From baec8e5ded68493c0648b3c70e5b9b1d8e2ce048 Mon Sep 17 00:00:00 2001 From: cuttingedge1109 Date: Thu, 4 Mar 2021 04:54:41 +0100 Subject: [PATCH 1/4] update vault usage doc --- content/sre/secrets/vault.md | 155 +++++++++-------------------------- 1 file changed, 37 insertions(+), 118 deletions(-) diff --git a/content/sre/secrets/vault.md b/content/sre/secrets/vault.md index ae4ae2d7..9f502c0f 100644 --- a/content/sre/secrets/vault.md +++ b/content/sre/secrets/vault.md 
@@ -28,118 +28,37 @@ Tokens are created on demand with a specified expiry time and can be revoked at For detailed documentation: [Vault Documentation](https://learn.hashicorp.com/vault#getting-started) -# Setting up Vault - -Along with other tools stakater cloud provides vault as a built-in and recommended feature. Stakater is responsible for -deploying it and hands-over the further configuration part to the end user. -In our set-up we leverage on vault agent for lifecycle management of tokens, that are used for authentication. - -![vault-agent](./images/vault-agent.png) - -## Choosing Auth Method - -For simplicity we use [Kubernetes auth method](https://www.vaultproject.io/docs/auth/kubernetes.html) to authenticate -the clients using a Kubernetes Service Account Token but you can configure -vault to use any of the [auth methods](https://www.vaultproject.io/docs/auth) based on your requirements. - -## Prerequisites - -On your local machine you should have curl, jq, [vault cli](https://www.vaultproject.io/docs/install) and [openshift cli](https://docs.openshift.com/container-platform/4.2/cli_reference/openshift_cli/getting-started-cli.html#cli-installing-cli_cli-developer-commands) - -## Configuring vault - -[[toc]] - -### Make vault service accessible - -Run `oc port-forward -n stakater-vault service/vault 8200:8200 &` to access vault service at https://127.0.0.1:8200 -Alternatively, you can create a route/ingress for the service as well but that is not recommended since we are not exposing our -vault for the external world or services, no access outside the cluster. 
- -### Run the following commands - -```shell script - -# Directory that will contain vault unseal key and root token -mkdir -p vault-secrets - -export VAULT_ADDR=https://127.0.0.1:8200 - -# Initialize a vault server -curl \ - --insecure \ - --silent \ - --request PUT \ - --data '{"secret_shares": 1, "secret_threshold": 1}' \ - ${VAULT_ADDR}/v1/sys/init | tee \ - >(jq -r '.root_token' > vault-secrets/root-token) \ - >(jq -r '.keys[0]' > vault-secrets/unseal-key) - -# Export unseal key and root token as environment variables, these are used for authentication -export KEYS=`cat vault-secrets/unseal-key` -export ROOT_TOKEN=`cat vault-secrets/root-token` -export VAULT_TOKEN=$ROOT_TOKEN - -# Unseal vault to make it usable -vault operator unseal -tls-skip-verify $KEYS - -# Set VAULT_SA_NAME to the service account you created earlier -export VAULT_SA_NAME=$(oc get sa vault -o jsonpath="{.secrets[*]['name']}" | grep -o '\S*vault-token\S*' | uniq) - -# Set SA_JWT_TOKEN value to the service account JWT used to access the TokenReview API -export SA_JWT_TOKEN=$(oc get secret $VAULT_SA_NAME -o jsonpath="{.data.token}" | base64 --decode; echo) - -# Set SA_CA_CRT to the PEM encoded CA cert used to talk to Kubernetes API -export SA_CA_CRT=$(oc get secret $VAULT_SA_NAME -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo) - -export K8S_HOST="https://kubernetes.default.svc:443" - -# Enable Kubernetes Auth Method -vault auth enable -tls-skip-verify kubernetes - -# Write config -vault write -tls-skip-verify auth/kubernetes/config \ - token_reviewer_jwt="$SA_JWT_TOKEN" \ - kubernetes_host="$K8S_HOST" \ - kubernetes_ca_cert="$SA_CA_CRT" - -# Create Admin Policy -echo ' -path "secret/*" { - capabilities = ["read", "list", "create", "update", "delete"] -}' | vault policy write -tls-skip-verify default-policy - - -# Create Read Policy -echo ' -path "secret/*" { - capabilities = ["read"] -}' | vault policy write -tls-skip-verify read-policy - - -# Enable KV secrets -vault secrets 
enable --tls-skip-verify -path=secret kv - -# Create a role for binding the policy to a service account -vault write -tls-skip-verify auth/kubernetes/role/default-role \ - bound_service_account_names=default \ - bound_service_account_namespaces=default \ - policies=default-policy \ - ttl=24h - -# Write sample secret -vault kv put -tls-skip-verify secret/helloworld ttl=1m username=test-user password=dummy-pass - -# Retrieve to verify that it worked -vault kv get -tls-skip-verify secret/helloworld +# Vault usage + +There are 2 kinds of secrets in the vault. +* Secrets for managed applications provided by Stakater (ex: Nexus repository credential) + Users only have read permission. + The path is `managed-addons/*`. +* Tenant specific secrets. + Users can create/delete/update/read secrets on the `TENANT_NAME/*` path. + +Users can manage secrets via vault UI or vault CLI. +## Using Vault UI +Once the user is included in any tenants, he can access to the Vault UI using OIDC authentication. +**Step** +* Access https://stakater-vault-openshift-stakater-vault.CLUSTER_DOMAIN +* Select `OIDC` method on `Sing in to Vault` page. +* Keep `Role` as default. +* Click `Sign in with OIDC Provider` and sign in to the proper IdP. + +Users can do all actions on the path `TENANT_NAME/*`. + +- Enable/disable any kinds of secret engines + +- Create/update/get/list/delete secrets + +## Using Vault CLI +To use vault CLI, the token is required. Users can get/renew/revoke the token on the UI. (Click the user account Avatar.) +```bash +vault login token=${TOKEN} ``` -At this point vault is up and ready to use. - -# Important - -`vault-secrets/root-token` and `vault-secrets/unseal-keys` are used for communication with vault via CLI and they should -be stored somewhere safe. - -# Vault usage example +## Inject vault secrets in pods For consuming secrets that are stored in vault, we leverage on vault agent. 
Vault agent adds init containers and side-car containers for populating secrets and managing token lifecycle. @@ -148,7 +67,7 @@ containers for populating secrets and managing token lifecycle. Let's go through a demonstration: -## Make vault accessible and set environment variables +### Make vault accessible and set environment variables ```shell script oc port-forward -n stakater-vault service/vault 8200:8200 &` @@ -159,7 +78,7 @@ export ROOT_TOKEN=`cat vault-secrets/root-token` export VAULT_TOKEN=$ROOT_TOKEN ``` -## Create namespace +### Create namespace Create a namespace to deploy our sample application that consumes secret stored in vault. We need to label the namespace with `vault.hashicorp.com/agent-webhook=enabled` to enable the injection of vault sidecars. @@ -173,7 +92,7 @@ metadata: vault.hashicorp.com/agent-webhook: enabled ``` -## Create service account +### Create service account ```yaml apiVersion: v1 @@ -185,7 +104,7 @@ metadata: app: vault-agent-demo ``` -## Create a role in vault for authentication +### Create a role in vault for authentication ```shell script # Create a role for binding the policy to a service account @@ -196,14 +115,14 @@ vault write -tls-skip-verify auth/kubernetes/role/stakater-vault-demo-role \ ttl=24h ``` -## Create a secret +### Create a secret ```shell script # Write sample secret vault kv put -tls-skip-verify secret/helloworld ttl=1m username=test-user password=dummy-pass ``` -## Required Annotations +### Required Annotations To inject secrets, we must use the following annotations: @@ -216,7 +135,7 @@ To inject secrets, we must use the following annotations: - `vault.hashicorp.com/agent-inject-template-{path-to-secret}`: Specify template to use for rendering the secrets -## Deploy the application +### Deploy the application ```yaml apiVersion: apps/v1 @@ -259,6 +178,6 @@ spec: cat /vault/secrets/helloworld ``` -## Verify +### Verify You can verify the workflow through logs of the application pod. 
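Review bot: In the new "Using Vault CLI" section (PATCH 1/4, hunk at -28,118 +28,37), `vault login token=${TOKEN}` passes the token as a command-line argument, so the expanded value is visible in the process list and the doc never says how `TOKEN` should be set without it landing in shell history. Suggest documenting plain `vault login`, which prompts for the token with hidden input, or `vault login -` to read it from stdin. The section also never tells the reader to set `VAULT_ADDR`, which the deleted setup section used to export. In the same hunk, `Sing in to Vault` should read `Sign in to Vault`, and "he can access to the Vault UI" would read better as "they can access the Vault UI".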
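Review bot: The demo step "Make vault accessible and set environment variables" (PATCH 1/4, hunk at -159,7 +78,7) still reads `vault-secrets/root-token` and runs `export VAULT_TOKEN=$ROOT_TOKEN`, but this patch deletes the setup section that created that file, so a reader following the updated page has nothing to read the token from. It also conflicts with the tenant model introduced at the top of the page, where users hold a token scoped to `TENANT_NAME/*` rather than the root token. Suggest rewriting this step to use the token obtained from the UI, as described under "Using Vault CLI". The `oc port-forward` context line in the hunk at -148,7 +67,7 ends in a stray backtick after the `&` that should be removed while this block is being touched.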
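Review bot: In the "Create a secret" step (PATCH 1/4, hunk at -196,14 +115,14) the sample command still writes to `secret/helloworld`, which is outside both paths the new "Vault usage" section says a user can reach (`managed-addons/*` read-only and `TENANT_NAME/*` read/write). As written the example will be denied for a tenant user; suggest moving the sample secret under `TENANT_NAME/` and updating the later injection steps that refer to the same secret to match. The commands in this hunk and in the "Create a role in vault for authentication" hunk also keep `-tls-skip-verify`, which turns off server certificate verification; since the page is now user-facing, it would be better to document trusting the cluster CA and drop the flag.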
From aa50ca27e31e4758794d66e41dfbc1ae7983e09d Mon Sep 17 00:00:00 2001 From: Rasheed Amir Date: Thu, 4 Mar 2021 08:03:17 +0100 Subject: [PATCH 2/4] update vault consuming part --- content/sre/secrets/vault.md | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/content/sre/secrets/vault.md b/content/sre/secrets/vault.md index 9f502c0f..1bd99cd4 100644 --- a/content/sre/secrets/vault.md +++ b/content/sre/secrets/vault.md @@ -38,8 +38,11 @@ There are 2 kinds of secrets in the vault. Users can create/delete/update/read secrets on the `TENANT_NAME/*` path. Users can manage secrets via vault UI or vault CLI. + ## Using Vault UI + Once the user is included in any tenants, he can access to the Vault UI using OIDC authentication. + **Step** * Access https://stakater-vault-openshift-stakater-vault.CLUSTER_DOMAIN * Select `OIDC` method on `Sing in to Vault` page. @@ -53,12 +56,24 @@ Users can do all actions on the path `TENANT_NAME/*`. - Create/update/get/list/delete secrets ## Using Vault CLI + To use vault CLI, the token is required. Users can get/renew/revoke the token on the UI. (Click the user account Avatar.) ```bash vault login token=${TOKEN} ``` -## Inject vault secrets in pods +## Consuming vault secrets in pods + +There are different ways to consume vault secrets in a pod + +1. Vault API +2. Inject secrets via sidecar + +### Vault API + +TBD + +### Inject vault secrets in pods For consuming secrets that are stored in vault, we leverage on vault agent. Vault agent adds init containers and side-car containers for populating secrets and managing token lifecycle. @@ -67,7 +82,7 @@ containers for populating secrets and managing token lifecycle. Let's go through a demonstration: -### Make vault accessible and set environment variables +#### Make vault accessible and set environment variables ```shell script oc port-forward -n stakater-vault service/vault 8200:8200 &` 
@@ -78,7 +93,7 @@ export ROOT_TOKEN=`cat vault-secrets/root-token` export VAULT_TOKEN=$ROOT_TOKEN ``` -### Create namespace +#### Create namespace Create a namespace to deploy our sample application that consumes secret stored in vault. We need to label the namespace with `vault.hashicorp.com/agent-webhook=enabled` to enable the injection of vault sidecars. @@ -92,7 +107,7 @@ metadata: vault.hashicorp.com/agent-webhook: enabled ``` -### Create service account +#### Create service account ```yaml apiVersion: v1 @@ -104,7 +119,7 @@ metadata: app: vault-agent-demo ``` -### Create a role in vault for authentication +#### Create a role in vault for authentication ```shell script # Create a role for binding the policy to a service account @@ -115,14 +130,14 @@ vault write -tls-skip-verify auth/kubernetes/role/stakater-vault-demo-role \ ttl=24h ``` -### Create a secret +#### Create a secret ```shell script # Write sample secret vault kv put -tls-skip-verify secret/helloworld ttl=1m username=test-user password=dummy-pass ``` -### Required Annotations +#### Add Required Annotations To inject secrets, we must use the following annotations: @@ -135,7 +150,7 @@ To inject secrets, we must use the following annotations: - `vault.hashicorp.com/agent-inject-template-{path-to-secret}`: Specify template to use for rendering the secrets -### Deploy the application +#### Deploy the application ```yaml apiVersion: apps/v1 @@ -178,6 +193,6 @@ spec: cat /vault/secrets/helloworld ``` -### Verify +#### Verify You can verify the workflow through logs of the application pod. From 0db930eb2ae83149a36e50804f23e7489732e967 Mon Sep 17 00:00:00 2001 From: Rasheed Amir Date: Thu, 4 Mar 2021 08:04:53 +0100 Subject: [PATCH 3/4] Update vault.md --- content/sre/secrets/vault.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/sre/secrets/vault.md b/content/sre/secrets/vault.md index 1bd99cd4..80c4020d 100644 --- a/content/sre/secrets/vault.md 
+++ b/content/sre/secrets/vault.md @@ -69,11 +69,11 @@ There are different ways to consume vault secrets in a pod 1. Vault API 2. Inject secrets via sidecar -### Vault API +### 1. Vault API TBD -### Inject vault secrets in pods +### 2. Inject vault secrets in pods For consuming secrets that are stored in vault, we leverage on vault agent. Vault agent adds init containers and side-car containers for populating secrets and managing token lifecycle. From 33931df860d786fc1b16ac3352de4415d8c08ba5 Mon Sep 17 00:00:00 2001 From: cuttingedge1109 Date: Thu, 4 Mar 2021 11:48:18 +0100 Subject: [PATCH 4/4] add-screenshots --- content/sre/secrets/images/vault_cli.png | Bin 0 -> 68380 bytes content/sre/secrets/images/vault_oidc_login.png | Bin 0 -> 11888 bytes content/sre/secrets/images/vault_token.png | Bin 0 -> 8253 bytes content/sre/secrets/vault.md | 11 +++++++++++ 4 files changed, 11 insertions(+) create mode 100644 content/sre/secrets/images/vault_cli.png create mode 100644 content/sre/secrets/images/vault_oidc_login.png create mode 100644 content/sre/secrets/images/vault_token.png 
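Review bot: The new "### Vault API" section (PATCH 2/4, hunk at -53,12 +56,24) is committed with the body `TBD`, so the page lists "Vault API" as the first way to consume secrets and then documents nothing for it. Suggest leaving item 1 out of the list until the section has content, or replacing `TBD` with at least the authentication method and path a pod is expected to use. The added line "There are different ways to consume vault secrets in a pod" is missing its closing colon, and the context of the first hunk (-38,8 +38,11) still carries `Sing in to Vault` from PATCH 1/4, which this patch touches around but does not fix.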
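Review bot: The renamed headings in PATCH 3/4 (hunk at -69,11 +69,11) hard-code the list numbers, and the second one, `### 2. Inject vault secrets in pods`, does not match the list item it is numbered after, `2. Inject secrets via sidecar`. Suggest using the same wording in both places, for example "Inject secrets via sidecar" for the heading, which also avoids repeating "in pods" from the parent heading "Consuming vault secrets in pods". Numbered headings will need manual renumbering whenever an option is added or removed, so consider dropping the numbers from the headings and keeping them only in the list.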
diff --git a/content/sre/secrets/images/vault_cli.png b/content/sre/secrets/images/vault_cli.png new file mode 100644 index 0000000000000000000000000000000000000000..6c3829f3700fd8aa18199102b661196437623083 GIT binary patch literal 68380
diff --git a/content/sre/secrets/images/vault_oidc_login.png b/content/sre/secrets/images/vault_oidc_login.png new file mode 100644 index 0000000000000000000000000000000000000000..e4248b332090ae4bd595527e6a7a4705cd3a44e2 GIT binary patch literal 11888
diff --git a/content/sre/secrets/images/vault_token.png b/content/sre/secrets/images/vault_token.png new file mode 100644 index 0000000000000000000000000000000000000000..50810f41ce86a8e0f7ff9e1a56fe4c4d48462624 GIT binary patch literal 8253
zwj~$bfR1gUp6crH9#fwhNRAv#rj}b$yLX#l9oJ25Hq{G8q<*7KUoTZ(=hItLx)82S zI#8{UOg$&>4iX)LJP(>YH_5FR)&hAO3?b)sK zAAVnm52YP;&3qr?eSOz^lqPbZrKsu4!>GTqIs{V&>)MliKqn%L*H3Mue=Tc_^23B* zxuK$OvIjq@#2#)dhi*~dAZqvD`|^OyY^~&GLf^8pwHBU*(Ti1$7~PuK^pPt^*-P;@ zWpzilIDa#?9}->IChE0{Lq0oc-1 zC|iQ$`z}?gTbom!qj9JH9Ymy+5pGc%wZG~MFEuW!&?cd(g>Uyqn#1CRh?!jEFu^ZW zTeKQd)pR_u>J6Ytu@!>4oZOlJ%Wi!)t;jw0VWw?`Sc$Xc*YUVHA5$)KuQV3EgO3S;lIus z{*jEp<9xOrGF_S{SYZ6`@Rk}Qjhvo|6k}mLp?viBRtntkzd5=1w;ANWjyC?jVfHyT zu6QhUh1+PU=XNSusK0hGAL60u%IAFUmO zR9h~1mEarbBU3)AM*dj9X*rHg9qj&ygj234FJV8gkOK6T-)NV5Tq(tBoN%B zGiCuuX*Lg&N+&p+dR_}S{g6#}xFEK^Tc)S^p{jCKI;;ewXvQB(lrhB;Yq{jQx%z(h zz4~rg-UpKQ9#D$D#3*8Ir`a;}!*gpav;yQ%AEZ9qrKQ637cJtEy0!k))*({K^KCHx zxa;tGmsO@7L8$*-ZS8WgBXjzwuqvJv{AB2W@3i*ib~dXPp#^|~(~{))q}#A*SR<~> z)GfA>D0??dh(XQ?$y#DDQj*Wa|$N9ccr8w(ZP)Cl~Vt4YI_6{M;DI zZ8gE)zJ-JL+%-0I89sfj&6$Zns?q=UAyTFFvf``KtY=MnPOZ{GWTc&*SwezO{R+&L zg4L)aZ%{<;)KqveTWYzTia%~UV^tf)%WlRxGgSJpL<8q}obpc-|KIv83J^Y^h`7T`+xJm))fE#I)yNT-g~h4w1LmY5_BW7~KMs3q|)xBeO6tY3#0u zPw%c|wJ%^$6IX?(FiM?O8l+vMxLC&9VCmAtCr{z$1+$>w0pg>6cg2ti@uI zV~O~q0_cE9!h1;~2Y+0gqY>*n;qVgtR7>VvlE1Y*3xBNQgSW$~eZ-A(1ZesB7aPf= zX%}o>pc|Sp(uf>?L8TJAna0obZkIk|EO<4za5`Bv@yi^YzoH-7xp`DV79KELMTA+q z8u^`cRmP+h@NLMO_v6;hpRvqhQDhfqKt8Spwn)_s5QpP2Ymv=Ng+5flgPz%fAb^8} zlm>o+a)N55mh6L6OAsSI9Od}**QMS}z-=0xaMnPa0jEju0GA(6|5pm^y@FSjs+4Fn ziCqeKD1gW;GTF=$d9Zhrq^4~(u0Bqs-IhZ69e%| zGYLca|4-qc{nf7DJ8Xu1!#LKzQuebDgB+N-^vlGc1RDs7VkhSrN$u4!@Zk4kqaL?y z4EV)tC;uu!eYKdsgcSJTFS#Uh3ItCvE9o9UI||)wopBER^t~)~wCn3|G1?5FO}yte z`&OYrAOax^0G04Z?S)x`+ebi+1krby$H{nk$v4)*+4|C|^j<{H}|ALCKHPE0*@c*BSqa)d2Tl}8XKZJ$9 UXdo#bJ@Us;QP7aDeQg%{A0_|79smFU literal 0 HcmV?d00001 diff --git a/content/sre/secrets/vault.md b/content/sre/secrets/vault.md index 9f502c0f..1bda3fb1 100644 --- a/content/sre/secrets/vault.md +++ b/content/sre/secrets/vault.md 
@@ -40,6 +40,9 @@ There are 2 kinds of secrets in the vault. Users can manage secrets via vault UI or vault CLI. ## Using Vault UI Once the user is included in any tenants, he can access to the Vault UI using OIDC authentication. + +![vault-oidc-login](./images/vault_oidc_login.png) + **Step** * Access https://stakater-vault-openshift-stakater-vault.CLUSTER_DOMAIN * Select `OIDC` method on `Sing in to Vault` page. @@ -54,6 +57,14 @@ Users can do all actions on the path `TENANT_NAME/*`. ## Using Vault CLI To use vault CLI, the token is required. Users can get/renew/revoke the token on the UI. (Click the user account Avatar.) + +![vault-token](./images/vault_token.png) + +Once token is fetched, users can use the CLI provided by UI. So there is no need to install vault CLI. + +![vault-cli](./images/vault_cli.png) + + ```bash vault login token=${TOKEN} ```
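Review bot: In the `@@ -40,6 +40,9 @@` hunk the `vault_oidc_login.png` screenshot is inserted above `**Step**`, before the reader has been told to open the URL or select `OIDC`; move it under the `Select OIDC method` step it illustrates and give it descriptive alt text (for example "Vault sign-in page with the OIDC method selected") instead of the file-name slug. Since these lines are being touched anyway, the adjacent context also carries `Sing in to Vault` (should be `Sign in to Vault`) and "he can access to the Vault UI", which are worth fixing in the same commit.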
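Review bot: In the `@@ -54,6 +57,14 @@` hunk the new sentence says there is "no need to install vault CLI", but the next line is the existing `vault login token=${TOKEN}` block, so it is unclear whether that command is meant for the CLI provided by the UI or for a locally installed one; state which environment each command runs in. Also, `vault_token.png` documents the token screen, so confirm the screenshot shows a redacted or already-revoked token before it is committed. Minor: "Once token is fetched" should read "Once the token is fetched", and the hunk adds two blank lines before the code fence where one is enough.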