfig: &tls.Config{
- // Renegotiation: tls.RenegotiateOnceAsClient,
- // },
- // },
- //},
+ Client: httpClientForVcertTPP(tpp.CABundle),
}, nil
case venCfg.Cloud != nil:
cloud := venCfg.Cloud
@@ -187,6 +190,84 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
return nil, fmt.Errorf("neither Venafi Cloud or TPP configuration found")
}
+// httpClientForVcertTPP creates an HTTP client and customises it to allow client TLS renegotiation.
+//
+// Here's why:
+//
+// 1. The TPP API server served by Microsoft Windows Server + IIS.
+// 2. IIS uses TLS 1.2 by default[1] and it uses a
+// TLS-1.2 feature called "renegotiation" to allow client certificate
+// settings to be configured at the folder level. e.g.
+// https://tpp.example.com/vedauth may Require or Accept client
+// certificates while https://tpp.example.com/vedsdk may Ignore
+// client certificates.
+// 3. When IIS is configured this way it behaves as follows[2]:
+// "Server receives a connection request on port 443; it begins a
+// handshake. The server does not ask for a client certificate. Once
+// the handshake is completed, the client sends the actual target URL
+// as a HTTP request in the SSL tunnel. Up to that point, the server
+// did not know which page was targeted; it only knew, at best, the
+// intended server name (through the Server Name Indication). Now
+// that the server knows which page is targeted, he knows which
+// "site" (i.e. part of the server, in IIS terminology) is to be
+// used."
+// 4. In this scenario, the Go HTTP client MUST be configured to
+// renegotiate. By default it will refuse to renegotiate. We use
+// RenegotiateOnceAsClient rather than RenegotiateFreelyAsClient
+// because cert-manager establishes a new HTTPS connection for each
+// API request and therefore should only ever need to renegotiate
+// once in this scenario.
+// 5. But overriding the HTTP client like this causes vcert to ignore
+// the `vcert.Config.ConnectionTrust` field, so we also have to set
+// up the root CA trust pool ourselves.
+// 6. And the value of RootCAs MUST be nil unless the user has supplied
+// custom CA, because a nil value causes the Go HTTP client to load
+// the system default root CAs.
+//
+// [1] TLS protocol version support in Microsoft Windows: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#tls-protocol-version-support
+// [2] Should I use SSL/TLS renegotiation?: https://security.stackexchange.com/a/24569
+func httpClientForVcertTPP(caBundle []byte) *http.Client {
+ // Copy vcert's default HTTP transport, which is mostly identical to the
+ // http.DefaultTransport settings in Go's stdlib.
+ // https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/pkg/venafi/tpp/tpp.go#L481-L513
+ transport := &http.Transport{
+ Proxy: http.ProxyFromEnvironment,
+ DialContext: (&net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ // Note: This DualStack setting is copied from vcert but
+ // deviates from the http.DefaultTransport in Go's stdlib.
+ DualStack: true,
+ }).DialContext,
+ MaxIdleConns: 100,
+ IdleConnTimeout: 90 * time.Second,
+ TLSHandshakeTimeout: 10 * time.Second,
+ ExpectContinueTimeout: 1 * time.Second,
+ }
+
+ // Copy vcert's initialization of the TLS client config
+ tlsClientConfig := http.DefaultTransport.(*http.Transport).TLSClientConfig.Clone()
+ if len(caBundle) > 0 {
+ if tlsClientConfig == nil {
+ tlsClientConfig = &tls.Config{}
+ }
+ rootCAs := x509.NewCertPool()
+ rootCAs.AppendCertsFromPEM(caBundle)
+ tlsClientConfig.RootCAs = rootCAs
+ }
+ transport.TLSClientConfig = tlsClientConfig
+
+ // Enable TLS 1.2 renegotiation (see earlier comment for justification).
+ transport.TLSClientConfig.Renegotiation = tls.RenegotiateOnceAsClient
+
+ // Copy vcert's initialization of the HTTP client, which overrides the default timeout.
+ // https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/pkg/venafi/tpp/tpp.go#L481-L513
+ return &http.Client{
+ Transport: transport,
+ Timeout: time.Second * 30,
+ }
+}
+
func (v *Venafi) Ping() error {
return v.vcertClient.Ping()
}
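Review bot: `rootCAs.AppendCertsFromPEM(caBundle)` discards its boolean result, so a bundle with no parseable CERTIFICATE block produces an empty pool and every TPP connection then fails with a generic "certificate signed by unknown authority" instead of an error pointing at `caBundle`; the comment leans on vcert's ConnectionTrust validation to catch this, but that coupling is invisible at this site. Since the function is private, returning `(*http.Client, error)` and failing when AppendCertsFromPEM returns false keeps the check local (the single call site is in the previous hunk). The TLS config also leaves `MinVersion` unset, and Go's client default at this Go version still allows TLS 1.0; since the whole justification for renegotiation is that TPP is served over TLS 1.2, pinning `MinVersion = tls.VersionTLS12` costs nothing and drops the legacy versions. A short comment noting that Go's client only accepts renegotiation when the server presents the RFC 5746 secure-renegotiation extension would reassure readers that enabling it does not reintroduce the classic renegotiation injection attack.

```go
func httpClientForVcertTPP(caBundle []byte) (*http.Client, error) {
	// … unchanged: transport construction …
	tlsClientConfig := http.DefaultTransport.(*http.Transport).TLSClientConfig.Clone()
	if tlsClientConfig == nil {
		tlsClientConfig = &tls.Config{}
	}
	// TPP is served by IIS over TLS 1.2 (see comment above); never fall back to TLS 1.0/1.1.
	tlsClientConfig.MinVersion = tls.VersionTLS12
	if len(caBundle) > 0 {
		rootCAs := x509.NewCertPool()
		if !rootCAs.AppendCertsFromPEM(caBundle) {
			return nil, fmt.Errorf("caBundle contains no valid PEM-encoded certificates")
		}
		tlsClientConfig.RootCAs = rootCAs
	}
	transport.TLSClientConfig = tlsClientConfig
	// … unchanged: renegotiation setting and http.Client construction, now returning (client, nil) …
}
```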
From 1f1ed47c2acf4e79947ef1bab9eb2bfc5418ad99 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Wed, 9 Nov 2022 17:45:52 +0000
Subject: [PATCH 0024/1253] Always initialize tlsClientConfig if the default is
nil
Signed-off-by: Richard Wall
---
pkg/issuer/venafi/client/venaficlient.go | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/issuer/venafi/client/venaficlient.go b/pkg/issuer/venafi/client/venaficlient.go
index 4648b7ded14..0dcc7fa0706 100644
--- a/pkg/issuer/venafi/client/venaficlient.go
+++ b/pkg/issuer/venafi/client/venaficlient.go
@@ -247,10 +247,10 @@ func httpClientForVcertTPP(caBundle []byte) *http.Client {
// Copy vcert's initialization of the TLS client config
tlsClientConfig := http.DefaultTransport.(*http.Transport).TLSClientConfig.Clone()
+ if tlsClientConfig == nil {
+ tlsClientConfig = &tls.Config{}
+ }
if len(caBundle) > 0 {
- if tlsClientConfig == nil {
- tlsClientConfig = &tls.Config{}
- }
rootCAs := x509.NewCertPool()
rootCAs.AppendCertsFromPEM(caBundle)
tlsClientConfig.RootCAs = rootCAs
From df42b81326dce6ebd6e2b68f6e88b263c178af6b Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Wed, 9 Nov 2022 17:50:27 +0000
Subject: [PATCH 0025/1253] Fix typos in explanatory comment
Signed-off-by: Richard Wall
---
pkg/issuer/venafi/client/venaficlient.go | 26 ++++++++++++------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/pkg/issuer/venafi/client/venaficlient.go b/pkg/issuer/venafi/client/venaficlient.go
index 0dcc7fa0706..2b5049fbc29 100644
--- a/pkg/issuer/venafi/client/venaficlient.go
+++ b/pkg/issuer/venafi/client/venaficlient.go
@@ -194,8 +194,8 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
//
// Here's why:
//
-// 1. The TPP API server served by Microsoft Windows Server + IIS.
-// 2. IIS uses TLS 1.2 by default[1] and it uses a
+// 1. The TPP API server is served by Microsoft Windows Server and IIS.
+// 2. IIS uses TLS-1.2 by default[1] and it uses a
// TLS-1.2 feature called "renegotiation" to allow client certificate
// settings to be configured at the folder level. e.g.
// https://tpp.example.com/vedauth may Require or Accept client
@@ -212,17 +212,17 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
// "site" (i.e. part of the server, in IIS terminology) is to be
// used."
// 4. In this scenario, the Go HTTP client MUST be configured to
-// renegotiate. By default it will refuse to renegotiate. We use
-// RenegotiateOnceAsClient rather than RenegotiateFreelyAsClient
-// because cert-manager establishes a new HTTPS connection for each
-// API request and therefore should only ever need to renegotiate
-// once in this scenario.
-// 5. But overriding the HTTP client like this causes vcert to ignore
-// the `vcert.Config.ConnectionTrust` field, so we also have to set
-// up the root CA trust pool ourselves.
-// 6. And the value of RootCAs MUST be nil unless the user has supplied
-// custom CA, because a nil value causes the Go HTTP client to load
-// the system default root CAs.
+// renegotiate (by default it will refuse to renegotiate).
+// We use RenegotiateOnceAsClient rather than RenegotiateFreelyAsClient
+// because cert-manager establishes a new HTTPS connection for each API
+// request and therefore should only ever need to renegotiate once in this
+// scenario.
+// 5. But overriding the HTTP client causes vcert to ignore the
+// `vcert.Config.ConnectionTrust` field, so we also have to set up the root
+// CA trust pool ourselves.
+// 6. And the value of RootCAs MUST be nil unless the user has supplied a
+// custom CA, because a nil value causes the Go HTTP client to load the
+// system default root CAs.
//
// [1] TLS protocol version support in Microsoft Windows: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#tls-protocol-version-support
// [2] Should I use SSL/TLS renegotiation?: https://security.stackexchange.com/a/24569
From b9997498547e8143566a52258019748cdd6ced7d Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Thu, 10 Nov 2022 09:21:31 +0100
Subject: [PATCH 0026/1253] improve gen.CSR and use it everywhere
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
internal/vault/vault_test.go | 21 +---
.../certificaterequests/acme/acme_test.go | 44 ++------
.../certificaterequests/ca/ca_test.go | 22 ++--
.../selfsigned/selfsigned_test.go | 29 ++---
.../certificaterequests/sync_test.go | 26 ++---
.../certificaterequests/vault/vault_test.go | 19 +---
.../certificaterequests/venafi/venafi_test.go | 23 ++--
.../certificatesigningrequests/ca/ca_test.go | 19 ++--
.../selfsigned/selfsigned_test.go | 13 +--
pkg/issuer/venafi/client/request_test.go | 24 ++---
test/e2e/suite/issuers/selfsigned/fixtures.go | 52 ++-------
.../ctl/ctl_status_certificate_test.go | 17 +--
test/unit/gen/csr.go | 102 +++++++++++++++---
13 files changed, 160 insertions(+), 251 deletions(-)
diff --git a/internal/vault/vault_test.go b/internal/vault/vault_test.go
index 253c0f21ff8..74518af6615 100644
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@@ -19,12 +19,8 @@ package vault
import (
"bytes"
"crypto"
- "crypto/rand"
"crypto/rsa"
"crypto/x509"
- "crypto/x509/pkix"
- "encoding/asn1"
- "encoding/pem"
"errors"
"fmt"
"io"
@@ -157,22 +153,13 @@ func generateRSAPrivateKey(t *testing.T) *rsa.PrivateKey {
}
func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
- asn1Subj, _ := asn1.Marshal(pkix.Name{
- CommonName: "test",
- }.ToRDNSequence())
- template := x509.CertificateRequest{
- RawSubject: asn1Subj,
- SignatureAlgorithm: x509.SHA256WithRSA,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName("test"),
+ )
if err != nil {
- t.Errorf("failed to create CSR: %s", err)
- t.FailNow()
+ t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr
}
diff --git a/pkg/controller/certificaterequests/acme/acme_test.go b/pkg/controller/certificaterequests/acme/acme_test.go
index 1b7906ed084..65985a350ed 100644
--- a/pkg/controller/certificaterequests/acme/acme_test.go
+++ b/pkg/controller/certificaterequests/acme/acme_test.go
@@ -19,13 +19,10 @@ package acme
import (
"context"
"crypto"
- "crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
- "encoding/pem"
"errors"
"math/big"
- "net"
"reflect"
"testing"
"time"
@@ -56,50 +53,27 @@ var (
)
func generateCSR(t *testing.T, secretKey crypto.Signer, commonName string, dnsNames ...string) []byte {
- // The CommonName of the certificate request must also be present in the DNS
- // Names.
- template := x509.CertificateRequest{
- Subject: pkix.Name{
- CommonName: commonName,
- },
- SignatureAlgorithm: x509.SHA256WithRSA,
- DNSNames: dnsNames,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName(commonName),
+ gen.SetCSRDNSNames(dnsNames...),
+ )
if err != nil {
t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr
}
func generateCSRWithIPs(t *testing.T, secretKey crypto.Signer, commonName string, dnsNames []string, ips []string) []byte {
- // The CommonName of the certificate request must also be present in the DNS
- // Names.
-
- var certIPs []net.IP
- for _, ip := range ips {
- certIPs = append(certIPs, net.ParseIP(ip))
- }
- template := x509.CertificateRequest{
- Subject: pkix.Name{
- CommonName: commonName,
- },
- SignatureAlgorithm: x509.SHA256WithRSA,
- DNSNames: dnsNames,
- IPAddresses: certIPs,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName(commonName),
+ gen.SetCSRDNSNames(dnsNames...),
+ gen.SetCSRIPAddressesFromStrings(ips...),
+ )
if err != nil {
t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr
}
diff --git a/pkg/controller/certificaterequests/ca/ca_test.go b/pkg/controller/certificaterequests/ca/ca_test.go
index 40c03d2b4d0..ff42c29e5cb 100644
--- a/pkg/controller/certificaterequests/ca/ca_test.go
+++ b/pkg/controller/certificaterequests/ca/ca_test.go
@@ -23,8 +23,6 @@ import (
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
- "encoding/asn1"
- "encoding/pem"
"errors"
"math"
"math/big"
@@ -58,22 +56,14 @@ var (
fixedClock = fakeclock.NewFakeClock(fixedClockStart)
)
-func generateCSR(t *testing.T, secretKey crypto.Signer, sigAlg x509.SignatureAlgorithm) []byte {
- asn1Subj, _ := asn1.Marshal(pkix.Name{
- CommonName: "test",
- }.ToRDNSequence())
- template := x509.CertificateRequest{
- RawSubject: asn1Subj,
- SignatureAlgorithm: sigAlg,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName("test"),
+ )
if err != nil {
t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr
}
@@ -124,7 +114,7 @@ func TestSign(t *testing.T) {
if err != nil {
t.Fatal(err)
}
- testCSR := generateCSR(t, testpk, x509.ECDSAWithSHA256)
+ testCSR := generateCSR(t, testpk)
baseCRNotApproved := gen.CertificateRequest("test-cr",
gen.SetCertificateRequestIsCA(true),
@@ -476,7 +466,7 @@ func TestCA_Sign(t *testing.T) {
if err != nil {
t.Fatal(err)
}
- testCSR := generateCSR(t, testpk, x509.ECDSAWithSHA256)
+ testCSR := generateCSR(t, testpk)
tests := map[string]struct {
givenCASecret *corev1.Secret
diff --git a/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go b/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go
index 36daeb3ca42..b53cf146bc0 100644
--- a/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go
+++ b/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go
@@ -19,11 +19,7 @@ package selfsigned
import (
"context"
"crypto"
- "crypto/rand"
"crypto/x509"
- "crypto/x509/pkix"
- "encoding/asn1"
- "encoding/pem"
"errors"
"fmt"
"testing"
@@ -53,23 +49,14 @@ var (
fixedClock = fakeclock.NewFakeClock(fixedClockStart)
)
-func generateCSR(t *testing.T, secretKey crypto.Signer, alg x509.SignatureAlgorithm, commonName string) []byte {
- asn1Subj, _ := asn1.Marshal(pkix.Name{
- CommonName: commonName,
- }.ToRDNSequence())
- template := x509.CertificateRequest{
- RawSubject: asn1Subj,
- SignatureAlgorithm: alg,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer, commonName string) []byte {
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName(commonName),
+ )
if err != nil {
- t.Error(err)
- t.FailNow()
+ t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr
}
@@ -108,7 +95,7 @@ func TestSign(t *testing.T) {
corev1.TLSPrivateKeyKey: []byte("this is a bad key"),
},
}
- csrRSAPEM := generateCSR(t, skRSA, x509.SHA256WithRSA, "test-rsa")
+ csrRSAPEM := generateCSR(t, skRSA, "test-rsa")
skEC, err := pki.GenerateECPrivateKey(256)
if err != nil {
@@ -129,9 +116,9 @@ func TestSign(t *testing.T) {
corev1.TLSPrivateKeyKey: skECPEM,
},
}
- csrECPEM := generateCSR(t, skEC, x509.ECDSAWithSHA256, "test-ec")
+ csrECPEM := generateCSR(t, skEC, "test-ec")
- csrEmptyCertPEM := generateCSR(t, skEC, x509.ECDSAWithSHA256, "")
+ csrEmptyCertPEM := generateCSR(t, skEC, "")
baseCRNotApproved := gen.CertificateRequest("test-cr",
gen.SetCertificateRequestAnnotations(
diff --git a/pkg/controller/certificaterequests/sync_test.go b/pkg/controller/certificaterequests/sync_test.go
index 74b1b279418..cba4dcdb20f 100644
--- a/pkg/controller/certificaterequests/sync_test.go
+++ b/pkg/controller/certificaterequests/sync_test.go
@@ -22,8 +22,6 @@ import (
"crypto"
"crypto/rand"
"crypto/x509"
- "crypto/x509/pkix"
- "encoding/asn1"
"encoding/pem"
"errors"
"testing"
@@ -52,24 +50,14 @@ var (
fixedClock = fakeclock.NewFakeClock(fixedClockStart)
)
-func generateCSR(t *testing.T, secretKey crypto.Signer, alg x509.SignatureAlgorithm) []byte {
- t.Helper()
- asn1Subj, _ := asn1.Marshal(pkix.Name{
- CommonName: "test",
- }.ToRDNSequence())
- template := x509.CertificateRequest{
- RawSubject: asn1Subj,
- SignatureAlgorithm: alg,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName("test"),
+ )
if err != nil {
- t.Error(err)
- t.FailNow()
+ t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr
}
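Review bot: The rewritten `generateCSR` drops the `t.Helper()` call that the removed version had as its first statement, so when `gen.CSRWithSigner` fails, `t.Fatal` now reports this helper's line rather than the calling test's, which makes failures in the table-driven tests below harder to attribute. Re-add `t.Helper()` as the first line of the new body. The sibling helpers rewritten in this commit never had it; adding it while they are being touched would make the whole set consistent.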
@@ -115,8 +103,8 @@ func TestSync(t *testing.T) {
t.FailNow()
}
- csrRSAPEM := generateCSR(t, skRSA, x509.SHA256WithRSA)
- csrECPEM := generateCSR(t, skEC, x509.ECDSAWithSHA256)
+ csrRSAPEM := generateCSR(t, skRSA)
+ csrECPEM := generateCSR(t, skEC)
baseIssuer := gen.Issuer("test-issuer",
gen.SetIssuerSelfSigned(cmapi.SelfSignedIssuer{}),
diff --git a/pkg/controller/certificaterequests/vault/vault_test.go b/pkg/controller/certificaterequests/vault/vault_test.go
index ee11a87aa9c..d7215524120 100644
--- a/pkg/controller/certificaterequests/vault/vault_test.go
+++ b/pkg/controller/certificaterequests/vault/vault_test.go
@@ -22,8 +22,6 @@ import (
"crypto"
"crypto/rand"
"crypto/x509"
- "crypto/x509/pkix"
- "encoding/asn1"
"encoding/pem"
"errors"
"fmt"
@@ -56,22 +54,13 @@ var (
)
func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
- asn1Subj, _ := asn1.Marshal(pkix.Name{
- CommonName: "test",
- }.ToRDNSequence())
- template := x509.CertificateRequest{
- RawSubject: asn1Subj,
- SignatureAlgorithm: x509.SHA256WithRSA,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName("test"),
+ )
if err != nil {
- t.Error(err)
- t.FailNow()
+ t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr
}
diff --git a/pkg/controller/certificaterequests/venafi/venafi_test.go b/pkg/controller/certificaterequests/venafi/venafi_test.go
index dc6d446a93e..11394af2681 100644
--- a/pkg/controller/certificaterequests/venafi/venafi_test.go
+++ b/pkg/controller/certificaterequests/venafi/venafi_test.go
@@ -22,7 +22,6 @@ import (
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
- "encoding/pem"
"errors"
"math/big"
"testing"
@@ -58,25 +57,15 @@ var (
fixedClock = fakeclock.NewFakeClock(fixedClockStart)
)
-func generateCSR(t *testing.T, secretKey crypto.Signer, alg x509.SignatureAlgorithm) []byte {
- template := x509.CertificateRequest{
- Subject: pkix.Name{
- CommonName: "test-common-name",
- },
- DNSNames: []string{
- "foo.example.com", "bar.example.com",
- },
- SignatureAlgorithm: alg,
- PublicKey: secretKey.Public(),
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName("test-common-name"),
+ gen.SetCSRDNSNames("foo.example.com", "bar.example.com"),
+ )
if err != nil {
t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr
}
@@ -116,7 +105,7 @@ func TestSign(t *testing.T) {
t.Fatal(err)
}
- csrPEM := generateCSR(t, testPK, x509.ECDSAWithSHA256)
+ csrPEM := generateCSR(t, testPK)
tppSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
diff --git a/pkg/controller/certificatesigningrequests/ca/ca_test.go b/pkg/controller/certificatesigningrequests/ca/ca_test.go
index e72eb98ef2f..7cabf3a314a 100644
--- a/pkg/controller/certificatesigningrequests/ca/ca_test.go
+++ b/pkg/controller/certificatesigningrequests/ca/ca_test.go
@@ -23,7 +23,6 @@ import (
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
- "encoding/pem"
"errors"
"math"
"math/big"
@@ -59,19 +58,13 @@ var (
fixedClock = fakeclock.NewFakeClock(fixedClockStart)
)
-func generateCSR(t *testing.T, secretKey crypto.Signer, sigAlg x509.SignatureAlgorithm) []byte {
- template := x509.CertificateRequest{
- Subject: pkix.Name{
- CommonName: "test",
- },
- SignatureAlgorithm: sigAlg,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName("test"),
+ )
if err != nil {
t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
return csr
}
@@ -124,7 +117,7 @@ func TestSign(t *testing.T) {
if err != nil {
t.Fatal(err)
}
- testCSR := generateCSR(t, testpk, x509.ECDSAWithSHA256)
+ testCSR := generateCSR(t, testpk)
baseCSRNotApproved := gen.CertificateSigningRequest("test-cr",
gen.SetCertificateSigningRequestIsCA(true),
@@ -606,7 +599,7 @@ func TestCA_Sign(t *testing.T) {
if err != nil {
t.Fatal(err)
}
- testCSR := generateCSR(t, testpk, x509.ECDSAWithSHA256)
+ testCSR := generateCSR(t, testpk)
tests := map[string]struct {
givenCASecret *corev1.Secret
diff --git a/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go b/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go
index e33d2692c88..a7e910665b2 100644
--- a/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go
+++ b/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go
@@ -19,10 +19,7 @@ package selfsigned
import (
"context"
"crypto"
- "crypto/rand"
"crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
"errors"
"math"
"testing"
@@ -69,18 +66,10 @@ func mustCryptoBundle(t *testing.T) cryptoBundle {
t.Fatal(err)
}
- template := x509.CertificateRequest{
- Subject: pkix.Name{
- CommonName: "test",
- },
- SignatureAlgorithm: x509.ECDSAWithSHA256,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, key)
+ csrPEM, err := gen.CSRWithSigner(key, gen.SetCSRCommonName("test"))
if err != nil {
t.Fatal(err)
}
- csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
keyPEM, err := pki.EncodePKCS8PrivateKey(key)
if err != nil {
diff --git a/pkg/issuer/venafi/client/request_test.go b/pkg/issuer/venafi/client/request_test.go
index 54055381eca..0477875267c 100644
--- a/pkg/issuer/venafi/client/request_test.go
+++ b/pkg/issuer/venafi/client/request_test.go
@@ -18,10 +18,6 @@ package client
import (
"crypto"
- "crypto/rand"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
"errors"
"testing"
"time"
@@ -34,6 +30,7 @@ import (
internalfake "github.com/cert-manager/cert-manager/pkg/issuer/venafi/client/fake"
"github.com/cert-manager/cert-manager/pkg/util"
"github.com/cert-manager/cert-manager/pkg/util/pki"
+ "github.com/cert-manager/cert-manager/test/unit/gen"
)
func checkCertificateIssued(t *testing.T, csrPEM []byte, resp []byte) {
@@ -77,22 +74,15 @@ func checkCertificateIssued(t *testing.T, csrPEM []byte, resp []byte) {
}
}
-func generateCSR(t *testing.T, sk crypto.Signer, commonName string, dnsNames []string) []byte {
- template := x509.CertificateRequest{
- Subject: pkix.Name{
- CommonName: commonName,
- },
- SignatureAlgorithm: x509.SHA256WithRSA,
- DNSNames: dnsNames,
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, sk)
+func generateCSR(t *testing.T, secretKey crypto.Signer, commonName string, dnsNames []string) []byte {
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName(commonName),
+ gen.SetCSRDNSNames(dnsNames...),
+ )
if err != nil {
- t.Error(err)
- t.FailNow()
+ t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
return csr
}
diff --git a/test/e2e/suite/issuers/selfsigned/fixtures.go b/test/e2e/suite/issuers/selfsigned/fixtures.go
index 2b22f51c75b..31dd4d3fd88 100644
--- a/test/e2e/suite/issuers/selfsigned/fixtures.go
+++ b/test/e2e/suite/issuers/selfsigned/fixtures.go
@@ -18,18 +18,12 @@ package selfsigned
import (
"crypto"
- "crypto/rand"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/asn1"
- "encoding/pem"
- "net"
- "net/url"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/pkg/util/pki"
+ "github.com/cert-manager/cert-manager/test/unit/gen"
)
var rootRSAKeySigner, rootECKeySigner, rootEd25519Signer crypto.Signer
@@ -107,7 +101,7 @@ func newPrivateKeySecret(name, namespace string, keyData []byte) *corev1.Secret
}
func generateRSACSR() ([]byte, error) {
- csr, err := generateCSR(rootRSAKeySigner, x509.SHA256WithRSA)
+ csr, err := generateCSR(rootRSAKeySigner)
if err != nil {
return nil, err
}
@@ -116,7 +110,7 @@ func generateRSACSR() ([]byte, error) {
}
func generateECCSR() ([]byte, error) {
- csr, err := generateCSR(rootECKeySigner, x509.ECDSAWithSHA256)
+ csr, err := generateCSR(rootECKeySigner)
if err != nil {
return nil, err
}
@@ -125,7 +119,7 @@ func generateECCSR() ([]byte, error) {
}
func generateEd25519CSR() ([]byte, error) {
- csr, err := generateCSR(rootEd25519Signer, x509.PureEd25519)
+ csr, err := generateCSR(rootEd25519Signer)
if err != nil {
return nil, err
}
@@ -133,40 +127,16 @@ func generateEd25519CSR() ([]byte, error) {
return csr, nil
}
-func generateCSR(privateKey crypto.Signer, alg x509.SignatureAlgorithm) ([]byte, error) {
- var uris []*url.URL
- for _, uri := range []string{
- "spiffe://foo.foo.example.net",
- "spiffe://foo.bar.example.net",
- } {
- parsed, err := url.Parse(uri)
- if err != nil {
- return nil, err
- }
- uris = append(uris, parsed)
- }
-
- asn1Subj, _ := asn1.Marshal(pkix.Name{
- CommonName: "my-common-name",
- }.ToRDNSequence())
- template := x509.CertificateRequest{
- RawSubject: asn1Subj,
- SignatureAlgorithm: alg,
- URIs: uris,
-
- DNSNames: []string{"dnsName1.co", "dnsName2.ninja"},
- IPAddresses: []net.IP{
- []byte{8, 8, 8, 8},
- []byte{1, 1, 1, 1},
- },
- }
-
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, privateKey)
+func generateCSR(secretKey crypto.Signer) ([]byte, error) {
+ csr, err := gen.CSRWithSigner(secretKey,
+ gen.SetCSRCommonName("my-common-name"),
+ gen.SetCSRURIsFromStrings("spiffe://foo.foo.example.net", "spiffe://foo.bar.example.net"),
+ gen.SetCSRDNSNames("dnsName1.co", "dnsName2.ninja"),
+ gen.SetCSRIPAddresses([]byte{8, 8, 8, 8}, []byte{1, 1, 1, 1}),
+ )
if err != nil {
return nil, err
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr, nil
}
diff --git a/test/integration/ctl/ctl_status_certificate_test.go b/test/integration/ctl/ctl_status_certificate_test.go
index 8477b2a0076..d016f0416d3 100644
--- a/test/integration/ctl/ctl_status_certificate_test.go
+++ b/test/integration/ctl/ctl_status_certificate_test.go
@@ -18,11 +18,6 @@ package ctl
import (
"context"
- "crypto/rand"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/asn1"
- "encoding/pem"
"fmt"
"regexp"
"strings"
@@ -54,20 +49,14 @@ func generateCSR(t *testing.T) []byte {
if err != nil {
t.Fatal(err)
}
- asn1Subj, _ := asn1.Marshal(pkix.Name{
- CommonName: "test",
- }.ToRDNSequence())
- template := x509.CertificateRequest{
- RawSubject: asn1Subj,
- }
- csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, skRSA)
+ csr, err := gen.CSRWithSigner(skRSA,
+ gen.SetCSRCommonName("test"),
+ )
if err != nil {
t.Fatal(err)
}
- csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
return csr
}
diff --git a/test/unit/gen/csr.go b/test/unit/gen/csr.go
index db2fcb0d1e1..659286c1171 100644
--- a/test/unit/gen/csr.go
+++ b/test/unit/gen/csr.go
@@ -18,6 +18,10 @@ package gen
import (
"crypto"
+ "crypto/ecdsa"
+ "crypto/ed25519"
+ "crypto/elliptic"
+ "crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
@@ -27,32 +31,68 @@ import (
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
-type CSRModifier func(*x509.CertificateRequest)
+type CSRModifier func(*x509.CertificateRequest) error
func CSR(keyAlgorithm x509.PublicKeyAlgorithm, mods ...CSRModifier) (csr []byte, sk crypto.Signer, err error) {
- var signatureAlgorithm x509.SignatureAlgorithm
-
switch keyAlgorithm {
case x509.RSA:
- sk, err = pki.GenerateRSAPrivateKey(2048)
+ sk, err = pki.GenerateRSAPrivateKey(pki.MinRSAKeySize)
if err != nil {
return nil, nil, err
}
- signatureAlgorithm = x509.SHA256WithRSA
case x509.ECDSA:
sk, err = pki.GenerateECPrivateKey(pki.ECCurve256)
if err != nil {
return nil, nil, err
}
- signatureAlgorithm = x509.ECDSAWithSHA256
case x509.Ed25519:
sk, err = pki.GenerateEd25519PrivateKey()
if err != nil {
return nil, nil, err
}
+ default:
+ return nil, nil, fmt.Errorf("unrecognised key algorithm: %s", keyAlgorithm)
+ }
+
+ csr, err = CSRWithSigner(sk, mods...)
+ return
+}
+
+func CSRWithSigner(sk crypto.Signer, mods ...CSRModifier) (csr []byte, err error) {
+ var keyAlgorithm x509.PublicKeyAlgorithm
+ var signatureAlgorithm x509.SignatureAlgorithm
+
+ switch pub := sk.Public().(type) {
+ case *rsa.PublicKey:
+ keyAlgorithm = x509.RSA
+ keySize := pub.N.BitLen()
+ switch {
+ case keySize >= 4096:
+ signatureAlgorithm = x509.SHA512WithRSA
+ case keySize >= 3072:
+ signatureAlgorithm = x509.SHA384WithRSA
+ case keySize >= 2048:
+ signatureAlgorithm = x509.SHA256WithRSA
+ default:
+ signatureAlgorithm = x509.SHA1WithRSA
+ }
+ case *ecdsa.PublicKey:
+ keyAlgorithm = x509.ECDSA
+ switch pub.Curve {
+ case elliptic.P256():
+ signatureAlgorithm = x509.ECDSAWithSHA256
+ case elliptic.P384():
+ signatureAlgorithm = x509.ECDSAWithSHA384
+ case elliptic.P521():
+ signatureAlgorithm = x509.ECDSAWithSHA512
+ default:
+ signatureAlgorithm = x509.ECDSAWithSHA1
+ }
+ case ed25519.PublicKey:
+ keyAlgorithm = x509.Ed25519
signatureAlgorithm = x509.PureEd25519
default:
- return nil, nil, fmt.Errorf("unrecognised key algorithm: %s", err)
+ return nil, fmt.Errorf("unrecognised public key type: %T", sk)
}
cr := &x509.CertificateRequest{
@@ -62,12 +102,15 @@ func CSR(keyAlgorithm x509.PublicKeyAlgorithm, mods ...CSRModifier) (csr []byte,
PublicKey: sk.Public(),
}
for _, mod := range mods {
- mod(cr)
+ err = mod(cr)
+ if err != nil {
+ return
+ }
}
csrBytes, err := pki.EncodeCSR(cr, sk)
if err != nil {
- return nil, nil, err
+ return nil, err
}
csr = pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE REQUEST", Bytes: csrBytes,
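Review bot: The modifier loop uses a bare `return` that relies on the named results, so it returns whatever `csr` holds at that point (nil) together with the raw modifier error, which carries no hint of which modifier failed. `if err := mod(cr); err != nil { return nil, fmt.Errorf("applying CSR modifier: %w", err) }` is explicit about both values and keeps the loop readable without the named-result dependency. CSRWithSigner starts in the previous hunk and ends after this one.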
@@ -76,31 +119,62 @@ func CSR(keyAlgorithm x509.PublicKeyAlgorithm, mods ...CSRModifier) (csr []byte,
}
func SetCSRDNSNames(dnsNames ...string) CSRModifier {
- return func(c *x509.CertificateRequest) {
+ return func(c *x509.CertificateRequest) error {
c.DNSNames = dnsNames
+ return nil
}
}
func SetCSRIPAddresses(ips ...net.IP) CSRModifier {
- return func(c *x509.CertificateRequest) {
+ return func(c *x509.CertificateRequest) error {
c.IPAddresses = ips
+ return nil
+ }
+}
+
+func SetCSRIPAddressesFromStrings(ips ...string) CSRModifier {
+ return func(c *x509.CertificateRequest) error {
+ var certIPs []net.IP
+ for _, ip := range ips {
+ certIPs = append(certIPs, net.ParseIP(ip))
+ }
+ c.IPAddresses = certIPs
+ return nil
}
}
func SetCSRURIs(uris ...*url.URL) CSRModifier {
- return func(c *x509.CertificateRequest) {
+ return func(c *x509.CertificateRequest) error {
c.URIs = uris
+ return nil
+ }
+}
+
+func SetCSRURIsFromStrings(uris ...string) CSRModifier {
+ return func(c *x509.CertificateRequest) error {
+ var certUris []*url.URL
+ for _, uri := range uris {
+ parsed, err := url.Parse(uri)
+ if err != nil {
+ return err
+ }
+ certUris = append(certUris, parsed)
+ }
+ c.URIs = certUris
+ return nil
}
}
func SetCSRCommonName(commonName string) CSRModifier {
- return func(c *x509.CertificateRequest) {
+ return func(c *x509.CertificateRequest) error {
c.Subject.CommonName = commonName
+ return nil
}
}
func SetCSREmails(emails []string) CSRModifier {
- return func(c *x509.CertificateRequest) {
+ return func(c *x509.CertificateRequest) error {
c.EmailAddresses = emails
+ return nil
}
}
From 860ba8465a9fc5f680743f1f7e3888f98573cfcc Mon Sep 17 00:00:00 2001
From: Sathyanarayanan Saravanamuthu
Date: Thu, 10 Nov 2022 14:27:26 +0530
Subject: [PATCH 0027/1253] Addressing review comments
Signed-off-by: Sathyanarayanan Saravanamuthu
---
internal/controller/feature/features.go | 7 +++
pkg/util/pki/csr.go | 8 +--
pkg/util/pki/csr_test.go | 81 +++++++++++++++++++------
3 files changed, 75 insertions(+), 21 deletions(-)
diff --git a/internal/controller/feature/features.go b/internal/controller/feature/features.go
index db4e65a68bc..05c7b39e6b6 100644
--- a/internal/controller/feature/features.go
+++ b/internal/controller/feature/features.go
@@ -64,6 +64,12 @@ const (
// This feature gate will disable auto-generated CertificateRequest name
// Github Issue: https://github.com/cert-manager/cert-manager/issues/4956
StableCertificateRequestName featuregate.Feature = "StableCertificateRequestName"
+
+ // Alpha: v1.11
+ // UseCertificateRequestBasicConstraints will add Basic Constraints section in the Extension Request of the Certificate Signing Request
+ // This feature will add BasicConstraints section with CA field defaulting to false; CA field will be set true if the Certificate resource spec has isCA as true
+ // Github Issue: https://github.com/cert-manager/cert-manager/issues/5539
+ UseCertificateRequestBasicConstraints featuregate.Feature = "UseCertificateRequestBasicConstraints"
)
func init() {
@@ -81,4 +87,5 @@ var defaultCertManagerFeatureGates = map[featuregate.Feature]featuregate.Feature
ServerSideApply: {Default: false, PreRelease: featuregate.Alpha},
LiteralCertificateSubject: {Default: false, PreRelease: featuregate.Alpha},
StableCertificateRequestName: {Default: false, PreRelease: featuregate.Alpha},
+ UseCertificateRequestBasicConstraints: {Default: false, PreRelease: featuregate.Alpha},
}
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 34dae8bbc78..bb4776fa6e0 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -216,8 +216,8 @@ func GenerateCSR(crt *v1.Certificate) (*x509.CertificateRequest, error) {
}
}
- if crt.Spec.IsCA {
- extension, err := buildBasicConstraintsExtensionsForCertificate()
+ if utilfeature.DefaultFeatureGate.Enabled(feature.UseCertificateRequestBasicConstraints) {
+ extension, err := buildBasicConstraintsExtensionsForCertificate(crt.Spec.IsCA)
if err != nil {
return nil, err
}
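Review bot: Replacing `if crt.Spec.IsCA` with the feature-gate check also drops the previous unconditional behaviour for CA-flagged Certificates: with `UseCertificateRequestBasicConstraints` defaulting to false (features.go in this patch), an `isCA: true` Certificate now yields a CSR without the Basic Constraints extension at all. If the unconditional path has already shipped in a release, that is a silent regression for users relying on it and should either be called out in the release notes or preserved with `if crt.Spec.IsCA || utilfeature.DefaultFeatureGate.Enabled(feature.UseCertificateRequestBasicConstraints) {`. GenerateCSR starts and ends outside the hunk.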
@@ -306,7 +306,7 @@ func buildKeyUsagesExtensionsForCertificate(crt *v1.Certificate) ([]pkix.Extensi
return extraExtensions, nil
}
-func buildBasicConstraintsExtensionsForCertificate() (pkix.Extension, error) {
+func buildBasicConstraintsExtensionsForCertificate(isCA bool) (pkix.Extension, error) {
basicConstraints := pkix.Extension{
Id: OIDExtensionBasicConstraints,
@@ -315,7 +315,7 @@ func buildBasicConstraintsExtensionsForCertificate() (pkix.Extension, error) {
constraint := struct {
IsCA bool
}{
- IsCA: true,
+ IsCA: isCA,
}
var err error
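Review bot: Marshalling `IsCA: false` through the untagged `struct{ IsCA bool }` emits an explicit `BOOLEAN FALSE`, but RFC 5280 declares `cA BOOLEAN DEFAULT FALSE` and DER requires a component equal to its default to be omitted; the standard library's own basicConstraints type tags the field with `asn1:"optional"` precisely so a false value is dropped and the SEQUENCE is empty. The explicit form is not canonical DER, may be rejected by strict parsers, and differs from what `x509.CreateCertificate` produces for the same CA=false certificate. Adding the `asn1:"optional"` tag to the `IsCA bool` field gives the canonical encoding; the `basicConstraintsGenerator` helper in csr_test.go would need the same tag so the expectations keep matching. buildBasicConstraintsExtensionsForCertificate starts and ends outside the hunk.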
diff --git a/pkg/util/pki/csr_test.go b/pkg/util/pki/csr_test.go
index b2f7467325a..ddfb784e6d2 100644
--- a/pkg/util/pki/csr_test.go
+++ b/pkg/util/pki/csr_test.go
@@ -416,30 +416,28 @@ func TestGenerateCSR(t *testing.T) {
},
}
- basicConstraintsValue, err := asn1.Marshal(struct {
- IsCA bool
- }{
- IsCA: true,
- })
+ basicConstraintsGenerator := func(isCA bool) ([]byte, error) {
+ return asn1.Marshal(struct {
+ IsCA bool
+ }{
+ IsCA: isCA,
+ })
+ }
+
+ basicConstraintsWithCA, err := basicConstraintsGenerator(true)
if err != nil {
t.Fatal(err)
}
- // 0xa0 = DigitalSignature, Encipherment and KeyCertSign usage
- asn1KeyUsageWithCa, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0xa4}, BitLength: asn1BitLength([]byte{0xa4})})
+ basicConstraintsWithoutCA, err := basicConstraintsGenerator(false)
if err != nil {
t.Fatal(err)
}
- basicConstraintsExtensions := []pkix.Extension{
- {
- Id: OIDExtensionKeyUsage,
- Value: asn1KeyUsageWithCa,
- },
- {
- Id: OIDExtensionBasicConstraints,
- Value: basicConstraintsValue,
- },
+ // 0xa0 = DigitalSignature, Encipherment and KeyCertSign usage
+ asn1KeyUsageWithCa, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0xa4}, BitLength: asn1BitLength([]byte{0xa4})})
+ if err != nil {
+ t.Fatal(err)
}
exampleLiteralSubject := "CN=actual-cn, OU=FooLong, OU=Bar, O=example.org"
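Review bot: The comment moved above `asn1KeyUsageWithCa` still reads `// 0xa0 = DigitalSignature, Encipherment and KeyCertSign usage` while the encoded bit string is `0xa4`; 0xa0 sets only bits 0 and 2 (digitalSignature, keyEncipherment), whereas 0xa4 also sets bit 5 (keyCertSign), which is what the name and the usage list describe. `// 0xa4 = DigitalSignature, KeyEncipherment and KeyCertSign usage` matches the value. TestGenerateCSR starts and ends outside the hunk.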
@@ -460,6 +458,7 @@ func TestGenerateCSR(t *testing.T) {
want *x509.CertificateRequest
wantErr bool
literalCertificateSubjectFeatureEnabled bool
+ basicConstraintsFeatureEnabled bool
}{
{
name: "Generate CSR from certificate with only DNS",
@@ -491,8 +490,55 @@ func TestGenerateCSR(t *testing.T) {
SignatureAlgorithm: x509.SHA256WithRSA,
PublicKeyAlgorithm: x509.RSA,
Subject: pkix.Name{CommonName: "example.org"},
- ExtraExtensions: basicConstraintsExtensions,
+ ExtraExtensions: []pkix.Extension{
+ {
+ Id: OIDExtensionKeyUsage,
+ Value: asn1KeyUsageWithCa,
+ },
+ },
+ },
+ },
+ {
+ name: "Generate CSR from certificate with isCA not set and with UseCertificateRequestBasicConstraints flag enabled",
+ crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.org"}},
+ want: &x509.CertificateRequest{
+ Version: 0,
+ SignatureAlgorithm: x509.SHA256WithRSA,
+ PublicKeyAlgorithm: x509.RSA,
+ Subject: pkix.Name{CommonName: "example.org"},
+ ExtraExtensions: []pkix.Extension{
+ {
+ Id: OIDExtensionKeyUsage,
+ Value: asn1KeyUsage,
+ },
+ {
+ Id: OIDExtensionBasicConstraints,
+ Value: basicConstraintsWithoutCA,
+ },
+ },
+ },
+ basicConstraintsFeatureEnabled: true,
+ },
+ {
+ name: "Generate CSR from certificate with isCA set and with UseCertificateRequestBasicConstraints flag enabled",
+ crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.org", IsCA: true}},
+ want: &x509.CertificateRequest{
+ Version: 0,
+ SignatureAlgorithm: x509.SHA256WithRSA,
+ PublicKeyAlgorithm: x509.RSA,
+ Subject: pkix.Name{CommonName: "example.org"},
+ ExtraExtensions: []pkix.Extension{
+ {
+ Id: OIDExtensionKeyUsage,
+ Value: asn1KeyUsageWithCa,
+ },
+ {
+ Id: OIDExtensionBasicConstraints,
+ Value: basicConstraintsWithCA,
+ },
+ },
},
+ basicConstraintsFeatureEnabled: true,
},
{
name: "Generate CSR from certificate with extended key usages",
@@ -555,6 +601,7 @@ func TestGenerateCSR(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultMutableFeatureGate, feature.LiteralCertificateSubject, tt.literalCertificateSubjectFeatureEnabled)()
+ defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultMutableFeatureGate, feature.UseCertificateRequestBasicConstraints, tt.basicConstraintsFeatureEnabled)()
got, err := GenerateCSR(tt.crt)
if (err != nil) != tt.wantErr {
t.Errorf("GenerateCSR() error = %v, wantErr %v", err, tt.wantErr)
From d2aab5f0d3d060be747ec90a262bf478656ce3ab Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Thu, 10 Nov 2022 13:47:30 +0000
Subject: [PATCH 0028/1253] enable basicConstraints feature in e2e environments
by default
Signed-off-by: Ashley Davis
---
make/e2e-setup.mk | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index 67b88545b1b..3f1eeea1622 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -158,7 +158,7 @@ $(call image-tar,vaultretagged): $(call image-tar,vault)
tar cf $@ -C /tmp/vault .
@rm -rf /tmp/vault
-FEATURE_GATES ?= AdditionalCertificateOutputFormats=true,ExperimentalCertificateSigningRequestControllers=true,ExperimentalGatewayAPISupport=true,ServerSideApply=true,LiteralCertificateSubject=true
+FEATURE_GATES ?= AdditionalCertificateOutputFormats=true,ExperimentalCertificateSigningRequestControllers=true,ExperimentalGatewayAPISupport=true,ServerSideApply=true,LiteralCertificateSubject=true,UseCertificateRequestBasicConstraints=true
# In make, there is no way to escape commas or spaces. So we use the
# variables $(space) and $(comma) instead.
@@ -168,7 +168,7 @@ comma = ,
# Helm's "--set" interprets commas, which means we want to escape commas
# for "--set featureGates". That's why we have "\$(comma)".
-feature_gates_controller := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% AdditionalCertificateOutputFormats=% ValidateCAA=% ExperimentalCertificateSigningRequestControllers=% ExperimentalGatewayAPISupport=% ServerSideApply=% LiteralCertificateSubject=%, $(subst $(comma),$(space),$(FEATURE_GATES))))
+feature_gates_controller := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% AdditionalCertificateOutputFormats=% ValidateCAA=% ExperimentalCertificateSigningRequestControllers=% ExperimentalGatewayAPISupport=% ServerSideApply=% LiteralCertificateSubject=% UseCertificateRequestBasicConstraints=%, $(subst $(comma),$(space),$(FEATURE_GATES))))
feature_gates_webhook := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% AdditionalCertificateOutputFormats=% LiteralCertificateSubject=%, $(subst $(comma),$(space),$(FEATURE_GATES))))
feature_gates_cainjector := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=%, $(subst $(comma),$(space),$(FEATURE_GATES))))
From c0dc705c24d3e0013f6da678b11282022233bba3 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Mon, 14 Nov 2022 09:11:23 +0100
Subject: [PATCH 0029/1253] fail in case of invalid IP address
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
test/unit/gen/csr.go | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/unit/gen/csr.go b/test/unit/gen/csr.go
index 659286c1171..a62f847af51 100644
--- a/test/unit/gen/csr.go
+++ b/test/unit/gen/csr.go
@@ -136,7 +136,11 @@ func SetCSRIPAddressesFromStrings(ips ...string) CSRModifier {
return func(c *x509.CertificateRequest) error {
var certIPs []net.IP
for _, ip := range ips {
- certIPs = append(certIPs, net.ParseIP(ip))
+ if certIP := net.ParseIP(ip); certIP == nil {
+ return fmt.Errorf("invalid ip: %s", ip)
+ } else {
+ certIPs = append(certIPs, certIP)
+ }
}
c.IPAddresses = certIPs
return nil
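Review bot: The new `if certIP := net.ParseIP(ip); certIP == nil { return ... } else { ... }` places the happy path in an `else` after a terminating return, which Go style (and the usual indent-error-flow lint) avoids; hoisting the parse reads straight down: `certIP := net.ParseIP(ip)` / `if certIP == nil { return fmt.Errorf("invalid ip: %q", ip) }` / `certIPs = append(certIPs, certIP)`, with `%q` so an empty or whitespace input is visible in the message. The change itself is right: previously an unparsable string produced a nil entry in `IPAddresses`. The enclosing closure starts and ends outside the hunk.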
From 7e6e0940a2a4a31aa120a7980319cf2cd5ad0a1c Mon Sep 17 00:00:00 2001
From: Corey McGalliard
Date: Wed, 16 Nov 2022 11:20:36 -0500
Subject: [PATCH 0030/1253] updating to match feedback and adjust the
RunAsNonRoot options for http01 solver to be more descriptive
Signed-off-by: Corey McGalliard
---
cmd/controller/app/controller.go | 2 ++
cmd/controller/app/options/options.go | 5 +++++
pkg/controller/context.go | 3 +++
pkg/issuer/acme/http/pod.go | 2 +-
4 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/cmd/controller/app/controller.go b/cmd/controller/app/controller.go
index ad2b683d361..78ad11ff0a1 100644
--- a/cmd/controller/app/controller.go
+++ b/cmd/controller/app/controller.go
@@ -261,6 +261,7 @@ func buildControllerContextFactory(ctx context.Context, opts *options.Controller
return nil, fmt.Errorf("error parsing ACMEHTTP01SolverResourceLimitsMemory: %w", err)
}
+ ACMEHTTP01SolverRunAsNonRoot := opts.ACMEHTTP01SolverRunAsNonRoot
acmeAccountRegistry := accounts.NewDefaultRegistry()
ctxFactory, err := controller.NewContextFactory(ctx, controller.ContextOptions{
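Review bot: The new local `ACMEHTTP01SolverRunAsNonRoot := opts.ACMEHTTP01SolverRunAsNonRoot` adds nothing over the value it copies and uses an exported-style MixedCaps name for a function-scope variable, while the neighbouring fields in the next hunk pass `opts.*` directly (`HTTP01SolverImage: opts.ACMEHTTP01SolverImage`). Drop the local and write `ACMEHTTP01SolverRunAsNonRoot: opts.ACMEHTTP01SolverRunAsNonRoot,` in the ContextOptions literal. buildControllerContextFactory starts and ends outside the hunk.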
@@ -279,6 +280,7 @@ func buildControllerContextFactory(ctx context.Context, opts *options.Controller
HTTP01SolverResourceRequestMemory: http01SolverResourceRequestMemory,
HTTP01SolverResourceLimitsCPU: http01SolverResourceLimitsCPU,
HTTP01SolverResourceLimitsMemory: http01SolverResourceLimitsMemory,
+ ACMEHTTP01SolverRunAsNonRoot: ACMEHTTP01SolverRunAsNonRoot,
HTTP01SolverImage: opts.ACMEHTTP01SolverImage,
// Allows specifying a list of custom nameservers to perform HTTP01 checks on.
HTTP01SolverNameservers: opts.ACMEHTTP01SolverNameservers,
diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go
index d0a2459f933..863677847c0 100644
--- a/cmd/controller/app/options/options.go
+++ b/cmd/controller/app/options/options.go
@@ -80,6 +80,7 @@ type ControllerOptions struct {
ACMEHTTP01SolverResourceRequestMemory string
ACMEHTTP01SolverResourceLimitsCPU string
ACMEHTTP01SolverResourceLimitsMemory string
+ ACMEHTTP01SolverRunAsNonRoot bool
// Allows specifying a list of custom nameservers to perform HTTP01 checks on.
ACMEHTTP01SolverNameservers []string
@@ -155,6 +156,7 @@ var (
defaultACMEHTTP01SolverResourceRequestMemory = "64Mi"
defaultACMEHTTP01SolverResourceLimitsCPU = "100m"
defaultACMEHTTP01SolverResourceLimitsMemory = "64Mi"
+ defaultACMEHTTP01SolverRunAsNonRoot = true
defaultAutoCertificateAnnotations = []string{"kubernetes.io/tls-acme"}
@@ -311,6 +313,9 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.ACMEHTTP01SolverResourceLimitsMemory, "acme-http01-solver-resource-limits-memory", defaultACMEHTTP01SolverResourceLimitsMemory, ""+
"Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods.")
+ fs.BoolVar(&s.ACMEHTTP01SolverRunAsNonRoot, "acme-http01-solver-run-as-non-root", defaultACMEHTTP01SolverRunAsNonRoot, ""+
+ "Defines the ability to run the http01 solver as root for troubleshooting issues")
+
fs.StringSliceVar(&s.ACMEHTTP01SolverNameservers, "acme-http01-solver-nameservers",
[]string{}, "A list of comma separated dns server endpoints used for "+
"ACME HTTP01 check requests. This should be a list containing host and "+
diff --git a/pkg/controller/context.go b/pkg/controller/context.go
index 4767ab201b1..e0398f3978e 100644
--- a/pkg/controller/context.go
+++ b/pkg/controller/context.go
@@ -170,6 +170,9 @@ type ACMEOptions struct {
// HTTP01SolverResourceLimitsMemory defines the ACME pod's resource limits Memory size
HTTP01SolverResourceLimitsMemory resource.Quantity
+ // ACMEHTTP01SolverRunAsNonRoot sets the ACME pod's ability to run as root
+ ACMEHTTP01SolverRunAsNonRoot bool
+
// HTTP01SolverNameservers is a list of nameservers to use when performing self-checks
// for ACME HTTP01 validations.
HTTP01SolverNameservers []string
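Review bot: The new ACMEOptions field is named `ACMEHTTP01SolverRunAsNonRoot` while every sibling in the struct drops the `ACME` prefix (`HTTP01SolverResourceLimitsMemory`, `HTTP01SolverNameservers`), so the access stutters as `ACMEOptions.ACMEHTTP01Solver…`; its comment also says "ability to run as root", which is the inverse of what a true value does. `HTTP01SolverRunAsNonRoot bool` with `// HTTP01SolverRunAsNonRoot controls whether the ACME solver pod's security context sets runAsNonRoot (true enforces a non-root user).` keeps the convention and documents the actual semantics. The same rename would apply to the read in pod.go and the ContextOptions wiring in controller.go in this patch.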
diff --git a/pkg/issuer/acme/http/pod.go b/pkg/issuer/acme/http/pod.go
index 77f2efd3e5b..d15b4c9fa8f 100644
--- a/pkg/issuer/acme/http/pod.go
+++ b/pkg/issuer/acme/http/pod.go
@@ -180,7 +180,7 @@ func (s *Solver) buildDefaultPod(ch *cmacme.Challenge) *corev1.Pod {
},
RestartPolicy: corev1.RestartPolicyOnFailure,
SecurityContext: &corev1.PodSecurityContext{
- RunAsNonRoot: pointer.BoolPtr(true),
+ RunAsNonRoot: pointer.BoolPtr(s.ACMEOptions.ACMEHTTP01SolverRunAsNonRoot),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
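Review bot: Setting the option to false lowers the solver pod's security posture without any visible trace: nothing is logged, and on clusters enforcing the `restricted` Pod Security Standard (which requires runAsNonRoot=true) the pod is rejected at admission, so the flag does not help troubleshooting there and the failure surfaces only as a challenge that never progresses. A startup log line when `s.ACMEOptions.ACMEHTTP01SolverRunAsNonRoot` is false, and a sentence on the flag's help text about the Pod Security interaction, make the relaxed posture and its limits visible to the operator. buildDefaultPod starts and ends outside the hunk.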
From bf2db73f71e2028534b70e413fce026f6ae0cc60 Mon Sep 17 00:00:00 2001
From: lv
Date: Thu, 17 Nov 2022 22:11:57 +0800
Subject: [PATCH 0031/1253] fix: featureGates add webhook deployment in chart
yaml
Signed-off-by: lvyanru <1113706590@qq.com>
---
deploy/charts/cert-manager/templates/webhook-deployment.yaml | 3 +++
deploy/charts/cert-manager/values.yaml | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/deploy/charts/cert-manager/templates/webhook-deployment.yaml b/deploy/charts/cert-manager/templates/webhook-deployment.yaml
index 9e27afd61c9..259a96c79b6 100644
--- a/deploy/charts/cert-manager/templates/webhook-deployment.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-deployment.yaml
@@ -71,6 +71,9 @@ spec:
{{ if not $config.securePort -}}
- --secure-port={{ .Values.webhook.securePort }}
{{- end }}
+ {{- if .Values.featureGates }}
+ - --feature-gates={{ .Values.featureGates }}
+ {{- end }}
{{- $tlsConfig := default $config.tlsConfig "" }}
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
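Review bot: The same `.Values.featureGates` string is now handed to the webhook as to the controller, but the two binaries appear to register different gate sets (the e2e Makefile earlier on this page filters a smaller list for `feature_gates_webhook`, omitting e.g. ServerSideApply), and a feature-gate parser that rejects unknown names would then keep the webhook pod from starting for a value that was valid for the controller alone. Either introduce a separate `webhook.featureGates` value or state in the values.yaml comment (the other hunk of this patch) that only gates understood by both components may be listed. The template block continues outside the hunk.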
diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 295fea4eeb2..14056dd6631 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -61,7 +61,7 @@ strategy: {}
# maxUnavailable: 1
# Comma separated list of feature gates that should be enabled on the
-# controller pod.
+# controller pod & webhook pod.
featureGates: ""
image:
From 964f4bbd8d034fa997550878d37f49425a47dc7e Mon Sep 17 00:00:00 2001
From: Igor Beliakov
Date: Thu, 17 Nov 2022 17:42:05 +0100
Subject: [PATCH 0032/1253] feat(AzureDNS): add a test for federated SPT
Signed-off-by: Igor Beliakov
---
pkg/issuer/acme/dns/azuredns/azuredns_test.go | 122 ++++++++++++++++++
1 file changed, 122 insertions(+)
diff --git a/pkg/issuer/acme/dns/azuredns/azuredns_test.go b/pkg/issuer/acme/dns/azuredns/azuredns_test.go
index 50be548551a..387e704ef30 100644
--- a/pkg/issuer/acme/dns/azuredns/azuredns_test.go
+++ b/pkg/issuer/acme/dns/azuredns/azuredns_test.go
@@ -9,10 +9,16 @@ this directory.
package azuredns
import (
+ "encoding/json"
+ "io"
+ "net/http"
+ "net/http/httptest"
"os"
"testing"
"time"
+ "github.com/Azure/go-autorest/autorest/adal"
+ "github.com/Azure/go-autorest/autorest/azure"
v1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
"github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util"
"github.com/stretchr/testify/assert"
@@ -77,3 +83,119 @@ func TestInvalidAzureDns(t *testing.T) {
_, err := NewDNSProviderCredentials("invalid env", "cid", "secret", "", "", "", "", util.RecursiveNameservers, false, &v1.AzureManagedIdentity{})
assert.Error(t, err)
}
+
+func populateFederatedToken(t *testing.T, filename string, content string) {
+ t.Helper()
+
+ f, err := os.Create(filename)
+ if err != nil {
+ assert.FailNow(t, err.Error())
+ }
+
+ if _, err := io.WriteString(f, content); err != nil {
+ assert.FailNow(t, err.Error())
+ }
+
+ if err := f.Close(); err != nil {
+ assert.FailNow(t, err.Error())
+ }
+}
+
+func TestGetAuthorizationFederatedSPT(t *testing.T) {
+ // Create a file that will be used to store a federated token
+ f, err := os.CreateTemp("", "")
+ if err != nil {
+ assert.FailNow(t, err.Error())
+ }
+ defer os.Remove(f.Name())
+
+ // Close the file to simplify logic within populateFederatedToken helper
+ if err := f.Close(); err != nil {
+ assert.FailNow(t, err.Error())
+ }
+
+ // The initial federated token is never used, so we don't care about the value yet
+ // Though, it's a requirement from adal to have a non-empty value set
+ populateFederatedToken(t, f.Name(), "random-jwt")
+
+ // Prepare environment variables adal will rely on. Skip changes for some envs if they are already defined (=live environment)
+ // Envs themselves are described here: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
+ if os.Getenv("AZURE_TENANT_ID") == "" {
+ t.Setenv("AZURE_TENANT_ID", "fakeTenantID")
+ }
+
+ if os.Getenv("AZURE_CLIENT_ID") == "" {
+ t.Setenv("AZURE_CLIENT_ID", "fakeClientID")
+ }
+
+ t.Setenv("AZURE_FEDERATED_TOKEN_FILE", f.Name())
+
+ t.Run("token refresh", func(t *testing.T) {
+ // Basically, we want one token to be exchanged for the other (key and value respectively)
+ tokens := map[string]string{
+ "initialFederatedToken": "initialAccessToken",
+ "refreshedFederatedToken": "refreshedAccessToken",
+ }
+
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if err := r.ParseForm(); err != nil {
+ assert.FailNow(t, err.Error())
+ }
+
+ w.Header().Set("Content-Type", "application/json")
+ receivedFederatedToken := r.FormValue("client_assertion")
+ accessToken := adal.Token{AccessToken: tokens[receivedFederatedToken]}
+
+ if err := json.NewEncoder(w).Encode(accessToken); err != nil {
+ assert.FailNow(t, err.Error())
+ }
+
+ // Expected format: http:////oauth2/token?api-version=1.0
+ assert.Contains(t, r.RequestURI, os.Getenv("AZURE_TENANT_ID"), "URI should contain the tenant ID exposed through env variable")
+
+ assert.Equal(t, os.Getenv("AZURE_CLIENT_ID"), r.FormValue("client_id"), "client_id should match the value exposed through env variable")
+ }))
+ defer ts.Close()
+
+ ambient := true
+ env := azure.Environment{ActiveDirectoryEndpoint: ts.URL, ResourceManagerEndpoint: ts.URL}
+ managedIdentity := &v1.AzureManagedIdentity{ClientID: ""}
+
+ spt, err := getAuthorization(env, "", "", "", "", ambient, managedIdentity)
+ assert.NoError(t, err)
+
+ for federatedToken, accessToken := range tokens {
+ populateFederatedToken(t, f.Name(), federatedToken)
+ assert.NoError(t, spt.Refresh(), "Token refresh failed")
+ assert.Equal(t, accessToken, spt.Token().AccessToken, "Access token should have been set to a value returned by the webserver")
+ }
+ })
+
+ t.Run("clientID overrides through managedIdentity section", func(t *testing.T) {
+ managedIdentity := &v1.AzureManagedIdentity{ClientID: "anotherClientID"}
+
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if err := r.ParseForm(); err != nil {
+ assert.FailNow(t, err.Error())
+ }
+
+ w.Header().Set("Content-Type", "application/json")
+ accessToken := adal.Token{AccessToken: "abc"}
+
+ if err := json.NewEncoder(w).Encode(accessToken); err != nil {
+ assert.FailNow(t, err.Error())
+ }
+
+ assert.Equal(t, managedIdentity.ClientID, r.FormValue("client_id"), "client_id should match the value passed through managedIdentity section")
+ }))
+ defer ts.Close()
+
+ ambient := true
+ env := azure.Environment{ActiveDirectoryEndpoint: ts.URL, ResourceManagerEndpoint: ts.URL}
+
+ spt, err := getAuthorization(env, "", "", "", "", ambient, managedIdentity)
+ assert.NoError(t, err)
+
+ assert.NoError(t, spt.Refresh(), "Token refresh failed")
+ })
+}
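Review bot: The federated-token fixture is built with `os.CreateTemp("", "")`, an immediate `Close`, and a `defer os.Remove`, and `populateFederatedToken` then reopens it with `os.Create` (mode 0666 before umask) three statements at a time; `tokenFile := filepath.Join(t.TempDir(), "federated-token")` gives a path the test framework cleans up itself, and the helper body collapses to `if err := os.WriteFile(filename, []byte(content), 0o600); err != nil { t.Fatal(err) }`, which also keeps the credential file owner-only. Using `t.Fatal` rather than `assert.FailNow(t, err.Error())` for setup failures matches the `t.Helper()` call already present. The env handling that skips overriding `AZURE_TENANT_ID`/`AZURE_CLIENT_ID` when already set is worth a comment noting the test then talks to the fake server with real identifiers, which is intended.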
From f41cf33efe24f99a7fe9a1cf890460ad76849fdc Mon Sep 17 00:00:00 2001
From: Houssem El Fekih
Date: Fri, 18 Nov 2022 10:22:39 +0000
Subject: [PATCH 0033/1253] Add support for required LDAP (rfc4514) RDNs in
LiteralSubject
* Add OID translation for mandatory DC component
* Used extensively in LDAP certificates, also required by rfc5280
* Add support for UID, mentioned in LDAP RFC
* solves https://github.com/cert-manager/cert-manager/issues/5582
Signed-off-by: SpectralHiss
---
.../apis/certmanager/validation/certificate_test.go | 12 ++++++++++++
pkg/util/pki/parse.go | 7 +++++++
2 files changed, 19 insertions(+)
diff --git a/internal/apis/certmanager/validation/certificate_test.go b/internal/apis/certmanager/validation/certificate_test.go
index 4d3280cefc2..4a8285b51de 100644
--- a/internal/apis/certmanager/validation/certificate_test.go
+++ b/internal/apis/certmanager/validation/certificate_test.go
@@ -944,6 +944,18 @@ func Test_validateLiteralSubject(t *testing.T) {
},
a: someAdmissionRequest,
},
+ "valid with a `literalSubject` containing CN with special characters, multiple DC and well-known rfc4514 and rfc5280 RDN OIDs": {
+ featureEnabled: true,
+ cfg: &internalcmapi.Certificate{
+ Spec: internalcmapi.CertificateSpec{
+ Subject: &internalcmapi.X509Subject{SerialNumber: "1"},
+ LiteralSubject: "CN=James \\\"Jim\\\" Smith\\, III,DC=dc,DC=net,UID=jamessmith,STREET=La Rambla,L=Barcelona,C=Spain,O=Acme,OU=IT,OU=Admins",
+ SecretName: "abc",
+ IssuerRef: validIssuerRef,
+ },
+ },
+ a: someAdmissionRequest,
+ },
"invalid with a `literalSubject` without CN and no dnsNames, ipAddresses, or emailAddress": {
featureEnabled: true,
cfg: &internalcmapi.Certificate{
diff --git a/pkg/util/pki/parse.go b/pkg/util/pki/parse.go
index e6376e5dd7d..c8e21c21651 100644
--- a/pkg/util/pki/parse.go
+++ b/pkg/util/pki/parse.go
@@ -373,6 +373,8 @@ var OIDConstants = struct {
Locality []int
Province []int
StreetAddress []int
+ DomainComponent []int
+ UniqueIdentifier []int
}{
Country: []int{2, 5, 4, 6},
Organization: []int{2, 5, 4, 10},
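Review bot: The new field name `UniqueIdentifier` does not match the OID it is bound to in the next hunk: 0.9.2342.19200300.100.1.1 is the RFC 4519 `uid` (userId) attribute, while the X.520 uniqueIdentifier attribute is a different OID (2.5.4.45), so the name invites a wrong mapping if someone later adds the latter. Consider naming it `UserID` (or `UID`) and recording the source next to the field, e.g. `// UserID is the RFC 4519 'uid' attribute (0.9.2342.19200300.100.1.1), keyed as "UID" in attributeTypeNames.`; the same identifier appears in the value hunk and the `attributeTypeNames` hunk below. The `DomainComponent` OID (0.9.2342.19200300.100.1.25) is the RFC 4519 `dc` attribute, which is correct. The `OIDConstants` declaration starts before this hunk.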
@@ -382,10 +384,13 @@ var OIDConstants = struct {
Locality: []int{2, 5, 4, 7},
Province: []int{2, 5, 4, 8},
StreetAddress: []int{2, 5, 4, 9},
+ DomainComponent: []int{0,9,2342,19200300,100,1,25},
+ UniqueIdentifier: []int{0,9,2342,19200300,100,1,1},
}
// Copied from pkix.attributeTypeNames and inverted. (Sadly it is private.)
// Source: https://cs.opensource.google/go/go/+/refs/tags/go1.18.2:src/crypto/x509/pkix/pkix.go;l=26
+// Added RDNs identifier to support rfc4514 LDAP certificates, cf https://github.com/cert-manager/cert-manager/issues/5582
var attributeTypeNames = map[string][]int{
"C": OIDConstants.Country,
"O": OIDConstants.Organization,
@@ -395,6 +400,8 @@ var attributeTypeNames = map[string][]int{
"L": OIDConstants.Locality,
"ST": OIDConstants.Province,
"STREET": OIDConstants.StreetAddress,
+ "DC": OIDConstants.DomainComponent,
+ "UID": OIDConstants.UniqueIdentifier,
}
func ParseSubjectStringToRdnSequence(subject string) (pkix.RDNSequence, error) {
From 8af2d64f3b6374735b0204f173ceb78d066a30ff Mon Sep 17 00:00:00 2001
From: Houssem El Fekih
Date: Fri, 18 Nov 2022 10:55:56 +0000
Subject: [PATCH 0034/1253] Gofmt files
Signed-off-by: Houssem El Fekih
---
pkg/util/pki/parse.go | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkg/util/pki/parse.go b/pkg/util/pki/parse.go
index c8e21c21651..dff3539ad76 100644
--- a/pkg/util/pki/parse.go
+++ b/pkg/util/pki/parse.go
@@ -373,8 +373,8 @@ var OIDConstants = struct {
Locality []int
Province []int
StreetAddress []int
- DomainComponent []int
- UniqueIdentifier []int
+ DomainComponent []int
+ UniqueIdentifier []int
}{
Country: []int{2, 5, 4, 6},
Organization: []int{2, 5, 4, 10},
@@ -384,8 +384,8 @@ var OIDConstants = struct {
Locality: []int{2, 5, 4, 7},
Province: []int{2, 5, 4, 8},
StreetAddress: []int{2, 5, 4, 9},
- DomainComponent: []int{0,9,2342,19200300,100,1,25},
- UniqueIdentifier: []int{0,9,2342,19200300,100,1,1},
+ DomainComponent: []int{0, 9, 2342, 19200300, 100, 1, 25},
+ UniqueIdentifier: []int{0, 9, 2342, 19200300, 100, 1, 1},
}
// Copied from pkix.attributeTypeNames and inverted. (Sadly it is private.)
@@ -400,8 +400,8 @@ var attributeTypeNames = map[string][]int{
"L": OIDConstants.Locality,
"ST": OIDConstants.Province,
"STREET": OIDConstants.StreetAddress,
- "DC": OIDConstants.DomainComponent,
- "UID": OIDConstants.UniqueIdentifier,
+ "DC": OIDConstants.DomainComponent,
+ "UID": OIDConstants.UniqueIdentifier,
}
func ParseSubjectStringToRdnSequence(subject string) (pkix.RDNSequence, error) {
From 6e05f43f8e5beeacfe998a75b4987b9499257324 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 22 Nov 2022 09:59:03 +0000
Subject: [PATCH 0035/1253] Set the Vault namespace using the official method
in the vault SDK
Signed-off-by: Richard Wall
---
internal/vault/vault.go | 49 +++++++++++++++++++++--------------------
1 file changed, 25 insertions(+), 24 deletions(-)
diff --git a/internal/vault/vault.go b/internal/vault/vault.go
index 25f9ee9cbcd..a4ac2daca0c 100644
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -68,7 +68,22 @@ type Vault struct {
issuer v1.GenericIssuer
namespace string
+ // The pattern below, of namespaced and non-namespaced Vault clients, is copied from Hashicorp Nomad:
+ // https://github.com/hashicorp/nomad/blob/6e4410a9b13ce167bc7ef53da97c621b5c9dcd12/nomad/vault.go#L180-L190
+
+ // client is the Vault API client used for Namespace-relative integrations
+ // with the Vault API (anything except `/v1/sys`).
+ // The namespace feature is only available in Vault Enterprise.
+ // The namespace HTTP header (X-Vault-Namespace) is ignored by the open source version of Vault.
+ // See https://www.vaultproject.io/docs/enterprise/namespaces
client Client
+
+ // clientSys is the Vault API client used for non-Namespace-relative integrations
+ // with the Vault API (anything involving `/v1/sys`). This client is never configured
+ // with a Vault namespace, because these endpoints may return errors if a namespace
+ // header is provided
+ // See https://developer.hashicorp.com/vault/docs/enterprise/namespaces#root-only-api-paths
+ clientSys Client
}
// New returns a new Vault instance with the given namespace, issuer and
@@ -87,16 +102,21 @@ func New(namespace string, secretsLister corelisters.SecretLister, issuer v1.Gen
return nil, err
}
- client, err := vault.NewClient(cfg)
+ clientSys, err := vault.NewClient(cfg)
if err != nil {
return nil, fmt.Errorf("error initializing Vault client: %s", err.Error())
}
- if err := v.setToken(client); err != nil {
+ // Set the Vault namespace.
+ // An empty namespace string will cause the client to not send the namespace related HTTP headers to Vault.
+ clientNS := clientSys.WithNamespace(issuer.GetSpec().Vault.Namespace)
+
+ if err := v.setToken(clientNS); err != nil {
return nil, err
}
- v.client = client
+ v.client = clientNS
+ v.clientSys = clientSys
return v, nil
}
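Review bot: `clientSys.WithNamespace(issuer.GetSpec().Vault.Namespace)` dereferences `Vault` without a nil check, whereas the removed `addVaultNamespaceToRequest` guarded `vaultIssuer != nil`; if `cfg` is already built from that field earlier in `New` (outside this hunk) the dereference is safe, otherwise it needs the same guard. Also, if `WithNamespace` returns a copy of the client, the token set by `v.setToken(clientNS)` is not visible to `clientSys`, so the non-namespaced client used for `sys/health` sends no token — harmless for an unauthenticated endpoint, but a behaviour change worth stating on the struct field, e.g. `// clientSys carries no Vault token; it is only used for unauthenticated root-only paths.`. `New` starts before this hunk.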
@@ -124,8 +144,6 @@ func (v *Vault) Sign(csrPEM []byte, duration time.Duration) (cert []byte, ca []b
request := v.client.NewRequest("POST", url)
- v.addVaultNamespaceToRequest(request)
-
if err := request.SetJSONBody(parameters); err != nil {
return nil, nil, fmt.Errorf("failed to build vault request: %s", err)
}
@@ -312,8 +330,6 @@ func (v *Vault) requestTokenWithAppRoleRef(client Client, appRole *v1.VaultAppRo
return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())
}
- v.addVaultNamespaceToRequest(request)
-
resp, err := client.RawRequest(request)
if err != nil {
return "", fmt.Errorf("error logging in to Vault server: %s", err.Error())
@@ -373,8 +389,6 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())
}
- v.addVaultNamespaceToRequest(request)
-
resp, err := client.RawRequest(request)
if err != nil {
return "", fmt.Errorf("error calling Vault server: %s", err.Error())
@@ -425,8 +439,8 @@ func extractCertificatesFromVaultCertificateSecret(secret *certutil.Secret) ([]b
func (v *Vault) IsVaultInitializedAndUnsealed() error {
healthURL := path.Join("/v1", "sys", "health")
- healthRequest := v.client.NewRequest("GET", healthURL)
- healthResp, err := v.client.RawRequest(healthRequest)
+ healthRequest := v.clientSys.NewRequest("GET", healthURL)
+ healthResp, err := v.clientSys.RawRequest(healthRequest)
if healthResp != nil {
defer healthResp.Body.Close()
@@ -448,16 +462,3 @@ func (v *Vault) IsVaultInitializedAndUnsealed() error {
return nil
}
-
-func (v *Vault) addVaultNamespaceToRequest(request *vault.Request) {
- vaultIssuer := v.issuer.GetSpec().Vault
- if vaultIssuer != nil && vaultIssuer.Namespace != "" {
- if request.Headers != nil {
- request.Headers.Add("X-VAULT-NAMESPACE", vaultIssuer.Namespace)
- } else {
- vaultReqHeaders := http.Header{}
- vaultReqHeaders.Add("X-VAULT-NAMESPACE", vaultIssuer.Namespace)
- request.Headers = vaultReqHeaders
- }
- }
-}
From 51ac6fe181fe95bc6714c7e53a8fb7c243af1a51 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 22 Nov 2022 14:35:22 +0000
Subject: [PATCH 0036/1253] Test
Signed-off-by: Richard Wall
---
internal/vault/vault_test.go | 67 ++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
diff --git a/internal/vault/vault_test.go b/internal/vault/vault_test.go
index 74518af6615..0fb4007e517 100644
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@@ -32,11 +32,15 @@ import (
vault "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/helper/jsonutil"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientcorev1 "k8s.io/client-go/listers/core/v1"
vaultfake "github.com/cert-manager/cert-manager/internal/vault/fake"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+ v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/pkg/util/pki"
"github.com/cert-manager/cert-manager/test/unit/gen"
@@ -1169,3 +1173,66 @@ func TestRequestTokenWithAppRoleRef(t *testing.T) {
})
}
}
+
+// TestNewWithVaultNamespaces demonstrates that New initializes two Vault
+// clients, one with a namespace and one without a namespace which is used for
+// interacting with root-only APIs.
+func TestNewWithVaultNamespaces(t *testing.T) {
+ type testCase struct {
+ name string
+ vaultNS string
+ }
+
+ tests := []testCase{
+ {
+ name: "without-namespace",
+ vaultNS: "",
+ },
+ {
+ name: "with-namespace",
+ vaultNS: "vault-ns-1",
+ },
+ }
+
+ for _, tc := range tests {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ c, err := New(
+ "k8s-ns1",
+ listers.FakeSecretListerFrom(listers.NewFakeSecretLister(),
+ listers.SetFakeSecretNamespaceListerGet(
+ &corev1.Secret{
+ Data: map[string][]byte{
+ "key1": []byte("not-used"),
+ },
+ }, nil),
+ ),
+ &cmapi.Issuer{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "issuer1",
+ Namespace: "k8s-ns1",
+ },
+ Spec: v1.IssuerSpec{
+ IssuerConfig: v1.IssuerConfig{
+ Vault: &v1.VaultIssuer{
+ Namespace: tc.vaultNS,
+ Auth: cmapi.VaultAuth{
+ TokenSecretRef: &cmmeta.SecretKeySelector{
+ LocalObjectReference: cmmeta.LocalObjectReference{
+ Name: "secret1",
+ },
+ Key: "key1",
+ },
+ },
+ },
+ },
+ },
+ })
+ require.NoError(t, err)
+ assert.Equal(t, tc.vaultNS, c.(*Vault).client.(*vault.Client).Namespace(),
+ "The vault client should have the namespace provided in the Issuer recource")
+ assert.Equal(t, "", c.(*Vault).clientSys.(*vault.Client).Namespace(),
+ "The vault sys client should never have a namespace")
+ })
+ }
+}
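Review bot: The same package is imported twice under different aliases in the import hunk (`cmapi` and `v1` both resolve to pkg/apis/certmanager/v1), and the issuer literal then mixes them (`&cmapi.Issuer{... Spec: v1.IssuerSpec{...}}`); use one alias throughout. The assertion message on the namespaced-client check has a typo: `"The vault client should have the namespace provided in the Issuer resource"`.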
From 23437dfbbcc87c42e74ffda88081c9a42ecb491d Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 22 Nov 2022 16:25:22 +0000
Subject: [PATCH 0037/1253] Remove unused Sys methods
Signed-off-by: Richard Wall
---
internal/vault/fake/client.go | 4 ----
internal/vault/fake/vault.go | 6 ------
internal/vault/vault.go | 7 -------
3 files changed, 17 deletions(-)
diff --git a/internal/vault/fake/client.go b/internal/vault/fake/client.go
index 64aa0c6aac9..bed9462ef75 100644
--- a/internal/vault/fake/client.go
+++ b/internal/vault/fake/client.go
@@ -64,7 +64,3 @@ func (c *Client) Token() string {
func (c *Client) RawRequest(r *vault.Request) (*vault.Response, error) {
return c.RawRequestFn(r)
}
-
-func (c *Client) Sys() *vault.Sys {
- return nil
-}
diff --git a/internal/vault/fake/vault.go b/internal/vault/fake/vault.go
index 529a0a54f2a..1ccdcbdf138 100644
--- a/internal/vault/fake/vault.go
+++ b/internal/vault/fake/vault.go
@@ -20,7 +20,6 @@ package fake
import (
"time"
- vault "github.com/hashicorp/vault/api"
corelisters "k8s.io/client-go/listers/core/v1"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
@@ -80,11 +79,6 @@ func (v *Vault) New(ns string, sl corelisters.SecretLister, iss v1.GenericIssuer
return v, nil
}
-// Sys returns an empty `vault.Sys`.
-func (v *Vault) Sys() *vault.Sys {
- return new(vault.Sys)
-}
-
// IsVaultInitializedAndUnsealed always returns nil
func (v *Vault) IsVaultInitializedAndUnsealed() error {
return nil
diff --git a/internal/vault/vault.go b/internal/vault/vault.go
index a4ac2daca0c..6b00195a1b8 100644
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -45,10 +45,8 @@ type ClientBuilder func(namespace string, secretsLister corelisters.SecretLister
// Interface implements various high level functionality related to connecting
// with a Vault server, verifying its status and signing certificate request for
// Vault's certificate.
-// TODO: Sys() is duplicated here and in Client interface
type Interface interface {
Sign(csrPEM []byte, duration time.Duration) (certPEM []byte, caPEM []byte, err error)
- Sys() *vault.Sys
IsVaultInitializedAndUnsealed() error
}
@@ -58,7 +56,6 @@ type Client interface {
RawRequest(r *vault.Request) (*vault.Response, error)
SetToken(v string)
Token() string
- Sys() *vault.Sys
}
// Vault implements Interface and holds a Vault issuer, secrets lister and a
@@ -409,10 +406,6 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
return token, nil
}
-func (v *Vault) Sys() *vault.Sys {
- return v.client.Sys()
-}
-
func extractCertificatesFromVaultCertificateSecret(secret *certutil.Secret) ([]byte, []byte, error) {
parsedBundle, err := certutil.ParsePKIMap(secret.Data)
if err != nil {
From 6b2c3b5295a83bbac052c3ce01a1be1730aa566f Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 22 Nov 2022 16:47:41 +0000
Subject: [PATCH 0038/1253] Remove unused Token method
Signed-off-by: Richard Wall
---
internal/vault/vault.go | 1 -
1 file changed, 1 deletion(-)
diff --git a/internal/vault/vault.go b/internal/vault/vault.go
index 6b00195a1b8..78aad557a1c 100644
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -55,7 +55,6 @@ type Client interface {
NewRequest(method, requestPath string) *vault.Request
RawRequest(r *vault.Request) (*vault.Response, error)
SetToken(v string)
- Token() string
}
// Vault implements Interface and holds a Vault issuer, secrets lister and a
From e1740afedfb4fa18a1797242a06fb2134025a8b1 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Wed, 23 Nov 2022 09:58:39 +0000
Subject: [PATCH 0039/1253] Recreate the original behaviour of sending a Vault
token to the unauthenticated sys/health endpoint.
Signed-off-by: Richard Wall
---
internal/vault/vault.go | 16 +++++++++--
internal/vault/vault_test.go | 53 ++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 3 deletions(-)
diff --git a/internal/vault/vault.go b/internal/vault/vault.go
index 78aad557a1c..9f18a7554be 100644
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -98,21 +98,31 @@ func New(namespace string, secretsLister corelisters.SecretLister, issuer v1.Gen
return nil, err
}
- clientSys, err := vault.NewClient(cfg)
+ client, err := vault.NewClient(cfg)
if err != nil {
return nil, fmt.Errorf("error initializing Vault client: %s", err.Error())
}
// Set the Vault namespace.
// An empty namespace string will cause the client to not send the namespace related HTTP headers to Vault.
- clientNS := clientSys.WithNamespace(issuer.GetSpec().Vault.Namespace)
+ clientNS := client.WithNamespace(issuer.GetSpec().Vault.Namespace)
+ // Use the (maybe) namespaced client to authenticate.
+ // If a Vault namespace is configured, then the authentication endpoints are
+ // expected to be in that namespace.
if err := v.setToken(clientNS); err != nil {
return nil, err
}
+ // A client for use with namespaced API paths
v.client = clientNS
- v.clientSys = clientSys
+
+ // Create duplicate Vault client without a namespace, for interacting with root-only API paths.
+ // For backwards compatibility, this client will use the token from the namespaced client,
+ // although this is probably unnecessary / bad practice, since we only
+ // interact with the sys/health endpoint which is an unauthenticated endpoint:
+ // https://github.com/hashicorp/vault/issues/209#issuecomment-102485565.
+ v.clientSys = clientNS.WithNamespace("")
return v, nil
}
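Review bot: `v.clientSys = clientNS.WithNamespace("")` deliberately hands the issuer's Vault token to a client whose only caller is the unauthenticated `sys/health` endpoint, which the inline comment itself calls bad practice; the tokenless `client` created a few lines above is already the right object for that role (`v.clientSys = client`), and only the root-only test's `X-Vault-Token` assertion would need to change. If backwards compatibility is the reason to keep it, mark it so it is not cemented, e.g. `// TODO: use the tokenless client here once sending the token to sys/health is no longer needed for compatibility.`. `New` starts before this hunk.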
diff --git a/internal/vault/vault_test.go b/internal/vault/vault_test.go
index 0fb4007e517..b984c3f262b 100644
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@@ -25,6 +25,7 @@ import (
"fmt"
"io"
"net/http"
+ "net/http/httptest"
"strings"
"testing"
"time"
@@ -1236,3 +1237,55 @@ func TestNewWithVaultNamespaces(t *testing.T) {
})
}
}
+
+// TestIsVaultInitiatedAndUnsealedIntegration demonstrates that it interacts only with the
+// sys/health endpoint and that it supplies the Vault token but not a Vault namespace header.
+func TestIsVaultInitiatedAndUnsealedIntegration(t *testing.T) {
+
+ const vaultToken = "token1"
+
+ mux := http.NewServeMux()
+ mux.HandleFunc("/v1/sys/health", func(response http.ResponseWriter, request *http.Request) {
+ assert.Empty(t, request.Header.Values("X-Vault-Namespace"), "Unexpected Vault namespace header for root-only API path")
+ assert.Equal(t, vaultToken, request.Header.Get("X-Vault-Token"), "Expected the Vault token for root-only API path")
+ })
+ server := httptest.NewServer(mux)
+ defer server.Close()
+
+ v, err := New(
+ "k8s-ns1",
+ listers.FakeSecretListerFrom(listers.NewFakeSecretLister(),
+ listers.SetFakeSecretNamespaceListerGet(
+ &corev1.Secret{
+ Data: map[string][]byte{
+ "key1": []byte(vaultToken),
+ },
+ }, nil),
+ ),
+ &cmapi.Issuer{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "issuer1",
+ Namespace: "k8s-ns1",
+ },
+ Spec: v1.IssuerSpec{
+ IssuerConfig: v1.IssuerConfig{
+ Vault: &v1.VaultIssuer{
+ Server: server.URL,
+ Namespace: "ns1",
+ Auth: cmapi.VaultAuth{
+ TokenSecretRef: &cmmeta.SecretKeySelector{
+ LocalObjectReference: cmmeta.LocalObjectReference{
+ Name: "secret1",
+ },
+ Key: "key1",
+ },
+ },
+ },
+ },
+ },
+ })
+ require.NoError(t, err)
+
+ err = v.IsVaultInitializedAndUnsealed()
+ require.NoError(t, err)
+}
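Review bot: The test name `TestIsVaultInitiatedAndUnsealedIntegration` (and its doc comment) does not match the method under test, `IsVaultInitializedAndUnsealed`; rename it to `TestIsVaultInitializedAndUnsealedIntegration` so `go test -run` and the doc comment line up. The header assertions live inside the handler, so nothing fails if the handler is never reached; recording a hit (an `atomic.Bool` set in the handler and asserted after the call) would make the test prove the endpoint was actually used, though a miss presumably surfaces as a non-2xx error today. The blank line after the opening brace can go.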
From 75b2ba12dc0e9437d3b2a6f4133572f194416ba0 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Wed, 23 Nov 2022 10:18:48 +0000
Subject: [PATCH 0040/1253] Test that the Sign function *does* use the Vault
namespace
Signed-off-by: Richard Wall
---
internal/vault/vault_test.go | 67 ++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
diff --git a/internal/vault/vault_test.go b/internal/vault/vault_test.go
index b984c3f262b..9720e42712b 100644
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@@ -1289,3 +1289,70 @@ func TestIsVaultInitiatedAndUnsealedIntegration(t *testing.T) {
err = v.IsVaultInitializedAndUnsealed()
require.NoError(t, err)
}
+
+// TestSignIntegration demonstrates that it interacts only with the API endpoint
+// path supplied in the Issuer resource and that it supplies the Vault namespace
+// and token to that endpoint.
+func TestSignIntegration(t *testing.T) {
+ const (
+ vaultToken = "token1"
+ vaultNamespace = "vault-ns-1"
+ vaultPath = "my_pki_mount/sign/my-role-name"
+ )
+
+ privatekey := generateRSAPrivateKey(t)
+ csrPEM := generateCSR(t, privatekey)
+
+ rootBundleData, err := bundlePEM(testIntermediateCa, testRootCa)
+ require.NoError(t, err)
+
+ mux := http.NewServeMux()
+ mux.HandleFunc(fmt.Sprintf("/v1/%s", vaultPath), func(response http.ResponseWriter, request *http.Request) {
+ assert.Equal(t, vaultNamespace, request.Header.Get("X-Vault-Namespace"), "Expected Vault namespace header for namespaced API path")
+ assert.Equal(t, vaultToken, request.Header.Get("X-Vault-Token"), "Expected the Vault token for root-only API path")
+ _, err := response.Write(rootBundleData)
+ require.NoError(t, err)
+ })
+ server := httptest.NewServer(mux)
+ defer server.Close()
+
+ v, err := New(
+ "k8s-ns1",
+ listers.FakeSecretListerFrom(listers.NewFakeSecretLister(),
+ listers.SetFakeSecretNamespaceListerGet(
+ &corev1.Secret{
+ Data: map[string][]byte{
+ "key1": []byte(vaultToken),
+ },
+ }, nil),
+ ),
+ &cmapi.Issuer{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "issuer1",
+ Namespace: "k8s-ns1",
+ },
+ Spec: v1.IssuerSpec{
+ IssuerConfig: v1.IssuerConfig{
+ Vault: &v1.VaultIssuer{
+ Server: server.URL,
+ Path: vaultPath,
+ Namespace: vaultNamespace,
+ Auth: cmapi.VaultAuth{
+ TokenSecretRef: &cmmeta.SecretKeySelector{
+ LocalObjectReference: cmmeta.LocalObjectReference{
+ Name: "secret1",
+ },
+ Key: "key1",
+ },
+ },
+ },
+ },
+ },
+ })
+ require.NoError(t, err)
+
+ certPEM, caPEM, err := v.Sign(csrPEM, time.Hour)
+ require.NoError(t, err)
+ require.NotEmpty(t, certPEM)
+ require.NotEmpty(t, caPEM)
+}
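Review bot: `require.NoError(t, err)` on the `response.Write` result runs on the HTTP server's goroutine; `require` calls `t.FailNow`, which must be invoked from the test goroutine, so this should be `assert.NoError(t, err)` like the two assertions above it. The second header assertion's message is copy-pasted from the root-only test and is wrong here: `"Expected the Vault token for namespaced API path"`.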
From df20fcd3e40accfb4310617f42560afd9a56996d Mon Sep 17 00:00:00 2001
From: Igor Beliakov
Date: Thu, 24 Nov 2022 22:42:18 +0100
Subject: [PATCH 0041/1253] chore(AzureDNS): added more comments as requested
by @wallrj
Signed-off-by: Igor Beliakov
---
pkg/issuer/acme/dns/azuredns/azuredns.go | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/pkg/issuer/acme/dns/azuredns/azuredns.go b/pkg/issuer/acme/dns/azuredns/azuredns.go
index 1ea57e92f65..51843fb9699 100644
--- a/pkg/issuer/acme/dns/azuredns/azuredns.go
+++ b/pkg/issuer/acme/dns/azuredns/azuredns.go
@@ -134,14 +134,20 @@ func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptio
}
// adal does not offer methods to dynamically replace a federated token, thus we need to have a wrapper to make sure
- // we're using up-to-date secret while requesting an access token
+ // we're using up-to-date secret while requesting an access token.
+ // NOTE: There's no RefreshToken in the whole process (in fact, it's absent in AAD responses). An AccessToken can be
+ // received only in exchange for a federated token.
var refreshFunc adal.TokenRefresh = func(context context.Context, resource string) (*adal.Token, error) {
newSPT, err := getFederatedSPT(env, opt)
if err != nil {
return nil, err
}
- // Need to call Refresh(), otherwise .Token() will be empty
+ // An AccessToken gets populated into an spt only when .Refresh() is called. Normally, it's something that happens implicitly when
+ // a first request to manipulate Azure resources is made. Since our goal here is only to receive a fresh AccessToken, we need to make
+ // an explicit call.
+ // .Refresh() itself results in a call to Oauth endpoint. During the process, a federated token is exchanged for an AccessToken.
+ // RefreshToken is absent from responses.
err = newSPT.Refresh()
if err != nil {
return nil, err
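Review bot: The new comments state twice that no RefreshToken is returned (once above `refreshFunc`, once before `newSPT.Refresh()`); keeping that point in one place avoids the two drifting apart, and `Oauth` should be written `OAuth`. `getAuthorization` starts before this hunk.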
From c7952fd054aeb6033f0418d8a7e7d2b81e10ff2b Mon Sep 17 00:00:00 2001
From: Houssem El Fekih
Date: Mon, 28 Nov 2022 21:56:00 +0000
Subject: [PATCH 0042/1253] e2e test confirming LDAP rdn literalsubject in
generated certificate
* Enabled feature flag for literalsubject in e2e test runner
* Added "happy path" test
Signed-off-by: SpectralHiss
---
make/e2e.sh | 2 +-
.../suite/certificates/literalsubjectrdns.go | 101 ++++++++++++++++++
2 files changed, 102 insertions(+), 1 deletion(-)
create mode 100644 test/e2e/suite/certificates/literalsubjectrdns.go
diff --git a/make/e2e.sh b/make/e2e.sh
index e3d167ba52d..4468736d950 100755
--- a/make/e2e.sh
+++ b/make/e2e.sh
@@ -73,7 +73,7 @@ nodes=20
flake_attempts=1
ginkgo_skip=
ginkgo_focus=
-feature_gates=AdditionalCertificateOutputFormats=true,ExperimentalCertificateSigningRequestControllers=true,ExperimentalGatewayAPISupport=true
+feature_gates=AdditionalCertificateOutputFormats=true,ExperimentalCertificateSigningRequestControllers=true,ExperimentalGatewayAPISupport=true,LiteralCertificateSubject=true
artifacts="./$BINDIR/artifacts"
help() {
cat <
Date: Tue, 29 Nov 2022 09:55:19 +0000
Subject: [PATCH 0043/1253] Make test assertion more specific to slice, need to
verify ordering of rdns
Signed-off-by: SpectralHiss
---
.../suite/certificates/literalsubjectrdns.go | 25 ++++++++++---------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/test/e2e/suite/certificates/literalsubjectrdns.go b/test/e2e/suite/certificates/literalsubjectrdns.go
index 334cf9b9281..c08e328d1d4 100644
--- a/test/e2e/suite/certificates/literalsubjectrdns.go
+++ b/test/e2e/suite/certificates/literalsubjectrdns.go
@@ -83,19 +83,20 @@ var _ = framework.CertManagerDescribe("literalsubject rdn parsing", func() {
pemBlock, _ := pem.Decode(crtPEM)
cert, err := x509.ParseCertificate(pemBlock.Bytes)
Expect(err).To(BeNil())
+
// TODO: the sequence seems to come out 'reversed' in cert.Subject.Names, investigate ordering
- Expect(cert.Subject.Names).To(ContainElements(
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "Admins"},
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "IT"},
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "Acme"},
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 6}, Value: "Spain"},
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 7}, Value: "Barcelona"},
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 9}, Value: "La Rambla"},
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}, Value: "jamessmith"},
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}, Value: "net"},
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}, Value: "dc"},
- pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "James \"Jim\" Smith, III"},
- ))
+ Expect(cert.Subject.Names).To(Equal([]pkix.AttributeTypeAndValue{
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "Admins"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "IT"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "Acme"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 6}, Value: "Spain"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 7}, Value: "Barcelona"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 9}, Value: "La Rambla"},
+ {Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}, Value: "jamessmith"},
+ {Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}, Value: "net"},
+ {Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}, Value: "dc"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "James \"Jim\" Smith, III"},
+ }))
})
})
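Review bot: The rewrite pins an exact element order that the TODO comment directly above still describes as unexplained ("seems to come out reversed"), so an open question becomes a contract. Either resolve the TODO first or replace it with the reason the order is expected, e.g. `// RDNs in string form are written in reverse of the RDNSequence, so cert.Subject.Names is the reverse of the literalSubject string.`, before locking it in with `Equal`. The enclosing `Describe` callback starts before this hunk.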
From 182275ed449a631add2064001910952e9fec031a Mon Sep 17 00:00:00 2001
From: Houssem El Fekih
Date: Tue, 29 Nov 2022 14:38:24 +0000
Subject: [PATCH 0044/1253] Add error case + list all supported OIDs in
cannonical order
Signed-off-by: SpectralHiss
---
.../suite/certificates/literalsubjectrdns.go | 39 ++++++++++++-------
1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/test/e2e/suite/certificates/literalsubjectrdns.go b/test/e2e/suite/certificates/literalsubjectrdns.go
index c08e328d1d4..594ddc2e2fd 100644
--- a/test/e2e/suite/certificates/literalsubjectrdns.go
+++ b/test/e2e/suite/certificates/literalsubjectrdns.go
@@ -32,7 +32,7 @@ var _ = framework.CertManagerDescribe("literalsubject rdn parsing", func() {
f := framework.NewDefaultFramework("certificate-literalsubject-rdns")
- createCertificate := func(f *framework.Framework, literalSubject string) (string, *cmapi.Certificate) {
+ createCertificate := func(f *framework.Framework, literalSubject string) (*cmapi.Certificate, error) {
framework.RequireFeatureGate(f, utilfeature.DefaultFeatureGate, feature.LiteralCertificateSubject)
crt := &cmapi.Certificate{
ObjectMeta: metav1.ObjectMeta{
@@ -49,14 +49,11 @@ var _ = framework.CertManagerDescribe("literalsubject rdn parsing", func() {
},
}
- By("creating Certificate with AdditionalOutputFormats")
- crt, err := f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Create(context.Background(), crt, metav1.CreateOptions{})
- Expect(err).NotTo(HaveOccurred())
- crt, err = f.Helper().WaitForCertificateReadyAndDoneIssuing(crt, time.Minute*2)
- Expect(err).NotTo(HaveOccurred(), "failed to wait for Certificate to become Ready")
+ By("creating Certificate with LiteralSubject")
+ return f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Create(context.Background(), crt, metav1.CreateOptions{})
- return crt.Name, crt
}
+
BeforeEach(func() {
By("creating a self-signing issuer")
issuer := gen.Issuer(issuerName,
@@ -74,8 +71,14 @@ var _ = framework.CertManagerDescribe("literalsubject rdn parsing", func() {
Expect(f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name).Delete(context.Background(), issuerName, metav1.DeleteOptions{})).NotTo(HaveOccurred())
})
- FIt("Should create CSR reflecting most common RDNs", func() {
- createCertificate(f, "CN=James \\\"Jim\\\" Smith\\, III,DC=dc,DC=net,UID=jamessmith,STREET=La Rambla,L=Barcelona,C=Spain,O=Acme,OU=IT,OU=Admins")
+ // The parsed RDNSequence should be in REVERSE order as RDNs in String format are expected to be written in reverse order.
+ // Meaning, a string of "CN=Foo,OU=Bar,O=Baz" actually should have "O=Baz" as the first element in the RDNSequence.
+ It("Should create a certificate with all the supplied RDNs as subject names in reverse string order, including DC and UID", func() {
+ crt, err := createCertificate(f, "CN=James \\\"Jim\\\" Smith\\, III,UID=jamessmith,SERIALNUMBER=1234512345,OU=Admins,OU=IT,DC=net,DC=dc,O=Acme,STREET=La Rambla,L=Barcelona,C=Spain")
+ Expect(err).NotTo(HaveOccurred())
+ _, err = f.Helper().WaitForCertificateReadyAndDoneIssuing(crt, time.Minute*2)
+ Expect(err).NotTo(HaveOccurred(), "failed to wait for Certificate to become Ready")
+
secret, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(context.TODO(), secretName, metav1.GetOptions{})
Expect(err).To(BeNil())
Expect(secret.Data).To(HaveKey("tls.crt"))
@@ -84,19 +87,25 @@ var _ = framework.CertManagerDescribe("literalsubject rdn parsing", func() {
cert, err := x509.ParseCertificate(pemBlock.Bytes)
Expect(err).To(BeNil())
- // TODO: the sequence seems to come out 'reversed' in cert.Subject.Names, investigate ordering
Expect(cert.Subject.Names).To(Equal([]pkix.AttributeTypeAndValue{
- {Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "Admins"},
- {Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "IT"},
- {Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "Acme"},
{Type: asn1.ObjectIdentifier{2, 5, 4, 6}, Value: "Spain"},
{Type: asn1.ObjectIdentifier{2, 5, 4, 7}, Value: "Barcelona"},
{Type: asn1.ObjectIdentifier{2, 5, 4, 9}, Value: "La Rambla"},
- {Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}, Value: "jamessmith"},
- {Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}, Value: "net"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "Acme"},
{Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}, Value: "dc"},
+ {Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}, Value: "net"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "IT"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "Admins"},
+ {Type: asn1.ObjectIdentifier{2, 5, 4, 5}, Value: "1234512345"},
+ {Type: asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}, Value: "jamessmith"},
{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "James \"Jim\" Smith, III"},
}))
+ })
+ It("Should not allow unknown RDN component", func() {
+ _, err := createCertificate(f, "UNKNOWN=blah")
+ Expect(err).NotTo(BeNil())
+ Expect(err.Error()).To(ContainSubstring("Literal subject contains unrecognized key with value [blah]"))
})
+
})
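Review bot: The negative test pins an error message that echoes the attribute value (`[blah]`) but not the unrecognized key (`UNKNOWN`), which is what the user must fix; the message is produced outside this diff (the literal-subject parser), but the assertion cements its shape, so consider changing both together to something like `unrecognized key "UNKNOWN" in literal subject` (constructed wording). The stray blank line before the final `})` can be dropped. The enclosing `Describe` callback starts before this hunk.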
From d56c51092a56cc7f3a1760923896aac73446ee47 Mon Sep 17 00:00:00 2001
From: Houssem El Fekih
Date: Tue, 29 Nov 2022 14:47:50 +0000
Subject: [PATCH 0045/1253] Add boilerplate comment
Signed-off-by: SpectralHiss
---
.../e2e/suite/certificates/literalsubjectrdns.go | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/test/e2e/suite/certificates/literalsubjectrdns.go b/test/e2e/suite/certificates/literalsubjectrdns.go
index 594ddc2e2fd..54ead9a43ec 100644
--- a/test/e2e/suite/certificates/literalsubjectrdns.go
+++ b/test/e2e/suite/certificates/literalsubjectrdns.go
@@ -1,3 +1,19 @@
+/*
+Copyright 2020 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
package certificates
import (
From 4d12251fa790f9cd7a242a07dcd0f3918f7eb1a7 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Tue, 29 Nov 2022 16:13:18 +0000
Subject: [PATCH 0046/1253] Use distinct manifest dirs for signed / unsigned
manifests
This avoids a race condition with the `release-manifests` and
`release-manifests-signed` targets.
When running in parallel, one could execute `rm -rf
$(BINDIR)/scratch/manifests` while the other was running.
This could also conceivably have led to incorrectly packaged
manifests when both were run in parallel.
Signed-off-by: Ashley Davis
---
make/manifests.mk | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/make/manifests.mk b/make/manifests.mk
index 1f82fc21e5d..c4cfd600d0c 100644
--- a/make/manifests.mk
+++ b/make/manifests.mk
@@ -41,23 +41,23 @@ release-manifests: $(BINDIR)/scratch/cert-manager-manifests-unsigned.tar.gz
## @category Release
release-manifests-signed: $(BINDIR)/release/cert-manager-manifests.tar.gz $(BINDIR)/metadata/cert-manager-manifests.tar.gz.metadata.json
-$(BINDIR)/release/cert-manager-manifests.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov | $(BINDIR)/scratch/manifests $(BINDIR)/release
- mkdir -p $(BINDIR)/scratch/manifests/deploy/chart/
- mkdir -p $(BINDIR)/scratch/manifests/deploy/manifests/
- cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov $(BINDIR)/scratch/manifests/deploy/chart/
- cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests/deploy/manifests/
+$(BINDIR)/release/cert-manager-manifests.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov | $(BINDIR)/scratch/manifests-signed $(BINDIR)/release
+ mkdir -p $(BINDIR)/scratch/manifests-signed/deploy/chart/
+ mkdir -p $(BINDIR)/scratch/manifests-signed/deploy/manifests/
+ cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov $(BINDIR)/scratch/manifests-signed/deploy/chart/
+ cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests-signed/deploy/manifests/
# removes leading ./ from archived paths
- find $(BINDIR)/scratch/manifests -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests -T -
- rm -rf $(BINDIR)/scratch/manifests
-
-$(BINDIR)/scratch/cert-manager-manifests-unsigned.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml | $(BINDIR)/scratch/manifests
- mkdir -p $(BINDIR)/scratch/manifests/deploy/chart/
- mkdir -p $(BINDIR)/scratch/manifests/deploy/manifests/
- cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/scratch/manifests/deploy/chart/
- cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests/deploy/manifests/
+ find $(BINDIR)/scratch/manifests-signed -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests-signed -T -
+ rm -rf $(BINDIR)/scratch/manifests-signed
+
+$(BINDIR)/scratch/cert-manager-manifests-unsigned.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml | $(BINDIR)/scratch/manifests-unsigned
+ mkdir -p $(BINDIR)/scratch/manifests-unsigned/deploy/chart/
+ mkdir -p $(BINDIR)/scratch/manifests-unsigned/deploy/manifests/
+ cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/scratch/manifests-unsigned/deploy/chart/
+ cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests-unsigned/deploy/manifests/
# removes leading ./ from archived paths
- find $(BINDIR)/scratch/manifests -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests -T -
- rm -rf $(BINDIR)/scratch/manifests
+ find $(BINDIR)/scratch/manifests-unsigned -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests-unsigned -T -
+ rm -rf $(BINDIR)/scratch/manifests-unsigned
# This metadata blob is constructed slightly differently and doesn't use hack/artifact-metadata.template.json directly;
# this is because the bazel staged releases didn't include an "os" or "architecture" field for this artifact
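Review bot: The staging directory `$(BINDIR)/scratch/manifests-signed` is only removed at the end of the recipe, so a run that fails after the `cp` steps, or a later run with a different `RELEASE_VERSION`, leaves stale files that the `find … | tar czf $@` line packages into the signed release tarball alongside the fresh ones. The order-only prerequisite `$(BINDIR)/scratch/manifests-signed` does not help here, since `mkdir -p` keeps whatever is already in the directory. Clear it first: add `rm -rf $(BINDIR)/scratch/manifests-signed` as the first line of the recipe (and the same for `manifests-unsigned`), or stage into a fresh `mktemp -d` directory, so the archive can only contain this build's artifacts.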
@@ -164,7 +164,10 @@ $(BINDIR)/helm/cert-manager/templates:
$(BINDIR)/scratch/yaml:
@mkdir -p $@
-$(BINDIR)/scratch/manifests:
+$(BINDIR)/scratch/manifests-unsigned:
+ @mkdir -p $@
+
+$(BINDIR)/scratch/manifests-signed:
@mkdir -p $@
$(BINDIR)/yaml/templated-crds:
From f884dac55575bbdba962245a15a0ba72834d0950 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=C3=ADn=20Montes?=
Date: Thu, 1 Dec 2022 12:42:14 +0100
Subject: [PATCH 0047/1253] Return error when Gateway has a cross-namespace
secret ref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martín Montes
---
pkg/controller/certificate-shim/sync.go | 9 ++-
pkg/controller/certificate-shim/sync_test.go | 73 +++++++++++++++++++-
2 files changed, 79 insertions(+), 3 deletions(-)
diff --git a/pkg/controller/certificate-shim/sync.go b/pkg/controller/certificate-shim/sync.go
index 112b7d8f463..3948e6a4385 100644
--- a/pkg/controller/certificate-shim/sync.go
+++ b/pkg/controller/certificate-shim/sync.go
@@ -239,7 +239,7 @@ func validateIngressTLSBlock(path *field.Path, tlsBlock networkingv1.IngressTLS)
return errs
}
-func validateGatewayListenerBlock(path *field.Path, l gwapi.Listener) field.ErrorList {
+func validateGatewayListenerBlock(path *field.Path, l gwapi.Listener, ingLike metav1.Object) field.ErrorList {
var errs field.ErrorList
if l.Hostname == nil || *l.Hostname == "" {
@@ -266,6 +266,11 @@ func validateGatewayListenerBlock(path *field.Path, l gwapi.Listener) field.Erro
errs = append(errs, field.NotSupported(path.Child("tls").Child("certificateRef").Index(i).Child("kind"),
*secretRef.Kind, []string{"Secret", ""}))
}
+
+ if secretRef.Namespace != nil && string(*secretRef.Namespace) != ingLike.GetNamespace() {
+ errs = append(errs, field.Invalid(path.Child("tls").Child("certificateRef").Index(i).Child("namespace"),
+ *secretRef.Namespace, "cross-namespace secret references are not allowed in listeners"))
+ }
}
}
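Review bot: The new namespace guard rejects every cross-namespace `certificateRefs[].namespace` without saying why, and a future maintainer who knows that Gateway API permits such references under a ReferenceGrant may be tempted to relax it. The shim does not evaluate ReferenceGrants, and the Certificate it builds presumably lands in the Gateway's own namespace (verify against buildCertificates, outside this hunk), so a cross-namespace ref could only ever produce a Secret that the listener does not actually point at; rejecting it is the right default and deserves a comment such as `// cert-manager does not honour ReferenceGrant; a cross-namespace ref would yield a Certificate/Secret in the Gateway's namespace that the listener never uses.` The enclosing loop and validateGatewayListenerBlock itself begin before this hunk.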
@@ -310,7 +315,7 @@ func buildCertificates(
}
case *gwapi.Gateway:
for i, l := range ingLike.Spec.Listeners {
- err := validateGatewayListenerBlock(field.NewPath("spec", "listeners").Index(i), l).ToAggregate()
+ err := validateGatewayListenerBlock(field.NewPath("spec", "listeners").Index(i), l, ingLike).ToAggregate()
if err != nil {
rec.Eventf(ingLike, corev1.EventTypeWarning, reasonBadConfig, "Skipped a listener block: "+err.Error())
continue
diff --git a/pkg/controller/certificate-shim/sync_test.go b/pkg/controller/certificate-shim/sync_test.go
index 5b4783cbf9b..1308bdf5ebf 100644
--- a/pkg/controller/certificate-shim/sync_test.go
+++ b/pkg/controller/certificate-shim/sync_test.go
@@ -3039,11 +3039,18 @@ func ptrMode(mode gwapi.TLSModeType) *gwapi.TLSModeType {
func Test_validateGatewayListenerBlock(t *testing.T) {
tests := []struct {
name string
+ ingLike metav1.Object
listener gwapi.Listener
wantErr string
}{
{
name: "empty TLS block",
+ ingLike: &gwapi.Gateway{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "gateway",
+ Namespace: "default",
+ },
+ },
listener: gwapi.Listener{
Hostname: ptrHostname("example.com"),
Port: gwapi.PortNumber(443),
@@ -3053,6 +3060,12 @@ func Test_validateGatewayListenerBlock(t *testing.T) {
},
{
name: "empty hostname",
+ ingLike: &gwapi.Gateway{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "gateway",
+ Namespace: "default",
+ },
+ },
listener: gwapi.Listener{
Hostname: ptrHostname(""),
Port: gwapi.PortNumber(443),
@@ -3072,6 +3085,12 @@ func Test_validateGatewayListenerBlock(t *testing.T) {
},
{
name: "empty group",
+ ingLike: &gwapi.Gateway{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "example",
+ Namespace: "default",
+ },
+ },
listener: gwapi.Listener{
Hostname: ptrHostname("example.com"),
Port: gwapi.PortNumber(443),
@@ -3128,10 +3147,62 @@ func Test_validateGatewayListenerBlock(t *testing.T) {
},
wantErr: "spec.listeners[0].tls.certificateRef[0].kind: Unsupported value: \"SomeOtherKind\": supported values: \"Secret\", \"\"",
},
+ {
+ name: "cross-namespace secret ref",
+ ingLike: &gwapi.Gateway{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "example",
+ Namespace: "default",
+ },
+ },
+ listener: gwapi.Listener{
+ Hostname: ptrHostname("example.com"),
+ Port: gwapi.PortNumber(443),
+ Protocol: gwapi.HTTPSProtocolType,
+ TLS: &gwapi.GatewayTLSConfig{
+ Mode: ptrMode(gwapi.TLSModeTerminate),
+ CertificateRefs: []gwapi.SecretObjectReference{
+ {
+ Group: func() *gwapi.Group { g := gwapi.Group(""); return &g }(),
+ Kind: func() *gwapi.Kind { k := gwapi.Kind("Secret"); return &k }(),
+ Name: "example-com",
+ Namespace: func() *gwapi.Namespace { n := gwapi.Namespace("another-namespace"); return &n }(),
+ },
+ },
+ },
+ },
+ wantErr: "spec.listeners[0].tls.certificateRef[0].namespace: Invalid value: \"another-namespace\": cross-namespace secret references are not allowed in listeners",
+ },
+ {
+ name: "same namespace secret ref",
+ ingLike: &gwapi.Gateway{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "example",
+ Namespace: "another-namespace",
+ },
+ },
+ listener: gwapi.Listener{
+ Hostname: ptrHostname("example.com"),
+ Port: gwapi.PortNumber(443),
+ Protocol: gwapi.HTTPSProtocolType,
+ TLS: &gwapi.GatewayTLSConfig{
+ Mode: ptrMode(gwapi.TLSModeTerminate),
+ CertificateRefs: []gwapi.SecretObjectReference{
+ {
+ Group: func() *gwapi.Group { g := gwapi.Group(""); return &g }(),
+ Kind: func() *gwapi.Kind { k := gwapi.Kind("Secret"); return &k }(),
+ Name: "example-com",
+ Namespace: func() *gwapi.Namespace { n := gwapi.Namespace("another-namespace"); return &n }(),
+ },
+ },
+ },
+ },
+ wantErr: "",
+ },
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
- gotErr := validateGatewayListenerBlock(field.NewPath("spec", "listeners").Index(0), test.listener).ToAggregate()
+ gotErr := validateGatewayListenerBlock(field.NewPath("spec", "listeners").Index(0), test.listener, test.ingLike).ToAggregate()
if test.wantErr == "" {
assert.NoError(t, gotErr)
} else {
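Review bot: The two added cases pin an explicit mismatch and an explicit match, but not a `certificateRefs` entry whose `Namespace` is left nil, which is the common form and the branch the guard `secretRef.Namespace != nil && …` must accept. Unless one of the cases above this hunk already sets a `Secret` kind ref with no namespace, add a third case that copies "same namespace secret ref" with `Namespace: nil` and `wantErr: ""`, so a later change to the nil handling cannot pass unnoticed.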
From f4f72c16e64a217479c7785c0391c6cc46fc97e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Fri, 25 Nov 2022 13:47:24 +0100
Subject: [PATCH 0048/1253] e2e: use Vault 1.12.1 instead of the outdated 1.2.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The main reason for bumping Vault's version is because 1.2.3 is not
compatible with the config parameter `disable_iss_validation`, which is
needed for accommodating the future tests [1] that rely on bound tokens
and static tokens.
For context, Vault 1.2.3 was released on Sep 9, 2019 [2] but
`disable_iss_validation` was only added on July 21st, 2020 in Vault
1.5.0.
Due to a breaking change that happened in Vault 1.5.0 [3], Vault now
authenticates to the Kubernetes API for the token review using its own
pod's service account token instead of the token being reviewed, so the
Vault pod's service account needs its own RBAC binding. An alternative
solution could have been to prevent the service account from being
mounted to the pod, but I figured that having the two service accounts
separated is a better practice.
[1]: https://github.com/cert-manager/cert-manager/pull/5502
[2]: https://github.com/hashicorp/vault/commit/c14bd9a2
[3]: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#150
Signed-off-by: Maël Valais
---
make/e2e-setup.mk | 8 +--
test/e2e/framework/addon/vault/setup.go | 58 ++++++++++---------
test/e2e/framework/addon/vault/vault.go | 15 +++--
.../vault/kubernetes.go | 21 +++----
test/e2e/suite/issuers/vault/issuer.go | 4 +-
5 files changed, 58 insertions(+), 48 deletions(-)
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index 3f1eeea1622..1c4cfc9cfed 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -15,7 +15,7 @@ K8S_VERSION := 1.24
IMAGE_ingressnginx_amd64 := k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:7464dc90abfaa084204176bcc0728f182b0611849395787143f6854dc6c38c85
IMAGE_kyverno_amd64 := ghcr.io/kyverno/kyverno:v1.7.1@sha256:aec4b029660d47aea025336150fdc2822c991f592d5170d754b6acaf158b513e
IMAGE_kyvernopre_amd64 := ghcr.io/kyverno/kyvernopre:v1.7.1@sha256:1bcec6bc854720e22f439c6dcea02fcf689f31976babcf03a449d750c2b1f34a
-IMAGE_vault_amd64 := index.docker.io/library/vault:1.2.3@sha256:b1c86c9e173f15bb4a926e4144a63f7779531c30554ac7aee9b2a408b22b2c01
+IMAGE_vault_amd64 := index.docker.io/library/vault:1.12.1@sha256:08dd1cb922624c51a5aefd4d9ce0ac5ed9688d96d8a5ad94664fa10e84702ed6
IMAGE_bind_amd64 := docker.io/eafxx/bind:latest-9f74179f@sha256:0b8c766f5bedbcbe559c7970c8e923aa0c4ca771e62fcf8dba64ffab980c9a51
IMAGE_sampleexternalissuer_amd64 := ghcr.io/cert-manager/sample-external-issuer/controller:v0.1.1@sha256:7dafe98c73d229bbac08067fccf9b2884c63c8e1412fe18f9986f59232cf3cb5
IMAGE_projectcontour_amd64 := ghcr.io/projectcontour/contour:v1.22.0@sha256:c8ee1e566340c1bfd11fc9a1a90d758bde562faecb722540207084330b300497
@@ -25,7 +25,7 @@ IMAGE_vaultretagged_amd64 := local/vault:local
IMAGE_ingressnginx_arm64 := k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:86be28e506653cbe29214cb272d60e7c8841ddaf530da29aa22b1b1017faa956
IMAGE_kyverno_arm64 := ghcr.io/kyverno/kyverno:v1.7.1@sha256:4355f1f65ea5e952886e929a15628f0c6704905035b4741c6f560378871c9335
IMAGE_kyvernopre_arm64 := ghcr.io/kyverno/kyvernopre:v1.7.1@sha256:141234fb74242155c7b843180b90ee5fb6a20c9e77598bd9c138c687059cdafd
-IMAGE_vault_arm64 := index.docker.io/library/vault:1.2.3@sha256:226a269b83c4b28ff8a512e76f1e7b707eccea012e4c3ab4c7af7fff1777ca2d
+IMAGE_vault_arm64 := $(IMAGE_vault_amd64)
IMAGE_bind_arm64 := docker.io/eafxx/bind:latest-9f74179f@sha256:85de273f24762c0445035d36290a440e8c5a6a64e9ae6227d92e8b0b0dc7dd6d
IMAGE_sampleexternalissuer_arm64 := # 🚧 NOT AVAILABLE FOR arm64 🚧
IMAGE_projectcontour_arm64 := ghcr.io/projectcontour/contour:v1.22.0@sha256:ca37e86e284e72b3a969c7845a56a1cfcd348f4cb75bf6312d5b11067efdd667
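Review bot: `IMAGE_vault_arm64 := $(IMAGE_vault_amd64)` pins both architectures to the single digest `08dd1c…`, which is only sound if that digest is the multi-arch manifest list (image index) for `vault:1.12.1` rather than the amd64 platform manifest; with a platform digest, the arm64 pull through the multiarch rule would either fail its digest check or, worse, verify against the wrong artifact. Please confirm the media type (for example `crane manifest index.docker.io/library/vault:1.12.1 | jq .mediaType` should report an index/manifest list) and record the intent next to the alias: `# digest of the multi-arch manifest list; shared by amd64 and arm64`.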
@@ -131,7 +131,7 @@ $(LOAD_TARGETS): load-%: % $(BINDIR)/scratch/kind-exists | $(NEEDS_KIND)
# We don't pull using both the digest and tag because crane replaces the
# tag with "i-was-a-digest". We still check that the downloaded image
# matches the digest.
-$(call image-tar,kyverno) $(call image-tar,kyvernopre) $(call image-tar,bind) $(call image-tar,projectcontour) $(call image-tar,sampleexternalissuer) $(call image-tar,vault) $(call image-tar,ingressnginx): $(BINDIR)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
+$(call image-tar,kyverno) $(call image-tar,kyvernopre) $(call image-tar,bind) $(call image-tar,projectcontour) $(call image-tar,sampleexternalissuer) $(call image-tar,ingressnginx): $(BINDIR)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
@$(eval IMAGE=$(subst +,:,$*))
@$(eval IMAGE_WITHOUT_DIGEST=$(shell cut -d@ -f1 <<<"$(IMAGE)"))
@$(eval DIGEST=$(subst $(IMAGE_WITHOUT_DIGEST)@,,$(IMAGE)))
@@ -140,7 +140,7 @@ $(call image-tar,kyverno) $(call image-tar,kyvernopre) $(call image-tar,bind) $(
$(CRANE) pull $(IMAGE_WITHOUT_DIGEST) $@ --platform=linux/$(CRI_ARCH)
# Same as above, except it supports multiarch images.
-$(call image-tar,kind): $(BINDIR)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
+$(call image-tar,kind) $(call image-tar,vault): $(BINDIR)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
@$(eval IMAGE=$(subst +,:,$*))
@$(eval IMAGE_WITHOUT_DIGEST=$(shell cut -d@ -f1 <<<"$(IMAGE)"))
@$(eval DIGEST=$(subst $(IMAGE_WITHOUT_DIGEST)@,,$(IMAGE)))
diff --git a/test/e2e/framework/addon/vault/setup.go b/test/e2e/framework/addon/vault/setup.go
index ae17a3fc0e3..0cb72bb87f4 100644
--- a/test/e2e/framework/addon/vault/setup.go
+++ b/test/e2e/framework/addon/vault/setup.go
@@ -142,7 +142,7 @@ func (v *VaultInitializer) Init() error {
v.KubernetesAuthPath = "kubernetes"
}
- v.proxy = newProxy(v.Namespace, v.PodName, v.Kubectl, v.VaultCA)
+ v.proxy = newProxy(v.PodNS, v.PodName, v.Kubectl, v.VaultCA)
client, err := v.proxy.init()
if err != nil {
return err
@@ -446,36 +446,40 @@ func (v *VaultInitializer) setupKubernetesBasedAuth() error {
return nil
}
-// CreateKubernetesRole creates a service account and ClusterRoleBinding for Kubernetes auth delegation
-func (v *VaultInitializer) CreateKubernetesRole(client kubernetes.Interface, namespace, roleName, serviceAccountName string) error {
- serviceAccount := NewVaultServiceAccount(serviceAccountName)
- _, err := client.CoreV1().ServiceAccounts(namespace).Create(context.TODO(), serviceAccount, metav1.CreateOptions{})
-
- if err != nil {
- return fmt.Errorf("error creating ServiceAccount for Kubernetes auth: %s", err.Error())
- }
-
- role := NewVaultServiceAccountRole(namespace, serviceAccountName)
- _, err = client.RbacV1().ClusterRoles().Create(context.TODO(), role, metav1.CreateOptions{})
+// CreateKubernetesRole creates a service account and ClusterRoleBinding for
+// Kubernetes auth delegation. The name "boundSA" refers to the Vault param
+// "bound_service_account_names".
+func (v *VaultInitializer) CreateKubernetesRole(client kubernetes.Interface, vaultRole, boundNS, boundSA string) error {
+ // Watch out, we refer to two different namespaces here:
+ // - v.PodNS = the pod's service account used by Vault's pod to
+ // authenticate with Kubernetes for the token review.
+ // - boundSA = the service account used to login using the Vault Kubernetes
+ // auth.
+ clusterRole := NewVaultServiceAccountRole(v.PodNS, v.PodSA)
+ _, err := client.RbacV1().ClusterRoles().Create(context.TODO(), clusterRole, metav1.CreateOptions{})
if err != nil {
return fmt.Errorf("error creating Role for Kubernetes auth ServiceAccount: %s", err.Error())
}
-
- roleBinding := NewVaultServiceAccountClusterRoleBinding(role.Name, namespace, serviceAccountName)
+ roleBinding := NewVaultServiceAccountClusterRoleBinding(clusterRole.Name, v.PodNS, v.PodSA)
_, err = client.RbacV1().ClusterRoleBindings().Create(context.TODO(), roleBinding, metav1.CreateOptions{})
if err != nil {
return fmt.Errorf("error creating RoleBinding for Kubernetes auth ServiceAccount: %s", err.Error())
}
+ _, err = client.CoreV1().ServiceAccounts(boundNS).Create(context.TODO(), NewVaultServiceAccount(boundSA), metav1.CreateOptions{})
+ if err != nil {
+ return fmt.Errorf("error creating ServiceAccount for Kubernetes auth: %s", err.Error())
+ }
+
// vault write auth/kubernetes/role/
roleParams := map[string]string{
- "bound_service_account_names": serviceAccountName,
- "bound_service_account_namespaces": namespace,
+ "bound_service_account_names": boundSA,
+ "bound_service_account_namespaces": boundNS,
"policies": "[" + v.Role + "]",
}
- url := path.Join(fmt.Sprintf("/v1/auth/%s/role", v.KubernetesAuthPath), roleName)
+ url := path.Join(fmt.Sprintf("/v1/auth/%s/role", v.KubernetesAuthPath), vaultRole)
_, err = v.proxy.callVault("POST", url, "", roleParams)
if err != nil {
return fmt.Errorf("error configuring kubernetes auth role: %s", err.Error())
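Review bot: The explanatory comment at the top of CreateKubernetesRole mislabels `v.PodNS` as "the pod's service account", and the error strings still say `Role`/`RoleBinding` although the code now creates a cluster-scoped ClusterRole and ClusterRoleBinding, which makes the wider grant harder to spot when triaging a failed run. Suggested comment: `// - v.PodNS / v.PodSA = namespace and service account of the Vault pod; Vault presents this pod's token to the API server for TokenReview.` and messages such as `error creating ClusterRole for Vault pod ServiceAccount: %s`. Note also that the three string parameters were reordered to (vaultRole, boundNS, boundSA); any caller still passing (namespace, role, sa) compiles silently and only fails at runtime, so a small options struct would be safer than positional strings. The function body continues past this hunk.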
@@ -489,8 +493,8 @@ func (v *VaultInitializer) CreateKubernetesRole(client kubernetes.Interface, nam
"allowed_uri_sans": "spiffe://cluster.local/*",
"enforce_hostnames": "false",
"allow_bare_domains": "true",
- "bound_service_account_names": serviceAccountName,
- "bound_service_account_namespaces": namespace,
+ "bound_service_account_names": boundSA,
+ "bound_service_account_namespaces": boundNS,
}
url = path.Join("/v1", v.IntermediateMount, "roles", v.Role)
@@ -511,8 +515,8 @@ func (v *VaultInitializer) CreateKubernetesRole(client kubernetes.Interface, nam
params = map[string]string{
"period": "24h",
"policies": v.Role,
- "bound_service_account_names": serviceAccountName,
- "bound_service_account_namespaces": namespace,
+ "bound_service_account_names": boundSA,
+ "bound_service_account_namespaces": boundNS,
}
baseUrl := path.Join("/v1", "auth", v.KubernetesAuthPath, "role", v.Role)
@@ -525,21 +529,21 @@ func (v *VaultInitializer) CreateKubernetesRole(client kubernetes.Interface, nam
}
// CleanKubernetesRole cleans up the ClusterRoleBinding and ServiceAccount for Kubernetes auth delegation
-func (v *VaultInitializer) CleanKubernetesRole(client kubernetes.Interface, namespace, roleName, serviceAccountName string) error {
- if err := client.RbacV1().RoleBindings(namespace).Delete(context.TODO(), roleName, metav1.DeleteOptions{}); err != nil {
+func (v *VaultInitializer) CleanKubernetesRole(client kubernetes.Interface, vaultRole, boundNS, boundSA string) error {
+ clusterRole := NewVaultServiceAccountRole(v.PodNS, v.PodSA) // Just for getting the name.
+ if err := client.RbacV1().ClusterRoleBindings().Delete(context.TODO(), clusterRole.Name, metav1.DeleteOptions{}); err != nil {
return err
}
-
- if err := client.RbacV1().Roles(namespace).Delete(context.TODO(), roleName, metav1.DeleteOptions{}); err != nil {
+ if err := client.RbacV1().ClusterRoles().Delete(context.TODO(), clusterRole.Name, metav1.DeleteOptions{}); err != nil {
return err
}
- if err := client.CoreV1().ServiceAccounts(namespace).Delete(context.TODO(), serviceAccountName, metav1.DeleteOptions{}); err != nil {
+ if err := client.CoreV1().ServiceAccounts(boundNS).Delete(context.TODO(), boundSA, metav1.DeleteOptions{}); err != nil {
return err
}
// vault delete auth/kubernetes/role/
- url := path.Join(fmt.Sprintf("/v1/auth/%s/role", v.KubernetesAuthPath), roleName)
+ url := path.Join(fmt.Sprintf("/v1/auth/%s/role", v.KubernetesAuthPath), vaultRole)
_, err := v.proxy.callVault("DELETE", url, "", nil)
if err != nil {
return fmt.Errorf("error cleaning up kubernetes auth role: %s", err.Error())
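Review bot: CleanKubernetesRole returns on the first failed delete, so if the ClusterRoleBinding delete fails the ClusterRole, the bound ServiceAccount and the Vault auth role are all left behind, and a leaked cluster-scoped binding survives the test namespace. Since this is cleanup, attempt every deletion and report the first failure afterwards, as below; whether NotFound should be tolerated is not visible here and is left as is. The function's closing brace lies outside this hunk.
```go
func (v *VaultInitializer) CleanKubernetesRole(client kubernetes.Interface, vaultRole, boundNS, boundSA string) error {
	clusterRole := NewVaultServiceAccountRole(v.PodNS, v.PodSA) // Just for getting the name.
	// Best-effort: try every deletion, remember the first failure.
	var firstErr error
	record := func(err error) {
		if err != nil && firstErr == nil {
			firstErr = err
		}
	}
	record(client.RbacV1().ClusterRoleBindings().Delete(context.TODO(), clusterRole.Name, metav1.DeleteOptions{}))
	record(client.RbacV1().ClusterRoles().Delete(context.TODO(), clusterRole.Name, metav1.DeleteOptions{}))
	record(client.CoreV1().ServiceAccounts(boundNS).Delete(context.TODO(), boundSA, metav1.DeleteOptions{}))
	// … unchanged: url := path.Join(...) …
	if _, err := v.proxy.callVault("DELETE", url, "", nil); err != nil {
		record(fmt.Errorf("error cleaning up kubernetes auth role: %s", err.Error()))
	}
	return firstErr
```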
diff --git a/test/e2e/framework/addon/vault/vault.go b/test/e2e/framework/addon/vault/vault.go
index e8651595ad4..9a38662448f 100644
--- a/test/e2e/framework/addon/vault/vault.go
+++ b/test/e2e/framework/addon/vault/vault.go
@@ -40,9 +40,9 @@ import (
const (
vaultHelmChartRepo = "https://helm.releases.hashicorp.com"
- vaultHelmChartVersion = "0.22.0"
+ vaultHelmChartVersion = "0.22.1"
vaultImageRepository = "index.docker.io/library/vault"
- vaultImageTag = "1.2.3@sha256:b1c86c9e173f15bb4a926e4144a63f7779531c30554ac7aee9b2a408b22b2c01"
+ vaultImageTag = "1.12.1@sha256:08dd1cb922624c51a5aefd4d9ce0ac5ed9688d96d8a5ad94664fa10e84702ed6"
)
// Vault describes the configuration details for an instance of Vault
@@ -72,8 +72,11 @@ type Details struct {
// PodName is the name of the Vault pod
PodName string
- // Namespace is the namespace vault has been deployed into
- Namespace string
+ // PodNS is the namespace that the Vault pod is deployed into.
+ PodNS string
+
+ // PodSA is the service accoutn that gets auto-mounted in the Vault pod.
+ PodSA string
// VaultCA is the CA used to sign the vault serving certificate
VaultCA []byte
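Review bot: The doc comment on `PodSA` has a typo (`accoutn`) and does not say what the field is for, which matters because setup.go binds a ClusterRole to exactly this namespace/account pair. Suggested: `// PodSA is the service account auto-mounted in the Vault pod; Vault uses its token for TokenReview, so it is the subject of the ClusterRoleBinding created in CreateKubernetesRole.`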
@@ -273,10 +276,12 @@ func (v *Vault) Provision() error {
continue
}
v.details.PodName = vaultPod.Name
+ v.details.PodNS = vaultPod.Namespace
+ v.details.PodSA = vaultPod.Spec.ServiceAccountName
+
break
}
- v.details.Namespace = v.Namespace
v.details.Host = fmt.Sprintf("https://%s:8200", "chart-vault-"+v.Name+"."+v.Namespace)
return nil
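Review bot: `vaultPod.Spec.ServiceAccountName` is empty when a pod runs under the namespace's `default` service account, and an empty `PodSA` would later become an empty subject name in the ClusterRoleBinding rather than a clear failure. The Helm chart presumably sets an explicit service account, but a defensive fallback after the assignment is cheap: `if v.details.PodSA == "" { v.details.PodSA = "default" }`.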
diff --git a/test/e2e/suite/conformance/certificatesigningrequests/vault/kubernetes.go b/test/e2e/suite/conformance/certificatesigningrequests/vault/kubernetes.go
index 8b657f409ca..0c73d35a9c7 100644
--- a/test/e2e/suite/conformance/certificatesigningrequests/vault/kubernetes.go
+++ b/test/e2e/suite/conformance/certificatesigningrequests/vault/kubernetes.go
@@ -67,7 +67,7 @@ var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
type kubernetes struct {
testWithRootCA bool
- role string
+ vaultRole string
addon *vault.Vault
initializer *vault.VaultInitializer
@@ -120,7 +120,7 @@ func (k *kubernetes) delete(f *framework.Framework, signerName string) {
err := f.CertManagerClientSet.CertmanagerV1().ClusterIssuers().Delete(context.TODO(), ref.Name, metav1.DeleteOptions{})
Expect(err).NotTo(HaveOccurred())
- k.initializer.CleanKubernetesRole(f.KubeClientSet, f.Config.Addons.CertManager.ClusterResourceNamespace, k.role, k.role)
+ k.initializer.CleanKubernetesRole(f.KubeClientSet, k.vaultRole, f.Config.Addons.CertManager.ClusterResourceNamespace, k.vaultRole)
}
Expect(k.initializer.Clean()).NotTo(HaveOccurred(), "failed to deprovision vault initializer")
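Review bot: The error returned by `k.initializer.CleanKubernetesRole(...)` on the changed line is discarded, so a failed cleanup of the cluster-scoped ClusterRole/ClusterRoleBinding and the Vault auth role goes unnoticed while the next line does assert on `Clean()`. Wrap it the same way: `Expect(k.initializer.CleanKubernetesRole(f.KubeClientSet, k.vaultRole, f.Config.Addons.CertManager.ClusterResourceNamespace, k.vaultRole)).NotTo(HaveOccurred())`.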
@@ -128,7 +128,7 @@ func (k *kubernetes) delete(f *framework.Framework, signerName string) {
}
-func (k *kubernetes) initVault(f *framework.Framework, ns string) {
+func (k *kubernetes) initVault(f *framework.Framework, boundNS string) {
By("Configuring the Vault server")
k.addon = &vault.Vault{
Base: addon.Base,
@@ -136,7 +136,7 @@ func (k *kubernetes) initVault(f *framework.Framework, ns string) {
Namespace: f.Namespace.Name,
}
- k.role = "vault-issuer-" + util.RandStringRunes(5)
+ k.vaultRole = "vault-issuer-" + util.RandStringRunes(5)
Expect(k.addon.Setup(f.Config)).NotTo(HaveOccurred(), "failed to setup vault")
Expect(k.addon.Provision()).NotTo(HaveOccurred(), "failed to provision vault")
@@ -153,7 +153,7 @@ func (k *kubernetes) initVault(f *framework.Framework, ns string) {
IntermediateMount: intermediateMount,
ConfigureWithRoot: k.testWithRootCA,
KubernetesAuthPath: "kubernetes",
- Role: k.role,
+ Role: k.vaultRole,
APIServerURL: apiHost,
APIServerCA: caCert,
}
@@ -161,16 +161,17 @@ func (k *kubernetes) initVault(f *framework.Framework, ns string) {
Expect(k.initializer.Setup()).NotTo(HaveOccurred(), "failed to setup vault")
By("Creating a ServiceAccount for Vault authentication")
- err := k.initializer.CreateKubernetesRole(f.KubeClientSet, ns, k.role, k.role)
+ boundSA := k.vaultRole
+ err := k.initializer.CreateKubernetesRole(f.KubeClientSet, k.vaultRole, boundNS, boundSA)
Expect(err).NotTo(HaveOccurred())
- _, err = f.KubeClientSet.CoreV1().Secrets(ns).Create(context.TODO(), vault.NewVaultKubernetesSecret(k.role, k.role), metav1.CreateOptions{})
+ _, err = f.KubeClientSet.CoreV1().Secrets(boundNS).Create(context.TODO(), vault.NewVaultKubernetesSecret(k.vaultRole, k.vaultRole), metav1.CreateOptions{})
Expect(err).NotTo(HaveOccurred())
_, _, err = k.initializer.CreateAppRole()
Expect(err).NotTo(HaveOccurred())
}
func (k *kubernetes) issuerSpec(f *framework.Framework) cmapi.IssuerSpec {
- vaultPath := path.Join(intermediateMount, "sign", k.role)
+ vaultPath := path.Join(intermediateMount, "sign", k.vaultRole)
return cmapi.IssuerSpec{
IssuerConfig: cmapi.IssuerConfig{
@@ -181,10 +182,10 @@ func (k *kubernetes) issuerSpec(f *framework.Framework) cmapi.IssuerSpec {
Auth: cmapi.VaultAuth{
Kubernetes: &cmapi.VaultKubernetesAuth{
Path: "/v1/auth/kubernetes",
- Role: k.role,
+ Role: k.vaultRole,
SecretRef: cmmeta.SecretKeySelector{
LocalObjectReference: cmmeta.LocalObjectReference{
- Name: k.role,
+ Name: k.vaultRole,
},
},
},
diff --git a/test/e2e/suite/issuers/vault/issuer.go b/test/e2e/suite/issuers/vault/issuer.go
index c8e8b742d83..46ecfad7e4c 100644
--- a/test/e2e/suite/issuers/vault/issuer.go
+++ b/test/e2e/suite/issuers/vault/issuer.go
@@ -93,7 +93,7 @@ var _ = framework.CertManagerDescribe("Vault Issuer", func() {
Expect(err).NotTo(HaveOccurred())
By("creating a service account for Vault authentication")
- err = vaultInit.CreateKubernetesRole(f.KubeClientSet, f.Namespace.Name, vaultKubernetesRoleName, vaultSecretServiceAccount)
+ err = vaultInit.CreateKubernetesRole(f.KubeClientSet, vaultKubernetesRoleName, f.Namespace.Name, vaultSecretServiceAccount)
Expect(err).NotTo(HaveOccurred())
})
@@ -104,7 +104,7 @@ var _ = framework.CertManagerDescribe("Vault Issuer", func() {
vaultInit.CleanAppRole()
By("Cleaning up Kubernetes")
- vaultInit.CleanKubernetesRole(f.KubeClientSet, f.Namespace.Name, vaultKubernetesRoleName, vaultSecretServiceAccount)
+ vaultInit.CleanKubernetesRole(f.KubeClientSet, vaultKubernetesRoleName, f.Namespace.Name, vaultSecretServiceAccount)
By("Cleaning up Vault")
Expect(vaultInit.Clean()).NotTo(HaveOccurred())
From a13c76d3127f4bef2bb60716f1934c39b3d7ae5b Mon Sep 17 00:00:00 2001
From: lv
Date: Thu, 17 Nov 2022 21:53:18 +0800
Subject: [PATCH 0049/1253] feature: update gateway api to v1beta1
Signed-off-by: lvyanru
feature: update gateway api to v1beta1
Signed-off-by: lvyanru <1113706590@qq.com>
---
internal/apis/acme/types_issuer.go | 2 +-
.../apis/acme/v1/zz_generated.conversion.go | 6 ++--
internal/apis/acme/v1alpha2/types_issuer.go | 2 +-
.../acme/v1alpha2/zz_generated.conversion.go | 6 ++--
.../acme/v1alpha2/zz_generated.deepcopy.go | 4 +--
internal/apis/acme/v1alpha3/types_issuer.go | 2 +-
.../acme/v1alpha3/zz_generated.conversion.go | 6 ++--
.../acme/v1alpha3/zz_generated.deepcopy.go | 4 +--
internal/apis/acme/v1beta1/types_issuer.go | 2 +-
.../acme/v1beta1/zz_generated.conversion.go | 6 ++--
.../acme/v1beta1/zz_generated.deepcopy.go | 4 +--
internal/apis/acme/zz_generated.deepcopy.go | 4 +--
.../certmanager/validation/issuer_test.go | 2 +-
pkg/apis/acme/v1/types_issuer.go | 2 +-
pkg/apis/acme/v1/zz_generated.deepcopy.go | 4 +--
pkg/controller/acmechallenges/controller.go | 2 +-
.../certificate-shim/gateways/controller.go | 8 ++---
.../gateways/controller_test.go | 12 +++----
pkg/controller/certificate-shim/sync.go | 2 +-
pkg/controller/certificate-shim/sync_test.go | 2 +-
pkg/controller/context.go | 2 +-
pkg/issuer/acme/http/http.go | 4 +--
pkg/issuer/acme/http/httproute.go | 10 +++---
.../conformance/certificates/acme/acme.go | 2 +-
.../suite/conformance/certificates/tests.go | 2 +-
test/e2e/util/util.go | 34 +++++++++----------
26 files changed, 68 insertions(+), 68 deletions(-)
diff --git a/internal/apis/acme/types_issuer.go b/internal/apis/acme/types_issuer.go
index 8175f86bcf0..2afaaffd471 100644
--- a/internal/apis/acme/types_issuer.go
+++ b/internal/apis/acme/types_issuer.go
@@ -19,7 +19,7 @@ package acme
import (
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
cmmeta "github.com/cert-manager/cert-manager/internal/apis/meta"
)
diff --git a/internal/apis/acme/v1/zz_generated.conversion.go b/internal/apis/acme/v1/zz_generated.conversion.go
index bf64a7ee2a9..db6b8bbda9e 100644
--- a/internal/apis/acme/v1/zz_generated.conversion.go
+++ b/internal/apis/acme/v1/zz_generated.conversion.go
@@ -34,7 +34,7 @@ import (
pkgapismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
- v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)
func init() {
@@ -670,7 +670,7 @@ func Convert_acme_ACMEChallengeSolverHTTP01_To_v1_ACMEChallengeSolverHTTP01(in *
func autoConvert_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *v1.ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
out.ServiceType = corev1.ServiceType(in.ServiceType)
out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
- out.ParentRefs = *(*[]v1alpha2.ParentReference)(unsafe.Pointer(&in.ParentRefs))
+ out.ParentRefs = *(*[]v1beta1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
return nil
}
@@ -682,7 +682,7 @@ func Convert_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeS
func autoConvert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *v1.ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
out.ServiceType = corev1.ServiceType(in.ServiceType)
out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
- out.ParentRefs = *(*[]v1alpha2.ParentReference)(unsafe.Pointer(&in.ParentRefs))
+ out.ParentRefs = *(*[]v1beta1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
return nil
}
diff --git a/internal/apis/acme/v1alpha2/types_issuer.go b/internal/apis/acme/v1alpha2/types_issuer.go
index 2866d5942b9..ae4056414c8 100644
--- a/internal/apis/acme/v1alpha2/types_issuer.go
+++ b/internal/apis/acme/v1alpha2/types_issuer.go
@@ -19,7 +19,7 @@ package v1alpha2
import (
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
diff --git a/internal/apis/acme/v1alpha2/zz_generated.conversion.go b/internal/apis/acme/v1alpha2/zz_generated.conversion.go
index 3f3817ad9dd..eb6b15d91bf 100644
--- a/internal/apis/acme/v1alpha2/zz_generated.conversion.go
+++ b/internal/apis/acme/v1alpha2/zz_generated.conversion.go
@@ -33,7 +33,7 @@ import (
pkgapismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
- apisv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)
func init() {
@@ -669,7 +669,7 @@ func Convert_acme_ACMEChallengeSolverHTTP01_To_v1alpha2_ACMEChallengeSolverHTTP0
func autoConvert_v1alpha2_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
out.ServiceType = v1.ServiceType(in.ServiceType)
out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
- out.ParentRefs = *(*[]apisv1alpha2.ParentReference)(unsafe.Pointer(&in.ParentRefs))
+ out.ParentRefs = *(*[]v1beta1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
return nil
}
@@ -681,7 +681,7 @@ func Convert_v1alpha2_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChal
func autoConvert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1alpha2_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
out.ServiceType = v1.ServiceType(in.ServiceType)
out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
- out.ParentRefs = *(*[]apisv1alpha2.ParentReference)(unsafe.Pointer(&in.ParentRefs))
+ out.ParentRefs = *(*[]v1beta1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
return nil
}
diff --git a/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go b/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go
index 38f02321e64..4e6383e64e9 100644
--- a/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go
+++ b/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go
@@ -27,7 +27,7 @@ import (
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
- apisv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -202,7 +202,7 @@ func (in *ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopyInto(out *ACMEChall
}
if in.ParentRefs != nil {
in, out := &in.ParentRefs, &out.ParentRefs
- *out = make([]apisv1alpha2.ParentReference, len(*in))
+ *out = make([]v1beta1.ParentReference, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
diff --git a/internal/apis/acme/v1alpha3/types_issuer.go b/internal/apis/acme/v1alpha3/types_issuer.go
index 2735f336a3b..01cd63fedfc 100644
--- a/internal/apis/acme/v1alpha3/types_issuer.go
+++ b/internal/apis/acme/v1alpha3/types_issuer.go
@@ -19,7 +19,7 @@ package v1alpha3
import (
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
diff --git a/internal/apis/acme/v1alpha3/zz_generated.conversion.go b/internal/apis/acme/v1alpha3/zz_generated.conversion.go
index dbf2b0d3fc6..b742d30a1dd 100644
--- a/internal/apis/acme/v1alpha3/zz_generated.conversion.go
+++ b/internal/apis/acme/v1alpha3/zz_generated.conversion.go
@@ -33,7 +33,7 @@ import (
pkgapismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
- v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)
func init() {
@@ -669,7 +669,7 @@ func Convert_acme_ACMEChallengeSolverHTTP01_To_v1alpha3_ACMEChallengeSolverHTTP0
func autoConvert_v1alpha3_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
out.ServiceType = v1.ServiceType(in.ServiceType)
out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
- out.ParentRefs = *(*[]v1alpha2.ParentReference)(unsafe.Pointer(&in.ParentRefs))
+ out.ParentRefs = *(*[]v1beta1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
return nil
}
@@ -681,7 +681,7 @@ func Convert_v1alpha3_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChal
func autoConvert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1alpha3_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
out.ServiceType = v1.ServiceType(in.ServiceType)
out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
- out.ParentRefs = *(*[]v1alpha2.ParentReference)(unsafe.Pointer(&in.ParentRefs))
+ out.ParentRefs = *(*[]v1beta1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
return nil
}
diff --git a/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go b/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go
index 8c2cefc084a..025daa0e599 100644
--- a/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go
+++ b/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go
@@ -27,7 +27,7 @@ import (
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
- v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -202,7 +202,7 @@ func (in *ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopyInto(out *ACMEChall
}
if in.ParentRefs != nil {
in, out := &in.ParentRefs, &out.ParentRefs
- *out = make([]v1alpha2.ParentReference, len(*in))
+ *out = make([]v1beta1.ParentReference, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
diff --git a/internal/apis/acme/v1beta1/types_issuer.go b/internal/apis/acme/v1beta1/types_issuer.go
index 23de024f138..aeddaf4807f 100644
--- a/internal/apis/acme/v1beta1/types_issuer.go
+++ b/internal/apis/acme/v1beta1/types_issuer.go
@@ -19,7 +19,7 @@ package v1beta1
import (
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
diff --git a/internal/apis/acme/v1beta1/zz_generated.conversion.go b/internal/apis/acme/v1beta1/zz_generated.conversion.go
index 07a975c2d3d..ba4dad5c71a 100644
--- a/internal/apis/acme/v1beta1/zz_generated.conversion.go
+++ b/internal/apis/acme/v1beta1/zz_generated.conversion.go
@@ -33,7 +33,7 @@ import (
pkgapismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
- v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ apisv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)
func init() {
@@ -669,7 +669,7 @@ func Convert_acme_ACMEChallengeSolverHTTP01_To_v1beta1_ACMEChallengeSolverHTTP01
func autoConvert_v1beta1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
out.ServiceType = v1.ServiceType(in.ServiceType)
out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
- out.ParentRefs = *(*[]v1alpha2.ParentReference)(unsafe.Pointer(&in.ParentRefs))
+ out.ParentRefs = *(*[]apisv1beta1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
return nil
}
@@ -681,7 +681,7 @@ func Convert_v1beta1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChall
func autoConvert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1beta1_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
out.ServiceType = v1.ServiceType(in.ServiceType)
out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
- out.ParentRefs = *(*[]v1alpha2.ParentReference)(unsafe.Pointer(&in.ParentRefs))
+ out.ParentRefs = *(*[]apisv1beta1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
return nil
}
diff --git a/internal/apis/acme/v1beta1/zz_generated.deepcopy.go b/internal/apis/acme/v1beta1/zz_generated.deepcopy.go
index b08315dcb0d..7d1a4046041 100644
--- a/internal/apis/acme/v1beta1/zz_generated.deepcopy.go
+++ b/internal/apis/acme/v1beta1/zz_generated.deepcopy.go
@@ -27,7 +27,7 @@ import (
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
- v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ apisv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -202,7 +202,7 @@ func (in *ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopyInto(out *ACMEChall
}
if in.ParentRefs != nil {
in, out := &in.ParentRefs, &out.ParentRefs
- *out = make([]v1alpha2.ParentReference, len(*in))
+ *out = make([]apisv1beta1.ParentReference, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
diff --git a/internal/apis/acme/zz_generated.deepcopy.go b/internal/apis/acme/zz_generated.deepcopy.go
index b26095d209e..18091b2bb88 100644
--- a/internal/apis/acme/zz_generated.deepcopy.go
+++ b/internal/apis/acme/zz_generated.deepcopy.go
@@ -27,7 +27,7 @@ import (
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
- v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -202,7 +202,7 @@ func (in *ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopyInto(out *ACMEChall
}
if in.ParentRefs != nil {
in, out := &in.ParentRefs, &out.ParentRefs
- *out = make([]v1alpha2.ParentReference, len(*in))
+ *out = make([]v1beta1.ParentReference, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
diff --git a/internal/apis/certmanager/validation/issuer_test.go b/internal/apis/certmanager/validation/issuer_test.go
index 72036425b00..e8df884be83 100644
--- a/internal/apis/certmanager/validation/issuer_test.go
+++ b/internal/apis/certmanager/validation/issuer_test.go
@@ -25,7 +25,7 @@ import (
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/utils/clock"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
cmacme "github.com/cert-manager/cert-manager/internal/apis/acme"
cmapi "github.com/cert-manager/cert-manager/internal/apis/certmanager"
diff --git a/pkg/apis/acme/v1/types_issuer.go b/pkg/apis/acme/v1/types_issuer.go
index 967ba864fe5..f64da373c23 100644
--- a/pkg/apis/acme/v1/types_issuer.go
+++ b/pkg/apis/acme/v1/types_issuer.go
@@ -19,7 +19,7 @@ package v1
import (
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
diff --git a/pkg/apis/acme/v1/zz_generated.deepcopy.go b/pkg/apis/acme/v1/zz_generated.deepcopy.go
index c584ec88ad6..350445aa73e 100644
--- a/pkg/apis/acme/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/acme/v1/zz_generated.deepcopy.go
@@ -27,7 +27,7 @@ import (
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
- v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -202,7 +202,7 @@ func (in *ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopyInto(out *ACMEChall
}
if in.ParentRefs != nil {
in, out := &in.ParentRefs, &out.ParentRefs
- *out = make([]v1alpha2.ParentReference, len(*in))
+ *out = make([]v1beta1.ParentReference, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
diff --git a/pkg/controller/acmechallenges/controller.go b/pkg/controller/acmechallenges/controller.go
index e556d8829bd..74e2a347b32 100644
--- a/pkg/controller/acmechallenges/controller.go
+++ b/pkg/controller/acmechallenges/controller.go
@@ -110,7 +110,7 @@ func (c *controller) Register(ctx *controllerpkg.Context) (workqueue.RateLimitin
}
if ctx.GatewaySolverEnabled {
- gwAPIHTTPRouteInformer := ctx.GWShared.Gateway().V1alpha2().HTTPRoutes()
+ gwAPIHTTPRouteInformer := ctx.GWShared.Gateway().V1beta1().HTTPRoutes()
mustSync = append(mustSync, gwAPIHTTPRouteInformer.Informer().HasSynced)
}
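Review bot: Switching the HTTPRoute informer to `V1beta1()` makes the `mustSync` append on the following line depend on the cluster actually serving the v1beta1 HTTPRoute resource; on a cluster that still has only the v1alpha2 Gateway API CRDs installed this informer will presumably never report synced when `GatewaySolverEnabled` is set, so the controller blocks at startup rather than failing with a clear message. I'd record that dependency at the informer line, e.g. `// Requires the Gateway API v1beta1 CRDs to be installed; with only v1alpha2 CRDs present this informer never reports synced.`, and consider surfacing it in the release notes since the version bump changes the cluster prerequisite. The same prerequisite applies to the Gateway informer and lister in pkg/controller/certificate-shim/gateways/controller.go and to the HTTPRoute lister in pkg/issuer/acme/http/http.go. Register's body starts and ends outside the hunk.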
diff --git a/pkg/controller/certificate-shim/gateways/controller.go b/pkg/controller/certificate-shim/gateways/controller.go
index 2b3e0ad87f9..b602adb325e 100644
--- a/pkg/controller/certificate-shim/gateways/controller.go
+++ b/pkg/controller/certificate-shim/gateways/controller.go
@@ -26,7 +26,7 @@ import (
"k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue"
- gwlisters "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1alpha2"
+ gwlisters "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1beta1"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
@@ -53,14 +53,14 @@ type controller struct {
}
func (c *controller) Register(ctx *controllerpkg.Context) (workqueue.RateLimitingInterface, []cache.InformerSynced, error) {
- c.gatewayLister = ctx.GWShared.Gateway().V1alpha2().Gateways().Lister()
+ c.gatewayLister = ctx.GWShared.Gateway().V1beta1().Gateways().Lister()
log := logf.FromContext(ctx.RootContext, ControllerName)
c.sync = shimhelper.SyncFnFor(ctx.Recorder, log, ctx.CMClient, ctx.SharedInformerFactory.Certmanager().V1().Certificates().Lister(), ctx.IngressShimOptions, ctx.FieldManager)
// We don't need to requeue Gateways on "Deleted" events, since our Sync
// function does nothing when the Gateway lister returns "not found". But we
// still do it for consistency with the rest of the controllers.
- ctx.GWShared.Gateway().V1alpha2().Gateways().Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{
+ ctx.GWShared.Gateway().V1beta1().Gateways().Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{
Queue: c.queue,
})
@@ -79,7 +79,7 @@ func (c *controller) Register(ctx *controllerpkg.Context) (workqueue.RateLimitin
})
mustSync := []cache.InformerSynced{
- ctx.GWShared.Gateway().V1alpha2().Gateways().Informer().HasSynced,
+ ctx.GWShared.Gateway().V1beta1().Gateways().Informer().HasSynced,
ctx.SharedInformerFactory.Certmanager().V1().Certificates().Informer().HasSynced,
}
diff --git a/pkg/controller/certificate-shim/gateways/controller_test.go b/pkg/controller/certificate-shim/gateways/controller_test.go
index 397427641b5..2e1a83e8059 100644
--- a/pkg/controller/certificate-shim/gateways/controller_test.go
+++ b/pkg/controller/certificate-shim/gateways/controller_test.go
@@ -25,7 +25,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"k8s.io/client-go/util/workqueue"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
gwclient "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
@@ -46,7 +46,7 @@ func Test_controller_Register(t *testing.T) {
{
name: "gateway is re-queued when an 'Added' event is received for this gateway",
givenCall: func(t *testing.T, _ cmclient.Interface, c gwclient.Interface) {
- _, err := c.GatewayV1alpha2().Gateways("namespace-1").Create(context.Background(), &gwapi.Gateway{ObjectMeta: metav1.ObjectMeta{
+ _, err := c.GatewayV1beta1().Gateways("namespace-1").Create(context.Background(), &gwapi.Gateway{ObjectMeta: metav1.ObjectMeta{
Namespace: "namespace-1", Name: "gateway-1",
}}, metav1.CreateOptions{})
require.NoError(t, err)
@@ -59,12 +59,12 @@ func Test_controller_Register(t *testing.T) {
// We can't use the gateway-api fake.NewSimpleClientset due to
// Gateway being pluralized as "gatewaies" instead of
// "gateways". The trick is thus to use Create instead.
- _, err := c.GatewayV1alpha2().Gateways("namespace-1").Create(context.Background(), &gwapi.Gateway{ObjectMeta: metav1.ObjectMeta{
+ _, err := c.GatewayV1beta1().Gateways("namespace-1").Create(context.Background(), &gwapi.Gateway{ObjectMeta: metav1.ObjectMeta{
Namespace: "namespace-1", Name: "gateway-1",
}}, metav1.CreateOptions{})
require.NoError(t, err)
- _, err = c.GatewayV1alpha2().Gateways("namespace-1").Update(context.Background(), &gwapi.Gateway{ObjectMeta: metav1.ObjectMeta{
+ _, err = c.GatewayV1beta1().Gateways("namespace-1").Update(context.Background(), &gwapi.Gateway{ObjectMeta: metav1.ObjectMeta{
Namespace: "namespace-1", Name: "gateway-1", Labels: map[string]string{"foo": "bar"},
}}, metav1.UpdateOptions{})
require.NoError(t, err)
@@ -75,12 +75,12 @@ func Test_controller_Register(t *testing.T) {
{
name: "gateway is re-queued when a 'Deleted' event is received for this gateway",
givenCall: func(t *testing.T, _ cmclient.Interface, c gwclient.Interface) {
- _, err := c.GatewayV1alpha2().Gateways("namespace-1").Create(context.Background(), &gwapi.Gateway{ObjectMeta: metav1.ObjectMeta{
+ _, err := c.GatewayV1beta1().Gateways("namespace-1").Create(context.Background(), &gwapi.Gateway{ObjectMeta: metav1.ObjectMeta{
Namespace: "namespace-1", Name: "gateway-1",
}}, metav1.CreateOptions{})
require.NoError(t, err)
- err = c.GatewayV1alpha2().Gateways("namespace-1").Delete(context.Background(), "gateway-1", metav1.DeleteOptions{})
+ err = c.GatewayV1beta1().Gateways("namespace-1").Delete(context.Background(), "gateway-1", metav1.DeleteOptions{})
require.NoError(t, err)
},
expectAddCalls: []interface{}{"namespace-1/gateway-1", "namespace-1/gateway-1"},
diff --git a/pkg/controller/certificate-shim/sync.go b/pkg/controller/certificate-shim/sync.go
index 112b7d8f463..c6a6fa531f6 100644
--- a/pkg/controller/certificate-shim/sync.go
+++ b/pkg/controller/certificate-shim/sync.go
@@ -34,7 +34,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/client-go/tools/record"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
internalcertificates "github.com/cert-manager/cert-manager/internal/controller/certificates"
"github.com/cert-manager/cert-manager/internal/controller/feature"
diff --git a/pkg/controller/certificate-shim/sync_test.go b/pkg/controller/certificate-shim/sync_test.go
index 5b4783cbf9b..965c7a43aa8 100644
--- a/pkg/controller/certificate-shim/sync_test.go
+++ b/pkg/controller/certificate-shim/sync_test.go
@@ -31,7 +31,7 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field"
coretesting "k8s.io/client-go/testing"
"k8s.io/utils/pointer"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
diff --git a/pkg/controller/context.go b/pkg/controller/context.go
index e0398f3978e..f3010faf68b 100644
--- a/pkg/controller/context.go
+++ b/pkg/controller/context.go
@@ -36,7 +36,7 @@ import (
"k8s.io/client-go/tools/record"
"k8s.io/client-go/util/flowcontrol"
"k8s.io/utils/clock"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
gwclient "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned"
gwscheme "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/scheme"
gwinformers "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions"
diff --git a/pkg/issuer/acme/http/http.go b/pkg/issuer/acme/http/http.go
index 574b90b2cdd..cf5e57daaf7 100644
--- a/pkg/issuer/acme/http/http.go
+++ b/pkg/issuer/acme/http/http.go
@@ -32,7 +32,7 @@ import (
corev1listers "k8s.io/client-go/listers/core/v1"
networkingv1listers "k8s.io/client-go/listers/networking/v1"
k8snet "k8s.io/utils/net"
- gwapilisters "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1alpha2"
+ gwapilisters "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1beta1"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
@@ -77,7 +77,7 @@ func NewSolver(ctx *controller.Context) (*Solver, error) {
podLister: ctx.KubeSharedInformerFactory.Core().V1().Pods().Lister(),
serviceLister: ctx.KubeSharedInformerFactory.Core().V1().Services().Lister(),
ingressLister: ctx.KubeSharedInformerFactory.Networking().V1().Ingresses().Lister(),
- httpRouteLister: ctx.GWShared.Gateway().V1alpha2().HTTPRoutes().Lister(),
+ httpRouteLister: ctx.GWShared.Gateway().V1beta1().HTTPRoutes().Lister(),
testReachability: testReachability,
requiredPasses: 5,
}, nil
diff --git a/pkg/issuer/acme/http/httproute.go b/pkg/issuer/acme/http/httproute.go
index 775b2c00eca..981a0b5adac 100644
--- a/pkg/issuer/acme/http/httproute.go
+++ b/pkg/issuer/acme/http/httproute.go
@@ -25,7 +25,7 @@ import (
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/util/retry"
"k8s.io/utils/pointer"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
logf "github.com/cert-manager/cert-manager/pkg/logs"
@@ -79,7 +79,7 @@ func (s *Solver) getGatewayHTTPRoute(ctx context.Context, ch *cmacme.Challenge)
// If we find this, try to delete them.
for _, httpRoute := range httpRoutes[1:] {
log.Info("Deleting extra HTTPRoute", "name", httpRoute.Name, "namespace", httpRoute.Namespace)
- err := s.GWClient.GatewayV1alpha2().HTTPRoutes(httpRoute.Namespace).Delete(ctx, httpRoute.Name, metav1.DeleteOptions{})
+ err := s.GWClient.GatewayV1beta1().HTTPRoutes(httpRoute.Namespace).Delete(ctx, httpRoute.Name, metav1.DeleteOptions{})
if err != nil {
return nil, err
}
@@ -104,7 +104,7 @@ func (s *Solver) createGatewayHTTPRoute(ctx context.Context, ch *cmacme.Challeng
},
Spec: generateHTTPRouteSpec(ch, svcName),
}
- newHTTPRoute, err := s.GWClient.GatewayV1alpha2().HTTPRoutes(ch.Namespace).Create(ctx, httpRoute, metav1.CreateOptions{})
+ newHTTPRoute, err := s.GWClient.GatewayV1beta1().HTTPRoutes(ch.Namespace).Create(ctx, httpRoute, metav1.CreateOptions{})
if err != nil {
return nil, err
}
@@ -129,14 +129,14 @@ func (s *Solver) checkAndUpdateGatewayHTTPRoute(ctx context.Context, ch *cmacme.
var ret *gwapi.HTTPRoute
var err error
if err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
- oldHTTPRoute, err := s.GWClient.GatewayV1alpha2().HTTPRoutes(httpRoute.Namespace).Get(ctx, httpRoute.Name, metav1.GetOptions{})
+ oldHTTPRoute, err := s.GWClient.GatewayV1beta1().HTTPRoutes(httpRoute.Namespace).Get(ctx, httpRoute.Name, metav1.GetOptions{})
if err != nil {
return err
}
newHTTPRoute := oldHTTPRoute.DeepCopy()
newHTTPRoute.Spec = expectedSpec
newHTTPRoute.Labels = expectedLabels
- ret, err = s.GWClient.GatewayV1alpha2().HTTPRoutes(newHTTPRoute.Namespace).Update(ctx, newHTTPRoute, metav1.UpdateOptions{})
+ ret, err = s.GWClient.GatewayV1beta1().HTTPRoutes(newHTTPRoute.Namespace).Update(ctx, newHTTPRoute, metav1.UpdateOptions{})
if err != nil {
return err
}
diff --git a/test/e2e/suite/conformance/certificates/acme/acme.go b/test/e2e/suite/conformance/certificates/acme/acme.go
index 55e9c8e099e..0bd38755c94 100644
--- a/test/e2e/suite/conformance/certificates/acme/acme.go
+++ b/test/e2e/suite/conformance/certificates/acme/acme.go
@@ -27,7 +27,7 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- gwapi "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapi "sigs.k8s.io/gateway-api/apis/v1beta1"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
diff --git a/test/e2e/suite/conformance/certificates/tests.go b/test/e2e/suite/conformance/certificates/tests.go
index 38414df395b..b9a02fab7fd 100644
--- a/test/e2e/suite/conformance/certificates/tests.go
+++ b/test/e2e/suite/conformance/certificates/tests.go
@@ -897,7 +897,7 @@ func (s *Suite) Define() {
"cert-manager.io/renew-before": renewBefore.String(),
}, domain)
- gw, err := f.GWClientSet.GatewayV1alpha2().Gateways(f.Namespace.Name).Create(context.TODO(), gw, metav1.CreateOptions{})
+ gw, err := f.GWClientSet.GatewayV1beta1().Gateways(f.Namespace.Name).Create(context.TODO(), gw, metav1.CreateOptions{})
Expect(err).NotTo(HaveOccurred())
// XXX(Mael): the CertificateRef seems to contain the Gateway name
diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go
index 73b30a4093b..32e5ceb3c42 100644
--- a/test/e2e/util/util.go
+++ b/test/e2e/util/util.go
@@ -38,7 +38,7 @@ import (
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/discovery"
- gwapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ gwapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
@@ -380,19 +380,19 @@ func pathTypePrefix() *networkingv1.PathType {
// watching the 'foo' gateway class, so this Gateway will not be used to
// actually route traffic, but can be used to test cert-manager controllers that
// sync Gateways, such as gateway-shim.
-func NewGateway(gatewayName, ns, secretName string, annotations map[string]string, dnsNames ...string) *gwapiv1alpha2.Gateway {
+func NewGateway(gatewayName, ns, secretName string, annotations map[string]string, dnsNames ...string) *gwapiv1beta1.Gateway {
- return &gwapiv1alpha2.Gateway{
+ return &gwapiv1beta1.Gateway{
ObjectMeta: metav1.ObjectMeta{
Name: gatewayName,
Annotations: annotations,
},
- Spec: gwapiv1alpha2.GatewaySpec{
+ Spec: gwapiv1beta1.GatewaySpec{
GatewayClassName: "foo",
- Listeners: []gwapiv1alpha2.Listener{{
- AllowedRoutes: &gwapiv1alpha2.AllowedRoutes{
- Namespaces: &gwapiv1alpha2.RouteNamespaces{
- From: func() *gwapiv1alpha2.FromNamespaces { f := gwapiv1alpha2.NamespacesFromSame; return &f }(),
+ Listeners: []gwapiv1beta1.Listener{{
+ AllowedRoutes: &gwapiv1beta1.AllowedRoutes{
+ Namespaces: &gwapiv1beta1.RouteNamespaces{
+ From: func() *gwapiv1beta1.FromNamespaces { f := gwapiv1beta1.NamespacesFromSame; return &f }(),
Selector: &metav1.LabelSelector{MatchLabels: map[string]string{
"gw": gatewayName,
}},
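Review bot: `NewGateway` takes `dnsNames` as a variadic parameter but unconditionally dereferences `dnsNames[0]` for the listener Hostname (in the next hunk of this file), so a call with no DNS names panics with an index-out-of-range instead of a readable test failure. The precondition is not stated anywhere; I'd add `// At least one dnsName is required: the first becomes the listener Hostname.` to the doc comment above the signature, or guard it with an explicit length check. This is pre-existing and only renamed here, so it can be a follow-up. The function body continues past the end of this hunk.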
@@ -400,16 +400,16 @@ func NewGateway(gatewayName, ns, secretName string, annotations map[string]strin
Kinds: nil,
},
Name: "acme-solver",
- Protocol: gwapiv1alpha2.TCPProtocolType,
- Port: gwapiv1alpha2.PortNumber(80),
- Hostname: (*gwapiv1alpha2.Hostname)(&dnsNames[0]),
- TLS: &gwapiv1alpha2.GatewayTLSConfig{
- CertificateRefs: []gwapiv1alpha2.SecretObjectReference{
+ Protocol: gwapiv1beta1.TCPProtocolType,
+ Port: gwapiv1beta1.PortNumber(80),
+ Hostname: (*gwapiv1beta1.Hostname)(&dnsNames[0]),
+ TLS: &gwapiv1beta1.GatewayTLSConfig{
+ CertificateRefs: []gwapiv1beta1.SecretObjectReference{
{
- Kind: func() *gwapiv1alpha2.Kind { k := gwapiv1alpha2.Kind("Secret"); return &k }(),
- Name: gwapiv1alpha2.ObjectName(secretName),
- Group: func() *gwapiv1alpha2.Group { g := gwapiv1alpha2.Group(corev1.GroupName); return &g }(),
- Namespace: (*gwapiv1alpha2.Namespace)(&ns),
+ Kind: func() *gwapiv1beta1.Kind { k := gwapiv1beta1.Kind("Secret"); return &k }(),
+ Name: gwapiv1beta1.ObjectName(secretName),
+ Group: func() *gwapiv1beta1.Group { g := gwapiv1beta1.Group(corev1.GroupName); return &g }(),
+ Namespace: (*gwapiv1beta1.Namespace)(&ns),
},
},
},
From 486c72f12224f1613742878c83ade6b331c7dfc6 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Tue, 22 Nov 2022 13:50:23 +0000
Subject: [PATCH 0050/1253] Update reference to HTTPRoute docs
Signed-off-by: irbekrm
---
deploy/crds/crd-challenges.yaml | 2 +-
deploy/crds/crd-clusterissuers.yaml | 2 +-
deploy/crds/crd-issuers.yaml | 2 +-
pkg/apis/acme/v1/types_issuer.go | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/deploy/crds/crd-challenges.yaml b/deploy/crds/crd-challenges.yaml
index a010a9bb2b9..a50041c7c40 100644
--- a/deploy/crds/crd-challenges.yaml
+++ b/deploy/crds/crd-challenges.yaml
@@ -392,7 +392,7 @@ spec:
additionalProperties:
type: string
parentRefs:
- description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
+ description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
type: array
items:
description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml
index ae3a813ecff..91b8f3d8259 100644
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@@ -427,7 +427,7 @@ spec:
additionalProperties:
type: string
parentRefs:
- description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
+ description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
type: array
items:
description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml
index fb79d488989..1fe2570d2a9 100644
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@@ -427,7 +427,7 @@ spec:
additionalProperties:
type: string
parentRefs:
- description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
+ description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
type: array
items:
description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
diff --git a/pkg/apis/acme/v1/types_issuer.go b/pkg/apis/acme/v1/types_issuer.go
index f64da373c23..0aa0fd95262 100644
--- a/pkg/apis/acme/v1/types_issuer.go
+++ b/pkg/apis/acme/v1/types_issuer.go
@@ -263,7 +263,7 @@ type ACMEChallengeSolverHTTP01GatewayHTTPRoute struct {
// When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
// cert-manager needs to know which parentRefs should be used when creating
// the HTTPRoute. Usually, the parentRef references a Gateway. See:
- // https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways
+ // https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
ParentRefs []gwapi.ParentReference `json:"parentRefs,omitempty"`
}
From bc7023325636959ce52025ef13c90fcfba356bac Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Tue, 22 Nov 2022 13:51:46 +0000
Subject: [PATCH 0051/1253] Tests download Gateway installation bundle
Rather than the whole gateway-api git repo
Signed-off-by: irbekrm
---
make/e2e-setup.mk | 4 ++--
make/tools.mk | 10 +++-------
2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index 3f1eeea1622..df0c9fedaf7 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -207,8 +207,8 @@ e2e-setup-bind: $(call image-tar,bind) load-$(call image-tar,bind) $(wildcard ma
sed -e "s|{SERVICE_IP_PREFIX}|$(SERVICE_IP_PREFIX)|g" -e "s|{IMAGE}|$(IMAGE)|g" make/config/bind/*.yaml | $(KUBECTL) apply -n bind -f - >/dev/null
.PHONY: e2e-setup-gatewayapi
-e2e-setup-gatewayapi: $(BINDIR)/downloaded/gateway-api@$(GATEWAY_API_VERSION) $(BINDIR)/scratch/kind-exists $(NEEDS_KUBECTL)
- $(KUBECTL) kustomize $*/config/crd/experimental | $(KUBECTL) apply -f - >/dev/null
+e2e-setup-gatewayapi: $(BINDIR)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml $(BINDIR)/scratch/kind-exists $(NEEDS_KUBECTL)
+ $(KUBECTL) apply -f $(BINDIR)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml > /dev/null
# v1 NGINX-Ingress by default only watches Ingresses with Ingress class
diff --git a/make/tools.mk b/make/tools.mk
index ba9cb0a8169..d52033a5dfd 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -376,13 +376,9 @@ $(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOS
GATEWAY_API_SHA256SUM=c45f8806883014f7f75a2084c612fc62eb00d5c1915a906f8ca5ecda5450b163
-$(BINDIR)/downloaded/gateway-api@$(GATEWAY_API_VERSION): $(BINDIR)/downloaded/gateway-api@$(GATEWAY_API_VERSION).tar.gz | $(BINDIR)/downloaded
- ./hack/util/checkhash.sh $< $(GATEWAY_API_SHA256SUM)
- @mkdir -p $@
- tar xz -C $@ -f $<
-
-$(BINDIR)/downloaded/gateway-api@$(GATEWAY_API_VERSION).tar.gz: | $(BINDIR)/downloaded
- $(CURL) https://github.com/kubernetes-sigs/gateway-api/archive/refs/tags/$(GATEWAY_API_VERSION).tar.gz -o $@
+$(BINDIR)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml: | $(BINDIR)/downloaded
+ $(CURL) https://github.com/kubernetes-sigs/gateway-api/releases/download/$(GATEWAY_API_VERSION)/experimental-install.yaml -o $@
+ ./hack/util/checkhash.sh $(BINDIR)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml $(GATEWAY_API_SHA256SUM)
#################
# Other Targets #
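Review bot: The new rule downloads straight into the target path `$@` and only then runs `checkhash.sh` on it, so when the checksum check fails the unverified file is already in place and the next `make` invocation treats the target as up to date and never re-verifies it; the previous layout avoided this because the extracted directory was only created after the tarball's hash passed. Download to a scratch name and rename only after verification: `-o $@.tmp`, `./hack/util/checkhash.sh $@.tmp $(GATEWAY_API_SHA256SUM)`, `mv $@.tmp $@`. Separately, `GATEWAY_API_SHA256SUM` on the context line above is unchanged although the artifact being verified changed from the release tarball to `experimental-install.yaml`, so unless the two happen to match the first build of this commit fails verification.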
From 608c3a1df0cb615d924749fbee9837ce7083d54d Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Tue, 22 Nov 2022 13:52:11 +0000
Subject: [PATCH 0052/1253] Bumps Contour Helm chart version
Signed-off-by: irbekrm
---
make/e2e-setup.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index df0c9fedaf7..f02d04d4024 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -315,7 +315,7 @@ e2e-setup-projectcontour: $(call image-tar,projectcontour) load-$(call image-tar
$(HELM) upgrade \
--install \
--wait \
- --version 7.8.1 \
+ --version 10.0.1 \
--namespace projectcontour \
--create-namespace \
--set contour.ingressClass.create=false \
From 75e2d1145aa39381147e6c614fda9fd81de563a3 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Wed, 30 Nov 2022 12:21:20 +0000
Subject: [PATCH 0053/1253] Updates Gateway API test dependency
Signed-off-by: irbekrm
---
make/tools.mk | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/make/tools.mk b/make/tools.mk
index d52033a5dfd..edd04355426 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -28,7 +28,8 @@ TOOLS += yq=v4.27.5
TOOLS += crane=v0.11.0
TOOLS += ginkgo=$(shell awk '/ginkgo\/v2/ {print $$2}' go.mod)
-GATEWAY_API_VERSION=v0.5.0
+# Version of Gateway API install bundle https://gateway-api.sigs.k8s.io/v1alpha2/guides/#installing-gateway-api
+GATEWAY_API_VERSION=v0.5.1
K8S_CODEGEN_VERSION=v0.25.2
@@ -374,7 +375,7 @@ $(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOS
# gatewayapi #
##############
-GATEWAY_API_SHA256SUM=c45f8806883014f7f75a2084c612fc62eb00d5c1915a906f8ca5ecda5450b163
+GATEWAY_API_SHA256SUM=b84972572a104012e7fbea5651a113ac872f6ffeb0b037b4505d664383c932a3
$(BINDIR)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml: | $(BINDIR)/downloaded
$(CURL) https://github.com/kubernetes-sigs/gateway-api/releases/download/$(GATEWAY_API_VERSION)/experimental-install.yaml -o $@
From 9709833bb66ceee243321fb4ab2da5d390b76cfb Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Mon, 5 Dec 2022 12:27:01 +0000
Subject: [PATCH 0054/1253] Removes unused check
current cert-manager version no longer supports Kubernetes 1.19
Signed-off-by: irbekrm
---
make/e2e.sh | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/make/e2e.sh b/make/e2e.sh
index 4468736d950..358781f44d0 100755
--- a/make/e2e.sh
+++ b/make/e2e.sh
@@ -155,21 +155,6 @@ for v in FEATURE_GATES FLAKE_ATTEMPTS NODES GINKGO_FOCUS GINKGO_SKIP ARTIFACTS;
fi
done
-# Skip Gateway tests for Kubernetes below v1.19.
-k8s_version=$(kubectl version -oyaml | yq e '.serverVersion | .major +"."+ .minor' -)
-case "$k8s_version" in
-1.16* | 1.17* | 1.18*)
- printf "${yel}${warn}Warning${end}: Kubernetes version ${k8s_version}, skipping Gateway tests.\n" >&2
-
- if [[ -z "$ginkgo_skip" ]]; then
- ginkgo_skip="Gateway"
- else
- # duplicates are ok
- ginkgo_skip="${ginkgo_skip}|Gateway"
- fi
- ;;
-esac
-
ginkgo_args=("$@")
if [[ -n "$ginkgo_focus" ]]; then ginkgo_args+=(--ginkgo.focus="${ginkgo_focus}"); fi
From 0c8aa75b181d8b08e54c74855d9b64af75cb2b70 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Mon, 5 Dec 2022 12:27:53 +0000
Subject: [PATCH 0055/1253] Corrects test Gateway resources
TLS block is only valid for TLS listeners
Signed-off-by: irbekrm
---
test/e2e/util/util.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go
index 32e5ceb3c42..95549154577 100644
--- a/test/e2e/util/util.go
+++ b/test/e2e/util/util.go
@@ -400,8 +400,8 @@ func NewGateway(gatewayName, ns, secretName string, annotations map[string]strin
Kinds: nil,
},
Name: "acme-solver",
- Protocol: gwapiv1beta1.TCPProtocolType,
- Port: gwapiv1beta1.PortNumber(80),
+ Protocol: gwapiv1beta1.TLSProtocolType,
+ Port: gwapiv1beta1.PortNumber(443),
Hostname: (*gwapiv1beta1.Hostname)(&dnsNames[0]),
TLS: &gwapiv1beta1.GatewayTLSConfig{
CertificateRefs: []gwapiv1beta1.SecretObjectReference{
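Review bot: The rationale for switching this listener to `TLSProtocolType` on port 443 exists only in the commit message; a comment on the `Protocol` line would stop a later contributor from reverting to TCP/80 and then hitting the validation error the commit fixes, e.g. `// A TLS block is only valid on a TLS listener, so this listener must use TLSProtocolType.` NewGateway's body starts and ends outside the hunk.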
From c60a181baf94762e346c4da210eb232349f247bf Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Mon, 5 Dec 2022 12:29:07 +0000
Subject: [PATCH 0056/1253] Gateway and GatewayClass for tests are created
against beta Gateway API
Signed-off-by: irbekrm
---
make/config/projectcontour/gateway.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/make/config/projectcontour/gateway.yaml b/make/config/projectcontour/gateway.yaml
index a4ccab95098..695df54c168 100644
--- a/make/config/projectcontour/gateway.yaml
+++ b/make/config/projectcontour/gateway.yaml
@@ -1,5 +1,5 @@
kind: GatewayClass
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
name: acmesolver
spec:
@@ -7,7 +7,7 @@ spec:
---
kind: Gateway
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
name: acmesolver
namespace: projectcontour
From 42ae76ae3016ad2a889a74db451d4c4ea32708e2 Mon Sep 17 00:00:00 2001
From: Sathyanarayanan Saravanamuthu
Date: Sun, 4 Dec 2022 10:25:41 +0530
Subject: [PATCH 0057/1253] Refreshing secrets when the keystore fields change
Signed-off-by: Sathyanarayanan Saravanamuthu
---
.../certificates/policies/checks.go | 58 +++
.../certificates/policies/policies.go | 1 +
pkg/apis/certmanager/v1/types.go | 15 +
.../issuing/secret_manager_test.go | 428 ++++++++++++++++++
4 files changed, 502 insertions(+)
diff --git a/internal/controller/certificates/policies/checks.go b/internal/controller/certificates/policies/checks.go
index 52d47d1ab13..9732c662f35 100644
--- a/internal/controller/certificates/policies/checks.go
+++ b/internal/controller/certificates/policies/checks.go
@@ -94,6 +94,64 @@ func SecretPrivateKeyMatchesSpec(input Input) (string, string, bool) {
return "", "", false
}
+// SecretKeystoreFormatMatchesSpec - When the keystore is not defined, the keystore
+// related fields are removed from the secret.
+// When one or more key stores are defined, re-issuance ensure that the
+// corresponding secrets are generated.
+// If the private key rotation is set to "Never", the key store related values are re-encoded
+// as per the certificate specification
+func SecretKeystoreFormatMatchesSpec(input Input) (string, string, bool) {
+ if input.Certificate.Spec.Keystores == nil {
+ if len(input.Secret.Data[cmapi.Pkcs12SecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.Pkcs12TruststoreKey]) != 0 ||
+ len(input.Secret.Data[cmapi.JksSecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.JksTruststoreKey]) != 0 {
+ return SecretMismatch, "Keystore is not defined", true
+ }
+ return "", "", false
+ }
+
+ if input.Certificate.Spec.Keystores.JKS != nil {
+ if input.Certificate.Spec.Keystores.JKS.Create {
+ if len(input.Secret.Data[cmapi.JksSecretKey]) == 0 ||
+ len(input.Secret.Data[cmapi.JksTruststoreKey]) == 0 {
+ return SecretMismatch, "JKS Keystore keys does not contain data", true
+ }
+ } else {
+ if len(input.Secret.Data[cmapi.JksSecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.JksTruststoreKey]) != 0 {
+ return SecretMismatch, "JKS Keystore create disabled", true
+ }
+ }
+ } else {
+ if len(input.Secret.Data[cmapi.JksSecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.JksTruststoreKey]) != 0 {
+ return SecretMismatch, "JKS Keystore not defined", true
+ }
+ }
+
+ if input.Certificate.Spec.Keystores.PKCS12 != nil {
+ if input.Certificate.Spec.Keystores.PKCS12.Create {
+ if len(input.Secret.Data[cmapi.Pkcs12SecretKey]) == 0 ||
+ len(input.Secret.Data[cmapi.Pkcs12TruststoreKey]) == 0 {
+ return SecretMismatch, "PKCS12 Keystore keys does not contain data", true
+ }
+ } else {
+ if len(input.Secret.Data[cmapi.Pkcs12SecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.Pkcs12TruststoreKey]) != 0 {
+ return SecretMismatch, "PKCS12 Keystore create disabled", true
+ }
+ }
+ } else {
+ if len(input.Secret.Data[cmapi.Pkcs12SecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.Pkcs12TruststoreKey]) != 0 {
+ return SecretMismatch, "PKCS12 Keystore not defined", true
+ }
+ }
+
+ return "", "", false
+}
+
func SecretIssuerAnnotationsNotUpToDate(input Input) (string, string, bool) {
name := input.Secret.Annotations[cmapi.IssuerNameAnnotationKey]
kind := input.Secret.Annotations[cmapi.IssuerKindAnnotationKey]
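Review bot: The `Create` branches for JKS and PKCS12 report a mismatch whenever the truststore entry is empty, with no regard to whether the Secret has any CA data at all; if the truststore is only ever written when `ca.crt` is present (which this hunk does not show), a Certificate issued without a CA would be flagged as mismatched on every sync and its Secret rewritten indefinitely. Gating the truststore clause on CA presence avoids that, e.g. `(len(input.Secret.Data[cmmeta.TLSCAKey]) > 0 && len(input.Secret.Data[cmapi.JksTruststoreKey]) == 0)` and the same for the PKCS12 branch. The doc comment's last sentence about private key rotation set to "Never" describes behaviour that nothing in this function implements, so it should either be dropped or moved to the code that does the re-encoding. The messages `JKS Keystore keys does not contain data` and `PKCS12 Keystore keys does not contain data` should read `do not`. The JKS and PKCS12 blocks are identical apart from the two key names and would read better as one unexported helper taking the keystore pointer's nil-ness, its `Create` flag and the two keys.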
diff --git a/internal/controller/certificates/policies/policies.go b/internal/controller/certificates/policies/policies.go
index 20e5893f25f..d5bb6c75a0d 100644
--- a/internal/controller/certificates/policies/policies.go
+++ b/internal/controller/certificates/policies/policies.go
@@ -100,6 +100,7 @@ func NewSecretPostIssuancePolicyChain(ownerRefEnabled bool, fieldManager string)
SecretAdditionalOutputFormatsOwnerMismatch(fieldManager),
SecretOwnerReferenceManagedFieldMismatch(ownerRefEnabled, fieldManager),
SecretOwnerReferenceValueMismatch(ownerRefEnabled),
+ SecretKeystoreFormatMatchesSpec,
}
}
diff --git a/pkg/apis/certmanager/v1/types.go b/pkg/apis/certmanager/v1/types.go
index a3fa3ae35e2..2561bd21e8e 100644
--- a/pkg/apis/certmanager/v1/types.go
+++ b/pkg/apis/certmanager/v1/types.go
@@ -233,6 +233,21 @@ const (
UsageNetscapeSGC KeyUsage = "netscape sgc"
)
+// Keystore specific secret keys
+const (
+ // Pkcs12SecretKey is the name of the data entry in the Secret resource
+ // used to store the p12 file.
+ Pkcs12SecretKey = "keystore.p12"
+ // Data Entry Name in the Secret resource for PKCS12 containing Certificate Authority
+ Pkcs12TruststoreKey = "truststore.p12"
+
+ // JksSecretKey is the name of the data entry in the Secret resource
+ // used to store the jks file.
+ JksSecretKey = "keystore.jks"
+ // Data Entry Name in the Secret resource for JKS containing Certificate Authority
+ JksTruststoreKey = "truststore.jks"
+)
+
// DefaultKeyUsages contains the default list of key usages
func DefaultKeyUsages() []KeyUsage {
// The serverAuth EKU is required as of Mac OS Catalina: https://support.apple.com/en-us/HT210176
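Review bot: The exported constants `Pkcs12SecretKey`, `Pkcs12TruststoreKey`, `JksSecretKey` and `JksTruststoreKey` write the initialisms in mixed case, while this same `v1` package already spells them `PKCS12Keystore` and `JKSKeystore` (used in the test hunk of this commit); Go convention keeps initialisms consistent, so `PKCS12SecretKey`, `PKCS12TruststoreKey`, `JKSSecretKey`, `JKSTruststoreKey`. Because these now become part of the public API surface, renaming later is costly. The doc comments on the two truststore constants also do not start with the identifier, e.g. `// Pkcs12TruststoreKey is the name of the data entry in the Secret resource used to store the PKCS12 truststore containing the issuing Certificate Authority.`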
diff --git a/pkg/controller/certificates/issuing/secret_manager_test.go b/pkg/controller/certificates/issuing/secret_manager_test.go
index 449c3d2984c..17f2abf2b94 100644
--- a/pkg/controller/certificates/issuing/secret_manager_test.go
+++ b/pkg/controller/certificates/issuing/secret_manager_test.go
@@ -492,6 +492,434 @@ func Test_ensureSecretData(t *testing.T) {
},
expectedAction: false,
},
+ "refresh secrets when keystore is not defined and the secret has keystore/truststore fields": {
+ key: "test-namespace/test-name",
+ enableOwnerRef: true,
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name", UID: types.UID("uid-234")},
+ Spec: cmapi.CertificateSpec{
+ CommonName: "example.com",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "testissuer",
+ Kind: "IssuerKind",
+ Group: "group.example.com",
+ },
+ SecretName: "test-secret",
+ }},
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "test-secret", Namespace: "test-namespace",
+ Annotations: map[string]string{
+ cmapi.IssuerNameAnnotationKey: "testissuer",
+ cmapi.IssuerKindAnnotationKey: "IssuerKind",
+ cmapi.IssuerGroupAnnotationKey: "group.example.com",
+ },
+ OwnerReferences: []metav1.OwnerReference{
+ {APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-234"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
+ },
+ ManagedFields: []metav1.ManagedFieldsEntry{
+ {Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
+ Raw: []byte(`
+ {"f:metadata": {
+ "f:ownerReferences": {
+ "k:{\"uid\":\"uid-234\"}": {}
+ }}}`),
+ }},
+ },
+ },
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: pk,
+ corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
+ &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
+ ),
+ cmapi.Pkcs12TruststoreKey: []byte("SomeData"),
+ },
+ },
+ expectedAction: true,
+ },
+ "refresh secrets when JKS keystore is defined and the secret does not have keystore/truststore fields": {
+ key: "test-namespace/test-name",
+ enableOwnerRef: true,
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name", UID: types.UID("uid-123")},
+ Spec: cmapi.CertificateSpec{
+ CommonName: "example.com",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "testissuer",
+ Kind: "IssuerKind",
+ Group: "group.example.com",
+ },
+ SecretName: "something",
+ Keystores: &cmapi.CertificateKeystores{
+ JKS: &cmapi.JKSKeystore{
+ Create: true,
+ },
+ },
+ }},
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "something", Namespace: "test-namespace",
+ Annotations: map[string]string{
+ cmapi.IssuerNameAnnotationKey: "testissuer",
+ cmapi.IssuerKindAnnotationKey: "IssuerKind",
+ cmapi.IssuerGroupAnnotationKey: "group.example.com",
+ },
+ OwnerReferences: []metav1.OwnerReference{
+ {APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
+ },
+ ManagedFields: []metav1.ManagedFieldsEntry{
+ {Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
+ Raw: []byte(`
+ {"f:metadata": {
+ "f:ownerReferences": {
+ "k:{\"uid\":\"uid-123\"}": {}
+ }}}`),
+ }},
+ },
+ },
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: pk,
+ corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
+ &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
+ ),
+ },
+ },
+ expectedAction: true,
+ },
+ "refresh secrets when JKS keystore is defined, create is disabled and the secret has keystore/truststore fields": {
+ key: "test-namespace/test-name",
+ enableOwnerRef: true,
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name", UID: types.UID("uid-123")},
+ Spec: cmapi.CertificateSpec{
+ CommonName: "example.com",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "testissuer",
+ Kind: "IssuerKind",
+ Group: "group.example.com",
+ },
+ SecretName: "something",
+ Keystores: &cmapi.CertificateKeystores{
+ JKS: &cmapi.JKSKeystore{
+ Create: false,
+ },
+ },
+ }},
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "something", Namespace: "test-namespace",
+ Annotations: map[string]string{
+ cmapi.IssuerNameAnnotationKey: "testissuer",
+ cmapi.IssuerKindAnnotationKey: "IssuerKind",
+ cmapi.IssuerGroupAnnotationKey: "group.example.com",
+ },
+ OwnerReferences: []metav1.OwnerReference{
+ {APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
+ },
+ ManagedFields: []metav1.ManagedFieldsEntry{
+ {Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
+ Raw: []byte(`
+ {"f:metadata": {
+ "f:ownerReferences": {
+ "k:{\"uid\":\"uid-123\"}": {}
+ }}}`),
+ }},
+ },
+ },
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: pk,
+ corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
+ &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
+ ),
+ cmapi.JksTruststoreKey: []byte("SomeData"),
+ },
+ },
+ expectedAction: true,
+ },
+ "refresh secrets when JKS keystore is null and the secret has keystore/truststore fields": {
+ key: "test-namespace/test-name",
+ enableOwnerRef: true,
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name", UID: types.UID("uid-123")},
+ Spec: cmapi.CertificateSpec{
+ CommonName: "example.com",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "testissuer",
+ Kind: "IssuerKind",
+ Group: "group.example.com",
+ },
+ SecretName: "something",
+ Keystores: &cmapi.CertificateKeystores{
+ JKS: nil,
+ },
+ }},
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "something", Namespace: "test-namespace",
+ Annotations: map[string]string{
+ cmapi.IssuerNameAnnotationKey: "testissuer",
+ cmapi.IssuerKindAnnotationKey: "IssuerKind",
+ cmapi.IssuerGroupAnnotationKey: "group.example.com",
+ },
+ OwnerReferences: []metav1.OwnerReference{
+ {APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
+ },
+ ManagedFields: []metav1.ManagedFieldsEntry{
+ {Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
+ Raw: []byte(`
+ {"f:metadata": {
+ "f:ownerReferences": {
+ "k:{\"uid\":\"uid-123\"}": {}
+ }}}`),
+ }},
+ },
+ },
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: pk,
+ corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
+ &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
+ ),
+ cmapi.JksTruststoreKey: []byte("SomeData"),
+ },
+ },
+ expectedAction: true,
+ },
+ "do nothing when JKS keystore is defined and create field is set to false": {
+ key: "test-namespace/test-name",
+ enableOwnerRef: true,
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name", UID: types.UID("uid-123")},
+ Spec: cmapi.CertificateSpec{
+ CommonName: "example.com",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "testissuer",
+ Kind: "IssuerKind",
+ Group: "group.example.com",
+ },
+ SecretName: "something",
+ Keystores: &cmapi.CertificateKeystores{
+ JKS: &cmapi.JKSKeystore{
+ Create: false,
+ },
+ },
+ }},
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "something", Namespace: "test-namespace",
+ Annotations: map[string]string{
+ cmapi.IssuerNameAnnotationKey: "testissuer",
+ cmapi.IssuerKindAnnotationKey: "IssuerKind",
+ cmapi.IssuerGroupAnnotationKey: "group.example.com",
+ },
+ OwnerReferences: []metav1.OwnerReference{
+ {APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
+ },
+ ManagedFields: []metav1.ManagedFieldsEntry{
+ {Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
+ Raw: []byte(`
+ {"f:metadata": {
+ "f:ownerReferences": {
+ "k:{\"uid\":\"uid-123\"}": {}
+ }}}`),
+ }},
+ },
+ },
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: pk,
+ corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
+ &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
+ ),
+ },
+ },
+ expectedAction: false,
+ },
+ "refresh secret when PKCS12 keystore is defined and the secret does not have keystore/truststore fields": {
+ key: "test-namespace/test-name",
+ enableOwnerRef: true,
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name", UID: types.UID("uid-123")},
+ Spec: cmapi.CertificateSpec{
+ CommonName: "example.com",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "testissuer",
+ Kind: "IssuerKind",
+ Group: "group.example.com",
+ },
+ SecretName: "something",
+ Keystores: &cmapi.CertificateKeystores{
+ PKCS12: &cmapi.PKCS12Keystore{
+ Create: true,
+ },
+ },
+ }},
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "something", Namespace: "test-namespace",
+ Annotations: map[string]string{
+ cmapi.IssuerNameAnnotationKey: "testissuer",
+ cmapi.IssuerKindAnnotationKey: "IssuerKind",
+ cmapi.IssuerGroupAnnotationKey: "group.example.com",
+ },
+ OwnerReferences: []metav1.OwnerReference{
+ {APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
+ },
+ ManagedFields: []metav1.ManagedFieldsEntry{
+ {Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
+ Raw: []byte(`
+ {"f:metadata": {
+ "f:ownerReferences": {
+ "k:{\"uid\":\"uid-123\"}": {}
+ }}}`),
+ }},
+ },
+ },
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: pk,
+ corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
+ &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
+ ),
+ },
+ },
+ expectedAction: true,
+ },
+ "refresh secret when PKCS12 keystore is defined, create is disabled and the secret has keystore/truststore fields": {
+ key: "test-namespace/test-name",
+ enableOwnerRef: true,
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name", UID: types.UID("uid-123")},
+ Spec: cmapi.CertificateSpec{
+ CommonName: "example.com",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "testissuer",
+ Kind: "IssuerKind",
+ Group: "group.example.com",
+ },
+ SecretName: "something",
+ Keystores: &cmapi.CertificateKeystores{
+ PKCS12: &cmapi.PKCS12Keystore{
+ Create: false,
+ },
+ },
+ }},
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "something", Namespace: "test-namespace",
+ Annotations: map[string]string{
+ cmapi.IssuerNameAnnotationKey: "testissuer",
+ cmapi.IssuerKindAnnotationKey: "IssuerKind",
+ cmapi.IssuerGroupAnnotationKey: "group.example.com",
+ },
+ OwnerReferences: []metav1.OwnerReference{
+ {APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
+ },
+ ManagedFields: []metav1.ManagedFieldsEntry{
+ {Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
+ Raw: []byte(`
+ {"f:metadata": {
+ "f:ownerReferences": {
+ "k:{\"uid\":\"uid-123\"}": {}
+ }}}`),
+ }},
+ },
+ },
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: pk,
+ corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
+ &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
+ ),
+ cmapi.Pkcs12TruststoreKey: []byte("SomeData"),
+ },
+ },
+ expectedAction: true,
+ },
+ "refresh secret when PKCS12 keystore is null and the secret has keystore/truststore fields": {
+ key: "test-namespace/test-name",
+ enableOwnerRef: true,
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name", UID: types.UID("uid-123")},
+ Spec: cmapi.CertificateSpec{
+ CommonName: "example.com",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "testissuer",
+ Kind: "IssuerKind",
+ Group: "group.example.com",
+ },
+ SecretName: "something",
+ Keystores: &cmapi.CertificateKeystores{
+ PKCS12: nil,
+ },
+ }},
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "something", Namespace: "test-namespace",
+ Annotations: map[string]string{
+ cmapi.IssuerNameAnnotationKey: "testissuer",
+ cmapi.IssuerKindAnnotationKey: "IssuerKind",
+ cmapi.IssuerGroupAnnotationKey: "group.example.com",
+ },
+ OwnerReferences: []metav1.OwnerReference{
+ {APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
+ },
+ ManagedFields: []metav1.ManagedFieldsEntry{
+ {Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
+ Raw: []byte(`
+ {"f:metadata": {
+ "f:ownerReferences": {
+ "k:{\"uid\":\"uid-123\"}": {}
+ }}}`),
+ }},
+ },
+ },
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: pk,
+ corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
+ &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
+ ),
+ cmapi.Pkcs12TruststoreKey: []byte("SomeData"),
+ },
+ },
+ expectedAction: true,
+ },
+ "do nothing when PKCS12 keystore is defined and the create is set to false": {
+ key: "test-namespace/test-name",
+ enableOwnerRef: true,
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name", UID: types.UID("uid-123")},
+ Spec: cmapi.CertificateSpec{
+ CommonName: "example.com",
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "testissuer",
+ Kind: "IssuerKind",
+ Group: "group.example.com",
+ },
+ SecretName: "something",
+ Keystores: &cmapi.CertificateKeystores{
+ PKCS12: &cmapi.PKCS12Keystore{
+ Create: false,
+ },
+ },
+ }},
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "something", Namespace: "test-namespace",
+ Annotations: map[string]string{
+ cmapi.IssuerNameAnnotationKey: "testissuer",
+ cmapi.IssuerKindAnnotationKey: "IssuerKind",
+ cmapi.IssuerGroupAnnotationKey: "group.example.com",
+ },
+ OwnerReferences: []metav1.OwnerReference{
+ {APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
+ },
+ ManagedFields: []metav1.ManagedFieldsEntry{
+ {Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
+ Raw: []byte(`
+ {"f:metadata": {
+ "f:ownerReferences": {
+ "k:{\"uid\":\"uid-123\"}": {}
+ }}}`),
+ }},
+ },
+ },
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: pk,
+ corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
+ &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
+ ),
+ },
+ },
+ expectedAction: false,
+ },
}
for name, test := range tests {
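Review bot: Every new case with `Create: true` expects `expectedAction: true`; there is no case where a keystore is requested and the Secret already holds both the `keystore.*` and `truststore.*` entries with `expectedAction: false`, so a check that unconditionally reports a mismatch whenever `Create` is set would still pass this table. Adding that steady-state case for JKS and for PKCS12 pins the intended behaviour. There is also no case with both `JKS` and `PKCS12` set on the same Certificate, which exercises the two branches in sequence. The enclosing `Test_ensureSecretData` table starts and ends outside the hunk.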
From 4a6bae60bed2784974ec7f90bbe234eee85f31f0 Mon Sep 17 00:00:00 2001
From: Sathyanarayanan Saravanamuthu
<107846526+sathyanarays@users.noreply.github.com>
Date: Tue, 6 Dec 2022 16:18:27 +0530
Subject: [PATCH 0058/1253] Update
internal/controller/certificates/policies/checks.go
Co-authored-by: Richard Wall
Signed-off-by: Sathyanarayanan Saravanamuthu <107846526+sathyanarays@users.noreply.github.com>
---
internal/controller/certificates/policies/checks.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/controller/certificates/policies/checks.go b/internal/controller/certificates/policies/checks.go
index 9732c662f35..a2e633c9f44 100644
--- a/internal/controller/certificates/policies/checks.go
+++ b/internal/controller/certificates/policies/checks.go
@@ -96,7 +96,7 @@ func SecretPrivateKeyMatchesSpec(input Input) (string, string, bool) {
// SecretKeystoreFormatMatchesSpec - When the keystore is not defined, the keystore
// related fields are removed from the secret.
-// When one or more key stores are defined, re-issuance ensure that the
+// When one or more key stores are defined, the
// corresponding secrets are generated.
// If the private key rotation is set to "Never", the key store related values are re-encoded
// as per the certificate specification
From 94fa9eeee62eb14ba3c0a15e45820e411a54da87 Mon Sep 17 00:00:00 2001
From: Sathyanarayanan Saravanamuthu
Date: Tue, 6 Dec 2022 16:22:51 +0530
Subject: [PATCH 0059/1253] Addressing review comments
Signed-off-by: Sathyanarayanan Saravanamuthu
---
pkg/apis/certmanager/v1/types_certificate.go | 4 ++--
.../certificates/issuing/internal/keystore.go | 14 --------------
.../certificates/issuing/internal/secret.go | 8 ++++----
3 files changed, 6 insertions(+), 20 deletions(-)
diff --git a/pkg/apis/certmanager/v1/types_certificate.go b/pkg/apis/certmanager/v1/types_certificate.go
index a831d6a5b63..8bbc6a85c53 100644
--- a/pkg/apis/certmanager/v1/types_certificate.go
+++ b/pkg/apis/certmanager/v1/types_certificate.go
@@ -356,7 +356,7 @@ type JKSKeystore struct {
// If true, a file named `keystore.jks` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
- // The keystore file will only be updated upon re-issuance.
+ // The keystore file will be updated immediately.
// A file named `truststore.jks` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate Authority
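Review bot: "The keystore file will be updated immediately." leaves the trigger unstated — immediately after what? The old wording named its trigger (re-issuance), and the replacement should too; presumably the point of this series is that the keystore entries are regenerated whenever the keystore spec changes without waiting for the certificate to be re-issued, in which case something like `// The keystore file will be created or updated as soon as this setting changes,` / `// without waiting for the certificate to be re-issued.` says what a user actually needs to know. This comment is the source of the generated CRD description, so the same wording must land in crd-certificates.yaml, and the PKCS12 comment in the next hunk has the identical problem. The JKSKeystore struct starts outside the hunk.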
@@ -374,7 +374,7 @@ type PKCS12Keystore struct {
// If true, a file named `keystore.p12` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
- // The keystore file will only be updated upon re-issuance.
+ // The keystore file will be updated immediately.
// A file named `truststore.p12` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate Authority
diff --git a/pkg/controller/certificates/issuing/internal/keystore.go b/pkg/controller/certificates/issuing/internal/keystore.go
index 2c73ac1276b..1d16852e5c2 100644
--- a/pkg/controller/certificates/issuing/internal/keystore.go
+++ b/pkg/controller/certificates/issuing/internal/keystore.go
@@ -34,20 +34,6 @@ import (
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
-const (
- // pkcs12SecretKey is the name of the data entry in the Secret resource
- // used to store the p12 file.
- pkcs12SecretKey = "keystore.p12"
- // Data Entry Name in the Secret resource for PKCS12 containing Certificate Authority
- pkcs12TruststoreKey = "truststore.p12"
-
- // jksSecretKey is the name of the data entry in the Secret resource
- // used to store the jks file.
- jksSecretKey = "keystore.jks"
- // Data Entry Name in the Secret resource for JKS containing Certificate Authority
- jksTruststoreKey = "truststore.jks"
-)
-
// encodePKCS12Keystore will encode a PKCS12 keystore using the password provided.
// The key, certificate and CA data must be provided in PKCS1 or PKCS8 PEM format.
// If the certificate data contains multiple certificates, the first will be used
diff --git a/pkg/controller/certificates/issuing/internal/secret.go b/pkg/controller/certificates/issuing/internal/secret.go
index c145dcb072d..0f89f263bdd 100644
--- a/pkg/controller/certificates/issuing/internal/secret.go
+++ b/pkg/controller/certificates/issuing/internal/secret.go
@@ -235,7 +235,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
return fmt.Errorf("error encoding PKCS12 bundle: %w", err)
}
// always overwrite the keystore entry for now
- secret.Data[pkcs12SecretKey] = keystoreData
+ secret.Data[cmapi.Pkcs12SecretKey] = keystoreData
if len(data.CA) > 0 {
truststoreData, err := encodePKCS12Truststore(string(pw), data.CA)
@@ -243,7 +243,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
return fmt.Errorf("error encoding PKCS12 trust store bundle: %w", err)
}
// always overwrite the truststore entry
- secret.Data[pkcs12TruststoreKey] = truststoreData
+ secret.Data[cmapi.Pkcs12TruststoreKey] = truststoreData
}
}
@@ -263,7 +263,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
return fmt.Errorf("error encoding JKS bundle: %w", err)
}
// always overwrite the keystore entry
- secret.Data[jksSecretKey] = keystoreData
+ secret.Data[cmapi.JksSecretKey] = keystoreData
if len(data.CA) > 0 {
truststoreData, err := encodeJKSTruststore(pw, data.CA)
@@ -271,7 +271,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
return fmt.Errorf("error encoding JKS trust store bundle: %w", err)
}
// always overwrite the keystore entry
- secret.Data[jksTruststoreKey] = truststoreData
+ secret.Data[cmapi.JksTruststoreKey] = truststoreData
}
}
From 5aabf625855bc3e4a634803795aa795fd6480966 Mon Sep 17 00:00:00 2001
From: Sathyanarayanan Saravanamuthu
Date: Tue, 6 Dec 2022 16:30:00 +0530
Subject: [PATCH 0060/1253] Updating CRDs
Signed-off-by: Sathyanarayanan Saravanamuthu
---
deploy/crds/crd-certificates.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml
index f4d21987512..98cad1df692 100644
--- a/deploy/crds/crd-certificates.yaml
+++ b/deploy/crds/crd-certificates.yaml
@@ -134,7 +134,7 @@ spec:
- passwordSecretRef
properties:
create:
- description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
+ description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
type: boolean
passwordSecretRef:
description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
@@ -156,7 +156,7 @@ spec:
- passwordSecretRef
properties:
create:
- description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
+ description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
type: boolean
passwordSecretRef:
description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
From f719247d2b5f24a38a76e30d0ec68f3152d0c8f2 Mon Sep 17 00:00:00 2001
From: Sathyanarayanan Saravanamuthu
Date: Tue, 6 Dec 2022 18:48:23 +0530
Subject: [PATCH 0061/1253] Addressing review comments
Signed-off-by: Sathyanarayanan Saravanamuthu
---
.../certificates/policies/checks.go | 32 +++++++++----------
pkg/apis/certmanager/v1/types.go | 12 +++----
.../certificates/issuing/internal/secret.go | 8 ++---
.../issuing/secret_manager_test.go | 10 +++---
4 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/internal/controller/certificates/policies/checks.go b/internal/controller/certificates/policies/checks.go
index a2e633c9f44..d2c6b27ec9f 100644
--- a/internal/controller/certificates/policies/checks.go
+++ b/internal/controller/certificates/policies/checks.go
@@ -102,10 +102,10 @@ func SecretPrivateKeyMatchesSpec(input Input) (string, string, bool) {
// as per the certificate specification
func SecretKeystoreFormatMatchesSpec(input Input) (string, string, bool) {
if input.Certificate.Spec.Keystores == nil {
- if len(input.Secret.Data[cmapi.Pkcs12SecretKey]) != 0 ||
- len(input.Secret.Data[cmapi.Pkcs12TruststoreKey]) != 0 ||
- len(input.Secret.Data[cmapi.JksSecretKey]) != 0 ||
- len(input.Secret.Data[cmapi.JksTruststoreKey]) != 0 {
+ if len(input.Secret.Data[cmapi.PKCS12SecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.PKCS12TruststoreKey]) != 0 ||
+ len(input.Secret.Data[cmapi.JKSSecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.JKSTruststoreKey]) != 0 {
return SecretMismatch, "Keystore is not defined", true
}
return "", "", false
@@ -113,38 +113,38 @@ func SecretKeystoreFormatMatchesSpec(input Input) (string, string, bool) {
if input.Certificate.Spec.Keystores.JKS != nil {
if input.Certificate.Spec.Keystores.JKS.Create {
- if len(input.Secret.Data[cmapi.JksSecretKey]) == 0 ||
- len(input.Secret.Data[cmapi.JksTruststoreKey]) == 0 {
+ if len(input.Secret.Data[cmapi.JKSSecretKey]) == 0 ||
+ len(input.Secret.Data[cmapi.JKSTruststoreKey]) == 0 {
return SecretMismatch, "JKS Keystore keys does not contain data", true
}
} else {
- if len(input.Secret.Data[cmapi.JksSecretKey]) != 0 ||
- len(input.Secret.Data[cmapi.JksTruststoreKey]) != 0 {
+ if len(input.Secret.Data[cmapi.JKSSecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.JKSTruststoreKey]) != 0 {
return SecretMismatch, "JKS Keystore create disabled", true
}
}
} else {
- if len(input.Secret.Data[cmapi.JksSecretKey]) != 0 ||
- len(input.Secret.Data[cmapi.JksTruststoreKey]) != 0 {
+ if len(input.Secret.Data[cmapi.JKSSecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.JKSTruststoreKey]) != 0 {
return SecretMismatch, "JKS Keystore not defined", true
}
}
if input.Certificate.Spec.Keystores.PKCS12 != nil {
if input.Certificate.Spec.Keystores.PKCS12.Create {
- if len(input.Secret.Data[cmapi.Pkcs12SecretKey]) == 0 ||
- len(input.Secret.Data[cmapi.Pkcs12TruststoreKey]) == 0 {
+ if len(input.Secret.Data[cmapi.PKCS12SecretKey]) == 0 ||
+ len(input.Secret.Data[cmapi.PKCS12TruststoreKey]) == 0 {
return SecretMismatch, "PKCS12 Keystore keys does not contain data", true
}
} else {
- if len(input.Secret.Data[cmapi.Pkcs12SecretKey]) != 0 ||
- len(input.Secret.Data[cmapi.Pkcs12TruststoreKey]) != 0 {
+ if len(input.Secret.Data[cmapi.PKCS12SecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.PKCS12TruststoreKey]) != 0 {
return SecretMismatch, "PKCS12 Keystore create disabled", true
}
}
} else {
- if len(input.Secret.Data[cmapi.Pkcs12SecretKey]) != 0 ||
- len(input.Secret.Data[cmapi.Pkcs12TruststoreKey]) != 0 {
+ if len(input.Secret.Data[cmapi.PKCS12SecretKey]) != 0 ||
+ len(input.Secret.Data[cmapi.PKCS12TruststoreKey]) != 0 {
return SecretMismatch, "PKCS12 Keystore not defined", true
}
}
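Review bot: The `JKS.Create` and `PKCS12.Create` branches return SecretMismatch whenever the truststore entry is empty, but setKeystores in secret.go (visible earlier in this series) only writes `truststore.jks` / `truststore.p12` inside `if len(data.CA) > 0`, so a Certificate whose issuer returns no CA chain would, as far as these hunks show, be flagged as mismatched on every reconcile and have its Secret rewritten indefinitely. The truststore half of each check should depend on CA data being present, e.g. `caPresent := len(input.Secret.Data["ca.crt"]) != 0` (if that is the Secret key the issuing controller populates for the CA) and then only require the truststore entries when `caPresent` is true; the same applies to the PKCS12 branch at the bottom of the hunk. This deserves a policy test case: keystore create enabled, no CA in the Secret, expect no mismatch. The function's final return is outside the hunk.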
diff --git a/pkg/apis/certmanager/v1/types.go b/pkg/apis/certmanager/v1/types.go
index 2561bd21e8e..3f7310066ec 100644
--- a/pkg/apis/certmanager/v1/types.go
+++ b/pkg/apis/certmanager/v1/types.go
@@ -235,17 +235,17 @@ const (
// Keystore specific secret keys
const (
- // Pkcs12SecretKey is the name of the data entry in the Secret resource
+ // PKCS12SecretKey is the name of the data entry in the Secret resource
// used to store the p12 file.
- Pkcs12SecretKey = "keystore.p12"
+ PKCS12SecretKey = "keystore.p12"
// Data Entry Name in the Secret resource for PKCS12 containing Certificate Authority
- Pkcs12TruststoreKey = "truststore.p12"
+ PKCS12TruststoreKey = "truststore.p12"
- // JksSecretKey is the name of the data entry in the Secret resource
+ // JKSSecretKey is the name of the data entry in the Secret resource
// used to store the jks file.
- JksSecretKey = "keystore.jks"
+ JKSSecretKey = "keystore.jks"
// Data Entry Name in the Secret resource for JKS containing Certificate Authority
- JksTruststoreKey = "truststore.jks"
+ JKSTruststoreKey = "truststore.jks"
)
// DefaultKeyUsages contains the default list of key usages
diff --git a/pkg/controller/certificates/issuing/internal/secret.go b/pkg/controller/certificates/issuing/internal/secret.go
index 0f89f263bdd..1277f490a51 100644
--- a/pkg/controller/certificates/issuing/internal/secret.go
+++ b/pkg/controller/certificates/issuing/internal/secret.go
@@ -235,7 +235,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
return fmt.Errorf("error encoding PKCS12 bundle: %w", err)
}
// always overwrite the keystore entry for now
- secret.Data[cmapi.Pkcs12SecretKey] = keystoreData
+ secret.Data[cmapi.PKCS12SecretKey] = keystoreData
if len(data.CA) > 0 {
truststoreData, err := encodePKCS12Truststore(string(pw), data.CA)
@@ -243,7 +243,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
return fmt.Errorf("error encoding PKCS12 trust store bundle: %w", err)
}
// always overwrite the truststore entry
- secret.Data[cmapi.Pkcs12TruststoreKey] = truststoreData
+ secret.Data[cmapi.PKCS12TruststoreKey] = truststoreData
}
}
@@ -263,7 +263,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
return fmt.Errorf("error encoding JKS bundle: %w", err)
}
// always overwrite the keystore entry
- secret.Data[cmapi.JksSecretKey] = keystoreData
+ secret.Data[cmapi.JKSSecretKey] = keystoreData
if len(data.CA) > 0 {
truststoreData, err := encodeJKSTruststore(pw, data.CA)
@@ -271,7 +271,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
return fmt.Errorf("error encoding JKS trust store bundle: %w", err)
}
// always overwrite the keystore entry
- secret.Data[cmapi.JksTruststoreKey] = truststoreData
+ secret.Data[cmapi.JKSTruststoreKey] = truststoreData
}
}
diff --git a/pkg/controller/certificates/issuing/secret_manager_test.go b/pkg/controller/certificates/issuing/secret_manager_test.go
index 17f2abf2b94..98efa95a8bb 100644
--- a/pkg/controller/certificates/issuing/secret_manager_test.go
+++ b/pkg/controller/certificates/issuing/secret_manager_test.go
@@ -531,7 +531,7 @@ func Test_ensureSecretData(t *testing.T) {
corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
&cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
),
- cmapi.Pkcs12TruststoreKey: []byte("SomeData"),
+ cmapi.PKCS12TruststoreKey: []byte("SomeData"),
},
},
expectedAction: true,
@@ -628,7 +628,7 @@ func Test_ensureSecretData(t *testing.T) {
corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
&cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
),
- cmapi.JksTruststoreKey: []byte("SomeData"),
+ cmapi.JKSTruststoreKey: []byte("SomeData"),
},
},
expectedAction: true,
@@ -675,7 +675,7 @@ func Test_ensureSecretData(t *testing.T) {
corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
&cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
),
- cmapi.JksTruststoreKey: []byte("SomeData"),
+ cmapi.JKSTruststoreKey: []byte("SomeData"),
},
},
expectedAction: true,
@@ -820,7 +820,7 @@ func Test_ensureSecretData(t *testing.T) {
corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
&cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
),
- cmapi.Pkcs12TruststoreKey: []byte("SomeData"),
+ cmapi.PKCS12TruststoreKey: []byte("SomeData"),
},
},
expectedAction: true,
@@ -867,7 +867,7 @@ func Test_ensureSecretData(t *testing.T) {
corev1.TLSCertKey: testcrypto.MustCreateCert(t, pk,
&cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.com"}},
),
- cmapi.Pkcs12TruststoreKey: []byte("SomeData"),
+ cmapi.PKCS12TruststoreKey: []byte("SomeData"),
},
},
expectedAction: true,
From 79bd127d3b16f1d41181933589a4b22ca37f0f28 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Tue, 6 Dec 2022 16:40:20 +0000
Subject: [PATCH 0062/1253] remove verify-licenses from ci-presubmit
see https://github.com/cert-manager/release/pull/111
Signed-off-by: Ashley Davis
---
make/ci.mk | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/make/ci.mk b/make/ci.mk
index 7981bbe552a..b0172b58a17 100644
--- a/make/ci.mk
+++ b/make/ci.mk
@@ -3,7 +3,7 @@
## request or change is merged.
##
## @category CI
-ci-presubmit: verify-imports verify-errexit verify-boilerplate verify-codegen verify-crds verify-licenses
+ci-presubmit: verify-imports verify-errexit verify-boilerplate verify-codegen verify-crds
.PHONY: verify-imports
verify-imports: | $(NEEDS_GOIMPORTS)
@@ -25,6 +25,9 @@ verify-boilerplate:
$(__PYTHON) hack/verify_boilerplate.py
.PHONY: verify-licenses
+## Check that the LICENSES file is up to date; must pass before a change to go.mod can be merged
+##
+## @category CI
verify-licenses: $(BINDIR)/scratch/LATEST-LICENSES
@diff $(BINDIR)/scratch/LATEST-LICENSES LICENSES >/dev/null || (echo -e "\033[0;33mLICENSES seem to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
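Review bot: The new comment says verify-licenses "must pass before a change to go.mod can be merged", yet the same commit drops it from `ci-presubmit` and nothing in this file shows what runs it now, so a reader of this Makefile will assume a gate that, from here, does not exist. If enforcement moved to a separate job per cert-manager/release#111, name it so the dependency is auditable, e.g. `## Check that the LICENSES file is up to date. Not part of ci-presubmit; run as its own presubmit job (see cert-manager/release#111) and must pass before a go.mod change is merged`. Because this check is the project's third-party license/supply-chain control, where it is enforced should be explicit rather than implied by a PR link in the commit message.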
From 22f3a6152d49202cd1a6d6a8098b7814e538667c Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Wed, 7 Dec 2022 10:10:35 +0000
Subject: [PATCH 0063/1253] bump go to 1.19.4
Signed-off-by: Ashley Davis
---
make/tools.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make/tools.mk b/make/tools.mk
index edd04355426..f4d9f0a0617 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -37,7 +37,7 @@ KUBEBUILDER_ASSETS_VERSION=1.25.0
TOOLS += etcd=$(KUBEBUILDER_ASSETS_VERSION)
TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION)
-VENDORED_GO_VERSION := 1.19.3
+VENDORED_GO_VERSION := 1.19.4
# When switching branches which use different versions of the tools, we
# need a way to re-trigger the symlinking from $(BINDIR)/downloaded to $(BINDIR)/tools.
From 5ce5129a3cde361605fe5868e67f1111b1abd379 Mon Sep 17 00:00:00 2001
From: Yannic Kilcher
Date: Fri, 9 Dec 2022 11:55:33 +0100
Subject: [PATCH 0064/1253] Fixed a typo in helm chart values
Signed-off-by: Yannic Kilcher
---
deploy/charts/cert-manager/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 14056dd6631..2c5f13b12aa 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -109,7 +109,7 @@ serviceAccount:
extraArgs: []
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
# - --enable-certificate-owner-ref=true
- # Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver
+ # Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver
# - --controllers=*,-certificaterequests-approver
extraEnv: []
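Review bot: The corrected line still carries a second typo, `CertificiateRequests`, which the commit leaves in place; since the line is being touched it should read `# Use this flag to enable or disable arbitrary controllers, for example, disable the CertificateRequests approver`. The controller name in the example flag below (`certificaterequests-approver`) is what users will search for, so the comment should spell the resource the same way.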
From a099eb306a54ff5e35cadaa09230a7b8881014e6 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Mon, 12 Dec 2022 09:46:09 +0000
Subject: [PATCH 0065/1253] bump dep versions to fix trivy-reported vulns
```text
{
"VulnerabilityID": "CVE-2022-41717",
"PkgName": "golang.org/x/net",
"InstalledVersion": "v0.0.0-20220921155015-db77216a4ee9",
"FixedVersion": "0.4.0",
"Layer": {
"DiffID": "sha256:629212d4fb1b47585329d1c630cb91f919ddcd6168031a07121953d6c6dbd438"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-41717",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "An attacker can cause excessive memory growth in a Go server accepting ...",
"Description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"Severity": "UNKNOWN",
"References": [
"https://go.dev/cl/455635",
"https://go.dev/cl/455717",
"https://go.dev/issue/56350",
"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"https://pkg.go.dev/vuln/GO-2022-1144"
],
"PublishedDate": "2022-12-08T20:15:00Z",
"LastModifiedDate": "2022-12-08T22:30:00Z"
}
```
Signed-off-by: Ashley Davis
---
LICENSES | 8 ++++----
go.mod | 8 ++++----
go.sum | 8 ++++++++
3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/LICENSES b/LICENSES
index f36a1d9bda1..cb8ecad1de3 100644
--- a/LICENSES
+++ b/LICENSES
@@ -195,12 +195,12 @@ go.uber.org/atomic,https://github.com/uber-go/atomic/blob/v1.9.0/LICENSE.txt,MIT
go.uber.org/multierr,https://github.com/uber-go/multierr/blob/v1.6.0/LICENSE.txt,MIT
go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.21.0/LICENSE.txt,MIT
golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/4ba4fb4d:LICENSE,BSD-3-Clause
-golang.org/x/net,https://cs.opensource.google/go/x/net/+/db77216a:LICENSE,BSD-3-Clause
+golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.4.0:LICENSE,BSD-3-Clause
golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/f2134210:LICENSE,BSD-3-Clause
golang.org/x/sync,https://cs.opensource.google/go/x/sync/+/7f9b1623:LICENSE,BSD-3-Clause
-golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE,BSD-3-Clause
-golang.org/x/term,https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE,BSD-3-Clause
-golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.3.8:LICENSE,BSD-3-Clause
+golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/v0.3.0:LICENSE,BSD-3-Clause
+golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.3.0:LICENSE,BSD-3-Clause
+golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.5.0:LICENSE,BSD-3-Clause
golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE,BSD-3-Clause
gomodules.xyz/jsonpatch/v2,https://github.com/gomodules/jsonpatch/blob/v2.2.0/v2/LICENSE,Apache-2.0
google.golang.org/api,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/LICENSE,BSD-3-Clause
diff --git a/go.mod b/go.mod
index 575461f993b..562f54d1737 100644
--- a/go.mod
+++ b/go.mod
@@ -228,10 +228,10 @@ require (
go.uber.org/multierr v1.6.0 // indirect
go.uber.org/zap v1.21.0 // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
- golang.org/x/net v0.0.0-20220921155015-db77216a4ee9 // indirect
- golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
- golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
- golang.org/x/text v0.3.8 // indirect
+ golang.org/x/net v0.4.0 // indirect
+ golang.org/x/sys v0.3.0 // indirect
+ golang.org/x/term v0.3.0 // indirect
+ golang.org/x/text v0.5.0 // indirect
golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
golang.org/x/tools v0.1.12 // indirect
google.golang.org/appengine v1.6.7 // indirect
diff --git a/go.sum b/go.sum
index cd784ff9dfc..44f6a18a14f 100644
--- a/go.sum
+++ b/go.sum
@@ -1162,6 +1162,8 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
golang.org/x/net v0.0.0-20220921155015-db77216a4ee9 h1:SdDGdqRuKrF2R4XGcnPzcvZ63c/55GvhoHUus0o+BNI=
golang.org/x/net v0.0.0-20220921155015-db77216a4ee9/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
+golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1291,9 +1293,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1307,6 +1313,8 @@ golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
From d62bf032f51abd5a2915d5f4ada0a6f3b0f2f014 Mon Sep 17 00:00:00 2001
From: Denis Romanenko
Date: Tue, 13 Dec 2022 09:41:29 +0300
Subject: [PATCH 0066/1253] fix kubebuilder tools arm64 sha256sum
Signed-off-by: Denis Romanenko
---
make/tools.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make/tools.mk b/make/tools.mk
index f4d9f0a0617..0b3464ff70e 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -356,7 +356,7 @@ $(K8S_CODEGEN_TOOLS_DOWNLOADS): $(BINDIR)/downloaded/tools/%-gen@$(K8S_CODEGEN_V
KUBEBUILDER_TOOLS_linux_amd64_SHA256SUM=c9796a0a13ccb79b77e3d64b8d3bb85a14fc850800724c63b85bf5bacbe0b4ba
KUBEBUILDER_TOOLS_darwin_amd64_SHA256SUM=a232faf4551ffb1185660c5a2eb9eaaf7eb02136fa71e7ead84ee940a205d9bf
-KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=9a8c8526965f46256ff947303342e73499217df5c53680a03ac950d331191ffc
+KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=e5ae7aaead02af274f840693131f24aa0506b0b44ccecb5f073847b39bef2ce2
$(BINDIR)/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_%: $(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(BINDIR)/downloaded/tools
./hack/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM)
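Review bot: The darwin_arm64 checksum is replaced with no record of where the new value came from; for a pinned download hash that `checkhash.sh` enforces, the commit should state how the sum was obtained (computed from the upstream `kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_darwin_arm64.tar.gz` artifact, or copied from the upstream published checksum) so a reviewer can distinguish a corrected pin from a substituted archive. Record that provenance above the block, e.g. `# SHA256 sums of kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_<os>_<arch>.tar.gz, verified against the upstream release`, and put the verification command in the commit message. Only the arm64 line changes, which is consistent with a re-published artifact, but that is an inference — confirm the other two sums still match upstream.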
From 2f0d49203603cebe47551a9ed940fbfd26ac9715 Mon Sep 17 00:00:00 2001
From: lv
Date: Tue, 13 Dec 2022 18:15:16 +0800
Subject: [PATCH 0067/1253] feat: Add max-concurrent-challenges parameter to
helm
Set the max-concurrent-challenges value with `--set maxConcurrentChallenges=<value>` when deploying with helm
Fixes: https://github.com/cert-manager/cert-manager/issues/5627
Signed-off-by: lvyanru
---
deploy/charts/cert-manager/README.template.md | 1 +
deploy/charts/cert-manager/templates/deployment.yaml | 3 +++
deploy/charts/cert-manager/values.yaml | 3 +++
3 files changed, 7 insertions(+)
diff --git a/deploy/charts/cert-manager/README.template.md b/deploy/charts/cert-manager/README.template.md
index 4fd1e752dda..f41b617ec71 100644
--- a/deploy/charts/cert-manager/README.template.md
+++ b/deploy/charts/cert-manager/README.template.md
@@ -212,6 +212,7 @@ The following table lists the configurable parameters of the cert-manager chart
| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | |
| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` |
+| `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` |
### Default Security Contexts
diff --git a/deploy/charts/cert-manager/templates/deployment.yaml b/deploy/charts/cert-manager/templates/deployment.yaml
index 7f99a979653..9d5fb0e0cef 100644
--- a/deploy/charts/cert-manager/templates/deployment.yaml
+++ b/deploy/charts/cert-manager/templates/deployment.yaml
@@ -107,6 +107,9 @@ spec:
{{- if .Values.featureGates }}
- --feature-gates={{ .Values.featureGates }}
{{- end }}
+ {{- if .Values.maxConcurrentChallenges }}
+ - --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
+ {{- end }}
ports:
- containerPort: 9402
name: http-metrics
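Review bot: `{{- if .Values.maxConcurrentChallenges }}` relies on Go-template truthiness, so an explicit `maxConcurrentChallenges: 0` is indistinguishable from unset and the flag is silently dropped; if `0` is meaningful to `--max-concurrent-challenges` (not determinable from this hunk), users cannot pass it. Together with the new default of `60` in values.yaml the flag is now always emitted, whereas the deployment previously relied on the controller's built-in default — harmless if both are 60, but worth stating in the chart README. Prefer a nil test so that only an unset value omits the flag, e.g. `{{- if not (kindIs "invalid" .Values.maxConcurrentChallenges) }}`, or document in values.yaml that `0` omits the flag.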
diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 2c5f13b12aa..30cc6a94f40 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -64,6 +64,9 @@ strategy: {}
# controller pod & webhook pod.
featureGates: ""
+# The maximum number of challenges that can be scheduled as 'processing' at once
+maxConcurrentChallenges: 60
+
image:
repository: quay.io/jetstack/cert-manager-controller
# You can manage a registry with
From c99c147059d10271e4c27c59d197ed260bfb0fdc Mon Sep 17 00:00:00 2001
From: Luca Comellini
Date: Fri, 9 Dec 2022 10:06:37 -0800
Subject: [PATCH 0068/1253] Bump k8s.io deps to v0.26.0
Signed-off-by: Luca Comellini
---
LICENSES | 246 ------------------
go.mod | 121 ++++-----
go.sum | 225 ++++++++--------
make/tools.mk | 4 +-
pkg/client/clientset/versioned/clientset.go | 3 +-
.../informers/externalversions/factory.go | 79 +++++-
6 files changed, 248 insertions(+), 430 deletions(-)
delete mode 100644 LICENSES
diff --git a/LICENSES b/LICENSES
deleted file mode 100644
index cb8ecad1de3..00000000000
--- a/LICENSES
+++ /dev/null
@@ -1,246 +0,0 @@
-cloud.google.com/go/compute/metadata,https://github.com/googleapis/google-cloud-go/blob/compute/v1.7.0/compute/LICENSE,Apache-2.0
-github.com/Azure/azure-sdk-for-go,https://github.com/Azure/azure-sdk-for-go/blob/v66.0.0/LICENSE.txt,MIT
-github.com/Azure/go-autorest/autorest,https://github.com/Azure/go-autorest/blob/autorest/v0.11.28/autorest/LICENSE,Apache-2.0
-github.com/Azure/go-autorest/autorest/adal,https://github.com/Azure/go-autorest/blob/autorest/adal/v0.9.21/autorest/adal/LICENSE,Apache-2.0
-github.com/Azure/go-autorest/autorest/date,https://github.com/Azure/go-autorest/blob/autorest/date/v0.3.0/autorest/date/LICENSE,Apache-2.0
-github.com/Azure/go-autorest/autorest/to,https://github.com/Azure/go-autorest/blob/autorest/to/v0.4.0/autorest/to/LICENSE,Apache-2.0
-github.com/Azure/go-autorest/autorest/validation,https://github.com/Azure/go-autorest/blob/autorest/validation/v0.3.1/autorest/validation/LICENSE,Apache-2.0
-github.com/Azure/go-autorest/logger,https://github.com/Azure/go-autorest/blob/logger/v0.2.1/logger/LICENSE,Apache-2.0
-github.com/Azure/go-autorest/tracing,https://github.com/Azure/go-autorest/blob/tracing/v0.6.0/tracing/LICENSE,Apache-2.0
-github.com/Azure/go-ntlmssp,https://github.com/Azure/go-ntlmssp/blob/cb9428e4ac1e/LICENSE,MIT
-github.com/BurntSushi/toml,https://github.com/BurntSushi/toml/blob/v1.1.0/COPYING,MIT
-github.com/MakeNowJust/heredoc,https://github.com/MakeNowJust/heredoc/blob/v1.0.0/LICENSE,MIT
-github.com/Masterminds/goutils,https://github.com/Masterminds/goutils/blob/v1.1.1/LICENSE.txt,Apache-2.0
-github.com/Masterminds/semver/v3,https://github.com/Masterminds/semver/blob/v3.1.1/LICENSE.txt,MIT
-github.com/Masterminds/sprig/v3,https://github.com/Masterminds/sprig/blob/v3.2.2/LICENSE.txt,MIT
-github.com/Masterminds/squirrel,https://github.com/Masterminds/squirrel/blob/v1.5.3/LICENSE.txt,MIT
-github.com/NYTimes/gziphandler,https://github.com/NYTimes/gziphandler/blob/v1.1.1/LICENSE,Apache-2.0
-github.com/PuerkitoBio/purell,https://github.com/PuerkitoBio/purell/blob/v1.1.1/LICENSE,BSD-3-Clause
-github.com/PuerkitoBio/urlesc,https://github.com/PuerkitoBio/urlesc/blob/de5bf2ad4578/LICENSE,BSD-3-Clause
-github.com/Venafi/vcert/v4,https://github.com/Venafi/vcert/blob/v4.22.1/LICENSE,Apache-2.0
-github.com/akamai/AkamaiOPEN-edgegrid-golang,https://github.com/akamai/AkamaiOPEN-edgegrid-golang/blob/v1.2.1/LICENSE,Apache-2.0
-github.com/armon/go-metrics,https://github.com/armon/go-metrics/blob/v0.3.9/LICENSE,MIT
-github.com/armon/go-radix,https://github.com/armon/go-radix/blob/v1.0.0/LICENSE,MIT
-github.com/asaskevich/govalidator,https://github.com/asaskevich/govalidator/blob/21a406dcc535/LICENSE,MIT
-github.com/aws/aws-sdk-go,https://github.com/aws/aws-sdk-go/blob/v1.44.105/LICENSE.txt,Apache-2.0
-github.com/aws/aws-sdk-go/internal/sync/singleflight,https://github.com/aws/aws-sdk-go/blob/v1.44.105/internal/sync/singleflight/LICENSE,BSD-3-Clause
-github.com/beorn7/perks/quantile,https://github.com/beorn7/perks/blob/v1.0.1/LICENSE,MIT
-github.com/blang/semver/v4,https://github.com/blang/semver/blob/v4.0.0/v4/LICENSE,MIT
-github.com/cenkalti/backoff/v3,https://github.com/cenkalti/backoff/blob/v3.0.0/LICENSE,MIT
-github.com/cert-manager/cert-manager,https://github.com/cert-manager/cert-manager/blob/HEAD/LICENSE,Apache-2.0
-github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/azuredns,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/azuredns/LICENSE,MIT
-github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/clouddns,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/clouddns/LICENSE,MIT
-github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/cloudflare,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/cloudflare/LICENSE,MIT
-github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/route53,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/route53/LICENSE,MIT
-github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/util/LICENSE,MIT
-github.com/cespare/xxhash/v2,https://github.com/cespare/xxhash/blob/v2.1.2/LICENSE.txt,MIT
-github.com/chai2010/gettext-go,https://github.com/chai2010/gettext-go/blob/v1.0.2/LICENSE,BSD-3-Clause
-github.com/cloudflare/cloudflare-go,https://github.com/cloudflare/cloudflare-go/blob/v0.50.0/LICENSE,BSD-3-Clause
-github.com/containerd/containerd,https://github.com/containerd/containerd/blob/v1.6.6/LICENSE,Apache-2.0
-github.com/coreos/go-semver/semver,https://github.com/coreos/go-semver/blob/v0.3.0/LICENSE,Apache-2.0
-github.com/coreos/go-systemd/v22,https://github.com/coreos/go-systemd/blob/v22.3.2/LICENSE,Apache-2.0
-github.com/cpu/goacmedns,https://github.com/cpu/goacmedns/blob/v0.1.1/LICENSE,MIT
-github.com/cpuguy83/go-md2man/v2/md2man,https://github.com/cpuguy83/go-md2man/blob/v2.0.2/LICENSE.md,MIT
-github.com/cyphar/filepath-securejoin,https://github.com/cyphar/filepath-securejoin/blob/v0.2.3/LICENSE,BSD-3-Clause
-github.com/davecgh/go-spew/spew,https://github.com/davecgh/go-spew/blob/v1.1.1/LICENSE,ISC
-github.com/digitalocean/godo,https://github.com/digitalocean/godo/blob/v1.86.0/LICENSE.txt,MIT
-github.com/docker/cli/cli/config,https://github.com/docker/cli/blob/v20.10.17/LICENSE,Apache-2.0
-github.com/docker/distribution,https://github.com/docker/distribution/blob/v2.8.1/LICENSE,Apache-2.0
-github.com/docker/docker,https://github.com/docker/docker/blob/v20.10.17/LICENSE,Apache-2.0
-github.com/docker/docker-credential-helpers,https://github.com/docker/docker-credential-helpers/blob/v0.6.4/LICENSE,MIT
-github.com/docker/go-connections,https://github.com/docker/go-connections/blob/v0.4.0/LICENSE,Apache-2.0
-github.com/docker/go-metrics,https://github.com/docker/go-metrics/blob/v0.0.1/LICENSE,Apache-2.0
-github.com/docker/go-units,https://github.com/docker/go-units/blob/v0.4.0/LICENSE,Apache-2.0
-github.com/emicklei/go-restful/v3,https://github.com/emicklei/go-restful/blob/v3.8.0/LICENSE,MIT
-github.com/evanphx/json-patch,https://github.com/evanphx/json-patch/blob/v5.6.0/LICENSE,BSD-3-Clause
-github.com/evanphx/json-patch/v5,https://github.com/evanphx/json-patch/blob/v5.6.0/v5/LICENSE,BSD-3-Clause
-github.com/exponent-io/jsonpath,https://github.com/exponent-io/jsonpath/blob/d6023ce2651d/LICENSE,MIT
-github.com/fatih/camelcase,https://github.com/fatih/camelcase/blob/v1.0.0/LICENSE.md,MIT
-github.com/fatih/color,https://github.com/fatih/color/blob/v1.13.0/LICENSE.md,MIT
-github.com/felixge/httpsnoop,https://github.com/felixge/httpsnoop/blob/v1.0.1/LICENSE.txt,MIT
-github.com/fsnotify/fsnotify,https://github.com/fsnotify/fsnotify/blob/v1.5.4/LICENSE,BSD-3-Clause
-github.com/go-asn1-ber/asn1-ber,https://github.com/go-asn1-ber/asn1-ber/blob/v1.5.4/LICENSE,MIT
-github.com/go-errors/errors,https://github.com/go-errors/errors/blob/v1.0.1/LICENSE.MIT,MIT
-github.com/go-gorp/gorp/v3,https://github.com/go-gorp/gorp/blob/v3.0.2/LICENSE,MIT
-github.com/go-ldap/ldap/v3,https://github.com/go-ldap/ldap/blob/v3.4.4/v3/LICENSE,MIT
-github.com/go-logr/logr,https://github.com/go-logr/logr/blob/v1.2.3/LICENSE,Apache-2.0
-github.com/go-openapi/jsonpointer,https://github.com/go-openapi/jsonpointer/blob/v0.19.5/LICENSE,Apache-2.0
-github.com/go-openapi/jsonreference,https://github.com/go-openapi/jsonreference/blob/v0.19.5/LICENSE,Apache-2.0
-github.com/go-openapi/swag,https://github.com/go-openapi/swag/blob/v0.19.14/LICENSE,Apache-2.0
-github.com/gobwas/glob,https://github.com/gobwas/glob/blob/v0.2.3/LICENSE,MIT
-github.com/gogo/protobuf,https://github.com/gogo/protobuf/blob/v1.3.2/LICENSE,BSD-3-Clause
-github.com/golang-jwt/jwt/v4,https://github.com/golang-jwt/jwt/blob/v4.2.0/LICENSE,MIT
-github.com/golang/groupcache/lru,https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE,Apache-2.0
-github.com/golang/protobuf,https://github.com/golang/protobuf/blob/v1.5.2/LICENSE,BSD-3-Clause
-github.com/golang/snappy,https://github.com/golang/snappy/blob/v0.0.4/LICENSE,BSD-3-Clause
-github.com/google/btree,https://github.com/google/btree/blob/v1.0.1/LICENSE,Apache-2.0
-github.com/google/gnostic,https://github.com/google/gnostic/blob/v0.6.9/LICENSE,Apache-2.0
-github.com/google/go-cmp/cmp,https://github.com/google/go-cmp/blob/v0.5.8/LICENSE,BSD-3-Clause
-github.com/google/go-querystring/query,https://github.com/google/go-querystring/blob/v1.1.0/LICENSE,BSD-3-Clause
-github.com/google/gofuzz,https://github.com/google/gofuzz/blob/v1.2.0/LICENSE,Apache-2.0
-github.com/google/shlex,https://github.com/google/shlex/blob/e7afc7fbc510/COPYING,Apache-2.0
-github.com/google/uuid,https://github.com/google/uuid/blob/v1.3.0/LICENSE,BSD-3-Clause
-github.com/googleapis/enterprise-certificate-proxy/client,https://github.com/googleapis/enterprise-certificate-proxy/blob/v0.1.0/LICENSE,Apache-2.0
-github.com/googleapis/gax-go/v2,https://github.com/googleapis/gax-go/blob/v2.4.0/v2/LICENSE,BSD-3-Clause
-github.com/gorilla/mux,https://github.com/gorilla/mux/blob/v1.8.0/LICENSE,BSD-3-Clause
-github.com/gosuri/uitable,https://github.com/gosuri/uitable/blob/v0.0.4/LICENSE,MIT
-github.com/gosuri/uitable/util/wordwrap,https://github.com/gosuri/uitable/blob/v0.0.4/util/wordwrap/LICENSE.md,MIT
-github.com/gregjones/httpcache,https://github.com/gregjones/httpcache/blob/9cad4c3443a7/LICENSE.txt,MIT
-github.com/grpc-ecosystem/go-grpc-prometheus,https://github.com/grpc-ecosystem/go-grpc-prometheus/blob/v1.2.0/LICENSE,Apache-2.0
-github.com/grpc-ecosystem/grpc-gateway,https://github.com/grpc-ecosystem/grpc-gateway/blob/v1.16.0/LICENSE.txt,BSD-3-Clause
-github.com/hashicorp/errwrap,https://github.com/hashicorp/errwrap/blob/v1.1.0/LICENSE,MPL-2.0
-github.com/hashicorp/go-cleanhttp,https://github.com/hashicorp/go-cleanhttp/blob/v0.5.2/LICENSE,MPL-2.0
-github.com/hashicorp/go-hclog,https://github.com/hashicorp/go-hclog/blob/v1.2.0/LICENSE,MIT
-github.com/hashicorp/go-immutable-radix,https://github.com/hashicorp/go-immutable-radix/blob/v1.3.1/LICENSE,MPL-2.0
-github.com/hashicorp/go-multierror,https://github.com/hashicorp/go-multierror/blob/v1.1.1/LICENSE,MPL-2.0
-github.com/hashicorp/go-plugin,https://github.com/hashicorp/go-plugin/blob/v1.4.3/LICENSE,MPL-2.0
-github.com/hashicorp/go-retryablehttp,https://github.com/hashicorp/go-retryablehttp/blob/v0.7.1/LICENSE,MPL-2.0
-github.com/hashicorp/go-rootcerts,https://github.com/hashicorp/go-rootcerts/blob/v1.0.2/LICENSE,MPL-2.0
-github.com/hashicorp/go-secure-stdlib/mlock,https://github.com/hashicorp/go-secure-stdlib/blob/mlock/v0.1.1/mlock/LICENSE,MPL-2.0
-github.com/hashicorp/go-secure-stdlib/parseutil,https://github.com/hashicorp/go-secure-stdlib/blob/parseutil/v0.1.6/parseutil/LICENSE,MPL-2.0
-github.com/hashicorp/go-secure-stdlib/strutil,https://github.com/hashicorp/go-secure-stdlib/blob/strutil/v0.1.2/strutil/LICENSE,MPL-2.0
-github.com/hashicorp/go-sockaddr,https://github.com/hashicorp/go-sockaddr/blob/v1.0.2/LICENSE,MPL-2.0
-github.com/hashicorp/go-uuid,https://github.com/hashicorp/go-uuid/blob/v1.0.2/LICENSE,MPL-2.0
-github.com/hashicorp/go-version,https://github.com/hashicorp/go-version/blob/v1.2.0/LICENSE,MPL-2.0
-github.com/hashicorp/golang-lru,https://github.com/hashicorp/golang-lru/blob/v0.5.4/LICENSE,MPL-2.0
-github.com/hashicorp/hcl,https://github.com/hashicorp/hcl/blob/v1.0.0/LICENSE,MPL-2.0
-github.com/hashicorp/vault/api,https://github.com/hashicorp/vault/blob/api/v1.8.0/api/LICENSE,MPL-2.0
-github.com/hashicorp/vault/sdk,https://github.com/hashicorp/vault/blob/sdk/v0.6.0/sdk/LICENSE,MPL-2.0
-github.com/hashicorp/yamux,https://github.com/hashicorp/yamux/blob/3520598351bb/LICENSE,MPL-2.0
-github.com/huandu/xstrings,https://github.com/huandu/xstrings/blob/v1.3.2/LICENSE,MIT
-github.com/imdario/mergo,https://github.com/imdario/mergo/blob/v0.3.12/LICENSE,BSD-3-Clause
-github.com/jmespath/go-jmespath,https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE,Apache-2.0
-github.com/jmoiron/sqlx,https://github.com/jmoiron/sqlx/blob/v1.3.5/LICENSE,MIT
-github.com/josharian/intern,https://github.com/josharian/intern/blob/v1.0.0/license.md,MIT
-github.com/json-iterator/go,https://github.com/json-iterator/go/blob/v1.1.12/LICENSE,MIT
-github.com/klauspost/compress,https://github.com/klauspost/compress/blob/v1.13.6/LICENSE,Apache-2.0
-github.com/klauspost/compress/internal/snapref,https://github.com/klauspost/compress/blob/v1.13.6/internal/snapref/LICENSE,BSD-3-Clause
-github.com/klauspost/compress/zstd/internal/xxhash,https://github.com/klauspost/compress/blob/v1.13.6/zstd/internal/xxhash/LICENSE.txt,MIT
-github.com/kr/pretty,https://github.com/kr/pretty/blob/v0.3.0/License,MIT
-github.com/kr/text,https://github.com/kr/text/blob/v0.2.0/License,MIT
-github.com/lann/builder,https://github.com/lann/builder/blob/47ae307949d0/LICENSE,MIT
-github.com/lann/ps,https://github.com/lann/ps/blob/62de8c46ede0/LICENSE,MIT
-github.com/lib/pq,https://github.com/lib/pq/blob/v1.10.6/LICENSE.md,MIT
-github.com/liggitt/tabwriter,https://github.com/liggitt/tabwriter/blob/89fcab3d43de/LICENSE,BSD-3-Clause
-github.com/mailru/easyjson,https://github.com/mailru/easyjson/blob/v0.7.6/LICENSE,MIT
-github.com/mattn/go-colorable,https://github.com/mattn/go-colorable/blob/v0.1.12/LICENSE,MIT
-github.com/mattn/go-isatty,https://github.com/mattn/go-isatty/blob/v0.0.14/LICENSE,MIT
-github.com/mattn/go-runewidth,https://github.com/mattn/go-runewidth/blob/v0.0.13/LICENSE,MIT
-github.com/matttproud/golang_protobuf_extensions/pbutil,https://github.com/matttproud/golang_protobuf_extensions/blob/c182affec369/LICENSE,Apache-2.0
-github.com/miekg/dns,https://github.com/miekg/dns/blob/v1.1.50/LICENSE,BSD-3-Clause
-github.com/mitchellh/copystructure,https://github.com/mitchellh/copystructure/blob/v1.2.0/LICENSE,MIT
-github.com/mitchellh/go-homedir,https://github.com/mitchellh/go-homedir/blob/v1.1.0/LICENSE,MIT
-github.com/mitchellh/go-testing-interface,https://github.com/mitchellh/go-testing-interface/blob/v1.0.0/LICENSE,MIT
-github.com/mitchellh/go-wordwrap,https://github.com/mitchellh/go-wordwrap/blob/v1.0.0/LICENSE.md,MIT
-github.com/mitchellh/mapstructure,https://github.com/mitchellh/mapstructure/blob/v1.5.0/LICENSE,MIT
-github.com/mitchellh/reflectwalk,https://github.com/mitchellh/reflectwalk/blob/v1.0.2/LICENSE,MIT
-github.com/moby/locker,https://github.com/moby/locker/blob/v1.0.1/LICENSE,Apache-2.0
-github.com/moby/spdystream,https://github.com/moby/spdystream/blob/v0.2.0/LICENSE,Apache-2.0
-github.com/moby/term,https://github.com/moby/term/blob/3f7ff695adc6/LICENSE,Apache-2.0
-github.com/modern-go/concurrent,https://github.com/modern-go/concurrent/blob/bacd9c7ef1dd/LICENSE,Apache-2.0
-github.com/modern-go/reflect2,https://github.com/modern-go/reflect2/blob/v1.0.2/LICENSE,Apache-2.0
-github.com/monochromegane/go-gitignore,https://github.com/monochromegane/go-gitignore/blob/205db1a8cc00/LICENSE,MIT
-github.com/morikuni/aec,https://github.com/morikuni/aec/blob/v1.0.0/LICENSE,MIT
-github.com/munnerz/goautoneg,https://github.com/munnerz/goautoneg/blob/a7dc8b61c822/LICENSE,BSD-3-Clause
-github.com/oklog/run,https://github.com/oklog/run/blob/v1.0.0/LICENSE,Apache-2.0
-github.com/onsi/ginkgo/v2,https://github.com/onsi/ginkgo/blob/v2.2.0/LICENSE,MIT
-github.com/onsi/gomega,https://github.com/onsi/gomega/blob/v1.20.2/LICENSE,MIT
-github.com/opencontainers/go-digest,https://github.com/opencontainers/go-digest/blob/v1.0.0/LICENSE,Apache-2.0
-github.com/opencontainers/image-spec/specs-go,https://github.com/opencontainers/image-spec/blob/c5a74bcca799/LICENSE,Apache-2.0
-github.com/patrickmn/go-cache,https://github.com/patrickmn/go-cache/blob/v2.1.0/LICENSE,MIT
-github.com/pavlo-v-chernykh/keystore-go/v4,https://github.com/pavlo-v-chernykh/keystore-go/blob/v4.4.0/LICENSE,MIT
-github.com/peterbourgon/diskv,https://github.com/peterbourgon/diskv/blob/v2.0.1/LICENSE,MIT
-github.com/pierrec/lz4,https://github.com/pierrec/lz4/blob/v2.5.2/LICENSE,BSD-3-Clause
-github.com/pkg/errors,https://github.com/pkg/errors/blob/v0.9.1/LICENSE,BSD-2-Clause
-github.com/prometheus/client_golang/prometheus,https://github.com/prometheus/client_golang/blob/v1.13.0/LICENSE,Apache-2.0
-github.com/prometheus/client_model/go,https://github.com/prometheus/client_model/blob/v0.2.0/LICENSE,Apache-2.0
-github.com/prometheus/common,https://github.com/prometheus/common/blob/v0.37.0/LICENSE,Apache-2.0
-github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg,https://github.com/prometheus/common/blob/v0.37.0/internal/bitbucket.org/ww/goautoneg/README.txt,BSD-3-Clause
-github.com/prometheus/procfs,https://github.com/prometheus/procfs/blob/v0.8.0/LICENSE,Apache-2.0
-github.com/rivo/uniseg,https://github.com/rivo/uniseg/blob/v0.2.0/LICENSE.txt,MIT
-github.com/rogpeppe/go-internal/fmtsort,https://github.com/rogpeppe/go-internal/blob/v1.8.1/LICENSE,BSD-3-Clause
-github.com/rubenv/sql-migrate,https://github.com/rubenv/sql-migrate/blob/v1.1.2/LICENSE,MIT
-github.com/rubenv/sql-migrate/sqlparse,https://github.com/rubenv/sql-migrate/blob/v1.1.2/sqlparse/LICENSE,MIT
-github.com/russross/blackfriday,https://github.com/russross/blackfriday/blob/v1.5.2/LICENSE.txt,BSD-2-Clause
-github.com/russross/blackfriday/v2,https://github.com/russross/blackfriday/blob/v2.1.0/LICENSE.txt,BSD-2-Clause
-github.com/ryanuber/go-glob,https://github.com/ryanuber/go-glob/blob/v1.0.0/LICENSE,MIT
-github.com/sergi/go-diff/diffmatchpatch,https://github.com/sergi/go-diff/blob/v1.2.0/LICENSE,MIT
-github.com/shopspring/decimal,https://github.com/shopspring/decimal/blob/v1.2.0/LICENSE,MIT
-github.com/sirupsen/logrus,https://github.com/sirupsen/logrus/blob/v1.8.1/LICENSE,MIT
-github.com/spf13/cast,https://github.com/spf13/cast/blob/v1.4.1/LICENSE,MIT
-github.com/spf13/cobra,https://github.com/spf13/cobra/blob/v1.5.0/LICENSE.txt,Apache-2.0
-github.com/spf13/pflag,https://github.com/spf13/pflag/blob/v1.0.5/LICENSE,BSD-3-Clause
-github.com/xeipuuv/gojsonpointer,https://github.com/xeipuuv/gojsonpointer/blob/4e3ac2762d5f/LICENSE-APACHE-2.0.txt,Apache-2.0
-github.com/xeipuuv/gojsonreference,https://github.com/xeipuuv/gojsonreference/blob/bd5ef7bd5415/LICENSE-APACHE-2.0.txt,Apache-2.0
-github.com/xeipuuv/gojsonschema,https://github.com/xeipuuv/gojsonschema/blob/v1.2.0/LICENSE-APACHE-2.0.txt,Apache-2.0
-github.com/xlab/treeprint,https://github.com/xlab/treeprint/blob/v1.1.0/LICENSE,MIT
-github.com/youmark/pkcs8,https://github.com/youmark/pkcs8/blob/1326539a0a0a/LICENSE,MIT
-go.etcd.io/etcd/api/v3,https://github.com/etcd-io/etcd/blob/api/v3.5.4/api/LICENSE,Apache-2.0
-go.etcd.io/etcd/client/pkg/v3,https://github.com/etcd-io/etcd/blob/client/pkg/v3.5.4/client/pkg/LICENSE,Apache-2.0
-go.etcd.io/etcd/client/v3,https://github.com/etcd-io/etcd/blob/client/v3.5.4/client/v3/LICENSE,Apache-2.0
-go.opencensus.io,https://github.com/census-instrumentation/opencensus-go/blob/v0.23.0/LICENSE,Apache-2.0
-go.opentelemetry.io/contrib,https://github.com/open-telemetry/opentelemetry-go-contrib/blob/v0.20.0/LICENSE,Apache-2.0
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc,https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.20.0/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE,Apache-2.0
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/net/http/otelhttp/v0.20.0/instrumentation/net/http/otelhttp/LICENSE,Apache-2.0
-go.opentelemetry.io/otel,https://github.com/open-telemetry/opentelemetry-go/blob/v0.20.0/LICENSE,Apache-2.0
-go.opentelemetry.io/otel/exporters/otlp,https://github.com/open-telemetry/opentelemetry-go/blob/exporters/otlp/v0.20.0/exporters/otlp/LICENSE,Apache-2.0
-go.opentelemetry.io/otel/metric,https://github.com/open-telemetry/opentelemetry-go/blob/metric/v0.20.0/metric/LICENSE,Apache-2.0
-go.opentelemetry.io/otel/sdk,https://github.com/open-telemetry/opentelemetry-go/blob/sdk/v0.20.0/sdk/LICENSE,Apache-2.0
-go.opentelemetry.io/otel/sdk/export/metric,https://github.com/open-telemetry/opentelemetry-go/blob/sdk/export/metric/v0.20.0/sdk/export/metric/LICENSE,Apache-2.0
-go.opentelemetry.io/otel/sdk/metric,https://github.com/open-telemetry/opentelemetry-go/blob/sdk/metric/v0.20.0/sdk/metric/LICENSE,Apache-2.0
-go.opentelemetry.io/otel/trace,https://github.com/open-telemetry/opentelemetry-go/blob/trace/v0.20.0/trace/LICENSE,Apache-2.0
-go.opentelemetry.io/proto/otlp,https://github.com/open-telemetry/opentelemetry-proto-go/blob/otlp/v0.7.0/otlp/LICENSE,Apache-2.0
-go.starlark.net,https://github.com/google/starlark-go/blob/8dd3e2ee1dd5/LICENSE,BSD-3-Clause
-go.uber.org/atomic,https://github.com/uber-go/atomic/blob/v1.9.0/LICENSE.txt,MIT
-go.uber.org/multierr,https://github.com/uber-go/multierr/blob/v1.6.0/LICENSE.txt,MIT
-go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.21.0/LICENSE.txt,MIT
-golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/4ba4fb4d:LICENSE,BSD-3-Clause
-golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.4.0:LICENSE,BSD-3-Clause
-golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/f2134210:LICENSE,BSD-3-Clause
-golang.org/x/sync,https://cs.opensource.google/go/x/sync/+/7f9b1623:LICENSE,BSD-3-Clause
-golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/v0.3.0:LICENSE,BSD-3-Clause
-golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.3.0:LICENSE,BSD-3-Clause
-golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.5.0:LICENSE,BSD-3-Clause
-golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE,BSD-3-Clause
-gomodules.xyz/jsonpatch/v2,https://github.com/gomodules/jsonpatch/blob/v2.2.0/v2/LICENSE,Apache-2.0
-google.golang.org/api,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/LICENSE,BSD-3-Clause
-google.golang.org/api/internal/third_party/uritemplates,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/internal/third_party/uritemplates/LICENSE,BSD-3-Clause
-google.golang.org/genproto,https://github.com/googleapis/go-genproto/blob/8cd45d7dbd1f/LICENSE,Apache-2.0
-google.golang.org/grpc,https://github.com/grpc/grpc-go/blob/v1.47.0/LICENSE,Apache-2.0
-google.golang.org/protobuf,https://github.com/protocolbuffers/protobuf-go/blob/v1.28.1/LICENSE,BSD-3-Clause
-gopkg.in/inf.v0,https://github.com/go-inf/inf/blob/v0.9.1/LICENSE,BSD-3-Clause
-gopkg.in/ini.v1,https://github.com/go-ini/ini/blob/v1.62.0/LICENSE,Apache-2.0
-gopkg.in/natefinch/lumberjack.v2,https://github.com/natefinch/lumberjack/blob/v2.0.0/LICENSE,MIT
-gopkg.in/square/go-jose.v2,https://github.com/square/go-jose/blob/v2.5.1/LICENSE,Apache-2.0
-gopkg.in/square/go-jose.v2/json,https://github.com/square/go-jose/blob/v2.5.1/json/LICENSE,BSD-3-Clause
-gopkg.in/yaml.v2,https://github.com/go-yaml/yaml/blob/v2.4.0/LICENSE,Apache-2.0
-gopkg.in/yaml.v3,https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE,MIT
-helm.sh/helm/v3,https://github.com/helm/helm/blob/v3.10.0/LICENSE,Apache-2.0
-k8s.io/api,https://github.com/kubernetes/api/blob/v0.25.2/LICENSE,Apache-2.0
-k8s.io/apiextensions-apiserver/pkg,https://github.com/kubernetes/apiextensions-apiserver/blob/v0.25.2/LICENSE,Apache-2.0
-k8s.io/apimachinery/pkg,https://github.com/kubernetes/apimachinery/blob/v0.25.2/LICENSE,Apache-2.0
-k8s.io/apimachinery/third_party/forked/golang,https://github.com/kubernetes/apimachinery/blob/v0.25.2/third_party/forked/golang/LICENSE,BSD-3-Clause
-k8s.io/apiserver,https://github.com/kubernetes/apiserver/blob/v0.25.2/LICENSE,Apache-2.0
-k8s.io/cli-runtime/pkg,https://github.com/kubernetes/cli-runtime/blob/v0.25.2/LICENSE,Apache-2.0
-k8s.io/client-go,https://github.com/kubernetes/client-go/blob/v0.25.2/LICENSE,Apache-2.0
-k8s.io/client-go/third_party/forked/golang/template,https://github.com/kubernetes/client-go/blob/v0.25.2/third_party/forked/golang/LICENSE,BSD-3-Clause
-k8s.io/component-base,https://github.com/kubernetes/component-base/blob/v0.25.2/LICENSE,Apache-2.0
-k8s.io/klog/v2,https://github.com/kubernetes/klog/blob/v2.80.1/LICENSE,Apache-2.0
-k8s.io/kube-aggregator/pkg/apis/apiregistration,https://github.com/kubernetes/kube-aggregator/blob/v0.25.2/LICENSE,Apache-2.0
-k8s.io/kube-openapi/pkg,https://github.com/kubernetes/kube-openapi/blob/a70c9af30aea/LICENSE,Apache-2.0
-k8s.io/kube-openapi/pkg/validation/spec,https://github.com/kubernetes/kube-openapi/blob/a70c9af30aea/pkg/validation/spec/LICENSE,Apache-2.0
-k8s.io/kubectl/pkg,https://github.com/kubernetes/kubectl/blob/v0.25.2/LICENSE,Apache-2.0
-k8s.io/utils,https://github.com/kubernetes/utils/blob/665eaaec4324/LICENSE,Apache-2.0
-k8s.io/utils/internal/third_party/forked/golang,https://github.com/kubernetes/utils/blob/665eaaec4324/internal/third_party/forked/golang/LICENSE,BSD-3-Clause
-oras.land/oras-go/pkg,https://github.com/oras-project/oras-go/blob/v1.2.0/LICENSE,Apache-2.0
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client,https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/konnectivity-client/v0.0.32/konnectivity-client/LICENSE,Apache-2.0
-sigs.k8s.io/controller-runtime,https://github.com/kubernetes-sigs/controller-runtime/blob/v0.13.0/LICENSE,Apache-2.0
-sigs.k8s.io/gateway-api,https://github.com/kubernetes-sigs/gateway-api/blob/v0.5.0/LICENSE,Apache-2.0
-sigs.k8s.io/json,https://github.com/kubernetes-sigs/json/blob/f223a00ba0e2/LICENSE,Apache-2.0
-sigs.k8s.io/kustomize/api,https://github.com/kubernetes-sigs/kustomize/blob/api/v0.12.1/api/LICENSE,Apache-2.0
-sigs.k8s.io/kustomize/kyaml,https://github.com/kubernetes-sigs/kustomize/blob/kyaml/v0.13.9/kyaml/LICENSE,Apache-2.0
-sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/go-yaml/yaml,https://github.com/kubernetes-sigs/kustomize/blob/kyaml/v0.13.9/kyaml/internal/forked/github.com/go-yaml/yaml/LICENSE,MIT
-sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/qri-io/starlib/util,https://github.com/kubernetes-sigs/kustomize/blob/kyaml/v0.13.9/kyaml/internal/forked/github.com/qri-io/starlib/util/LICENSE,MIT
-sigs.k8s.io/structured-merge-diff/v4,https://github.com/kubernetes-sigs/structured-merge-diff/blob/v4.2.3/LICENSE,Apache-2.0
-sigs.k8s.io/yaml,https://github.com/kubernetes-sigs/yaml/blob/v1.3.0/LICENSE,MIT
-software.sslmate.com/src/go-pkcs12,https://github.com/SSLMate/go-pkcs12/blob/v0.2.0/LICENSE,BSD-3-Clause
diff --git a/go.mod b/go.mod
index 562f54d1737..b80a6462317 100644
--- a/go.mod
+++ b/go.mod
@@ -23,36 +23,36 @@ require (
github.com/miekg/dns v1.1.50
github.com/mitchellh/go-homedir v1.1.0
github.com/munnerz/crd-schema-fuzz v1.0.0
- github.com/onsi/ginkgo/v2 v2.2.0
- github.com/onsi/gomega v1.20.2
+ github.com/onsi/ginkgo/v2 v2.4.0
+ github.com/onsi/gomega v1.23.0
github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0
github.com/pkg/errors v0.9.1
- github.com/prometheus/client_golang v1.13.0
+ github.com/prometheus/client_golang v1.14.0
github.com/segmentio/encoding v0.3.5
github.com/sergi/go-diff v1.2.0
- github.com/spf13/cobra v1.5.0
+ github.com/spf13/cobra v1.6.0
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.8.0
- golang.org/x/crypto v0.0.0-20220924013350-4ba4fb4dd9e7
+ golang.org/x/crypto v0.1.0
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7
gomodules.xyz/jsonpatch/v2 v2.2.0
google.golang.org/api v0.97.0
helm.sh/helm/v3 v3.10.0
- k8s.io/api v0.25.2
- k8s.io/apiextensions-apiserver v0.25.2
- k8s.io/apimachinery v0.25.2
- k8s.io/apiserver v0.25.2
- k8s.io/cli-runtime v0.25.2
- k8s.io/client-go v0.25.2
- k8s.io/code-generator v0.25.2
- k8s.io/component-base v0.25.2
+ k8s.io/api v0.26.0
+ k8s.io/apiextensions-apiserver v0.26.0
+ k8s.io/apimachinery v0.26.0
+ k8s.io/apiserver v0.26.0
+ k8s.io/cli-runtime v0.26.0
+ k8s.io/client-go v0.26.0
+ k8s.io/code-generator v0.26.0
+ k8s.io/component-base v0.26.0
k8s.io/klog/v2 v2.80.1
- k8s.io/kube-aggregator v0.25.2
- k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea
- k8s.io/kubectl v0.25.2
- k8s.io/utils v0.0.0-20220922133306-665eaaec4324
- sigs.k8s.io/controller-runtime v0.13.0
+ k8s.io/kube-aggregator v0.26.0
+ k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715
+ k8s.io/kubectl v0.26.0
+ k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
+ sigs.k8s.io/controller-runtime v0.13.1
sigs.k8s.io/controller-tools v0.10.0
sigs.k8s.io/gateway-api v0.5.0
sigs.k8s.io/structured-merge-diff/v4 v4.2.3
@@ -76,14 +76,14 @@ require (
github.com/Masterminds/sprig/v3 v3.2.2 // indirect
github.com/Masterminds/squirrel v1.5.3 // indirect
github.com/NYTimes/gziphandler v1.1.1 // indirect
- github.com/PuerkitoBio/purell v1.1.1 // indirect
- github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+ github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
github.com/armon/go-metrics v0.3.9 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v3 v3.0.0 // indirect
+ github.com/cenkalti/backoff/v4 v4.1.3 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/containerd/containerd v1.6.6 // indirect
@@ -99,19 +99,20 @@ require (
github.com/docker/go-connections v0.4.0 // indirect
github.com/docker/go-metrics v0.0.1 // indirect
github.com/docker/go-units v0.4.0 // indirect
- github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+ github.com/emicklei/go-restful/v3 v3.9.0 // indirect
github.com/evanphx/json-patch v5.6.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
github.com/fatih/camelcase v1.0.0 // indirect
github.com/fatih/color v1.13.0 // indirect
- github.com/felixge/httpsnoop v1.0.1 // indirect
- github.com/fsnotify/fsnotify v1.5.4 // indirect
+ github.com/felixge/httpsnoop v1.0.3 // indirect
+ github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
github.com/go-errors/errors v1.0.1 // indirect
github.com/go-gorp/gorp/v3 v3.0.2 // indirect
+ github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
- github.com/go-openapi/jsonreference v0.19.5 // indirect
+ github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
github.com/gobuffalo/flect v0.2.5 // indirect
@@ -122,7 +123,8 @@ require (
github.com/golang/protobuf v1.5.2 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/btree v1.0.1 // indirect
- github.com/google/go-cmp v0.5.8 // indirect
+ github.com/google/cel-go v0.12.5 // indirect
+ github.com/google/go-cmp v0.5.9 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
@@ -133,7 +135,7 @@ require (
github.com/gosuri/uitable v0.0.4 // indirect
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
- github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
+ github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-hclog v1.2.0 // indirect
@@ -153,7 +155,7 @@ require (
github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
github.com/huandu/xstrings v1.3.2 // indirect
github.com/imdario/mergo v0.3.12 // indirect
- github.com/inconshreveable/mousetrap v1.0.0 // indirect
+ github.com/inconshreveable/mousetrap v1.0.1 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/jmoiron/sqlx v1.3.5 // indirect
github.com/josharian/intern v1.0.0 // indirect
@@ -168,7 +170,7 @@ require (
github.com/mattn/go-colorable v0.1.12 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/mattn/go-runewidth v0.0.13 // indirect
- github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+ github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-testing-interface v1.0.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.0 // indirect
@@ -176,7 +178,7 @@ require (
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/locker v1.0.1 // indirect
github.com/moby/spdystream v0.2.0 // indirect
- github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+ github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
@@ -189,54 +191,53 @@ require (
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pierrec/lz4 v2.5.2+incompatible // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
- github.com/prometheus/client_model v0.2.0 // indirect
+ github.com/prometheus/client_model v0.3.0 // indirect
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/rogpeppe/go-internal v1.8.1 // indirect
github.com/rubenv/sql-migrate v1.1.2 // indirect
- github.com/russross/blackfriday v1.5.2 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/segmentio/asm v1.1.3 // indirect
github.com/shopspring/decimal v1.2.0 // indirect
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/spf13/cast v1.4.1 // indirect
+ github.com/stoewer/go-strcase v1.2.0 // indirect
github.com/stretchr/objx v0.4.0 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
github.com/xlab/treeprint v1.1.0 // indirect
github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a // indirect
- go.etcd.io/etcd/api/v3 v3.5.4 // indirect
- go.etcd.io/etcd/client/pkg/v3 v3.5.4 // indirect
- go.etcd.io/etcd/client/v3 v3.5.4 // indirect
+ go.etcd.io/etcd/api/v3 v3.5.5 // indirect
+ go.etcd.io/etcd/client/pkg/v3 v3.5.5 // indirect
+ go.etcd.io/etcd/client/v3 v3.5.5 // indirect
go.opencensus.io v0.23.0 // indirect
- go.opentelemetry.io/contrib v0.20.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0 // indirect
- go.opentelemetry.io/otel v1.3.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp v0.20.0 // indirect
- go.opentelemetry.io/otel/metric v0.20.0 // indirect
- go.opentelemetry.io/otel/sdk v1.3.0 // indirect
- go.opentelemetry.io/otel/sdk/export/metric v0.20.0 // indirect
- go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect
- go.opentelemetry.io/otel/trace v1.3.0 // indirect
- go.opentelemetry.io/proto/otlp v0.11.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0 // indirect
+ go.opentelemetry.io/otel v1.10.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0 // indirect
+ go.opentelemetry.io/otel/metric v0.31.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.10.0 // indirect
+ go.opentelemetry.io/otel/trace v1.10.0 // indirect
+ go.opentelemetry.io/proto/otlp v0.19.0 // indirect
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.6.0 // indirect
go.uber.org/zap v1.21.0 // indirect
- golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
- golang.org/x/net v0.4.0 // indirect
+ golang.org/x/mod v0.6.0 // indirect
+ golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
golang.org/x/sys v0.3.0 // indirect
golang.org/x/term v0.3.0 // indirect
golang.org/x/text v0.5.0 // indirect
golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
- golang.org/x/tools v0.1.12 // indirect
+ golang.org/x/tools v0.2.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
- google.golang.org/grpc v1.47.0 // indirect
+ google.golang.org/grpc v1.49.0 // indirect
google.golang.org/protobuf v1.28.1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.62.0 // indirect
@@ -244,27 +245,13 @@ require (
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
- k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 // indirect
+ k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect
+ k8s.io/kms v0.26.0 // indirect
oras.land/oras-go v1.2.0 // indirect
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.32 // indirect
+ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33 // indirect
sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
sigs.k8s.io/kustomize/api v0.12.1 // indirect
sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect
)
-replace (
- github.com/miekg/dns v1.1.41 => github.com/miekg/dns v1.1.34
-
- go.opentelemetry.io/contrib => go.opentelemetry.io/contrib v0.20.0
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0
- go.opentelemetry.io/otel => go.opentelemetry.io/otel v0.20.0
- go.opentelemetry.io/otel/exporters/otlp => go.opentelemetry.io/otel/exporters/otlp v0.20.0
- go.opentelemetry.io/otel/metric => go.opentelemetry.io/otel/metric v0.20.0
- go.opentelemetry.io/otel/oteltest => go.opentelemetry.io/otel/oteltest v0.20.0
- go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v0.20.0
- go.opentelemetry.io/otel/sdk/export/metric => go.opentelemetry.io/otel/sdk/export/metric v0.20.0
- go.opentelemetry.io/otel/sdk/metric => go.opentelemetry.io/otel/sdk/metric v0.20.0
- go.opentelemetry.io/otel/trace => go.opentelemetry.io/otel/trace v0.20.0
- go.opentelemetry.io/proto/otlp => go.opentelemetry.io/proto/otlp v0.7.0
-)
+replace github.com/miekg/dns v1.1.41 => github.com/miekg/dns v1.1.34
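Review bot: The surviving `replace github.com/miekg/dns v1.1.41 => github.com/miekg/dns v1.1.34` on the last line of this hunk still carries no comment explaining why a newer release is swapped for an older one, and the go.sum section of this same commit keeps hashes for `github.com/miekg/dns v1.1.50`, which suggests the selected version may already be above the one the replace targets. A replace that substitutes an older release is exactly the line a later dependency audit will question, so it should either be dropped if it no longer takes effect (check with `go list -m github.com/miekg/dns` and `go mod why -m github.com/miekg/dns`) or be annotated with a one-line reason such as `// pinned to v1.1.34: <reason and tracking issue>`. The removed opentelemetry pins appear to be matched by the corresponding go.sum deletions further down, so that part looks consistent.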
diff --git a/go.sum b/go.sum
index 44f6a18a14f..16ae9f7218f 100644
--- a/go.sum
+++ b/go.sum
@@ -117,10 +117,8 @@ github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMo
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
github.com/Venafi/vcert/v4 v4.22.1 h1:31A8mV0DAis5qn1cfUCU9eODjALNmZKKx9I9wDOIXZM=
@@ -135,6 +133,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves=
+github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -150,7 +150,6 @@ github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
github.com/aws/aws-sdk-go v1.44.105 h1:UUwoD1PRKIj3ltrDUYTDQj5fOTK3XsnqolLpRTMmSEM=
github.com/aws/aws-sdk-go v1.44.105/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -170,6 +169,8 @@ github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembj
github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o=
github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3eG1c=
github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
+github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8UtC4=
+github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -263,8 +264,8 @@ github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7fo
github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/emicklei/go-restful/v3 v3.8.0 h1:eCZ8ulSerjdAiaNpF7GxXIE7ZCMo1moN1qX+S609eVw=
-github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
+github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -289,15 +290,15 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv
github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
-github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
-github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
+github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0=
github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
-github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
+github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
@@ -324,8 +325,11 @@ github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KE
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A=
github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
@@ -347,8 +351,8 @@ github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3Hfo
github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM=
-github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
+github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA=
+github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
@@ -406,6 +410,8 @@ github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8
github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
+github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -449,6 +455,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/cel-go v0.12.5 h1:DmzaiSgoaqGCjtpPQWl26/gND+yRpim56H1jCVev6d8=
+github.com/google/cel-go v0.12.5/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw=
github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0=
github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -464,8 +472,9 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
@@ -537,6 +546,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t
github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 h1:BZHcxBETFHIdVyhyEfOvn/RdU/QGdLI4y34qQGjGWO0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
@@ -612,8 +623,9 @@ github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
+github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/jhump/protoreflect v1.6.0 h1:h5jfMVslIg6l29nsMs0D8Wj17RDVdNYti0vDN/PZZoE=
github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74=
@@ -713,8 +725,8 @@ github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsO
github.com/mattn/go-sqlite3 v1.14.6 h1:dNPt6NO46WmLVt2DLNpwczCmdV5boIZ6g/tlDrlRUbg=
github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
-github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/matttproud/golang_protobuf_extensions v1.0.2 h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM=
+github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
@@ -746,8 +758,8 @@ github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQ
github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=
github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
github.com/moby/sys/mountinfo v0.5.0 h1:2Ks8/r6lopsxWi9m58nlwjaeSzUX9iiL1vj5qB/9ObI=
-github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc=
-github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw=
+github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae h1:O4SWKdcHVCvYqyDV+9CJA1fcDN2L11Bule0iFy3YlAI=
+github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -779,12 +791,12 @@ github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
-github.com/onsi/ginkgo/v2 v2.2.0/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
+github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs=
+github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.20.2 h1:8uQq0zMgLEfa0vRrrBgaJF2gyW9Da9BmfGV+OyUzfkY=
-github.com/onsi/gomega v1.20.2/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc=
+github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys=
+github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec=
@@ -826,13 +838,14 @@ github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP
github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU=
-github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ=
+github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
+github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
+github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
@@ -865,7 +878,6 @@ github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XF
github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
github.com/rubenv/sql-migrate v1.1.2 h1:9M6oj4e//owVVHYrFISmY9LBRw6gzkCNmD9MV36tZeQ=
github.com/rubenv/sql-migrate v1.1.2/go.mod h1:/7TZymwxN8VWumcIxw1jjHEcR1djpdkMHQPT4FWdnbQ=
-github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo=
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
@@ -907,8 +919,8 @@ github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU
github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
-github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
-github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
+github.com/spf13/cobra v1.6.0 h1:42a0n6jwCot1pUmomAp4T7DeMD+20LFv4Q54pxLf2LI=
+github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -919,6 +931,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
+github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU=
github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -975,18 +988,18 @@ go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 h1:VcrIfasaLFkyjk6KNlXQSzO+B0fZcnECiDrKJsfxka0=
go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
-go.etcd.io/etcd/api/v3 v3.5.4 h1:OHVyt3TopwtUQ2GKdd5wu3PmmipR4FTwCqoEjSyRdIc=
-go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
+go.etcd.io/etcd/api/v3 v3.5.5 h1:BX4JIbQ7hl7+jL+g+2j5UAr0o1bctCm6/Ct+ArBGkf0=
+go.etcd.io/etcd/api/v3 v3.5.5/go.mod h1:KFtNaxGDw4Yx/BA4iPPwevUTAuqcsPxzyX8PHydchN8=
go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
-go.etcd.io/etcd/client/pkg/v3 v3.5.4 h1:lrneYvz923dvC14R54XcA7FXoZ3mlGZAgmwhfm7HqOg=
-go.etcd.io/etcd/client/pkg/v3 v3.5.4/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
+go.etcd.io/etcd/client/pkg/v3 v3.5.5 h1:9S0JUVvmrVl7wCF39iTQthdaaNIiAaQbmK75ogO6GU8=
+go.etcd.io/etcd/client/pkg/v3 v3.5.5/go.mod h1:ggrwbk069qxpKPq8/FKkQ3Xq9y39kbFR4LnKszpRXeQ=
go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
-go.etcd.io/etcd/client/v2 v2.305.4 h1:Dcx3/MYyfKcPNLpR4VVQUP5KgYrBeJtktBwEKkw08Ao=
-go.etcd.io/etcd/client/v3 v3.5.4 h1:p83BUL3tAYS0OT/r0qglgc3M1JjhM0diV8DSWAhVXv4=
-go.etcd.io/etcd/client/v3 v3.5.4/go.mod h1:ZaRkVgBZC+L+dLCjTcF1hRXpgZXQPOvnA/Ak/gq3kiY=
-go.etcd.io/etcd/pkg/v3 v3.5.4 h1:V5Dvl7S39ZDwjkKqJG2BfXgxZ3QREqqKifWQgIw5IM0=
-go.etcd.io/etcd/raft/v3 v3.5.4 h1:YGrnAgRfgXloBNuqa+oBI/aRZMcK/1GS6trJePJ/Gqc=
-go.etcd.io/etcd/server/v3 v3.5.4 h1:CMAZd0g8Bn5NRhynW6pKhc4FRg41/0QYy3d7aNm9874=
+go.etcd.io/etcd/client/v2 v2.305.5 h1:DktRP60//JJpnPC0VBymAN/7V71GHMdjDCBt4ZPXDjI=
+go.etcd.io/etcd/client/v3 v3.5.5 h1:q++2WTJbUgpQu4B6hCuT7VkdwaTP7Qz6Daak3WzbrlI=
+go.etcd.io/etcd/client/v3 v3.5.5/go.mod h1:aApjR4WGlSumpnJ2kloS75h6aHUmAyaPLjHMxpc7E7c=
+go.etcd.io/etcd/pkg/v3 v3.5.5 h1:Ablg7T7OkR+AeeeU32kdVhw/AGDsitkKPl7aW73ssjU=
+go.etcd.io/etcd/raft/v3 v3.5.5 h1:Ibz6XyZ60OYyRopu73lLM/P+qco3YtlZMOhnXNS051I=
+go.etcd.io/etcd/server/v3 v3.5.5 h1:jNjYm/9s+f9A9r6+SC4RvNaz6AqixpOvhrFdT0PvIj0=
go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
@@ -998,30 +1011,27 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
-go.opentelemetry.io/contrib v0.20.0 h1:ubFQUn0VCZ0gPwIoJfBJVpeBlyRMxu8Mm/huKWYd9p0=
-go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0 h1:sO4WKdPAudZGKPcpZT4MJn6JaDmpyLrMPDGGyA1SttE=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0 h1:Q3C9yzW6I9jqEc8sawxzxZmY48fs9u220KXq6d5s3XU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4=
-go.opentelemetry.io/otel v0.20.0 h1:eaP0Fqu7SXHwvjiqDq83zImeehOHX8doTvU9AwXON8g=
-go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo=
-go.opentelemetry.io/otel/exporters/otlp v0.20.0 h1:PTNgq9MRmQqqJY0REVbZFvwkYOA85vbdQU/nVfxDyqg=
-go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM=
-go.opentelemetry.io/otel/metric v0.20.0 h1:4kzhXFP+btKm4jwxpjIqjs41A7MakRFUS86bqLHTIw8=
-go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU=
-go.opentelemetry.io/otel/oteltest v0.20.0 h1:HiITxCawalo5vQzdHfKeZurV8x7ljcqAgiWzF6Vaeaw=
-go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw=
-go.opentelemetry.io/otel/sdk v0.20.0 h1:JsxtGXd06J8jrnya7fdI/U/MR6yXA5DtbZy+qoHQlr8=
-go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc=
-go.opentelemetry.io/otel/sdk/export/metric v0.20.0 h1:c5VRjxCXdQlx1HjzwGdQHzZaVI82b5EbBgOu2ljD92g=
-go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE=
-go.opentelemetry.io/otel/sdk/metric v0.20.0 h1:7ao1wpzHRVKf0OQ7GIxiQJA6X7DLX9o14gmVon7mMK8=
-go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE=
-go.opentelemetry.io/otel/trace v0.20.0 h1:1DL6EXUdcg95gukhuRRvLDO/4X5THh/5dIV52lqtnbw=
-go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
-go.opentelemetry.io/proto/otlp v0.7.0 h1:rwOQPCuKAKmwGKq2aVNnYIibI6wnV7EvzgfTCzcdGg8=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 h1:xFSRQBbXF6VvYRf2lqMJXxoB72XI1K/azav8TekHHSw=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0 h1:Ajldaqhxqw/gNzQA45IKFWLdG7jZuXX/wBW1d5qvbUI=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c=
+go.opentelemetry.io/otel v1.10.0 h1:Y7DTJMR6zs1xkS/upamJYk0SxxN4C9AqRd77jmZnyY4=
+go.opentelemetry.io/otel v1.10.0/go.mod h1:NbvWjCthWHKBEUMpf0/v8ZRZlni86PpGFEMA9pnQSnQ=
+go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0 h1:TaB+1rQhddO1sF71MpZOZAuSPW1klK2M8XxfrBMfK7Y=
+go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0/go.mod h1:78XhIg8Ht9vR4tbLNUhXsiOnE2HOuSeKAiAcoVQEpOY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0 h1:pDDYmo0QadUPal5fwXoY1pmMpFcdyhXOmL5drCrI3vU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0/go.mod h1:Krqnjl22jUJ0HgMzw5eveuCvFDXY4nSYb4F8t5gdrag=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0 h1:KtiUEhQmj/Pa874bVYKGNVdq8NPKiacPbaRRtgXi+t4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0/go.mod h1:OfUCyyIiDvNXHWpcWgbF+MWvqPZiNa3YDEnivcnYsV0=
+go.opentelemetry.io/otel/metric v0.31.0 h1:6SiklT+gfWAwWUR0meEMxQBtihpiEs4c+vL9spDTqUs=
+go.opentelemetry.io/otel/metric v0.31.0/go.mod h1:ohmwj9KTSIeBnDBm/ZwH2PSZxZzoOaG2xZeekTRzL5A=
+go.opentelemetry.io/otel/sdk v1.10.0 h1:jZ6K7sVn04kk/3DNUdJ4mqRlGDiXAVuIG+MMENpTNdY=
+go.opentelemetry.io/otel/sdk v1.10.0/go.mod h1:vO06iKzD5baltJz1zarxMCNHFpUlUiOy4s65ECtn6kE=
+go.opentelemetry.io/otel/trace v1.10.0 h1:npQMbR8o7mum8uF95yFbOEJffhs1sbCOfDh8zAJiH5E=
+go.opentelemetry.io/otel/trace v1.10.0/go.mod h1:Sij3YYczqAdz+EhmGhE6TpTxUO5/F/AzrK+kxfGqySM=
go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw=
+go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -1029,9 +1039,8 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA=
+go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
@@ -1061,8 +1070,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220924013350-4ba4fb4dd9e7 h1:WJywXQVIb56P2kAvXeMGTIgQ1ZHQxR60+F9dLsodECc=
-golang.org/x/crypto v0.0.0-20220924013350-4ba4fb4dd9e7/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
+golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1098,8 +1107,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
+golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1160,10 +1169,8 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su
golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.0.0-20220921155015-db77216a4ee9 h1:SdDGdqRuKrF2R4XGcnPzcvZ63c/55GvhoHUus0o+BNI=
-golang.org/x/net v0.0.0-20220921155015-db77216a4ee9/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 h1:Frnccbp+ok2GkUS2tC84yAq/U9Vg+0sIO7aRL3T4Xnc=
+golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1291,12 +1298,11 @@ golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
@@ -1309,10 +1315,7 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1345,7 +1348,6 @@ golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtn
golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1388,8 +1390,8 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
-golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
+golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1560,12 +1562,15 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
+google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
+google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.47.0 h1:9n77onPX5F3qfFCqjy9dhn8PbNQsIKeVU04J9G7umt8=
google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw=
+google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -1638,58 +1643,60 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
k8s.io/api v0.18.0/go.mod h1:q2HRQkfDzHMBZL9l/y9rH63PkQl4vae0xRT+8prbrK8=
-k8s.io/api v0.25.2 h1:v6G8RyFcwf0HR5jQGIAYlvtRNrxMJQG1xJzaSeVnIS8=
-k8s.io/api v0.25.2/go.mod h1:qP1Rn4sCVFwx/xIhe+we2cwBLTXNcheRyYXwajonhy0=
+k8s.io/api v0.26.0 h1:IpPlZnxBpV1xl7TGk/X6lFtpgjgntCg8PJ+qrPHAC7I=
+k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg=
k8s.io/apiextensions-apiserver v0.18.0/go.mod h1:18Cwn1Xws4xnWQNC00FLq1E350b9lUF+aOdIWDOZxgo=
-k8s.io/apiextensions-apiserver v0.25.2 h1:8uOQX17RE7XL02ngtnh3TgifY7EhekpK+/piwzQNnBo=
-k8s.io/apiextensions-apiserver v0.25.2/go.mod h1:iRwwRDlWPfaHhuBfQ0WMa5skdQfrE18QXJaJvIDLvE8=
+k8s.io/apiextensions-apiserver v0.26.0 h1:Gy93Xo1eg2ZIkNX/8vy5xviVSxwQulsnUdQ00nEdpDo=
+k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ=
k8s.io/apimachinery v0.18.0/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA=
-k8s.io/apimachinery v0.25.2 h1:WbxfAjCx+AeN8Ilp9joWnyJ6xu9OMeS/fsfjK/5zaQs=
-k8s.io/apimachinery v0.25.2/go.mod h1:hqqA1X0bsgsxI6dXsJ4HnNTBOmJNxyPp8dw3u2fSHwA=
+k8s.io/apimachinery v0.26.0 h1:1feANjElT7MvPqp0JT6F3Ss6TWDwmcjLypwoPpEf7zg=
+k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74=
k8s.io/apiserver v0.18.0/go.mod h1:3S2O6FeBBd6XTo0njUrLxiqk8GNy6wWOftjhJcXYnjw=
-k8s.io/apiserver v0.25.2 h1:YePimobk187IMIdnmsMxsfIbC5p4eX3WSOrS9x6FEYw=
-k8s.io/apiserver v0.25.2/go.mod h1:30r7xyQTREWCkG2uSjgjhQcKVvAAlqoD+YyrqR6Cn+I=
-k8s.io/cli-runtime v0.25.2 h1:XOx+SKRjBpYMLY/J292BHTkmyDffl/qOx3YSuFZkTuc=
-k8s.io/cli-runtime v0.25.2/go.mod h1:OQx3+/0st6x5YpkkJQlEWLC73V0wHsOFMC1/roxV8Oc=
+k8s.io/apiserver v0.26.0 h1:q+LqIK5EZwdznGZb8bq0+a+vCqdeEEe4Ux3zsOjbc4o=
+k8s.io/apiserver v0.26.0/go.mod h1:aWhlLD+mU+xRo+zhkvP/gFNbShI4wBDHS33o0+JGI84=
+k8s.io/cli-runtime v0.26.0 h1:aQHa1SyUhpqxAw1fY21x2z2OS5RLtMJOCj7tN4oq8mw=
+k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY=
k8s.io/client-go v0.18.0/go.mod h1:uQSYDYs4WhVZ9i6AIoEZuwUggLVEF64HOD37boKAtF8=
-k8s.io/client-go v0.25.2 h1:SUPp9p5CwM0yXGQrwYurw9LWz+YtMwhWd0GqOsSiefo=
-k8s.io/client-go v0.25.2/go.mod h1:i7cNU7N+yGQmJkewcRD2+Vuj4iz7b30kI8OcL3horQ4=
+k8s.io/client-go v0.26.0 h1:lT1D3OfO+wIi9UFolCrifbjUUgu7CpLca0AD8ghRLI8=
+k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg=
k8s.io/code-generator v0.18.0/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc=
-k8s.io/code-generator v0.25.2 h1:qEHux0+E1c+j1MhsWn9+4Z6av8zrZBixOTPW064rSiY=
-k8s.io/code-generator v0.25.2/go.mod h1:f61OcU2VqVQcjt/6TrU0sta1TA5hHkOO6ZZPwkL9Eys=
+k8s.io/code-generator v0.26.0 h1:ZDY+7Gic9p/lACgD1G72gQg2CvNGeAYZTPIncv+iALM=
+k8s.io/code-generator v0.26.0/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I=
k8s.io/component-base v0.18.0/go.mod h1:u3BCg0z1uskkzrnAKFzulmYaEpZF7XC9Pf/uFyb1v2c=
-k8s.io/component-base v0.25.2 h1:Nve/ZyHLUBHz1rqwkjXm/Re6IniNa5k7KgzxZpTfSQY=
-k8s.io/component-base v0.25.2/go.mod h1:90W21YMr+Yjg7MX+DohmZLzjsBtaxQDDwaX4YxDkl60=
+k8s.io/component-base v0.26.0 h1:0IkChOCohtDHttmKuz+EP3j3+qKmV55rM9gIFTXA7Vs=
+k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8=
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 h1:TT1WdmqqXareKxZ/oNXEUSwKlLiHzPMyB0t8BaFeBYI=
-k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08=
+k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kube-aggregator v0.25.2 h1:NJHDtwmQR0EfoIQ00JNT8QrBIOljojtxtpXcTQqWZeg=
-k8s.io/kube-aggregator v0.25.2/go.mod h1:7N5x4bK6jyxkEYCd77mgiz2uGTwiVs18MRwLwCPeUz8=
+k8s.io/kms v0.26.0 h1:5+GOQLvUajSd0z5ODF52RzB2rHo1HJUSYsVC3Ri3VgI=
+k8s.io/kms v0.26.0/go.mod h1:ReC1IEGuxgfN+PDCIpR6w8+XMmDE7uJhxcCwMZFdIYc=
+k8s.io/kube-aggregator v0.26.0 h1:XF/Q5FwdLmCsK1RKGFNWfIo/b+r63sXOu+KKcaIFa/M=
+k8s.io/kube-aggregator v0.26.0/go.mod h1:QUGAvubVFZ43JiT2gMm6f15FvFkyJcZeDcV1nIbmfgk=
k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
-k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea h1:3QOH5+2fGsY8e1qf+GIFpg+zw/JGNrgyZRQR7/m6uWg=
-k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
-k8s.io/kubectl v0.25.2 h1:2993lTeVimxKSWx/7z2PiJxUILygRa3tmC4QhFaeioA=
-k8s.io/kubectl v0.25.2/go.mod h1:eoBGJtKUj7x38KXelz+dqVtbtbKwCqyKzJWmBHU0prg=
+k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715 h1:tBEbstoM+K0FiBV5KGAKQ0kuvf54v/hwpldiJt69w1s=
+k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
+k8s.io/kubectl v0.26.0 h1:xmrzoKR9CyNdzxBmXV7jW9Ln8WMrwRK6hGbbf69o4T0=
+k8s.io/kubectl v0.26.0/go.mod h1:eInP0b+U9XUJWSYeU9XZnTA+cVYuWyl3iYPGtru0qhQ=
k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
-k8s.io/utils v0.0.0-20220922133306-665eaaec4324 h1:i+xdFemcSNuJvIfBlaYuXgRondKxK4z4prVPKzEaelI=
-k8s.io/utils v0.0.0-20220922133306-665eaaec4324/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y=
+k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
oras.land/oras-go v1.2.0 h1:yoKosVIbsPoFMqAIFHTnrmOuafHal+J/r+I5bdbVWu4=
oras.land/oras-go v1.2.0/go.mod h1:pFNs7oHp2dYsYMSS82HaX5l4mpnGO7hbpPN6EWH2ltc=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.32 h1:2WjukG7txtEsbXsSKWtTibCdsyYAhcu6KFnttyDdZOQ=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.32/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw=
-sigs.k8s.io/controller-runtime v0.13.0 h1:iqa5RNciy7ADWnIc8QxCbOX5FEKVR3uxVxKHRMc2WIQ=
-sigs.k8s.io/controller-runtime v0.13.0/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33 h1:LYqFq+6Cj2D0gFfrJvL7iElD4ET6ir3VDdhDdTK7rgc=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33/go.mod h1:soWkSNf2tZC7aMibXEqVhCd73GOY5fJikn8qbdzemB0=
+sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg=
+sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI=
sigs.k8s.io/controller-tools v0.10.0 h1:0L5DTDTFB67jm9DkfrONgTGmfc/zYow0ZaHyppizU2U=
sigs.k8s.io/controller-tools v0.10.0/go.mod h1:uvr0EW6IsprfB0jpQq6evtKy+hHyHCXNfdWI5ONPx94=
sigs.k8s.io/gateway-api v0.5.0 h1:ze+k9fJqvmL8s1t3e4q1ST8RnN+f09dEv+gfacahlAE=
diff --git a/make/tools.mk b/make/tools.mk
index f4d9f0a0617..78c3f29b68e 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -31,9 +31,9 @@ TOOLS += ginkgo=$(shell awk '/ginkgo\/v2/ {print $$2}' go.mod)
# Version of Gateway API install bundle https://gateway-api.sigs.k8s.io/v1alpha2/guides/#installing-gateway-api
GATEWAY_API_VERSION=v0.5.1
-K8S_CODEGEN_VERSION=v0.25.2
+K8S_CODEGEN_VERSION=v0.26.0
-KUBEBUILDER_ASSETS_VERSION=1.25.0
+KUBEBUILDER_ASSETS_VERSION=1.26.0
TOOLS += etcd=$(KUBEBUILDER_ASSETS_VERSION)
TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION)
diff --git a/pkg/client/clientset/versioned/clientset.go b/pkg/client/clientset/versioned/clientset.go
index 519ef01d296..bbe90f7273c 100644
--- a/pkg/client/clientset/versioned/clientset.go
+++ b/pkg/client/clientset/versioned/clientset.go
@@ -35,8 +35,7 @@ type Interface interface {
CertmanagerV1() certmanagerv1.CertmanagerV1Interface
}
-// Clientset contains the clients for groups. Each group has exactly one
-// version included in a Clientset.
+// Clientset contains the clients for groups.
type Clientset struct {
*discovery.DiscoveryClient
acmeV1 *acmev1.AcmeV1Client
diff --git a/pkg/client/informers/externalversions/factory.go b/pkg/client/informers/externalversions/factory.go
index bd544cee97f..9217c911894 100644
--- a/pkg/client/informers/externalversions/factory.go
+++ b/pkg/client/informers/externalversions/factory.go
@@ -48,6 +48,11 @@ type sharedInformerFactory struct {
// startedInformers is used for tracking which informers have been started.
// This allows Start() to be called multiple times safely.
startedInformers map[reflect.Type]bool
+ // wg tracks how many goroutines were started.
+ wg sync.WaitGroup
+ // shuttingDown is true when Shutdown has been called. It may still be running
+ // because it needs to wait for goroutines.
+ shuttingDown bool
}
// WithCustomResyncConfig sets a custom resync period for the specified informer types.
@@ -108,20 +113,39 @@ func NewSharedInformerFactoryWithOptions(client versioned.Interface, defaultResy
return factory
}
-// Start initializes all requested informers.
func (f *sharedInformerFactory) Start(stopCh <-chan struct{}) {
f.lock.Lock()
defer f.lock.Unlock()
+ if f.shuttingDown {
+ return
+ }
+
for informerType, informer := range f.informers {
if !f.startedInformers[informerType] {
- go informer.Run(stopCh)
+ f.wg.Add(1)
+ // We need a new variable in each loop iteration,
+ // otherwise the goroutine would use the loop variable
+ // and that keeps changing.
+ informer := informer
+ go func() {
+ defer f.wg.Done()
+ informer.Run(stopCh)
+ }()
f.startedInformers[informerType] = true
}
}
}
-// WaitForCacheSync waits for all started informers' cache were synced.
+func (f *sharedInformerFactory) Shutdown() {
+ f.lock.Lock()
+ f.shuttingDown = true
+ f.lock.Unlock()
+
+ // Will return immediately if there is nothing to wait for.
+ f.wg.Wait()
+}
+
func (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool {
informers := func() map[reflect.Type]cache.SharedIndexInformer {
f.lock.Lock()
@@ -168,11 +192,58 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
// SharedInformerFactory provides shared informers for resources in all known
// API group versions.
+//
+// It is typically used like this:
+//
+// ctx, cancel := context.Background()
+// defer cancel()
+// factory := NewSharedInformerFactory(client, resyncPeriod)
+// defer factory.WaitForStop() // Returns immediately if nothing was started.
+// genericInformer := factory.ForResource(resource)
+// typedInformer := factory.SomeAPIGroup().V1().SomeType()
+// factory.Start(ctx.Done()) // Start processing these informers.
+// synced := factory.WaitForCacheSync(ctx.Done())
+// for v, ok := range synced {
+// if !ok {
+// fmt.Fprintf(os.Stderr, "caches failed to sync: %v", v)
+// return
+// }
+// }
+//
+// // Creating informers can also be created after Start, but then
+// // Start must be called again:
+// anotherGenericInformer := factory.ForResource(resource)
+// factory.Start(ctx.Done())
type SharedInformerFactory interface {
internalinterfaces.SharedInformerFactory
- ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
+
+ // Start initializes all requested informers. They are handled in goroutines
+ // which run until the stop channel gets closed.
+ Start(stopCh <-chan struct{})
+
+ // Shutdown marks a factory as shutting down. At that point no new
+ // informers can be started anymore and Start will return without
+ // doing anything.
+ //
+ // In addition, Shutdown blocks until all goroutines have terminated. For that
+ // to happen, the close channel(s) that they were started with must be closed,
+ // either before Shutdown gets called or while it is waiting.
+ //
+ // Shutdown may be called multiple times, even concurrently. All such calls will
+ // block until all goroutines have terminated.
+ Shutdown()
+
+ // WaitForCacheSync blocks until all started informers' caches were synced
+ // or the stop channel gets closed.
WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
+ // ForResource gives generic access to a shared informer of the matching type.
+ ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
+
+ // InternalInformerFor returns the SharedIndexInformer for obj using an internal
+ // client.
+ InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer
+
Acme() acme.Interface
Certmanager() certmanager.Interface
}
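Review bot: The usage example added to the SharedInformerFactory doc comment does not match the interface it documents: `ctx, cancel := context.Background()` assigns two values from a single-value function (it should be `ctx, cancel := context.WithCancel(context.Background())`), and `defer factory.WaitForStop()` names a method that does not exist on this interface, which declares `Shutdown()`, so that line should read `defer factory.Shutdown()`. The comment on the `InformerFor` method also calls it `InternalInformerFor`, so a reader grepping for the documented name will not find it. Since a mis-stated shutdown call is how callers end up leaking informer goroutines past the point they think they stopped, the example is worth getting right. This file path looks like informer-gen output, so if it is regenerated the correction presumably belongs in the generator template rather than in this file directly.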
From 26d04f3d8aff1b4e6cf80bffff4e48ab003ec93f Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Mon, 12 Dec 2022 10:01:42 +0100
Subject: [PATCH 0069/1253] add WithLegacy function to our fake discovery
client
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Luca Comellini
---
test/unit/discovery/discovery.go | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/test/unit/discovery/discovery.go b/test/unit/discovery/discovery.go
index e73ff6c4711..d7a8fd14c9d 100644
--- a/test/unit/discovery/discovery.go
+++ b/test/unit/discovery/discovery.go
@@ -101,6 +101,12 @@ func (d *Discovery) OpenAPIV3() openapi.Client {
return d.openAPIV3SchemaFn()
}
+func (d *Discovery) WithLegacy() discovery.DiscoveryInterface {
+ // setting the discovery client to legacy mode (not using the aggregated discovery client) doesn't
+ // make any difference for our testing purposes here, so we just return the same discovery client
+ return d
+}
+
func (d *Discovery) RESTClient() restclient.Interface {
return d.restClientFn()
}
From 8baaffc02b4f746ad1fd9bafe8fe5705d0c148e8 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Mon, 12 Dec 2022 10:13:25 +0100
Subject: [PATCH 0070/1253] kubebuilder did not yet create a 1.26 release
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Luca Comellini
---
make/tools.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make/tools.mk b/make/tools.mk
index 78c3f29b68e..dbcb7a9c318 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -33,7 +33,7 @@ GATEWAY_API_VERSION=v0.5.1
K8S_CODEGEN_VERSION=v0.26.0
-KUBEBUILDER_ASSETS_VERSION=1.26.0
+KUBEBUILDER_ASSETS_VERSION=1.25.0
TOOLS += etcd=$(KUBEBUILDER_ASSETS_VERSION)
TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION)
From bb252356a28546219e95288efd5616c707e0ffe7 Mon Sep 17 00:00:00 2001
From: Luca Comellini
Date: Wed, 14 Dec 2022 21:53:08 -0800
Subject: [PATCH 0071/1253] Update controller-runtime to v0.14.0
Signed-off-by: Luca Comellini
---
LICENSES | 249 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
go.mod | 10 +--
go.sum | 22 +++--
3 files changed, 264 insertions(+), 17 deletions(-)
create mode 100644 LICENSES
diff --git a/LICENSES b/LICENSES
new file mode 100644
index 00000000000..07dd77eae94
--- /dev/null
+++ b/LICENSES
@@ -0,0 +1,249 @@
+cloud.google.com/go/compute/metadata,https://github.com/googleapis/google-cloud-go/blob/compute/v1.7.0/compute/LICENSE,Apache-2.0
+github.com/Azure/azure-sdk-for-go,https://github.com/Azure/azure-sdk-for-go/blob/v66.0.0/LICENSE.txt,MIT
+github.com/Azure/go-autorest/autorest,https://github.com/Azure/go-autorest/blob/autorest/v0.11.28/autorest/LICENSE,Apache-2.0
+github.com/Azure/go-autorest/autorest/adal,https://github.com/Azure/go-autorest/blob/autorest/adal/v0.9.21/autorest/adal/LICENSE,Apache-2.0
+github.com/Azure/go-autorest/autorest/date,https://github.com/Azure/go-autorest/blob/autorest/date/v0.3.0/autorest/date/LICENSE,Apache-2.0
+github.com/Azure/go-autorest/autorest/to,https://github.com/Azure/go-autorest/blob/autorest/to/v0.4.0/autorest/to/LICENSE,Apache-2.0
+github.com/Azure/go-autorest/autorest/validation,https://github.com/Azure/go-autorest/blob/autorest/validation/v0.3.1/autorest/validation/LICENSE,Apache-2.0
+github.com/Azure/go-autorest/logger,https://github.com/Azure/go-autorest/blob/logger/v0.2.1/logger/LICENSE,Apache-2.0
+github.com/Azure/go-autorest/tracing,https://github.com/Azure/go-autorest/blob/tracing/v0.6.0/tracing/LICENSE,Apache-2.0
+github.com/Azure/go-ntlmssp,https://github.com/Azure/go-ntlmssp/blob/cb9428e4ac1e/LICENSE,MIT
+github.com/BurntSushi/toml,https://github.com/BurntSushi/toml/blob/v1.1.0/COPYING,MIT
+github.com/MakeNowJust/heredoc,https://github.com/MakeNowJust/heredoc/blob/v1.0.0/LICENSE,MIT
+github.com/Masterminds/goutils,https://github.com/Masterminds/goutils/blob/v1.1.1/LICENSE.txt,Apache-2.0
+github.com/Masterminds/semver/v3,https://github.com/Masterminds/semver/blob/v3.1.1/LICENSE.txt,MIT
+github.com/Masterminds/sprig/v3,https://github.com/Masterminds/sprig/blob/v3.2.2/LICENSE.txt,MIT
+github.com/Masterminds/squirrel,https://github.com/Masterminds/squirrel/blob/v1.5.3/LICENSE.txt,MIT
+github.com/NYTimes/gziphandler,https://github.com/NYTimes/gziphandler/blob/v1.1.1/LICENSE,Apache-2.0
+github.com/Venafi/vcert/v4,https://github.com/Venafi/vcert/blob/v4.22.1/LICENSE,Apache-2.0
+github.com/akamai/AkamaiOPEN-edgegrid-golang,https://github.com/akamai/AkamaiOPEN-edgegrid-golang/blob/v1.2.1/LICENSE,Apache-2.0
+github.com/antlr/antlr4/runtime/Go/antlr,https://github.com/antlr/antlr4/blob/runtime/Go/antlr/v1.4.10/runtime/Go/antlr/LICENSE,BSD-3-Clause
+github.com/armon/go-metrics,https://github.com/armon/go-metrics/blob/v0.3.9/LICENSE,MIT
+github.com/armon/go-radix,https://github.com/armon/go-radix/blob/v1.0.0/LICENSE,MIT
+github.com/asaskevich/govalidator,https://github.com/asaskevich/govalidator/blob/21a406dcc535/LICENSE,MIT
+github.com/aws/aws-sdk-go,https://github.com/aws/aws-sdk-go/blob/v1.44.105/LICENSE.txt,Apache-2.0
+github.com/aws/aws-sdk-go/internal/sync/singleflight,https://github.com/aws/aws-sdk-go/blob/v1.44.105/internal/sync/singleflight/LICENSE,BSD-3-Clause
+github.com/beorn7/perks/quantile,https://github.com/beorn7/perks/blob/v1.0.1/LICENSE,MIT
+github.com/blang/semver/v4,https://github.com/blang/semver/blob/v4.0.0/v4/LICENSE,MIT
+github.com/cenkalti/backoff/v3,https://github.com/cenkalti/backoff/blob/v3.0.0/LICENSE,MIT
+github.com/cenkalti/backoff/v4,https://github.com/cenkalti/backoff/blob/v4.1.3/LICENSE,MIT
+github.com/cert-manager/cert-manager,https://github.com/cert-manager/cert-manager/blob/HEAD/LICENSE,Apache-2.0
+github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/azuredns,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/azuredns/LICENSE,MIT
+github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/clouddns,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/clouddns/LICENSE,MIT
+github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/cloudflare,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/cloudflare/LICENSE,MIT
+github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/route53,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/route53/LICENSE,MIT
+github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util,https://github.com/cert-manager/cert-manager/blob/HEAD/pkg/issuer/acme/dns/util/LICENSE,MIT
+github.com/cespare/xxhash/v2,https://github.com/cespare/xxhash/blob/v2.1.2/LICENSE.txt,MIT
+github.com/chai2010/gettext-go,https://github.com/chai2010/gettext-go/blob/v1.0.2/LICENSE,BSD-3-Clause
+github.com/cloudflare/cloudflare-go,https://github.com/cloudflare/cloudflare-go/blob/v0.50.0/LICENSE,BSD-3-Clause
+github.com/containerd/containerd,https://github.com/containerd/containerd/blob/v1.6.6/LICENSE,Apache-2.0
+github.com/coreos/go-semver/semver,https://github.com/coreos/go-semver/blob/v0.3.0/LICENSE,Apache-2.0
+github.com/coreos/go-systemd/v22,https://github.com/coreos/go-systemd/blob/v22.3.2/LICENSE,Apache-2.0
+github.com/cpu/goacmedns,https://github.com/cpu/goacmedns/blob/v0.1.1/LICENSE,MIT
+github.com/cpuguy83/go-md2man/v2/md2man,https://github.com/cpuguy83/go-md2man/blob/v2.0.2/LICENSE.md,MIT
+github.com/cyphar/filepath-securejoin,https://github.com/cyphar/filepath-securejoin/blob/v0.2.3/LICENSE,BSD-3-Clause
+github.com/davecgh/go-spew/spew,https://github.com/davecgh/go-spew/blob/v1.1.1/LICENSE,ISC
+github.com/digitalocean/godo,https://github.com/digitalocean/godo/blob/v1.86.0/LICENSE.txt,MIT
+github.com/docker/cli/cli/config,https://github.com/docker/cli/blob/v20.10.17/LICENSE,Apache-2.0
+github.com/docker/distribution,https://github.com/docker/distribution/blob/v2.8.1/LICENSE,Apache-2.0
+github.com/docker/docker,https://github.com/docker/docker/blob/v20.10.17/LICENSE,Apache-2.0
+github.com/docker/docker-credential-helpers,https://github.com/docker/docker-credential-helpers/blob/v0.6.4/LICENSE,MIT
+github.com/docker/go-connections,https://github.com/docker/go-connections/blob/v0.4.0/LICENSE,Apache-2.0
+github.com/docker/go-metrics,https://github.com/docker/go-metrics/blob/v0.0.1/LICENSE,Apache-2.0
+github.com/docker/go-units,https://github.com/docker/go-units/blob/v0.4.0/LICENSE,Apache-2.0
+github.com/emicklei/go-restful/v3,https://github.com/emicklei/go-restful/blob/v3.9.0/LICENSE,MIT
+github.com/evanphx/json-patch,https://github.com/evanphx/json-patch/blob/v5.6.0/LICENSE,BSD-3-Clause
+github.com/evanphx/json-patch/v5,https://github.com/evanphx/json-patch/blob/v5.6.0/v5/LICENSE,BSD-3-Clause
+github.com/exponent-io/jsonpath,https://github.com/exponent-io/jsonpath/blob/d6023ce2651d/LICENSE,MIT
+github.com/fatih/camelcase,https://github.com/fatih/camelcase/blob/v1.0.0/LICENSE.md,MIT
+github.com/fatih/color,https://github.com/fatih/color/blob/v1.13.0/LICENSE.md,MIT
+github.com/felixge/httpsnoop,https://github.com/felixge/httpsnoop/blob/v1.0.3/LICENSE.txt,MIT
+github.com/fsnotify/fsnotify,https://github.com/fsnotify/fsnotify/blob/v1.6.0/LICENSE,BSD-3-Clause
+github.com/go-asn1-ber/asn1-ber,https://github.com/go-asn1-ber/asn1-ber/blob/v1.5.4/LICENSE,MIT
+github.com/go-errors/errors,https://github.com/go-errors/errors/blob/v1.0.1/LICENSE.MIT,MIT
+github.com/go-gorp/gorp/v3,https://github.com/go-gorp/gorp/blob/v3.0.2/LICENSE,MIT
+github.com/go-ldap/ldap/v3,https://github.com/go-ldap/ldap/blob/v3.4.4/v3/LICENSE,MIT
+github.com/go-logr/logr,https://github.com/go-logr/logr/blob/v1.2.3/LICENSE,Apache-2.0
+github.com/go-logr/stdr,https://github.com/go-logr/stdr/blob/v1.2.2/LICENSE,Apache-2.0
+github.com/go-openapi/jsonpointer,https://github.com/go-openapi/jsonpointer/blob/v0.19.5/LICENSE,Apache-2.0
+github.com/go-openapi/jsonreference,https://github.com/go-openapi/jsonreference/blob/v0.20.0/LICENSE,Apache-2.0
+github.com/go-openapi/swag,https://github.com/go-openapi/swag/blob/v0.19.14/LICENSE,Apache-2.0
+github.com/gobwas/glob,https://github.com/gobwas/glob/blob/v0.2.3/LICENSE,MIT
+github.com/gogo/protobuf,https://github.com/gogo/protobuf/blob/v1.3.2/LICENSE,BSD-3-Clause
+github.com/golang-jwt/jwt/v4,https://github.com/golang-jwt/jwt/blob/v4.2.0/LICENSE,MIT
+github.com/golang/groupcache/lru,https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE,Apache-2.0
+github.com/golang/protobuf,https://github.com/golang/protobuf/blob/v1.5.2/LICENSE,BSD-3-Clause
+github.com/golang/snappy,https://github.com/golang/snappy/blob/v0.0.4/LICENSE,BSD-3-Clause
+github.com/google/btree,https://github.com/google/btree/blob/v1.0.1/LICENSE,Apache-2.0
+github.com/google/cel-go,https://github.com/google/cel-go/blob/v0.12.5/LICENSE,Apache-2.0
+github.com/google/gnostic,https://github.com/google/gnostic/blob/v0.6.9/LICENSE,Apache-2.0
+github.com/google/go-cmp/cmp,https://github.com/google/go-cmp/blob/v0.5.9/LICENSE,BSD-3-Clause
+github.com/google/go-querystring/query,https://github.com/google/go-querystring/blob/v1.1.0/LICENSE,BSD-3-Clause
+github.com/google/gofuzz,https://github.com/google/gofuzz/blob/v1.2.0/LICENSE,Apache-2.0
+github.com/google/shlex,https://github.com/google/shlex/blob/e7afc7fbc510/COPYING,Apache-2.0
+github.com/google/uuid,https://github.com/google/uuid/blob/v1.3.0/LICENSE,BSD-3-Clause
+github.com/googleapis/enterprise-certificate-proxy/client,https://github.com/googleapis/enterprise-certificate-proxy/blob/v0.1.0/LICENSE,Apache-2.0
+github.com/googleapis/gax-go/v2,https://github.com/googleapis/gax-go/blob/v2.4.0/v2/LICENSE,BSD-3-Clause
+github.com/gorilla/mux,https://github.com/gorilla/mux/blob/v1.8.0/LICENSE,BSD-3-Clause
+github.com/gosuri/uitable,https://github.com/gosuri/uitable/blob/v0.0.4/LICENSE,MIT
+github.com/gosuri/uitable/util/wordwrap,https://github.com/gosuri/uitable/blob/v0.0.4/util/wordwrap/LICENSE.md,MIT
+github.com/gregjones/httpcache,https://github.com/gregjones/httpcache/blob/9cad4c3443a7/LICENSE.txt,MIT
+github.com/grpc-ecosystem/go-grpc-prometheus,https://github.com/grpc-ecosystem/go-grpc-prometheus/blob/v1.2.0/LICENSE,Apache-2.0
+github.com/grpc-ecosystem/grpc-gateway/v2,https://github.com/grpc-ecosystem/grpc-gateway/blob/v2.7.0/LICENSE.txt,BSD-3-Clause
+github.com/hashicorp/errwrap,https://github.com/hashicorp/errwrap/blob/v1.1.0/LICENSE,MPL-2.0
+github.com/hashicorp/go-cleanhttp,https://github.com/hashicorp/go-cleanhttp/blob/v0.5.2/LICENSE,MPL-2.0
+github.com/hashicorp/go-hclog,https://github.com/hashicorp/go-hclog/blob/v1.2.0/LICENSE,MIT
+github.com/hashicorp/go-immutable-radix,https://github.com/hashicorp/go-immutable-radix/blob/v1.3.1/LICENSE,MPL-2.0
+github.com/hashicorp/go-multierror,https://github.com/hashicorp/go-multierror/blob/v1.1.1/LICENSE,MPL-2.0
+github.com/hashicorp/go-plugin,https://github.com/hashicorp/go-plugin/blob/v1.4.3/LICENSE,MPL-2.0
+github.com/hashicorp/go-retryablehttp,https://github.com/hashicorp/go-retryablehttp/blob/v0.7.1/LICENSE,MPL-2.0
+github.com/hashicorp/go-rootcerts,https://github.com/hashicorp/go-rootcerts/blob/v1.0.2/LICENSE,MPL-2.0
+github.com/hashicorp/go-secure-stdlib/mlock,https://github.com/hashicorp/go-secure-stdlib/blob/mlock/v0.1.1/mlock/LICENSE,MPL-2.0
+github.com/hashicorp/go-secure-stdlib/parseutil,https://github.com/hashicorp/go-secure-stdlib/blob/parseutil/v0.1.6/parseutil/LICENSE,MPL-2.0
+github.com/hashicorp/go-secure-stdlib/strutil,https://github.com/hashicorp/go-secure-stdlib/blob/strutil/v0.1.2/strutil/LICENSE,MPL-2.0
+github.com/hashicorp/go-sockaddr,https://github.com/hashicorp/go-sockaddr/blob/v1.0.2/LICENSE,MPL-2.0
+github.com/hashicorp/go-uuid,https://github.com/hashicorp/go-uuid/blob/v1.0.2/LICENSE,MPL-2.0
+github.com/hashicorp/go-version,https://github.com/hashicorp/go-version/blob/v1.2.0/LICENSE,MPL-2.0
+github.com/hashicorp/golang-lru,https://github.com/hashicorp/golang-lru/blob/v0.5.4/LICENSE,MPL-2.0
+github.com/hashicorp/hcl,https://github.com/hashicorp/hcl/blob/v1.0.0/LICENSE,MPL-2.0
+github.com/hashicorp/vault/api,https://github.com/hashicorp/vault/blob/api/v1.8.0/api/LICENSE,MPL-2.0
+github.com/hashicorp/vault/sdk,https://github.com/hashicorp/vault/blob/sdk/v0.6.0/sdk/LICENSE,MPL-2.0
+github.com/hashicorp/yamux,https://github.com/hashicorp/yamux/blob/3520598351bb/LICENSE,MPL-2.0
+github.com/huandu/xstrings,https://github.com/huandu/xstrings/blob/v1.3.2/LICENSE,MIT
+github.com/imdario/mergo,https://github.com/imdario/mergo/blob/v0.3.12/LICENSE,BSD-3-Clause
+github.com/jmespath/go-jmespath,https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE,Apache-2.0
+github.com/jmoiron/sqlx,https://github.com/jmoiron/sqlx/blob/v1.3.5/LICENSE,MIT
+github.com/josharian/intern,https://github.com/josharian/intern/blob/v1.0.0/license.md,MIT
+github.com/json-iterator/go,https://github.com/json-iterator/go/blob/v1.1.12/LICENSE,MIT
+github.com/klauspost/compress,https://github.com/klauspost/compress/blob/v1.13.6/LICENSE,Apache-2.0
+github.com/klauspost/compress/internal/snapref,https://github.com/klauspost/compress/blob/v1.13.6/internal/snapref/LICENSE,BSD-3-Clause
+github.com/klauspost/compress/zstd/internal/xxhash,https://github.com/klauspost/compress/blob/v1.13.6/zstd/internal/xxhash/LICENSE.txt,MIT
+github.com/kr/pretty,https://github.com/kr/pretty/blob/v0.3.0/License,MIT
+github.com/kr/text,https://github.com/kr/text/blob/v0.2.0/License,MIT
+github.com/lann/builder,https://github.com/lann/builder/blob/47ae307949d0/LICENSE,MIT
+github.com/lann/ps,https://github.com/lann/ps/blob/62de8c46ede0/LICENSE,MIT
+github.com/lib/pq,https://github.com/lib/pq/blob/v1.10.6/LICENSE.md,MIT
+github.com/liggitt/tabwriter,https://github.com/liggitt/tabwriter/blob/89fcab3d43de/LICENSE,BSD-3-Clause
+github.com/mailru/easyjson,https://github.com/mailru/easyjson/blob/v0.7.6/LICENSE,MIT
+github.com/mattn/go-colorable,https://github.com/mattn/go-colorable/blob/v0.1.12/LICENSE,MIT
+github.com/mattn/go-isatty,https://github.com/mattn/go-isatty/blob/v0.0.14/LICENSE,MIT
+github.com/mattn/go-runewidth,https://github.com/mattn/go-runewidth/blob/v0.0.13/LICENSE,MIT
+github.com/matttproud/golang_protobuf_extensions/pbutil,https://github.com/matttproud/golang_protobuf_extensions/blob/v1.0.2/LICENSE,Apache-2.0
+github.com/miekg/dns,https://github.com/miekg/dns/blob/v1.1.50/LICENSE,BSD-3-Clause
+github.com/mitchellh/copystructure,https://github.com/mitchellh/copystructure/blob/v1.2.0/LICENSE,MIT
+github.com/mitchellh/go-homedir,https://github.com/mitchellh/go-homedir/blob/v1.1.0/LICENSE,MIT
+github.com/mitchellh/go-testing-interface,https://github.com/mitchellh/go-testing-interface/blob/v1.0.0/LICENSE,MIT
+github.com/mitchellh/go-wordwrap,https://github.com/mitchellh/go-wordwrap/blob/v1.0.0/LICENSE.md,MIT
+github.com/mitchellh/mapstructure,https://github.com/mitchellh/mapstructure/blob/v1.5.0/LICENSE,MIT
+github.com/mitchellh/reflectwalk,https://github.com/mitchellh/reflectwalk/blob/v1.0.2/LICENSE,MIT
+github.com/moby/locker,https://github.com/moby/locker/blob/v1.0.1/LICENSE,Apache-2.0
+github.com/moby/spdystream,https://github.com/moby/spdystream/blob/v0.2.0/LICENSE,Apache-2.0
+github.com/moby/term,https://github.com/moby/term/blob/39b0c02b01ae/LICENSE,Apache-2.0
+github.com/modern-go/concurrent,https://github.com/modern-go/concurrent/blob/bacd9c7ef1dd/LICENSE,Apache-2.0
+github.com/modern-go/reflect2,https://github.com/modern-go/reflect2/blob/v1.0.2/LICENSE,Apache-2.0
+github.com/monochromegane/go-gitignore,https://github.com/monochromegane/go-gitignore/blob/205db1a8cc00/LICENSE,MIT
+github.com/morikuni/aec,https://github.com/morikuni/aec/blob/v1.0.0/LICENSE,MIT
+github.com/munnerz/goautoneg,https://github.com/munnerz/goautoneg/blob/a7dc8b61c822/LICENSE,BSD-3-Clause
+github.com/oklog/run,https://github.com/oklog/run/blob/v1.0.0/LICENSE,Apache-2.0
+github.com/onsi/ginkgo/v2,https://github.com/onsi/ginkgo/blob/v2.6.0/LICENSE,MIT
+github.com/onsi/gomega,https://github.com/onsi/gomega/blob/v1.24.1/LICENSE,MIT
+github.com/opencontainers/go-digest,https://github.com/opencontainers/go-digest/blob/v1.0.0/LICENSE,Apache-2.0
+github.com/opencontainers/image-spec/specs-go,https://github.com/opencontainers/image-spec/blob/c5a74bcca799/LICENSE,Apache-2.0
+github.com/patrickmn/go-cache,https://github.com/patrickmn/go-cache/blob/v2.1.0/LICENSE,MIT
+github.com/pavlo-v-chernykh/keystore-go/v4,https://github.com/pavlo-v-chernykh/keystore-go/blob/v4.4.0/LICENSE,MIT
+github.com/peterbourgon/diskv,https://github.com/peterbourgon/diskv/blob/v2.0.1/LICENSE,MIT
+github.com/pierrec/lz4,https://github.com/pierrec/lz4/blob/v2.5.2/LICENSE,BSD-3-Clause
+github.com/pkg/errors,https://github.com/pkg/errors/blob/v0.9.1/LICENSE,BSD-2-Clause
+github.com/prometheus/client_golang/prometheus,https://github.com/prometheus/client_golang/blob/v1.14.0/LICENSE,Apache-2.0
+github.com/prometheus/client_model/go,https://github.com/prometheus/client_model/blob/v0.3.0/LICENSE,Apache-2.0
+github.com/prometheus/common,https://github.com/prometheus/common/blob/v0.37.0/LICENSE,Apache-2.0
+github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg,https://github.com/prometheus/common/blob/v0.37.0/internal/bitbucket.org/ww/goautoneg/README.txt,BSD-3-Clause
+github.com/prometheus/procfs,https://github.com/prometheus/procfs/blob/v0.8.0/LICENSE,Apache-2.0
+github.com/rivo/uniseg,https://github.com/rivo/uniseg/blob/v0.2.0/LICENSE.txt,MIT
+github.com/rogpeppe/go-internal/fmtsort,https://github.com/rogpeppe/go-internal/blob/v1.8.1/LICENSE,BSD-3-Clause
+github.com/rubenv/sql-migrate,https://github.com/rubenv/sql-migrate/blob/v1.1.2/LICENSE,MIT
+github.com/rubenv/sql-migrate/sqlparse,https://github.com/rubenv/sql-migrate/blob/v1.1.2/sqlparse/LICENSE,MIT
+github.com/russross/blackfriday/v2,https://github.com/russross/blackfriday/blob/v2.1.0/LICENSE.txt,BSD-2-Clause
+github.com/ryanuber/go-glob,https://github.com/ryanuber/go-glob/blob/v1.0.0/LICENSE,MIT
+github.com/sergi/go-diff/diffmatchpatch,https://github.com/sergi/go-diff/blob/v1.2.0/LICENSE,MIT
+github.com/shopspring/decimal,https://github.com/shopspring/decimal/blob/v1.2.0/LICENSE,MIT
+github.com/sirupsen/logrus,https://github.com/sirupsen/logrus/blob/v1.8.1/LICENSE,MIT
+github.com/spf13/cast,https://github.com/spf13/cast/blob/v1.4.1/LICENSE,MIT
+github.com/spf13/cobra,https://github.com/spf13/cobra/blob/v1.6.0/LICENSE.txt,Apache-2.0
+github.com/spf13/pflag,https://github.com/spf13/pflag/blob/v1.0.5/LICENSE,BSD-3-Clause
+github.com/stoewer/go-strcase,https://github.com/stoewer/go-strcase/blob/v1.2.0/LICENSE,MIT
+github.com/xeipuuv/gojsonpointer,https://github.com/xeipuuv/gojsonpointer/blob/4e3ac2762d5f/LICENSE-APACHE-2.0.txt,Apache-2.0
+github.com/xeipuuv/gojsonreference,https://github.com/xeipuuv/gojsonreference/blob/bd5ef7bd5415/LICENSE-APACHE-2.0.txt,Apache-2.0
+github.com/xeipuuv/gojsonschema,https://github.com/xeipuuv/gojsonschema/blob/v1.2.0/LICENSE-APACHE-2.0.txt,Apache-2.0
+github.com/xlab/treeprint,https://github.com/xlab/treeprint/blob/v1.1.0/LICENSE,MIT
+github.com/youmark/pkcs8,https://github.com/youmark/pkcs8/blob/1326539a0a0a/LICENSE,MIT
+go.etcd.io/etcd/api/v3,https://github.com/etcd-io/etcd/blob/api/v3.5.5/api/LICENSE,Apache-2.0
+go.etcd.io/etcd/client/pkg/v3,https://github.com/etcd-io/etcd/blob/client/pkg/v3.5.5/client/pkg/LICENSE,Apache-2.0
+go.etcd.io/etcd/client/v3,https://github.com/etcd-io/etcd/blob/client/v3.5.5/client/v3/LICENSE,Apache-2.0
+go.opencensus.io,https://github.com/census-instrumentation/opencensus-go/blob/v0.23.0/LICENSE,Apache-2.0
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc,https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.35.0/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE,Apache-2.0
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/net/http/otelhttp/v0.35.0/instrumentation/net/http/otelhttp/LICENSE,Apache-2.0
+go.opentelemetry.io/otel,https://github.com/open-telemetry/opentelemetry-go/blob/v1.10.0/LICENSE,Apache-2.0
+go.opentelemetry.io/otel/exporters/otlp/internal/retry,https://github.com/open-telemetry/opentelemetry-go/blob/exporters/otlp/internal/retry/v1.10.0/exporters/otlp/internal/retry/LICENSE,Apache-2.0
+go.opentelemetry.io/otel/exporters/otlp/otlptrace,https://github.com/open-telemetry/opentelemetry-go/blob/exporters/otlp/otlptrace/v1.10.0/exporters/otlp/otlptrace/LICENSE,Apache-2.0
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc,https://github.com/open-telemetry/opentelemetry-go/blob/exporters/otlp/otlptrace/otlptracegrpc/v1.10.0/exporters/otlp/otlptrace/otlptracegrpc/LICENSE,Apache-2.0
+go.opentelemetry.io/otel/metric,https://github.com/open-telemetry/opentelemetry-go/blob/metric/v0.31.0/metric/LICENSE,Apache-2.0
+go.opentelemetry.io/otel/sdk,https://github.com/open-telemetry/opentelemetry-go/blob/sdk/v1.10.0/sdk/LICENSE,Apache-2.0
+go.opentelemetry.io/otel/trace,https://github.com/open-telemetry/opentelemetry-go/blob/trace/v1.10.0/trace/LICENSE,Apache-2.0
+go.opentelemetry.io/proto/otlp,https://github.com/open-telemetry/opentelemetry-proto-go/blob/otlp/v0.19.0/otlp/LICENSE,Apache-2.0
+go.starlark.net,https://github.com/google/starlark-go/blob/8dd3e2ee1dd5/LICENSE,BSD-3-Clause
+go.uber.org/atomic,https://github.com/uber-go/atomic/blob/v1.9.0/LICENSE.txt,MIT
+go.uber.org/multierr,https://github.com/uber-go/multierr/blob/v1.6.0/LICENSE.txt,MIT
+go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.24.0/LICENSE.txt,MIT
+golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/v0.1.0:LICENSE,BSD-3-Clause
+golang.org/x/net,https://cs.opensource.google/go/x/net/+/1e63c2f0:LICENSE,BSD-3-Clause
+golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/f2134210:LICENSE,BSD-3-Clause
+golang.org/x/sync,https://cs.opensource.google/go/x/sync/+/7f9b1623:LICENSE,BSD-3-Clause
+golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/v0.3.0:LICENSE,BSD-3-Clause
+golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.3.0:LICENSE,BSD-3-Clause
+golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.5.0:LICENSE,BSD-3-Clause
+golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE,BSD-3-Clause
+gomodules.xyz/jsonpatch/v2,https://github.com/gomodules/jsonpatch/blob/v2.2.0/v2/LICENSE,Apache-2.0
+google.golang.org/api,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/LICENSE,BSD-3-Clause
+google.golang.org/api/internal/third_party/uritemplates,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/internal/third_party/uritemplates/LICENSE,BSD-3-Clause
+google.golang.org/genproto,https://github.com/googleapis/go-genproto/blob/8cd45d7dbd1f/LICENSE,Apache-2.0
+google.golang.org/grpc,https://github.com/grpc/grpc-go/blob/v1.49.0/LICENSE,Apache-2.0
+google.golang.org/protobuf,https://github.com/protocolbuffers/protobuf-go/blob/v1.28.1/LICENSE,BSD-3-Clause
+gopkg.in/inf.v0,https://github.com/go-inf/inf/blob/v0.9.1/LICENSE,BSD-3-Clause
+gopkg.in/ini.v1,https://github.com/go-ini/ini/blob/v1.62.0/LICENSE,Apache-2.0
+gopkg.in/natefinch/lumberjack.v2,https://github.com/natefinch/lumberjack/blob/v2.0.0/LICENSE,MIT
+gopkg.in/square/go-jose.v2,https://github.com/square/go-jose/blob/v2.5.1/LICENSE,Apache-2.0
+gopkg.in/square/go-jose.v2/json,https://github.com/square/go-jose/blob/v2.5.1/json/LICENSE,BSD-3-Clause
+gopkg.in/yaml.v2,https://github.com/go-yaml/yaml/blob/v2.4.0/LICENSE,Apache-2.0
+gopkg.in/yaml.v3,https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE,MIT
+helm.sh/helm/v3,https://github.com/helm/helm/blob/v3.10.0/LICENSE,Apache-2.0
+k8s.io/api,https://github.com/kubernetes/api/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/apiextensions-apiserver/pkg,https://github.com/kubernetes/apiextensions-apiserver/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/apimachinery/pkg,https://github.com/kubernetes/apimachinery/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/apimachinery/third_party/forked/golang,https://github.com/kubernetes/apimachinery/blob/v0.26.0/third_party/forked/golang/LICENSE,BSD-3-Clause
+k8s.io/apiserver,https://github.com/kubernetes/apiserver/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/cli-runtime/pkg,https://github.com/kubernetes/cli-runtime/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/client-go,https://github.com/kubernetes/client-go/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/client-go/third_party/forked/golang/template,https://github.com/kubernetes/client-go/blob/v0.26.0/third_party/forked/golang/LICENSE,BSD-3-Clause
+k8s.io/component-base,https://github.com/kubernetes/component-base/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/klog/v2,https://github.com/kubernetes/klog/blob/v2.80.1/LICENSE,Apache-2.0
+k8s.io/kms/apis,https://github.com/kubernetes/kms/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/kube-aggregator/pkg/apis/apiregistration,https://github.com/kubernetes/kube-aggregator/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/kube-openapi/pkg,https://github.com/kubernetes/kube-openapi/blob/f3cff1453715/LICENSE,Apache-2.0
+k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json,https://github.com/kubernetes/kube-openapi/blob/f3cff1453715/pkg/internal/third_party/go-json-experiment/json/LICENSE,BSD-3-Clause
+k8s.io/kube-openapi/pkg/validation/spec,https://github.com/kubernetes/kube-openapi/blob/f3cff1453715/pkg/validation/spec/LICENSE,Apache-2.0
+k8s.io/kubectl/pkg,https://github.com/kubernetes/kubectl/blob/v0.26.0/LICENSE,Apache-2.0
+k8s.io/utils,https://github.com/kubernetes/utils/blob/99ec85e7a448/LICENSE,Apache-2.0
+k8s.io/utils/internal/third_party/forked/golang,https://github.com/kubernetes/utils/blob/99ec85e7a448/internal/third_party/forked/golang/LICENSE,BSD-3-Clause
+oras.land/oras-go/pkg,https://github.com/oras-project/oras-go/blob/v1.2.0/LICENSE,Apache-2.0
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client,https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/konnectivity-client/v0.0.33/konnectivity-client/LICENSE,Apache-2.0
+sigs.k8s.io/controller-runtime,https://github.com/kubernetes-sigs/controller-runtime/blob/v0.14.0/LICENSE,Apache-2.0
+sigs.k8s.io/gateway-api,https://github.com/kubernetes-sigs/gateway-api/blob/v0.5.0/LICENSE,Apache-2.0
+sigs.k8s.io/json,https://github.com/kubernetes-sigs/json/blob/f223a00ba0e2/LICENSE,Apache-2.0
+sigs.k8s.io/kustomize/api,https://github.com/kubernetes-sigs/kustomize/blob/api/v0.12.1/api/LICENSE,Apache-2.0
+sigs.k8s.io/kustomize/kyaml,https://github.com/kubernetes-sigs/kustomize/blob/kyaml/v0.13.9/kyaml/LICENSE,Apache-2.0
+sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/go-yaml/yaml,https://github.com/kubernetes-sigs/kustomize/blob/kyaml/v0.13.9/kyaml/internal/forked/github.com/go-yaml/yaml/LICENSE,MIT
+sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/qri-io/starlib/util,https://github.com/kubernetes-sigs/kustomize/blob/kyaml/v0.13.9/kyaml/internal/forked/github.com/qri-io/starlib/util/LICENSE,MIT
+sigs.k8s.io/structured-merge-diff/v4,https://github.com/kubernetes-sigs/structured-merge-diff/blob/v4.2.3/LICENSE,Apache-2.0
+sigs.k8s.io/yaml,https://github.com/kubernetes-sigs/yaml/blob/v1.3.0/LICENSE,MIT
+software.sslmate.com/src/go-pkcs12,https://github.com/SSLMate/go-pkcs12/blob/v0.2.0/LICENSE,BSD-3-Clause
diff --git a/go.mod b/go.mod
index b80a6462317..0d111383396 100644
--- a/go.mod
+++ b/go.mod
@@ -23,8 +23,8 @@ require (
github.com/miekg/dns v1.1.50
github.com/mitchellh/go-homedir v1.1.0
github.com/munnerz/crd-schema-fuzz v1.0.0
- github.com/onsi/ginkgo/v2 v2.4.0
- github.com/onsi/gomega v1.23.0
+ github.com/onsi/ginkgo/v2 v2.6.0
+ github.com/onsi/gomega v1.24.1
github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.14.0
@@ -52,7 +52,7 @@ require (
k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715
k8s.io/kubectl v0.26.0
k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
- sigs.k8s.io/controller-runtime v0.13.1
+ sigs.k8s.io/controller-runtime v0.14.0
sigs.k8s.io/controller-tools v0.10.0
sigs.k8s.io/gateway-api v0.5.0
sigs.k8s.io/structured-merge-diff/v4 v4.2.3
@@ -227,13 +227,13 @@ require (
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.6.0 // indirect
- go.uber.org/zap v1.21.0 // indirect
+ go.uber.org/zap v1.24.0 // indirect
golang.org/x/mod v0.6.0 // indirect
golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
golang.org/x/sys v0.3.0 // indirect
golang.org/x/term v0.3.0 // indirect
golang.org/x/text v0.5.0 // indirect
- golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
+ golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.2.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
diff --git a/go.sum b/go.sum
index 16ae9f7218f..1793287c8a7 100644
--- a/go.sum
+++ b/go.sum
@@ -151,7 +151,6 @@ github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:o
github.com/aws/aws-sdk-go v1.44.105 h1:UUwoD1PRKIj3ltrDUYTDQj5fOTK3XsnqolLpRTMmSEM=
github.com/aws/aws-sdk-go v1.44.105/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -791,12 +790,12 @@ github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs=
-github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo=
+github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc=
+github.com/onsi/ginkgo/v2 v2.6.0/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys=
-github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
+github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E=
+github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec=
@@ -1039,15 +1038,14 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8=
-go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
+go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
+go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1322,8 +1320,8 @@ golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxb
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U=
-golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1695,8 +1693,8 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33 h1:LYqFq+6Cj2D0gFfrJvL7iElD4ET6ir3VDdhDdTK7rgc=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33/go.mod h1:soWkSNf2tZC7aMibXEqVhCd73GOY5fJikn8qbdzemB0=
-sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg=
-sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI=
+sigs.k8s.io/controller-runtime v0.14.0 h1:ju2xsov5Ara6FoQuddg+az+rAxsUsTYn2IYyEKCTyDc=
+sigs.k8s.io/controller-runtime v0.14.0/go.mod h1:GaRkrY8a7UZF0kqFFbUKG7n9ICiTY5T55P1RiE3UZlU=
sigs.k8s.io/controller-tools v0.10.0 h1:0L5DTDTFB67jm9DkfrONgTGmfc/zYow0ZaHyppizU2U=
sigs.k8s.io/controller-tools v0.10.0/go.mod h1:uvr0EW6IsprfB0jpQq6evtKy+hHyHCXNfdWI5ONPx94=
sigs.k8s.io/gateway-api v0.5.0 h1:ze+k9fJqvmL8s1t3e4q1ST8RnN+f09dEv+gfacahlAE=
From f68693bb6ac9ab5a6d6a14ab8028f88c632874d2 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Thu, 15 Dec 2022 11:35:58 +0000
Subject: [PATCH 0072/1253] change wording on descriptions for Vault and TPP
'CABundle' fields
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.
Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.
Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large.
Signed-off-by: Ashley Davis
---
deploy/crds/crd-clusterissuers.yaml | 6 +--
deploy/crds/crd-issuers.yaml | 6 +--
internal/apis/certmanager/types_issuer.go | 31 +++++++-------
.../apis/certmanager/v1alpha2/types_issuer.go | 31 +++++++-------
.../apis/certmanager/v1alpha3/types_issuer.go | 31 +++++++-------
.../apis/certmanager/v1beta1/types_issuer.go | 31 +++++++-------
.../apis/certmanager/validation/issuer.go | 41 +++++++++++++++----
.../certmanager/validation/issuer_test.go | 6 +--
pkg/apis/certmanager/v1/types_issuer.go | 31 +++++++-------
test/e2e/suite/issuers/vault/issuer.go | 3 +-
10 files changed, 117 insertions(+), 100 deletions(-)
diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml
index 91b8f3d8259..a500e82f9d0 100644
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@@ -1156,11 +1156,11 @@ spec:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
caBundle:
- description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection.
+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
type: string
format: byte
caBundleSecretRef:
- description: CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+ description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
type: object
required:
- name
@@ -1215,7 +1215,7 @@ spec:
- url
properties:
caBundle:
- description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
type: string
format: byte
credentialsRef:
diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml
index 1fe2570d2a9..bf1f83483ec 100644
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@@ -1156,11 +1156,11 @@ spec:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
caBundle:
- description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection.
+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
type: string
format: byte
caBundleSecretRef:
- description: CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+ description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
type: object
required:
- name
@@ -1215,7 +1215,7 @@ spec:
- url
properties:
caBundle:
- description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
type: string
format: byte
credentialsRef:
diff --git a/internal/apis/certmanager/types_issuer.go b/internal/apis/certmanager/types_issuer.go
index 786a52d14fd..606b7441373 100644
--- a/internal/apis/certmanager/types_issuer.go
+++ b/internal/apis/certmanager/types_issuer.go
@@ -137,12 +137,10 @@ type VenafiTPP struct {
// The secret must contain two keys, 'username' and 'password'.
CredentialsRef cmmeta.LocalObjectReference
- // CABundle is a PEM encoded TLS certificate to use to verify connections to
- // the TPP instance.
- // If specified, system roots will not be used and the issuing CA for the
- // TPP instance must be verifiable using the provided root.
- // If not specified, the connection will be verified using the cert-manager
- // system root certificates.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+ // If undefined, the certificate bundle in the cert-manager controller container
+ // is used to validate the chain.
CABundle []byte
}
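Review bot: The replacement comment on CABundle no longer begins with the field name, which the previous comment did and which Go doc convention (and the usual linters) expect for exported identifiers; the same applies to the CABundle and CABundleSecretRef comments in the VaultIssuer hunk below and to the mirrored edits in the v1alpha2, v1alpha3, v1beta1 and pkg/apis v1 copies of types_issuer.go. Since the CRD descriptions appear to be generated from these comments, keeping the prefix changes nothing else, e.g. `// CABundle is a base64-encoded bundle of PEM CAs which will be used to validate the certificate`. Note also that on the Go field itself the bytes are the decoded PEM; base64 is the JSON/YAML serialization of `[]byte`, so "Base64-encoded" describes the wire form rather than the field's contents, which is worth one clause in the comment. The VenafiTPP struct starts outside this hunk.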
@@ -182,19 +180,20 @@ type VaultIssuer struct {
// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
Namespace string
- // PEM-encoded CA bundle (base64-encoded) used to validate Vault server
- // certificate. Only used if the Server URL is using HTTPS protocol. This
- // parameter is ignored for plain HTTP protocol connection. If not set the
- // system root certificates are used to validate the TLS connection.
- // Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined,
- // the cert-manager controller system root certificates are used to validate the TLS connection.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by Vault. Only used if using HTTPS to connect to Vault and
+ // ignored for HTTP connections.
+ // Mutually exclusive with CABundleSecretRef.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// +optional
CABundle []byte
- // CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when
- // connecting to Vault when using HTTPS.
- // Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager
- // controller system root certificates are used to validate the TLS connection.
+ // Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+ // verifying the certificate chain presented by Vault when using HTTPS.
+ // Mutually exclusive with CABundle.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
// +optional
CABundleSecretRef *cmmeta.SecretKeySelector
diff --git a/internal/apis/certmanager/v1alpha2/types_issuer.go b/internal/apis/certmanager/v1alpha2/types_issuer.go
index 90893c1cf48..aedc5bd3412 100644
--- a/internal/apis/certmanager/v1alpha2/types_issuer.go
+++ b/internal/apis/certmanager/v1alpha2/types_issuer.go
@@ -150,12 +150,10 @@ type VenafiTPP struct {
// The secret must contain two keys, 'username' and 'password'.
CredentialsRef cmmeta.LocalObjectReference `json:"credentialsRef"`
- // CABundle is a PEM encoded TLS certificate to use to verify connections to
- // the TPP instance.
- // If specified, system roots will not be used and the issuing CA for the
- // TPP instance must be verifiable using the provided root.
- // If not specified, the connection will be verified using the cert-manager
- // system root certificates.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+ // If undefined, the certificate bundle in the cert-manager controller container
+ // is used to validate the chain.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
}
@@ -199,19 +197,20 @@ type VaultIssuer struct {
// +optional
Namespace string `json:"namespace,omitempty"`
- // PEM-encoded CA bundle (base64-encoded) used to validate Vault server
- // certificate. Only used if the Server URL is using HTTPS protocol. This
- // parameter is ignored for plain HTTP protocol connection. If not set the
- // system root certificates are used to validate the TLS connection.
- // Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined,
- // the cert-manager controller system root certificates are used to validate the TLS connection.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by Vault. Only used if using HTTPS to connect to Vault and
+ // ignored for HTTP connections.
+ // Mutually exclusive with CABundleSecretRef.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
- // CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when
- // connecting to Vault when using HTTPS.
- // Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager
- // controller system root certificates are used to validate the TLS connection.
+ // Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+ // verifying the certificate chain presented by Vault when using HTTPS.
+ // Mutually exclusive with CABundle.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
// +optional
CABundleSecretRef *cmmeta.SecretKeySelector `json:"caBundleSecretRef,omitempty"`
diff --git a/internal/apis/certmanager/v1alpha3/types_issuer.go b/internal/apis/certmanager/v1alpha3/types_issuer.go
index 29ccd7ac599..ead9f921a8a 100644
--- a/internal/apis/certmanager/v1alpha3/types_issuer.go
+++ b/internal/apis/certmanager/v1alpha3/types_issuer.go
@@ -150,12 +150,10 @@ type VenafiTPP struct {
// The secret must contain two keys, 'username' and 'password'.
CredentialsRef cmmeta.LocalObjectReference `json:"credentialsRef"`
- // CABundle is a PEM encoded TLS certificate to use to verify connections to
- // the TPP instance.
- // If specified, system roots will not be used and the issuing CA for the
- // TPP instance must be verifiable using the provided root.
- // If not specified, the connection will be verified using the cert-manager
- // system root certificates.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+ // If undefined, the certificate bundle in the cert-manager controller container
+ // is used to validate the chain.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
}
@@ -199,19 +197,20 @@ type VaultIssuer struct {
// +optional
Namespace string `json:"namespace,omitempty"`
- // PEM-encoded CA bundle (base64-encoded) used to validate Vault server
- // certificate. Only used if the Server URL is using HTTPS protocol. This
- // parameter is ignored for plain HTTP protocol connection. If not set the
- // system root certificates are used to validate the TLS connection.
- // Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined,
- // the cert-manager controller system root certificates are used to validate the TLS connection.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by Vault. Only used if using HTTPS to connect to Vault and
+ // ignored for HTTP connections.
+ // Mutually exclusive with CABundleSecretRef.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
- // CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when
- // connecting to Vault when using HTTPS.
- // Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager
- // controller system root certificates are used to validate the TLS connection.
+ // Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+ // verifying the certificate chain presented by Vault when using HTTPS.
+ // Mutually exclusive with CABundle.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
// +optional
CABundleSecretRef *cmmeta.SecretKeySelector `json:"caBundleSecretRef,omitempty"`
diff --git a/internal/apis/certmanager/v1beta1/types_issuer.go b/internal/apis/certmanager/v1beta1/types_issuer.go
index baec4fdcaf0..091ae1adc69 100644
--- a/internal/apis/certmanager/v1beta1/types_issuer.go
+++ b/internal/apis/certmanager/v1beta1/types_issuer.go
@@ -152,12 +152,10 @@ type VenafiTPP struct {
// The secret must contain two keys, 'username' and 'password'.
CredentialsRef cmmeta.LocalObjectReference `json:"credentialsRef"`
- // CABundle is a PEM encoded TLS certificate to use to verify connections to
- // the TPP instance.
- // If specified, system roots will not be used and the issuing CA for the
- // TPP instance must be verifiable using the provided root.
- // If not specified, the connection will be verified using the cert-manager
- // system root certificates.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+ // If undefined, the certificate bundle in the cert-manager controller container
+ // is used to validate the chain.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
}
@@ -201,19 +199,20 @@ type VaultIssuer struct {
// +optional
Namespace string `json:"namespace,omitempty"`
- // PEM-encoded CA bundle (base64-encoded) used to validate Vault server
- // certificate. Only used if the Server URL is using HTTPS protocol. This
- // parameter is ignored for plain HTTP protocol connection. If not set the
- // system root certificates are used to validate the TLS connection.
- // Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined,
- // the cert-manager controller system root certificates are used to validate the TLS connection.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by Vault. Only used if using HTTPS to connect to Vault and
+ // ignored for HTTP connections.
+ // Mutually exclusive with CABundleSecretRef.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
- // CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when
- // connecting to Vault when using HTTPS.
- // Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager
- // controller system root certificates are used to validate the TLS connection.
+ // Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+ // verifying the certificate chain presented by Vault when using HTTPS.
+ // Mutually exclusive with CABundle.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
// +optional
CABundleSecretRef *cmmeta.SecretKeySelector `json:"caBundleSecretRef,omitempty"`
diff --git a/internal/apis/certmanager/validation/issuer.go b/internal/apis/certmanager/validation/issuer.go
index 67153fa6a41..6db2f5651d9 100644
--- a/internal/apis/certmanager/validation/issuer.go
+++ b/internal/apis/certmanager/validation/issuer.go
@@ -226,36 +226,40 @@ func ValidateSelfSignedIssuerConfig(iss *certmanager.SelfSignedIssuer, fldPath *
func ValidateVaultIssuerConfig(iss *certmanager.VaultIssuer, fldPath *field.Path) field.ErrorList {
el := field.ErrorList{}
+
if len(iss.Server) == 0 {
el = append(el, field.Required(fldPath.Child("server"), ""))
}
+
if len(iss.Path) == 0 {
el = append(el, field.Required(fldPath.Child("path"), ""))
}
- // check if caBundle is valid
- certs := iss.CABundle
- if len(certs) > 0 {
- caCertPool := x509.NewCertPool()
- ok := caCertPool.AppendCertsFromPEM(certs)
- if !ok {
- el = append(el, field.Invalid(fldPath.Child("caBundle"), "", "Specified CA bundle is invalid"))
+ if len(iss.CABundle) > 0 {
+ if err := validateCABundleNotEmpty(iss.CABundle); err != nil {
+ el = append(el, field.Invalid(fldPath.Child("caBundle"), "", err.Error()))
}
}
if len(iss.CABundle) > 0 && iss.CABundleSecretRef != nil {
- el = append(el, field.Invalid(fldPath.Child("caBundle"), iss.CABundle, "specified caBundle and caBundleSecretRef cannot be used together"))
+ // We don't use iss.CABundle for the "value interface{}" argument to field.Invalid for caBundle
+ // since printing the whole bundle verbatim won't help diagnose any issues
+ el = append(el, field.Invalid(fldPath.Child("caBundle"), "", "specified caBundle and caBundleSecretRef cannot be used together"))
el = append(el, field.Invalid(fldPath.Child("caBundleSecretRef"), iss.CABundleSecretRef.Name, "specified caBundleSecretRef and caBundle cannot be used together"))
}
- return el
// TODO: add validation for Vault authentication types
+
+ return el
}
func ValidateVenafiTPP(tpp *certmanager.VenafiTPP, fldPath *field.Path) (el field.ErrorList) {
if tpp.URL == "" {
el = append(el, field.Required(fldPath.Child("url"), ""))
}
+
+ // TODO: validate CABundle using validateCABundleNotEmpty
+
return el
}
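Review bot: The TODO added to ValidateVenafiTPP leaves tpp.CABundle unvalidated even though validateCABundleNotEmpty now exists in this file and the guard used for the Vault issuer above applies verbatim; a TPP issuer with an unparseable bundle is accepted at admission and presumably only fails later when the connection is attempted, which is the class of problem this commit sets out to make visible earlier. Both ValidateVaultIssuerConfig and ValidateVenafiTPP are fully contained in this hunk. The change below replaces the TODO with the same check, using the same empty value argument so the bundle is not echoed into the error.
```go
func ValidateVenafiTPP(tpp *certmanager.VenafiTPP, fldPath *field.Path) (el field.ErrorList) {
	// … unchanged: url check …

	if len(tpp.CABundle) > 0 {
		if err := validateCABundleNotEmpty(tpp.CABundle); err != nil {
			el = append(el, field.Invalid(fldPath.Child("caBundle"), "", err.Error()))
		}
	}

	return el
}
```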
@@ -500,3 +504,22 @@ func ValidateSecretKeySelector(sks *cmmeta.SecretKeySelector, fldPath *field.Pat
}
return el
}
+
+// validateCABundleNotEmpty performs a soft check on the CA bundle to see if there's at least one
+// valid CA certificate inside.
+// This uses the standard library crypto/x509.CertPool.AppendCertsFromPEM function, which
+// skips over invalid certificates rather than rejecting them.
+func validateCABundleNotEmpty(bundle []byte) error {
+ // TODO: Change this function to actually validate certificates so that invalid certs
+ // are rejected or at least warned on.
+ // For example, something like: https://github.com/cert-manager/trust-manager/blob/21c839ff1128990e049eaf23000a9a8d6716c89e/pkg/util/pem.go#L26-L81
+
+ pool := x509.NewCertPool()
+
+ ok := pool.AppendCertsFromPEM(bundle)
+ if !ok {
+ return fmt.Errorf("cert bundle didn't contain any valid certificates")
+ }
+
+ return nil
+}
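Review bot: `fmt.Errorf` with a constant message and no format verbs should be `errors.New("cert bundle didn't contain any valid certificates")` (assuming `errors` is already imported in this file; otherwise keep `fmt.Errorf` and drop nothing). The doc comment should also spell out the acceptance rule so callers do not over-trust the helper: AppendCertsFromPEM returns true as soon as one PEM "CERTIFICATE" block parses and silently skips the rest, so a bundle mixing one good CA with malformed or mislabelled entries is accepted, and an operator who expects every listed CA to be trusted will only discover the dropped ones when a TLS handshake fails. A sentence such as `// A bundle passes as long as at least one PEM "CERTIFICATE" block parses; malformed or non-certificate blocks are skipped silently, so mixed bundles are accepted.` placed above the TODO would make the limitation explicit where the function is read.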
diff --git a/internal/apis/certmanager/validation/issuer_test.go b/internal/apis/certmanager/validation/issuer_test.go
index e8df884be83..0741567dbc6 100644
--- a/internal/apis/certmanager/validation/issuer_test.go
+++ b/internal/apis/certmanager/validation/issuer_test.go
@@ -88,7 +88,7 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
},
},
errs: []*field.Error{
- field.Invalid(fldPath.Child("caBundle"), caBundle, "specified caBundle and caBundleSecretRef cannot be used together"),
+ field.Invalid(fldPath.Child("caBundle"), "", "specified caBundle and caBundleSecretRef cannot be used together"),
field.Invalid(fldPath.Child("caBundleSecretRef"), "test-secret", "specified caBundleSecretRef and caBundle cannot be used together"),
},
},
@@ -102,14 +102,14 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
field.Required(fldPath.Child("path"), ""),
},
},
- "vault issuer with invalid fields": {
+ "vault issuer with a CA bundle containing no valid certificates": {
spec: &cmapi.VaultIssuer{
Server: "something",
Path: "a/b/c",
CABundle: []byte("invalid"),
},
errs: []*field.Error{
- field.Invalid(fldPath.Child("caBundle"), "", "Specified CA bundle is invalid"),
+ field.Invalid(fldPath.Child("caBundle"), "", "cert bundle didn't contain any valid certificates"),
},
},
}
diff --git a/pkg/apis/certmanager/v1/types_issuer.go b/pkg/apis/certmanager/v1/types_issuer.go
index 363d66920a2..6b708fcc4d5 100644
--- a/pkg/apis/certmanager/v1/types_issuer.go
+++ b/pkg/apis/certmanager/v1/types_issuer.go
@@ -154,12 +154,10 @@ type VenafiTPP struct {
// The secret must contain two keys, 'username' and 'password'.
CredentialsRef cmmeta.LocalObjectReference `json:"credentialsRef"`
- // CABundle is a PEM encoded TLS certificate to use to verify connections to
- // the TPP instance.
- // If specified, system roots will not be used and the issuing CA for the
- // TPP instance must be verifiable using the provided root.
- // If not specified, the connection will be verified using the cert-manager
- // system root certificates.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+ // If undefined, the certificate bundle in the cert-manager controller container
+ // is used to validate the chain.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
}
@@ -203,19 +201,20 @@ type VaultIssuer struct {
// +optional
Namespace string `json:"namespace,omitempty"`
- // PEM-encoded CA bundle (base64-encoded) used to validate Vault server
- // certificate. Only used if the Server URL is using HTTPS protocol. This
- // parameter is ignored for plain HTTP protocol connection. If not set the
- // system root certificates are used to validate the TLS connection.
- // Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined,
- // the cert-manager controller system root certificates are used to validate the TLS connection.
+ // Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+ // chain presented by Vault. Only used if using HTTPS to connect to Vault and
+ // ignored for HTTP connections.
+ // Mutually exclusive with CABundleSecretRef.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
- // CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when
- // connecting to Vault when using HTTPS.
- // Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager
- // controller system root certificates are used to validate the TLS connection.
+ // Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+ // verifying the certificate chain presented by Vault when using HTTPS.
+ // Mutually exclusive with CABundle.
+ // If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+ // the cert-manager controller container is used to validate the TLS connection.
// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
// +optional
CABundleSecretRef *cmmeta.SecretKeySelector `json:"caBundleSecretRef,omitempty"`
diff --git a/test/e2e/suite/issuers/vault/issuer.go b/test/e2e/suite/issuers/vault/issuer.go
index 46ecfad7e4c..8fc30526c06 100644
--- a/test/e2e/suite/issuers/vault/issuer.go
+++ b/test/e2e/suite/issuers/vault/issuer.go
@@ -233,8 +233,7 @@ var _ = framework.CertManagerDescribe("Vault Issuer", func() {
_, err := f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name).Create(context.TODO(), vaultIssuer, metav1.CreateOptions{})
Expect(err).To(HaveOccurred())
Expect(err.Error()).To(ContainSubstring(fmt.Sprintf(
- "spec.vault.caBundle: Invalid value: %#+v: specified caBundle and caBundleSecretRef cannot be used together",
- vault.Details().VaultCA,
+ "spec.vault.caBundle: Invalid value: \"\": specified caBundle and caBundleSecretRef cannot be used together",
)))
Expect(err.Error()).To(ContainSubstring("spec.vault.caBundleSecretRef: Invalid value: \"ca-bundle\": specified caBundleSecretRef and caBundle cannot be used together"))
})
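Review bot: After this change `fmt.Sprintf` is called with a constant string and no arguments, which staticcheck flags as an unnecessary Sprintf; the call can be passed straight to ContainSubstring, `Expect(err.Error()).To(ContainSubstring("spec.vault.caBundle: Invalid value: \"\": specified caBundle and caBundleSecretRef cannot be used together"))`. If this was the only use of `fmt` in the file, the import would then need to go as well, which cannot be confirmed from this hunk. The enclosing test closure starts outside the hunk.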
From c5924f54a1efb07b4f75797c2ca79b5f144ab16d Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Thu, 15 Dec 2022 13:25:39 +0000
Subject: [PATCH 0073/1253] add + use CABundle field for ACME servers in
issuers
Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify, which is a security issue.
This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.
Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.
Signed-off-by: Ashley Davis
---
deploy/crds/crd-clusterissuers.yaml | 6 ++-
deploy/crds/crd-issuers.yaml | 6 ++-
internal/apis/acme/types_issuer.go | 20 ++++++---
.../apis/acme/v1/zz_generated.conversion.go | 2 +
internal/apis/acme/v1alpha2/types_issuer.go | 21 ++++++---
.../acme/v1alpha2/zz_generated.conversion.go | 2 +
.../acme/v1alpha2/zz_generated.deepcopy.go | 5 +++
internal/apis/acme/v1alpha3/types_issuer.go | 21 ++++++---
.../acme/v1alpha3/zz_generated.conversion.go | 2 +
.../acme/v1alpha3/zz_generated.deepcopy.go | 5 +++
internal/apis/acme/v1beta1/types_issuer.go | 21 ++++++---
.../acme/v1beta1/zz_generated.conversion.go | 2 +
.../acme/v1beta1/zz_generated.deepcopy.go | 5 +++
internal/apis/acme/zz_generated.deepcopy.go | 5 +++
.../apis/certmanager/validation/issuer.go | 14 ++++++
.../certmanager/validation/issuer_test.go | 44 +++++++++++++++++++
pkg/acme/accounts/client.go | 43 +++++++++++++-----
pkg/acme/accounts/registry.go | 14 +++---
pkg/apis/acme/v1/types_issuer.go | 21 ++++++---
pkg/apis/acme/v1/zz_generated.deepcopy.go | 5 +++
pkg/issuer/acme/setup.go | 4 +-
21 files changed, 225 insertions(+), 43 deletions(-)
diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml
index a500e82f9d0..1bbe3126354 100644
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@@ -59,6 +59,10 @@ spec:
- privateKeySecretRef
- server
properties:
+ caBundle:
+ description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
+ type: string
+ format: byte
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
@@ -117,7 +121,7 @@ spec:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
skipTLSVerify:
- description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
+ description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
type: boolean
solvers:
description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml
index bf1f83483ec..d8c1dc4a6df 100644
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@@ -59,6 +59,10 @@ spec:
- privateKeySecretRef
- server
properties:
+ caBundle:
+ description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
+ type: string
+ format: byte
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
@@ -117,7 +121,7 @@ spec:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
skipTLSVerify:
- description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
+ description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
type: boolean
solvers:
description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
diff --git a/internal/apis/acme/types_issuer.go b/internal/apis/acme/types_issuer.go
index 2afaaffd471..07d057a6ba7 100644
--- a/internal/apis/acme/types_issuer.go
+++ b/internal/apis/acme/types_issuer.go
@@ -49,12 +49,22 @@ type ACMEIssuer struct {
// "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
PreferredChain string
- // Enables or disables validation of the ACME server TLS certificate.
- // If true, requests to the ACME server will not have their TLS certificate
- // validated (i.e. insecure connections will be allowed).
+ // Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+ // chain presented by the ACME server.
+ // Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
+ CABundle []byte
+
+ // INSECURE: Enables or disables validation of the ACME server TLS certificate.
+ // If true, requests to the ACME server will not have the TLS certificate chain
+ // validated.
+ // Mutually exclusive with CABundle; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
// Only enable this option in development environments.
- // The cert-manager system installed roots will be used to verify connections
- // to the ACME server if this is false.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
// Defaults to false.
SkipTLSVerify bool
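Review bot: The new doc comment on the CABundle field calls it "Base64-encoded", but a Go `[]byte` holds the raw PEM bytes; base64 is only how encoding/json serialises `[]byte` (and the CRD's `format: byte`), and the internal type in this hunk has no JSON tag at all, so the comment describes the wire format rather than the field. Suggest `// CABundle is a PEM-encoded bundle of CA certificates used to validate the certificate chain presented by the ACME server (base64-encoded only in its JSON/YAML representation).` as the opening lines, keeping the mutual-exclusion and fallback sentences that follow. The same wording is copied into the v1alpha2, v1alpha3, v1beta1 and pkg/apis/acme/v1 types_issuer.go hunks, so the fix applies to all five. The ACMEIssuer struct starts and ends outside the hunk.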
diff --git a/internal/apis/acme/v1/zz_generated.conversion.go b/internal/apis/acme/v1/zz_generated.conversion.go
index db6b8bbda9e..719d495745b 100644
--- a/internal/apis/acme/v1/zz_generated.conversion.go
+++ b/internal/apis/acme/v1/zz_generated.conversion.go
@@ -877,6 +877,7 @@ func autoConvert_v1_ACMEIssuer_To_acme_ACMEIssuer(in *v1.ACMEIssuer, out *acme.A
out.Email = in.Email
out.Server = in.Server
out.PreferredChain = in.PreferredChain
+ out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
out.SkipTLSVerify = in.SkipTLSVerify
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
@@ -910,6 +911,7 @@ func autoConvert_acme_ACMEIssuer_To_v1_ACMEIssuer(in *acme.ACMEIssuer, out *v1.A
out.Email = in.Email
out.Server = in.Server
out.PreferredChain = in.PreferredChain
+ out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
out.SkipTLSVerify = in.SkipTLSVerify
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
diff --git a/internal/apis/acme/v1alpha2/types_issuer.go b/internal/apis/acme/v1alpha2/types_issuer.go
index ae4056414c8..a1c7a63d590 100644
--- a/internal/apis/acme/v1alpha2/types_issuer.go
+++ b/internal/apis/acme/v1alpha2/types_issuer.go
@@ -54,12 +54,23 @@ type ACMEIssuer struct {
// +kubebuilder:validation:MaxLength=64
PreferredChain string `json:"preferredChain"`
- // Enables or disables validation of the ACME server TLS certificate.
- // If true, requests to the ACME server will not have their TLS certificate
- // validated (i.e. insecure connections will be allowed).
+ // Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+ // chain presented by the ACME server.
+ // Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
+ // +optional
+ CABundle []byte `json:"caBundle,omitempty"`
+
+ // INSECURE: Enables or disables validation of the ACME server TLS certificate.
+ // If true, requests to the ACME server will not have the TLS certificate chain
+ // validated.
+ // Mutually exclusive with CABundle; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
// Only enable this option in development environments.
- // The cert-manager system installed roots will be used to verify connections
- // to the ACME server if this is false.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
// Defaults to false.
// +optional
SkipTLSVerify bool `json:"skipTLSVerify,omitempty"`
diff --git a/internal/apis/acme/v1alpha2/zz_generated.conversion.go b/internal/apis/acme/v1alpha2/zz_generated.conversion.go
index eb6b15d91bf..75e3246bef7 100644
--- a/internal/apis/acme/v1alpha2/zz_generated.conversion.go
+++ b/internal/apis/acme/v1alpha2/zz_generated.conversion.go
@@ -876,6 +876,7 @@ func autoConvert_v1alpha2_ACMEIssuer_To_acme_ACMEIssuer(in *ACMEIssuer, out *acm
out.Email = in.Email
out.Server = in.Server
out.PreferredChain = in.PreferredChain
+ out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
out.SkipTLSVerify = in.SkipTLSVerify
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
@@ -909,6 +910,7 @@ func autoConvert_acme_ACMEIssuer_To_v1alpha2_ACMEIssuer(in *acme.ACMEIssuer, out
out.Email = in.Email
out.Server = in.Server
out.PreferredChain = in.PreferredChain
+ out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
out.SkipTLSVerify = in.SkipTLSVerify
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
diff --git a/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go b/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go
index 4e6383e64e9..f6bc324cb97 100644
--- a/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go
+++ b/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go
@@ -401,6 +401,11 @@ func (in *ACMEExternalAccountBinding) DeepCopy() *ACMEExternalAccountBinding {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuer) DeepCopyInto(out *ACMEIssuer) {
*out = *in
+ if in.CABundle != nil {
+ in, out := &in.CABundle, &out.CABundle
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
*out = new(ACMEExternalAccountBinding)
diff --git a/internal/apis/acme/v1alpha3/types_issuer.go b/internal/apis/acme/v1alpha3/types_issuer.go
index 01cd63fedfc..bfc6d9dc335 100644
--- a/internal/apis/acme/v1alpha3/types_issuer.go
+++ b/internal/apis/acme/v1alpha3/types_issuer.go
@@ -54,12 +54,23 @@ type ACMEIssuer struct {
// +kubebuilder:validation:MaxLength=64
PreferredChain string `json:"preferredChain"`
- // Enables or disables validation of the ACME server TLS certificate.
- // If true, requests to the ACME server will not have their TLS certificate
- // validated (i.e. insecure connections will be allowed).
+ // Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+ // chain presented by the ACME server.
+ // Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
+ // +optional
+ CABundle []byte `json:"caBundle,omitempty"`
+
+ // INSECURE: Enables or disables validation of the ACME server TLS certificate.
+ // If true, requests to the ACME server will not have the TLS certificate chain
+ // validated.
+ // Mutually exclusive with CABundle; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
// Only enable this option in development environments.
- // The cert-manager system installed roots will be used to verify connections
- // to the ACME server if this is false.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
// Defaults to false.
// +optional
SkipTLSVerify bool `json:"skipTLSVerify,omitempty"`
diff --git a/internal/apis/acme/v1alpha3/zz_generated.conversion.go b/internal/apis/acme/v1alpha3/zz_generated.conversion.go
index b742d30a1dd..92b3785d6d4 100644
--- a/internal/apis/acme/v1alpha3/zz_generated.conversion.go
+++ b/internal/apis/acme/v1alpha3/zz_generated.conversion.go
@@ -876,6 +876,7 @@ func autoConvert_v1alpha3_ACMEIssuer_To_acme_ACMEIssuer(in *ACMEIssuer, out *acm
out.Email = in.Email
out.Server = in.Server
out.PreferredChain = in.PreferredChain
+ out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
out.SkipTLSVerify = in.SkipTLSVerify
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
@@ -909,6 +910,7 @@ func autoConvert_acme_ACMEIssuer_To_v1alpha3_ACMEIssuer(in *acme.ACMEIssuer, out
out.Email = in.Email
out.Server = in.Server
out.PreferredChain = in.PreferredChain
+ out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
out.SkipTLSVerify = in.SkipTLSVerify
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
diff --git a/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go b/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go
index 025daa0e599..4ec73b3f06f 100644
--- a/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go
+++ b/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go
@@ -401,6 +401,11 @@ func (in *ACMEExternalAccountBinding) DeepCopy() *ACMEExternalAccountBinding {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuer) DeepCopyInto(out *ACMEIssuer) {
*out = *in
+ if in.CABundle != nil {
+ in, out := &in.CABundle, &out.CABundle
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
*out = new(ACMEExternalAccountBinding)
diff --git a/internal/apis/acme/v1beta1/types_issuer.go b/internal/apis/acme/v1beta1/types_issuer.go
index aeddaf4807f..b0c58d8b7b6 100644
--- a/internal/apis/acme/v1beta1/types_issuer.go
+++ b/internal/apis/acme/v1beta1/types_issuer.go
@@ -54,12 +54,23 @@ type ACMEIssuer struct {
// +kubebuilder:validation:MaxLength=64
PreferredChain string `json:"preferredChain"`
- // Enables or disables validation of the ACME server TLS certificate.
- // If true, requests to the ACME server will not have their TLS certificate
- // validated (i.e. insecure connections will be allowed).
+ // Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+ // chain presented by the ACME server.
+ // Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
+ // +optional
+ CABundle []byte `json:"caBundle,omitempty"`
+
+ // INSECURE: Enables or disables validation of the ACME server TLS certificate.
+ // If true, requests to the ACME server will not have the TLS certificate chain
+ // validated.
+ // Mutually exclusive with CABundle; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
// Only enable this option in development environments.
- // The cert-manager system installed roots will be used to verify connections
- // to the ACME server if this is false.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
// Defaults to false.
// +optional
SkipTLSVerify bool `json:"skipTLSVerify,omitempty"`
diff --git a/internal/apis/acme/v1beta1/zz_generated.conversion.go b/internal/apis/acme/v1beta1/zz_generated.conversion.go
index ba4dad5c71a..545773bd084 100644
--- a/internal/apis/acme/v1beta1/zz_generated.conversion.go
+++ b/internal/apis/acme/v1beta1/zz_generated.conversion.go
@@ -876,6 +876,7 @@ func autoConvert_v1beta1_ACMEIssuer_To_acme_ACMEIssuer(in *ACMEIssuer, out *acme
out.Email = in.Email
out.Server = in.Server
out.PreferredChain = in.PreferredChain
+ out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
out.SkipTLSVerify = in.SkipTLSVerify
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
@@ -909,6 +910,7 @@ func autoConvert_acme_ACMEIssuer_To_v1beta1_ACMEIssuer(in *acme.ACMEIssuer, out
out.Email = in.Email
out.Server = in.Server
out.PreferredChain = in.PreferredChain
+ out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
out.SkipTLSVerify = in.SkipTLSVerify
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
diff --git a/internal/apis/acme/v1beta1/zz_generated.deepcopy.go b/internal/apis/acme/v1beta1/zz_generated.deepcopy.go
index 7d1a4046041..30e116660a3 100644
--- a/internal/apis/acme/v1beta1/zz_generated.deepcopy.go
+++ b/internal/apis/acme/v1beta1/zz_generated.deepcopy.go
@@ -401,6 +401,11 @@ func (in *ACMEExternalAccountBinding) DeepCopy() *ACMEExternalAccountBinding {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuer) DeepCopyInto(out *ACMEIssuer) {
*out = *in
+ if in.CABundle != nil {
+ in, out := &in.CABundle, &out.CABundle
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
*out = new(ACMEExternalAccountBinding)
diff --git a/internal/apis/acme/zz_generated.deepcopy.go b/internal/apis/acme/zz_generated.deepcopy.go
index 18091b2bb88..ce44a31d28c 100644
--- a/internal/apis/acme/zz_generated.deepcopy.go
+++ b/internal/apis/acme/zz_generated.deepcopy.go
@@ -401,6 +401,11 @@ func (in *ACMEExternalAccountBinding) DeepCopy() *ACMEExternalAccountBinding {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuer) DeepCopyInto(out *ACMEIssuer) {
*out = *in
+ if in.CABundle != nil {
+ in, out := &in.CABundle, &out.CABundle
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
*out = new(ACMEExternalAccountBinding)
diff --git a/internal/apis/certmanager/validation/issuer.go b/internal/apis/certmanager/validation/issuer.go
index 6db2f5651d9..3a1fcf20829 100644
--- a/internal/apis/certmanager/validation/issuer.go
+++ b/internal/apis/certmanager/validation/issuer.go
@@ -105,10 +105,24 @@ func ValidateIssuerConfig(iss *certmanager.IssuerConfig, fldPath *field.Path) (f
func ValidateACMEIssuerConfig(iss *cmacme.ACMEIssuer, fldPath *field.Path) (field.ErrorList, []string) {
var warnings []string
+
el := field.ErrorList{}
+
+ if len(iss.CABundle) > 0 && iss.SkipTLSVerify {
+ el = append(el, field.Invalid(fldPath.Child("caBundle"), "", "caBundle and skipTLSVerify are mutually exclusive and cannot both be set"))
+ el = append(el, field.Invalid(fldPath.Child("skipTLSVerify"), iss.SkipTLSVerify, "caBundle and skipTLSVerify are mutually exclusive and cannot both be set"))
+ }
+
+ if len(iss.CABundle) > 0 {
+ if err := validateCABundleNotEmpty(iss.CABundle); err != nil {
+ el = append(el, field.Invalid(fldPath.Child("caBundle"), "", err.Error()))
+ }
+ }
+
if len(iss.PrivateKey.Name) == 0 {
el = append(el, field.Required(fldPath.Child("privateKeySecretRef", "name"), "private key secret name is a required field"))
}
+
if len(iss.Server) == 0 {
el = append(el, field.Required(fldPath.Child("server"), "acme server URL is a required field"))
}
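Review bot: The two `field.Invalid(fldPath.Child("caBundle"), "", ...)` calls pass an empty value where the neighbouring skipTLSVerify error passes the real value, and nothing says why; a later reader may "fix" the inconsistency by passing `iss.CABundle`, which would echo the whole bundle into every validation error and event. Suggest a comment above the first one: `// Pass "" rather than the bundle itself so the PEM is not echoed into the error message.` `validateCABundleNotEmpty` is defined outside this hunk; the accompanying test expects "cert bundle didn't contain any valid certificates" from it, so the helper appears to parse the PEM rather than merely check for emptiness, and a name like `validateCABundleHasCertificates` would describe that better. ValidateACMEIssuerConfig's body continues past the hunk.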
diff --git a/internal/apis/certmanager/validation/issuer_test.go b/internal/apis/certmanager/validation/issuer_test.go
index 0741567dbc6..544f759ec61 100644
--- a/internal/apis/certmanager/validation/issuer_test.go
+++ b/internal/apis/certmanager/validation/issuer_test.go
@@ -132,6 +132,12 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
func TestValidateACMEIssuerConfig(t *testing.T) {
fldPath := field.NewPath("")
+
+ caBundle := unitcrypto.MustCreateCryptoBundle(t,
+ &pubcmapi.Certificate{Spec: pubcmapi.CertificateSpec{CommonName: "test"}},
+ clock.RealClock{},
+ ).CertBytes
+
scenarios := map[string]struct {
spec *cmacme.ACMEIssuer
errs []*field.Error
@@ -147,6 +153,44 @@ func TestValidateACMEIssuerConfig(t *testing.T) {
field.Required(fldPath.Child("server"), "acme server URL is a required field"),
},
},
+ "acme issuer with an invalid CA bundle": {
+ spec: &cmacme.ACMEIssuer{
+ Email: "valid-email",
+ Server: "valid-server",
+ CABundle: []byte("abc123"),
+ PrivateKey: validSecretKeyRef,
+ Solvers: []cmacme.ACMEChallengeSolver{
+ {
+ DNS01: &cmacme.ACMEChallengeSolverDNS01{
+ CloudDNS: &validCloudDNSProvider,
+ },
+ },
+ },
+ },
+ errs: []*field.Error{
+ field.Invalid(fldPath.Child("caBundle"), "", "cert bundle didn't contain any valid certificates"),
+ },
+ },
+ "acme issuer with both a CA bundle and SkipTLSVerify": {
+ spec: &cmacme.ACMEIssuer{
+ Email: "valid-email",
+ Server: "valid-server",
+ CABundle: caBundle,
+ SkipTLSVerify: true,
+ PrivateKey: validSecretKeyRef,
+ Solvers: []cmacme.ACMEChallengeSolver{
+ {
+ DNS01: &cmacme.ACMEChallengeSolverDNS01{
+ CloudDNS: &validCloudDNSProvider,
+ },
+ },
+ },
+ },
+ errs: []*field.Error{
+ field.Invalid(fldPath.Child("caBundle"), "", "caBundle and skipTLSVerify are mutually exclusive and cannot both be set"),
+ field.Invalid(fldPath.Child("skipTLSVerify"), true, "caBundle and skipTLSVerify are mutually exclusive and cannot both be set"),
+ },
+ },
"acme solver without any config": {
spec: &cmacme.ACMEIssuer{
Email: "valid-email",
diff --git a/pkg/acme/accounts/client.go b/pkg/acme/accounts/client.go
index b11f87b048e..d15d5b76d76 100644
--- a/pkg/acme/accounts/client.go
+++ b/pkg/acme/accounts/client.go
@@ -19,6 +19,7 @@ package accounts
import (
"crypto/rsa"
"crypto/tls"
+ "crypto/x509"
"net"
"net/http"
"time"
@@ -55,15 +56,36 @@ func NewClient(client *http.Client, config cmacme.ACMEIssuer, privateKey *rsa.Pr
})
}
-// BuildHTTPClient returns a instrumented HTTP client to be used by the ACME
-// client.
-// For the time being, we construct a new HTTP client on each invocation.
-// This is because we need to set the 'skipTLSVerify' flag on the HTTP client
-// itself.
-// In future, we may change to having two global HTTP clients - one that ignores
-// TLS connection errors, and the other that does not.
+// BuildHTTPClient returns a instrumented HTTP client to be used by an ACME client.
+// For the time being, we construct a new HTTP client on each invocation, because we need
+// to set the 'skipTLSVerify' flag on the HTTP client itself distinct from the ACME client
func BuildHTTPClient(metrics *metrics.Metrics, skipTLSVerify bool) *http.Client {
- return acmecl.NewInstrumentedClient(metrics,
+ return BuildHTTPClientWithCABundle(metrics, skipTLSVerify, nil)
+}
+
+// BuildHTTPClientWithCABundle returns a instrumented HTTP client to be used by an ACME
+// client, with an optional custom CA bundle set.
+// For the time being, we construct a new HTTP client on each invocation, because we need
+// to set the 'skipTLSVerify' flag and the CA bundle on the HTTP client itself, distinct
+// from the ACME client
+func BuildHTTPClientWithCABundle(metrics *metrics.Metrics, skipTLSVerify bool, caBundle []byte) *http.Client {
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: skipTLSVerify,
+ }
+
+ // len also checks if the bundle is nil
+ if len(caBundle) > 0 {
+ pool := x509.NewCertPool()
+
+ // We only want tlsConfig.RootCAs to be non-nil if we added at least one custom
+ // CA to "pool".
+ if ok := pool.AppendCertsFromPEM(caBundle); ok {
+ tlsConfig.RootCAs = pool
+ }
+ }
+
+ return acmecl.NewInstrumentedClient(
+ metrics,
&http.Client{
Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
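Review bot: When `pool.AppendCertsFromPEM(caBundle)` returns false the new code leaves `tlsConfig.RootCAs` nil, so an issuer that explicitly pinned a CA bundle silently talks to the ACME server using the container's system roots instead; the admission validation in this commit rejects such bundles, but a client builder that quietly downgrades the trust anchors it was asked for is still a defect, and objects that reach Setup without going through the webhook would never learn their bundle was ignored. I would have BuildHTTPClientWithCABundle return `(*http.Client, error)` and fail when no certificate could be parsed, with BuildHTTPClient and the setup.go call site propagating the error (this needs the `errors` import in client.go if it is not already there). The doc comments on both functions also read "returns a instrumented" — `an instrumented`. The function body continues into the next hunk.
```go
func BuildHTTPClientWithCABundle(metrics *metrics.Metrics, skipTLSVerify bool, caBundle []byte) (*http.Client, error) {
	tlsConfig := &tls.Config{
		InsecureSkipVerify: skipTLSVerify,
	}

	// len also checks if the bundle is nil
	if len(caBundle) > 0 {
		pool := x509.NewCertPool()
		// A bundle that yields no certificate must not silently degrade to the
		// system roots: that is not the trust anchor the issuer asked for.
		if !pool.AppendCertsFromPEM(caBundle) {
			return nil, errors.New("caBundle does not contain any valid PEM-encoded certificates")
		}
		tlsConfig.RootCAs = pool
	}

	// … unchanged: acmecl.NewInstrumentedClient(metrics, &http.Client{…}) construction, now returned together with a nil error …
```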
@@ -71,12 +93,13 @@ func BuildHTTPClient(metrics *metrics.Metrics, skipTLSVerify bool) *http.Client
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).DialContext,
- TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
+ TLSClientConfig: tlsConfig,
MaxIdleConns: 100,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
},
Timeout: defaultACMEHTTPTimeout,
- })
+ },
+ )
}
diff --git a/pkg/acme/accounts/registry.go b/pkg/acme/accounts/registry.go
index 44dfa5471ce..0767035381a 100644
--- a/pkg/acme/accounts/registry.go
+++ b/pkg/acme/accounts/registry.go
@@ -35,7 +35,7 @@ var ErrNotFound = errors.New("ACME client for issuer not initialised/available")
type Registry interface {
// AddClient will ensure the registry has a stored ACME client for the Issuer
// object with the given UID, configuration and private key.
- AddClient(client *http.Client, uid string, config cmacme.ACMEIssuer, privateKey *rsa.PrivateKey, userAgent string)
+ AddClient(httpClient *http.Client, uid string, config cmacme.ACMEIssuer, privateKey *rsa.PrivateKey, userAgent string)
// RemoveClient will remove a registered client using the UID of the Issuer
// resource that constructed it.
@@ -82,6 +82,7 @@ type stableOptions struct {
issuerUID string
publicKey string
exponent int
+ caBundle string
}
func (c stableOptions) equalTo(c2 stableOptions) bool {
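Review bot: Adding `caBundle` to stableOptions only invalidates the cached ACME client if `equalTo` actually compares it, and the body of `equalTo` is outside this hunk; if it compares fields one by one rather than using struct equality, a changed bundle would be silently ignored and the old client kept. Worth confirming, and worth a comment on the new field such as `// caBundle is part of the identity so that a changed bundle forces a new client.` Storing the entire PEM bundle as a string in the cache key works but keeps a copy of it per issuer; a digest would be lighter if that ever matters. The stableOptions struct starts outside the hunk.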
@@ -97,6 +98,7 @@ func newStableOptions(uid string, config cmacme.ACMEIssuer, privateKey *rsa.Priv
issuerUID: uid,
publicKey: string(publicNBytes),
exponent: privateKey.PublicKey.E,
+ caBundle: string(config.CABundle),
}
}
@@ -110,9 +112,9 @@ type clientWithMeta struct {
// AddClient will ensure the registry has a stored ACME client for the Issuer
// object with the given UID, configuration and private key.
-func (r *registry) AddClient(client *http.Client, uid string, config cmacme.ACMEIssuer, privateKey *rsa.PrivateKey, userAgent string) {
+func (r *registry) AddClient(httpClient *http.Client, uid string, config cmacme.ACMEIssuer, privateKey *rsa.PrivateKey, userAgent string) {
// ensure the client is up to date for the current configuration
- r.ensureClient(client, uid, config, privateKey, userAgent)
+ r.ensureClient(httpClient, uid, config, privateKey, userAgent)
}
// ensureClient will ensure an ACME client with the given parameters is registered.
@@ -120,21 +122,23 @@ func (r *registry) AddClient(client *http.Client, uid string, config cmacme.ACME
// the client will NOT be mutated or replaced, allowing this method to be called
// even if the client does not need replacing/updating without causing issues for
// consumers of the registry.
-func (r *registry) ensureClient(client *http.Client, uid string, config cmacme.ACMEIssuer, privateKey *rsa.PrivateKey, userAgent string) {
+func (r *registry) ensureClient(httpClient *http.Client, uid string, config cmacme.ACMEIssuer, privateKey *rsa.PrivateKey, userAgent string) {
// acquire a read-write lock even if we hit the fast-path where the client
// is already present to avoid having to RLock, RUnlock and Lock again,
// which could itself cause a race
r.lock.Lock()
defer r.lock.Unlock()
+
newOpts := newStableOptions(uid, config, privateKey)
// fast-path if there is nothing to do
if meta, ok := r.clients[uid]; ok && meta.equalTo(newOpts) {
return
}
+
// create a new client if one is not registered or if the
// 'metadata' does not match
r.clients[uid] = clientWithMeta{
- Interface: NewClient(client, config, privateKey, userAgent),
+ Interface: NewClient(httpClient, config, privateKey, userAgent),
stableOptions: newOpts,
}
}
diff --git a/pkg/apis/acme/v1/types_issuer.go b/pkg/apis/acme/v1/types_issuer.go
index 0aa0fd95262..f68db0e9f20 100644
--- a/pkg/apis/acme/v1/types_issuer.go
+++ b/pkg/apis/acme/v1/types_issuer.go
@@ -54,12 +54,23 @@ type ACMEIssuer struct {
// +kubebuilder:validation:MaxLength=64
PreferredChain string `json:"preferredChain"`
- // Enables or disables validation of the ACME server TLS certificate.
- // If true, requests to the ACME server will not have their TLS certificate
- // validated (i.e. insecure connections will be allowed).
+ // Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+ // chain presented by the ACME server.
+ // Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
+ // +optional
+ CABundle []byte `json:"caBundle,omitempty"`
+
+ // INSECURE: Enables or disables validation of the ACME server TLS certificate.
+ // If true, requests to the ACME server will not have the TLS certificate chain
+ // validated.
+ // Mutually exclusive with CABundle; prefer using CABundle to prevent various
+ // kinds of security vulnerabilities.
// Only enable this option in development environments.
- // The cert-manager system installed roots will be used to verify connections
- // to the ACME server if this is false.
+ // If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+ // the container is used to validate the TLS connection.
// Defaults to false.
// +optional
SkipTLSVerify bool `json:"skipTLSVerify,omitempty"`
diff --git a/pkg/apis/acme/v1/zz_generated.deepcopy.go b/pkg/apis/acme/v1/zz_generated.deepcopy.go
index 350445aa73e..fd25aec7314 100644
--- a/pkg/apis/acme/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/acme/v1/zz_generated.deepcopy.go
@@ -401,6 +401,11 @@ func (in *ACMEExternalAccountBinding) DeepCopy() *ACMEExternalAccountBinding {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuer) DeepCopyInto(out *ACMEIssuer) {
*out = *in
+ if in.CABundle != nil {
+ in, out := &in.CABundle, &out.CABundle
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
if in.ExternalAccountBinding != nil {
in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
*out = new(ACMEExternalAccountBinding)
diff --git a/pkg/issuer/acme/setup.go b/pkg/issuer/acme/setup.go
index 4438f767645..a689e62384c 100644
--- a/pkg/issuer/acme/setup.go
+++ b/pkg/issuer/acme/setup.go
@@ -155,7 +155,9 @@ func (a *Acme) Setup(ctx context.Context) error {
// We could therefore move the removing of the client up to the start of
// this function.
a.accountRegistry.RemoveClient(string(a.issuer.GetUID()))
- httpClient := accounts.BuildHTTPClient(a.metrics, a.issuer.GetSpec().ACME.SkipTLSVerify)
+
+ httpClient := accounts.BuildHTTPClientWithCABundle(a.metrics, a.issuer.GetSpec().ACME.SkipTLSVerify, a.issuer.GetSpec().ACME.CABundle)
+
cl := a.clientBuilder(httpClient, *a.issuer.GetSpec().ACME, rsaPk, a.userAgent)
// TODO: perform a complex check to determine whether we need to verify
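Review bot: The new `httpClient :=` line forwards both `SkipTLSVerify` and `CABundle` to `BuildHTTPClientWithCABundle` without checking the combination, although the field documentation added in this same patch declares the two mutually exclusive; whether the builder itself rejects or prioritises one of them is not visible here. A guard before the call makes the contract explicit and surfaces the misconfiguration at Setup time, e.g. `if spec := a.issuer.GetSpec().ACME; spec.SkipTLSVerify && len(spec.CABundle) > 0 { return fmt.Errorf("acme issuer: skipTLSVerify and caBundle are mutually exclusive") }` (assuming `fmt` or `errors` is already imported in setup.go). The two blank lines added around the call are a style choice the surrounding lines do not follow. Setup's body starts and ends outside the hunk.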
From ff6fec9088c82761040e4bdbe95008404b0525be Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Fri, 16 Dec 2022 18:05:00 +0100
Subject: [PATCH 0074/1253] Bumps
[helm.sh/helm/v3](https://github.com/helm/helm) from 3.10.0 to 3.10.3. -
[Release notes](https://github.com/helm/helm/releases) -
[Commits](helm/helm@v3.10.0...v3.10.3)
---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
LICENSES | 2 +-
go.mod | 2 +-
go.sum | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/LICENSES b/LICENSES
index 07dd77eae94..0c1791f9703 100644
--- a/LICENSES
+++ b/LICENSES
@@ -216,7 +216,7 @@ gopkg.in/square/go-jose.v2,https://github.com/square/go-jose/blob/v2.5.1/LICENSE
gopkg.in/square/go-jose.v2/json,https://github.com/square/go-jose/blob/v2.5.1/json/LICENSE,BSD-3-Clause
gopkg.in/yaml.v2,https://github.com/go-yaml/yaml/blob/v2.4.0/LICENSE,Apache-2.0
gopkg.in/yaml.v3,https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE,MIT
-helm.sh/helm/v3,https://github.com/helm/helm/blob/v3.10.0/LICENSE,Apache-2.0
+helm.sh/helm/v3,https://github.com/helm/helm/blob/v3.10.3/LICENSE,Apache-2.0
k8s.io/api,https://github.com/kubernetes/api/blob/v0.26.0/LICENSE,Apache-2.0
k8s.io/apiextensions-apiserver/pkg,https://github.com/kubernetes/apiextensions-apiserver/blob/v0.26.0/LICENSE,Apache-2.0
k8s.io/apimachinery/pkg,https://github.com/kubernetes/apimachinery/blob/v0.26.0/LICENSE,Apache-2.0
diff --git a/go.mod b/go.mod
index 0d111383396..9edee3a1d9a 100644
--- a/go.mod
+++ b/go.mod
@@ -38,7 +38,7 @@ require (
golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7
gomodules.xyz/jsonpatch/v2 v2.2.0
google.golang.org/api v0.97.0
- helm.sh/helm/v3 v3.10.0
+ helm.sh/helm/v3 v3.10.3
k8s.io/api v0.26.0
k8s.io/apiextensions-apiserver v0.26.0
k8s.io/apimachinery v0.26.0
diff --git a/go.sum b/go.sum
index 1793287c8a7..2ec57e323cf 100644
--- a/go.sum
+++ b/go.sum
@@ -1631,8 +1631,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
-helm.sh/helm/v3 v3.10.0 h1:y/MYONZ/bsld9kHwqgBX2uPggnUr5hahpjwt9/jrHlI=
-helm.sh/helm/v3 v3.10.0/go.mod h1:paPw0hO5KVfrCMbi1M8+P8xdfBri3IiJiVKATZsFR94=
+helm.sh/helm/v3 v3.10.3 h1:wL7IUZ7Zyukm5Kz0OUmIFZgKHuAgByCrUcJBtY0kDyw=
+helm.sh/helm/v3 v3.10.3/go.mod h1:CXOcs02AYvrlPMWARNYNRgf2rNP7gLJQsi/Ubd4EDrI=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
From 1e419a468f105cf95b2d1fbff84be02d743a43ab Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Thu, 15 Dec 2022 15:21:00 +0000
Subject: [PATCH 0075/1253] Enable + use k8s 1.26 for e2e tests by default
Signed-off-by: Ashley Davis
---
hack/latest-kind-images.sh | 16 ++++++++++++++++
make/cluster.sh | 3 ++-
make/e2e-setup.mk | 2 +-
make/kind_images.sh | 10 ++++++++++
4 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/hack/latest-kind-images.sh b/hack/latest-kind-images.sh
index 6f02dc0290e..30fe1dc8f9a 100755
--- a/hack/latest-kind-images.sh
+++ b/hack/latest-kind-images.sh
@@ -63,6 +63,12 @@ LATEST_123_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_123_TAG)
LATEST_124_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_124_TAG)
LATEST_125_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_125_TAG)
+# k8s 1.26 is manually added for now, pending a wider rethink of how we can automate bumping of kind images
+# given that kind release notes say there are specific digests which should be used with specific kind releases
+
+LATEST_126_TAG=v1.26.0
+LATEST_126_DIGEST=sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
+
cat << EOF > ./make/kind_images.sh
# Copyright 2022 The cert-manager Authors.
#
@@ -87,6 +93,9 @@ KIND_IMAGE_K8S_123=$KIND_IMAGE_REPO@$LATEST_123_DIGEST
KIND_IMAGE_K8S_124=$KIND_IMAGE_REPO@$LATEST_124_DIGEST
KIND_IMAGE_K8S_125=$KIND_IMAGE_REPO@$LATEST_125_DIGEST
+# Manually set - see hack/latest-kind-images.sh for details
+KIND_IMAGE_K8S_126=$KIND_IMAGE_REPO@$LATEST_126_DIGEST
+
# $KIND_IMAGE_REPO:$LATEST_120_TAG
KIND_IMAGE_SHA_K8S_120=$LATEST_120_DIGEST
@@ -105,6 +114,10 @@ KIND_IMAGE_SHA_K8S_124=$LATEST_124_DIGEST
# $KIND_IMAGE_REPO:$LATEST_125_TAG
KIND_IMAGE_SHA_K8S_125=$LATEST_125_DIGEST
+# Manually set - see hack/latest-kind-images.sh for details
+# $KIND_IMAGE_REPO:$LATEST_126_TAG
+KIND_IMAGE_SHA_K8S_126=$LATEST_126_DIGEST
+
# note that these 'full' digests should be avoided since not all tools support them
# prefer KIND_IMAGE_K8S_*** instead
KIND_IMAGE_FULL_K8S_120=$KIND_IMAGE_REPO:$LATEST_120_TAG@$LATEST_120_DIGEST
@@ -114,6 +127,9 @@ KIND_IMAGE_FULL_K8S_123=$KIND_IMAGE_REPO:$LATEST_123_TAG@$LATEST_123_DIGEST
KIND_IMAGE_FULL_K8S_124=$KIND_IMAGE_REPO:$LATEST_124_TAG@$LATEST_124_DIGEST
KIND_IMAGE_FULL_K8S_125=$KIND_IMAGE_REPO:$LATEST_125_TAG@$LATEST_125_DIGEST
+# Manually set - see hack/latest-kind-images.sh for details
+KIND_IMAGE_FULL_K8S_126=$KIND_IMAGE_REPO:$LATEST_126_TAG@$LATEST_126_DIGEST
+
EOF
cat << EOF
diff --git a/make/cluster.sh b/make/cluster.sh
index 5383d135640..af52aa93ed7 100755
--- a/make/cluster.sh
+++ b/make/cluster.sh
@@ -25,7 +25,7 @@ set -e
source ./make/kind_images.sh
mode=kind
-k8s_version=1.25
+k8s_version=1.26
kind_cluster_name=kind
help() {
@@ -110,6 +110,7 @@ case "$k8s_version" in
1.23*) image=$KIND_IMAGE_FULL_K8S_123 ;;
1.24*) image=$KIND_IMAGE_FULL_K8S_124 ;;
1.25*) image=$KIND_IMAGE_FULL_K8S_125 ;;
+1.26*) image=$KIND_IMAGE_FULL_K8S_126 ;;
v*) printf "${red}${redcross}Error${end}: Kubernetes version must be given without the leading 'v'\n" >&2 && exit 1 ;;
*) printf "${red}${redcross}Error${end}: unsupported Kubernetes version ${yel}${k8s_version}${end}\n" >&2 && exit 1 ;;
esac
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index 8ec142ce6b9..fe46378b3f5 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -10,7 +10,7 @@ CRI_ARCH := $(HOST_ARCH)
# TODO: this version is also defaulted in ./make/cluster.sh. Make it so that it
# is set in one place only.
-K8S_VERSION := 1.24
+K8S_VERSION := 1.26
IMAGE_ingressnginx_amd64 := k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:7464dc90abfaa084204176bcc0728f182b0611849395787143f6854dc6c38c85
IMAGE_kyverno_amd64 := ghcr.io/kyverno/kyverno:v1.7.1@sha256:aec4b029660d47aea025336150fdc2822c991f592d5170d754b6acaf158b513e
diff --git a/make/kind_images.sh b/make/kind_images.sh
index 80c4b47353e..09e6de9d3da 100644
--- a/make/kind_images.sh
+++ b/make/kind_images.sh
@@ -21,6 +21,9 @@ KIND_IMAGE_K8S_123=docker.io/kindest/node@sha256:ef453bb7c79f0e3caba88d2067d4196
KIND_IMAGE_K8S_124=docker.io/kindest/node@sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315
KIND_IMAGE_K8S_125=docker.io/kindest/node@sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5
+# Manually set - see hack/latest-kind-images.sh for details
+KIND_IMAGE_K8S_126=docker.io/kindest/node@sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
+
# docker.io/kindest/node:v1.20.15
KIND_IMAGE_SHA_K8S_120=sha256:a32bf55309294120616886b5338f95dd98a2f7231519c7dedcec32ba29699394
@@ -39,6 +42,10 @@ KIND_IMAGE_SHA_K8S_124=sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1
# docker.io/kindest/node:v1.25.3
KIND_IMAGE_SHA_K8S_125=sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5
+# Manually set - see hack/latest-kind-images.sh for details
+# docker.io/kindest/node:v1.26.0
+KIND_IMAGE_SHA_K8S_126=sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
+
# note that these 'full' digests should be avoided since not all tools support them
# prefer KIND_IMAGE_K8S_*** instead
KIND_IMAGE_FULL_K8S_120=docker.io/kindest/node:v1.20.15@sha256:a32bf55309294120616886b5338f95dd98a2f7231519c7dedcec32ba29699394
@@ -48,3 +55,6 @@ KIND_IMAGE_FULL_K8S_123=docker.io/kindest/node:v1.23.13@sha256:ef453bb7c79f0e3ca
KIND_IMAGE_FULL_K8S_124=docker.io/kindest/node:v1.24.7@sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315
KIND_IMAGE_FULL_K8S_125=docker.io/kindest/node:v1.25.3@sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5
+# Manually set - see hack/latest-kind-images.sh for details
+KIND_IMAGE_FULL_K8S_126=docker.io/kindest/node:v1.26.0@sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
+
From 1542ea0492a8b519855605da57272fc5584d1945 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Mon, 19 Dec 2022 17:18:27 +0000
Subject: [PATCH 0076/1253] update SECURITY policy to exclude vuln reports
Signed-off-by: Ashley Davis
---
SECURITY.md | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/SECURITY.md b/SECURITY.md
index f8b6fbacd3a..2f98f02f4d6 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -25,6 +25,24 @@ All that said, **if you're unsure** please reach out using this process before
raising your issue through another channel. We'd rather err on the side of
caution!
+### Explicitly Not Covered: Vulnerability Scanner Reports
+
+We do not accept reports which amount to copy and pasted output from a vulnerability
+scanning tool **unless** work has specifically been done to confirm that a vulnerability
+reported by the tool _actually exists_ in cert-manager or a cert-manager subproject.
+
+We make use of these tools ourselves and try to act on the output they produce; they
+can be useful! We tend to find, however, that when these reports are sent to our security
+mailing list they almost always represent false positives, since these tools tend to check
+for the presence of a library without considering how the library is used in context.
+
+If we receive a report which seems to simply be a vulnerability list from a scanner we
+reserve the right to ignore it.
+
+This applies especially when tools produce vulnerability identifiers which are not publicly
+visible or which are proprietary in some way. We can look up CVEs or other publicly-available
+identifiers for further details, but cannot do the same for proprietary identifiers.
+
## Security Contacts
The people who should have access to read your security report are listed in
From 12e0e0a9eb3a5e853edb39600c5470c325a066c9 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Tue, 20 Dec 2022 11:45:57 +0000
Subject: [PATCH 0077/1253] bump golang.org/x/net version to fix trivy vulns
Signed-off-by: Ashley Davis
---
LICENSES | 2 +-
go.mod | 2 +-
go.sum | 2 ++
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/LICENSES b/LICENSES
index 07dd77eae94..6125aa50179 100644
--- a/LICENSES
+++ b/LICENSES
@@ -196,7 +196,7 @@ go.uber.org/atomic,https://github.com/uber-go/atomic/blob/v1.9.0/LICENSE.txt,MIT
go.uber.org/multierr,https://github.com/uber-go/multierr/blob/v1.6.0/LICENSE.txt,MIT
go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.24.0/LICENSE.txt,MIT
golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/v0.1.0:LICENSE,BSD-3-Clause
-golang.org/x/net,https://cs.opensource.google/go/x/net/+/1e63c2f0:LICENSE,BSD-3-Clause
+golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.4.0:LICENSE,BSD-3-Clause
golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/f2134210:LICENSE,BSD-3-Clause
golang.org/x/sync,https://cs.opensource.google/go/x/sync/+/7f9b1623:LICENSE,BSD-3-Clause
golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/v0.3.0:LICENSE,BSD-3-Clause
diff --git a/go.mod b/go.mod
index 0d111383396..bbf78909345 100644
--- a/go.mod
+++ b/go.mod
@@ -229,7 +229,7 @@ require (
go.uber.org/multierr v1.6.0 // indirect
go.uber.org/zap v1.24.0 // indirect
golang.org/x/mod v0.6.0 // indirect
- golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
+ golang.org/x/net v0.4.0 // indirect
golang.org/x/sys v0.3.0 // indirect
golang.org/x/term v0.3.0 // indirect
golang.org/x/text v0.5.0 // indirect
diff --git a/go.sum b/go.sum
index 1793287c8a7..67b3a89081c 100644
--- a/go.sum
+++ b/go.sum
@@ -1169,6 +1169,8 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 h1:Frnccbp+ok2GkUS2tC84yAq/U9Vg+0sIO7aRL3T4Xnc=
golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
+golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
From 2eef0dad06071ed08910d3bbfcc7809be593cde0 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Thu, 15 Dec 2022 12:47:07 +0000
Subject: [PATCH 0078/1253] Add ko tool
Signed-off-by: Richard Wall
---
make/tools.mk | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/make/tools.mk b/make/tools.mk
index 95613d70c2c..e74372980ef 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -27,6 +27,7 @@ TOOLS += ytt=v0.43.0
TOOLS += yq=v4.27.5
TOOLS += crane=v0.11.0
TOOLS += ginkgo=$(shell awk '/ginkgo\/v2/ {print $$2}' go.mod)
+TOOLS += ko=v0.12.0
# Version of Gateway API install bundle https://gateway-api.sigs.k8s.io/v1alpha2/guides/#installing-gateway-api
GATEWAY_API_VERSION=v0.5.1
@@ -329,6 +330,25 @@ $(BINDIR)/downloaded/tools/yq@$(YQ_VERSION)_%: | $(BINDIR)/downloaded/tools
./hack/util/checkhash.sh $@ $(YQ_$*_SHA256SUM)
chmod +x $@
+######
+# ko #
+######
+
+KO_linux_amd64_SHA256SUM=05aa77182fa7c55386bd2a210fd41298542726f33bbfc9c549add3a66f7b90ad
+KO_darwin_amd64_SHA256SUM=8679d0d74fc75f24e044649c6a961dad0a3ef03bedbdece35e2f3f29eb7876af
+KO_darwin_arm64_SHA256SUM=cfef98db8ad0e1edaa483fa5c6af89eb573a8434abd372b510b89005575de702
+
+$(BINDIR)/downloaded/tools/ko@$(KO_VERSION)_%: | $(BINDIR)/downloaded/tools
+ $(eval OS_AND_ARCH := $(subst darwin,Darwin,$*))
+ $(eval OS_AND_ARCH := $(subst linux,Linux,$(OS_AND_ARCH)))
+ $(eval OS_AND_ARCH := $(subst amd64,x86_64,$(OS_AND_ARCH)))
+
+ $(CURL) https://github.com/ko-build/ko/releases/download/$(KO_VERSION)/ko_$(patsubst v%,%,$(KO_VERSION))_$(OS_AND_ARCH).tar.gz -o $@.tar.gz
+ ./hack/util/checkhash.sh $@.tar.gz $(KO_$*_SHA256SUM)
+ tar xfO $@.tar.gz ko > $@
+ chmod +x $@
+ rm $@.tar.gz
+
#####################
# k8s codegen tools #
#####################
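Review bot: Only `KO_linux_amd64_SHA256SUM`, `KO_darwin_amd64_SHA256SUM` and `KO_darwin_arm64_SHA256SUM` are defined, so on a linux/arm64 host the `./hack/util/checkhash.sh $@.tar.gz $(KO_$*_SHA256SUM)` line receives an empty expected hash; whether checkhash.sh fails closed on an empty argument is not visible here, and the equivalent blocks for the other tools in this file are outside the hunk. If linux/arm64 is a supported host, add `KO_linux_arm64_SHA256SUM=<sha256 from the ko v0.12.0 release checksums file>`; otherwise a guard such as `$(if $(KO_$*_SHA256SUM),,$(error no ko checksum recorded for $*))` before the `$(CURL)` line turns the gap into an explicit failure instead of an unverified binary. The `$(subst ...)` chain maps only darwin, linux and amd64, so `arm64` passes through unchanged; that presumably matches the upstream asset naming, but a one-line comment saying so would save the next reader a lookup.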
From 31a3edf03117f060fc09ffc17f9183d255ae47d6 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Tue, 20 Dec 2022 16:05:40 +0000
Subject: [PATCH 0079/1253] Bump version of contour helm chart + images
Also adds a note about how to update the helm chart version, in the
future
Signed-off-by: Ashley Davis
---
make/e2e-setup.mk | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index fe46378b3f5..30ed2066070 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -18,7 +18,7 @@ IMAGE_kyvernopre_amd64 := ghcr.io/kyverno/kyvernopre:v1.7.1@sha256:1bcec6bc85472
IMAGE_vault_amd64 := index.docker.io/library/vault:1.12.1@sha256:08dd1cb922624c51a5aefd4d9ce0ac5ed9688d96d8a5ad94664fa10e84702ed6
IMAGE_bind_amd64 := docker.io/eafxx/bind:latest-9f74179f@sha256:0b8c766f5bedbcbe559c7970c8e923aa0c4ca771e62fcf8dba64ffab980c9a51
IMAGE_sampleexternalissuer_amd64 := ghcr.io/cert-manager/sample-external-issuer/controller:v0.1.1@sha256:7dafe98c73d229bbac08067fccf9b2884c63c8e1412fe18f9986f59232cf3cb5
-IMAGE_projectcontour_amd64 := ghcr.io/projectcontour/contour:v1.22.0@sha256:c8ee1e566340c1bfd11fc9a1a90d758bde562faecb722540207084330b300497
+IMAGE_projectcontour_amd64 := ghcr.io/projectcontour/contour:v1.23.2@sha256:4b9ed5bfd4afd02eabc3b6235293489dbae1684d4d3dee37e982e87638a011f9
IMAGE_pebble_amd64 := local/pebble:local
IMAGE_vaultretagged_amd64 := local/vault:local
@@ -28,7 +28,7 @@ IMAGE_kyvernopre_arm64 := ghcr.io/kyverno/kyvernopre:v1.7.1@sha256:141234fb74242
IMAGE_vault_arm64 := $(IMAGE_vault_amd64)
IMAGE_bind_arm64 := docker.io/eafxx/bind:latest-9f74179f@sha256:85de273f24762c0445035d36290a440e8c5a6a64e9ae6227d92e8b0b0dc7dd6d
IMAGE_sampleexternalissuer_arm64 := # 🚧 NOT AVAILABLE FOR arm64 🚧
-IMAGE_projectcontour_arm64 := ghcr.io/projectcontour/contour:v1.22.0@sha256:ca37e86e284e72b3a969c7845a56a1cfcd348f4cb75bf6312d5b11067efdd667
+IMAGE_projectcontour_arm64 := ghcr.io/projectcontour/contour:v1.23.2@sha256:c877e098c42d07244cc26d4d6d4743d80fe4313a69d8c775782cba93341e0099
IMAGE_pebble_arm64 := local/pebble:local
IMAGE_vaultretagged_arm64 := local/vault:local
@@ -312,10 +312,13 @@ e2e-setup-samplewebhook: load-$(BINDIR)/downloaded/containers/$(CRI_ARCH)/sample
e2e-setup-projectcontour: $(call image-tar,projectcontour) load-$(call image-tar,projectcontour) make/config/projectcontour/gateway.yaml make/config/projectcontour/contour.yaml $(BINDIR)/scratch/kind-exists | $(NEEDS_HELM) $(NEEDS_KUBECTL)
@$(eval TAG=$(shell tar xfO $< manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f2))
$(HELM) repo add bitnami --force-update https://charts.bitnami.com/bitnami >/dev/null
+ # Warning: When upgrading the version of this helm chart, bear in mind that the IMAGE_projectcontour_* images above might need to be updated, too.
+ # Each helm chart version in the bitnami repo corresponds to an underlying application version. Check application versions and chart versions with:
+ # $ helm search repo bitnami -l | grep -E "contour[^-]"
$(HELM) upgrade \
--install \
--wait \
- --version 10.0.1 \
+ --version 10.1.3 \
--namespace projectcontour \
--create-namespace \
--set contour.ingressClass.create=false \
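Review bot: The three `# Warning:` lines sit between recipe lines of `e2e-setup-projectcontour`; if they carry the recipe tab (leading whitespace is not preserved in this rendering) make hands them to the shell and echoes them on every run, and they are subject to make variable expansion first, so the `$ helm search repo ...` text presumably loses its `$` (a `$` followed by a space reads as a one-character variable reference). Moving the note above the target line as a plain make comment, or writing `$$ helm search repo bitnami -l | grep -E "contour[^-]"`, keeps the advice without side effects. The recipe continues past the end of the hunk.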
From a08cf19aa7734078cea888083cf1bef55dd95dcc Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Tue, 20 Dec 2022 17:21:01 +0000
Subject: [PATCH 0080/1253] update base images to latest
Signed-off-by: Ashley Davis
---
make/base_images.mk | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/make/base_images.mk b/make/base_images.mk
index ae048c70f5a..a10b082cca2 100644
--- a/make/base_images.mk
+++ b/make/base_images.mk
@@ -1,11 +1,11 @@
# autogenerated by hack/latest-base-images.sh
-STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static@sha256:ebd8cc37d22551dce0957ba8e58f03b22a8448bbf844c8c9ded4feef883b36bc
-STATIC_BASE_IMAGE_arm64 := gcr.io/distroless/static@sha256:b85ecc2cf83157d054f1c358eda78408352cd0e320ae0ed9055f9af0f4f8eaa8
-STATIC_BASE_IMAGE_s390x := gcr.io/distroless/static@sha256:1dd0a37cb6556b320f252af2f8fa0463ba00557d42a93c99ac5e1dd21cbc1daa
-STATIC_BASE_IMAGE_arm := gcr.io/distroless/static@sha256:f0bc64e50983fb4ca0d325f330651c1970cf05a7c8fdebaef86330097c5da10f
-STATIC_BASE_IMAGE_ppc64le := gcr.io/distroless/static@sha256:982801c3f71c777f134cc4398f011283c692d4a0c29901671fdb660626ba937b
-DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base@sha256:b9b124f955961599e72630654107a0cf04e08e6fa777fa250b8f840728abd770
-DYNAMIC_BASE_IMAGE_arm64 := gcr.io/distroless/base@sha256:3552d4adeabdc6630fe1877198c3b853e977c53c439b0f7afaa7be760ee5ed6d
-DYNAMIC_BASE_IMAGE_s390x := gcr.io/distroless/base@sha256:4e8d6616f1bc75cfc5e0e669817c4aa76193edd5e4b7343b62016a0c633b8cbf
-DYNAMIC_BASE_IMAGE_arm := gcr.io/distroless/base@sha256:e5ef8136477df3acb7d86db402fd56a7e6d971c81fe48e17149d44e2796b8f3b
-DYNAMIC_BASE_IMAGE_ppc64le := gcr.io/distroless/base@sha256:3e982dbe9292bada8f07125daba5f968bd833c5497102b3246dda2994f5318f9
+STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static@sha256:5b2fa762fb6ebf66ff88ae1db2dc4ad8fc6ddf1164477297dfac1a09f20e7339
+STATIC_BASE_IMAGE_arm64 := gcr.io/distroless/static@sha256:6ecd23a434fca0bca716a7a484aa462d86e4c3d18397701d61b7cccc4d035f6f
+STATIC_BASE_IMAGE_s390x := gcr.io/distroless/static@sha256:ea565db08ea3f726e7761ffa5ba594c1096bc1741a22c832b4ec1128e5f1ee37
+STATIC_BASE_IMAGE_arm := gcr.io/distroless/static@sha256:dd7e98090e5415071ef3353055bde559729ad17cd90c3bd4d944c554abd73d12
+STATIC_BASE_IMAGE_ppc64le := gcr.io/distroless/static@sha256:a77004eb85b3e38fa6963064d44cb8b100988319eb9850eaae77307b043ddfe6
+DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base@sha256:d33b9c8d01976cc9137b32b3022e0d490f68205e7c679cd6e677e0d2588cb25a
+DYNAMIC_BASE_IMAGE_arm64 := gcr.io/distroless/base@sha256:0ee9b89e5440df8ba0e226e09685c191dde5e189ed65b66abf3cebc568501232
+DYNAMIC_BASE_IMAGE_s390x := gcr.io/distroless/base@sha256:81b4db05d1c5c5ed8e0afb0a1ed689694ec3ed6860e0bca0656b7cd9cf5cfcef
+DYNAMIC_BASE_IMAGE_arm := gcr.io/distroless/base@sha256:da2b5ce931f24374d38df219770997759d08d61c80f2a442249fdd06ae9cb525
+DYNAMIC_BASE_IMAGE_ppc64le := gcr.io/distroless/base@sha256:2b10be3fd42dcdbc8b8be0824cddf25e6c96585945acbc9c972ecfd4486b43e3
From 755fec117085cadf07275ff4895b32b53fa5d2fc Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Fri, 16 Dec 2022 12:46:23 +0000
Subject: [PATCH 0081/1253] Add some experimental ko based build and deploy
tools
Signed-off-by: Richard Wall
---
Makefile | 1 +
make/ko.mk | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+)
create mode 100644 make/ko.mk
diff --git a/Makefile b/Makefile
index 80b6eb68d7b..f356c35066e 100644
--- a/Makefile
+++ b/Makefile
@@ -71,6 +71,7 @@ include make/licenses.mk
include make/e2e-setup.mk
include make/scan.mk
include make/legacy.mk
+include make/ko.mk
include make/help.mk
.PHONY: clean
diff --git a/make/ko.mk b/make/ko.mk
new file mode 100644
index 00000000000..b6d48537e52
--- /dev/null
+++ b/make/ko.mk
@@ -0,0 +1,68 @@
+## Experimental tools for building and deploying cert-manager using ko to build and push Docker images.
+##
+## Examples:
+##
+## # Build and Push all images to an OCI registry
+## make ko-images-push KO_REGISTRY=
+##
+## # Build and Push images to an OCI registry and deploy cert-manager to the current cluster in KUBECONFIG
+## make ko-deploy-certmanager KO_REGISTRY=
+##
+## @category Experimental/ko
+
+## (required) The OCI registry prefix to which images will be pushed by ko.
+## @category Experimental/ko
+KO_REGISTRY ?= $(error "KO_REGISTRY is a required environment variable")
+
+## (optional) The SBOM media type to use (none will disable SBOM synthesis and
+## upload, also supports: spdx, cyclonedx, go.version-m).
+## @category Experimental/ko
+KO_SBOM ?= none
+
+## (optional) Which platforms to include in the multi-arch image.
+## Format: all | [/[/]][,platform]*
+## @category Experimental/ko
+KO_PLATFORM ?= linux/amd64
+
+## (optional) Which cert-manager images to build.
+## @category Experimental/ko
+KO_BINS ?= controller acmesolver cainjector webhook ctl
+
+export KOCACHE = $(BINDIR)/scratch/ko/cache
+
+KO_IMAGE_REFS = $(foreach bin,$(KO_BINS),_bin/scratch/ko/$(bin).yaml)
+$(KO_IMAGE_REFS): _bin/scratch/ko/%.yaml: FORCE | $(NEEDS_KO) $(NEEDS_YQ)
+ @mkdir -p $(dir $@)
+ @$(eval export KO_DOCKER_REPO=$(KO_REGISTRY)/cert-manager-$*)
+ $(KO) build ./cmd/$* \
+ --bare \
+ --sbom=$(KO_SBOM) \
+ --platform=$(KO_PLATFORM) \
+ --tags=$(RELEASE_VERSION) \
+ | $(YQ) 'capture("(?P[(?P[^:]+):(?P[^@]+)@(?P.*))")' > $@
+
+.PHONY: ko-images-push
+## Build and push docker images to an OCI registry using ko.
+## @category Experimental/ko
+ko-images-push: $(KO_IMAGE_REFS)
+
+.PHONY: ko-deploy-cert-manager
+## Deploy cert-manager after pushing docker images to an OCI registry using ko.
+## @category Experimental/ko
+ko-deploy-certmanager: $(BINDIR)/cert-manager.tgz $(KO_IMAGE_REFS)
+ @$(eval ACME_HTTP01_SOLVER_IMAGE = $(shell $(YQ) '.repository + "@" + .digest' $(BINDIR)/scratch/ko/acmesolver.yaml))
+ $(HELM) upgrade cert-manager $< \
+ --install \
+ --create-namespace \
+ --wait \
+ --namespace cert-manager \
+ --set image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/controller.yaml)" \
+ --set image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/controller.yaml)" \
+ --set cainjector.image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/cainjector.yaml)" \
+ --set cainjector.image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/cainjector.yaml)" \
+ --set webhook.image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/webhook.yaml)" \
+ --set webhook.image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/webhook.yaml)" \
+ --set startupapicheck.image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/ctl.yaml)" \
+ --set startupapicheck.image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/ctl.yaml)" \
+ --set installCRDs=true \
+ --set "extraArgs={--acme-http01-solver-image=$(ACME_HTTP01_SOLVER_IMAGE)}" \
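Review bot: The `.PHONY: ko-deploy-cert-manager` line does not name the target it precedes, `ko-deploy-certmanager` (the spelling also used in the header examples), so the deploy target is not phony and a stray file of that name in the working tree would satisfy it; change the declaration to `.PHONY: ko-deploy-certmanager`. Separately, `KO_IMAGE_REFS` and its pattern rule spell the output directory as `_bin/scratch/ko/` while `KOCACHE` and every `$(YQ) ... $(BINDIR)/scratch/ko/*.yaml` read in the deploy recipe use `$(BINDIR)/scratch/ko/`; the two only agree when `BINDIR` is `_bin`, so `$(BINDIR)/scratch/ko/$(bin).yaml` should be used in both places. The `capture(...)` expression on the `$(YQ)` line appears garbled in this rendering (the named-group names are missing), so its correctness cannot be confirmed from here and is worth checking in the file itself. Finally, `KO_SBOM ?= none` disables SBOM generation by default; a short comment on why `spdx` is not the default would help anyone who reuses these targets for images that leave a local test cluster.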
From 1a63cba52a62d0b417317004acd35ef0142883bb Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Wed, 21 Dec 2022 17:17:19 +0000
Subject: [PATCH 0082/1253] Bump supported versions of k8s mentioned in the
helm chart
This reflects the latest supported releases as of an update on
2022-12-16
See https://github.com/cert-manager/website/pull/1131
Signed-off-by: Ashley Davis
---
deploy/charts/cert-manager/Chart.template.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/charts/cert-manager/Chart.template.yaml b/deploy/charts/cert-manager/Chart.template.yaml
index e3271dd7bcf..a2d315281b3 100644
--- a/deploy/charts/cert-manager/Chart.template.yaml
+++ b/deploy/charts/cert-manager/Chart.template.yaml
@@ -3,7 +3,7 @@ name: cert-manager
# The version and appVersion fields are set automatically by the release tool
version: v0.1.0
appVersion: v0.1.0
-kubeVersion: ">= 1.20.0-0"
+kubeVersion: ">= 1.21.0-0"
description: A Helm chart for cert-manager
home: https://github.com/cert-manager/cert-manager
icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
From dbd6dc9b16a0a7542ab74d775a35e6f764f2aa6e Mon Sep 17 00:00:00 2001
From: Luca Comellini
Date: Wed, 21 Dec 2022 09:36:44 -0800
Subject: [PATCH 0083/1253] Bump sigs.k8s.io deps
Signed-off-by: Luca Comellini
---
LICENSES | 12 ++---
deploy/crds/crd-challenges.yaml | 6 +--
deploy/crds/crd-clusterissuers.yaml | 6 +--
deploy/crds/crd-issuers.yaml | 6 +--
go.mod | 24 +++++-----
go.sum | 48 +++++++++----------
make/tools.mk | 4 +-
...oup.testing.cert-manager.io_testtypes.yaml | 2 +-
8 files changed, 54 insertions(+), 54 deletions(-)
diff --git a/LICENSES b/LICENSES
index 9b2b44146c5..0c30eabfeec 100644
--- a/LICENSES
+++ b/LICENSES
@@ -145,8 +145,8 @@ github.com/monochromegane/go-gitignore,https://github.com/monochromegane/go-giti
github.com/morikuni/aec,https://github.com/morikuni/aec/blob/v1.0.0/LICENSE,MIT
github.com/munnerz/goautoneg,https://github.com/munnerz/goautoneg/blob/a7dc8b61c822/LICENSE,BSD-3-Clause
github.com/oklog/run,https://github.com/oklog/run/blob/v1.0.0/LICENSE,Apache-2.0
-github.com/onsi/ginkgo/v2,https://github.com/onsi/ginkgo/blob/v2.6.0/LICENSE,MIT
-github.com/onsi/gomega,https://github.com/onsi/gomega/blob/v1.24.1/LICENSE,MIT
+github.com/onsi/ginkgo/v2,https://github.com/onsi/ginkgo/blob/v2.6.1/LICENSE,MIT
+github.com/onsi/gomega,https://github.com/onsi/gomega/blob/v1.24.2/LICENSE,MIT
github.com/opencontainers/go-digest,https://github.com/opencontainers/go-digest/blob/v1.0.0/LICENSE,Apache-2.0
github.com/opencontainers/image-spec/specs-go,https://github.com/opencontainers/image-spec/blob/c5a74bcca799/LICENSE,Apache-2.0
github.com/patrickmn/go-cache,https://github.com/patrickmn/go-cache/blob/v2.1.0/LICENSE,MIT
@@ -169,7 +169,7 @@ github.com/sergi/go-diff/diffmatchpatch,https://github.com/sergi/go-diff/blob/v1
github.com/shopspring/decimal,https://github.com/shopspring/decimal/blob/v1.2.0/LICENSE,MIT
github.com/sirupsen/logrus,https://github.com/sirupsen/logrus/blob/v1.8.1/LICENSE,MIT
github.com/spf13/cast,https://github.com/spf13/cast/blob/v1.4.1/LICENSE,MIT
-github.com/spf13/cobra,https://github.com/spf13/cobra/blob/v1.6.0/LICENSE.txt,Apache-2.0
+github.com/spf13/cobra,https://github.com/spf13/cobra/blob/v1.6.1/LICENSE.txt,Apache-2.0
github.com/spf13/pflag,https://github.com/spf13/pflag/blob/v1.0.5/LICENSE,BSD-3-Clause
github.com/stoewer/go-strcase,https://github.com/stoewer/go-strcase/blob/v1.2.0/LICENSE,MIT
github.com/xeipuuv/gojsonpointer,https://github.com/xeipuuv/gojsonpointer/blob/4e3ac2762d5f/LICENSE-APACHE-2.0.txt,Apache-2.0
@@ -198,7 +198,7 @@ go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.24.0/LICENSE.txt,MIT
golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/v0.1.0:LICENSE,BSD-3-Clause
golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.4.0:LICENSE,BSD-3-Clause
golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/f2134210:LICENSE,BSD-3-Clause
-golang.org/x/sync,https://cs.opensource.google/go/x/sync/+/7f9b1623:LICENSE,BSD-3-Clause
+golang.org/x/sync,https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE,BSD-3-Clause
golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/v0.3.0:LICENSE,BSD-3-Clause
golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.3.0:LICENSE,BSD-3-Clause
golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.5.0:LICENSE,BSD-3-Clause
@@ -237,8 +237,8 @@ k8s.io/utils,https://github.com/kubernetes/utils/blob/99ec85e7a448/LICENSE,Apach
k8s.io/utils/internal/third_party/forked/golang,https://github.com/kubernetes/utils/blob/99ec85e7a448/internal/third_party/forked/golang/LICENSE,BSD-3-Clause
oras.land/oras-go/pkg,https://github.com/oras-project/oras-go/blob/v1.2.0/LICENSE,Apache-2.0
sigs.k8s.io/apiserver-network-proxy/konnectivity-client,https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/konnectivity-client/v0.0.33/konnectivity-client/LICENSE,Apache-2.0
-sigs.k8s.io/controller-runtime,https://github.com/kubernetes-sigs/controller-runtime/blob/v0.14.0/LICENSE,Apache-2.0
-sigs.k8s.io/gateway-api,https://github.com/kubernetes-sigs/gateway-api/blob/v0.5.0/LICENSE,Apache-2.0
+sigs.k8s.io/controller-runtime,https://github.com/kubernetes-sigs/controller-runtime/blob/v0.14.1/LICENSE,Apache-2.0
+sigs.k8s.io/gateway-api,https://github.com/kubernetes-sigs/gateway-api/blob/v0.6.0/LICENSE,Apache-2.0
sigs.k8s.io/json,https://github.com/kubernetes-sigs/json/blob/f223a00ba0e2/LICENSE,Apache-2.0
sigs.k8s.io/kustomize/api,https://github.com/kubernetes-sigs/kustomize/blob/api/v0.12.1/api/LICENSE,Apache-2.0
sigs.k8s.io/kustomize/kyaml,https://github.com/kubernetes-sigs/kustomize/blob/kyaml/v0.13.9/kyaml/LICENSE,Apache-2.0
diff --git a/deploy/crds/crd-challenges.yaml b/deploy/crds/crd-challenges.yaml
index a50041c7c40..84af2eeaf69 100644
--- a/deploy/crds/crd-challenges.yaml
+++ b/deploy/crds/crd-challenges.yaml
@@ -401,13 +401,13 @@ spec:
- name
properties:
group:
- description: "Group is the group of the referent. \n Support: Core"
+ description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
type: string
default: gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind:
- description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)"
+ description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
type: string
default: Gateway
maxLength: 63
@@ -419,7 +419,7 @@ spec:
maxLength: 253
minLength: 1
namespace:
- description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
type: string
maxLength: 63
minLength: 1
diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml
index 1bbe3126354..b19bb894bb1 100644
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@@ -440,13 +440,13 @@ spec:
- name
properties:
group:
- description: "Group is the group of the referent. \n Support: Core"
+ description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
type: string
default: gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind:
- description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)"
+ description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
type: string
default: Gateway
maxLength: 63
@@ -458,7 +458,7 @@ spec:
maxLength: 253
minLength: 1
namespace:
- description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
type: string
maxLength: 63
minLength: 1
diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml
index d8c1dc4a6df..b167f4579d5 100644
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@@ -440,13 +440,13 @@ spec:
- name
properties:
group:
- description: "Group is the group of the referent. \n Support: Core"
+ description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
type: string
default: gateway.networking.k8s.io
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
kind:
- description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)"
+ description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
type: string
default: Gateway
maxLength: 63
@@ -458,7 +458,7 @@ spec:
maxLength: 253
minLength: 1
namespace:
- description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
type: string
maxLength: 63
minLength: 1
diff --git a/go.mod b/go.mod
index e9f8c7eaee4..bbd2b6982a5 100644
--- a/go.mod
+++ b/go.mod
@@ -23,19 +23,19 @@ require (
github.com/miekg/dns v1.1.50
github.com/mitchellh/go-homedir v1.1.0
github.com/munnerz/crd-schema-fuzz v1.0.0
- github.com/onsi/ginkgo/v2 v2.6.0
- github.com/onsi/gomega v1.24.1
+ github.com/onsi/ginkgo/v2 v2.6.1
+ github.com/onsi/gomega v1.24.2
github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.14.0
github.com/segmentio/encoding v0.3.5
github.com/sergi/go-diff v1.2.0
- github.com/spf13/cobra v1.6.0
+ github.com/spf13/cobra v1.6.1
github.com/spf13/pflag v1.0.5
- github.com/stretchr/testify v1.8.0
+ github.com/stretchr/testify v1.8.1
golang.org/x/crypto v0.1.0
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
- golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7
+ golang.org/x/sync v0.1.0
gomodules.xyz/jsonpatch/v2 v2.2.0
google.golang.org/api v0.97.0
helm.sh/helm/v3 v3.10.3
@@ -52,9 +52,9 @@ require (
k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715
k8s.io/kubectl v0.26.0
k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
- sigs.k8s.io/controller-runtime v0.14.0
- sigs.k8s.io/controller-tools v0.10.0
- sigs.k8s.io/gateway-api v0.5.0
+ sigs.k8s.io/controller-runtime v0.14.1
+ sigs.k8s.io/controller-tools v0.11.1
+ sigs.k8s.io/gateway-api v0.6.0
sigs.k8s.io/structured-merge-diff/v4 v4.2.3
sigs.k8s.io/yaml v1.3.0
software.sslmate.com/src/go-pkcs12 v0.2.0
@@ -115,7 +115,7 @@ require (
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
- github.com/gobuffalo/flect v0.2.5 // indirect
+ github.com/gobuffalo/flect v0.3.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
@@ -204,7 +204,7 @@ require (
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/spf13/cast v1.4.1 // indirect
github.com/stoewer/go-strcase v1.2.0 // indirect
- github.com/stretchr/objx v0.4.0 // indirect
+ github.com/stretchr/objx v0.5.0 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
@@ -228,13 +228,13 @@ require (
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.6.0 // indirect
go.uber.org/zap v1.24.0 // indirect
- golang.org/x/mod v0.6.0 // indirect
+ golang.org/x/mod v0.7.0 // indirect
golang.org/x/net v0.4.0 // indirect
golang.org/x/sys v0.3.0 // indirect
golang.org/x/term v0.3.0 // indirect
golang.org/x/text v0.5.0 // indirect
golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.2.0 // indirect
+ golang.org/x/tools v0.4.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
google.golang.org/grpc v1.49.0 // indirect
diff --git a/go.sum b/go.sum
index 2f0905ca2a8..60a3f14fd2b 100644
--- a/go.sum
+++ b/go.sum
@@ -387,8 +387,8 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
-github.com/gobuffalo/flect v0.2.5 h1:H6vvsv2an0lalEaCDRThvtBfmg44W/QHXBCYUXf/6S4=
-github.com/gobuffalo/flect v0.2.5/go.mod h1:1ZyCLIbg0YD7sDkzvFdPoOydPtD8y9JQnrOROolUcM8=
+github.com/gobuffalo/flect v0.3.0 h1:erfPWM+K1rFNIQeRPdeEXxo8yFr/PO17lhRnS8FUrtk=
+github.com/gobuffalo/flect v0.3.0/go.mod h1:5pf3aGnsvqvCj50AVni7mJJF8ICxGZ8HomberC3pXLE=
github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU=
github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs=
github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0=
@@ -790,12 +790,12 @@ github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc=
-github.com/onsi/ginkgo/v2 v2.6.0/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc=
+github.com/onsi/ginkgo/v2 v2.6.1 h1:1xQPCjcqYw/J5LchOcp4/2q/jzJFjiAOc25chhnDw+Q=
+github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E=
-github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM=
+github.com/onsi/gomega v1.24.2 h1:J/tulyYK6JwBldPViHJReihxxZ+22FHs0piGjQAvoUE=
+github.com/onsi/gomega v1.24.2/go.mod h1:gs3J10IS7Z7r7eXRoNJIrNqU4ToQukCJhFtKrWgHWnk=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec=
@@ -918,8 +918,8 @@ github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU
github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
-github.com/spf13/cobra v1.6.0 h1:42a0n6jwCot1pUmomAp4T7DeMD+20LFv4Q54pxLf2LI=
-github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
+github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
+github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -935,8 +935,9 @@ github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -945,8 +946,9 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -1105,8 +1107,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
-golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
+golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
+golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1167,8 +1169,6 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su
golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 h1:Frnccbp+ok2GkUS2tC84yAq/U9Vg+0sIO7aRL3T4Xnc=
-golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1207,8 +1207,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7 h1:ZrnxWX62AgTKOSagEqxvb3ffipvEDX2pl7E1TdqLqIc=
-golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1390,8 +1390,8 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
-golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
-golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
+golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4=
+golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1695,12 +1695,12 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33 h1:LYqFq+6Cj2D0gFfrJvL7iElD4ET6ir3VDdhDdTK7rgc=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33/go.mod h1:soWkSNf2tZC7aMibXEqVhCd73GOY5fJikn8qbdzemB0=
-sigs.k8s.io/controller-runtime v0.14.0 h1:ju2xsov5Ara6FoQuddg+az+rAxsUsTYn2IYyEKCTyDc=
-sigs.k8s.io/controller-runtime v0.14.0/go.mod h1:GaRkrY8a7UZF0kqFFbUKG7n9ICiTY5T55P1RiE3UZlU=
-sigs.k8s.io/controller-tools v0.10.0 h1:0L5DTDTFB67jm9DkfrONgTGmfc/zYow0ZaHyppizU2U=
-sigs.k8s.io/controller-tools v0.10.0/go.mod h1:uvr0EW6IsprfB0jpQq6evtKy+hHyHCXNfdWI5ONPx94=
-sigs.k8s.io/gateway-api v0.5.0 h1:ze+k9fJqvmL8s1t3e4q1ST8RnN+f09dEv+gfacahlAE=
-sigs.k8s.io/gateway-api v0.5.0/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA=
+sigs.k8s.io/controller-runtime v0.14.1 h1:vThDes9pzg0Y+UbCPY3Wj34CGIYPgdmspPm2GIpxpzM=
+sigs.k8s.io/controller-runtime v0.14.1/go.mod h1:GaRkrY8a7UZF0kqFFbUKG7n9ICiTY5T55P1RiE3UZlU=
+sigs.k8s.io/controller-tools v0.11.1 h1:blfU7DbmXuACWHfpZR645KCq8cLOc6nfkipGSGnH+Wk=
+sigs.k8s.io/controller-tools v0.11.1/go.mod h1:dm4bN3Yp1ZP+hbbeSLF8zOEHsI1/bf15u3JNcgRv2TM=
+sigs.k8s.io/gateway-api v0.6.0 h1:v2FqrN2ROWZLrSnI2o91taHR8Sj3s+Eh3QU7gLNWIqA=
+sigs.k8s.io/gateway-api v0.6.0/go.mod h1:EYJT+jlPWTeNskjV0JTki/03WX1cyAnBhwBJfYHpV/0=
sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM=
diff --git a/make/tools.mk b/make/tools.mk
index e74372980ef..e28644dc00f 100644
--- a/make/tools.mk
+++ b/make/tools.mk
@@ -14,12 +14,12 @@ TOOLS :=
TOOLS += helm=v3.10.0
TOOLS += kubectl=v1.25.2
TOOLS += kind=v0.16.0
-TOOLS += controller-gen=v0.10.0
+TOOLS += controller-gen=v0.11.1
TOOLS += cosign=v1.12.1
TOOLS += cmrel=a1e2bad95be9688794fd0571c4c40e88cccf9173
TOOLS += release-notes=v0.14.0
TOOLS += goimports=v0.1.12
-TOOLS += go-licenses=v1.3.1
+TOOLS += go-licenses=v1.5.0
TOOLS += gotestsum=v1.8.2
TOOLS += rclone=v1.59.2
TOOLS += trivy=v0.32.0
diff --git a/pkg/webhook/handlers/testdata/apis/testgroup/crds/testgroup.testing.cert-manager.io_testtypes.yaml b/pkg/webhook/handlers/testdata/apis/testgroup/crds/testgroup.testing.cert-manager.io_testtypes.yaml
index 8a494f133c2..295159d0b2f 100644
--- a/pkg/webhook/handlers/testdata/apis/testgroup/crds/testgroup.testing.cert-manager.io_testtypes.yaml
+++ b/pkg/webhook/handlers/testdata/apis/testgroup/crds/testgroup.testing.cert-manager.io_testtypes.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.10.0
+ controller-gen.kubebuilder.io/version: v0.11.1
creationTimestamp: null
name: testtypes.testgroup.testing.cert-manager.io
spec:
From ea0bea9db054b73fca78e90dd815312a0b1c3593 Mon Sep 17 00:00:00 2001
From: Yann Soubeyrand
Date: Thu, 3 Nov 2022 15:36:08 +0100
Subject: [PATCH 0084/1253] helm: add option to override ACME HTTP-01 solver
image
Signed-off-by: Yann Soubeyrand
---
deploy/charts/cert-manager/README.template.md | 3 +++
.../charts/cert-manager/templates/deployment.yaml | 3 +++
deploy/charts/cert-manager/values.yaml | 14 ++++++++++++++
make/e2e-setup.mk | 4 +++-
4 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/deploy/charts/cert-manager/README.template.md b/deploy/charts/cert-manager/README.template.md
index f41b617ec71..b3014ac079c 100644
--- a/deploy/charts/cert-manager/README.template.md
+++ b/deploy/charts/cert-manager/README.template.md
@@ -192,6 +192,9 @@ The following table lists the configurable parameters of the cert-manager chart
| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
| `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) |
+| `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` |
+| `acmesolver.image.tag` | acmesolver image tag | `{{RELEASE_VERSION}}` |
+| `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` |
| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` |
| `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) |
diff --git a/deploy/charts/cert-manager/templates/deployment.yaml b/deploy/charts/cert-manager/templates/deployment.yaml
index 9d5fb0e0cef..e621f2dc8d5 100644
--- a/deploy/charts/cert-manager/templates/deployment.yaml
+++ b/deploy/charts/cert-manager/templates/deployment.yaml
@@ -110,6 +110,9 @@ spec:
{{- if .Values.maxConcurrentChallenges }}
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
{{- end }}
+ {{- with .Values.acmesolver.image }}
+ - --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
+ {{- end }}
ports:
- containerPort: 9402
name: http-metrics
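Review bot: The solver-image expression on the new `--acme-http01-solver-image` line leans on trim markers to swallow the stray spaces around `@{{ .digest }}` and before `{{- end -}}`, and the parentheses in `{{- if (.digest) -}}` add nothing; the rendering is correct, but a reader has to trace every `-}}` to confirm it. `{{- if .digest -}}@{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }}{{- end -}}` renders the same reference without the whitespace puzzle. The README hunk in this commit documents `acmesolver.image.pullPolicy`, yet this template only builds the image reference string and nothing visible in the diff reads that value, so either the row is misleading or it is consumed somewhere else in the chart. Because the flag is now emitted whenever `acmesolver.image` is set and values.yaml gives it a default, a user who already passes `--acme-http01-solver-image` through `extraArgs` ends up with the flag twice, and which one wins depends on argument order; a short comment in values.yaml saying this setting supersedes an `extraArgs` override would avoid that surprise.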
diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 30cc6a94f40..35ec9766a2b 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -501,6 +501,20 @@ cainjector:
# Automounting API credentials for a particular pod
# automountServiceAccountToken: true
+acmesolver:
+ image:
+ repository: quay.io/jetstack/cert-manager-acmesolver
+ # You can manage a registry with
+ # registry: quay.io
+ # repository: jetstack/cert-manager-acmesolver
+
+ # Override the image tag to deploy by setting this variable.
+ # If no value is set, the chart's appVersion will be used.
+ # tag: canary
+
+ # Setting a digest will override any tag
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
+
# This startupapicheck is a Helm post-install hook that waits for the webhook
# endpoints to become available.
# The check is implemented using a Kubernetes Job- if you are injecting mesh
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index 8ec142ce6b9..cb5b5701055 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -188,16 +188,18 @@ e2e-setup-certmanager: $(BINDIR)/cert-manager.tgz $(foreach binaryname,controlle
--set image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-controller-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set cainjector.image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-cainjector-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set webhook.image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-webhook-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
+ --set acmesolver.image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-acmesolver-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set startupapicheck.image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-ctl-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set image.tag="$(TAG)" \
--set cainjector.image.tag="$(TAG)" \
--set webhook.image.tag="$(TAG)" \
+ --set acmesolver.image.tag="$(TAG)" \
--set startupapicheck.image.tag="$(TAG)" \
--set installCRDs=true \
--set featureGates="$(feature_gates_controller)" \
--set "webhook.extraArgs={--feature-gates=$(feature_gates_webhook)}" \
--set "cainjector.extraArgs={--feature-gates=$(feature_gates_cainjector)}" \
- --set "extraArgs={--dns01-recursive-nameservers=$(SERVICE_IP_PREFIX).16:53,--dns01-recursive-nameservers-only=true,--acme-http01-solver-image=cert-manager-acmesolver-$(CRI_ARCH):$(TAG)}" \
+ --set "extraArgs={--dns01-recursive-nameservers=$(SERVICE_IP_PREFIX).16:53,--dns01-recursive-nameservers-only=true}" \
cert-manager $< >/dev/null
.PHONY: e2e-setup-bind
From 1c0197381374c5d9254c25512a5d49f26c8adb87 Mon Sep 17 00:00:00 2001
From: Igor Beliakov
Date: Thu, 22 Dec 2022 11:59:37 +0100
Subject: [PATCH 0085/1253] fix(AzureDNS): suppress original message in
adal.TokenRefreshError to prevent early CR reconciliations due to unique data
(timestamp, Trace ID) that lands to CR status
Signed-off-by: Igor Beliakov
---
pkg/issuer/acme/dns/azuredns/azuredns.go | 39 +++++++++++++++++++++++-
1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/pkg/issuer/acme/dns/azuredns/azuredns.go b/pkg/issuer/acme/dns/azuredns/azuredns.go
index 51843fb9699..77eb552314d 100644
--- a/pkg/issuer/acme/dns/azuredns/azuredns.go
+++ b/pkg/issuer/acme/dns/azuredns/azuredns.go
@@ -13,6 +13,7 @@ package azuredns
import (
"context"
"fmt"
+ "net/http"
"os"
"strings"
@@ -72,6 +73,41 @@ func NewDNSProviderCredentials(environment, clientID, clientSecret, subscription
}, nil
}
+// Implements adal.TokenRefreshError
+type tokenRefreshError struct {
+ Message string
+ Resp *http.Response
+}
+
+func (tre tokenRefreshError) Error() string {
+ return tre.Message
+}
+
+func (tre tokenRefreshError) Response() *http.Response {
+ return tre.Resp
+}
+
+// suppressMessageInTokenRefreshError can be used to suppress error message contents in adal.TokenRefreshError to prevent early
+// reconciliations in controller due to CR status updates with unique data (such as timestamp, Trace ID) present in response body
+func suppressMessageInTokenRefreshError(originalError error) error {
+ if originalError == nil {
+ return nil
+ }
+
+ // No need to overwrite errors of another type
+ tre, ok := originalError.(adal.TokenRefreshError)
+ if !ok {
+ return originalError
+ }
+
+ err := tokenRefreshError{
+ Message: "failed to refresh token",
+ Resp: tre.Response(),
+ }
+
+ return err
+}
+
// getFederatedSPT prepares an SPT for a Workload Identity-enabled setup
func getFederatedSPT(env azure.Environment, options adal.ManagedIdentityOptions) (*adal.ServicePrincipalToken, error) {
// NOTE: all related environment variables are described here: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
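Review bot: `suppressMessageInTokenRefreshError` uses a direct type assertion on the `originalError.(adal.TokenRefreshError)` line, so an `adal.TokenRefreshError` that arrives wrapped (for example through `fmt.Errorf("...: %w", err)`) is returned untouched with its volatile message intact, which defeats the suppression; `var tre adal.TokenRefreshError` followed by `if !errors.As(originalError, &tre) { return originalError }` covers both cases (the import block is cut off in this diff, so `errors` may need adding). The replacement also discards the original error entirely: once `tokenRefreshError` is returned, callers cannot reach the cause with `errors.Is`/`errors.As`, and the only record is the log line in `getAuthorization`; keeping the original in an unexported field exposed through `Unwrap() error` preserves inspection while `Error()` still yields the fixed string, provided the status update formats the error with `Error()` rather than walking the chain. The comment on the type should follow Go doc convention and name what it documents, e.g. `// tokenRefreshError is an adal.TokenRefreshError whose Error() carries a fixed message so that volatile response data never reaches a CR status.`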
@@ -150,7 +186,8 @@ func getAuthorization(env azure.Environment, clientID, clientSecret, subscriptio
// RefreshToken is absent from responses.
err = newSPT.Refresh()
if err != nil {
- return nil, err
+ logf.Log.V(logf.ErrorLevel).Error(err, "failed to refresh token")
+ return nil, suppressMessageInTokenRefreshError(err)
}
accessToken := newSPT.Token()
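Review bot: On the new log line, `.V(logf.ErrorLevel)` has no effect if `logf.Log` is a logr.Logger, because `Error` is emitted regardless of the verbosity level; `logf.Log.Error(err, "failed to refresh token")` says the same thing without implying a threshold. The full error, including whatever the token endpoint put in the response body, is now logged here and only here, so this line is what an operator must find when the CR status merely says `failed to refresh token`; adding a non-secret key the function already has, such as `"clientID", clientID`, would make that lookup easier (never the client secret). getAuthorization's body starts and ends outside this hunk.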
From dcab0d2e3f98c4f5cac8100aa1848b3be4a82541 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Mon, 2 Jan 2023 13:19:49 +0100
Subject: [PATCH 0086/1253] vcert: upgrade to v4.23.0 to fix "Click Retry" and
"WebSDK CertRequest"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cert-manager was not able to retry failed TPP certificates due to the
fact that TPP will not reset a given certificate that has a failed
enrollment status from a previous enrollment. More specifically,
cert-manager was getting stuck with either:
WebSDK CertRequest Module Requested Certificate
or
This certificate cannot be processed while it is in an error state.
Fix any errors, and then click Retry.
With vcert v4.23.0, a call to "reset" is made when one of these two
messages is found while polling for the certificate (i.e., while
calling vcert's RetrieveCertificate function).
Signed-off-by: Maël Valais
---
go.mod | 2 +-
go.sum | 6 ++----
2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index e9f8c7eaee4..b7b477f0424 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
github.com/Azure/go-autorest/autorest v0.11.28
github.com/Azure/go-autorest/autorest/adal v0.9.21
github.com/Azure/go-autorest/autorest/to v0.4.0
- github.com/Venafi/vcert/v4 v4.22.1
+ github.com/Venafi/vcert/v4 v4.23.0
github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.1
github.com/aws/aws-sdk-go v1.44.105
github.com/cloudflare/cloudflare-go v0.50.0
diff --git a/go.sum b/go.sum
index 2f0905ca2a8..866f7bd7a3f 100644
--- a/go.sum
+++ b/go.sum
@@ -121,8 +121,8 @@ github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt
github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
-github.com/Venafi/vcert/v4 v4.22.1 h1:31A8mV0DAis5qn1cfUCU9eODjALNmZKKx9I9wDOIXZM=
-github.com/Venafi/vcert/v4 v4.22.1/go.mod h1:4Nec3twWisOdS1unpDZ93sfau9eVSDS8Ot+Ry/gg0es=
+github.com/Venafi/vcert/v4 v4.23.0 h1:FlHqH+gVMEIDJ5Orkb9mdWaPFVx746gkIcnTfjVufR0=
+github.com/Venafi/vcert/v4 v4.23.0/go.mod h1:4Nec3twWisOdS1unpDZ93sfau9eVSDS8Ot+Ry/gg0es=
github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.1 h1:5BIsppVPdWJA29Yb5cYawQYeh5geN413WxAgBZvEtdA=
github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.1/go.mod h1:kX6YddBkXqqywAe8c9LyvgTCyFuZCTMF4cRPQhc3Fy8=
@@ -1167,8 +1167,6 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su
golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 h1:Frnccbp+ok2GkUS2tC84yAq/U9Vg+0sIO7aRL3T4Xnc=
-golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
From 6403091073b3602aa90065a236425ffd2539128a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Tue, 3 Jan 2023 11:46:33 +0100
Subject: [PATCH 0087/1253] update LICENSES (make update-licenses)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Maël Valais
---
LICENSES | 14 +++++++-------
go.mod | 12 ++++++------
go.sum | 15 +++++++++++++++
3 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/LICENSES b/LICENSES
index 9b2b44146c5..3356200aca8 100644
--- a/LICENSES
+++ b/LICENSES
@@ -15,7 +15,7 @@ github.com/Masterminds/semver/v3,https://github.com/Masterminds/semver/blob/v3.1
github.com/Masterminds/sprig/v3,https://github.com/Masterminds/sprig/blob/v3.2.2/LICENSE.txt,MIT
github.com/Masterminds/squirrel,https://github.com/Masterminds/squirrel/blob/v1.5.3/LICENSE.txt,MIT
github.com/NYTimes/gziphandler,https://github.com/NYTimes/gziphandler/blob/v1.1.1/LICENSE,Apache-2.0
-github.com/Venafi/vcert/v4,https://github.com/Venafi/vcert/blob/v4.22.1/LICENSE,Apache-2.0
+github.com/Venafi/vcert/v4,https://github.com/Venafi/vcert/blob/v4.23.0/LICENSE,Apache-2.0
github.com/akamai/AkamaiOPEN-edgegrid-golang,https://github.com/akamai/AkamaiOPEN-edgegrid-golang/blob/v1.2.1/LICENSE,Apache-2.0
github.com/antlr/antlr4/runtime/Go/antlr,https://github.com/antlr/antlr4/blob/runtime/Go/antlr/v1.4.10/runtime/Go/antlr/LICENSE,BSD-3-Clause
github.com/armon/go-metrics,https://github.com/armon/go-metrics/blob/v0.3.9/LICENSE,MIT
@@ -61,7 +61,7 @@ github.com/felixge/httpsnoop,https://github.com/felixge/httpsnoop/blob/v1.0.3/LI
github.com/fsnotify/fsnotify,https://github.com/fsnotify/fsnotify/blob/v1.6.0/LICENSE,BSD-3-Clause
github.com/go-asn1-ber/asn1-ber,https://github.com/go-asn1-ber/asn1-ber/blob/v1.5.4/LICENSE,MIT
github.com/go-errors/errors,https://github.com/go-errors/errors/blob/v1.0.1/LICENSE.MIT,MIT
-github.com/go-gorp/gorp/v3,https://github.com/go-gorp/gorp/blob/v3.0.2/LICENSE,MIT
+github.com/go-gorp/gorp/v3,https://github.com/go-gorp/gorp/blob/v3.1.0/LICENSE,MIT
github.com/go-ldap/ldap/v3,https://github.com/go-ldap/ldap/blob/v3.4.4/v3/LICENSE,MIT
github.com/go-logr/logr,https://github.com/go-logr/logr/blob/v1.2.3/LICENSE,Apache-2.0
github.com/go-logr/stdr,https://github.com/go-logr/stdr/blob/v1.2.2/LICENSE,Apache-2.0
@@ -118,15 +118,15 @@ github.com/json-iterator/go,https://github.com/json-iterator/go/blob/v1.1.12/LIC
github.com/klauspost/compress,https://github.com/klauspost/compress/blob/v1.13.6/LICENSE,Apache-2.0
github.com/klauspost/compress/internal/snapref,https://github.com/klauspost/compress/blob/v1.13.6/internal/snapref/LICENSE,BSD-3-Clause
github.com/klauspost/compress/zstd/internal/xxhash,https://github.com/klauspost/compress/blob/v1.13.6/zstd/internal/xxhash/LICENSE.txt,MIT
-github.com/kr/pretty,https://github.com/kr/pretty/blob/v0.3.0/License,MIT
+github.com/kr/pretty,https://github.com/kr/pretty/blob/v0.3.1/License,MIT
github.com/kr/text,https://github.com/kr/text/blob/v0.2.0/License,MIT
github.com/lann/builder,https://github.com/lann/builder/blob/47ae307949d0/LICENSE,MIT
github.com/lann/ps,https://github.com/lann/ps/blob/62de8c46ede0/LICENSE,MIT
-github.com/lib/pq,https://github.com/lib/pq/blob/v1.10.6/LICENSE.md,MIT
+github.com/lib/pq,https://github.com/lib/pq/blob/v1.10.7/LICENSE.md,MIT
github.com/liggitt/tabwriter,https://github.com/liggitt/tabwriter/blob/89fcab3d43de/LICENSE,BSD-3-Clause
github.com/mailru/easyjson,https://github.com/mailru/easyjson/blob/v0.7.6/LICENSE,MIT
-github.com/mattn/go-colorable,https://github.com/mattn/go-colorable/blob/v0.1.12/LICENSE,MIT
-github.com/mattn/go-isatty,https://github.com/mattn/go-isatty/blob/v0.0.14/LICENSE,MIT
+github.com/mattn/go-colorable,https://github.com/mattn/go-colorable/blob/v0.1.13/LICENSE,MIT
+github.com/mattn/go-isatty,https://github.com/mattn/go-isatty/blob/v0.0.16/LICENSE,MIT
github.com/mattn/go-runewidth,https://github.com/mattn/go-runewidth/blob/v0.0.13/LICENSE,MIT
github.com/matttproud/golang_protobuf_extensions/pbutil,https://github.com/matttproud/golang_protobuf_extensions/blob/v1.0.2/LICENSE,Apache-2.0
github.com/miekg/dns,https://github.com/miekg/dns/blob/v1.1.50/LICENSE,BSD-3-Clause
@@ -160,7 +160,7 @@ github.com/prometheus/common,https://github.com/prometheus/common/blob/v0.37.0/L
github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg,https://github.com/prometheus/common/blob/v0.37.0/internal/bitbucket.org/ww/goautoneg/README.txt,BSD-3-Clause
github.com/prometheus/procfs,https://github.com/prometheus/procfs/blob/v0.8.0/LICENSE,Apache-2.0
github.com/rivo/uniseg,https://github.com/rivo/uniseg/blob/v0.2.0/LICENSE.txt,MIT
-github.com/rogpeppe/go-internal/fmtsort,https://github.com/rogpeppe/go-internal/blob/v1.8.1/LICENSE,BSD-3-Clause
+github.com/rogpeppe/go-internal/fmtsort,https://github.com/rogpeppe/go-internal/blob/v1.9.0/LICENSE,BSD-3-Clause
github.com/rubenv/sql-migrate,https://github.com/rubenv/sql-migrate/blob/v1.1.2/LICENSE,MIT
github.com/rubenv/sql-migrate/sqlparse,https://github.com/rubenv/sql-migrate/blob/v1.1.2/sqlparse/LICENSE,MIT
github.com/russross/blackfriday/v2,https://github.com/russross/blackfriday/blob/v2.1.0/LICENSE.txt,BSD-2-Clause
diff --git a/go.mod b/go.mod
index b7b477f0424..f3b353668c1 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
github.com/google/gofuzz v1.2.0
github.com/hashicorp/vault/api v1.8.0
github.com/hashicorp/vault/sdk v0.6.0
- github.com/kr/pretty v0.3.0
+ github.com/kr/pretty v0.3.1
github.com/miekg/dns v1.1.50
github.com/mitchellh/go-homedir v1.1.0
github.com/munnerz/crd-schema-fuzz v1.0.0
@@ -109,7 +109,7 @@ require (
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
github.com/go-errors/errors v1.0.1 // indirect
- github.com/go-gorp/gorp/v3 v3.0.2 // indirect
+ github.com/go-gorp/gorp/v3 v3.1.0 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
@@ -164,11 +164,11 @@ require (
github.com/kr/text v0.2.0 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
- github.com/lib/pq v1.10.6 // indirect
+ github.com/lib/pq v1.10.7 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/mailru/easyjson v0.7.6 // indirect
- github.com/mattn/go-colorable v0.1.12 // indirect
- github.com/mattn/go-isatty v0.0.14 // indirect
+ github.com/mattn/go-colorable v0.1.13 // indirect
+ github.com/mattn/go-isatty v0.0.16 // indirect
github.com/mattn/go-runewidth v0.0.13 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
@@ -195,7 +195,7 @@ require (
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
- github.com/rogpeppe/go-internal v1.8.1 // indirect
+ github.com/rogpeppe/go-internal v1.9.0 // indirect
github.com/rubenv/sql-migrate v1.1.2 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 866f7bd7a3f..ba8e64fa97b 100644
--- a/go.sum
+++ b/go.sum
@@ -311,6 +311,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-gorp/gorp/v3 v3.0.2 h1:ULqJXIekoqMx29FI5ekXXFoH1dT2Vc8UhnRzBg+Emz4=
github.com/go-gorp/gorp/v3 v3.0.2/go.mod h1:BJ3q1ejpV8cVALtcXvXaXyTOlMmJhWDxTmncaR6rwBY=
+github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
+github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -671,6 +673,8 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@@ -684,6 +688,8 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs=
github.com/lib/pq v1.10.6/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
+github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
@@ -708,6 +714,8 @@ github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVc
github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
@@ -715,6 +723,8 @@ github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcME
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
github.com/mattn/go-oci8 v0.1.1/go.mod h1:wjDx6Xm9q7dFtHJvIlrI99JytznLw5wQ4R+9mNXJwGI=
github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
@@ -723,6 +733,7 @@ github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh
github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
github.com/mattn/go-sqlite3 v1.14.6 h1:dNPt6NO46WmLVt2DLNpwczCmdV5boIZ6g/tlDrlRUbg=
github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/matttproud/golang_protobuf_extensions v1.0.2 h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM=
github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
@@ -827,6 +838,7 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
github.com/poy/onpar v0.0.0-20190519213022-ee068f8ea4d1 h1:oL4IBbcqwhhNWh31bjOX8C/OCy0zs9906d/VUru+bqg=
github.com/poy/onpar v0.0.0-20190519213022-ee068f8ea4d1/go.mod h1:nSbFQvMj97ZyhFRSJYtut+msi4sOY6zJDGCdSc+/rZU=
+github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
@@ -875,6 +887,8 @@ github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTE
github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
github.com/rubenv/sql-migrate v1.1.2 h1:9M6oj4e//owVVHYrFISmY9LBRw6gzkCNmD9MV36tZeQ=
github.com/rubenv/sql-migrate v1.1.2/go.mod h1:/7TZymwxN8VWumcIxw1jjHEcR1djpdkMHQPT4FWdnbQ=
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
@@ -1297,6 +1311,7 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
From c685efeb03cc3c5404ffa7527ac8ba0ab4953c60 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Tue, 3 Jan 2023 15:10:42 +0000
Subject: [PATCH 0088/1253] use template when generating tempdir in verify-crds
Due to a bug in controller-gen[1] certain paths are incorrectly split
and part of these paths can be interpreted as a numeric literal, which
will cause controller-gen to fail. We observe this as occasional test
flakes in the "verify-crds" target, when the tmpdir starts with a zero,
such as in "/tmp/tmp.0PFqFSHBID"
This commit attempts to avoid this bug by specifying a template for the
tmpdir we generate when verifying CRDs which doesn't include any "."
characters, which seem to be split incorrectly.
[1] https://github.com/kubernetes-sigs/controller-tools/issues/734
Signed-off-by: Ashley Davis
---
hack/check-crds.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/check-crds.sh b/hack/check-crds.sh
index 232cc5fd797..c4d26961ee3 100755
--- a/hack/check-crds.sh
+++ b/hack/check-crds.sh
@@ -41,7 +41,7 @@ fi
echo "+++ verifying that generated CRDs are up-to-date..." >&2
-tmpdir="$(mktemp -d)"
+tmpdir="$(mktemp -d tmp-CHECKCRD-XXXXXXXXX --tmpdir)"
trap 'rm -r $tmpdir' EXIT
make PATCH_CRD_OUTPUT_DIR=$tmpdir patch-crds
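Review bot: The new mktemp invocation puts the `--tmpdir` option after the template, which only works because GNU getopt permutes arguments; with POSIXLY_CORRECT set, `--tmpdir` becomes a second operand and mktemp refuses it. The documented order is `tmpdir="$(mktemp -d --tmpdir tmp-CHECKCRD-XXXXXXXXX)"`, which behaves identically otherwise. While this line is being touched, the two later uses of the variable are still unquoted; `trap 'rm -r "$tmpdir"' EXIT` and `PATCH_CRD_OUTPUT_DIR="$tmpdir"` avoid word splitting now that the directory lives under whatever TMPDIR the caller exports.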
From 5f1a4ac91c66556e40caa3e4ad6ef5cfaa24d085 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 3 Jan 2023 16:44:42 +0000
Subject: [PATCH 0089/1253] Remove duplicate ko-deploy-cert-manager make target
Signed-off-by: Richard Wall
---
make/ko.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make/ko.mk b/make/ko.mk
index b6d48537e52..32b67f72b42 100644
--- a/make/ko.mk
+++ b/make/ko.mk
@@ -46,7 +46,7 @@ $(KO_IMAGE_REFS): _bin/scratch/ko/%.yaml: FORCE | $(NEEDS_KO) $(NEEDS_YQ)
## @category Experimental/ko
ko-images-push: $(KO_IMAGE_REFS)
-.PHONY: ko-deploy-cert-manager
+.PHONY: ko-deploy-certmanager
## Deploy cert-manager after pushing docker images to an OCI registry using ko.
## @category Experimental/ko
ko-deploy-certmanager: $(BINDIR)/cert-manager.tgz $(KO_IMAGE_REFS)
From f8bee19c04617e6845ae7656c0ad75ec36540121 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Tue, 3 Jan 2023 14:51:47 +0000
Subject: [PATCH 0090/1253] various ginkgo tweaks
1. Remove deprecated args (progress, slow spec threshold)
2. Disable colors in CI
Signed-off-by: Ashley Davis
---
make/config/lib.sh | 13 ++++++++++++-
make/e2e-ci.sh | 10 +++++++++-
make/e2e.sh | 32 ++++++++++++++++++++++----------
3 files changed, 43 insertions(+), 12 deletions(-)
diff --git a/make/config/lib.sh b/make/config/lib.sh
index 79b856dde8b..f599ba8cc45 100644
--- a/make/config/lib.sh
+++ b/make/config/lib.sh
@@ -36,7 +36,18 @@ warn=
wait=
greencheck=
redcross=
-if ! printenv NO_COLOR >/dev/null; then
+
+should_color() {
+ if [[ "${CI:-}" == "true" ]]; then
+ return 1
+ elif [[ "${NO_COLOR:-}" ]]; then
+ return 1
+ fi
+
+ return 0
+}
+
+if should_color >/dev/null; then
red="\033[0;31m"
green="\033[0;32m"
yel="\033[0;33m"
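Review bot: The `elif [[ "${NO_COLOR:-}" ]]` test fires only when NO_COLOR is non-empty, whereas the replaced `printenv NO_COLOR` check fired whenever the variable existed, so `NO_COLOR=` (set but empty) now enables colour; that matches the no-color.org convention but is a behaviour change that deserves a comment such as `# NO_COLOR disables colour only when set to a non-empty value (no-color.org semantics).` Writing the test as `[[ -n "${NO_COLOR:-}" ]]` makes that intent explicit. The `>/dev/null` on `if should_color >/dev/null` is a no-op, since the function prints nothing, and can be dropped.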
diff --git a/make/e2e-ci.sh b/make/e2e-ci.sh
index f757ae7a1e7..dfbddb18da8 100755
--- a/make/e2e-ci.sh
+++ b/make/e2e-ci.sh
@@ -15,5 +15,13 @@
# limitations under the License.
set -o errexit
+
trap 'make kind-logs' EXIT
-make --no-print-directory e2e FLAKE_ATTEMPTS=2 K8S_VERSION="$(K8S_VERSION)"
+
+# Note: We set CI here, even though it should be set by Prow, which is the cert-manager CI test runner
+# See the list of defined variables here: https://docs.prow.k8s.io/docs/jobs/#job-environment-variables
+# We explicitly set CI here because it helps with local testing
+# (i.e. "I want to run the exact same e2e test that will be run in CI")
+# and because it allows us to be explicit about where it's getting set when we call "make e2e-ci"
+
+make --no-print-directory e2e FLAKE_ATTEMPTS=2 CI=true K8S_VERSION="$(K8S_VERSION)"
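Review bot: The re-added make line still passes `K8S_VERSION="$(K8S_VERSION)"`, which in a bash script is a command substitution that tries to execute a program named K8S_VERSION rather than expanding the variable; unless this file is pre-processed by make before it runs, the argument is passed empty and a "command not found" message goes to stderr, which `set -o errexit` does not catch because the failing status belongs to the substitution, not to make. The intended expansion is presumably `K8S_VERSION="${K8S_VERSION:-}"`, i.e. `make --no-print-directory e2e FLAKE_ATTEMPTS=2 CI=true K8S_VERSION="${K8S_VERSION:-}"`. The removed line had the same form, so this is a pre-existing issue the commit carries forward rather than introduces.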
diff --git a/make/e2e.sh b/make/e2e.sh
index 358781f44d0..9300c939700 100755
--- a/make/e2e.sh
+++ b/make/e2e.sh
@@ -69,12 +69,18 @@ BINDIR=${BINDIR:-$_default_bindir}
# [5]: https://prow.build-infra.jetstack.net/view/gs/jetstack-logs/pr-logs/pull/cert-manager_cert-manager/4968/pull-cert-manager-make-e2e-v1-23/1507011895024947200
# [6]: https://prow.build-infra.jetstack.net/view/gs/jetstack-logs/pr-logs/pull/cert-manager_cert-manager/4968/pull-cert-manager-make-e2e-v1-23/1507019887451574272
# [7]: https://prow.build-infra.jetstack.net/view/gs/jetstack-logs/pr-logs/pull/cert-manager_cert-manager/4968/pull-cert-manager-make-e2e-v1-23/1507040653668782080
+
nodes=20
+
flake_attempts=1
+
ginkgo_skip=
ginkgo_focus=
+
feature_gates=AdditionalCertificateOutputFormats=true,ExperimentalCertificateSigningRequestControllers=true,ExperimentalGatewayAPISupport=true,LiteralCertificateSubject=true
+
artifacts="./$BINDIR/artifacts"
+
help() {
cat <
Date: Tue, 3 Jan 2023 16:51:31 +0000
Subject: [PATCH 0091/1253] Remove trailing escape slash
Signed-off-by: Richard Wall
---
make/ko.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make/ko.mk b/make/ko.mk
index 32b67f72b42..5419c6ce8f2 100644
--- a/make/ko.mk
+++ b/make/ko.mk
@@ -65,4 +65,4 @@ ko-deploy-certmanager: $(BINDIR)/cert-manager.tgz $(KO_IMAGE_REFS)
--set startupapicheck.image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/ctl.yaml)" \
--set startupapicheck.image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/ctl.yaml)" \
--set installCRDs=true \
- --set "extraArgs={--acme-http01-solver-image=$(ACME_HTTP01_SOLVER_IMAGE)}" \
+ --set "extraArgs={--acme-http01-solver-image=$(ACME_HTTP01_SOLVER_IMAGE)}"
From 33ba0f3ae7508fb0c9744f544cdac1f241b5deb9 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 3 Jan 2023 17:21:21 +0000
Subject: [PATCH 0092/1253] Allow custom helm values files to be supplied to
make ko-deploy-certmanager
Signed-off-by: Richard Wall
---
make/ko.mk | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/make/ko.mk b/make/ko.mk
index b6d48537e52..c1d157f293e 100644
--- a/make/ko.mk
+++ b/make/ko.mk
@@ -6,7 +6,7 @@
## make ko-images-push KO_REGISTRY=
##
## # Build and Push images to an OCI registry and deploy cert-manager to the current cluster in KUBECONFIG
-## make ko-deploy-certmanager KO_REGISTRY=
+## make ko-deploy-certmanager KO_REGISTRY= [KO_HELM_VALUES_FILES=path/to/values.yaml]
##
## @category Experimental/ko
@@ -28,6 +28,11 @@ KO_PLATFORM ?= linux/amd64
## @category Experimental/ko
KO_BINS ?= controller acmesolver cainjector webhook ctl
+## (optional) Paths of Helm values files which will be supplied to `helm install
+## --values` flag by make ko-deploy-certmanager.
+## @category Experimental/ko
+KO_HELM_VALUES_FILES ?=
+
export KOCACHE = $(BINDIR)/scratch/ko/cache
KO_IMAGE_REFS = $(foreach bin,$(KO_BINS),_bin/scratch/ko/$(bin).yaml)
@@ -56,6 +61,7 @@ ko-deploy-certmanager: $(BINDIR)/cert-manager.tgz $(KO_IMAGE_REFS)
--create-namespace \
--wait \
--namespace cert-manager \
+ $(and $(KO_HELM_VALUES_FILES),--values $(KO_HELM_VALUES_FILES)) \
--set image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/controller.yaml)" \
--set image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/controller.yaml)" \
--set cainjector.image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/cainjector.yaml)" \
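Review bot: `$(and $(KO_HELM_VALUES_FILES),--values $(KO_HELM_VALUES_FILES))` emits a single `--values` flag, so the plural variable documented in the earlier hunk as "Paths of Helm values files" only works for one path (or a comma-separated list, which the comment does not mention); a second space-separated path would reach helm as a stray positional argument. `$(foreach f,$(KO_HELM_VALUES_FILES),--values $(f))` produces one flag per path and needs no `$(and ...)` guard, because an empty list expands to nothing. Alternatively, keep the current form and state the comma-separated convention in the variable's `##` comment.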
From 0225cc9234426d9b3c6c164384833322dbaed0d9 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Tue, 3 Jan 2023 16:23:17 +0000
Subject: [PATCH 0093/1253] avoid logging confusing error messages for external
issuers
See https://github.com/cert-manager/cert-manager/issues/5601
When referring to external issuers whose kind is not "Issuer" or
"ClusterIssuer" we log an error message thanks to a new check added in
a previous PR[1] which should only trigger for SelfSigned issuers.
The error previously looked like:
```text
"error"="invalid value \"x\" for issuerRef.kind. Must
be empty, \"Issuer\" or \"ClusterIssuer\""
```
After this PR, any CR with an issuer whose group or kind doesn't
match what's expected for a built-in issuer will be skipped
https://github.com/cert-manager/cert-manager/pull/5336
Signed-off-by: Ashley Davis
WIP: test other issuer kinds
Signed-off-by: Ashley Davis
---
.../certificaterequests/selfsigned/checks.go | 6 ++++++
.../certificaterequests/selfsigned/checks_test.go | 14 ++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/pkg/controller/certificaterequests/selfsigned/checks.go b/pkg/controller/certificaterequests/selfsigned/checks.go
index cd133e1a20e..1e3ac3a95ff 100644
--- a/pkg/controller/certificaterequests/selfsigned/checks.go
+++ b/pkg/controller/certificaterequests/selfsigned/checks.go
@@ -26,6 +26,7 @@ import (
"k8s.io/client-go/util/workqueue"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
+ cmdoc "github.com/cert-manager/cert-manager/pkg/apis/certmanager"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
clientv1 "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
@@ -85,6 +86,11 @@ func certificateRequestsForSecret(log logr.Logger,
dbg.Info("checking if self signed certificate requests reference secret")
var affected []*cmapi.CertificateRequest
for _, request := range requests {
+ if request.Spec.IssuerRef.Group != cmdoc.GroupName {
+ dbg.Info("skipping SelfSigned secret reference checks since issuer has external group", "group", request.Spec.IssuerRef.Group)
+ continue
+ }
+
issuerObj, err := helper.GetGenericIssuer(request.Spec.IssuerRef, request.Namespace)
if k8sErrors.IsNotFound(err) {
dbg.Info("issuer not found, skipping")
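Review bot: The new guard skips a request only when `request.Spec.IssuerRef.Group` differs from `cmdoc.GroupName`, so a request with an empty Group is still passed to `helper.GetGenericIssuer`; if an empty Group is treated as the built-in group elsewhere in the controller that is the intended outcome, but the commit description talks about "group or kind" and `IssuerRef.Kind` is not consulted here, so a foreign Kind under the cert-manager.io group, if that can occur, would still produce the confusing log line. A comment on the `if` stating the assumption, e.g. `// Only cert-manager.io issuers can be SelfSigned; empty Group is treated as cert-manager.io.`, would make the contract explicit. The test added in the checks_test.go hunk below covers only a non-empty foreign group; an "empty group" case and a "cert-manager.io group, unknown kind" case would pin the intended behaviour. `certificateRequestsForSecret` continues outside this hunk.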
diff --git a/pkg/controller/certificaterequests/selfsigned/checks_test.go b/pkg/controller/certificaterequests/selfsigned/checks_test.go
index 09bd3026e35..83aa39483c0 100644
--- a/pkg/controller/certificaterequests/selfsigned/checks_test.go
+++ b/pkg/controller/certificaterequests/selfsigned/checks_test.go
@@ -225,6 +225,20 @@ func Test_certificatesRequestsForSecret(t *testing.T) {
},
expectedAffected: []*cmapi.CertificateRequest{},
},
+ "if issuer has different group, do nothing": {
+ existingCRs: []runtime.Object{
+ gen.CertificateRequest("a",
+ gen.SetCertificateRequestNamespace("test-namespace"),
+ gen.SetCertificateRequestAnnotations(map[string]string{
+ "cert-manager.io/private-key-secret-name": "test-secret",
+ }), gen.SetCertificateRequestIssuer(cmmeta.ObjectReference{
+ Name: "a", Kind: "Keith", Group: "not-cert-manager.io",
+ }),
+ ),
+ },
+ existingIssuers: []runtime.Object{},
+ expectedAffected: []*cmapi.CertificateRequest{},
+ },
"should not return requests which are in a different namespace": {
existingCRs: []runtime.Object{
gen.CertificateRequest("a",
From 6d1a65c771f3f014c594c3b5098ab922f9f875e6 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Wed, 4 Jan 2023 15:34:15 +0000
Subject: [PATCH 0094/1253] bump base images to latest
Signed-off-by: Ashley Davis
---
make/base_images.mk | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/make/base_images.mk b/make/base_images.mk
index a10b082cca2..2d515e58c00 100644
--- a/make/base_images.mk
+++ b/make/base_images.mk
@@ -1,11 +1,11 @@
# autogenerated by hack/latest-base-images.sh
-STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static@sha256:5b2fa762fb6ebf66ff88ae1db2dc4ad8fc6ddf1164477297dfac1a09f20e7339
-STATIC_BASE_IMAGE_arm64 := gcr.io/distroless/static@sha256:6ecd23a434fca0bca716a7a484aa462d86e4c3d18397701d61b7cccc4d035f6f
-STATIC_BASE_IMAGE_s390x := gcr.io/distroless/static@sha256:ea565db08ea3f726e7761ffa5ba594c1096bc1741a22c832b4ec1128e5f1ee37
-STATIC_BASE_IMAGE_arm := gcr.io/distroless/static@sha256:dd7e98090e5415071ef3353055bde559729ad17cd90c3bd4d944c554abd73d12
-STATIC_BASE_IMAGE_ppc64le := gcr.io/distroless/static@sha256:a77004eb85b3e38fa6963064d44cb8b100988319eb9850eaae77307b043ddfe6
-DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base@sha256:d33b9c8d01976cc9137b32b3022e0d490f68205e7c679cd6e677e0d2588cb25a
-DYNAMIC_BASE_IMAGE_arm64 := gcr.io/distroless/base@sha256:0ee9b89e5440df8ba0e226e09685c191dde5e189ed65b66abf3cebc568501232
-DYNAMIC_BASE_IMAGE_s390x := gcr.io/distroless/base@sha256:81b4db05d1c5c5ed8e0afb0a1ed689694ec3ed6860e0bca0656b7cd9cf5cfcef
-DYNAMIC_BASE_IMAGE_arm := gcr.io/distroless/base@sha256:da2b5ce931f24374d38df219770997759d08d61c80f2a442249fdd06ae9cb525
-DYNAMIC_BASE_IMAGE_ppc64le := gcr.io/distroless/base@sha256:2b10be3fd42dcdbc8b8be0824cddf25e6c96585945acbc9c972ecfd4486b43e3
+STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static@sha256:764a31ea2f5757d9e2d3da001790cbdcb6384d3e2d2e458867a08cac59899711
+STATIC_BASE_IMAGE_arm64 := gcr.io/distroless/static@sha256:441d0c9160c4792f1fc6afb2f0c4bd7f25f678e0752edd2dbda11ec778ae05bd
+STATIC_BASE_IMAGE_s390x := gcr.io/distroless/static@sha256:88d4eb9e8038c5e20cc88c2435388784838211c3357d20c183b24a51e38240b4
+STATIC_BASE_IMAGE_arm := gcr.io/distroless/static@sha256:a82e0bff09513a3b1a050ab338b4be3fefb5c9dc5ecf8371a905454730ad22da
+STATIC_BASE_IMAGE_ppc64le := gcr.io/distroless/static@sha256:ab3192ef35ea6f5077dffc137060a632c560d6f423786595adbeaf406619668f
+DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base@sha256:8e8769bf7b83830995154e6c37c7d0de27ed91e58eaf45662057eea4c22705eb
+DYNAMIC_BASE_IMAGE_arm64 := gcr.io/distroless/base@sha256:5f6c645dc9cfd335dc62f7d77f49a5a6123a1d78947cc4a912e4516a622759b3
+DYNAMIC_BASE_IMAGE_s390x := gcr.io/distroless/base@sha256:d1784da21f7b1aaf0a4ead7136e9b507fbea314b0259dfe97865f53fd6be5542
+DYNAMIC_BASE_IMAGE_arm := gcr.io/distroless/base@sha256:1ed08a4dd4275335bae8017dee98048398adf60230e93d8665f8435512dd0ad5
+DYNAMIC_BASE_IMAGE_ppc64le := gcr.io/distroless/base@sha256:d3013f0b6618d0cebf29b34a7f6627d280f4ddb35a77227ee8ace2b0199baeb3
From 036b01394250086b39ca63c729c468328e9a1d37 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Thu, 5 Jan 2023 10:11:48 +0000
Subject: [PATCH 0095/1253] Ensures that only one secrets cache is created for
cert-manager controller
Signed-off-by: irbekrm
---
pkg/issuer/acme/dns/dns.go | 3 ++-
pkg/issuer/acme/dns/rfc2136/provider.go | 30 ++++++++++++++++---------
2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/pkg/issuer/acme/dns/dns.go b/pkg/issuer/acme/dns/dns.go
index e9aeb1cc760..80c5fcc56b6 100644
--- a/pkg/issuer/acme/dns/dns.go
+++ b/pkg/issuer/acme/dns/dns.go
@@ -488,9 +488,10 @@ func (s *Solver) dns01SolverForConfig(config *cmacme.ACMEChallengeSolverDNS01) (
// NewSolver creates a Solver which can instantiate the appropriate DNS
// provider.
func NewSolver(ctx *controller.Context) (*Solver, error) {
+ secretsLister := ctx.KubeSharedInformerFactory.Core().V1().Secrets().Lister()
webhookSolvers := []webhook.Solver{
&webhookslv.Webhook{},
- rfc2136.New(rfc2136.WithNamespace(ctx.Namespace)),
+ rfc2136.New(rfc2136.WithNamespace(ctx.Namespace), rfc2136.WithSecretsLister(secretsLister)),
}
initialized := make(map[string]webhook.Solver)
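Review bot: Calling `ctx.KubeSharedInformerFactory.Core().V1().Secrets().Lister()` here registers a Secrets informer on the shared factory, which is only synced if the factory's `Start` runs after `NewSolver`; if the factory has already been started by this point, the lister serves an empty cache and RFC2136 secret lookups fail silently, so the startup order should be confirmed. The shared factory is also presumably not restricted with `informers.WithNamespace` the way the solver's own factory in provider.go was, so the informer's cache and the RBAC it needs may now be cluster-wide; if the shared factory is already scoped to `ctx.Namespace` this is moot. A short comment would record the intent from the commit title: `// Reuse the controller's shared Secrets informer so rfc2136 does not start a second secrets cache.`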
diff --git a/pkg/issuer/acme/dns/rfc2136/provider.go b/pkg/issuer/acme/dns/rfc2136/provider.go
index be68ee665de..8167bb2b4fc 100644
--- a/pkg/issuer/acme/dns/rfc2136/provider.go
+++ b/pkg/issuer/acme/dns/rfc2136/provider.go
@@ -50,6 +50,12 @@ func WithNamespace(ns string) Option {
}
}
+func WithSecretsLister(secretLister corelisters.SecretLister) Option {
+ return func(s *Solver) {
+ s.secretLister = secretLister
+ }
+}
+
func New(opts ...Option) *Solver {
s := &Solver{}
for _, o := range opts {
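Review bot: `WithSecretsLister` is exported and has no doc comment; suggest `// WithSecretsLister makes the Solver use an existing SecretLister, so Initialize does not start its own informer.`. Because the injected lister replaces the namespace-scoped factory that `Initialize` would otherwise build, the comment should also say that the caller is responsible for the lister's cache being synced and for its scope covering the namespaces the solver reads from.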
@@ -91,18 +97,22 @@ func (s *Solver) CleanUp(ch *whapi.ChallengeRequest) error {
}
func (s *Solver) Initialize(kubeClientConfig *restclient.Config, stopCh <-chan struct{}) error {
- cl, err := kubernetes.NewForConfig(kubeClientConfig)
- if err != nil {
- return err
+ // Only start a secrets informerfactory if it is needed (if the solver
+ // is not already initialized with a secrets lister)
+ if s.secretLister == nil {
+ cl, err := kubernetes.NewForConfig(kubeClientConfig)
+ if err != nil {
+ return err
+ }
+
+ // obtain a secret lister and start the informer factory to populate the
+ // secret cache
+ factory := informers.NewSharedInformerFactoryWithOptions(cl, time.Minute*5, informers.WithNamespace(s.namespace))
+ s.secretLister = factory.Core().V1().Secrets().Lister()
+ factory.Start(stopCh)
+ factory.WaitForCacheSync(stopCh)
}
- // obtain a secret lister and start the informer factory to populate the
- // secret cache
- factory := informers.NewSharedInformerFactoryWithOptions(cl, time.Minute*5, informers.WithNamespace(s.namespace))
- s.secretLister = factory.Core().V1().Secrets().Lister()
- factory.Start(stopCh)
- factory.WaitForCacheSync(stopCh)
-
return nil
}
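Review bot: The new comment on the `if s.secretLister == nil` branch reads "informerfactory" and describes the condition indirectly; suggest `// Start a namespace-scoped secrets informer only when no lister was injected via WithSecretsLister.`. It is also worth noting in that comment that `kubeClientConfig` and `stopCh` are unused when a lister was injected, since a reader may otherwise expect the injected lister to be tied to `stopCh`.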
From 8ed0faf2287c703cb32b93170bd51fa6994bb89d Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Thu, 5 Jan 2023 12:07:25 +0000
Subject: [PATCH 0096/1253] Fix integration tests
Signed-off-by: irbekrm
---
pkg/issuer/acme/dns/rfc2136/provider.go | 5 ++--
test/acme/dns/fixture.go | 28 +++++++++++++++++--
test/acme/dns/options.go | 6 ++--
.../rfc2136_dns01/provider_test.go | 4 +--
4 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/pkg/issuer/acme/dns/rfc2136/provider.go b/pkg/issuer/acme/dns/rfc2136/provider.go
index 8167bb2b4fc..c9ef4101212 100644
--- a/pkg/issuer/acme/dns/rfc2136/provider.go
+++ b/pkg/issuer/acme/dns/rfc2136/provider.go
@@ -33,6 +33,8 @@ import (
logf "github.com/cert-manager/cert-manager/pkg/logs"
)
+const SolverName = "rfc2136"
+
type Solver struct {
secretLister corelisters.SecretLister
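Review bot: `SolverName` is a new exported constant without a doc comment; suggest `// SolverName is the name returned by (*Solver).Name and is what callers match on to select this solver.`. The struct definition it precedes continues outside this hunk.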
@@ -65,7 +67,7 @@ func New(opts ...Option) *Solver {
}
func (s *Solver) Name() string {
- return "rfc2136"
+ return SolverName
}
func (s *Solver) Present(ch *whapi.ChallengeRequest) error {
@@ -112,7 +114,6 @@ func (s *Solver) Initialize(kubeClientConfig *restclient.Config, stopCh <-chan s
factory.Start(stopCh)
factory.WaitForCacheSync(stopCh)
}
-
return nil
}
diff --git a/test/acme/dns/fixture.go b/test/acme/dns/fixture.go
index 9bd1116b352..abdac67f2fa 100644
--- a/test/acme/dns/fixture.go
+++ b/test/acme/dns/fixture.go
@@ -24,10 +24,12 @@ import (
"time"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+ "k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
"sigs.k8s.io/controller-runtime/pkg/envtest"
"github.com/cert-manager/cert-manager/pkg/acme/webhook"
+ "github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/rfc2136"
"github.com/cert-manager/cert-manager/test/internal/apiserver"
)
@@ -42,7 +44,8 @@ func init() {
type fixture struct {
// testSolver is the actual DNS solver that is under test.
// It is set when calling the NewFixture function.
- testSolver webhook.Solver
+ testSolver webhook.Solver
+ testSolverType string
resolvedFQDN string
resolvedZone string
@@ -96,7 +99,28 @@ func (f *fixture) setup(t *testing.T) func() {
f.clientset = cl
stopCh := make(chan struct{})
- f.testSolver.Initialize(env.Config, stopCh)
+
+ var testSolver webhook.Solver
+ switch f.testSolverType {
+ case rfc2136.SolverName:
+ cl, err := kubernetes.NewForConfig(env.Config)
+ if err != nil {
+ t.Errorf("error initializing solver: %#+v", err)
+ }
+
+ // obtain a secret lister and start the informer factory to populate the
+ // secret cache
+ factory := informers.NewSharedInformerFactoryWithOptions(cl, time.Minute*5)
+ secretLister := factory.Core().V1().Secrets().Lister()
+ factory.Start(stopCh)
+ factory.WaitForCacheSync(stopCh)
+ testSolver = rfc2136.New(rfc2136.WithSecretsLister(secretLister))
+ f.testSolver = testSolver
+ default:
+ t.Errorf("unknown solver type: %s", f.testSolverType)
+ }
+
+ testSolver.Initialize(env.Config, stopCh)
return func() {
close(stopCh)
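Review bot: Both failure paths in the new `setup` switch report with `t.Errorf` and then fall through into code that dereferences the failed result: a `kubernetes.NewForConfig` error leaves `cl` nil when passed to `informers.NewSharedInformerFactoryWithOptions`, and the `default` branch leaves `testSolver` a nil interface, so `testSolver.Initialize(env.Config, stopCh)` panics instead of failing the test with a readable message. Use `t.Fatalf(...)` in both places, and stop discarding the initializer's result: `if err := testSolver.Initialize(env.Config, stopCh); err != nil { t.Fatalf("error initializing solver: %v", err) }`. The inner `cl, err :=` also shadows the `cl` that was just stored in `f.clientset` above the hunk; a distinct name (`kubeClient`) avoids the confusion. The returned cleanup closure continues outside the hunk.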
diff --git a/test/acme/dns/options.go b/test/acme/dns/options.go
index 66693eb8757..053eb358e73 100644
--- a/test/acme/dns/options.go
+++ b/test/acme/dns/options.go
@@ -24,8 +24,6 @@ import (
"time"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-
- "github.com/cert-manager/cert-manager/pkg/acme/webhook"
)
// Option applies a configuration option to the test fixture being built
@@ -33,9 +31,9 @@ type Option func(*fixture)
// NewFixture constructs a new *fixture, applying the given Options before
// returning.
-func NewFixture(solver webhook.Solver, opts ...Option) *fixture {
+func NewFixture(solverType string, opts ...Option) *fixture {
f := &fixture{
- testSolver: solver,
+ testSolverType: solverType,
}
for _, o := range opts {
o(f)
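Review bot: `NewFixture` now takes a `solverType` string instead of a ready `webhook.Solver`, but its doc comment still only says it applies Options, so a caller cannot tell which strings are valid or what happens with an unknown one. Extend the comment: `// solverType selects the solver under test by its Name() (currently only rfc2136.SolverName);` `// setup reports any other value as a test failure.` The function's return statement lies outside the hunk.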
diff --git a/test/integration/rfc2136_dns01/provider_test.go b/test/integration/rfc2136_dns01/provider_test.go
index 42cbbfad265..e22128b68bb 100644
--- a/test/integration/rfc2136_dns01/provider_test.go
+++ b/test/integration/rfc2136_dns01/provider_test.go
@@ -59,7 +59,7 @@ func TestRunSuiteWithTSIG(t *testing.T) {
TSIGKeyName: rfc2136TestTsigKeyName,
}
- fixture := dns.NewFixture(&rfc2136.Solver{},
+ fixture := dns.NewFixture(rfc2136.SolverName,
dns.SetResolvedZone(rfc2136TestZone),
dns.SetResolvedFQDN(rfc2136TestFqdn),
dns.SetAllowAmbientCredentials(false),
@@ -91,7 +91,7 @@ func TestRunSuiteNoTSIG(t *testing.T) {
Nameserver: server.ListenAddr(),
}
- fixture := dns.NewFixture(&rfc2136.Solver{},
+ fixture := dns.NewFixture(rfc2136.SolverName,
dns.SetResolvedZone(rfc2136TestZone),
dns.SetResolvedFQDN(rfc2136TestFqdn),
dns.SetAllowAmbientCredentials(false),
From 264ebe6d29bbb4a1ef3ab38abc42a27dd395ae71 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Thu, 5 Jan 2023 16:42:55 +0000
Subject: [PATCH 0097/1253] move custom acmesolver image above extraArgs
since the acmesolver image has defaults (i.e. the repository is set by
default[1]), the helm chart changes introduced in #5554 will always set
the `--acme-http01-solver-image` parameter.
This can break users who previously had this parameter set via the
extraArgs Helm option, which was found and reported on Slack[2].
This commit moves the new Helm value added in #5554 above extraArgs,
so that if extraArgs is set it will take precedence and nothing should
change as users upgrade.
[1] https://github.com/cert-manager/cert-manager/blob/a5d67d3a21f86fb21b8194808601da429a1c4752/deploy/charts/cert-manager/values.yaml#L504-L516
[2] https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1672925692339849
Signed-off-by: Ashley Davis
---
deploy/charts/cert-manager/templates/deployment.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/deploy/charts/cert-manager/templates/deployment.yaml b/deploy/charts/cert-manager/templates/deployment.yaml
index e621f2dc8d5..6e74f1e825a 100644
--- a/deploy/charts/cert-manager/templates/deployment.yaml
+++ b/deploy/charts/cert-manager/templates/deployment.yaml
@@ -90,6 +90,9 @@ spec:
- --leader-election-retry-period={{ .retryPeriod }}
{{- end }}
{{- end }}
+ {{- with .Values.acmesolver.image }}
+ - --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
+ {{- end }}
{{- with .Values.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
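Review bot: The position of the `--acme-http01-solver-image` block relative to `extraArgs` is now load-bearing, but nothing in the template says so; a later contributor regrouping the flags will silently re-break users who override the image through `extraArgs`. Add a template comment above the moved block, e.g. `{{- /* Keep before extraArgs: a duplicate --acme-http01-solver-image given in extraArgs must be parsed last so it wins */ }}` (left-trim only, so the list indentation on the next line is preserved). This relies on the controller's flag parser keeping the last occurrence of a repeated flag, which is what the commit message assumes; confirm it rather than inferring it from the rendered manifest.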
@@ -110,9 +113,6 @@ spec:
{{- if .Values.maxConcurrentChallenges }}
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
{{- end }}
- {{- with .Values.acmesolver.image }}
- - --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
- {{- end }}
ports:
- containerPort: 9402
name: http-metrics
From 02297b4e56113c1d36b2f37bf7fa95a316365706 Mon Sep 17 00:00:00 2001
From: Luca Comellini
Date: Thu, 5 Jan 2023 11:36:05 +0100
Subject: [PATCH 0098/1253] Bump golang.org/x/crypto and golang.org/x/oauth2
Signed-off-by: Luca Comellini
---
LICENSES | 12 ++++++------
go.mod | 12 ++++++------
go.sum | 39 ++++++++++++---------------------------
3 files changed, 24 insertions(+), 39 deletions(-)
diff --git a/LICENSES b/LICENSES
index 393e5ec4caa..e5127232ad7 100644
--- a/LICENSES
+++ b/LICENSES
@@ -195,13 +195,13 @@ go.starlark.net,https://github.com/google/starlark-go/blob/8dd3e2ee1dd5/LICENSE,
go.uber.org/atomic,https://github.com/uber-go/atomic/blob/v1.9.0/LICENSE.txt,MIT
go.uber.org/multierr,https://github.com/uber-go/multierr/blob/v1.6.0/LICENSE.txt,MIT
go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.24.0/LICENSE.txt,MIT
-golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/v0.1.0:LICENSE,BSD-3-Clause
-golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.4.0:LICENSE,BSD-3-Clause
-golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/f2134210:LICENSE,BSD-3-Clause
+golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/v0.5.0:LICENSE,BSD-3-Clause
+golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.5.0:LICENSE,BSD-3-Clause
+golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/v0.4.0:LICENSE,BSD-3-Clause
golang.org/x/sync,https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE,BSD-3-Clause
-golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/v0.3.0:LICENSE,BSD-3-Clause
-golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.3.0:LICENSE,BSD-3-Clause
-golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.5.0:LICENSE,BSD-3-Clause
+golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/v0.4.0:LICENSE,BSD-3-Clause
+golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.4.0:LICENSE,BSD-3-Clause
+golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.6.0:LICENSE,BSD-3-Clause
golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE,BSD-3-Clause
gomodules.xyz/jsonpatch/v2,https://github.com/gomodules/jsonpatch/blob/v2.2.0/v2/LICENSE,Apache-2.0
google.golang.org/api,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/LICENSE,BSD-3-Clause
diff --git a/go.mod b/go.mod
index 9fa4ee6364f..8752bb02244 100644
--- a/go.mod
+++ b/go.mod
@@ -33,8 +33,8 @@ require (
github.com/spf13/cobra v1.6.1
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.8.1
- golang.org/x/crypto v0.1.0
- golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
+ golang.org/x/crypto v0.5.0
+ golang.org/x/oauth2 v0.4.0
golang.org/x/sync v0.1.0
gomodules.xyz/jsonpatch/v2 v2.2.0
google.golang.org/api v0.97.0
@@ -229,10 +229,10 @@ require (
go.uber.org/multierr v1.6.0 // indirect
go.uber.org/zap v1.24.0 // indirect
golang.org/x/mod v0.7.0 // indirect
- golang.org/x/net v0.4.0 // indirect
- golang.org/x/sys v0.3.0 // indirect
- golang.org/x/term v0.3.0 // indirect
- golang.org/x/text v0.5.0 // indirect
+ golang.org/x/net v0.5.0 // indirect
+ golang.org/x/sys v0.4.0 // indirect
+ golang.org/x/term v0.4.0 // indirect
+ golang.org/x/text v0.6.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.4.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
diff --git a/go.sum b/go.sum
index 262dfc8717c..74cc8c68183 100644
--- a/go.sum
+++ b/go.sum
@@ -309,7 +309,6 @@ github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-gorp/gorp/v3 v3.0.2 h1:ULqJXIekoqMx29FI5ekXXFoH1dT2Vc8UhnRzBg+Emz4=
github.com/go-gorp/gorp/v3 v3.0.2/go.mod h1:BJ3q1ejpV8cVALtcXvXaXyTOlMmJhWDxTmncaR6rwBY=
github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
@@ -671,8 +670,6 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -686,8 +683,6 @@ github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhR
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs=
-github.com/lib/pq v1.10.6/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
@@ -712,8 +707,6 @@ github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kN
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
@@ -721,7 +714,6 @@ github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@@ -731,7 +723,6 @@ github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m
github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
-github.com/mattn/go-sqlite3 v1.14.6 h1:dNPt6NO46WmLVt2DLNpwczCmdV5boIZ6g/tlDrlRUbg=
github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
@@ -836,7 +827,6 @@ github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZ
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/poy/onpar v0.0.0-20190519213022-ee068f8ea4d1 h1:oL4IBbcqwhhNWh31bjOX8C/OCy0zs9906d/VUru+bqg=
github.com/poy/onpar v0.0.0-20190519213022-ee068f8ea4d1/go.mod h1:nSbFQvMj97ZyhFRSJYtut+msi4sOY6zJDGCdSc+/rZU=
github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
@@ -883,10 +873,7 @@ github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJ
github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
-github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
-github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
github.com/rubenv/sql-migrate v1.1.2 h1:9M6oj4e//owVVHYrFISmY9LBRw6gzkCNmD9MV36tZeQ=
@@ -995,7 +982,6 @@ github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI=
github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE=
github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
-github.com/ziutek/mymysql v1.5.4 h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs=
github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
@@ -1084,8 +1070,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
+golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1183,8 +1169,8 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su
golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
+golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1207,8 +1193,8 @@ golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j
golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 h1:lxqLZaMad/dJHMFZH0NiNpiEZI/nhgWhe4wgzpE+MuA=
-golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
+golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M=
+golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1297,7 +1283,6 @@ golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1315,12 +1300,12 @@ golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
+golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1331,8 +1316,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
+golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
From eaf814cffa91bbe80aaa687934cd00bd54226812 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Thu, 5 Jan 2023 17:42:40 +0000
Subject: [PATCH 0099/1253] Code review feedback- better comment
Signed-off-by: irbekrm
---
pkg/issuer/acme/dns/rfc2136/provider.go | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/issuer/acme/dns/rfc2136/provider.go b/pkg/issuer/acme/dns/rfc2136/provider.go
index c9ef4101212..874b8689d9a 100644
--- a/pkg/issuer/acme/dns/rfc2136/provider.go
+++ b/pkg/issuer/acme/dns/rfc2136/provider.go
@@ -100,7 +100,11 @@ func (s *Solver) CleanUp(ch *whapi.ChallengeRequest) error {
func (s *Solver) Initialize(kubeClientConfig *restclient.Config, stopCh <-chan struct{}) error {
// Only start a secrets informerfactory if it is needed (if the solver
- // is not already initialized with a secrets lister)
+ // is not already initialized with a secrets lister) This is legacy
+ // functionality. If you have a secrets watcher already available in the
+ // caller, you probably want to use that to avoid double caching the
+ // Secrets
+ // TODO: refactor and remove this functionality
if s.secretLister == nil {
cl, err := kubernetes.NewForConfig(kubeClientConfig)
if err != nil {
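Review bot: The reworded comment runs two sentences together (`... secrets lister) This is legacy`) and ends `Secrets` without punctuation before the TODO; since it is the only explanation of why `Initialize` may spin up its own informer, it should read cleanly. Suggested wording: `// Only start a secrets informer factory if the solver was not already constructed with a secrets lister.` `// This is legacy behaviour: callers that already run a Secrets informer should pass its lister via WithSecretsLister to avoid caching Secrets twice.` `// TODO: refactor and remove this fallback.` The function body continues past the hunk.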
From 87bef523374b0f73ea293a99fb48fcd503d67c51 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Thu, 5 Jan 2023 18:15:19 +0000
Subject: [PATCH 0100/1253] Fix cainjector's namespace flag
Ensures that when cainjector has the namespace flag passed, namespaced resource caching is scoped to that namespace
Signed-off-by: irbekrm
---
cmd/cainjector/app/start.go | 4 ++--
pkg/controller/cainjector/setup.go | 13 ++++++++-----
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/cmd/cainjector/app/start.go b/cmd/cainjector/app/start.go
index 713c80ed8f2..948e7442ec6 100644
--- a/cmd/cainjector/app/start.go
+++ b/cmd/cainjector/app/start.go
@@ -215,7 +215,7 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
// Never retry if the controller exits cleanly.
g.Go(func() (err error) {
for {
- err = cainjector.RegisterCertificateBased(gctx, mgr)
+ err = cainjector.RegisterCertificateBased(gctx, mgr, o.Namespace)
if err == nil {
return
}
@@ -234,7 +234,7 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
// We do not retry this controller because it only interacts with core APIs
// which should always be in a working state.
g.Go(func() (err error) {
- if err = cainjector.RegisterSecretBased(gctx, mgr); err != nil {
+ if err = cainjector.RegisterSecretBased(gctx, mgr, o.Namespace); err != nil {
return fmt.Errorf("error registering secret controller: %v", err)
}
return
diff --git a/pkg/controller/cainjector/setup.go b/pkg/controller/cainjector/setup.go
index acb7743f8db..52f20064020 100644
--- a/pkg/controller/cainjector/setup.go
+++ b/pkg/controller/cainjector/setup.go
@@ -180,8 +180,8 @@ func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
// indices.
// The registered controllers require the cert-manager API to be available
// in order to run.
-func RegisterCertificateBased(ctx context.Context, mgr ctrl.Manager) error {
- cache, client, err := newIndependentCacheAndDelegatingClient(mgr)
+func RegisterCertificateBased(ctx context.Context, mgr ctrl.Manager, namespace string) error {
+ cache, client, err := newIndependentCacheAndDelegatingClient(mgr, namespace)
if err != nil {
return err
}
@@ -202,8 +202,8 @@ func RegisterCertificateBased(ctx context.Context, mgr ctrl.Manager) error {
// indices.
// The registered controllers only require the corev1 APi to be available in
// order to run.
-func RegisterSecretBased(ctx context.Context, mgr ctrl.Manager) error {
- cache, client, err := newIndependentCacheAndDelegatingClient(mgr)
+func RegisterSecretBased(ctx context.Context, mgr ctrl.Manager, namespace string) error {
+ cache, client, err := newIndependentCacheAndDelegatingClient(mgr, namespace)
if err != nil {
return err
}
@@ -226,11 +226,14 @@ func RegisterSecretBased(ctx context.Context, mgr ctrl.Manager) error {
// cert-manager Certificates CRDs have been installed and before the CA bundles
// have been injected into the cert-manager CRDs, by the secrets based injector,
// which is running in a separate goroutine.
-func newIndependentCacheAndDelegatingClient(mgr ctrl.Manager) (cache.Cache, client.Client, error) {
+func newIndependentCacheAndDelegatingClient(mgr ctrl.Manager, namespace string) (cache.Cache, client.Client, error) {
cacheOptions := cache.Options{
Scheme: mgr.GetScheme(),
Mapper: mgr.GetRESTMapper(),
}
+ if namespace != "" {
+ cacheOptions.Namespace = namespace
+ }
ca, err := cache.New(mgr.GetConfig(), cacheOptions)
if err != nil {
return nil, nil, err
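Review bot: `newIndependentCacheAndDelegatingClient` gains a `namespace` parameter but the doc comment above the hunk is not updated; add `// namespace, when non-empty, restricts the independent cache to that namespace; "" watches all namespaces.` The `if namespace != ""` guard looks redundant: `cache.Options.Namespace` is a plain string whose zero value already means cluster-wide in controller-runtime, so `cacheOptions.Namespace = namespace` alone should be equivalent — worth confirming against the pinned controller-runtime version before simplifying. Be aware that with a namespaced cache a `Get` for an object in another namespace fails at the cache layer rather than reaching the API server, so consumers of the returned client must treat out-of-scope references explicitly. The function body continues past the hunk.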
From ff800307374aff81d69b16f7e2d13c78a542c845 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Thu, 5 Jan 2023 18:15:19 +0000
Subject: [PATCH 0101/1253] Log error if CA source is in a namespace that is
not in scope
cainjector will still watch cluster-scoped resources such as CRDs, so it can get references to Secrets or Certificates in namespaces that are out of scope
Signed-off-by: irbekrm
---
pkg/controller/cainjector/controller.go | 10 ++++++++-
pkg/controller/cainjector/setup.go | 9 +++++---
pkg/controller/cainjector/sources.go | 28 +++++++++++++++++++------
3 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/pkg/controller/cainjector/controller.go b/pkg/controller/cainjector/controller.go
index 1bcfc4ec350..44c063afbf5 100644
--- a/pkg/controller/cainjector/controller.go
+++ b/pkg/controller/cainjector/controller.go
@@ -106,6 +106,9 @@ type genericInjectReconciler struct {
log logr.Logger
client.Client
+ // if set, the reconciler is namespace scoped
+ namespace string
+
resourceName string // just used for logging
}
@@ -157,11 +160,16 @@ func (r *genericInjectReconciler) Reconcile(_ context.Context, req ctrl.Request)
return ctrl.Result{}, nil
}
- caData, err := dataSource.ReadCA(ctx, log, metaObj)
+ caData, err := dataSource.ReadCA(ctx, log, metaObj, r.namespace)
+ if apierrors.IsForbidden(err) {
+ log.V(logf.InfoLevel).Info("cainjector was forbidden to retrieve the ca data source")
+ return ctrl.Result{}, nil
+ }
if err != nil {
log.Error(err, "failed to read CA from data source")
return ctrl.Result{}, err
}
+
if caData == nil {
log.V(logf.InfoLevel).Info("could not find any ca data in data source for target")
return ctrl.Result{}, nil
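Review bot: The new `apierrors.IsForbidden(err)` branch treats every Forbidden error as "source out of scope", logs at info level without the error itself, and returns without requeueing; a genuine 403 from the API server (an RBAC gap on Secrets or Certificates, should any source read through a live client) would be masked the same way and never retried. Distinguishing the scope case with a package-level sentinel (`var errSourceOutOfScope = errors.New("ca data source is outside the cainjector's namespace")`, matched with `errors.Is`) keeps real authorization failures on the `log.Error` / return-err path. At minimum carry the reason into the log: `log.V(logf.InfoLevel).Info("cainjector was forbidden to retrieve the ca data source", "reason", err.Error())`. `Reconcile` starts before this hunk.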
diff --git a/pkg/controller/cainjector/setup.go b/pkg/controller/cainjector/setup.go
index 52f20064020..87892a749c2 100644
--- a/pkg/controller/cainjector/setup.go
+++ b/pkg/controller/cainjector/setup.go
@@ -77,10 +77,10 @@ var (
// registerAllInjectors registers all injectors and based on the
// graduation state of the injector decides how to log no kind/resource match errors
-func registerAllInjectors(ctx context.Context, groupName string, mgr ctrl.Manager, sources []caDataSource, client client.Client, ca cache.Cache) error {
+func registerAllInjectors(ctx context.Context, groupName string, mgr ctrl.Manager, sources []caDataSource, client client.Client, ca cache.Cache, namespace string) error {
controllers := make([]controller.Controller, len(injectorSetups))
for i, setup := range injectorSetups {
- controller, err := newGenericInjectionController(ctx, groupName, mgr, setup, sources, ca, client)
+ controller, err := newGenericInjectionController(ctx, groupName, mgr, setup, sources, ca, client, namespace)
if err != nil {
if !meta.IsNoMatchError(err) || !setup.injector.IsAlpha() {
return err
@@ -126,7 +126,7 @@ func registerAllInjectors(ctx context.Context, groupName string, mgr ctrl.Manage
// * https://github.com/kubernetes-sigs/controller-runtime/issues/764
func newGenericInjectionController(ctx context.Context, groupName string, mgr ctrl.Manager,
setup injectorSetup, sources []caDataSource, ca cache.Cache,
- client client.Client) (controller.Controller, error) {
+ client client.Client, namespace string) (controller.Controller, error) {
log := ctrl.Log.WithName(groupName).WithName(setup.resourceName)
typ := setup.injector.NewTarget().AsObject()
@@ -140,6 +140,7 @@ func newGenericInjectionController(ctx context.Context, groupName string, mgr ct
log: log.WithName("generic-inject-reconciler"),
resourceName: setup.resourceName,
injector: setup.injector,
+ namespace: namespace,
},
LogConstructor: func(request *reconcile.Request) logr.Logger { return log },
})
@@ -194,6 +195,7 @@ func RegisterCertificateBased(ctx context.Context, mgr ctrl.Manager, namespace s
},
client,
cache,
+ namespace,
)
}
@@ -217,6 +219,7 @@ func RegisterSecretBased(ctx context.Context, mgr ctrl.Manager, namespace string
},
client,
cache,
+ namespace,
)
}
diff --git a/pkg/controller/cainjector/sources.go b/pkg/controller/cainjector/sources.go
index 044d667afd0..8eb2e8080be 100644
--- a/pkg/controller/cainjector/sources.go
+++ b/pkg/controller/cainjector/sources.go
@@ -18,11 +18,11 @@ package cainjector
import (
"context"
-
- logf "github.com/cert-manager/cert-manager/pkg/logs"
+ "fmt"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
ctrl "sigs.k8s.io/controller-runtime"
@@ -34,6 +34,7 @@ import (
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+ logf "github.com/cert-manager/cert-manager/pkg/logs"
)
// caDataSource knows how to extract CA data given a provided InjectTarget.
@@ -52,7 +53,7 @@ type caDataSource interface {
// In this case, the caller should not retry the operation.
// It is up to the ReadCA implementation to inform the user why the CA
// failed to read.
- ReadCA(ctx context.Context, log logr.Logger, metaObj metav1.Object) (ca []byte, err error)
+ ReadCA(ctx context.Context, log logr.Logger, metaObj metav1.Object, namespace string) (ca []byte, err error)
// ApplyTo applies any required watchers to the given controller.
ApplyTo(ctx context.Context, mgr ctrl.Manager, setup injectorSetup, controller controller.Controller, ca cache.Cache) error
@@ -69,7 +70,7 @@ func (c *kubeconfigDataSource) Configured(log logr.Logger, metaObj metav1.Object
return metaObj.GetAnnotations()[cmapi.WantInjectAPIServerCAAnnotation] == "true"
}
-func (c *kubeconfigDataSource) ReadCA(ctx context.Context, log logr.Logger, metaObj metav1.Object) (ca []byte, err error) {
+func (c *kubeconfigDataSource) ReadCA(ctx context.Context, log logr.Logger, metaObj metav1.Object, namespace string) (ca []byte, err error) {
return c.apiserverCABundle, nil
}
@@ -99,15 +100,22 @@ func (c *certificateDataSource) Configured(log logr.Logger, metaObj metav1.Objec
return true
}
-func (c *certificateDataSource) ReadCA(ctx context.Context, log logr.Logger, metaObj metav1.Object) (ca []byte, err error) {
+func (c *certificateDataSource) ReadCA(ctx context.Context, log logr.Logger, metaObj metav1.Object, namespace string) (ca []byte, err error) {
certNameRaw := metaObj.GetAnnotations()[cmapi.WantInjectAnnotation]
certName := splitNamespacedName(certNameRaw)
log = log.WithValues("certificate", certName)
if certName.Namespace == "" {
log.Error(nil, "invalid certificate name; needs a namespace/ prefix")
+ // TODO: should an error be returned here to prevent the caller from proceeding?
// don't return an error, requeuing won't help till this is changed
return nil, nil
}
+ if namespace != "" && certName.Namespace != namespace {
+ err := fmt.Errorf("cannot read CA data from Certificate in namespace %s, cainjector is scoped to namespace %s", certName.Namespace, namespace)
+ forbidenErr := apierrors.NewForbidden(cmapi.Resource("certificates"), certName.Name, err)
+ log.Error(forbidenErr, "cannot read data source")
+ return nil, forbidenErr
+ }
var cert cmapi.Certificate
if err := c.client.Get(ctx, certName, &cert); err != nil {
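Review bot: The new local `forbidenErr` is misspelled and the same misspelling is repeated in the Secret data source below; `forbiddenErr` keeps grep-ability with the apierrors helper it wraps. The new branch also logs the error and then returns it, so the caller is likely to report it a second time; unless the caller swallows Forbidden errors (not visible here), one of the two should go. The surrounding function continues past the end of this hunk. Proposed: `forbiddenErr := apierrors.NewForbidden(cmapi.Resource("certificates"), certName.Name, err)` followed by `return nil, forbiddenErr` without the intermediate `log.Error`.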
@@ -185,16 +193,24 @@ func (c *secretDataSource) Configured(log logr.Logger, metaObj metav1.Object) bo
return true
}
-func (c *secretDataSource) ReadCA(ctx context.Context, log logr.Logger, metaObj metav1.Object) ([]byte, error) {
+func (c *secretDataSource) ReadCA(ctx context.Context, log logr.Logger, metaObj metav1.Object, namespace string) ([]byte, error) {
secretNameRaw := metaObj.GetAnnotations()[cmapi.WantInjectFromSecretAnnotation]
secretName := splitNamespacedName(secretNameRaw)
log = log.WithValues("secret", secretName)
if secretName.Namespace == "" {
log.Error(nil, "invalid certificate name")
+ // TODO: should we return error here to prevent the caller from proceeding?
// don't return an error, requeuing won't help till this is changed
return nil, nil
}
+ if namespace != "" && secretName.Namespace != namespace {
+ err := fmt.Errorf("cannot read CA data from Secret in namespace %s, cainjector is scoped to namespace %s", secretName.Namespace, namespace)
+ forbidenErr := apierrors.NewForbidden(cmapi.Resource("certificates"), secretName.Name, err)
+ log.Error(forbidenErr, "cannot read data source")
+ return nil, forbidenErr
+ }
+
// grab the associated secret
var secret corev1.Secret
if err := c.client.Get(ctx, secretName, &secret); err != nil {
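Review bot: The Forbidden error built on the new line for the Secret data source is attributed to the wrong resource: it uses `cmapi.Resource("certificates")` with `secretName.Name`, although the thing being refused is a core Secret, so the resulting status message names a Certificate that does not exist. `corev1` is already imported in this file, so the fix is one line: `forbiddenErr := apierrors.NewForbidden(corev1.Resource("secrets"), secretName.Name, err)`. The enclosing function continues beyond the hunk.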
From 767170d65ffe7540702b2857d6df0aa31e2e4007 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Fri, 6 Jan 2023 18:28:40 +0000
Subject: [PATCH 0102/1253] Adds a new label to cert-manager API
Signed-off-by: irbekrm
---
pkg/apis/certmanager/v1/types.go | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkg/apis/certmanager/v1/types.go b/pkg/apis/certmanager/v1/types.go
index 3f7310066ec..3978707aae0 100644
--- a/pkg/apis/certmanager/v1/types.go
+++ b/pkg/apis/certmanager/v1/types.go
@@ -16,8 +16,15 @@ limitations under the License.
package v1
-// Common annotation keys added to resources.
const (
+
+ // Common label keys added to resources
+
+ // Label key that indicates that a resource is of interest to cert-manager controller
+ PartOfCertManagerControllerLabelKey = "controller.cert-manager.io/fao"
+
+ // Common annotation keys added to resources
+
// Annotation key for DNS subjectAltNames.
AltNamesAnnotationKey = "cert-manager.io/alt-names"
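Review bot: The comment on the new `PartOfCertManagerControllerLabelKey` does not explain the abbreviation `fao` in its value, nor what value the label carries, and later hunks in this series always set it to `"true"`. A maintainer reading only this file has no way to expand "fao". Proposed comment: `// PartOfCertManagerControllerLabelKey ("fao" = "for the attention of") is set to "true" on Secrets that cert-manager's controller creates or manages; presumably intended so informers can select only those Secrets — confirm against the consumers.`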
From c7465fd9211d19af4c015e46c5744ac8ebdc1f90 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Fri, 6 Jan 2023 18:29:51 +0000
Subject: [PATCH 0103/1253] Issuing controller ensures that
cert.spec.secretName secrets are labelled
Signed-off-by: irbekrm
---
.../certificates/policies/checks.go | 4 +
.../certificates/issuing/internal/secret.go | 2 +
.../issuing/internal/secret_test.go | 94 +++++++++++++++----
3 files changed, 81 insertions(+), 19 deletions(-)
diff --git a/internal/controller/certificates/policies/checks.go b/internal/controller/certificates/policies/checks.go
index d2c6b27ec9f..644fbdc6857 100644
--- a/internal/controller/certificates/policies/checks.go
+++ b/internal/controller/certificates/policies/checks.go
@@ -388,6 +388,10 @@ func SecretTemplateMismatchesSecretManagedFields(fieldManager string) Func {
managedAnnotations = managedAnnotations.Delete(k)
}
+ // Remove the base label from the managed Labels so we can
+ // compare 1 to 1 against the SecretTemplate
+ managedLabels.Delete(cmapi.PartOfCertManagerControllerLabelKey)
+
// Check early for Secret Template being nil, and whether managed
// labels/annotations are not.
if input.Certificate.Spec.SecretTemplate == nil {
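Review bot: The new `managedLabels.Delete(cmapi.PartOfCertManagerControllerLabelKey)` removes the base label only from the managed side before the comparison against `SecretTemplate`, so a user who lists that same key in `spec.secretTemplate.labels` will, as far as this hunk shows, never see it on the managed side and the check will likely report a mismatch on every reconcile. The function continues past the hunk, so the template-side handling is not visible; if it does not also drop the key, either strip it from the template labels before comparing or document in the comment that the key is reserved and must not appear in SecretTemplate.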
diff --git a/pkg/controller/certificates/issuing/internal/secret.go b/pkg/controller/certificates/issuing/internal/secret.go
index 1277f490a51..3366e271783 100644
--- a/pkg/controller/certificates/issuing/internal/secret.go
+++ b/pkg/controller/certificates/issuing/internal/secret.go
@@ -165,6 +165,8 @@ func (s *SecretsManager) setValues(crt *cmapi.Certificate, secret *corev1.Secret
secret.Labels = make(map[string]string)
}
+ secret.Labels[cmapi.PartOfCertManagerControllerLabelKey] = "true"
+
if crt.Spec.SecretTemplate != nil {
for k, v := range crt.Spec.SecretTemplate.Labels {
secret.Labels[k] = v
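Review bot: The new base label is written before the `SecretTemplate.Labels` loop that follows it, so a template entry for `cmapi.PartOfCertManagerControllerLabelKey` silently overwrites the `"true"` value the controller just set. If the label is meant to be controller-owned, set it after the loop (or skip that key inside the loop) so user input cannot change it; the function continues outside this hunk. Proposed: move `secret.Labels[cmapi.PartOfCertManagerControllerLabelKey] = "true"` to just after the closing brace of the `if crt.Spec.SecretTemplate != nil` block.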
diff --git a/pkg/controller/certificates/issuing/internal/secret_test.go b/pkg/controller/certificates/issuing/internal/secret_test.go
index 56caf0def30..ce7bec31a1d 100644
--- a/pkg/controller/certificates/issuing/internal/secret_test.go
+++ b/pkg/controller/certificates/issuing/internal/secret_test.go
@@ -137,7 +137,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: []byte("test-key"),
@@ -172,7 +172,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.AltNamesAnnotationKey: strings.Join(baseCertBundle.Cert.DNSNames, ","), cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{corev1.TLSCertKey: baseCertBundle.CertBytes, corev1.TLSPrivateKeyKey: []byte("test-key"), cmmeta.TLSCAKey: []byte("test-ca")}).
WithType(corev1.SecretTypeTLS).
WithOwnerReferences(&applymetav1.OwnerReferenceApplyConfiguration{
@@ -191,7 +191,7 @@ func Test_SecretsManager(t *testing.T) {
expectedErr: false,
},
- "if secret does exist, update existing Secret and leave custom annotations, with owner disabled": {
+ "if secret does exist, update existing Secret and leave custom annotations and labels, with owner disabled": {
certificateOptions: controllerpkg.CertificateOptions{EnableOwnerRef: false},
certificate: baseCertBundle.Certificate,
existingSecret: &corev1.Secret{
@@ -199,7 +199,7 @@ func Test_SecretsManager(t *testing.T) {
Namespace: gen.DefaultTestNamespace,
Name: "output",
Annotations: map[string]string{"my-custom": "annotation"},
- Labels: map[string]string{},
+ Labels: map[string]string{"my-custom": "label"},
},
Data: map[string][]byte{corev1.TLSCertKey: []byte("foo"), corev1.TLSPrivateKeyKey: []byte("foo"), cmmeta.TLSCAKey: []byte("foo")},
Type: corev1.SecretTypeTLS,
@@ -218,7 +218,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: []byte("test-key"),
@@ -235,7 +235,7 @@ func Test_SecretsManager(t *testing.T) {
},
expectedErr: false,
},
- "if secret does exist, update existing Secret and leave custom annotations, with owner enabled": {
+ "if secret does exist, update existing Secret and leave custom annotations and labels, with owner enabled": {
certificateOptions: controllerpkg.CertificateOptions{EnableOwnerRef: true},
certificate: baseCertBundle.Certificate,
existingSecret: &corev1.Secret{
@@ -243,7 +243,7 @@ func Test_SecretsManager(t *testing.T) {
Namespace: gen.DefaultTestNamespace,
Name: "output",
Annotations: map[string]string{"my-custom": "annotation"},
- Labels: map[string]string{},
+ Labels: map[string]string{"my-custom": "label"},
},
Data: map[string][]byte{corev1.TLSCertKey: []byte("foo"), corev1.TLSPrivateKeyKey: []byte("foo"), cmmeta.TLSCAKey: []byte("foo")},
Type: corev1.SecretTypeTLS,
@@ -263,7 +263,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: []byte("test-key"),
@@ -286,7 +286,7 @@ func Test_SecretsManager(t *testing.T) {
expectedErr: false,
},
- "if secret does not exist, create new Secret using the secret template": {
+ "if secret does exist, update existing Secret and add annotations set in secretTemplate": {
certificateOptions: controllerpkg.CertificateOptions{EnableOwnerRef: false},
certificate: baseCertWithSecretTemplate,
existingSecret: &corev1.Secret{
@@ -294,7 +294,7 @@ func Test_SecretsManager(t *testing.T) {
Namespace: gen.DefaultTestNamespace,
Name: "output",
Annotations: map[string]string{"my-custom": "annotation"},
- Labels: map[string]string{},
+ Labels: map[string]string{"my-custom": "label"},
},
Data: map[string][]byte{corev1.TLSCertKey: []byte("foo"), corev1.TLSPrivateKeyKey: []byte("foo"), cmmeta.TLSCAKey: []byte("foo")},
Type: corev1.SecretTypeTLS,
@@ -315,7 +315,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(map[string]string{"template": "label"}).
+ WithLabels(map[string]string{"template": "label", cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: []byte("test-key"),
@@ -333,7 +333,54 @@ func Test_SecretsManager(t *testing.T) {
expectedErr: false,
},
- "if secret does exist, update existing Secret and add annotations set in secretTemplate": {
+ "if secret does exist, ensure that any missing base labels and annotations are added": {
+ certificateOptions: controllerpkg.CertificateOptions{EnableOwnerRef: false},
+ certificate: baseCertWithSecretTemplate,
+ existingSecret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: gen.DefaultTestNamespace,
+ Name: "output",
+ Annotations: map[string]string{"my-custom": "annotation"},
+ Labels: map[string]string{"my-custom": "label"},
+ },
+ Data: map[string][]byte{corev1.TLSCertKey: []byte("foo"), corev1.TLSPrivateKeyKey: []byte("foo"), cmmeta.TLSCAKey: []byte("foo")},
+ Type: corev1.SecretTypeTLS,
+ },
+ secretData: SecretData{Certificate: baseCertBundle.CertBytes, CA: []byte("test-ca"), PrivateKey: []byte("test-key")},
+ applyFn: func(t *testing.T) testcoreclients.ApplyFn {
+ return func(_ context.Context, gotCnf *applycorev1.SecretApplyConfiguration, gotOpts metav1.ApplyOptions) (*corev1.Secret, error) {
+ expCnf := applycorev1.Secret("output", gen.DefaultTestNamespace).
+ WithAnnotations(
+ map[string]string{
+ "template": "annotation",
+ "my-custom": "annotation-from-secret",
+ cmapi.CertificateNameKey: "test", cmapi.IssuerGroupAnnotationKey: "foo.io",
+ cmapi.IssuerKindAnnotationKey: "Issuer", cmapi.IssuerNameAnnotationKey: "ca-issuer",
+
+ cmapi.CommonNameAnnotationKey: baseCertBundle.Cert.Subject.CommonName,
+ cmapi.AltNamesAnnotationKey: strings.Join(baseCertBundle.Cert.DNSNames, ","),
+ cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
+ cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
+ }).
+ WithLabels(map[string]string{"template": "label", cmapi.PartOfCertManagerControllerLabelKey: "true"}).
+ WithData(map[string][]byte{
+ corev1.TLSCertKey: baseCertBundle.CertBytes,
+ corev1.TLSPrivateKeyKey: []byte("test-key"),
+ cmmeta.TLSCAKey: []byte("test-ca"),
+ }).
+ WithType(corev1.SecretTypeTLS)
+ assert.Equal(t, expCnf, gotCnf)
+
+ expOpts := metav1.ApplyOptions{FieldManager: "cert-manager-test", Force: true}
+ assert.Equal(t, expOpts, gotOpts)
+
+ return nil, nil
+ }
+ },
+ expectedErr: false,
+ },
+
+ "if secret does not exist, create new Secret using the secret template": {
certificateOptions: controllerpkg.CertificateOptions{EnableOwnerRef: true},
certificate: baseCertWithSecretTemplate,
existingSecret: nil,
@@ -354,7 +401,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(map[string]string{"template": "label"}).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true", "template": "label"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: []byte("test-key"),
@@ -395,7 +442,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: baseCertBundle.PrivateKeyBytes,
@@ -432,7 +479,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: baseCertBundle.PrivateKeyBytes,
@@ -469,7 +516,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: baseCertBundle.PrivateKeyBytes,
@@ -500,6 +547,9 @@ func Test_SecretsManager(t *testing.T) {
Annotations: map[string]string{
"my-custom": "annotation",
},
+ Labels: map[string]string{
+ "my-custom": "label",
+ },
},
Data: map[string][]byte{
corev1.TLSCertKey: []byte("foo"),
@@ -524,7 +574,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: baseCertBundle.PrivateKeyBytes,
@@ -553,6 +603,9 @@ func Test_SecretsManager(t *testing.T) {
Annotations: map[string]string{
"my-custom": "annotation",
},
+ Labels: map[string]string{
+ "my-custom": "label",
+ },
},
Data: map[string][]byte{
corev1.TLSCertKey: []byte("foo"),
@@ -577,7 +630,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: baseCertBundle.PrivateKeyBytes,
@@ -607,6 +660,9 @@ func Test_SecretsManager(t *testing.T) {
Annotations: map[string]string{
"my-custom": "annotation",
},
+ Labels: map[string]string{
+ "my-custom": "label",
+ },
},
Data: map[string][]byte{
corev1.TLSCertKey: []byte("foo"),
@@ -631,7 +687,7 @@ func Test_SecretsManager(t *testing.T) {
cmapi.IPSANAnnotationKey: strings.Join(utilpki.IPAddressesToString(baseCertBundle.Cert.IPAddresses), ","),
cmapi.URISANAnnotationKey: strings.Join(utilpki.URLsToString(baseCertBundle.Cert.URIs), ","),
}).
- WithLabels(make(map[string]string)).
+ WithLabels(map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}).
WithData(map[string][]byte{
corev1.TLSCertKey: baseCertBundle.CertBytes,
corev1.TLSPrivateKeyKey: baseCertBundle.PrivateKeyBytes,
From 213949a590605efbb703b789aa32d2600bc08913 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Fri, 6 Jan 2023 18:30:34 +0000
Subject: [PATCH 0104/1253] Keymanager controller ensures that temporary
private key Secrets are labelled
Signed-off-by: irbekrm
---
.../certificates/keymanager/keymanager_controller.go | 5 +++--
.../keymanager/keymanager_controller_test.go | 9 +++++----
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/pkg/controller/certificates/keymanager/keymanager_controller.go b/pkg/controller/certificates/keymanager/keymanager_controller.go
index a6aa2788abb..f971d84243a 100644
--- a/pkg/controller/certificates/keymanager/keymanager_controller.go
+++ b/pkg/controller/certificates/keymanager/keymanager_controller.go
@@ -128,7 +128,7 @@ func NewController(
var isNextPrivateKeyLabelSelector labels.Selector
func init() {
- r, err := labels.NewRequirement("cert-manager.io/next-private-key", selection.Equals, []string{"true"})
+ r, err := labels.NewRequirement(cmapi.IsNextPrivateKeySecretLabelKey, selection.Equals, []string{"true"})
if err != nil {
panic(err)
}
@@ -351,7 +351,8 @@ func (c *controller) createNewPrivateKeySecret(ctx context.Context, crt *cmapi.C
Name: name,
OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(crt, certificateGvk)},
Labels: map[string]string{
- "cert-manager.io/next-private-key": "true",
+ cmapi.IsNextPrivateKeySecretLabelKey: "true",
+ cmapi.PartOfCertManagerControllerLabelKey: "true",
},
},
Data: map[string][]byte{
diff --git a/pkg/controller/certificates/keymanager/keymanager_controller_test.go b/pkg/controller/certificates/keymanager/keymanager_controller_test.go
index c417932cfbc..1ffbf7b6edd 100644
--- a/pkg/controller/certificates/keymanager/keymanager_controller_test.go
+++ b/pkg/controller/certificates/keymanager/keymanager_controller_test.go
@@ -82,7 +82,8 @@ func TestProcessItem(t *testing.T) {
Namespace: namespace,
Name: name,
Labels: map[string]string{
- cmapi.IsNextPrivateKeySecretLabelKey: "true",
+ cmapi.IsNextPrivateKeySecretLabelKey: "true",
+ cmapi.PartOfCertManagerControllerLabelKey: "true",
},
OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(&cmapi.Certificate{
@@ -181,7 +182,7 @@ func TestProcessItem(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{
Namespace: "testns",
GenerateName: "test-",
- Labels: map[string]string{cmapi.IsNextPrivateKeySecretLabelKey: "true"},
+ Labels: map[string]string{cmapi.IsNextPrivateKeySecretLabelKey: "true", cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(&cmapi.Certificate{ObjectMeta: metav1.ObjectMeta{Namespace: "testns", Name: "test"}}, certificateGvk)},
},
Data: map[string][]byte{"tls.key": nil},
@@ -211,7 +212,7 @@ func TestProcessItem(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{
Namespace: "testns",
Name: "fixed-name",
- Labels: map[string]string{cmapi.IsNextPrivateKeySecretLabelKey: "true"},
+ Labels: map[string]string{cmapi.IsNextPrivateKeySecretLabelKey: "true", cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(&cmapi.Certificate{ObjectMeta: metav1.ObjectMeta{Namespace: "testns", Name: "test"}}, certificateGvk)},
},
Data: map[string][]byte{"tls.key": nil},
@@ -243,7 +244,7 @@ func TestProcessItem(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{
Namespace: "testns",
Name: "fixed-name",
- Labels: map[string]string{cmapi.IsNextPrivateKeySecretLabelKey: "true"},
+ Labels: map[string]string{cmapi.IsNextPrivateKeySecretLabelKey: "true", cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(&cmapi.Certificate{ObjectMeta: metav1.ObjectMeta{Namespace: "testns", Name: "test"}}, certificateGvk)},
},
Data: map[string][]byte{"tls.key": nil},
From 5e8fd7dc418ecf02c4edd58ad8562c72ce9cff86 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Fri, 6 Jan 2023 18:31:31 +0000
Subject: [PATCH 0105/1253] Policy check ensures that cert.sepc.secretName
secret gets labelled
Makes sure that when an unlabelled Secret is encountered at any point (even outside issuance) it will be labelled
Signed-off-by: irbekrm
---
.../certificates/policies/checks.go | 23 ++++
.../certificates/policies/constants.go | 5 +
.../certificates/policies/policies.go | 1 +
.../issuing/secret_manager_test.go | 126 ++++++++++++++----
4 files changed, 126 insertions(+), 29 deletions(-)
diff --git a/internal/controller/certificates/policies/checks.go b/internal/controller/certificates/policies/checks.go
index 644fbdc6857..7106b6693e9 100644
--- a/internal/controller/certificates/policies/checks.go
+++ b/internal/controller/certificates/policies/checks.go
@@ -433,6 +433,29 @@ func SecretTemplateMismatchesSecretManagedFields(fieldManager string) Func {
}
}
+func SecretBaseLabelsAreMissing(input Input) (string, string, bool) {
+ // If certificate has not been issued yet or is in invalid state, do not attempt to update metadata
+ if len(input.Secret.Data[corev1.TLSCertKey]) > 0 {
+ var err error
+ _, err = pki.DecodeX509CertificateBytes(input.Secret.Data[corev1.TLSCertKey])
+ if err != nil {
+ // This case should never happen as it should always be caught by the
+ // secretPublicKeysMatch function beforehand, but handle it just in case.
+ return InvalidCertificate, fmt.Sprintf("Failed to decode stored certificate: %v", err), true
+ }
+ }
+
+ // check if Secret has the base labels. Currently there is only one base label
+ if input.Secret.Labels == nil {
+ return SecretBaseLabelsMissing, fmt.Sprintf("missing base label %s", cmapi.PartOfCertManagerControllerLabelKey), true
+ }
+ if _, ok := input.Secret.Labels[cmapi.PartOfCertManagerControllerLabelKey]; !ok {
+ return SecretBaseLabelsMissing, fmt.Sprintf("missing base label %s", cmapi.PartOfCertManagerControllerLabelKey), true
+ }
+
+ return "", "", false
+}
+
// SecretAdditionalOutputFormatsDataMismatch validates that the Secret has the
// expected Certificate AdditionalOutputFormats.
// Returns true (violation) if AdditionalOutputFormat(s) are present and any of
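Review bot: `SecretBaseLabelsAreMissing` only tests for the presence of the label key, while the controllers in this series set it to `"true"`, so a Secret carrying the key with any other value passes the check even though it was not labelled by cert-manager. Reading a nil map is safe in Go, so the two `if` blocks collapse to one that also checks the value: `if input.Secret.Labels[cmapi.PartOfCertManagerControllerLabelKey] != "true" {`. The opening comment also does not match the code: it says metadata is not updated when the certificate has not been issued, but the function does not return early for an empty `tls.crt`, it only skips the decode. The exported function lacks a doc comment; proposed: `// SecretBaseLabelsAreMissing returns a violation when the target Secret does not carry the controller-managed base label.`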
diff --git a/internal/controller/certificates/policies/constants.go b/internal/controller/certificates/policies/constants.go
index 7a371ac154b..6afde6e0e74 100644
--- a/internal/controller/certificates/policies/constants.go
+++ b/internal/controller/certificates/policies/constants.go
@@ -48,6 +48,11 @@ const (
// SecretTemplate is not reflected on the target Secret, either by having
// extra, missing, or wrong Annotations or Labels.
SecretTemplateMismatch string = "SecretTemplateMismatch"
+
+ // SecretBaseLabelsMissing is a policy violation whereby the Secret is
+ // missing labels that should have been added by cert-manager
+ SecretBaseLabelsMissing string = "SecretBaseLabelsMissing"
+
// AdditionalOutputFormatsMismatch is a policy violation whereby the
// Certificate's AdditionalOutputFormats is not reflected on the target
// Secret, either by having extra, missing, or wrong values.
diff --git a/internal/controller/certificates/policies/policies.go b/internal/controller/certificates/policies/policies.go
index d5bb6c75a0d..ff8f27cc56b 100644
--- a/internal/controller/certificates/policies/policies.go
+++ b/internal/controller/certificates/policies/policies.go
@@ -101,6 +101,7 @@ func NewSecretPostIssuancePolicyChain(ownerRefEnabled bool, fieldManager string)
SecretOwnerReferenceManagedFieldMismatch(ownerRefEnabled, fieldManager),
SecretOwnerReferenceValueMismatch(ownerRefEnabled),
SecretKeystoreFormatMatchesSpec,
+ SecretBaseLabelsAreMissing,
}
}
diff --git a/pkg/controller/certificates/issuing/secret_manager_test.go b/pkg/controller/certificates/issuing/secret_manager_test.go
index 98efa95a8bb..efc77ec5daf 100644
--- a/pkg/controller/certificates/issuing/secret_manager_test.go
+++ b/pkg/controller/certificates/issuing/secret_manager_test.go
@@ -257,13 +257,14 @@ func Test_ensureSecretData(t *testing.T) {
},
expectedAction: true,
},
- "if Certificate exists in a false Issuing condition, Secret exists and matches the SecretTemplate with the correct managed fields, should do nothing": {
+ "if Certificate exists in a false Issuing condition, Secret exists and matches the SecretTemplate with the correct managed fields and base labels, should do nothing": {
key: "test-namespace/test-name",
cert: &cmapi.Certificate{
ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name"},
Spec: cmapi.CertificateSpec{
- SecretName: "test-secret",
- SecretTemplate: &cmapi.CertificateSecretTemplate{Annotations: map[string]string{"foo": "bar"}, Labels: map[string]string{"abc": "123"}},
+ SecretName: "test-secret",
+ SecretTemplate: &cmapi.CertificateSecretTemplate{Annotations: map[string]string{"foo": "bar"},
+ Labels: map[string]string{"abc": "123"}},
},
Status: cmapi.CertificateStatus{
Conditions: []cmapi.CertificateCondition{{Type: cmapi.CertificateConditionIssuing, Status: cmmeta.ConditionFalse}},
@@ -272,7 +273,8 @@ func Test_ensureSecretData(t *testing.T) {
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace", Name: "test-secret",
- Annotations: map[string]string{"foo": "bar"}, Labels: map[string]string{"abc": "123"},
+ Annotations: map[string]string{"foo": "bar"},
+ Labels: map[string]string{"abc": "123", cmapi.PartOfCertManagerControllerLabelKey: "true"},
ManagedFields: []metav1.ManagedFieldsEntry{{
Manager: fieldManager,
FieldsV1: &metav1.FieldsV1{
@@ -295,6 +297,56 @@ func Test_ensureSecretData(t *testing.T) {
expectedAction: false,
},
"if Certificate exists in a false Issuing condition, Secret exists but does not match SecretTemplate, should apply the Labels and Annotations": {
+ key: "test-namespace/test-name",
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name"},
+ Spec: cmapi.CertificateSpec{
+ SecretName: "test-secret",
+ SecretTemplate: &cmapi.CertificateSecretTemplate{Annotations: map[string]string{"foo": "bar"}, Labels: map[string]string{"abc": "123"}},
+ },
+ Status: cmapi.CertificateStatus{
+ Conditions: []cmapi.CertificateCondition{
+ {Type: cmapi.CertificateConditionIssuing, Status: cmmeta.ConditionFalse},
+ {Type: cmapi.CertificateConditionIssuing, Status: cmmeta.ConditionFalse},
+ },
+ },
+ },
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret",
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}},
+ Data: map[string][]byte{
+ "tls.crt": cert,
+ "tls.key": pk,
+ },
+ },
+ expectedAction: true,
+ },
+ "if Certificate exists in a false Issuing condition, Secret exists but is missing the required label, apply the label": {
+ key: "test-namespace/test-name",
+ cert: &cmapi.Certificate{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name"},
+ Spec: cmapi.CertificateSpec{
+ SecretName: "test-secret",
+ SecretTemplate: &cmapi.CertificateSecretTemplate{Annotations: map[string]string{"foo": "bar"}, Labels: map[string]string{"abc": "123"}},
+ },
+ Status: cmapi.CertificateStatus{
+ Conditions: []cmapi.CertificateCondition{
+ {Type: cmapi.CertificateConditionIssuing, Status: cmmeta.ConditionFalse},
+ {Type: cmapi.CertificateConditionIssuing, Status: cmmeta.ConditionFalse},
+ },
+ },
+ },
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret",
+ Labels: map[string]string{"foo": "bar"}},
+ Data: map[string][]byte{
+ "tls.crt": cert,
+ "tls.key": pk,
+ },
+ },
+ expectedAction: true,
+ },
+ "if Certificate exists in a false Issuing condition, Secret exists with some labels, but is missing the required label, apply the label": {
key: "test-namespace/test-name",
cert: &cmapi.Certificate{
ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-name"},
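Review bot: The two new test cases each list the same condition twice in `Conditions` (`{Type: cmapi.CertificateConditionIssuing, Status: cmmeta.ConditionFalse}` appears on consecutive lines), which looks like a copy-paste slip rather than an intended fixture shape and may mask how the code under test handles duplicate condition types. Reduce each to a single entry: `Conditions: []cmapi.CertificateCondition{{Type: cmapi.CertificateConditionIssuing, Status: cmmeta.ConditionFalse}},`. The table-driven test function extends beyond this hunk.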
@@ -330,7 +382,8 @@ func Test_ensureSecretData(t *testing.T) {
},
},
secret: &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret"},
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret",
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}},
Data: map[string][]byte{
"tls.crt": cert,
"tls.key": pk,
@@ -350,7 +403,8 @@ func Test_ensureSecretData(t *testing.T) {
},
},
secret: &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret"},
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret",
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}},
Data: map[string][]byte{
"tls.crt": cert,
"tls.key": pk,
@@ -371,7 +425,8 @@ func Test_ensureSecretData(t *testing.T) {
},
},
secret: &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret"},
+ ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret",
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"}},
Data: map[string][]byte{
"tls.crt": cert,
"tls.key": pk,
@@ -393,6 +448,7 @@ func Test_ensureSecretData(t *testing.T) {
},
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret",
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
ManagedFields: []metav1.ManagedFieldsEntry{{
Manager: fieldManager,
FieldsV1: &metav1.FieldsV1{
@@ -423,6 +479,7 @@ func Test_ensureSecretData(t *testing.T) {
},
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret",
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
ManagedFields: []metav1.ManagedFieldsEntry{{
Manager: fieldManager,
FieldsV1: &metav1.FieldsV1{
@@ -452,12 +509,13 @@ func Test_ensureSecretData(t *testing.T) {
},
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret",
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
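Review bot: The removed and added `{"f:metadata": {` and `"k:{\"uid\":\"uid-123\"}": {}` lines inside the backtick `Raw` literal read identically apart from leading whitespace, which this rendering collapses, so the actual change cannot be confirmed from the page. If it is only a re-indentation of the raw string, the bytes stored in `FieldsV1.Raw` still change; that is harmless as long as nothing compares `Raw` byte-for-byte, which is worth a quick check before the same edit is accepted in the hunks at @@ -475, -513, -562, -610, -657, -706, -754, -802, -849 and -898. A one-line comment above the literal, `// Raw holds a JSON fragment; its whitespace is not significant.`, would spare the next reader the same question.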
@@ -475,15 +533,16 @@ func Test_ensureSecretData(t *testing.T) {
},
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "test-secret",
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
@@ -513,15 +572,16 @@ func Test_ensureSecretData(t *testing.T) {
cmapi.IssuerKindAnnotationKey: "IssuerKind",
cmapi.IssuerGroupAnnotationKey: "group.example.com",
},
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-234"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-234\"}": {}
+ "k:{\"uid\":\"uid-234\"}": {}
}}}`),
}},
},
@@ -562,15 +622,16 @@ func Test_ensureSecretData(t *testing.T) {
cmapi.IssuerKindAnnotationKey: "IssuerKind",
cmapi.IssuerGroupAnnotationKey: "group.example.com",
},
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
@@ -610,15 +671,16 @@ func Test_ensureSecretData(t *testing.T) {
cmapi.IssuerKindAnnotationKey: "IssuerKind",
cmapi.IssuerGroupAnnotationKey: "group.example.com",
},
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
@@ -657,15 +719,16 @@ func Test_ensureSecretData(t *testing.T) {
cmapi.IssuerKindAnnotationKey: "IssuerKind",
cmapi.IssuerGroupAnnotationKey: "group.example.com",
},
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
@@ -706,15 +769,16 @@ func Test_ensureSecretData(t *testing.T) {
cmapi.IssuerKindAnnotationKey: "IssuerKind",
cmapi.IssuerGroupAnnotationKey: "group.example.com",
},
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
@@ -754,15 +818,16 @@ func Test_ensureSecretData(t *testing.T) {
cmapi.IssuerKindAnnotationKey: "IssuerKind",
cmapi.IssuerGroupAnnotationKey: "group.example.com",
},
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
@@ -802,15 +867,16 @@ func Test_ensureSecretData(t *testing.T) {
cmapi.IssuerKindAnnotationKey: "IssuerKind",
cmapi.IssuerGroupAnnotationKey: "group.example.com",
},
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
@@ -849,15 +915,16 @@ func Test_ensureSecretData(t *testing.T) {
cmapi.IssuerKindAnnotationKey: "IssuerKind",
cmapi.IssuerGroupAnnotationKey: "group.example.com",
},
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
@@ -898,15 +965,16 @@ func Test_ensureSecretData(t *testing.T) {
cmapi.IssuerKindAnnotationKey: "IssuerKind",
cmapi.IssuerGroupAnnotationKey: "group.example.com",
},
+ Labels: map[string]string{cmapi.PartOfCertManagerControllerLabelKey: "true"},
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "cert-manager.io/v1", Kind: "Certificate", Name: "test-name", UID: types.UID("uid-123"), Controller: pointer.Bool(true), BlockOwnerDeletion: pointer.Bool(true)},
},
ManagedFields: []metav1.ManagedFieldsEntry{
{Manager: fieldManager, FieldsV1: &metav1.FieldsV1{
Raw: []byte(`
- {"f:metadata": {
+ {"f:metadata": {
"f:ownerReferences": {
- "k:{\"uid\":\"uid-123\"}": {}
+ "k:{\"uid\":\"uid-123\"}": {}
}}}`),
}},
},
From 8c4f6cda4287c650ecbfa1ea1f83cc5428e6ef44 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Mon, 9 Jan 2023 18:16:44 +0000
Subject: [PATCH 0106/1253] bump containerd to fix reported vuln
Note that cert-manager is not actually vulnerable to CVE-2022-23471,
since the affected code is not used
Signed-off-by: Ashley Davis
---
LICENSES | 20 +++---
go.mod | 19 +++---
go.sum | 184 ++++++++-----------------------------------------------
3 files changed, 46 insertions(+), 177 deletions(-)
diff --git a/LICENSES b/LICENSES
index e5127232ad7..5dd4e729248 100644
--- a/LICENSES
+++ b/LICENSES
@@ -1,4 +1,4 @@
-cloud.google.com/go/compute/metadata,https://github.com/googleapis/google-cloud-go/blob/compute/v1.7.0/compute/LICENSE,Apache-2.0
+cloud.google.com/go/compute/metadata,https://github.com/googleapis/google-cloud-go/blob/compute/metadata/v0.2.1/compute/metadata/LICENSE,Apache-2.0
github.com/Azure/azure-sdk-for-go,https://github.com/Azure/azure-sdk-for-go/blob/v66.0.0/LICENSE.txt,MIT
github.com/Azure/go-autorest/autorest,https://github.com/Azure/go-autorest/blob/autorest/v0.11.28/autorest/LICENSE,Apache-2.0
github.com/Azure/go-autorest/autorest/adal,https://github.com/Azure/go-autorest/blob/autorest/adal/v0.9.21/autorest/adal/LICENSE,Apache-2.0
@@ -36,7 +36,7 @@ github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util,https://github.com
github.com/cespare/xxhash/v2,https://github.com/cespare/xxhash/blob/v2.1.2/LICENSE.txt,MIT
github.com/chai2010/gettext-go,https://github.com/chai2010/gettext-go/blob/v1.0.2/LICENSE,BSD-3-Clause
github.com/cloudflare/cloudflare-go,https://github.com/cloudflare/cloudflare-go/blob/v0.50.0/LICENSE,BSD-3-Clause
-github.com/containerd/containerd,https://github.com/containerd/containerd/blob/v1.6.6/LICENSE,Apache-2.0
+github.com/containerd/containerd,https://github.com/containerd/containerd/blob/v1.6.15/LICENSE,Apache-2.0
github.com/coreos/go-semver/semver,https://github.com/coreos/go-semver/blob/v0.3.0/LICENSE,Apache-2.0
github.com/coreos/go-systemd/v22,https://github.com/coreos/go-systemd/blob/v22.3.2/LICENSE,Apache-2.0
github.com/cpu/goacmedns,https://github.com/cpu/goacmedns/blob/v0.1.1/LICENSE,MIT
@@ -82,8 +82,8 @@ github.com/google/go-querystring/query,https://github.com/google/go-querystring/
github.com/google/gofuzz,https://github.com/google/gofuzz/blob/v1.2.0/LICENSE,Apache-2.0
github.com/google/shlex,https://github.com/google/shlex/blob/e7afc7fbc510/COPYING,Apache-2.0
github.com/google/uuid,https://github.com/google/uuid/blob/v1.3.0/LICENSE,BSD-3-Clause
-github.com/googleapis/enterprise-certificate-proxy/client,https://github.com/googleapis/enterprise-certificate-proxy/blob/v0.1.0/LICENSE,Apache-2.0
-github.com/googleapis/gax-go/v2,https://github.com/googleapis/gax-go/blob/v2.4.0/v2/LICENSE,BSD-3-Clause
+github.com/googleapis/enterprise-certificate-proxy/client,https://github.com/googleapis/enterprise-certificate-proxy/blob/v0.2.0/LICENSE,Apache-2.0
+github.com/googleapis/gax-go/v2,https://github.com/googleapis/gax-go/blob/v2.7.0/v2/LICENSE,BSD-3-Clause
github.com/gorilla/mux,https://github.com/gorilla/mux/blob/v1.8.0/LICENSE,BSD-3-Clause
github.com/gosuri/uitable,https://github.com/gosuri/uitable/blob/v0.0.4/LICENSE,MIT
github.com/gosuri/uitable/util/wordwrap,https://github.com/gosuri/uitable/blob/v0.0.4/util/wordwrap/LICENSE.md,MIT
@@ -128,7 +128,7 @@ github.com/mailru/easyjson,https://github.com/mailru/easyjson/blob/v0.7.6/LICENS
github.com/mattn/go-colorable,https://github.com/mattn/go-colorable/blob/v0.1.13/LICENSE,MIT
github.com/mattn/go-isatty,https://github.com/mattn/go-isatty/blob/v0.0.16/LICENSE,MIT
github.com/mattn/go-runewidth,https://github.com/mattn/go-runewidth/blob/v0.0.13/LICENSE,MIT
-github.com/matttproud/golang_protobuf_extensions/pbutil,https://github.com/matttproud/golang_protobuf_extensions/blob/v1.0.2/LICENSE,Apache-2.0
+github.com/matttproud/golang_protobuf_extensions/pbutil,https://github.com/matttproud/golang_protobuf_extensions/blob/v1.0.4/LICENSE,Apache-2.0
github.com/miekg/dns,https://github.com/miekg/dns/blob/v1.1.50/LICENSE,BSD-3-Clause
github.com/mitchellh/copystructure,https://github.com/mitchellh/copystructure/blob/v1.2.0/LICENSE,MIT
github.com/mitchellh/go-homedir,https://github.com/mitchellh/go-homedir/blob/v1.1.0/LICENSE,MIT
@@ -180,7 +180,7 @@ github.com/youmark/pkcs8,https://github.com/youmark/pkcs8/blob/1326539a0a0a/LICE
go.etcd.io/etcd/api/v3,https://github.com/etcd-io/etcd/blob/api/v3.5.5/api/LICENSE,Apache-2.0
go.etcd.io/etcd/client/pkg/v3,https://github.com/etcd-io/etcd/blob/client/pkg/v3.5.5/client/pkg/LICENSE,Apache-2.0
go.etcd.io/etcd/client/v3,https://github.com/etcd-io/etcd/blob/client/v3.5.5/client/v3/LICENSE,Apache-2.0
-go.opencensus.io,https://github.com/census-instrumentation/opencensus-go/blob/v0.23.0/LICENSE,Apache-2.0
+go.opencensus.io,https://github.com/census-instrumentation/opencensus-go/blob/v0.24.0/LICENSE,Apache-2.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc,https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.35.0/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE,Apache-2.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/net/http/otelhttp/v0.35.0/instrumentation/net/http/otelhttp/LICENSE,Apache-2.0
go.opentelemetry.io/otel,https://github.com/open-telemetry/opentelemetry-go/blob/v1.10.0/LICENSE,Apache-2.0
@@ -204,10 +204,10 @@ golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.4.0:LICENSE,BSD-3-
golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.6.0:LICENSE,BSD-3-Clause
golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE,BSD-3-Clause
gomodules.xyz/jsonpatch/v2,https://github.com/gomodules/jsonpatch/blob/v2.2.0/v2/LICENSE,Apache-2.0
-google.golang.org/api,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/LICENSE,BSD-3-Clause
-google.golang.org/api/internal/third_party/uritemplates,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/internal/third_party/uritemplates/LICENSE,BSD-3-Clause
-google.golang.org/genproto,https://github.com/googleapis/go-genproto/blob/8cd45d7dbd1f/LICENSE,Apache-2.0
-google.golang.org/grpc,https://github.com/grpc/grpc-go/blob/v1.49.0/LICENSE,Apache-2.0
+google.golang.org/api,https://github.com/googleapis/google-api-go-client/blob/v0.103.0/LICENSE,BSD-3-Clause
+google.golang.org/api/internal/third_party/uritemplates,https://github.com/googleapis/google-api-go-client/blob/v0.103.0/internal/third_party/uritemplates/LICENSE,BSD-3-Clause
+google.golang.org/genproto,https://github.com/googleapis/go-genproto/blob/3c3c17ce83e6/LICENSE,Apache-2.0
+google.golang.org/grpc,https://github.com/grpc/grpc-go/blob/v1.51.0/LICENSE,Apache-2.0
google.golang.org/protobuf,https://github.com/protocolbuffers/protobuf-go/blob/v1.28.1/LICENSE,BSD-3-Clause
gopkg.in/inf.v0,https://github.com/go-inf/inf/blob/v0.9.1/LICENSE,BSD-3-Clause
gopkg.in/ini.v1,https://github.com/go-ini/ini/blob/v1.62.0/LICENSE,Apache-2.0
diff --git a/go.mod b/go.mod
index 8752bb02244..9e3edf5fc9b 100644
--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
golang.org/x/oauth2 v0.4.0
golang.org/x/sync v0.1.0
gomodules.xyz/jsonpatch/v2 v2.2.0
- google.golang.org/api v0.97.0
+ google.golang.org/api v0.103.0
helm.sh/helm/v3 v3.10.3
k8s.io/api v0.26.0
k8s.io/apiextensions-apiserver v0.26.0
@@ -61,7 +61,8 @@ require (
)
require (
- cloud.google.com/go/compute v1.7.0 // indirect
+ cloud.google.com/go/compute v1.13.0 // indirect
+ cloud.google.com/go/compute/metadata v0.2.1 // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
@@ -86,7 +87,7 @@ require (
github.com/cenkalti/backoff/v4 v4.1.3 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
- github.com/containerd/containerd v1.6.6 // indirect
+ github.com/containerd/containerd v1.6.15 // indirect
github.com/coreos/go-semver v0.3.0 // indirect
github.com/coreos/go-systemd/v22 v22.3.2 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
@@ -129,8 +130,8 @@ require (
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/uuid v1.3.0 // indirect
- github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
- github.com/googleapis/gax-go/v2 v2.4.0 // indirect
+ github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
+ github.com/googleapis/gax-go/v2 v2.7.0 // indirect
github.com/gorilla/mux v1.8.0 // indirect
github.com/gosuri/uitable v0.0.4 // indirect
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
@@ -170,7 +171,7 @@ require (
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.16 // indirect
github.com/mattn/go-runewidth v0.0.13 // indirect
- github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
+ github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-testing-interface v1.0.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.0 // indirect
@@ -213,7 +214,7 @@ require (
go.etcd.io/etcd/api/v3 v3.5.5 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.5 // indirect
go.etcd.io/etcd/client/v3 v3.5.5 // indirect
- go.opencensus.io v0.23.0 // indirect
+ go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0 // indirect
go.opentelemetry.io/otel v1.10.0 // indirect
@@ -236,8 +237,8 @@ require (
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.4.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
- google.golang.org/grpc v1.49.0 // indirect
+ google.golang.org/genproto v0.0.0-20230109162033-3c3c17ce83e6 // indirect
+ google.golang.org/grpc v1.51.0 // indirect
google.golang.org/protobuf v1.28.1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.62.0 // indirect
diff --git a/go.sum b/go.sum
index 74cc8c68183..0c2e803ec5c 100644
--- a/go.sum
+++ b/go.sum
@@ -18,33 +18,21 @@ cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmW
cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
-cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY=
-cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM=
-cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY=
-cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ=
-cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
-cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
-cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
-cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
-cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
-cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
+cloud.google.com/go v0.105.0 h1:DNtEKRBAAzeS4KyIory52wWHuClNaXJ5x1F7xa4q+5Y=
cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow=
-cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM=
-cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M=
-cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s=
-cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
-cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9Uk=
-cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
+cloud.google.com/go/compute v1.13.0 h1:AYrLkB8NPdDRslNp4Jxmzrhdr03fUAIDbiGFjLWowoU=
+cloud.google.com/go/compute v1.13.0/go.mod h1:5aPTS0cUNMIc1CE546K+Th6weJUNQErARyZtRXDJ8GE=
+cloud.google.com/go/compute/metadata v0.2.1 h1:efOwf5ymceDhK6PKMnnrTHP4pppY5L22mle96M1yP48=
+cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM=
cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
-cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
+cloud.google.com/go/longrunning v0.3.0 h1:NjljC+FYPV3uh5/OwWT6pVU+doBqMg2x/rZlE+CamDs=
cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
@@ -54,7 +42,6 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
github.com/Azure/azure-sdk-for-go v66.0.0+incompatible h1:bmmC38SlE8/E81nNADlgmVGurPWMHDX2YNXVQMrBpEE=
github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
@@ -109,8 +96,8 @@ github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmy
github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
github.com/Masterminds/squirrel v1.5.3 h1:YPpoceAcxuzIljlr5iWpNKaql7hLeG1KLSrhvdHpkZc=
github.com/Masterminds/squirrel v1.5.3/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
-github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY=
-github.com/Microsoft/hcsshim v0.9.3 h1:k371PzBuRrz2b+ebGuI2nVgVhgsVX60jMfSw80NECxo=
+github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
+github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
@@ -192,12 +179,11 @@ github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XP
github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
-github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4=
-github.com/containerd/containerd v1.6.6 h1:xJNPhbrmz8xAMDNoVjHy9YHtWwEQNS+CDkcIRh7t8Y0=
-github.com/containerd/containerd v1.6.6/go.mod h1:ZoP1geJldzCVY3Tonoz7b1IXk8rIX0Nltt5QE4OMNk0=
+github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA=
+github.com/containerd/containerd v1.6.15 h1:4wWexxzLNHNE46aIETc6ge4TofO550v+BlLoANrbses=
+github.com/containerd/containerd v1.6.15/go.mod h1:U2NnBPIhzJDm59xF7xB2MMHnKtggpZ+phKg8o2TKj2c=
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -273,7 +259,6 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m
github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -427,7 +412,6 @@ github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -447,7 +431,6 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k=
@@ -471,8 +454,6 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@@ -485,7 +466,6 @@ github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -497,8 +477,6 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe
github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
@@ -509,20 +487,14 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
-github.com/googleapis/enterprise-certificate-proxy v0.1.0 h1:zO8WHNx/MYiAKJ3d5spxZXZE6KHmIQGQcAzwUzV7qQw=
-github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
+github.com/googleapis/enterprise-certificate-proxy v0.2.0 h1:y8Yozv7SZtlU//QXbezB6QkpuE6jMD2/gfzk4AftXjs=
+github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
-github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
-github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
-github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
-github.com/googleapis/gax-go/v2 v2.4.0 h1:dS9eYAjhrE2RjmzYw2XAPvcXfmcQLtFEQWn0CR82awk=
-github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
+github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ=
+github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -726,8 +698,8 @@ github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsO
github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/matttproud/golang_protobuf_extensions v1.0.2 h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM=
-github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
@@ -1010,8 +982,9 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 h1:xFSRQBbXF6VvYRf2lqMJXxoB72XI1K/azav8TekHHSw=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0 h1:Ajldaqhxqw/gNzQA45IKFWLdG7jZuXX/wBW1d5qvbUI=
@@ -1156,19 +1129,12 @@ golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1184,15 +1150,8 @@ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ
golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M=
golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1206,7 +1165,6 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1273,31 +1231,14 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
@@ -1383,11 +1324,7 @@ golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4f
golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4=
@@ -1396,10 +1333,7 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
-golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY=
gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY=
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
@@ -1424,26 +1358,8 @@ google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjR
google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
-google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
-google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
-google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
-google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
-google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
-google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
-google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo=
-google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g=
-google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA=
-google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
-google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
-google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
-google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
-google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
-google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
-google.golang.org/api v0.97.0 h1:x/vEL1XDF/2V4xzdNgFPaKHluRESo2aTsL7QzHnBtGQ=
-google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
+google.golang.org/api v0.103.0 h1:9yuVqlu2JCvcLg9p8S3fcFLZij8EPSyvODIY1rkMizQ=
+google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1492,48 +1408,12 @@ google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6D
google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
-google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
-google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
-google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f h1:hJ/Y5SqPXbarffmAsApliUlcvMU+wScNGfyop4bZm8o=
-google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20230109162033-3c3c17ce83e6 h1:uUn6GsgKK2eCI0bWeRMgRCcqDaQXYDuB+5tXA5Xeg/8=
+google.golang.org/genproto v0.0.0-20230109162033-3c3c17ce83e6/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -1555,23 +1435,12 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5
google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw=
-google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
+google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U=
+google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1585,7 +1454,6 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
From 65be2caaaeadbfb8dff63c1afeb01522cff52805 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Wed, 14 Dec 2022 06:46:24 +0000
Subject: [PATCH 0107/1253] Initial commit
Signed-off-by: irbekrm
---
design/20221205-memory-management.md | 682 ++++++++++++++++++
.../createsecrets.png | Bin 0 -> 36441 bytes
.../labelsecret.png | Bin 0 -> 2099 bytes
.../latestmastersecrets.png | Bin 0 -> 78701 bytes
.../mastercertmanager.png | Bin 0 -> 142578 bytes
.../masterissuanceterminal.png | Bin 0 -> 10968 bytes
.../masterkubeapiserver.png | Bin 0 -> 107874 bytes
.../partiallabels.png | Bin 0 -> 11182 bytes
.../partialmetadatagrafana.png | Bin 0 -> 98161 bytes
.../partialmetadatasecrets.png | Bin 0 -> 127370 bytes
.../partialmetadataterminal.png | Bin 0 -> 35804 bytes
.../partialnolabels.png | Bin 0 -> 11620 bytes
.../partialnolabelscertmanager.png | Bin 0 -> 111975 bytes
.../partialnolabelskubeapiserver.png | Bin 0 -> 113940 bytes
.../partialonly.png | Bin 0 -> 11362 bytes
.../partialonlycertmanager.png | Bin 0 -> 118716 bytes
.../partialonlykubeapiserver.png | Bin 0 -> 94074 bytes
.../transformfunctionsgrafana.png | Bin 0 -> 96839 bytes
.../transformwithlimit.png | Bin 0 -> 95499 bytes
19 files changed, 682 insertions(+)
create mode 100644 design/20221205-memory-management.md
create mode 100644 design/images/20221205-memory-management/createsecrets.png
create mode 100644 design/images/20221205-memory-management/labelsecret.png
create mode 100644 design/images/20221205-memory-management/latestmastersecrets.png
create mode 100644 design/images/20221205-memory-management/mastercertmanager.png
create mode 100644 design/images/20221205-memory-management/masterissuanceterminal.png
create mode 100644 design/images/20221205-memory-management/masterkubeapiserver.png
create mode 100644 design/images/20221205-memory-management/partiallabels.png
create mode 100644 design/images/20221205-memory-management/partialmetadatagrafana.png
create mode 100644 design/images/20221205-memory-management/partialmetadatasecrets.png
create mode 100644 design/images/20221205-memory-management/partialmetadataterminal.png
create mode 100644 design/images/20221205-memory-management/partialnolabels.png
create mode 100644 design/images/20221205-memory-management/partialnolabelscertmanager.png
create mode 100644 design/images/20221205-memory-management/partialnolabelskubeapiserver.png
create mode 100644 design/images/20221205-memory-management/partialonly.png
create mode 100644 design/images/20221205-memory-management/partialonlycertmanager.png
create mode 100644 design/images/20221205-memory-management/partialonlykubeapiserver.png
create mode 100644 design/images/20221205-memory-management/transformfunctionsgrafana.png
create mode 100644 design/images/20221205-memory-management/transformwithlimit.png
diff --git a/design/20221205-memory-management.md b/design/20221205-memory-management.md
new file mode 100644
index 00000000000..46f29b76fc7
--- /dev/null
+++ b/design/20221205-memory-management.md
@@ -0,0 +1,682 @@
+# Memory consumption reduction
+
+
+- [Release Signoff Checklist](#release-signoff-checklist)
+- [Summary](#summary)
+- [Motivation](#motivation)
+ - [Goals](#goals)
+ - [Non-Goals](#non-goals)
+ - [Nice-to-Have](#nice-to-have)
+ - [Must-not](#must-not)
+- [Proposal](#proposal)
+ - [Background](#background)
+ - [User Stories](#user-stories)
+ - [Story 1](#story-1)
+ - [Risks and Mitigations](#risks-and-mitigations)
+- [Design Details](#design-details)
+ - [Implementation](#implementation)
+ - [Metrics](#metrics)
+ - [cluster-with-many-cert-manager-unrelated-secrets](#cluster-with-large-cert-manager-unrelated-secrets)
+ - [cert-manager-v1-11](#cert-manager-v111)
+ - [partial metadata prototype](#partial-metadata-prototype)
+ - [issuance-of-a-large-number-of-certificates](#issuance-of-a-large-number-of-certificates)
+ - [latest cert-manager](#latest-cert-manager)
+ - [partial metadata prototype](#partial-metadata)
+ - [Pros](#pros)
+ - [Cons](#cons)
+ - [Test Plan](#test-plan)
+ - [Graduation Criteria](#graduation-criteria)
+ - [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)
+ - [Supported Versions](#supported-versions)
+ - [Notes](#notes)
+ - [Current state](#current-state)
+ - [Secrets for Certificates](#secrets-for-certificates)
+ - [Secrets for issuers](#secrets-for-clusterissuers)
+ - [Upstream mechanisms](#upstream-mechanisms)
+ - [Filtering](#filtering)
+ - [Partial object metadata](#partial-object-metadata)
+ - [Transform functions](#transform-functions)
+- [Production Readiness](#production-readiness)
+- [Drawbacks](#drawbacks)
+- [Alternatives](#alternatives)
+ - [Transform functions](#use-transform-functions-to-remove-data-for-non-labelled-secrets-before-adding-them-to-informers-cache)
+ - [PartialMetadata only](#use-partialmetadata-only)
+ - [Paging limit](#use-paging-to-limit-the-memory-spike-when-controller-starts-up)
+ - [Filter watched Secrets](#filter-the-secrets-to-watch-with-a-label)
+ - [Custom filter](#allow-users-to-pass-a-custom-filter)
+ - [Standalone typed cache](#use-a-standalone-typed-cache-populated-from-different-sources)
+
+
+## Release Signoff Checklist
+
+This checklist contains actions which must be completed before a PR implementing this design can be merged.
+
+
+- [ ] This design doc has been discussed and approved
+- [ ] Test plan has been agreed upon and the tests implemented
+- [ ] Feature gate status has been agreed upon (whether the new functionality will be placed behind a feature gate or not)
+- [ ] Graduation criteria is in place if required (if the new functionality is placed behind a feature gate, how will it graduate between stages)
+- [ ] User-facing documentation has been PR-ed against the release branch in [cert-manager/website]
+
+
+## Summary
+
+[cert-manager's controller](https://cert-manager.io/docs/cli/controller/) watches and caches all `Secret` resources in cluster.
+This causes high memory consumption for cert-manager controller pods in clusters which contain many large `Secret`s such as Helm release `Secret`s.
+
+This proposal suggests a mechanism how to avoid caching cert-manager unrelated `Secret` data.
+
+## Motivation
+
+### Goals
+
+- make cert-manager installation more reliable (no OOM kills caused by events against large cert-manager unrelated `Secret`s)
+
+- reduce cost of running cert-manager installation (need to allocate less memory)
+
+- make it easier to predict how much memory needs to be allocated to cert-manager controller
+
+### Non-Goals
+
+- memory improvements related to caching objects other than `Secret`s
+
+- memory improvements related to caching cert-manager related `Secret`s
+
+- rewrite cert-manager controllers as controller-runtime controllers
+
+#### Nice to have
+
+- have this mechanism eventually be on by default (users shouldn't need to have to discover a feature flag to not cache unrelated `Secret`s)
+
+- use the same mechanism to improve memory consumption by cainjector. This proposal focuses on controller only as it is the more complex part however we need to fix this problem in cainjector too and it would be nice to be consistent
+
+#### Must not
+
+- make our controllers less reliable (i.e by introducing edge cases where a cert-manager related event does not trigger a reconcile). Given the wide usage of cert-manager and the various different usage scenarios, any such edge case would be likely to occur for some users
+
+- make our issuance flow harder to reason about or less intuitive
+
+- break any existing installation/issuance flows (i.e where some resources, such as issuer `Secret`s are created after the issuer and the flow relies on the `Secret` creation event to trigger the issuer reconcile)
+
+- significantly slow down issuance
+
+## Proposal
+
+The current `Secret`s informer will have a filter to watch only `Secret`s that are known to be cert-manager related (using a label selector).
+A new informer will be added that knows how to watch `PartialMetadata` for `Secret`s. This informer will have a filter to watch only `Secret`s that don't have a known cert-manager label. This will ensure that for each `Secret` either full data is cached in the typed informer's cache or metadata only is cached in metadata informer's cache.
+Cert-manager will label `cert.spec.secretName` and temporary private key `Secret`s. These are the most frequently accessed `Secret` resources. Users could also optionally apply the label to other `Secret`s that cert-manager controller needs to watch to ensure that those get cached.
+
+This will reduce the excessive memory consumption caused by caching full contents of cert-manager unrelated `Secret`s whilst still ensuring that most of the `Secret`s that cert-manager needs frequently are retrieved from cache and cert-manager relevant events are not missed.
+
+### Background
+
+The excessive memory consumption comes from the amount of cluster objects being stored in the [shared informers caches](https://github.com/kubernetes/client-go/blob/v12.0.0/tools/cache/shared_informer.go#L47-L58), mostly from `Secret`s.
+cert-manager uses client-go's [informer factory](https://github.com/kubernetes/client-go/tree/master/informers) to create informers for core types. We have [auto-generated informers](https://github.com/cert-manager/cert-manager/tree/v1.10.1/pkg/client/informers/externalversions) for cert-manager.io types. These informers do not directly expose the cache or the [ListerWatcher](https://github.com/kubernetes/client-go/blob/v12.0.0/tools/cache/shared_informer.go#L188) which is responsible for listing and setting up watches for objects.
+When cert-manager controller starts, all `Secret`s are listed and processed, which causes a memory spike.
+When there is change to `Secret`s, the cache gets resynced, which can also cause a memory spike.
+For the rest of the time, `Secret`s remain in controller's cache.
+
+cert-manager needs to watch all `Secret`s in the cluster because some user created `Secret`s, for example issuer credentials, might not be labelled and we do want to trigger issuer reconciles when those `Secret`s change because:
+
+- in cases where an issuer gets created and is unready because its credential has not yet been applied/is incorrect and a user at some point applies or corrects it, it is a better user experience that the creation/update event triggers an immediate reconcile instead of the user having to wait for the failed issuer to be reconciled again after the backoff period ([max wait can be 5 minutes for the issuers workqueue](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/controller/issuers/controller.go#L70))
+
+- in cases where an issuer credential change should trigger issuer status update (i.e Venafi credentials `Secret` gets updated with incorrect credentials) it is a better user experience if the update event caused a reconcile and the issuer status would be changed to unready instead of failing at issuance time
+
+- in some cases a missing `Secret` does not cause issuer reconcile ([such as a missing ACME EAB key where we explicitly rely on `Secret` events to retry issuer setup](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/issuer/acme/setup.go#L228)). In this case, it is more efficient as well as a better user experience to reconcile on `Secret` creation event as that way we avoid wasting CPU cycles whilst waiting for the user to create the `Secret` and when the `Secret` does get created, the issuer will be reconciled immediately.
+
+The caching mechanim is required for ensuring quick issuance and not taking too much of kube apiserver's resources. `Secret`s with the issued X.509 certificates and with temporary private keys get retrieved a number of times during issuance and all the control loops involved in issuance need full `Secret` data. Currently the `Secret`s are retrieved from informers cache. Retrieving them from kube apiserver would mean a large number of additional calls to kube apiserver, which is undesirable. The default cert-manager installation uses a rate-limited client (20QPS with a burst of 50). There is also server-side [API Priority and Fairness system](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/) that prevents rogue clients from overwhelming kube apiserver. Both these mechanisms mean that the result of a large number of additional calls will be slower issuance as cert-manager will get rate limited (either client-side or server-side). The rate limiting can be modified to allow higher throughput for cert-manager, but this would have an impact of kube apiserver's availability for other tenants - so in either case additional API calls would have a cost for the user.
+
+### User Stories
+
+#### Story 1
+
+User has a cluster with 4 cert-manager `Certificate`s and 30k other (cert-manager unrelated) `Secret`s.
+They observe unreasonably high memory consumption in proportion to the amount of cert-manager resources.
+
+See issue description here https://github.com/cert-manager/cert-manager/issues/4722
+
+### Risks and Mitigations
+
+Risk of slowing down issuance in cases where cert-manager needs to retrieve unlabelled `Secret`s, such as CA issuer's `Secret`.
+Users could mitigate this by labelling the `Secret`s.
+
+## Design details
+### Implementation
+
+Ensure that `certificate.Spec.SecretName` `Secret` as well as the `Secret` with temporary private key are labelled with a `controller.cert-manager.io/fao: true` label.
+The temporary private key `Secret` is short lived so it should be okay to only label it on creation.
+The `certificate.Spec.SecretName` `Secret` should be checked for the label value on every reconcile of the owning `Certificate`, same as with the secret template labels and annotations, see [here](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/controller/certificates/issuing/issuing_controller.go#L187-L191).
+
+Add a partial metadata informers factory, set up with [a client-go client that knows how to make GET/LIST/WATCH requests for `PartialMetadata`](https://github.com/kubernetes/client-go/blob/v0.26.0/metadata/metadata.go#L50-L58).
+Add a filter to ensure that any informers for this factory will list _only_ resources that are _not_ labelled with a known 'cert-manager' label.
+
+
+```go
+import (
+ ...
+ "k8s.io/client-go/metadata"
+ ...
+)
+metadataOnlyClient := metadata.NewForConfigOrDie(restConfig)
+
+metadataLabelSelector, _ := notKnownCertManagerSecretLabelSelector()
+
+metadataSharedInformerFactory := metadatainformer.NewFilteredSharedInformerFactory(metadataOnlyClient, resyncPeriod, opts.Namespace, func(listOptions *metav1.ListOptions) {
+ // select only objects that do not have a known cert-manager label
+ listOptions.LabelSelector = metadataLabelSelector
+})
+
+func notKnownCertManagerSecretLabelSelector() (string, error) {
+ r, _ := labels.NewRequirement("controller.cert-manager.io/fao", selection.DoesNotExist, make([]string, 0))
+ sel := labels.NewSelector().Add(*r)
+ return sel.String(), nil
+}
+```
+
+Create informer a partial metadata informer that watches events for `Secret` GVK:
+
+```go
+ metadataSecretsInformer := metadataSharedInformerFactory.ForResource(corev1.SchemeGroupVersion.WithResource("secrets"))
+```
+
+Add a label selector to the existing `Secret`s informer created for [typed informers factory](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/controller/context.go#L264) to ensure that only `Secret` that _do_ have a known cert-manager label are watched:
+
+```go
+import (
+ ...
+ kubeinternalinterfaces "k8s.io/client-go/informers/internalinterfaces"
+ coreinformers "k8s.io/client-go/informers/core/v1"
+ "k8s.io/client-go/kubernetes"
+ ...
+)
+concreteSecretsInformer := NewFilteredSecretsInformer(factory, kubeClient) // factory is the existing typed informers factory
+
+func NewFilteredSecretsInformer(factory kubeinternalinterfaces.SharedInformerFactory, client kubernetes.Interface) coreinformers.SecretInformer {
+ return &filteredSecretsInformer{
+ factory: factory,
+ client: client,
+ newInformer: newFilteredSecretsInformer,
+ }
+}
+
+type filteredSecretsInformer struct {
+ factory kubeinternalinterfaces.SharedInformerFactory
+ client kubernetes.Interface
+ newInformer kubeinternalinterfaces.NewInformerFunc
+ namespace string
+}
+
+func (f *filteredSecretsInformer) Informer() cache.SharedIndexInformer {
+ return f.factory.InformerFor(&corev1.Secret{}, f.newInformer)
+}
+
+func (f *filteredSecretsInformer) Lister() corelisters.SecretLister {
+ return corelisters.NewSecretLister(f.Informer().GetIndexer())
+}
+
+func newFilteredSecretsInformer(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+ secretLabelSeclector, _ := knownCertManagerSecretLabelSelector()
+ return coreinformers.NewFilteredSecretInformer(client, "", resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, func(listOptions *metav1.ListOptions) {
+ listOptions.LabelSelector = secretLabelSeclector
+ })
+}
+
+func knownCertManagerSecretLabelSelector() (string, error) {
+ r, _ := labels.NewRequirement("controller.cert-manager.io/fao", selection.Exists, make([]string, 0))
+ sel := labels.NewSelector().Add(*r)
+ return sel.String(), nil
+}
+```
+
+Create a new `Secret`s getter function. The function will check for the `Secret` in both typed and `PartialMetadata` cache.
+- If the object is found in both caches, it assumes that either cache must be stale and get the `Secret` from kube apiserver[^1]
+- If the object is found in `PartialMetadata` cache, it will get it from kube apiserver
+- If the object is found in the typed cache, it will get it from there
+- If the object is not found, it will return NotFound error
+
+```go
+func SecretGetter(ctx context.Context, liveSecretsClient typedcorev1.SecretsGetter, cacheSecretsClient corelisters.SecretLister, partialMetadataClient cache.GenericLister, name string, namespace string) (*corev1.Secret, error) {
+ var secretFoundInTypedCache, secretFoundInMetadataCache bool
+ secret, err := cacheSecretsClient.Secrets(namespace).Get(name)
+ if err == nil {
+ secretFoundInTypedCache = true
+ }
+
+ if err != nil && !apierrors.IsNotFound(err) {
+ return nil, fmt.Errorf("error retrieving secret from the typed cache: %w", err)
+ }
+ _, partialMetadataGetErr := partialMetadataClient.ByNamespace(namespace).Get(name)
+ if partialMetadataGetErr == nil {
+ secretFoundInMetadataCache = true
+ }
+
+ if partialMetadataGetErr != nil && !apierrors.IsNotFound(partialMetadataGetErr) {
+ return nil, fmt.Errorf("error retrieving object from partial object metadata cache: %w", err)
+ }
+
+ if secretFoundInMetadataCache && secretFoundInTypedCache {
+ return liveSecretsClient.Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
+ }
+
+ if secretFoundInTypedCache {
+ return secret, nil
+ }
+
+ if secretFoundInMetadataCache {
+ return liveSecretsClient.Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
+ }
+
+ return nil, partialMetadataGetErr
+}
+
+```
+
+Use the new `Secret`s getter in all control loops that need to get any `Secret`:
+
+```go
+ ...
+ // Fetch and parse the 'next private key secret'
+ nextPrivateKeySecret, err := SecretGetter(ctx, c.secretLiveClient, c.secretLister, c.metadataSecretLister, *crt.Status.NextPrivateKeySecretName, crt.Namespace)
+ ...
+
+```
+
+### Metrics
+
+The following metrics are based on [a prototype implementation of this design](https://github.com/irbekrm/cert-manager/tree/partial_metadata).
+The tests were run on a kind cluster.
+
+#### Cluster with large cert-manager unrelated secrets
+
+Test the memory spike caused by the inital LIST-ing of `Secret`s, the size of cache after the inital LIST has been processed and a spike caused by changes to `Secret` resources.
+
+##### cert-manager v1.11
+
+Create 300 cert-manager unrelated `Secret`s of size ~1Mb:
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/createsecrets.png?raw=true)
+
+Install cert-manager from [latest master with client-go metrics enabled](https://github.com/irbekrm/cert-manager/tree/client_go_metrics).
+
+Wait for cert-manager to start and populate the caches.
+
+Apply a label to all `Secret`s to initate cache resync:
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/labelsecret.png?raw=true)
+
+Observe that memory consumption spikes on controller startup when all `Secret`s are initally listed, there is a second smaller spike around the time the `Secret`s got labelled and that memory consumption remains high:
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/latestmastersecrets.png?raw=true)
+
+##### partial metadata prototype
+
+Create 300 cert-manager unrelated `Secret`s of size ~1Mb:
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/createsecrets.png?raw=true)
+
+Deploy cert-manager from [partial metadata prototype](https://github.com/irbekrm/cert-manager/tree/partial_metadata).
+
+Wait for cert-manager to start and populate the caches.
+
+Apply a label to all `Secret`s to initate cache resync:
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/labelsecret.png?raw=true)
+
+Observe that the memory consumption is significantly lower:
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/partialmetadatasecrets.png?raw=true)
+
+#### Issuance of a large number of `Certificate`s
+
+This scenario tests issuing 500 certificates from 10 cert-manager [CA issuers](https://cert-manager.io/docs/configuration/ca/).
+The CA issuers have been set up with CA certificates that do not have known cert-manager labels.
+
+Here is a script that sets up the issuers, creates the `Certificate`s, waits for them to become ready and outputs the total time taken https://gist.github.com/irbekrm/bc56a917a164b1a3a097bda483def0b8.
+
+##### latest cert-manager
+
+This test was run against a version of cert-manager that corresponds to v1.11.0-alpha.2 with some added client-go metrics https://github.com/irbekrm/cert-manager/tree/client_go_metrics.
+Run a script to set up 10 CA issuers, create 500 certificates and observe the time taken for all certs to be issued:
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/masterissuanceterminal.png?raw=true)
+
+Observe resource consumption, request rate and latency for cert-manager controller:
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/mastercertmanager.png?raw=true)
+
+Observe resource consumption and rate of requests for `Secret` resources for kube apiserver:
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/masterkubeapiserver.png?raw=true)
+
+##### partial metadata
+
+Run a script to set up 10 CA issuers, create 500 certificates and observe the time taken for all certs to be issued:
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/partialnolabels.png?raw=true)
+
+Observe resource consumption, request rate and latency for cert-manager controller:
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/partialnolabelscertmanager.png?raw=true)
+
+Observe resource consumption and rate of requests for `Secret` resources for kube apiserver:
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/partialnolabelskubeapiserver.png?raw=true)
+
+The issuance is slightly slowed down because on each issuance cert-manager needs to get the unlabelled CA `Secret` directly from kube apiserver.
+Users could mitigate this by adding cert-manager labels to the CA `Secret`s.
+Run a modified version of the same script, but [with CA `Secret`s labelled](https://gist.github.com/irbekrm/bc56a917a164b1a3a097bda483def0b8#file-measure-issuance-time-sh-L31-L34):
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/partiallabels.png?raw=true)
+
+### Pros
+
+- In most setups in majority of cases where a control loop needs a `Secret` it would still be retrieved from cache (as it is certificate secrets that get parsed most frequently and those will be labelled in practically all cases)
+
+- Memory consumption improvements appear quite significant
+
+- Once graduated to GA would work for all installations without needing to discover a flag to set
+
+### Cons
+
+- All cluster `Secret`s are still listed
+
+- Slower issuance in cases where cert-manager needs to retrieve unlabelled `Secret`s
+### Test Plan
+
+Unit and e2e tests (largely updating our existing e2e tests and writing unit tests for any new functions).
+
+We do not currently have any automated tests that observe resource consumption/do load testing.
+
+See [Metrics](#metrics) for how to test resource consumption/issuance speed manually.
+
+### Graduation Criteria
+
+Alpha (cert-manager 1.12):
+
+- feature implemented behind a feature flag
+
+- CI tests pass for all supported Kubernetes versions
+
+- this design discussed and merged
+
+Beta:
+
+User feedback:
+- does this solve the target use case (memory consumption reduction for clusters with large number of cert-manager unrelated `Secret`s)?
+- does this work in cases where large number of `Certificate`s need to be issued around the same time (i.e is the slight slowdown of issuance acceptable)?
+
+GA:
+
+- TODO: define criteria which should be a certain number of working installations
+
+### Upgrade / Downgrade Strategy
+
+Recommend users to upgrade to cert-manager v1.11 first to ensure that all `Certificate` `Secret`s are labelled to avoid spike in apiserver calls on controller startup.
+
+### Supported Versions
+
+This feature will work with all versions of Kubernetes currently supported by cert-manager.
+
+`PartialMetadata` support by kube apiserver has been GA [since Kubernetes 1.15](https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/2334-graduate-server-side-get-and-partial-objects-to-GA#implementation-history).
+[The oldest Kubernetes version supported by cert-manager 1.12 will be 1.22](https://cert-manager.io/docs/installation/supported-releases/#upcoming-releases).
+
+### Notes
+#### Current state
+
+This sections lists all `Secret`s that _need_ to be watched by cert-manager controller's reconcile loops.
+
+##### Secrets for Certificates
+
+- `certificate.spec.secretName` `Secret`s (that contain the issued certs). These can be created by cert-manager or pre-created by users or external tools (i.e ingress controller). If created by cert-manager, they [will have a number of `cert-manager.io` annotations](https://github.com/cert-manager/cert-manager/blob/2f24231383173cf8ef66858c24e7d2f01c699219/internal/controller/certificates/secrets.go#L35-L52). Secrets without annotations will cause re-issuance (see https://cert-manager.io/docs/faq/#when-do-certs-get-re-issued) and upon successful issuance cert-manager.io annotations will be added.
+
+- The temporary `Secret`s that get created for each issuance and contain the private key of that the certificate request is signed with. These can only be created by cert-manager controller and are all labelled with `cert-manager.io/next-private-key: true` label.
+
+##### Secrets for [Cluster]Issuers
+
+The issuers and clusterissuers controllers set up watches for all events on all secrets, but have [a filter](https://github.com/cert-manager/cert-manager/blob/2f24231383173cf8ef66858c24e7d2f01c699219/pkg/controller/issuers/controller.go#L100) to determine whether an event should cause a reconcile.
+
+**ACME issuer**
+
+- the secret referenced by `issuer.spec.acme.privateKeySecretRef`. This can be created by user (for an already existing ACME account) or by cert-manager. Cert-manager does not currently add any labels or annotations to this secret.
+
+A number of optional secrets that will always be created by users with no labelling enforced:
+
+- the secret referenced by `issuer.spec.acme.solvers.dns01.acmeDNS.accountSecretRef`.
+
+- the secret referenced in `issuer.spec.acme.externalAccountBinding`.
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.akamai.accessTokenSecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.akamai.clientSecretSecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.akamai.clientTokenSecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.azureDNS.clientSecretSecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.cloudDNS.serviceAccountSecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.cloudflare.apiTokenSecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.cloudflare.apiKeySecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.digitalocean.tokenSecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.rfc2136.tsigSecretSecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.route53.accessKeyIDSecretRef`
+
+- the secret referenced in `issuer.spec.acme.solvers.dns01.route53.secretAccessKeySecretRef`
+
+**CA**
+
+- the secret referenced by `issuer.spec.ca.secretName`. This will always be created by user. No labelling is currently enforced.
+
+**Vault**
+
+- the optional secret referenced by `issuers.spec.vault.auth.appRole.secretRef`. Always created by user with no labelling enforced
+
+- the optional secret referenced by `issuers.spec.vault.auth.kubernetes.secretRef`. Always created by user with no labelling enforced
+
+- the optional secret referenced by `issuers.spec.vault.auth.tokenSecretRef`. Always created by user with no labelling enforced
+
+- the optional secret referenced by `issuers.spec.vault.caBundleSecretRef`. Always created by user with no labelling enforced
+
+**Venafi**
+
+- the secret referenced by `issuers.spec.venafi.tpp.secretRef`. Always created by user with no labelling enforced
+
+- the secret referenced by `issuers.spec.venafi.cloud.secretRef`. Always created by user with no labelling enforced
+
+#### Upstream mechanisms
+
+There are a number of existing upstream mechanisms how to limit what gets stored in the cache. This section focuses on what is available for client-go informers which we use in cert-manager controllers, but there is a controller-runtime wrapper available for each of these mechanisms that should make it usable in cainjector as well.
+
+ ##### Filtering
+
+Filtering which objects get watched using [label or field selectors](https://github.com/kubernetes/apimachinery/blob/v0.26.0/pkg/apis/meta/v1/types.go#L328-L332). These selectors allow to filter what resources are retrieved during the initial list call and watch calls to kube apiserver by informer's `ListerWatcher` component (and therefore will end up in the cache). client-go informer factory allows configuring individual informers with [list options](https://github.com/kubernetes/client-go/blob/v12.0.0/informers/factory.go#L78-L84) that will be used [for list and watch calls](https://github.com/kubernetes/client-go/blob/v12.0.0/informers/core/v1/secret.go#L59-L72).
+This mechanism is used by other projects that use client-go controllers, for example [istio](https://github.com/istio/istio/blob/1.16.0/pilot/pkg/status/distribution/state.go#L100-L103).
+The same filtering mechanism is [also available for cert-manager.io resources](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/client/informers/externalversions/factory.go#L63-L69). We shouldn't need to filter what cert-manager.io resoruces we watch though.
+This mechanism seems the most straightforward to use, but currently we don't have a way to identify all resources (secrets) we need to watch using a label or field selector, see [###Secrets].
+
+##### Partial object metadata
+
+Caching only metadata for a given object. This mechanism relies on making list and watch calls against kube apiserver with a `PartialObjectMetadata` header. The apiserver then returns [PartialObjectMetadata](https://github.com/kubernetes/apimachinery/blob/v0.26.0/pkg/apis/meta/v1/types.go#L1425-L1447) instead of an object of a concrete type such as a `Secret`. The `PartialObjectMetadata` only contains the metadata and type information of the object.
+To use this mechanism to ensure that metadata only is being cached for a particular resource type that triggers a reconcile, `ListerWatcher` of the informer for that type needs to use a client that knows how to make calls with `PartialObjectMetadata` header. Also if the reconcile loop can only retrieve `PartialObjectMetadata` types from cache.
+client-go has a [metadata only client](https://github.com/kubernetes/client-go/blob/v0.25.5/metadata/metadata.go#L85-L99) that can be used to get, list and watch with `PartialObjectMetadata`. client-go also has a [metadata informer](https://github.com/kubernetes/client-go/blob/v0.25.5/metadata/metadatainformer/informer.go#L118-L142) that uses the metadata only client to list and watch resources. This informer implements the same [SharedIndexInformer interface](https://github.com/kubernetes/client-go/blob/v0.26.0/tools/cache/shared_informer.go#L219) as the core and cert-manager.io informers that we use currently, so it would fit our existing controller setup.
+The downside to having metadata only in cache is that if the reconcile loop needs the whole object, it needs to make another call to the kube apiserver to get the actual object. We have a number of reconcile loops that retrieve and parse secret data numerous times, for example [readiness controller](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/controller/certificates/readiness/readiness_controller.go) retrieves and parses `spec.SecretName` secret for a `Certificate` on any event associated with the `Certificate`, any of its `CertificateRequest`s or the `spec.secretName` secret.
+TODO: add which projects have adopted metadata-only watches, especially with client-go informers
+
+##### Transform functions
+
+Transforming the object before it gets placed into cache. Client-go allows configuring core informers with [transform functions](https://github.com/kubernetes/client-go/blob/v0.25.5/tools/cache/controller.go#L356-L365). These functions will get called with the object as an argument [before the object is placed into cache](https://github.com/kubernetes/client-go/blob/v0.25.5/tools/cache/controller.go#L420-L426). The transformer will need to convert the object to a concrete or metadata type if it wants to retrieve its fields.
+This is a lesser used functionality in comparison with metadata only caching.
+A couple usage examples:
+- support for transform functions was added in controller-runtime [controller-runtime#1805](https://github.com/kubernetes-sigs/controller-runtime/pull/1805) with the goal of allowing users to remove managed fields and annotations
+- Istio's pilot controller uses this mechanism to configure their client-go informers to [remove managed fields before putting object into cache](https://github.com/istio/istio/blob/1.16.0/pilot/pkg/config/kube/crdclient/client.go#L179)
+I haven't seen any usage examples where non-metadata fields are modified using this mechanism. I cannot see a reason why new fields (i.e a label that signals that a transform was applied could not be _added_) as well as fields being removed.
+
+##### Future changes
+
+There is an open KEP for replacing initial LIST with a WATCH https://github.com/kubernetes/enhancements/pull/3667
+
+Perhaps this would also reduce the memory spike on controller startup.
+
+## Production Readiness
+
+
+
+### How can this feature be enabled / disabled for an existing cert-manager installation?
+
+
+
+### Does this feature depend on any specific services running in the cluster?
+
+No
+
+### Will enabling / using this feature result in new API calls (i.e to Kubernetes apiserver or external services)?
+
+There will be additional calls to kube apiserver to retrieve unlabelled `Secret`s.
+
+See [Metrics](#metrics) and [Risks and Mitigation](#risks-and-mitigations)
+
+### Will enabling / using this feature result in increasing size or count of the existing API objects?
+
+No new objects will be created
+
+### Will enabling / using this feature result in significant increase of resource usage? (CPU, RAM...)
+
+No, see [Metrics](#metrics)
+
+## Alternatives
+
+### Use transform functions to remove `data` for non-labelled `Secret`s before adding them to informers cache
+
+Watch all `Secret`s as before. Use client-go's [transform functions mechanism](https://github.com/kubernetes/client-go/blob/v0.25.5/tools/cache/controller.go#L356-L365) to remove the `data` field for a `Secret` that does not have a known cert-manager label before it gets placed in informer's cache. In the same transform function add a custom `cert-manager.io/metadata-only` label to all `Secret`s whose `data` got removed (this label will only exist on the cached object).
+In reconcilers, use a custom `Secret`s getter that can get the `Secret` either from kube apiserver or cache, depending on whether it has the `cert-manager.io/metadata-only` label that suggests that the `Secret`'s `data` has been removed.
+Additionally, ensure that as many `Secret`s as we can (ACME registry account keys) get labelled.
+Users would be encouraged to add a cert-manager label to all `Secret`s they create to reduce extra calls to kube apiserver.
+
+In practice:
+
+- cert-manager would cache the full `Secret` object for all `certificate.spec.secretName` `Secret`s and all `Secret`s containing temporary private keys in almost all cases and would retrieve these `Secret`s from cache in almost all cases (see the section about [Secrets for Certificates](#Secrets-for-Certificates))
+
+- cert-manager would cache the full `Secret` object for all labelled user created `Secret`s (issuer credentials)
+
+- cert-manager would cache metadata only for user created unlabelled `Secret`s that are used by issuers/cluster-issuers and would call kube apiserver directly to retrieve `Secret` data for those `Secret`s
+
+- cert-manager would cache metadata for all other unrelated cluster `Secret`s
+
+This would need to start as an alpha feature and would require alpha/beta testing by actual users for us to be able to measure the gain in memory reduction in concrete cluster setup.
+
+[Here](https://github.com/irbekrm/cert-manager/tree/experimental_transform_funcs) is a prototype of this solution.
+In the prototype [`Secrets Transformer` function](https://github.com/irbekrm/cert-manager/blob/d44d4ed2e27fb9b7695a74ae254113f3166aadb4/pkg/controller/util.go#L219-L238)
+is the tranform that gets applied to all `Secret`s before they are cached. If a `Secret` does not have any known cert-manager labels or annotations it removes `data`, `metada.managedFields` and `metadata.Annotations` and applies a `cert-manager.io/metadata-only` label.
+[`SecretGetter`](https://github.com/irbekrm/cert-manager/blob/d44d4ed2e27fb9b7695a74ae254113f3166aadb4/pkg/controller/util.go#L241-L261) is used by any control loop that needs to GET a `Secret`. It retrieves it from kube apiserver or cache dependign on whether `cert-manager.io/metadata-only` label was found.
+
+#### Drawbacks
+
+- All cluster `Secret`s are still listed
+
+- The transform functions only get run before the object is placed into informer's cache. The full object will be in controller's memory for a period of time before that (in DeltaFIFO store (?)). So the users will still see memory spikes when events related to cert-manager unrelated cluster `Secret`s occur.
+See performance of the protototype:
+
+Create 300 cert-manager unrelated `Secret`s of size ~1Mb:
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/createsecrets.png?raw=true)
+
+Deploy cert-manager from https://github.com/irbekrm/cert-manager/tree/experimental_transform_funcs
+
+Wait for cert-manager caches to sync, then run a command to label all `Secret`s to make caches resync:
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/labelsecret.png?raw=true)
+
+Observe that altough altogether memory consumption remains quite low, there is a spike corresponding to the initial listing of `Secret`s:
+
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/transformfunctionsgrafana.png?raw=true)
+
+### Use PartialMetadata only
+
+We could cache PartialMetadata only for `Secret` objects. This would mean having
+just one, metadata, informer for `Secret`s and always GETting the `Secret`s
+directly from kube apiserver.
+
+#### Drawbacks
+
+Large number of additional requests to kube apiserver. For a default cert-manager installation this would mean slow issuance as client-go rate limiting would kick in. The limits can be modified via cert-manager controller flags, however this would then mean less availability of kube apisever to other cluster tenants.
+Additionally, the `Secret`s that we actually need to cache are not likely going to be large in size, so there would be less value from memory savings perspective.
+
+Here is a branch that implements a very experimental version of using partial metadata only https://github.com/irbekrm/cert-manager/tree/just_partial.
+
+The following metrics are approximate as the prototype could probably be optimized. Compare with [metrics section of this proposal](#issuance-of-a-large-number-of-certificates) for an approximate idea of the increase in kube apiserver calls during issuance.
+
+Deploy cert-manager from https://github.com/irbekrm/cert-manager/tree/just_partial
+
+Run a script to set up 10 CA issuers, create 500 certificates and observe that the time taken is significantly higher than for latest version of cert-manager:
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/partialonly.png?raw=true)
+
+Observe high request latency for cert-manager:
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/partialonlycertmanager.png?raw=true)
+
+Observe a large number of additional requests to kube apiserver:
+![alt text](https://github.com/irbekrm/cert-manager/blob/memory_design/design/images/20221205-memory-management/partialonlykubeapiserver.png?raw=true)
+
+### Use paging to limit the memory spike when controller starts up
+
+LIST calls to kube apiserver can be [paginated](https://kubernetes.io/docs/reference/using-api/api-concepts/#retrieving-large-results-sets-in-chunks).
+Perhaps not getting all objects at once on the initial LIST would limit the spike in memory when cert-manager controller starts up.
+
+However, currently it is not possible to paginate the initial LISTs made by client-go informers.
+Although it is possible to set [page limit](https://github.com/kubernetes/apimachinery/blob/v0.26.0/pkg/apis/meta/v1/types.go#L371-L387) when creating a client-go informer factory or an individual informer, this will in practice not be used for the inital LIST.
+LIST requests can be served either from etcd or [kube apiserver watch cache](https://github.com/kubernetes/apiserver/tree/v0.26.0/pkg/storage/cacher).
+Watch cache does not support pagination, so if a request is forwarded to the cache, the response will contain a full list.
+Client-go makes the inital LIST request [with resource version 0](https://github.com/kubernetes/client-go/blob/v0.26.0/tools/cache/reflector.go#L592-L596) for performance reasons (to ensure that watch cache is used) and this results in [the response being served from kube apiserver watch cache](https://github.com/kubernetes/apiserver/blob/v0.26.0/pkg/storage/cacher/cacher.go#L621-L635).
+
+There is currently an open PR to implement pagination from watch cache https://github.com/kubernetes/kubernetes/pull/108392.
+
+### Filter the Secrets to watch with a label
+
+Only watch `Secret`s with known `cert-manager.io` labels. Ensure that label gets applied to all `Secret`s we manage (such as `spec.secretName` `Secret` for `Certificate`).
+We already ensure that all `spec.secretName` `Secret`s get annotated when synced- we can use the same mechanism to apply a label.
+Users will have to ensure that `Secret`s they create are labelled.
+We can help them to discover which `Secret`s that are currently deployed to cluster and need labelling with a `cmctl` command.
+In terms of resource consumption and calls to apiserver, this would be the most efficient solution (only relevant `Secret`s are being listed/watched/cached and all relevant `Secret`s are cached in full).
+
+#### Drawbacks
+
+- Bad user experience - breaking change to adopt and introduces a potential footgun after adoption as even if users labelled all relevant `Secret`s in cluster at time of adoption, there would likely be no visible warning if an unlabelled `Secret` for an issuer got created at some point in future and things would just silently not work (i.e `Secret` data updates would not trigger issuer reconcile etc).
+
+- This feature would likely need to be opt-in 'forever' as else it would be a major breaking change when adopting and a potential footgun after adoption
+
+- Maintenance cost of the `cmctl` command: if a new user created `Secret` needs to be watched in a reconcile loop, the cmctl command would also need to be updated, which could be easily forgotten
+
+### Allow users to pass a custom filter
+
+Add a flag that allows users to pass a custom selector (a label or field filter)
+
+See an example flag implementation for cainjector in https://github.com/cert-manager/cert-manager/pull/5174 thanks to @aubm for working on this.
+
+It might work well for cases where 'known' selectors need to be passed that we could event document such as `type!=helm.sh/release.v1`.
+
+#### Drawbacks
+
+- bad user experience- no straightforward way to tell if the selector actually does what was expected and an easy footgun especially when users attempt to specify which `Secret`s _should_ (rather than _shouldn't_) be watched
+
+- users should aim to use 'negative' selectors, but that be complicated if there is a large number of random `Secret`s in cluster that don't have a unifying selector
+
+### Use a standalone typed cache populated from different sources
+
+As suggested by @sftim https://kubernetes.slack.com/archives/C0EG7JC6T/p1671478591357519
+
+We could have a standalone cache for typed `Secret`s that gets populated by a standard watch for labelled `Secret`s as well as from `Secret`s that were retrieved in reconciler loops. A metadata only cache would also be maintained.
+This should ensure that a `Secret` that our control loop needs, but is not labelled only gets retrieved from kube apiserver once. So it should provide the same memory improvements as the main design, but should avoid additional kube apiserver calls in cases where users have unlabelled cert-manager related `Secret`s in cluster.
+
+#### Drawbacks
+
+- complexity of implementation and maintenance of a custom caching mechanism
+
+[^1]: We thought this might happen when the known cert-manager label gets added to or removed from a `Secret`. There is a mechanism for removing such `Secret` from a cache that should no longer have it, see [this Slack conversation](https://kubernetes.slack.com/archives/C0EG7JC6T/p1671476139766499) and when experimenting with the prototype implementation I have not observed stale cache when adding/removing labels
diff --git a/design/images/20221205-memory-management/createsecrets.png b/design/images/20221205-memory-management/createsecrets.png
new file mode 100644
index 0000000000000000000000000000000000000000..7dc2379cf29c71504257039837c85c63ed5902c9
GIT binary patch
literal 36441
zcmb4q1yEeu+9e4ZoZub;!GpUr4#C~s-CY_DZo%C{aCg^+;O_43P9wv+H+SaE)O&x`
zbai!~t~!0rKHuK^leN|tDkmd`1dj&~0Re#|{!Lf`0s=DN?YJ5a=I!%d9nbdd3(8SY
zTnX;&8ItKQSZUZ8aei^uMjE+TsLKDIES2h`@_Q0UrVt%#$oi@_J*h>mG^3id6|%Ea
zlPj(PleJ!%^j`Z-B7&tx14NuOi(=GoEF|AO&Wx2rjen*zoe_T|6jxxaCT*rlc
zGmT=F+E^}{4kbit;Fj%Es;pJ`eS@u3zv?@ygVyJ@v`X41)%KM2Xa{#dbpJZMUWLJ#
zq|dr!1?H2PHZA#({p$S)1b>`k}3!8E$W)51H8Azn6j(V@ouz_
zg#LLm@zpw<5X#bA_XYb)@K@SB3R%!*{&fw|X|`Yf>Wk0Ivq1OkOMC)pMOpZ4so|3K
zp4%C=ts?K0Cl50>24-hwKgBB;=F3!jKXZ*xqnwxRQh7-!zEKHhFTT&RfaxU4!{{*o
zxZ>=IRS$yu!2y2T_#yIT(q2br<-P8GpVMpk)_O6Z!g8s?Q)~PD;*xfGVLt5_sY#6h3ocI2?15Dd3C9mp#0z`RpZL_-cP8(%XB_t{
z#vI9>@SlcaNwga3JT3Qz7Q*LmmucdAUzyi3(SAp&+_)TA`}jp|DfI(xI9>rAUIhV|
zuMbdLkx4JJnOBS*tMkA8vq}xC3tkcrOGdRZr>Z(UICb}NeF(mAyS?N;Pji(&XW-fK
ztvx1vL6ipr_HIo}YcOrLTq{f%T~4%8*?|$x7twAG3aS8)L*_=2{)@mU&dxx#ee2`4
zRky+!`*ZpZ!-AuaFEnsi`A`!GoZw3lTH
zP1dV1^UQ>$yU79^4+ikz>As)uG{;*IZi2ff2nqkibG_3K+ec1bzRR+rO;kZ4HZIJp
zfb0aWsn4EFCd6nRXb8thym!UBCm+<0dSD0v!W_GOA4SM52EFPw5!S?%<#_O=kn|U`
zdnK%dD}b}C9TCnhr-?eNc8pKoCnnS!g-&0~7a>fO;oYnhG9iadrU)njnRZtqtlGhx
zDG+@-$M;Yy#1z^bHrlTECz6P>p0#;)eeRERJV;2PR=P|$3`2YoDs!V*uJap}N+oRj
zb_IR8!h^~0l8kyZd;*6}cvkK0l)JIzUjA*@(t}R3VwPXG?mAqGT3nZ`S2%sL~q%fAKpS$D7Cf)gUvCDD&oZ4o6hDNSgbIMsmQ5DJK
z<=KKI6j$R^sie)fMXS&MTCv5g@5&w#`^Vy^PEP_B)dXb{2D4GoCHSJ~O(#+v#AQlI
zj3jtSy()&a?Gd^gc4%QyGV(`f5aw>FnQpE0ZQEh(QRu#Kb&9Cs0WldJAH#W#*de2k
z--a3gi+H>9fXjb#m(lw7&eE#*LQ&6lQ@`EoK1BJ_Vq4u6=FY7B={nV7@Q9wmcd#}w
z;%$8g|Cs&a-HXGti5NXF)F6Z=Y-;e(gx+M%()P+&lnpux
zO$z_Ob>w2%6F`XJeL+r)EmH09?DhE>26abQ`Vw1=5hb;E|C6fr%|eZ5!|4m{chsbo
zwk|y>N*GYa5BVO(-DAVO3(;{{7kdh?CSDu1^fX(Z3uXy^tj2phykL8F+q&
z_y^oJGf{`th)Z*dE-t*s;}v7L+E51m_IF#Z|qz!Eskyb#Z70Tmra
z-rYj;=@N$_aUV_<4}L5*F;-CGP@L(q#Qct6IC;ZQE1k3vijnfSgt;j7fLOFWb&0=A
z7G)n&3oR0LJEVVQg2|7>^zP6riE-m=_q`Bud!&}0a`U)~T3fAoFX0_{_hu-93jd}aUvTI%0?Ou;)h`H;$
zpD^+-wOq643uZ7DR`$U5UYz1*=+4+r!O}j>3i-$+8#!Xh>`&c|ITVq|
zQREV1KOM*(P=k>v;=GQb7Ff%LS6@G&jD>VQheedeXL3mS?S0P-=+aqwxP)PFd^xAm
zAVqJ->dMZ1b{6v&&<2+@Tm?pLO|J(fHL$PFf!&()<@nb)=R{uB3fxdFiudNL-Xo%8
z*U*yhPfFC6Kkjq3Uk|^dJATpWTSd^tb9Kv(&)6QHV8+l4NNLyjvUF*W0S=*Q0-sYffvZk7sh2i5tc<5*FzCY6Pca9K7H;I9NF!bC3Ht
zYWhm_0VWWYU9@Q@DHNW>X<|6o{h=u%ndpHkTC8Q|;4majZ^$c4*QUDWl8@N%_y!BB
z&O|{6tn2dl3dsj_+rFVkpBc&=5qqscyIS_yJ1AOp1u{^c@SB-pDFmK2bErJVvakRHp
zl4FyH_lTduZMXT0uZrDN)ADu>M-RbX<#REH}R^u9O`N<=<`2VoA8es#1H)
z6y;MNy_-BEMeK$R>n{jLViN)tAh`TN1Ht*hbUv*rypIh(ERCHcAkY20s43#)PBEl+
zrO)`UaXd{5k{%Z}G|}{xyKcxW{A<8k}eU59jCISjPc=OveocI=oCl5ftVZ
zR^*~Eo2&9-I*T%Zl@x(z!s28+uE-hLh%Z|eV~Vr6D=8AoLs|j2e720C=)oH{ES0-_
zc?_!QyEPrQd+9r)wRAcD$~+4piP~|2@Qeivv=eX){1oC^j`@m1@$Iz31UHDaiGG
z2^){FT9*vKi!+#f&TccQY@3)s`spD2qZQDU6RTpZ7X7bN9vUA
z*F4)o3fIDIrna;=LEy4jmedgLM>4gCn);0817J)?dgX{iD>`#rwWbZnM*6fB5KUF-
zA6t{b_u`ELzYZ|rT$56mzq+I_s)f|xMsndb{_wB)4XH>a3J?Hc3@P$?CQ%Ssk36
zUp0)4yE}75clC~>$T%5sba}73xi@Azt5MG1P}>rfZ**_^;{gJk`Lz1h`PsP+5jg8y
z@w2i@o8z-KK|k&v$UsqKJiigjn$oYt0EXa=&&^n-TA>o@WBZ8#t=C;7gH{mAR%`63
zS#*(K9ArOmvOz$$_iUvwJ2K^c_GiRp<)Xd8Ao7ZCKu&O-DHyAEvPvQeGv-_Dbm}M%
z*EQw6qA_`wJ>l?#cWt#>rV-t80}bGr3k#w_6F+kINX?keNL$c00bwL`=0aPlTR%hE64~-Q
z;z|s2*bXA6XD^=$2tOHMeOVSuu7DNI|M5vSFrEB7RA-=pm@qgoZTRJDOQHE`CkP`%
zv#p6HWI{19^Q1bd@-AU5hRKZlhzM8a)YH}>JJ&Lt@Fa4-ty|^>_xCtIbFj{u=tE;d
zX{fd7tER0SdQEI_(#ZDl)e=>Gz^uyXK^w7S@q|AnJ&a7|SS&1YLEfXQmx>i^1e92m
z(GS*?yH!qEnpMO|-Ol5Fm8r{a8iMkpV)?a)Mzp4L^H~|i-}7}T+WA-vk@~Bo7s7#!
z0x~66i*lAZMGH~-W(1*m@C#|i?Yl!T+8FeGrD|ivj98N{)|*pYkX=1n-v}Ixs{sw#
zbAXwKlhNHmuAWRFvPJp68ZzE6mVYV3z9o~kMkvW~~N;+I7KhfO24I|E(}#WiDAopj;5dhHCgLkqJTD^U4@IqRIi^R%rY2-5KGvvfFOh|Dan~>l4L$rOlJHh{<_<)pGik_@yle28hLGlxbh5_SP8+kK1-)OsrkN!MXImUG6OkdoE;|6Yo4W%>CXi?03W=C
ztk!Qj;7HZY|GhQvOnFCz30a&Ssd#ZzJ#^c+IeemfNUI17sshR8b>B}KA}D-&kpdx$3F5$0jgL~e
zcq8w0pF^B7QVK~R;S}+{(HsJmPem8cQ+d*BPb}`=d!L`AKovp2hrPGV%7F4U0Spg~
z*%o~3cka{JQU?GJXtSt^B0SDpXuonuU4Ackn4m^Uo#fkEvBqs6AR{u39dusz1+o
znj=$3wT_gS(zDb>_Jw7_+dIuXA0j3|`~oybiM(q%UcEqGV6~>yAx#F~KhdbRmn$*{
z_krqX6QXl-4f;14BdyIWbGNSn5;DYkcl-IJK0HzRHL`I{oMLN2es6cm=e9d7>VCHD
zS*>5iT{h0sp?1jL|-Mt!d$II%dj(g9oXM3_YWsk`dM6Y*H$>VZN(0R%E(E8l3
zMebvYdzZyI=E5tV|5wg%zc_)0=rXxb
z3!#cPDOusUmYh?AjxV~bRmM_pfy2AZ*oj%9s$qzmFHMc!AK7(hbm&a6>oItUtx3TK
zLUO&!e2*4czi4o22_7BHd}i#puPFD?y^s+T!U^cnF660EMB{V^qL+L}^-V=-xSo%?@qF^|%!Hh=`BtpVPScNR#?(
z-lKC{G*#a=C1{-h4Uy#QLVygrTTESS^T|eWIhfIQ!4AIuCFS#(7=y~5oDCJ}&)Hr|
zUCh&a1pU8rv6aFzJ-HeMb)8@)LuzrwRF1h#0bdQ#!3F9S6mh?DNe(fjhVk7)S*2qu
zlb{)g>ls_mXcVk7PK=xT@B{wSmW98Vdvyfa)#`HxCPJ;
zmOycVl%JE%%3mOE1(8n%$xL<}+MC$og(xly>*wWGfNQA}(dB05ns&0~ZJBF4RK;zjw%4F1F
zX1QNI=VZsK&CfTdO1Mz3{YRg=b>Tg;xA*&Y3|WUC
z;?$m%-qS_74CkjDdu$;f?`YEhqI%p^)-nI~+5Aw7D1udgdeOX;YF$qNK6}HAGP{!}
zD;aG=4Y1T*Ae3ozfZ{W%pky}ma|I?_A8>$)Sol{l1
zWY$&v*Wr@y4tT%BKG*V9+gw$BHFK4?nLH1hD3gxg-&p
zc{e|gGC#B9{m$OJ3T09cXW*vfaDZ&3o)u*~5uMqrNpbj?!*;m#&xD4xSnOhizcK+5
zn+{JpoK}9;)bks*%{P}B_NS1#?%{Px*-s!K#2R*XZN~ajc-h-3oH;@NwQt`(
zmc2hB!vB4#-nk!d_2Az_yI}o!lqoQm{ee~&j4H2QakX48NXOeS<@*W@9Zuu)L)&=g
zMtPDfS@Uh7DMJYQ>$7KJ_~u&<_c3u4r-$D*aQ6}s*?MI(CU#cxVPAa8Rlp4~bvXT}
zTOTq~SATw7Ul>6YuqyJ|eI)79{)5qSI%qhPCqj-su)g{8=<#a=y^NAxLcz@6V<9=U
zZ!1SE)`7(3yR&ZxuP95wI|($A2ST=#Ae=P8&Ogl_wLZKMU22KeoL_v2us@S!#dspG
zFj?6|tIfKPkF>Sk5C+3xm1%;=bn}VLudVDqp<|DdRPzS#5?gJLNVoi!7h^mN#gt;u
z{@tHY2rYY|RvL4qsk9_qMCA2RCwA9^e~9#_e|
zuy_aOEho)b@_o7z!(YepI*P2!Y78>yNW-+9}u^8Q|!?usccNY
z>m9}UfSWd7%blTueXETfM6
zkV}Ze;x5dIAlQ-J8bFzk)A>$VSor9FZoj72JN{`p-C>*X?(Z24@l>a$2|%X4ZSS?!
zdGv);H{k-evM7M|iAB7Y?GR`728!CKwG;wE@NoSL#283(-&atoF(R3K%ND(O@ZvF;
zyPSHxLi**o7pI+z#zXd=UPKp<*Z7?oHlzRqG&?czGJ*4SYKu=XtGudhzv(?r_ewJp
z8x$hRa!bNwEY}C9z`t#E*SdO!JI$hfw@F15=XOa!gL_iUZwbiixcCC9FZs9-zVNzH
z;Do69Tbi!@xLrt2YSoSA1cTLelL*&0DT(Igl+cJ>UA`O0KsBCADqZvDnpBygWHxg|
z^2~THx%!Vi{F4cap@u<0bm%9aHarrQkMh(cOH_FI2-jK}>VVGrx|9?t6E^
z)9gY*@<4p?I4VdN=niiK@Ple(jZJWfHE?E_Kz4=clhW@E{WzLzZ2gaSuyq_Q`BLkG
zS29S+ku`|z^ZH|Jwu`J6sVn<#?CS`N<*Az|zC6JR3tPQ`>hk%8y-*E{;ly?RglyN>
z&oOoQSg3a1=oMaesgFZRDB8KnEf(ZKJ^1dXvhZRqz|Nr#pNy?RvcxgMKpsKSKmMqq
z1^Ug<<1BL1B{eDxA~MFO%Wj{gRRPb6H5iIY1q^P}c0A2K`EH1YMva2f@{C_o+gUsY
z-^;b;x$lQAxMcy8=IYb)E{X#IAm;C=w)oCWd(yFHDRCY2Qg3PpfgsFF)ZjQN?hq!9-=X
zAL{V-=$VvhjYjY%@2iYDE``xOugZ5_1T08-+I@%~mgm$$3_!t8u@-S0AoZ6CJL?}jS29@>uU>LVd;l@~i
zPnG1)+S@#xvScU>BCotnfrV?T{Ec0idL}(-CgUEdYdZ=m$GJF<)|2phPvT8fSdVo$
zWea-wJ+tO)@Y7gYQ7s4c{Og@718ru{F-2xqzj9t%Rcx!!SvAln
zpGR8h&zy}Z#>U0f4a8CCJ_%@O;9Xo?xK>L1S+XQHb((f#|3G3PEgApjn#ukRDidd*
z{4*=MLjUH;$IDP)Fxk5)#!L@t;Sd{I8AzIox*{Ysx`*HBLH4*^oonS4I@6}O6Vk1m
zd+L~fLFIR?fB=C8{qXx2pJ&)LaRR4+fHqj6U&BU+46hZtOg|^Gy6z$kek4h?*arP8
zC?4-cGuF?s>)r<7_1*Wni3a1?(n+IS6Jk@Z_L$b}rub~}y`Is#-J0@k1h092FVbiC
zCM)a;^}54;?JAyVFln(72cEJuQ~}FxFo{t_&Q80p0*4w|dBDe8!fWI6G|vy^j@;nn
zn!)C!OSDbPU(p-7UHjNlzQNe_dc=tF`W?JChcS#sJmTS|%#2K^cTrrIlP;GBqlkxR
za-ivP^HOgET3jDsW;NEysM4m+F5d9Hd$@Qy2cm19AL}b_VACc`)-#ZMkJi=F^N^bk
zW6UhEOx(ckf~ekVIDbOFcY9C3@hZ|LNy5&F1#)q;hNfc6gsoHjwEi)K1}9hTHV;Ya
zuEizww2-e?H)}~WhEPr@<$2|d(RO`D*K(fYZnegW$Gq*>6uvJzrWe%DWYeoB*hcg4
zWWJ(fup*0*^XIZQcvh%;iR;^(W&fw1nNjJT2xu?hsmV~Um-%%$7
zbgi@_yn`uw2>(}&kKkX>VD!(rt5H8RZQ9W4)ta(Ry-u5543%g^0a6+M^knr&R6e
zYIPeV-S94#8$+BdO+n}#R$pG%%{FCq]