From 7f63af7fece7afe5e5b0ddd1e6d8678304d99b85 Mon Sep 17 00:00:00 2001
From: Jakub Stejskal
Date: Wed, 26 Feb 2025 15:00:11 +0100
Subject: [PATCH] Add task for installing Hashicorp Vault
Signed-off-by: Jakub Stejskal
---
 .../prepare_secrets.yaml} | 0
 .../tasks/common/set_facts.yaml | 3 +
 .../install/create_clusters_hive.yaml | 3 -
 .../install/vault/install_vault.yaml | 67 ++++++++++++++++++
 install/roles/automation-hub/tasks/main.yml | 7 +-
 install/secrets/clusters.yaml | Bin 7626 -> 8392 bytes
 6 files changed, 75 insertions(+), 5 deletions(-)
 rename install/roles/automation-hub/tasks/{infra-setup/install/hive/00-prepare_secrets.yaml => common/prepare_secrets.yaml} (100%)
 create mode 100644 install/roles/automation-hub/tasks/infra-setup/install/vault/install_vault.yaml
diff --git a/install/roles/automation-hub/tasks/infra-setup/install/hive/00-prepare_secrets.yaml b/install/roles/automation-hub/tasks/common/prepare_secrets.yaml
similarity index 100%
rename from install/roles/automation-hub/tasks/infra-setup/install/hive/00-prepare_secrets.yaml
rename to install/roles/automation-hub/tasks/common/prepare_secrets.yaml
diff --git a/install/roles/automation-hub/tasks/common/set_facts.yaml b/install/roles/automation-hub/tasks/common/set_facts.yaml
index edfbd318..cc4e47b5 100644
--- a/install/roles/automation-hub/tasks/common/set_facts.yaml
+++ b/install/roles/automation-hub/tasks/common/set_facts.yaml
@@ -30,3 +30,6 @@
 - name: Show generated cluster dict
 debug:
 msg: "{{ clusters_dict }}"
+
+- include_tasks:
+ file: prepare_secrets.yaml
\ No newline at end of file
diff --git a/install/roles/automation-hub/tasks/infra-setup/install/create_clusters_hive.yaml b/install/roles/automation-hub/tasks/infra-setup/install/create_clusters_hive.yaml
index f0b3745c..685d996c 100644
--- a/install/roles/automation-hub/tasks/infra-setup/install/create_clusters_hive.yaml
+++ b/install/roles/automation-hub/tasks/infra-setup/install/create_clusters_hive.yaml
@@ -1,7 +1,4 @@
 ---
-- include_tasks:
- file: hive/00-prepare_secrets.yaml
-
 - include_tasks:
 file: hive/02-deploy_cluster.yaml
 loop: "{{ clusters_dict.values() }}"
diff --git a/install/roles/automation-hub/tasks/infra-setup/install/vault/install_vault.yaml b/install/roles/automation-hub/tasks/infra-setup/install/vault/install_vault.yaml
new file mode 100644
index 00000000..0d85a538
--- /dev/null
+++ b/install/roles/automation-hub/tasks/infra-setup/install/vault/install_vault.yaml
@@ -0,0 +1,67 @@
+---
+- name: Create {{ vault_namespace }} namespace on Infra cluster
+ kubernetes.core.k8s:
+ kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+ verify_ssl: no
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: "{{ vault_namespace }}"
+ labels:
+ project: "skodjob"
+ secret: "vault"
+
+- name: Clean helm releases for Vault
+ shell: "oc delete secret -l owner=helm -n {{ vault_namespace }} || true"
+ environment:
+ KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+
+- name: Make default SA admin in {{ vault_namespace }} namespace
+ shell: "oc adm policy add-role-to-user admin system:serviceaccount:{{ vault_namespace }}:default -n {{ vault_namespace }}"
+ environment:
+ KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+
+- name: Add Vault Helm Repo
+ kubernetes.core.helm_repository:
+ name: hashicorp
+ url: https://helm.releases.hashicorp.com
+
+- name: Install Vault
+ kubernetes.core.helm:
+ name: "{{ vault_namespace }}"
+ kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+ chart_ref: hashicorp/vault
+ release_namespace: "{{ vault_namespace }}"
+ create_namespace: True
+ force: True
+ wait: True
+ replace: True
+ update_repo_cache: True
+ values:
+ commonLabels:
+ app: vault
+ project: skodjob
+ global:
+ openshift: true
+ server:
+ ha:
+ enabled: true
+ replicas: 3
+ raft:
+ enabled: true
+ # Configure AWS KMS for unsealing
+ extraEnvironmentVars:
+ AWS_ACCESS_KEY_ID: "{{ aws_secret['aws_access_key_id'] }}"
+ AWS_SECRET_ACCESS_KEY: "{{ aws_secret['aws_secret_access_key'] }}"
+ AWS_REGION: "us-east-2"
+ VAULT_SEAL_TYPE: "awskms"
+ VAULT_AWSKMS_SEAL_KEY_ID: "{{ vault_auto_unseal_key_id }}"
+ route:
+ enabled: true
+ host: "{{ vault_namespace }}-{{ vault_namespace }}.apps.{{ infra_context_name }}.{{ cluster_domain }}"
+ tls:
+ termination: edge
+ ui:
+ enabled: true
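Review bot: The `Install Vault` task passes `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` through `server.extraEnvironmentVars`, so the long-lived AWS keys end up as literal values in the rendered pod spec and in the Helm release record, readable by anyone who can view workloads or release secrets in the namespace. Move them into a Kubernetes Secret created by an earlier task (with `no_log: true`) and reference it through the chart's `extraSecretEnvironmentVars`, as sketched below; an IAM role bound to the pod would avoid static keys altogether. The same file also grants `admin` to the namespace's `default` service account and sets `verify_ssl: no` on the namespace task, both of which widen access around the secret store more than the install appears to need. Pinning `chart_version` would keep `update_repo_cache: True` from pulling a chart release nobody has reviewed.

```yaml
# … unchanged: Install Vault task options and values up to server.ha …
        # Configure AWS KMS for unsealing
        extraEnvironmentVars:
          # … unchanged: AWS_REGION, VAULT_SEAL_TYPE, VAULT_AWSKMS_SEAL_KEY_ID …
        # AWS keys are read from a Secret in the Vault namespace instead of
        # being written as literal values; the Secret name is a placeholder.
        extraSecretEnvironmentVars:
          - envName: AWS_ACCESS_KEY_ID
            secretName: "<aws-kms-credentials-secret>"  # placeholder
            secretKey: aws_access_key_id
          - envName: AWS_SECRET_ACCESS_KEY
            secretName: "<aws-kms-credentials-secret>"  # placeholder
            secretKey: aws_secret_access_key
# … unchanged: route and ui values …
```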
diff --git a/install/roles/automation-hub/tasks/main.yml b/install/roles/automation-hub/tasks/main.yml index 207a74d5..9e9d8049 100644 --- a/install/roles/automation-hub/tasks/main.yml +++ b/install/roles/automation-hub/tasks/main.yml @@ -9,8 +9,8 @@ - import_tasks: common/set_facts.yaml tags: [always] -- import_tasks: common/prepare_kubeconfigs.yaml - tags: [always, kubeconfigs] +#- import_tasks: common/prepare_kubeconfigs.yaml +# tags: [always, kubeconfigs] # infra installation # Install ACM @@ -88,6 +88,9 @@ - import_tasks: infra-setup/install/orchestrate_cert_manager.yaml tags: [cert-manager, cm, infra, never] +- import_tasks: infra-setup/install/vault/install_vault.yaml + tags: [vault, infra, never ] + - import_tasks: infra-setup/install/orchestrate_logging.yaml tags: [logging, infra, monitoring, never] 
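Review bot: The first hunk disables `common/prepare_kubeconfigs.yaml`, which ran under `always`, by commenting it out, and the commit message does not mention it. The Vault tasks added in this commit read a kubeconfig from `{{ kubeconfig_path }}/{{ infra_context_name }}`, so if that import is what writes those files (not visible here), a fresh checkout would fail or run against stale credentials left on disk. Either restore `- import_tasks: common/prepare_kubeconfigs.yaml` with its `tags: [always, kubeconfigs]`, or delete the lines and record the reason in the commit message rather than leaving commented-out tasks. Separately, `set_facts.yaml` stays under `always` and now includes `prepare_secrets.yaml`, so secret preparation presumably runs on every invocation regardless of the selected tag; consider gating it to the tags that need it.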
diff --git a/install/secrets/clusters.yaml b/install/secrets/clusters.yaml index 5fd01cf16595466de2e2d5f066c4748a04d9c33b..9c1984de6998028a3979a5faa7d178265c48c7de 100644 GIT binary patch literal 8392 zcmV;(AUEFtM@dveQdv+`0D-J^;lodTCVHnsz+v^vCYz>p*PW~*mJKQ5+VsH2hx^sU z{nBEMNqEkwtsvaL{qyHpk4ytsAfLP|hmHjn%%!`FzV1)Ltc8B1x>6caX*a?;F=6sy zFl`4CESCW*mO>ZwU!B?@ofMt@0KXFUN3Ik`pChJ#FpPu3X!^qb?d(Aoh#&K<8Y4`v zjyY+KYfSZ{;H*{a63qOn%r#N85|}6PuT%thLni@(jqEZ2*L@+U|opkP;SLX z8<^PO)O11C)qIta5jxODrTG~HWS){U++L=%Abu3HQuk>)vJ|9G=cI;AxRkcul`)FY zsYfnyV`H`=VUM;B7S!H&c4i{20IsqVnhkn3M)@8Ppa>PK{34|9LiFcRd>)Zw-_^tK z!z02CYumXs}1upTUS|AtKW%WU+ z8x_(OLaUjJHY9E(o<5+{9{AOu(}0#`ae!G4aOIp$Rr0rGfWayXmE-N^Pj?;d)dQMc z;d#e1`M}VPMD0#zp=h+*xbd%g_<}JE)8110NX>)`T6P)1Yd!v1i{Ya)DuBka0sk$q&qDuo8$Rsqu~Up`or62EK;A=*fVur_gm58*@h&+k;cmxydS1w2W}sx##;Smz8TVTihIo z$FGnDpsn-;16^PlmrA7o$--F}9V>BcCs?!oJhnwtI#jbQ%W|x-fX2h?&+tUQa`#H| zVcjE0r=OOp{G0kXbI;P34811sA8@C8-VkOgF}p1=WGtD58fFfT1TkSy_sPeR{DYcO z6!h_3Z`OFVF~p##r{AVu9hmSSnL{NVlEF0sn~JT?)Zq^`D}tO)4P6GYKSye)^I1+Z@hWo4G@_^NdRQ}neRzoQau>+^pI ztogX-RJJ0EshVJmg|4Sz^h?%?)N>$9OYCYdH{26`mf(R|EYghk&2z0V;-qF-)xCE~ z{Ts(s{mcY?QK$MSWp3D_OmFj6-YB5y#IF|Q{>S$QzqhGjDY4Jt+ON40x3=o$7yNSb zlC`|dc~9u@n&{UZLp&qU%(XVDR>^ z%hs6fNiLndy`*;&o+K<%dyQUTBqlSSFUqg0OV%}d23|f=hE`jxQbIWO`!#@(SP0&8 zUet?Ne7(yu zVZx1$+mo#UUX(Ga*5@F5zaA0KXi#ghg!xr@8WXe%nUsRi@paH3QG>*KUKZrl-$L#- z_~NapK9h0ZR$6Nn)Y2vRnuKG+Ya6DANe9jN-12(UM*X?Q9oH$+z?a$$PC{Eg+x3}= z^Te~?8t8G>=)1MOZq(U`siLr}srAhFiDNwu2y^bM=_mG?uzevxq3(}>-b#EE?LFV< zL|q5G#hBP^0$h~)!P300f5Bq-#Y68AKTMml$n9I&2RE{!9#V4}78`i0(OW_9qGshD z^o^*0E4-5M&t0r)#o`cY0GBBdZ$5|!r_j}FL<(CU*1!VXjVqY5Hu}ELR(KEI^(v8eidMB=zb8SA?ZY8_Xh)i}pm5Yn;j*dBjm=EzFrT=7>ut=wBo`^_ z)V6-6NabWr6(Eo#=%Y9|x>5=rujSa(=*{tQ*s$YXVK?!_QuN6NNLn?q#tSL1l2&|p z&9Lw$qEpHDvqwD|)2Pr2GZ@9BGHlyg6NXv#Uad#7$D8m5Ejybt8JrU>7K@&1s#4sw zpzJa30Lv%IAkW6QzUFLREahIyW{8dN5mcVOue$YDW+lS{kBdcd%mN)8m3w8ZHo)Rx zEQfuj7`6v(+D0C2<@eZ3Cwa6cxv4X{r|R$HdHiT!!U$E2PPxZw9Wi-o6=owe<{NJY 
zBY0<)up`ODbcB5;{>eXiiI_tMfdpoGI%PYn<%Z{uyY7PP0{zp==t^PO^o7L%t1v%L zpHE0i{|_lbqRl=4nA+DUxAd#-YulBQ2cZ`2NyY}D$u0ss?`udJ#hqVTcMQD!uQT~I zNK64s(++2@HkG4}?d(YMq9R*;1-o|UCq3V=e}Cua)=Bn+T)05eo9youbt zw}R?FqUQhpQVfYGO>9o_x?QiBk=u4PXxnmgycn`WRk^c*DHU;~v@lz)6b%TdQHE{U z(dD8C^3cyV93o#iTq+&j*_IyUV&P&$|MHle^CQKCPzOz}E7Vz{E=(qQzPr=COqLvm zm2^QMH2z#eRh$J=AE8;I`FXZAOsAq1#*i$)n&&TX)`aOBqn$SbQl)^zfrQk^QVT9% zUqv_BvoPgBltpSx_lajD$W6SkDCJZM%X~lGt3`6|@MIjtX_-Qa$y_6pv_B>&s03@6 ztGN=$F$8XaT8hy1E_;P#o+f}EGM_hHN4G4W<(6_~GbV2D0v|8R`(`;E2bgQseWyyE zL%LjuunzuY_zl$_i7`Fa{C}vKi|4rAX_${NdMC|zK4WQuQJu$)sv%APHMPTU>GlFg zDirOBpT3k==9d8w1w2f{6ymbxM_XK%hgBKErIDH()P_PA{1Y;)i26)JwilI&mQLAp z%*f$antv)af0MzxTI)#~7G6YXI8oOU7hyDhzDtsQwl;Bm$V_F2aLShx{ROaQQD76X%hkOu2GcuO$+~rdMrb24 zL}~!zwUiirH~G`~we5inj1ogfQ=wTw|Lu%ig4Tp-A$(7ojnp|HbWfm?B0V(D;BNPQ zI9mx=;NRAtx&sqy)m4)-$Bh40aB3?E+plV2wM+u~^y%P*50w|njCli>kj$)ktCv#J z3VuM3SHhigsmGDN%rWfr6Jon-vT3{nNdP2%e2)qMC$n3zGaj~mv9cy!jjygL7?s3{|#SF)f@%jd*p4#_EN?94v3QxZ3T8V#Y#CsYN_Z-+l*yojO5eyxH|Uz8JvH5Y*>POdJ&_&XANt zMWNH19riXTftgdM14`Sh4nmq2eJ;xkb{cC6-c?#dCDSfSmHie9s=nu_n7-&EpEcXkcw*V^gxLlaEuv7 zs2nS|z2*RHspZuB;w>WV3Y@l3CYZ(^Or*MU03MChj7_ZDM}8;m*&AcG#wl5f*dfyEb-A)dax z0uvM2BMujx-~h8PgmN(-<(#j+YcYg?W2BwlG_<67TJ4pbw4y7E^3e zEn|mJ?CYzVVr~AOtQ@q*+Y;6+)DB-Mx|p-TNK|-Css9rTV*He_k`G;Ere3M6j`=Ve zzx$R%uC;P8;t0+)EY2buKPUEa;Fkagm>}90Y`f#>Ctsh;oy6gLtLMX)hvW6pFzANj zA7*IFJkU|42p(si97=O8Tu%gq#~7cXS!#IV|61&Oj0b2KPSKFUS(y7QP99sVirYR? 
zM4uXI-+e&YPS}6ILE2b-tX>#0E`K#K38kS$gq1|IZ*7LKN6==GnIU>wjh_uW+Uu5< zHs`y$G8ok|+bRYtFD=+!pi!+!Oqyiz0Fh3BhK3$v9GT1C)K?5mG&Lds%#9aDuV}Fq zUlNz|`&!QrPP8vf-!YH1w?>6?RZ5%x4p9&%d}Z}$+=d!d%yiN6_~tX%&KFh={&z5O37LCUq)y8XYd0%Vtx~J}+(1 zh{lE^i!AGq>`XswQ;M}yS2}yF!-(FKf*)dgCEVD`))wH(MVY-FIzXD-E(nY0do&kwG;x{T`qg^Fy(yVu7DB5B#@d2OuO zV<`8UxL^!#TeG7p4oZ3hDxYXRuZUQk<&fD;Jd*34D553dY$^g7@28 zU?kqV-bcWmtshSw*Mm+a*AFc7WM6i~s!0F#o#e(FR{?LS#oiayNn&=>Lb0D$6BmB1 z=8(S(78rQg6@Q)VhC`pVCFopG(e9o$lFw)9qJKduT}iT%!PE=pMpO9RF*Wx+0vW5COk zCGKZbP!FBA#oECMW1nS-D+-*(Q%O1$-|(2qSHDGemdM=0C~RAV#{?Fq*y9(?tJ}t_ z^H&-N8Rsf}GPlFXVWwRAeZ%w#3eB2_tzZYg;EgYu?Dow?J5gu)V8ut5f5i*(KJBR7eP&RW`7tI7+}~{Lrz@Nv)mZdeLeG z>!2!b?xI2iw5+wjr*b5FuI6sb`{XZPbTpl&LN_dC<>LTnIO6wq-0)Pi2fVP ziXrvXve5m@3PjCSGREL2FPJ!x8Mr7PO~HNBx!RkypwYpibaU1!Sm z%z%~N;VB!_Awq7+^Yb0BNA0H%% z<$Tk2K^dT6eoU+0Z04O10 ze*qdav2GogdY^#Ev~X|S1wsU5w#UR(+)aYzoswLN2D+_8t(HHtrbaCS*&jTe(TMUyiaxyz6 z|99i`&mEMGg%4$nBRa)9%YQ5E-eupm1(%gLP!P@k-T7S25;2fOq?78#M+_N7qlC^u zuV>)vp|o-#lZV{`7?~S z6`H+y))3)0AtCG&Cx6N*I{?}%cUPuwcBHxbiv9$-47fA61j9+S*LWyT z#fiyx$+KElqZ-TA#!oz0)sP-MPbF~{A49sW(Hg6Y2^hkES#c5o{Kqq!Z0!~?tpetE z#_rMI6v{@_uw{H!o!xBET zi-Y7ZZSnO0J}Al`>Aalx$kOH{7R;#Wdf?*be_Zcq+_@R;p=jd?bBTkf?=v?*^9=Zj zV7f#Iv}^uoXo27RM&6;W@cI>rQOA`vNixcI21HJsluvAw38`HOq2b`5c-eG1ahBMN z9h&|>e4Z zFl->5;jj%qVLjn#4d#g=sd1PjzT{@(ONV~SpC&CI5gbj`vw`Q{HV-iA@ORVqUJ6*y z5V}yq80hK<$Pz@NB-uRjzqdCaTc+sirGd$euhm8<3p2O3uL>tX__xer3TJKc(RGOW z9pDoirK48js1g{cITJmj!Y205amOyBUUR~VLBWwIfE_2zP)pDE7Yrt(E8aA21*kZS z=COo}keoRpPKC92(BcCC8~utjUPjIyL0Mms=KP?J>j~`~xV-PxqsQszG$|b%hpZY+ znQY+uCsIoxqWuEe$7JDWNYFKNgPUIMO;DA0s878t*Y@ag#u(k7l zdT_dt`ox(`s@?5O&|&P^v)UXt*xQcmjL_}2M(1wIpB3w+B5a*?5cb8qq$jKP`(&86 z5@u@H@Z{X~t9vu;F?Xb)we*-B%6#dtbtCARELF)4Svp9j@2Jc^ALhoA>Gr>vL0_Dw zwW^<31Qs|@xIQ+u33~ZpOx4jCBU3-?Tc{#S#dmY?rvE!x$^pqCCc=KixF0pXI7J zH-sNA6Tz67R_M@ME>+H===Ecr*uFICWG`~>29nW|@Io7%B%43f-#Mu&ImB_)56QS6 z`tV1+F^6nJ*qu5OKwh53R`PS(I9}>BQB+cY?_uZ_Z&sCpcP%L2|(J z;Jz43A2~ub6?O~n_;(G+=7j3On;vS!Ok1#Eq^4BH&<|@g-;{tS>c(tfj~b($o6OLa 
zWpEnVxo$>1wJThb>AV3%%2&c(1t zO7CSL^3p>CQ*i*hgrS!w-*ns9wyHU6 z*&5F8xtHJ0<*STAo~HH6J~`L%78x1swDt3V zuN1v@R!1OTywvu^pfl=EZJ(B?A`_-D*7+oJ$u!iQ_o#fh4io#ioN8|M1Dr)Wxp#r$Fu z!el;c$#)hZ<$?9fmAjX>?M6{=CIDg%kkE)`#bDKVxRH4_@9eu3Xq~O`%k#h!XHAL_ zan6iUn1223WiD*Zl;E~|Wt;01#!^05N2j@MpSrU})CVhG8tHk{G=)+oE58HGBP9DK z|G|XW?um=~CIHN->CXKS#PwX0Y2GpUyD0lHl<*z-0sSS0P4`yxuL4mq|I`GFqCq%u z&jAV&(Kpik0&Qe={B%g`a`btWute)24!;AHoJo{l$5w)<1|Uyc*~FFXsA0d$7nat1 zYkm56K^p>tz|&k#?YQqxL8ls?X+SAN;2Hb1PNnibV+k2(5aL!J8M}zNw&k&-xm2a-L;m$6PMj zWX%|OB}PN>(L5LeR$^m2^woF|)@`rXxb%F~@gj&yp^acmVEkS-EtNQA%5F{uV5MaT zA}WKC1{N*r7)8w77oQBxCy%}KMfbh?31j+G9!2(H4R*X{=jL{#VDzC(#bHf|;|s#89uh#&lny)@!4cAdK?j<8m%r5^ET_ z$=!s|y&w5>Pc@RymWQ=8K5*6WP!dkgMuku0 z6FTxuMFLr`ND;vNRiG@GNn~i-J*6ih5x3O7_M+~lIQP4^mg<_*ACVmzz6JXfU`nJh zjgbOL*;md*pO>7V+iNVKq3{!ZPpv(V(x_$G$Y|gB{myLBtVQhxy?Sx{BGN_$ zKr;lnhzICj!_3-*V0bl~v4y}M#P0j-jZF7(xTOS#UYAXZ{`(5Ah)-LiN?Or zprl0buPY%7g7VWK&qk_=5iS--yUIh eVIQPqf|Af`>7^x(Zvk``|NXHJf9d z>KOqQaz>O|0nx98ne;kwZ?pT7yrHM;jKFErt?LLWtddrdZxj(q>39aBMd8DUTWMhK zU#kj}o%}F+fQRdDBLd31u{_xqTmK{btiR&VmV2TWAEL~*%};XLMj*cXU%MA(ConcO zZlGD2x)dV{&_0_9E6zI+^m^mK@^9;WYX<^jvSlHJi^NY@4a<)*mc72t-&0NHhWGJG zcK1vYAph8?boR0KgSg%NbdAN(@+@7|mb}q6)

(+1pO=^+5RU?|7XWgteTNmsHXD zF2_ZkABCG^-rg9gTNpdf*D*MsydDH6blV)bY-8kx-r=|~R)!{TP1z$H*I+6mr&3{?t~@PP$+XN#O(a{^#P(dl0j zi@5s5;%sKTvdlLpHHKIp4^TOpT7c#0jlg>ckNT3qc=rsL%^D%1mD2`VeuKWe>zk9o z1Js(As*tZJy{%0wr0Z0l`KJyTp8H)E~8n{;&9ZD=M|vm>htn&bcEYDqAydP)hS zsMW{O>bMalk7B=^e;}2J_9df@+|w1&M$tESb1)a$gHq1r+E**iL#_{1if02pq0EdF zsFpbmxMM4wS(T>iZ)u7D=&-A`kGr@%Kk^%u?9T?reL(ud<3joTZ<5XH~BeYI^}dCQrJNqvJ9dK&dUZcV*+&#bn_zCm$-#L zJA6SABa?m)WEW|O?J*U!ni2(&2C6@ONj&DL6NdegK+5PqR>U5x@JN}wY7EQ47Q=U9 z&{Ni`PF}x{HqG)k?T;zYnld@dB0R>pY> z0HLqLkc7~{R2u+biILVWOPuvjG{njJ~ft>Vfkd9d!O7i z2cwwiSsN*JykMJF)yuhBEfn$9a=AFp)42>hQA&ka=B;d~t7R&Ct>|8omLqBWFFh>j zUfteVac*6gcIm@M82m3;+m9qWEkXeZ)tiw8t%8$L~!t4ZEtSZ zsWa}M-W7I^DzqVA5+sN2yA}Xg*aimyy;_Pq@;X=Bz`3dvTDo<0?4pGlA0~TfO$L9> zXmBzZpkWiM;$^hs*fLxXxOgfbh} zH0YnQy^riKp7$4eP0W?DaG;Vyi1%*lZmH`#_u(+o0XR+@S)T8LRB;C&?C~KS3xti$ z0ZOLHmC<%D?OG=F1`ytt8RkiLxCdW92Z#O8ow5od&}%FLgqLDT{MCPmu4~$Vr!J zwsWnpcUxfOTG#F#`w@dsJKgmnJSn?*`vbhQy=imO>F1y)u z>Bz;pMi-Oj_{=IFl)ImsrA-=;)SN@WXQbx*oRM!duA=PJj-&SvUmpx|bzWJqQY?cDQ0dQY%Bh0UIUAcE@K7FS9Je<%it4jbw|98+flj zfX(ZALin@P?yN0I@RDY$TP|~QZhNeLa3rsa*+#FADXZMki;eJCE`Ueh14ev0u&Pnm zj%-)*>7uzI?8>HYIJpuVD3U$}fZ5qwRmA#`y&+XG*Fy0W99$AK4j++T9~3QA2};{b z0n8;UqP>wgFJP97U$(?1A-@s2i?D}JBX^My=Zp2PW$+_GI(hu-DLDt$iAhE>XK|K2$Tf&D=_9#5S(5^+0xJ8kmpMV)ZY_=Xm zcBj=6PnG%3UJVq@dtdWPVNur;bd&azDeJ4wLATm;nNUU6gK3N)NNyd!{gFw$JuU12 z-m(!%*xEKfL8S@WRIPP=FfxR2QGHauKgsvm)CXVT@{JXFSIZ!UJ*MIGTHjW$`(t|B z89!9Me1Wr&$xmrVIi_&(xE{s5Ni@<&oCkNwc%>2%%r+Hp-e3E_MO}kk=g7km=`?0g z_u(<(Te89aO&iQfv!E(YtLm<@dO$ zeIzfvl9_(@W4Bg_3k-6mg5`N#G9)0uep^#G{Eu^qPO!kF*AB87K$l z$#PYWq3f^hD4WsDd1LB4B$h-I!EcBfmR5q95-TGUbk=Bk7?T4z%vI&*!bxm{;_0W$ zd#%;`N7Mn|4nP4>Qi*1cR29sPuPUU+Ck{K9D-T(EctgdxFzra0@bh#Px7Y&rh2YisX=zs2eT=&}(`wvd6*N18;qqqa$-Z$6OC6V+I@ zkQEg_p zYl)JM0TK%wX2$*T;v%*@_#ipcHIsmK`o6+iBCVkPIqL$Vu=}bnl>VLIode;EoqT_K z_79j|aNc=AS`WvO2qd0#gGuogvSZ4itdZR{fu0wt8`)Ss1NK1H9TZ)jd}yLtsa!Hf znvRFdaHcXp(uF>-u@PEM%7Veg^g$Jzl2ao#vt?bDCT;77yV9 zJo@Ejy?>tll!$Ea@Al5X`6~WYRFqFd-)l_P6*SXP`GB 
z+;^y4;OGPEzzHM&~l>m#J-AZ$(a708KoFn?S0mjhq2lLpcPGhOTz7$PJV-|7`}rOd^~FB8lC2M_+oq@)`pcgUe+XA7jmbPYf8ea@{cpryC8Y?$ z=Dv-IqMLxkGOAzK9CrBfc&wFf;^((^$1DR?H6Np_1AM4LQ5}P*3+|Csagm1vZ5M&+ z5*MT>r3SIrWAb|ye{s~Y&<6InI89Z;o8UH<$pTaRQjdqa`8T3n0BhXXFLYfD4A3r_ z)K1d*c;9{5#TXbpMppW|uMMJ#(-6Vuj(HXDGvTUpcBhy}y6p z^?&ANpg6D5AZWofKU{K1Xm7Mxgb6Y*eVbA8b7~NdYx2sxw&ik)-`F8_ZT7Nru`Voo9wWO(D)k9)bLFMsb|2wM%e`XSwC$KR zl)^1?d8>%T{hi5w&j=|Jd7m%KES%!i_Y!C5?=@A(w4LNscX@e7_$&RmeCqrU0mb_H z7}n}jO2oWvQLzv_%l|ha%n!}a$(nOQRFrYuBs}T71>}vpu z7|ZVx1l;4EpKy9&w{IPZyyq8+F~WKxRKB9&>yA)+7_VgtvqPK%rxt=77SzmJW#S@K zu$4KR{Mu5uSli=gZv^;FROuSQM{ANj9jI&~rncfKUxL?SbA!0UD$);}SndwJE-Z1v z>-)>xJpyOiW_lYiQ%xX31goxiaynhDV_wv+;x$i*YeXXPtlHqqplN~*dm%Y*HTU))2d>#i1rOHF{;=H^A`oCovuX@-VtnA&Tc)w z8GRb6R%PmKkxy-q13kZt#mBW&jWNCBJ`z%!HLt>;ol-*UT(&_)5#i5tsb5h_SZD7_ z$jEAcBu)6s(BMJDtxOuv1 ziwnHh`_=va`WVe=`B+?bVyG7%y1f6BB&ARp$Xdaafl7b)6t^qieCT-WXs$J%D8Ba5)4g;UqYjh zAJs+5#G^$7T13GgmyeE7Qngr$QSw=CuHLMYshE6ov!8g%f?~-@smM1G`lo~jRps5w zYwhiK%jyCfQc1D|*0m=Pr$(rGw*CQ7TKv7g^A#&hi#u^Ausx)mC*aCRq^-4PLix~s z(6|Rsz4flnn$cX{+|m-G#>pQtfz)(l!_}i+GU}CV5if?9&%(Ms1{l`GCj#-i0{zK$_p+jBcWWN&ObroExeAD%Aixv1 z7b{`Nt+FtjP4KxMdL!T}NlZOD!{0&0UWUJHu$Ye*!Cj?Dck!JNiWT&#t$|efw(wl% z*GX2VN7?8o^ZfwSR5f-f>mv+hL7humg^$?bGmJ8|r6AS@c}qlq*IUqgI4;+3Gf%Af zc610kD*H#dtK*f+tXMLFLD3?YhJRSsR-7-5pY)O++L?Uy|iW~!HsZk9@tm)yNe&7TQjj2 zE>H#EsVXK}lrdf)L7@0HDdcah`Z_ednl%OY1KBiB@;tU`tmDL?e}s}v@Kh=`8$P>YkIOsVn)N~cY2ta zJAJ-g@EN`YTI9Y;7a$x`C2rTUTtou4tHWi#o1U-eky`8X6fkGNKTB1+Z0p!~20nns zVrEFW(kC_2!rZ=lX5E0+|8M=5`vifS~?-2%Bu z@9=rmZ^S!Nvd$IqIk^;IX2)}Q;z7mmZq(L@AFQ+dLLojfELiZEFUJtHWm^=NG|Sft z(0!(NViQ8{)@aFR?x_gz$6~JTq6v-YGWr)ai`L7F(o1`ZbirC;gQEYbmxD%wKa&a; z6e9gUY0axGS(G;~Q%h3Jm-m3{*t#ufEen*CuP5N-uUC}pXZ@M?M>W04xBz%Np@<2* z^^-pZi1LlYTqdqKa@Mp~lgT zYj0nV^6C)G&w2scH$)()8?UWw!@d0Co&RaicIBDW+qZf5+iv*iqpMjU*K&o-K|Zz; zUaL{nFs_EKE(}rR$775zS&f1yLO@@gmS9k3kfa22mv2tPy&7FwvuEQbsxx@)-?#X5 z^qC8Tp`bOu?RWqoUXbFaih29koRnsq*pW2pbwp!;V2+H#HA`p1Exs`UZPthjj^-iI 
zrr`ljbky{H!to+*Z8&2YCUL7UY=vr(6)IPFp&OAi2nNCNK)=2gHb>GD4kH_MX~Vw5 zOvT_hwFr(bm&Uoq$C&i$9!xaAC2aMF)UHW(5pO{c#=s_&DJtibe)H`sA;VgF*-Y99 z69y`>Xv1=!K89cOn)pZOfP;Yqcw-CtWd=gLSa`A!2(5T`+sBnWaGOr8%x{{soDH&w z8wGIjh;Y<9yEx&}hl2(IV>!w{ckfZpNtiJ_$zI3{(J)`4BJkO3v9?~7s46G;PqZK; z(?(Y;1Xy^mseTnuXnQxW>|P%Ne0U^e$mD$g#ZF-qE+3n$9z0W`0hx^kMJRu!ntT*%eWZ$qrQ{D#}R+59M?Oh8-h_rGVx7*|0`V9X_^^|6Lto_c+G$FH@U_9 zp=gX?Jws>Z5@_S?lB3NRKtq+13MxISjAR&5S8SM9mm+p_12?wBe6hyQb1YK2ADun9(%d3jd)R^ma}T8Svwxf&ds9D#RWd?Wc_kkz^57 z|BhGz!ep`rv(DHEyoFKXBjFW$A|d}&a*4f3dshBn&LwBlNTYYond+SDBx)A zn2TCg{_j6x%RjlB-76YhS#*hbb|QdKCw1WOfe|4tL_G^tOsVqNglvAP=txpYvODXB z3ixoy*X89uXO`0J8}}{3+TWR)qD!>*< zg;m#)s~F7q*raV zn=S4Ur@9sH@W20gA^Xf<<3omP4F(^-HZsT;*4BV&9|zTZ>;kv|gDYY=ot%>nN6#cV zre*v(pbh#tK)H(z(txc=kbkWACRJ^*i-#ao;a!}$LaHUp`vvv@x@^LP?p-qa9h}>r z;J9{LaXUP;{!k_3=6yZDN#Hg(Jxz6fB^nbqW$By3ZSa%uxPxly&@~v$G%u^h#fFfE z|1wOdi48TP5Yobwh`?UOw7YBffe=4>0SaX7!9^?@{*P>vK!)Vjdm=RP$r5Ixi=YuN z6Guv#_EqSvfl?>>p-tmgtgz^JykS8=`%G2`tOf=wWJo>TgLRgDggX39m_59n-MY~U z46oJXS4OVdcSo7!>H{!ha>5)7!PnU0r6gP^_@op!ww0V8KN^g&8}fs^kFsCJid1ma z!>|_@d}ZU$vX3Pgu&#fvlW$^~7&$yA*I