From 81849ca568069a0291aa10d17a1eb9ad7d174e13 Mon Sep 17 00:00:00 2001 From: Jeev B Date: Thu, 15 Dec 2022 09:38:05 -0800 Subject: [PATCH] Add support for authentication in flyte-binary chart (#3155) Signed-off-by: Jeev B Signed-off-by: Jeev B --- charts/flyte-binary/README.md | 11 +++ charts/flyte-binary/templates/_helpers.tpl | 14 ++++ .../templates/admin-auth-secret.yaml | 16 ++++ .../templates/auth-client-secret.yaml | 19 +++++ charts/flyte-binary/templates/configmap.yaml | 76 ++++++++++++++++++ charts/flyte-binary/templates/deployment.yaml | 54 +++++++++++++ charts/flyte-binary/values.yaml | 32 ++++++++ charts/flyte-sandbox/Chart.lock | 2 +- .../charts/flyte-binary-0.1.0.tgz | Bin 9178 -> 10353 bytes .../sandbox-bundled/manifests/compiled.yaml | 4 +- 10 files changed, 225 insertions(+), 3 deletions(-) create mode 100644 charts/flyte-binary/templates/admin-auth-secret.yaml create mode 100644 charts/flyte-binary/templates/auth-client-secret.yaml diff --git a/charts/flyte-binary/README.md b/charts/flyte-binary/README.md index 0a8f1f2e1b..35c2e73780 100644 --- a/charts/flyte-binary/README.md +++ b/charts/flyte-binary/README.md @@ -16,6 +16,12 @@ Chart for basic single Flyte executable deployment | commonAnnotations | object | `{}` | | | commonLabels | object | `{}` | | | configuration.annotations | object | `{}` | | +| configuration.auth.enabled | bool | `false` | | +| configuration.auth.internal.clientSecret | string | `""` | | +| configuration.auth.internal.clientSecretHash | string | `""` | | +| configuration.auth.oidc.baseUrl | string | `""` | | +| configuration.auth.oidc.clientId | string | `""` | | +| configuration.auth.oidc.clientSecret | string | `""` | | | configuration.database.dbname | string | `"flyte"` | | | configuration.database.host | string | `"127.0.0.1"` | | | configuration.database.options | string | `"sslmode=disable"` | | 
@@ -54,6 +60,11 @@ Chart for basic single Flyte executable deployment | deployment.extraPodSpec | object | `{}` | | | deployment.extraVolumeMounts | list | `[]` | | | deployment.extraVolumes | list | `[]` | | +| deployment.genAdminAuthSecret.args | list | `[]` | | +| deployment.genAdminAuthSecret.command | list | `[]` | | +| deployment.genAdminAuthSecret.image.pullPolicy | string | `"IfNotPresent"` | | +| deployment.genAdminAuthSecret.image.repository | string | `"cr.flyte.org/flyteorg/flyteadmin"` | | +| deployment.genAdminAuthSecret.image.tag | string | `"v1.1.57"` | | | deployment.image.pullPolicy | string | `"IfNotPresent"` | | | deployment.image.repository | string | `"ghcr.io/flyteorg/flyte-sandbox"` | | | deployment.image.tag | string | `"flytebinary_1007"` | | diff --git a/charts/flyte-binary/templates/_helpers.tpl b/charts/flyte-binary/templates/_helpers.tpl index 4f0b160eb2..c97d89f4cf 100644 --- a/charts/flyte-binary/templates/_helpers.tpl +++ b/charts/flyte-binary/templates/_helpers.tpl @@ -132,6 +132,20 @@ templates: {{- toYaml .custom | nindent 2 -}} {{- end -}} {{- end -}} +{{/* +Get the Secret name for Flyte admin authentication secrets. +*/}} +{{- define "flyte-binary.configuration.auth.adminAuthSecretName" -}} +{{- printf "%s-admin-auth" (include "flyte-binary.fullname" .) -}} +{{- end -}} + +{{/* +Get the Secret name for Flyte authentication client secrets. +*/}} +{{- define "flyte-binary.configuration.auth.clientSecretName" -}} +{{- printf "%s-client-secrets" (include "flyte-binary.fullname" .) -}} +{{- end -}} + {{/* Get the Flyte cluster resource templates ConfigMap name. */}} diff --git a/charts/flyte-binary/templates/admin-auth-secret.yaml b/charts/flyte-binary/templates/admin-auth-secret.yaml new file mode 100644 index 0000000000..55cdeb4564 --- /dev/null +++ b/charts/flyte-binary/templates/admin-auth-secret.yaml 
@@ -0,0 +1,16 @@
+{{- if .Values.configuration.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "flyte-binary.configuration.auth.adminAuthSecretName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- if .Values.commonAnnotations }}
+ {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+{{- end }}
diff --git a/charts/flyte-binary/templates/auth-client-secret.yaml b/charts/flyte-binary/templates/auth-client-secret.yaml
new file mode 100644
index 0000000000..d58fecc193
--- /dev/null
+++ b/charts/flyte-binary/templates/auth-client-secret.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.configuration.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "flyte-binary.configuration.auth.clientSecretName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- if .Values.commonAnnotations }}
+ {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ client_secret: {{ required "Internal client secret required when authentication is enabled" .Values.configuration.auth.internal.clientSecret | quote }}
+ oidc_client_secret: {{ required "OIDC client secret required when authentication is enabled" .Values.configuration.auth.oidc.clientSecret | quote }}
+{{- end }}
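Review bot: The admin auth Secret in admin-auth-secret.yaml is rendered with no `data` or `stringData`, and nothing in the template explains that its contents are expected to be written at pod start by the `gen-admin-auth-secret` init container added in deployment.yaml. A template comment such as `{{- /* Data is left empty on purpose: it is written at runtime by the gen-admin-auth-secret init container */ -}}` at the top of the file would stop a later maintainer from treating it as dead or broken. Because Helm owns the object while another actor writes its data, it is also worth confirming (this patch does not show it) that `helm upgrade` and rollback leave the generated data in place.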
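Review bot: Both `stringData` entries in auth-client-secret.yaml are filled directly from chart values, so the internal and OIDC client secrets have to be supplied in plaintext through a values file or `--set`, and they are then kept in the Helm release record as well as in this Secret; the new `configuration.auth.*` keys in values.yaml have the same property. The chart already lets an operator bring a pre-existing ConfigMap through `configuration.externalConfigMap`, and an equivalent optional value naming a pre-created Secret would let these two secrets come from a secret manager instead. With such a value set, this template would be skipped and the projected volume in deployment.yaml would reference the named Secret. Until then, a comment in values.yaml saying `# clientSecret Supply at install time; do not commit real values to version control` would at least state the expectation.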
diff --git a/charts/flyte-binary/templates/configmap.yaml b/charts/flyte-binary/templates/configmap.yaml
index fa993ff18d..77af0868a9 100644
--- a/charts/flyte-binary/templates/configmap.yaml
+++ b/charts/flyte-binary/templates/configmap.yaml
@@ -108,6 +108,82 @@ data: {{- end }} container: {{ required "Metadata container required" .metadataContainer }} {{- end }} + {{- if.Values.configuration.auth.enabled }} + 004-auth.yaml: | + auth: + appAuth: + selfAuthServer: + staticClients: + flytepropeller: + client_secret: {{ required "Internal client secret hash required when authentication is enabled" .Values.configuration.auth.internal.clientSecretHash | quote }} + grant_types: + - refresh_token + - client_credentials + id: flytepropeller + response_types: + - token + scopes: + - all + - offline + - access_token + flyte-cli: + grant_types: + - refresh_token + - authorization_code + id: flyte-cli + public: true + redirect_uris: + - http://localhost:53593/callback + - http://localhost:12345/callback + response_types: + - code + - token + scopes: + - all + - offline + - access_token + flytectl: + grant_types: + - refresh_token + - authorization_code + id: flytectl + public: true + redirect_uris: + - http://localhost:53593/callback + - http://localhost:12345/callback + response_types: + - code + - token + scopes: + - all + - offline + - access_token + thirdPartyConfig: + flyteClient: + clientId: flytectl + redirectUri: http://localhost:53593/callback + scopes: + - offline + - all + authorizedUris: + {{- if .Values.ingress.host }} + - https://{{ include "flyte-binary.renderTemplate" ( dict "value" .Values.ingress.host "context" $ ) }} + {{- end }} + - http://{{ include "flyte-binary.fullname" . }}:{{ include "flyte-binary.service.httpPort" . }} + - http://{{ include "flyte-binary.fullname" . }}.{{ .Release.Namespace }}:{{ include "flyte-binary.service.httpPort" . }} + - http://{{ include "flyte-binary.fullname" . }}.{{ .Release.Namespace }}.svc:{{ include "flyte-binary.service.httpPort" . }} + - http://{{ include "flyte-binary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ include "flyte-binary.service.httpPort" . 
}} + userAuth: + openId: + baseUrl: {{ required "OIDC base URL required when authentication is enabled" .Values.configuration.auth.oidc.baseUrl | quote }} + clientId: {{ required "OIDC client ID required when authentication is enabled" .Values.configuration.auth.oidc.clientId | quote }} + scopes: + - profile + - openid + server: + security: + useAuth: true + {{- end }} {{- if .Values.configuration.inline }} 010-inline-config.yaml: | {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.configuration.inline "context" $ ) | nindent 4 }} diff --git a/charts/flyte-binary/templates/deployment.yaml b/charts/flyte-binary/templates/deployment.yaml index 438b5985e3..3959c8511d 100644 --- a/charts/flyte-binary/templates/deployment.yaml +++ b/charts/flyte-binary/templates/deployment.yaml @@ -42,6 +42,10 @@ spec: {{- if and .Values.configuration.database.password (not .Values.configuration.externalConfigMap) }} checksum/db-password-secret: {{ include (print $.Template.BasePath "/db-password-secret.yaml") . | sha256sum }} {{- end }} + {{- if .Values.configuration.auth.enabled }} + checksum/admin-auth-secret: {{ include (print $.Template.BasePath "/admin-auth-secret.yaml") . | sha256sum }} + checksum/auth-client-secret: {{ include (print $.Template.BasePath "/auth-client-secret.yaml") . | sha256sum }} + {{- end }} {{- if .Values.commonAnnotations }} {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 8 }} {{- end }} 
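Review bot: The `client_secret` of the `flytepropeller` static client in `004-auth.yaml` is the operator-supplied `clientSecretHash`, and it lands in a ConfigMap, which is usually readable by more principals than a Secret. The chart neither checks that the hash corresponds to `configuration.auth.internal.clientSecret` nor says how strong that secret must be. Anyone who can read the ConfigMap can test guesses against a bcrypt hash offline, and this client is granted `client_credentials` with scope `all`, so the values.yaml comment should say so, e.g. `# clientSecret Must be a long random value; its bcrypt hash is published in the ConfigMap`. A mismatched pair would only show up at runtime as a propeller authentication failure, which is worth one sentence in the README. Separately, the first added line reads `{{- if.Values.configuration.auth.enabled }}`; if that is how the file is written and not a rendering artifact, `{{- if .Values.configuration.auth.enabled }}` matches the rest of the chart.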
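Review bot: `checksum/admin-auth-secret` in the pod annotations hashes the rendered admin-auth-secret.yaml, which carries no data, so the annotation does not change when the generated key material changes and only tracks name or label edits. A template comment such as `{{- /* tracks metadata only; the Secret data is generated at runtime */ -}}` above it would avoid the impression that it triggers a rollout on rotation. `checksum/auth-client-secret` is a plain SHA-256 over a manifest that contains both client secrets and is exposed to anyone who can read pod metadata, which is one more reason those secrets need to be high-entropy. The `annotations:` block this hunk extends starts outside the hunk.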
@@ -91,6 +95,43 @@ spec: resources: {{- toYaml .Values.deployment.resources | nindent 12 }} {{- end }} {{- end }} + {{- if .Values.configuration.auth.enabled }} + - name: gen-admin-auth-secret + {{- with .Values.deployment.genAdminAuthSecret.image }} + image: {{ printf "%s:%s" .repository .tag | quote }} + imagePullPolicy: {{ .pullPolicy | quote }} + {{- end }} + command: + {{- if .Values.deployment.genAdminAuthSecret.command }} + {{- include "flyte-binary.renderTemplate" (dict "value" .Values.deployment.genAdminAuthSecret.command "context" $) | nindent 12 }} + {{- else }} + - sh + - -ec + {{- end }} + args: + {{- if .Values.deployment.genAdminAuthSecret.args }} + {{- include "flyte-binary.renderTemplate" (dict "value" .Values.deployment.genAdminAuthSecret.args "context" $) | nindent 12 }} + {{- else }} + - | + flyteadmin --config=/etc/flyte/config.d/*.yaml \ + secrets init --localPath /tmp/admin-auth-secret + flyteadmin --config=/etc/flyte/config.d/*.yaml \ + secrets create \ + --name {{ include "flyte-binary.configuration.auth.adminAuthSecretName" . }} \ + --fromPath /tmp/admin-auth-secret + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: config + mountPath: /etc/flyte/config.d + {{- if .Values.deployment.resources }} + resources: {{- toYaml .Values.deployment.resources | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.deployment.initContainers }} {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.deployment.initContainers "context" $ ) | nindent 8 }} {{- end }} @@ -168,6 +209,10 @@ spec: lifecycle: {{- include "flyte-binary.renderTemplate" (dict "value" .Values.deployment.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + {{- if .Values.configuration.auth.enabled }} + - name: auth + mountPath: /etc/secrets + {{- end }} - name: cluster-resource-templates mountPath: /etc/flyte/cluster-resource-templates - name: config 
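Review bot: The `gen-admin-auth-secret` init container runs `flyteadmin ... secrets create --name <adminAuthSecretName>`, so the pod's service account needs write access to Secrets, yet the diffstat of this patch lists no Role or RoleBinding change and nothing in the hunk scopes that access. If the grant lives elsewhere in the chart, it is worth confirming that it is limited to what this step needs, ideally `get`/`update` on this one pre-created Secret via `resourceNames` and not write access to every Secret in the namespace. The container also runs on every pod start; whether `secrets create` replaces an existing Secret is not visible here, and if it does, each restart would regenerate the auth material and invalidate anything issued under the old one. A comment above the default `args` saying which of the two behaviours applies would help, e.g. `# runs on every pod start; see flyteadmin "secrets create" for overwrite behaviour`. The enclosing `initContainers` list starts outside the hunk.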
@@ -186,6 +231,15 @@ spec: {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.deployment.sidecars "context" $ ) | nindent 8 }} {{- end }} volumes: + {{- if .Values.configuration.auth.enabled }} + - name: auth + projected: + sources: + - secret: + name: {{ include "flyte-binary.configuration.auth.adminAuthSecretName" . }} + - secret: + name: {{ include "flyte-binary.configuration.auth.clientSecretName" . }} + {{- end }} - name: cluster-resource-templates configMap: name: {{ include "flyte-binary.clusterResourceTemplates.configMapName" . }} diff --git a/charts/flyte-binary/values.yaml b/charts/flyte-binary/values.yaml index 39140a97f0..7ed6180e21 100644 --- a/charts/flyte-binary/values.yaml +++ b/charts/flyte-binary/values.yaml @@ -73,6 +73,24 @@ configuration: enabled: false templateUri: "" custom: [] + # auth Specify configuration for Flyte authentication + auth: + # enabled Enable Flyte authentication + enabled: false + # oidc OIDC configuration for Flyte authentication + oidc: + # baseUrl URL for OIDC provider + baseUrl: "" + # clientId Flyte application client ID + clientId: "" + # clientSecret Flyte application client secret + clientSecret: "" + # internal Configuration for internal authentication + internal: + # clientSecret Client secret for internal authentication + clientSecret: "" + # clientSecretHash Bcrypt hash of of clientSecret + clientSecretHash: "" # externalConfigMap Specify an existing, external ConfigMap to use as configuration for Flyte # If set, this no ConfigMap generated by this chart externalConfigMap: "" 
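Review bot: The `auth` projected volume is declared without `defaultMode`, so the generated admin auth material and both client secrets are mounted at `/etc/secrets` with the Kubernetes default file mode (0644) and are readable by every user inside the container. Adding `defaultMode: 0400` under `projected:` would narrow that. If the Flyte process runs as a non-root user, which this hunk does not show, the mode may need to be `0440` combined with an `fsGroup` on the pod. The `volumes:` list continues outside the hunk.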
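Review bot: The comments on the new `auth` values do not say that `oidc.baseUrl`, `oidc.clientId`, `oidc.clientSecret`, `internal.clientSecret` and `internal.clientSecretHash` all become mandatory once `enabled` is true, although the templates in this patch wrap each of them in `required`. A line such as `# enabled Enable Flyte authentication; every oidc.* and internal.* value below must then be set` would save a failed install. The `clientSecretHash` comment also has a doubled word and should read `# clientSecretHash Bcrypt hash of clientSecret`.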
@@ -156,6 +174,20 @@ deployment: command: [] # args Override default init container args args: [] + # genAdminAuthSecret Configure init container to generate secrets for internal use + genAdminAuthSecret: + # image Configure image to use for gen-admin-auth-secret init container + image: + # repository Init container image repository + repository: cr.flyte.org/flyteorg/flyteadmin + # tag Init container image tag + tag: v1.1.57 + # pullPolicy Init container image pull policy + pullPolicy: IfNotPresent + # command Override default init container command + command: [] + # args Override default init container args + args: [] # labels Add labels to Flyte deployment labels: {} # annotations Add annotations to Flyte deployment diff --git a/charts/flyte-sandbox/Chart.lock b/charts/flyte-sandbox/Chart.lock index 115e6f3883..9b192cad1d 100644 --- a/charts/flyte-sandbox/Chart.lock +++ b/charts/flyte-sandbox/Chart.lock @@ -15,4 +15,4 @@ dependencies: repository: https://charts.bitnami.com/bitnami version: 12.1.0 digest: sha256:ce2d6bd1488364f3ca98cc306554e479f1190ac828925af78a468a52f752449c -generated: "2022-12-14T12:10:02.400116-08:00" +generated: "2022-12-14T20:07:29.49547-08:00" 
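Review bot: The `genAdminAuthSecret` image is identified only by the mutable tag `v1.1.57`, and deployment.yaml builds the reference as `printf "%s:%s" .repository .tag`, so it cannot be pinned by digest even though this container generates and writes the admin auth secret. An optional digest value, rendered as `repository@sha256:<digest>` when set, would make the reference immutable. The flyteadmin version here is also chosen independently of `deployment.image.tag`, so the comment could say `# tag Init container image tag; keep compatible with deployment.image.tag`.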
diff --git a/charts/flyte-sandbox/charts/flyte-binary-0.1.0.tgz b/charts/flyte-sandbox/charts/flyte-binary-0.1.0.tgz index a3b36300edfa8c358c31ec6fd78a58820d55ad51..9e4bbebd6ed700d832caf14c43a23700426858f2 100644 GIT binary patch literal 10353 zcmV-%D2~@3iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKDHbKEx4;Qso}Ux6KGzqNBFXGSl3rz&?ROOB&j$5B~!wzhIx z4u-_cV8tOA0F7OtnBgB0WtgN>aIrIhS!Vy7gp-4CJctpCD9*TiCnW^T2?aCAa0D1m z7YPF23Mm5UGm3H!X9)r^$`W$5LMb1laD}G8m9qiA%Fq(VlsdOAp!tvm@ zZk5OLl*a!BOmf6Ft^nG{|IXgtc&9S{_r`nM@&6#t6ClRt4;P4193ybXDNYxF6F|%> zS3*Kj7;v=863EfO1)YN7aPS1o^CVddqX8(eR#9lo5m~KB`WDVm!oXo1gGBx01i&N# zd}*`}iUCE87D6KMf{+ zT2zopFatCN8DV@u5!2W*$k-*JF*r3p8W3G#zSJ-$bHEUP4j?!~5k(wa;v@kx1R{zc zN3kpm_!2W9wGV)43|1sh#Wzm0Wywe^@fixFNR){>g?tIV7l4`gMdo0R6WKf*;#7!W z=1@ID0LHOfg=4YYngm*>wk2U4d`B3UtxDzv&p2fqrV)|_MX@QE?7Rra;W(TaQVHeY zRQ%J_0lIEN`4sH$?e1v6cvf_xTPG)?vt%JvMB7;nMlvhjSp0$sh!TuaZodeLFao3o zslhE#=wegASh6B9`X| z$rh0yx?@Z^304D|g5l~aAans!{2y6$pwvrbN(`N`aNMIlIYMlOHK_g-W|Umu7*X(p z(+luOG+I-T2 z;p#bnQG^&fM_12m-KOR#7-G08(IgB19bJJ#`3sz*D@lP%Tfg?Rs48qTspUl#THoKk z3X96A;)xg^Z4&zC=*%agi-@^0no%N)ydgwPUyc%z$Mz*o+r?Fv^C*Hvlm+_hQ0mBp zEEa;>W*wQ31p{b>x#-#1mG%vQfi%i8K^G_iXF^*ok@%?I$glF(6j&>hY^=~B8(MN)*Ta}t|+iq!_=1)UsQIZ#DC@LG#C;!sMeghzom zP9sja@Te0jAVnM4Po8El-==<&j$8sdku?xk#rhp&OYkb9R~ZLO@te%We{K;EIsv6o zJ^|>nqCzqIJOGpL5 zHJU87I8AVhe9E#+gK%f{e3TUgJ=b%I6{3q`E`xxXnU$O_Rh679O3fjslXBW(YL_z? 
z>D^EiaYC;|wbg0NeUezvWE&{)O}NeE&9U7`{HD>SSfHUesvK6n7Nl4TEzz?M|dTs&IP#o+nEy>eJ4K{Q%q4t z7?usH>Qi9FYgw-Na|#yAh=!PqKb6nR$|&k_1O(Qp9VJ$@j{;w8f_2Wd4ruQ;L{cW08Z2!q@4=kB~BONGZHh>Pfx_ zD80axq_QzDAjQJFP)l=hv23H{+hVb9kNdJ1BxV7{3{?N{wAG7hS*bU?XkE)^ziK00 zt5LsSzq*p)R*RT0je%WfjnN$DiN%blDKY@&SK$=W1#5#8--YbcMbV-OzCbBr?39uj zY6CU}h31+mlYNHJ6f8N<*mN{1CILb)V-m3uhwPkQ#d&W~2Nb~=%U_H` z%5ypGnjtn4W8Njy4t)#JNxv;=87RXRiceLo5LzW_UMpzF(X}#`qHE!7wE<&d%jAb-N4kUPmIg@Lz6#bGT z##sa97Fg*d1!z3f6 zLqUmJ2fnL7nF<13fsmRyJ=3OH4b9U-_K_hv1qb{4yL-jUH83fAHXET zDYB4``SK#D+Obwk)~b&yeOoBys#<|+73wH^OT_}E0Ti%-n2QE_l6ueb5z$b3E1`9C><>xH+H!L-2`AzHi$Ac`cs*&) zhS++Jvr5EmZzagyQDf^!4OEYd( zvuX}lfs5f7MZzugFHk6I>bMM;#Uq5_s3`BjRu-2!$})yBv!^5$7`sXuwuu?VJO zW-d*X+$)GdEQAZ0R!1k|{3Vndy2;>{JlN&&}Xe(@jDtVi`## zv&Bd?@bdpkH40b9uGuYU7TI|~N@8>>iFik1UANQBh9*2OaU&dppWkWFpM~%E^IHPr zS1^HTgy_!$P$2H2ATkXiwlUl6yTDn@4s=(H)Cx#o$PNTs z!A#dNdZG!$=_24u6etD)#Xx{FXR)coupKnDwmy@f?_s(?vhyfn%&gc!iU3R!a%o&! zE6W}2?;@@0DKR>nZF4nTDr*YPMq~jc5eKG4cg@Ski_Z+!=xywrG4H_5XvoM-)Ti;^|u15m|aF$;at53?xg!(72o z&|EsN!wHz-G;V55b!ulg6#YzRFmgKCu?p{B9UeKIEeiU2T8sR9lBhFH&fl-FQu#h1 z;52WM0a+)O!uk!p` zpTPWWpVIkXyX-!C_rr(RXCeR0H&I8|`G4`deExTT=f(E??}I!I{r_o+k_=H6^6c(M z!Q1(7}mQGAJjIoB$F%N@jU@b&1|UkBIMftbAD z6oFywMEDQ{MG?995UNljx&0CTsKN?L$HH%f)=wjFuq%J!)mc8DWsU2_(`Xkk3J4O%;EuZuK(@6+fBvv|Ie3{1c2->U_UwkZ^n@V#m$1#9Rmy>-!t1Ac{>Cqe?+GsTK4Q5$bp48f?vFmFO$PM@6MazTz#VKpnXW2)GsA}3S=aFeUCg-- z_PZu!RW26lNkYYJJoU3)XuiP9ox$Y(k@hmZKL$g6zVcRYGRF}O0oct56 zl4o_OGOvMU_KiMm?Aa-Fwif$Xu@bEQ>wB0r%1XI>{mfP1Fj?r$;ac#v!TiVqg=5%D zB!f!(t=E<|oW}+z>Fu)ho7SKT4Jx&5S8iyB$#@oslDFgX4xGsVFL_LCBmBt?m{Z7? 
zbw_kKx`1><^K_&)I@NyQ$a3zNnOa5id|RIuu;D`>qiBvlug9Q{kqS-N(W%5yu=Q0v zifQ_dJZFI^iox)st=&D)qP{lqTCKA{?F>!y3mCH9E)+JnsVZx1cRCvVg^dJhLmwBV zA*t(IM2-E^S>b~9t+3~qHAni(bgb368bzo>E{a~2r{4UGR$xln(s2RIA${?=cpcc& zD{_g=`Cv>{kW(yuhC+mlT>>B9pA@evr)$dr4#N^HPFzCOuo%jVz>5;)#p?>?&WBr3 zUPOM>DR*e;LAev4Q6k-WU!mRoax3E95R)49EA2+ZG^cEiBdZ;>`LxnCdtz!rFEqkD=H_XKByAK~u z<)&ppYs03s^f1h{*V4?(*Hv9m*y6CFaTZp|KP=>s{eQPUTpRMLp)!I{;$t< zx61#Isr=Q>*0Gip)$gB}4sI>2h@F^dq|!=CQ9#AJl^0zwGZA}DE5}mYOrTRq?#iM> za2$PVBTwCGvT@Qxy^UmT-f}kR|K?gUSn#W<^)@gruC+gSh1nB3diybpu`?933 zk&%eXW?~9%io+;+f2k+78j0@aa3>PyP8tjRH2fAPh=p$wGFu13v+z*g^-0tF?N2 zHqSNg@{@2;3Dx&qhUYKUF-&Xri$(r*48MPaU~A^P&5Ufh&6;!<%=$ zb7Aj)3_yZe@ki!ds~Uhjiv`qL#AYP!u0KWzx-~iGPkGp9J>t*>N_#X@om^P-uhA?d~{OqZNN9Kdv zNtR*Sw-8D{CGiR~K?X$&%s6#Tn4h9m&gEs*dLzBGShMM&@>}hRbo+lZ6|H=K>;F5u z2Yc1^|GjPgmxp<@<%4PL^#MDhH*W7C>L~bi97X5s2l(~Z(s_|Ui|N*5+y(x_RxX%X|n&) z*IB`A6UpE@;{OkXv9HAc?@zY-{}1x`_J2B}=Qg|P(-s=IT>|R1Je6>v&2I1ba6eWP zU)ig_hkcyJ3U0A^GaiqFh)`78hmof&&4jhcTa}OqCi3#Dm*baz)1PrFuSqVhX96IC z942HDL@-*S4m6WyH0CBnL8?Zn&?`6MQ*9>BI80-hkQ5yk*XWm$;TXfEvIL9}k93%4 z^S+COOvqwUWZGd%a;a~#E0L=cEL~sQD1}K!w4O@WqzS<*t8_D>0=jhRs`jDQfB6-(Q{uhwtAX{?oqI zT`aG(mQ@R3ZNfiosLHMn3gq^k`U*Bq2{nF4$JcfmlBs8qNGHrJ_bfkK7b_;cr5Im2g9 z2cWi6=jRh>i*kvbXDmbCn;u+4l0sqI#nwR>cQ<~!|Z{($fDVyOxy^%lk@^6Smy_A zLS9QldX=FNy#Ab_h@%*gR9*)3w31u&Ihf@fEC`I zr>jlU;c6e-E-CkMt$!V7sMLtx>qP+nO(gZ~&p!N0Z}baJ5SD3AhAfunJT{dj05HoA zoj=8JP39`kKM3M0SFicpbh!|Jp#;O!h*WWYLRKKrYJ%VawVUpC|k@-9+ zvc5QFrDF52r89XaxQhP{%~V=!{}hq9N{?+OQE}y4md_F#m1cD2p-83I`;=4cAxd7@ zKN=O2^8MZYzwM49m?Se8op+a??CkFCHt`Vwd``?8^w>RVDI=HO+Y ziDW1}iCyux*|+QQadJWDzfe9Pql8{4xH{i(N}l%(_=34eg&Wlj3u zZnSUU09d>J-+8fr@S=MD>&4zy|3Ap%>SmZ_tT?J&oVB?95$&xGZa-7x471Ii+^Qpf ztjD&TmbiyATMgLPXl#}tnLm&snU0gG1o<*P2`%*0Pualt$VM2Mgd*zm3i4?AwsYjv z6Rs4L9e`5!zQ*eed+~G+&bBIE`ZlRs2I|8N)*5C0-D^*u+XU6OB)Utc3j7Tc)lPbC z7(3jwIq{froGy;c8F06bXo;e8maj%7n36$wDz_uSSD|4vdWf-ymn5!Ht^b0>yS7?`S$<&Cd?$r^ck+8^)dnv5GGUB%J2R!+_@(`o4KY%x 
zpn;8pmYto}emK*s&qoSvef+U<0p%Bv73TdAf}ve!H_53yr%AnZ*Mq`t8$o8EP|zx_ZS6`>N5!!$1Mvo=d?!ITE9 zo^{#axU1LIF!)?4c37<(;#0lJmX#L)it3s&NC&RaKIbP?e`E&<6y*aYO3Vk%3rW zTc-x!y_7j2{UdtGc~+sznmBd+z{~N=mtN2X&7w}wzj;CR{Ri#Pe^VD9 zboYYPig|WQ$*g*;*!i+q`y?;mJaa3)i>XTR1xgWPiqKw6mq0utd_xB!O0}%RqQ`y- zS$l(cbsS{M;awt_@TJ@^suqyqP?1z`J5mH=yk>i97R`A zg1#f+xU-% zc&_~y5cn_nPZ7T)^c<&)+Qt4S3h)lM`Rk>ZZM;ZJFoWry%?689us+sE5i9!}Ai1@j zTPeQ-;bH{cBiU8-w+V7lNv!Ne7uqytkT0D?Ix`rZqw)zBeTZ`{|Em^?Ry=aasN(yk z`D&&wF>AjkL$pKfo(#KAB|&hU*y8fohE9A?D*Qo4^_;A-1PO;iw(41iB0R^@BWR1! z*N?q5)ZM1!^VL>5yzQ}-5HXQA_b6_Kq^U`^a&jVXVB}jx;%$ycCm(Xwt~SiVi%IyM z{IzWZzFb!l8XRr+dOmw2`#oRGcYQxMQ+2HW2rvDf*MBCv_4_|w?2NbhpC07-a@K$J z2L5*aXS@EhUH`ci;bH{cBiU8-k9GaWdrzwMJ0g-YlKk;p@LpX10X^+@zF~$RAIFcb zmwjgs9|z|blSkLt;U!9v;5;Rl>Eq@6(e-*l7WlFCx8(UT_B6@)qh$Kg^>r$wd)mh_x^J`lI2Ejqbsxtx!#!O0?n8ZxZ4h;zyK_f^!OLwX>*7X> zr|1`dx#3#^<5w_&X@uzTSxdopBu3K2YO7=-gg#I>pX12AT&Du>Em*0lb(IyJz(Ybg@f`-=nFy4E&4)$Jy2gX zSSo#wH{}~QR1W5~+yR?lq=k~UWFLE9)Ffy7G(H{kKYgju-KKyY^S_<(?m>0_cd)me z|2@dFsrjD~6fHR0G>qG+;C3q5dn#!C3BMa%zFJOsZ^cD&u18js+*~Hn|Lp)EwDdZf{ zlmSkF>U(gxL@Ai%IEit(02z$V;R3O6@C1BVVg^{ANhcMsB}x*oNXSg(pvCFpIiM(k z9A6;0Q}4WoX*_rWQnZjF4xVNd&GBaxt8@Z?einis(&P$|R6+`pK!zwtaEih~czpKh zj1!6mPr#8J>EOqsGZ16S2H^tpk^EPYKL}_4p(FXPd9hrK#6RXwc9D(>L^Bwj=NXve z1hK)_A-l{5UxzbzKKMH1EAg99ycm4_{|8UNkC0-LGjMYJnhipI$KN2tF@hsioRWVJ z!V4CW7>#}p?sIAUe-F=*Xod~f(dGZ`)%?HR-JR|F&x1UJH?QBlet-Dk_3@`~Pu{-% zX1GAWYpexUpn;XDsjx-v9-$CP{!^P$OY!Qa1-~I6JpHm=68%X+qC3Wy$;$NEt8>nUo zIOBo3_YZ_45Tq(63JAnYVdvB6D#)`K>UXnz0fInz&VhAiK>z`r!ARbjNhto0x-8L# z(TeZB@Y<0MtQFs3hS6t^QsIR&r^u1KxZT`!d5q>b#Zt%q?|Rb~Eg)J|a&3O-mJokd zTS9UyKFAiBtG^?jh*v5N)9%-&kUx%xBvvqXD|L^VYPpbNV zvbUZ8Kgjb0xDqfJ{P`z4%^!!8aQv^QOU^Sk9gXm65waylNh}B048{vI(uD(AHo)ne z(3Kp*F!?`>UnS_9c>;OBe#s$4&%mF5Qb#vomL)in1v@GbXb$s)%U>*_IFpL%W^faTNBwL5SNbLY8r*=!3y_0q$-VCrv~d9R7k+A2X)9qyt{W0}%r z*nN;T-Y9+pW`rc7{2V3>wSnMN^-AgH?PiAi!G8x?OQY3r5FAJ03^MeQChLN!YEReU6}S^S4x&4=!#Ir2V~Q^jy(3jFrnSlHV`fU_IiYZYLbE?&GkBK4S62a{3z+Ij 
zP@o($n?S4!dq&9xj;l!7ZeKVx48ujl%)(YXd5b6ubip;NV7noVBE*<-f!1h2529R! z1C{Y$xLO~T*2rgPZ+i+=Gb)tE8Bq%4PTWznkbazxOv|mp7>onuZ{2k$^6fu-?Z<97+bkYx(Fh(?#@*5JmP#25ZA2PMhdbOy; z#t!<6NjM4jUwE3NLZcZ*C=HC)}{HmY&EQ{^i2^v7gBfJuf^XX>+k0_s1o=EeLN_xAccrTxEH?Lx4YbhabAb=&_? zaM$^-$#}QC|F^SyFy8L}J;>ud*K5z(dXDt|_4>Lvq6>cg^{?BJwSBhF_Srta$LD_n P0096053sD*06+l%2)Dc zVQyr3R8em|NM&qo0PKBjciXtpXum%C6{xa(n(PfJ$!|$@&fa^yPB!&vHtQ2-x2LDK zCkv4fg_oU9<_ z;Wb>RzuV?Bold7m2M6;1bULm7pYH7){cd)!e{giLcXYJB|GVjI|7bS*9hhzvi;+)GgDIs7Hn87EfCwf0_g7ldwa9}y;}c2m>#^?_5X)>o&eE5f4D@H;uwK*PH~n1P5?1U zu7rdlGvH{Qr;wwOTXYV_vjVvbS)7QU;FW7^Lcz69Cf` z@RiXzCf6(kU%oLh~oG_kH#5A-VGIm9149?6;3!p2^SGvsU5-`M{0|?GhL=gv9I8DIrO#-Y_+lnv_{!AE`TqVnrW}Gn&vk1wIBHJ9y_Fjb3a2n1Gs)TZI zCjPWFfUcWRJ_m;f`+K@zyeJ#dt&!E3i-ur-OB^8!w}d(e zOPDg`)QGY;CphEa$M*oMQ5n}8DT|cvRo0{ifjN!V1lg#`VbPbN>8@NE%5(5{vVf?e8YGgC1AWf#}lHUOriQI;vXL@78I+G>TwN0lPK%C|YNqfA;PIAgX>SZWD_ zj?SVKfqE}Bz(uh@G(#LQaH7#gwUR@P8s?I+S#2>hii{|d6zfsjP{{9asf#?$#)?BJ^`yS?{Tx0-!!c6qW=QbNC^JxVIS*r!>+IP}| z%ZO7xK^dY@i?#e5tsoT^P6H>6{u6++6lcgMx>X#6aiM1itVHO!w(Qo3CZ%PGfU%P+ zL!hckn(ne4rExEfNK?DCBjs2_QN#(o7S+~`%KJpI#K|%!^-X__DQ)>F^hY`4k($4I zw&Q~UJrkU?U>wo+dMflm3t*{hxJ?lhJDR}Go&aA#4%mtmY3xn|ME(q28GBzTQ8sF; zaehbPc3MzZVNrC5u$-~zS;QVx_FFN$A35%-?pG(1<-E<&zx62{FqW|DTIB~NM|dqJ zGG%e~+p*A$zLOu!m`qVl7?uoG^{HZI@<ak)9DK{<`-#tMp7JAQ4z@?m+5M(x7p_4boq|(Gm4m+@ygCb z;p^=3CrBAMrW9T)^(4~)$}TY_nPlcAq*#ndYM~@9C(%m2EfjYUvWaCUG1FPoQT^T1 zRxhe$mDccrwPNXh)wXD(MxDNSb*iAPOH4mt76ZHL6{96AQVSVTlVt?Vo8=Cq3F|5; zz6;r>Ny*U^U!n{#c1Fnpbrm)lh2~nQA^RMmIaqO?v-xCFnq)#SV-m3mhwOq)%wU9q zoW$ki)=4*@1Bzgb-IbVvx!_*EOhPOC(FhqCHm zR#_Z21D6+!8Nu`zHaiSpn&S-FlFsnu1yCQyI!CfjeOznXQYqKfa=T)#fzaByuAhB2 zk!PWKGn2>zpl%WMRIa*gPU5$>sMr>+?|s;S;%A;=_3G?H^7OSb)24!%vK50B$@0o%}l&9VvTwfKR2CIO&kcNh~*@c z#FjnPl$ZaN5)^}$T{}r=9$AYnBQZLYNW3GluG?X=!3i%b)Ckr7^E+MiXJG~W{FcD@ zTbRNuLiFbmC;|6j5E+KZWj`kRTLezeyj5D}i5hId?ipHz5OzyloBDa!~z1g)B#U?07A$1GC4ajj7W!kc+W_UaGFLd5aA-aMY4`;JCE}x+x}VE*luM 
z13^}>&~;3nXasSV1bl@8ML?hk2ypH!8&n9kouop+vlsV6b!4^3iz(=4C!9o`LWEfvj@)ZKcuT8wmJ*#l^_2kQ!(dW;Bm}KD$ zfpNnlbPR$ri(DiL)lmYu;2!>@+=?r1p*Lc5$|7*IFJJNcyjU*rCom4iK*K^=EM7+v zMLp_4Tf?$Q(`)cc0aG~z1TfDf^5N*ONWqr*xu`)9!oUJWuwV!Qd?g8(e>1#QOB^jL6p-+};*%+|5}ker%6R$(FYbpbINAbGNN)xORBGFW!AD?>-4y+R`2>? z2DkwfT~eH;^RPPkwx>oufA$o)0lyT4qZ$XAP}VSm35tWowE|=$ zNn5yH4xVe|hw-pZYT(5~Iqq%v)upn!oAg6F5YcdUL!{dCM?Aut32W4-(0s z#=p&YY2Eql0R`pxdJEPXP@w^({1mE;c8H7@fyj9~D(^sHBT|j zzmYrpn4%brf3&r`E)?o(8?E&^OVCc&M8AMB+wTKm4>#0hjqT4TlRvPDKyB=!qS7UG zeM!{XKD`wtY-oi8`>b*4t>Up!<7yD0cDXKFRr*=^39Xf>XiLWg(2f!EbD11ie+ju1 z=zK6kRZvhYZH7{W%(w)8e1BRd*ZeuF4$k8WE{$d`24pykQO3bu zXIJSR5Zb+KH?$#IJb{Op6KzFrVOeYjs@KR+-~z)PD%0ArFvi{$$m~L@9M9==u-qDNw>iYlQ-t=g?TmOHEM-P=5;kOy%Gw1(6L^n8H2CDvo?(M(v1(nHeRN;#o3Q?Pc@rS;d&6X zbKP}l*)Ho{$oIv6cqi;PYXs=0r;i-dU5ApS53Wf-)nQ@|Zpy_-J--+Tt%0JuIM55k zIR$46KMlXbDPrN9lq@!Z@GLymr;93+qAF7UTFjbr*LXVlTC!@~TTNq0dMoKXs{kM?Tg|LnzVcDNh=AL6NXa%E%Ny%~3Km!Dw4SA^>O4#JCb7!2A0Wsb7Ta-C87%lgwh4}XM(tWPcbWhaxsYZ*4l>Ubp%=@PTy2bt`WcZlwYSA> z#KW98pN2CO=2%P{GckrRJz)6BQwz`LgIocU#|dsBlzvR&HD&@0iW1B?b%!uNM(cvh z%Zl^@SY=~o+g)YbcHPjY-~L-DulhTffqm;g`$q@0^`Gg%;m-f_K^{Hw!7TRLfW6*3 zx3>`WX^l+`MQ6^d2n*Yt3-j(MLxBG$(O)nYyt; zUc)DwHqfvehlYA9@Oc-8hS*Jd`oC*{{gpp$}Nl>w0zTk8Zuq6=XuP~hh>&>jmL+VNs zMN0(J6GV9h_tLkgLkasFfvk}QfaA+F2#DkP)P!;-FSkE9*q1^&3$$ZvMNZ{?8isc9 zBdFa{Y;OWN#}Ug<3;QaV=qg7U%X_2s@H3fVWijOm9|Br+a~QpRex%cX&G6 z!vdOuYAg$2?;9%#C<9dpv%to>upB5=xIKU1e5*!y7-*pMA3*r3UcY-P$6Igpj6uD0 zRzX@_r6CH*8#r9BL?6kMUXJb;6Bc<)E0RqdC5_mO6Ldf>ZOlkzvff;}k zgr$^D6V;&N<^5hoM5y?8pYPjP8m7iE2zBfPw;k2hf&pWxZp<<=f=A|U6a(j5Ias&P z=zGj73$|)bb&IXTbqv>I5ZdSnP9~8Sa8KZZ`neDr^I!m=GH>}=-P3e|u4|3s1VtFo zKxHrmr)o8VdSE-z5C*_5qbT$!6W8YpA z6afCoWPp)zB~f4I{Sn8t#(HydW}`t=TITPVBq}s-f_H~S*3KPHA ziva$UXwB$9KKPweFxT&FI-3USw?4SpusrTKne0CwCi(KYbonE zj)fIG204$ltpDlbk-{p`e*gEk|2I3V`+x0C_YQaQ{~qM=?Em#xyx{2ui-pfxR}0mE zc>ATo&ZEw|g~Ns_{jILVDLdeY9R4EDQc|2HudIXemga1tJ@wR6Ny@;U@E@?f)TaOK zLfaNLfV%bn-rkF8+M}Mb~?CwPr>PC+ugZo0)DL9 
zHV!B5Vb7)o`UcEqIgQY5d9W-26y^iM>IUb|Ie;Co~}49$g7>hl`%X!W+Y=QJWyyf zP}60^tLR84#s|c$BU+*8f)(pYHGH)@AUu`J5#X!P5E_09nVRN~YmO!3XHrDi3ho^q zv0^=}AqE~+9YjUz{@?~Ab)S{K9gX)oA#1RqIo%&le#=t9?a1yOU>-YH!+oHB$bujEfG?wpoNU1)-~mxcBqAtviJ5lThrB8QxY6mV?GQZ7;A`Q zd(EC_U(}0t)4lPwzL1s&g!-_q1**BF%BTga*`Jh+yc=XLm$sd_S0RT3psfJEYdOqf~3MRV^VvQL|{BE*U>-V;0F6T@S$@S<#)Dv!M?} z$-APfQwRP_$A3^Kh2P zEhs}%BPUA{%E2_8HGpQQUtC&}+hwKrH)MELTl6Mzh+I|-f~`5Z9@ufQ6p`rr|+z4?^(faN38}b7H56f z(R;zQWY;}Z?G?xR5{`cLg0jnb4V;qjvmai4e0Ti)>zXc;gnviLdfrffGU9+fpX2?e z9K_5bjJ%(^v+DD+H8C)N;R7aQcLgl8_@n3);$@u*H2x9nhi3H zjb7^+7>`r+$=jl(1K=$y=oo_g(e`nnyma7B2>U^|wr(TQi3M5Wr7B->p4afQL!5GA zemQ;l(pxm4dDL64^ z#mQPVzj{{w>ZTaoouLxOzSg(&x2-CGT8($<{BF2tzmo1b-%~zo?pp zvbHRJ!{vjl?YnsECHi*6x9CaJSR-J?V(XPycby?dis1s|kk?ls+{UXMt=h!QsYE@$ zXG^zI*Imrr4x_=uM!%=!2Mhmp3lBQZdvlRtP-nJwa#f#f_iEZ2UUjW;OB@EAl&&=G zgQ%Hy6{GhNDaC+Xo^@>UzoA!*``+v3g|LHK! z6ETyyvjDtL$6ob;r5 z=P%gd%x0QryUv0&sE^fC(8~T6Q10Y&C+2rRydLg<%V^iZ-^R&NU1BN*W--&YN4p_k zITtA|V03}1`{mm8VIza7;fh>7a@3WF?yOK%h{uA?C=VuX>gH| ztL*Vo{^(jgB?*3P?Ja43j4e$H{wRrlbZs5MG!+CqQnDXid#@kiyvy}1eN03@I^ia; z;H$kyN%U^t=Dwbm{U6;plQqQIef$3&&h`%){=d8XKOg34xtm$J5$x{$yr+E}qx-hI zk5hyCSod)Z8}8w{Pao)8Y=fx#Je||+1}?XeOv<|mo}yp;`NnSvjK75`%pyd`&pI-` zBe9ITHP)k&Inwii!sQZ2?zJej^4^@)uKU>&umNWA26$(LgQxOHPE(YftmpFV)q9vF zh&|Jkw0-vy)0X*x={P;}VSjqoi}UGOH>UNn`qbL#SqBX#CXbN~TgZz}39^ZabC-hW z4h0*Z>K4`@hcrR_tbRhiEd*6eQ1OaoM#qR*TYapsGcd(~oPq0iNrIDIYU zt1T0bUg5^#G<+?>y=G=|oyJx`DJ^n*=)%YD(fcxVAy_g-=$N$5lUHrcX zdHf1fUoqcu44`f&=-iu_3msS4@2rLX0nN0}y%-HO;E&vPFxagq^=wy9%!^#Am5zpnoerhBuU{(p$)2{?nCBbqV52~cehu2v`mivp)H&JvKr z=mI8)g`+3n!wNINid-70fUQuPf+Qsi6@v_C$#Xza3OT++a;M%&hgm#&0y31Sz~fJI z8Py-f>LU2xKMTPRS$ZwQQs)XKkRu9GoS|?OzB>PS&Iv`MC*VZ(bnw&3IfyZ3qcFjI zBL6D%N8#dMbRz$ngjF&Tf6PyInN3PS3m9D#IauNpvC-EdyUIsjhYNTy`a0xm@lGgC zMqmH`(G&0!q?i;8oW6R^MkdDhD8w;>6P2Bke~!XS7LgcDehcPvrT>2qFOXovmh0%V z{|*}V-~RsIZvE#$p3$4v?_R$@{_y(M$L~(xzW!#MplqVV;o}-+c!`*f=QVou`uiU~ z`m)DpO=@{ZQHo$DhLic|zy9yvL9hg0J*}2~2L1v5`@aEQd%oP<08R^}!3g*c7!MvU 
zEbnIvFg*M75AXgq2LiQ`#1B|hNB<@M+8~HPu_54$2kN3e5Kcglsc04;5Q$=(&!X#~ z$YZF}7DWPrKv~X#HD*Bo0bRf-gauy_ivOiE*v_pgs%eg8UK$J?!==luWP(a~OA|IZHhcKZJzo+rSSfYIppf49^8X*dg~ z|9HCMJZJOC1h12jtuRVs*})btPS8YW4rJZ{XG=oYvJ1oX|1f@?qHmTdMMYyMT<omJidvJe(4xB)+Z{_-=p0id&NGiu)rP$BpQgz>l^0?vf} zzH!BR>0#4i>bHzb+J^Ng*(=9=C8gVOrQB@q zMK}$o;jFhT$qlYfamLa$iP1MPW zSE(o`j0+Q@t-|55Un$lj@RhthQeMqVl0;ZQDY`^yN&l=Td!7~v&R7_wq=>J?T--)K zy#WhC1gM{vFlA_SK*l=!k>X*zX~2>O8n^)|mSX(#-~TbNwwS%X4*s#l-Xbd6ZJvQDY?XP z9Vpu$T26JtFo~F1cIiehiSj^a+^`C^AHpa?jHv;70}grs73#1`6%K~$%|U66e186R zpis4gLRp*>r9kdP9Yu+>Qd}qn3lL;HXdQpr!KvT?8*^Q#_g7nxTQ?|S|4?2JVdzz2 zp0JI5`6}V;Hp$#OPIX668(7GM=s*&9lVyfmJU4iEPa1{S78c6{gZKQgJE`ij>A zqV==N#tjQoyvCe`YqV|%_3RDyN?%!+qF)NcI18h^@R^vt7(RW%T8Ti|Pf0D_b|3U+ z`10W;?x;cPfZB9PbDq%wq@h1%hXG7;oH;WwbJFgIOGGJ-QJd;EM^gt3X0=-%+qzff zuxn4P-AZZ*{%TpcA9v^e8Olk)!dg`bhiRsCm4~Cl$hRGZDd3m~{p4sQB(arLjCsm7p`aN&F zkhi=^QCa_w)hZJL}TQ|d<0{i?wX4C!Z`v2bk(RAnk_aKkguh070d0hJb`1y0` kq6fZw`Qu~UHQPPAXZP%$-~RJI0RRC1|I>9~`T!IG0QGO^cmMzZ diff --git a/docker/sandbox-bundled/manifests/compiled.yaml b/docker/sandbox-bundled/manifests/compiled.yaml index 25723382e0..842449edad 100644 --- a/docker/sandbox-bundled/manifests/compiled.yaml +++ b/docker/sandbox-bundled/manifests/compiled.yaml @@ -698,7 +698,7 @@ type: Opaque --- apiVersion: v1 data: - haSharedSecret: TmlVTUpabjh5RGI5c3E3Mg== + haSharedSecret: ZzBxYVNHclBTTWtBWnFHNw== proxyPassword: "" proxyUsername: "" kind: Secret @@ -1000,7 +1000,7 @@ spec: metadata: annotations: checksum/config: 044987b193c168f87ad6b75510b710dae15de36461cb822559e13e6f3bf1789a - checksum/secret: 5bd04f7a79cf46595637b045ca93a072b7add79ded27415becc6db6b01cdcc42 + checksum/secret: 72a6bbe72d54584038d8aa7f79754ee807898053f9564c2beeede9fab93b7c25 labels: app: docker-registry release: sandbox